blather 0.5.4 → 0.5.6

data/examples/trusted_echo.rb

@@ -0,0 +1,21 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'blather/client'
+
+setup 'chris@vines.local', 'test', 'vines.local', 5222, "./certs"
+
+when_ready { puts "Connected ! send messages to #{jid.stripped}." }
+
+subscription :request? do |s|
+  write_to_stream s.approve!
+end
+
+message :chat?, :body => 'exit' do |m|
+  say m.from, 'Exiting ...'
+  shutdown
+end
+
+message :chat?, :body do |m|
+  say m.from, "You sent: #{m.body}"
+end

data/lib/blather.rb

@@ -7,6 +7,7 @@
   digest/md5
   digest/sha1
   logger
+  openssl
 
   active_support/core_ext/class/attribute
   active_support/core_ext/object/blank
@@ -14,6 +15,7 @@
   blather/core_ext/eventmachine
   blather/core_ext/ipaddr
 
+  blather/cert_store
   blather/errors
   blather/errors/sasl_error
   blather/errors/stanza_error

data/lib/blather/cert_store.rb

@@ -0,0 +1,53 @@
+# encoding: UTF-8
+
+module Blather
+
+  # An X509 certificate store that validates certificate trust chains.
+  # This uses the #{cert_directory}/*.crt files as the list of trusted root
+  # CA certificates.
+  class CertStore
+    @@certs = nil
+    @cert_directory = nil
+
+    def initialize(cert_directory)
+      @cert_directory = cert_directory
+      @store = OpenSSL::X509::Store.new
+      certs.each {|c| @store.add_cert(c) }
+    end
+
+    # Return true if the certificate is signed by a CA certificate in the
+    # store. If the certificate can be trusted, it's added to the store so
+    # it can be used to trust other certs.
+    def trusted?(pem)
+      if cert = OpenSSL::X509::Certificate.new(pem) rescue nil
+        @store.verify(cert).tap do |trusted|
+          @store.add_cert(cert) if trusted rescue nil
+        end
+      end
+    end
+
+    # Return true if the domain name matches one of the names in the
+    # certificate. In other words, is the certificate provided to us really
+    # for the domain to which we think we're connected?
+    def domain?(pem, domain)
+      if cert = OpenSSL::X509::Certificate.new(pem) rescue nil
+        OpenSSL::SSL.verify_certificate_identity(cert, domain) rescue false
+      end
+    end
+
+    # Return the trusted root CA certificates installed in the @cert_directory. These
+    # certificates are used to start the trust chain needed to validate certs
+    # we receive from clients and servers.
+    def certs
+      unless @@certs
+        pattern = /-{5}BEGIN CERTIFICATE-{5}\n.*?-{5}END CERTIFICATE-{5}\n/m
+        dir = @cert_directory
+        certs = Dir[File.join(dir, '*.crt')].map {|f| File.read(f) }
+        certs = certs.map {|c| c.scan(pattern) }.flatten
+        certs.map! {|c| OpenSSL::X509::Certificate.new(c) }
+        @@certs = certs.reject {|c| c.not_after < Time.now }
+      end
+      @@certs
+    end
+  end
+end

data/lib/blather/client.rb

@@ -30,7 +30,15 @@ optparse = OptionParser.new do |opts|
     end
     options[:log] = log
   end
-
+  
+  opts.on('--certs=[CERTS DIRECTORY]', 'The directory path where the trusted certificates are stored') do |certs|
+    if !File.directory?(certs)
+      $stderr.puts "The certs directory path (#{certs}) is no good."
+      exit 1
+    end
+    options[:certs] = certs
+  end
+  
   opts.on_tail('-h', '--help', 'Show this message') do
     puts opts
     exit

data/lib/blather/client/client.rb

@@ -45,8 +45,8 @@ module Blather
     # @param [Fixnum, String] port the port to connect to.
     #
     # @return [Blather::Client]
-    def self.setup(jid, password, host = nil, port = nil)
-      self.new.setup(jid, password, host, port)
+    def self.setup(jid, password, host = nil, port = nil, certs = nil)
+      self.new.setup(jid, password, host, port, certs)
     end
 
     def initialize  # @private
@@ -194,11 +194,12 @@ module Blather
     end
 
     # @private
-    def setup(jid, password, host = nil, port = nil)
+    def setup(jid, password, host = nil, port = nil, certs = nil)
       @jid = JID.new(jid)
       @setup = [@jid, password]
       @setup << host if host
       @setup << port if port
+      @setup << certs if certs
       self
     end
 

data/lib/blather/client/dsl.rb

@@ -83,6 +83,13 @@ module Blather
 
     autoload :PubSub, File.expand_path(File.join(File.dirname(__FILE__), *%w[dsl pubsub]))
 
