acmesmith 2.2.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 428d6ec71e91259de56ffd77471e823c9673eb9002e8c1bb419875f57f9086e3
-  data.tar.gz: c85d4efa0fd6a36b04ea1fbfbd346a055426a1fdb818c5c7f25d28d4073f8b56
+  metadata.gz: 0dd12b4a45a6d9a46c3c3b6c55cd2918e534da57e25293b2b40f06b5e5faeea3
+  data.tar.gz: 6edaf583cdb673a28b4d549a7c7d2636a867365afe59482d34f79c28e0a60900
 SHA512:
-  metadata.gz: f748341d751c06fe73c17e25c381979e6c77700a5df8bed4978fbfb5563e767d94a73cbfb5bc403cd60516e94fdf34af79b43c0ec3dcd82340e96c776a3cef70
-  data.tar.gz: f25125c00a446baa23f7025594096081a2ddd10c920d8602b8df8eb8bac0def9bb6ea63ae00d984124dc5a306d79e86faf386135e9f4281ddf28cb77b8094918
+  metadata.gz: c00d5e1e8ad23acca150df071027c64e030429167b29bd25bd3347a19c558836ec9cf25405bc2e0493541e027f568a1e63f688894b40753774de76fefcd01e72
+  data.tar.gz: f0c02fbec4d3572499321be2279384ea9424b20a43166ea536c208d3cb3332de4841537c944bfd9664ba596e5da154645fc3d6cb4dc207c346740e5a5d4a086d

data/.dockerignore

@@ -0,0 +1,6 @@
+.git/
+pkg/
+.bundle/
+vendor/
+acmesmith.yml
+config*yml

data/.github/workflows/build.yml

@@ -0,0 +1,123 @@
+name: ci
+on: 
+  schedule:
+    - cron: '36 7 2,12,22 * *'
+  release:
+    types: [published]
+  pull_request:
+    branches: [master]
+  push:
+    branches: [master, ci-test]
+
+env:
+  DOCKER_REPO: 'sorah/ruby'
+
+jobs:
+  test:
+    name: rspec
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ['2.6', '2.7']
+    container:
+      image: sorah/ruby:${{ matrix.ruby-version }}-dev
+    steps:
+
+      - name: Cache bundled gems
+        uses: actions/cache@v1
+        id: rspec-bundle
+        with:
+          path: ~/bundle
+          key: ${{ runner.os }}-${{ matrix.ruby-version }}
+
+      - uses: actions/checkout@master
+      - run: 'bundle install --path ~/bundle'
+      - run: 'bundle exec rspec -fd'
+
+  integration-pebble:
+    name: integration-pebble
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ['2.6', '2.7']
+
+        # FIXME: once GitHub Actions gains support of adding command line arguments to container
+      #    services:
+      #      # https://github.com/letsencrypt/pebble
+      #      pebble:
+      #        image: letsencrypt/pebble
+      #        ports:
+      #          - 14000:14000  # ACME port
+      #          - 15000:15000  # Management port
+      #        options: "pebble -config /test/config/pebble-config.json -strict -dnsserver 127.0.0.1:8053"
+      #
+      #      challtestsrv:
+      #        image: letsencrypt/pebble-challtestsrv:latest
+      #        ports:
+      #          - 8055:8055  # HTTP Management API
+      #          - 8053:8053/udp # DNS
+      #          - 8053:8053 # DNS
+      #        options: 'pebble-challtestsrv -management :8055 -defaultIPv4 127.0.0.1'
+
+    steps:
+      - uses: actions/checkout@master
+
+      - name: Cache bundled gems
+        uses: actions/cache@v1
+        id: instegration-pebble-bundle
+        with:
+          path: ~/bundle
+          key: ${{ runner.os }}-${{ matrix.ruby-version }}
+
+      - run: 'docker run -d --net=host --rm letsencrypt/pebble pebble -config /test/config/pebble-config.json -strict -dnsserver 127.0.0.1:8053'
+      - run: 'docker run -d --net=host --rm letsencrypt/pebble-challtestsrv pebble-challtestsrv -management :8055 -defaultIPv4 127.0.0.1'
+      - run: 'docker run --net=host -e CI --rm -v $(pwd):/work -v $(realpath ~/bundle):/bundle sorah/ruby:${{ matrix.ruby-version  }}-dev sh -c "cd /work && bundle install --path /bundle && bundle exec rspec -fd -t integration_pebble"'
+
+  docker-build:
+    name: docker-build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - run: 'echo $GITHUB_SHA > REVISION'
+
+      - run: "docker pull ${DOCKER_REPO}:latest || :"
+      - name: "docker tag ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:latest"
+        run: |
+          TAG=$(basename "${{ github.ref }}")
+          docker pull ${DOCKER_REPO}:${TAG}
+          docker tag ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:latest
+        if: "${{ startsWith(github.ref, 'refs/tags/v') }}"
+
+      - run: "docker pull ${DOCKER_REPO}:builder || :"
+
+      - run: "docker build --pull --cache-from ${DOCKER_REPO}:builder --target builder -t ${DOCKER_REPO}:builder -f Dockerfile ."
+      - run: "docker build --pull --cache-from ${DOCKER_REPO}:builder --cache-from ${DOCKER_REPO}:latest -t ${DOCKER_REPO}:${GITHUB_SHA} -f Dockerfile ."
+
+      - run: "echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u sorah --password-stdin"
+        if: "${{ github.event_name != 'pull_request' }}"
+
+      - run: "docker push ${DOCKER_REPO}:builder"
+        if: "${{ github.ref == 'refs/heads/master' }}"
+      - run: "docker push ${DOCKER_REPO}:${GITHUB_SHA}"
+        if: "${{ github.event_name != 'pull_request' }}"
+
+  docker-push:
+    name: docker-push
+    needs: [test, integration-pebble, docker-build]
+    if: "${{ github.event_name == 'push' || github.event_name == 'release' }}"
+    runs-on: ubuntu-latest
+    steps:
+      - run: "echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u sorah --password-stdin"
+      - run: "docker pull ${DOCKER_REPO}:${GITHUB_SHA}"
+
+      - run: |
+          docker tag ${DOCKER_REPO}:${GITHUB_SHA} ${DOCKER_REPO}:latest
+          docker push ${DOCKER_REPO}:latest
+        if: "${{ github.ref == 'refs/heads/master' }}"
+      - run: |
+          TAG=$(basename "${{ github.ref }}")
+          docker tag ${DOCKER_REPO}:${GITHUB_SHA} ${DOCKER_REPO}:${TAG}
+          docker push ${DOCKER_REPO}:${TAG}
+        if: "${{ startsWith(github.ref, 'refs/tags/v') }}"

