cert_watch 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0235895da21094eabbdc37b3641a63a5fcfc2b3c
+  data.tar.gz: 192222872b10fc655735666b4d06e0c0e997ec2a
+SHA512:
+  metadata.gz: f9f00d934bf03f0fbfb3b2c2b3918acb4c3e1a2e6c6d22ee91c6bbc33835945048a9eaddc2ff28945a64d9bc1f00f24dadfde3f6941239b85cd360842d4cae92
+  data.tar.gz: cbed0377537e874fe030f1c2aaca33b5d7aaf9a6756b6628c2fdd71c4dc64349a3f03cf70f940101775395df9a1ce8cae548348056be40b770ebc3844690652c

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2016 Tim Fischbach
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,151 @@
+# CertWatch
+
+[![Gem Version](https://badge.fury.io/rb/cert_watch.svg)](http://badge.fury.io/rb/cert_watch)
+[![Dependency Status](https://gemnasium.com/badges/github.com/codevise/cert_watch.svg)](https://gemnasium.com/github.com/codevise/cert_watch)
+[![Build Status](https://travis-ci.org/codevise/cert_watch.svg?branch=master)](https://travis-ci.org/codevise/cert_watch)
+[![Coverage Status](https://coveralls.io/repos/github/codevise/cert_watch/badge.svg?branch=master)](https://coveralls.io/github/codevise/cert_watch?branch=master)
+[![Code Climate](https://codeclimate.com/github/codevise/cert_watch/badges/gpa.svg)](https://codeclimate.com/github/codevise/cert_watch)
+
+A Rails engine to manage and automatically obtain, install and renew
+SSL certificates.
+
+## Ingredients
+
+CertWatch consists of the following components:
+
+* Resque jobs to renew and install certificates.
+* A mixin for models with a `cname` attribute to request certificats
+  on attribute change.
+
+Optionally:
+
+* An Active Admin resource to manage certificates.
+* An Arbre view component to display certificate status for a given
+  domain.
+
+## Requirements
+
+* Rails 4
+* [Resque](https://github.com/resque/resque)
+* [Resque Scheduler](https://github.com/resque/resque-scheduler)
+* [Resque Logger](https://github.com/salizzar/resque-logger)
+* [Certbot](https://certbot.eff.org/)
+
+## Limitations
+
+* Requires `sudo` on the server. The `certbot` script used to obtain
+  certificates needs root priviledges. This could probably be avoided
+  by using the
+  [`acme-client` gem](https://github.com/unixcharles/acme-client)
+  instead.
+* Works only with webservers that can read certificates from a
+  directory (Tested with HAProxy).
+
+## Installation
+
+Add the following lines to your `Gemfile` and run `bundle install`:
+
+```ruby
+gem 'cert_watch'
+
+# Required since state_machine gem is unmaintained
+gem 'state_machine', git: 'https://github.com/codevise/state_machine.git'
+```
+
+Add an initializer:
+
+```ruby
+# config/initializers/cert_watch.rb
+CertWatch.setup do |config|
+  # Uncomment any of the below options to change the default
+
+  # Maximum age of certificates before renewal.
+  # config.renewal_interval = 1.month
+
+  # Number of expiring certificates to renew in one run of the
+  # `RenewExpiringCertificatesJob`.
+  # config.renewal_batch_size = 10
+
+  # File name of the certbot executable.
+  # config.certbot_executable = '/usr/local/share/letsencrypt/bin/certbot'
+
+  # Port for the standalone certbot HTTP server
+  # config.certbot_port = 9999
+
+  # Directory certbot outputs certificates to
+  # config.certbot_output_directory = '/etc/letsencrypt/live'
+
+  # Directory the web server reads pem files from
+  # config.pem_directory = '/etc/haproxy/ssl/
+
+  # Command to make server reload pem files
+  # config.server_reload_command = '/etc/init.d/haproxy reload'
+end
+```
+
+Include the `DomainOwner` mixin into a model with a domain
+attribute. This makes CertWatch obtain or renew certificates whenever
+the attribute changes. Validation has to be provided by the host
+application.
+
+```ruby
+# app/models/account.rb
+# assuming Account has a cname attribute
+class Account
+  include CertWatch.domain_owner(attribute: :cname)
+end
+```
+
+If you want to use the Active Admin resource, add the following line
+to the top of your Active Admin initializer:
+
+```ruby
+# config/initializers/active_admin.rb
+ActiveAdmin.application.load_paths.unshift(CertWatch.active_admin_load_path)
+```
+
+If you use the CanCan authorization adapter, you also need add the
+following rule for users that should be allowed to manage certificats:
+
+```ruby
+# app/models/ability.rb
+can :manage, CertWatch::Certificate
+```
+
+Now install migrations and migrate your database:
+
+```
+$ bin/rake cert_watch:install:migrations
+$ bin/rake db:migrate
+```
+
+Setup your `resque_schedule.yml` to check for expiring certificates:
+
+```
+# config/resque_schedule.yml
+fetch_billed_traffic_usages:
+  every:
+    - "5h"
+    - :first_in: "1m"
+  class: "CertWatch::RenewExpiringCertificatesJob"
+  queue: cert_watch
+  description: "Check for expiring SSL certificates"
+```
+
+Finally ensure Resque workers have been assigned to the `cert_watch`
+queue.
+
+## Active Admin View Components
+
+You can render a status tag displaying the current certificate state
+for a given domain:
+
+```ruby
+# app/admin/dashboard.rb
+require 'cert_watch/views/certificate_state'
+
+div(class: 'account_cname') do
+  text_node(account.cname)
+  cert_watch_certificate_state(account.cname)
+end
+```

data/Rakefile

@@ -0,0 +1,16 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+
+require 'bundler/gem_tasks'
+Bundler::GemHelper.install_tasks
+
+require 'semmy'
+Semmy::Tasks.install
+
+task default: :spec

data/app/assets/javascripts/cert_watch/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/stylesheets/cert_watch/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/cert_watch/application_controller.rb

@@ -0,0 +1,5 @@
+module CertWatch
+  class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
+  end
+end

data/app/jobs/cert_watch/install_certificate_job.rb

@@ -0,0 +1,16 @@
+module CertWatch
+  class InstallCertificateJob
+    extend StateMachineJob
+
+    @queue = :cert_watch
+
+    def self.perform_with_result(certificate, _options = {})
+      CertWatch.installer.install(certificate.domain)
+      certificate.last_installed_at = Time.now
+      :ok
+    rescue InstallError
+      certificate.last_install_failed_at = Time.now
+      fail
+    end
+  end
+end

data/app/jobs/cert_watch/renew_certificate_job.rb

@@ -0,0 +1,16 @@
+module CertWatch
+  class RenewCertificateJob
+    extend StateMachineJob
+
+    @queue = :cert_watch
+
+    def self.perform_with_result(certificate, _options = {})
+      CertWatch.client.renew(certificate.domain)
+      certificate.last_renewed_at = Time.now
+      :ok
+    rescue RenewError
+      certificate.last_renewal_failed_at = Time.now
+      fail
+    end
+  end
+end

data/app/jobs/cert_watch/renew_expiring_certificates_job.rb

@@ -0,0 +1,13 @@
+module CertWatch
+  class RenewExpiringCertificatesJob
+    @queue = :cert_watch
+
+    def self.perform
+      Certificate
+        .installed
+        .expiring
+        .limit(CertWatch.config.renewal_batch_size)
+        .each(&:renew)
+    end
+  end
+end

data/app/models/cert_watch/certificate.rb

@@ -0,0 +1,42 @@
+module CertWatch
+  class Certificate < ActiveRecord::Base
+    state_machine initial: 'not_installed' do
+      extend StateMachineJob::Macro
+
+      event :renew do
+        transition 'not_installed' => 'renewing'
+        transition 'installed' => 'renewing'
+        transition 'renewing_failed' => 'renewing'
+        transition 'installing_failed' => 'renewing'
+        transition 'abandoned' => 'renewing'
+      end
+
+      event :install do
+        transition 'installed' => 'installing'
+        transition 'installing_failed' => 'installing'
+      end
+
+      job RenewCertificateJob do
+        on_enter 'renewing'
+        result ok: 'installing'
+        result error: 'renewing_failed'
+      end
+
+      job InstallCertificateJob do
+        on_enter 'installing'
+        result ok: 'installed'
+        result error: 'installing_failed'
+      end
+
+      event :abandon do
+        transition any => 'abandoned'
+      end
+    end
+
+    scope(:installed, -> { where(state: 'installed') })
+    scope(:processing, -> { where(state: %w(renewing installing)) })
+    scope(:failed, -> { where(state: %w(renewing_failed installing_failed)) })
+    scope(:expiring, -> { where('last_renewed_at < ?', CertWatch.config.renewal_interval.ago) })
+    scope(:abandoned, -> { where(state: 'abandoned') })
+  end
+end

data/app/views/layouts/cert_watch/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>CertWatch</title>
+  <%= stylesheet_link_tag    "cert_watch/application", media: "all" %>
+  <%= javascript_include_tag "cert_watch/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/locales/de.yml

@@ -0,0 +1,47 @@
+de:
+  cert_watch:
+    states:
+      short:
+        not_found: "Nicht installiert"
+        not_installed: "Nicht installiert"
+        renewing: "Wird erneuert..."
+        renewing_failed: "Erneuerung fehlgeschlagen"
+        installing: "Wird installiert..."
+        installing_failed: "Installation fehlgeschlagen"
+        installed: "Installiert"
+        abandoned: "Unbenutzt"
+      long:
+        not_found: "SSL nicht installiert"
+        not_installed: "SSL nicht installiert"
+        renewing: "SSL wird eingerichtet..."
+        renewing_failed: "SSL Erneuerung fehlgeschlagen"
+        installing: "SSL wird installiert..."
+        installing_failed: "SSL Installation fehlgeschlagen"
+        installed: "SSL installiert"
+        abandoned: "SSL Zertifikat unbenutzt"
+    admin:
+      certificates:
+        renew: "Erneuern"
+        confirm_renew: "Soll das Zertifikat wirklich erneuert werden?"
+        install: "Installieren"
+        confirm_install: "Soll das Zertifikat wirklich installiert werden?"
+  activerecord:
+    models:
+      "cert_watch/certificate":
+        one: "SSL Zertifikat"
+        other: "SSL Zertifikate"
+    attributes:
+      "cert_watch/certificate":
+        domain: "Domain"
+        state: "Status"
+        created_at: "Erstellt am"
+        last_renewed_at: "Zuletzt erneuert"
+        last_renewal_failed_at: "Erneuerung fehlgeschlagen"
+        last_installed_at: "Zuletzt installiert"
+        last_install_failed_at: "Installation fehlgeschlagen"
+  active_admin:
+    scopes:
+      installed: "Installiert"
+      processing: "In Verarbeitung"
+      failed: "Fehlgeschlagen"
+      abandoned: "Unbenutzt"

data/config/locales/en.yml

@@ -0,0 +1,47 @@
+en:
+  cert_watch:
+    states:
+      short:
+        not_found: "Not installed"
+        not_installed: "Not installed"
+        renewing: "Renewing..."
+        renewing_failed: "Renewing failed"
+        installing: "Installing..."
+        installing_failed: "Installing failed"
+        installed: "Installed"
+        abandoned: "Unused"
+      long:
+        not_found: "SSL not installed"
+        not_installed: "SSL not installed"
+        renewing: "SSL is being renewed..."
+        renewing_failed: "SSL renewal failed"
+        installing: "SSL is being installed..."
+        installing_failed: "SSL install failed "
+        installed: "SSL installed"
+        abandoned: "SSL certificate unused"
+    admin:
+      certificates:
+        renew: "Renew"
+        confirm_renew: "Are you sure you want to renew the certificate?"
+        install: "Install"
+        confirm_install: "Are you sure you want to reinstall this certificate?"
+  activerecord:
+    models:
+      "cert_watch/certificate":
+        one: "SSL Certificate"
+        other: "SSL Certificates"
+    attributes:
+      "cert_watch/certificate":
+        domain: "Domain"
+        state: "State"
+        created_at: "Created at"
+        last_renewed_at: "Last renewed at"
+        last_renewal_failed_at: "Last failed renewal"
+        last_installed_at: "Last installed at"
+        last_install_failed_at: "Last failed install"
+  active_admin:
+    scopes:
+      installed: "Installed"
+      processing: "Processing"
+      failed: "Failed"
+      abandoned: "Unused"

data/config/routes.rb

@@ -0,0 +1,2 @@
+CertWatch::Engine.routes.draw do
+end

data/db/migrate/20160711193700_create_certificates.rb

@@ -0,0 +1,18 @@
+class CreateCertificates < ActiveRecord::Migration
+  def change
+    create_table :cert_watch_certificates do |t|
+      t.string :state, default: 'not_installed', null: false
+      t.string :domain
+
+      t.datetime :last_renewed_at
+      t.datetime :last_renewal_failed_at
+
+      t.datetime :last_installed_at
+      t.datetime :last_install_failed_at
+
+      t.timestamps null: false
+    end
+
+    add_index 'cert_watch_certificates', ['domain'], name: 'index_cert_watch_certificates_on_domain', using: :btree
+  end
+end

data/lib/cert_watch/CHANGELOG.md

@@ -0,0 +1,5 @@
+# CHANGELOG
+
+### Version 1.0.0
+
+Initial release.

data/lib/cert_watch/certbot_client.rb

@@ -0,0 +1,32 @@
+module CertWatch
+  class CertbotClient < Client
+    def initialize(options)
+      @executable = options.fetch(:executable)
+      @port = options.fetch(:port)
+      @shell = options.fetch(:shell, Shell)
+    end
+
+    def renew(domain)
+      if Rails.env.development?
+        Rails.logger.info("[CertWatch] Skipping certificate renewal for #{domain} in development.")
+        return
+      end
+
+      @shell.sudo(renew_command(domain))
+    rescue Shell::CommandFailed => e
+      fail(RenewError, e.message)
+    end
+
+    private
+
+    def renew_command(domain)
+      Sanitize.check_domain!(domain)
+      "#{@executable} certonly #{flags} -d #{domain}"
+    end
+
+    def flags
+      '--agree-tos --renew-by-default ' \
+      "--standalone --standalone-supported-challenges http-01 --http-01-port #{@port}"
+    end
+  end
+end

data/lib/cert_watch/client.rb

@@ -0,0 +1,7 @@
+module CertWatch
+  class Client
+    def renew(_domain)
+      fail(NotImplementedError)
+    end
+  end
+end

data/lib/cert_watch/configuration.rb

@@ -0,0 +1,37 @@
+module CertWatch
+  class Configuration
+    # Maximum age of certificates before renewal.
+    attr_accessor :renewal_interval
+
+    # Number of expiring certificates to renew in one run of the
+    # `RenewExpiringCertificatesJob`.
+    attr_accessor :renewal_batch_size
+
+    # File name of the certbot executable.
+    attr_accessor :certbot_executable
+
+    # Port for the standalone certbot HTTP server
+    attr_accessor :certbot_port
+
+    # Directory certbot outputs certificates to
+    attr_accessor :certbot_output_directory
+
+    # Directory the web server reads pem files from
+    attr_accessor :pem_directory
+
+    # Command to make server reload pem files
+    attr_accessor :server_reload_command
+
+    def initialize
+      @renewal_interval = 1.month
+      @renewal_batch_size = 10
+
+      @certbot_executable = '/usr/local/share/letsencrypt/bin/certbot'
+      @certbot_port = 9999
+      @certbot_output_directory = '/etc/letsencrypt/live'
+
+      @pem_directory = '/etc/haproxy/ssl/'
+      @server_reload_command = '/etc/init.d/haproxy reload'
+    end
+  end
+end

data/lib/cert_watch/domain_owner.rb

@@ -0,0 +1,23 @@
+module CertWatch
+  module DomainOwner
+    def self.define(options)
+      attribute = options.fetch(:attribute).to_s
+
+      Module.new do
+        extend ActiveSupport::Concern
+
+        included do
+          after_save do
+            if changed.include?(attribute)
+              previous_value = changes[attribute].first
+              new_value = self[attribute]
+
+              Certificate.find_by(domain: previous_value).try(:abandon)
+              Certificate.find_or_create_by(domain: new_value).renew if new_value.present?
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/cert_watch/engine.rb

@@ -0,0 +1,10 @@
+require 'state_machine'
+require 'state_machine_job'
+
+module CertWatch
+  class Engine < ::Rails::Engine
+    isolate_namespace CertWatch
+
+    config.autoload_paths << File.join(config.root, 'lib')
+  end
+end

data/lib/cert_watch/error.rb

@@ -0,0 +1,4 @@
+module CertWatch
+  class Error < StandardError
+  end
+end

data/lib/cert_watch/install_error.rb

@@ -0,0 +1,4 @@
+module CertWatch
+  class InstallError < Error
+  end
+end

data/lib/cert_watch/installer.rb

@@ -0,0 +1,7 @@
+module CertWatch
+  class PemDirectoryInstaller < Installer
+    def install(_domain)
+      fail(NotImplementedError)
+    end
+  end
+end

data/lib/cert_watch/pem_directory_installer.rb

@@ -0,0 +1,55 @@
+module CertWatch
+  class PemDirectoryInstaller
+    def initialize(options)
+      @pem_directory = options.fetch(:pem_directory)
+      @input_directory = options.fetch(:input_directory)
+      @reload_command = options[:reload_command]
+    end
+
+    def install(domain)
+      if Rails.env.development?
+        Rails.logger.info("[CertWatch] Skipping certificate install for #{domain} in development.")
+        return
+      end
+
+      Sanitize.check_domain!(domain)
+
+      check_inputs_exist(domain)
+      write_pem_file(domain)
+      perform_reload_command
+    end
+
+    private
+
+    def check_inputs_exist(domain)
+      Shell.sudo("ls #{input_files(domain)}")
+    rescue Shell::CommandFailed
+      fail(InstallError, "Input files '#{input_files(domain)}' do not exist.")
+    end
+
+    def write_pem_file(domain)
+      sudo("cat #{input_files(domain)} > #{pem_file(domain)}")
+    end
+
+    def input_files(domain)
+      ['fullchain.pem', 'privkey.pem'].map do |file_name|
+        File.join(@input_directory, domain, file_name)
+      end.join(' ')
+    end
+
+    def pem_file(domain)
+      File.join(@pem_directory, "#{domain}.pem")
+    end
+
+    def perform_reload_command
+      return unless @reload_command
+      sudo(@reload_command)
+    end
+
+    def sudo(command)
+      Shell.sudo(command)
+    rescue Shell::CommandFailed => e
+      fail(InstallError, e.message)
+    end
+  end
+end

data/lib/cert_watch/renew_error.rb

@@ -0,0 +1,4 @@
+module CertWatch
+  class RenewError < Error
+  end
+end