bullion 0.1.0 → 0.1.2

data/bin/console

@@ -1,7 +1,8 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
-require "bundler/setup"
-require "bullion"
+require 'bundler/setup'
+require 'bullion'
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
@@ -10,5 +11,5 @@ require "bullion"
 # require "pry"
 # Pry.start
 
-require "irb"
+require 'irb'
 IRB.start(__FILE__)

data/bullion.gemspec

@@ -1,28 +1,51 @@
+# frozen_string_literal: true
 
-lib = File.expand_path("../lib", __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "bullion/version"
+require_relative 'lib/bullion/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "bullion"
+  spec.name          = 'bullion'
   spec.version       = Bullion::VERSION
-  spec.authors       = ["Jonathan Gnagy"]
-  spec.email         = ["jonathan.gnagy@gmail.com"]
+  spec.authors       = ['Jonathan Gnagy']
+  spec.email         = ['jonathan.gnagy@gmail.com']
 
-  spec.summary       = 'Ruby ACME v2 Certificate Issuer'
-  spec.homepage      = "https://github.com/jgnagy/bullion"
-  spec.license       = "MIT"
+  spec.summary       = 'Ruby ACME v2 Certificate Authority'
+  spec.homepage      = 'https://github.com/jgnagy/bullion'
+  spec.license       = 'MIT'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/jgnagy/bullion'
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
-  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  spec.bindir        = "exe"
+  spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
+
+  spec.required_ruby_version = '~> 2.6'
+
+  spec.add_runtime_dependency 'httparty',             '~> 0.18'
+  spec.add_runtime_dependency 'json',                 '~> 2.5'
+  spec.add_runtime_dependency 'jwt',                  '~> 1.5'
+  spec.add_runtime_dependency 'mysql2',               '~> 0.5'
+  spec.add_runtime_dependency 'openssl',              '~> 2.2'
+  spec.add_runtime_dependency 'prometheus-client',    '~> 2.1'
+  spec.add_runtime_dependency 'puma',                 '~> 3.12'
+  spec.add_runtime_dependency 'sinatra',              '~> 2.1'
+  spec.add_runtime_dependency 'sinatra-activerecord', '~> 2.0'
+  spec.add_runtime_dependency 'sinatra-contrib',      '~> 2.1'
+  spec.add_runtime_dependency 'sqlite3',              '~> 1.4'
 
-  spec.add_development_dependency "bundler", "~> 1.17"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency 'acme-client',         '~> 2.0'
+  spec.add_development_dependency 'bundler',             '~> 2.0'
+  spec.add_development_dependency 'byebug',              '~> 9'
+  spec.add_development_dependency 'rack-test',           '~> 0.8'
+  spec.add_development_dependency 'rake',                '~> 12.3'
+  spec.add_development_dependency 'rspec',               '~> 3.10'
+  spec.add_development_dependency 'rubocop',             '~> 0.93'
+  spec.add_development_dependency 'simplecov',           '~> 0.20'
+  spec.add_development_dependency 'simplecov-cobertura', '~> 1.4'
+  spec.add_development_dependency 'yard',                '~> 0.9'
 end

data/config.ru

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+# \ -s puma
+
+require 'bullion'
+Bullion.validate_config!
+
+require 'prometheus/middleware/collector'
+require 'prometheus/middleware/exporter'
+
+use Rack::ShowExceptions
+use Rack::Deflater
+use Prometheus::Middleware::Collector
+use Prometheus::Middleware::Exporter
+
+# Prometheus metrics are on /metrics
+mappings = {
+  '/ping' => Bullion::Services::Ping.new,
+  '/acme' => Bullion::Services::CA.new
+}
+
+run Rack::URLMap.new(mappings)

data/config/puma.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+threads 2, Integer(ENV.fetch('MAX_THREADS', 32))

