RubyGems - anchor-pki - Versions diffs - 0.2.0 → 0.4.0 - Mend

anchor-pki 0.2.0 → 0.4.0

Files changed (27) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +22 -0
data/Gemfile +6 -0
data/Gemfile.lock +94 -0
data/LICENSE.txt +21 -0
data/README.md +50 -0
data/Rakefile +11 -0
data/lib/anchor/auto_cert/configuration.rb +199 -0
data/lib/anchor/auto_cert/identifier_policy.rb +68 -0
data/lib/anchor/auto_cert/managed_certificate.rb +63 -0
data/lib/anchor/auto_cert/manager.rb +200 -0
data/lib/anchor/auto_cert/policy_check/for_hostname.rb +40 -0
data/lib/anchor/auto_cert/policy_check/for_ipaddr.rb +48 -0
data/lib/anchor/auto_cert/policy_check/for_wildcard_hostname.rb +57 -0
data/lib/anchor/auto_cert/policy_check.rb +37 -0
data/lib/anchor/auto_cert/railtie.rb +88 -0
data/lib/anchor/auto_cert/registry.rb +63 -0
data/lib/anchor/auto_cert/renewal_busy_wait.rb +39 -0
data/lib/anchor/auto_cert/terms_of_service_acceptor.rb +34 -0
data/lib/anchor/auto_cert.rb +21 -0
data/lib/anchor/version.rb +5 -0
data/lib/anchor-pki.rb +6 -14
data/lib/anchor.rb +23 -0
data/lib/puma/dsl.rb +28 -0
data/lib/puma/plugin/auto_cert.rb +97 -0
metadata +134 -9
data/lib/anchor-pki/auto_cert.rb +0 -134

data/lib/puma/dsl.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+#
+# Extend the ::Puma::DSL module with the configuration options we want for
+# autocert
+#
+require 'puma/dsl'
+module Puma
+  # Extend the ::Puma::DSL module with the configuration options we want
+  class DSL
+    def auto_cert_name(name = nil)
+      @options[:auto_cert_name] = name if name
+      @options[:auto_cert_name]
+    end
+    def auto_cert_port(port = nil)
+      @options[:auto_cert_port] = port if port
+      @options[:auto_cert_port]
+    end
+    def auto_cert_check_every(check_every = nil)
+      @options[:auto_cert_check_every] = check_every if check_every
+      @options[:auto_cert_check_every]
+    end
+  end
+end

