1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
|
@title = 'LEAP Web'
@summary = 'The web component of the LEAP Platform, providing user management, support desk, documentation and more.'
@toc = true
Introduction
===================
"LEAP Web" is the webapp component of the LEAP Platform, providing the following services:
* REST API for user registration.
* Admin interface to manage users.
* Client certificate distribution and renewal.
* User support help tickets.
* Billing
* Customizable and Localized user documentation
This web application is written in Ruby on Rails 3, using CouchDB as the backend data store.
It is licensed under the GNU Affero General Public License (version 3.0 or higher). See http://www.gnu.org/licenses/agpl-3.0.html for more information.
Known problems
====================
* Client certificates are generated without a CSR. The problem is that this makes the web
application extremely vulnerable to denial of service attacks. This was not an issue until we
started to allow the possibility of anonymously fetching a client certificate without
authenticating first.
* By its very nature, the user database is vulnerable to enumeration attacks. These are
very hard to prevent, because our protocol is designed to allow query of a user database via
proxy in order to provide network perspective.
Integration
===========
LEAP web is part of the leap platform. Most of the time it will be customized and deployed in that context. This section describes the integration of LEAP web in the wider framework. The Development section focusses on development of LEAP web itself.
Configuration & Customization
------------------------------
The customization of the webapp for a leap provider happens via two means:
* configuration settings in services/webapp.json
* custom files in files/webapp
### Configuration Settings
The webapp ships with a fairly large set of default settings for all environments. They are stored in config/defaults.yml. During deploy the platform creates config/config.yml from the settings in services/webapp.json. These settings will overwrite the defaults.
### Custom Files
Any file placed in files/webapp in the providers repository will overwrite the content of config/customization in the webapp. These files will override files of the same name.
This mechanism allows customizing basically all aspects of the webapp.
See files/webapp/README.md in the providers repository for more.
### Provider Information ###
The leap client fetches provider information via json files from the server. The platform prepares that information and stores it in the webapp in public/1/config/*.json. (1 being the current API version).
Provider Documentation
-------------
LEAP web already comes with a bit of user documentation. It mostly resides in app/views/pages and thus can be overwritten by adding files to files/webapp/views/pages in the provider repository. You probably want to add your own Terms of Services and Privacy Policy here.
The webapp will render haml, erb and markdown templates and pick translated content from localized files such as privacy_policy.es.md. In order to add or remove languages you have to modify the available_locales setting in the config. (See Configuration Settings above)
Development
===========
Installation
---------------------------
Typically, this application is installed automatically as part of the LEAP Platform. To install it manually for testing or development, follow these instructions:
### TL;DR ###
Install git, ruby 1.9, rubygems and couchdb on your system. Then run
gem install bundler
git clone https://leap.se/git/leap_web
cd leap_web
git submodule update --init
bundle install --binstubs
bin/rails server
### Install system requirements
First of all you need to install ruby, git and couchdb. On debian based systems this would be achieved by something like
sudo apt-get install git ruby1.9.3 rubygems couchdb
We install most gems we depend upon through [bundler](http://gembundler.com). So first install bundler
sudo gem install bundler
On Debian Wheezy or later, there is a Debian package for bundler, so you can alternately run ``sudo apt-get install bundler``.
### Download source
Simply clone the git repository:
git clone git://leap.se/leap_web
cd leap_web
### SRP Submodule
We currently use a git submodule to include srp-js. This will soon be replaced by a ruby gem. but for now you need to run
git submodule update --init
### Install required ruby libraries
cd leap_web
bundle
Typically, you run ``bundle`` as a normal user and it will ask you for a sudo password when it is time to install the required gems. If you don't have sudo, run ``bundle`` as root.
Configuration
----------------------------
The configuration file `config/defaults.yml` providers good defaults for most
values. You can override these defaults by creating a file `config/config.yml`.
There are a few values you should make sure to modify:
production:
admins: ["myusername","otherusername"]
domain: example.net
force_ssl: true
secret_token: "4be2f60fafaf615bd4a13b96bfccf2c2c905898dad34..."
client_ca_key: "/etc/ssl/ca.key"
client_ca_cert: "/etc/ssl/ca.crt"
ca_key_password: nil
* `admins` is an array of usernames that are granted special admin privilege.
