anchor-pki 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 30508321e074e903d3e8328cc7b2e32fad03b696a32dbb2f16014e92f7636ede
-  data.tar.gz: 7705acb22177288ac5de11a37c62080504efef41a82c7337673c84dadc90fd28
+  metadata.gz: 342dadd5c28835816da2c07cdd1d4b7b546cc2a35ca80738cc98707d2a048cd4
+  data.tar.gz: 97cb3d7c9c9bbb770c8a3a52eae0690bc7f18cadd5f3a31689d6d00239f5a523
 SHA512:
-  metadata.gz: 392139d7eea3518ba1d9f9915e628050818e3855494b55876e8fc63ffa4aff45e6434918f8fabae4bd6fe042210ac56fc7b1e0fe6093ee558013b85cb0d15551
-  data.tar.gz: e8f674f66082121873997074914a619205b9375608a6db2f1bd4afe6199d43c96f9874d3d584811f251143cd3c559f90b30ec5ca70ef1c42f01c043da4c3d5ef
+  metadata.gz: 06b0f93d4bc1962f60a4122bd2f4a046818e36c49779eae9255ff24d6cbb7ba9bd9029bb4f72f516b96c5fa8aef98cea7fbbd6f29ae3b69e42e6cb31e5990ade
+  data.tar.gz: f220a29a0c170f74b8926a1ae804f65d1719a4f9956edc04c6844ac27b2404f15c56908cf5b608a35fec1fe10679b74442ace2b3f6034af3eab814d564da670d

data/CHANGELOG.md

@@ -1,6 +1,13 @@
 ## [Unreleased]
 
-## [0.3.0] - 2023-06-02
+## [0.4.0] - 2023-06-06
+
+- add a puma plugin and configuration dsl for better integration
+- auto restart of puma when a certificate is renewed
+- improve tests
+- internal refactor to support the puma plugin
+
+## [0.3.0] - 2023-06-05
 
 - improve gem packaging
 - extract out a configuration class for Acme

data/README.md

@@ -14,6 +14,8 @@ The Following environment variables are available to configure the default
 * `ACME_HMAC_KEY` - your EAB HMAC_KEY for authenticating with the ACME directory above
 * `ACME_RENEW_BEFORE_SECONDS` - **optional** Start a renewal this number number of seconds before the cert expires. This defaults to 30 days (2592000 seconds)
 * `ACME_RENEW_BEFORE_FRACTION` - **optional** Start the renewal when this fraction of a cert's valid window is left. This defaults to 0.5, which means when the cert is in the last 50% of its lifespan a renewal is attempted.
+* `AUTO_CERT_CHECK_EVERY` - **optional** the number of seconds to wait between checking if the certificate has expired. This defaults to 1 hour (3600 seconds)
+* `AUTO_CERT_NAME` - **optional** the name to use to lookup the default `AutoCert::Configuration` in the `AutoCert::Registry`. This is `default` by default
 
 If both `ACME_RENEW_BEFORE_SECONDS` and `ACME_RENEW_BEFORE_FRACTION` are set,
 the one that causes the renewal to take place earlier is used.

data/lib/anchor/auto_cert/configuration.rb

@@ -60,10 +60,12 @@ module Anchor
         }
       end
 
-      # Enabled means that the configuration has both allow_identifiers and a
-      # directory url set.
+      # Enabled just means that the configuration is valid
       def enabled?
-        allow_identifiers && directory_url
+        validate!
+        true
+      rescue ConfigurationError => _e
+        false
       end
 
       def validate!

