amarillo 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a94e70709b0f4147b7c04711d1e1f58a54eeea7a743364ee4e8dc2d25984b83a
-  data.tar.gz: 1f179ac5eea2d4919e22d09a44b491cbed3e2704128d9da71a9c00a10c177275
+  metadata.gz: b53b0e0803cc4bd89185cbfc67aeb3d468ab7f34988073d7c405f6e88f38e6fe
+  data.tar.gz: ef2b8ec288bae0acd3924aa61ded5ccde2f9915bb15ec664316693641d4391e8
 SHA512:
-  metadata.gz: 3acd69905f4138ab59a2de3a1cb8493a6e1ea9363ccaaa622c8d565112850e78ce11ea6fad940052c7a4795a3e19980bb2f24f392775ac4aeab463f19ef6d013
-  data.tar.gz: 0025b7ca2705e934750ca1bf267644ddc9fd610072ab64a2d5fc7c762b1c16d200b6ea1c6f74b87723c2a75fe6251982478ee72cfc9bc7c5b11581211b2d1a9d
+  metadata.gz: 16eb56677f677b3b752de0af6e1b67dc6495b01a494e84e8c935ea19db84f3b16a2bf71cbc67893025388b4289b39d9ebf84f86b2e81b0abf0742c7707bd2e33
+  data.tar.gz: 94af28ad358c6313fa4a43c00b0b31fc9f01d577556c90e8bf49c9396c06946c7d689abdd6fcd826b558fbcf74b3767b93c183055c2db7514510369033a8c1f6

data/bin/amarillo

@@ -23,9 +23,18 @@
 require 'optparse' 
 require 'fileutils'
 require 'amarillo'
+require 'amarillo/environment'
 
 options = {}
 OptionParser.new do |opts|
+  opts.on("-i", "--initialize", "Initialize amarillo defaults") do |i|
+    options[:initialize] = i
+  end 
+
+  opts.on("-r", "--renew", "Renew certificates") do |r|
+    options[:renew] = r
+  end
+
   opts.on("-z", "--zone ZONE", "Hosted zone") do |z|
     options[:zone] = z
   end
@@ -38,8 +47,8 @@ OptionParser.new do |opts|
     options[:name] = n
   end
 
-  opts.on("-o", "--output-directory OUTPUT_PATH", "Output directory of certificates and keys") do |o|
-    options[:certificate_path] = o
+  opts.on("-a", "--amarillo-home AMARILLO_HOME", "Home directory for configuration, keys, and certificates") do |o|
+    options[:amarillo_home] = a
   end
 
   opts.on("-h", "--help") do |h|
@@ -55,57 +64,56 @@ Usage:  amarillo --zone ZONE --name COMMONNAME --email EMAIL [--output-path OUTP
   exit 0
 end 
 
-if options[:zone].nil? or
-   options[:email].nil? or
-   options[:name].nil? then
+if options[:initialize] then
+  e = Amarillo::Environment.new
 
-   puts "Usage:  amarillo --zone ZONE --name COMMONNAME --email EMAIL [--output-directory OUTPUT_PATH]"
+  e.init options[:zone], options[:email]
 
-   exit -1
+  exit 0
 end
 
-if options[:output_path].nil?
-  certificate_path = "/etc/ssl/amarillo"
-  key_path         = "/etc/ssl/amarillo/private"
+e = Amarillo::Environment.new
+e.load_config
+
+if options[:zone].nil?
+  zone = e.config["defaults"]["zone"]
+  if zone.nil? or zone == '' then
+    puts "Error:  Specify a default zone in config.yml or use --zone"
+    exit -1
+  end
 else
-  certificate_path = options[:output_path]
-  key_path         = "#{certificate_path}/private"
+  zone = options[:zone]
 end
 
-# Try to create the certificate_path and key_path
-keypath_dirname = File.dirname(key_path)
-unless File.directory?(keypath_dirname)
-	begin
-	  FileUtils.mkdir_p(keypath_dirname)
-	rescue
-		writableMessage = <<-"HEREDOC"
-Error:  #{certificate_path} and #{key_path} are not writable directories to store keys and certificates.
-HEREDOC
-		print writableMessage
-		exit -1
-	end
+if options[:email].nil?
+  email = e.config["defaults"]["email"]
+  if email.nil? or email == '' then
+    puts "Error:  Specify a default e-mail address in config.yml or use --email"
+    exit -1
+  end
+else
+  email = options[:email]
 end
 
