apartment_acme_client 0.0.1

data/app/views/layouts/apartment_acme_client/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Apartment acme client</title>
+  <%= stylesheet_link_tag    "apartment_acme_client/application", media: "all" %>
+  <%= javascript_include_tag "apartment_acme_client/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,3 @@
+ApartmentAcmeClient::Engine.routes.draw do
+  get '/verify', to: "verifications#verify"
+end

data/lib/apartment_acme_client.rb

@@ -0,0 +1,61 @@
+require "apartment_acme_client/version"
+require "apartment_acme_client/domain_checker"
+require "apartment_acme_client/encryption"
+require "apartment_acme_client/renewal_service"
+require "apartment_acme_client/engine"
+require "apartment_acme_client/acme_client/proxy"
+require "apartment_acme_client/acme_client/real_client"
+require "apartment_acme_client/certificate_storage/proxy"
+require "apartment_acme_client/certificate_storage/s3"
+require "apartment_acme_client/nginx_configuration/proxy"
+require "apartment_acme_client/nginx_configuration/real"
+require "apartment_acme_client/file_manipulation/proxy"
+require "apartment_acme_client/file_manipulation/real"
+
+require 'apartment_acme_client/railtie' if defined?(Rails)
+
+module ApartmentAcmeClient
+  # A callback method which lists the possible domains to be checked
+  # We will verify each of them before requesting a certificate from Let's Encrypt for all of them
+  mattr_accessor :domains_to_check
+
+  def self.domains_to_check
+    if @@domains_to_check.respond_to?(:call)
+      @@domains_to_check.call
+    else
+      @@domains_to_check
+    end
+  end
+
+  # The base domain, a domain which is always going to be accessible.
+  # because we need a common domain to be used on each request.
+  # if not defined, the first 'domain_to_check' which succeeds will be used
+  mattr_accessor :common_name
+
+  # Directory where to store the challenge files, Must be accessible via the internet
+  mattr_accessor :public_folder # Rails.root.join('public')
+
+  # Directory where to store certificates locally
+  # must persist between deployments, so that nginx can reference it permanently
+  mattr_accessor :certificate_storage_folder # Rails.root.join("public", "system")
+
+  # for s3 storage
+  mattr_accessor :aws_region # Rails.application.secrets.aws_region
+  mattr_accessor :aws_bucket # Rails.application.secrets.aws_bucket
+
+  # For use in the nginx configuration
+  mattr_accessor :socket_path # = "/tmp/unicorn-application.socket"
+  mattr_accessor :nginx_config_path # "/etc/nginx/conf.d/site.conf"
+
+  # If your server stops responding 200 OK to http connections (ie: when all connections are forced-ssl)
+  # you must verify new subdomains over https instead of http
+  mattr_accessor :verify_over_https
+
+  # For Testing/injection purposes
+  mattr_accessor :acme_client_class
+  mattr_accessor :certificate_storage_class
+  mattr_accessor :file_manipulation_class
+  mattr_accessor :nginx_configuration_class
+
+  mattr_accessor :lets_encrypt_test_server_enabled
+end

data/lib/apartment_acme_client/acme_client/proxy.rb

@@ -0,0 +1,14 @@
+module ApartmentAcmeClient
+  module AcmeClient
+    class Proxy
+      def self.singleton(options = {})
+        base_class.new(options)
+      end
+
+      def self.base_class
+        # allow overriding the AcmeClient
+        ApartmentAcmeClient.acme_client_class || AcmeClient::RealClient
+      end
+    end
+  end
+end

data/lib/apartment_acme_client/acme_client/real_client.rb

@@ -0,0 +1,56 @@
+require 'acme-client'
+
+module ApartmentAcmeClient
+  module AcmeClient
+    class RealClient
+      def initialize(private_key:)
+        @client = Acme::Client.new(
+          private_key: private_key,
+          endpoint: server_endpoint,
+        )
+      end
+
+      def register(email)
+        # If the private key is not known to the server, we need to register it for the first time.
+        registration = @client.register(contact: "mailto:#{email}")
+
+        # You may need to agree to the terms of service (that's up the to the server to require it or not but boulder does by default)
+        registration.agree_terms
+
+        true
+      end
+
+      def authorize(domain:)
+        @client.authorize(domain: domain)
+      end
+
+      # Create a Certificate for our new set of domain names
+      # returns that certificate
+      def request_certificate(common_name:, domains:)
+        # We're going to need a certificate signing request. If not explicitly
+        # specified, the first name listed becomes the common name.
+        csr = Acme::Client::CertificateRequest.new(common_name: common_name, names: domains)
+
+        # We can now request a certificate. You can pass anything that returns
+        # a valid DER encoded CSR when calling to_der on it. For example an
+        # OpenSSL::X509::Request should work too.
+        certificate = @client.new_certificate(csr) # => #<Acme::Client::Certificate ....>
+
+        certificate
+      end
+
+      private
+
+      def server_endpoint
+        # We need an ACME server to talk to, see github.com/letsencrypt/boulder
+        # WARNING: This endpoint is the production endpoint, which is rate limited and will produce valid certificates.
+        # You should probably use the staging endpoint for all your experimentation:
+        if ApartmentAcmeClient.lets_encrypt_test_server_enabled
+          'https://acme-staging.api.letsencrypt.org/'
+        else
+          'https://acme-v01.api.letsencrypt.org/'
+        end
+      end
+    end
+  end
+end

