uninterruptible 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7f8d400309d6f9bf1354f04b9002aad29d077d2e
-  data.tar.gz: 3cb256b49089b46fdf7820594a6919c71e9d4d9f
+  metadata.gz: 45b1e17d9779c26d177d31c7dcdf49b4128eb0f4
+  data.tar.gz: 4a59b5fef72bd683bdfdcfa10d2c27a744271418
 SHA512:
-  metadata.gz: 4649cdbf7b3eff9fff3709f343513cf36a21814e03c1092c0d09d4a6ff4905bfdfb32ae61866a41caf513867623689429c44dfe5a8df57e824c2173699c52c63
-  data.tar.gz: d05d7c375ab9bd546691516abbbc7205a4221cfa60ffa8ddd3ea072fa9028fb12e51dc1951f83053605e7dd37ef9793dbf9c06e29631d7d00425128495ff82bb
+  metadata.gz: c3920549cf5cc3b176e385769190561920c9e21abe87ee9ec4deca2b73f99382e68b12e89071282b5258d985c1dbbed1712da90cfe4639fd2df06733167a205d
+  data.tar.gz: 615f4a872242d4d7fbade36d0457d7f5fb2433abf22061b8c1917a3a1e36f80288882d93ac6960d9aaab67a524d48fa8e02383a770158e30a2993e8c16cec88b

data/CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+# 2.1.0
+* Add TLS support for TCP connections
+
 # 2.0.0
 * Use an internal pipe for delivering signals to the main thread.
 * `accept_connections` retired in favour of a select loop and `accept_client_connection` being called for each waiting connection

data/README.md

@@ -64,6 +64,9 @@ echo_server.configure do |config|
   config.pidfile_path = 'tmp/pids/echoserver.pid' # Location to write a pidfile, falls back to ENV['PID_FILE']
   config.log_path = 'log/echoserver.log' # Location to write logfile, defaults to STDOUT
   config.log_level = Logger::INFO # Log writing severity, defaults to Logger::INFO
+  config.tls_version = 'TLSv1_2' # TLS version to use, defaults to TLSv1_2, falls back to ENV['TLS_VERSION']
+  config.tls_key = nil # Private key to use for TLS, reads file from ENV['TLS_KEY'] if set
+  config.tls_certificate = nil # Certificate to use for TLS, reads file from ENV['TLS_CERTIFICATE'] if set
 end
 ```
 
@@ -119,6 +122,10 @@ class EchoServer
 end
 ```
 
+## TLS Support
+
+If you would like to encrypt your TCP socket, Uninterruptible supports TLSv1.1 and TLSv1.2. Simply set `configuration.tls_key` and `configuration.tls_certificate` (see "Configuration" above) and your TCP socket will automatically be wrapped with TLS.
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/darkphnx/uninterruptible.

data/lib/uninterruptible.rb

@@ -1,6 +1,9 @@
+require 'openssl'
 require "uninterruptible/version"
+require 'uninterruptible/ssl_extensions'
 require 'uninterruptible/configuration'
 require 'uninterruptible/binder'
+require 'uninterruptible/tls_server_factory'
 require 'uninterruptible/server'
 
 # All of the interesting stuff is in Uninterruptible::Server

data/lib/uninterruptible/configuration.rb

@@ -3,7 +3,10 @@ module Uninterruptible
   #
   # See {Server#configure} for usage instructions.
   class Configuration
-    attr_writer :bind, :bind_port, :bind_address, :pidfile_path, :start_command, :log_path, :log_level
+    AVAILABLE_SSL_VERSIONS = %w[TLSv1_1 TLSv1_2].freeze
+
+    attr_writer :bind, :bind_port, :bind_address, :pidfile_path, :start_command, :log_path, :log_level, :tls_version,
+      :tls_key, :tls_certificate
 
     # Available TCP Port for the server to bind to (required). Falls back to environment variable PORT if set.
     #
@@ -19,7 +22,7 @@ module Uninterruptible
       @bind_address || "0.0.0.0"
     end
 
-    # URI to bind to, falls back to tcp://bind_address:bind_port if unset
+    # URI to bind to, falls back to tcp://bind_address:bind_port if unset. Accepts tcp:// or unix:// schemes.
     def bind
       @bind || "tcp://#{bind_address}:#{bind_port}"
     end
@@ -48,5 +51,35 @@ module Uninterruptible
     def log_level
       @log_level || Logger::INFO
     end
+
+    # Should the socket server be wrapped with a TLS server (TCP only). Automatically enabled when #tls_key or
+    # #tls_certificate is set
+    def tls_enabled?
+      !tls_key.nil? || !tls_certificate.nil?
+    end
+
+    # TLS version to use for the connection. Must be one of +Uninterruptible::Configuration::AVAILABLE_SSL_VERSIONS+
+    # If unset, connection will be unencrypted.
+    def tls_version
+      version = @tls_version || ENV['TLS_VERSION'] || 'TLSv1_2'
+
+      unless AVAILABLE_SSL_VERSIONS.include?(version)
+        raise ConfigurationError, "Please ensure tls_version is one of #{AVAILABLE_SSL_VERSIONS.join(', ')}"
+      end
+
+      version
+    end
+
+    # Private key used for encrypting TLS connection. If environment variable TLS_KEY is set, attempt to read from a
+    # file at that location.
+    def tls_key
+      @tls_key || (ENV['TLS_KEY'] ? File.read(ENV['TLS_KEY']) : nil)
+    end
+
+    # Certificate used for authenticating TLS connection. If environment variable TLS_CERTIFICATE is set, attempt to
+    # read from a file at that location
+    def tls_certificate
+      @tls_certificate || (ENV['TLS_CERTIFICATE'] ? File.read(ENV['TLS_CERTIFICATE']) : nil)
+    end
   end
 end

