acme-client 1.0.0 → 2.0.0

data/lib/acme/client/certificate_request.rb

@@ -104,8 +104,6 @@ class Acme::Client::CertificateRequest
   end
 
   def add_extension(csr)
-    return if @names.size <= 1
-
     extension = OpenSSL::X509::ExtensionFactory.new.create_extension(
       'subjectAltName', @names.map { |name| "DNS:#{name}" }.join(', '), false
     )

data/lib/acme/client/error.rb

@@ -1,16 +1,55 @@
 class Acme::Client::Error < StandardError
-  class NotFound < Acme::Client::Error; end
-  class BadCSR < Acme::Client::Error; end
-  class BadNonce < Acme::Client::Error; end
-  class Connection < Acme::Client::Error; end
-  class Dnssec < Acme::Client::Error; end
-  class Malformed < Acme::Client::Error; end
-  class ServerInternal < Acme::Client::Error; end
-  class Acme::Tls < Acme::Client::Error; end
-  class Unauthorized < Acme::Client::Error; end
-  class UnknownHost < Acme::Client::Error; end
   class Timeout < Acme::Client::Error; end
-  class RateLimited < Acme::Client::Error; end
-  class RejectedIdentifier < Acme::Client::Error; end
-  class UnsupportedIdentifier < Acme::Client::Error; end
+
+  class ClientError < Acme::Client::Error; end
+  class InvalidDirectory < ClientError; end
+  class UnsupportedOperation < ClientError; end
+  class UnsupportedChallengeType < ClientError; end
+  class NotFound < ClientError; end
+  class CertificateNotReady < ClientError; end
+
+  class ServerError < Acme::Client::Error; end
+  class BadCSR < ServerError; end
+  class BadNonce < ServerError; end
+  class BadSignatureAlgorithm < ServerError; end
+  class InvalidContact < ServerError; end
+  class UnsupportedContact < ServerError; end
+  class ExternalAccountRequired < ServerError; end
+  class AccountDoesNotExist < ServerError; end
+  class Malformed < ServerError; end
+  class RateLimited < ServerError; end
+  class RejectedIdentifier < ServerError; end
+  class ServerInternal < ServerError; end
+  class Unauthorized < ServerError; end
+  class UnsupportedIdentifier < ServerError; end
+  class UserActionRequired < ServerError; end
+  class BadRevocationReason < ServerError; end
+  class Caa < ServerError; end
+  class Dns < ServerError; end
+  class Connection < ServerError; end
+  class Tls < ServerError; end
+  class IncorrectResponse < ServerError; end
+
+  ACME_ERRORS = {
+    'urn:ietf:params:acme:error:badCSR' => BadCSR,
+    'urn:ietf:params:acme:error:badNonce' => BadNonce,
+    'urn:ietf:params:acme:error:badSignatureAlgorithm' => BadSignatureAlgorithm,
+    'urn:ietf:params:acme:error:invalidContact' => InvalidContact,
+    'urn:ietf:params:acme:error:unsupportedContact' => UnsupportedContact,
+    'urn:ietf:params:acme:error:externalAccountRequired' => ExternalAccountRequired,
+    'urn:ietf:params:acme:error:accountDoesNotExist' => AccountDoesNotExist,
+    'urn:ietf:params:acme:error:malformed' => Malformed,
+    'urn:ietf:params:acme:error:rateLimited' => RateLimited,
+    'urn:ietf:params:acme:error:rejectedIdentifier' => RejectedIdentifier,
+    'urn:ietf:params:acme:error:serverInternal' => ServerInternal,
+    'urn:ietf:params:acme:error:unauthorized' => Unauthorized,
+    'urn:ietf:params:acme:error:unsupportedIdentifier' => UnsupportedIdentifier,
+    'urn:ietf:params:acme:error:userActionRequired' => UserActionRequired,
+    'urn:ietf:params:acme:error:badRevocationReason' => BadRevocationReason,
+    'urn:ietf:params:acme:error:caa' => Caa,
+    'urn:ietf:params:acme:error:dns' => Dns,
+    'urn:ietf:params:acme:error:connection' => Connection,
+    'urn:ietf:params:acme:error:tls' => Tls,
+    'urn:ietf:params:acme:error:incorrectResponse' => IncorrectResponse
+  }
 end

data/lib/acme/client/faraday_middleware.rb

@@ -3,18 +3,20 @@
 class Acme::Client::FaradayMiddleware < Faraday::Middleware
   attr_reader :env, :response, :client
 
