bullion 0.1.0 → 0.1.2

data/lib/bullion/models.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bullion/models/account'
+require 'bullion/models/authorization'
+require 'bullion/models/certificate'
+require 'bullion/models/challenge'
+require 'bullion/models/nonce'
+require 'bullion/models/order'

data/lib/bullion/models/account.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Bullion
+  module Models
+    # ACMEv2 Account model
+    class Account < ActiveRecord::Base
+      serialize :contacts, Array
+      serialize :public_key, Hash
+
+      validates_uniqueness_of :public_key
+
+      has_many :orders
+
+      def kid
+        id
+      end
+
+      def start_order(identifiers:, not_before: nil, not_after: nil)
+        order = Order.new
+        order.not_before = not_before if not_before
+        order.not_after = not_after if not_after
+        order.account = self
+        order.status = 'pending'
+        order.identifiers = identifiers
+        order.save
+
+        order.prep_authorizations!
+
+        order
+      end
+    end
+  end
+end

data/lib/bullion/models/authorization.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Bullion
+  module Models
+    # ACMEv2 Authorization model
+    class Authorization < ActiveRecord::Base
+      serialize :identifier, Hash
+
+      after_initialize :init_values, unless: :persisted?
+
+      belongs_to :order
+      has_many :challenges
+
+      validates :status, inclusion: { in: %w[invalid pending ready processing valid deactivated] }
+
+      def init_values
+        self.expires ||= Time.now + (60 * 60)
+      end
+
+      def prep_challenges!
+        %w[http-01 dns-01].each do |type|
+          chall = Challenge.new
+          chall.authorization = self
+          chall.acme_type = type
+
+          chall.save
+        end
+      end
+    end
+  end
+end

data/lib/bullion/models/certificate.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Bullion
+  module Models
+    # SSL Certificate model
+    class Certificate < ActiveRecord::Base
+      serialize :alternate_names
+
+      after_initialize :init_values, unless: :persisted?
+
+      validates_presence_of :subject
+
+      def init_values
+        self.serial ||= SecureRandom.hex(8).to_i(16)
+      end
+
+      def fingerprint
+        Base64.encode64(OpenSSL::Digest::SHA1.digest(data))
+      end
+
+      def cn
+        subject.split('/').select { |name| name =~ /^CN=/ }.first.split('=').last
+      end
+
+      def self.from_csr(csr)
+        subjt = csr.subject if csr.subject && !csr.subject.to_s.empty?
+
+        cert = new(
+          csr_fingerprint: Base64.encode64(OpenSSL::Digest::SHA1.digest(csr.to_pem)).chomp
+        )
+
+        cert.subject = subjt if subjt
+        cert
+      end
+    end
+  end
+end

data/lib/bullion/models/challenge.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Bullion
+  module Models
+    # ACMEv2 Challenge model
+    class Challenge < ActiveRecord::Base
+      after_initialize :init_values, unless: :persisted?
+
+      belongs_to :authorization
+
+      validates :acme_type, inclusion: { in: %w[http-01 dns-01] }
+      validates :status, inclusion: { in: %w[invalid pending processing valid] }
+
+      def init_values
+        self.expires ||= Time.now + (60 * 60)
+        self.token ||= SecureRandom.alphanumeric(48)
+      end
+
+      def thumbprint
+        cipher = OpenSSL::Digest.new('SHA256')
+        cipher.hexdigest authorization.order.account.public_key.to_json
+      end
+
+      def client
+        case acme_type
+        when 'dns-01'
+          ChallengeClients::DNS.new(self)
+        when 'http-01'
+          ChallengeClients::HTTP.new(self)
+        else
+          raise Bullion::Acme::Errors::UnsupportedChallengeType,
+                "Challenge type '#{acme_type}' is not supported by Bullion."
+        end
+      end
+    end
+  end
+end

data/lib/bullion/models/nonce.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Bullion
+  module Models
+    # ACMEv2 Nonce model
+    class Nonce < ActiveRecord::Base
+      after_initialize :init_values, unless: :persisted?
+
+      validates_uniqueness_of :token
+
+      def init_values
+        self.token ||= SecureRandom.alphanumeric
+      end
+
+      # Delete old nonces
+      def self.clean_up!
+        # nonces older than this can safely be deleted
+        where('created_at < ?', Time.now - 86_400).delete_all
+      end
+    end
+  end
+end