data/lib/anchor/auto_cert/managed_certificate.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'forwardable'
+
+module Anchor
+  module AutoCert
+    # ManagedCertificate is a class that represents a certificate and its manager
+    # for renewal
+    class ManagedCertificate
+      attr_reader :cert_pem, :cert_path, :key_pem, :key_path, :key, :manager, :x509
+
+      extend Forwardable
+      def_delegators :@manager, :enabled?
+      def_delegators :@x509, :not_after, :not_before, :serial
+
+      def self.from(manager:, cert_path:, key_path:)
+        cert_pem = File.read(cert_path)
+        key_pem  = File.read(key_path)
+        new(manager: manager, cert_pem: cert_pem, key_pem: key_pem)
+      end
+
+      def initialize(manager:, cert_pem:, key_pem:)
+        @manager   = manager
+        @cert_pem  = cert_pem
+        @key_pem   = key_pem
+        @x509      = OpenSSL::X509::Certificate.new(cert_pem)
+
+        hex_serial_basename = hex_serial('-')
+        @cert_path = manager.work_dir / "#{hex_serial_basename}.crt"
+        @key_path  = manager.work_dir / "#{hex_serial_basename}.key"
+
+        write_working_files
+      end
+
+      def hex_serial(joiner = ':')
+        x509.serial.to_s(16).scan(/.{2}/).join(joiner)
+      end
+
+      def needs_renewal?(now = Time.now.utc)
+        manager.needs_renewal?(cert: x509, now: now)
+      end
+
+      def identifiers
+        alt_names = x509&.extensions&.find { |ext| ext.oid == 'subjectAltName' }&.value&.split(', ') || []
+        alt_names.map { |name| name.sub(/^DNS:/, '') }
+      end
+
+      def common_name
+        x509.subject.to_a.find { |name, _, _| name == 'CN' }[1]
+      end
+
+      def write_working_files
+        cert_path.open('w') { |f| f << cert_pem }
+        key_path.open('w') { |f| f << key_pem }
+      end
+
+      def purge_working_files
+        cert_path.delete if cert_path.exist?
+        key_path.delete if key_path.exist?
+      end
+    end
+  end
+end

data/lib/anchor/auto_cert/manager.rb

@@ -26,7 +26,8 @@ module Anchor
                   :configuration,
                   :directory_url,
                   :identifier_policies,
-                  :tos_acceptors
+                  :tos_acceptors,
+                  :work_dir
 
       def self.for(configuration)
         new(configuration: configuration)
@@ -50,23 +51,10 @@ module Anchor
         @enabled = true
       end
 
-      # It is currently assumed that the common name is the first of the
-      # `identifiers` passed into this method. If that is not the case, then the
-      # `common_name` parameter needs to be set explicitly
-      def certificate_paths(identifiers:, algorithm: :ecdsa, common_name: Array(identifiers).first, **opts)
-        cert_pem, key_pem = certificate(identifiers: identifiers, algorithm: algorithm, common_name: common_name,
-                                        **opts)
-
-        cert = (@work_dir / common_name).open('w') { |f| f << cert_pem }.path
-        key = (@work_dir / "#{common_name}+#{algorithm}").open('w') { |f| f << key_pem }.path
-
-        [cert, key]
-      end
-
       # It is currently assumed that the common name is the first of the
       # `identifiers` passed into this method. If that is not the case, then
       # the `common_name` parameter needs to be set explicitly
-      def certificate(identifiers:, algorithm: :ecdsa, common_name: Array(identifiers).first, **opts)
+      def managed_certificate(identifiers:, algorithm: :ecdsa, common_name: Array(identifiers).first, **opts)
         if (arr = denied_identifiers(identifiers)).size.positive?
           raise IdentifierNotAllowedError, "denied identifiers'#{arr.join(',')}'"
         end
@@ -74,7 +62,7 @@ module Anchor
         key_pem = cache&.read("#{common_name}+#{algorithm}")
         cert_pem = cache&.read(common_name)
 
-        if key_pem.nil? || cert_pem.nil? || needs_renewal?(cert_pem: cert_pem)
+        if key_pem.nil? || cert_pem.nil?
           cert_pem, key_pem = provision(identifiers: identifiers, algorithm: algorithm, common_name: common_name,
                                         **opts)
 
@@ -82,15 +70,25 @@ module Anchor
           cache&.write(common_name, cert_pem)
         end
 
-        [cert_pem, key_pem]
+        ManagedCertificate.new(manager: self, cert_pem: cert_pem, key_pem: key_pem)
+      end
+
+      def needs_renewal?(cert:, now: Time.now.utc)
+        renew_after = [
+          renew_after_from_seconds(cert: cert),
+          renew_after_from_fraction(cert: cert),
+          renew_after_fallback(cert: cert),
+          cert.not_after # cert expired, get a new one
+        ].compact.min
+
+        (now > renew_after)
       end
 
       def disable
         @enabled = false
       end
 
-      # Currently this only tests for kid/hmac_key, but in the future it could
-      # test for other configuration options.
+      # if the manager is enabled && the configuration is enabled
       def enabled?
         @enabled && configuration.enabled?
       end
@@ -128,19 +126,6 @@ module Anchor
                             external_account_binding: external_account_binding)
       end
 
