acmesmith 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/.gitignore +12 -0
- data/.rspec +2 -0
- data/.travis.yml +4 -0
- data/Gemfile +4 -0
- data/LICENSE.txt +21 -0
- data/README.md +250 -0
- data/Rakefile +6 -0
- data/acmesmith.gemspec +31 -0
- data/bin/acmesmith +4 -0
- data/config.sample.yml +18 -0
- data/lib/acmesmith.rb +5 -0
- data/lib/acmesmith/account_key.rb +53 -0
- data/lib/acmesmith/certificate.rb +98 -0
- data/lib/acmesmith/challenge_responders.rb +9 -0
- data/lib/acmesmith/challenge_responders/base.rb +20 -0
- data/lib/acmesmith/challenge_responders/route53.rb +134 -0
- data/lib/acmesmith/command.rb +130 -0
- data/lib/acmesmith/config.rb +59 -0
- data/lib/acmesmith/storages.rb +9 -0
- data/lib/acmesmith/storages/base.rb +39 -0
- data/lib/acmesmith/storages/filesystem.rb +86 -0
- data/lib/acmesmith/storages/s3.rb +176 -0
- data/lib/acmesmith/utils/finder.rb +26 -0
- data/lib/acmesmith/version.rb +3 -0
- data/script/console +14 -0
- data/script/setup +7 -0
- metadata +161 -0
@@ -0,0 +1,176 @@
|
|
1
|
+
require 'aws-sdk'
|
2
|
+
|
3
|
+
require 'acmesmith/storages/base'
|
4
|
+
require 'acmesmith/account_key'
|
5
|
+
require 'acmesmith/certificate'
|
6
|
+
|
7
|
+
module Acmesmith
|
8
|
+
module Storages
|
9
|
+
class S3 < Base
|
10
|
+
def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil)
|
11
|
+
@region = region
|
12
|
+
@bucket = bucket
|
13
|
+
@prefix = prefix
|
14
|
+
if @prefix && !@prefix.end_with?('/')
|
15
|
+
@prefix += '/'
|
16
|
+
end
|
17
|
+
|
18
|
+
@use_kms = use_kms
|
19
|
+
@kms_key_id = kms_key_id
|
20
|
+
@kms_key_id_account = kms_key_id_account
|
21
|
+
@kms_key_id_certificate_key = kms_key_id_certificate_key
|
22
|
+
|
23
|
+
@s3 = Aws::S3::Client.new({region: region, signature_version: 'v4'}.tap do |opt|
|
24
|
+
opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
|
25
|
+
end)
|
26
|
+
end
|
27
|
+
|
28
|
+
attr_reader :region, :bucket, :prefix, :use_kms, :kms_key_id, :kms_key_id_account, :kms_key_id_certificate_key
|
29
|
+
|
30
|
+
def get_account_key
|
31
|
+
obj = @s3.get_object(bucket: bucket, key: account_key_key)
|
32
|
+
AccountKey.new obj.body.read
|
33
|
+
rescue Aws::S3::Errors::NoSuchKey
|
34
|
+
raise NotExist
|
35
|
+
end
|
36
|
+
|
37
|
+
def account_key_exist?
|
38
|
+
begin
|
39
|
+
get_account_key
|
40
|
+
rescue NotExist
|
41
|
+
return false
|
42
|
+
else
|
43
|
+
return true
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
47
|
+
def put_account_key(key, passphrase = nil)
|
48
|
+
raise AlreadyExist if account_key_exist?
