certmeister 0.4.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4a27d8981207e04f484c463efee5eb192b1ac040
-  data.tar.gz: d3d089cf572cd18dd08997483539fe56b1257f88
+  metadata.gz: d599d2605bb65cd2744e7de3d7989ebbb9f5c9ec
+  data.tar.gz: 9f0e0e9d87f1c9420c8071e42d365737df0d24b0
 SHA512:
-  metadata.gz: 0699466fc8b0eee2e5f68a001138c8a4fa30b64c9fc16830e6e5b5bd64b3d08796e6f348e7c3d2430366890505991173d8857a7e00b252c2923dbf023b0af5c2
-  data.tar.gz: 76df1686defaeb078155b070dd5b4325bf29a5d565c49bd4d4dacfc5f4754b7607952da5e516651e75edd740fded0e02def5ac2ce3c20032fb725e988629d8c6
+  metadata.gz: 364b0d70f2d07ffc8f0c82f12974171b8f7861dad592bf02c5515b9930c85ae933cb1a29efccfca7b4c32b26c1c85e702b9bba6fa3f586709993c68a82b247dc
+  data.tar.gz: b8755d5da13d7c2275638218d739dfc4c40cff95da95080402ae2734000fea2bbcec5dd9e2e1f9b4678ede071bd92e9843e260aa473dcd68db70cf7aa2860b98

data/.ruby-version

@@ -1 +1 @@
-ruby-2.0.0-p247
+ruby-2.1.5

data/Gemfile.lock

@@ -1,12 +1,12 @@
 PATH
   remote: .
   specs:
-    certmeister (0.4.1)
-    certmeister-rack (0.4.1)
-      certmeister (= 0.4.1)
+    certmeister (1.0.0)
+    certmeister-rack (1.0.0)
+      certmeister (= 1.0.0)
       rack (~> 1.5)
-    certmeister-redis (0.4.1)
-      certmeister (= 0.4.1)
+    certmeister-redis (1.0.0)
+      certmeister (= 1.0.0)
       redis-sentinel (~> 1.4)
 
 GEM
@@ -20,14 +20,18 @@ GEM
     redis (3.0.7)
     redis-sentinel (1.4.2)
       redis
-    rspec (2.14.1)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.7)
-    rspec-expectations (2.14.4)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.4)
+    rspec (3.1.0)
+      rspec-core (~> 3.1.0)
+      rspec-expectations (~> 3.1.0)
+      rspec-mocks (~> 3.1.0)
+    rspec-core (3.1.7)
+      rspec-support (~> 3.1.0)
+    rspec-expectations (3.1.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.1.0)
+    rspec-mocks (3.1.3)
+      rspec-support (~> 3.1.0)
+    rspec-support (3.1.2)
 
 PLATFORMS
   ruby
@@ -39,4 +43,4 @@ DEPENDENCIES
   certmeister-redis!
   rack-test (~> 0.6)
   rake (~> 0)
-  rspec (~> 2.14)
+  rspec (~> 3.1)

