certmeister 0.0.2 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2abf1804931548fc418f67e0ff9ef45b166ea05d
-  data.tar.gz: 0393170797e50b7bd2e94d9186ad4fd7f4aeef51
+  metadata.gz: 45294a93b1babeea90937ee91c345bddefa60b25
+  data.tar.gz: 1c0f12426788ad03d9952e2e3532128951d9575e
 SHA512:
-  metadata.gz: 734c2e011504db4f4722122351b667e0a9402f5767fcf01beed9dd1666c201bd3c561630a4135bea44f20ff638008fbecfee891aaeaf04e06d60c0f317348e20
-  data.tar.gz: c6078762403f470caafd18e58ba3516885e16ef4821b644aa57039c1ae4505c9efd35943e84d042fb9520c4f7e90fce480e9d9e45a9c7b0dc59cf37f32cd660a
+  metadata.gz: 763ed829a24c1002c00e3732b41db17d013195ad61686f6552d07424ed4ba101f5ff18545c47a1caa50c81228cb46961dac32048227b2ec9fcc164b69aab91cb
+  data.tar.gz: a953b468dddfdf2a27f381b1c9b316926ee7397011b9e28cbb9fd9834cfd439073ccf7a8c52fdeb98985785479ebe4b510f0ead3a791872aa31128239a05d463

data/Gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: .
   specs:
-    certmeister (0.0.2)
-    certmeister-redis (0.0.2)
-      certmeister (= 0.0.2)
+    certmeister (0.1.0)
+    certmeister-redis (0.1.0)
+      certmeister (= 0.1.0)
       redis-sentinel (~> 1.4)
 
 GEM

data/README.md

@@ -26,7 +26,23 @@ To hit the service:
 ```
 $ curl -L \
     -d "psk=secretkey" \
-    -d "csr=$(perl -MURI::Escape -e 'print uri_escape(join("", <STDIN>));' < request/client.csr)" \
-    http://certmeister.hetzner.co.za/certificate/$(hostname --fqdn) > request/client.crt
+    -d "csr=$(perl -MURI::Escape -e 'print uri_escape(join("", <STDIN>));' < fixtures/client.csr)" \
+    http://certmeister.hetzner.co.za/certificate/axl.starjuice.net
 ```
 
+## Testing
+
+Because we test both certmeister and certmeister-redis with `rake spec`, you need redis up if you want to run the tests. It's easy:
+
+* Install redis-2.8.4 or later.
+* Start redis.
+* Run tests.
+* Stop redis.
+
+```
+sudo yum install -y ansible
+sudo ansible-playbook -i contrib/hosts contrib/redis.yml
+redis-server --logfile /dev/null &
+rake spec
+kill %1; wait %1
+```

data/contrib/.ruby-gemset

@@ -0,0 +1 @@
+certmeister-contrib

data/contrib/.ruby-version

@@ -0,0 +1 @@
+ruby-2.0.0-p247

data/contrib/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org/"
+
+gem "certmeister", path: '..'
+gem "certmeister-redis", path: '..'
+gem "redis"
+gem "rack"

data/contrib/Gemfile.lock

@@ -0,0 +1,24 @@
+PATH
+  remote: ..
+  specs:
+    certmeister (0.0.2)
+    certmeister-redis (0.0.2)
+      certmeister (= 0.0.2)
+      redis-sentinel (~> 1.4)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    rack (1.5.2)
+    redis (3.0.7)
+    redis-sentinel (1.4.2)
+      redis
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  certmeister!
+  certmeister-redis!
+  rack
+  redis

