heroku_ssl 0.6.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 00f612a6491420af98a63a207d0d1d17a6a20bbf
+  data.tar.gz: 327c380d45de0e67ff691fa886bb5abd8d0ccd12
+SHA512:
+  metadata.gz: ca5e94d5682c154c1961976f27c47d9a47eb5cb17a1674a6d3c7305e29f32a800d97da5eec682b34a3d58cefb5afa65a4892b9ce666583c63318757260639fa3
+  data.tar.gz: 68eff01513b554ef21f7f3af737d19f0dda30666577fb9c74221221adcecb97ed2bd2cfc60696afe1a9c11af9228fa5a965230f989f481902952383700d1b9b1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2016 Kai Marshland
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,45 @@
+# Heroku SSL
+With the advent of free SSL from [Let's Encrypt](https://letsencrypt.org/), SSL should be as easy as clicking a button. 
+
+## Usage on Heroku
+Add this gem to your gemfile, then deploy it to heroku. 
+Then, you can simply run `rake ssl:update_heroku_certs`
+
+This should prompt you for everything you need to update your shiny new SSL certificate! 
+The only thing left to do will be to [configure your DNS correctly](https://devcenter.heroku.com/articles/ssl-endpoint#dns-and-domain-configuration). 
+You'll also want to make sure that the domain had been added to heroku with `heroku domains:add [your domain]`
+
+## Usage outside of Heroku
+Although designed for Heroku, it can generate certificates on other providers. 
+To do so, on your server, run `rake ssl:generate_certs`.
+This will print a JSON encoded set of PEM keys to the console.
+You can download these (you will likely want to use `privkey` and `fullchain` as your public and private keys respectively) 
+and add them to your own servers and configure the DNS yourself.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'heroku-ssl'
+```
+
+Or, to test the bleeding edge version:
+```ruby
+gem 'heroku_ssl', git: 'https://github.com/KMarshland/heroku-ssl.git'
+```
+
+And then execute:
+```bash
+$ bundle install
+```
+
+It also requires one of the following:
+- The global variable `$redis` is set
+- The environment variable `REDIS_URL` is set
+- The environment variable `HEROKU_REDIS_URL` is set
+
+## Contributing
+Submit a pull request!
+
+## License
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,36 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'HerokuSsl'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+load 'rails/tasks/statistics.rake'
+
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/app/assets/config/heroku_ssl_manifest.js

@@ -0,0 +1,2 @@
+//= link_directory ../javascripts/heroku_ssl .js
+//= link_directory ../stylesheets/heroku_ssl .css

data/app/assets/javascripts/heroku_ssl/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/javascripts/heroku_ssl/heroku_ssl.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/app/assets/stylesheets/heroku_ssl/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/assets/stylesheets/heroku_ssl/heroku_ssl.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/controllers/heroku_ssl/application_controller.rb

@@ -0,0 +1,5 @@
+module HerokuSsl
+  class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
+  end
+end

data/app/controllers/heroku_ssl/heroku_ssl_controller.rb

@@ -0,0 +1,12 @@
+require_dependency "heroku_ssl/application_controller"
+
+module HerokuSsl
+  class HerokuSslController < ApplicationController
+
+    def challenge
+      response = HerokuSsl::redis_instance.get("ssl-challenge-#{params[:challenge]}")
+      render text: response
+    end
+
+  end
+end

data/app/helpers/heroku_ssl/application_helper.rb

@@ -0,0 +1,4 @@
+module HerokuSsl
+  module ApplicationHelper
+  end
+end

data/app/helpers/heroku_ssl/heroku_ssl_helper.rb

@@ -0,0 +1,4 @@
+module HerokuSsl
+  module HerokuSslHelper
+  end
+end

data/app/jobs/heroku_ssl/application_job.rb

@@ -0,0 +1,4 @@
+module HerokuSsl
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/heroku_ssl/application_mailer.rb

