labria’s ruby blog

I wrote my first working bit of Erlang code. Wasn't much code, actually. Here it is:

 
<erl>
out(A) ->
    {ok, Challenge} = queryvar(A,"hub.challenge"),
    {html,io_lib:format('~s', [Challenge])}.
</erl>
 

Wow... my highlighter doesn't even support Erlang! now it does

This a complete and finished piece of code, yes. If you heard of PubSubHubbub — that's the code to confirm all subscriptions in async mode.

The funny thing about it is the amount of code I would user to do the same in Rails/Sinatra/Whatever + erb:

 
<%= params["hub.challenge"]%>
 

I recently found myself doing a wierd thing. While writing specs i add this spec to the end of the file:

 
it "should fail" do
  raise "foo"
end
 

The reason to do it? Simple: every time i have all the specs passing in the current file, autospec begins running all the specs in my project, breaking my red-green cycle for about 30 seconds. Adding a failing spec prevents it from doing it, and speeds up my work.

Am I doing something wrong?

They made it!
Phusion has released passenger with nginx support.
No more bloated apache installs, hooray!
I've been waiting for this since the day passenger was first released.
UPD: well, it has some issues as of now, but I'm sure it's all gonna be fixed soon enough!

Well, I made some progress and now the whole thing is a rails plugin, based on the restful_authentication one. You can get it here: git://github.com/labria/restful-authentication.git

The readme has all the info. If something is missing, not working or anything else, please tell me, it’s my first rails plugin ever. By the way if you even bother testing it or looking at the code, please leave me a comment.

Things to do yet:

• remove some hard-coded stuff.
• make certificate delivery more natural (if I happen to find a way to do it)
• dunno, I think much more will come up…

Well, I made it, kinda…

The code is still a awful mess, but it works. Some portions of the code and setup are dictated by my setup involving a nginx server. With apache it should be simpler, with lighttpd it wouldn’t work at all, as far as I know.

Anyway, this is the way it works. You go to the site with http and register. The modified restful_authentication plugin instantly generates your client certificate. You get by clicking a link in the p12 format. The signing (self-signed) certificate is generated with the first user certificate (i’ll move this to a rake task later). After installing the certificate you can go to the site with https (before installing it nginx would reject you and redirect you to the non-https version of the login page). Now, if you log out and go to the session/new page, your certificate gets checked and, if your user is found (he should be), you get logged in automagically. Not much, but it’s all it does.

Now, about the code. There is not much code, really. Everything works from a combination of the modded restful_authentication plugin and the QuickCert library. If someone will actually find the whole thing useful, i’ll repackage it as a restful_authentication plugin fork, with some rake tasks and generators, and stuff. The nginx server is configured to use a self-signed certificate for the SSL connection, and the app generated certificate to check client certificates, this way:

server {
    listen       443;
    server_name  ssltest.startika.com;
    ssl                  on;
    ssl_certificate      /u/stuff/CA/demoCA/private/server.crt;
    ssl_certificate_key  /u/stuff/CA/demoCA/private/server.key;
    ssl_client_certificate /u/apps/ssltest/current/cert/CA/cacert.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_session_timeout  5m;
    error_page 496 http://ssltest.startika.com/session/new;
    error_page 495 http://ssltest.startika.com/session/new;
    error_page 497 http://ssltest.startika.com/session/new;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;
    root   /u/apps/ssltest/current;
    location / {
      proxy_set_header X-Real-IP  $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-FORWARDED_PROTO https;
      proxy_set_header X-SSL_CLIENT_S_DN $ssl_client_s_dn;
      proxy_set_header X-SSL_PROTO $ssl_protocol;
      proxy_pass http://ssl_test;
      break;
  }
}

Well, if you want to see for yourself, just go to http://ssltest.startika.com/.

If you want to see the code (I’m ashamed of it, but it’s the only proof I have I actually made this), you can get it from github here: http://github.com/labria/rails-ssl-authentication/ (sorry for the mess, I’m quite a noob programmer yet…)

PS: If you will actually go and test the thing, don’t forget Safari has serious issues with certificates, better use Firefox =)

Well, I’ve made some progress at last. Now my test app lets you logon automatically if you happen to have a certificate whose name and email matches a user in the DB. Still, you have to have some certificate just to get to the site, but “a progress there is”.

Now I’ll try to figure out how to generate certificates for users (and the root cert too). The code is a mess, but it works, kinda.

UPD: wow! I just found http://segment7.net/projects/ruby/QuickCert/, it may save me 90% of the pain with the almost undocumented OpenSSL library!