data/lib/puma/plugin/auto_cert.rb ADDED Viewed

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+require_relative '../dsl'
+module Puma
+  class Plugin
+    # This is a plugin for Puma that will automatically renew a certificate
+    #
+    # This module is here in order to communicate plugin configuration options
+    # to the plugin since the plugin is created dynamically and it is loaded and
+    # initialized without any configuration options.
+    module AutoCert
+      class << self
+        def ssl_bind_options(managed_certificate:)
+          {
+            cert: managed_certificate.cert_path,
+            key: managed_certificate.key_path
+          }
+        end
+      end
+      # Instance methods that are included in the dynamic Puma Plugin class when
+      # a plugin is created
+      module PluginInstanceMethods
+        attr_accessor :managed_certificate
+        def config(dsl)
+          port          = dsl.auto_cert_port || ENV.fetch('HTTPS_PORT', nil)
+          name          = dsl.auto_cert_name || ENV.fetch('AUTO_CERT_NAME', 'default')
+          configuration = ::Anchor::AutoCert::Registry.fetch(name)
+          identifiers   = configuration.allow_identifiers
+          manager       = ::Anchor::AutoCert::Manager.new(configuration: configuration)
+          @managed_certificate = manager.managed_certificate(identifiers: identifiers)
+          options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: @managed_certificate)
+          dsl.ssl_bind '[::]', port, options
+        rescue StandardError
+          @managed_certificate = nil
+        end
+        def start(launcher)
+          @launcher = launcher
+          unless managed_certificate&.enabled?
+            log_writer.log 'AutoCert >> Not enabled - skipping certificate renewal process'
+            return
+          end
+          log_writer.log "AutoCert >> Configured for #{managed_certificate.identifiers.join(', ')}"
+          check_every = launcher.config.options[:auto_cert_check_every] ||
+                        ENV.fetch('AUTO_CERT_CHECK_EVERY', nil) ||
+                        ::Anchor::AutoCert::RenewalBusyWait::ONE_HOUR
+          in_background do
+            Anchor::AutoCert::RenewalBusyWait.wait_for_it(managed_certificate: managed_certificate,
+                                                          check_every: check_every) do
+              dump_cert_info
+              # if ssl server is up, then it has already read the local working
+              # files, which means we can purge them - if there's a disk cache, those still
+              # probably exist
+              ssl_server = launcher.binder.ios.find { |io| io.instance_of?(Puma::MiniSSL::Server) }
+              managed_certificate.purge_working_files if ssl_server
+              true
+            end
+            log_writer.log 'AutoCert >> Restarting Puma in order to renew certificate'
+            @launcher.restart
+          end
+        end
+        private
+        def dump_cert_info
+          log_writer.debug "AutoCert >> Bound cert    : #{managed_certificate.hex_serial}"
+          log_writer.debug "AutoCert >>   common name : #{managed_certificate.common_name}"
+          log_writer.debug "AutoCert >>   identifiers : #{managed_certificate.identifiers.join(', ')}"
+          log_writer.debug "AutoCert >>    not before : #{managed_certificate.not_before}"
+          log_writer.debug "AutoCert >>    not after  : #{managed_certificate.not_after}"
+        end
+        def log_writer
+          if Gem::Version.new(Puma::Const::PUMA_VERSION) >= Gem::Version.new(6)
+            @launcher.log_writer
+          else
+            @launcher.events
+          end
+        end
+      end
+    end
+  end
+end
+# This is the entry point for the plugin
+Puma::Plugin.create do
+  include Puma::Plugin::AutoCert::PluginInstanceMethods
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: anchor-pki
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.4.0
 platform: ruby
 authors:
-- Anchor
+- Anchor Security, Inc
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-18 00:00:00.000000000 Z
+date: 2023-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -24,18 +24,143 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.0.13
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.50'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.50'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.22'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
 description: Anchor is a hosted PKI platform for your internal organization.
-email: support@anchor.dev
+email:
 executables: []
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.md
+- CHANGELOG.md
 files:
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
 - lib/anchor-pki.rb
-- lib/anchor-pki/auto_cert.rb
-homepage: https://anchor.dev/
+- lib/anchor.rb
+- lib/anchor/auto_cert.rb
+- lib/anchor/auto_cert/configuration.rb
+- lib/anchor/auto_cert/identifier_policy.rb
+- lib/anchor/auto_cert/managed_certificate.rb
+- lib/anchor/auto_cert/manager.rb
+- lib/anchor/auto_cert/policy_check.rb
+- lib/anchor/auto_cert/policy_check/for_hostname.rb
+- lib/anchor/auto_cert/policy_check/for_ipaddr.rb
+- lib/anchor/auto_cert/policy_check/for_wildcard_hostname.rb
+- lib/anchor/auto_cert/railtie.rb
+- lib/anchor/auto_cert/registry.rb
+- lib/anchor/auto_cert/renewal_busy_wait.rb
+- lib/anchor/auto_cert/terms_of_service_acceptor.rb
+- lib/anchor/version.rb
+- lib/puma/dsl.rb
+- lib/puma/plugin/auto_cert.rb
+homepage: https://anchor.dev
 licenses:
 - MIT
-metadata: {}
+metadata:
+  homepage_uri: https://anchor.dev
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -44,7 +169,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/lib/anchor-pki/auto_cert.rb DELETED Viewed