-# Check for existense of aws.env
-awsEnvPath = Pathname.new("/etc/amarillo/aws.env")
-if not awsEnvPath.exist? then
-	awsEnvMessage = <<-"HEREDOC"
-Error:  /etc/amarillo/aws.env AWS credentials file not found.
-
-/etc/amarillo/aws.env must exist and set both aws_access_key_id and aws_secret_access_key for an IAM user with AmazonRoute53FullAccess permissions. 
-
-Example:
+if options[:name].nil? and options[:renew].nil? then
+   puts "Usage:  amarillo --name COMMONNAME [--zone ZONE] [--email EMAIL] [--amarillo-home AMARILLO_HOME]"
+   exit -1
+else
+  name = options[:name]
+end
 
-[default]
-aws_access_key_id = your_access_key_id
-aws_secret_access_key = your_secret_access_key
-	HEREDOC
+if options[:amarillo_home].nil?
+  amarillo_home = "/usr/local/etc/amarillo"
+else
+  amarillo_home = options[:amarillo_home]
+end
 
-	print awsEnvMessage
+y = Amarillo.new amarillo_home
 
-  exit -1
+if options[:renew] then
+  y.renewCertificates
+else
+  y.requestCertificate zone, name, email, nil
 end
 
 
-y = Amarillo.new(certificate_path, key_path, awsEnvPath)
-y.requestCertificate(options[:zone], options[:name], options[:email])

data/lib/amarillo.rb

@@ -29,14 +29,23 @@ require 'openssl'         # Key Generation
 require 'aws-sdk-core'    # Credentials
 require 'aws-sdk-route53' # Route 53
 require 'resolv'          # DNS Resolvers
+require 'yaml'            # YAML
 
 class Amarillo
 
-  def initialize(certificatePath, keyPath, awsEnvPath)
+  def initialize(amarilloHome)
 
-    @certificatePath = certificatePath
-    @keyPath         = keyPath
-    @awsEnvPath      = awsEnvPath
+    @environment = Amarillo::Environment.new(amarilloHome:  amarilloHome)
+
+    if not @environment.verify then raise "Cannot initialize amarillo" end
+
+    @environment.load_config
+
+    @certificatePath = @environment.certificatePath
+    @keyPath         = @environment.keyPath
+    @config          = @environment.config
+    @awsEnvFile      = @environment.awsEnvFile
+    @configsPath     = @environment.configsPath
 
     @logger = Logger.new(STDOUT)
     @logger.level = Logger::INFO
@@ -65,19 +74,35 @@ class Amarillo
     valid
   end
 
-  def requestCertificate(zone, commonName, email)
+  def get_route53
+    shared_creds = Aws::SharedCredentials.new(path: "#{@awsEnvFile}")
+
+    Aws.config.update(credentials: shared_creds)
+
+    region  = @config["defaults"]["region"] ? @config["defaults"]["region"] : 'us-east-2'
+    @route53 = Aws::Route53::Client.new(region: region)
+    @hzone   = @route53.list_hosted_zones(max_items: 100).hosted_zones.detect { |z| z.name == "#{@zone}." }
+
+  end
+
+  def requestCertificate(zone, commonName, email, key_type)
+
+    @zone = zone
+
+    acmeUrl = @config["defaults"]["acme_url"] ? @config["defaults"]["acme_url"] : 'https://acme-v02.api.letsencrypt.org/directory'
+
+    # Load private key
 
-    @logger.info "Generating 4096-bit RSA private key"
-    key = OpenSSL::PKey::RSA.new(4096)
-    client = Acme::Client.new(
-      private_key: key, 
-      directory: 'https://acme-v02.api.letsencrypt.org/directory'
-      )
+    @logger.info "Loading 4096-bit RSA private key for Let's Encrypt account"
+    @logger.info "Let's Encrypt directory set to #{acmeUrl}"
 
