anchor-pki 0.6.0 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2fe888d3160e743df15731de957658f18c7a31a1805d29d6d95d1364c03ceb73
-  data.tar.gz: d264ec5e53c951ceb0c8a5214479a9dd36933f220e05671f88b2029c418f00a3
+  metadata.gz: 7c165de1fc5ccb1e5f542bc090d96f2f7f86178454378f997c3d079b373f6252
+  data.tar.gz: 355a21c6cb3d14f137c57073557eaf00feb0ed33b8ff08dabf4b7898c418376a
 SHA512:
-  metadata.gz: 7dafa50e3a537fe79c29fedb256e9a4986feceb78cf81cd0afb4c30b14eacee84fdd5c952ed7e34866b96711d4d4f390b00ba91ef3ff0e7c8abab3b4018b1858
-  data.tar.gz: d9315cdc04dd7dd45dbdb223a31e392113c909f56a42d94981222196c68b90adea48d142847fa2b246655527a9c3f6cf18a53e26f0f7b9e5f6ec930d8dbd8363
+  metadata.gz: 56f8142fcf5295e08aad91f36f4339b8c755c2dd262b3e4c806edad2b9572c2babfd4755c2851b55ff8f135f78ba6b35d98f4e5abd8ff0d0a99a339b0a863f1e
+  data.tar.gz: 2f259c3a7c1db5df960d978c88daed117848283d51d5bcceb06d13abaa4bcb962a72eeefe03ed0aedc529adb83a201afef5fab0d789027ff75416cc847add67e

data/CHANGELOG.md

@@ -1,9 +1,30 @@
 ## [Unreleased]
 
+## [0.6.2] - 2023-12-20
+
+- make terms of service an optional parameter
+- change default autocert key from rails to anchor
+
+## [0.6.1] - 2023-12-11
+
+- improve support for ENV based configuration
+- improve error logging for Puma plugin
+
+## [0.6.0] - 2023-11-29
+
+- changes for feature parity and consistency across anchor language packages
+
+## [0.5.0] - 2023-09-18
+
+- automatic renewal for expired, cached certificates
+- log whole URL at startup, not just identifier
+- add support for Anchor Certificate Extension
+- update tests and test data recordings
+
 ## [0.4.0] - 2023-06-06
 
-- add a puma plugin and configuration dsl for better integration
-- auto restart of puma when a certificate is renewed
+- add a puma plugin and configuration DSL for better integration
+- auto restart puma when certificates renew
 - improve tests
 - internal refactor to support the puma plugin
 
@@ -15,7 +36,8 @@
 
 ## [0.2.0] - 2023-04-18
 
--
+- add autocert client for automatic certificate provisioning
+- don't contact ACME server when cache hits
 
 ## [0.1.0] - 2021-11-05
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    anchor-pki (0.5.0)
+    anchor-pki (0.6.2)
       acme-client (~> 2.0.13)
       pstore (~> 0.1)
 
@@ -19,7 +19,7 @@ GEM
       rexml
     diff-lcs (1.5.0)
     docile (1.4.0)
-    faraday (2.7.11)
+    faraday (2.8.0)
       base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
@@ -35,7 +35,7 @@ GEM
     pstore (0.1.3)
     public_suffix (5.0.1)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.1.0)
     regexp_parser (2.8.0)
     rexml (3.2.5)
     rspec (3.12.0)
@@ -89,7 +89,9 @@ GEM
 PLATFORMS
   aarch64-linux
   arm64-darwin-21
+  arm64-darwin-23
   x86_64-darwin-22
+  x86_64-linux
 
 DEPENDENCIES
   anchor-pki!

data/README.md

@@ -9,9 +9,10 @@ The Following environment variables are available to configure the default
 
 * `HTTPS_PORT` - the TCP numerical port to bind SSL to.
 * `ACME_ALLOW_IDENTIFIERS` - A comma separated list of hostnames for provisioning certs
+* `ACME_CONTACT` - URL to contact in case of issues with the account
 * `ACME_DIRECTORY_URL` - the ACME provider's directory
+* `ACME_HMAC_KEY` - your External Account Binding (EAB) HMAC_KEY for authenticating with the ACME directory above
 * `ACME_KID` - your External Account Binding (EAB) KID for authenticating with the ACME directory above with an
-* `ACME_HMAC_KEY` - your EAB HMAC_KEY for authenticating with the ACME directory above
 * `ACME_RENEW_BEFORE_SECONDS` - **optional** Start a renewal this number number of seconds before the cert expires. This defaults to 30 days (2592000 seconds)
 * `ACME_RENEW_BEFORE_FRACTION` - **optional** Start the renewal when this fraction of a cert's valid window is left. This defaults to 0.5, which means when the cert is in the last 50% of its lifespan a renewal is attempted.
 * `AUTO_CERT_CHECK_EVERY` - **optional** the number of seconds to wait between checking if the certificate has expired. This defaults to 1 hour (3600 seconds)

data/lib/anchor/auto_cert/configuration.rb

@@ -76,6 +76,7 @@ module Anchor
         @allow_identifiers        = prepare_allow_identifiers(@allow_identifiers)
         @cache_dir                = prepare_directory(dir: @cache_dir, property: 'cache_dir')
         @check_every_seconds      = prepare_check_every_seconds(@check_every_seconds)
+        @contact                  = prepare_contact(@contact)
         @directory_url            = prepare_directory_url(@directory_url)
         @external_account_binding = prepare_external_account_binding(@external_account_binding)
         @renew_before_fraction    = prepare_renew_before_fraction(@renew_before_fraction)
@@ -136,6 +137,12 @@ module Anchor
         ensure_positive_integer(candidates, message)
       end
 