data/db/migrate/20210104000000_create_accounts.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# Creates the accounts table
+class CreateAccounts < ActiveRecord::Migration[6.1]
+  def change
+    create_table :accounts do |t|
+      t.boolean :tos_agreed, null: false, default: true, index: true
+      t.text :public_key, null: false, index: { unique: true }
+      t.text :contacts, null: false
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20210104060422_create_certificates.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# Creates the certificates table
+class CreateCertificates < ActiveRecord::Migration[6.1]
+  def change
+    create_table :certificates do |t|
+      t.string :subject, null: false, index: true
+      t.string :csr_fingerprint, null: false, index: true
+      t.text :data, null: false
+      t.text :alternate_names
+      t.string :requester
+      t.boolean :validated, null: false, default: false, index: true
+      t.integer :serial, null: false, index: { unique: true }
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20210105060406_create_orders.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Creates the orders table
+class CreateOrders < ActiveRecord::Migration[6.1]
+  def change
+    create_table :orders do |t|
+      t.string :status, null: false, default: 'pending', index: true
+      t.timestamp :expires, null: false, index: true
+      t.text :identifiers, null: false
+      t.timestamp :not_before, null: false
+      t.timestamp :not_after, null: false
+      t.references :certificate, foreign_key: true
+
+      t.belongs_to :account
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20210106052306_create_authorizations.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# Creates the authorizations table
+class CreateAuthorizations < ActiveRecord::Migration[6.1]
+  def change
+    create_table :authorizations do |t|
+      t.string :status, null: false, default: 'pending', index: true
+      t.timestamp :expires, null: false, index: true
+      t.text :identifier, null: false
+
+      t.belongs_to :order
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20210106055421_create_challenges.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# Creates the challenges table
+class CreateChallenges < ActiveRecord::Migration[6.1]
+  def change
+    create_table :challenges do |t|
+      t.string :acme_type, null: false, index: true
+      t.string :status, null: false, default: :pending, index: true
+      t.timestamp :expires, null: false, index: true
+      t.string :token, null: false
+      t.timestamp :validated
+
+      t.belongs_to :authorization
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20210106060335_create_nonces.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# Creates the nonces table
+class CreateNonces < ActiveRecord::Migration[6.1]
+  def change
+    create_table :nonces do |t|
+      t.string :token, null: false, index: { unique: true }
+
+      t.timestamps
+    end
+  end
+end

data/db/schema.rb

@@ -0,0 +1,92 @@
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 2021_01_06_060335) do
+
+  create_table "accounts", force: :cascade do |t|
+    t.boolean "tos_agreed", default: true, null: false
+    t.text "public_key", null: false
+    t.text "contacts", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["public_key"], name: "index_accounts_on_public_key", unique: true
+    t.index ["tos_agreed"], name: "index_accounts_on_tos_agreed"
+  end
+
+  create_table "authorizations", force: :cascade do |t|
+    t.string "status", default: "pending", null: false
+    t.datetime "expires", null: false
+    t.text "identifier", null: false
+    t.integer "order_id"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["expires"], name: "index_authorizations_on_expires"
+    t.index ["order_id"], name: "index_authorizations_on_order_id"
+    t.index ["status"], name: "index_authorizations_on_status"
+  end
+
+  create_table "certificates", force: :cascade do |t|
+    t.string "subject", null: false
+    t.string "csr_fingerprint", null: false
+    t.text "data", null: false
+    t.text "alternate_names"
+    t.string "requester"
+    t.boolean "validated", default: false, null: false
+    t.integer "serial", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["csr_fingerprint"], name: "index_certificates_on_csr_fingerprint"
+    t.index ["serial"], name: "index_certificates_on_serial", unique: true
+    t.index ["subject"], name: "index_certificates_on_subject"
+    t.index ["validated"], name: "index_certificates_on_validated"
+  end
+
+  create_table "challenges", force: :cascade do |t|
+    t.string "acme_type", null: false
+    t.string "status", default: "pending", null: false
+    t.datetime "expires", null: false
+    t.string "token", null: false
+    t.datetime "validated"
+    t.integer "authorization_id"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["acme_type"], name: "index_challenges_on_acme_type"
+    t.index ["authorization_id"], name: "index_challenges_on_authorization_id"
+    t.index ["expires"], name: "index_challenges_on_expires"
+    t.index ["status"], name: "index_challenges_on_status"
+  end
+
+  create_table "nonces", force: :cascade do |t|
+    t.string "token", null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["token"], name: "index_nonces_on_token", unique: true
+  end
+
+  create_table "orders", force: :cascade do |t|
+    t.string "status", default: "pending", null: false
+    t.datetime "expires", null: false
+    t.text "identifiers", null: false
+    t.datetime "not_before", null: false
+    t.datetime "not_after", null: false
+    t.integer "certificate_id"
+    t.integer "account_id"
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+    t.index ["account_id"], name: "index_orders_on_account_id"
+    t.index ["certificate_id"], name: "index_orders_on_certificate_id"
+    t.index ["expires"], name: "index_orders_on_expires"
+    t.index ["status"], name: "index_orders_on_status"
+  end
+
+  add_foreign_key "orders", "certificates"
+end