@@ -1,134 +0,0 @@
-# frozen_string_literal: true
-require 'acme/client'
-require 'uri'
-module Anchor
-  # AutoCert provides automatic access to certificates from Anchor, but
-  # theoretically it could work with Let's Encrypt and any other ACME-based CA.
-  class AutoCert
-    ACCEPT_ANY_TOS = [//].freeze
-    def initialize(name_policies, tos_acceptor, directory, account: {}, **opts)
-      @name_policies = name_policies
-      @tos_acceptor = tos_acceptor
-      @directory_url = URI.parse(directory)
-      @renew_before = opts[:renew_before]
-      @work_dir = Pathname(opts[:work_dir] || Dir.mktmpdir)
-      @cache = opts[:cache]
-      @client = opts[:client]
-      @client ||= new_client(**account)
-      @account_opts = account
-    end
-    def certificate(*names, algo: :ecdsa, common_name: names.first, **opts)
-      if (arr = unmatched_names(names)).size.positive?
-        raise StandardError, "unallowed names '#{arr.join(',')}'"
-      end
-      key_pem = @cache&.read("#{common_name}+#{algo}")
-      cert_pem = @cache&.read(common_name)
-      if key_pem.nil? || cert_pem.nil? || needs_renewal?(cert_pem)
-        cert_pem, key_pem = provision(names, algo, common_name, **opts)
-        @cache&.write("#{common_name}+#{algo}", key_pem)
-        @cache&.write(common_name, cert_pem)
-      end
-      cert = (@work_dir / common_name).open('w') { |f| f << cert_pem }.path
-      key = (@work_dir / "#{common_name}+#{algo}").open('w') { |f| f << key_pem }.path
-      [cert, key]
-    end
-    private
-    def provision(names, algo, common_name, **opts)
-      load_or_build_account
-      order = @client.new_order(identifiers: names, **opts)
-      key_pem ||= new_key(algo).to_pem
-      csr = Acme::Client::CertificateRequest.new(private_key: parse_key_pem(key_pem), common_name: common_name, names: names)
-      order.finalize(csr: csr)
-      # TODO: loop over order.authorizations and process the challenges
-      while order.status == 'processing'
-        sleep(1)
-        order.reload
-      end
-      return order.certificate, key_pem
-    end
-    def load_or_build_account
-      @account ||= build_account(**@account_opts)
-    end
-    def build_account(contact: nil, external_account_binding: nil, terms_of_service_agreed: false, **)
-      terms_of_service_agreed ||= @tos_acceptor.any? { |a| a.match?(@client.terms_of_service) }
-      @client.new_account(contact: contact, terms_of_service_agreed: terms_of_service_agreed, external_account_binding: external_account_binding)
-    end
-    def needs_renewal?(cert_pem)
-      cert = OpenSSL::X509::Certificate.new(cert_pem)
-      (Time.zone.now + @renew_before.to_i) > cert.not_after
-    end
-    def new_client(account_key: nil, contact: nil, **)
-      account_key ||= fetch_account_key(contact) { new_key(:ecdsa) }
-      Acme::Client.new(private_key: account_key, directory: @directory_url)
-    end
-    def new_key(algo)
-      case algo
-      when :ecdsa then OpenSSL::PKey::EC.generate('prime256v1')
-      else
-        raise "unknown key algo '#{algo}'"
-      end
-    end
-    def fetch_account_key(contact)
-      id = "#{contact || 'default'}+#{@directory_url.host}+key"
-      parse_key_pem(@cache&.fetch(id) { parse_key_pem(yield.to_pem) } || yield.to_pem)
-    end
-    def parse_key_pem(data)
-      begin
-        OpenSSL::PKey::RSA.new(data)
-      rescue StandardError
-        nil
-      end ||
-        begin
-          OpenSSL::PKey::EC.new(data)
-        rescue StandardError
-          nil
-        end ||
-        (raise 'unknown key data format')
-    end
-    def unmatched_names(names)
-      names.reject do |name|
-        @name_policies.any? do |policy|
-          case policy
-          when String then name == policy
-          when Regexp then policy.match?(name)
-          when IPAddr
-            begin
-              policy.include?(name)
-            rescue IPAddr::Error
-              nil
-            end
-          end
-        end
-      end
-    end
-  end
-end