anchor-pki 0.6.2 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c165de1fc5ccb1e5f542bc090d96f2f7f86178454378f997c3d079b373f6252
-  data.tar.gz: 355a21c6cb3d14f137c57073557eaf00feb0ed33b8ff08dabf4b7898c418376a
+  metadata.gz: 668bda70c37b6cfed433ff05de800a8e2a4f1576a6a16b73d0c653794890938a
+  data.tar.gz: 9c96396faf03bed36249890bd19682988bdbb52d4e5eca4fe7994bbfaddf66f8
 SHA512:
-  metadata.gz: 56f8142fcf5295e08aad91f36f4339b8c755c2dd262b3e4c806edad2b9572c2babfd4755c2851b55ff8f135f78ba6b35d98f4e5abd8ff0d0a99a339b0a863f1e
-  data.tar.gz: 2f259c3a7c1db5df960d978c88daed117848283d51d5bcceb06d13abaa4bcb962a72eeefe03ed0aedc529adb83a201afef5fab0d789027ff75416cc847add67e
+  metadata.gz: 6a8a30a3eb39f5544250bf12338c31d7f3392fda4440a74dc916c28ffac5d2817b8687a911695db06d46f236f7e27857a482abb172854f7d9fd88e5332115749
+  data.tar.gz: 004d41141dcca7ef89f994f726e0502c43957ce0c144d09fc719f71292f9abdc1a7cb45c6a57f75a84debd9ca2ac3f2085778879e104f4349bae51100c46909e

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 ## [Unreleased]
 
+## [0.7.0] - 2024-01-11
+
+- inherit from the puma-acme plugin in auto\_cert plugin
+- remove extraneous config & environment settings
+
+## [0.6.3] - 2024-01-10
+
+- fixed release (0.6.2 didn't contain the expected changes)
+
 ## [0.6.2] - 2023-12-20
 
 - make terms of service an optional parameter

data/Gemfile.lock

@@ -1,9 +1,8 @@
 PATH
   remote: .
   specs:
-    anchor-pki (0.6.2)
-      acme-client (~> 2.0.13)
-      pstore (~> 0.1)
+    anchor-pki (0.6.3)
+      puma-acme (~> 0.1)
 
 GEM
   remote: https://rubygems.org/
@@ -19,21 +18,36 @@ GEM
       rexml
     diff-lcs (1.5.0)
     docile (1.4.0)
-    faraday (2.8.0)
-      base64
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
+    faraday (2.9.0)
+      faraday-net_http (>= 2.0, < 3.2)
+    faraday-net_http (3.1.0)
+      net-http
     faraday-retry (2.2.0)
       faraday (~> 2.0)
     hashdiff (1.0.1)
     json (2.6.3)
     minitest (5.18.0)
+    mustermann (3.0.0)
+      ruby2_keywords (~> 0.0.1)
+    net-http (0.4.1)
+      uri
+    nio4r (2.7.0)
     parallel (1.23.0)
     parser (3.2.2.1)
       ast (~> 2.4.1)
     pstore (0.1.3)
     public_suffix (5.0.1)
+    puma (6.4.2)
+      nio4r (~> 2.0)
+    puma-acme (0.1.0)
+      acme-client (~> 2.0.13)
+      pstore (~> 0.1)
+      puma (~> 6.4)
+      sinatra (~> 3.1)
+    rack (2.2.8)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
+      rack (~> 2.2, >= 2.2.4)
     rainbow (3.1.1)
     rake (13.1.0)
     regexp_parser (2.8.0)
@@ -79,7 +93,14 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
+    sinatra (3.2.0)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.2.0)
+      tilt (~> 2.0)
+    tilt (2.3.0)
     unicode-display_width (2.4.2)
+    uri (0.13.0)
     vcr (6.1.0)
     webmock (3.18.1)
       addressable (>= 2.8.0)

data/README.md

@@ -8,15 +8,13 @@ The Following environment variables are available to configure the default
 [`AutoCert::Manager`](./lib/anchor/auto_cert/manager.rb).
 
