Merge pull request #5 from klyonrad/feature/ssl-security-in-http-helper

Enable SSL certificate check in http helper

Author: ncreuschling

.rubocop.yml

@@ -1,4 +1,5 @@
 AllCops:
+  TargetRubyVersion: 2.2
   Exclude:
     - 'tmp/**/*'
     - 'spec/fixtures/application/htdocs/stylesheets/**/config.rb'

Berksfile.lock

@@ -18,6 +18,7 @@ GRAPH
     mysql (~> 6.1)
     mysql2_chef_gem (~> 1.0)
     php (~> 1.9)
+    ssl_certificate (~> 1.12.0)
   iis (4.1.7)
     windows (>= 1.34.6)
   mariadb (0.3.1)
@@ -49,6 +50,7 @@ GRAPH
     windows (>= 1.2.2)
   smf (2.2.8)
     rbac (>= 1.0.1)
+  ssl_certificate (1.12.0)
   windows (1.40.0)
     chef_handler (>= 0.0.0)
   xml (2.0.0)

CHANGELOG.md

@@ -2,10 +2,25 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [Unreleased]: https://github.com/dkdeploy/dkdeploy-php/compare/master...develop
+
+### Added
+
+- `:ssl_verify_mode` for server properties, which takes SSL verify_mode constants (`OpenSSL::SSL::VERIFY_NONE`)
+
+### Changed
+
+- `Dkdeploy::Php::Helpers::Http::http_get_with_redirect` gets arguments as options hash now
+
+### Fixed
+
+- remove SSL certificate bypassing in http helper #5
+
+
 ## [7.0.0] - 2016-07-01
 ### Summary
 
 - first public release
 
-[Unreleased]: https://github.com/dkdeploy/dkdeploy-php/compare/master...develop
+
 [7.0.0]: https://github.com/dkdeploy/dkdeploy-php/releases/tag/v7.0.0

config/vm/cookbooks/dkdeploy-php/metadata.rb

@@ -10,3 +10,4 @@
 depends 'apache2', '~> 3.2'
 depends 'php', '~> 1.9'
 depends 'apt', '~> 3.0'
+depends 'ssl_certificate', '~> 1.12.0'

config/vm/cookbooks/dkdeploy-php/recipes/default.rb

@@ -56,16 +56,22 @@
 # Apache
 include_recipe 'apache2'
 include_recipe 'apache2::mod_php5'
+include_recipe 'apache2::mod_ssl'
 
 # install apache2-utils. It is needed for the assets:add_htpasswd task
 package 'apache2-utils' do
   action :install
 end
 
+ssl_key_path = '/var/www/dkdeploy.key'
+ssl_cert_path = '/var/www/dkdeploy.pem'
+
 web_app 'dkdeploy-php.dev' do
   server_name 'dkdeploy-php.dev'
   server_aliases ['second-dkdeploy-php.dev']
   docroot '/var/www/dkdeploy/current/'
+  key_path ssl_key_path
+  cert_path ssl_cert_path
   template 'web_app.conf.erb'
 end
 
@@ -75,3 +81,13 @@
   mode '0770'
   action :create
 end
+
+ssl_certificate 'dkdeploy-php.dev' do
+  key_path ssl_key_path
+  key_mode 00755
+  cert_path ssl_cert_path
+  domain 'dkdeploy-php.dev'
+  organization 'dkdeploy'
+  email 'offical@example.com'
+  notifies :restart, 'service[apache2]'
+end

config/vm/cookbooks/dkdeploy-php/templates/default/web_app.conf.erb

@@ -26,3 +26,38 @@
   php_admin_value realpath_cache_ttl 0
   php_admin_value realpath_cache_size 0k
 </VirtualHost>
+
+<VirtualHost *:443>
+  ServerName <%= @params[:server_name] %>
+  ServerAlias <%= @params[:server_aliases].join(' ') %>
+  DocumentRoot <%= @params[:docroot] %>
+  RewriteEngine On
+
+  <Directory <%= @params[:docroot] %>>
+    Options FollowSymLinks
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  <Directory />
+  Options FollowSymLinks
+  AllowOverride None
+  </Directory>
+
+  <IfModule mod_ssl.c>
+    SSLEngine on
+    SSLCertificateFile <%= @params[:cert_path] %>
+    SSLCertificateKeyFile <%= @params[:key_path] %>
+  </IfModule>
+
+  LogLevel info
+  ErrorLog <%= node[:apache][:log_dir] %>/<%= @params[:name] %>-error.log
+  CustomLog <%= node[:apache][:log_dir] %>/<%= @params[:name] %>-access.log combined
+
+  RewriteEngine On
+  LogLevel info rewrite:trace2 alias:debug
+
+  # Deactivate php realpath cache
+  php_admin_value realpath_cache_ttl 0
+  php_admin_value realpath_cache_size 0k
+</VirtualHost>