data/contrib/config.ru

@@ -0,0 +1,77 @@
+require 'rubygems'
+require 'rack'
+
+require 'certmeister'
+require 'certmeister/redis/store'
+require 'redis'
+
+allow = Certmeister::Policy::Noop.new
+
+ca = Certmeister.new(
+  Certmeister::Config.new(
+    sign_policy: allow,
+    fetch_policy: allow,
+    remove_policy: allow,
+    store: Certmeister::Redis::Store.new(Redis.new, "development"),
+    ca_cert: File.read("../fixtures/ca.crt"),
+    ca_key: File.read("../fixtures/ca.key"),
+  )
+)
+
+sign_action = ->(params) do
+  response = ca.sign(params)
+  if response.error?
+    [500, {'Content-Type' => 'text/plain'}, ["500 Internal Server Error (#{response.error})"]]
+  elsif response.denied?
+    [403, {'Content-Type' => 'text/plain'}, ["403 Forbidden (#{response.error})"]]
+  else
+    [303, {'Content-Type' => 'text/plain',
+           'Location' => "/certificate/#{params[:cn]}"}, ["303 See Other"]]
+  end
+end
+
+fetch_action = ->(params) do
+  response = ca.fetch(params)
+  if response.error?
+    [500, {'Content-Type' => 'text/plain'}, ["500 Internal Server Error (#{response.error})"]]
+  elsif response.denied?
+    [403, {'Content-Type' => 'text/plain'}, ["403 Forbidden (#{response.error})"]]
+  elsif response.miss?
+    [404, {'Content-Type' => 'text/plain'}, ["404 Not Found"]]
+  else
+    [200, {'Content-Type' => 'application/x-pem-file'}, [response.pem]]
+  end
+end
+
+remove_action = ->(params) do
+  response = ca.remove(params)
+  if response.error?
+    [500, {'Content-Type' => 'text/plain'}, ["500 Internal Server Error (#{response.error})"]]
+  elsif response.denied?
+    [403, {'Content-Type' => 'text/plain'}, ["403 Forbidden (#{response.error})"]]
+  elsif response.miss?
+    [404, {'Content-Type' => 'text/plain'}, ["404 Not Found"]]
+  else
+    [200, {'Content-Type' => 'text/plain'}, ["200 OK"]]
+  end
+end
+
+router = ->(env) do
+  req = Rack::Request.new(env)
+  if req.path_info =~ /^\/certificate\/(.+)/
+    params = req.params.tap do |p|
+      p[:cn] = $1
+      p[:ip] = req.ip
+    end
+    case req.request_method
+      when 'POST' then sign_action.call(params)
+      when 'GET' then fetch_action.call(params)
+      when 'DELETE' then remove_action.call(params)
+      else [405, {'Content-Type' => 'text-plain'}, ["405 Method Not Allowed"]]
+    end
+  else
+    [501, {'Content-Type' => 'text-plain'}, ["501 Not Implemented"]]
+  end
+end
+
+run router

data/contrib/hosts

@@ -0,0 +1,3 @@
+[local]
+localhost
+

data/contrib/redis.yml

@@ -0,0 +1,14 @@
+---
+- hosts: local
+  connection: local
+  vars:
+    version: 2.8.4
+  tasks:
+    - name: Download redis source
+      get_url: dest=/usr/src/redis-{{version}}.tar.gz url=http://download.redis.io/releases/redis-{{version}}.tar.gz
+    - name: Unpack redis source
+      command: tar -C /usr/src -xzf /usr/src/redis-{{version}}.tar.gz creates=/usr/src/redis-{{version}}
+    - name: Build redis from source
+      command: chdir=/usr/src/redis-{{version}} make creates=/usr/src/redis-{{version}}/src/redis-server
+    - name: Install redis from source
+      command: chdir=/usr/src/redis-{{version}} make install creates=/usr/local/bin/redis-server

data/lib/certmeister/base.rb

@@ -15,7 +15,8 @@ module Certmeister
         @store = config.store
         @openssl_digest = config.openssl_digest
       else
-        raise RuntimeError.new("invalid config")
+        reasons = config.errors.map { |kv| kv.join(' ') }
+        raise RuntimeError.new("invalid config: #{reasons.join('; ')}")
       end
     end
 
@@ -39,13 +40,21 @@ module Certmeister
 
     def fetch(request)
       subject_to_policy(@fetch_policy, request) do |request|
-        Certmeister::Response.new(@store.fetch(request[:cn]), nil)
+        if pem = @store.fetch(request[:cn])
+          Certmeister::Response.hit(pem)
+        else
+          Certmeister::Response.miss
+        end
       end
     end
 
     def remove(request)
       subject_to_policy(@remove_policy, request) do |request|
-        Certmeister::Response.new(!!@store.remove(request[:cn]), nil)
+        if @store.remove(request[:cn])
+          Certmeister::Response.hit
+        else
+          Certmeister::Response.miss
+        end
       end
     end
 

data/lib/certmeister/response.rb

@@ -2,12 +2,12 @@ module Certmeister
 
   class Response
 
-    def initialize(pem, error)
+    private_class_method :new
+
+    def initialize(type, pem, error)
+      @type = type
       @pem = pem
       @error = error
-      if @pem and @error
-        raise ArgumentError.new("pem and error are mutually exclusive")
-      end
     end
 
     def pem
@@ -19,27 +19,35 @@ module Certmeister
     end
 
     def hit?
-      !!@pem
+      @type == :hit
     end
 
     def miss?
-      !(hit? or error?)
+      @type == :miss
+    end
+
+    def denied?
+      @type == :denied
     end
 
     def error?
-      !!@error
+      @type == :error
     end
 
-    def self.hit(pem)
-      self.new(pem, nil)
+    def self.hit(pem = :none)
+      new(:hit, pem, nil)
     end
 
