acme-client 0.2.4 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e2bfc1b30ebefbb87d572378e91ac4d9e47552de
-  data.tar.gz: 51bedd0f2e79328154c044f98c354b0bb2db4860
+  metadata.gz: b4f8844db80f42dfbebde13f4834adff81b31a6c
+  data.tar.gz: aac066e3a86278081ad327072318cf659065760d
 SHA512:
-  metadata.gz: 03c36be67fa43961e1c61ce1ae9abaf0922042e4281240901b520f69bc38961e7690b7301cc95dc9be6962d9e23057f46fba3d154e56c33993f9abb767c29a14
-  data.tar.gz: fb2079a8eb3c28772b01655e211a82391ee76f68ecc41cc41f95b7b800dc04aec3c6d4f9f36f8574a7d53b7bd78edf7b908a81296065bf0f29d289500a6e5bab
+  metadata.gz: 0d8ae92a14464b33d91f07e127c35016987c4b912cb65edfa2d416f1471127f3a6ea8df093ca349778a45cf745d5caeae734d8c2f2f93b6a029deb04d7841ff0
+  data.tar.gz: 7e16c99dfedf9620fb9f1879ce89fba8bbc6f547f4c589b2177e9ee96966074f35bb85ff4c0afa9edd94ec9d3203dc05f8fb5568c57754300e7ed2ea1a9b7752

data/.rubocop.yml

@@ -0,0 +1,85 @@
+AllCops:
+  TargetRubyVersion: 2.2
+  Exclude:
+    - 'bin/*'
+    - 'vendor/**/*'
+
+Rails:
+  Enabled: false
+
+Style/FileName:
+  Exclude:
+    - 'lib/acme-client.rb'
+
+Lint/AssignmentInCondition:
+  Enabled: false
+
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/MultilineOperationIndentation:
+  Enabled: false
+
+Style/SignalException:
+  EnforcedStyle: only_raise
+
+Style/AlignParameters:
+  EnforcedStyle: with_fixed_indentation
+
+Style/FirstParameterIndentation:
+  EnforcedStyle: consistent
+
+Style/TrailingCommaInArguments:
+  Enabled: false
+
+Style/TrailingCommaInLiteral:
+  Enabled: false
+
+Style/StringLiterals:
+  Enabled: single_quotes
+
+Metrics/LineLength:
+  Max: 140
+
+Metrics/ParameterLists:
+  Max: 5
+  CountKeywordArgs: false
+
+Lint/EndAlignment:
+  AlignWith: variable
+
+Style/ParallelAssignment:
+  Enabled: false
+
+Style/ModuleFunction:
+  Enabled: false
+
+Style/TrivialAccessors:
+  AllowPredicates: true
+
+Lint/UnusedMethodArgument:
+  AllowUnusedKeywordArguments: true
+
+Metrics/MethodLength:
+  Max: 15
+
+Style/DoubleNegation:
+  Enabled: false
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/MultilineBlockChain:
+  Enabled: false
+
+Style/BlockDelimiters:
+  EnforcedStyle: semantic
+
+Style/Lambda:
+  Enabled: false
+
+Style/AccessorMethodName:
+  Enabled: false

data/Gemfile

@@ -3,5 +3,6 @@ gemspec
 
 group :development, :test do
   gem 'pry'
+  gem 'rubocop', '0.36.0'
   gem 'ruby-prof', require: false
 end

data/README.md

@@ -85,7 +85,7 @@ File.write("fullchain.pem", certificate.fullchain_to_pem)
 #   :Port => 8443,
 #   :DocumentRoot => Dir.pwd,
 #   :SSLEnable => true,
-#   :SSLPrivateKey => OpenSSL::PKey::RSA.new( File.read('key.pem') ),
+#   :SSLPrivateKey => OpenSSL::PKey::RSA.new( File.read('privkey.pem') ),
 #   :SSLCertificate => OpenSSL::X509::Certificate.new( File.read('cert.pem') )); trap('INT') { s.shutdown }; s.start"
 ```
 
@@ -94,6 +94,10 @@ File.write("fullchain.pem", certificate.fullchain_to_pem)
 - Recovery methods are not implemented.
 - proofOfPossession-01 is not implemented.
