bullion 0.4.1 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da2051eea8f881ee3e56d351b6bee7494fb7de959eba77aae739328edffd5e0f
-  data.tar.gz: ad9035c201b16287f3ddc77819d5305d59fe35fda7f7c38ef5a10478ac399fd4
+  metadata.gz: 010c02c548debe154dae0438bf036238266630be93974cdb264983843286a56e
+  data.tar.gz: 02412dd0d7268bcef1e19b7c863a21f7252d5a7633fecd236bc768758506169a
 SHA512:
-  metadata.gz: 6ddacf95015d6d107ee32641dceb3eadde5239c74969ce1ce5d3853f3a65012c702054cb89d7926f3309635126e609dee49001a6da90755c400a81c483eb076d
-  data.tar.gz: 933fa8702de9730366cae2e62ab4c8087bcdb7e846efef4ef54be39a1e6b242c19f77dc947ffa7717a018ae9d123ca750e23aa81db8d60853842513a470d5e7a
+  metadata.gz: 65c9667eb7c624797e20c054694b7f2da90ad36ed541836e02500b0cd7bcca0359d432d3062b77dacb4c5455e11d741a91fa5d61a596b673f6bf1fe302a8968a
+  data.tar.gz: 6bbb7cab6cf45c08899fafbf9291dbe9de7a61ac10af364d622d72eea5b857ee4889c3a4e813b7d5adac8383596c2dec9bb6bf111e2405501a7604293432f20e

data/.rubocop.yml

@@ -10,7 +10,7 @@ AllCops:
   Exclude:
   - 'db/schema.rb'
   - 'vendor/**/*'
-  TargetRubyVersion: 3.1
+  TargetRubyVersion: 3.2
   NewCops: enable
 
 Metrics/AbcSize:

data/Gemfile.lock

@@ -1,7 +1,8 @@
 PATH
   remote: .
   specs:
-    bullion (0.4.1)
+    bullion (0.4.2)
+      dry-configurable (~> 1.1)
       httparty (~> 0.21)
       json (~> 2.6)
       jwt (~> 2.7)
@@ -48,6 +49,12 @@ GEM
     docile (1.4.0)
     drb (2.2.0)
       ruby2_keywords
+    dry-configurable (1.1.0)
+      dry-core (~> 1.0, < 2)
+      zeitwerk (~> 2.6)
+    dry-core (1.0.1)
+      concurrent-ruby (~> 1.0)
+      zeitwerk (~> 2.6)
     e2mmap (0.1.0)
     faraday (2.7.12)
       base64
@@ -70,7 +77,6 @@ GEM
       kramdown (~> 2.0)
     language_server-protocol (3.17.0.3)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.5)
     minitest (5.20.0)
     multi_json (1.15.0)
     multi_xml (0.6.0)
@@ -79,8 +85,9 @@ GEM
     mutex_m (0.2.0)
     mysql2 (0.5.5)
     nio4r (2.6.1)
-    nokogiri (1.15.5)
-      mini_portile2 (~> 2.8.2)
+    nokogiri (1.15.5-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.15.5-x86_64-linux)
       racc (~> 1.4)
     openssl (3.2.0)
     parallel (1.23.0)
@@ -180,8 +187,8 @@ GEM
       thor (~> 1.0)
       tilt (~> 2.0)
       yard (~> 0.9, >= 0.9.24)
-    sqlite3 (1.6.9)
-      mini_portile2 (~> 2.8.0)
+    sqlite3 (1.6.9-arm64-darwin)
+    sqlite3 (1.6.9-x86_64-linux)
     thor (1.3.0)
     tilt (2.3.0)
     timeout (0.4.1)
@@ -189,9 +196,11 @@ GEM
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
     yard (0.9.34)
+    zeitwerk (2.6.12)
 
 PLATFORMS
-  ruby
+  arm64-darwin-23
+  x86_64-linux
 
 DEPENDENCIES
   acme-client (~> 2.0)

data/Rakefile

@@ -94,7 +94,7 @@ desc "Cleans up test or demo environment"
 task :cleanup do
   at_exit do
     if File.exist?("#{File.expand_path(".")}/tmp/daemon.pid")
-      system("kill $(cat #{File.expand_path(".")}/tmp/daemon.pid)")
+      system("kill $(cat #{File.expand_path(".")}/tmp/daemon.pid) > /dev/null 2>&1")
     end
     FileUtils.rm_f(File.join(File.expand_path("."), "tmp", "tls.crt"))
     FileUtils.rm_f(File.join(File.expand_path("."), "tmp", "tls.key"))

data/bullion.gemspec

@@ -24,8 +24,9 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = "~> 3.1"
+  spec.required_ruby_version = "~> 3.2"
 
