acmesmith 0.1.0

data/lib/acmesmith/storages/s3.rb

@@ -0,0 +1,176 @@
+require 'aws-sdk'
+
+require 'acmesmith/storages/base'
+require 'acmesmith/account_key'
+require 'acmesmith/certificate'
+
+module Acmesmith
+  module Storages
+    class S3 < Base
+      def initialize(aws_access_key: nil, bucket:, prefix: nil, region:, use_kms: true, kms_key_id: nil, kms_key_id_account: nil, kms_key_id_certificate_key: nil)
+        @region = region
+        @bucket = bucket
+        @prefix = prefix
+        if @prefix && !@prefix.end_with?('/')
+          @prefix += '/'
+        end
+
+        @use_kms = use_kms
+        @kms_key_id = kms_key_id
+        @kms_key_id_account = kms_key_id_account
+        @kms_key_id_certificate_key = kms_key_id_certificate_key
+
+        @s3 = Aws::S3::Client.new({region: region, signature_version: 'v4'}.tap do |opt| 
+          opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
+        end)
+      end
+
+      attr_reader :region, :bucket, :prefix, :use_kms, :kms_key_id, :kms_key_id_account, :kms_key_id_certificate_key
+
+      def get_account_key
+        obj = @s3.get_object(bucket: bucket, key: account_key_key)
+        AccountKey.new obj.body.read
+      rescue Aws::S3::Errors::NoSuchKey
+        raise NotExist
+      end
+
+      def account_key_exist?
+        begin
+          get_account_key
+        rescue NotExist
+          return false
+        else
+          return true
+        end
+      end
+
+      def put_account_key(key, passphrase = nil)
+        raise AlreadyExist if account_key_exist?
+        params = {
+          bucket: bucket,
+          key: account_key_key,
+          body: key.export(passphrase),
+          content_type: 'application/x-pem-file',
+        }
+        if use_kms
+          params[:server_side_encryption] = 'aws:kms'
+          key_id = kms_key_id_account || kms_key_id
+          params[:ssekms_key_id] = key_id if key_id
+        end
+
+        @s3.put_object(params)
+      end
+
+      def put_certificate(cert, passphrase = nil, update_current: true)
+        h = cert.export(passphrase)
+
+        put = -> (key, body, kms) do
+          params = {
+            bucket: bucket,
+            key: key,
+            body: body,
+            content_type: 'application/x-pem-file',
+          }
+          if kms
+            params[:server_side_encryption] = 'aws:kms'
+            key_id = kms_key_id_certificate_key || kms_key_id
+            params[:ssekms_key_id] = key_id if key_id
+          end
+          @s3.put_object(params)
+        end
+
+        put.call certificate_key(cert.common_name, cert.version), "#{h[:certificate].rstrip}\n", false
+        put.call chain_key(cert.common_name, cert.version), "#{h[:chain].rstrip}\n", false
+        put.call fullchain_key(cert.common_name, cert.version), "#{h[:fullchain].rstrip}\n", false
+        put.call private_key_key(cert.common_name, cert.version), "#{h[:private_key].rstrip}\n", true
+
+        if update_current
+          @s3.put_object(
+            bucket: bucket,
+            key: certificate_current_key(cert.common_name),
+            content_type: 'text/plain',
+            body: cert.version,
+          )
+        end
+      end
+
+      def get_certificate(common_name, version: 'current')
+        version = certificate_current(common_name) if version == 'current'
+
+        certificate = @s3.get_object(bucket: bucket, key: certificate_key(common_name, version)).body.read
+        chain = @s3.get_object(bucket: bucket, key: chain_key(common_name, version)).body.read
+        private_key = @s3.get_object(bucket: bucket, key: private_key_key(common_name, version)).body.read
+        Certificate.new(certificate, chain, private_key)
+      rescue Aws::S3::Errors::NoSuchKey
+        raise NotExist
+      end
+
+      def list_certificates
+        certs_prefix = "#{prefix}certs/"
+        @s3.list_objects(
+          bucket: bucket,
+          delimiter: '/',
+          prefix: certs_prefix,
+        ).each.flat_map do |page|
+          regexp = /\A#{Regexp.escape(certs_prefix)}/
+          page.common_prefixes.map { |_| _.sub(regexp, '').sub(/\/.+\z/, '') }.uniq
+        end
+      end
+
+      def list_certificate_versions(common_name)
+        cert_ver_prefix = "#{prefix}certs/#{common_name}/"
+        @s3.list_objects(
+          bucket: bucket,
+          delimiter: '/',
+          prefix: cert_ver_prefix,
+        ).each.flat_map do |page|
+          regexp = /\A#{Regexp.escape(cert_ver_prefix)}/
+          page.common_prefixes.map { |_| _.sub(regexp, '').sub(/\/.+\z/, '') }.uniq
+        end.reject { |_| _ == 'current' }
+      end
+
+      def get_current_certificate_version(common_name)
+        certificate_current(common_name)
+      end
+
+      private
+
+      def account_key_key
+        "#{prefix}account.pem"
+      end
+
+      def certificate_base_key(cn, ver)
+        "#{prefix}certs/#{cn}/#{ver}"
+      end
+
+      def certificate_current_key(cn)
+        certificate_base_key(cn, 'current')
+      end
+
+      def certificate_current(cn)
+        @s3.get_object(
+          bucket: bucket,
+          key: certificate_current_key(cn),
+        ).body.read.chomp
+      rescue Aws::S3::Errors::NoSuchKey
+        raise NotExist
+      end
+
+      def certificate_key(cn, ver)
+        "#{certificate_base_key(cn, ver)}/cert.pem"
+      end
+
+      def private_key_key(cn, ver)
+        "#{certificate_base_key(cn, ver)}/key.pem"
+      end
+
+      def chain_key(cn, ver)
+        "#{certificate_base_key(cn, ver)}/chain.pem"
+      end
+
+      def fullchain_key(cn, ver)
+        "#{certificate_base_key(cn, ver)}/fullchain.pem"
+      end
+    end
+  end
+end

