
Fix JRuby ssl_cipher_list, add Puma::DSL.ssl_bind_str method (#2489)

Adds a class method to Puma::DSL that creates the ssl bind string.  The method should be used in CI for generating these strings.
This commit is contained in:
MSP-Greg 2020-11-27 09:40:26 -06:00 committed by GitHub
parent 441c474ec3
commit c3e97fc1da
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 94 additions and 20 deletions


@ -11,6 +11,7 @@
* Bugfixes
* Your bugfix goes here <Most recent on the top, like GitHub> (#Github Number)
* Fix JRuby handling in Puma::DSL#ssl_bind (#2489)
* control_cli.rb - all normal output should be to @stdout (#2487)
* Catch 'Error in reactor loop escaped: mode not supported for this object: r' (#2477)
* Ignore Rails' reaper thread (and any thread marked forksafe) for warning ([#2475])


@ -34,6 +34,34 @@ module Puma
class DSL
include ConfigDefault
# convenience method so logic can be used in CI
# @see ssl_bind
#
def self.ssl_bind_str(host, port, opts)
verify = opts.fetch(:verify_mode, 'none').to_s
tls_str =
if opts[:no_tlsv1_1] then '&no_tlsv1_1=true'
elsif opts[:no_tlsv1] then '&no_tlsv1=true'
else ''
end
ca_additions = "&ca=#{opts[:ca]}" if ['peer', 'force_peer'].include?(verify)
if defined?(JRUBY_VERSION)
ssl_cipher_list = opts[:ssl_cipher_list] ?
"&ssl_cipher_list=#{opts[:ssl_cipher_list]}" : nil
keystore_additions = "keystore=#{opts[:keystore]}&keystore-pass=#{opts[:keystore_pass]}"
"ssl://#{host}:#{port}?#{keystore_additions}#{ssl_cipher_list}" \
"&verify_mode=#{verify}#{tls_str}#{ca_additions}"
else
ssl_cipher_filter = opts[:ssl_cipher_filter] ?
"&ssl_cipher_filter=#{opts[:ssl_cipher_filter]}" : nil
"ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}" \
"#{ssl_cipher_filter}&verify_mode=#{verify}#{tls_str}#{ca_additions}"
end
end
def initialize(options, config)
@config = config
@options = options
@ -402,28 +430,15 @@ module Puma
# ssl_cipher_filter: cipher_filter, # optional
# verify_mode: verify_mode, # default 'none'
# }
# @example For JRuby additional keys are required: keystore & keystore_pass.
# @example For JRuby, two keys are required: keystore & keystore_pass.
# ssl_bind '127.0.0.1', '9292', {
# cert: path_to_cert,
# key: path_to_key,
# ssl_cipher_filter: cipher_filter, # optional
# verify_mode: verify_mode, # default 'none'
# keystore: path_to_keystore,
# keystore_pass: password
# keystore_pass: password,
# ssl_cipher_list: cipher_list, # optional
# verify_mode: verify_mode # default 'none'
# }
def ssl_bind(host, port, opts)
verify = opts.fetch(:verify_mode, 'none').to_s
no_tlsv1 = opts.fetch(:no_tlsv1, 'false')
no_tlsv1_1 = opts.fetch(:no_tlsv1_1, 'false')
ca_additions = "&ca=#{opts[:ca]}" if ['peer', 'force_peer'].include?(verify)
if defined?(JRUBY_VERSION)
keystore_additions = "keystore=#{opts[:keystore]}&keystore-pass=#{opts[:keystore_pass]}"
bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}&no_tlsv1_1=#{no_tlsv1_1}#{ca_additions}"
else
ssl_cipher_filter = "&ssl_cipher_filter=#{opts[:ssl_cipher_filter]}" if opts[:ssl_cipher_filter]
bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}#{ssl_cipher_filter}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}&no_tlsv1_1=#{no_tlsv1_1}#{ca_additions}"
end
bind self.class.ssl_bind_str(host, port, opts)
end
# Use +path+ as the file to store the server info state. This is
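Review bot: The `if`/`elsif` that builds `tls_str` in `Puma::DSL.ssl_bind_str` emits only one flag, so a config passing both `no_tlsv1: true` and `no_tlsv1_1: true` silently loses `&no_tlsv1=true`, whereas the `ssl_bind` body removed in the second hunk emitted both `no_tlsv1` and `no_tlsv1_1` keys unconditionally. Unless the binder treats `no_tlsv1_1` as implying `no_tlsv1` (this page does not show that), `tls_str = [('&no_tlsv1=true' if opts[:no_tlsv1]), ('&no_tlsv1_1=true' if opts[:no_tlsv1_1])].join` preserves both settings and still satisfies the new `test_ssl_bind_no_tlsv1_1` expectation. A related change in semantics: the old `opts.fetch(:no_tlsv1, 'false')` passed a string value through verbatim, while the new code tests truthiness, so a caller using the string `'false'` now gets `&no_tlsv1=true`; the `ssl_bind` doc example should state that these keys are booleans. The opts values (`cert`, `key`, `ca`, `keystore_pass`, cipher lists) are still interpolated into the query string without escaping, so a value containing `&`, `=` or `#` would split or truncate the bind string — pre-existing, but the new public method is where a `# values are not URI-escaped` note or `URI.encode_www_form_component` belongs. `class DSL` begins before the first hunk and continues past the second.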


@ -10,4 +10,18 @@ module SSLHelper
"key=#{@key}&cert=#{@cert}"
end
end
# sets and returns an opts hash for use with Puma::DSL.ssl_bind_str
def ssl_opts
@ssl_opts ||= if Puma.jruby?
@ssl_opts = {}
@ssl_opts[:keystore] = File.expand_path '../../examples/puma/keystore.jks', __dir__
@ssl_opts[:keystore_pass] = 'jruby_puma'
@ssl_opts[:ssl_cipher_list] = 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
else
@ssl_opts = {}
@ssl_opts[:cert] = File.expand_path '../../examples/puma/cert_puma.pem', __dir__
@ssl_opts[:key] = File.expand_path '../../examples/puma/puma_keypair.pem', __dir__
end
end
end
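Review bot: `ssl_opts` returns a String, not the options hash it documents, because the value of each `if` branch is the last element assignment (`@ssl_opts[:ssl_cipher_list] = ...` / `@ssl_opts[:key] = ...`), and `@ssl_opts ||= ...` then overwrites the hash built inside the branch with that string. Any caller doing `Puma::DSL.ssl_bind_str(host, port, ssl_opts)` would call `fetch`/`[]` on a String. Building each branch as a hash literal fixes the return value and removes the redundant inner assignments; `module SSLHelper` begins before this hunk.
```ruby
  # sets and returns an opts hash for use with Puma::DSL.ssl_bind_str
  def ssl_opts
    @ssl_opts ||= if Puma.jruby?
      {
        keystore: File.expand_path('../../examples/puma/keystore.jks', __dir__),
        keystore_pass: 'jruby_puma',
        ssl_cipher_list: 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
      }
    else
      {
        cert: File.expand_path('../../examples/puma/cert_puma.pem', __dir__),
        key: File.expand_path('../../examples/puma/puma_keypair.pem', __dir__)
      }
    end
  end
```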


@ -6,7 +6,6 @@ require_relative "helpers/config_file"
require "puma/configuration"
require 'puma/events'
class TestConfigFile < TestConfigFileBase
parallelize_me!
@ -74,7 +73,52 @@ class TestConfigFile < TestConfigFileBase
conf.load
ssl_binding = "ssl://0.0.0.0:9292?cert=/path/to/cert&key=/path/to/key&verify_mode=the_verify_mode&no_tlsv1=false&no_tlsv1_1=false"
ssl_binding = "ssl://0.0.0.0:9292?cert=/path/to/cert&key=/path/to/key&verify_mode=the_verify_mode"
assert_equal [ssl_binding], conf.options[:binds]
end
def test_ssl_bind_jruby
skip_unless :jruby
skip 'No ssl support' unless ::Puma::HAS_SSL
cipher_list = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
conf = Puma::Configuration.new do |c|
c.ssl_bind "0.0.0.0", "9292", {
keystore: "/path/to/keystore",
keystore_pass: "password",
ssl_cipher_list: cipher_list,
verify_mode: "the_verify_mode"
}
end
conf.load
ssl_binding = "ssl://0.0.0.0:9292?keystore=/path/to/keystore" \
"&keystore-pass=password&ssl_cipher_list=#{cipher_list}" \
"&verify_mode=the_verify_mode"
assert_equal [ssl_binding], conf.options[:binds]
end
def test_ssl_bind_no_tlsv1_1
skip_on :jruby
skip 'No ssl support' unless ::Puma::HAS_SSL
conf = Puma::Configuration.new do |c|
c.ssl_bind "0.0.0.0", "9292", {
cert: "/path/to/cert",
key: "/path/to/key",
verify_mode: "the_verify_mode",
no_tlsv1_1: true
}
end
conf.load
ssl_binding = "ssl://0.0.0.0:9292?cert=/path/to/cert&key=/path/to/key&verify_mode=the_verify_mode&no_tlsv1_1=true"
assert_equal [ssl_binding], conf.options[:binds]
end
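Review bot: `test_ssl_bind_no_tlsv1_1` pins only the single-flag case, and nothing in this hunk covers `no_tlsv1: true` on its own or both `no_tlsv1` and `no_tlsv1_1` together, which is exactly where `Puma::DSL.ssl_bind_str`'s `if`/`elsif` chooses one flag and drops the other. Adding a case that passes both keys and asserts the expected bind string would make the intended behaviour explicit instead of leaving it to the implementation. The JRuby test asserts the exact order `keystore`, `keystore-pass`, `ssl_cipher_list`, `verify_mode`, so any change to how `ssl_bind_str` assembles the query string has to be mirrored here; a short comment on `ssl_binding` noting that the order is significant would help the next edit. `class TestConfigFile` continues past the end of this hunk.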