Trying out Rails 3.1

Rails 3.1 is almost here, and all the rock star ninja hipster early adopters have been playing with it for a while. I’m not a ninja (picture me with a black tight skin suit if you wonder why), so I didn’t install it until today.

Installation is pretty straight forward, but there are a couple of tricks, so here they are in full Technicolor to save you a couple of minutes.

The first thing you are going to need is the right gem, which you can install directly via

gem install rails --pre

I didn’t want to install it as a system-wide gem, so I created a new gemset in rvm like this

rvm gemset create r31

If you are on windows and don’t have rvm, maybe you could install another version of ruby via pik, but I cannot help you with that.

Anyway, system-wide or scoped to a local gemset, after installing the gem you should be able to create your first rails 3.1 project like this

rails new sandbox

If you are on rvm, don’t forget to create a .rvmrc file with your local gemset to make things more convenient. In my case the contents of the file are

rvm 1.9.2@r31

Are we there already? not yet! Rails 3.1 needs a javascript runtime for all the asset magic. You can choose the runtime of your choice, as long as your choice is one of the options here :p

I chose (see update below!) the rubyracer because I’ve heard good things about it lately, but what do I know, just pick the one you prefer and add it to your gemfile. In my case it looks like this

gem 'therubyracer'

And, you know, now you need to bundle it

bundle install --binstubs

And that’s it, now you can do things like

bin/rake -T

Of course you can start the rails server too

bin/rails server

You know the rest of the song.. Now go to http://localhost:3000 and start dancing!

update: i found some errors when using ruby 1.9.2p0, therubyracer and coffescript. I changed to nodejs (just install it and leave the binary somewhere in your path) and things got back to normal

Advertisement

How we improved FACTURAgem security, or how to set HTTPS for your rails application

As you probably know, one of the products in my company is FACTURAgem, a web application for making simple invoices targetted to those users who are currently invoicing using word, excel or a notepad and a ballpoint.

Since your invoices are something you don’t want to share with the rest of the word, all the pages protected by login were securily encrypted and served via https since the first day, and the session cookie was automatically expired when the browser is closed, so the system was pretty safe.

Still, there was a very small chance of someone hijacking your session, if you were using FACTURAgem and you happened to be sharing a public network with a hacker nearby who was interested in accessing your FACTURAgem account. Due to the profile of both our users and our application this scenario was not likely to happen, and we never had any security breach since we launched the product.

However, with the proliferation of public networks and the quick adoption of smartphones, ipads, netbooks and a myriad of always-connected portable devices, we wanted to add an extra layer of security for our users, so now they can safely use FACTURAgem at any place without any worries.

Since yesterday, all the pages in FACTURAgem, both private and public, are securily served via https. Even if you forget to include the “s” when accesing the apllication, our servers will redirect appropriately to the safest version.

For the technically savvy, I will explain the highlights of the process:

note: FACTURAgem is running on an Apache/Passenger/Rails stack. If you are using a different setup, details might be differ, but the spirit is the same.

We had to cover different fronts of the https problem:

Configuring a certificate and SSL virtual host for Apache.

This was already done in our case since the beginning of the project. There’s a lot of information out there about how to do this.

Telling Apache to redirect all the traffic to https

We had to instruct our non-ssl virtual host to redirect all the traffic to the SSL one, so if you type http://www.facturagem.com/help you should be redirected to https://www.facturagem.com/help instead.

This is easily done with:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Unfortunately, in our case, we had an extra constraint. There are a couple of subdirectories we don’t want to put under SSL, because they are served by an external service that cannot run under https. For those pages, we will not store any session information, so they will not be a security problem. All we had to do is telling Apache not to redirect if the url is in one of those directories

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !.(fictional_directory_name|another_fictional_directory_name).*
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

By doing this, if you try to visit http://www.facturagem.com/fictional_directory_name/whatever you will not be redirected to https.