data/lib/acmesmith/utils/finder.rb

@@ -0,0 +1,26 @@
+module Acmesmith
+  module Utils
+    module Finder
+      def self.find(const, prefix, name)
+        retried = false
+        constant_name = name.to_s.gsub(/\A.|_./) { |s| s[-1].upcase }
+
+        begin
+          const.const_get constant_name, false
+        rescue NameError
+          unless retried
+            begin
+              require "#{prefix}/#{name}"
+            rescue LoadError
+            end
+
+            retried = true
+            retry
+          end
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/acmesmith/version.rb

@@ -0,0 +1,3 @@
+module Acmesmith
+  VERSION = "0.1.0"
+end

data/script/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "acmesmith"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/script/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

metadata

@@ -0,0 +1,161 @@
+--- !ruby/object:Gem::Specification
+name: acmesmith
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- sorah (Shota Fukumori)
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-01-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: acme-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 'Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://github.com/ietf-wg-acme/acme)
+  client that works perfect on environment with multiple servers. This client saves
+  certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy
+  issued certificates onto your servers smoothly. This works well on [Let''s encrypt](https://letsencrypt.org).
+
+'
+email:
+- her@sorah.jp
+executables:
+- acmesmith
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- acmesmith.gemspec
+- bin/acmesmith
+- config.sample.yml
+- lib/acmesmith.rb
+- lib/acmesmith/account_key.rb
+- lib/acmesmith/certificate.rb
+- lib/acmesmith/challenge_responders.rb
+- lib/acmesmith/challenge_responders/base.rb
+- lib/acmesmith/challenge_responders/route53.rb
+- lib/acmesmith/command.rb
+- lib/acmesmith/config.rb
+- lib/acmesmith/storages.rb
+- lib/acmesmith/storages/base.rb
+- lib/acmesmith/storages/filesystem.rb
+- lib/acmesmith/storages/s3.rb
+- lib/acmesmith/utils/finder.rb
+- lib/acmesmith/version.rb
+- script/console
+- script/setup
+homepage: https://github.com/sorah/acmesmith
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: ACME client (Let's encrypt client) to manage certificate in multi server
+  environment with cloud services (e.g. AWS)
+test_files: []