data/README.md

@@ -61,5 +61,5 @@ bundle
 git commit \
   -m "Bump version to v$(bundle exec ruby -Ilib -rcertmeister -e 'puts Certmeister::VERSION')" \
   Gemfile.lock lib/certmeister/version.rb
-bundle exec release
+bundle exec rake release
 ```

data/certmeister.gemspec

@@ -24,5 +24,5 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler", "~> 1.5"
   spec.add_development_dependency "rake", "~> 0"
-  spec.add_development_dependency "rspec", "~> 2.14"
+  spec.add_development_dependency "rspec", "~> 3.1"
 end

data/contrib/certmeister-client

@@ -0,0 +1,111 @@
+#!/bin/sh -e
+
+DEFAULT_SERVICE=http://certmeister.hetzner.co.za/certificate
+
+usage() {
+	echo "usage: certmeister-client create /path/to/save/key.pem /path/to/save/crt.pem"
+	echo "       certmeister-client fetch /path/to/save/crt.pem"
+	echo "       certmeister-client remove"
+	echo
+	echo "Environmental overrides:"
+	echo
+	echo "  CERTMEISTER_HOSTNAME name to use as CN in CSR"
+	echo "                       (default: hostname --fqdn)"
+	echo "  CERTMEISTER_SERVICE  the URI prefix of certmeister service"
+	echo "                       (default: $DEFAULT_SERVICE)"
+	exit 1
+}
+
+install_preserving_permissions() {
+	src_file=$1
+	dst_file=$2
+
+	if [ -e "$dst_file" ]; then
+		cat "$src_file" > "$dst_file"
+	else
+		cp "$src_file" "$dst_file"
+	fi
+}
+
+tmp=
+cleanup() {
+	if [ -e "$tmp" ]; then
+		rm -rf "$tmp"
+	fi
+}
+
+umask 0077
+
+type -p curl >/dev/null
+type -p openssl >/dev/null
+perl -MURI::Escape -e 'print uri_escape(" ")' >/dev/null
+hostname=${CERTMEISTER_HOSTNAME:=$(hostname --fqdn)}
+uri=${CERTMEISTER_SERVICE:=$DEFAULT_SERVICE}/$hostname
+
+[ $# -gt 0 ] || usage
+command="$1"
+shift
+
+case "$command" in
+	create)
+		[ $# = 2 ] || usage
+		key_file=$1
+		crt_file=$2
+		tmp=$(mktemp -d -t certmeister.XXXXXX)
+		trap cleanup EXIT
+		echo Creating secret key for $hostname...
+		openssl genrsa -out $tmp/key.pem 4096
+		echo Creating certificate signing request for $hostname...
+		openssl req -new -subj "/C=ZA/ST=Western Cape/L=Cape Town/O=Hetzner PTY Ltd/CN=$hostname" -key $tmp/key.pem -out $tmp/csr.pem
+		csr=$(perl -MURI::Escape -e 'print uri_escape(join("", <STDIN>));' < $tmp/csr.pem)
+		echo Sending signing request to $uri...
+		curl -s -S -L -d "csr=$csr" $uri > $tmp/crt.pem
+		if ! openssl x509 -subject -noout -in $tmp/crt.pem >/dev/null 2>&1; then
+			cat $tmp/crt.pem 1>&2
+			echo 1>&2
+			exit 1
+		fi
+		echo Installing certificate and key...
+		chmod 644 $tmp/crt.pem
+		install_preserving_permissions $tmp/key.pem $key_file
+		install_preserving_permissions $tmp/crt.pem $crt_file
+		cd /
+		rm -rf $tmp
+		echo Done.
+		;;
+	fetch)
+		[ $# = 1 ] || usage
+		crt_file=$1
+		tmp=$(mktemp -d -t certmeister.XXXXXX)
+		trap cleanup EXIT
+		echo Requesting certificate from $uri...
+		curl -s -S $uri > $tmp/crt.pem
+		if ! openssl x509 -subject -noout -in $tmp/crt.pem >/dev/null 2>&1; then
+			cat $tmp/crt.pem 1>&2
+			echo 1>&2
+			exit 1
+		fi
+		echo Installing certificate...
+		chmod 644 $tmp/crt.pem
+		install_preserving_permissions $tmp/crt.pem $crt_file
+		cd /
+		rm -rf $tmp
+		echo Done.
+		;;
+	remove)
+		[ $# = 0 ] || usage
+		echo Sending delete request to $uri...
+		response=$(curl -s -S -X DELETE $uri 2>&1)
+		if ! echo "$response" | grep -q '^200 OK'; then
+			echo error: $response 1>&2
+			echo 1>&2
+			exit 1
+		fi
+		echo Done.
+		;;
+	*)
+		usage
+		;;
+esac
+
+exit 0

data/contrib/config.ru

@@ -8,14 +8,21 @@ require 'redis'
 
 store = Certmeister::Redis::Store.new(Redis.new, "development")
 
-sign_policy =
+sign_policy = Certmeister::Policy::ChainAny.new([
   Certmeister::Policy::ChainAll.new([
+    Certmeister::Policy::Existing.new(store),
     Certmeister::Policy::Domain.new(['host-h.net']),
     Certmeister::Policy::Fcrdns.new,
+  ]),
+  Certmeister::Policy::ChainAll.new([
     Certmeister::Policy::Existing.new(store),
-  ])
+    Certmeister::Policy::Domain.new(['example.com']),
+    Certmeister::Policy::IP.new(['192.168.0.0/23']),
+  ]),
+  Certmeister::Policy::IP.new(['127.0.0.1/32']),
+])
 fetch_policy = Certmeister::Policy::Noop.new
-remove_policy = Certmeister::Policy::IP.new(['127.0.0.0/8'])
+remove_policy = Certmeister::Policy::IP.new(['192.168.0.0/23', '127.0.0.1/32'])
 
 ca = Certmeister.new(
   Certmeister::Config.new(

data/lib/certmeister/test/memory_store_interface.rb

@@ -28,21 +28,21 @@ module Certmeister
 
         it "deletes certificates by CN (common name)" do
           subject.store('axl.hetzner.africa', "cert")
-          expect(subject.remove('axl.hetzner.africa')).to be_true
+          expect(subject.remove('axl.hetzner.africa')).to be true
           expect(subject.fetch('axl.hetzner.africa')).to be_nil
         end
 
         it "returns false when removing a non-existent CN" do
-          expect(subject.remove('axl.hetzner.africa')).to be_false