 * `HTTPS_PORT` - the TCP numerical port to bind SSL to.
-* `ACME_ALLOW_IDENTIFIERS` - A comma separated list of hostnames for provisioning certs
-* `ACME_CONTACT` - URL to contact in case of issues with the account
+* `SERVER_NAME`/`SERVER_NAMES` - A comma separated list of hostnames for provisioning certs
 * `ACME_DIRECTORY_URL` - the ACME provider's directory
 * `ACME_HMAC_KEY` - your External Account Binding (EAB) HMAC_KEY for authenticating with the ACME directory above
 * `ACME_KID` - your External Account Binding (EAB) KID for authenticating with the ACME directory above with an
+* `ACME_CONTACT` - **optional** URL to contact in case of issues with the account
 * `ACME_RENEW_BEFORE_SECONDS` - **optional** Start a renewal this number number of seconds before the cert expires. This defaults to 30 days (2592000 seconds)
 * `ACME_RENEW_BEFORE_FRACTION` - **optional** Start the renewal when this fraction of a cert's valid window is left. This defaults to 0.5, which means when the cert is in the last 50% of its lifespan a renewal is attempted.
-* `AUTO_CERT_CHECK_EVERY` - **optional** the number of seconds to wait between checking if the certificate has expired. This defaults to 1 hour (3600 seconds)
-* `AUTO_CERT_NAME` - **optional** the name to use to lookup the default `AutoCert::Configuration` in the `AutoCert::Registry`. This is `default` by default
 