Making sure we marked the cookie as secure, so we are 100% sure it will never be passed to non-encrypted pages

By setting a cookie as “secure” your browser is smart enough to send the cookie back only when asking for a SSL resource. That way, even if you are browsing unsafe pages from the same domain, the cookie will not be transmitted, so your session is not subject to attacks.

If you are setting your cookies “manually”, secure is one of the attributes you can set. But if you are using session cookies in Rails, it’s as easy as setting an extra parameter when configuring your session cookie.

ActionController::Base.session = {
:key => '_your_application_secure_session_id',
:secret => '11111222312321321321321313213213213213213213213237761223213213213213131231231321321312',
:secure => Facturagem.config.secure_cookie
}

Some things to consider here. If you are changing a live application, as it was our case, it’s a good idea to change the name of the cookie. That way, you are sure everybody is going to be using the secure version. Otherwise, users with a valid cookie would still use the non-secure version in some browsers. By changing the name, you are sure everyone is setting a new cookie and everyone is secure using your site. The collateral effect is you will be signing out all of the users browsing your site, so take it into account.

Also, note how we are using a config variable to set a secure cookie (or not). This way, our developers can work without locally enabling SSL.

Removing any references to http external resources, so we avoid the “mixed content” message in some browsers

By this point everything should be working fine, but if you are using any resources directly by absolute URL (as is the case of external js or, in many ocassions, images referenced from your stylesheets), then you will be having the “mixed content” message and your users will feel something is not right.

Your first impulse can be changing all the “http://” ocurrences in your files for “https://”. That would fix the problem on production, but should any developer work without SSL, she would experience the mixed content alerts.

There is a not-so-known-but-perfectly-fine solution for this. You can use relative network-path references , also known as protocol relative urls. To make a long story short, if you write ‘//www.google.com/jsapi’ it will use http or https depending on which protocol you are using on the current page. That way, you can forget about which schema you are on. There’s a caveat with explorer downloading twice the javascript files (at least until IE8 there was), and if you want more info Paul Irish has it ready for you.

That was it! by following those steps we were able to make our site more secure and it took just some hours to set up. Now you can use FACTURAgem when you need to, without worrying who your neighbours are.

If you are out of Spain, pay attention to @facturagem, because we are going to be launching an international version pretty soon.

Installing a Rails plugin from a github branch

Today I wanted to install a plugin from github into a rails project. So far so good, you would think. You only need to run script/plugin install and start coding right away.

Unfortunately, the branch of the plugin I need is not the master one, because this applications runs on rails 2.3.x and the master branch has been adapted to rails 3 already.

I could just download the tar file from github, or I could make a git clone and checkout the branch I wanted.. but it turns out I don’t need to do any of those, because old good script/plugin has an option to checkout a specific branch

script/plugin install http://github.com/rails/exception_notification.git -r 2-3-stable

And I can start coding right away.. and that’s exactly what I’m going to do after publishing this post.

Slides and video for my talk “La herramienta de desarrollo definitiva” in conferencia rails 2009

I just realized I still hadn’t published in my blog the slides and video of my talk “La herramienta de desarrollo definitiva” in conferencia rails 2009, back in november.

My talk was a reflection about web development and the relative importance of the development tools. I was defending the idea of the individual with good practices being much more important than the choice of a tool or another. I was also talking about why Ruby on Rails is very appealing for such an individual and why it’s still relatively hard to find companies using modern techniques in development.

I talked about which were the best practices I consider an “ultimate developer” should embrace, linking it to concepts found in geek literature such as The Mythical Man Month, The Cluetrain Manifesto, Microserfs o The Soul of a New Machine.

This material is published under a Creative Commons NonCommercial-Attribution-ShareAlike license 2.5

The video is divided in two parts:

Vodpod videos no longer available.

Vodpod videos no longer available.

Ruby on Rails on unofficial Chrome OS

update: I thought this Chrome OS distribution was THE google distro. I was wrong. It’s just someone who used SUSE Studio to make a customized version of Open SUSE around the Chromium theme. With the site being on a google site and the code on a google code repository, I thought this was it, but no.. this distro is totally unrelated to google.