+          expect(subject.remove('axl.hetzner.africa')).to be false
         end
 
         it "returns true from health_check when healthy" do
-          expect(subject.health_check).to be_true
+          expect(subject.health_check).to be true
         end
 
         it "returns false from health_check when not healthy" do
           subject.send(:break!)
-          expect(subject.health_check).to be_false
+          expect(subject.health_check).to be false
         end
 
       end

data/lib/certmeister/version.rb

@@ -1,5 +1,5 @@
 module Certmeister
 
-  VERSION = '0.4.1' unless defined?(VERSION)
+  VERSION = '1.0.0' unless defined?(VERSION)
 
 end

data/spec/certmeister/policy/fcrdns_spec.rb

@@ -34,7 +34,7 @@ describe Certmeister::Policy::Fcrdns do
   describe "error handling" do
 
     it "refuses to authenticate a request when a DNS failure occurs" do
-      Resolv::DNS.any_instance.stub(:getnames).with('nonsense').and_raise(Resolv::ResolvError.new("cannot interpret as address: nonsense"))
+      allow_any_instance_of(Resolv::DNS).to receive(:getnames).with('nonsense').and_raise(Resolv::ResolvError.new("cannot interpret as address: nonsense"))
       response = subject.authenticate({cn: 'localhost', ip: 'nonsense'})
       expect(response).to_not be_authenticated
       expect(response.error).to eql "DNS error (cannot interpret as address: nonsense)"

data/spec/certmeister/response_spec.rb

@@ -23,10 +23,10 @@ describe Certmeister::Response do
     end
 
     it "offers appropriate boolean flags" do
-      expect(subject.hit?).to be_false
-      expect(subject.miss?).to be_false
-      expect(subject.denied?).to be_false
-      expect(subject.error?).to be_true
+      expect(subject.hit?).to be false
+      expect(subject.miss?).to be false
+      expect(subject.denied?).to be false
+      expect(subject.error?).to be true
     end
 
   end
@@ -44,10 +44,10 @@ describe Certmeister::Response do
     end
 
     it "offers appropriate boolean flags" do
-      expect(subject.hit?).to be_false
-      expect(subject.miss?).to be_false
-      expect(subject.denied?).to be_true
-      expect(subject.error?).to be_false
+      expect(subject.hit?).to be false
+      expect(subject.miss?).to be false
+      expect(subject.denied?).to be true
+      expect(subject.error?).to be false
     end
 
   end
@@ -65,10 +65,10 @@ describe Certmeister::Response do
     end
 
     it "offers appropriate boolean flags" do
-      expect(subject.hit?).to be_false
-      expect(subject.miss?).to be_true
-      expect(subject.denied?).to be_false
-      expect(subject.error?).to be_false
+      expect(subject.hit?).to be false
+      expect(subject.miss?).to be true
+      expect(subject.denied?).to be false
+      expect(subject.error?).to be false
     end
 
   end
@@ -87,10 +87,10 @@ describe Certmeister::Response do
     end
 
     it "offers appropriate boolean flags" do
-      expect(subject.hit?).to be_true
-      expect(subject.miss?).to be_false
-      expect(subject.denied?).to be_false
-      expect(subject.error?).to be_false
+      expect(subject.hit?).to be true
+      expect(subject.miss?).to be false
+      expect(subject.denied?).to be false
+      expect(subject.error?).to be false
     end
 
   end

data/spec/spec_helper.rb

@@ -5,7 +5,6 @@
 #
 # See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
 RSpec.configure do |config|
-  config.treat_symbols_as_metadata_keys_with_true_values = true
   config.run_all_when_everything_filtered = true
   config.filter_run :focus
 

metadata

@@ -1,57 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: certmeister
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 1.0.0
 platform: ruby
 authors:
 - Sheldon Hearn
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-02-07 00:00:00.000000000 Z
+date: 2015-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.5'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.14'
+        version: '3.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.14'
+        version: '3.1'
 description: Certificate authority that can be configured to make decisions about
   whether to autosign certificate signing requests for clients. This gem provides
   the protocol-agnostic library, which is expected to be used within something like
@@ -62,10 +62,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .ruby-gemset
-- .ruby-version
+- ".gitignore"
+- ".rspec"
+- ".ruby-gemset"
+- ".ruby-version"
 - Gemfile
 - Gemfile.lock
 - LICENSE
@@ -77,6 +77,7 @@ files:
 - contrib/.ruby-gemset
 - contrib/.ruby-version
 - contrib/Gemfile
+- contrib/certmeister-client
 - contrib/config.ru
 - contrib/hosts
 - contrib/redis.yml
@@ -135,17 +136,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.1
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Conditionally autosigning certificate authority.