RubyGems - anchor-pki - Versions diffs - 0.2.0 → 0.4.0 - Mend

anchor-pki 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +22 -0
data/Gemfile +6 -0
data/Gemfile.lock +94 -0
data/LICENSE.txt +21 -0
data/README.md +50 -0
data/Rakefile +11 -0
data/lib/anchor/auto_cert/configuration.rb +199 -0
data/lib/anchor/auto_cert/identifier_policy.rb +68 -0
data/lib/anchor/auto_cert/managed_certificate.rb +63 -0
data/lib/anchor/auto_cert/manager.rb +200 -0
data/lib/anchor/auto_cert/policy_check/for_hostname.rb +40 -0
data/lib/anchor/auto_cert/policy_check/for_ipaddr.rb +48 -0
data/lib/anchor/auto_cert/policy_check/for_wildcard_hostname.rb +57 -0
data/lib/anchor/auto_cert/policy_check.rb +37 -0
data/lib/anchor/auto_cert/railtie.rb +88 -0
data/lib/anchor/auto_cert/registry.rb +63 -0
data/lib/anchor/auto_cert/renewal_busy_wait.rb +39 -0
data/lib/anchor/auto_cert/terms_of_service_acceptor.rb +34 -0
data/lib/anchor/auto_cert.rb +21 -0
data/lib/anchor/version.rb +5 -0
data/lib/anchor-pki.rb +6 -14
data/lib/anchor.rb +23 -0
data/lib/puma/dsl.rb +28 -0
data/lib/puma/plugin/auto_cert.rb +97 -0
metadata +134 -9
data/lib/anchor-pki/auto_cert.rb +0 -134

data/lib/puma/dsl.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+#
+# Extend the ::Puma::DSL module with the configuration options we want for
+# autocert
+#
+require 'puma/dsl'
+module Puma
+  # Extend the ::Puma::DSL module with the configuration options we want
+  class DSL
+    def auto_cert_name(name = nil)
+      @options[:auto_cert_name] = name if name
+      @options[:auto_cert_name]
+    end
+    def auto_cert_port(port = nil)
+      @options[:auto_cert_port] = port if port
+      @options[:auto_cert_port]
+    end
+    def auto_cert_check_every(check_every = nil)
+      @options[:auto_cert_check_every] = check_every if check_every
+      @options[:auto_cert_check_every]
+    end
+  end
+end