-      def needs_renewal?(cert_pem:, now: Time.now.utc)
-        cert = OpenSSL::X509::Certificate.new(cert_pem)
-
-        renew_after = [
-          renew_after_from_seconds(cert: cert),
-          renew_after_from_fraction(cert: cert),
-          renew_after_fallback(cert: cert),
-          cert.not_after # cert expired, get a new one
-        ].compact.min
-
-        (now > renew_after)
-      end
-
       def renew_after_from_seconds(cert:, before_seconds: renew_before_seconds)
         return nil unless before_seconds
 

data/lib/anchor/auto_cert/renewal_busy_wait.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Anchor
+  module AutoCert
+    # RenewalBusyWait is a class that will loop to check if a certificate needs to
+    # to be renewed, and if it does, return
+    #
+    # Generally this class should be used inside its own thread as it will sleep
+    # and loop until the pem file is able to be renewed.
+    #
+    # Every 'check_every' interval it will check if the certificate needs to be
+    # renewed. If it does, the loop will end and `wait_for_it` will return. If
+    # it does not need renewal, the block will be called, and if the result of
+    # the block is falsy, the loop will exit early
+    #
+    class RenewalBusyWait
+      ONE_HOUR = 60 * 60
+
+      def self.wait_for_it(managed_certificate:, check_every: ONE_HOUR, &keep_going)
+        waiter = new(managed_certificate: managed_certificate, check_every: check_every)
+        waiter.wait_for_it(&keep_going)
+      end
+
+      def initialize(managed_certificate:, check_every: ONE_HOUR)
+        @managed_certificate = managed_certificate
+        @check_every = check_every
+      end
+
+      def wait_for_it
+        loop do
+          break if @managed_certificate.needs_renewal?
+          break unless yield
+
+          sleep @check_every
+        end
+      end
+    end
+  end
+end

data/lib/anchor/auto_cert.rb

@@ -13,8 +13,9 @@ end
 require_relative 'auto_cert/terms_of_service_acceptor'
 require_relative 'auto_cert/configuration'
 require_relative 'auto_cert/manager'
+require_relative 'auto_cert/managed_certificate'
 require_relative 'auto_cert/identifier_policy'
 require_relative 'auto_cert/registry'
-require_relative 'auto_cert/integration'
+require_relative 'auto_cert/renewal_busy_wait'
 
 require_relative 'auto_cert/railtie' if defined?(Rails::Railtie)

data/lib/anchor/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Anchor
-  VERSION = '0.3.0'
+  VERSION = '0.4.0'
 end

data/lib/puma/dsl.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+#
+# Extend the ::Puma::DSL module with the configuration options we want for
+# autocert
+#
+
+require 'puma/dsl'
+
+module Puma
+  # Extend the ::Puma::DSL module with the configuration options we want
+  class DSL
+    def auto_cert_name(name = nil)
+      @options[:auto_cert_name] = name if name
+      @options[:auto_cert_name]
+    end
+
+    def auto_cert_port(port = nil)
+      @options[:auto_cert_port] = port if port
+      @options[:auto_cert_port]
+    end
+
+    def auto_cert_check_every(check_every = nil)
+      @options[:auto_cert_check_every] = check_every if check_every
+      @options[:auto_cert_check_every]
+    end
+  end
+end

