anchor-pki 0.2.0 → 0.3.0

data/lib/anchor/auto_cert/manager.rb

@@ -0,0 +1,215 @@
+# frozen_string_literal: true
+
+require 'acme/client'
+require 'uri'
+require 'tmpdir'
+require 'pathname'
+require 'forwardable'
+
+module Anchor
+  module AutoCert
+    # AutoCert Manager provides automatic access to certificates from Anchor, but
+    # theoretically it could work with Let's Encrypt or any other ACME-based CA.
+    class Manager
+      FALLBACK_RENEW_BEFORE_SECONDS = 24 * 60 * 60 # 1 day
+
+      extend Forwardable
+      def_delegators :@configuration,
+                     :cache,
+                     :contact,
+                     :directory,
+                     :external_account_binding,
+                     :renew_before_fraction,
+                     :renew_before_seconds
+
+      attr_reader :client,
+                  :configuration,
+                  :directory_url,
+                  :identifier_policies,
+                  :tos_acceptors
+
+      def self.for(configuration)
+        new(configuration: configuration)
+      end
+
+      def initialize(configuration:, client: nil)
+        configuration.validate!
+        @configuration = configuration
+
+        @identifier_policies = IdentifierPolicy.build(@configuration.allow_identifiers)
+        @tos_acceptors = Array(@configuration.tos_acceptors)
+        @directory_url = URI.parse(@configuration.directory_url)
+        @work_dir      = Pathname.new(@configuration.work_dir || Dir.mktmpdir)
+
+        @account_opts = {
+          contact: @configuration.contact,
+          external_account_binding: @configuration.external_account_binding
+        }
+
+        @client = client || new_client(contact: @configuration.contact)
+        @enabled = true
+      end
+
+      # It is currently assumed that the common name is the first of the
+      # `identifiers` passed into this method. If that is not the case, then the
+      # `common_name` parameter needs to be set explicitly
+      def certificate_paths(identifiers:, algorithm: :ecdsa, common_name: Array(identifiers).first, **opts)
+        cert_pem, key_pem = certificate(identifiers: identifiers, algorithm: algorithm, common_name: common_name,
+                                        **opts)
+
+        cert = (@work_dir / common_name).open('w') { |f| f << cert_pem }.path
+        key = (@work_dir / "#{common_name}+#{algorithm}").open('w') { |f| f << key_pem }.path
+
+        [cert, key]
+      end
+
+      # It is currently assumed that the common name is the first of the
+      # `identifiers` passed into this method. If that is not the case, then
+      # the `common_name` parameter needs to be set explicitly
+      def certificate(identifiers:, algorithm: :ecdsa, common_name: Array(identifiers).first, **opts)
+        if (arr = denied_identifiers(identifiers)).size.positive?
+          raise IdentifierNotAllowedError, "denied identifiers'#{arr.join(',')}'"
+        end
+
+        key_pem = cache&.read("#{common_name}+#{algorithm}")
+        cert_pem = cache&.read(common_name)
+
+        if key_pem.nil? || cert_pem.nil? || needs_renewal?(cert_pem: cert_pem)
+          cert_pem, key_pem = provision(identifiers: identifiers, algorithm: algorithm, common_name: common_name,
+                                        **opts)
+
+          cache&.write("#{common_name}+#{algorithm}", key_pem)
+          cache&.write(common_name, cert_pem)
+        end
+
+        [cert_pem, key_pem]
+      end
+
+      def disable
+        @enabled = false
+      end
+
+      # Currently this only tests for kid/hmac_key, but in the future it could
+      # test for other configuration options.
+      def enabled?
+        @enabled && configuration.enabled?
+      end
+
+      private
+
+      def provision(identifiers:, algorithm:, common_name:, **opts)
+        identifiers = Array(identifiers)
+        load_or_build_account
+        key_pem ||= new_key(algorithm).to_pem
+        csr = Acme::Client::CertificateRequest.new(private_key: parse_key_pem(key_pem), common_name: common_name,
+                                                   names: identifiers)
+
+        order = @client.new_order(identifiers: identifiers, **opts)
+        order.finalize(csr: csr)
+        # TODO: loop over order.authorizations and process the challenges
+
+        while order.status == 'processing'
+          sleep(1)
+          order.reload
+        end
+
+        [order.certificate, key_pem]
+      end
+
+      def account
+        @account ||= build_account(**@account_opts)
+      end
+      alias load_or_build_account account
+
+      def build_account(contact: nil, external_account_binding: nil, terms_of_service_agreed: false, **)
+        terms_of_service_agreed ||= @tos_acceptors.any? { |a| a.accept?(@client.terms_of_service) }
+
+        @client.new_account(contact: contact, terms_of_service_agreed: terms_of_service_agreed,
+                            external_account_binding: external_account_binding)
+      end
+
+      def needs_renewal?(cert_pem:, now: Time.now.utc)
+        cert = OpenSSL::X509::Certificate.new(cert_pem)
+
+        renew_after = [
+          renew_after_from_seconds(cert: cert),
+          renew_after_from_fraction(cert: cert),
+          renew_after_fallback(cert: cert),
+          cert.not_after # cert expired, get a new one
+        ].compact.min
+
+        (now > renew_after)
+      end
+
+      def renew_after_from_seconds(cert:, before_seconds: renew_before_seconds)
+        return nil unless before_seconds
+
+        renew_after = (cert.not_after - before_seconds)
+
+        # invalid if the renewal time is outside the certificate validity window
+        return nil unless (cert.not_before..cert.not_after).cover?(renew_after)
+
+        renew_after
+      end
+
+      def renew_after_from_fraction(cert:, before_fraction: renew_before_fraction)
+        return nil unless (0..1).cover?(before_fraction)
+
+        valid_span     = cert.not_after - cert.not_before
+        before_seconds = (valid_span * before_fraction).floor
+
+        renew_after_from_seconds(cert: cert, before_seconds: before_seconds)
+      end
+
+      # Fallback timestamp, in case there is some corner case that is not covered
+      def renew_after_fallback(cert:)
+        renew_after_from_seconds(cert: cert, before_seconds: FALLBACK_RENEW_BEFORE_SECONDS)
+      end
+
+      def new_client(account_key: nil, contact: nil, **)
+        account_key ||= fetch_account_key(contact) { new_key(:ecdsa) }
+
+        Acme::Client.new(private_key: account_key, directory: @directory_url)
+      end
+
+      def new_key(algorithm)
+        case algorithm
+        when :ecdsa then OpenSSL::PKey::EC.generate('prime256v1')
+        else
+          raise UnknownAlgorithmError, "unknown key algorithm '#{algorithm}'"
+        end
+      end
+
+      def fetch_account_key(contact)
+        id = "#{contact || 'default'}+#{@directory_url.host}+key"
+        parse_key_pem(cache&.fetch(id) { parse_key_pem(yield.to_pem) } || yield.to_pem)
+      end
+
+      def parse_key_pem(data)
+        key_pem = parse_rsa_pem(data) || parse_ecdsa_pem(data)
+        raise UnknownKeyFormatError unless key_pem
+
+        key_pem
+      end
+
+      def parse_rsa_pem(data)
+        OpenSSL::PKey::RSA.new(data)
+      rescue StandardError
+        nil
+      end
+
+      def parse_ecdsa_pem(data)
+        OpenSSL::PKey::EC.new(data)
+      rescue StandardError
+        nil
+      end
+
+      # returns all those identifiers that were not accepted by any policy
+      def denied_identifiers(identifiers)
+        Array(identifiers).reject do |identifier|
+          @identifier_policies.any? { |policy| policy.allow?(identifier) }
+        end
+      end
+    end
+  end
+end