data/lib/puma/plugin/auto_cert.rb ADDED Viewed

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+require_relative '../dsl'
+module Puma
+  class Plugin
+    # This is a plugin for Puma that will automatically renew a certificate
+    #
+    # This module is here in order to communicate plugin configuration options
+    # to the plugin since the plugin is created dynamically and it is loaded and
+    # initialized without any configuration options.
+    module AutoCert
+      class << self
+        def ssl_bind_options(managed_certificate:)
+          {
+            cert: managed_certificate.cert_path,
+            key: managed_certificate.key_path
+          }
+        end
+      end
+      # Instance methods that are included in the dynamic Puma Plugin class when
+      # a plugin is created
+      module PluginInstanceMethods
+        attr_accessor :managed_certificate
+        def config(dsl)
+          port          = dsl.auto_cert_port || ENV.fetch('HTTPS_PORT', nil)
+          name          = dsl.auto_cert_name || ENV.fetch('AUTO_CERT_NAME', 'default')
+          configuration = ::Anchor::AutoCert::Registry.fetch(name)
+          identifiers   = configuration.allow_identifiers
+          manager       = ::Anchor::AutoCert::Manager.new(configuration: configuration)
+          @managed_certificate = manager.managed_certificate(identifiers: identifiers)
+          options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: @managed_certificate)
+          dsl.ssl_bind '[::]', port, options
+        rescue StandardError
+          @managed_certificate = nil
+        end
+        def start(launcher)
+          @launcher = launcher
+          unless managed_certificate&.enabled?
+            log_writer.log 'AutoCert >> Not enabled - skipping certificate renewal process'
+            return
+          end
+          log_writer.log "AutoCert >> Configured for #{managed_certificate.identifiers.join(', ')}"
+          check_every = launcher.config.options[:auto_cert_check_every] ||
+                        ENV.fetch('AUTO_CERT_CHECK_EVERY', nil) ||
+                        ::Anchor::AutoCert::RenewalBusyWait::ONE_HOUR
+          in_background do
+            Anchor::AutoCert::RenewalBusyWait.wait_for_it(managed_certificate: managed_certificate,
+                                                          check_every: check_every) do
+              dump_cert_info
+              # if ssl server is up, then it has already read the local working
+              # files, which means we can purge them - if there's a disk cache, those still
+              # probably exist
+              ssl_server = launcher.binder.ios.find { |io| io.instance_of?(Puma::MiniSSL::Server) }
+              managed_certificate.purge_working_files if ssl_server
+              true
+            end
+            log_writer.log 'AutoCert >> Restarting Puma in order to renew certificate'
+            @launcher.restart
+          end
+        end
+        private
+        def dump_cert_info
+          log_writer.debug "AutoCert >> Bound cert    : #{managed_certificate.hex_serial}"
+          log_writer.debug "AutoCert >>   common name : #{managed_certificate.common_name}"
+          log_writer.debug "AutoCert >>   identifiers : #{managed_certificate.identifiers.join(', ')}"
+          log_writer.debug "AutoCert >>    not before : #{managed_certificate.not_before}"
+          log_writer.debug "AutoCert >>    not after  : #{managed_certificate.not_after}"
+        end
+        def log_writer
+          if Gem::Version.new(Puma::Const::PUMA_VERSION) >= Gem::Version.new(6)
+            @launcher.log_writer
+          else
+            @launcher.events
+          end
+        end
+      end
+    end
+  end
+end
+# This is the entry point for the plugin
+Puma::Plugin.create do
+  include Puma::Plugin::AutoCert::PluginInstanceMethods
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: anchor-pki
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
-- Anchor
+- Anchor Security, Inc
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-18 00:00:00.000000000 Z
+date: 2023-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -24,18 +24,143 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.0.13
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.50'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.50'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.22'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
 description: Anchor is a hosted PKI platform for your internal organization.
-email: support@anchor.dev
+email:
 executables: []
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.md
+- CHANGELOG.md
 files:
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
 - lib/anchor-pki.rb
-- lib/anchor-pki/auto_cert.rb
-homepage: https://anchor.dev/
+- lib/anchor.rb
+- lib/anchor/auto_cert.rb
+- lib/anchor/auto_cert/configuration.rb
+- lib/anchor/auto_cert/identifier_policy.rb
+- lib/anchor/auto_cert/managed_certificate.rb
+- lib/anchor/auto_cert/manager.rb
+- lib/anchor/auto_cert/policy_check.rb
+- lib/anchor/auto_cert/policy_check/for_hostname.rb
+- lib/anchor/auto_cert/policy_check/for_ipaddr.rb
+- lib/anchor/auto_cert/policy_check/for_wildcard_hostname.rb
+- lib/anchor/auto_cert/railtie.rb
+- lib/anchor/auto_cert/registry.rb
+- lib/anchor/auto_cert/renewal_busy_wait.rb
+- lib/anchor/auto_cert/terms_of_service_acceptor.rb
+- lib/anchor/version.rb
+- lib/puma/dsl.rb
+- lib/puma/plugin/auto_cert.rb
+homepage: https://anchor.dev
 licenses:
 - MIT
-metadata: {}
+metadata:
+  homepage_uri: https://anchor.dev
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -44,7 +169,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/lib/anchor-pki/auto_cert.rb DELETED Viewed