     def self.miss
-      self.new(nil, nil)
+      new(:miss, nil, nil)
+    end
+
+    def self.denied(message)
+      new(:denied, nil, message)
     end
 
     def self.error(message)
-      self.new(nil, message)
+      new(:error, nil, message)
     end
 
   end

data/lib/certmeister/version.rb

@@ -1,5 +1,5 @@
 module Certmeister
 
-  VERSION = '0.0.2' unless defined?(VERSION)
+  VERSION = '0.1.0' unless defined?(VERSION)
   
 end

data/spec/certmeister/base_spec.rb

@@ -44,7 +44,7 @@ describe Certmeister do
         expect(response.error).to eql "invalid CSR (not enough data)"
       end
 
-      it "refuses to sign a CSR if the subject does not agree with the request CN" do
+      it "(XXX move this into the policy) refuses to sign a CSR if the subject does not agree with the request CN" do
         request = valid_request.tap { |r| r[:cn] = "monkeyface.example.com" }
         ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
         response = ca.sign(request)

data/spec/certmeister/response_spec.rb

@@ -6,13 +6,13 @@ describe Certmeister::Response do
 
   let(:pem) { File.read('fixtures/client.crt') }
 
-  it "cannot be created with pem and error" do
-    expect { Certmeister::Response.new(pem, "silly") }.to raise_error(ArgumentError)
+  it "must be instantiated via the factory methods only" do
+    expect { Certmeister::Response.new(pem, nil, nil) }.to raise_error(NoMethodError, /private/)
   end
 
   describe "on error" do
 
-    subject { Certmeister::Response.new(nil, "something went wrong") }
+    subject { Certmeister::Response.error("something went wrong") }
 
     it "provides the error" do
       expect(subject.error).to eql "something went wrong"
@@ -25,14 +25,36 @@ describe Certmeister::Response do
     it "offers appropriate boolean flags" do
       expect(subject.hit?).to be_false
       expect(subject.miss?).to be_false
+      expect(subject.denied?).to be_false
       expect(subject.error?).to be_true
     end
 
   end
 
+  describe "on denial" do
+
+    subject { Certmeister::Response.denied("bad client, no cookie") }
+
+    it "provides the reason" do
+      expect(subject.error).to eql "bad client, no cookie"
+    end
+
+    it "doesn't provide the PEM-encoded X509 certificate as a string" do
+      expect(subject.pem).to be_nil
+    end
+
+    it "offers appropriate boolean flags" do
+      expect(subject.hit?).to be_false
+      expect(subject.miss?).to be_false
+      expect(subject.denied?).to be_true
+      expect(subject.error?).to be_false
+    end
+
+  end
+
   describe "on miss (i.e. not found)" do
 
-    subject { Certmeister::Response.new(nil, nil) }
+    subject { Certmeister::Response.miss }
 
     it "has no error" do
       expect(subject.error).to be_nil
@@ -45,6 +67,7 @@ describe Certmeister::Response do
     it "offers appropriate boolean flags" do
       expect(subject.hit?).to be_false
       expect(subject.miss?).to be_true
+      expect(subject.denied?).to be_false
       expect(subject.error?).to be_false
     end
 
@@ -52,19 +75,21 @@ describe Certmeister::Response do
 
   describe "on hit (success)" do
 
-    subject { Certmeister::Response.new(pem, nil) }
+    subject { Certmeister::Response.hit(pem) }
 
     it "has no error" do
       expect(subject.error).to be_nil
     end
 
-    it "provides the PEM-encoded X509 certificate as a string" do
+    it "provides the PEM-encoded X509 certificate as a string (or :none)" do
+      # some hits, like the one for a remove(), don't have a pem, returning :none
       expect(subject.pem).to eql pem
     end
 
     it "offers appropriate boolean flags" do
       expect(subject.hit?).to be_true
       expect(subject.miss?).to be_false
+      expect(subject.denied?).to be_false
       expect(subject.error?).to be_false
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: certmeister
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.1.0
 platform: ruby
 authors:
 - Sheldon Hearn
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-01-30 00:00:00.000000000 Z
+date: 2014-01-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -73,6 +73,13 @@ files:
 - Rakefile
 - certmeister-redis.gemspec
 - certmeister.gemspec
+- contrib/.ruby-gemset
+- contrib/.ruby-version
+- contrib/Gemfile
+- contrib/Gemfile.lock
+- contrib/config.ru
+- contrib/hosts
+- contrib/redis.yml
 - fixtures/ca.crt
 - fixtures/ca.csr
 - fixtures/ca.key