+  spec.add_runtime_dependency "dry-configurable",     "~> 1.1"
   spec.add_runtime_dependency "httparty",             "~> 0.21"
   spec.add_runtime_dependency "json",                 "~> 2.6"
   spec.add_runtime_dependency "jwt",                  "~> 2.7"

data/lib/bullion/challenge_clients/dns.rb

@@ -5,9 +5,8 @@ module Bullion
     # ACME DNS01 Challenge Client
     # @see https://tools.ietf.org/html/rfc8555#section-8.4
     class DNS < ChallengeClient
-      def type
-        "DNS01"
-      end
+      def self.acme_type = "dns-01"
+      def type = "DNS01"
 
       def perform
         value = dns_value
@@ -29,7 +28,7 @@ module Bullion
 
       def dns_value
         # Randomly select a nameserver to pull the TXT record
-        nameserver = NAMESERVERS.sample
+        nameserver = Bullion.config.nameservers.sample
 
         LOGGER.debug "Looking up #{dns_name}"
         records = records_for(dns_name, nameserver)

data/lib/bullion/challenge_clients/http.rb

@@ -5,9 +5,8 @@ module Bullion
     # ACME HTTP01 Challenge Client
     # @see https://tools.ietf.org/html/rfc8555#section-8.3
     class HTTP < ChallengeClient
-      def type
-        "HTTP01"
-      end
+      def self.acme_type = "http-01"
+      def type = "HTTP01"
 
       def perform
         response = begin

data/lib/bullion/helpers/acme.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 module Bullion
+  # Common helper functions
   module Helpers
     # ACME-specific helper functions
     module Acme
@@ -144,12 +145,9 @@ module Bullion
         end
 
         # Extract domains that end with something in our allowed domains list
-        valid_domains = order_domains.reject do |domain|
-          endings = CA_DOMAINS.select { |d| domain["value"].end_with?(d) }
-          endings.empty?
-        end
+        valid_domains = extract_valid_order_domains(order_domains)
 
-        # Only allow CA_DOMAINS domains...
+        # Only allow configured domains...
         unless order_domains == valid_domains
           raise(
             Bullion::Acme::Errors::InvalidOrder,
@@ -187,6 +185,12 @@ module Bullion
       # rubocop:enable Metrics/AbcSize
       # rubocop:enable Metrics/CyclomaticComplexity
       # rubocop:enable Metrics/PerceivedComplexity
+
+      def extract_valid_order_domains(order_domains)
+        order_domains.reject do |domain|
+          Bullion.config.ca.domains.none? { domain["value"].end_with?(_1) }
+        end
+      end
     end
   end
 end

data/lib/bullion/helpers/ssl.rb

@@ -184,7 +184,7 @@ module Bullion
       def filter_sans(potential_sans)
         # Select only those that are part of the appropriate domain
         potential_sans.select do |alt|
-          CA_DOMAINS.filter_map { |domain| alt.end_with?(".#{domain}") }.any?
+          Bullion.config.ca.domains.filter_map { |domain| alt.end_with?(".#{domain}") }.any?
         end
       end
 

data/lib/bullion/models/challenge.rb

@@ -8,12 +8,11 @@ module Bullion
 
       belongs_to :authorization
 
-      validates :acme_type, inclusion: { in: %w[http-01 dns-01] }
+      validates :acme_type, inclusion: {
+        in: -> { Bullion.config.acme.challenge_clients.map(&:acme_type) }
+      }
       validates :status, inclusion: { in: %w[invalid pending processing valid] }
 
-      scope :dns01, -> { where(acme_type: "dns-01") }
-      scope :http01, -> { where(acme_type: "http-01") }
-
       def identifier
         authorization.identifier["value"]
       end
@@ -29,15 +28,14 @@ module Bullion
       end
 
       def client
-        case acme_type
-        when "dns-01"
-          DNS_CHALLENGE_CLIENT.new(self)
-        when "http-01"
-          HTTP_CHALLENGE_CLIENT.new(self)
-        else
+        challenge_class = Bullion.acme.challenge_clients.find { _1.acme_type == acme_type }
+
+        unless challenge_class
           raise Bullion::Acme::Errors::UnsupportedChallengeType,
                 "Challenge type '#{acme_type}' is not supported by Bullion."
         end
+
+        challenge_class.new(self)
       end
     end
   end