data/lib/anchor/auto_cert/policy_check/for_hostname.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Anchor
+  module AutoCert
+    class PolicyCheck
+      # Check the identifier by strict hostname name comparison
+      #
+      # Reference: http://www.faqs.org/rfcs/rfc2396.html
+      #
+      class ForHostname < PolicyCheck
+        ALPHA                = '[a-zA-Z]'
+        ALPHA_NUMERIC        = '[a-zA-Z0-9]'
+        ALPHA_NUMERIC_HYPHEN = '[-a-zA-Z0-9]'
+        DOMAIN_LABEL         = "#{ALPHA_NUMERIC}#{ALPHA_NUMERIC_HYPHEN}*#{ALPHA_NUMERIC}"
+        TOP_LEVEL_DOMAIN     = "#{ALPHA}#{ALPHA_NUMERIC_HYPHEN}*#{ALPHA_NUMERIC}"
+
+        REGEX = /
+          \A
+          (?<sub>(#{DOMAIN_LABEL}\.)+)
+          (?<tld>#{TOP_LEVEL_DOMAIN})
+          \z
+        /ix.freeze
+
+        def self.handles?(description)
+          description.is_a?(String) && description.match?(REGEX)
+        end
+
+        def initialize(description)
+          super
+          @hostname = description.downcase
+        end
+
+        # case insensitive comparison
+        def allow?(name)
+          name.is_a?(String) && (name.downcase == @hostname)
+        end
+      end
+    end
+  end
+end