Chrome OS is by now just a bit more than a curiosity. In the meanwhile, you can go and download a non-official distribution mimicking what it could be, but be warned, all you are going to get is an Open Suse distribution with Chromium installed and a blue theme with a cute logo. Hopefully the real ChromeOS will be much lighter and more user-friendly.

Starting the virtual appliance from VirtualBox is easy. You create a new virtual media with the virtual media manager and then a virtual machine using this new media. That should be it. If you leave the default options (64MB) you’ll end up with a really slow boot. I set the base memory to 512K and things are much better.

What will you find in this distribution apart from Chromium? Zip, Zero, Null.. or if you are into ruby, nil.

Truth is, this distribution is a bit too rough around the edges (when it comes to internationalization, even if it ask you for the keyboard settings, it will just ignore them), but being a SUSE, you can install whatever you want. The only thing you’ll need is the root password. Since I’m such a hacker it took me almost no time to realize the root password was “root” (my other options being “sergei”, “larry” and “640Koughttobeenough”.

Once you have root access, you can use Yast for installing anything you might need. Just for fun I installed ruby, rubygems and sqlite3 via Yast, and then rails using gem. I had to run a gem update –system so I could use rails 2.3.4 and I generated a scaffold to see if everything was fine. Well, it was :)

ruby on rails running on google chrome os

Well, even if it was utterly useless, at least I found a cool way of making customized SUSE distros in an easy way ;)

Multiple rubygems versions, GEM_HOME and GEM_PATH

Installing rubygems is failrly easy and it’s great to have a package manager so you can forget about manually installing and upgrading the components you use. After installing a gem, you can require it from any ruby script and use it hassle-free. Well, given your ruby interpreter can find it.

When you install rubygems, a lot of default configuration is done behind the scenes. If you must see to believe, you can run

gem environment

do you believe me now?

Unless you are on windows, you have probably experienced already that gems can get installed in different locations. If using a superuser account, the global configuration will be used, but with a regular account gems install under your home directory.

If you are not careful about how you install your gems, or if you are using rake gems:install from regular accounts, you might end up installing the same version of a gem twice. That’s not only WET (not DRY, bear with me here) but it eats up your poor HD.

Things can get a lot worse than that. Suppose you are working with both JRuby and Ruby MRI. When you use rubygems from JRuby, it will try to use a different gem location by default. So, depending on how you are installing gems, you could have up to three different copies of exactly the same version.

And if you are on ubuntu and you upgrade from an old version of rubygems to the latest one —you will have to if you install Rails 2.3.4; if you are having problems you can read right here how to update it— you might be surprised that your gems are being installed *again*. The reason is under older versions the default location was “/var/lib/gems” and the latest one defaults to “/usr/lib/ruby/gems”.

Well, four different copies of ActiveRecord 2.3.4 are three and a half more copies than I wanted, mind you.

So.. how can we stop this gem install frenzy? Easy. Don’t use the defaults. Each of your installations is using default values, but they can be easily overridden with command line parameters or much more conveniently with environment variables.

Remember the title of this post? Can you see anything there that would make a good candidate for environment variables? That’s right, all the rubygems versions honor the GEM_HOME and GEM_PATH variables, so if they are set they will be used.

Depending on your OS, you can set these variables in different places. I’m on ubuntu and a bit lazy, so I chose the easiest, which is by adding this to my .bashrc file.

export GEM_HOME=/var/lib/gems/1.8
export GEM_PATH=/var/lib/gems/1.8

And now, no matter what I’m using: Ruby MRI, JRuby, or the latest rubygems, my already installed gems will be used, and the new ones will be put in the same place.

Saving the world is a hard job, but someone has to do it.

it’s not the framework, it’s you

I’m getting tired already of the hype about Ruby on Rails and how it is better than any other framework past, present or future.

Sure Rails is a cute piece of software, and Ruby is a gorgeous language (supposing you are into programming languages, that is), but if you take a critical look at Rails, you could just say it’s another MVC framework.. Big deal.. And with some coupling issues between the layers too, which are fortunately being targeted on Rails 3.