data/lib/apartment_acme_client/certificate_storage/proxy.rb

@@ -0,0 +1,15 @@
+module ApartmentAcmeClient
+  module CertificateStorage
+    TEST_PREFIX = "test_".freeze
+
+    class Proxy
+      def self.singleton
+        base_class.new
+      end
+
+      def self.base_class
+        ApartmentAcmeClient.certificate_storage_class || CertificateStorage::S3
+      end
+    end
+  end
+end

data/lib/apartment_acme_client/certificate_storage/s3.rb

@@ -0,0 +1,74 @@
+require 'aws-sdk-s3'
+
+module ApartmentAcmeClient
+  module CertificateStorage
+    class S3
+      def initialize
+        @base_prefix = if ApartmentAcmeClient::lets_encrypt_test_server_enabled
+          TEST_PREFIX
+        else
+          ""
+        end
+      end
+
+      ENCRYPTION_S3_NAME = 'server_encryption_client_private_key.der'.freeze
+
+      def store_certificate(certificate)
+        # Save the certificate and the private key to files
+        File.write(cert_path("privkey.pem"), certificate.request.private_key.to_pem)
+        File.write(cert_path("cert.pem"), certificate.to_pem)
+        File.write(cert_path("chain.pem"), certificate.chain_to_pem)
+        File.write(cert_path("fullchain.pem"), certificate.fullchain_to_pem)
+
+        store_s3_file(derived_filename("privkey.pem"), certificate.request.private_key.to_pem)
+        store_s3_file(derived_filename("cert.pem"), certificate.to_pem)
+        store_s3_file(derived_filename("chain.pem"), certificate.chain_to_pem)
+        store_s3_file(derived_filename("fullchain.pem"), certificate.fullchain_to_pem)
+      end
+
+      # do we have a certificate on this server?
+      # We cannot start nginx when it is pointing at a non-existing certificate,
+      # so we need to check
+      def cert_exists?
+        File.exist?(cert_path("privkey.pem"))
+      end
+
+      def private_key
+        s3_object = s3_file(private_key_s3_filename)
+        return nil unless s3_object.exists?
+
+        s3_object.get.body.read
+      end
+
+      # saves a private key to s3
+      def save_private_key(private_key)
+        store_s3_file(private_key_s3_filename, private_key.to_der)
+      end
+
+      private
+
+      def private_key_s3_filename
+        derived_filename(ENCRYPTION_S3_NAME)
+      end
+
+      def derived_filename(filename)
+        "#{@base_prefix}#{filename}"
+      end
+
+      def store_s3_file(filename, file_contents)
+        object = s3_file(filename)
+        object.put(body: file_contents)
+      end
+
+      def cert_path(filename)
+        File.join(ApartmentAcmeClient.certificate_storage_folder, derived_filename(filename))
+      end
+
+      def s3_file(filename)
+        s3 = Aws::S3::Resource.new(region: ApartmentAcmeClient.aws_region)
+        object = s3.bucket(ApartmentAcmeClient.aws_bucket).object(filename)
+        object
+      end
+    end
+  end
+end

data/lib/apartment_acme_client/domain_checker.rb

@@ -0,0 +1,21 @@
+module ApartmentAcmeClient
+  class DomainChecker
+    # returns an array containing 2 lists:
+    # successful domains
+    # rejected domains (those which don't appear properly configured in DNS)
+    def accessible_domains
+      possible_domains = ApartmentAcmeClient.domains_to_check
+
+      domains = []
+      rejected_domains = []
+      possible_domains.each do |domain|
+        if ApartmentAcmeClient::Verifier.new(domain).properly_configured?
+          domains << domain
+        else
+          rejected_domains << domain
+        end
+      end
+      [domains, rejected_domains]
+    end
+  end
+end