 If both `ACME_RENEW_BEFORE_SECONDS` and `ACME_RENEW_BEFORE_FRACTION` are set,
 the one that causes the renewal to take place earlier is used.
@@ -39,7 +37,7 @@ Currently the `AutoCert::Manager` will use whichever is earlier.
 
 ```sh
 HTTPS_PORT=44300
-ACME_ALLOW_IDENTIFIERS=my.lcl.host,*.my.lcl.host
+SERVER_NAMES=my.lcl.host,*.my.lcl.host
 ACME_DIRECTORY_URL=https://acme-v02.api.letsencrypt.org/directory
 ACME_KID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ACME_HMAC_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

data/lib/anchor/auto_cert/configuration.rb

@@ -1,245 +1,52 @@
 # frozen_string_literal: true
 
 module Anchor
+  # This module is here in order to communicate plugin configuration options
+  # to the plugin since the plugin is created dynamically and it is loaded and
+  # initialized without any configuration options.
   module AutoCert
+    config_keys = %i[
+      algorithm
+      cache
+      cache_dir
+      contact
+      directory
+      eab_kid
+      eab_hmac_key
+      enabled
+      mode
+      port
+      renew_at
+      renew_interval
+      server_name
+      server_names
+      tos_agreed
+    ]
+
     # AutoCert Configuration provides a way to configure the AutoCert Manager.
     #
-    class Configuration
-      DEFAULT_RENEW_BEFORE_SECONDS  = 60 * 60 * 24 * 30 # 30 days in seconds
-      DEFAULT_RENEW_BEFORE_FRACTION = 0.5 # when in the last 50% of the validity window, renew
-      DEFAULT_CHECK_EVERY_SECONDS   = 60 * 60 # 1 day in seconds
-
-      # Note - although it is possible to set change the name of a config, it is
-      # not recommended. The name is used as the key in the Registry, and if a
-      # Configuration is in the Registry, and its name is changed, it does not
-      # change its registry key.
-      attr_accessor :name,
-                    :allow_identifiers,
-                    :cache_dir,
-                    :check_every_seconds,
-                    :contact,
-                    :directory_url,
-                    :external_account_binding,
-                    :renew_before_fraction,
-                    :renew_before_seconds,
-                    :tos_acceptors,
-                    :work_dir
-
-      # rubocop:disable Metrics/ParameterLists
-      # Data defined classes have all required parameters in the initializer, so
-      # override the default initializer to allow for optional parameters and
-      # to pull in the defaults form the environment
-      #
-      def initialize(name:,
-                     allow_identifiers: nil,
-                     cache_dir: nil,
-                     check_every_seconds: nil,
-                     contact: nil,
-                     directory_url: nil,
-                     external_account_binding: nil,
-                     renew_before_fraction: nil,
-                     renew_before_seconds: nil,
-                     tos_acceptors: nil,
-                     work_dir: nil)
-
-        @name                     = name
-
-        @allow_identifiers        = allow_identifiers
-        @cache_dir                = cache_dir
-        @check_every_seconds      = check_every_seconds
-        @contact                  = contact
-        @directory_url            = directory_url
-        @external_account_binding = external_account_binding
-        @renew_before_fraction    = renew_before_fraction
-        @renew_before_seconds     = renew_before_seconds
-        @tos_acceptors            = tos_acceptors
-        @work_dir                 = work_dir
-      end
-      # rubocop:enable Metrics/ParameterLists
-
-      def account
-        {
-          contact: contact,
-          external_account_binding: external_account_binding
-        }
-      end
-
-      # Enabled just means that the configuration is valid
-      def enabled?
-        validate!
-        true
-      rescue ConfigurationError => _e
-        false
-      end
-
-      def validate!
-        @allow_identifiers        = prepare_allow_identifiers(@allow_identifiers)
-        @cache_dir                = prepare_directory(dir: @cache_dir, property: 'cache_dir')
-        @check_every_seconds      = prepare_check_every_seconds(@check_every_seconds)
-        @contact                  = prepare_contact(@contact)
-        @directory_url            = prepare_directory_url(@directory_url)
-        @external_account_binding = prepare_external_account_binding(@external_account_binding)
-        @renew_before_fraction    = prepare_renew_before_fraction(@renew_before_fraction)
-        @renew_before_seconds     = prepare_renew_before_seconds(@renew_before_seconds)
-        @tos_acceptors            = prepare_tos_acceptors(@tos_acceptors)
-        @work_dir                 = prepare_directory(dir: @work_dir, property: 'work_dir')
-        self
-      end
-
-      # Return the fallback identifer for this configuration
-
-      # look at all the identifiers, strip a leading wildcard off of all of
-      # them and then pick the one that has the fewest '.' in it, if there are
-      # ties for fewest, pick the first one in the list of ties. A minimum of
-      # 2 '.' is required.
-      #
-      def fallback_identifier
-        de_wildcarded = allow_identifiers.map { |i| i.sub(/^\*\./, '') }
-        not_tld = de_wildcarded.select { |i| i.count('.') >= 2 }
-        ordered = not_tld.sort_by { |i| i.count('.') }
-        ordered[0]
-      end
-
-      private
+    Configuration = Struct.new(*config_keys, keyword_init: true) do
+      alias_method :allow_identifiers=, :server_names=
+      alias_method :directory_url=, :directory=
 
-      def prepare_allow_identifiers(allow_identifiers)
-        prepared = case allow_identifiers
-                   when Array
-                     allow_identifiers
-                   when String
-                     allow_identifiers.split(',')