data/.gitignore

@@ -1,6 +1,5 @@
 /.bundle/
 /.yardoc
-/Gemfile.lock
 /_yardoc/
 /coverage/
 /doc/

data/CHANGELOG.md

@@ -1,3 +1,38 @@
+## v2.3.0 (2020-05-12)
+
+### Enhancement
+
+- route53: Added support of assuming IAM Role to access Route 53. (requested at [#36](https://github.com/sorah/acmesmith/issues/36) [#37](https://github.com/sorah/acmesmith/pull/37) [#38](https://github.com/sorah/acmesmith/issues/36))
+
+- Added filter for challenge responders. This allows selecting a challenge responder for specific domain names. (indirectly requested at [#36](https://github.com/sorah/acmesmith/issues/36) [#37](https://github.com/sorah/acmesmith/pull/37) [#38](https://github.com/sorah/acmesmith/issues/36))
+
+  ```yaml
+  challenge_responders:
+    # Use specific IAM role for the domain "example.dev" ...
+    - route53:
+        assume_role:
+          role_arn: 'arn:aws:iam:...'
+      filter:
+        subject_name_exact:
+          - example.dev
+
+    - manual_dns: {}
+      filter:
+        subject_name_suffix:
+          - example.net
+
+    # Default
+    - route53: {}
+  ```
+
+- config: now accepts `connection_options` and `bad_nonce_retry` for [`Acme::Client`](https://github.com/unixcharles/acme-client).
+
+### Fixes
+
+- Exported PKCS#12 were not included a certificate chain [#35](https://github.com/sorah/acmesmith/pulls/35)
+- s3: `use_kms` option was not respected for certificate keys & PKCS#12. It was always `true`.
+- A large refactoring of internal components.
+
 ## v2.2.0 (2018-08-08)
 
