
Version 1.0.1 of the AWS SDK for Ruby

1 parent 16894ff commit baafccd35f1cfb0f4ff72c4ed64120eae7221f83 amazonwebservices committed Jul 15, 2011
3,987 ca-bundle.crt
3,987 additions, 0 deletions not shown because the diff is too large. Please use a local Git client to view these changes.
2 lib/aws/base_client.rb
@@ -382,6 +382,8 @@ def client_request name, options, &block
http_request = new_request
http_request.host = endpoint
http_request.use_ssl = config.use_ssl?
+ http_request.ssl_verify_peer = config.ssl_verify_peer?
+ http_request.ssl_ca_file = config.ssl_ca_file
send("configure_#{name}_request", http_request, opts, &block)
http_request.headers["user-agent"] = user_agent_string
http_request.add_authorization!(signer)
12 lib/aws/common.rb
@@ -92,6 +92,18 @@ class << self
# values. This is primarily used for writing tests.
# @option options [Boolean] :use_ssl (true) When true, all requests are
# sent over SSL.
+ # @option options [Boolean] :ssl_verify_peer (true) True if the HTTPS
+ # client should validate the server certificate. *Note:* This
+ # option should only be used for diagnostic purposes; leaving
+ # this option set to +false+ exposes your application to
+ # man-in-the-middle attacks and can pose a serious security
+ # risk.
+ # @option options [String] :ssl_ca_file The path to a CA cert
+ # bundle in PEM format. If +:ssl_verify_peer+ is true (the
+ # default) this bundle will be used to validate the server
+ # certificate in each HTTPS request. The AWS SDK for Ruby ships
+ # with a CA cert bundle, which is the default value for this
+ # option.
# @option options [String] :user_agent_prefix (nil) A string prefix to
# append to all requets against AWS services. This should be set
# for clients and applications built ontop of the aws-sdk gem.
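Review bot: The `:ssl_verify_peer` text added in this hunk says "This option should only be used for diagnostic purposes", which reads as if the option itself were diagnostic-only even though its default is `true`; the warning is really about turning it off. I would reword it to `*Note:* Setting this option to +false+ should only be done for diagnostic purposes; it disables server certificate validation and exposes your application to man-in-the-middle attacks.` The same sentence appears in the `@note` above `ssl_verify_peer?` in lib/aws/configuration.rb and should get the same wording. It would also help to say that `:ssl_ca_file` is ignored when `:use_ssl` is false, which is what the HTTParty handler in this commit does. The option list this comment belongs to starts and ends outside the hunk.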
24 lib/aws/configuration.rb
@@ -83,6 +83,9 @@ def initialize options = {}
:stub_requests => false,
:use_ssl => true,
:user_agent_prefix => nil,
+ :ssl_verify_peer => true,
+ :ssl_ca_file => File.expand_path(File.dirname(__FILE__)+
+ "/../../ca-bundle.crt")
}
{
@@ -235,6 +238,27 @@ def s3_multipart_max_parts
@options[:s3_multipart_max_parts]
end
+ # @return [Boolean] True if the HTTPS client should validate the
+ # server certificate.
+ #
+ # @note This option should only be used for diagnostic purposes;
+ # leaving this option set to +false+ exposes your application to
+ # man-in-the-middle attacks and can pose a serious security
+ # risk.
+ def ssl_verify_peer?
+ @options[:ssl_verify_peer]
+ end
+
+ # @return [String] The path to a CA cert bundle in PEM format.
+ #
+ # If {#ssl_verify_peer?} is true (the default) this bundle will be
+ # used to validate the server certificate in each HTTPS request.
+ # The AWS SDK for Ruby ships with a CA cert bundle, which is the
+ # default value for this option.
+ def ssl_ca_file
+ @options[:ssl_ca_file]
+ end
+
# @private
def inspect
"<#{self.class}>"
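Review bot: `ssl_verify_peer?` in the second hunk returns `@options[:ssl_verify_peer]` unchanged, so a caller that passes `nil` for the option (for example from a missing key in a loaded settings hash) gets a falsy value and the handler then skips the CA file, turning verification off without anyone asking for it. Failing closed is safer: `@options[:ssl_verify_peer] != false` keeps verification on for everything except an explicit `false`. The reader `ssl_verify_peer?` added in lib/aws/http/request.rb has the same shape and returns `nil` for a request on which the writer was never called, so it should get the same treatment or a `true` default in the constructor, which is outside the visible hunk. How `initialize` merges caller options over the defaults in the first hunk is not shown, so confirm whether `nil` can actually reach `@options`.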
22 lib/aws/http/httparty_handler.rb
@@ -27,9 +27,18 @@ class NoOpParser < HTTParty::Parser
def handle(request, response)
- url = request.use_ssl? ?
- "https://#{request.host}:443#{request.uri}" :
- "http://#{request.host}#{request.uri}"
+ opts = {
+ :body => request.body,
+ :parser => NoOpParser
+ }
+
+ if request.use_ssl?
+ url = "https://#{request.host}:443#{request.uri}"
+ opts[:ssl_ca_file] = request.ssl_ca_file if
+ request.ssl_verify_peer?
+ else
+ url = "http://#{request.host}#{request.uri}"
+ end
# get, post, put, delete, head
method = request.http_method.downcase
@@ -43,11 +52,10 @@ def handle(request, response)
headers[key] = value.to_s
end
+ opts[:headers] = headers
+
begin
- http_response = self.class.send(method, url,
- :headers => headers,
- :body => request.body,
- :parser => NoOpParser)
+ http_response = self.class.send(method, url, opts)
rescue Timeout::Error => e
response.timeout = true
else
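Review bot: In the `if request.use_ssl?` branch of the first hunk, `opts[:ssl_ca_file]` is assigned whenever `ssl_verify_peer?` is true, even when `request.ssl_ca_file` is `nil` or names a missing file, and nothing else in `opts` asks for verification. Whether the peer certificate is then checked depends on how the HTTParty version in use treats an absent or empty `:ssl_ca_file`, which is not visible in this commit, so a misconfigured path could fail open. I would reject that state before the request is sent, e.g. `raise ArgumentError, "ssl_ca_file must be readable when ssl_verify_peer is true" unless request.ssl_ca_file && File.readable?(request.ssl_ca_file)`. The `ssl_verify_peer? == false` path likewise relies on the library default rather than stating the intent, which deserves a one-line comment. `handle` continues past the end of the second hunk.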
26 lib/aws/http/request.rb
@@ -61,6 +61,32 @@ def use_ssl?
@use_ssl
end
+ # @param [Boolean] verify_peer If the client should verify the
+ # peer certificate or not.
+ def ssl_verify_peer=(verify_peer)
+ @ssl_verify_peer = verify_peer
+ end
+
+ # @return [Boolean] If the client should verify the peer
+ # certificate or not.
+ def ssl_verify_peer?
+ @ssl_verify_peer
+ end
+
+ # @param [String] ca_file Path to a bundle of CA certs in PEM
+ # format; the HTTP handler should use this to verify all HTTPS
+ # requests if {#ssl_verify_peer?} is true.
+ def ssl_ca_file=(ca_file)
+ @ssl_ca_file = ca_file
+ end
+
+ # @return [String] Path to a bundle of CA certs in PEM format;
+ # the HTTP handler should use this to verify all HTTPS
+ # requests if {#ssl_verify_peer?} is true.
+ def ssl_ca_file
+ @ssl_ca_file
+ end
+
# Adds a request param.
#
# @overload add_param(param_name, param_value = nil)
27 spec/aws/configuration_spec.rb
@@ -371,6 +371,33 @@ class DummyClient; end
end
+ context '#ssl_verify_peer?' do
+
+ it 'defaults to true' do
+ config.ssl_verify_peer?.should == true
+ end
+
+ it 'can be set to false' do
+ config.with(:ssl_verify_peer => false).ssl_verify_peer?.should == false
+ end
+
+ end
+
+ context '#ssl_ca_file' do
+
+ it 'defaults to a readable file' do
+ File.readable?(config.ssl_ca_file).should be_true
+ File.read(config.ssl_ca_file).
+ should include("Bundle of CA Root Certificates")
+ end
+
+ it 'can be set to another path' do
+ config.with(:ssl_ca_file => "foobar.txt").
+ ssl_ca_file.should == "foobar.txt"
+ end
+
+ end
+
end
end
53 spec/aws/http/httparty_handler_spec.rb
@@ -20,6 +20,59 @@ module Http
let(:handler) { HTTPartyHandler.new }
+ context 'CA cert path' do
+
+ let(:req) do
+ r = Http::Request.new
+ r.host = "foo.bar.com"
+ r
+ end
+
+ let(:resp) { Http::Response.new }
+
+ let(:httparty_options) do
+ options = nil
+ HTTPartyHandler.should_receive(:post). with do |url, opts|
+ options = opts
+
+ double("http response",
+ :body => "<foo/>",
+ :code => 200,
+ :to_hash => {})
+ end
+ handler.handle(req, resp)
+ options
+ end
+
+ context 'use_ssl? is true' do
+
+ before(:each) { req.use_ssl = true }
+
+ context 'ssl_verify_peer? is true' do
+
+ before(:each) do
+ req.ssl_verify_peer = true
+ req.ssl_ca_file = "foobar.txt"
+ end
+
+ it 'should use the ssl_ca_file attribute of the request' do
+ httparty_options[:ssl_ca_file].should == "foobar.txt"
+ end
+
+ end
+
+ it 'should not set the ssl_ca_file option without ssl_verify_peer?' do
+ httparty_options.should_not include(:ssl_ca_file)
+ end
+
+ end
+
+ it 'should not set the ssl_ca_file option without use_ssl?' do
+ httparty_options.should_not include(:ssl_ca_file)
+ end
+
+ end
+
end
end
end
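Review bot: The two negative examples do not isolate the flag they name. 'should not set the ssl_ca_file option without ssl_verify_peer?' never sets `req.ssl_ca_file`, so it would still pass for a handler that forwards the CA path whenever one is present. 'should not set the ssl_ca_file option without use_ssl?' sets neither `ssl_verify_peer` nor a CA path, so it would pass for a handler that ignored `use_ssl?` entirely. Adding `req.ssl_verify_peer = false` and `req.ssl_ca_file = "foobar.txt"` to the first, and `req.ssl_verify_peer = true` with the same CA path to the second, makes each test fail for the right reason. None of these examples performs a handshake, so they show that the option is forwarded, not that an untrusted certificate is refused.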
28 spec/shared/aws_client_examples.rb
@@ -142,6 +142,34 @@ module AWS
end
+ it 'should set ssl_verify_peer to the current config ssl_verify_peer? value' do
+
+ ssl_verify_peer = double('ssl_peer_state')
+
+ ssl_peer_state = nil
+ new_client = client.with_http_handler{|request, response|
+ ssl_peer_state = request.ssl_verify_peer?
+ }
+ new_client.config.stub(:ssl_verify_peer?).and_return(ssl_verify_peer)
+ new_client.send(method, opts)
+ ssl_peer_state.should == ssl_verify_peer
+
+ end
+
+ it 'should set ssl_ca_file to the current config ssl_ca_file value' do
+
+ ssl_ca_file = double('ssl_ca_state')
+
+ ssl_ca_state = nil
+ new_client = client.with_http_handler{|request, response|
+ ssl_ca_state = request.ssl_ca_file
+ }
+ new_client.config.stub(:ssl_ca_file).and_return(ssl_ca_file)
+ new_client.send(method, opts)
+ ssl_ca_state.should == ssl_ca_file
+
+ end
+
it 'populates the response with the request options' do
resp = client.send(method, opts)
resp.request_options.should == opts
1 tasks/gems.rake
@@ -32,6 +32,7 @@ namespace :gems do
gem.add_dependency('json', '~> 1.4')
gem.files = FileList[
+ "ca-bundle.crt",
"rails/init.rb", # for compatability with older versions of rails
"lib/**/*.rb",
"lib/**/*.yml",
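Review bot: Adding `"ca-bundle.crt"` to `gem.files` makes a 3,987-line trust store part of every gem release, but nothing visible in the commit records where the bundle was generated from or when. Roots that are later distrusted stay trusted by the default `:ssl_ca_file` until users upgrade the gem. A comment next to this entry such as `# CA bundle: record source and generation date here; regenerate before each release`, plus a documented way to point `:ssl_ca_file` at the system store, would cover that. The `FileList` literal continues outside the hunk.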
2 tasks/version.rb
@@ -11,4 +11,4 @@
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
-VERSION = "1.0.0"
+VERSION = "1.0.1"
