bullion 0.1.0 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3b88cfcad16d974ad6145f6ae559fcbf9b32298cfc74c981255654f6d30bd784
-  data.tar.gz: cfd3a6bf3394dd2639e9a3e2f7e0d10b59705a666645c27ad24364f72b8a4abb
+  metadata.gz: 010be491b129c74b11557aa08487ea130d9026af4a84cb1036b7e3409cab8633
+  data.tar.gz: 7de3eba05bded0ffcb439cc8c0f2faa1539020767d761e8bc773b10ee8439519
 SHA512:
-  metadata.gz: 5497a50668f1e1bd5e942e3b519f608fc1ec840c9e4d61720ebf5b9674981fc41eb4a9a125bbd6b7f5ac8ed311c5db27b6b444204720847da74d3d946c26e42e
-  data.tar.gz: 33f8cde6f20d336b350e60a7334a4652f5fb6ea18bbf9956b63011aedb246a7cd910e919e1a2e877346432d945e1cb368ca10299131a0a03b1b3447470ab8956
+  metadata.gz: 4d198c5fb45716236d64d2cf180bc4494cbaad7e0d07d30e6f5a25dc80caba635999df72bd4cf80cc281e96e7d517fb64af4bc6afd8926f8aa17c95ab1f5eb37
+  data.tar.gz: b230b4bc97c014b27037d0dcf9a938af9e14d2cf51a5925b25a54e09ef3b69650aa95feb14da7dbf93277f75350d421c36656b9c6d973335c1a0cf386bceb76a

data/.gitignore

@@ -9,3 +9,6 @@
 
 # rspec failure tracking
 .rspec_status
+
+.DS_Store
+*.gem

data/.rubocop.yml

@@ -0,0 +1,32 @@
+Layout/LineLength:
+  Max: 100
+
+AllCops:
+  Exclude:
+    - 'spec/**/*_spec.rb'
+    - 'db/schema.rb'
+    - 'vendor/**/*'
+  TargetRubyVersion: 2.6
+  NewCops: enable
+
+Metrics/AbcSize:
+  Max: 21
+
+Metrics/BlockLength:
+  Max: 30
+  Exclude:
+  - 'Rakefile'
+  - '*.gemspec'
+
+Metrics/MethodLength:
+  Max: 20
+
+Metrics/ModuleLength:
+  Max: 150
+
+Metrics/ClassLength:
+  Max: 300
+
+Style/StringConcatenation:
+  Exclude:
+  - 'Rakefile'

data/.travis.yml

@@ -1,7 +1,15 @@
----
-sudo: false
 language: ruby
 cache: bundler
 rvm:
-  - 2.6.5
-before_install: gem install bundler -v 1.17.3
+- 2.6
+- 2.7
+before_install: gem install bundler -v 2.1.4
+deploy:
+  provider: rubygems
+  api_key:
+    secure: zDbqFIQbCirgJ7KLCAyJV6KvJIOFa+FyDVXgrOTopDUUHbqV+tBMO/bvcMOwSUZQKsqfR/HMgoVCEDnq+iesLIQqBrSAuFcjEFM06rF7KC7Q7y0pmXVuK/I3tyQ1nsvOBApc6PHLxu+cEFZ3K37Rx5AZpj/wss+Oqz6Rx0VO7IgZ7Zs/+Ssp6aESSxs+IEXhK+wekEzt6lznqvcuZ5Z/KUlZ2Hd8uH7JxpBQb3EdzFD6coxaisb6ZIX9S7EPJeA08kmswPmv12HVJjm2M6dW6cyeZLbkGct1tnRqmxxSwFJqMJ8/Omlh26+1iaeFKnahBW3OsaiepSFeXfpACSmo+NhOO6cLDxvs5Fk9QsvXIvib1rSkTvNjZZnKN/fd48lcG7U/XiOJefFV23IeILNXiEFI6tDWlGiMQ/qZvQtlgmCsAeu31eW2oxGLFw4651q2ORUENXu5nuC9zQaxniPxsk1DnQVasn2TbVt6Hmpe4R9JWdd59eFddMAK4pysFGr1+jJzEdVw3/SbI+5cSoQ8DCSHxfJhLWjL0I2NjArtnjoeVOLqyDIs6h0FObKP4pi6TxlpGlbh2uf7jT2VIDoUnQwnHjLJiKYG+dK6Xvw6+j82a0QOA9wreEasri2LG1N7UUD5vBSYkJrCy/7u65rfZ438RDM66n1dyZKZ81pXP3w=
+  gem: bullion
+  on:
+    tags: true
+    repo: jgnagy/bullion
+  skip_cleanup: 'true'

