acme_plugin 0.0.13

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6666fcd67062f236c49381267588d414edddd669c4f8520abdff1b918df2b48c
+  data.tar.gz: aa9045732686e8149e4fde70f98303f5ba93250af488904b9ab3ca8e007a7314
+SHA512:
+  metadata.gz: 2ecad8e88f8138d7ef00129396d8ea4908fe89dbb1831378124c856309b4d7fba8016a313acbc92663fd928aa40d749c065a60e8dc87edfd276e6bbc90ca9610
+  data.tar.gz: db3cfe8b2ce24e2f56bfa6f11d91acd42cf9017c6d5d13423a28ddc4d4cd58fd12c92b4f50c1cb7fc34b20455476c749ba7887cdc6e2d2cf2384779ef2571101

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2015-2018 Lukasz Gromanowski <lgromanowski@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,33 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'AcmePlugin'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path('../test/dummy/Rakefile', __FILE__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/controllers/acme_plugin/application_controller.rb

@@ -0,0 +1,34 @@
+module AcmePlugin
+  class ApplicationController < ActionController::Base
+    before_action :challenge_response, only: [:index]
+    before_action :validate_length, only: [:index]
+    protect_from_forgery with: :exception
+
+    def index
+      # There is only one item in DB with challenge response from our task
+      # we will use it to render plain text response
+      render plain: @response.response, status: :ok
+    end
+
+    private
+
+    def validate_length
+      # Challenge request should have at least 128bit
+      challenge_failed('Challenge failed - Request has invalid length!') if invalid_length
+    end
+
+    def challenge_response
+      @response = AcmePlugin.config.challenge_dir_name.present? ? Challenge.new : Challenge.first
+      challenge_failed('Challenge failed - Can not get response from database!') if @response.nil?
+    end
+
+    def challenge_failed(msg)
+      Rails.logger.error(msg)
+      render plain: msg, status: :bad_request
+    end
+
+    def invalid_length
+      params[:challenge].nil? || params[:challenge].length < 16 || params[:challenge].length > 256
+    end
+  end
+end

data/app/models/acme_plugin/challenge.rb

@@ -0,0 +1,17 @@
+module AcmePlugin
+  # if the project doesn't use ActiveRecord, we assume the challenge will
+  # be stored in the filesystem
+  if AcmePlugin.config.challenge_dir_name.blank? && defined?(ActiveRecord::Base) == 'constant' && ActiveRecord::Base.class == Class
+    class Challenge < ActiveRecord::Base
+    end
+  else
+    class Challenge
+      attr_accessor :response
+
+      def initialize
+        full_challenge_dir = File.join(Rails.root, AcmePlugin.config.challenge_dir_name, 'challenge')
+        @response = IO.read(full_challenge_dir)
+      end
+    end
+  end
+end

data/app/models/acme_plugin/setting.rb

@@ -0,0 +1,10 @@
+module AcmePlugin
+  if AcmePlugin.config.challenge_dir_name.blank? && defined?(ActiveRecord::Base) == 'constant' && ActiveRecord::Base.class == Class
+    class Setting < ActiveRecord::Base
+    end
+  else
+    class Setting
+      attr_accessor :private_key
+    end
+  end
+end

data/config/routes.rb

@@ -0,0 +1,3 @@
+AcmePlugin::Engine.routes.draw do
+  get '.well-known/acme-challenge/:challenge' => 'application#index'
+end

data/db/migrate/20151206135029_create_acme_plugin_challenges.rb

@@ -0,0 +1,9 @@
+class CreateAcmePluginChallenges < ActiveRecord::Migration[4.2]
+  def change
+    create_table :acme_plugin_challenges do |t|
+      t.text :response
+
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20160412195212_create_acme_plugin_settings.rb

@@ -0,0 +1,9 @@
+class CreateAcmePluginSettings < ActiveRecord::Migration[4.2]
+  def change
+    create_table :acme_plugin_settings do |t|
+      t.text :private_key
+
+      t.timestamps null: false
+    end
+  end
+end