data/lib/anchor/auto_cert/policy_check/for_ipaddr.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'ipaddr'
+module Anchor
+  module AutoCert
+    class PolicyCheck
+      #
+      # A PolicyCheck that compares the given IP address to an ipaddress
+      # or subnet
+      #
+      # The description for an IPAddr policy check can be anything that is
+      # parsed by the ruby IPAddr.new() method. Generally this is something in
+      # the format an ipv4 address, an ipv6 address, or CIDR notation.
+      #
+      # - "192.168.42.1"
+      # - "192.168.42.0/24"
+      # - "3ffe:505:2::1"
+      # - "2001:db8::/32"
+      #
+      class ForIPAddr < PolicyCheck
+        def self.handles?(description)
+          return true if description.is_a?(IPAddr)
+
+          begin
+            IPAddr.new(description)
+            true
+          rescue IPAddr::Error
+            false
+          end
+        end
+
+        def initialize(description)
+          super
+
+          @ipaddr = if description.is_a?(IPAddr)
+                      description
+                    else
+                      IPAddr.new(description)
+                    end
+        end
+
+        def allow?(name)
+          @ipaddr.include?(name)
+        end
+      end
+    end
+  end
+end

data/lib/anchor/auto_cert/policy_check/for_wildcard_hostname.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Anchor
+  module AutoCert
+    class PolicyCheck
+      # Check that the identifier is allowed by wildcard hostname matching
+      #
+      # This does the same as the ForHostname check, but allows for an arbitrary
+      # prefixes, although the prefix itself also needs to match appropriate
+      # domain name rules.
+      #
+      # The description for a wildcard hostname check MUST be a string that starts
+      # with  `*.` followed by a valid domainname (which matches the ForHostname
+      # check)
+      #
+      #
+      class ForWildcardHostname < PolicyCheck
+        DOMAIN_LABEL_REGEX = /\A#{ForHostname::DOMAIN_LABEL}*\z/i.freeze
+        SPLAT              = '*'
+
+        def self.handles?(description)
+          return false unless description.is_a?(String)
+
+          parts = description.split('.')
+          return false unless parts[0] == SPLAT
+
+          suffix = parts[1..-1].join('.')
+          # reuse the hostname check here
+          ForHostname.handles?(suffix)
+        end
+
+        def initialize(description)
+          super
+          @parts    = description.split('.')
+          @wildcard = @parts.shift # assumed SPLAT
+          @suffix   = @parts.join('.').downcase
+        end
+
+        # An explicit '*.rest.of' is an allowable hostname for this check, even
+        # though it is not a valid domain name
+        #
+        def allow?(hostname)
+          return false unless hostname.is_a?(String)
+
+          parts = hostname.split('.')
+          prefix = parts.shift
+
+          return false unless (prefix == SPLAT) || DOMAIN_LABEL_REGEX.match?(prefix)
+
+          domain = parts.join('.').downcase
+
+          (domain == @suffix)
+        end
+      end
+    end
+  end
+end

data/lib/anchor/auto_cert/policy_check.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Anchor
+  module AutoCert
+    # Base class for PolicyCheck classes, these are utility classes used by the
+    # IdentifierPolicy class.
+    #
+    # The .handles? method is used to determine if an instance of this class
+    # could be created from the given description.
+    #
+    # Then the #allow? method is used to determine if the given identifier is allowed
+    # and the #deny? method is used to determine if the given identifier is denied.
+    #
+    class PolicyCheck
+      def self.handles?(description)
+        raise NotImplementedError, "#{self.class} must implement .handles?(description)"
+      end
+
+      attr_reader :policy_description
+
+      def initialize(description)
+        @policy_description = description
+      end
+
+      def deny?(identifier)
+        !allow?(identifier)
+      end
+
+      def allow?(identifier)
+        raise NotImplementedError, "#{self.class} must implement #allow?(identifier)"
+      end
+    end
+  end
+end
+require_relative 'policy_check/for_ipaddr'
+require_relative 'policy_check/for_hostname'
+require_relative 'policy_check/for_wildcard_hostname'

