acmesmith 0.1.0

data/lib/acmesmith/challenge_responders.rb

@@ -0,0 +1,9 @@
+require 'acmesmith/utils/finder'
+
+module Acmesmith
+  module ChallengeResponders
+    def self.find(name)
+      Utils::Finder.find(self, 'acmesmith/challenge_responders', name)
+    end
+  end
+end

data/lib/acmesmith/challenge_responders/base.rb

@@ -0,0 +1,20 @@
+module Acmesmith
+  module ChallengeResponders
+    class Base
+      def support?(type)
+        raise NotImplementedError
+      end
+
+      def initialize()
+      end
+
+      def respond(challenge)
+        raise NotImplementedError
+      end
+
+      def cleanup(challenge)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/acmesmith/challenge_responders/route53.rb

@@ -0,0 +1,134 @@
+require 'acmesmith/challenge_responders/base'
+
+require 'aws-sdk'
+
+module Acmesmith
+  module ChallengeResponders
+    class Route53 < Base
+      class HostedZoneNotFound < StandardError; end
+      class AmbiguousHostedZones < StandardError; end
+
+      def support?(type)
+        # Acme::Client::Resources::Challenges::DNS01
+        type == 'dns-01'
+      end
+
+      def initialize(aws_access_key: nil, hosted_zone_map: {})
+        @route53 = Aws::Route53::Client.new({region: 'us-east-1'}.tap do |opt| 
+          opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
+        end)
+        @hosted_zone_map = hosted_zone_map
+        @hosted_zone_cache = {}
+      end
+
+      def respond(domain, challenge)
+        puts "=> Responding challenge dns-01 for #{domain} in #{self.class.name}"
+
+        domain = canonical_fqdn(domain)
+        record_name = "#{challenge.record_name}.#{domain}"
+        record_type = challenge.record_type
+        record_content = "\"#{challenge.record_content}\""
+        zone_id = find_hosted_zone(domain)
+
+        puts " * UPSERT: #{record_type} #{record_name.inspect}, #{record_content.inspect} on #{zone_id}"
+        change_resp =  @route53.change_resource_record_sets(
+          hosted_zone_id: zone_id, # required
+          change_batch: { # required
+            comment: "ACME challenge response",
+            changes: [
+              {
+                action: "UPSERT",
+                resource_record_set: { # required
+                  name: record_name,  # required
+                  type: record_type,
+                  ttl: 5,
+                  resource_records: [
+                    value: record_content
+                  ],
+                },
+              },
+            ],
+          },
+        )
+
+        change_id = change_resp.change_info.id
+        puts " * requested change: #{change_id}"
+
+        puts "=> Waiting for change"
+        while (resp = @route53.get_change(id: change_id)).change_info.status != 'INSYNC'
+          puts " * change #{change_id.inspect} is still #{resp.change_info.status.inspect} ..."
+          sleep 5
+        end
+
+        puts " * synced!"
+      end
+
+      def cleanup(domain, challenge)
+        puts "=> Cleaning up challenge dns-01 for #{domain} in #{self.class.name}"
+
+        domain = canonical_fqdn(domain)
+        record_name = "#{challenge.record_name}.#{domain}"
+        record_type = challenge.record_type
+        record_content = "\"#{challenge.record_content}\""
+        zone_id = find_hosted_zone(domain)
+
+        puts " * DELETE: #{record_type} #{record_name.inspect}, #{record_content.inspect} on #{zone_id}"
+        change_resp =  @route53.change_resource_record_sets(
+          hosted_zone_id: zone_id, # required
+          change_batch: { # required
+            comment: "ACME challenge response: cleanup",
+            changes: [
+              {
+                action: "DELETE", # required, accepts CREATE, DELETE, UPSERT
+                resource_record_set: { # required
+                  name: record_name,  # required
+                  type: record_type,
+                  ttl: 5,
+                  resource_records: [
+                    value: record_content
+                  ],
+                },
+              },
+            ],
+          },
+        )
+
+        change_id = change_resp.change_info.id
+        puts " * requested: #{change_id}"
+      end
+
+      private
+
+      def canonical_fqdn(domain)
+        "#{domain}.".sub(/\.+$/, '')
+      end
+
+      def find_hosted_zone(domain)
+        labels = domain.split(?.)
+        zones = nil
+        0.upto(labels.size-1).each do |i|
+          zones = hosted_zone_list["#{labels[i .. -1].join(?.)}."]
+          break if zones
+        end
+
+        raise HostedZoneNotFound, "hosted zone not found for #{domain.inspect}" unless zones
+        raise AmbiguousHostedZones, "multiple hosted zones found for #{domain.inspect}: #{zones.inspect}, set @hosted_zone_map to identify" if zones.size != 1
+        zones.first
+      end
+
+      def hosted_zone_map
+        @hosted_zone_map.map { |domain, zone_id|
+          [canonical_fqdn(domain), [zone_id]]
+        }.to_h
+      end
+
+      def hosted_zone_list
+        @hosted_zone_list ||= begin
+          @route53.list_hosted_zones.each.flat_map do |page|
+            page.hosted_zones.map {  |zone| [zone.name, zone.id] }
+          end.group_by(&:first).map { |domain, kvs| [domain, kvs.map(&:last)] }.to_h.merge(hosted_zone_map)
+        end
+      end
+    end
+  end
+end