data/lib/puma/plugin/auto_cert.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require_relative '../dsl'
+module Puma
+  class Plugin
+    # This is a plugin for Puma that will automatically renew a certificate
+    #
+    # This module is here in order to communicate plugin configuration options
+    # to the plugin since the plugin is created dynamically and it is loaded and
+    # initialized without any configuration options.
+    module AutoCert
+      class << self
+        def ssl_bind_options(managed_certificate:)
+          {
+            cert: managed_certificate.cert_path,
+            key: managed_certificate.key_path
+          }
+        end
+      end
+
+      # Instance methods that are included in the dynamic Puma Plugin class when
+      # a plugin is created
+      module PluginInstanceMethods
+        attr_accessor :managed_certificate
+
+        def config(dsl)
+          port          = dsl.auto_cert_port || ENV.fetch('HTTPS_PORT', nil)
+          name          = dsl.auto_cert_name || ENV.fetch('AUTO_CERT_NAME', 'default')
+          configuration = ::Anchor::AutoCert::Registry.fetch(name)
+          identifiers   = configuration.allow_identifiers
+          manager       = ::Anchor::AutoCert::Manager.new(configuration: configuration)
+
+          @managed_certificate = manager.managed_certificate(identifiers: identifiers)
+
+          options = ::Puma::Plugin::AutoCert.ssl_bind_options(managed_certificate: @managed_certificate)
+
+          dsl.ssl_bind '[::]', port, options
+        rescue StandardError
+          @managed_certificate = nil
+        end
+
+        def start(launcher)
+          @launcher = launcher
+          unless managed_certificate&.enabled?
+            log_writer.log 'AutoCert >> Not enabled - skipping certificate renewal process'
+            return
+          end
+
+          log_writer.log "AutoCert >> Configured for #{managed_certificate.identifiers.join(', ')}"
+          check_every = launcher.config.options[:auto_cert_check_every] ||
+                        ENV.fetch('AUTO_CERT_CHECK_EVERY', nil) ||
+                        ::Anchor::AutoCert::RenewalBusyWait::ONE_HOUR
+
+          in_background do
+            Anchor::AutoCert::RenewalBusyWait.wait_for_it(managed_certificate: managed_certificate,
+                                                          check_every: check_every) do
+              dump_cert_info
+
+              # if ssl server is up, then it has already read the local working
+              # files, which means we can purge them - if there's a disk cache, those still
+              # probably exist
+              ssl_server = launcher.binder.ios.find { |io| io.instance_of?(Puma::MiniSSL::Server) }
+              managed_certificate.purge_working_files if ssl_server
+
+              true
+            end
+            log_writer.log 'AutoCert >> Restarting Puma in order to renew certificate'
+            @launcher.restart
+          end
+        end
+
+        private
+
+        def dump_cert_info
+          log_writer.debug "AutoCert >> Bound cert    : #{managed_certificate.hex_serial}"
+          log_writer.debug "AutoCert >>   common name : #{managed_certificate.common_name}"
+          log_writer.debug "AutoCert >>   identifiers : #{managed_certificate.identifiers.join(', ')}"
+          log_writer.debug "AutoCert >>    not before : #{managed_certificate.not_before}"
+          log_writer.debug "AutoCert >>    not after  : #{managed_certificate.not_after}"
+        end
+
+        def log_writer
+          if Gem::Version.new(Puma::Const::PUMA_VERSION) >= Gem::Version.new(6)
+            @launcher.log_writer
+          else
+            @launcher.events
+          end
+        end
+      end
+    end
+  end
+end
+
+# This is the entry point for the plugin
+Puma::Plugin.create do
+  include Puma::Plugin::AutoCert::PluginInstanceMethods
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: anchor-pki
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Anchor Security, Inc
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-06-05 00:00:00.000000000 Z
+date: 2023-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: acme-client
@@ -142,8 +142,7 @@ files:
 - lib/anchor/auto_cert.rb
 - lib/anchor/auto_cert/configuration.rb
 - lib/anchor/auto_cert/identifier_policy.rb
-- lib/anchor/auto_cert/integration.rb
-- lib/anchor/auto_cert/integration/puma.rb
+- lib/anchor/auto_cert/managed_certificate.rb
 - lib/anchor/auto_cert/manager.rb
 - lib/anchor/auto_cert/policy_check.rb
 - lib/anchor/auto_cert/policy_check/for_hostname.rb
@@ -151,8 +150,11 @@ files:
 - lib/anchor/auto_cert/policy_check/for_wildcard_hostname.rb
 - lib/anchor/auto_cert/railtie.rb
 - lib/anchor/auto_cert/registry.rb
+- lib/anchor/auto_cert/renewal_busy_wait.rb
 - lib/anchor/auto_cert/terms_of_service_acceptor.rb
 - lib/anchor/version.rb
+- lib/puma/dsl.rb
+- lib/puma/plugin/auto_cert.rb
 homepage: https://anchor.dev
 licenses:
 - MIT

data/lib/anchor/auto_cert/integration/puma.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-module Anchor
-  module AutoCert
-    module Integration
-      # Puma integration
-      class Puma
-        def self.ssl_bind_options(manager:, identifiers: nil)
-          identifiers ||= manager.configuration.allow_identifiers
-          cert, key = manager.certificate_paths(identifiers: identifiers)
-
-          { cert: cert, key: key }
-        end
-      end
-    end
-  end
-end

data/lib/anchor/auto_cert/integration.rb

@@ -1,11 +0,0 @@
-# frozen_string_literal: true
-
-module Anchor
-  module AutoCert
-    # Integration module
-    module Integration
-    end
-  end
-end
-
-require_relative 'integration/puma'