Implement HTTPI::Auth::SSL#ciphers configuration

savonrb · Dec 14, 2016 · 749bada · 749bada
1 parent 4aed534
commit 749bada
Show file tree

Hide file tree

Showing 13 changed files with 31 additions and 3 deletions.
diff --git a/Gemfile b/Gemfile
@@ -9,7 +9,7 @@ gem 'curb',                '~> 0.8',    :require => false, :platforms => :ruby
 gem 'em-http-request',                  :require => false, :platforms => [:ruby, :jruby]
 gem 'em-synchrony',                     :require => false, :platforms => [:ruby, :jruby]
 gem 'excon',               '~> 0.21',   :require => false, :platforms => [:ruby, :jruby]
-gem 'net-http-persistent', '~> 2.8',    :require => false
+gem 'net-http-persistent', '~> 3.0',    :require => false
 gem 'http',                             :require => false
 
 # coverage

diff --git a/lib/httpi/adapter/curb.rb b/lib/httpi/adapter/curb.rb
@@ -115,6 +115,7 @@ def setup_ssl_auth
           @client.cert_key = ssl.cert_key_file
           @client.cert = ssl.cert_file
           @client.certpassword = ssl.cert_key_password
+          @client.set(:ssl_cipher_list, ssl.ciphers.map(&:first).join(':')) if ssl.ciphers
 
           @client.ssl_verify_peer = ssl.verify_mode == :peer
         end

diff --git a/lib/httpi/adapter/excon.rb b/lib/httpi/adapter/excon.rb
@@ -71,6 +71,7 @@ def client_opts
           opts[:ssl_verify_peer] = false
         end
 
+        opts[:ciphers] = ssl.ciphers if ssl.ciphers
         opts[:ssl_version] = ssl.ssl_version if ssl.ssl_version
 
         opts

diff --git a/lib/httpi/adapter/http.rb b/lib/httpi/adapter/http.rb
@@ -55,6 +55,7 @@ def create_client
           context.key         = @request.auth.ssl.cert_key
           context.ssl_version = @request.auth.ssl.ssl_version if @request.auth.ssl.ssl_version != nil
           context.verify_mode = @request.auth.ssl.openssl_verify_mode
+          context.ciphers     = @request.auth.ssl.ciphers if @request.auth.ssl.ciphers
 
           client = ::HTTP::Client.new(:ssl_context => context)
         else

diff --git a/lib/httpi/adapter/httpclient.rb b/lib/httpi/adapter/httpclient.rb
@@ -72,6 +72,7 @@ def setup_ssl_auth
           # Send client-side certificate regardless of state of SSL verify mode
           @client.ssl_config.client_cert = ssl.cert
           @client.ssl_config.client_key = ssl.cert_key
+          @client.ssl_config.ciphers = ssl.ciphers if ssl.ciphers
 
           @client.ssl_config.verify_mode = ssl.openssl_verify_mode
         end

diff --git a/lib/httpi/adapter/net_http.rb b/lib/httpi/adapter/net_http.rb
@@ -166,6 +166,7 @@ def setup_ssl_auth
           # Send client-side certificate regardless of state of SSL verify mode
           @client.key = ssl.cert_key
           @client.cert = ssl.cert
+          @client.ciphers = ssl.ciphers if ssl.ciphers
 
           @client.verify_mode = ssl.openssl_verify_mode
         end

diff --git a/lib/httpi/adapter/net_http_persistent.rb b/lib/httpi/adapter/net_http_persistent.rb
@@ -12,7 +12,11 @@ class NetHTTPPersistent < NetHTTP
       private
 
       def create_client
-        Net::HTTP::Persistent.new thread_key
+        if Gem::Version.new(Net::HTTP::Persistent::VERSION) < Gem::Version.new('3.0.0')
+          Net::HTTP::Persistent.new thread_key
+        else
+          Net::HTTP::Persistent.new name: thread_key
+        end
       end
 
       def perform(http, http_request, &on_body)

diff --git a/lib/httpi/auth/ssl.rb b/lib/httpi/auth/ssl.rb
@@ -34,9 +34,19 @@ def present?
       # Accessor for the ca_path to validate SSL certificates.
       attr_accessor :ca_cert_path
 
-      # ertificate store holds trusted CA certificates used to verify peer certificates.
+      # Certificate store holds trusted CA certificates used to verify peer certificates.
       attr_accessor :cert_store
 