-                   when nil
-                     ENV.fetch('ACME_ALLOW_IDENTIFIERS', nil)&.split(',')
-                   end
+      def initialize(opts = {})
+        self.directory_url     = opts.delete(:directory_url)
+        self.allow_identifiers = opts.delete(:allow_identifiers)
 
-        if prepared.nil? || prepared.empty?
-          raise ConfigurationError,
-                "The '#{name}' #{self.class} instance has a misconfigured " \
-                '`allow_identifiers` value. Set it to a string, or an array of strings, ' \
-                'or set the ACME_ALLOW_IDENTIFIERS environment variable ' \
-                'to a comma separated list of identifiers.'
+        if (eab = opts.delete(:external_account_binding))
+          self.external_account_binding = eab
         end
 
-        prepared
-      end
-
-      def prepare_check_every_seconds(check_every_seconds)
-        message = "The '#{name}' #{self.class} instance has a misconfigured " \
-                  '`check_every_seconds` value. It must be set to an integer > 0, ' \
-                  'or set the AUTO_CERT_CHECK_EVERY environment variable.'
-
-        candidates = [
-          check_every_seconds,
-          ENV.fetch('AUTO_CERT_CHECK_EVERY', nil),
-          DEFAULT_CHECK_EVERY_SECONDS
-        ]
-
-        ensure_positive_integer(candidates, message)
-      end
-
-      def prepare_contact(contact)
-        contact ||= ENV.fetch('ACME_CONTACT', nil)
-
-        contact
+        super(opts)
       end
 
-      def prepare_directory_url(directory_url)
-        message = "The '#{name}' #{self.class} instance has a misconfigured `directory_url` value. " \
-                  'It must be set to a string, or set the ACME_DIRECTORY_URL environment variable.'
-
-        directory_url ||= ENV.fetch('ACME_DIRECTORY_URL', nil)
-
-        raise ConfigurationError, message if directory_url.nil?
-
-        directory_url
+      def server_name=(name)
+        self.server_names = [name]
       end
 
-      def prepare_external_account_binding(external_account_binding)
-        kid = ENV.fetch('ACME_KID', nil)
-        hmac_key = ENV.fetch('ACME_HMAC_KEY', nil)
-
-        if external_account_binding && external_account_binding[:kid] && external_account_binding[:hmac_key]
-          return external_account_binding
-        end
-
-        { kid: kid, hmac_key: hmac_key }
-      end
-
-      def prepare_renew_before_seconds(renew_before_seconds)
-        message = "The '#{name}' #{self.class} instance has a misconfigured " \
-                  '`before_seconds` value. It must be set to an integer > 0, ' \
-                  'or set the ACME_RENEW_BEFORE_SECONDS environment variable.'
-
-        candidates = [
-          renew_before_seconds,
-          ENV.fetch('ACME_RENEW_BEFORE_SECONDS', nil),
-          DEFAULT_RENEW_BEFORE_SECONDS
-        ]
-        ensure_positive_integer(candidates, message)
-      end
-
-      def prepare_renew_before_fraction(renew_before_fraction)
-        message = "The '#{name}' #{self.class} instance has a misconfigured " \
-                  '`before_fraction` value. It must be set to a float > 0 and < 1, ' \
-                  'or set the ACME_RENEW_BEFORE_FRACTION environment variable.'
-
-        candidates = [
-          renew_before_fraction,
-          ENV.fetch('ACME_RENEW_BEFORE_FRACTION', nil),
-          DEFAULT_RENEW_BEFORE_FRACTION
-        ]
-
-        candidates.each do |candidate|
-          next if candidate.nil?
-
-          as_float = candidate.to_f
-          return as_float if (0..1).cover?(as_float)
-        end
-
-        # this should really never happen as DEFAULT_RENEW_BEFORE_FRACTION is
-        # valid
-        raise ConfigurationError, message
-      end
-
-      def prepare_tos_acceptors(tos_acceptors)
-        tos_acceptors = Array(tos_acceptors)
-
-        if tos_acceptors.empty? || tos_acceptors.any? { |tos| !tos.respond_to?(:accept?) }
-          raise ConfigurationError,
-                "The '#{name}' #{self.class} instance has a misconfigured " \
-                '`tos_acceptors` value. It must be set to an object ' \
-                'or an array of objects that respond to `accept?`.'
-        end
-
-        tos_acceptors
-      end
-
-      def prepare_directory(dir:, property:)
-        return nil if dir.nil?
-
-        dir = Pathname.new(dir) unless dir.is_a?(Pathname)
-        message = "The '#{name}' #{self.class} instance has a misconfigured " \
-                  "`#{property}` value, it resolves to (#{dir}). " \
-                  'It must be set to a directory, or a path that can be created.'
-
-        begin
-          dir.mkpath
-        rescue StandardError => _e
-          raise ConfigurationError, message
-        end
-
-        dir
-      end
-
-      def ensure_positive_integer(candidates, message)
-        candidates.each do |candidate|
-          next if candidate.nil?
-
-          as_int = candidate.to_i
-          return as_int if as_int.positive?
-        end
-
-        raise ConfigurationError, message
+      def external_account_binding=(eab)
+        self.eab_kid      = eab[:kid]
+        self.eab_hmac_key = eab[:hmac_key]
       end
     end
   end

data/lib/anchor/auto_cert/railtie.rb

@@ -6,32 +6,14 @@ module Anchor
     class Railtie < Rails::Railtie
       # Initialize the configuration with a blank configuration, ensuring
       # the configuration exists, even if it is not used.
-      config.auto_cert = ::Anchor::AutoCert::Configuration.new(name: :rails)
-
-      # Make sure the auto cert configuration is valid before the app boots
-      # This will run after every code reload in development and after boot in
-      # production
-      config.to_prepare do
-        if Rails.configuration.auto_cert.enabled?
-          Rails.configuration.auto_cert.validate!
-