 
+# Requirements
+
+Ruby >= 2.1
+
 ## Development
 
 All the tests use VCR to mock the interaction with the server but if you

data/Rakefile

@@ -1,6 +1,9 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+require 'bundler/gem_tasks'
 
+require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec)
 
-task :default => :spec
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new
+
+task default: [:spec, :rubocop]

data/lib/acme/client.rb

@@ -1,13 +1,13 @@
-require "acme-client"
+require 'acme-client'
 
 class Acme::Client
-  DEFAULT_ENDPOINT = 'http://127.0.0.1:4000'
+  DEFAULT_ENDPOINT = 'http://127.0.0.1:4000'.freeze
   DIRECTORY_DEFAULT = {
     'new-authz' => '/acme/new-authz',
     'new-cert' => '/acme/new-cert',
     'new-reg' => '/acme/new-reg',
     'revoke-cert' => '/acme/revoke-cert'
-  }
+  }.freeze
 
   def initialize(private_key:, endpoint: DEFAULT_ENDPOINT, directory_uri: nil)
     @endpoint, @private_key, @directory_uri = endpoint, private_key, directory_uri
@@ -70,12 +70,13 @@ class Acme::Client
 
   private
 
-  def fetch_chain(response, limit=10)
-    if limit == 0 || response.headers["link"].nil? || response.headers["link"]["up"].nil?
+  def fetch_chain(response, limit = 10)
+    links = response.headers['link']
+    if limit.zero? || links.nil? || links['up'].nil?
       []
     else
-      issuer = connection.get(response.headers["link"]["up"])
-      [OpenSSL::X509::Certificate.new(issuer.body), *fetch_chain(issuer, limit-1)]
+      issuer = connection.get(links['up'])
+      [OpenSSL::X509::Certificate.new(issuer.body), *fetch_chain(issuer, limit - 1)]
     end
   end
 

data/lib/acme/client/certificate.rb

@@ -24,6 +24,6 @@ class Acme::Client::Certificate
   end
 
   def common_name
-    x509.subject.to_a.find {|name, _, _| name == "CN" }[1]
+    x509.subject.to_a.find { |name, _, _| name == 'CN' }[1]
   end
 end

data/lib/acme/client/certificate_request.rb

@@ -4,43 +4,34 @@ class Acme::Client::CertificateRequest
   DEFAULT_KEY_LENGTH = 2048
   DEFAULT_DIGEST = OpenSSL::Digest::SHA256
   SUBJECT_KEYS = {
-    common_name:         "CN",
-    country_name:        "C",
-    organization_name:   "O",
-    organizational_unit: "OU",
-    state_or_province:   "ST",
-    locality_name:       "L"
+    common_name:         'CN',
+    country_name:        'C',
+    organization_name:   'O',
+    organizational_unit: 'OU',
+    state_or_province:   'ST',
+    locality_name:       'L'
   }.freeze
 
   SUBJECT_TYPES = {
-    "CN" => OpenSSL::ASN1::UTF8STRING,
-    "C"  => OpenSSL::ASN1::UTF8STRING,
-    "O"  => OpenSSL::ASN1::UTF8STRING,
-    "OU" => OpenSSL::ASN1::UTF8STRING,
-    "ST" => OpenSSL::ASN1::UTF8STRING,
-    "L"  => OpenSSL::ASN1::UTF8STRING
+    'CN' => OpenSSL::ASN1::UTF8STRING,
+    'C'  => OpenSSL::ASN1::UTF8STRING,
+    'O'  => OpenSSL::ASN1::UTF8STRING,
+    'OU' => OpenSSL::ASN1::UTF8STRING,
+    'ST' => OpenSSL::ASN1::UTF8STRING,
+    'L'  => OpenSSL::ASN1::UTF8STRING
   }.freeze
 
   attr_reader :private_key, :common_name, :names, :subject
 
   def_delegators :csr, :to_pem, :to_der
 
-  def initialize(common_name: nil,
-                 names: [],
-                 private_key: generate_private_key,
-                 subject: {},
-                 digest: DEFAULT_DIGEST.new)
-    raise ArgumentError.new("Digest must be a OpenSSL::Digest") unless digest.is_a?(OpenSSL::Digest)
+  def initialize(common_name: nil, names: [], private_key: generate_private_key, subject: {}, digest: DEFAULT_DIGEST.new)
     @digest = digest
-
     @private_key = private_key
-
     @subject = normalize_subject(subject)
     @common_name = common_name || @subject[SUBJECT_KEYS[:common_name]] || @subject[:common_name]
-
     @names = names.to_a.dup
     normalize_names
-
     @subject[SUBJECT_KEYS[:common_name]] ||= @common_name
     validate_subject
   end
@@ -56,30 +47,34 @@ class Acme::Client::CertificateRequest
   end
 
   def normalize_subject(subject)
-    @subject = subject.each_with_object({}) {|(key, value), subject|
-      subject[SUBJECT_KEYS.fetch(key, key)] = value.to_s
-    }
+    @subject = subject.each_with_object({}) do |(key, value), hash|
+      hash[SUBJECT_KEYS.fetch(key, key)] = value.to_s
+    end
   end
 
   def normalize_names
     if @common_name
       @names.unshift(@common_name) unless @names.include?(@common_name)
-    elsif @names.empty?
