anchor-pki 0.6.0 → 0.6.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2fe888d3160e743df15731de957658f18c7a31a1805d29d6d95d1364c03ceb73
4
- data.tar.gz: d264ec5e53c951ceb0c8a5214479a9dd36933f220e05671f88b2029c418f00a3
3
+ metadata.gz: f6f3aa56dc5a365db7f3c2b4f255ac538ba455fad1bdf758f19450bca287381e
4
+ data.tar.gz: 6bf38bec006856c4a60246e3b53a119296e9c4557a17f3c4d0f5ef50404102ca
5
5
  SHA512:
6
- metadata.gz: 7dafa50e3a537fe79c29fedb256e9a4986feceb78cf81cd0afb4c30b14eacee84fdd5c952ed7e34866b96711d4d4f390b00ba91ef3ff0e7c8abab3b4018b1858
7
- data.tar.gz: d9315cdc04dd7dd45dbdb223a31e392113c909f56a42d94981222196c68b90adea48d142847fa2b246655527a9c3f6cf18a53e26f0f7b9e5f6ec930d8dbd8363
6
+ metadata.gz: 5d24d34f6c5448e2ba33ac004e6d2e99a7ff0c3b31840c119f5d0256576d6146e6e13b120251db58ab9d80db4f4927f1c71f2c38397ca434a66ded8124c300e8
7
+ data.tar.gz: 30ba030f48985e35f6d63e1ac02943bf0bed301eba7a36cc6728caa5dbee0395e14d8a4ba3e2d43edf68fca461ee5cb60ae204542b6f4f30c1ffa3655cf68986
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- anchor-pki (0.5.0)
4
+ anchor-pki (0.6.1)
5
5
  acme-client (~> 2.0.13)
6
6
  pstore (~> 0.1)
7
7
 
@@ -19,7 +19,7 @@ GEM
19
19
  rexml
20
20
  diff-lcs (1.5.0)
21
21
  docile (1.4.0)
22
- faraday (2.7.11)
22
+ faraday (2.7.12)
23
23
  base64
24
24
  faraday-net_http (>= 2.0, < 3.1)
25
25
  ruby2_keywords (>= 0.0.4)
@@ -35,7 +35,7 @@ GEM
35
35
  pstore (0.1.3)
36
36
  public_suffix (5.0.1)
37
37
  rainbow (3.1.1)
38
- rake (13.0.6)
38
+ rake (13.1.0)
39
39
  regexp_parser (2.8.0)
40
40
  rexml (3.2.5)
41
41
  rspec (3.12.0)
@@ -89,7 +89,9 @@ GEM
89
89
  PLATFORMS
90
90
  aarch64-linux
91
91
  arm64-darwin-21
92
+ arm64-darwin-23
92
93
  x86_64-darwin-22
94
+ x86_64-linux
93
95
 
94
96
  DEPENDENCIES
95
97
  anchor-pki!
data/README.md CHANGED
@@ -9,9 +9,10 @@ The Following environment variables are available to configure the default
9
9
 
10
10
  * `HTTPS_PORT` - the TCP numerical port to bind SSL to.
11
11
  * `ACME_ALLOW_IDENTIFIERS` - A comma separated list of hostnames for provisioning certs
12
+ * `ACME_CONTACT` - URL to contact in case of issues with the account
12
13
  * `ACME_DIRECTORY_URL` - the ACME provider's directory
14
+ * `ACME_HMAC_KEY` - your External Account Binding (EAB) HMAC_KEY for authenticating with the ACME directory above
13
15
  * `ACME_KID` - your External Account Binding (EAB) KID for authenticating with the ACME directory above with an
14
- * `ACME_HMAC_KEY` - your EAB HMAC_KEY for authenticating with the ACME directory above
15
16
  * `ACME_RENEW_BEFORE_SECONDS` - **optional** Start a renewal this number number of seconds before the cert expires. This defaults to 30 days (2592000 seconds)
16
17
  * `ACME_RENEW_BEFORE_FRACTION` - **optional** Start the renewal when this fraction of a cert's valid window is left. This defaults to 0.5, which means when the cert is in the last 50% of its lifespan a renewal is attempted.
17
18
  * `AUTO_CERT_CHECK_EVERY` - **optional** the number of seconds to wait between checking if the certificate has expired. This defaults to 1 hour (3600 seconds)
@@ -76,6 +76,7 @@ module Anchor
76
76
  @allow_identifiers = prepare_allow_identifiers(@allow_identifiers)
77
77
  @cache_dir = prepare_directory(dir: @cache_dir, property: 'cache_dir')
78
78
  @check_every_seconds = prepare_check_every_seconds(@check_every_seconds)
79
+ @contact = prepare_contact(@contact)
79
80
  @directory_url = prepare_directory_url(@directory_url)
80
81
  @external_account_binding = prepare_external_account_binding(@external_account_binding)
81
82
  @renew_before_fraction = prepare_renew_before_fraction(@renew_before_fraction)
@@ -136,6 +137,12 @@ module Anchor
136
137
  ensure_positive_integer(candidates, message)
137
138
  end
138
139
 
140
+ def prepare_contact(contact)
141
+ contact ||= ENV.fetch('ACME_CONTACT', nil)
142
+
143
+ contact
144
+ end
145
+
139
146
  def prepare_directory_url(directory_url)
140
147
  message = "The '#{name}' #{self.class} instance has a misconfigured `directory_url` value. " \
141
148
  'It must be set to a string, or set the ACME_DIRECTORY_URL environment variable.'
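Review bot: `prepare_contact` hands back whatever it receives without the validation its sibling `prepare_*` methods do, so an `ACME_CONTACT` set to the empty string (`""` is truthy in Ruby) is passed on as a contact instead of being treated as unset. A one-line normalisation after the fetch, `contact = nil if contact.respond_to?(:empty?) && contact.empty?`, closes that gap, and the method deserves a short comment since nothing documents the field, e.g. `# Optional. The contact for the account (README: a URL), read from ACME_CONTACT when not set explicitly.` The blank line between the assignment and the returned value can go.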
@@ -73,7 +73,9 @@ module Anchor
73
73
 
74
74
  # first look and see if its memory
75
75
  managed_certificate = @managed_certificates[common_name]
76
- return managed_certificate if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
76
+ if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
77
+ return managed_certificate
78
+ end
77
79
 
78
80
  # then look into the disk cache
79
81
  if @disk_store
@@ -97,7 +99,9 @@ module Anchor
97
99
  **opts
98
100
  )
99
101
 
100
- managed_certificate = ManagedCertificate.new(cert_pem: cert_pem, key_pem: key_pem, persist_dir: work_dir)
102
+ managed_certificate = ManagedCertificate.new(
103
+ cert_pem: cert_pem, key_pem: key_pem, persist_dir: work_dir
104
+ )
101
105
 
102
106
  @managed_certificates[common_name] = managed_certificate
103
107
 
@@ -135,11 +139,15 @@ module Anchor
135
139
  cert_pem = nil
136
140
  key_pem = nil
137
141
  begin
138
- cert_pem, key_pem = provision(identifiers: identifiers, algorithm: algorithm, common_name: common_name,
139
- **opts)
142
+ cert_pem, key_pem = provision(
143
+ identifiers: identifiers, algorithm: algorithm, common_name: common_name,
144
+ **opts
145
+ )
140
146
  rescue StandardError => _e
141
- cert_pem, key_pem = provision(identifiers: [], algorithm: algorithm, common_name: fallback_identifier,
142
- **opts)
147
+ cert_pem, key_pem = provision(
148
+ identifiers: [], algorithm: algorithm, common_name: fallback_identifier,
149
+ **opts
150
+ )
143
151
  end
144
152
  [cert_pem, key_pem]
145
153
  end
@@ -148,8 +156,10 @@ module Anchor
148
156
  identifiers = consolidate_identifiers(common_name: common_name, identifiers: identifiers)
149
157
  load_or_build_account
150
158
  key_pem ||= new_key(algorithm).to_pem
151
- csr = Acme::Client::CertificateRequest.new(common_name: common_name, names: identifiers,
152
- private_key: parse_key_pem(key_pem))
159
+ csr = Acme::Client::CertificateRequest.new(
160
+ common_name: common_name, names: identifiers,
161
+ private_key: parse_key_pem(key_pem)
162
+ )
153
163
 
154
164
  order = @client.new_order(identifiers: identifiers, **opts)
155
165
  order.finalize(csr: csr)
@@ -39,6 +39,9 @@ module Anchor
39
39
  # to the `config.hosts` then HostAuthorization will be used, and tests
40
40
  # will break.
41
41
  unless Rails.env.test?
42
+ # load values from ENV
43
+ auto_cert_config&.validate! if Rails.configuration.auto_cert.enabled?
44
+
42
45
  auto_cert_config&.allow_identifiers&.each do |identifier|
43
46
  # need to convert an identifier into a host matcher, which is just
44
47
  # strip off a leading '*' if it exists so that all subdomains match.
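Review bot: The added comment `# load values from ENV` does not describe the call below it, which is `validate!`; if `validate!` is what resolves unset fields from the `ACME_*` variables (the `prepare_*` helpers elsewhere in this diff read `ENV`), say that and the failure mode, e.g. `# validate! fills unset fields from ENV (ACME_*) and raises on a misconfiguration, so a broken config aborts boot outside test`. The guard also mixes `auto_cert_config&.` with an unguarded `Rails.configuration.auto_cert.enabled?`: if `auto_cert` can be absent the second expression raises before the safe navigation helps, and if it cannot, the `&.` is noise — the two should be made consistent. The enclosing `unless Rails.env.test?` block starts before this hunk.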
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Anchor
4
- VERSION = '0.6.0'
4
+ VERSION = '0.6.1'
5
5
  end
@@ -32,10 +32,6 @@ module Puma
32
32
  @manager = ::Anchor::AutoCert::Manager.new(configuration: configuration)
33
33
 
34
34
  @managed_certificate = manager.managed_certificate(identifiers: identifiers)
35
-
36
- options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: @managed_certificate)
37
-
38
- dsl.ssl_bind '[::]', port, options
39
35
  rescue StandardError => _e
40
36
  @manager = nil
41
37
  @managed_certificate = nil
@@ -48,6 +44,11 @@ module Puma
48
44
  return
49
45
  end
50
46
 
47
+ options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: managed_certificate)
48
+ launcher.config.configure do |_user_config, file_config|
49
+ file_config.ssl_bind '[::]', port, options
50
+ end
51
+
51
52
  managed_certificate.identifiers.each do |identifier|
52
53
  log_writer.log "AutoCert >> Available at https://#{identifier}:#{port}/"
53
54
  end
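Review bot: With `ssl_bind_options` and the `ssl_bind` call moved out of the `begin`/`rescue` (the lines removed in the previous hunk) and below the early `return`, a failure building the bind options or registering the bind now propagates instead of being swallowed into `@manager = nil`. If failing loudly is the intent, that is an improvement worth recording with a comment such as `# bind failures are deliberately not rescued: a bad certificate should stop Puma rather than start without the TLS bind`; if not, this stretch needs its own rescue. The enclosing method starts before this hunk.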
@@ -73,6 +74,8 @@ module Puma
73
74
  log_writer.log 'AutoCert >> Restarting Puma in order to renew certificate'
74
75
  @launcher.restart
75
76
  end
77
+ rescue StandardError => e
78
+ log_writer.log "AutoCert >> Error - #{e.message}"
76
79
  end
77
80
 
78
81
  private
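Review bot: The new method-level `rescue StandardError => e` logs only `e.message`, so a failed renewal check loses the exception class and backtrace and the log line gives no hint where it came from; `log_writer.log "AutoCert >> Error - #{e.class}: #{e.message}"` keeps the class, and the backtrace could go to a debug-level log if one is available. Since the rescue sits at the end of the method, every error on the renewal path is now swallowed after logging and is visible only in the log, which is worth stating in a comment such as `# renewal errors are logged and otherwise ignored; the next check retries`, if that is indeed the periodic check's behaviour. The enclosing method starts before this hunk.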
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: anchor-pki
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.0
4
+ version: 0.6.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Anchor Security, Inc
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-11-29 00:00:00.000000000 Z
11
+ date: 2023-12-08 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: acme-client