certmeister 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 083750255abf59b0e78a0c68f3b3aca6fd57d790
-  data.tar.gz: 5438388c4400a77bfa580dbb86d11560104a246a
+  metadata.gz: 6cc20cbf2bb5c2b4b721280da39d1f83ca04ac0a
+  data.tar.gz: aa0e73207c9f71d79ee4ebdf69df41c65dd47829
 SHA512:
-  metadata.gz: 437fd1f9d23f2e5355bb70453bbaa06d9195ab037b23eeda614eccc109e7027900de0ae1b7637d346a887775173bc5761d6d3b7e50220a7cc007327e6599a5c4
-  data.tar.gz: 9d4b7cfef3c402a6547df3cee80301a00bdc4eda57a8f86c04f572f85eaba7760d55bacfa6fb6a23b15560cfa82fe0871f11f283875ac608934e1f799eda49bf
+  metadata.gz: 68c617c0234008b6900ddedc66a6ac08a2a5d296e46a8bf1583c5f5aa059b5c827c3f6060908920a7c9862de8b02faa2f924b7693ea6e820266784340b2e4248
+  data.tar.gz: 37bd6723f00a8defd6121d50bcb77c01e881e54c543abe408cbdc2f2fb561863160d9c472ea666cb01fb7bded26ba049392ba96d55e9a2769dbc2e754c3aaf07

data/Gemfile.lock

@@ -1,19 +1,13 @@
 PATH
   remote: .
   specs:
-    certmeister (2.0.0)
-    certmeister-rack (2.0.0)
-      certmeister (= 2.0.0)
-      rack (~> 1.5)
+    certmeister (2.1.0)
 
 GEM
   remote: http://rubygems.org/
   specs:
     diff-lcs (1.2.5)
-    rack (1.5.2)
-    rack-test (0.6.2)
-      rack (>= 1.0)
-    rake (0.9.6)
+    rake (10.4.2)
     rspec (3.1.0)
       rspec-core (~> 3.1.0)
       rspec-expectations (~> 3.1.0)
@@ -33,7 +27,5 @@ PLATFORMS
 DEPENDENCIES
   bundler (~> 1.5)
   certmeister!
-  certmeister-rack!
-  rack-test (~> 0.6)
-  rake (~> 0)
+  rake (~> 10.4.2)
   rspec (~> 3.1)

data/README.md

@@ -15,10 +15,13 @@ The reference access policy in use by Hetzner PTY Ltd is:
 
 This allows us the convenience of Puppet's autosign feature, without the horrendous security implications.
 
-This repository currently builds two gems:
+This repository currently builds one gem:
 
 * _certmeister_ - the CA, some off-the-shelf policy modules and an in-memory cert store
-* _certmeister-rack_ - a rack application to provide an HTTP interface to the CA
+
+A rack application to provide an HTTP interface to the CA is available as a separate gem:
+
+* [certmeister-rack](https://github.com/sheldonh/certmeister-rack)
 
 Only an in-memory store is provided. Others are available as separate gems:
 
@@ -26,16 +29,8 @@ Only an in-memory store is provided. Others are available as separate gems:
 * [certmeister-pg](https://github.com/sheldonh/certmeister-pg)
 * [certmeister-redis](https://github.com/sheldonh/certmeister-redis)
 
-An example, using redis and rack and enforcing Hetzner PTY Ltd's policy, is available in [contrib/config.ru](contrib/config.ru).
-
-To hit the service:
-
-```
-$ curl -L \
-    -d "psk=secretkey" \
-    -d "csr=$(perl -MURI::Escape -e 'print uri_escape(join("", <STDIN>));' < fixtures/client.csr)" \
-    http://localhost:9292/ca/certificate/axl.starjuice.net
-```
+An example, using redis and rack and enforcing Hetzner PTY Ltd's policy, is available in the `contrib` subdirectory of the
+[certmeister-rack](https://github.com/sheldonh/certmeister-rack) source.
 
 ## Testing
 

data/certmeister.gemspec

@@ -23,6 +23,6 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_development_dependency "bundler", "~> 1.5"
-  spec.add_development_dependency "rake", "~> 0"
+  spec.add_development_dependency "rake", "~> 10.4.2"
   spec.add_development_dependency "rspec", "~> 3.1"
 end

data/lib/certmeister/base.rb

@@ -58,6 +58,10 @@ module Certmeister
       end
     end
 
+    def ca_cert_pem
+      @ca_cert.to_pem
+    end
+
     private
 
     def subject_to_policy(policy, request, &block)

