ftw 0.0.16 → 0.0.17

data/lib/ftw/agent.rb

@@ -64,14 +64,106 @@ class FTW::Agent
     configuration[REDIRECTION_LIMIT] = 20
 
     @certificate_store = OpenSSL::X509::Store.new
-    @certificate_store.add_file("/etc/ssl/certs/ca-bundle.trust.crt")
-    @certificate_store.verify_callback = proc do |*args|
-      p :verify_callback => args
-      true
+    if File.readable?(OpenSSL::X509::DEFAULT_CERT_FILE)
+      @logger.debug("Adding default certificate file",
+                    :path => OpenSSL::X509::DEFAULT_CERT_FILE)
+      @certificate_store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE)
     end
 
+    # Handle the local user/app trust store as well.
+    if File.directory?(configuration[SSL_TRUST_STORE])
+      # This is a directory, so use add_path
+      @logger.debug("Adding SSL_TRUST_STORE",
+                    :path => configuration[SSL_TRUST_STORE])
+      @certificate_store.add_path(configuration[SSL_TRUST_STORE])
+    end
+
+    # TODO(sissel): Add custom paths for ssl certs
   end # def initialize
 
+  # Verify a certificate.
+  #
+  # host => the host (string)
+  # port => the port (number)
+  # verified => true/false, was this cert verified by our certificate store?
+  # context => an OpenSSL::SSL::StoreContext
+  def certificate_verify(host, port, verified, context)
+    # Now verify the entire chain.
+    begin
+      @logger.debug("Verify peer via OpenSSL::X509::Store",
+                    :verified => verified, :chain => context.chain.collect { |c| c.subject },
+                    :context => context, :depth => context.error_depth,
+                    :error => context.error, :string => context.error_string)
+      # Untrusted certificate; prompt to accept if possible.
+      if !verified and STDOUT.tty?
+        # TODO(sissel): Factor this out into a verify callback where this
+        # happens to be the default.
+
+        puts "Untrusted certificate found; here's what I know:"
+        puts "  Why it's untrusted: (#{context.error}) #{context.error_string}"
+        puts "  What you think it's for: #{host} (port #{port})"
+        cn = context.chain[0].subject.to_s.split("/").grep(/^CN=/).first.split("=",2).last rescue "<unknown, no CN?>"
+        puts "  What it's actually for: #{cn}"
+        puts "  Full chain:"
+        context.chain.each_with_index do |cert, i|
+          puts "    Subject(#{i}): #{cert.subject}"
+        end
+        print "Trust? [(N)o/(Y)es/(P)ersistent] "
+
+        system("stty raw")
+        answer = $stdin.getc.downcase
+        system("stty sane")
+        puts
+
+        if ["y", "p"].include?(answer)
+          # TODO(sissel): Factor this out into Agent::Trust or somesuch
+          context.chain.each do |cert|
+            # For each certificate, add it to the in-process certificate store.
+            begin
+              @certificate_store.add_cert(cert)
+            rescue OpenSSL::X509::StoreError => e
+              # If the cert is already trusted, move along.
+              if e.to_s != "cert already in hash table" 
+                raise # this is a real error, reraise.
+              end
+            end
+
+            # TODO(sissel): Factor this out into Agent::Trust or somesuch
+            # For each certificate, if persistence is requested, write the cert to
+            # the configured ssl trust store (usually ~/.ftw/ssl-trust.db/) 
+            if answer == "p" # persist this trusted cert
+              require "fileutils"
+              if !File.directory?(configuration[SSL_TRUST_STORE])
+                FileUtils.mkdir_p(configuration[SSL_TRUST_STORE])
+              end
+
+              # openssl verify recommends the 'ca path' have files named by the
+              # hashed subject name. Turns out openssl really expects the
+              # hexadecimal version of this.
+              name = File.join(configuration[SSL_TRUST_STORE], cert.subject.hash.to_s(16))
+              # Find a filename that doesn't exist.
+              num = 0
+              num += 1 while File.exists?("#{name}.#{num}")
+
+              # Write it out
+              path = "#{name}.#{num}"
+              @logger.info("Persisting certificate", :subject => cert.subject, :path => path)
+              File.write(path, cert.to_pem)
+            end # if answer == "p"
+          end # context.chain.each
+          return true
+        end # if answer was "y" or "p"
+      end # if !verified and stdout is a tty
+
+      return verified
+    rescue => e
+      # We have to rescue all and emit because openssl verify_callback ignores
+      # exceptions silently
+      @logger.error(e)
+      return verified
+    end
+  end # def certificate_verify
+
   # Define all the standard HTTP methods (Per RFC2616)
   # As an example, for "get" method, this will define these methods:
   # 
@@ -180,15 +272,11 @@ class FTW::Agent
   def execute(request)
     # TODO(sissel): Make redirection-following optional, but default.
 
