RubyGems - anchor-pki - Versions diffs - 0.2.0 → 0.3.0 - Mend

anchor-pki 0.2.0 → 0.3.0

Files changed (25) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -0
data/Gemfile +6 -0
data/Gemfile.lock +94 -0
data/LICENSE.txt +21 -0
data/README.md +48 -0
data/Rakefile +11 -0
data/lib/anchor/auto_cert/configuration.rb +197 -0
data/lib/anchor/auto_cert/identifier_policy.rb +68 -0
data/lib/anchor/auto_cert/integration/puma.rb +17 -0
data/lib/anchor/auto_cert/integration.rb +11 -0
data/lib/anchor/auto_cert/manager.rb +215 -0
data/lib/anchor/auto_cert/policy_check/for_hostname.rb +40 -0
data/lib/anchor/auto_cert/policy_check/for_ipaddr.rb +48 -0
data/lib/anchor/auto_cert/policy_check/for_wildcard_hostname.rb +57 -0
data/lib/anchor/auto_cert/policy_check.rb +37 -0
data/lib/anchor/auto_cert/railtie.rb +88 -0
data/lib/anchor/auto_cert/registry.rb +63 -0
data/lib/anchor/auto_cert/terms_of_service_acceptor.rb +34 -0
data/lib/anchor/auto_cert.rb +20 -0
data/lib/anchor/version.rb +5 -0
data/lib/anchor-pki.rb +6 -14
data/lib/anchor.rb +23 -0
metadata +132 -9
data/lib/anchor-pki/auto_cert.rb +0 -134

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: anchor-pki
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
-- Anchor
+- Anchor Security, Inc
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-18 00:00:00.000000000 Z
+date: 2023-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -24,18 +24,141 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.0.13
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.50'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.50'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.22'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
 description: Anchor is a hosted PKI platform for your internal organization.
-email: support@anchor.dev
+email:
 executables: []
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.md
+- CHANGELOG.md
 files:
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
 - lib/anchor-pki.rb
-- lib/anchor-pki/auto_cert.rb
-homepage: https://anchor.dev/
+- lib/anchor.rb
+- lib/anchor/auto_cert.rb
+- lib/anchor/auto_cert/configuration.rb
+- lib/anchor/auto_cert/identifier_policy.rb
+- lib/anchor/auto_cert/integration.rb
+- lib/anchor/auto_cert/integration/puma.rb
+- lib/anchor/auto_cert/manager.rb
+- lib/anchor/auto_cert/policy_check.rb
+- lib/anchor/auto_cert/policy_check/for_hostname.rb
+- lib/anchor/auto_cert/policy_check/for_ipaddr.rb
+- lib/anchor/auto_cert/policy_check/for_wildcard_hostname.rb
+- lib/anchor/auto_cert/railtie.rb
+- lib/anchor/auto_cert/registry.rb
+- lib/anchor/auto_cert/terms_of_service_acceptor.rb
+- lib/anchor/version.rb
+homepage: https://anchor.dev
 licenses:
 - MIT
-metadata: {}
+metadata:
+  homepage_uri: https://anchor.dev
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -44,7 +167,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/lib/anchor-pki/auto_cert.rb DELETED Viewed

@@ -1,134 +0,0 @@
-# frozen_string_literal: true
-require 'acme/client'
-require 'uri'
-module Anchor
-  # AutoCert provides automatic access to certificates from Anchor, but
-  # theoretically it could work with Let's Encrypt and any other ACME-based CA.
-  class AutoCert
-    ACCEPT_ANY_TOS = [//].freeze
-    def initialize(name_policies, tos_acceptor, directory, account: {}, **opts)
-      @name_policies = name_policies
-      @tos_acceptor = tos_acceptor
-      @directory_url = URI.parse(directory)
-      @renew_before = opts[:renew_before]
-      @work_dir = Pathname(opts[:work_dir] || Dir.mktmpdir)
-      @cache = opts[:cache]
-      @client = opts[:client]
-      @client ||= new_client(**account)
-      @account_opts = account
-    end
-    def certificate(*names, algo: :ecdsa, common_name: names.first, **opts)
-      if (arr = unmatched_names(names)).size.positive?
-        raise StandardError, "unallowed names '#{arr.join(',')}'"
-      end
-      key_pem = @cache&.read("#{common_name}+#{algo}")
-      cert_pem = @cache&.read(common_name)
-      if key_pem.nil? || cert_pem.nil? || needs_renewal?(cert_pem)
-        cert_pem, key_pem = provision(names, algo, common_name, **opts)
-        @cache&.write("#{common_name}+#{algo}", key_pem)
-        @cache&.write(common_name, cert_pem)
-      end
-      cert = (@work_dir / common_name).open('w') { |f| f << cert_pem }.path
-      key = (@work_dir / "#{common_name}+#{algo}").open('w') { |f| f << key_pem }.path
-      [cert, key]
-    end
-    private
-    def provision(names, algo, common_name, **opts)
-      load_or_build_account
-      order = @client.new_order(identifiers: names, **opts)
-      key_pem ||= new_key(algo).to_pem
-      csr = Acme::Client::CertificateRequest.new(private_key: parse_key_pem(key_pem), common_name: common_name, names: names)
-      order.finalize(csr: csr)
-      # TODO: loop over order.authorizations and process the challenges
-      while order.status == 'processing'
-        sleep(1)
-        order.reload
-      end
-      return order.certificate, key_pem
-    end
-    def load_or_build_account
-      @account ||= build_account(**@account_opts)
-    end
-    def build_account(contact: nil, external_account_binding: nil, terms_of_service_agreed: false, **)
-      terms_of_service_agreed ||= @tos_acceptor.any? { |a| a.match?(@client.terms_of_service) }
-      @client.new_account(contact: contact, terms_of_service_agreed: terms_of_service_agreed, external_account_binding: external_account_binding)
-    end
-    def needs_renewal?(cert_pem)
-      cert = OpenSSL::X509::Certificate.new(cert_pem)
-      (Time.zone.now + @renew_before.to_i) > cert.not_after
-    end
-    def new_client(account_key: nil, contact: nil, **)
-      account_key ||= fetch_account_key(contact) { new_key(:ecdsa) }
-      Acme::Client.new(private_key: account_key, directory: @directory_url)
-    end
-    def new_key(algo)
-      case algo
-      when :ecdsa then OpenSSL::PKey::EC.generate('prime256v1')
-      else
-        raise "unknown key algo '#{algo}'"
-      end
-    end
-    def fetch_account_key(contact)
-      id = "#{contact || 'default'}+#{@directory_url.host}+key"
-      parse_key_pem(@cache&.fetch(id) { parse_key_pem(yield.to_pem) } || yield.to_pem)
-    end
-    def parse_key_pem(data)
-      begin
-        OpenSSL::PKey::RSA.new(data)
-      rescue StandardError
-        nil
-      end ||
-        begin
-          OpenSSL::PKey::EC.new(data)
-        rescue StandardError
-          nil
-        end ||
-        (raise 'unknown key data format')
-    end
-    def unmatched_names(names)
-      names.reject do |name|
-        @name_policies.any? do |policy|
-          case policy
-          when String then name == policy
-          when Regexp then policy.match?(name)
-          when IPAddr
-            begin
-              policy.include?(name)
-            rescue IPAddr::Error
-              nil
-            end
-          end
-        end
-      end
-    end
-  end
-end