* `domain` is your fully qualified domain name.
* `force_ssl`, if set to true, will require secure cookies and turn on HSTS. Don't do this if you are using a self-signed server certificate.
* `secret_token`, used for cookie security, you can create one with `rake secret`. Should be at least 30 characters.
* `client_ca_key`, the private key of the CA used to generate client certificates.
* `client_ca_cert`, the public certificate the CA used to generate client certificates.
* `ca_key_password`, used to unlock the client_ca_key, if needed.
### Provider Settings
The leap client fetches provider information via json files from the server.
If you want to use that functionality please add your provider files the public/1/config directory. (1 being the current API version).
Running
-----------------------------
cd leap_web
bin/rails server
You will find Leap Web running on `localhost:3000`
Testing
--------------------------------
To run all tests
rake test
To run an individual test:
rake test TEST=certs/test/unit/client_certificate_test.rb
or
ruby -Itest certs/test/unit/client_certificate_test.rb
Engines
---------------------
Leap Web includes some Engines. All things in `app` will overwrite the engine behaviour. You can clone the leap web repository and add your customizations to the `app` directory. Including leap_web as a gem is currently not supported. It should not require too much work though and we would be happy to include the changes required.
If you have no use for one of the engines you can remove it from the Gemfile. Engines should really be plugins - no other engines should depend upon them. If you need functionality in different engines it should probably go into the toplevel.
# Deployment #
We strongly recommend using the LEAP platform for deploy. Most of the things documented here are automated as part of the platform. If you want to research how the platform deploys or work on your own mechanism this section is for you.
These instructions are targeting a Debian GNU/Linux system. You might need to change the commands to match your own needs.
## Server Preperation ##
### Dependencies ##
The following packages need to be installed:
* git
* ruby1.9
* rubygems1.9
* couchdb (if you want to use a local couch)
### Setup Capistrano ###
We use puppet to deploy. But we also ship an untested config/deploy.rb.example. Edit it to match your needs if you want to use capistrano.
run `cap deploy:setup` to create the directory structure.
run `cap deploy` to deploy to the server.
## Customized Files ##
Please make sure your deploy includes the following files:
* public/1/config/*.json (see Provider Settings section)
* config/couchdb.yml
## Couch Security ##
We recommend against using an admin user for running the webapp. To avoid this couch design documents need to be created ahead of time and the auto update mechanism needs to be disabled.
Take a look at test/setup_couch.sh for an example of securing the couch.
## Design Documents ##
After securing the couch design documents need to be deployed with admin permissions. There are two ways of doing this:
* rake couchrest:migrate_with_proxies
* dump the documents as files with `rake couchrest:dump` and deploy them
to the couch by hand or with the platform.
### CouchRest::Migrate ###
The before_script block in .travis.yml illustrates how to do this:
mv test/config/couchdb.yml.admin config/couchdb.yml # use admin privileges
bundle exec rake couchrest:migrate_with_proxies # run the migrations
bundle exec rake couchrest:migrate_with_proxies # looks like this needs to run twice
mv test/config/couchdb.yml.user config/couchdb.yml # drop admin privileges
### Deploy design docs from CouchRest::Dump ###
First of all we get the design docs as files:
# put design docs in /tmp/design
bundle exec rake couchrest:dump
Then we add them to files/design in the site_couchdb module in leap_platform so they get deployed with the couch. You could also upload them using curl or sth. similar.
# Troubleshooting #
Here are some less common issues you might run into when installing Leap Web.
## Cannot find Bundler ##
### Error Messages ###
`bundle: command not found`
### Solution ###
Make sure bundler is installed. `gem list bundler` should list `bundler`.
You also need to be able to access the `bundler` executable in your PATH.
## Outdated version of rubygems ##
### Error Messages ###
`bundler requires rubygems >= 1.3.6`
### Solution ###
`gem update --system` will install the latest rubygems
## Missing development tools ##
Some required gems will compile C extensions. They need a bunch of utils for this.
### Error Messages ###
`make: Command not found`
### Solution ###
Install the required tools. For linux the `build-essential` package provides most of them. For Mac OS you probably want the XCode Commandline tools.
## Missing libraries and headers ##
Some gem dependencies might not compile because they lack the needed c libraries.
### Solution ###
Install the libraries in question including their development files.
|