data/lib/acmesmith/command.rb

@@ -0,0 +1,130 @@
+require 'thor'
+
+require 'acmesmith/config'
+require 'acmesmith/account_key'
+require 'acmesmith/certificate'
+require 'acme/client'
+
+module Acmesmith
+  class Command < Thor
+    class_option :config, default: './acmesmith.yml'
+
+    desc "register CONTACT", "Create account key (contact e.g. mailto:xxx@example.org)"
+    def register(contact)
+      key = AccountKey.generate
+      acme = Acme::Client.new(private_key: key.private_key, endpoint: config['endpoint'])
+      registration = acme.register(contact: contact)
+      registration.agree_terms
+
+      storage.put_account_key(key, config['account_key_passphrase'])
+      puts "Generated:\n#{key.private_key.public_key.to_pem}"
+    end
+
+    desc "authorize DOMAIN", "Get authz for DOMAIN."
+    def authorize(domain)
+      authz = acme.authorize(domain: domain)
+
+      challenges = [authz.http01, authz.dns01, authz.tls_sni01].compact
+
+      challenge = nil
+      responder = config.challenge_responders.find do |x|
+        challenge = challenges.find { |_| x.support?(_.class::CHALLENGE_TYPE) }
+      end
+
+      responder.respond(domain, challenge)
+
+      puts "=> Requesting verification..."
+      challenge.request_verification
+      loop do
+        status = challenge.verify_status
+        puts " * verify_status: #{status}"
+        break if status == 'valid'
+        sleep 3
+      end
+
+      responder.cleanup(domain, challenge)
+      puts "=> Done"
+    end
+
+    desc "request COMMON_NAME [SAN]", "request certificate for CN +COMMON_NAME+ with SANs +SAN+"
+    def request(common_name, *sans)
+      csr = Acme::Client::CertificateRequest.new(common_name: common_name, names: sans)
+      acme_cert = acme.new_certificate(csr)
+
+      cert = Certificate.from_acme_client_certificate(acme_cert)
+      storage.put_certificate(cert, config['certificate_key_passphrase'])
+
+      puts cert.certificate.to_text
+      puts cert.certificate.to_pem
+    end
+
+    desc "list [COMMON_NAME]", "list certificates or its versions"
+    def list(common_name = nil)
+      if common_name
+        puts storage.list_certificate_versions(common_name).sort
+      else
+        puts storage.list_certificates.sort
+      end
+    end
+
+    desc "current COMMON_NAME", "show current version for certificate"
+    def current(common_name)
+      puts storage.get_current_certificate_version(common_name)
+    end
+
+    desc "show-certificate COMMON_NAME", "show certificate"
+    method_option :version, type: :string, default: 'current'
+    method_option :type, type: :string, enum: %w(text certificate chain fullchain), default: 'text'
+    def show_certificate(common_name)
+      cert = storage.get_certificate(common_name, version: options[:version])
+
+      case options[:type]
+      when 'text'
+        puts cert.certificate.to_text
+        puts cert.certificate.to_pem
+      when 'certificate'
+        puts cert.certificate.to_pem
+      when 'chain'
+        puts cert.chain
+      when 'fullchain'
+        puts cert.fullchain
+      end
+    end
+    map 'show-certiticate' => :show_certificate
+
+    desc "show-private-key COMMON_NAME", "show private key"
+    method_option :version, type: :string, default: 'current'
+    def show_private_key(common_name)
+      cert = storage.get_certificate(common_name, version: options[:version])
+      cert.key_passphrase = config['certificate_key_passphrase'] if config['certificate_key_passphrase']
+
+      puts cert.private_key.to_pem
+    end
+    map 'show-private-key' => :show_private_key
+
+    # desc "autorenew", "request renewal of certificates which expires soon"
+    # method_option :days, alias: %w(-d), type: :integer, default: 7, desc: 'specify threshold in days to select certificates to renew'
+    # def autorenew
+    # end
+
+    private
+
+    def config
+      @config ||= Config.load_yaml(options[:config])
+    end
+
+    def storage
+      config.storage
+    end
+
+    def account_key
+      @account_key ||= storage.get_account_key.tap do |x|
+        x.key_passphrase = config['account_key_passphrase'] if config['account_key_passphrase']
+      end
+    end
+
+    def acme
+      @acme ||= Acme::Client.new(private_key: account_key.private_key, endpoint: config['endpoint'])
+    end
+  end
+end