features/php.feature

@@ -42,3 +42,18 @@ Feature: Test tasks for namespace 'php'
 		And I extend the development capistrano configuration from the fixture file server_with_faulty_domain_configuration.rb
 		When I run `cap dev php:clear_opcache`
 		Then the exit status should not be 0
+
+	Scenario: Clear APC via HTTPS
+		Given a directory named "temp"
+		And I extend the development capistrano configuration from the fixture file server_with_ssl.rb
+	    And I inject the root SSL certificate
+		When I run `cap dev php:clear_apc_cache`
+		Then the exit status should be 0
+		And the output should contain "200 - OK"
+
+	Scenario: Clear APC via HTTPS and failing SSL certificate
+		Given a directory named "temp"
+		And I extend the development capistrano configuration from the fixture file server_with_ssl.rb
+		When I run `cap dev php:clear_apc_cache`
+		Then the exit status should not be 0
+		And the output should contain "certificate verify failed"

features/support/step_definitions/steps.rb

@@ -1,6 +1,7 @@
 require 'erb'
 require 'ostruct'
 
+include Dkdeploy::TestEnvironment::Constants # to get access to test_app_path method
 # Creates an empty doctrine migration with a given migration version and basic content
 #
 # @yieldparam migration_version [String] the 14 digits migration number
@@ -13,3 +14,13 @@ def context_object.binding_for_erb
   empty_doctrine_migration_template = ERB.new File.read(empty_doctrine_migration_template_path)
   write_file file_path, empty_doctrine_migration_template.result(context_object.binding_for_erb)
 end
+
+Given(/^I set relative to current path the environment variable "(.*)" to "(.*)"/) do |variable, value|
+  set_environment_variable(variable.to_s, test_app_path + value.to_s)
+end
+
+# injects the self-signed certificate into environment variables to simulate a valid certificate
+Given('I inject the root SSL certificate') do
+  steps 'When I run `cap dev utils:download_file[../../../dkdeploy.pem]`
+         Given I set relative to current path the environment variable "SSL_CERT_FILE" to "/temp/dkdeploy.dkdeploy-php.dev.pem"'
+end

lib/dkdeploy/php/helpers/http.rb

@@ -18,20 +18,22 @@ def call_file_on_server(filename, server)
           web_server_port = domain_scheme == 'https' ? 443 : 80
           # Use server configuration, if exists
           web_server_port = server.fetch(:web_server_port) if server.properties.respond_to?(:web_server_port)
+          ssl_verify_mode = server.properties.respond_to?(:ssl_verify_mode) ? server.fetch(:ssl_verify_mode) : OpenSSL::SSL::VERIFY_PEER
 
           url = URI.parse("#{domain_scheme}://#{domain}").merge("/#{filename}")
           url.port = web_server_port
           info "Call URL #{url}"
 
-          http_get_with_redirect url
+          http_get_with_redirect url: url, verify_mode: ssl_verify_mode
         end
 
         # Sends a get request that handles redirects
         #
         # @param url [URI]
         # @param limit [Integer] defines how many redirects are allowed
+        # @param verify_mode [OpenSSL::SSL::verify_mode] ssl verify mode, setting to VERIFY_NONE disables certificate check
         # @return [NET::HTTPResponse]
-        def http_get_with_redirect(url, limit = 5)
+        def http_get_with_redirect(url:, limit: 5, verify_mode: OpenSSL::SSL::VERIFY_PEER)
           limit = Integer(limit)
           raise ArgumentError, 'limit cannot be negative' if limit < 0
           raise 'too many HTTP redirects' if limit.zero?
@@ -41,16 +43,15 @@ def http_get_with_redirect(url, limit = 5)
           http.read_timeout = fetch :http_read_timeout
           if url.scheme == 'https'
             http.use_ssl = true
-            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+            http.verify_mode = verify_mode
           end
           request = Net::HTTP::Get.new(url.path) # build request
-          # call url
-          response = http.request(request)
+          response = http.request(request) # call url
           if response.is_a? Net::HTTPRedirection
             # Does not handle multiple redirects. Code/idea from http://stackoverflow.com/a/7210600/1796645
             location = URI.parse(response.header['location'])
             info "redirected to #{location}"
-            response = http_get_with_redirect(location, limit - 1)
+            response = http_get_with_redirect(url: location, limit: limit - 1, verify_mode: verify_mode)
           end
           response
         end

spec/fixtures/capistrano/configuration/server_with_ssl.rb

@@ -0,0 +1 @@
+server 'dkdeploy-php.dev', roles: %w(web app backend), primary: true, domain_scheme: 'https'