-      raise ArgumentError.new("No common name and no list of names given")
     else
+      raise ArgumentError, 'No common name and no list of names given' if @names.empty?
       @common_name = @names.first
     end
   end
 
   def validate_subject
+    validate_subject_attributes
+    validate_subject_common_name
+  end
+
+  def validate_subject_attributes
     extra_keys = @subject.keys - SUBJECT_KEYS.keys - SUBJECT_KEYS.values
-    unless extra_keys.empty?
-      raise ArgumentError.new("Unexpected subject attributes given: #{extra_keys.inspect}")
-    end
+    return if extra_keys.empty?
+    raise ArgumentError, "Unexpected subject attributes given: #{extra_keys.inspect}"
+  end
 
-    unless @common_name == @subject[SUBJECT_KEYS[:common_name]]
-      raise ArgumentError.new("Conflicting common name given in arguments and subject")
-    end
+  def validate_subject_common_name
+    return if @common_name == @subject[SUBJECT_KEYS[:common_name]]
+    raise ArgumentError, 'Conflicting common name given in arguments and subject'
   end
 
   def generate
@@ -103,11 +98,11 @@ class Acme::Client::CertificateRequest
     return if @names.size <= 1
 
     extension = OpenSSL::X509::ExtensionFactory.new.create_extension(
-      "subjectAltName", @names.map {|name| "DNS:#{name}" }.join(", "), false
+      'subjectAltName', @names.map { |name| "DNS:#{name}" }.join(', '), false
     )
     csr.add_attribute(
       OpenSSL::X509::Attribute.new(
-        "extReq",
+        'extReq',
         OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([extension])])
       )
     )

data/lib/acme/client/faraday_middleware.rb

@@ -9,50 +9,76 @@ class Acme::Client::FaradayMiddleware < Faraday::Middleware
   def call(env)
     @env = env
     @env.body = crypto.generate_signed_jws(header: { nonce: pop_nonce }, payload: env.body)
-    @app.call(env).on_complete {|env| on_complete(env) }
+    @app.call(env).on_complete { |response_env| on_complete(response_env) }
   end
 
   def on_complete(env)
-    raise Acme::Client::Error::NotFound, env.url.to_s if env.status == 404
+    @env = env
 
-    nonces << env.response_headers['replay-nonce']
+    raise_on_not_found!
+    store_nonce
+    env.body = decode_body
+    env.response_headers['Link'] = decode_link_headers
 
-    content_type = env.response_headers['Content-Type']
+    return if env.success?
 
-    if content_type == 'application/json' || content_type == 'application/problem+json'
-      env.body = JSON.load(env.body)
-    end
+    raise_on_error!
+  end
 
-    if env.response_headers.key?('Link')
-      link_header = env.response_headers['Link']
-      links = link_header.split(', ').map do |entry|
-        link = entry.match(/<(.*?)>;/).captures.first
-        name = entry.match(/rel="([\w-]+)"/).captures.first
-        [name, link]
-      end
+  private
 
-      env.response_headers['Link'] = Hash[*links.flatten]
-    end
+  def raise_on_not_found!
+    raise Acme::Client::Error::NotFound, env.url.to_s if env.status == 404
+  end
 
-    return if env.success?
+  def raise_on_error!