data/lib/acmesmith/config.rb

@@ -0,0 +1,59 @@
+require 'yaml'
+require 'acmesmith/storages'
+require 'acmesmith/challenge_responders'
+
+module Acmesmith
+  class Config
+    def self.load_yaml(path)
+      new YAML.load_file(path)
+    end
+
+    def initialize(config)
+      @config = config
+      validate
+    end
+
+    def validate
+      unless @config['storage']
+        raise ArgumentError, "config['storage'] must be provided"
+      end
+
+      unless @config['endpoint']
+        raise ArgumentError, "config['endpoint'] must be provided, e.g. https://acme-v01.api.letsencrypt.org/ or https://acme-staging.api.letsencrypt.org/"
+      end
+    end
+
+    def [](key)
+      @config[key]
+    end
+
+    def account_key_passphrase
+      @config['account_key_passphrase']
+    end
+
+    def certificate_key_passphrase
+      @config['certificate_key_passphrase']
+    end
+
+    def storage
+      @storage ||= begin
+        c = @config['storage'].dup
+        Storages.find(c.delete('type')).new(**c.map{ |k,v| [k.to_sym, v]}.to_h)
+      end
+    end
+
+    def challenge_responders
+      @challange_responders ||= begin
+        specs = @config['challenge_responders'].kind_of?(Hash) ? @config['challenge_responders'].map { |k,v| [k => v] } : @config['challenge_responders']
+        specs.flat_map do |specs_sub|
+          specs_sub.map do |k, v|
+            ChallengeResponders.find(k).new(**v.map{ |k_,v_| [k_.to_sym, v_]}.to_h)
+          end
+        end
+      end
+    end
+
+    # def post_actions
+    # end
+  end
+end

data/lib/acmesmith/storages.rb

@@ -0,0 +1,9 @@
+require 'acmesmith/utils/finder'
+
+module Acmesmith
+  module Storages
+    def self.find(name)
+      Utils::Finder.find(self, 'acmesmith/storages', name)
+    end
+  end
+end