 ### Enhancement

data/Dockerfile

@@ -0,0 +1,29 @@
+FROM sorah/ruby:2.7-dev as builder
+
+#RUN apt-get update \
+#    && apt-get install -y libmysqlclient-dev git-core \
+#    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+COPY Gemfile /app/
+COPY Gemfile.lock /app/
+COPY acmesmith.gemspec /app/
+RUN sed -i -e 's|Acmesmith::VERSION|"0.0.0"|g' -e '/^require.*acmesmith.version/d' -e '/`git/d' acmesmith.gemspec
+
+RUN bundle install --path /gems --jobs 100 --without development
+
+FROM sorah/ruby:2.7
+
+#RUN apt-get update \
+#    && apt-get install -y libmysqlclient20 \
+#    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+COPY . /app/
+COPY --from=builder /gems /gems
+COPY --from=builder /app/.bundle /app/.bundle
+COPY --from=builder /app/Gemfile* /app/
+COPY --from=builder /app/acmesmith.gemspec /app/
+
+ENTRYPOINT ["bundle", "exec", "bin/acmesmith"]
+

data/Gemfile

@@ -2,3 +2,5 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in acmesmith.gemspec
 gemspec
+
+gem 'nokogiri'

data/Gemfile.lock

@@ -0,0 +1,73 @@
+PATH
+  remote: .
+  specs:
+    acmesmith (2.3.0)
+      acme-client (~> 2)
+      aws-sdk-acm
+      aws-sdk-route53
+      aws-sdk-s3
+      thor
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    acme-client (2.0.6)
+      faraday (>= 0.17, < 2.0.0)
+    aws-eventstream (1.1.0)
+    aws-partitions (1.312.0)
+    aws-sdk-acm (1.30.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-core (3.95.0)
+      aws-eventstream (~> 1, >= 1.0.2)
+      aws-partitions (~> 1, >= 1.239.0)
+      aws-sigv4 (~> 1.1)
+      jmespath (~> 1.0)
+    aws-sdk-kms (1.31.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-route53 (1.34.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-s3 (1.64.0)
+      aws-sdk-core (~> 3, >= 3.83.0)
+      aws-sdk-kms (~> 1)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.1.3)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+    diff-lcs (1.3)
+    faraday (1.0.1)
+      multipart-post (>= 1.2, < 3)
+    jmespath (1.4.0)
+    mini_portile2 (2.4.0)
+    multipart-post (2.1.1)
+    nokogiri (1.10.9)
+      mini_portile2 (~> 2.4.0)
+    rake (13.0.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    thor (1.0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  acmesmith!
+  bundler
+  nokogiri
+  rake
+  rspec
+
+BUNDLED WITH
+   2.1.4

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016 sorah (Shota Fukumori)
+Copyright (c) 2016 Sorah Fukumori
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -1,5 +1,7 @@
 # Acmesmith: A simple, effective ACME v2 client to use with many servers and a cloud
 
+![ci](https://github.com/sorah/acmesmith/workflows/ci/badge.svg?event=push)
+
 Acmesmith is an [ACME (Automatic Certificate Management Environment)](https://github.com/ietf-wg-acme/acme) client that works perfect on environment with multiple servers. This client saves certificate and keys on cloud services (e.g. AWS S3) securely, then allow to deploy issued certificates onto your servers smoothly. This works well on [Let's encrypt](https://letsencrypt.org).
 
 This tool is written in Ruby, but Acmesmith saves certificates in simple scheme, so you can fetch certificate by your own simple scripts.
@@ -31,6 +33,17 @@ Or install it yourself as:
 
     $ gem install acmesmith
 
+### Docker
+
+```
+docker run -v /path/to/acmesmith.yml:/app/acmesmith.yml:ro sorah/acmesmith:latest
+```
+
+[`Dockerfile`](./Dockerfile) is available. Default confguration file is at `/app/acmesmith.yml`.
+
+Pre-built docker images are provided at https://hub.docker.com/r/sorah/acmesmith for your convenience
+Built with GitHub Actions & [sorah-rbpkg/dockerfiles](https://github.com/sorah-rbpkg/dockerfiles).
+
 ## Usage
 
 ```
@@ -71,76 +84,61 @@ See `acmesmith help [subcommand]` for more help.
 See [config.sample.yml](./config.sample.yml) to start. Default configuration file is `./acmesmith.yml`.
 