+    raise error_class, error_message
+  end
 
+  def error_message
+    if env.body.is_a? Hash
+      env.body['detail']
+    else
+      "Error message: #{env.body}"
+    end
+  end
+
+  def error_class
     error_name = env.body['type'].gsub('urn:acme:error:', '').classify
-    error_class = if Acme::Client::Error.qualified_const_defined?(error_name)
+    if Acme::Client::Error.qualified_const_defined?(error_name)
       "Acme::Client::Error::#{error_name}".constantize
     else
       Acme::Client::Error
     end
+  end
 
-    message = if env.body.is_a? Hash
-      env.body['detail']
+  def decode_body
+    content_type = env.response_headers['Content-Type']
+
+    if content_type == 'application/json' || content_type == 'application/problem+json'
+      JSON.load(env.body)
     else
-      "Error message: #{env.body}"
+      env.body
     end
+  end
+
+  LINK_MATCH = /<(.*?)>;rel="([\w-]+)"/
+
+  def decode_link_headers
+    return unless env.response_headers.key?('Link')
+    link_header = env.response_headers['Link']
 
-    raise error_class, message
+    links = link_header.split(', ').map { |entry|
+      _, link, name = *entry.match(LINK_MATCH)
+      [name, link]
+    }
+
+    Hash[*links.flatten]
   end
 
-  private
+  def store_nonce
+    nonces << env.response_headers['replay-nonce']
+  end
 
   def pop_nonce
     if nonces.empty?

data/lib/acme/client/resources/authorization.rb

@@ -3,7 +3,7 @@ class Acme::Client::Resources::Authorization
   DNS01 = Acme::Client::Resources::Challenges::DNS01
   TLSSNI01 = Acme::Client::Resources::Challenges::TLSSNI01
 
-  attr_reader :domain, :status, :http01, :dns01, :tls_sni01
+  attr_reader :domain, :status, :expires, :http01, :dns01, :tls_sni01
 
   def initialize(client, response)
     @client = client
@@ -19,13 +19,13 @@ class Acme::Client::Resources::Authorization
       when 'http-01' then @http01 = HTTP01.new(@client, attributes)
       when 'dns-01' then @dns01 = DNS01.new(@client, attributes)
       when 'tls-sni-01' then @tls_sni01 = TLSSNI01.new(@client, attributes)
-      else
-        # no supported
+        # else no-op
       end
     end
   end
 
   def assign_attributes(body)
+    @expires = Time.iso8601(body['expires']) if body.key? 'expires'
     @domain = body['identifier']['value']
     @status = body['status']
   end

data/lib/acme/client/resources/challenges/base.rb

@@ -1,5 +1,4 @@
 class Acme::Client::Resources::Challenges::Base
-
   attr_reader :client, :status, :uri, :token, :error
 
   def initialize(client, attributes)
@@ -15,8 +14,17 @@ class Acme::Client::Resources::Challenges::Base
     status
   end
 
+  def request_verification
+    response = @client.connection.post(@uri, resource: 'challenge', type: challenge_type, keyAuthorization: authorization_key)
+    response.success?
+  end
+
   private
 
+  def challenge_type
+    self.class::CHALLENGE_TYPE
+  end
+
   def authorization_key
     "#{token}.#{crypto.thumbprint}"
   end

data/lib/acme/client/resources/challenges/dns01.rb

@@ -1,4 +1,5 @@
 class Acme::Client::Resources::Challenges::DNS01 < Acme::Client::Resources::Challenges::Base
+  CHALLENGE_TYPE = 'dns-01'.freeze
   RECORD_NAME = '_acme-challenge'.freeze
   RECORD_TYPE = 'TXT'.freeze
 
@@ -11,11 +12,6 @@ class Acme::Client::Resources::Challenges::DNS01 < Acme::Client::Resources::Chal
   end
 
   def record_content
-    crypto.digest.hexdigest(authorization_key)
-  end
-
-  def request_verification
-    response = @client.connection.post(@uri, { resource: 'challenge', type: 'dns-01', keyAuthorization: authorization_key })
-    response.success?
+    Base64.urlsafe_encode64(crypto.digest.digest(authorization_key)).sub(/[\s=]*\z/, '')
   end
 end

data/lib/acme/client/resources/challenges/http01.rb

@@ -1,4 +1,5 @@
 class Acme::Client::Resources::Challenges::HTTP01 < Acme::Client::Resources::Challenges::Base
+  CHALLENGE_TYPE = 'http-01'.freeze
   CONTENT_TYPE = 'text/plain'.freeze
 
   def content_type
@@ -12,9 +13,4 @@ class Acme::Client::Resources::Challenges::HTTP01 < Acme::Client::Resources::Cha
   def filename
     ".well-known/acme-challenge/#{token}"
   end
-
-  def request_verification
-    response = client.connection.post(@uri, { resource: 'challenge', type: 'http-01', keyAuthorization: authorization_key })
-    response.success?