data/lib/bullion/service.rb

@@ -10,7 +10,7 @@ module Bullion
       set :protection, except: :http_origin
       set :logging, true
       set :logger, Bullion::LOGGER
-      set :database, DB_CONNECTION_SETTINGS
+      set :database, Bullion.config.db_url
       set :show_exceptions, false
     end
 

data/lib/bullion/version.rb

@@ -4,6 +4,6 @@ module Bullion
   VERSION = [
     0, # major
     4, # minor
-    1 # patch
+    2 # patch
   ].join(".")
 end

data/lib/bullion.rb

@@ -9,6 +9,7 @@ require "logger"
 require "openssl"
 
 # External requirements
+require "dry-configurable"
 require "sinatra/base"
 require "sinatra/contrib"
 require "sinatra/custom_logger"
@@ -20,50 +21,57 @@ require "httparty"
 
 # The top-level module for Bullion
 module Bullion
+  extend Dry::Configurable
+
   class Error < StandardError; end
   class ConfigError < Error; end
 
+  # Set up logging
   LOGGER = Logger.new($stdout)
-
-  # Config through environment variables
-  CA_DIR       = File.expand_path ENV.fetch("CA_DIR", "tmp")
-  CA_SECRET    = ENV.fetch("CA_SECRET", "SomeS3cret")
-  CA_KEY_PATH  = ENV.fetch("CA_KEY_PATH") { File.join(CA_DIR, "tls.key") }
-  CA_CERT_PATH = ENV.fetch("CA_CERT_PATH") { File.join(CA_DIR, "tls.crt") }
-  CA_DOMAINS   = ENV.fetch("CA_DOMAINS", "example.com").split(",")
-
-  # Set up log level
   LOGGER.level = ENV.fetch("LOG_LEVEL", :warn)
 
-  # 90 days cert expiration
-  CERT_VALIDITY_DURATION = Integer(
-    ENV.fetch("CERT_VALIDITY_DURATION", 60 * 60 * 24 * 30 * 3)
-  )
-
-  DB_CONNECTION_SETTINGS =
-    ENV.fetch("DATABASE_URL") do
-      {
-        adapter: "mysql2",
-        database: ENV.fetch("DB_NAME", "bullion"),
-        encoding: ENV.fetch("DB_ENCODING", "utf8mb4"),
-        pool: Integer(ENV.fetch("MAX_THREADS", 32)),
-        username: ENV.fetch("DB_USERNAME", "root"),
-        password: ENV.fetch("DB_PASSWORD", nil),
-        host: ENV.fetch("DB_HOST", "localhost")
+  setting :ca, reader: true do
+    setting :dir, default: "tmp", constructor: -> { File.expand_path(_1) }
+    setting :secret, default: "SomeS3cret"
+    setting(
+      :key_path,
+      default: "tls.key",
+      constructor: lambda { |v|
+        v.include?("/") ? File.expand_path(v) : File.join(Bullion.config.ca.dir, v)
       }
-    end
-  DB_CONNECTION_SETTINGS.freeze
+    )
+    setting(
+      :cert_path,
+      default: "tls.crt",
+      constructor: lambda { |v|
+        v.include?("/") ? File.expand_path(v) : File.join(Bullion.config.ca.dir, v)
+      }
+    )
+    setting :domains, default: "example.com", constructor: -> { _1.split(",") }
+    # 90 days cert expiration
+    setting :cert_validity_duration, default: 60 * 60 * 24 * 30 * 3, constructor: -> { Integer(_1) }
+  end
+
+  setting :acme, reader: true do
+    setting(
+      :challenge_clients,
+      default: ["Bullion::ChallengeClients::DNS", "Bullion::ChallengeClients::HTTP"],
+      constructor: -> { _1.map { |n| Kernel.const_get(n.to_s) } }
+    )
+  end
 
-  NAMESERVERS = ENV.fetch("DNS01_NAMESERVERS", "").split(",")
+  setting :db_url, reader: true
+
+  setting :nameservers, default: [], constructor: -> { _1.split(",") }
 
