acmesmith 2.3.1 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4c2ccb5560fae2d63385e8460268f5c1fa4ca9e7fa96abb34874fbc2225c4f85
-  data.tar.gz: 58f74cdbdbb476db11fe8bdde5f6cd8b60e6f05845c47f6293147fb644e29b3c
+  metadata.gz: 4089bdb36940e87e2f996a6c820a2f06505024f6ae9721c3da332999c2145998
+  data.tar.gz: 1abf984f4f5d82a0d266bb5aee3905708ba1392238439663af0bc8ac9aa700b0
 SHA512:
-  metadata.gz: 49099fbee8ea178501cd45fd468c5554c3dfc938ff9d86ff1a5dcbbe3e8385444486ca46bffdadea7f1f70f89e7d5df69ef4191bbd6f6de4de2c94d9ec73c8cf
-  data.tar.gz: f841483c5c224e73a6e6b95ca7317dc481642b7786899ad15c31c2c97dfae649fc1cf0133ea7ac3afe8b002d10230c73235c77d90eca85c2103789fc5aed3e7d
+  metadata.gz: d1147c0742b2bd14205b89ca76f4b011453d2eeadf0df2aaad094b7e3c32907de322aed48c0d4fce40a4120ddd782c5c67e6da1504644fce3db679b4452ef774
+  data.tar.gz: e8bc441a9cb9fff624f338fb33946bab80bf742848e695130b17bd807ba8da98d79e5999459ce824cf6ebcdac6206f156026a17adc754aa6bde8356cc3a915f1

data/.github/stale.yml

@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 30
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: rotten
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## v2.4.0 (2020-05-12)
+
+### Enhancement
+
+- route53: Gains `restore_to_original_records` option. When enabled, existing record will be restored after authorizing domain names. Useful when other ACME tools or providers using ACME where requires a certain record to remain as long as possible for their renewal process (e.g. Fastly TLS).
+
 ## v2.3.1 (2020-05-12)
 
 ### Fixes

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    acmesmith (2.3.1)
+    acmesmith (2.4.0)
       acme-client (~> 2)
       aws-sdk-acm
       aws-sdk-route53
@@ -11,33 +11,34 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    acme-client (2.0.6)
+    acme-client (2.0.7)
       faraday (>= 0.17, < 2.0.0)
     aws-eventstream (1.1.0)
-    aws-partitions (1.312.0)
-    aws-sdk-acm (1.30.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-partitions (1.402.0)
+    aws-sdk-acm (1.38.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.95.0)
+    aws-sdk-core (3.109.3)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-kms (1.31.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-kms (1.39.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-route53 (1.34.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-route53 (1.44.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.64.0)
-      aws-sdk-core (~> 3, >= 3.83.0)
+    aws-sdk-s3 (1.86.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.3)
-      aws-eventstream (~> 1.0, >= 1.0.2)
+    aws-sigv4 (1.2.2)
+      aws-eventstream (~> 1, >= 1.0.2)
     diff-lcs (1.3)
-    faraday (1.0.1)
+    faraday (1.1.0)
       multipart-post (>= 1.2, < 3)
+      ruby2_keywords
     jmespath (1.4.0)
     mini_portile2 (2.4.0)
     multipart-post (2.1.1)
@@ -57,6 +58,7 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-support (3.9.3)
+    ruby2_keywords (0.0.2)
     thor (1.0.1)
 
