Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support localhost integration in ssl_bind #2711

Closed
wants to merge 4 commits into from
Closed

Support localhost integration in ssl_bind #2711

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e3a05b0
Support localhost integratin in ssl_bind
Sep 23, 2021
2f41a31
Feedback changes
Oct 1, 2021
1d3f775
Add test
Oct 4, 2021
33cc92a
Update tests
Oct 4, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 5 additions & 25 deletions lib/puma/binder.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,6 @@ def initialize(events, conf = Configuration.new)

@envs = {}
@ios = []
localhost_authority
end

attr_reader :ios
Expand Down Expand Up @@ -229,11 +228,6 @@ def parse(binds, logger, log_msg = 'Listening')

params = Util.parse_query uri.query

# If key and certs are not defined and localhost gem is required.
# localhost gem will be used for self signed
# Load localhost authority if not loaded.
ctx = localhost_authority && localhost_authority_context if params.empty?

ctx ||= MiniSSL::ContextBuilder.new(params, @events).context

if fd = @inherited_fds.delete(str)
Expand All @@ -246,9 +240,11 @@ def parse(binds, logger, log_msg = 'Listening')
ios_len = @ios.length
io = add_ssl_listener uri.host, uri.port, ctx

uri_query = params.map { |k, v| "#{k}=#{v}" }.join('&')

@ios[ios_len..-1].each do |i|
addr = loc_addr_str i
logger.log "* #{log_msg} on ssl://#{addr}?#{uri.query}"
logger.log "* #{log_msg} on ssl://#{addr}?#{uri_query}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why change this? Looks to me like uri.query is still available?

Copy link
Contributor Author

@rodzyn rodzyn Oct 2, 2021
edited by dentarg
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So uri.query as uri comes from

puma/lib/puma/dsl.rb

Lines 66 to 67 in 20dc923

"ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}" \
"#{ssl_cipher_filter}&verify_mode=#{verify}#{tls_str}#{ca_additions}#{v_flags}"
(where there is no possibility to detect localhost gem, that was in my try in the first attempt) so it gets the URI with empty key and cert values (&key=&cert=).
These empty values are transformed to Hash and stored in params variable here

puma/lib/puma/binder.rb

Line 230 in 20dc923

params = Util.parse_query uri.query
, and then the current implementation is transforming them (default localhost gem paths). In the end only params is "enriched" by new values, thus I'm transforming it back from Hash to String

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the end only params is "enriched" by new values

I think we should have a comment about this somewhere, to help future readers understand that directly (I didn't know either), maybe where uri_query is defined or where params is passed to MiniSSL::ContextBuilder.new. WDYT?

Just mentioning this, not sure what we can do right now about it: there's another PR (#2728) changing code related to this, see https://github.com/puma/puma/pull/2728/files#diff-b771cc8da488f9700644eadd48510a23b1c2d5a7776dbc983eae1d2338536fd7. If I understand things correctly, with both these changes as-is, we would be logging cert_pem and cert_key if you are using the functionality added in #2728. I guess it would be up to the PR that's merged last to deal with that :) cc @dalibor

Copy link
Contributor Author

@rodzyn rodzyn Oct 29, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank @dentarg for bringing up #2728, it looks like really nice work, so I'll probably wait for that to be merged, and rebase that PR on these changes. I'm not sure if that will fix this workaround here, I'll need to dive again into this ;)

end
end

Expand Down Expand Up @@ -292,22 +288,6 @@ def parse(binds, logger, log_msg = 'Listening')
end
end

def localhost_authority
@localhost_authority ||= Localhost::Authority.fetch if defined?(Localhost::Authority) && !Puma::IS_JRUBY
end

def localhost_authority_context
return unless localhost_authority

key_path, crt_path = if [:key_path, :certificate_path].all? { |m| localhost_authority.respond_to?(m) }
[localhost_authority.key_path, localhost_authority.certificate_path]
else
local_certificates_path = File.expand_path("~/.localhost")
[File.join(local_certificates_path, "localhost.key"), File.join(local_certificates_path, "localhost.crt")]
end
MiniSSL::ContextBuilder.new({ "key" => key_path, "cert" => crt_path }, @events).context
end

# Tell the server to listen on host +host+, port +port+.
# If +optimize_for_latency+ is true (the default) then clients connecting
# will be optimized for latency over throughput.
Expand Down Expand Up @@ -348,7 +328,7 @@ def add_ssl_listener(host, port, ctx,

raise "Puma compiled without SSL support" unless HAS_SSL
# Puma will try to use local authority context if context is supplied nil
ctx ||= localhost_authority_context
ctx ||= MiniSSL::ContextBuilder.new({}, @events).context

if host == "localhost"
loopback_addresses.each do |addr|
Expand Down Expand Up @@ -377,7 +357,7 @@ def add_ssl_listener(host, port, ctx,
def inherit_ssl_listener(fd, ctx)
raise "Puma compiled without SSL support" unless HAS_SSL
# Puma will try to use local authority context if context is supplied nil
ctx ||= localhost_authority_context
ctx ||= MiniSSL::ContextBuilder.new({}, @events).context

s = fd.kind_of?(::TCPServer) ? fd : ::TCPServer.for_fd(fd)