data/lib/anchor/auto_cert/railtie.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module Anchor
+  module AutoCert
+    # AutoCert Railtie
+    class Railtie < Rails::Railtie
+      # Initialize the configuration with a blank configuration, ensuring
+      # the configuration exists, even if it is not used.
+      config.auto_cert = ::Anchor::AutoCert::Configuration.new(name: :rails)
+
+      # Make sure the auto cert configuration is valid before the app boots
+      # This will run after every code reload in development and after boot in
+      # production
+      config.to_prepare do
+        if Rails.configuration.auto_cert.enabled?
+          Rails.configuration.auto_cert.validate!
+
+          # register the configuration under its name so that it can
+          # be discovered by other parts of the application
+          auto_cert_config = Rails.configuration.auto_cert
+          unless ::Anchor::AutoCert::Registry.key?(auto_cert_config.name)
+            ::Anchor::AutoCert::Registry.store(auto_cert_config.name, auto_cert_config)
+          end
+        end
+      end
+
+      # this needs to be after the load_config_initializers so that the
+      # application can override the :rails auto_cert configuration
+      #
+      initializer 'auto_cert.configure_rails_initialization', after: :load_config_initializers do |app|
+        auto_cert_config = Railtie.determine_configuration(app)
+        app.config.auto_cert = auto_cert_config
+
+        # Update the app.config.hosts with the allow_identifiers if we are NOT
+        # in the test environment.
+        #
+        # In the test environment `config.hosts` is normally empty, and as a
+        # result HostAuthorization is not used. If we add the allow_identifiers
+        # to the `config.hosts` then HostAuthorization will be used, and tests
+        # will break.
+        unless Rails.env.test?
+          auto_cert_config&.allow_identifiers&.each do |identifier|
+            # need to convert an identifier into a host matcher, which is just
+            # strip off a leading '*' if it exists so that all subdomains match.
+            #
+            # https://guides.rubyonrails.org/configuring.html#actiondispatch-hostauthorization
+            host = identifier.to_s.sub(/^\*/, '')
+            app.config.hosts << host
+          end
+        end
+      end
+
+      def self.determine_configuration(app)
+        auto_cert_config = app.config.auto_cert
+
+        # If no configuration is set, then try to lookup one under the :rails
+        # key or create a default one.
+        begin
+          auto_cert_config ||= ::Anchor::AutoCert::Registry.fetch(:rails)
+        rescue KeyError
+          auto_cert_config = Railtie.try_to_create_default_configuration
+        end
+
+        return nil unless auto_cert_config
+
+        # Set some reasonable defaults for a scratch locations if they are not
+        # set explicitly.
+        acme_scratch_dir = app.root / 'tmp' / 'acme'
+        acme_scratch_dir.mkpath
+        auto_cert_config.cache ||= ActiveSupport::Cache::FileStore.new(acme_scratch_dir / 'cache')
+        auto_cert_config.work_dir ||= (acme_scratch_dir / 'work')
+
+        auto_cert_config
+      end
+
+      def self.try_to_create_default_configuration
+        # If it doesn't exist, create a new one - now this may raise an error
+        # if the configuration is not setup correctly
+        ::Anchor::AutoCert::Configuration.new(name: :rails)
+      rescue ConfigurationError => e
+        # its fine to not have a coniguration, just log the error and move on
+        msg = "[AutoCert] Unable to create the :rails configuration : #{e.message}"
+        Rails.logger.error(msg)
+        nil
+      end
+    end
+  end
+end

