anchor-pki 0.6.2 → 0.7.0

data/lib/puma/plugin/auto_cert.rb

@@ -1,106 +1,139 @@
 # frozen_string_literal: true
 
 require_relative '../dsl'
+
+require 'puma/acme'
+
 module Puma
   class Plugin
-    # This is a plugin for Puma that will automatically renew a certificate
-    #
-    # This module is here in order to communicate plugin configuration options
-    # to the plugin since the plugin is created dynamically and it is loaded and
-    # initialized without any configuration options.
-    module AutoCert
+    # This is a plugin for Puma that will automatically provision & renew certificates based
+    # on options loaded from a framework plugin or the environment. Only the foreground acme
+    # mode is supported.
+    class AutoCert < Puma::Acme::Plugin
+      Plugins.register('auto_cert', self)
+
+      class Error < StandardError; end
+      class PortMissingError < Error; end
+      class ServerNameMissingError < Error; end
+
       class << self
-        def ssl_bind_options(managed_certificate:)
-          {
-            cert: managed_certificate.cert_path,
-            key: managed_certificate.private_key_path
-          }
-        end
+        attr_accessor :start_hooks
       end
 
-      # Instance methods that are included in the dynamic Puma Plugin class when
-      # a plugin is created
-      module PluginInstanceMethods
-        attr_accessor :managed_certificate
-        attr_reader :manager, :port
-
-        def config(dsl)
-          @port         = dsl.auto_cert_port || ENV.fetch('HTTPS_PORT', nil)
-          name          = dsl.auto_cert_name || ENV.fetch('AUTO_CERT_NAME', 'default')
-          configuration = ::Anchor::AutoCert::Registry.fetch(name)
-          identifiers   = configuration.allow_identifiers
-          @manager      = ::Anchor::AutoCert::Manager.new(configuration: configuration)
-
-          @managed_certificate = manager.managed_certificate(identifiers: identifiers)
-        rescue StandardError => _e
-          @manager = nil
-          @managed_certificate = nil
-        end
+      ENV_VARS = {
+        server_names: %w[ACME_SERVER_NAME ACME_SERVER_NAMES SERVER_NAME SERVER_NAMES ACME_ALLOW_IDENTIFIERS],
+        directory: %w[ACME_DIRECTORY ACME_DIRECTORY_URL],
+        eab_kid: %w[ACME_KID ACME_EAB_KID],
+        eab_hmac_key: %w[ACME_HMAC_KEY ACME_EAB_HMAC_KEY]
+      }.freeze
 
-        def start(launcher)
-          @launcher = launcher
-          unless manager&.enabled? && managed_certificate
-            log_writer.log 'AutoCert >> Not enabled - skipping certificate renewal process'
-            return
-          end
+      def self.add_start_hook(&block)
+        (self.start_hooks ||= []) << block
+      end
+
+      def start(launcher, env: ENV)
+        # puma.rb > framework config > ENV
+        config = ConfigLookup.new(puma: launcher.options, app: framework_config, env: env)
+
+        enabled = config.first(:enabled)
 
-          options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: managed_certificate)
-          launcher.config.configure do |_user_config, file_config|
-            file_config.ssl_bind '[::]', port, options
+        https_port = config.first(:port, puma: :auto_cert_port, env: 'HTTPS_PORT')
+        if https_port.nil?
+          if enabled
+            raise PortMissingError, 'AutoCert was enabled, but no https port number provided'
           end
 
-          managed_certificate.identifiers.each do |identifier|
-            log_writer.log "AutoCert >> Available at https://#{identifier}:#{port}/"
+          launcher.log_writer.log 'AutoCert >> Not enabled, no HTTPS_PORT'
+          return
+        end
+
+        server_names = [*config.all(:server_names, env: ENV_VARS[:server_names])]
+                       .map { |val| val.split(/[ ,]/) }.flatten.uniq
+
+        if server_names.empty?
+          if enabled
+            raise ServerNameMissingError, 'AutoCert was enabled, but no server name(s) provided'
           end
 