Expand Down
9 changes: 8 additions & 1 deletion lib/puma/dsl.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -439,6 +439,12 @@ def threads(min, max)
# Instead of `bind 'ssl://127.0.0.1:9292?key=key_path&cert=cert_path'` you
# can also use the this method.
#
# When binding on localhost you don't need to specify cert and key - it will assume you are
# using localhost gem and will try to load appropriate files for you
#
# @example
# ssl_bind '127.0.0.1', '9292'
#
# @example
# ssl_bind '127.0.0.1', '9292', {
# cert: path_to_cert,
Expand All @@ -454,7 +460,8 @@ def threads(min, max)
# ssl_cipher_list: cipher_list, # optional
# verify_mode: verify_mode # default 'none'
# }
def ssl_bind(host, port, opts)
#
def ssl_bind(host, port, opts = {})
bind self.class.ssl_bind_str(host, port, opts)
end

Expand Down
31 changes: 27 additions & 4 deletions lib/puma/minissl/context_builder.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,21 @@ def initialize(params, events)
@events = events
end

def localhost_authority
@localhost_authority ||= Localhost::Authority.fetch if defined?(Localhost::Authority) && !Puma::IS_JRUBY
end

def localhost_authority_context
return unless localhost_authority

key_path, crt_path = if [:key_path, :certificate_path].all? { |m| localhost_authority.respond_to?(m) }
[localhost_authority.key_path, localhost_authority.certificate_path]
else
local_certificates_path = File.expand_path("~/.localhost")
[File.join(local_certificates_path, "localhost.key"), File.join(local_certificates_path, "localhost.crt")]
end
end

def context
ctx = MiniSSL::Context.new

Expand All @@ -23,14 +38,22 @@ def context
ctx.keystore_pass = params['keystore-pass']
ctx.ssl_cipher_list = params['ssl_cipher_list'] if params['ssl_cipher_list']
else
unless params['key']
events.error "Please specify the SSL key via 'key='"
if params['key'].nil? || params['key'] == ""
if localhost_authority
params['key'] = localhost_authority_context[0]
else
events.error "Please specify the SSL key via 'key='"
end
end

ctx.key = params['key']

unless params['cert']
events.error "Please specify the SSL cert via 'cert='"
if params['cert'].nil? || params['cert'] == ""
if localhost_authority
params['cert'] = localhost_authority_context[1]
else
events.error "Please specify the SSL cert via 'cert='"
end
end

ctx.cert = params['cert']
Expand Down
52 changes: 38 additions & 14 deletions test/test_integration_ssl.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,18 +15,10 @@ class TestIntegrationSSL < TestIntegration
require "net/http"
require "openssl"

def teardown
@server.close unless @server.closed?
@server = nil
super
end

def generate_config(opts = nil)
def setup
@bind_port = UniquePort.call
@control_tcp_port = UniquePort.call

config = <<RUBY
#{opts}
@default_config = <<RUBY
if ::Puma.jruby?
keystore = '#{File.expand_path '../examples/puma/keystore.jks', __dir__}'
keystore_pass = 'jruby_puma'
Expand Down Expand Up @@ -54,14 +46,35 @@ def generate_config(opts = nil)
end
RUBY

@localhost_config = <<RUBY
require 'localhost/authority'
rodzyn marked this conversation as resolved.
Show resolved Hide resolved

ssl_bind '#{HOST}', '#{@bind_port}'

activate_control_app 'tcp://#{HOST}:#{@control_tcp_port}', { auth_token: '#{TOKEN}' }

app do |env|
[200, {}, [env['rack.url_scheme']]]
end
RUBY

super
end

def teardown
@server.close unless @server.closed?
@server = nil
super
end

def generate_config(config)
config_file = Tempfile.new %w(config .rb)
config_file.write config
config_file.write(config)
config_file.close
config_file.path
end

def start_server(opts = nil)
cmd = "#{BASE} bin/puma -C #{generate_config opts}"
def start_server(cmd)
@server = IO.popen cmd, 'r'
wait_for_server_to_boot
@pid = @server.pid
Expand All @@ -81,12 +94,23 @@ def stop_server

def test_ssl_run
body = nil
start_server
start_server("#{BASE} bin/puma -C #{generate_config(@default_config)}")
@http.start do
req = Net::HTTP::Get.new '/', {}
@http.request(req) { |resp| body = resp.body }
end
assert_equal 'https', body
stop_server
end

def test_ssl_run_with_localhost_authority
body = nil
start_server("#{BASE} bin/puma -C #{generate_config(@localhost_config)}")
@http.start do
req = Net::HTTP::Get.new '/', {}
@http.request(req) { |resp| body = resp.body }
end
assert_equal 'https', body
stop_server
end unless ::Puma::IS_JRUBY
rodzyn marked this conversation as resolved.
Show resolved Hide resolved
end if ::Puma::HAS_SSL