data/lib/acme_plugin.rb

@@ -0,0 +1,146 @@
+require 'acme_plugin/engine'
+require 'acme_plugin/file_output'
+require 'acme_plugin/heroku_output'
+require 'acme_plugin/file_store'
+require 'acme_plugin/database_store'
+require 'acme_plugin/configuration'
+require 'acme_plugin/private_key_store'
+require 'acme-client'
+
+module AcmePlugin
+  def self.config
+    # load files on demand
+    @config ||= Configuration.load_file
+  end
+
+  def self.config=(config)
+    @config = config
+  end
+
+  class CertGenerator
+    attr_reader :options, :cert, :client
+
+    def initialize(options = {})
+      @options = options
+      @options.freeze
+    end
+
+    def generate_certificate
+      register
+      domains = @options[:domain].split(' ')
+      return unless authorize_and_handle_challenge(domains)
+      # We can now request a certificate
+      Rails.logger.info('Creating CSR...')
+      @cert = @client.new_certificate(Acme::Client::CertificateRequest.new(names: domains))
+      save_certificate(@cert)
+      Rails.logger.info('Certificate has been generated.')
+    end
+
+    def authorize_and_handle_challenge(domains)
+      result = false
+      domains.each do |domain|
+        authorize(domain)
+        handle_challenge
+        request_challenge_verification
+        result = valid_verification_status
+        break unless result
+      end
+      result
+    end
+
+    def client
+      @client ||= Acme::Client.new(private_key: private_key, endpoint: @options[:endpoint])
+    end
+
+    def private_key
+      store ||= PrivateKeyStore.new(private_key_from_db) if @options.fetch(:private_key_in_db, false)
+
+      pk_id = @options.fetch(:private_key, nil)
+
+      raise 'Private key is not set, please check your config/acme_plugin.yml file!' if pk_id.nil? || pk_id.empty?
+
+      store ||= PrivateKeyStore.new(private_key_from_file(private_key_path(pk_id))) if File.file?(private_key_path(pk_id))
+
+      raise "Can not open private key: #{private_key_path(pk_id)}" if File.directory?(private_key_path(pk_id))
+
+      store ||= PrivateKeyStore.new(pk_id)
+      store.retrieve
+    end
+
+    def private_key_path(private_key_file)
+      Rails.root.join(private_key_file)
+    end
+
+    def private_key_from_db
+      settings = AcmePlugin::Setting.first
+      raise 'Empty private_key field in settings table!' if settings.private_key.nil?
+      settings.private_key
+    end
+
+    def private_key_from_file(filepath)
+      File.read(filepath)
+    end
+
+    def register
+      Rails.logger.info('Trying to register at Let\'s Encrypt service...')
+      registration = client.register(contact: "mailto:#{@options[:email]}")
+      registration.agree_terms
+      Rails.logger.info('Registration succeed.')
+    rescue => e
+      Rails.logger.info("#{e.class} - #{e.message}. Already registered.")
+    end
+
+    def common_domain_name
+      @domain ||= @options[:cert_name] || @options[:domain].split(' ').first.to_s
+    end
+
+    def authorize(domain = common_domain_name)
+      Rails.logger.info("Sending authorization request for: #{domain}...")
+      @authorization = client.authorize(domain: domain)
+    end
+
+    def store_challenge(challenge)
+      if @options[:challenge_dir_name].nil? || @options[:challenge_dir_name].empty?
+        DatabaseStore.new(challenge.file_content).store
+      else
+        FileStore.new(challenge.file_content, @options[:challenge_dir_name]).store
+      end
+      sleep(2)
+    end
+
+    def handle_challenge
+      @challenge = @authorization.http01
+      store_challenge(@challenge)
+    end
+
+    def request_challenge_verification
+      @challenge.request_verification
+    end
+
+    def wait_for_status(challenge)
+      Rails.logger.info('Waiting for challenge status...')
+      counter = 0
+      while challenge.verify_status == 'pending' && counter < 10
+        sleep(1)
+        counter += 1
+      end
+    end
+
+    def valid_verification_status
+      wait_for_status(@challenge)
+      return true if @challenge.verify_status == 'valid'
+      Rails.logger.error('Challenge verification failed! ' \
+        "Error: #{@challenge.error['type']}: #{@challenge.error['detail']}")
+      false
+    end
+
+    # Save the certificate and key
+    def save_certificate(certificate)
+      return unless certificate
+      return HerokuOutput.new(common_domain_name, certificate).output unless ENV['DYNO'].nil?
+      output_dir = File.join(Rails.root, @options[:output_cert_dir])
+      return FileOutput.new(common_domain_name, certificate, output_dir).output if File.directory?(output_dir)
+      Rails.logger.error("Output directory: '#{output_dir}' does not exist!")
+    end
+  end
+end