data/lib/uninterruptible/server.rb

@@ -108,7 +108,7 @@ module Uninterruptible
       end
     end
 
-    # Listen (or reconnect) to the bind address and port specified in the config. If socket_server_FD is set in the env,
+    # Listen (or reconnect) to the bind address and port specified in the config. If SERVER_FD_VAR is set in the env,
     # reconnect to that file descriptor. Once @socket_server is set, write the file descriptor ID to the env.
     def establish_socket_server
       @socket_server = Uninterruptible::Binder.new(server_configuration.bind).bind_to_socket
@@ -118,6 +118,10 @@ module Uninterruptible
       @socket_server.autoclose = false
       @socket_server.close_on_exec = false
 
+      if server_configuration.tls_enabled?
+        @socket_server = Uninterruptible::TLSServerFactory.new(server_configuration).wrap_with_tls(@socket_server)
+      end
+
       ENV[SERVER_FD_VAR] = @socket_server.to_i.to_s
     end
 

data/lib/uninterruptible/ssl_extensions.rb

@@ -0,0 +1,30 @@
+# Augment some parts of OpenSSL::SSL::SSLServer from stdlib for extra functionality
+module OpenSSL
+  module SSL
+    # Extend this module from stdlib to delegate additional methods to the underlying TCP transport when wrapping
+    # with an OpenSSL::SSL::SSLServer
+    module SocketForwarder
+      # Fetch the file descriptor ID from the underlying transport
+      def to_i
+        to_io.to_i
+      end
+    end
+
+    # Extend OpenSSL::SSL::SSLServer to implement accept_nonblock (only #accept is implemented by stdlib)
+    class SSLServer
+      def accept_nonblock
+        sock = @svr.accept_nonblock
+
+        begin
+          ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
+          ssl.sync_close = true
+          ssl.accept if @start_immediately
+          ssl
+        rescue SSLError => ex
+          sock.close
+          raise ex
+        end
+      end
+    end
+  end
+end

data/lib/uninterruptible/tls_server_factory.rb

@@ -0,0 +1,49 @@
+module Uninterruptible
+  # Wraps a bound TCP server with an OpenSSL::SSL::SSLServer according to the Uninterruptible::Configuration for
+  # this server.
+  class TLSServerFactory
+    attr_reader :configuration
+
+    # @param [Uninterruptible::Configuration] configuration Object with valid TLS configuration options
+    #
+    # @raise [Uninterruptible::ConfigurationError] Correct options are not set for TLS
+    def initialize(configuration)
+      @configuration = configuration
+      check_configuration!
+    end
+
+    # Accepts a TCP server, gives it a nice friendly SSLServer wrapper and returns the SSLServer
+    #
+    # @param [TCPServer] tcp_server Server to be wrapped
+    #
+    # @return [OpenSSL::SSL::SSLServer] tcp_server with a TLS layer
+    def wrap_with_tls(tcp_server)
+      server = OpenSSL::SSL::SSLServer.new(tcp_server, ssl_context)
+      server.start_immediately = true
+      server
+    end
+
+    private
+
+    # Build an OpenSSL::SSL::SSLContext object from the configuration passed to the initializer
+    #
+    # @return [OpenSSL::SSL::SSLContext] SSL context for the server config
+    def ssl_context
+      context = OpenSSL::SSL::SSLContext.new
+      context.cert = OpenSSL::X509::Certificate.new(configuration.tls_certificate)
+      context.key = OpenSSL::PKey::RSA.new(configuration.tls_key)
+      context.ssl_version = configuration.tls_version.to_sym
+      context
+    end
+
+    # Check the configuration parameters for TLS are correct
+    #
+    # @raise [Uninterruptible::ConfigurationError] Correct options are not set for TLS
+    def check_configuration!
+      raise ConfigurationError, "TLS can only be used on TCP servers" unless configuration.bind.start_with?('tcp://')
+
+      empty = %i[tls_certificate tls_key].any? { |config_param| configuration.send(config_param).nil? }
+      raise ConfigurationError, "tls_certificate and tls_key must be set to use TLS" if empty
+    end
+  end
+end

data/lib/uninterruptible/version.rb

@@ -1,3 +1,3 @@
 module Uninterruptible
-  VERSION = "2.0.0"
+  VERSION = "2.1.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: uninterruptible
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Dan Wentworth
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-07-21 00:00:00.000000000 Z
+date: 2017-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -76,6 +76,8 @@ files:
 - lib/uninterruptible/binder.rb
 - lib/uninterruptible/configuration.rb
 - lib/uninterruptible/server.rb
+- lib/uninterruptible/ssl_extensions.rb
+- lib/uninterruptible/tls_server_factory.rb
 - lib/uninterruptible/version.rb
 - uninterruptible.gemspec
 homepage: https://github.com/darkphnx/uninterruptible