data/lib/bullion.rb

@@ -1,6 +1,97 @@
-require "bullion/version"
+# frozen_string_literal: true
 
+# Standard Library requirements
+require 'base64'
+require 'resolv'
+require 'securerandom'
+require 'time'
+require 'logger'
+require 'openssl'
+
+# External requirements
+require 'sinatra/base'
+require 'sinatra/custom_logger'
+require 'mysql2'
+require 'sinatra/activerecord'
+require 'jwt'
+require 'prometheus/client'
+require 'httparty'
+
+# The top-level module for Bullion
 module Bullion
   class Error < StandardError; end
-  # Your code goes here...
+  class ConfigError < Error; end
+
+  LOGGER = Logger.new($stdout)
+
+  # Config through environment variables
+  CA_DIR       = File.expand_path ENV.fetch('CA_DIR', 'tmp')
+  CA_SECRET    = ENV.fetch('CA_SECRET', 'SomeS3cret')
+  CA_KEY_PATH  = ENV.fetch('CA_KEY_PATH') { File.join(CA_DIR, 'tls.key') }
+  CA_CERT_PATH = ENV.fetch('CA_CERT_PATH') { File.join(CA_DIR, 'tls.crt') }
+  CA_DOMAINS   = ENV.fetch('CA_DOMAINS', 'example.com').split(',')
+
+  # Set up log level
+  LOGGER.level = ENV.fetch('LOG_LEVEL', :warn)
+
+  # 90 days cert expiration
+  CERT_VALIDITY_DURATION = Integer(
+    ENV.fetch('CERT_VALIDITY_DURATION', 60 * 60 * 24 * 30 * 3)
+  )
+
+  DB_CONNECTION_SETTINGS =
+    ENV['DATABASE_URL'] || {
+      adapter: 'mysql2',
+      database: ENV.fetch('DB_NAME', 'bullion'),
+      encoding: ENV.fetch('DB_ENCODING', 'utf8mb4'),
+      pool: Integer(ENV.fetch('MAX_THREADS', 32)),
+      username: ENV.fetch('DB_USERNAME', 'root'),
+      password: ENV['DB_PASSWORD'],
+      host: ENV.fetch('DB_HOST', 'localhost')
+    }
+  DB_CONNECTION_SETTINGS.freeze
+
+  NAMESERVERS = ENV.fetch('DNS01_NAMESERVERS', '8.8.8.8').split(',')
+
+  MetricsRegistry = Prometheus::Client.registry
+
+  def self.ca_key
+    @ca_key ||= OpenSSL::PKey::RSA.new(File.read(CA_KEY_PATH), CA_SECRET)
+  end
+
+  def self.ca_cert
+    @ca_cert ||= OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATH))
+  end
+
+  def self.rotate_keys!
+    @ca_key = nil
+    @ca_cert = nil
+    ca_key
+    ca_cert
+    true
+  end
+
+  # Ensures configuration settings are valid
+  # @see https://support.apple.com/en-us/HT211025
+  def self.validate_config!
+    raise ConfigError, 'Invalid Key Passphrase' unless CA_SECRET.is_a?(String)
+    raise ConfigError, "Invalid Key Path: #{CA_KEY_PATH}" unless File.readable?(CA_KEY_PATH)
+    raise ConfigError, "Invalid Cert Path: #{CA_CERT_PATH}" unless File.readable?(CA_CERT_PATH)
+    raise ConfigError, 'Cert Validity Too Long' if CERT_VALIDITY_DURATION > 60 * 60 * 24 * 397
+    raise ConfigError, 'Cert Validity Too Short' if CERT_VALIDITY_DURATION < 60 * 60 * 24 * 2
+  end
 end
+
+# Internal requirements
+require 'bullion/version'
+require 'bullion/acme/error'
+require 'bullion/helpers/acme'
+require 'bullion/helpers/service'
+require 'bullion/helpers/ssl'
+require 'bullion/models'
+require 'bullion/service'
+require 'bullion/services/ping'
+require 'bullion/services/ca'
+require 'bullion/challenge_client'
+require 'bullion/challenge_clients/dns'
+require 'bullion/challenge_clients/http'

data/lib/bullion/acme/error.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Bullion
+  module Acme
+    # ACME protocol errors super class
+    class Error < Bullion::Error
+      # @see https://tools.ietf.org/html/rfc8555#section-6.7
+      def acme_type
+        'genericError'
+      end
+
+      def acme_preface
+        'urn:ietf:params:acme:error:'
+      end
+
+      def acme_error
+        acme_preface + acme_type
+      end
+    end
+
+    module Errors
+      # ACME exception for bad CSRs
+      class BadCsr < Bullion::Acme::Error
+        def acme_type
+          'badCSR'
+        end
+      end
+
+      # ACME exception for bad Nonces
+      class BadNonce < Bullion::Acme::Error
+        def acme_type
+          'badNonce'
+        end
+      end
+
+      # ACME exception for invalid contacts in accounts
+      class InvalidContact < Bullion::Acme::Error
+        def acme_type
+          'invalidContact'
+        end
+      end
+
+      # ACME exception for invalid orders
+      class InvalidOrder < Bullion::Acme::Error
+        def acme_type
+          'invalidOrder'
+        end
+      end
+
+      # ACME exception for malformed requests
+      class Malformed < Bullion::Acme::Error
+        def acme_type
+          'malformed'
+        end
+      end
+
+      # ACME exception for unsupported contacts in accounts
+      class UnsupportedContact < Bullion::Acme::Error
+        def acme_type
+          'unsupportedContact'
+        end
+      end
+
+      # Non-standard exception for unsupported challenge types
+      class UnsupportedChallengeType < Bullion::Acme::Error
+        def acme_error
+          'urn:ietf:params:bullion:error:unsupportedChallengeType'
+        end
+      end
+    end
+  end
+end