data/lib/certmeister/version.rb

@@ -1,5 +1,5 @@
 module Certmeister
 
-  VERSION = '2.0.0' unless defined?(VERSION)
+  VERSION = '2.1.0' unless defined?(VERSION)
 
 end

data/spec/certmeister/base_spec.rb

@@ -201,5 +201,14 @@ describe Certmeister do
 
   end
 
+  describe "#ca_cert_pem" do
+
+    it "exposes the CA certificate in PEM format" do
+      ca = Certmeister.new(CertmeisterConfigHelper::valid_config)
+      expect(ca.ca_cert_pem).to match(/-----BEGIN CERTIFICATE-----/)
+    end
+
+  end
+
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: certmeister
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Sheldon Hearn
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-11 00:00:00.000000000 Z
+date: 2015-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 10.4.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 10.4.2
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -71,15 +71,7 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- certmeister-rack.gemspec
 - certmeister.gemspec
-- contrib/.ruby-gemset
-- contrib/.ruby-version
-- contrib/Gemfile
-- contrib/certmeister-client
-- contrib/config.ru
-- contrib/hosts
-- contrib/redis.yml
 - fixtures/ca.crt
 - fixtures/ca.csr
 - fixtures/ca.key

data/certmeister-rack.gemspec

@@ -1,24 +0,0 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'certmeister/version'
-
-Gem::Specification.new do |spec|
-  spec.name          = "certmeister-rack"
-  spec.version       = Certmeister::VERSION
-  spec.authors       = ["Sheldon Hearn"]
-  spec.email         = ["sheldonh@starjuice.net"]
-  spec.summary       = %q{Rack application for certmeister}
-  spec.description   = %q{This gem provides a rack application to offer an HTTP service around certmeister, the conditional autosigning certificate authority.}
-  spec.homepage      = "https://github.com/sheldonh/certmeister"
-  spec.license       = "MIT"
-
-  spec.files         = `git ls-files -z lib/certmeister spec/certmeister`.split("\x0").grep(/rack/)
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
-
-  spec.add_dependency "certmeister", Certmeister::VERSION
-  spec.add_dependency "rack", "~> 1.5"
-
-  spec.add_development_dependency "rack-test", "~> 0.6"
-end

data/contrib/.ruby-gemset

@@ -1 +0,0 @@
-certmeister-contrib

data/contrib/.ruby-version

@@ -1 +0,0 @@
-ruby-2.1.5

data/contrib/Gemfile

@@ -1,6 +0,0 @@
-source "https://rubygems.org/"
-
-gem "certmeister", path: '..'
-gem "certmeister-redis"
-gem "redis"
-gem "rack"

data/contrib/certmeister-client

@@ -1,111 +0,0 @@
-#!/bin/sh -e
-
-DEFAULT_SERVICE=http://certmeister.hetzner.co.za/certificate
-
-usage() {
-	echo "usage: certmeister-client create /path/to/save/key.pem /path/to/save/crt.pem"
-	echo "       certmeister-client fetch /path/to/save/crt.pem"
-	echo "       certmeister-client remove"
-	echo
-	echo "Environmental overrides:"
-	echo
-	echo "  CERTMEISTER_HOSTNAME name to use as CN in CSR"
-	echo "                       (default: hostname --fqdn)"
-	echo "  CERTMEISTER_SERVICE  the URI prefix of certmeister service"
-	echo "                       (default: $DEFAULT_SERVICE)"
-	exit 1
-}
-
-install_preserving_permissions() {
-	src_file=$1
-	dst_file=$2
-
-	if [ -e "$dst_file" ]; then
-		cat "$src_file" > "$dst_file"
-	else
-		cp "$src_file" "$dst_file"
-	fi
-}
-
-tmp=
-cleanup() {
-	if [ -e "$tmp" ]; then
-		rm -rf "$tmp"
-	fi
-}
-
-umask 0077
-
-type -p curl >/dev/null
-type -p openssl >/dev/null
-perl -MURI::Escape -e 'print uri_escape(" ")' >/dev/null
-hostname=${CERTMEISTER_HOSTNAME:=$(hostname --fqdn)}
-uri=${CERTMEISTER_SERVICE:=$DEFAULT_SERVICE}/$hostname
-
-[ $# -gt 0 ] || usage
-command="$1"
-shift
-
-case "$command" in
-	create)
-		[ $# = 2 ] || usage
-		key_file=$1
-		crt_file=$2
-		tmp=$(mktemp -d -t certmeister.XXXXXX)
-		trap cleanup EXIT
-		echo Creating secret key for $hostname...
-		openssl genrsa -out $tmp/key.pem 4096
-		echo Creating certificate signing request for $hostname...
-		openssl req -new -subj "/C=ZA/ST=Western Cape/L=Cape Town/O=Hetzner PTY Ltd/CN=$hostname" -key $tmp/key.pem -out $tmp/csr.pem
-		csr=$(perl -MURI::Escape -e 'print uri_escape(join("", <STDIN>));' < $tmp/csr.pem)
-		echo Sending signing request to $uri...
-		curl -s -S -L -d "csr=$csr" $uri > $tmp/crt.pem
-		if ! openssl x509 -subject -noout -in $tmp/crt.pem >/dev/null 2>&1; then
-			cat $tmp/crt.pem 1>&2
-			echo 1>&2
-			exit 1
-		fi
-		echo Installing certificate and key...
-		chmod 644 $tmp/crt.pem
-		install_preserving_permissions $tmp/key.pem $key_file
-		install_preserving_permissions $tmp/crt.pem $crt_file
-		cd /
-		rm -rf $tmp
-		echo Done.
-		;;
-	fetch)
-		[ $# = 1 ] || usage
-		crt_file=$1
-		tmp=$(mktemp -d -t certmeister.XXXXXX)
-		trap cleanup EXIT
-		echo Requesting certificate from $uri...
-		curl -s -S $uri > $tmp/crt.pem
-		if ! openssl x509 -subject -noout -in $tmp/crt.pem >/dev/null 2>&1; then
-			cat $tmp/crt.pem 1>&2
-			echo 1>&2
-			exit 1
-		fi
-		echo Installing certificate...
-		chmod 644 $tmp/crt.pem
-		install_preserving_permissions $tmp/crt.pem $crt_file
-		cd /
-		rm -rf $tmp
-		echo Done.
-		;;
-	remove)
-		[ $# = 0 ] || usage
-		echo Sending delete request to $uri...
-		response=$(curl -s -S -X DELETE $uri 2>&1)
-		if ! echo "$response" | grep -q '^200 OK'; then
-			echo error: $response 1>&2
-			echo 1>&2
-			exit 1
-		fi
-		echo Done.
-		;;
-	*)
-		usage
-		;;
-esac
-
-exit 0