-          check_every = launcher.config.options[:auto_cert_check_every] ||
-                        ENV.fetch('AUTO_CERT_CHECK_EVERY', nil) ||
-                        ::Anchor::AutoCert::RenewalBusyWait::ONE_HOUR
-
-          in_background do
-            Anchor::AutoCert::RenewalBusyWait.wait_for_it(manager: manager,
-                                                          managed_certificate: managed_certificate,
-                                                          check_every: check_every) do
-              dump_cert_info
-
-              # if ssl server is up, then it has already read the local working
-              # files, which means we can purge them - if there's a disk cache, those still
-              # probably exist
-              ssl_server = launcher.binder.ios.find { |io| io.instance_of?(Puma::MiniSSL::Server) }
-              managed_certificate.purge_working_files if ssl_server
-
-              true
-            end
-            log_writer.log 'AutoCert >> Restarting Puma in order to renew certificate'
-            @launcher.restart
+          launcher.log_writer.log 'AutoCert >> Not enabled, no ACME_SERVER_NAME(S)'
+          return
+        end
+
+        launcher.options[:acme_server_names] = server_names
+
+        tcp_hosts(launcher.options[:binds]).each do |host|
+          launcher.options[:binds] << "acme://#{host}:#{https_port}"
+        end
+
+        %i[algorithm cache_dir contact tos_agreed].each do |key|
+          if (val = config.first(key))
+            launcher.options[:"acme_#{key}"] ||= val
           end
-        rescue StandardError => e
-          log_writer.log "AutoCert >> Error - #{e.message}"
         end
 
-        private
+        launcher.options[:acme_directory] ||= config.first(:directory, env: ENV_VARS[:directory])
+
+        launcher.options[:acme_eab_kid]      ||= config.first(:eab_kid, env: ENV_VARS[:eab_kid])
+        launcher.options[:acme_eab_hmac_key] ||= config.first(:eab_hmac_key, env: ENV_VARS[:eab_hmac_key])
+
+        launcher.options[:acme_mode] ||= config.first(:mode) || :foreground
+
+        # TODO: unify with config, check/use :renew_interval
+        launcher.options[:acme_renew_at] ||= renew_before
+
+        super(launcher)
+      end
+
+      protected
+
+      def renew_before
+        if (renew_at = ENV.fetch('ACME_RENEW_BEFORE_SECONDS', nil))
+          renew_at.to_i
+        elsif (renew_at = ENV.fetch('ACME_RENEW_BEFORE_FRACTION', nil))
+          renew_at.to_f
+        else
+          0.5
+        end
+      end
+
+      def framework_config
+        # TODO(benburkert): for the next framework plugin, make this generic
+        Rails.application.config.auto_cert if defined?(Rails)
+      end
 
-        def dump_cert_info
-          log_writer.debug "AutoCert >> Bound cert    : #{managed_certificate.hex_serial}"
-          log_writer.debug "AutoCert >>   common name : #{managed_certificate.common_name}"
-          log_writer.debug "AutoCert >>   identifiers : #{managed_certificate.identifiers.join(', ')}"
-          log_writer.debug "AutoCert >>    not before : #{managed_certificate.not_before}"
-          log_writer.debug "AutoCert >>    not after  : #{managed_certificate.not_after}"
+      def tcp_hosts(binds)
+        binds.select { |bind| bind.start_with?('tcp://') }
+             .map { |bind| URI.parse(bind).host }.uniq
+      end
+
+      # puma.rb > app framework config > ENV
+      ConfigLookup = Struct.new(:puma, :app, :env, keyword_init: true) do
+        alias_method :puma_config, :puma
+        alias_method :app_config, :app
+        alias_method :env_config, :env
+
+        def first(key, puma: :"acme_#{key}", env: puma.upcase.to_s)
+          lookup(key, puma: puma, env: env) { |val| return val }
+          nil
+        end
+
+        def all(key, puma: :"acme_#{key}", env: puma.upcase)
+          values = []
+          lookup(key, puma: puma, env: env) { |val| values << val }
+          values
         end
 