 PLATFORMS

data/docs/challenge_responders/route53.md

@@ -21,6 +21,10 @@ challenge_responders:
       ##  Required when you have multiple hosted zones for the same domain name.
       hosted_zone_map: 
         "example.org.": "/hostedzone/DEADBEEF"
+
+      # Restore to original records on cleanup (after domain authorization). Default to false.
+      # Useful when you need to keep existing record as long as possible.
+      restore_to_original_records: true
 ```
 
 ## IAM Policy

data/lib/acmesmith/authorization_service.rb

@@ -69,9 +69,30 @@ module Acmesmith
       puts "=> Requesting validations..."
       puts
       processes.each do |process|
-        print " * #{process.domain} (#{process.challenge.challenge_type}) ..."
-        process.challenge.request_validation()
-        puts " [ ok ]"
+        challenge = process.challenge
+        print " * #{process.domain} (#{challenge.challenge_type}) ..."
+        retried = false
+        begin
+          challenge.request_validation()
+          puts " [ ok ]"
+        rescue Acme::Client::Error::Malformed
+          # Rescue in case of requesting validation for a challenge which has already determined valid (asynchronously while we're receiving it).
+          # LE Boulder doesn't take this as an error, but pebble do.
+          # https://github.com/letsencrypt/boulder/blob/ebba443cad233111ee2b769ef09b32a13c3ba57e/wfe2/wfe.go#L1235
+          # https://github.com/letsencrypt/pebble/blob/b60b0b677c280ccbf63de55a26775591935c448b/wfe/wfe.go#L2166
+          challenge.reload
+          if process.valid?
+            puts " [ ok ] (turned valid in background)"
+            next
+          end
+
+          if retried
+            raise
+          else
+            retried = true
+            retry
+          end
+        end
       end
       puts
 

data/lib/acmesmith/challenge_responders/route53.rb

@@ -17,7 +17,7 @@ module Acmesmith
         true
       end
 
-      def initialize(aws_access_key: nil, assume_role: nil, hosted_zone_map: {})
+      def initialize(aws_access_key: nil, assume_role: nil, hosted_zone_map: {}, restore_to_original_records: false)
         aws_options = {region: 'us-east-1'}.tap do |opt| 
           opt[:credentials] = Aws::Credentials.new(aws_access_key['access_key_id'], aws_access_key['secret_access_key'], aws_access_key['session_token']) if aws_access_key
         end
@@ -34,13 +34,25 @@ module Acmesmith
 
         @hosted_zone_map = hosted_zone_map
         @hosted_zone_cache = {}
+
+        @restore_to_original_records = restore_to_original_records
+        @original_records = {}
       end
 
       def respond_all(*domain_and_challenges)
+        save_original_records(*domain_and_challenges) if @restore_to_original_records
+
         challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
 
         zone_and_batches = challenges_by_hosted_zone.map do |zone_id, dcs|
-          [zone_id, change_batch_for_challenges(dcs, action: 'UPSERT')]
+          [
+            zone_id,
+            change_batch_for_challenges(
+              dcs,
+              action: 'UPSERT',
+              pre_changes: changes_to_delete_original_cname(zone_id, *dcs),
+            ),
+          ]
         end
 
         change_ids = request_changing_rrset(zone_and_batches, comment: 'for challenge response')
@@ -51,7 +63,15 @@ module Acmesmith
         challenges_by_hosted_zone = domain_and_challenges.group_by { |(domain, _)| find_hosted_zone(domain) }
 
         zone_and_batches = challenges_by_hosted_zone.map do |zone_id, dcs|
-          [zone_id, change_batch_for_challenges(dcs, action: 'DELETE', comment: '(cleanup)')]
+          [
+            zone_id,
+            change_batch_for_challenges(
+              dcs,
+              action: 'DELETE',
+              comment: '(cleanup)',
+              post_changes: changes_to_restore_original_records(zone_id, *dcs),
+            ),
+          ]
         end
 
         request_changing_rrset(zone_and_batches, comment: 'to remove challenge responses')
@@ -59,6 +79,69 @@ module Acmesmith
 
       private
 
+      def save_original_records(*domain_and_challenges)
+        domain_and_challenges.each do |domain, challenge|
+
+          hosted_zone_id = find_hosted_zone(domain)
+          name = "#{challenge.record_name}.#{domain}."
+
+          rrsets = list_existing_rrsets(hosted_zone_id, name)
+          next if rrsets.empty?
+
+          @original_records[hosted_zone_id] ||= {}
+          @original_records[hosted_zone_id][name] = rrsets
+          puts "   * original_record: #{domain}(#{hosted_zone_id}): #{rrsets.inspect}"
+
+        end
+      end
+
+      def changes_to_delete_original_cname(zone_id, *domain_and_challenges)
+        @original_records[zone_id] ||= {}
+        domain_and_challenges.map do |domain, challenge|