data/contrib/config.ru

@@ -1,45 +0,0 @@
-require 'rubygems'
-require 'rack'
-
-require 'certmeister'
-require 'certmeister/redis/store'
-require 'certmeister/rack/app'
-require 'redis'
-
-store = Certmeister::Redis::Store.new(Redis.new, "development")
-
-sign_policy = Certmeister::Policy::ChainAny.new([
-  Certmeister::Policy::ChainAll.new([
-    Certmeister::Policy::Existing.new(store),
-    Certmeister::Policy::Domain.new(['host-h.net']),
-    Certmeister::Policy::Fcrdns.new,
-  ]),
-  Certmeister::Policy::ChainAll.new([
-    Certmeister::Policy::Existing.new(store),
-    Certmeister::Policy::Domain.new(['example.com']),
-    Certmeister::Policy::IP.new(['192.168.0.0/23']),
-  ]),
-  Certmeister::Policy::IP.new(['127.0.0.1/32']),
-])
-fetch_policy = Certmeister::Policy::Noop.new
-remove_policy = Certmeister::Policy::IP.new(['192.168.0.0/23', '127.0.0.1/32'])
-
-ca = Certmeister.new(
-  Certmeister::Config.new(
-    sign_policy: sign_policy,
-    fetch_policy: fetch_policy,
-    remove_policy: remove_policy,
-    store: store,
-    ca_cert: File.read("../fixtures/ca.crt"),
-    ca_key: File.read("../fixtures/ca.key"),
-  )
-)
-certmeister = Certmeister::Rack::App.new(ca)
-
-app = Rack::Builder.new do
-  map "/ca" do
-    run certmeister
-  end
-end
-
-run app

data/contrib/hosts

@@ -1,3 +0,0 @@
-[local]
-localhost
-

data/contrib/redis.yml

@@ -1,14 +0,0 @@
----
-- hosts: local
-  connection: local
-  vars:
-    version: 2.8.4
-  tasks:
-    - name: Download redis source
-      get_url: dest=/usr/src/redis-{{version}}.tar.gz url=http://download.redis.io/releases/redis-{{version}}.tar.gz
-    - name: Unpack redis source
-      command: tar -C /usr/src -xzf /usr/src/redis-{{version}}.tar.gz creates=/usr/src/redis-{{version}}
-    - name: Build redis from source
-      command: chdir=/usr/src/redis-{{version}} make creates=/usr/src/redis-{{version}}/src/redis-server
-    - name: Install redis from source
-      command: chdir=/usr/src/redis-{{version}} make install creates=/usr/local/bin/redis-server