-  end
 end

data/lib/acme/client/resources/challenges/tls_sni01.rb

@@ -1,4 +1,6 @@
 class Acme::Client::Resources::Challenges::TLSSNI01 < Acme::Client::Resources::Challenges::Base
+  CHALLENGE_TYPE = 'tls-sni-01'.freeze
+
   def hostname
     digest = crypto.digest.hexdigest(authorization_key)
     "#{digest[0..31]}.#{digest[32..64]}.acme.invalid"
@@ -12,11 +14,6 @@ class Acme::Client::Resources::Challenges::TLSSNI01 < Acme::Client::Resources::C
     self_sign_certificate.private_key
   end
 
-  def request_verification
-    response = client.connection.post(@uri, { resource: 'challenge', type: 'tls-sni-01', keyAuthorization: authorization_key })
-    response.success?
-  end
-
   private
 
   def self_sign_certificate

data/lib/acme/client/resources/registration.rb

@@ -9,22 +9,16 @@ class Acme::Client::Resources::Registration
   end
 
   def get_terms
-    if @term_of_service_uri
-      @client.connection.get(@term_of_service_uri).body
-    end
+    return unless @term_of_service_uri
+
+    @client.connection.get(@term_of_service_uri).body
   end
 
   def agree_terms
-    if @term_of_service_uri
-      payload = {
-        resource: "reg",
-        agreement: @term_of_service_uri
-      }
-      response = @client.connection.post(@uri, { resource: 'reg', agreement: @term_of_service_uri })
-      response.success?
-    else
-      true
-    end
+    return true unless @term_of_service_uri
+
+    response = @client.connection.post(@uri, resource: 'reg', agreement: @term_of_service_uri)
+    response.success?
   end
 
   private

data/lib/acme/client/self_sign_certificate.rb

@@ -13,15 +13,9 @@ class Acme::Client::SelfSignCertificate
 
   def certificate
     @certificate ||= begin
-      certificate = OpenSSL::X509::Certificate.new
-      certificate.not_before = not_before
-      certificate.not_after = not_after
-      certificate.public_key = private_key.public_key
-
-      extension_factory = OpenSSL::X509::ExtensionFactory.new
-      extension_factory.subject_certificate = certificate
-      extension_factory.issuer_certificate = certificate
+      certificate = generate_certificate
 
+      extension_factory = generate_extension_factory(certificate)
       subject_alt_name_entry = subject_alt_names.map { |d| "DNS: #{d}" }.join(',')
       subject_alt_name_extension = extension_factory.create_extension('subjectAltName', subject_alt_name_entry)
       certificate.add_extension(subject_alt_name_extension)
@@ -37,7 +31,7 @@ class Acme::Client::SelfSignCertificate
   end
 
   def default_not_before
-    Time.now + 3600
+    Time.now - 3600
   end
 
   def default_not_after
@@ -47,4 +41,19 @@ class Acme::Client::SelfSignCertificate
   def digest
     OpenSSL::Digest::SHA256.new
   end
+
+  def generate_certificate
+    certificate = OpenSSL::X509::Certificate.new
+    certificate.not_before = not_before
+    certificate.not_after = not_after
+    certificate.public_key = private_key.public_key
+    certificate
+  end
+
+  def generate_extension_factory(certificate)
+    extension_factory = OpenSSL::X509::ExtensionFactory.new
+    extension_factory.subject_certificate = certificate
+    extension_factory.issuer_certificate = certificate
+    extension_factory
+  end
 end

data/lib/acme/client/version.rb

@@ -1,5 +1,5 @@
 module Acme
   class Client
-    VERSION = '0.2.4'
+    VERSION = '0.3.0'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: acme-client
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Charles Barbier
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-22 00:00:00.000000000 Z
+date: 2016-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -153,6 +153,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
 - ".travis.yml"
 - Gemfile
 - LICENSE.txt
@@ -198,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Client for the ACME protocol.