@@ -0,0 +1,6 @@
+module HerokuSsl
+  class ApplicationMailer < ActionMailer::Base
+    default from: 'from@example.com'
+    layout 'mailer'
+  end
+end

data/app/models/heroku_ssl/application_record.rb

@@ -0,0 +1,5 @@
+module HerokuSsl
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/views/layouts/heroku_ssl/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Heroku ssl</title>
+  <%= stylesheet_link_tag    "heroku_ssl/application", media: "all" %>
+  <%= javascript_include_tag "heroku_ssl/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,5 @@
+Rails.application.routes.draw do
+
+  get '.well-known/acme-challenge/:challenge' => 'heroku_ssl/heroku_ssl#challenge'
+
+end

data/lib/heroku_ssl/engine.rb

@@ -0,0 +1,5 @@
+module HerokuSsl
+  class Engine < ::Rails::Engine
+    isolate_namespace HerokuSsl
+  end
+end

data/lib/heroku_ssl/ssl.rb

@@ -0,0 +1,187 @@
+require 'openssl'
+require 'acme-client'
+
+module HerokuSsl
+
+  class << self
+    def endpoint
+      # Use 'https://acme-staging.api.letsencrypt.org/' for development
+
+      'https://acme-v01.api.letsencrypt.org/'
+    end
+
+    def redis_instance
+
+      return $redis if $redis.present?
+      return $heroku_ssl_redis if $heroku_ssl_redis.present?
+
+      redis_url = ENV['REDIS_URL'] || ENV['HEROKU_REDIS_URL'] || 'redis://127.0.0.1:6379/0'
+      $heroku_ssl_redis = Redis.new(:url => redis_url)
+
+    end
+
+    # Where the certificates are stored
+    def cert_directory
+      Rails.root.join('certs')
+    end
+
+    def write(filename, content)
+      FileUtils.mkdir_p cert_directory
+
+      File.write(cert_directory.join(filename), content)
+    end
+
+    def read(filename)
+      FileUtils.mkdir_p cert_directory
+
+      return nil unless File.exists? cert_directory.join(filename)
+
+      File.read cert_directory.join(filename)
+    end
+
+    def gen_unless_exists(filename)
+      existing = read filename
+      return existing if existing.present?
+
+      created = yield filename
+      write filename, created
+
+      created
+    end
+
+    #forcibly regenerates the account private key
+    def regenerate_private_key
+      @private_key = OpenSSL::PKey::RSA.new(4096)
+      write('account.pem', @private_key.export)
+
+      @private_key
+    end
+
+    #returns any existing account private key; only generates a new one if none exist
+    def private_key
+      return @private_key if @private_key.present?
+
+      pem = read "#{Rails.env}/account.pem"
+      if pem.present?
+        @private_key = OpenSSL::PKey::RSA.new(pem)
+      else
+        regenerate_private_key
+      end
+    end
+
+
+    def client
+      @client ||= Acme::Client.new(
+          private_key: private_key,
+          endpoint: endpoint,
+          connection_options: {
+              request: {
+                  open_timeout: 5,
+                  timeout: 5
+              }
+          }
+      )
+    end
+
+    #adds a contact for a domain
+    def register(email)
+      # If the private key is not known to the server, we need to register it for the first time.
+      registration = client.register(contact: "mailto:#{email}")
+
+      # You may need to agree to the terms of service (that's up the to the server to require it or not but boulder does by default)
+      registration.agree_terms
+    rescue Acme::Client::Error::Malformed => e
+      if e.message == 'Registration key is already in use'
+        puts 'Already registered'
+      else
+        raise e
+      end
+    end
+
+    def authorize(domain)
+      if domain.is_a? Array
+        domain.each do |dom|
+          authorize dom
+        end
+
+        return
+      end
+
+      authorization = client.authorize(domain: domain)
+
+      return if authorization.status == 'valid'
+
+      # This example is using the http-01 challenge type. Other challenges are dns-01 or tls-sni-01.
+      challenge = authorization.http01
+
+      redis_instance.set("ssl-challenge-#{challenge.filename.split('/').last}", challenge.file_content)
+      redis_instance.expire("ssl-challenge-#{challenge.filename.split('/').last}", 5.minutes)
+
+      challenge.request_verification
+
+      # Wait a bit for the server to make the request, or just blink. It should be fast.
+      sleep(1)
+
+      status = nil
+      begin
+        # May sometimes give an error, for mysterious reasons
+        status = challenge.authorization.verify_status
+      rescue
+      end
+
+      #alternate method to read authorization status
+      status = client.authorize(domain: domain).status if status == 'pending' || status.blank?
+
+      unless status == 'valid'
+        puts challenge.error
+        raise "Did not verify client. Status is still #{status}"
+      end
+    end
+
+    def try_authorize(domain, retries=1)
+      begin
+        authorize domain
+        return true
+      rescue RuntimeError => e
+        puts e.message
+
+        if retries > 0
+          puts 'Retrying domain authorization...'
+          return try_authorize domain, retries-1
+        else
+          return false
+        end
+      end
+    end
+
+    def request_certificate(domain)
+      unless try_authorize domain
+        puts 'Domain authorization failed. Aborting operation'
+        return
+      end
+
+      csr = Acme::Client::CertificateRequest.new(names: [*domain])
+
+      # We can now request a certificate. You can pass anything that returns
+      # a valid DER encoded CSR when calling to_der on it. For example an
+      # OpenSSL::X509::Request should work too.
+      certificate = client.new_certificate(csr)
+
+      {
+          privkey: certificate.request.private_key.to_pem,
+          cert: certificate.to_pem,
+          chain: certificate.chain_to_pem,
+          fullchain: certificate.fullchain_to_pem
+      }
+
+    end
+
+    def create_dh_params
+      gen_unless_exists 'dhparam.pem' do |filename|
+        `openssl dhparam -out #{filename} 4096`
+      end
+    end
+
+  end
+
+end