data/lib/anchor/auto_cert/registry.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Anchor
+  module AutoCert
+    # A global registry for storing AutoCert::Configuration objects
+    class Registry
+      @_registry = {}
+      @_mutex = Mutex.new
+
+      def self.store(name, configuration)
+        @_mutex.synchronize do
+          @_registry.store(name.to_s, configuration)
+        end
+      end
+
+      def self.fetch(name)
+        @_mutex.synchronize do
+          @_registry.fetch(name.to_s)
+        end
+      end
+
+      def self.key?(name)
+        @_mutex.synchronize do
+          @_registry.key?(name.to_s)
+        end
+      end
+
+      def self.delete(name)
+        @_mutex.synchronize do
+          @_registry.delete(name.to_s)
+        end
+      end
+
+      # helpers for creating an AutoCert::Manager instance from registered
+      # configuration
+      def self.manager_for(name)
+        manager_for!(name)
+      rescue KeyError
+        nil
+      end
+
+      # helpers for creating an AutoCert::Manager instance from registered
+      # configuration - raises KeyError if the named configuration does not
+      # exist
+      def self.manager_for!(name)
+        configuration = fetch(name)
+        AutoCert::Manager.new(configuration: configuration)
+      end
+
+      def self.default_configuration
+        fetch(:default)
+      rescue KeyError
+        default = AutoCert::Configuration.new
+        store(:default, default)
+        default
+      end
+
+      def self.default_manager
+        manager_for(:default)
+      end
+    end
+  end
+end

data/lib/anchor/auto_cert/terms_of_service_acceptor.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Anchor
+  module AutoCert
+    # Any class that implements the following interface can be used as a
+    # Terms of Service Acceptor. The interface is the single method `#accept?`
+    # which is handed the terms of service URI as a String.
+    module TermsOfServiceAcceptor
+      def accept?(tos_uri)
+        raise NotImplementedError, "#{self.class} must implement #accept?(tos_uri)"
+      end
+
+      # Terms of Service Acceptor that will always match anything
+      class Any
+        include TermsOfServiceAcceptor
+        def accept?(_tos_uri)
+          true
+        end
+      end
+
+      # Terms of Service Acceptor that matches based upon a regular expression
+      class Regex
+        include TermsOfServiceAcceptor
+        def initialize(regex)
+          @regex = regex
+        end
+
+        def accept?(tos_uri)
+          @regex.match?(tos_uri)
+        end
+      end
+    end
+  end
+end

data/lib/anchor/auto_cert.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Anchor
+  module AutoCert
+    class Error < StandardError; end
+    class IdentifierNotAllowedError < Error; end
+    class ConfigurationError < Error; end
+    class UnknownPolicyCheckError < Error; end
+    class UnknownAlgorithmError < Error; end
+    class UnknownKeyFormatError < Error; end
+  end
+end
+require_relative 'auto_cert/terms_of_service_acceptor'
+require_relative 'auto_cert/configuration'
+require_relative 'auto_cert/manager'
+require_relative 'auto_cert/identifier_policy'
+require_relative 'auto_cert/registry'
+require_relative 'auto_cert/integration'
+
+require_relative 'auto_cert/railtie' if defined?(Rails::Railtie)

data/lib/anchor/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Anchor
+  VERSION = '0.3.0'
+end

data/lib/anchor-pki.rb

@@ -1,17 +1,9 @@
+# rubocop:disable Naming/FileName
+#
 # frozen_string_literal: true
 
-require 'openssl'
+# this file is named anchor-pki.rb to match the gem name and to be consistent
+# with the other anchor modules for other languages
 
-module Anchor
-  def self.add_cert(pem)
-    (@certs ||= []) << OpenSSL::X509::Certificate.new(pem)
-  end
-
-  def self.cert_store
-    @ssl_cert_store ||= OpenSSL::X509::Store.new.tap do |store|
-      (@certs || []).each do |cert|
-        store.add_cert(cert)
-      end
-    end
-  end
-end
+require_relative './anchor'
+# rubocop:enable Naming/FileName

data/lib/anchor.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+#
+# Anchor module is the top-level namespace for the Anchor PKI client.
+#
+module Anchor
+  def self.add_cert(pem)
+    (@certs ||= []) << OpenSSL::X509::Certificate.new(pem)
+  end
+
+  def self.cert_store
+    @cert_store ||= OpenSSL::X509::Store.new.tap do |store|
+      (@certs || []).each do |cert|
+        store.add_cert(cert)
+      end
+    end
+  end
+end
+
+require_relative './anchor/version'
+require_relative './anchor/auto_cert'