certmeister-rack 0.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 50f3f6929f52a9500d3e1a1f1f983ed7de5a3fd7
+  data.tar.gz: c5b34e536ce55388c1937c8f25eef3bbd79f06c1
+SHA512:
+  metadata.gz: cd6d0dea0018201e2fb0e4e26a5ce1aa41f609ca6208d42e411ee3fd670cfa0a8cda1fd1fb820aa2ae02eae2951be134ecd47b8bd047a90a8385b04c1a0ebd22
+  data.tar.gz: a0b1d591d24dbf43d9a3dea978f7db4cabf1211130bf5ea14e9ad6e915570eb526c98a489da90448f2722e229bd83b5422734d5ca5644f29e9509110c7aa70b8

data/lib/certmeister/rack/app.rb

@@ -0,0 +1,107 @@
+require 'rack/request'
+require 'certmeister/rack/symbolic_hash_accessor'
+
+module Certmeister
+
+  module Rack
+
+    class App
+
+      def initialize(ca)
+        @ca = ca
+      end
+
+      def call(env)
+        req = ::Rack::Request.new(env)
+        if req.path_info == '/ping'
+          if req.request_method == 'GET'
+            ok('PONG')
+          else
+            method_not_allowed
+          end
+        elsif req.path_info =~ %r{^/certificate/(.+)}
+          req.params['cn'] = $1
+          req.params['ip'] = req.ip
+          case req.request_method
+            when 'POST' then sign_action(req)
+            when 'GET' then fetch_action(req)
+            when 'DELETE' then remove_action(req)
+            else method_not_allowed
+          end
+        else
+          not_implemented
+        end
+      end
+
+      private
+
+      def sign_action(req)
+        response = @ca.sign(SymbolicHashAccessor.new(req.params))
+        if response.hit?
+          redirect(req.path)
+        elsif response.denied?
+          forbidden(response.error)
+        else
+          internal_server_error(response.error)
+        end
+      end
+
+      def fetch_action(req)
+        response = @ca.fetch(SymbolicHashAccessor.new(req.params))
+        if response.hit?
+          ok(response.pem, 'application/x-pem-file')
+        elsif response.miss?
+          not_found
+        elsif response.denied?
+          forbidden(response.error)
+        else
+          internal_server_error(response.error)
+        end
+      end
+
+      def remove_action(req)
+        response = @ca.remove(SymbolicHashAccessor.new(req.params))
+        if response.hit?
+          ok
+        elsif response.miss?
+          not_found
+        elsif response.denied?
+          forbidden(response.error)
+        else
+          internal_server_error(response.error)
+        end
+      end
+
+      def ok(body = '200 OK', content_type = 'text/plain')
+        [200, {'Content-Type' => content_type}, [body]]
+      end
+
+      def redirect(location)
+        [303, {'Content-Type' => 'text/plain', 'Location' => location}, ['303 See Other']]
+      end
+
+      def not_found
+        [404, {'Content-Type' => 'text/plain'}, ["404 Not Found"]]
+      end
+
+      def forbidden(reason)
+        [403, {'Content-Type' => 'text/plain'}, ["403 Forbidden (#{reason})"]]
+      end
+
+      def method_not_allowed
+        [405, {'Content-Type' => 'text/plain'}, ['405 Method Not Allowed']]
+      end
+
+      def internal_server_error(reason)
+        [500, {'Content-Type' => 'text/plain'}, ["500 Internal Server Error (#{reason})"]]
+      end
+
+      def not_implemented
+        [501, {'Content-Type' => 'text/plain'}, ['501 Not Implemented']]
+      end
+
+    end
+
+  end
+
+end

data/lib/certmeister/rack/symbolic_hash_accessor.rb

@@ -0,0 +1,42 @@
+require 'delegate'
+
+# Light-weight alternative to active_support's HashWithIndifferentAccess.
+#
+# The rack application must not symbolize params from the client, because
+# symbols cannot be garbage-collected, and so provide a memory starvation
+# attack.
+#
+# So instead we wrap the parameters with a symbolic accessor, so that
+# Certmeister::Base and Certmeister::Policy::* can refer to parameters
+# symbolically.
+
+module Certmeister
+
+  module Rack
+
+    class SymbolicHashAccessor < SimpleDelegator
+
+      def initialize(hash)
+        @hash = hash
+        super(@hash)
+      end
+
+      def [](key)
+        @hash[key.to_s]
+      end
+
+      def fetch(*args)
+        args[0] = args[0].to_s
+        @hash.fetch(*args)
+      end
+
+      def has_key?(key)
+        @hash.has_key?(key.to_s)
+      end
+      alias_method :include?, :has_key?
+
+    end
+
+  end
+
+end

data/spec/certmeister/rack/app_spec.rb

@@ -0,0 +1,373 @@
+require 'spec_helper'
+require 'rack/test'
+
+require 'certmeister'
+require 'certmeister/rack/app'
+
+describe Certmeister::Rack::App do
+
+  include Rack::Test::Methods
+
+  let(:response) { double(Certmeister::Response).as_null_object }
+  let(:ca) { double(Certmeister::Base, sign: response, fetch: response, remove: response) }
+  let(:app) { Certmeister::Rack::App.new(ca) }
+
+  it "GET /ping always PONGs (although one day we want a health check)" do
+    get "/ping"
+    expect(last_response.status).to eql 200
+    expect(last_response.headers['Content-Type']).to eql "text/plain"
+    expect(last_response.body).to eql "PONG"
+  end
+
+  it "/ping returns 405 Method Not Allowed for other HTTP verbs" do
+    head "/ping"
+    expect(last_response.status).to eql 405
+    expect(last_response.headers['Content-Type']).to eql "text/plain"
+    expect(last_response.body).to eql "405 Method Not Allowed"
+  end
+
+  it "returns 501 Not Implemented for an unknown URI" do
+    get "/nonexistent"
+    expect(last_response.status).to eql 501
+    expect(last_response.headers['Content-Type']).to eql "text/plain"
+    expect(last_response.body).to eql "501 Not Implemented"
+  end
+
+  describe "POST /certificate/:cn" do
+
+    context "parameter handling" do
+
+      let (:response) { Certmeister::Response.hit("...crt...") }
+      before(:each) do
+        post "/certificate/axl.starjuice.net", {"csr" => "...csr..."}, {"REMOTE_ADDR" => "192.168.1.2"}
+      end
+
+      it "copies the cn into the params" do
+        expect(ca).to have_received(:sign).with hash_including(cn: "axl.starjuice.net")
+      end
+
+      it "copies the ip into the params" do
+        expect(ca).to have_received(:sign).with hash_including(ip: "192.168.1.2")
+      end
+
+      it "passes the form params into the CA" do
+        expect(ca).to have_received(:sign).with hash_including(csr: "...csr...")
+      end
+
+    end
+
+    context "on hit" do
+
+      let (:response) { Certmeister::Response.hit("...crt...") }
+      before(:each) do
+        post "/certificate/axl.starjuice.net", {"csr" => "...csr..."}
+      end
+
+      it "returns 303 See Other" do
+        expect(last_response.status).to eql 303
+      end
+
+      it "offers the same resource URI as Location" do
+        expect(last_response.headers['Location']).to eql "/certificate/axl.starjuice.net"
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql '303 See Other'
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql 'text/plain'
+      end
+
+    end
+
+    context "on denied" do
+
+      let (:response) { Certmeister::Response.denied("not enough mojo") }
+      before(:each) do
+        post "/certificate/axl.starjuice.net", {"csr" => "...csr..."}
+      end
+
+      it "returns 403 Forbidden" do
+        expect(last_response.status).to eql 403
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql '403 Forbidden (not enough mojo)'
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql 'text/plain'
+      end
+
+    end
+
+    context "on error" do
+
+      let (:response) { Certmeister::Response.error("all is lost") }
+
+      before(:each) do
+        post "/certificate/axl.starjuice.net", {"csr" => "...csr..."}
+      end
+
+      it "returns 500 Internal Server Error" do
+        expect(last_response.status).to eql 500
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql "500 Internal Server Error (all is lost)"
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql 'text/plain'
+      end
+
+    end
+
+  end
+
+  describe "GET /certificate/:cn" do
+
+    context "parameter handling" do
+
+      let (:response) { Certmeister::Response.hit("...crt...") }
+      before(:each) do
+        get "/certificate/axl.starjuice.net", {"psk" => "...secret..."}, {"REMOTE_ADDR" => "192.168.1.2"}
+      end
+
+      it "copies the cn into the params" do
+        expect(ca).to have_received(:fetch).with hash_including(cn: "axl.starjuice.net")
+      end
+
+      it "copies the ip into the params" do
+        expect(ca).to have_received(:fetch).with hash_including(ip: "192.168.1.2")
+      end
+
+      it "passes the form params into the CA" do
+        expect(ca).to have_received(:fetch).with hash_including(psk: "...secret...")
+      end
+
+    end
+
+    context "on hit" do
+
+      let (:response) { Certmeister::Response.hit("...crt...") }
+      before(:each) do
+        get "/certificate/axl.starjuice.net"
+      end
+
+      it "returns 200 OK" do
+        expect(last_response.status).to eql 200
+      end
+
+      it "provides the PEM-encoded X.509 certificate in the body" do
+        expect(last_response.body).to eql "...crt..."
+      end
+
+      it "describes the body as application/x-pem-file" do
+        expect(last_response.headers['Content-Type']).to eql 'application/x-pem-file'
+      end
+
+    end
+
+    context "on miss" do
+
+      let (:response) { Certmeister::Response.miss }
+      before(:each) do
+        get "/certificate/axl.starjuice.net"
+      end
+
+      it "returns 404 Not Found" do
+        expect(last_response.status).to eql 404
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql "404 Not Found"
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql "text/plain"
+      end
+
+    end
+
+    context "on denied" do
+
+      let (:response) { Certmeister::Response.denied("your fu is weak") }
+      before(:each) do
+        get "/certificate/axl.starjuice.net"
+      end
+
+      it "returns 403 Forbidden" do
+        expect(last_response.status).to eql 403
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql '403 Forbidden (your fu is weak)'
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql 'text/plain'
+      end
+
+    end
+
+    context "on error" do
+
+      let (:response) { Certmeister::Response.error("i have fallen") }
+
+      before(:each) do
+        get "/certificate/axl.starjuice.net"
+      end
+
+      it "returns 500 Internal Server Error" do
+        expect(last_response.status).to eql 500
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql "500 Internal Server Error (i have fallen)"
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql 'text/plain'
+      end
+
+    end
+
+  end
+
+  describe "DELETE /certificate/:cn" do
+
+    context "parameter handling" do
+
+      let (:response) { Certmeister::Response.hit }
+      before(:each) do
+        delete "/certificate/axl.starjuice.net", {"authoritah" => "...warhammer..."}, {"REMOTE_ADDR" => "192.168.1.2"}
+      end
+
+      it "copies the cn into the params" do
+        expect(ca).to have_received(:remove).with hash_including(cn: "axl.starjuice.net")
+      end
+
+      it "copies the ip into the params" do
+        expect(ca).to have_received(:remove).with hash_including(ip: "192.168.1.2")
+      end
+
+      it "passes the form params into the CA" do
+        expect(ca).to have_received(:remove).with hash_including(authoritah: "...warhammer...")
+      end
+
+    end
+
+    context "on hit" do
+
+      let (:response) { Certmeister::Response.hit }
+      before(:each) do
+        delete "/certificate/axl.starjuice.net"
+      end
+
+      it "returns 200 OK" do
+        expect(last_response.status).to eql 200
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql "200 OK"
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql 'text/plain'
+      end
+
+    end
+
+    context "on miss" do
+
+      let (:response) { Certmeister::Response.miss }
+      before(:each) do
+        delete "/certificate/axl.starjuice.net"
+      end
+
+      it "returns 404 Not Found" do
+        expect(last_response.status).to eql 404
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql "404 Not Found"
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql "text/plain"
+      end
+
+    end
+
+    context "on denied" do
+
+      let (:response) { Certmeister::Response.denied("y u no boss") }
+      before(:each) do
+        delete "/certificate/axl.starjuice.net"
+      end
+
+      it "returns 403 Forbidden" do
+        expect(last_response.status).to eql 403
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql '403 Forbidden (y u no boss)'
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql 'text/plain'
+      end
+
+    end
+
+    context "on error" do
+
+      let (:response) { Certmeister::Response.error("shuffled off this mortal coil") }
+
+      before(:each) do
+        delete "/certificate/axl.starjuice.net"
+      end
+
+      it "returns 500 Internal Server Error" do
+        expect(last_response.status).to eql 500
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql "500 Internal Server Error (shuffled off this mortal coil)"
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql 'text/plain'
+      end
+
+    end
+
+  end
+
+  describe "other verbs on /certificate/:cn" do
+
+    context "(e.g. HEAD)" do
+
+      before(:each) do
+        head "/certificate/axl.starjuice.net"
+      end
+
+      it "returns 405 Method Not Allowed" do
+        expect(last_response.status).to eql 405
+      end
+
+      it "describes the HTTP status in the body" do
+        expect(last_response.body).to eql '405 Method Not Allowed'
+      end
+
+      it "describes the body as text/plain" do
+        expect(last_response.headers['Content-Type']).to eql 'text/plain'
+      end
+
+    end
+
+  end
+
+end

metadata

@@ -0,0 +1,91 @@
+--- !ruby/object:Gem::Specification
+name: certmeister-rack
+version: !ruby/object:Gem::Version
+  version: 0.3.0
+platform: ruby
+authors:
+- Sheldon Hearn
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-02-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: certmeister
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+description: This gem provides a rack application to offer an HTTP service around
+  certmeister, the conditional autosigning certificate authority.
+email:
+- sheldonh@starjuice.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/certmeister/rack/app.rb
+- lib/certmeister/rack/symbolic_hash_accessor.rb
+- spec/certmeister/rack/app_spec.rb
+homepage: https://github.com/sheldonh/certmeister
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.1
+signing_key: 
+specification_version: 4
+summary: Rack application for certmeister
+test_files:
+- spec/certmeister/rack/app_spec.rb