+    def self.append_features(o)
+      Blather::Stanza.handler_list.each do |handler_name|
+        o.__send__ :remove_method, handler_name if !o.is_a?(Class) && o.method_defined?(handler_name)
+      end
+      super
+    end
+
     # The actual client connection
     #
     # @return [Blather::Client]
@@ -116,8 +123,8 @@ module Blather
     # @param [String] host (optional) the host to connect to (can be an IP). If
     # this is `nil` the domain on the JID will be used
     # @param [Fixnum, String] (optional) port the port to connect on
-    def setup(jid, password, host = nil, port = nil)
-      client.setup(jid, password, host, port)
+    def setup(jid, password, host = nil, port = nil, certs = nil)
+      client.setup(jid, password, host, port, certs)
     end
 
     # Shutdown the connection.

data/lib/blather/stream.rb

@@ -55,6 +55,7 @@ module Blather
     STREAM_NS = 'http://etherx.jabber.org/streams'
     attr_accessor :password
     attr_reader :jid
+    @@store = nil
 
     # Start the stream between client and server
     #
@@ -66,8 +67,13 @@ module Blather
     # to use the domain on the JID
     # @param [Fixnum, nil] port the port to connect on. Default is the XMPP
     # default of 5222
-    def self.start(client, jid, pass, host = nil, port = 5222)
+    # @param [String, nil] certs the trusted cert store in pem format to verify 
+    # communication with the server is trusted.
+    def self.start(client, jid, pass, host = nil, port = 5222, certs_directory = nil)
       jid = JID.new jid
+      if certs_directory
+        @@store = CertStore.new(certs_directory)
+      end
       if host
         connect host, port, self, client, jid, pass
       else
@@ -153,6 +159,21 @@ module Blather
       send "<stream:error><xml-not-well-formed xmlns='#{StreamError::STREAM_ERR_NS}'/></stream:error>"
       stop
     end
+    
+    # Called by EM to verify the peer certificate. If a certificate store directory 
+    # has not been configured don't worry about peer verification. At least it is encrypted
+    # We Log the certificate so that you can add it to the trusted store easily if desired
+    # @private
+    def ssl_verify_peer(pem)
+      # EM is supposed to close the connection when this returns false,
+      # but it only does that for inbound connections, not when we
+      # make a connection to another server. 
+      Blather.logger.debug("Checking SSL cert: #{pem}")
+      return true if !@@store
+      @@store.trusted?(pem).tap do |trusted|
+        close_connection unless trusted
+      end
+    end
 
     # Called by EM after the connection has started
     # @private

data/lib/blather/stream/features/tls.rb

@@ -15,7 +15,7 @@ class Stream
       when 'starttls'
         @stream.send "<starttls xmlns='#{TLS_NS}'/>"
       when 'proceed'
-        @stream.start_tls
+        @stream.start_tls(:verify_peer => true)
         @stream.start
 #        succeed!
       else

data/lib/blather/version.rb

@@ -1,4 +1,4 @@
 module Blather
   # Blather version number
-  VERSION = '0.5.4'
+  VERSION = '0.5.6'
 end

data/spec/blather/client/dsl_spec.rb

@@ -12,23 +12,35 @@ describe Blather::DSL do
   end
 
   it 'wraps the setup' do
-    args = ['jid', 'pass', 'host', 0000]
+    args = ['jid', 'pass', 'host', 0000, nil]
     @client.expects(:setup).with *args
     @dsl.setup *args
   end
 
   it 'allows host to be nil in setup' do
     args = ['jid', 'pass']
-    @client.expects(:setup).with *(args + [nil, nil])
+    @client.expects(:setup).with *(args + [nil, nil, nil])
     @dsl.setup *args
   end
 
   it 'allows port to be nil in setup' do
     args = ['jid', 'pass', 'host']
-    @client.expects(:setup).with *(args + [nil])
+    @client.expects(:setup).with *(args + [nil, nil])
     @dsl.setup *args
   end
 
+  it 'allows certs to be nil in setup' do
+    args = ['jid', 'pass', 'host', 'port']
+    @client.expects(:setup).with *(args + [nil])
+    @dsl.setup *args
+  end
+  
+  it 'accepts certs in setup' do
+    args = ['jid', 'pass', 'host', 'port', 'certs']
+    @client.expects(:setup).with *(args)
+    @dsl.setup *args
+  end
+  
   it 'stops when shutdown is called' do
     @client.expects(:close)
     @dsl.shutdown
@@ -61,6 +73,11 @@ describe Blather::DSL do
     @dsl.handle type, *guards
   end
 