Moreover, if you take a look at some of its components they could frankly be better. ActiveRecord, for example, is a wrapper ORM, which is implicitly tying you to the physical database layer, with one class per table, as opposed to a mapper ORM such as DataMapper or Hibernate. And the principle of least surprise is kind of a joke when it comes to some of the ActionView helpers and the parameters you have to pass along.

Still, as we like to say around here “Ruby on Rails mola infinito”, and it’s right now my favourite framework for non trivial web applications.

So.. what makes this framework so special? Is it only the absence of configuration and the sensible defaults? Would we sell ourselves for a couple of parlor tricks like those? Surely not.. specially with so many frameworks providing already sensible defaults. Come on, even in Java you can kind of forget about writing so much XML code if you make proper use of annotations and the like. No, it has to be something else.

Ruby on Rails has something that transcends the framework itself. It has you. The Mighty Developer. The Early Adopter. The Status Quo Challenger. The so-called Community —whatever that means.

Bottom line is, when I get together with people working with Rails, they are always in search of the holy grail of web development —or the nearest tavern, whatever comes first.. you have to love that kind of pragmatism. We like to break our assumptions, to learn new things and forget about the ones we already know.

We embrace Rails *today* but we are willing to embrace any other tool as long as we like it better. Do you remember the months before the Merb-Rails love affair? Half the Rails developers I know were already making eyes at Merb without the slightest hint of shame.

And by challenging the system, we are obliged to keep learning… and to find new ways to build the web. And instead of trying to make a carbon copy of what we did before, we like to start anew, because that’s where the fun is.

Sure you can argue this attitude is not the exclusive property of the Rails community. And I would second you on that based on theory.. but in practice, I have seen other some other communities lack this need of challenging. Maybe it’s because they have maturity models and certifications and black belts and whatnot…. And maybe having so many constraints is killing creativity; but fact is in some environments trying to take a step forward is seen as something odd, not desirable.

Rails will pass —or not— but as long as we keep alive the spirit of embracing change, we are entitled to be on the fun side of web development.

So, if you ask me, that’s the secret ingredient of Rails. Sure the language and the framework are cool, but the real power of Ruby on Rails is you.. and me.

update: please read the comments, since I was a bit ambiguous in the post and some points needed further explanation :)

Speaking about JRuby on Rails at the Sun Open Communities Forum

I’ve been invited to speak about JRuby on Rails at the Sun Open Communities Forum. This event is the evolution of the former editions of OpenJavaDay/OpenSolarisDay, revamped to include more Open Source communities.

Apart from the predictable “all-things-java” sessions, this year there are some interesting labs and talks about MySQL Scalability, REST, AJAX, the cloud, development frameworks and different languages running on the JVM.

Most of the talks, including mine, will be delivered in Spanish, but there will be some in English too.

My session will be

JRuby on Rails. Ruby on Rails on the JVM

And the excerpt I’ve sent for the talk goes something like this

Ruby is a dynamic programming language with a focus on simplicity and productivity. Ruby on Rails is a web framework optimized for programmer happiness and sustainable productivity. The JVM is one of the world’s most heavily-optimized pieces of software. The combination of these three elements provides a superb platform for building web applications.

In my session I will explain the highlights of Ruby, how Ruby on Rails has changed the rules of web development, and how JRuby allows for the integration of Ruby (on Rails) and Java.

Inscription is free and if you cannot attend, there will be live streaming as well. Notice you also have to inscribe (checking the “Lo seguiré por internet” radio button) if you want to watch the streaming.

Cucumber, Selenium, Webrat, and Windows

I spent last Saturday hacking around with some really smart people in Madrid. It’s not widely known than in Spain there’s a thriving Ruby on Rails community -my guess would be a language thing- but if you take a look at some of the Rails patches, Hackfest winners or the official Rails documentation project, you would be surprised to see how many -and how good- contributions are coming from this side of the world.