-    connection, error = connect(request.headers["Host"], request.port)
+    connection, error = connect(request.headers["Host"], request.port, request.protocol == "https")
     if !error.nil?
       p :error => error
       raise error
     end
-
-    if request.protocol == "https"
-      connection.secure(:certificate_store => @certificate_store)
-    end
     response = request.execute(connection)
 
     redirects = 0
@@ -222,15 +310,12 @@ class FTW::Agent
 
       @logger.debug("Redirecting", :location => response.headers["Location"])
       request.use_uri(response.headers["Location"])
-      connection, error = connect(request.headers["Host"], request.port)
+      connection, error = connect(request.headers["Host"], request.port, request.protocol == "https")
       # TODO(sissel): Do better error handling than raising.
       if !error.nil?
         p :error => error
         raise error
       end
-      if request.protocol == "https"
-        connection.secure(:certificate_store => @certificate_store)
-      end
       response = request.execute(connection)
     end # while being redirected
 
@@ -258,10 +343,11 @@ class FTW::Agent
   end # def shutdown
 
   # Returns a FTW::Connection connected to this host:port.
-  def connect(host, port)
+  def connect(host, port, secure=false)
     address = "#{host}:#{port}"
     @logger.debug("Fetching from pool", :address => address)
     error = nil
+
     connection = @pool.fetch(address) do
       @logger.info("New connection to #{address}")
       connection = FTW::Connection.new(address)
@@ -282,6 +368,20 @@ class FTW::Agent
 
     @logger.debug("Pool fetched a connection", :connection => connection)
     connection.mark
+
+    if secure
+      # Curry a certificate_verify callback for this connection.
+      verify_callback = proc do |verified, context|
+        begin
+          certificate_verify(host, port, verified, context)
+        rescue => e
+          @logger.error("Error in certificate_verify call", :exception => e)
+        end
+      end
+      connection.secure(:certificate_store => @certificate_store,
+                        :verify_callback => verify_callback)
+    end # if secure
+
     return connection, nil
   end # def connect
 

data/lib/ftw/agent/configuration.rb

@@ -6,8 +6,29 @@ module FTW::Agent::Configuration
   # giving up.
   REDIRECTION_LIMIT = "redirection-limit".freeze
 
+  # SSL Trust Store
+  SSL_TRUST_STORE = "ssl.trustdb".freeze
+
+  private
+
   # Get the configuration hash
   def configuration
-    return @configuration ||= Hash.new
+    return @configuration ||= default_configuration
   end # def configuration
+
+  # default configuration
+  def default_configuration
+    require "tmpdir"
+    home = File.join(ENV.fetch("HOME", tmpdir), ".ftw")
+    return {
+      REDIRECTION_LIMIT => 20,
+      SSL_TRUST_STORE => File.join(home, "ssl-trust.db")
+    }
+  end # def default_configuration
+
+  def tmpdir
+    return File.join(Dir.tmpdir, "ftw-#{Process.uid}")
+  end # def tmpdir
+
+  public(:configuration)
 end # def FTW::Agent::Configuration

data/lib/ftw/connection.rb

@@ -300,19 +300,28 @@ class FTW::Connection
   #
   # * :certificate_store, an OpenSSL::X509::Store
   # * :timeout, a timeout threshold in seconds.
-  def secure(options={})
+  def secure(options=nil)
     # Skip this if we're already secure.
     return if secured?
 
-    options[:timeout] ||= nil
-    options[:certificate_store] ||= OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+    defaults = {
+      :timeout => nil,
+      #:certificate_store => OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+    }
+    settings = defaults.merge(options) unless options.nil?
 
-    @logger.info("Securing this connection", :peer => peer)
+    @logger.info("Securing this connection", :peer => peer, :options => settings)
     # Wrap this connection with TLS/SSL
     sslcontext = OpenSSL::SSL::SSLContext.new
     # If you use VERIFY_NONE, you are removing the trust feature of TLS. Don't do that.
     # Encryption without trust means you don't know who you are talking to.
     sslcontext.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    sslcontext.verify_callback = proc do |*args| 
+      @logger.debug("Verify peer via FTW::Connection#secure", :callback => settings[:verify_callback])
+      if settings[:verify_callback].respond_to?(:call)
+        settings[:verify_callback].call(*args)
+      end
+    end
     sslcontext.ssl_version = :TLSv1
     sslcontext.cert_store = options[:certificate_store]
     @socket = OpenSSL::SSL::SSLSocket.new(@socket, sslcontext)

data/lib/ftw/version.rb

@@ -3,5 +3,5 @@ require "ftw/namespace"
 # :nodoc:
 module FTW
   # The version of this library
-  VERSION = "0.0.16"
+  VERSION = "0.0.17"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ftw
 version: !ruby/object:Gem::Version
-  version: 0.0.16
+  version: 0.0.17
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-20 00:00:00.000000000 Z
+date: 2012-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json