+      def prepare_contact(contact)
+        contact ||= ENV.fetch('ACME_CONTACT', nil)
+
+        contact
+      end
+
       def prepare_directory_url(directory_url)
         message = "The '#{name}' #{self.class} instance has a misconfigured `directory_url` value. " \
                   'It must be set to a string, or set the ACME_DIRECTORY_URL environment variable.'

data/lib/anchor/auto_cert/manager.rb

@@ -73,7 +73,9 @@ module Anchor
 
         # first look and see if its memory
         managed_certificate = @managed_certificates[common_name]
-        return managed_certificate if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
+        if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
+          return managed_certificate
+        end
 
         # then look into the disk cache
         if @disk_store
@@ -97,7 +99,9 @@ module Anchor
           **opts
         )
 
-        managed_certificate = ManagedCertificate.new(cert_pem: cert_pem, key_pem: key_pem, persist_dir: work_dir)
+        managed_certificate = ManagedCertificate.new(
+          cert_pem: cert_pem, key_pem: key_pem, persist_dir: work_dir
+        )
 
         @managed_certificates[common_name] = managed_certificate
 
@@ -135,11 +139,15 @@ module Anchor
         cert_pem = nil
         key_pem = nil
         begin
-          cert_pem, key_pem = provision(identifiers: identifiers, algorithm: algorithm, common_name: common_name,
-                                        **opts)
+          cert_pem, key_pem = provision(
+            identifiers: identifiers, algorithm: algorithm, common_name: common_name,
+            **opts
+          )
         rescue StandardError => _e
-          cert_pem, key_pem = provision(identifiers: [], algorithm: algorithm, common_name: fallback_identifier,
-                                        **opts)
+          cert_pem, key_pem = provision(
+            identifiers: [], algorithm: algorithm, common_name: fallback_identifier,
+            **opts
+          )
         end
         [cert_pem, key_pem]
       end
@@ -148,8 +156,10 @@ module Anchor
         identifiers = consolidate_identifiers(common_name: common_name, identifiers: identifiers)
         load_or_build_account
         key_pem ||= new_key(algorithm).to_pem
-        csr = Acme::Client::CertificateRequest.new(common_name: common_name, names: identifiers,
-                                                   private_key: parse_key_pem(key_pem))
+        csr = Acme::Client::CertificateRequest.new(
+          common_name: common_name, names: identifiers,
+          private_key: parse_key_pem(key_pem)
+        )
 
         order = @client.new_order(identifiers: identifiers, **opts)
         order.finalize(csr: csr)

data/lib/anchor/auto_cert/railtie.rb

@@ -39,6 +39,9 @@ module Anchor
         # to the `config.hosts` then HostAuthorization will be used, and tests
         # will break.
         unless Rails.env.test?
+          # load values from ENV
+          auto_cert_config&.validate! if Rails.configuration.auto_cert.enabled?
+
           auto_cert_config&.allow_identifiers&.each do |identifier|
             # need to convert an identifier into a host matcher, which is just
             # strip off a leading '*' if it exists so that all subdomains match.

data/lib/anchor/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Anchor
-  VERSION = '0.6.0'
+  VERSION = '0.6.2'
 end

data/lib/puma/plugin/auto_cert.rb

@@ -32,10 +32,6 @@ module Puma
           @manager      = ::Anchor::AutoCert::Manager.new(configuration: configuration)
 
           @managed_certificate = manager.managed_certificate(identifiers: identifiers)
-
-          options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: @managed_certificate)
-
-          dsl.ssl_bind '[::]', port, options
         rescue StandardError => _e
           @manager = nil
           @managed_certificate = nil
@@ -48,6 +44,11 @@ module Puma
             return
           end
 
+          options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: managed_certificate)
+          launcher.config.configure do |_user_config, file_config|
+            file_config.ssl_bind '[::]', port, options
+          end
+
           managed_certificate.identifiers.each do |identifier|
             log_writer.log "AutoCert >> Available at https://#{identifier}:#{port}/"
           end
@@ -73,6 +74,8 @@ module Puma
             log_writer.log 'AutoCert >> Restarting Puma in order to renew certificate'
             @launcher.restart
           end
+        rescue StandardError => e
+          log_writer.log "AutoCert >> Error - #{e.message}"
         end
 
         private

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: anchor-pki
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.6.2
 platform: ruby
 authors:
 - Anchor Security, Inc
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-29 00:00:00.000000000 Z
+date: 2023-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client