Once in a while we like to get together and take code challenges, so we can learn from each other and eat pizza to match the stereotype ;)

Thing is I’m a Windows guy. I know I should be sorry, I know it’s for housewives (or househusbands for that matter), but that’s life. (disclaimer: I’m planning to switch to Ubuntu in the near future)

As you know, developing software in windows while entirely possible is a bit more difficult than in other systems, specially when it comes to compiling, forking and the like.

Last Saturday I was, as usual, the only windows at hand (the rest being a lot of Macs in different flavors and a lonely Ubuntu) and, as a part of the code challenge, I had to run some tests with Cucumber, Selenium and Webrat. Apart from libxml, that has been working flawlessly in my computer for months, no other binaries were involved, so you would think everything was working just fine.. well, think twice.

First problem was the test server couldn’t be started automatically. I didn’t investigate much about it (my guess being that a fork or a system call is being issued and Windows cannot cope with it) since it was easier just to start it manually before running the tests. Also it was faster, because it didn’t need to be started every time.

After this obstacle, when I was trying to run the tests, I was getting a cryptic Errno::EADDRNOTAVAIL message. At first I thought it was because of Selenium not being able to bind to the given port, but a quick test from the command line discarded that possibility.

I don’t know anything about webrat (yet) but as the song goes, with a little help from my friends I was able to locate the source of the problem. When connecting to remote control Selenium, Webrat is trying to bind to the address “0.0.0.0” and that’s something Windows doesn’t like.

All I had to do was opening the file “selecium_rc_server.rb” at the gem source and replacing “0.0.0.0” by “127.0.0.1”.

I was told I can do this much more clearly at the Webrat config, but I tried it out and I still had the same problem. Taking a look at the Webrat code I would say the config param is not honoured system-wide, but truth is I was in a hurry and I didn’t researched it thoroughly. I had a challenge to solve after all ;)

Once I did this, all was hunky dory. Selenium started, the form fields were filled in, the tests were passing (or not) and the result was displayed on my not-ansi console. Bummer.

Believe me, cucumber is not half the fun without the colors in the output. Fortunately enough, google can tell you where to find lots of ansi-aware console replacements. Unfortunately enough console2, my favourite, is not one of those.

So, there, it took a bit of extra work but now you can also run this neat stack in your good-old windows box.

Scotland on Rails 2009

De vuelta de la conferencia Scotland on Rails me vuelvo con unas cuantas cosas aprendidas/confirmadas

a) Lo de menos son las charlas (aunque sigue siendo importante que, si las hay, sean interesantes). Lo que importa es el ambiente que se genera alrededor . Creo que el futuro de los eventos de desarrollo va por menos charlas, o por charlas filosóficas.

b) Tener un nombre en la comunidad no garantiza que seas competente haciendo presentaciones. Lo que sí garantiza es que te aplaudirán digas lo que digas (o leas lo que leas, aunque lleve años publicado y no tenga ningún interés).

c) El feedback positivo en una conferencia será directamente proporcional a la gente que venga de otros países. Se ve que la cortesía hace que evalúes bien aunque cometas el suicidio de no tener wifi en un sitio lleno de geeks, haya pocos enchufes, y des un catering de todo a 100.

d) La comunidad Rails hispana es muy potente, técnica y personalmente. El día que nos dé por hablar en inglés la vamos a liar parda. Da gusto escuchar a cualquiera de los de la representación “española” formada por Sam, Rai, Blat, Xavier, Alfredo, Gaizka, Susana, Fernando G., Sergio, Christos, Luismi, Guillermo, Felipe, David, Raúl, Juanjo, Jaime (y yo mismo :p )

En cuanto a las charlas, las que me inspiraron algo fueron (en orden cronológico):

– Getting Git, por Scott Chacon. Muy didáctico y con un buen balance entre crash course y consejos para usuarios más avanzados. Me gustó tanto que en cuanto su libro se publique es muy posible que lo compre. EPIC WIN