data/Dockerfile

@@ -0,0 +1,55 @@
+FROM ruby:2.6-alpine AS build
+
+ENV RACK_ENV=development
+
+COPY . /build
+
+RUN apk --no-cache upgrade \
+    && apk --no-cache add git mariadb-client mariadb-connector-c \
+       runit sqlite-dev \
+    && apk --no-cache add --virtual build-dependencies \
+       build-base mariadb-dev
+
+RUN apk add build-base \
+    && cd /build \
+    && gem build bullion.gemspec \
+    && mv bullion*.gem /bullion.gem
+
+WORKDIR /build
+
+FROM ruby:2.6-alpine
+LABEL maintainer="Jonathan Gnagy <jonathan.gnagy@gmail.com>"
+
+ENV BULLION_PORT=9292
+ENV BULLION_ENVIRONMENT=development
+ENV DATABASE_URL=sqlite3:///tmp/bullion.db
+
+RUN apk --no-cache upgrade \
+    && apk --no-cache add git mariadb-client mariadb-connector-c \
+       runit sqlite-dev \
+    && apk --no-cache add --virtual build-dependencies \
+       build-base mariadb-dev
+
+RUN mkdir /app
+
+COPY ./scripts/docker-entrypoint.sh /entrypoint.sh
+COPY --from=build /bullion.gem /app/bullion.gem
+COPY ./db /app/db
+COPY ./config.ru /app/config.ru
+COPY ./Rakefile /app/Rakefile
+
+RUN mkdir /ssl
+
+RUN chmod +x /entrypoint.sh \
+    && chown nobody /app/db \
+    && chown nobody /app/db/schema.rb \
+    && chown -R nobody:nogroup /ssl
+
+WORKDIR /app
+
+RUN gem install bullion.gem \
+    && apk del build-dependencies
+
+USER nobody
+
+ENTRYPOINT ["/entrypoint.sh"]

data/Gemfile

@@ -1,6 +1,8 @@
-source "https://rubygems.org"
+# frozen_string_literal: true
 
-git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 
 # Specify your gem's dependencies in bullion.gemspec
 gemspec