|
49
|
+
params = {
|
50
|
+
bucket: bucket,
|
51
|
+
key: account_key_key,
|
52
|
+
body: key.export(passphrase),
|
53
|
+
content_type: 'application/x-pem-file',
|
54
|
+
}
|
55
|
+
if use_kms
|
56
|
+
params[:server_side_encryption] = 'aws:kms'
|
57
|
+
key_id = kms_key_id_account || kms_key_id
|
58
|
+
params[:ssekms_key_id] = key_id if key_id
|
59
|
+
end
|
60
|
+
|
61
|
+
@s3.put_object(params)
|
62
|
+
end
|
63
|
+
|
64
|
+
def put_certificate(cert, passphrase = nil, update_current: true)
|
65
|
+
h = cert.export(passphrase)
|
66
|
+
|
67
|
+
put = -> (key, body, kms) do
|
68
|
+
params = {
|
69
|
+
bucket: bucket,
|
70
|
+
key: key,
|
71
|
+
body: body,
|
72
|
+
content_type: 'application/x-pem-file',
|
73
|
+
}
|
74
|
+
if kms
|
75
|
+
params[:server_side_encryption] = 'aws:kms'
|
76
|
+
key_id = kms_key_id_certificate_key || kms_key_id
|
77
|
+
params[:ssekms_key_id] = key_id if key_id
|
78
|
+
end
|
79
|
+
@s3.put_object(params)
|
80
|
+
end
|
81
|
+
|
82
|
+
put.call certificate_key(cert.common_name, cert.version), "#{h[:certificate].rstrip}\n", false
|
83
|
+
put.call chain_key(cert.common_name, cert.version), "#{h[:chain].rstrip}\n", false
|
84
|
+
put.call fullchain_key(cert.common_name, cert.version), "#{h[:fullchain].rstrip}\n", false
|
85
|
+
put.call private_key_key(cert.common_name, cert.version), "#{h[:private_key].rstrip}\n", true
|
86
|
+
|
87
|
+
if update_current
|
88
|
+
@s3.put_object(
|
89
|
+
bucket: bucket,
|
90
|
+
key: certificate_current_key(cert.common_name),
|
91
|
+
content_type: 'text/plain',
|
92
|
+
body: cert.version,
|
93
|
+
)
|
94
|
+
end
|
95
|
+
end
|
96
|
+
|
97
|
+
def get_certificate(common_name, version: 'current')
|
98
|
+
version = certificate_current(common_name) if version == 'current'
|
99
|
+
|
100
|
+
certificate = @s3.get_object(bucket: bucket, key: certificate_key(common_name, version)).body.read
|
101
|
+
chain = @s3.get_object(bucket: bucket, key: chain_key(common_name, version)).body.read
|
102
|
+
private_key = @s3.get_object(bucket: bucket, key: private_key_key(common_name, version)).body.read
|
103
|
+
Certificate.new(certificate, chain, private_key)
|
104
|
+
rescue Aws::S3::Errors::NoSuchKey
|
105
|
+
raise NotExist
|
106
|
+
end
|
107
|
+
|
108
|
+
def list_certificates
|
109
|
+
certs_prefix = "#{prefix}certs/"
|
110
|
+
@s3.list_objects(
|
111
|
+
bucket: bucket,
|
112
|
+
delimiter: '/',
|
113
|
+
prefix: certs_prefix,
|
114
|
+
).each.flat_map do |page|
|
115
|
+
regexp = /\A#{Regexp.escape(certs_prefix)}/