data/lib/bullion/models/order.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Bullion
+  module Models
+    # ACMEv2 Order model
+    class Order < ActiveRecord::Base
+      serialize :identifiers, Array
+
+      after_initialize :init_values, unless: :persisted?
+
+      belongs_to :account
+      has_many :authorizations
+
+      validates :status, inclusion: { in: %w[invalid pending ready processing valid] }
+
+      def init_values
+        self.expires ||= Time.now + (60 * 60)
+        self.not_before ||= Time.now
+        self.not_after ||= Time.now + (60 * 60 * 24 * 90) # 90 days
+      end
+
+      def prep_authorizations!
+        identifiers.each do |identifier|
+          authorization = Authorization.new
+          authorization.order = self
+          authorization.identifier = identifier
+
+          authorization.save
+
+          authorization.prep_challenges!
+        end
+      end
+
+      def certificate
+        Certificate.find(certificate_id)
+      end
+    end
+  end
+end

data/lib/bullion/service.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Bullion
+  # Parent class for API services
+  class Service < Sinatra::Base
+    register Sinatra::ActiveRecordExtension
+    helpers Sinatra::CustomLogger
+
+    configure do
+      set :protection, except: :http_origin
+      set :logging, true
+      set :logger, Bullion::LOGGER
+      set :database, DB_CONNECTION_SETTINGS
+    end
+
+    before do
+      # Sets up a useful variable (@json_body) for accessing a parsed request body
+      if request.content_type&.include?('json') && !request.body.to_s.empty?
+        request.body.rewind
+        @json_body = JSON.parse(request.body.read, symbolize_names: true)
+      end
+    rescue StandardError => e
+      halt(400, { error: "Request must be JSON: #{e.message}" }.to_json)
+    end
+  end
+end

