rack-tls_tools 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 142ab0d969273c9be4f7f457aab4e2407f926493
4
+ data.tar.gz: 25df1c6e73c1c9a2aa85e14ebb54a6ada3218ec1
5
+ SHA512:
6
+ metadata.gz: 788fe7f194feb7bb7663becb4b9cdd8ec4f2de9c32e57d229b830a1a9a4481f6d2b9067323b6c3826e1c0b596fd673c88924fe0cfb5fcea254923b3369276dc2
7
+ data.tar.gz: ba1d9dfd34301a50f59928a143253571b9b8345fcf45fd369a05a528c3b134a07280a0b6da672e190d26e059c551af4f08c9e6d4725c8d6b94870429565fdcc2
@@ -0,0 +1,9 @@
1
+ /.bundle/
2
+ /.yardoc
3
+ /Gemfile.lock
4
+ /_yardoc/
5
+ /coverage/
6
+ /doc/
7
+ /pkg/
8
+ /spec/reports/
9
+ /tmp/
@@ -0,0 +1,6 @@
1
+ language: ruby
2
+ rvm:
3
+ - 2.0.0
4
+ - 2.2.2
5
+ - ruby-head
6
+ - jruby
data/Gemfile ADDED
@@ -0,0 +1,11 @@
1
+ source 'https://rubygems.org'
2
+
3
+ # Specify your gem's dependencies in rack-tls_tools.gemspec
4
+ gemspec
5
+
6
+ group :test do
7
+ gem 'minitest'
8
+ gem 'rack-test'
9
+ gem 'pry-nav'
10
+ end
11
+
@@ -0,0 +1,21 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2015 Jens Kraemer
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in
13
+ all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
+ THE SOFTWARE.
@@ -0,0 +1,132 @@
1
+ # Rack::TlsTools [![Build Status](https://travis-ci.org/jkraemer/rack-tls_tools.png?branch=master)](https://travis-ci.org/jkraemer/rack-tls_tools)
2
+
3
+ A bunch of rack middlewares to enforce secure cookies and add HSTS and HPKP
4
+ headers to your app's responses.
5
+
6
+ ## Caution
7
+
8
+ By mis-using HSTS and HPKP it's very easy to lock out your clients from your
9
+ site.
10
+
11
+ Please make sure you understand what they do and how they work before trying
12
+ this out on a production site. While experimenting it might be a good idea to
13
+ use short `max_age` values so any effects of a possible mis-configuration don't
14
+ last until next year.
15
+
16
+ ## Installation
17
+
18
+ Add this line to your application's Gemfile:
19
+
20
+ ```ruby
21
+ gem 'rack-tls_tools'
22
+ ```
23
+
24
+ And then execute:
25
+
26
+ $ bundle
27
+
28
+ Or install it yourself as:
29
+
30
+ $ gem install rack-tls_tools
31
+
32
+
33
+ ## Usage
34
+
35
+ ### SecureCookies
36
+
37
+ To mark any cookie you set over HTTPS as *secure*, just add
38
+ `Rack::TlsTools::SecureCookies` to your middleware stack. For Rails that means
39
+ adding
40
+
41
+ ```ruby
42
+ config.middleware.use Rack::TlsTools::SecureCookies
43
+ ```
44
+
45
+ to your `config/application.rb`.
46
+
47
+
48
+ ### HSTS
49
+
50
+ HTTP Strict Transport Security is a security feature that lets your web site
51
+ tell browsers that it should only be communicated with using HTTPS.
52
+
53
+ Basically it's a simple HTTP header sent by the server, indicating that the
54
+ current site must only be accessed over HTTPS.
55
+
56
+ - [Mozilla Developer Network](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)
57
+ - [RFC 6797](https://tools.ietf.org/html/rfc6797)
58
+
59
+ ```ruby
60
+ config.middleware.use Rack::TlsTools::Hsts, max_age: 1.year, subdomains: false
61
+ ```
62
+
63
+ ### HPKP
64
+
65
+ HPKP aka Public Key Pinning is used to tell clients to associate a specific
66
+ cryptographic public key with your site. The goal is to prevent MITM attacks
67
+ with forged certificates in the future.