@@ -1,134 +0,0 @@
-# frozen_string_literal: true
-require 'acme/client'
-require 'uri'
-module Anchor
-  # AutoCert provides automatic access to certificates from Anchor, but
-  # theoretically it could work with Let's Encrypt and any other ACME-based CA.
-  class AutoCert
-    ACCEPT_ANY_TOS = [//].freeze
-    def initialize(name_policies, tos_acceptor, directory, account: {}, **opts)
-      @name_policies = name_policies
-      @tos_acceptor = tos_acceptor
-      @directory_url = URI.parse(directory)
-      @renew_before = opts[:renew_before]
-      @work_dir = Pathname(opts[:work_dir] || Dir.mktmpdir)
-      @cache = opts[:cache]
-      @client = opts[:client]
-      @client ||= new_client(**account)
-      @account_opts = account
-    end
-    def certificate(*names, algo: :ecdsa, common_name: names.first, **opts)
-      if (arr = unmatched_names(names)).size.positive?
-        raise StandardError, "unallowed names '#{arr.join(',')}'"
-      end
-      key_pem = @cache&.read("#{common_name}+#{algo}")
-      cert_pem = @cache&.read(common_name)
-      if key_pem.nil? || cert_pem.nil? || needs_renewal?(cert_pem)
-        cert_pem, key_pem = provision(names, algo, common_name, **opts)
-        @cache&.write("#{common_name}+#{algo}", key_pem)
-        @cache&.write(common_name, cert_pem)
-      end
-      cert = (@work_dir / common_name).open('w') { |f| f << cert_pem }.path
-      key = (@work_dir / "#{common_name}+#{algo}").open('w') { |f| f << key_pem }.path
-      [cert, key]
-    end
-    private
-    def provision(names, algo, common_name, **opts)
-      load_or_build_account
-      order = @client.new_order(identifiers: names, **opts)
-      key_pem ||= new_key(algo).to_pem
-      csr = Acme::Client::CertificateRequest.new(private_key: parse_key_pem(key_pem), common_name: common_name, names: names)
-      order.finalize(csr: csr)
-      # TODO: loop over order.authorizations and process the challenges
-      while order.status == 'processing'
-        sleep(1)
-        order.reload
-      end
-      return order.certificate, key_pem
-    end
-    def load_or_build_account
-      @account ||= build_account(**@account_opts)
-    end
-    def build_account(contact: nil, external_account_binding: nil, terms_of_service_agreed: false, **)
-      terms_of_service_agreed ||= @tos_acceptor.any? { |a| a.match?(@client.terms_of_service) }
-      @client.new_account(contact: contact, terms_of_service_agreed: terms_of_service_agreed, external_account_binding: external_account_binding)
-    end
-    def needs_renewal?(cert_pem)
-      cert = OpenSSL::X509::Certificate.new(cert_pem)
-      (Time.zone.now + @renew_before.to_i) > cert.not_after
-    end
-    def new_client(account_key: nil, contact: nil, **)
-      account_key ||= fetch_account_key(contact) { new_key(:ecdsa) }
-      Acme::Client.new(private_key: account_key, directory: @directory_url)
-    end
-    def new_key(algo)
-      case algo
-      when :ecdsa then OpenSSL::PKey::EC.generate('prime256v1')
-      else
-        raise "unknown key algo '#{algo}'"
-      end
-    end
-    def fetch_account_key(contact)
-      id = "#{contact || 'default'}+#{@directory_url.host}+key"
-      parse_key_pem(@cache&.fetch(id) { parse_key_pem(yield.to_pem) } || yield.to_pem)
-    end
-    def parse_key_pem(data)
-      begin
-        OpenSSL::PKey::RSA.new(data)
-      rescue StandardError
-        nil
-      end ||
-        begin
-          OpenSSL::PKey::EC.new(data)
-        rescue StandardError
-          nil
-        end ||
-        (raise 'unknown key data format')
-    end
-    def unmatched_names(names)
-      names.reject do |name|
-        @name_policies.any? do |policy|
-          case policy
-          when String then name == policy
-          when Regexp then policy.match?(name)
-          when IPAddr
-            begin
-              policy.include?(name)
-            rescue IPAddr::Error
-              nil
-            end
-          end
-        end
-      end
-    end
-  end
-end