acme-client 2.0.0 → 2.0.18

data/lib/acme/client/resources/account.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Account
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def kid
@@ -13,19 +13,19 @@ class Acme::Client::Resources::Account
   end
 
   def update(contact: nil, terms_of_service_agreed: nil)
-    assign_attributes **@client.account_update(
+    assign_attributes(**@client.account_update(
       contact: contact, terms_of_service_agreed: term_of_service
-    ).to_h
+    ).to_h)
     true
   end
 
   def deactivate
-    assign_attributes **@client.account_deactivate.to_h
+    assign_attributes(**@client.account_deactivate.to_h)
     true
   end
 
   def reload
-    assign_attributes **@client.account.to_h
+    assign_attributes(**@client.account.to_h)
     true
   end
 

data/lib/acme/client/resources/authorization.rb

@@ -5,16 +5,16 @@ class Acme::Client::Resources::Authorization
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def deactivate
-    assign_attributes **@client.deactivate_authorization(url: url).to_h
+    assign_attributes(**@client.deactivate_authorization(url: url).to_h)
     true
   end
 
   def reload
-    assign_attributes **@client.authorization(url: url).to_h
+    assign_attributes(**@client.authorization(url: url).to_h)
     true
   end
 
@@ -56,7 +56,7 @@ class Acme::Client::Resources::Authorization
       type: attributes.fetch('type'),
       status: attributes.fetch('status'),
       url: attributes.fetch('url'),
-      token: attributes.fetch('token'),
+      token: attributes.fetch('token', nil),
       error: attributes['error']
     }
     Acme::Client::Resources::Challenges.new(@client, **arguments)

data/lib/acme/client/resources/challenges/base.rb

@@ -5,7 +5,7 @@ class Acme::Client::Resources::Challenges::Base
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def challenge_type
@@ -17,14 +17,14 @@ class Acme::Client::Resources::Challenges::Base
   end
 
   def reload
-    assign_attributes **@client.challenge(url: url).to_h
+    assign_attributes(**@client.challenge(url: url).to_h)
     true
   end
 
   def request_validation
-    assign_attributes **@client.request_challenge_validation(
-      url: url, key_authorization: key_authorization
-    ).to_h
+    assign_attributes(**send_challenge_validation(
+      url: url
+    ))
     true
   end
 
@@ -34,6 +34,12 @@ class Acme::Client::Resources::Challenges::Base
 
   private
 
+  def send_challenge_validation(url:)
+    @client.request_challenge_validation(
+      url: url
+    ).to_h
+  end
+
   def assign_attributes(status:, url:, token:, error: nil)
     @status = status
     @url = url

data/lib/acme/client/resources/challenges/unsupported_challenge.rb

@@ -0,0 +1,2 @@
+class Acme::Client::Resources::Challenges::Unsupported < Acme::Client::Resources::Challenges::Base
+end

data/lib/acme/client/resources/challenges.rb

@@ -4,6 +4,7 @@ module Acme::Client::Resources::Challenges
   require 'acme/client/resources/challenges/base'
   require 'acme/client/resources/challenges/http01'
   require 'acme/client/resources/challenges/dns01'
+  require 'acme/client/resources/challenges/unsupported_challenge'
 
   CHALLENGE_TYPES = {
     'http-01' => Acme::Client::Resources::Challenges::HTTP01,
@@ -11,11 +12,6 @@ module Acme::Client::Resources::Challenges
   }
 
   def self.new(client, type:, **arguments)
-    klass = CHALLENGE_TYPES[type]
-    if klass
-      klass.new(client, **arguments)
-    else
-      { type: type }.merge(arguments)
-    end
+    CHALLENGE_TYPES.fetch(type, Unsupported).new(client, **arguments)
   end
 end

data/lib/acme/client/resources/directory.rb

@@ -17,12 +17,13 @@ class Acme::Client::Resources::Directory
     external_account_required: 'externalAccountRequired'
   }
 