-        def log_writer
-          if Gem::Version.new(Puma::Const::PUMA_VERSION) >= Gem::Version.new(6)
-            @launcher.log_writer
-          else
-            @launcher.events
+        protected
+
+        def lookup(key, puma:, env:)
+          yield(puma_config[puma]) if puma_config&.fetch(puma, nil)
+          yield(app_config[key])   if app_config&.to_h&.fetch(key, nil)
+
+          [*env].each do |k|
+            yield(env_config[k]) if env_config&.fetch(k, nil)
           end
         end
       end
     end
   end
 end
-
-# This is the entry point for the plugin
-Puma::Plugin.create do
-  include Puma::Plugin::AutoCert::PluginInstanceMethods
-end

metadata

@@ -1,31 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: anchor-pki
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.7.0
 platform: ruby
 authors:
 - Anchor Security, Inc
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-20 00:00:00.000000000 Z
+date: 2024-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: acme-client
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.0.13
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 2.0.13
-- !ruby/object:Gem::Dependency
-  name: pstore
+  name: puma-acme
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -169,18 +155,7 @@ files:
 - lib/anchor.rb
 - lib/anchor/auto_cert.rb
 - lib/anchor/auto_cert/configuration.rb
-- lib/anchor/auto_cert/identifier_policy.rb
-- lib/anchor/auto_cert/managed_certificate.rb
-- lib/anchor/auto_cert/manager.rb
-- lib/anchor/auto_cert/policy_check.rb
-- lib/anchor/auto_cert/policy_check/for_hostname.rb
-- lib/anchor/auto_cert/policy_check/for_ipaddr.rb
-- lib/anchor/auto_cert/policy_check/for_wildcard_hostname.rb
 - lib/anchor/auto_cert/railtie.rb
-- lib/anchor/auto_cert/registry.rb
-- lib/anchor/auto_cert/renewal_busy_wait.rb
-- lib/anchor/auto_cert/terms_of_service_acceptor.rb
-- lib/anchor/disk_store.rb
 - lib/anchor/oid.rb
 - lib/anchor/pem_bundle.rb
 - lib/anchor/version.rb
@@ -207,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Ruby client for Anchor PKI. See https://anchor.dev/ for details.

data/lib/anchor/auto_cert/identifier_policy.rb

@@ -1,71 +0,0 @@
-# frozen_string_literal: true
-
-module Anchor
-  module AutoCert
-    #
-    # IdentifierPolicy is a class used to check that the identifiers used in
-    # certs would be valid.
-    #
-    # Each IdentierPolicy is initialized with a 'policy_description' which is used to
-    # derive the policy check.
-    #
-    # Current Policy Checks are:
-    # - ForHostname - checks that the identifier matches hostname exactly
-    # - ForWildcardHostname - checks that the identifier matches hostname with a wildcard prefix
-    # - ForIpAddress - checks that the identifier matches an IP address or subnet
-    #
-    class IdentifierPolicy
-      attr_reader :description, :check
-
-      # Given an individual, or an array of IdentifierPolicy or Strings build
-      # IdentifierPolicy objects
-      def self.build(policy_descriptions)
-        Array(policy_descriptions).map do |description|
-          IdentifierPolicy.new(description)
-        end
-      end
-
-      def self.new(description)
-        return description if description.is_a?(IdentifierPolicy)
-
-        super
-      end
-
-      # The list of policy checks that are available, the ordering here is
-      # important as the first one that matches is the one that is used for the
-      # check. So if a policy description would be matched by multiple checks,
-      # the one that it should match should be first.
-      def self.policy_checks
-        @policy_checks ||= [
-          PolicyCheck::ForIPAddr,
-          PolicyCheck::ForHostname,
-          PolicyCheck::ForWildcardHostname
-        ]
-      end
-
-      def initialize(description)
-        check_klass = self.class.policy_checks.find do |klass|
-          klass.handles?(description)
-        end
-        if check_klass.nil?
-          raise UnknownPolicyCheckError,
-                "Unable to create a policy check based upon '#{description}'"
-        end
-
-        @description = description
-        @check = check_klass.new(description)
-      end
-
-      def allow?(identifier)
-        raise ArgumentError, 'identifier must be a String' unless identifier.is_a?(String)
-
-        @check.allow?(identifier)
-      end
-
-      def deny?(identifier)
-        !allow?(identifier)
-      end
-    end
-  end
-end
-require_relative 'policy_check'