-    account = client.new_account(
-      contact: "mailto:#{email}", 
-      terms_of_service_agreed: true
-      )
+    key = OpenSSL::PKey::RSA.new File.read "#{@keyPath}/letsencrypt.key"
+
+    client = Acme::Client.new private_key: key, 
+                              directory:   acmeUrl
+
+    account = client.new_account contact: "mailto:#{email}", 
+                                 terms_of_service_agreed: true
 
     # Generate a certificate order
     @logger.info "Creating certificate order request for #{commonName}"
@@ -90,16 +115,7 @@ class Amarillo
 
     @logger.info "Challenge value for #{commonName} in #{zone} zone is #{challengeValue}"
 
-    # Update Route 53
-
-    shared_creds = Aws::SharedCredentials.new(path: "#{@awsEnvPath}")
-    Aws.config.update(credentials: shared_creds)
-
-    # TODO:  Allow the user to set the region
-    route53 = Aws::Route53::Client.new(region: 'us-east-2')
-    hzone   = route53.list_hosted_zones(max_items: 100)
-    .hosted_zones
-    .detect { |z| z.name == "#{zone}." }
+    self.get_route53
 
     change = {
       action: 'UPSERT',
@@ -114,30 +130,20 @@ class Amarillo
     }
 
     options = {
-      hosted_zone_id: hzone.id,
+      hosted_zone_id: @hzone.id,
       change_batch: {
         changes: [change]
       }
     }
 
-    route53.change_resource_record_sets(options)
-
-    nameservers = []
+    @route53.change_resource_record_sets(options)
 
-    @logger.info "Looking up nameservers for #{zone}"
+    nameservers = @environment.get_zone_nameservers
 
-    Resolv::DNS.open(nameserver: '9.9.9.9') do |dns|
-      while nameservers.length == 0
-        nameservers = dns.getresources(
-          zone,
-          Resolv::DNS::Resource::IN::NS
-          ).map(&:name).map(&:to_s)
-      end
-    end
-
-    @logger.info "Waiting for DNS record to propogate"
+    @logger.info "Waiting for DNS record to propagate"
     while !check_dns(commonName, nameservers, challengeValue)
-      sleep 1
+      sleep 2
+      @logger.info "Still waiting..."
     end
 
     authorization.dns.request_validation
@@ -150,15 +156,40 @@ class Amarillo
     	authorization.dns.reload
     end
 
-    @logger.info "Requesting certificate..."
+    @logger.info "Generating key"
+
+    # Create certificate yml
+    certConfig = {
+      "commonName"  =>  commonName,
+      "email"       =>  email,
+      "zone"        =>  zone
+    }
 
-    cert_key = OpenSSL::PKey::RSA.new(4096)
-    csr = Acme::Client::CertificateRequest.new(
-      private_key: cert_key, 
-      names: [commonName]
-      )
+    if key_type
+      certConfig["key_type"] = key_type
+    else
+      key_type = @config["defaults"]["key_type"]
+      certConfig["key_type"] = key_type
+    end 
 
-    order.finalize(csr: csr)
+    type, args = key_type.split(',')
+
+    if type == 'ec' then
+      certPrivateKey = OpenSSL::PKey::EC.new(args).generate_key
+    elsif type == 'rsa' then
+      certPrivateKey = OpenSSL::PKey::RSA.new(args)
+    end
+
+    @logger.info "Requesting certificate..."  
+    csr = Acme::Client::CertificateRequest.new private_key: certPrivateKey, 
+                                               names: [commonName]
+
+    begin                                               
+      order.finalize(csr: csr)
+    rescue
+      @logger.error("ERROR")
+      self.cleanup label, record_type, challengeValue
+    end
 
     sleep(1) while order.status == 'processing'
 
@@ -168,8 +199,9 @@ class Amarillo
     @logger.info "Saving private key to #{keyOutputPath}"
 
     File.open(keyOutputPath, "w") do |f|
-    	f.puts cert_key.to_pem.to_s
+    	f.puts certPrivateKey.to_pem.to_s
     end
+    File.chmod(0600, keyOutputPath)
 
     @logger.info "Saving certificate to #{certOutputPath}"
 
@@ -177,6 +209,14 @@ class Amarillo
     	f.puts order.certificate
     end
 
+    certConfigFile = "#{@configsPath}/#{commonName}.yml"
+    File.write(certConfigFile, certConfig.to_yaml)
+
+    self.cleanup label, record_type, challengeValue
+
+  end
+
+  def cleanup(label, record_type, challengeValue)
     @logger.info "Cleaning up..."
 