data/lib/heroku_ssl/version.rb

@@ -0,0 +1,3 @@
+module HerokuSsl
+  VERSION = '0.6.0'
+end

data/lib/heroku_ssl.rb

@@ -0,0 +1,6 @@
+require "heroku_ssl/engine"
+require "heroku_ssl/ssl"
+
+module HerokuSsl
+
+end

data/lib/tasks/heroku_ssl_tasks.rake

@@ -0,0 +1,162 @@
+
+namespace :heroku_ssl do
+
+  task :update_certs do
+    STDOUT.puts 'Once your app has been deployed to Heroku, hit enter.'
+
+    STDIN.gets
+
+    email = get_email
+    domains = get_domains
+    app = get_app
+
+    puts "Attempting to generate ssl certificates for #{app} (registering #{domains} to #{email})"
+
+    #generate the certs on the server
+    output = `unset RUBYOPT; heroku run rake heroku_ssl:generate_certs #{email} #{domains} --app #{app}`
+
+    #read out the certs to temporary files
+    if output.include? '~~ GENERATED CERTIFICATES START ~~'
+      puts 'Successfully generated certificates! Attempting to update Heroku DNS'
+
+      output = output.split('~~ GENERATED CERTIFICATES START ~~').last
+                   .split('~~ GENERATED CERTIFICATES END ~~').first
+      output = JSON(output)
+
+      File.open('fullchain.pem', 'wb') do |file|
+        file.write output['fullchain']
+      end
+
+      File.open('privkey.pem', 'wb') do |file|
+        file.write output['privkey']
+      end
+
+      # update heroku certs
+      # RUBYOPT breaks the heroku command for some reason, so you have to unset it
+      `unset RUBYOPT; heroku certs:update fullchain.pem privkey.pem --app #{get_app} --confirm #{get_app}`
+
+      # clean up
+      File.delete('fullchain.pem', 'privkey.pem')
+
+      puts 'Successfully updated Heroku SSL certificates! Now you just need to make sure your DNS is configured to point as follows: '
+      puts `unset RUBYOPT; heroku domains`.split("\n")[4..-1].join("\n")
+    else
+      puts 'Full log: '
+      puts output
+      puts ''
+
+      puts 'Could not generate certificates. Please try again later or try running `heroku run rake heroku_ssl:generate_certs` directly'
+    end
+
+  end
+
+  task :generate_certs do
+    email = (ARGV[1] || '').strip
+    email = get_email if email.blank?
+
+    puts "Registering #{email}"
+    HerokuSsl::register email
+
+    domain = ARGV[2..-1]
+    domain = get_domains if domain.blank?
+
+    puts "Authorizing and generating certificates for #{domain}"
+
+    certs = HerokuSsl::request_certificate domain
+
+    if certs.present?
+      STDOUT.puts '~~ GENERATED CERTIFICATES START ~~'
+      STDOUT.puts JSON(certs)
+      STDOUT.puts '~~ GENERATED CERTIFICATES END ~~'
+    end
+  end
+
+  def get_email
+    return @email if @email.present?
+
+    @email = `git config user.email`
+    @email.strip! if @email.present?
+
+    default_prompt = ''
+    default_prompt = " [#{@email}]" if @email.present?
+
+    new_email = nil
+    while new_email.blank?
+      STDOUT.puts "Enter your email#{default_prompt}: "
+      new_email = STDIN.gets
+
+      if new_email.blank?
+        new_email = @email
+      else