data/lib/acmesmith/storages/base.rb

@@ -0,0 +1,39 @@
+module Acmesmith
+  module Storages
+    class Base
+      class NotExist < StandardError; end
+      class AlreadyExist < StandardError; end
+
+      def initialize()
+      end
+
+      def get_account_key
+        raise NotImplementedError
+      end
+
+      def put_account_key(key, passphrase = nil)
+        raise NotImplementedError
+      end
+
+      def put_certificate(cert, passphrase = nil, update_current: true)
+        raise NotImplementedError
+      end
+
+      def get_certificate(common_name, version: 'current')
+        raise NotImplementedError
+      end
+
+      def list_certificates
+        raise NotImplementedError
+      end
+
+      def list_certificate_versions(common_name)
+        raise NotImplementedError
+      end
+
+      def get_current_certificate_version(common_name)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/acmesmith/storages/filesystem.rb

@@ -0,0 +1,86 @@
+require 'pathname'
+
+require 'acmesmith/storages/base'
+require 'acmesmith/account_key'
+require 'acmesmith/certificate'
+
+module Acmesmith
+  module Storages
+    class Filesystem < Base
+      def initialize(path:)
+        @path = Pathname(path)
+      end
+
+      attr_reader :path
+
+      def get_account_key
+        raise NotExist unless account_key_path.exist?
+        AccountKey.new account_key_path.read
+      end
+
+      def put_account_key(key, passphrase = nil)
+        raise AlreadyExist if account_key_path.exist?
+        File.write account_key_path.to_s, key.export(passphrase), 0, perm: 0600
+      end
+
+      def put_certificate(cert, passphrase = nil, update_current: true)
+        h = cert.export(passphrase)
+        certificate_base_path(cert.common_name, cert.version).mkpath
+        File.write certificate_path(cert.common_name, cert.version), "#{h[:certificate].rstrip}\n"
+        File.write chain_path(cert.common_name, cert.version), "#{h[:chain].rstrip}\n"
+        File.write fullchain_path(cert.common_name, cert.version), "#{h[:fullchain].rstrip}\n"
+        File.write private_key_path(cert.common_name, cert.version), "#{h[:private_key].rstrip}\n", 0, perm: 0600
+        if update_current
+          File.symlink(cert.version, certificate_base_path(cert.common_name, 'current.new'))
+          File.rename(certificate_base_path(cert.common_name, 'current.new'), certificate_base_path(cert.common_name, 'current'))
+        end
+      end
+
+      def get_certificate(common_name, version: 'current')
+        raise NotExist unless certificate_base_path(common_name, version).exist?
+        certificate = certificate_path(common_name, version).read
+        chain = chain_path(common_name, version).read
+        private_key = private_key_path(common_name, version).read
+        Certificate.new(certificate, chain, private_key)
+      end
+
+      def list_certificates
+        Dir[path.join('certs', '*').to_s].map { |_| File.basename(_) }
+      end
+
+      def list_certificate_versions(common_name)
+        Dir[path.join('certs', common_name, '*').to_s].map { |_| File.basename(_) }.reject { |_| _ == 'current' }
+      end
+
+      def get_current_certificate_version(common_name)
+        path.join('certs', common_name, 'current').readlink
+      end
+
+      private
+
+      def account_key_path
+        path.join('account.pem')
+      end
+
+      def certificate_base_path(cn, ver)
+        path.join('certs', cn, ver)
+      end
+
+      def certificate_path(cn, ver)
+        certificate_base_path(cn, ver).join('cert.pem')
+      end
+
+      def private_key_path(cn, ver)
+        certificate_base_path(cn, ver).join('key.pem')
+      end
+
+      def chain_path(cn, ver)
+        certificate_base_path(cn, ver).join('chain.pem')
+      end
+
+      def fullchain_path(cn, ver)
+        certificate_base_path(cn, ver).join('fullchain.pem')
+      end
+    end
+  end
+end