     change = {
@@ -192,12 +232,45 @@ class Amarillo
     }
 
     options = {
-      hosted_zone_id: hzone.id,
+      hosted_zone_id: @hzone.id,
       change_batch: {
         changes: [change]
       }
     }
 
-    route53.change_resource_record_sets(options)
+    @route53.change_resource_record_sets(options)
+  end
+
+  def renewCertificate(zone, commonName, email)
+
+  end
+
+  def renewCertificates
+    t = Time.now
+    @logger.info "Renewing certificates"
+
+    Dir["#{@configsPath}/*.yml"].each do |c|
+      config = YAML.load(File.read(c))
+
+      cn       = config["commonName"]
+      email    = config["email"]
+      zone     = config["zone"]
+      key_type = config["key_type"]
+
+      certificatePath = "#{@certificatePath}/#{cn}.crt"
+      raw = File.read certificatePath
+      certificate = OpenSSL::X509::Certificate.new raw      
+      daysToExpiration = (certificate.not_after - t).to_i / (24 * 60 * 60)
+
+      if daysToExpiration < 30 then
+        @logger.info "#{cn} certificate needs to be renewed"
+        self.requestCertificate zone, cn, email, key_type
+      else
+        @logger.info "#{cn} certificate does not need to be renewed"
+      end
+    end
   end
 end
+
+
+require 'amarillo/environment'

