Fail hard if SSL certs or keys cannot be read by user #2847

merged 2 commits into from Apr 2, 2022
13 changes: 9 additions & 4 deletions lib/puma/minissl.rb
Expand Up @@ -214,14 +214,19 @@ def initialize
@cert_pem = nil
end

def check_file(file, desc)
raise ArgumentError, "#{desc} file '#{file}' does not exist" unless File.exist? file
raise ArgumentError, "#{desc} file '#{file}' is not readable" unless File.readable? file
end

if IS_JRUBY
# jruby-specific Context properties: java uses a keystore and password pair rather than a cert/key pair
attr_reader :keystore
attr_accessor :keystore_pass
attr_accessor :ssl_cipher_list

def keystore=(keystore)
raise ArgumentError, "No such keystore file '#{keystore}'" unless File.exist? keystore
check_file keystore, 'Keystore'
@keystore = keystore
end

Expand All @@ -240,17 +245,17 @@ def check
attr_accessor :verification_flags

def key=(key)
raise ArgumentError, "No such key file '#{key}'" unless File.exist? key
check_file key, 'Key'
@key = key
end

def cert=(cert)
raise ArgumentError, "No such cert file '#{cert}'" unless File.exist? cert
check_file cert, 'Cert'
@cert = cert
end

def ca=(ca)
raise ArgumentError, "No such ca file '#{ca}'" unless File.exist? ca
check_file ca, 'ca'
@ca = ca
end

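Review bot: `check_file` at the top of the hunk still accepts a directory, since `File.exist?` and `File.readable?` both return true for a readable directory, so a mistyped path that names a directory passes the new check and only fails later, when the PEM is loaded, with a less specific error; a third guard such as `raise ArgumentError, "#{desc} file '#{file}' is not a regular file" unless File.file? file` would keep the fail-early behaviour this change is after. `File.readable?` also answers for the effective uid at configuration time, so if the process drops privileges after the context is built the check may not reflect the user that actually opens the file — worth a one-line comment above the method. The `ca=` setter passes `'ca'` where the other setters pass `'Keystore'`, `'Key'` and `'Cert'`, which produces the oddly cased message `ca file '…' is not readable`; `'CA'` would match the rest (the new test in test_minissl.rb asserts the lowercase form and would need the same change). `check_file` carries no visibility marker in the hunk; if it lands in Context's public section it is probably meant to be `private`. The enclosing class continues outside the hunk.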
50 changes: 47 additions & 3 deletions test/test_minissl.rb
Expand Up @@ -9,21 +9,54 @@ def test_raises_with_invalid_keystore_file
ctx = Puma::MiniSSL::Context.new

exception = assert_raises(ArgumentError) { ctx.keystore = "/no/such/keystore" }
assert_equal("No such keystore file '/no/such/keystore'", exception.message)
assert_equal("Keystore file '/no/such/keystore' does not exist", exception.message)
end

def test_raises_with_unreadable_keystore_file
ctx = Puma::MiniSSL::Context.new

File.stub(:exist?, true) do
File.stub(:readable?, false) do
exception = assert_raises(ArgumentError) { ctx.keystore = "/unreadable/keystore" }
assert_equal("Keystore file '/unreadable/keystore' is not readable", exception.message)
end
end
end
else
def test_raises_with_invalid_key_file
ctx = Puma::MiniSSL::Context.new

exception = assert_raises(ArgumentError) { ctx.key = "/no/such/key" }
assert_equal("No such key file '/no/such/key'", exception.message)
assert_equal("Key file '/no/such/key' does not exist", exception.message)
end

def test_raises_with_unreadable_key_file
ctx = Puma::MiniSSL::Context.new

File.stub(:exist?, true) do
File.stub(:readable?, false) do
exception = assert_raises(ArgumentError) { ctx.key = "/unreadable/key" }
assert_equal("Key file '/unreadable/key' is not readable", exception.message)
end
end
end

def test_raises_with_invalid_cert_file
ctx = Puma::MiniSSL::Context.new

exception = assert_raises(ArgumentError) { ctx.cert = "/no/such/cert" }
assert_equal("No such cert file '/no/such/cert'", exception.message)
assert_equal("Cert file '/no/such/cert' does not exist", exception.message)
end

def test_raises_with_unreadable_cert_file
ctx = Puma::MiniSSL::Context.new

File.stub(:exist?, true) do
File.stub(:readable?, false) do
exception = assert_raises(ArgumentError) { ctx.key = "/unreadable/cert" }
assert_equal("Key file '/unreadable/cert' is not readable", exception.message)
end
end
end

def test_raises_with_invalid_key_pem
Expand All @@ -33,6 +66,17 @@ def test_raises_with_invalid_key_pem
assert_equal("'key_pem' is not a String", exception.message)
end

def test_raises_with_unreadable_ca_file
ctx = Puma::MiniSSL::Context.new

File.stub(:exist?, true) do
File.stub(:readable?, false) do
exception = assert_raises(ArgumentError) { ctx.ca = "/unreadable/cert" }
assert_equal("ca file '/unreadable/cert' is not readable", exception.message)
end
end
end

def test_raises_with_invalid_cert_pem
ctx = Puma::MiniSSL::Context.new

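Review bot: `test_raises_with_unreadable_cert_file` exercises the key setter, not the cert setter: its body assigns `ctx.key = "/unreadable/cert"` and asserts the `Key file … is not readable` message, so the unreadable-cert path of `cert=` is never covered despite the test's name. The two lines should read `exception = assert_raises(ArgumentError) { ctx.cert = "/unreadable/cert" }` and `assert_equal("Cert file '/unreadable/cert' is not readable", exception.message)`. `test_raises_with_unreadable_ca_file` likewise stubs with the path `"/unreadable/cert"`; `"/unreadable/ca"` would make a failure message point at the right setter. The hunk adds no does-not-exist test for `ca=`, which as far as the hunk shows is the only setter without one, though such a test may exist outside the visible lines. The stubs replace `File.exist?` and `File.readable?` process-wide for the block, which is fine here because nothing else touches the filesystem inside it, but a comment saying so would help the next person who adds a fixture read to these tests.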