|
116
|
+
page.common_prefixes.map { |_| _.sub(regexp, '').sub(/\/.+\z/, '') }.uniq
|
117
|
+
end
|
118
|
+
end
|
119
|
+
|
120
|
+
def list_certificate_versions(common_name)
|
121
|
+
cert_ver_prefix = "#{prefix}certs/#{common_name}/"
|
122
|
+
@s3.list_objects(
|
123
|
+
bucket: bucket,
|
124
|
+
delimiter: '/',
|
125
|
+
prefix: cert_ver_prefix,
|
126
|
+
).each.flat_map do |page|
|
127
|
+
regexp = /\A#{Regexp.escape(cert_ver_prefix)}/
|
128
|
+
page.common_prefixes.map { |_| _.sub(regexp, '').sub(/\/.+\z/, '') }.uniq
|
129
|
+
end.reject { |_| _ == 'current' }
|
130
|
+
end
|
131
|
+
|
132
|
+
def get_current_certificate_version(common_name)
|
133
|
+
certificate_current(common_name)
|
134
|
+
end
|
135
|
+
|
136
|
+
private
|
137
|
+
|
138
|
+
def account_key_key
|
139
|
+
"#{prefix}account.pem"
|
140
|
+
end
|
141
|
+
|
142
|
+
def certificate_base_key(cn, ver)
|
143
|
+
"#{prefix}certs/#{cn}/#{ver}"
|
144
|
+
end
|
145
|
+
|
146
|
+
def certificate_current_key(cn)
|
147
|
+
certificate_base_key(cn, 'current')
|
148
|
+
end
|
149
|
+
|
150
|
+
def certificate_current(cn)
|
151
|
+
@s3.get_object(
|
152
|
+
bucket: bucket,
|
153
|
+
key: certificate_current_key(cn),
|
154
|
+
).body.read.chomp
|
155
|
+
rescue Aws::S3::Errors::NoSuchKey
|
156
|
+
raise NotExist
|
157
|
+
end
|
158
|
+
|
159
|
+
def certificate_key(cn, ver)
|
160
|
+
"#{certificate_base_key(cn, ver)}/cert.pem"
|
161
|
+
end
|
162
|
+
|
163
|
+
def private_key_key(cn, ver)
|
164
|
+
"#{certificate_base_key(cn, ver)}/key.pem"
|
165
|
+
end
|
166
|
+
|
167
|
+
def chain_key(cn, ver)
|
168
|
+
"#{certificate_base_key(cn, ver)}/chain.pem"
|
169
|
+
end
|
170
|
+
|
171
|
+
def fullchain_key(cn, ver)
|
172
|
+
"#{certificate_base_key(cn, ver)}/fullchain.pem"
|
173
|
+
end
|
174
|
+
end
|
175
|
+
end
|
176
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
module Acmesmith
|
2
|
+
module Utils
|
3
|
+
module Finder
|
4
|
+
def self.find(const, prefix, name)
|
5
|
+
retried = false
|
6
|
+
constant_name = name.to_s.gsub(/\A.|_./) { |s| s[-1].upcase }
|
7
|
+
|
8
|
+
begin
|
9
|
+
const.const_get constant_name, false
|
10
|
+
rescue NameError
|
11
|
+
unless retried
|
12
|
+
begin
|
13
|
+
require "#{prefix}/#{name}"
|
14
|
+
rescue LoadError
|
15
|
+
end
|
16
|
+
|
17
|
+
retried = true
|
18
|
+
retry
|
19
|
+
end
|
20
|
+
|
21
|
+
nil
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
data/script/console
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require "bundler/setup"
|
4
|
+
require "acmesmith"