data/lib/bullion/services/ca.rb

@@ -0,0 +1,370 @@
+# frozen_string_literal: true
+
+module Bullion
+  module Services
+    # ACME CA web service
+    class CA < Service
+      helpers Helpers::Acme
+      helpers Helpers::Service
+      helpers Helpers::Ssl
+
+      before do
+        Models::Nonce.clean_up! if rand(5) > 2 # randomly clean up
+        @new_nonce = Models::Nonce.create.token
+      end
+
+      after do
+        if request.options?
+          @allowed_types ||= ['POST']
+          headers 'Access-Control-Allow-Methods' => @allowed_types
+        end
+      end
+
+      options '/directory' do
+        @allowed_types = ['GET']
+        halt 200
+      end
+
+      options '/nonces' do
+        @allowed_types = %w[HEAD GET]
+        halt 200
+      end
+
+      options '/accounts' do
+        halt 200
+      end
+
+      options '/accounts/:id' do
+        halt 200
+      end
+
+      options '/accounts/:id/orders' do
+        halt 200
+      end
+
+      options '/orders' do
+        halt 200
+      end
+
+      options '/orders/:id' do
+        halt 200
+      end
+
+      options '/orders/:id/finalize' do
+        halt 200
+      end
+
+      options '/authorizations/:id' do
+        halt 200
+      end
+
+      options '/challenges/:id' do
+        halt 200
+      end
+
+      options '/certificates/:id' do
+        halt 200
+      end
+
+      # Non-standard endpoint that returns the CA bundle for Bullion
+      # Trusting this bundle should be sufficient to trust all Bullion-issued certs
+      options '/cabundle' do
+        @allowed_types = ['GET']
+        halt 200
+      end
+
+      # The directory is used to find all required URLs for the ACME endpoints
+      # @see https://tools.ietf.org/html/rfc8555#section-7.1.1
+      get '/directory' do
+        content_type 'application/json'
+
+        {
+          newNonce: uri('/nonces'),
+          newAccount: uri('/accounts'),
+          newOrder: uri('/orders'),
+          revokeCert: uri('/revokecert'),
+          keyChange: uri('/keychanges'),
+          # non-standard entries:
+          caBundle: uri('/cabundle')
+        }.to_json
+      end
+
+      # Responds with Bullion's PEM-encoded public cert
+      get '/cabundle' do
+        expires 3600 * 48, :public, :must_revalidate
+        content_type 'application/x-pem-file'
+
+        attachment 'cabundle.pem'
+        Bullion.ca_cert.to_pem
+      end
+
+      # Retrieves a Nonce via a HEAD request
+      # @see https://tools.ietf.org/html/rfc8555#section-7.2
+      head '/nonces' do
+        add_acme_headers @new_nonce, additional: { 'Cache-Control' => 'no-store' }
+
+        halt 200
+      end
+
+      # Retrieves a Nonce via a GET request
+      # @see https://tools.ietf.org/html/rfc8555#section-7.2
+      get '/nonces' do
+        add_acme_headers @new_nonce, additional: { 'Cache-Control' => 'no-store' }
+
+        halt 204
+      end
+
+      # Creates an account or verifies that an account exists
+      # @see https://tools.ietf.org/html/rfc8555#section-7.3
+      post '/accounts' do
+        header_data = JSON.parse(Base64.decode64(@json_body[:protected]))
+        begin
+          parse_acme_jwt(header_data['jwk'], validate_nonce: false)
+
+          validate_account_data(@payload_data)
+        rescue Bullion::Acme::Error => e
+          content_type 'application/problem+json'
+          halt 400, { type: e.acme_error, detail: e.message }.to_json
+        end
+
+        user = Models::Account.where(
+          public_key: header_data['jwk']
+        ).first
+
+        if @payload_data['onlyReturnExisting']
+          content_type 'application/problem+json'
+          halt 400, { type: 'urn:ietf:params:acme:error:accountDoesNotExist' }.to_json unless user
+        end
+
+        user ||= Models::Account.new(public_key: header_data['jwk'])
+        user.tos_agreed = true
+        user.contacts = @payload_data['contact']
+        user.save
+
+        content_type 'application/json'
+        add_acme_headers @new_nonce, additional: { 'Location' => uri("/accounts/#{user.id}") }
+
+        halt 201, {
+          'status': user.tos_agreed? ? 'valid' : 'pending',
+          'contact': user.contacts,
+          'orders': uri("/accounts/#{user.id}/orders")
+        }.to_json
+      end
+
+      # Endpoint for updating accounts
+      # @see https://tools.ietf.org/html/rfc8555#section-7.3.2
+      post '/accounts/:id' do
+        parse_acme_jwt
+
+        unless params[:id] == @user.id
+          content_type 'application/json'
+          add_acme_headers @new_nonce
+
+          halt 403, { error: 'Accounts can only view or update themselves' }.to_json
+        end
+
+        content_type 'application/json'
+
+        {
+          'status': 'valid',
+          'orders': uri("/accounts/#{@user.id}/orders"),
+          'contact': @user.contacts
+        }.to_json
+      end
+
+      post '/accounts/:id/orders' do
+        parse_acme_jwt
+
+        unless params[:id] == @user.id
+          content_type 'application/json'
+          add_acme_headers @new_nonce
+
+          halt 403, { error: 'Accounts can only view or update themselves' }.to_json
+        end
+
+        content_type 'application/json'
+        add_acme_headers @new_nonce
+
+        {
+          orders: @user.orders.map { |order| uri("/orders/#{order.id}") }
+        }
+      end
+
+      # Endpoint for creating new orders
+      # @see https://tools.ietf.org/html/rfc8555#section-7.4
+      post '/orders' do
+        parse_acme_jwt
+
+        # Only identifiers of type "dns" are supported