-  def initialize(url, connection_options)
-    @url, @connection_options = url, connection_options
+  def initialize(client, **arguments)
+    @client = client
+    assign_attributes(**arguments)
   end
 
   def endpoint_for(key)
-    directory.fetch(key) do |missing_key|
+    @directory.fetch(key) do |missing_key|
       raise Acme::Client::Error::UnsupportedOperation,
         "Directory at #{@url} does not include `#{missing_key}`"
     end
@@ -45,31 +46,16 @@ class Acme::Client::Resources::Directory
   end
 
   def meta
-    directory[:meta]
+    @directory[:meta]
   end
 
   private
 
-  def directory
-    @directory ||= load_directory
-  end
-
-  def load_directory
-    body = fetch_directory
-    result = {}
-    result[:meta] = body.delete('meta')
+  def assign_attributes(directory:)
+    @directory = {}
+    @directory[:meta] = directory.delete('meta')
     DIRECTORY_RESOURCES.each do |key, entry|
-      result[key] = URI(body[entry]) if body[entry]
+      @directory[key] = URI(directory[entry]) if directory[entry]
     end
-    result
-  rescue JSON::ParserError => exception
-    raise InvalidDirectory, "Invalid directory url\n#{@directory} did not return a valid directory\n#{exception.inspect}"
-  end
-
-  def fetch_directory
-    connection = Faraday.new(url: @directory, **@connection_options)
-    connection.headers[:user_agent] = Acme::Client::USER_AGENT
-    response = connection.get(@url)
-    JSON.parse(response.body)
   end
 end

data/lib/acme/client/resources/order.rb

@@ -5,11 +5,11 @@ class Acme::Client::Resources::Order
 
   def initialize(client, **arguments)
     @client = client
-    assign_attributes(arguments)
+    assign_attributes(**arguments)
   end
 
   def reload
-    assign_attributes **@client.order(url: url).to_h
+    assign_attributes(**@client.order(url: url).to_h)
     true
   end
 
@@ -20,13 +20,13 @@ class Acme::Client::Resources::Order
   end
 
   def finalize(csr:)
-    assign_attributes **@client.finalize(url: finalize_url, csr: csr).to_h
+    assign_attributes(**@client.finalize(url: finalize_url, csr: csr).to_h)
     true
   end
 
-  def certificate
+  def certificate(force_chain: nil)
     if certificate_url
-      @client.certificate(url: certificate_url)
+      @client.certificate(url: certificate_url, force_chain: force_chain)
     else
       raise Acme::Client::Error::CertificateNotReady, 'No certificate_url to collect the order'
     end

data/lib/acme/client/util.rb

@@ -1,8 +1,21 @@
 module Acme::Client::Util
+  extend self
+
   def urlsafe_base64(data)
     Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
   end
 
+  LINK_MATCH = /<(.*?)>\s?;\s?rel="([\w-]+)"/
+
+  # See RFC 8288 - https://tools.ietf.org/html/rfc8288#section-3
+  def decode_link_headers(link_header)
+    link_header.split(',').each_with_object({}) { |entry, hash|
+      _, link, name = *entry.match(LINK_MATCH)
+      hash[name] ||= []
+      hash[name].push(link)
+    }
+  end
+
   # Sets public key on CSR or cert.
   #
   # obj  - An OpenSSL::X509::Certificate or OpenSSL::X509::Request instance.
@@ -19,6 +32,4 @@ module Acme::Client::Util
       raise ArgumentError, 'priv must be EC or RSA'
     end
   end
-
-  extend self
 end

data/lib/acme/client/version.rb

@@ -2,6 +2,6 @@
 
 module Acme
   class Client
-    VERSION = '2.0.0'.freeze
+    VERSION = '2.0.18'.freeze
   end
 end

data/lib/acme/client.rb

@@ -1,24 +1,27 @@
 # frozen_string_literal: true
 
 require 'faraday'
+require 'faraday/retry'
 require 'json'
 require 'openssl'
 require 'digest'
 require 'forwardable'
 require 'base64'
 require 'time'
+require 'uri'
 
 module Acme; end
 class Acme::Client; end
 
 require 'acme/client/version'
+require 'acme/client/http_client'
 require 'acme/client/certificate_request'
 require 'acme/client/self_sign_certificate'
 require 'acme/client/resources'
-require 'acme/client/faraday_middleware'
 require 'acme/client/jwk'
 require 'acme/client/error'
 require 'acme/client/util'
+require 'acme/client/chain_identifier'
 
 class Acme::Client
   DEFAULT_DIRECTORY = 'http://127.0.0.1:4000/directory'.freeze
@@ -28,7 +31,7 @@ class Acme::Client
     pem: 'application/pem-certificate-chain'
   }
 
-  def initialize(jwk: nil, kid: nil, private_key: nil, directory: DEFAULT_DIRECTORY, connection_options: {})
+  def initialize(jwk: nil, kid: nil, private_key: nil, directory: DEFAULT_DIRECTORY, connection_options: {}, bad_nonce_retry: 0)
     if jwk.nil? && private_key.nil?
       raise ArgumentError, 'must specify jwk or private_key'
     end
@@ -40,13 +43,15 @@ class Acme::Client
     end
 