 ``` yaml
-directory: https://acme-staging-v02.api.letsencrypt.org/directory
-# directory: https://acme-v02.api.letsencrypt.org/directory # production
+directory: https://acme-v02.api.letsencrypt.org/directory # production
 
 storage:
   # configure where to store keys and certificates; described later
+  type: s3
+  region: 'us-east-1'
+  bucket: 'my-acmesmith-bucket'
+  prefix: 'prod/'
+
 challenge_responders:
   # configure how to respond ACME challenges; described later
-
-account_key_passphrase: password
-certificate_key_passphrase: secret
+  - route53: {}
 ```
 
 ### Storage
 
-#### S3
-
-```
-storage:
-  type: s3
-  region:
-  bucket:
-  # prefix:
-  # aws_access_key: # aws credentials (optional); If omit, default configuration of aws-sdk use will be used.
-  #   access_key_id:
-  #   secret_access_key:
-  #   session_token:
-  # use_kms: true
-  # kms_key_id: # KMS key id (optional); if omit, default AWS managed key for S3 will be used
-  # kms_key_id_account: # KMS key id for account key (optional); This overrides kms_key_id
-  # kms_key_id_certificate_key: # KMS key id for private keys for certificates (optional); This oveerides kms_key_id
-  # pkcs12_passphrase: # (optional) Set passphrase to generate PKCS#12 file (for scripts that reads S3 bucket directly)
-  # pkcs12_common_names: ['example.org'] # (optional) List of common names to limit certificates for generating PKCS#12 file.
-```
-
-This saves certificates and keys in the following S3 keys:
-
-- `{prefix}/account.pem`: Account private key in pem
-- `{prefix}/certs/{common_name}/current`: text file contains current version name
-- `{prefix}/certs/{common_name}/{version}/cert.pem`: certificate in pem
-- `{prefix}/certs/{common_name}/{version}/key.pem`: private key in pem
-- `{prefix}/certs/{common_name}/{version}/chain.pem`: CA chain in pem
-- `{prefix}/certs/{common_name}/{version}/fullchain.pem`: certificate + CA chain in pem. This is suitable for some server softwares like nginx.
+Storage provider stores issued certificates, private keys and ACME account keys.
 
-#### Filesystem
-
-This is not recommended. If you're planning to use this, make sure backing up the keys.
-
-```
-storage:
-  type: filesystem
-  path: /path/to/directory/to/store/keys
-```
+- Amazon S3: [s3](./docs/storages/s3.md)
+- Filesystem: [filesystem](./docs/storages/filesystem.md)
+- Google Cloud Storage: [minimum2scp/acmesmith-google-cloud-storage](https://github.com/minimum2scp/acmesmith-google-cloud-storage) _(plugin)_
 
 ### Challenge Responders
 
 Challenge responders responds to ACME challenges to prove domain ownership to CA.
 
-#### Route53
+- API driven
+  - AWS Route 53: [route53](./docs/challenge_responders/route53.md) (`dns-01`)
+  - Google Cloud DNS: [nagachika/acmesmith-google-cloud-dns](https://github.com/nagachika/acmesmith-google-cloud-dns) (`dns-01`, _plugin_ )
+  - OpenStack Designate v1: [hanazuki/acmesmith-designate](https://github.com/hanazuki/acmesmith-designate) (`dns-01`, _plugin_ )
+  - Verisign MDNS REST API: [benkap/acmesmith-verisign](https://github.com/benkap/acmesmith-verisign) (`dns-01`, _plugin_ )
+- Generic
+  - Static HTTP: [mipmip/acmesmith-http-path](https://github.com/mipmip/acmesmith-http-path) (`http-01`, _plugin_ )
 
-Route53 responder supports `dns-01` challenge type. This assumes domain NS are managed under Route53 hosted zone.
+#### Common options
 
-```
+```yaml
 challenge_responders:
-  - route53:
-      # aws_access_key: # aws credentials (optional); If omit, default configuration of aws-sdk use will be used.
-      #   access_key_id:
-      #   secret_access_key:
-      #   session_token:
-      # hosted_zone_map: # hosted zone map (optional); This is to specify exactly one hosted zone to use. This will be required when there are multiple hosted zone with same domain name. Usually
-      #   "example.org.": "/hostedzone/DEADBEEF"
+  ## Multiple responders are accepted.
+  ## The first responder that supports a challenge and applicable for given domain name will be used.
+  - {RESPONDER_TYPE}:
+      {RESPONDER_OPTIONS}
+
+    ### Filter (optional)
+    filter:
+      subject_name_exact:
+        - my-app.example.com
+      subject_name_suffix:
+        - .example.org
+      subject_name_regexp:
+        - '\Aapp\d+.example.org\z'
+
+  - {RESPONDER_TYPE}:
+      {RESPONDER_OPTIONS}
+    ...
 ```
 
 ### Post Issuing Hooks
@@ -150,52 +148,40 @@ when a new certificate has been succesfully issued. The hooks are
 sequentially executed in the same order as they are configured, and they
 are configurable per certificate's common-name.
 
-#### `shell`
+- Shell script: [shell](./docs/post_issuing_hooks/shell.md)
+- Amazon Certificate Manager (ACM): [acm](./docs/post_issuing_hooks/acm.md)
 
-Execute specified command on a shell. Environment variable `${COMMON_NAME}` is available.
+## Vendor dependent notes
 
-```
-post_issuing_hooks:
-  "test.example.com":
-    - shell:
-        command: mail -s "New cert for ${COMMON_NAME} has been issued" user@example.com < /dev/null
-    - shell:
-        command: touch /tmp/certs-has-been-issued-${COMMON_NAME}
-  "admin.example.com":
-    - shell:
-        command: /usr/bin/dosomethingelse ${COMMON_NAME}
-```
+- [./docs/vendor/aws.md](./docs/vendor/aws.md): IAM and KMS key policies, and some tips
 
-### `acm`
+## Contributing
 
-Import certificate into AWS ACM.
+Bug reports and pull requests are welcome on GitHub at https://github.com/sorah/acmesmith.
 
-```
-post_issuing_hooks:
-  "test.example.com":
-    - acm:
-        region: us-east-1 # required
-        certificate_arn: arn:aws:acm:... # (optional)
-```
+### Running tests
 
-When `certificate_arn` is not present, `acm` hook attempts to find the certificate ARN from existing certificate list. Certificate with same common name ("domain name" on ACM), and `Acmesmith` tag
- will be used. Otherwise, `acm` hook imports as a new certificate with `Acmesmith` tag.
+unit test:
 
-## 3rd party Plugins
+```
+bundle exec rspec
+```
 
-### Challenge responders
+integration test using [letsencrypt/pebble](https://github.com/letsencrypt/pebble). needs Docker:
 
-- [hanazuki/acmesmith-designate](https://github.com/hanazuki/acmesmith-designate) `dns-01` challenge responder with OpenStack-based DNSaaS (Designate v1 API), e.g. for ConoHa.
-- [nagachika/acmesmith-google-cloud-dns](https://github.com/nagachika/acmesmith-google-cloud-dns) `dns-01` challenge responder with [Google Cloud DNS](https://cloud.google.com/dns/).
-- [mipmip/acmesmith-http-path](https://github.com/mipmip/acmesmith-http-path) - `http-01` challenge reponder if you have write access to the vhost server root.
+```
+ACMESMITH_CI_START_PEBBLE=1 CI=1 bundle exec -t integration_pebble
+```
 
-### Storage
+## Writing plugins
 
-- [minimum2scp/acmesmith-google-cloud-storage](https://github.com/minimum2scp/acmesmith-google-cloud-storage) storage using [Google Cloud Storage](https://cloud.google.com/storage/)
+Publish as a gem (RubyGems). Files will be loaded automatically from `lib/acmesmith/{plugin_type}/{name}.rb`.
 
-## Vendor dependent notes
+e.g.
 
-- [./docs/vendor/aws.md](./docs/vendor/aws.md): IAM and KMS key policies, and some tips
+- storage: `lib/acmesmith/storages/perfect_storage.rb` & `Acmesmith::Storages::PerfectStorage`
+- challenge_responder: `lib/acmesmith/challenge_responders/perfect_authority.rb` & `Acmesmith::Storages::PerfectAuthority`
+- post_issuing_hook: `lib/acmesmith/challenge_responders/nice_deploy.rb` & `Acmesmith::Storages::NiceDeploy`
 
 ## Development
 
@@ -203,14 +189,6 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
-### Todos
-
-- Tests
-- Support post actions (notifying servers, deploying to somewhere, etc...)
-
-## Contributing
-
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/acmesmith.
 
 
 ## License