+  it 'sets up handler methods' do
+    @client.expects(:register_handler).with :presence, :unavailable?
+    @dsl.presence :unavailable?
+  end
+
   it 'provides a helper for ready state' do
     @client.expects(:register_handler).with :ready
     @dsl.when_ready

data/spec/blather/stream/ssl_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+describe Blather::CertStore do
+  before do
+    @pem = "-----BEGIN CERTIFICATE-----\nMIIDszCCApugAwIBAgIETiZC5TANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJV\nUzERMA8GA1UECAwIQ29sb3JhZG8xDzANBgNVBAcMBkRlbnZlcjEaMBgGA1UECgwR\nVmluZXMgWE1QUCBTZXJ2ZXIxFDASBgNVBAMMC3ZpbmVzLmxvY2FsMB4XDTExMDcx\nOTAyNTIyMVoXDTEyMDcxOTAyNTIyMVowYzELMAkGA1UEBhMCVVMxETAPBgNVBAgM\nCENvbG9yYWRvMQ8wDQYDVQQHDAZEZW52ZXIxGjAYBgNVBAoMEVZpbmVzIFhNUFAg\nU2VydmVyMRQwEgYDVQQDDAt2aW5lcy5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBAMyqj4UyXIpLYyIDaqDoN/8yZHDv281lz1UzuhPZ5r4S6teA\n90dXT6MxEoQ5vpRV2lVU21mDOoRPk9qjgGA01zimrX/YvPf2BBedFkvU18ZKiOMD\n7D89Ej2oIPLc6dJMiIx1SbfpdvUtVZFn1/jGvQPv5iajHW5n/zn1KrHOvVa6R5eY\nVGEH3DD3RkzSxWHyiNN8R5SQzyOVX9F4DVFAffPOLbkFsCi2POy3dp+ZWuYKEjBd\nMuRibrt87PCESnyXZx/Y+GBG856wQT8Ny6mmnh5z5YtopvAJh16ps2p6DFgyDtF+\nhaW3WMlStXYQPqSTrreD7qdAxi3rVft2OUJLTJkCAwEAAaNvMG0wDAYDVR0TBAUw\nAwEB/zAdBgNVHQ4EFgQUUCSlixByIPK3s20w4xHhcMax7igwPgYDVR0RBDcwNYIL\ndmluZXMubG9jYWyCJmNocmlzdG9waGVyLWpvaG5zb25zLW1hY2Jvb2stcHJvLmxv\nY2FsMA0GCSqGSIb3DQEBBQUAA4IBAQBOy1nI7H8XpnpVzpRK5RN/MzelQUl1Efo0\nl9wZ73E6EgJinl2AUp1/sYMUWkVlZ4DSflRBxBEp0CAJNoUydBh8O1xEKGTyqlLy\n/daqvNFLnYwFluAWi1xJQZv4AE62ua5wjsrhPuu3aMvPt9hx1X3CVh+8aA24/gAo\nAPJYsfT3T8GCD+MU3Uc2yADnLSUJ6Jal56/okOJA2Pfkr/K4zj1CyfAEWlpgo2Pv\nyrpv4V2WP1SL5fOONNGfOzio1LD6seAl+8SjiCefnMan2aXmna6SpMDzXB8vTDUE\nWmsD9g0621WqNz2x6lY5IYr7azE2C46Tpb9FOeSAAd83Zka4acaL\n-----END CERTIFICATE-----\n"
+    @cert = File.open("./test.crt", 'w') {|f| f.write(@pem) }
+    @store = Blather::CertStore.new("./")
+  end
+  
+  after do
+    File.delete("./test.crt")
+  end
+  
+  it 'can verify valid cert' do
+    @store.trusted?(@pem).tap do |trusted|
+      trusted.must_equal true
+    end
+  end
+  
+  it 'can verify invalid cert' do
+    @store.trusted?(@pem.gsub("L", "a")).tap do |trusted|
+      trusted.must_equal nil
+    end
+  end
+  
+  it 'can verify without a cert store' do
+    @store = Blather::CertStore.new("../")
+    @store.trusted?(@pem).tap do |trusted|
+      trusted.must_equal true
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: blather
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.5.6
   prerelease: 
 platform: ruby
 authors:
@@ -9,12 +9,12 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-08-11 00:00:00.000000000 +01:00
+date: 2011-09-23 00:00:00.000000000 +01:00
 default_executable: 
 dependencies:
 - !ruby/object:Gem::Dependency
   name: eventmachine
-  requirement: &2153050540 !ruby/object:Gem::Requirement
+  requirement: &2153627300 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -22,10 +22,10 @@ dependencies:
         version: 0.12.6
   type: :runtime
   prerelease: false
-  version_requirements: *2153050540
+  version_requirements: *2153627300
 - !ruby/object:Gem::Dependency
   name: nokogiri
-  requirement: &2156390300 !ruby/object:Gem::Requirement
+  requirement: &2153626740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -33,10 +33,10 @@ dependencies:
         version: 1.4.0
   type: :runtime
   prerelease: false
-  version_requirements: *2156390300
+  version_requirements: *2153626740
 - !ruby/object:Gem::Dependency
   name: niceogiri
-  requirement: &2156389820 !ruby/object:Gem::Requirement
+  requirement: &2153626180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -44,21 +44,10 @@ dependencies:
         version: 0.0.4
   type: :runtime
   prerelease: false
-  version_requirements: *2156389820
-- !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: &2156389340 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.7.1
-  type: :runtime
-  prerelease: false
-  version_requirements: *2156389340
+  version_requirements: *2153626180
 - !ruby/object:Gem::Dependency