data/Gemfile.lock

@@ -0,0 +1,148 @@
+PATH
+  remote: .
+  specs:
+    bullion (0.1.2)
+      httparty (~> 0.18)
+      json (~> 2.5)
+      jwt (~> 1.5)
+      mysql2 (~> 0.5)
+      openssl (~> 2.2)
+      prometheus-client (~> 2.1)
+      puma (~> 3.12)
+      sinatra (~> 2.1)
+      sinatra-activerecord (~> 2.0)
+      sinatra-contrib (~> 2.1)
+      sqlite3 (~> 1.4)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    acme-client (2.0.7)
+      faraday (>= 0.17, < 2.0.0)
+    activemodel (6.1.1)
+      activesupport (= 6.1.1)
+    activerecord (6.1.1)
+      activemodel (= 6.1.1)
+      activesupport (= 6.1.1)
+    activesupport (6.1.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
+    ast (2.4.1)
+    byebug (9.1.0)
+    concurrent-ruby (1.1.7)
+    diff-lcs (1.4.4)
+    docile (1.3.5)
+    faraday (1.3.0)
+      faraday-net_http (~> 1.0)
+      multipart-post (>= 1.2, < 3)
+      ruby2_keywords
+    faraday-net_http (1.0.1)
+    httparty (0.18.1)
+      mime-types (~> 3.0)
+      multi_xml (>= 0.5.2)
+    i18n (1.8.7)
+      concurrent-ruby (~> 1.0)
+    json (2.5.1)
+    jwt (1.5.6)
+    mime-types (3.3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2020.1104)
+    minitest (5.14.3)
+    multi_json (1.15.0)
+    multi_xml (0.6.0)
+    multipart-post (2.1.1)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
+    mysql2 (0.5.3)
+    openssl (2.2.0)
+    parallel (1.20.1)
+    parser (3.0.0.0)
+      ast (~> 2.4.1)
+    prometheus-client (2.1.0)
+    puma (3.12.6)
+    rack (2.2.3)
+    rack-protection (2.1.0)
+      rack
+    rack-test (0.8.3)
+      rack (>= 1.0, < 3)
+    rainbow (3.0.0)
+    rake (12.3.3)
+    regexp_parser (2.0.3)
+    rexml (3.2.4)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.1)
+    rubocop (0.93.1)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.5)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8)
+      rexml
+      rubocop-ast (>= 0.6.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (1.4.0)
+      parser (>= 2.7.1.5)
+    ruby-progressbar (1.11.0)
+    ruby2_keywords (0.0.2)
+    simplecov (0.21.2)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-cobertura (1.4.2)
+      simplecov (~> 0.8)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.2)
+    sinatra (2.1.0)
+      mustermann (~> 1.0)
+      rack (~> 2.2)
+      rack-protection (= 2.1.0)
+      tilt (~> 2.0)
+    sinatra-activerecord (2.0.21)
+      activerecord (>= 4.1)
+      sinatra (>= 1.0)
+    sinatra-contrib (2.1.0)
+      multi_json
+      mustermann (~> 1.0)
+      rack-protection (= 2.1.0)
+      sinatra (= 2.1.0)
+      tilt (~> 2.0)
+    sqlite3 (1.4.2)
+    tilt (2.0.10)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (1.7.0)
+    yard (0.9.26)
+    zeitwerk (2.4.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  acme-client (~> 2.0)
+  bullion!
+  bundler (~> 2.0)
+  byebug (~> 9)
+  rack-test (~> 0.8)
+  rake (~> 12.3)
+  rspec (~> 3.10)
+  rubocop (~> 0.93)
+  simplecov (~> 0.20)
+  simplecov-cobertura (~> 1.4)
+  yard (~> 0.9)
+
+BUNDLED WITH
+   2.1.4

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2020 Jonathan Gnagy
+Copyright (c) 2021 Jonathan Gnagy
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -1,38 +1,70 @@
-# Bullion
+<img src=".images/logo.png" alt="Bullion logo" title="Bullion" align="right" height="60" />
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/bullion`. To experiment with that code, run `bin/console` for an interactive prompt.
+# Bullion
 
-TODO: Delete this and the text above, and describe your gem
+Bullion is an [ACMEv2](https://tools.ietf.org/html/rfc8555)-compatible Certificate Authority (just like [Let's Encrypt](https://letsencrypt.org/)). Bullion makes it easy to leverage open standards for provisioning certificates for internal sites and services. Things like [cert-manager](https://cert-manager.io/), [certbot](https://certbot.eff.org/), and many other technologies work great with Let's Encrypt for _external_ hostnames, but for private domains and servers that aren't Internet accessible, there are few easy options.
 
-## Installation
+Bullion installs easily (both as a ruby gem or a Docker image) and will shortly come with Kubernetes examples and even a helm chart to make installing it that much easier. For its data, Bullion works with either [SQLite3](https://sqlite.org/index.html) for very small sites (where HA and high-throughput isn't a concern) or with [MariaDB](https://mariadb.org/)/[MySQL](https://www.mysql.com/).
 
-Add this line to your application's Gemfile:
+The goal of the Bullion project is to make running a scalable, internal ACMEv2 CA easy. Either make a custom root CA certificate or give Bullion a signed intermediary to use in simple, compatible PEM format and you're up and running.
 
-```ruby
-gem 'bullion'
-```
+## Why not use...
 
-And then execute:
+* Let's Encrypt? Let's Encrypt is a **fantastic** service and has help make securing communication over the Internet easy and free. That said, for internal (e.g., _inside_ the firewall) communication, it isn't particularly useful.
 
