anchor-pki 0.4.0 → 0.5.0

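--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 342dadd5c28835816da2c07cdd1d4b7b546cc2a35ca80738cc98707d2a048cd4
-data.tar.gz: 97cb3d7c9c9bbb770c8a3a52eae0690bc7f18cadd5f3a31689d6d00239f5a523
+metadata.gz: c07e54ede7ccff887e6023fe9842989720fdf9d63f159e4a5a3b4ba1a92c6c1a
+data.tar.gz: dc0ba249f2125b9cc9d6a4a2dfda9fb042e86c0c7691d45fd6f7b432c5aa2d43
 SHA512:
-metadata.gz: 06b0f93d4bc1962f60a4122bd2f4a046818e36c49779eae9255ff24d6cbb7ba9bd9029bb4f72f516b96c5fa8aef98cea7fbbd6f29ae3b69e42e6cb31e5990ade
-data.tar.gz: f220a29a0c170f74b8926a1ae804f65d1719a4f9956edc04c6844ac27b2404f15c56908cf5b608a35fec1fe10679b74442ace2b3f6034af3eab814d564da670d
+metadata.gz: e074e115e1035f8ed0b2289859073516b9cad04f9452f5dd8aa8dc070b8cdd119db2abf26b5bf2540a410818948fd4dfff4ca854cdc579b457bf15ae4065428a
+data.tar.gz: 916f262c31580a3f92ca909bd0900d979a9ccb7a93d3f2cdb9e538bc9b29e8215db96468b5fe21c49c16ed836260857cc392f697772f032e6f76c28540af0653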
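--- a/data/README.md
+++ b/data/README.md
@@ -44,6 +44,27 @@ ACME_KID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ACME_HMAC_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ```
 
+## Record new test cassettes
+
+This code base tests against vcr recordings. These may need to be
+regenerated periodically.
+
+1. check out the code base locally
+1. go to <https://anchor.dev/autocert-cab3bc/services/anchor-pki-rb-testing>
+1. in the **Server Setup** section, generate new `ACME_KID` & `ACME_HMAC_KEY`
+tokens.
+1. Make a local `.env` file or similar containing:
+
+export ACME_DIRECTORY_URL='https://anchor.dev/autocert-cab3bc/development/x509/ca/acme'
+export ACME_KID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+export ACME_HMAC_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+1. on the command line execute:
+
+$ . .env
+$ rm -r spec/cassettes
+$ bundle exec rake spec
+
 ## License
 
 The gem is available as open source under the terms of the [MIT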
@@ -36,6 +36,10 @@ module Anchor
36
36
  x509.serial.to_s(16).scan(/.{2}/).join(joiner)
37
37
  end
38
38
 
39
+ def expired?(now: Time.now.utc)
40
+ not_after <= now
41
+ end
42
+
39
43
  def needs_renewal?(now = Time.now.utc)
40
44
  manager.needs_renewal?(cert: x509, now: now)
41
45
  end
@@ -62,14 +62,16 @@ module Anchor
62
62
  key_pem = cache&.read("#{common_name}+#{algorithm}")
63
63
  cert_pem = cache&.read(common_name)
64
64
 
65
- if key_pem.nil? || cert_pem.nil?
66
- cert_pem, key_pem = provision(identifiers: identifiers, algorithm: algorithm, common_name: common_name,
67
- **opts)
68
-
69
- cache&.write("#{common_name}+#{algorithm}", key_pem)
70
- cache&.write(common_name, cert_pem)
65
+ if !key_pem.nil? && !cert_pem.nil?
66
+ managed_cert = ManagedCertificate.new(manager: self, cert_pem: cert_pem, key_pem: key_pem)
67
+ return managed_cert unless managed_cert.expired?
71
68
  end
72
69
 
70
+ cert_pem, key_pem = provision(identifiers: identifiers, algorithm: algorithm, common_name: common_name, **opts)
71
+
72
+ cache&.write("#{common_name}+#{algorithm}", key_pem)
73
+ cache&.write(common_name, cert_pem)
74
+
73
75
  ManagedCertificate.new(manager: self, cert_pem: cert_pem, key_pem: key_pem)
74
76
  end
75
77
 
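--- /dev/null
+++ b/data/lib/anchor/oid.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Anchor
+# Oid is ASN.1 Object Identifiers.
+module Oid
+PEN = OpenSSL::ASN1::ObjectId.new('1.3.6.1.4.1.60900', OpenSSL::ASN1::OBJECT, :EXPLICIT, :PRIVATE)
+CERT_EXT = OpenSSL::ASN1::ObjectId.new("#{PEN.oid}.1", OpenSSL::ASN1::OBJECT, :EXPLICIT, :PRIVATE)
+
+OpenSSL::ASN1::ObjectId.register(CERT_EXT.oid, 'anchorCertExt', 'Anchor Certificate Extension')
+end
+end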
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Anchor
4
- VERSION = '0.4.0'
4
+ VERSION = '0.5.0'
5
5
  end
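--- a/data/lib/anchor-pki.rb
+++ b/data/lib/anchor-pki.rb
@@ -5,5 +5,5 @@
 # this file is named anchor-pki.rb to match the gem name and to be consistent
 # with the other anchor modules for other languages
 
-require_relative './anchor'
+require_relative 'anchor'
 # rubocop:enable Naming/FileName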
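--- a/data/lib/anchor.rb
+++ b/data/lib/anchor.rb
@@ -19,5 +19,6 @@ module Anchor
 end
 end
 
-require_relative './anchor/version'
-require_relative './anchor/auto_cert'
+require_relative 'anchor/version'
+require_relative 'anchor/auto_cert'
+require_relative 'anchor/oid'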
@@ -22,9 +22,10 @@ module Puma
22
22
  # a plugin is created
23
23
  module PluginInstanceMethods
24
24
  attr_accessor :managed_certificate
25
+ attr_reader :port
25
26
 
26
27
  def config(dsl)
27
- port = dsl.auto_cert_port || ENV.fetch('HTTPS_PORT', nil)
28
+ @port = dsl.auto_cert_port || ENV.fetch('HTTPS_PORT', nil)
28
29
  name = dsl.auto_cert_name || ENV.fetch('AUTO_CERT_NAME', 'default')
29
30
  configuration = ::Anchor::AutoCert::Registry.fetch(name)
30
31
  identifiers = configuration.allow_identifiers
@@ -46,7 +47,10 @@ module Puma
46
47
  return
47
48
  end
48
49
 
49
- log_writer.log "AutoCert >> Configured for #{managed_certificate.identifiers.join(', ')}"
50
+ @managed_certificate.identifiers.each do |identifier|
51
+ log_writer.log "AutoCert >> Available at https://#{identifier}:#{port}/"
52
+ end
53
+
50
54
  check_every = launcher.config.options[:auto_cert_check_every] ||
51
55
  ENV.fetch('AUTO_CERT_CHECK_EVERY', nil) ||
52
56
  ::Anchor::AutoCert::RenewalBusyWait::ONE_HOUR
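--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: anchor-pki
 version: !ruby/object:Gem::Version
-version: 0.4.0
+version: 0.5.0
 platform: ruby
 authors:
 - Anchor Security, Inc
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-06-06 00:00:00.000000000 Z
+date: 2023-09-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: acme-client
@@ -152,6 +152,7 @@ files:
 - lib/anchor/auto_cert/registry.rb
 - lib/anchor/auto_cert/renewal_busy_wait.rb
 - lib/anchor/auto_cert/terms_of_service_acceptor.rb
+- lib/anchor/oid.rb
 - lib/anchor/version.rb
 - lib/puma/dsl.rb
 - lib/puma/plugin/auto_cert.rb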