+      # Returns the available symmetric algorithms for encryption and decryption.
+      attr_reader :ciphers
+
+      # Sets the available symmetric algorithms for encryption and decryption.
+      def ciphers=(ciphers)
+        context = OpenSSL::SSL::SSLContext.new
+        context.ciphers = ciphers
+        @ciphers = context.ciphers
+      end
+
       # Returns the cert type to validate SSL certificates PEM|DER.
       def cert_type
         @cert_type ||= :pem

diff --git a/spec/httpi/adapter/curb_spec.rb b/spec/httpi/adapter/curb_spec.rb
@@ -280,6 +280,7 @@
           request.auth.ssl.cert_key_file = "spec/fixtures/client_key.pem"
           request.auth.ssl.cert_file = "spec/fixtures/client_cert.pem"
           request.auth.ssl.cert_key_password = 'example'
+          request.auth.ssl.ciphers = OpenSSL::Cipher.ciphers
           request
         end
 

diff --git a/spec/httpi/adapter/excon_spec.rb b/spec/httpi/adapter/excon_spec.rb
@@ -93,6 +93,7 @@
       it "works when no client cert is specified" do
         request = HTTPI::Request.new(@server.url)
         request.auth.ssl.ca_cert_file = IntegrationServer.ssl_ca_file
+        request.auth.ssl.ciphers = OpenSSL::Cipher.ciphers
 
         response = HTTPI.get(request, adapter)
         expect(response.body).to eq("get")
@@ -103,6 +104,7 @@
         request.auth.ssl.ca_cert_file = IntegrationServer.ssl_ca_file
         request.auth.ssl.cert_file = "spec/fixtures/client_cert.pem"
         request.auth.ssl.cert_key_file = "spec/fixtures/client_key.pem"
+        request.auth.ssl.ciphers = OpenSSL::Cipher.ciphers
 
         response = HTTPI.get(request, adapter)
         expect(response.body).to eq("get")
@@ -114,6 +116,7 @@
         request.auth.ssl.ca_cert_file = IntegrationServer.ssl_ca_file
         request.auth.ssl.cert = OpenSSL::X509::Certificate.new File.open("spec/fixtures/client_cert.pem").read
         request.auth.ssl.cert_key = OpenSSL::PKey.read File.open("spec/fixtures/client_key.pem").read
+        request.auth.ssl.ciphers = OpenSSL::Cipher.ciphers
 
         response = HTTPI.get(request, adapter)
         expect(response.body).to eq("get")

diff --git a/spec/httpi/adapter/http_spec.rb b/spec/httpi/adapter/http_spec.rb
@@ -91,6 +91,7 @@
       it "works when set up properly" do
         request = HTTPI::Request.new(@server.url)
         request.auth.ssl.ca_cert_file = IntegrationServer.ssl_ca_file
+        request.auth.ssl.ciphers = OpenSSL::Cipher.ciphers
 
         response = HTTPI.get(request, adapter)
         expect(response.body).to eq("get")

diff --git a/spec/httpi/adapter/httpclient_spec.rb b/spec/httpi/adapter/httpclient_spec.rb
@@ -133,12 +133,14 @@
       before do
         request.auth.ssl.cert_key_file = "spec/fixtures/client_key.pem"
         request.auth.ssl.cert_file = "spec/fixtures/client_cert.pem"
+        request.auth.ssl.ciphers = OpenSSL::Cipher.ciphers
       end
 
       it "send certificate regardless of state of SSL verify mode" do
         request.auth.ssl.verify_mode = :none
         ssl_config.expects(:client_cert=).with(request.auth.ssl.cert)
         ssl_config.expects(:client_key=).with(request.auth.ssl.cert_key)
+        ssl_config.expects(:ciphers=).with(request.auth.ssl.ciphers)
 
         adapter.request(:get)
       end
@@ -147,6 +149,7 @@
         ssl_config.expects(:client_cert=).with(request.auth.ssl.cert)
         ssl_config.expects(:client_key=).with(request.auth.ssl.cert_key)
         ssl_config.expects(:verify_mode=).with(request.auth.ssl.openssl_verify_mode)
+        ssl_config.expects(:ciphers=).with(request.auth.ssl.ciphers)
 
         adapter.request(:get)
       end

diff --git a/spec/httpi/adapter/net_http_persistent_spec.rb b/spec/httpi/adapter/net_http_persistent_spec.rb
@@ -86,6 +86,7 @@
       it "works when set up properly" do
         request = HTTPI::Request.new(@server.url)
         request.auth.ssl.ca_cert_file = IntegrationServer.ssl_ca_file
+        request.auth.ssl.ciphers = OpenSSL::Cipher.ciphers
 
         response = HTTPI.get(request, adapter)
         expect(response.body).to eq("get")