-          # register the configuration under its name so that it can
-          # be discovered by other parts of the application
-          auto_cert_config = Rails.configuration.auto_cert
-          unless ::Anchor::AutoCert::Registry.key?(auto_cert_config.name)
-            ::Anchor::AutoCert::Registry.store(auto_cert_config.name, auto_cert_config)
-          end
-        end
-      end
+      config.auto_cert = ::Anchor::AutoCert::Configuration.new
 
       # this needs to be after the load_config_initializers so that the
       # application can override the :rails auto_cert configuration
       #
-      initializer 'auto_cert.configure_rails_initialization', after: :load_config_initializers do |app|
-        auto_cert_config = Railtie.determine_configuration(app)
-        app.config.auto_cert = auto_cert_config
 
-        # Update the app.config.hosts with the allow_identifiers if we are NOT
+      initializer 'auto_cert.configure_rails_initialization', after: :load_config_initializers do |app|
+        # Update the app.config.hosts with the server_names if we are NOT
         # in the test environment.
         #
         # In the test environment `config.hosts` is normally empty, and as a
@@ -39,10 +21,7 @@ module Anchor
         # to the `config.hosts` then HostAuthorization will be used, and tests
         # will break.
         unless Rails.env.test?
-          # load values from ENV
-          auto_cert_config&.validate! if Rails.configuration.auto_cert.enabled?
-
-          auto_cert_config&.allow_identifiers&.each do |identifier|
+          app.config.auto_cert[:server_names]&.each do |identifier|
             # need to convert an identifier into a host matcher, which is just
             # strip off a leading '*' if it exists so that all subdomains match.
             #
@@ -52,40 +31,6 @@ module Anchor
           end
         end
       end
-
-      def self.determine_configuration(app)
-        auto_cert_config = app.config.auto_cert
-
-        # If no configuration is set, then try to lookup one under the :rails
-        # key or create a default one.
-        begin
-          auto_cert_config ||= ::Anchor::AutoCert::Registry.fetch(:rails)
-        rescue KeyError
-          auto_cert_config = Railtie.try_to_create_default_configuration
-        end
-
-        return nil unless auto_cert_config
-
-        # Set some reasonable defaults for a scratch locations if they are not
-        # set explicitly.
-        acme_scratch_dir = app.root / 'tmp' / 'acme'
-        acme_scratch_dir.mkpath
-        auto_cert_config.cache_dir ||= (acme_scratch_dir / 'cache')
-        auto_cert_config.work_dir ||= (acme_scratch_dir / 'work')
-
-        auto_cert_config
-      end
-
-      def self.try_to_create_default_configuration
-        # If it doesn't exist, create a new one - now this may raise an error
-        # if the configuration is not setup correctly
-        ::Anchor::AutoCert::Configuration.new(name: :rails)
-      rescue ConfigurationError => e
-        # its fine to not have a coniguration, just log the error and move on
-        msg = "[AutoCert] Unable to create the :rails configuration : #{e.message}"
-        Rails.logger.error(msg)
-        nil
-      end
     end
   end
 end

data/lib/anchor/auto_cert.rb

@@ -1,21 +1,5 @@
 # frozen_string_literal: true
 
-module Anchor
-  module AutoCert
-    class Error < StandardError; end
-    class IdentifierNotAllowedError < Error; end
-    class ConfigurationError < Error; end
-    class UnknownPolicyCheckError < Error; end
-    class UnknownAlgorithmError < Error; end
-    class UnknownKeyFormatError < Error; end
-  end
-end
-require_relative 'auto_cert/terms_of_service_acceptor'
 require_relative 'auto_cert/configuration'
-require_relative 'auto_cert/manager'
-require_relative 'auto_cert/managed_certificate'
-require_relative 'auto_cert/identifier_policy'
-require_relative 'auto_cert/registry'
-require_relative 'auto_cert/renewal_busy_wait'
 
 require_relative 'auto_cert/railtie' if defined?(Rails::Railtie)

data/lib/anchor/pem_bundle.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'tmpdir'
+
 module Anchor
   # PEMBundle is a collection of PEM encoded certificates. It can be written
   # to a temporarly file on disk as a bundle if needed.

data/lib/anchor/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Anchor
-  VERSION = '0.6.2'
+  VERSION = '0.7.0'
 end

data/lib/anchor.rb

@@ -23,4 +23,3 @@ require_relative 'anchor/version'
 require_relative 'anchor/auto_cert'
 require_relative 'anchor/oid'
 require_relative 'anchor/pem_bundle'
-require_relative 'anchor/disk_store'

data/lib/puma/dsl.rb

@@ -6,23 +6,28 @@
 #
 
 require 'puma/dsl'
+require 'puma/acme/dsl'
 
 module Puma
   # Extend the ::Puma::DSL module with the configuration options we want
   class DSL
-    def auto_cert_name(name = nil)
-      @options[:auto_cert_name] = name if name
-      @options[:auto_cert_name]
-    end
-
     def auto_cert_port(port = nil)
       @options[:auto_cert_port] = port if port
       @options[:auto_cert_port]
     end
 
-    def auto_cert_check_every(check_every = nil)
-      @options[:auto_cert_check_every] = check_every if check_every
-      @options[:auto_cert_check_every]
-    end
+    alias auto_cert_algorithm acme_algorithm
+    alias auto_cert_cache acme_cache
+    alias auto_cert_cache_dir acme_cache_dir
+    alias auto_cert_contact acme_contact
+    alias auto_cert_directory acme_directory
+    alias auto_cert_eab_kid acme_eab_kid
+    alias auto_cert_eab_hmac_key acme_eab_hmac_key
+    alias auto_cert_mode acme_mode
+    alias auto_cert_renew_at acme_renew_at
+    alias auto_cert_renew_interval acme_renew_interval
+    alias auto_cert_server_name acme_server_name
+    alias auto_cert_server_names acme_server_names
+    alias auto_cert_tos_agreed acme_tos_agreed
   end
 end