Wednesday, August 30, 2017

Even clowns need coffee

Almost a year has passed. I did not foresee that the bug I spoke of the last time would be that hard to fix.

OK, life took its toll; the last months have been difficult. But that's no excuse: I failed to fix the bug. My analysis was wrong; in fact it seems that stdout is opened more than once. I never found out the actual cause.

Circus is dead. As always my sin was greed: I wanted to build a full stack instead of concentrating on my application.

Let it be a lesson. If only I could learn it.

So I decided to start again with a stack I am comfortable with: Java. Everything is provided by external libraries, it is only a matter of plugging things together.

The application already works… "on my laptop". I am currently packaging it before launch in a few weeks.

Stay tuned!

Thursday, September 8, 2016

More polish…

As the Circus is getting ready to open its gates, the clowns are still polishing their shoes.

The past few days brought some improvements:
  • Clearer vocabulary
  • Improved debian packaging
  • Bug fixes, mainly memory corruption

I found an important bug: nginx + fcgiwrap + armhf. That mixture provides the Circus CGI client with a stdout that is not pollable. The way Circus uses libuv needs to be fixed.

It is interesting to note that my tests on amd64 did not raise that concern… Not sure why though. Any explanation is welcome…

I am currently fixing that. Stay tuned!

Thursday, August 18, 2016

Hoist the flag!

Circus is getting ready to ship.

Although I was on holiday and had a lot of real-life hard work, I found a bit of time for Circus:
  • Continuous integration on Travis CI
  • Debian packaging
  • A logo! (I designed it, please be indulgent…)
Upcoming work:
  • Try Circus for real
  • Package the web fonts instead of relying on Google's font site
  • Sweep the ring, polish the ringmaster's shoes, and drive bellowing through town: "Tonight! The GREAT circus!! Places for everyone!!"

Sunday, July 24, 2016

A brand new marquee

This week-end was a coding marathon; it was quite worth it.

Circus changed a lot those last few days. Rather than being the draft thing of a few days ago, it is now an actual web application. No need to say how proud I feel.

The latest big changes include:

  • The Post-Redirect-Get pattern is now implemented. This pattern is the current standard web pattern used when posting new data: use a POST to send the data, then redirect to another page fetched by the browser using GET.
    This single change was quite intrusive since it involved deep changes in the handling of the HTTP requests, but also some re-architecting of the page navigation.
  • The anti-CSRF synchronizer token is now checked against a token history. By default, the 5 latest tokens are kept. This helps with navigation: the browser "back" button is not the greatest enemy anymore. One can also reload a page without being kicked out. Even double-clicks are no big deal anymore.
    The idea comes from Tomcat's CsrfPreventionFilter.
  • The pages underwent a big lifting. They are now prettier. More red noses all around!
  • The database layer is not mixed up with the vault layer anymore. It should help with testing; but it also helps coding by circumscribing the database API use, and removing the small inconsistencies of the sqlite API (viz. the fact that data binding is 1-based while data fetching is 0-based).
  • A major security issue was fixed: now the encryption key is really secure. It cannot be decrypted without the user providing their password.
    Previously the data in the database was enough to decrypt the user passwords, defeating Circus' goal.
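The token-history idea above, as an added example (this is not Circus' code, and the names csrf_history, csrf_issue and csrf_check are hypothetical): a per-session ring of the 5 most recent synchronizer tokens, so that a form submitted from a page reached through "back" or a reload still carries a token the server remembers. The check compares every slot in constant time, and the token source is a caller-supplied callback, so the deterministic demo_rng used here can be swapped for getrandom(2) or the crypto library's RNG in a real build.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CSRF_TOKEN_LEN 32      /* hex characters, i.e. 16 random bytes */
#define CSRF_HISTORY_SIZE 5    /* default depth mentioned in the post */

/* Ring buffer of the most recently issued tokens for one session. */
typedef struct {
    char tokens[CSRF_HISTORY_SIZE][CSRF_TOKEN_LEN + 1];
    size_t next;   /* slot that the next issued token overwrites */
    size_t count;  /* number of slots currently holding a token */
} csrf_history;

/* Random-byte source; returns 0 on success. Production code plugs in
 * getrandom(2) or the crypto library's RNG here. */
typedef int (*csrf_rng)(unsigned char *buf, size_t len);

/* Deterministic stand-in for the demo and tests only: NOT random. */
static int demo_rng(unsigned char *buf, size_t len) {
    static unsigned counter = 0;
    for (size_t i = 0; i < len; i++) buf[i] = (unsigned char)(counter++);
    return 0;
}

static void csrf_history_init(csrf_history *h) { memset(h, 0, sizeof *h); }

/* Constant-time comparison: the loop never exits early, so timing does not
 * reveal how many leading characters of a guessed token were right. */
static bool csrf_equal(const char *a, const char *b) {
    unsigned char diff = 0;
    for (size_t i = 0; i < CSRF_TOKEN_LEN; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Issue a fresh token into `out` and remember it, evicting the oldest. */
static int csrf_issue(csrf_history *h, csrf_rng rng, char out[CSRF_TOKEN_LEN + 1]) {
    unsigned char raw[CSRF_TOKEN_LEN / 2];
    if (rng(raw, sizeof raw) != 0) return -1;
    for (size_t i = 0; i < sizeof raw; i++) snprintf(out + 2 * i, 3, "%02x", raw[i]);
    memcpy(h->tokens[h->next], out, CSRF_TOKEN_LEN + 1);
    h->next = (h->next + 1) % CSRF_HISTORY_SIZE;
    if (h->count < CSRF_HISTORY_SIZE) h->count++;
    return 0;
}

/* Accept the submitted token if it matches any remembered one. All slots
 * are compared so that the position of the match does not leak through timing. */
static bool csrf_check(const csrf_history *h, const char *submitted) {
    if (submitted == NULL || strlen(submitted) != CSRF_TOKEN_LEN) return false;
    bool ok = false;
    for (size_t i = 0; i < h->count; i++) ok |= csrf_equal(h->tokens[i], submitted);
    return ok;
}

int main(void) {
    csrf_history h;
    char first[CSRF_TOKEN_LEN + 1], t[CSRF_TOKEN_LEN + 1];
    csrf_history_init(&h);
    csrf_issue(&h, demo_rng, first);
    for (int i = 0; i < CSRF_HISTORY_SIZE; i++) csrf_issue(&h, demo_rng, t);
    /* six tokens issued, only five kept: the first one has been evicted */
    printf("latest accepted: %d, first evicted: %d\n",
           csrf_check(&h, t), !csrf_check(&h, first));
    return 0;
}
```

The history is per session; issuing a token on every rendered page and keeping the last few bounds the window in which an old token stays valid, which is the trade-off the post describes between strictness and usable navigation.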
Note: I may not be able to hack a lot in the upcoming weeks. But I shall be back.

Stay tuned and… Merry hacking!

Thursday, July 14, 2016

Cleaning the cages

The last few weeks were centered on cleaning up the memory leaks.

Valgrind is a great tool; unfortunately it does not work with libgcrypt. Once the libgcrypt code is mocked out though, I was able to find and clean a lot of memory leaks during tests.

On the features front, circus gained a single new feature: the recipes now support size ranges (instead of just fixed sizes). When a range is defined in a recipe, the generated password size will be randomly chosen within that range.

Now that the cages are clean, we can go on adding new features…

Thursday, June 23, 2016

Let the lions out.

Finally! Circus has its core feature implemented: password generation.

The password generator is almost identical to pwd's: a number of characters, and four classes of characters: letters, figures, symbols, and free-form (pwd only had the first three). The free-form class lets the user specify the exact set of characters to choose from.
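An added example of such a generator, covering both this post's character classes and the size ranges announced in the later post (this is not Circus' or pwd's code; the names recipe, build_alphabet, generate_password and demo_rng are hypothetical). The alphabet is the union of the enabled classes, deduplicated so that a free-form set overlapping a built-in class does not make those characters twice as likely; the size is drawn uniformly within the range and each character uniformly from the alphabet, using rejection sampling instead of a plain modulo to avoid bias. The random source is a callback so the deterministic demo_rng can be replaced by getrandom(2) or a crypto library's RNG.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Character classes a recipe may enable (bitmask). */
enum { CLASS_LETTERS = 1u, CLASS_FIGURES = 2u, CLASS_SYMBOLS = 4u, CLASS_FREE = 8u };

typedef struct {
    size_t min_size, max_size;  /* inclusive range; min == max is a fixed size */
    unsigned classes;           /* bitmask of the enum values above */
    const char *free_set;       /* exact character set used when CLASS_FREE is on */
} recipe;

/* Random-byte source; returns 0 on success. */
typedef int (*rng_fn)(unsigned char *buf, size_t len);

/* Deterministic stand-in for the demo and tests only: NOT random,
 * never use it for real passwords. */
static int demo_rng(unsigned char *buf, size_t len) {
    static unsigned counter = 0;
    for (size_t i = 0; i < len; i++) buf[i] = (unsigned char)(counter++ * 37u);
    return 0;
}

/* Uniform integer in [0, n) from 32-bit draws; values above the largest
 * multiple of n are rejected so no residue is favoured. */
static int uniform_below(rng_fn rng, uint32_t n, uint32_t *out) {
    if (n == 0) return -1;
    uint32_t limit = UINT32_MAX - (UINT32_MAX % n);
    for (;;) {
        unsigned char b[4];
        if (rng(b, sizeof b) != 0) return -1;
        uint32_t v = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
                     ((uint32_t)b[2] << 8) | (uint32_t)b[3];
        if (v < limit) { *out = v % n; return 0; }
    }
}

/* Append the characters of `src` to `buf`, skipping ones already present. */
static size_t append_unique(char *buf, size_t len, size_t cap, const char *src) {
    for (; *src != '\0'; src++)
        if (len < cap && memchr(buf, *src, len) == NULL) buf[len++] = *src;
    return len;
}

/* Build the alphabet as the union of the enabled classes; returns its size. */
static size_t build_alphabet(const recipe *r, char *buf, size_t cap) {
    size_t len = 0;
    if (r->classes & CLASS_LETTERS)
        len = append_unique(buf, len, cap, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
    if (r->classes & CLASS_FIGURES)
        len = append_unique(buf, len, cap, "0123456789");
    if (r->classes & CLASS_SYMBOLS)
        len = append_unique(buf, len, cap, "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~");
    if ((r->classes & CLASS_FREE) && r->free_set != NULL)
        len = append_unique(buf, len, cap, r->free_set);
    return len;
}

/* Generate one password into `out`; returns its size, or 0 on an invalid recipe. */
static size_t generate_password(const recipe *r, rng_fn rng, char *out, size_t cap) {
    char alphabet[256];
    size_t alen = build_alphabet(r, alphabet, sizeof alphabet);
    if (alen == 0 || r->min_size == 0 || r->min_size > r->max_size || r->max_size >= cap)
        return 0;
    uint32_t span, idx;
    if (uniform_below(rng, (uint32_t)(r->max_size - r->min_size + 1), &span) != 0) return 0;
    size_t size = r->min_size + span;
    for (size_t i = 0; i < size; i++) {
        if (uniform_below(rng, (uint32_t)alen, &idx) != 0) return 0;
        out[i] = alphabet[idx];
    }
    out[size] = '\0';
    return size;
}

int main(void) {
    recipe r = { 12, 16, CLASS_LETTERS | CLASS_FIGURES | CLASS_SYMBOLS, NULL };
    char pw[64];
    size_t n = generate_password(&r, demo_rng, pw, sizeof pw);
    printf("%zu characters: %s\n", n, pw);
    return 0;
}
```

Whether a recipe must also guarantee at least one character from every enabled class is not stated in the post; this example draws from the union only, which keeps every position independent and the distribution easy to reason about.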

Also in the news:

  • Templates now have "operators". Only one operator is implemented for the moment: count, which gives either the length of a string or the number of elements in an array.
  • An important update in libcad's packaging fixes a long-standing error: the -dbg package did not correctly provide the library's symbols. This fix will allow the memory leaks of Circus to be checked accurately, and fixed.

Hold your red nose, and make the whip crack: the lions roar!

Thursday, June 16, 2016

The circus is back to town.

That's right: the last circus article was posted almost four months ago. Real life took its toll.

So what happened in the scant time I could spare?

The CGI client is now awake and kicking.
It is especially security-conscious: secure cookies, nonce tokens, cache control… The only missing technology is Post/Redirect/Get; I am keeping that for later as it needs important changes (esp. more round trips with the server).
The CGI client uses a code generator that translates a JSON file to web actions. It greatly simplifies adding new pages!

A new manual test script was added. It starts the server and a local web server (lighttpd).

The administration pages are complete (or complete enough for an alpha release).

The user pages are work in progress. They are the core of the system, and I want that part done right! Especially the password generator. It will use an algorithm similar to pwd's, but may mix in ideas from e.g. pwgen.

There is still a lot of work to do; the clowns still need to apply makeup instead of fooling around. But hearts stay light under the marquee!