68
+
69
+ - [Mozilla Developer Network](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning)
70
+ - [RFC7469](https://tools.ietf.org/html/rfc7469)
71
+
72
+ In order to add HPKP headers to your site you have to specify a set of
73
+ configurations, each consisting of a number of host names (which are all
74
+ using the same SSL certificates) and a number of hashes identifying these
75
+ certificates. So if your app serves different domains using different SSL
76
+ certificates, use a separate hash in the `hosts` array for each of them.
77
+
78
+ ```ruby
79
+ config.middleware.use Rack::TlsTools::Hpkp, {
80
+ max_age: 3.months,
81
+ subdomains: false,
82
+ hosts: [
83
+ {
84
+ names: %w(test.com www.test.com),
85
+ sha256: %w(TjqopKw/ZnhQVuSJcigTYFZzyzcV4meL4ukoThbkr0E= IXx7fkhrahUAGPqxiGyXvQ0aACvZiT0GqELG5X+Irlc=),
86
+ report_uri: 'https://hpkp-reports.test.com/',
87
+ },
88
+ {
89
+ names: %w(example.com),
90
+ sha256: %w(cw67ZLBJG8VBdPwhnpAWV9hn65+ETjdJ80N7QaKPq4Q= /OO9h4ETSyxhCj11N+52iPXCkZY1hoWSye9Xb3AkbZ0=),
91
+ subdomains: true,
92
+ max_age: 30000,
93
+ },
94
+ ]
95
+ }
96
+ ```
97
+
98
+ The top level `max_age` and `subdomains` values serve as defaults which can be
99
+ overridden in each of the `hosts` hashes. If omitted these default to the
100
+ values shown above. `report_uri` is optional, if set, browsers should `POST`
101
+ some useful information there once they detect a certificate mismatch according
102
+ to the [RFC](https://tools.ietf.org/html/rfc7469).
103
+
104
+ **Always** add at least two hashes for each domain - one for the current key, and
105
+ one for a backup key you will be using in case the current one is lost,
106
+ compromised or simply expires.
107
+
108
+ #### Generating the relevant hashes
109
+
110
+ You can generate these hashes from your private key, your server certificate
111
+ and even the Certificate Signing Request ([Source](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning)):
112
+
113
+ openssl rsa -in my-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
114
+ openssl req -in my-signing-request.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
115
+ openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
116
+
117
+
118
+
119
+ ## Development
120
+
121
+ After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/console` for an interactive prompt that will allow you to experiment.
122
+
123
+ To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
124
+
125
+ ## Contributing
126
+
127
+ 1. Fork it ( https://github.com/jkraemer/rack-tls_tools/fork )
128
+ 2. Create your feature branch (`git checkout -b my-new-feature`)
129
+ 3. Commit your changes (`git commit -am 'Add some feature'`)
130
+ 4. Push to the branch (`git push origin my-new-feature`)
131
+ 5. Create a new Pull Request
132
+
@@ -0,0 +1,11 @@
1
+ require "bundler/gem_tasks"
2
+ require 'rake/testtask'
3
+
4
+ Rake::TestTask.new(:test) do |test|
5
+ test.libs << 'lib' << 'test'
6
+ test.pattern = 'test/**/*_test.rb'
7
+ test.verbose = true
8
+ end
9
+
10
+ task default: :test
11
+
@@ -0,0 +1,14 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require "bundler/setup"
4
+ require "rack/tls_tools"
5
+
6
+ # You can add fixtures and/or initialization code here to make experimenting
7
+ # with your gem easier. You can also use a different console, if you like.
8
+
9
+ # (If you use this, don't forget to add pry to your Gemfile!)