data/lib/anchor/auto_cert/managed_certificate.rb

@@ -1,77 +0,0 @@
-# frozen_string_literal: true
-
-require 'forwardable'
-
-module Anchor
-  module AutoCert
-    # ManagedCertificate is a class that represents a certificate
-    # for renewal
-    class ManagedCertificate
-      attr_reader :cert_pem, :key_pem, :x509, :persist_dir, :cert_path, :private_key_path
-
-      extend Forwardable
-      def_delegators :@x509, :not_after, :not_before
-
-      def initialize(cert_pem:, key_pem:, persist_dir: nil)
-        @cert_pem         = cert_pem
-        @key_pem          = key_pem
-        @persist_dir      = Pathname.new(persist_dir) if persist_dir
-        @x509             = OpenSSL::X509::Certificate.new(cert_pem)
-        @cert_path        = nil
-        @private_key_path = nil
-        persist_pems
-      end
-
-      def serial
-        x509.serial.to_i
-      end
-
-      def hex_serial(joiner = ':')
-        x509.serial.to_s(16).scan(/.{2}/).join(joiner)
-      end
-
-      def expired?(now: Time.now.utc)
-        not_after <= now
-      end
-
-      # For the moment, the only items in subjectAltName we care about are DNS:
-      # entries.
-      def identifiers
-        alt_names = x509&.extensions&.find { |ext| ext.oid == 'subjectAltName' }&.value&.split(', ') || []
-        alt_names.select { |name| name.start_with?('DNS:') }
-                 .map { |name| name.sub(/^DNS:/, '') }
-      end
-
-      def common_name
-        x509.subject.to_a.find { |name, _, _| name == 'CN' }[1]
-      end
-
-      def all_names
-        non_common_identifiers = identifiers.reject { |name| name == common_name }
-        [common_name, *non_common_identifiers.sort]
-      end
-
-      def persist_pems
-        return unless persist_dir
-        return nil unless persist_dir.directory? && persist_dir.writable?
-
-        @cert_path = persist_dir.join("#{serial}.crt")
-        @cert_path.write(cert_pem)
-
-        @private_key_path = persist_dir.join("#{serial}.key")
-        @private_key_path.write(key_pem)
-      end
-
-      def purge_working_files
-        return unless persist_dir
-        return nil unless persist_dir.directory? && persist_dir.writable?
-
-        [@cert_path, @private_key_path].each do |path|
-          next unless path&.exist? && path&.writable?
-
-          path.delete
-        end
-      end
-    end
-  end
-end