   MetricsRegistry = Prometheus::Client.registry
 
   def self.ca_key
-    @ca_key ||= OpenSSL::PKey::RSA.new(File.read(CA_KEY_PATH), CA_SECRET)
+    @ca_key ||= OpenSSL::PKey::RSA.new(File.read(config.ca.key_path), config.ca.secret)
   end
 
   def self.ca_cert
-    @ca_cert ||= OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATH))
+    @ca_cert ||= OpenSSL::X509::Certificate.new(File.read(config.ca.cert_path))
   end
 
   def self.rotate_keys!
@@ -76,15 +84,50 @@ module Bullion
 
   # Ensures configuration settings are valid
   # @see https://support.apple.com/en-us/HT211025
-  def self.validate_config!
-    raise ConfigError, "Invalid Key Passphrase" unless CA_SECRET.is_a?(String)
-    raise ConfigError, "Invalid Key Path: #{CA_KEY_PATH}" unless File.readable?(CA_KEY_PATH)
-    raise ConfigError, "Invalid Cert Path: #{CA_CERT_PATH}" unless File.readable?(CA_CERT_PATH)
-    raise ConfigError, "Cert Validity Too Long" if 60 * 60 * 24 * 397 < CERT_VALIDITY_DURATION
-    raise ConfigError, "Cert Validity Too Short" if 60 * 60 * 24 * 2 > CERT_VALIDITY_DURATION
+  def self.validate_config! # rubocop:disable Metrics/AbcSize
+    raise ConfigError, "Invalid Key Passphrase" unless config.ca.secret.is_a?(String)
+
+    unless File.readable?(config.ca.key_path)
+      raise ConfigError,
+            "Invalid Key Path: #{config.ca.key_path}"
+    end
+    unless File.readable?(config.ca.cert_path)
+      raise ConfigError,
+            "Invalid Cert Path: #{config.ca.cert_path}"
+    end
+    if 60 * 60 * 24 * 397 < config.ca.cert_validity_duration
+      raise ConfigError,
+            "Cert Validity Too Long"
+    end
+    if 60 * 60 * 24 * 2 > config.ca.cert_validity_duration
+      raise ConfigError,
+            "Cert Validity Too Short"
+    end
+    raise ConfigError, "Missing DATABASE_URL" unless config.db_url
   end
 end
 
+Bullion.configure do |config|
+  # Config through environment variables
+  ca_dir       = ENV.fetch("CA_DIR", nil)
+  ca_secret    = ENV.fetch("CA_SECRET", nil)
+  ca_key_path  = ENV.fetch("CA_KEY_PATH", nil)
+  ca_cert_path = ENV.fetch("CA_CERT_PATH", nil)
+  ca_domains   = ENV.fetch("CA_DOMAINS", nil)
+  cert_dur     = ENV.fetch("CERT_VALIDITY_DURATION", nil)
+  db_url       = ENV.fetch("DATABASE_URL", nil)
+  nameservers  = ENV.fetch("DNS01_NAMESERVERS", nil)
+
+  config.ca.dir = ca_dir if ca_dir
+  config.ca.secret = ca_secret if ca_secret
+  config.ca.key_path = ca_key_path if ca_key_path
+  config.ca.cert_path = ca_cert_path if ca_cert_path
+  config.ca.domains = ca_domains if ca_domains
+  config.ca.cert_validity_duration = cert_dur if cert_dur
+  config.db_url = db_url if db_url
+  config.nameservers = nameservers if nameservers
+end
+
 # Internal requirements
 require "bullion/version"
 require "bullion/acme/error"
@@ -103,9 +146,8 @@ if %w[development test].include?(ENV["RACK_ENV"])
   require "bullion/rspec/challenge_clients/dns"
   require "bullion/rspec/challenge_clients/http"
 
-  Bullion::DNS_CHALLENGE_CLIENT = Bullion::RSpec::ChallengeClients::DNS
-  Bullion::HTTP_CHALLENGE_CLIENT = Bullion::RSpec::ChallengeClients::HTTP
-else
-  Bullion::DNS_CHALLENGE_CLIENT = Bullion::ChallengeClients::DNS
-  Bullion::HTTP_CHALLENGE_CLIENT = Bullion::ChallengeClients::HTTP
+  Bullion.config.acme.challenge_clients = [
+    "Bullion::RSpec::ChallengeClients::DNS",
+    "Bullion::RSpec::ChallengeClients::HTTP"
+  ]
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bullion
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.4.2
 platform: ruby
 authors:
 - Jonathan Gnagy
@@ -10,6 +10,20 @@ bindir: exe
 cert_chain: []
 date: 2023-11-29 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: dry-configurable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: httparty
   requirement: !ruby/object:Gem::Requirement
@@ -418,7 +432,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - "~>"
     - !ruby/object:Gem::Version
-      version: '3.1'
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="