   name: activesupport
-  requirement: &2156388860 !ruby/object:Gem::Requirement
+  requirement: &2153625680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -66,10 +55,10 @@ dependencies:
         version: 3.0.7
   type: :runtime
   prerelease: false
-  version_requirements: *2156388860
+  version_requirements: *2153625680
 - !ruby/object:Gem::Dependency
   name: minitest
-  requirement: &2156388380 !ruby/object:Gem::Requirement
+  requirement: &2153625200 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -77,10 +66,10 @@ dependencies:
         version: 1.7.1
   type: :development
   prerelease: false
-  version_requirements: *2156388380
+  version_requirements: *2153625200
 - !ruby/object:Gem::Dependency
   name: mocha
-  requirement: &2156387900 !ruby/object:Gem::Requirement
+  requirement: &2153624720 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -88,10 +77,10 @@ dependencies:
         version: 0.9.12
   type: :development
   prerelease: false
-  version_requirements: *2156387900
+  version_requirements: *2153624720
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &2156387420 !ruby/object:Gem::Requirement
+  requirement: &2153624180 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -99,10 +88,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *2156387420
+  version_requirements: *2153624180
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &2156386940 !ruby/object:Gem::Requirement
+  requirement: &2153623680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -110,10 +99,10 @@ dependencies:
         version: 0.9.9
   type: :development
   prerelease: false
-  version_requirements: *2156386940
+  version_requirements: *2153623680
 - !ruby/object:Gem::Dependency
   name: yard
-  requirement: &2156386460 !ruby/object:Gem::Requirement
+  requirement: &2153623200 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -121,10 +110,10 @@ dependencies:
         version: 0.6.1
   type: :development
   prerelease: false
-  version_requirements: *2156386460
+  version_requirements: *2153623200
 - !ruby/object:Gem::Dependency
   name: bluecloth
-  requirement: &2156385980 !ruby/object:Gem::Requirement
+  requirement: &2153622680 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -132,10 +121,21 @@ dependencies:
         version: 2.1.0
   type: :development
   prerelease: false
-  version_requirements: *2156385980
+  version_requirements: *2153622680
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &2156385600 !ruby/object:Gem::Requirement
+  requirement: &2153609960 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2153609960
+- !ruby/object:Gem::Dependency
+  name: guard-minitest
+  requirement: &2153609500 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -143,7 +143,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2156385600
+  version_requirements: *2153609500
 description: An XMPP DSL for Ruby written on top of EventMachine and Nokogiri
 email: sprsquish@gmail.com
 executables: []
@@ -158,19 +158,24 @@ files:
 - .travis.yml
 - CHANGELOG
 - Gemfile
+- Guardfile
 - LICENSE
 - README.md
 - Rakefile
 - TODO.md
 - blather.gemspec
+- examples/certs/README
+- examples/certs/ca-bundle.crt
 - examples/echo.rb
 - examples/execute.rb
 - examples/ping_pong.rb
 - examples/print_hierarchy.rb
 - examples/rosterprint.rb
 - examples/stream_only.rb
+- examples/trusted_echo.rb
 - examples/xmpp4r/echo.rb
 - lib/blather.rb
+- lib/blather/cert_store.rb
 - lib/blather/client.rb
 - lib/blather/client/client.rb
 - lib/blather/client/dsl.rb
@@ -279,6 +284,7 @@ files:
 - spec/blather/stream/client_spec.rb
 - spec/blather/stream/component_spec.rb
 - spec/blather/stream/parser_spec.rb
+- spec/blather/stream/ssl_spec.rb
 - spec/blather/xmpp_node_spec.rb
 - spec/fixtures/pubsub.rb
 - spec/spec_helper.rb
@@ -358,6 +364,7 @@ test_files:
 - spec/blather/stream/client_spec.rb
 - spec/blather/stream/component_spec.rb
 - spec/blather/stream/parser_spec.rb
+- spec/blather/stream/ssl_spec.rb
 - spec/blather/xmpp_node_spec.rb
 - spec/fixtures/pubsub.rb
 - spec/spec_helper.rb