     @kid, @connection_options = kid, connection_options
-    @directory = Acme::Client::Resources::Directory.new(URI(directory), @connection_options)
+    @bad_nonce_retry = bad_nonce_retry
+    @directory_url = URI(directory)
     @nonces ||= []
   end
 
   attr_reader :jwk, :nonces
 
-  def new_account(contact:, terms_of_service_agreed: nil)
+  def new_account(contact:, terms_of_service_agreed: nil, external_account_binding: nil)
+    new_account_endpoint = endpoint_for(:new_account)
     payload = {
       contact: Array(contact)
     }
@@ -55,7 +60,18 @@ class Acme::Client
       payload[:termsOfServiceAgreed] = terms_of_service_agreed
     end
 
-    response = post(endpoint_for(:new_account), payload: payload, mode: :jws)
+    if external_account_binding
+      kid, hmac_key = external_account_binding.values_at(:kid, :hmac_key)
+      if kid.nil? || hmac_key.nil?
+        raise ArgumentError, 'must specify kid and hmac_key key for external_account_binding'
+      end
+
+      hmac = Acme::Client::JWK::HMAC.new(Base64.urlsafe_decode64(hmac_key))
+      external_account_payload = hmac.jws(header: { kid: kid, url: new_account_endpoint }, payload: @jwk)
+      payload[:externalAccountBinding] = JSON.parse(external_account_payload)
+    end
+
+    response = post(new_account_endpoint, payload: payload, mode: :jws)
     @kid = response.headers.fetch(:location)
 
     if response.body.nil? || response.body.empty?
@@ -82,13 +98,35 @@ class Acme::Client
     Acme::Client::Resources::Account.new(self, url: kid, **arguments)
   end
 
+  def account_key_change(new_private_key: nil, new_jwk: nil)
+    if new_private_key.nil? && new_jwk.nil?
+      raise ArgumentError, 'must specify new_jwk or new_private_key'
+    end
+    old_jwk = jwk
+    new_jwk ||= Acme::Client::JWK.from_private_key(new_private_key)
+
+    inner_payload_header = {
+      url: endpoint_for(:key_change)
+    }
+    inner_payload = {
+      account: kid,
+      oldKey: old_jwk.to_h
+    }
+    payload = JSON.parse(new_jwk.jws(header: inner_payload_header, payload: inner_payload))
+
+    response = post(endpoint_for(:key_change), payload: payload, mode: :kid)
+    arguments = attributes_from_account_response(response)
+    @jwk = new_jwk
+    Acme::Client::Resources::Account.new(self, url: kid, **arguments)
+  end
+
   def account
     @kid ||= begin
       response = post(endpoint_for(:new_account), payload: { onlyReturnExisting: true }, mode: :jwk)
       response.headers.fetch(:location)
     end
 
-    response = post(@kid)
+    response = post_as_get(@kid)
     arguments = attributes_from_account_response(response)
     Acme::Client::Resources::Account.new(self, url: @kid, **arguments)
   end
@@ -99,13 +137,7 @@ class Acme::Client
 
   def new_order(identifiers:, not_before: nil, not_after: nil)
     payload = {}
-    payload['identifiers'] = if identifiers.is_a?(Hash)
-      identifiers
-    else
-      Array(identifiers).map do |identifier|
-        { type: 'dns', value: identifier }
-      end
-    end
+    payload['identifiers'] = prepare_order_identifiers(identifiers)
     payload['notBefore'] = not_before if not_before
     payload['notAfter'] = not_after if not_after
 
@@ -115,7 +147,7 @@ class Acme::Client
   end
 
   def order(url:)
-    response = get(url)
+    response = post_as_get(url)
     arguments = attributes_from_order_response(response)
     Acme::Client::Resources::Order.new(self, **arguments.merge(url: url))
   end
@@ -131,13 +163,28 @@ class Acme::Client
     Acme::Client::Resources::Order.new(self, **arguments)
   end
 
-  def certificate(url:)
+  def certificate(url:, force_chain: nil)
     response = download(url, format: :pem)
-    response.body
+    pem = response.body
+
+    return pem if force_chain.nil?
+
+    return pem if ChainIdentifier.new(pem).match_name?(force_chain)
+
+    alternative_urls = Array(response.headers.dig('link', 'alternate'))
+    alternative_urls.each do |alternate_url|
+      response = download(alternate_url, format: :pem)
+      pem = response.body
+      if ChainIdentifier.new(pem).match_name?(force_chain)
+        return pem
+      end
+    end
+
+    raise Acme::Client::Error::ForcedChainNotFound, "Could not find any matching chain for `#{force_chain}`"
   end
 
   def authorization(url:)
-    response = get(url)
+    response = post_as_get(url)
     arguments = attributes_from_authorization_response(response)
     Acme::Client::Resources::Authorization.new(self, url: url, **arguments)
   end
@@ -149,13 +196,13 @@ class Acme::Client
   end
 
   def challenge(url:)
-    response = get(url)
+    response = post_as_get(url)
     arguments = attributes_from_challenge_response(response)
     Acme::Client::Resources::Challenges.new(self, **arguments)
   end
 
-  def request_challenge_validation(url:, key_authorization:)
-    response = post(url, payload: { keyAuthorization: key_authorization })
+  def request_challenge_validation(url:, key_authorization: nil)
+    response = post(url, payload: {})
     arguments = attributes_from_challenge_response(response)
     Acme::Client::Resources::Challenges.new(self, **arguments)
   end
@@ -176,33 +223,64 @@ class Acme::Client
   end
 
   def get_nonce
-    response = Faraday.head(endpoint_for(:new_nonce), nil, 'User-Agent' => USER_AGENT)
+    http_client = Acme::Client::HTTPClient.new_connection(url: endpoint_for(:new_nonce), options: @connection_options)
+    response = http_client.head(nil, nil)
     nonces << response.headers['replay-nonce']
     true
   end
 
+  def directory
+    @directory ||= load_directory
+  end
+
   def meta
-    @directory.meta
+    directory.meta
   end
 
   def terms_of_service
-    @directory.terms_of_service
+    directory.terms_of_service
   end
 
   def website
-    @directory.website
+    directory.website
   end
 
   def caa_identities
-    @directory.caa_identities
+    directory.caa_identities
   end
 
   def external_account_required
-    @directory.external_account_required
+    directory.external_account_required
   end
 
   private
 
+  def load_directory
+    Acme::Client::Resources::Directory.new(self, directory: fetch_directory)
+  end
+
+  def fetch_directory
+    response = get(@directory_url)
+    response.body
+  rescue JSON::ParserError => exception
+    raise Acme::Client::Error::InvalidDirectory,
+      "Invalid directory url\n#{@directory_url} did not return a valid directory\n#{exception.inspect}"
+  end
+
+  def prepare_order_identifiers(identifiers)
+    if identifiers.is_a?(Hash)
+      [identifiers]
+    else
+      Array(identifiers).map do |identifier|
+        if identifier.is_a?(String)
+          { type: 'dns', value: identifier }
+        else
+          identifier
+        end
+      end
+    end
+  end
+
   def attributes_from_account_response(response)
     extract_attributes(
       response.body,
@@ -249,14 +327,19 @@ class Acme::Client
     connection.post(url, payload)
   end
 
-  def get(url, mode: :kid)
+  def post_as_get(url, mode: :kid)
+    connection = connection_for(url: url, mode: mode)
+    connection.post(url, nil)
+  end
+
+  def get(url, mode: :get)
     connection = connection_for(url: url, mode: mode)
     connection.get(url)
   end
 
   def download(url, format:)
-    connection = connection_for(url: url, mode: :download)
-    connection.get do |request|
+    connection = connection_for(url: url, mode: :kid)
+    connection.post do |request|
       request.url(url)
       request.headers['Accept'] = CONTENT_TYPES.fetch(format)
     end
@@ -265,29 +348,15 @@ class Acme::Client
   def connection_for(url:, mode:)
     uri = URI(url)
     endpoint = "#{uri.scheme}://#{uri.hostname}:#{uri.port}"
+
     @connections ||= {}
     @connections[mode] ||= {}
-    @connections[mode][endpoint] ||= new_connection(endpoint: endpoint, mode: mode)
-  end
-
-  def new_connection(endpoint:, mode:)
-    Faraday.new(endpoint, **@connection_options) do |configuration|
-      configuration.use Acme::Client::FaradayMiddleware, client: self, mode: mode
-      configuration.adapter Faraday.default_adapter
-    end
-  end
-
-  def fetch_chain(response, limit = 10)
-    links = response.headers['link']
-    if limit.zero? || links.nil? || links['up'].nil?
-      []
-    else
-      issuer = get(links['up'])
-      [OpenSSL::X509::Certificate.new(issuer.body), *fetch_chain(issuer, limit - 1)]
-    end
+    @connections[mode][endpoint] ||= Acme::Client::HTTPClient.new_acme_connection(
+      url: URI(endpoint), mode: mode, client: self, options: @connection_options, bad_nonce_retry: @bad_nonce_retry
+    )
   end
 
   def endpoint_for(key)
-    @directory.endpoint_for(key)
+    directory.endpoint_for(key)
   end
 end