10
+ # require "pry"
11
+ # Pry.start
12
+
13
+ require "irb"
14
+ IRB.start
@@ -0,0 +1,7 @@
1
+ #!/bin/bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+
5
+ bundle install
6
+
7
+ # Do any other automated setup that you need to do here
@@ -0,0 +1 @@
1
+ require 'rack/tls_tools'
@@ -0,0 +1,8 @@
1
+ require "rack/tls_tools/hpkp"
2
+ require "rack/tls_tools/hsts"
3
+ require "rack/tls_tools/secure_cookies"
4
+
5
+ module Rack
6
+ module TlsTools
7
+ end
8
+ end
@@ -0,0 +1,55 @@
1
+ module Rack
2
+ module TlsTools
3
+
4
+ # https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
5
+ class Hpkp
6
+
7
+ # three months
8
+ DEFAULT_MAX_AGE = 3600 * 24 * 60
9
+
10
+ def initialize(app, options = {})
11
+ @app = app
12
+ @options = {
13
+ enable: true,
14
+ max_age: DEFAULT_MAX_AGE,
15
+ subdomains: false,
16
+ hosts: [],
17
+ }.merge(options)
18
+ @config_by_hostname = flatten_host_config @options[:hosts]
19
+ end
20
+
21
+ def call(env)
22
+ @app.call(env).tap do |response|
23
+ @request = Rack::Request.new env
24
+ if @request.ssl? and config = @config_by_hostname[@request.host] and config[:enable]
25
+ add_hpkp_header! response[1], config
26
+ end
27
+ end
28
+ end
29
+
30
+ private
31
+
32
+ def add_hpkp_header!(headers, config)
33
+ val = config[:sha256].map{|h|%{pin-sha256="#{h}"}}.join('; ')
34
+ val << %{; max-age=#{config[:max_age]}} if config[:max_age]
35
+ val << %{; includeSubDomains} if config[:subdomains]
36
+ val << %{; report-uri="#{config[:report_uri]}"} if config[:report_uri]
37
+ headers['Public-Key-Pins'] = val
38
+ end
39
+
40
+ def flatten_host_config(hosts)
41
+ {}.tap do |config_by_hostname|
42
+ hosts.each do |host_config|
43
+ host_config[:names].each do |hostname|
44
+ cfg = @options.merge host_config
45
+ cfg.delete :names
46
+ cfg.delete :hosts
47
+ config_by_hostname[hostname] = cfg
48
+ end
49
+ end
50
+ end
51
+ end
52
+ end
53
+ end
54
+ end
55
+
@@ -0,0 +1,38 @@
1
+ module Rack
2
+ module TlsTools
3
+
4
+ # http://en.wikipedia.org/wiki/Strict_Transport_Security
5
+ class Hsts
6
+
7
+ # a year
8
+ DEFAULT_MAX_AGE = 3600 * 24 * 365
9
+
10
+ def initialize(app, options = {})
11
+ @app = app
12
+ @options = {
13
+ enable: true,
14
+ max_age: DEFAULT_MAX_AGE,
15
+ subdomains: false,
16
+ }.merge(options)
17
+ end
18
+
19
+ def call(env)
20
+ @app.call(env).tap do |response|
21
+ @request = Rack::Request.new env
22
+ if @request.ssl? && @options[:enable]
23
+ add_hsts_header! response[1]
24
+ end
25
+ end
26
+ end
27
+
28
+ private
29
+
30
+ def add_hsts_header!(headers)
31
+ val = "max-age=#{@options[:max_age]}"
32
+ val += "; includeSubDomains" if @options[:subdomains]
33
+ headers['Strict-Transport-Security'] = val
34
+ end
35
+
36
+ end
37
+ end
38
+ end
@@ -0,0 +1,34 @@
1
+ module Rack
2
+ module TlsTools
3
+
4
+ class SecureCookies
5
+
6
+ def initialize(app, *args)
7
+ @app = app
8
+ end
9
+
10
+ def call(env)
11
+ @app.call(env).tap do |response|
12
+ @request = Rack::Request.new env
13
+ if @request.ssl?
14
+ secure_cookies! response[1]
15
+ end
16
+ end
17
+ end
18
+
19
+ private
20
+
21
+ def secure_cookies!(headers)
22
+ if cookies = headers['Set-Cookie']
23
+ headers['Set-Cookie'] = cookies.split("\n").map do |cookie|
24
+ cookie =~ /(^|;\s*)secure($|\s*;)/ ? cookie : cookie + '; secure'
25
+ end.join("\n")
26
+ end
27
+ end
28
+
29
+ end
30
+
31
+ end
32
+ end
33
+
34
+
@@ -0,0 +1,5 @@
1
+ module Rack
2
+ module TlsTools
3
+ VERSION = "0.1.0"
4
+ end
5
+ end
@@ -0,0 +1,24 @@
1
+ # coding: utf-8
2
+ lib = File.expand_path('../lib', __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require 'rack/tls_tools/version'
5
+
6
+ Gem::Specification.new do |spec|
7
+ spec.name = "rack-tls_tools"
8
+ spec.version = Rack::TlsTools::VERSION
9
+ spec.authors = ["Jens Kraemer"]
10
+ spec.email = ["jk@jkraemer.net"]
11
+
12
+ spec.summary = %q{Secure cookies, HSTS and HPKP for any Rack app}
13
+ spec.description = %q{A bunch of rack middlewares to enforce secure cookies and add HSTS (Strict Transport Security) and HPKP (Public Key Pinning) headers to your Rack application.}
14
+ spec.homepage = "https://github.com/jkraemer/rack-tls_tools"
15
+
16
+ spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
17
+ spec.bindir = "exe"
18
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
19
+ spec.require_paths = ["lib"]
20
+
21
+ spec.add_dependency 'rack', '>= 1.4.0'
22
+ spec.add_development_dependency "bundler", ">= 1.7"
23
+ spec.add_development_dependency "rake", "~> 10.0"
24
+ end
metadata ADDED
@@ -0,0 +1,101 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: rack-tls_tools
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Jens Kraemer
8
+ autorequire:
9
+ bindir: exe
10
+ cert_chain: []
11
+ date: 2015-05-18 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: rack
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - ">="
18
+ - !ruby/object:Gem::Version
19
+ version: 1.4.0
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - ">="
25
+ - !ruby/object:Gem::Version
26
+ version: 1.4.0
27
+ - !ruby/object:Gem::Dependency
28
+ name: bundler
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - ">="
32
+ - !ruby/object:Gem::Version
33
+ version: '1.7'
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - ">="
39
+ - !ruby/object:Gem::Version
40
+ version: '1.7'
41
+ - !ruby/object:Gem::Dependency
42
+ name: rake
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: '10.0'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: '10.0'
55
+ description: A bunch of rack middlewares to enforce secure cookies and add HSTS (Strict
56
+ Transport Security) and HPKP (Public Key Pinning) headers to your Rack application.
57
+ email:
58
+ - jk@jkraemer.net
59
+ executables: []
60
+ extensions: []
61
+ extra_rdoc_files: []
62
+ files:
63
+ - ".gitignore"
64
+ - ".travis.yml"
65
+ - Gemfile
66
+ - LICENSE.txt
67
+ - README.md
68
+ - Rakefile
69
+ - bin/console
70
+ - bin/setup
71
+ - lib/rack-tls_tools.rb
72
+ - lib/rack/tls_tools.rb
73
+ - lib/rack/tls_tools/hpkp.rb
74
+ - lib/rack/tls_tools/hsts.rb
75
+ - lib/rack/tls_tools/secure_cookies.rb
76
+ - lib/rack/tls_tools/version.rb
77
+ - rack-tls_tools.gemspec
78
+ homepage: https://github.com/jkraemer/rack-tls_tools
79
+ licenses: []
80
+ metadata: {}
81
+ post_install_message:
82
+ rdoc_options: []
83
+ require_paths:
84
+ - lib
85
+ required_ruby_version: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - ">="
88
+ - !ruby/object:Gem::Version
89
+ version: '0'
90
+ required_rubygems_version: !ruby/object:Gem::Requirement
91
+ requirements:
92
+ - - ">="
93
+ - !ruby/object:Gem::Version
94
+ version: '0'
95
+ requirements: []
96
+ rubyforge_project:
97
+ rubygems_version: 2.4.5
98
+ signing_key:
99
+ specification_version: 4
100
+ summary: Secure cookies, HSTS and HPKP for any Rack app
101
+ test_files: []