+        new_email.strip!
+      end
+    end
+
+    @email = new_email
+  end
+
+  def get_domains
+    return @domain if @domain.present?
+
+    domains = `unset RUBYOPT; heroku domains`.split("\n").select(&:present?)[5..-1]
+    domains.map! do |domain|
+      domain.split(/\s+/).first
+    end
+    @domain = domains.join ' '
+
+    default_prompt = ''
+    default_prompt = " [#{@domain}]" if @domain.present?
+
+    new_domain = nil
+    while new_domain.blank?
+      STDOUT.puts "Enter the domain to register#{default_prompt}: "
+      new_domain = STDIN.gets
+
+      if new_domain.blank?
+        new_domain = @domain
+      else
+        new_domain.strip!
+      end
+    end
+
+    @domain = new_domain
+  end
+
+  def get_app
+    return @app if @app.present?
+
+    @apps = @apps || `unset RUBYOPT; heroku apps`.split("\n")
+    remotes = `git remote -v`.split("\n").map do |r|
+      r.split("\t").last
+    end
+
+    @apps.each do |app|
+      remotes.each do |remote|
+        if remote.include? app
+          @app = app
+          break
+        end
+      end
+      break if @app.present?
+    end
+
+    default_prompt = ''
+    default_prompt = " [#{@app}]" if @app.present?
+
+    new_app = nil
+    while new_app.blank?
+      STDOUT.puts "Enter the heroku app#{default_prompt}: "
+      new_app = STDIN.gets
+
+      if new_app.blank?
+        new_app = @app
+      else
+        new_app.strip!
+      end
+    end
+
+    @app = new_app
+  end
+
+end
+

metadata

@@ -0,0 +1,108 @@
+--- !ruby/object:Gem::Specification
+name: heroku_ssl
+version: !ruby/object:Gem::Version
+  version: 0.6.0
+platform: ruby
+authors:
+- Kai Marshland
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-11-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+- !ruby/object:Gem::Dependency
+  name: acme-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Designed for Heroku, but can be adapted for other hosts as well
+email:
+- kaimarshland@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/assets/config/heroku_ssl_manifest.js
+- app/assets/javascripts/heroku_ssl/application.js
+- app/assets/javascripts/heroku_ssl/heroku_ssl.js
+- app/assets/stylesheets/heroku_ssl/application.css
+- app/assets/stylesheets/heroku_ssl/heroku_ssl.css
+- app/controllers/heroku_ssl/application_controller.rb
+- app/controllers/heroku_ssl/heroku_ssl_controller.rb
+- app/helpers/heroku_ssl/application_helper.rb
+- app/helpers/heroku_ssl/heroku_ssl_helper.rb
+- app/jobs/heroku_ssl/application_job.rb
+- app/mailers/heroku_ssl/application_mailer.rb
+- app/models/heroku_ssl/application_record.rb
+- app/views/layouts/heroku_ssl/application.html.erb
+- config/routes.rb
+- lib/heroku_ssl.rb
+- lib/heroku_ssl/engine.rb
+- lib/heroku_ssl/ssl.rb
+- lib/heroku_ssl/version.rb
+- lib/tasks/heroku_ssl_tasks.rake
+homepage: https://github.com/KMarshland/heroku-ssl
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Quickly and easily add SSL to a Rails App with Let's Encrypt
+test_files: []