data/lib/anchor/auto_cert/manager.rb

@@ -1,260 +0,0 @@
-# frozen_string_literal: true
-
-require 'acme/client'
-require 'uri'
-require 'tmpdir'
-require 'pathname'
-require 'forwardable'
-
-module Anchor
-  module AutoCert
-    # AutoCert Manager provides automatic access to certificates from Anchor, but
-    # theoretically it could work with Let's Encrypt or any other ACME-based CA.
-    class Manager
-      FALLBACK_RENEW_BEFORE_SECONDS = 24 * 60 * 60 # 1 day
-
-      extend Forwardable
-      def_delegators :@configuration,
-                     :check_every_seconds,
-                     :cache_dir,
-                     :contact,
-                     :directory,
-                     :external_account_binding,
-                     :fallback_identifier,
-                     :renew_before_fraction,
-                     :renew_before_seconds,
-                     :work_dir
-
-      attr_reader :disk_store,
-                  :client,
-                  :configuration,
-                  :directory_url,
-                  :identifier_policies,
-                  :tos_acceptors
-
-      def self.for(configuration)
-        new(configuration: configuration)
-      end
-
-      def initialize(configuration:, client: nil)
-        configuration.validate!
-        @configuration = configuration
-
-        # disk store early since other things may use it
-        @disk_store = DiskStore.new(dir: @configuration.cache_dir, basename: 'autocert-manager')
-
-        @identifier_policies = IdentifierPolicy.build(@configuration.allow_identifiers)
-        @tos_acceptors = Array(@configuration.tos_acceptors)
-        @directory_url = URI.parse(@configuration.directory_url)
-
-        @account_opts = {
-          contact: @configuration.contact,
-          external_account_binding: @configuration.external_account_binding
-        }
-
-        @client = client || new_client(contact: @configuration.contact)
-        @enabled = true
-        @managed_certificates = {}
-      end
-
-      # It is currently assumed that the common name is the first of the
-      # `identifiers` passed into this method. If that is not the case, then
-      # the `common_name` parameter needs to be set explicitly
-      def managed_certificate(identifiers:, algorithm: :ecdsa, common_name: Array(identifiers).first,
-                              now: Time.now.utc, **opts)
-        full_ids = consolidate_identifiers(common_name: common_name, identifiers: identifiers)
-        denied_ids = denied_identifiers(full_ids)
-
-        # Fallback to a configured identifier if the requested one(s) are denied
-        if denied_ids.any?
-          common_name = fallback_identifier
-          identifiers = []
-        end
-
-        # first look and see if its memory
-        managed_certificate = @managed_certificates[common_name]
-        if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
-          return managed_certificate
-        end
-
-        # then look into the disk cache
-        if @disk_store
-          key_pem = @disk_store["#{common_name}.key.pem"]
-          cert_pem = @disk_store["#{common_name}.cert.pem"]
-        end
-
-        if !key_pem.nil? && !cert_pem.nil?
-          managed_certificate = ManagedCertificate.new(cert_pem: cert_pem,
-                                                       key_pem: key_pem,
-                                                       persist_dir: work_dir)
-          if managed_certificate && !needs_renewal?(cert: managed_certificate, now: now)
-            return managed_certificate
-          end
-        end
-
-        # and then provision a new one
-        cert_pem, key_pem = provision_or_fallback(
-          identifiers: identifiers, algorithm: algorithm,
-          common_name: common_name,
-          **opts
-        )
-
-        managed_certificate = ManagedCertificate.new(
-          cert_pem: cert_pem, key_pem: key_pem, persist_dir: work_dir
-        )
-
-        @managed_certificates[common_name] = managed_certificate
-
-        if @disk_store
-          @disk_store["#{common_name}.key.pem"] = key_pem
-          @disk_store["#{common_name}.cert.pem"] = cert_pem
-        end
-
-        managed_certificate
-      end
-
-      def needs_renewal?(cert:, now: Time.now.utc)
-        renew_after = [
-          renew_after_from_seconds(cert: cert),
-          renew_after_from_fraction(cert: cert),
-          renew_after_fallback(cert: cert),
-          cert.not_after # cert expired, get a new one
-        ].compact.min
-
-        (now > renew_after)