-    $ bundle
+* [Boulder](https://github.com/letsencrypt/boulder)? Let's Encrypt's Boulder is the code used by Let's Encrypt to run their public service. It is, of course, fantastic software. That said, it is a pretty complex architecture consisting of many components. It is built to scale to the needs of a huge number of public users. Per [the Boulder documentation](https://github.com/letsencrypt/boulder#production), "often Boulder is not the right fit for organizations that are evaluating it for production usage". It may meet your needs, but it is probably both overkill and more difficult to get up and running than you'll need.
 
-Or install it yourself as:
+* [cfssl](https://github.com/cloudflare/cfssl)? The "cfssl" project is a great tool for running a tiny CA for manually managing certs. It is certainly easier than using OpenSSL directly. While it offers an API, it isn't an ACME-compliant API and has less integration with things like Kubernetes. While I'm a fan of the project but it didn't meet my needs with creating certificates through automation and at the scale I need.
 
-    $ gem install bullion
+* [step-ca](https://smallstep.com/blog/private-acme-server/)? The step-ca project is a well-documented and robust CA and includes nearly all the features of Bullion. It really is wonderful, but the project takes on more than the goal of managing the provisioning of certificates via the ACME protocol. While there's no strong argument against using step-ca, it might be more complicated to setup and manage than Bullion for your scenario.
 
 ## Usage
 
-TODO: Write usage instructions here
+### Running
+
+TODO: Write instructions for starting Bullion
+
+### Configuration Options
+
+Whether run locally or via Docker, the following environment variables configure Bullion:
+
+| Environment Variable | Default Value | Description |
+| --- | --- | --- |
+| `CA_DIR` | `./tmp/` | Path to directory container the public and private key for Bullion. |
+| `CA_SECRET` | `SomeS3cret` | Secret used to read the encrypted `$CA_KEY` PEM. |
+| `CA_KEY_PATH` | `$CA_DIR/tls.key` | Private signer key for Bullion. Keep this safe! |
+| `CA_CERT_PATH` | `$CA_DIR/tls.crt` | Public cert for Bullion. If Bullion is an intermediate CA, you'll want to include the root CA's public cert in this file as well the signed cert for Bullion. |
+| `CA_DOMAINS` | `example.com` | A comma-delimited list of domains for which Bullion will sign certificate requests. Subdomains are automatically allowed. Certificates containing other domains will be rejected. |
+| `CERT_VALIDITY_DURATION` | `7776000` | How long should issued certs be valid (in seconds)? Default is 90 days. |
+| `DATABASE_URL` | _None_ | A shorthand for telling Bullion how to connect to a database. Acceptable URLs will either being with `sqlite3:` or [`mysql2://`](https://github.com/brianmario/mysql2#using-active-records-database_url). |
+| `DNS01_NAMESERVERS` | `8.8.8.8` | A comma-delimited list of nameservers to use for resolving [DNS-01](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) challenges. Usually you'll want this to be set to your _internal_ nameservers so internal names resolve correctly. |
+| `LOG_LEVEL` | `warn` | Log level for Bullion. Supported levels (starting with the noisiest) are debug, info, warn, error, and fatal. |
+| `BULLION_PORT` | `9292` | TCP port Bullion will listen on. |
+| `MIN_THREADS` | `2` | Minimum number of [Puma](https://puma.io/) threads for processing requests. |
+| `MAX_THREADS` | `32` | Maximum number of [Puma](https://puma.io/) threads for processing requests. |
+| `RACK_ENV` | `production`* | When run via Docker, the default is `production`, when run via `rake local_demo` it is `development`. Used to tell Bullion if it is run in development mode or for testing. |
+
+### Integrating
+
+Any client that speaks the [ACMEv2](https://tools.ietf.org/html/rfc8555) protocol can be pointed at `/acme/directory` and everything else can be auto-discovered.
+
+Bullion also supports a non-standard directory option `caBundle` (which directs clients to `/acme/cabundle`) that responds with Bullion's PEM-encoded public key. Trusting this should automatically trust certificates signed by Bullion (eliminating browser messages about untrusted/unverified certificates).
+
+### Monitoring
+
+Bullion provides a `/ping` endpoint that should respond with `{ 'status': 'up' }` when Bullion is functional and ready to receive requests.
+
+Prometheus metrics are also scrapable at `/metrics`. This includes typical web request information as well as latencies related to the different Challenge types.
 