– Building blocks of modularity, por Jim Weirich. A pesar de alguna diferencia de criterio que tengo en las categorías de “connascence”, me pareció una charla muy interesante. Lo mejor es que no tenía nada que ver con Ruby o Rails. Era una charla de ingeniería/arquitectura de software. Así sí. EPIC WIN

– Security – what Rails will and won’t do for you, por Rory McCune. Sin entrar en nada especialmente novedoso, hizo una muy buena exposición de seguridad, comprensible, con ritmo, y con algunos datos que me parecieron interesantes. Es posible que acabe cambiando el login en alguna aplicación después de escucharla. WIN

– Advanced deployment, por Jonathan Weiss. Estuve a punto de perderme esta charla porque el nombre es muy engañoso, pero afortunadamente una amiga me hizo leer la descripción de la charla y acabé viéndola. No va de cómo hacer deploy, sino de qué forma puedes lidiar con una instalación compleja que requiere rendimiento, en concreto muy enfocado a la capa de datos. Explicaba las diferentes opciones para que tu base de datos escale, bien con replicación master-slave, master-master, particionado vertical de base de datos, sharding.. o mucho más sencillamente aplicando los famosos KISS y less is more. Me gustó ver que varias de las soluciones que aportaba las tenemos en producción en algunos proyectos. Siempre reconforta ver que lo que has hecho confiando en tu instinto es algo que tiene sentido. WIN

– The Ruby Object Model, por Dave Thomas. Nada nuevo que no esté escrito hace años (de hecho en los libros de este señor), pero de todos modos muy bien explicado y con unas referencias muy bien puestas a Simula y Smalltalk, incluída alguna frase lapidaria de Alan Kay. Lástima que no dedicase unos minutos más (dos) para introducir la teoría de objetos y el concepto de mensaje. Es lo único que le faltó para que me pareciera brillante. EPIC WIN

Y las charlas a las que asistí y que me hicieron sentir decepcionado:

– Keynote por Marcel Molina. Me alegro de que sepas leer y de que conozcas la página archive.org. El resto de la sala también tenemos internet en casa y también sabemos leer. Quizás sea especialmente duro porque en todas las charlas que he visto de Marcel me ha parecido brillante y esperaba mucho de esta keynote. FAIL

– Merb and Rails 3.0, por Yehuda Katz. Quitando el momento “teletienda engine yard de los primeros minutos”, me pareció en algunos puntos demasiado agresivo, en otros demasiado técnico, en otros demasiado ambiguo, y en otros pelín soberbio. Puede que por eso me dijeran que me parezco a él :P No me gustó su charla, pero he de reconocerle que de no haber sido por él puede que nunca se hubiera inventado el famoso juego “muerte violenta en seis movimientos”. De nuevo puede que sea un pelín duro porque Merb me gusta mucho y esperaba una charla espectacular. FAIL

– Server to server communication using XMPP and Ruby, por George Palmer. Dar una charla de XMPP sin hablar de XMPP y sin estar seguro de las siglas tiene su mérito. Dar una charla de 45 minutos en 20 tiene su mérito. Jactarse de no haberse leído un manual de 108 páginas porque es demasiado grande y luego no saber contestar a ninguna pregunta diciendo “pues esto estaría bien que lo hiciera, pero no sé si lo lleva”, tiene su mérito. Y a pesar de todo el FAIL no es absoluto porque la puesta en escena y la presentación multimedia me gustaron. Salvado por las slides de ser un EPIC FAIL.

A pesar de que el nivel de las charlas no me pareció óptimo y de que varios detalles de organización me parecieron muy malos (como que se llame “scotland on rails” y luego se quejen de que está demasiado orientada a Rails), el balance general que me llevo de la conferencia es bueno.

La experiencia fue muy interesante, la compañía inmejorable, y nada como ir a una de éstas para estar al día en tendencias de camisetas, zapatillas, y portátiles y gadgets cool ;)

Las fotos de la conferencia se están subiendo a flickr

p.s. gracias a aspgems por el detalle de hacerse cargo de mi viaje.