data/lib/amarillo/environment.rb

@@ -0,0 +1,226 @@
+#!/usr/bin/env ruby
+#
+# Inspired by Pete Keen's (pete@petekeen.net) post
+# https://www.petekeen.net/lets-encrypt-without-certbot
+# 
+# Copyright 2021 iAchieved.it LLC
+# 
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+require 'logger'
+require 'yaml'
+require 'aws-sdk-core'
+
+DefaultAmarilloHome = "/usr/local/etc/amarillo/"
+
+class Amarillo::Environment
+
+  attr_reader :certificatePath, :keyPath, :configPath, :configsPath, :config, :awsEnvFile
+
+  def initialize(amarilloHome:  DefaultAmarilloHome)
+
+    @logger = Logger.new(STDOUT)
+    @logger.level = Logger::INFO
+
+    @amarilloHome    = amarilloHome
+    @certificatePath = amarilloHome + "/certificates"
+    @keyPath         = amarilloHome + "/keys"
+    @configPath      = amarilloHome
+    @configsPath     = amarilloHome + "/configs"
+    @configFile      = amarilloHome + "/config.yml"
+    @awsEnvFile      = amarilloHome + "/aws.env"
+
+  end
+
+  # Public method to create default configuration files
+  def init(zone = nil, email = nil)
+
+    unless File.exist?(@configsPath) and File.directory?(@configsPath)
+      begin
+        @logger.info "Creating #{@configsPath} directory"
+        FileUtils.mkpath(@configsPath)
+      rescue
+        @logger.error("Cannot create #{@configsPath} directory")
+        return false
+      end
+    end
+
+    unless File.exist?(@certificatePath) and File.directory?(@certificatePath)
+      begin
+        @logger.info "Creating #{@certificatePath} directory"
+        FileUtils.mkpath(@certificatePath)
+      rescue
+        @logger.error("Cannot create #{@certificatePath} directory")
+        return false
+      end 
+    end 
+
+    unless File.exist?(@keyPath) and File.directory?(@keyPath)
+      begin
+        @logger.info "Creating #{@keyPath} directory"
+        FileUtils.mkpath(@keyPath)
+      rescue
+        @logger.error("Cannot create #{@keyPath} directory")
+        return false
+      end 
+    end
+
+    # Create aws.env
+    unless File.exist?(@awsEnvFile) then
+      awsEnv = <<-HEREDOC
+[default]
+aws_access_key_id = 
+aws_secret_access_key = 
+HEREDOC
+      @logger.info("Creating blank #{@awsEnvFile}")
+      @logger.warn("NOTE:  aws_access_key_id and aws_secret_access_key must be specified in this file.")
+      File.write(@awsEnvFile, awsEnv)
+    else
+      @logger.info("Refusing to overwrite #{@awsEnvFile}")
+    end
+
+    # Create config.yml
+    unless File.exist?(@configFile) then
+      @logger.info("Creating default configuration #{@configFile}")
+      config = {
+        "defaults" => {
+          "region"      =>  'us-east-2',
+          "profile"     => 'default',
+          "email"       =>  email,
+          "zone"        =>  zone,
+          "nameservers" =>  ['208.67.222.222', '9.9.9.9'],
+          "key_type"    =>  'ec,secp384r1'
+      }}
+      File.write(@configFile, config.to_yaml)
+    else
+      @logger.info("Refusing to overwrite #{@configFile}")
+    end
+
+    # Create RSA private key for Let's Encrypt account
+    privateKeyPath = "#{@keyPath}/letsencrypt.key"
+
+    unless File.exist? privateKeyPath then
+      @logger.info "Generating 4096-bit RSA private key for Let's Encrypt account"
+
+      privateKey = OpenSSL::PKey::RSA.new(4096)
+
+
+      File.open(privateKeyPath, "w") do |f|
+        f.puts privateKey.to_pem.to_s
+      end
+      File.chmod(0400, privateKeyPath)
+    end
+  end
+
+  #
+  # Verify paths exist and are writable
+  # Verify aws.env exists and is formatted correctly
+  # Verify config.yml exists and is formatted correctly
+  #
+  def verify
+    @logger.info "Verifying amarillo environment"
+    if not verify_env()    then return false end
+    if not verify_awsenv() then return false end
+    if not verify_config() then return false end
+    return true
+  end
+
+  def verify_env
+    unless File.stat(@certificatePath).writable? then
+      @logger.error(@certificatePath + " is not writable")
+      return false
+    end
+
+    unless File.stat(@keyPath).writable? then
+      @logger.error(@keyPath + " is not writable")
+      return false
+    end 
+
+    return true
+  end
+
+  def verify_awsenv()
+    awsEnvFile = Pathname.new(@awsEnvFile)
+    if not awsEnvFile.exist? then 
+      @logger.error("#{awsEnvFile} does not exist")
+      return false 
+    end           
+
+    awsCredentials = Aws::SharedCredentials.new(path: "#{@awsEnvFile}")
+
+    if awsCredentials.credentials.access_key_id.length != 20 then
+      @logger.error("#{@awsEnvFile} aws_access_key_id does not appear to be valid")
+      return false
+    end
+
+    if awsCredentials.credentials.secret_access_key.length != 40 then
+      @logger.error("#{@awsEnvFile} aws_secret_access_key does not appear to be valid")
+      return false
+    end
+
+    return true
+  end
+
+  def verify_config()
+    if not File.exist?(@configFile) then
+      @logger.error("#{@configFile} does not exist")
+      return false
+    end
+
+    begin
+      YAML.load(File.read(@configFile))
+    rescue
+      @logger.error("Unable to load configuration file")
+      return false
+    end 
+
+    return true
+  end
+
+  def load_config()
+    if verify_config() then
+      @config = YAML.load(File.read(@configFile))
+    end
+  end
+
+  def get_zone_nameservers
+
+    self.load_config
+
+    nameservers      = @config["defaults"]["nameservers"]
+    zone             = @config["defaults"]["zone"]
+
+    @logger.info "Looking up nameservers for #{zone}"
+
+    zone_nameservers = []
+    Resolv::DNS.open(nameserver:  nameservers) do |dns|
+      while zone_nameservers.length == 0
+        zone_nameservers = dns.getresources(
+          zone,
+          Resolv::DNS::Resource::IN::NS
+          ).map(&:name).map(&:to_s)
+      end
+    end
+
+    @logger.info "Found #{zone_nameservers.length} nameservers for zone #{zone}:  #{zone_nameservers}"
+
+    return zone_nameservers
+  end 
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: amarillo
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - iAchieved.it LLC
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-28 00:00:00.000000000 Z
+date: 2021-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -75,11 +75,12 @@ extra_rdoc_files: []
 files:
 - bin/amarillo
 - lib/amarillo.rb
+- lib/amarillo/environment.rb
 homepage: https://github.com/iachievedit/amarillo
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -94,8 +95,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Amarillo
 test_files: []