+        identifiers = @payload_data['identifiers'].select { |i| i['type'] == 'dns' }
+
+        validate_order(@payload_data)
+
+        order = @user.start_order(
+          identifiers: identifiers,
+          not_before: @payload_data['notBefore'],
+          not_after: @payload_data['notAfter']
+        )
+
+        content_type 'application/json'
+        add_acme_headers @new_nonce, additional: { 'Location' => uri("/orders/#{order.id}") }
+
+        halt 201, {
+          status: order.status,
+          expires: order.expires,
+          notBefore: order.not_before,
+          notAfter: order.not_after,
+          identifiers: order.identifiers,
+          authorizations: order.authorizations.map { |a| uri("/authorizations/#{a.id}") },
+          finalize: uri("/orders/#{order.id}/finalize")
+        }.to_json
+      rescue Bullion::Acme::Error => e
+        content_type 'application/problem+json'
+        halt 400, { type: e.acme_error, detail: e.message }.to_json
+      end
+
+      # Retrieve existing Orders
+      post '/orders/:id' do
+        parse_acme_jwt
+
+        content_type 'application/json'
+        add_acme_headers @new_nonce
+
+        order = Models::Order.find(params[:id])
+
+        data = {
+          status: order.status,
+          expires: order.expires,
+          notBefore: order.not_before,
+          notAfter: order.not_after,
+          identifiers: order.identifiers,
+          authorizations: order.authorizations.map { |a| uri("/authorizations/#{a.id}") },
+          finalize: uri("/orders/#{order.id}/finalize")
+        }
+
+        data[:certificate] = uri("/certificates/#{order.certificate.id}") if order.status == 'valid'
+
+        data.to_json
+      end
+
+      # Submit an order for finalization/signing
+      # @see https://tools.ietf.org/html/rfc8555#section-7.4
+      post '/orders/:id/finalize' do
+        parse_acme_jwt
+
+        content_type 'application/json'
+        add_acme_headers @new_nonce, additional: { 'Location' => uri("/orders/#{order.id}") }
+
+        raw_csr_data = Base64.urlsafe_decode64(@payload_data['csr'])
+        encoded_csr = Base64.encode64(raw_csr_data)
+
+        csr_data = openssl_compat_csr(encoded_csr)
+
+        csr = OpenSSL::X509::Request.new(csr_data)
+
+        order = Models::Order.find(params[:id])
+
+        unless validate_csr(csr) && validate_acme_csr(order, csr)
+          content_type 'application/problem+json'
+          halt 400, {
+            type: Bullion::Acme::Errors::BadCSR.new.acme_error,
+            detail: 'CSR failed validation'
+          }.to_json
+        end
+
+        cert_id = sign_csr(csr, @user.contacts.first, acme: true).last
+
+        order.certificate_id = cert_id
+        order.status = 'valid'
+        order.save
+
+        data = {
+          status: order.status,
+          expires: order.expires,
+          notBefore: order.not_before,
+          notAfter: order.not_after,
+          identifiers: order.identifiers,
+          authorizations: order.authorizations.map { |a| uri("/authorizations/#{a.id}") },
+          finalize: uri("/orders/#{order.id}/finalize")
+        }
+
+        data[:certificate] = uri("/certificates/#{order.certificate.id}") if order.status == 'valid'
+
+        data.to_json
+      end
+
+      # Shows that the client controls the account private key
+      # @see https://tools.ietf.org/html/rfc8555#section-7.5
+      post '/authorizations/:id' do
+        parse_acme_jwt
+
+        content_type 'application/json'
+        add_acme_headers @new_nonce
+
+        authorization = Models::Authorization.find(params[:id])
+        halt 404 unless authorization
+
+        data = {
+          status: authorization.status,
+          expires: authorization.expires,
+          identifier: authorization.identifier,
+          challenges: authorization.challenges.map do |c|
+            chash = {}
+            chash[:type] = c.acme_type
+            chash[:url] = uri("/challenges/#{c.id}")
+            chash[:token] = c.token
+            chash[:status] = c.status
+            chash[:validated] = c.validated if c.status == 'valid'
+
+            chash
+          end
+        }
+
+        data.to_json
+      end
+
+      # Starts server verification of a challenge (either HTTP call or DNS lookup)
+      # @see https://tools.ietf.org/html/rfc8555#section-7.5.1
+      post '/challenges/:id' do
+        parse_acme_jwt
+
+        content_type 'application/json'
+        add_acme_headers @new_nonce
+
+        challenge = Models::Challenge.find(params[:id])
+
+        # Oddly enough, cert-manager uses a GET request for retrieving Challenge info
+        challenge.client.attempt unless @parsed_body[:payload] == ''
+
+        data = {
+          type: challenge.acme_type,
+          status: challenge.status,
+          expires: challenge.expires,
+          token: challenge.token,
+          url: uri("/challenges/#{challenge.id}")
+        }
+
+        data[:validated] = challenge.validated if challenge.status == 'valid'
+
+        data.to_json
+      end
+
+      # Retrieves a signed certificate
+      # @see https://tools.ietf.org/html/rfc8555#section-7.4.2
+      post '/certificates/:id' do
+        parse_acme_jwt
+
+        order = Models::Order.where(certificate_id: params[:id]).first
+        if order && order.status == 'valid'
+          content_type 'application/pem-certificate-chain'
+
+          cert = Models::Certificate.find(params[:id])
+
+          cert.data + Bullion.ca_cert.to_pem
+        else
+          halt(422, { 'error': 'Order not valid' }.to_json)
+        end
+      end
+    end
+  end
+end