data/lib/apartment_acme_client/encryption.rb

@@ -0,0 +1,134 @@
+require 'openssl'
+
+# Initially, the system is only accessible via subdomain.example.com
+# But, as we add more Conventions, we want to be able to access those also,
+# thus we will need:
+# - a.subdomain.example.com
+# - b.subdomain.example.com
+# - c.subdomain.example.com
+#
+# Also, each convention may add an "alias" for their convention, like:
+# - www.naucc.com
+# - french-convention.unicycle.fr
+#
+# Steps to make this work:
+# 1) When a new Convention is created, or a new alias is added, configure nginx
+#    so that it responds to that domain request
+#    `rake update_nginx_config` (writes a new nginx.conf and restarts nginx)
+#
+# 2) Register the new domain with letsencrypt
+#    `rake renew_and_update_certificate`
+#
+# Manage the encryption of the website (https).
+module ApartmentAcmeClient
+  class Encryption
+    def initialize
+      @certificate_storage = ApartmentAcmeClient::CertificateStorage::Proxy.singleton
+    end
+
+    # Largely based on https://github.com/unixcharles/acme-client documentation
+    def register_new(email)
+      raise StandardError.new("Private key already exists") unless @certificate_storage.private_key.nil?
+
+      private_key = create_private_key
+
+      # Initialize the client
+      new_client = ApartmentAcmeClient::AcmeClient::Proxy.singleton(
+        private_key: private_key,
+      )
+
+      new_client.register(email)
+
+      @certificate_storage.save_private_key(private_key)
+    end
+
+    def authorize_domains(domains)
+      successful_domains = domains.select {|domain| authorize_domain(domain) }
+      successful_domains
+    end
+
+    # authorizes a domain with letsencrypt server
+    # returns true on success, false otherwise.
+    #
+    # from https://github.com/unixcharles/acme-client/tree/master#authorize-for-domain
+    def authorize_domain(domain)
+      authorization = client.authorize(domain: domain)
+
+      # This example is using the http-01 challenge type. Other challenges are dns-01 or tls-sni-01.
+      challenge = authorization.http01
+
+      # The http-01 method will require you to respond to a HTTP request.
+
+      # You can retrieve the challenge token
+      challenge.token # => "some_token"
+
+      # You can retrieve the expected path for the file.
+      challenge.filename # => ".well-known/acme-challenge/:some_token"
+
+      # You can generate the body of the expected response.
+      challenge.file_content # => 'string token and JWK thumbprint'
+
+      # You are not required to send a Content-Type. This method will return the right Content-Type should you decide to include one.
+      challenge.content_type
+
+      # Save the file. We'll create a public directory to serve it from, and inside it we'll create the challenge file.
+      FileUtils.mkdir_p(File.join(ApartmentAcmeClient.public_folder, File.dirname(challenge.filename)))
+
+      # We'll write the content of the file
+      full_challenge_filename = File.join(ApartmentAcmeClient.public_folder, challenge.filename)
+      File.write(full_challenge_filename, challenge.file_content)
+
+      # Optionally save the challenge for use at another time (eg: by a background job processor)
+      #  File.write('challenge', challenge.to_h.to_json)
+
+      # The challenge file can be served with a Ruby webserver.
+      # You can run a webserver in another console for that purpose. You may need to forward ports on your router.
+      #
+      # $ ruby -run -e httpd public -p 8080 --bind-address 0.0.0.0
+
+      # Load a saved challenge. This is only required if you need to reuse a saved challenge as outlined above.
+      #  challenge = client.challenge_from_hash(JSON.parse(File.read('challenge')))
+
+      # Once you are ready to serve the confirmation request you can proceed.
+      challenge.request_verification # => true
+
+      success = false
+      10.times do
+        if challenge.verify_status == 'valid' # may be 'pending' initially
+          success = true
+          break
+        end
+
+        # Wait a bit for the server to make the request, or just blink. It should be fast.
+        sleep(1)
+      end
+      File.delete(full_challenge_filename)
+
+      success
+    end
+
+    def request_certificate(common_name:, domains:)
+      client.request_certificate(common_name: common_name, domains: domains)
+    end
+
+    private
+
+    def client
+      @client ||= ApartmentAcmeClient::AcmeClient::Proxy.singleton(
+        private_key: private_key,
+      )
+    end
+
+    # Returns a private key
+    def private_key
+      private_key = @certificate_storage.private_key
+      return nil unless private_key
+
+      OpenSSL::PKey::RSA.new(private_key)
+    end
+
+    def create_private_key
+      OpenSSL::PKey::RSA.new(4096)
+    end
+  end
+end

data/lib/apartment_acme_client/engine.rb

@@ -0,0 +1,5 @@
+module ApartmentAcmeClient
+  class Engine < ::Rails::Engine
+    isolate_namespace ApartmentAcmeClient
+  end
+end

data/lib/apartment_acme_client/file_manipulation/proxy.rb

@@ -0,0 +1,13 @@
+module ApartmentAcmeClient
+  module FileManipulation
+    class Proxy
+      def self.singleton
+        base_class.new
+      end
+
+      def self.base_class
+        ApartmentAcmeClient.file_manipulation_class || FileManipulation::Real
+      end
+    end
+  end
+end

data/lib/apartment_acme_client/file_manipulation/real.rb

@@ -0,0 +1,37 @@
+require "open3"
+
+module ApartmentAcmeClient
+  module FileManipulation
+    class Real
+      def copy_file(from, to)
+        run_command("sudo cp #{from} #{to}")
+      end
+
+      def restart_service(service)
+        run_command("sudo service #{service} restart")
+      end
+
+      private
+
+      def run_command(command)
+        Open3.popen3(command) do |_stdin, stdout, stderr, wait_thr|
+          stdout_lines = stdout.read
+          # puts "stdout is:" + stdout_lines
+
+          # to watch the output as it runs:
+          # while line = stdout.gets
+          #   puts line
+          # end
+
+          stderr_lines = stderr.read
+          # puts "stderr is:" + stderr_lines
+          exit_status = wait_thr.value
+
+          unless exit_status.success?
+            abort "FAILED !!! #{command}"
+          end
+        end
+      end
+    end
+  end
+end