-  repo_url = 'https://github.com/unixcharles/acme-client'
-  USER_AGENT = "Acme::Client v#{Acme::Client::VERSION} (#{repo_url})".freeze
+  CONTENT_TYPE = 'application/jose+json'
 
-  def initialize(app, client:)
+  def initialize(app, client:, mode:)
     super(app)
     @client = client
+    @mode = mode
   end
 
   def call(env)
     @env = env
-    @env[:request_headers]['User-Agent'] = USER_AGENT
-    @env.body = client.jwk.jws(header: { nonce: pop_nonce }, payload: env.body)
+    @env[:request_headers]['User-Agent'] = Acme::Client::USER_AGENT
+    @env[:request_headers]['Content-Type'] = CONTENT_TYPE
+
+    @env.body = client.jwk.jws(header: jws_header, payload: env.body)
     @app.call(env).on_complete { |response_env| on_complete(response_env) }
   rescue Faraday::TimeoutError, Faraday::ConnectionFailed
     raise Acme::Client::Error::Timeout
@@ -35,6 +37,12 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
 
   private
 
+  def jws_header
+    headers = { nonce: pop_nonce, url: env.url.to_s }
+    headers[:kid] = client.kid if @mode == :kid
+    headers
+  end
+
   def raise_on_not_found!
     raise Acme::Client::Error::NotFound, env.url.to_s if env.status == 404
   end
@@ -52,29 +60,20 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
   end
 
   def error_class
-    if error_name && !error_name.empty? && Acme::Client::Error.const_defined?(error_name)
-      Object.const_get("Acme::Client::Error::#{error_name}")
-    else
-      Acme::Client::Error
-    end
+    Acme::Client::Error::ACME_ERRORS.fetch(error_name, Acme::Client::Error)
   end
 
   def error_name
     return unless env.body.is_a?(Hash)
     return unless env.body.key?('type')
-
-    error_type_to_klass env.body['type']
-  end
-
-  def error_type_to_klass(type)
-    type.gsub('urn:acme:error:', '').split(/[_-]/).map { |type_part| type_part[0].upcase + type_part[1..-1] }.join
+    env.body['type']
   end
 
   def decode_body
-    content_type = env.response_headers['Content-Type']
+    content_type = env.response_headers['Content-Type'].to_s
 
-    if content_type == 'application/json' || content_type == 'application/problem+json'
-      JSON.parse(env.body)
+    if content_type.start_with?('application/json', 'application/problem+json')
+      JSON.load(env.body)
     else
       env.body
     end
@@ -95,20 +94,20 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
   end
 
   def store_nonce
-    nonces << env.response_headers['replay-nonce']
+    nonce = env.response_headers['replay-nonce']
+    nonces << nonce if nonce
   end
 
   def pop_nonce
     if nonces.empty?
       get_nonce
-    else
-      nonces.pop
     end
+
+    nonces.pop
   end
 
   def get_nonce
-    response = Faraday.head(env.url, nil, 'User-Agent' => USER_AGENT)
-    response.headers['replay-nonce']
+    client.get_nonce
   end
 
   def nonces

data/lib/acme/client/jwk/base.rb

@@ -15,7 +15,7 @@ class Acme::Client::JWK::Base
   #
   # Returns a JSON String.
   def jws(header: {}, payload: {})
-    header = jws_header.merge(header)
+    header = jws_header(header)
     encoded_header = Acme::Client::Util.urlsafe_base64(header.to_json)
     encoded_payload = Acme::Client::Util.urlsafe_base64(payload.to_json)
 
@@ -56,12 +56,13 @@ class Acme::Client::JWK::Base
   # typ: - Value for the `typ` field. Default 'JWT'.
   #
   # Returns a Hash.
-  def jws_header
-    {
+  def jws_header(header)
+    jws = {
       typ: 'JWT',
-      alg: jwa_alg,
-      jwk: to_h
-    }
+      alg: jwa_alg
+    }.merge(header)
+    jws[:jwk] = to_h if header[:kid].nil?
+    jws
   end
 
