RubyGems - uninterruptible - Versions diffs - 2.1.1 → 2.2.0 - Mend

uninterruptible 2.1.1 → 2.2.0

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 905016acd4ef03c5f1d79dbccf3ecadc05f1ddaa
-  data.tar.gz: e159d89a13a89205b3d8857fed0dbe4ad7c88a84
+  metadata.gz: 42e77ed731e5fa9282a2ae7976a81c8cebf3ca30
+  data.tar.gz: 7914f883f7209fabae8fb8a0e7309b76506f0e16
 SHA512:
-  metadata.gz: 41ea4dfb2f3dc629002f93487651c5c27fad342325ace3b944c8fdff6889b4d3999ae13cfb6ebc2cdbf67a40e2cc774045be935f7ddf4512971e063a8a247537
-  data.tar.gz: b617f8f6948fa5dc0f2fa01767ec9b4c1f660cb7958853fded530c8d244ac486394d64b8bf23be524bf3d0c563244ede00b9c22743528d6503549b201efe6b33
+  metadata.gz: 1c9d0f312b9d34745710d1c930bd275b633eb20d8b85ad387cf3b3bca75fa551189ac6a2291624a2f308a8cfcab70016411af6eccc7884cabf6ad3ff689e1990
+  data.tar.gz: 7ad3f76b3eb6fca1399aac4c9ba8554bf1677967ba5942d0917444eb0e6249ec44b198253a1d94dafe36419787d8a0ae5857863a7739c202b9aa8fd27c9692b0

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,9 @@
 # Changelog
+# 2.2.0
+* Verify client TLS certificates
+* Allow trusted client CA to be set
 # 2.1.1
 * Prevent bad SSL handshakes from crashing server

data/README.md CHANGED Viewed

@@ -67,6 +67,8 @@ echo_server.configure do |config|
   config.tls_version = 'TLSv1_2' # TLS version to use, defaults to TLSv1_2, falls back to ENV['TLS_VERSION']
   config.tls_key = nil # Private key to use for TLS, reads file from ENV['TLS_KEY'] if set
   config.tls_certificate = nil # Certificate to use for TLS, reads file from ENV['TLS_CERTIFICATE'] if set
+  config.verify_client_tls_certificate = false # Should client TLS certificates be required and verifiyed? Falls back to ENV['VERIFY_CLIENT_TLS_CERTIFICATE']
+  config.client_tls_certificate_ca = nil # Path to a trusted CA for client certificates. Implies `config.verify_client_tls_certificate = true`. Falls back to ENV['CLIENT_TLS_CERTIFICATE_CA']
 end
 ```

data/lib/uninterruptible/configuration.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Uninterruptible
     AVAILABLE_SSL_VERSIONS = %w[TLSv1_1 TLSv1_2].freeze
     attr_writer :bind, :bind_port, :bind_address, :pidfile_path, :start_command, :log_path, :log_level, :tls_version,
-      :tls_key, :tls_certificate
+      :tls_key, :tls_certificate, :verify_client_tls_certificate, :client_tls_certificate_ca
     # Available TCP Port for the server to bind to (required). Falls back to environment variable PORT if set.
     #
@@ -81,5 +81,18 @@ module Uninterruptible
     def tls_certificate
       @tls_certificate || (ENV['TLS_CERTIFICATE'] ? File.read(ENV['TLS_CERTIFICATE']) : nil)
     end
+    # Should the client be required to present it's own SSL Certificate? Set #verify_client_tls_certificate to true,
+    # or environment variable VERIFY_CLIENT_TLS_CERTIFICATE to enable
+    def verify_client_tls_certificate?
+      @verify_client_tls_certificate == true || !ENV['VERIFY_CLIENT_TLS_CERTIFICATE'].nil? ||
+        !client_tls_certificate_ca.nil?
+    end
+    # Validate any connecting clients against a specific CA. If environment variable CLIENT_TLS_CERTIFICATE_CA is set,
+    # attempt to read from that file. Setting this enables #verify_client_tls_certificate?
+    def client_tls_certificate_ca
+      @client_tls_certificate_ca || ENV['CLIENT_TLS_CERTIFICATE_CA']
+    end
   end
 end

data/lib/uninterruptible/tls_server_factory.rb CHANGED Viewed

@@ -33,6 +33,12 @@ module Uninterruptible
       context.cert = OpenSSL::X509::Certificate.new(configuration.tls_certificate)
       context.key = OpenSSL::PKey::RSA.new(configuration.tls_key)
       context.ssl_version = configuration.tls_version.to_sym
+      if configuration.verify_client_tls_certificate?
+        context.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      end
+      context.ca_file = configuration.client_tls_certificate_ca if configuration.client_tls_certificate_ca
       context
     end

data/lib/uninterruptible/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Uninterruptible
-  VERSION = "2.1.1"
+  VERSION = "2.2.0".freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: uninterruptible
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.2.0
 platform: ruby
 authors:
 - Dan Wentworth
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-08-14 00:00:00.000000000 Z
+date: 2017-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler