certmeister 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 546ac60693e496000a1fcb1c52cfe9324e091efe
+  data.tar.gz: ecfe80b2211241e9782329a705ea9e8e9869d51b
+SHA512:
+  metadata.gz: 3a7528b98e7f6c92527b53f8d0038535ae49c7b62265d97b35964f6c93d9dbda60e7c0dc796ae5b85834f552f0e5ede845314ed412ca32bb50c6abcfebab4210
+  data.tar.gz: 1ddc2e5d38a52438fcb9a1420077e19117edb6c1d08126cbde580c656fb93b946c0135cdcff085d4e82ae5a7ba13e5abed57b08e8325dd750c2a3a4b28571ddb

data/.gitignore

@@ -0,0 +1,20 @@
+*~
+*.sw*
+*.gem
+*.rbc
+.bundle
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/.ruby-gemset

@@ -0,0 +1 @@
+certmeister

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.0.0-p247

data/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+
+gemspec
+

data/Gemfile.lock

@@ -0,0 +1,27 @@
+PATH
+  remote: .
+  specs:
+    certmeister (0.0.1)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    diff-lcs (1.2.5)
+    rake (0.9.6)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.7)
+    rspec-expectations (2.14.4)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.5)
+  certmeister!
+  rake (~> 0)
+  rspec (~> 2.14)

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Sheldon Hearn
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,32 @@
+# Certmeister
+
+Certmeister is a conditionally autosigning Certificate Authority. It was developed for use
+with the Puppet infrastructure at Hetzner PTY Ltd.
+
+The service will autosign a certificate request when the configurable access policy permits.
+The reference access policy in use by Hetzner PTY Ltd is:
+
+* the Common Name (CN) of the certificate is in the host-h.net domain,
+* the service has no record of already having signed a certificate for that CN, and
+* the requesting client IP address has forward confirmed reverse DNS that matches the CN.
+* Requests to fetch certificates are always allowed.
+* Requests to delete certificates are only allowed when they originate from
+  a secure operator network.
+
+This allows us the convenience of Puppet's autosign feature, without the horrendous security implications.
+
+Certmeister is the core of a fancy web service that does this:
+
+```
+cat request/client.csr | openssl x509 -req -CA CA/ca.crt -CAkey CA/ca.key -CAcreateserial -addtrust clientAuth > CA/signed/<cn>.crt
+```
+
+To hit the service:
+
+```
+$ curl -L \
+    -d "psk=secretkey" \
+    -d "csr=$(perl -MURI::Escape -e 'print uri_escape(join("", <STDIN>));' < request/client.csr)" \
+    http://certmeister.hetzner.co.za/certificate/$(hostname --fqdn) > request/client.crt
+```
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/certmeister.gemspec

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'certmeister/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "certmeister"
+  spec.version       = Certmeister::VERSION
+  spec.authors       = ["Sheldon Hearn"]
+  spec.email         = ["sheldonh@starjuice.net"]
+  spec.summary       = %q{Conditionally autosigning certificate authority.}
+  spec.description   = %q{Certificate authority that can be configured to make decisions about whether to autosign certificate signing requests for clients. This gem provides the protocol-agnostic library, which is expected to be used within something like an HTTP REST service.}
+  spec.homepage      = "https://github.com/sheldonh/certmeister"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.5"
+  spec.add_development_dependency "rake", "~> 0"
+  spec.add_development_dependency "rspec", "~> 2.14"
+end
+
+

data/fixtures/ca.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICVzCCAcACCQDZ9VpcDtwY1TANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJa
+QTEVMBMGA1UECAwMV2VzdGVybiBDYXBlMRIwEAYDVQQHDAlDYXBlIFRvd24xGDAW
+BgNVBAoMD0hldHpuZXIgUFRZIEx0ZDEcMBoGA1UEAwwTQ2VydG1laXN0ZXIgVGVz
+dCBDQTAeFw0xMzEyMTgwOTQxMTdaFw0xNjEyMTcwOTQxMTdaMHAxCzAJBgNVBAYT
+AlpBMRUwEwYDVQQIDAxXZXN0ZXJuIENhcGUxEjAQBgNVBAcMCUNhcGUgVG93bjEY
+MBYGA1UECgwPSGV0em5lciBQVFkgTHRkMRwwGgYDVQQDDBNDZXJ0bWVpc3RlciBU
+ZXN0IENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDE+JkNX7kXFGZ2JyFH
+GfMgXhzazKoGJj/HV3aJSqTjRVrYkgTgCz1aIGj/DXd3gTbturC4s4SiU0i1Gi5K
+J8dHVfDlz/jNbPG4LiMOL1B0TQV4MyVdKJFn6nZCbBqvhCc0vHGw1O7xFiuRBmcP
+SJyqT7Qwz8B1hYNQggVLbPAwawIDAQABMA0GCSqGSIb3DQEBBQUAA4GBADptm7G+
+9jt9v9yjReQu8KgPcMOfzvNBH8g6s4WH7fn7FAj7//92YsYzX2Ost2zPzdsYCSgD
+DucgmG/cezUCyoljqmND5gfcEtk2WjdXF/Sd+Ulnr02L0QTmIzHNf52rRfZGH8O1
+dfx9ZA9mS0uPXd6ePgJI5/y7x7tgHjsm1VOz
+-----END CERTIFICATE-----

data/fixtures/ca.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBsDCCARkCAQAwcDELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
+ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
+HDAaBgNVBAMME0NlcnRtZWlzdGVyIFRlc3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAMT4mQ1fuRcUZnYnIUcZ8yBeHNrMqgYmP8dXdolKpONFWtiSBOAL
+PVogaP8Nd3eBNu26sLizhKJTSLUaLkonx0dV8OXP+M1s8bguIw4vUHRNBXgzJV0o
+kWfqdkJsGq+EJzS8cbDU7vEWK5EGZw9InKpPtDDPwHWFg1CCBUts8DBrAgMBAAGg
+ADANBgkqhkiG9w0BAQUFAAOBgQAJL3fCo4b9Y05+Sims2j58dX599cKzjWJFxEFr
++nNleWoxRu8yEzKTGW9F8xrBHIM3lN8ULLEWr4B0kG+k1vMc2ZQHaalRL3OE386k
+Swt5HcL01He6cLnQppIlDNhj5LpkGRipzQZrXip2NCQTYEEKX6PEed/hqv20jXU1
+ge75bA==
+-----END CERTIFICATE REQUEST-----

data/fixtures/ca.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDE+JkNX7kXFGZ2JyFHGfMgXhzazKoGJj/HV3aJSqTjRVrYkgTg
+Cz1aIGj/DXd3gTbturC4s4SiU0i1Gi5KJ8dHVfDlz/jNbPG4LiMOL1B0TQV4MyVd
+KJFn6nZCbBqvhCc0vHGw1O7xFiuRBmcPSJyqT7Qwz8B1hYNQggVLbPAwawIDAQAB
+AoGAQf6hGTAHTcpSAiheJ/pz0VZ3CIAmP2U1XU7asmlGEbe9Fm7mH0LkzXuqcjpK
+2sl6Y/B3IYtUVybcZ4FcHRBy3ccOZtV7mkZtJqg8Uso9pHKvtgvAleeGB8PRQlfr
+Ah9hv+vGKqbfrh3gFupzJGkw0oYxknW0Cf/adcoc+FsfgDECQQDveKbW7lUajYkz
+Gvx0N5VbzemQz01LO8AtYfnV7875lIDaBBxuT5GyOVKq2zCT6t7oOtGdyY520P7J
+WPu6UvONAkEA0pD8ovjMYVIxe5FrTyIeqhj6zx8Ji1oYA0x/4aEwNjZ3wT8gdJXw
+3zLkoGbJFj1OD+qvn/IyKdsU+Sjjzsh51wJALZVe1MzbQEmu0x6Q7aJi+O2yRxFe
+2jJOe5UJ1JJoaJO/D0D3FHxq9Gz68nD0x0NPGQ+RNSLXzoAr77HTgP0nRQJBAJDi
+XlMs6kRUr+Ocbb/ndD4KLhlx+7k85qTucFep92h2FfSMISLXQQPzGskbsGVzDVF6
+ZBmkJswSCN5gOk/ANcUCQHJobzZpl7IQmee/qDt8ZIffVUtSuF77y4Xwso9bbcJN
+Ax03Rg6rhgm0KcklEc/4VTahfNBzhF5YDkaRSTRcUsI=
+-----END RSA PRIVATE KEY-----

data/fixtures/client.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXTCCAcYCCQDomedDhZaLjzANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJa
+QTEVMBMGA1UECAwMV2VzdGVybiBDYXBlMRIwEAYDVQQHDAlDYXBlIFRvd24xGDAW
+BgNVBAoMD0hldHpuZXIgUFRZIEx0ZDEjMCEGA1UEAwwaY2VydG1laXN0ZXIuaGV0
+em5lci5hZnJpY2EwHhcNMTMxMjExMTE0MTU0WhcNMTQwMTEwMTE0MTU0WjBvMQsw
+CQYDVQQGEwJaQTEVMBMGA1UECAwMV2VzdGVybiBDYXBlMRIwEAYDVQQHDAlDYXBl
+IFRvd24xGDAWBgNVBAoMD0hldHpuZXIgUFRZIEx0ZDEbMBkGA1UEAwwSYXhsLmhl
+dHpuZXIuYWZyaWNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrXgWS0TD1
+mKXOPkNQpMjYyLHroDRlrmVMB5GY/Uyz0eaNz5GecKa7kvrM+gdjyzr/y1vF7C27
+zovu/ZJ8qQmMtIrFlAsXEETMwc6DPOIdPJnXNTlI9a8KjwBB2VtkjxaZqLt2THB1
+oDbFpZHh6UeWBPvzEN1hlfBEvvnB+aQX+QIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
+ABl5o3iL1t9NY0MAaw53VAsM86n53WBAZEzQ+6z3vsxoKU2ejMp3GACoTsyjGWad
+EyN2lKfCjPPYsmrmtshXGb/U0xHXeJS4xifibBktfwv2v2eIfrh5CbDMl6EuUzEC
+mLmVOt4adTt8R8vJ42KaKULKODrsc29AHK79oyxEhYyE
+-----END CERTIFICATE-----

data/fixtures/client.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCWkExFTATBgNVBAgMDFdlc3Rlcm4gQ2Fw
+ZTESMBAGA1UEBwwJQ2FwZSBUb3duMRgwFgYDVQQKDA9IZXR6bmVyIFBUWSBMdGQx
+GzAZBgNVBAMMEmF4bC5oZXR6bmVyLmFmcmljYTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAq14FktEw9Zilzj5DUKTI2Mix66A0Za5lTAeRmP1Ms9Hmjc+RnnCm
+u5L6zPoHY8s6/8tbxewtu86L7v2SfKkJjLSKxZQLFxBEzMHOgzziHTyZ1zU5SPWv
+Co8AQdlbZI8Wmai7dkxwdaA2xaWR4elHlgT78xDdYZXwRL75wfmkF/kCAwEAAaAA
+MA0GCSqGSIb3DQEBBQUAA4GBAKHHpelQzMYFBXYa0VOWFiqRd1HXJfnUbo8D5xup
+RzveAVlGTj83slgKvGigUupWdfk1S4KiUG1HsAyLcwl8lgOCO77CrdNPZC0qjB4+
+pK3Xp2FMsK4+lp24FNR0tM31FA03DU8uhL8v5cvExHBn4idBEwO2W4OWPKVYKrtm
+w9ne
+-----END CERTIFICATE REQUEST-----

data/fixtures/client.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCrXgWS0TD1mKXOPkNQpMjYyLHroDRlrmVMB5GY/Uyz0eaNz5Ge
+cKa7kvrM+gdjyzr/y1vF7C27zovu/ZJ8qQmMtIrFlAsXEETMwc6DPOIdPJnXNTlI
+9a8KjwBB2VtkjxaZqLt2THB1oDbFpZHh6UeWBPvzEN1hlfBEvvnB+aQX+QIDAQAB
+AoGBAJJSkuG821gpghHrmiDGw3RPUZRG09aqpXXY1JpUVmUIahtWTBmESOnK43mY
+WCz+wB7f7jm+o4JEJ7nmLGljEHH9cvdIo84SgAeIbs1h0o28GJ1LG10L5CvTL3ai
+dejFXKRNnVGxpGQQi1XqpVqv6CUSmGZoZMeTWIOPVhSddAi9AkEA17Vq6T5gJfz6
+wRVpSlG1Nz2C3OQ0hPmtgwLJZcVSHUuQvgZfL8O6U7+QBQRHCHNNu0DtrdKheWHt
+GdqWbWwb4wJBAMtgUsu5U/KVU3i0R8eEBkFFNho7Np4FSBQ5MMPcp727hyI/Neev
+R/gFx8OSY4EBtu9Npt0fqEWVDKa/WNcU+3MCQDkm5BCwaiEmifmmhqMeSvk73vRP
+smqZDJPtpRbF1R/V6Z+vaIDrRu7xjmMF4xwmEK5QYajwacATZhK3i6uqPSkCQFJj
+OgdHk4dhEMiEF9PuWu5UEF+9/xkywIlYxbWCjP1im5K3EqpBqqECDnPeuKqJPEdj
+KKbJbUyK3e4q891lpZsCQQDWAY3NbuNufmuWp2naACwEcYSjoMfdPoHnaaynJu5h
+UHcPcCjAijtue9+iPZ/4LPJ5TH4pr8Ww4AxDCgBB8foH
+-----END RSA PRIVATE KEY-----

data/lib/certmeister.rb

@@ -0,0 +1,14 @@
+module Certmeister
+end
+
+Dir.glob(File.join(File.dirname(__FILE__), "certmeister", "*.rb")) do |path|
+  require path
+end
+
+module Certmeister
+
+  def self.new(*args)
+    Certmeister::Base.new(*args)
+  end
+
+end

data/lib/certmeister/base.rb

@@ -0,0 +1,92 @@
+require 'time'
+require 'openssl'
+
+module Certmeister
+
+  class Base
+
+    def initialize(config)
+      if config.valid?
+        @sign_policy = config.sign_policy
+        @fetch_policy = config.fetch_policy
+        @remove_policy = config.remove_policy
+        @ca_cert = config.ca_cert
+        @ca_key = config.ca_key
+        @store = config.store
+        @openssl_digest = config.openssl_digest
+      else
+        raise RuntimeError.new("invalid config")
+      end
+    end
+
+    def sign(request)
+      subject_to_policy(@sign_policy, request) do |request|
+        begin
+          csr = OpenSSL::X509::Request.new(request[:csr])
+        rescue OpenSSL::OpenSSLError => e
+          Certmeister::Response.error("invalid CSR (#{e.message})")
+        else
+          if get_cn(csr) == request[:cn]
+            pem = create_signed_certificate(csr).to_pem
+            @store.store(request[:cn], pem)
+            Certmeister::Response.hit(pem)
+          else
+            Certmeister::Response.error("CSR subject (#{get_cn(csr)}) disagrees with request CN (#{request[:cn]})")
+          end
+        end
+      end
+    end
+
+    def fetch(request)
+      subject_to_policy(@fetch_policy, request) do |request|
+        Certmeister::Response.new(@store.fetch(request[:cn]), nil)
+      end
+    end
+
+    def remove(request)
+      subject_to_policy(@remove_policy, request) do |request|
+        Certmeister::Response.new(!!@store.remove(request[:cn]), nil)
+      end
+    end
+
+    private
+
+    def subject_to_policy(policy, request, &block)
+      if !request[:cn]
+        Certmeister::Response.error("request missing CN")
+      else
+        authentication = policy.authenticate(request)
+        if authentication.authenticated?
+          block.call(request)
+        else
+          Certmeister::Response.error("request refused (#{authentication.error})")
+        end
+      end
+    end
+
+    def create_signed_certificate(csr)
+      cert = OpenSSL::X509::Certificate.new
+
+      cert.serial = 0
+      cert.version = 2
+      cert.subject = csr.subject
+      cert.public_key = csr.public_key
+
+      now = DateTime.now
+      cert.not_before = now.to_time
+      cert.not_after = (now + (5 * 365)).to_time
+      cert.issuer = @ca_cert.subject
+      cert.sign @ca_key, @openssl_digest.new
+
+      cert
+    end
+
+    def get_cn(csr)
+      if csr.subject.to_s =~ /CN=(.+)$/
+        $1
+      end
+    end
+
+  end
+
+end

data/lib/certmeister/config.rb

@@ -0,0 +1,129 @@
+require 'openssl'
+
+require 'certmeister/policy'
+
+module Certmeister
+
+  class Config
+
+    attr_reader :store, :sign_policy, :fetch_policy, :remove_policy
+
+    def initialize(options)
+      @options = options
+      @store = options[:store]
+      @sign_policy = options[:sign_policy]
+      @fetch_policy = options[:fetch_policy]
+      @remove_policy = options[:remove_policy]
+      @errors = {}
+    end
+
+    def ca_cert
+      @ca_cert ||= OpenSSL::X509::Certificate.new(@options[:ca_cert])
+    end
+
+    def ca_key
+      @ca_key ||= OpenSSL::PKey.read(@options[:ca_key])
+    end
+
+    def openssl_digest
+      if OpenSSL::Digest.const_defined?('SHA256')
+        @digest = OpenSSL::Digest::SHA256
+      elsif OpenSSL::Digest.const_defined?('SHA1')
+        @digest = OpenSSL::Digest::SHA1
+      end
+    end
+
+    def valid?
+      validate
+      @errors.empty?
+    end
+
+    def errors
+      @errors
+    end
+
+    def error_list
+      @errors.keys.sort.inject([]) do |list, option|
+        list << "#{option} #{@errors[option]}"
+      end
+    end
+
+    private
+
+    def validate
+      validate_x509_pem(:ca_cert)
+      validate_pkey_pem(:ca_key)
+      validate_store(:store)
+      validate_policy(:sign_policy)
+      validate_policy(:fetch_policy)
+      validate_policy(:remove_policy)
+      validate_openssl_digest
+      validate_known_options
+    end
+
+    def validate_x509_pem(option)
+      if not @options[option]
+        @errors[option] = "is required"
+      else
+        begin
+          OpenSSL::X509::Certificate.new(@options[option])
+        rescue OpenSSL::OpenSSLError => e
+          @errors[option] = "must be a PEM-encoded x509 certificate (#{e.message})"
+        end
+      end
+    end
+
+    def validate_pkey_pem(option)
+      if not @options[option]
+        @errors[option] = "is required"
+      else
+        begin
+          OpenSSL::PKey.read(@options[option])
+        rescue ArgumentError => e
+          @errors[option] = "must be a PEM-encoded private key (#{e.message})"
+        end
+      end
+    end
+
+    def validate_store(option)
+      o = @options[option]
+      if not o
+        @errors[option] = "is required"
+      elsif not o.respond_to?(:store) or o.method(:store).arity != 2
+        @errors[option] = "must provide a binary store method"
+      elsif not o.respond_to?(:fetch) or o.method(:fetch).arity != 1
+        @errors[option] = "must provide a unary fetch method"
+      elsif not o.respond_to?(:remove) or o.method(:remove).arity != 1
+        @errors[option] = "must provide a unary remove method"
+      elsif not o.respond_to?(:health_check) or o.method(:health_check).arity != 0
+        @errors[option] = "must provide a nullary health_check method"
+      end
+    end
+
+    def validate_policy(option)
+      o = @options[option]
+      if not o
+        @errors[option] = "is required"
+      elsif not Certmeister::Policy.validate_authenticate_signature(@options[option])
+        @errors[option] = "must provide a unary authenticate method"
+      elsif not Certmeister::Policy.validate_authenticate_returns_response(@options[option])
+        @errors[option] = "must return a policy response"
+      end
+    end
+
+    def validate_openssl_digest
+      if not openssl_digest
+        @errors[:openssl_digest] = "can't find FIPS 140-2 compliant algorithm in OpenSSL::Digest"
+      end
+    end
+
+    def validate_known_options
+      unexpected = @options.keys - [:ca_cert, :ca_key, :store, :sign_policy, :fetch_policy, :remove_policy]
+      unexpected.each do |option|
+        @errors[option] = "is not a supported option"
+      end
+    end
+
+  end
+
+end