   # The name of the algorithm as needed for the `alg` member of a JWS object.

data/lib/acme/client/jwk/ecdsa.rb

@@ -82,7 +82,6 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
 
   private
 
-  # rubocop:disable Metrics/AbcSize
   def coordinates
     @coordinates ||= begin
       hex = public_key.to_bn.to_s(16)
@@ -96,7 +95,6 @@ class Acme::Client::JWK::ECDSA < Acme::Client::JWK::Base
       }
     end
   end
-  # rubocop:enable Metrics/AbcSize
 
   def public_key
     @private_key.public_key

data/lib/acme/client/resources.rb

@@ -1,5 +1,7 @@
 module Acme::Client::Resources; end
 
-require 'acme/client/resources/registration'
-require 'acme/client/resources/challenges'
+require 'acme/client/resources/directory'
+require 'acme/client/resources/account'
+require 'acme/client/resources/order'
 require 'acme/client/resources/authorization'
+require 'acme/client/resources/challenges'

data/lib/acme/client/resources/account.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+class Acme::Client::Resources::Account
+  attr_reader :url, :status, :contact, :term_of_service, :orders_url
+
+  def initialize(client, **arguments)
+    @client = client
+    assign_attributes(arguments)
+  end
+
+  def kid
+    url
+  end
+
+  def update(contact: nil, terms_of_service_agreed: nil)
+    assign_attributes **@client.account_update(
+      contact: contact, terms_of_service_agreed: term_of_service
+    ).to_h
+    true
+  end
+
+  def deactivate
+    assign_attributes **@client.account_deactivate.to_h
+    true
+  end
+
+  def reload
+    assign_attributes **@client.account.to_h
+    true
+  end
+
+  def to_h
+    {
+      url: url,
+      term_of_service: term_of_service,
+      status: status,
+      contact: contact
+    }
+  end
+
+  private
+
+  def assign_attributes(url:, term_of_service:, status:, contact:)
+    @url = url
+    @term_of_service = term_of_service
+    @status = status
+    @contact = Array(contact)
+  end
+end

data/lib/acme/client/resources/authorization.rb

@@ -1,44 +1,74 @@
-class Acme::Client::Resources::Authorization
-  HTTP01 = Acme::Client::Resources::Challenges::HTTP01
-  DNS01 = Acme::Client::Resources::Challenges::DNS01
-  TLSSNI01 = Acme::Client::Resources::Challenges::TLSSNI01
+# frozen_string_literal: true
 
-  attr_reader :client, :uri, :domain, :status, :expires, :http01, :dns01, :tls_sni01
+class Acme::Client::Resources::Authorization
+  attr_reader :url, :identifier, :domain, :expires, :status, :wildcard
 
-  def initialize(client, uri, response)
+  def initialize(client, **arguments)
     @client = client
-    @uri = uri
-    assign_attributes(response.body)
+    assign_attributes(arguments)
+  end
+
+  def deactivate
+    assign_attributes **@client.deactivate_authorization(url: url).to_h
+    true
   end
 
-  def verify_status
-    response = @client.connection.get(@uri)
+  def reload
+    assign_attributes **@client.authorization(url: url).to_h
+    true
+  end
+
+  def challenges
+    @challenges.map do |challenge|
+      initialize_challenge(challenge)
+    end
+  end
 
-    assign_attributes(response.body)
-    status
+  def http01
+    @http01 ||= challenges.find { |challenge|
+      challenge.is_a?(Acme::Client::Resources::Challenges::HTTP01)
+    }
+  end
+  alias_method :http, :http01
+
+  def dns01
+    @dns01 ||= challenges.find { |challenge|
+      challenge.is_a?(Acme::Client::Resources::Challenges::DNS01)
+    }
+  end
+  alias_method :dns, :dns01
+
+  def to_h
+    {
+      url: url,
+      identifier: identifier,
+      status: status,
+      expires: expires,
+      challenges: @challenges,
+      wildcard: wildcard
+    }
   end
 