|
5
|
+
|
6
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
7
|
+
# with your gem easier. You can also use a different console, if you like.
|
8
|
+
|
9
|
+
# (If you use this, don't forget to add pry to your Gemfile!)
|
10
|
+
# require "pry"
|
11
|
+
# Pry.start
|
12
|
+
|
13
|
+
require "irb"
|
14
|
+
IRB.start
|
data/script/setup
ADDED
metadata
ADDED
@@ -0,0 +1,161 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: acmesmith
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 0.1.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- sorah (Shota Fukumori)
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
date: 2016-01-31 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: acme-client
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - ">="
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '0'
|
20
|
+
type: :runtime
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - ">="
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '0'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: aws-sdk
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - ">"
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '2'
|
34
|
+
type: :runtime
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - ">"
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '2'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: thor
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - ">="
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '0'
|
48
|
+
type: :runtime
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - ">="
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '0'
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: bundler
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - ">="
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: '0'
|
62
|
+
type: :development
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - ">="
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: '0'
|
69
|
+
- !ruby/object:Gem::Dependency
|
70
|
+
name: rake
|
71
|
+
requirement: !ruby/object:Gem::Requirement
|
72
|
+
requirements:
|
73
|
+
- - ">="
|
74
|
+
- !ruby/object:Gem::Version
|
75
|
+
version: '0'
|
76
|
+
type: :development
|
77
|
+
prerelease: false
|
78
|
+
version_requirements: !ruby/object:Gem::Requirement
|
79
|
+
requirements:
|
80
|
+
- - ">="
|
81
|
+
- !ruby/object:Gem::Version
|
82
|
+
version: '0'
|
83
|
+
- !ruby/object:Gem::Dependency
|
84
|
+
name: rspec
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
86
|
+
requirements:
|
87
|
+
- - ">="
|
88
|
+
- !ruby/object:Gem::Version
|
89
|
+
version: '0'
|
90
|
+
type: :development
|
91
|
+
prerelease: false
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
93
|
+
requirements:
|
94
|
+
- - ">="
|
95
|
+
- !ruby/object:Gem::Version
|
96
|
+
version: '0'
|
97
|
+
description: 'Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://github.com/ietf-wg-acme/acme)
|
98
|
+
client that works perfect on environment with multiple servers. This client saves
|
99
|
+
certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy
|
100
|
+
issued certificates onto your servers smoothly. This works well on [Let''s encrypt](https://letsencrypt.org).
|
101
|
+
|
102
|
+
'
|
103
|
+
email:
|
104
|
+
- her@sorah.jp
|
105
|
+
executables:
|
106
|
+
- acmesmith
|
107
|
+
extensions: []
|
108
|
+
extra_rdoc_files: []
|
109
|
+
files:
|
110
|
+
- ".gitignore"
|
111
|
+
- ".rspec"
|
112
|
+
- ".travis.yml"
|
113
|
+
- Gemfile
|
114
|
+
- LICENSE.txt
|
115
|
+
- README.md
|
116
|
+
- Rakefile
|
117
|
+
- acmesmith.gemspec
|
118
|
+
- bin/acmesmith
|
119
|
+
- config.sample.yml
|
120
|
+
- lib/acmesmith.rb
|
121
|
+
- lib/acmesmith/account_key.rb
|
122
|
+
- lib/acmesmith/certificate.rb
|
123
|
+
- lib/acmesmith/challenge_responders.rb
|
124
|
+
- lib/acmesmith/challenge_responders/base.rb
|
125
|
+
- lib/acmesmith/challenge_responders/route53.rb
|
126
|
+
- lib/acmesmith/command.rb
|
127
|
+
- lib/acmesmith/config.rb
|
128
|
+
- lib/acmesmith/storages.rb
|
129
|
+
- lib/acmesmith/storages/base.rb
|
130
|
+
- lib/acmesmith/storages/filesystem.rb
|
131
|
+
- lib/acmesmith/storages/s3.rb
|
132
|
+
- lib/acmesmith/utils/finder.rb
|
133
|
+
- lib/acmesmith/version.rb
|
134
|
+
- script/console
|
135
|
+
- script/setup
|
136
|
+
homepage: https://github.com/sorah/acmesmith
|
137
|
+
licenses:
|
138
|
+
- MIT
|
139
|
+
metadata: {}
|
140
|
+
post_install_message:
|
141
|
+
rdoc_options: []
|
142
|
+
require_paths:
|
143
|
+
- lib
|
144
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
145
|
+
requirements:
|
146
|
+
- - ">="
|
147
|
+
- !ruby/object:Gem::Version
|
148
|
+
version: '0'
|
149
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
150
|
+
requirements:
|
151
|
+
- - ">="
|
152
|
+
- !ruby/object:Gem::Version
|
153
|
+
version: '0'
|
154
|
+
requirements: []
|
155
|
+
rubyforge_project:
|
156
|
+
rubygems_version: 2.5.1
|
157
|
+
signing_key:
|
158
|
+
specification_version: 4
|
159
|
+
summary: ACME client (Let's encrypt client) to manage certificate in multi server
|
160
|
+
environment with cloud services (e.g. AWS)
|
161
|
+
test_files: []
|