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+To install this gem onto your local machine, run `bundle exec rake install`.
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/bullion. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+Bug reports and pull requests are welcome on GitHub at https://github.com/jgnagy/bullion. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
 
 ## License
 
@@ -40,4 +72,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Code of Conduct
 
-Everyone interacting in the Bullion project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/bullion/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the Bullion project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/jgnagy/bullion/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -1,6 +1,91 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+# frozen_string_literal: true
+
+if %w[development test].include? ENV['RACK_ENV']
+  ENV['DATABASE_URL'] = "sqlite3:#{File.expand_path('.')}/tmp/db/#{ENV['RACK_ENV']}.sqlite3"
+end
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+require 'yard'
+require 'openssl'
+require 'sqlite3'
+require 'sinatra/activerecord/rake'
+
+namespace :db do
+  task :load_config do
+    ActiveRecord::Base.establish_connection(ENV['DATABASE_URL'])
+  end
+end
 
 RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new(:rubocop)
+YARD::Rake::YardocTask.new
+
+task :prep do
+  FileUtils.mkdir_p(File.join(File.expand_path('.'), 'tmp'))
+  ENV['CA_DIR'] = File.join(File.expand_path('.'), 'tmp').to_s
+  ENV['CA_SECRET'] = 'SomeS3cret'
+  ENV['CA_DOMAINS'] = 'test.domain'
+
+  key = OpenSSL::PKey::RSA.new(4096)
+  File.open(File.join(File.expand_path('.'), 'tmp', 'tls.key'), 'w') do |f|
+    f.write key.to_pem(OpenSSL::Cipher.new('aes-128-cbc'), ENV['CA_SECRET'])
+  end
+
+  root_ca = OpenSSL::X509::Certificate.new
+  root_ca.version = 2
+  root_ca.serial = (2**rand(10..20)) - 1
+  root_ca.subject = OpenSSL::X509::Name.parse(
+    %w[test domain].reverse.map { |piece| "DC=#{piece}" }.join('/') + '/CN=bullion'
+  )
+  root_ca.issuer = root_ca.subject # root CA's are "self-signed"
+  root_ca.public_key = key.public_key
+  root_ca.not_before = Time.now
+  root_ca.not_after = root_ca.not_before + 5 * 365 * 24 * 60 * 60 # 5 years validity
+  ef = OpenSSL::X509::ExtensionFactory.new
+  ef.subject_certificate = root_ca
+  ef.issuer_certificate = root_ca
+  root_ca.add_extension(
+    ef.create_extension('basicConstraints', 'CA:TRUE', true)
+  )
+  root_ca.add_extension(
+    ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true)
+  )
+  root_ca.add_extension(
+    ef.create_extension('subjectKeyIdentifier', 'hash', false)
+  )
+  root_ca.add_extension(
+    ef.create_extension('authorityKeyIdentifier', 'keyid:always', false)
+  )
+  root_ca.sign(key, OpenSSL::Digest.new('SHA256'))
+  File.open(File.join(File.expand_path('.'), 'tmp', 'tls.crt'), 'w') do |f|
+    f.write root_ca.to_pem
+  end
+end
+
+task :demo do
+  system("rackup -D -P #{File.expand_path('.')}/tmp/daemon.pid")
+end
+
+task :foreground_demo do
+  system("rackup -P #{File.expand_path('.')}/tmp/daemon.pid")
+end
+
+task :cleanup do
+  at_exit do
+    system("kill $(cat #{File.expand_path('.')}/tmp/daemon.pid)")
+    FileUtils.rm_f(File.join(File.expand_path('.'), 'tmp', 'tls.crt'))
+    FileUtils.rm_f(File.join(File.expand_path('.'), 'tmp', 'tls.key'))
+    FileUtils.rm_rf(File.join(File.expand_path('.'), 'tmp', 'db'))
+    ENV['CA_DIR'] = nil
+    ENV['CA_SECRET'] = nil
+    ENV['CA_DOMAINS'] = nil
+  end
+end
+
+Rake::Task['spec'].enhance(['cleanup'])
+
+task default: %i[prep db:migrate demo spec rubocop]
 
-task :default => :spec
+task local_demo: %i[prep db:migrate foreground_demo]