   private
 
-  def assign_attributes(body)
-    @expires = Time.iso8601(body['expires']) if body.key? 'expires'
-    @domain = body['identifier']['value']
-    @status = body['status']
-    assign_challenges(body['challenges'])
-  end
-
-  def assign_challenges(challenges)
-    challenges.each do |attributes|
-      challenge = case attributes.fetch('type')
-                  when 'http-01'
-                    @http01 ||= HTTP01.new(self)
-                  when 'dns-01'
-                    @dns01 ||= DNS01.new(self)
-                  when 'tls-sni-01'
-                    @tls_sni01 ||= TLSSNI01.new(self)
-      end
-
-      challenge.assign_attributes(attributes) if challenge
-    end
+  def initialize_challenge(attributes)
+    arguments = {
+      type: attributes.fetch('type'),
+      status: attributes.fetch('status'),
+      url: attributes.fetch('url'),
+      token: attributes.fetch('token'),
+      error: attributes['error']
+    }
+    Acme::Client::Resources::Challenges.new(@client, **arguments)
+  end
+
+  def assign_attributes(url:, status:, expires:, challenges:, identifier:, wildcard: false)
+    @url = url
+    @identifier = identifier
+    @domain = identifier.fetch('value')
+    @status = status
+    @expires = expires
+    @challenges = challenges
+    @wildcard = wildcard
   end
 end

data/lib/acme/client/resources/challenges.rb

@@ -1,6 +1,21 @@
-module Acme::Client::Resources::Challenges; end
+# frozen_string_literal: true
 
-require 'acme/client/resources/challenges/base'
-require 'acme/client/resources/challenges/http01'
-require 'acme/client/resources/challenges/dns01'
-require 'acme/client/resources/challenges/tls_sni01'
+module Acme::Client::Resources::Challenges
+  require 'acme/client/resources/challenges/base'
+  require 'acme/client/resources/challenges/http01'
+  require 'acme/client/resources/challenges/dns01'
+
+  CHALLENGE_TYPES = {
+    'http-01' => Acme::Client::Resources::Challenges::HTTP01,
+    'dns-01' => Acme::Client::Resources::Challenges::DNS01
+  }
+
+  def self.new(client, type:, **arguments)
+    klass = CHALLENGE_TYPES[type]
+    if klass
+      klass.new(client, **arguments)
+    else
+      { type: type }.merge(arguments)
+    end
+  end
+end

data/lib/acme/client/resources/challenges/base.rb

@@ -1,39 +1,43 @@
+# frozen_string_literal: true
+
 class Acme::Client::Resources::Challenges::Base
-  attr_reader :authorization, :status, :uri, :token, :error
+  attr_reader :status, :url, :token, :error
 
-  def initialize(authorization)
-    @authorization = authorization
+  def initialize(client, **arguments)
+    @client = client
+    assign_attributes(arguments)
   end
 
-  def client
-    authorization.client
+  def challenge_type
+    self.class::CHALLENGE_TYPE
   end
 
-  def verify_status
-    authorization.verify_status
+  def key_authorization
+    "#{token}.#{@client.jwk.thumbprint}"
+  end
 
-    status
+  def reload
+    assign_attributes **@client.challenge(url: url).to_h
+    true
   end
 
-  def request_verification
-    response = client.connection.post(@uri, resource: 'challenge', type: challenge_type, keyAuthorization: authorization_key)
-    response.success?
+  def request_validation
+    assign_attributes **@client.request_challenge_validation(
+      url: url, key_authorization: key_authorization
+    ).to_h
+    true
   end
 
-  def assign_attributes(attributes)
-    @status = attributes.fetch('status', 'pending')
-    @uri = attributes.fetch('uri')
-    @token = attributes.fetch('token')
-    @error = attributes['error']
+  def to_h
+    { status: status, url: url, token: token, error: error }
   end
 
   private
 
-  def challenge_type
-    self.class::CHALLENGE_TYPE
-  end
-
-  def authorization_key
-    "#{token}.#{client.jwk.thumbprint}"
+  def assign_attributes(status:, url:, token:, error: nil)
+    @status = status
+    @url = url
+    @token = token
+    @error = error
   end
 end