data/lib/acme_plugin/certificate_output.rb

@@ -0,0 +1,17 @@
+module AcmePlugin
+  class CertificateOutput
+    def initialize(domain, cert)
+      @certificate = cert
+      @domain = domain
+    end
+
+    def output
+      display_info
+
+      output_cert('cert.pem', @certificate.to_pem)
+      output_cert('key.pem', @certificate.request.private_key.to_pem)
+      output_cert('chain.pem', @certificate.chain_to_pem)
+      output_cert('fullchain.pem', @certificate.fullchain_to_pem)
+    end
+  end
+end

data/lib/acme_plugin/challenge_store.rb

@@ -0,0 +1,18 @@
+module AcmePlugin
+  class ChallengeStore
+    def initialize(challenge_content)
+      @content = challenge_content
+    end
+
+    def store
+      display_info
+      store_content
+    end
+
+    protected
+
+    def display_info
+      Rails.logger.info('Storing challenge information...')
+    end
+  end
+end

data/lib/acme_plugin/configuration.rb

@@ -0,0 +1,27 @@
+module AcmePlugin
+  Config = Class.new(OpenStruct)
+
+  # This is a class whose responsibility is to load the lets_encrypt configuration file
+  module Configuration
+    def self.load_file(filename = Rails.root.join('config', 'acme_plugin.yml'))
+      config_data = parse_yaml_file(filename)
+      create_config(config_data)
+    end
+
+    def self.create_config(config_hash)
+      Config.new(config_hash.merge(config_hash.fetch(Rails.env, {})) || {})
+    end
+
+    def self.read_file(filename)
+      File.read(filename)
+    end
+
+    def self.evaluate_file(filename)
+      ERB.new(read_file(filename)).result
+    end
+
+    def self.parse_yaml_file(filename)
+      YAML.load(evaluate_file(filename))
+    end
+  end
+end

data/lib/acme_plugin/database_store.rb

@@ -0,0 +1,11 @@
+require 'acme_plugin/challenge_store'
+
+module AcmePlugin
+  class DatabaseStore < ChallengeStore
+    def store_content
+      ch = AcmePlugin::Challenge.first
+      ch = AcmePlugin::Challenge.new if ch.nil?
+      ch.update(response: @content)
+    end
+  end
+end

data/lib/acme_plugin/engine.rb

@@ -0,0 +1,5 @@
+module AcmePlugin
+  class Engine < ::Rails::Engine
+    isolate_namespace AcmePlugin
+  end
+end

data/lib/acme_plugin/file_output.rb

@@ -0,0 +1,18 @@
+require 'acme_plugin/certificate_output'
+
+module AcmePlugin
+  class FileOutput < CertificateOutput
+    def initialize(domain, cert, out_dir)
+      super(domain, cert)
+      @output_dir = out_dir
+    end
+
+    def output_cert(cert_type, cert_content)
+      File.write(File.join(@output_dir, "#{@domain}-#{cert_type}"), cert_content)
+    end
+
+    def display_info
+      Rails.logger.info('Saving certificates and key...')
+    end
+  end
+end

data/lib/acme_plugin/file_store.rb

@@ -0,0 +1,16 @@
+require 'acme_plugin/challenge_store'
+
+module AcmePlugin
+  class FileStore < ChallengeStore
+    def initialize(challenge_content, challenge_dir_name)
+      super(challenge_content)
+      @challenge_dir_name = challenge_dir_name
+    end
+
+    def store_content
+      full_challenge_dir = File.join(Rails.root, @challenge_dir_name)
+      Dir.mkdir(full_challenge_dir) unless File.directory?(full_challenge_dir)
+      File.open(File.join(full_challenge_dir, 'challenge'), 'w') { |file| file.write(@content) }
+    end
+  end
+end

data/lib/acme_plugin/heroku_output.rb

@@ -0,0 +1,19 @@
+require 'acme_plugin/certificate_output'
+
+module AcmePlugin
+  class HerokuOutput < CertificateOutput
+    def initialize(domain, cert)
+      super(domain, cert)
+    end
+
+    def output_cert(cert_type, cert_content)
+      Rails.logger.info("====== #{@domain}-#{cert_type} ======")
+      puts cert_content
+    end
+
+    def display_info
+      Rails.logger.info('You are running this script on Heroku, please copy-paste certificates to your local machine')
+      Rails.logger.info('and then follow https://devcenter.heroku.com/articles/ssl-endpoint guide:')
+    end
+  end
+end