-      end
-
-      def disable
-        @enabled = false
-      end
-
-      # if the manager is enabled && the configuration is enabled
-      def enabled?
-        @enabled && configuration.enabled?
-      end
-
-      private
-
-      def provision_or_fallback(identifiers:, algorithm:, common_name:, **opts)
-        cert_pem = nil
-        key_pem = nil
-        begin
-          cert_pem, key_pem = provision(
-            identifiers: identifiers, algorithm: algorithm, common_name: common_name,
-            **opts
-          )
-        rescue StandardError => _e
-          cert_pem, key_pem = provision(
-            identifiers: [], algorithm: algorithm, common_name: fallback_identifier,
-            **opts
-          )
-        end
-        [cert_pem, key_pem]
-      end
-
-      def provision(identifiers:, algorithm:, common_name:, **opts)
-        identifiers = consolidate_identifiers(common_name: common_name, identifiers: identifiers)
-        load_or_build_account
-        key_pem ||= new_key(algorithm).to_pem
-        csr = Acme::Client::CertificateRequest.new(
-          common_name: common_name, names: identifiers,
-          private_key: parse_key_pem(key_pem)
-        )
-
-        order = @client.new_order(identifiers: identifiers, **opts)
-        order.finalize(csr: csr)
-        # TODO: loop over order.authorizations and process the challenges
-
-        while order.status == 'processing'
-          sleep(1)
-          order.reload
-        end
-
-        [order.certificate, key_pem]
-      end
-
-      def account
-        @account ||= build_account(**@account_opts)
-      end
-      alias load_or_build_account account
-
-      def build_account(contact: nil, external_account_binding: nil, terms_of_service_agreed: false, **)
-        terms_of_service_agreed ||= @tos_acceptors.any? { |a| a.accept?(@client.terms_of_service) }
-
-        @client.new_account(contact: contact, terms_of_service_agreed: terms_of_service_agreed,
-                            external_account_binding: external_account_binding)
-      end
-
-      def renew_after_from_seconds(cert:, before_seconds: renew_before_seconds)
-        return nil unless before_seconds
-
-        renew_after = (cert.not_after - before_seconds)
-
-        # invalid if the renewal time is outside the certificate validity window
-        return nil unless (cert.not_before..cert.not_after).cover?(renew_after)
-
-        renew_after
-      end
-
-      def renew_after_from_fraction(cert:, before_fraction: renew_before_fraction)
-        return nil unless (0..1).cover?(before_fraction)
-
-        valid_span     = cert.not_after - cert.not_before
-        before_seconds = (valid_span * before_fraction).floor
-
-        renew_after_from_seconds(cert: cert, before_seconds: before_seconds)
-      end
-
-      # Fallback timestamp, in case there is some corner case that is not covered
-      def renew_after_fallback(cert:)
-        renew_after_from_seconds(cert: cert, before_seconds: FALLBACK_RENEW_BEFORE_SECONDS)
-      end
-
-      def new_client(account_key: nil, contact: nil, **)
-        account_key ||= account_key_for(contact)
-
-        Acme::Client.new(private_key: account_key, directory: @directory_url)
-      end
-
-      # currently only using ecdsa algorithm
-      def new_key(algorithm = :ecdsa)
-        case algorithm
-        when :ecdsa then OpenSSL::PKey::EC.generate('prime256v1')
-        else
-          raise UnknownAlgorithmError, "unknown key algorithm '#{algorithm}'"
-        end
-      end
-
-      def account_key_for(contact)
-        return new_key unless @disk_store
-
-        account_key_id = "#{contact || 'default'}+#{@directory_url}+key"
-        pem = @disk_store[account_key_id]
-        return parse_key_pem(pem) if pem
-
-        raw_key = new_key
-        @disk_store[account_key_id] = raw_key.to_pem
-        raw_key
-      end
-
-      def parse_key_pem(data)
-        OpenSSL::PKey::EC.new(data)
-      rescue StandardError
-        nil
-      end
-
-      # returns all those identifiers that were not accepted by any policy
-      def denied_identifiers(identifiers)
-        Array(identifiers).reject do |identifier|
-          @identifier_policies.any? { |policy| policy.allow?(identifier) }
-        end
-      end
-
-      # return a list of identifiers with duplicates removed
-      #  preserving order with the common_name first
-      def consolidate_identifiers(common_name:, identifiers: [])
-        [common_name, *identifiers].compact.uniq
-      end
-    end
-  end
-end