anchor-pki 0.6.0 → 0.6.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2fe888d3160e743df15731de957658f18c7a31a1805d29d6d95d1364c03ceb73
4
- data.tar.gz: d264ec5e53c951ceb0c8a5214479a9dd36933f220e05671f88b2029c418f00a3
3
+ metadata.gz: 7c165de1fc5ccb1e5f542bc090d96f2f7f86178454378f997c3d079b373f6252
4
+ data.tar.gz: 355a21c6cb3d14f137c57073557eaf00feb0ed33b8ff08dabf4b7898c418376a
5
5
  SHA512:
6
- metadata.gz: 7dafa50e3a537fe79c29fedb256e9a4986feceb78cf81cd0afb4c30b14eacee84fdd5c952ed7e34866b96711d4d4f390b00ba91ef3ff0e7c8abab3b4018b1858
7
- data.tar.gz: d9315cdc04dd7dd45dbdb223a31e392113c909f56a42d94981222196c68b90adea48d142847fa2b246655527a9c3f6cf18a53e26f0f7b9e5f6ec930d8dbd8363
6
+ metadata.gz: 56f8142fcf5295e08aad91f36f4339b8c755c2dd262b3e4c806edad2b9572c2babfd4755c2851b55ff8f135f78ba6b35d98f4e5abd8ff0d0a99a339b0a863f1e
7
+ data.tar.gz: 2f259c3a7c1db5df960d978c88daed117848283d51d5bcceb06d13abaa4bcb962a72eeefe03ed0aedc529adb83a201afef5fab0d789027ff75416cc847add67e
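--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,9 +1,30 @@
 ## [Unreleased]
 
+## [0.6.2] - 2023-12-20
+
+- make terms of service an optional parameter
+- change default autocert key from rails to anchor
+
+## [0.6.1] - 2023-12-11
+
+- improve support for ENV based configuration
+- improve error logging for Puma plugin
+
+## [0.6.0] - 2023-11-29
+
+- changes for feature parity and consistency across anchor language packages
+
+## [0.5.0] - 2023-09-18
+
+- automatic renewal for expired, cached certificates
+- log whole URL at startup, not just identifier
+- add support for Anchor Certificate Extension
+- update tests and test data recordings
+
 ## [0.4.0] - 2023-06-06
 
-- add a puma plugin and configuration dsl for better integration
-- auto restart of puma when a certificate is renewed
+- add a puma plugin and configuration DSL for better integration
+- auto restart puma when certificates renew
 - improve tests
 - internal refactor to support the puma plugin
 
@@ -15,7 +36,8 @@
 
 ## [0.2.0] - 2023-04-18
 
--
+- add autocert client for automatic certificate provisioning
+- don't contact ACME server when cache hits
 
 ## [0.1.0] - 2021-11-05
 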
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- anchor-pki (0.5.0)
4
+ anchor-pki (0.6.2)
5
5
  acme-client (~> 2.0.13)
6
6
  pstore (~> 0.1)
7
7
 
@@ -19,7 +19,7 @@ GEM
19
19
  rexml
20
20
  diff-lcs (1.5.0)
21
21
  docile (1.4.0)
22
- faraday (2.7.11)
22
+ faraday (2.8.0)
23
23
  base64
24
24
  faraday-net_http (>= 2.0, < 3.1)
25
25
  ruby2_keywords (>= 0.0.4)
@@ -35,7 +35,7 @@ GEM
35
35
  pstore (0.1.3)
36
36
  public_suffix (5.0.1)
37
37
  rainbow (3.1.1)
38
- rake (13.0.6)
38
+ rake (13.1.0)
39
39
  regexp_parser (2.8.0)
40
40
  rexml (3.2.5)
41
41
  rspec (3.12.0)
@@ -89,7 +89,9 @@ GEM
89
89
  PLATFORMS
90
90
  aarch64-linux
91
91
  arm64-darwin-21
92
+ arm64-darwin-23
92
93
  x86_64-darwin-22
94
+ x86_64-linux
93
95
 
94
96
  DEPENDENCIES
95
97
  anchor-pki!
data/README.md CHANGED
@@ -9,9 +9,10 @@ The Following environment variables are available to configure the default
9
9
 
10
10
  * `HTTPS_PORT` - the TCP numerical port to bind SSL to.
11
11
  * `ACME_ALLOW_IDENTIFIERS` - A comma separated list of hostnames for provisioning certs
12
+ * `ACME_CONTACT` - URL to contact in case of issues with the account
12
13
  * `ACME_DIRECTORY_URL` - the ACME provider's directory
14
+ * `ACME_HMAC_KEY` - your External Account Binding (EAB) HMAC_KEY for authenticating with the ACME directory above
13
15
  * `ACME_KID` - your External Account Binding (EAB) KID for authenticating with the ACME directory above with an
14
- * `ACME_HMAC_KEY` - your EAB HMAC_KEY for authenticating with the ACME directory above
15
16
  * `ACME_RENEW_BEFORE_SECONDS` - **optional** Start a renewal this number number of seconds before the cert expires. This defaults to 30 days (2592000 seconds)
16
17
  * `ACME_RENEW_BEFORE_FRACTION` - **optional** Start the renewal when this fraction of a cert's valid window is left. This defaults to 0.5, which means when the cert is in the last 50% of its lifespan a renewal is attempted.
17
18
  * `AUTO_CERT_CHECK_EVERY` - **optional** the number of seconds to wait between checking if the certificate has expired. This defaults to 1 hour (3600 seconds)
@@ -76,6 +76,7 @@ module Anchor
76
76
  @allow_identifiers = prepare_allow_identifiers(@allow_identifiers)
77
77
  @cache_dir = prepare_directory(dir: @cache_dir, property: 'cache_dir')
78
78
  @check_every_seconds = prepare_check_every_seconds(@check_every_seconds)
79
+ @contact = prepare_contact(@contact)
79
80
  @directory_url = prepare_directory_url(@directory_url)
80
81
  @external_account_binding = prepare_external_account_binding(@external_account_binding)
81
82
  @renew_before_fraction = prepare_renew_before_fraction(@renew_before_fraction)
@@ -136,6 +137,12 @@ module Anchor
136
137
  ensure_positive_integer(candidates, message)
137
138
  end
138
139
 
140
+ def prepare_contact(contact)
141
+ contact ||= ENV.fetch('ACME_CONTACT', nil)
142
+
143
+ contact
144
+ end
145
+
139
146
  def prepare_directory_url(directory_url)
140
147
  message = "The '#{name}' #{self.class} instance has a misconfigured `directory_url` value. " \
141
148
  'It must be set to a string, or set the ACME_DIRECTORY_URL environment variable.'
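Review bot: `prepare_contact` at the top of this hunk hands back whatever it was given, so an `ACME_CONTACT` set to an empty string in the environment (or a blank value from the DSL) reaches the ACME account unchecked, while the sibling `prepare_directory_url` directly below validates its input and builds a message for the failure. Treating blank as unset keeps the parameter optional, as the changelog describes, without forwarding junk: `contact = ENV.fetch('ACME_CONTACT', nil) if contact.nil?` followed by `return if contact.to_s.strip.empty?` before the final `contact`. The method also has no comment; a one-liner such as `# Optional account contact (the README documents it as a URL); falls back to ACME_CONTACT, nil when neither is set.` would say what the fallback is for. The `@contact = prepare_contact(@contact)` assignment in the initializer hunk above needs no change.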
@@ -73,7 +73,9 @@ module Anchor
73
73
 
74
74
  # first look and see if its memory
75
75
  managed_certificate = @managed_certificates[common_name]
76
- return managed_certificate if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
76
+ if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
77
+ return managed_certificate
78
+ end
77
79
 
78
80
  # then look into the disk cache
79
81
  if @disk_store
@@ -97,7 +99,9 @@ module Anchor
97
99
  **opts
98
100
  )
99
101
 
100
- managed_certificate = ManagedCertificate.new(cert_pem: cert_pem, key_pem: key_pem, persist_dir: work_dir)
102
+ managed_certificate = ManagedCertificate.new(
103
+ cert_pem: cert_pem, key_pem: key_pem, persist_dir: work_dir
104
+ )
101
105
 
102
106
  @managed_certificates[common_name] = managed_certificate
103
107
 
@@ -135,11 +139,15 @@ module Anchor
135
139
  cert_pem = nil
136
140
  key_pem = nil
137
141
  begin
138
- cert_pem, key_pem = provision(identifiers: identifiers, algorithm: algorithm, common_name: common_name,
139
- **opts)
142
+ cert_pem, key_pem = provision(
143
+ identifiers: identifiers, algorithm: algorithm, common_name: common_name,
144
+ **opts
145
+ )
140
146
  rescue StandardError => _e
141
- cert_pem, key_pem = provision(identifiers: [], algorithm: algorithm, common_name: fallback_identifier,
142
- **opts)
147
+ cert_pem, key_pem = provision(
148
+ identifiers: [], algorithm: algorithm, common_name: fallback_identifier,
149
+ **opts
150
+ )
143
151
  end
144
152
  [cert_pem, key_pem]
145
153
  end
@@ -148,8 +156,10 @@ module Anchor
148
156
  identifiers = consolidate_identifiers(common_name: common_name, identifiers: identifiers)
149
157
  load_or_build_account
150
158
  key_pem ||= new_key(algorithm).to_pem
151
- csr = Acme::Client::CertificateRequest.new(common_name: common_name, names: identifiers,
152
- private_key: parse_key_pem(key_pem))
159
+ csr = Acme::Client::CertificateRequest.new(
160
+ common_name: common_name, names: identifiers,
161
+ private_key: parse_key_pem(key_pem)
162
+ )
153
163
 
154
164
  order = @client.new_order(identifiers: identifiers, **opts)
155
165
  order.finalize(csr: csr)
@@ -39,6 +39,9 @@ module Anchor
39
39
  # to the `config.hosts` then HostAuthorization will be used, and tests
40
40
  # will break.
41
41
  unless Rails.env.test?
42
+ # load values from ENV
43
+ auto_cert_config&.validate! if Rails.configuration.auto_cert.enabled?
44
+
42
45
  auto_cert_config&.allow_identifiers&.each do |identifier|
43
46
  # need to convert an identifier into a host matcher, which is just
44
47
  # strip off a leading '*' if it exists so that all subdomains match.
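Review bot: The comment `# load values from ENV` over `auto_cert_config&.validate! if Rails.configuration.auto_cert.enabled?` does not match the method it annotates: a reader expects a loader, not a validator, and is not told that the call has to run before `allow_identifiers` is read on the line after it. If `validate!` is what resolves unset fields from ENV (the Configuration hunks with `@contact = prepare_contact(@contact)` suggest so, but `validate!` itself is outside this hunk), say that: `# validate! resolves unset fields from ENV, so it must run before allow_identifiers is read below`. The guard is also asymmetric: `auto_cert_config&.` tolerates a nil config while `Rails.configuration.auto_cert.enabled?` does not, so if both can be unset at this point of boot the modifier condition raises first; either add safe navigation there as well or note that `auto_cert` is always defined. The enclosing `unless Rails.env.test?` block starts before this hunk.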
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Anchor
4
- VERSION = '0.6.0'
4
+ VERSION = '0.6.2'
5
5
  end
@@ -32,10 +32,6 @@ module Puma
32
32
  @manager = ::Anchor::AutoCert::Manager.new(configuration: configuration)
33
33
 
34
34
  @managed_certificate = manager.managed_certificate(identifiers: identifiers)
35
-
36
- options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: @managed_certificate)
37
-
38
- dsl.ssl_bind '[::]', port, options
39
35
  rescue StandardError => _e
40
36
  @manager = nil
41
37
  @managed_certificate = nil
@@ -48,6 +44,11 @@ module Puma
48
44
  return
49
45
  end
50
46
 
47
+ options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: managed_certificate)
48
+ launcher.config.configure do |_user_config, file_config|
49
+ file_config.ssl_bind '[::]', port, options
50
+ end
51
+
51
52
  managed_certificate.identifiers.each do |identifier|
52
53
  log_writer.log "AutoCert >> Available at https://#{identifier}:#{port}/"
53
54
  end
@@ -73,6 +74,8 @@ module Puma
73
74
  log_writer.log 'AutoCert >> Restarting Puma in order to renew certificate'
74
75
  @launcher.restart
75
76
  end
77
+ rescue StandardError => e
78
+ log_writer.log "AutoCert >> Error - #{e.message}"
76
79
  end
77
80
 
78
81
  private
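Review bot: The new `rescue StandardError => e` logs only `e.message`, which for the failures that can reach it (renewal or `@launcher.restart` raising) drops the exception class and leaves an operator with a line like `AutoCert >> Error - execution expired`; include the class: `log_writer.log "AutoCert >> Error - #{e.class}: #{e.message}"`. Because the rescue is attached at method level it also covers the restart on the context line above, so a failed restart is now reduced to that single log line while Puma keeps serving the old certificate; this line is therefore the only signal that renewal stalled and should be stable enough for log alerting to match on. Whether the method reschedules itself after the rescue is not visible, since it starts outside the hunk. The first hunk of this file still has `rescue StandardError => _e` after `manager.managed_certificate(identifiers: identifiers)`, which discards its error entirely; if `log_writer` is reachable there, the same log line belongs in that rescue so a provisioning failure at boot is not silent.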
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: anchor-pki
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.0
4
+ version: 0.6.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Anchor Security, Inc
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-11-29 00:00:00.000000000 Z
11
+ date: 2023-12-20 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: acme-client