+          name = "#{challenge.record_name}.#{domain}."
+          original_records = @original_records[zone_id][name]
+          next unless original_records
+          original_cname = original_records.find{ |_| _.type == 'CNAME' }
+          next unless original_cname
+
+          # FIXME: support set_identifier?
+          {
+            action: 'DELETE',
+            resource_record_set: {
+              name: original_cname.name,
+              ttl: original_cname.ttl,
+              type: original_cname.type,
+              resource_records: original_cname.resource_records.map(&:to_h),
+              alias_target: original_cname.alias_target&.to_h,
+            },
+          }
+        end.compact
+      end
+
+      def changes_to_restore_original_records(zone_id, *domain_and_challenges)
+        @original_records[zone_id] ||= {}
+        domain_and_challenges.flat_map do |domain, challenge|
+          name = "#{challenge.record_name}.#{domain}."
+          original_records = @original_records[zone_id][name]
+          next unless original_records
+
+          # FIXME: support set_identifier?
+          original_records.map do |original_record|
+            next if original_record.type != challenge.record_type && original_record.type != 'CNAME'
+            {
+              action: 'CREATE',
+              resource_record_set: {
+                name: original_record.name,
+                ttl: original_record.ttl,
+                type: original_record.type,
+                resource_records: original_record.resource_records.map(&:to_h),
+                alias_target: original_record.alias_target&.to_h,
+              },
+            }
+          end
+        end.compact
+      end
+
       def request_changing_rrset(zone_and_batches, comment: nil)
         puts "=> Requesting RRSet change #{comment}"
         puts
@@ -107,10 +190,9 @@ module Acmesmith
           end
         end
         puts
-
       end
 
-      def change_batch_for_challenges(domain_and_challenges, comment: nil, action: 'UPSERT')
+      def change_batch_for_challenges(domain_and_challenges, comment: nil, action: 'UPSERT', pre_changes: [], post_changes: [])
         changes = domain_and_challenges
           .map do |d, c|
             rrset_for_challenge(d, c)
@@ -133,7 +215,7 @@ module Acmesmith
 
         {
           comment: "ACME challenge response #{comment}",
-          changes: changes,
+          changes: pre_changes + changes + post_changes,
         }
       end
 
@@ -181,6 +263,40 @@ module Acmesmith
           end.group_by(&:first).map { |domain, kvs| [domain, kvs.map(&:last)] }.to_h.merge(hosted_zone_map)
         end
       end
+
+      def list_existing_rrsets(hosted_zone_id, name)
+        rrsets = []
+        start_record_name = name
+        start_record_type = nil
+        start_record_identifier = nil
+
+        while start_record_name == name
+          begin
+            tries = 0
+            page = @route53.list_resource_record_sets(
+              hosted_zone_id: hosted_zone_id,
+              start_record_name: start_record_name,
+              start_record_type: start_record_type,
+              start_record_identifier: start_record_identifier,
+              max_items: 10,
+            )
+            page.resource_record_sets.each do |rrset|
+              rrsets << rrset if rrset.name == name
+            end
+
+            start_record_name = page.next_record_name
+            start_record_type = page.next_record_type
+            start_record_identifier = page.next_record_identifier
+          rescue Aws::Route53::Errors::Throttling => e
+            interval = (2**tries) * 0.1
+            $stderr.puts "   ! #{e.class}: Sleeping #{interval} seconds (#{e.message})"
+            sleep interval
+            tries += 1
+            retry
+          end
+        end
+        rrsets
+      end
     end
   end
 end

data/lib/acmesmith/version.rb

@@ -1,3 +1,3 @@
 module Acmesmith
-  VERSION = "2.3.1"
+  VERSION = "2.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: acmesmith
 version: !ruby/object:Gem::Version
-  version: 2.3.1
+  version: 2.4.0
 platform: ruby
 authors:
 - Sorah Fukumori
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-12 00:00:00.000000000 Z
+date: 2020-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -136,6 +136,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".dockerignore"
+- ".github/stale.yml"
 - ".github/workflows/build.yml"
 - ".gitignore"
 - ".rspec"
@@ -190,7 +191,7 @@ homepage: https://github.com/sorah/acmesmith
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -206,7 +207,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.2
-signing_key: 
+signing_key:
 specification_version: 4
 summary: ACME client (Let's encrypt client) to manage certificate in multi server
   environment with cloud services (e.g. AWS)