labria’s ruby blog

Well, I made some progress and now the whole thing is a rails plugin, based on the restful_authentication one. You can get it here: git://github.com/labria/restful-authentication.git

The readme has all the info. If something is missing, not working or anything else, please tell me, it’s my first rails plugin ever. By the way if you even bother testing it or looking at the code, please leave me a comment.

Things to do yet:

• remove some hard-coded stuff.
• make certificate delivery more natural (if I happen to find a way to do it)
• dunno, I think much more will come up…

Well, I made it, kinda…

The code is still a awful mess, but it works. Some portions of the code and setup are dictated by my setup involving a nginx server. With apache it should be simpler, with lighttpd it wouldn’t work at all, as far as I know.

Anyway, this is the way it works. You go to the site with http and register. The modified restful_authentication plugin instantly generates your client certificate. You get by clicking a link in the p12 format. The signing (self-signed) certificate is generated with the first user certificate (i’ll move this to a rake task later). After installing the certificate you can go to the site with https (before installing it nginx would reject you and redirect you to the non-https version of the login page). Now, if you log out and go to the session/new page, your certificate gets checked and, if your user is found (he should be), you get logged in automagically. Not much, but it’s all it does.

Now, about the code. There is not much code, really. Everything works from a combination of the modded restful_authentication plugin and the QuickCert library. If someone will actually find the whole thing useful, i’ll repackage it as a restful_authentication plugin fork, with some rake tasks and generators, and stuff. The nginx server is configured to use a self-signed certificate for the SSL connection, and the app generated certificate to check client certificates, this way:

server {
    listen       443;
    server_name  ssltest.startika.com;
    ssl                  on;
    ssl_certificate      /u/stuff/CA/demoCA/private/server.crt;
    ssl_certificate_key  /u/stuff/CA/demoCA/private/server.key;
    ssl_client_certificate /u/apps/ssltest/current/cert/CA/cacert.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_session_timeout  5m;
    error_page 496 http://ssltest.startika.com/session/new;
    error_page 495 http://ssltest.startika.com/session/new;
    error_page 497 http://ssltest.startika.com/session/new;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;
    root   /u/apps/ssltest/current;
    location / {
      proxy_set_header X-Real-IP  $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-FORWARDED_PROTO https;
      proxy_set_header X-SSL_CLIENT_S_DN $ssl_client_s_dn;
      proxy_set_header X-SSL_PROTO $ssl_protocol;
      proxy_pass http://ssl_test;
      break;
  }
}

Well, if you want to see for yourself, just go to http://ssltest.startika.com/.

If you want to see the code (I’m ashamed of it, but it’s the only proof I have I actually made this), you can get it from github here: http://github.com/labria/rails-ssl-authentication/ (sorry for the mess, I’m quite a noob programmer yet…)

PS: If you will actually go and test the thing, don’t forget Safari has serious issues with certificates, better use Firefox =)

Well, I’ve made some progress at last. Now my test app lets you logon automatically if you happen to have a certificate whose name and email matches a user in the DB. Still, you have to have some certificate just to get to the site, but “a progress there is”.

Now I’ll try to figure out how to generate certificates for users (and the root cert too). The code is a mess, but it works, kinda.

UPD: wow! I just found http://segment7.net/projects/ruby/QuickCert/, it may save me 90% of the pain with the almost undocumented OpenSSL library!

Sometimes you don’t want to reveal the real id of the object in the system to the user for some reason. For example, you don’t want to reveal the number of items in the system, or let the user view all of them by simply changing the id in the address.

The most obvious and easy way to do it is to generate a fake id for the object and use it instead. Lets say we have a model named Foo and you want it to have a fake id. Here’s the code for it:

 
class Foo < ActiveRecord::Base
  before_validation_on_create :generate_fake_id
 
  def to_param
    fake_id
  end
 
protected
  def generate_fake_id
    string = random_string
    while Foo.find_by_fake_id(string)
      string = random_string
    end
    self.fake_id = string
  end
 
  def random_string(size = 8)
    chars = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a)
    (1..size).collect{|a| chars[rand(chars.size)] }.join
  end
end
 

Now, when you create a Foo with for example “Foo.create(:name => ‘first foo’)”, the model generates a random string of 8 characters and stores it in fake_id. The fake id is only generated once, on creation, so it’s not changed later on. Now, for the helpers. Suppose you have map.resources :foos in your routes.rb. The helper you user before, foo_path(@foo) now generates a url with the fake id (foos/Hd45jdg3), because of the to_param method. All you have to do, is to change your foos_controller this way:

 
class FoosController < ApplicationController
  def show
    @foo = Foo.find_by_fake_id(params[:id])
  end
end
 

The uniqueness of the fake_id is guarantied by the Foo.find_by_fake_id call in the generate_fake_id method. Yes, it does add an extra query to the database, but it’s not really impaction performance much unless you are generating a lot of objects all of the time. You can change the way the fake id looks like by modifying the array used in random_string. For example if you want to eliminate symbols that look much alike you can have it this way:

 
def random_string(size = 8)
   chars = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a) - %w(i o 0 1 l O)
   (1..size).collect{|a| chars[rand(chars.size)] }.join
end
 

And also: don’t forget to add the fake_id field to the table in the database.