kingsly_certbot 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f918cc872b94fb857145acf72d39d5d832afcdc9e245df04da9162b98282d80f
+  data.tar.gz: efb37de505cc61020707ab4c3ed3ada16e5bedc110bedd0ac8806237f04d0754
+SHA512:
+  metadata.gz: a65a4a465a7cdabe2dabdd6267f1d05da358b58c067169972e4c3ae58bf845c280f99d403c4adda0c5eaeba4a9bfa103c48ead02c5800dc804ce83526d3ae5cf
+  data.tar.gz: bea614d762a02c1b459abcb051031ee1f05356294c616e0650e615fb38a00586a3f3656173e1bf1eabf4c19127ca51ec60ac2d724385fa2b1b362557fb050786

data/.gitignore

@@ -0,0 +1,57 @@
+# rspec failure tracking
+.rspec_status
+
+*.idea/
+# swap files
+*.swp
+
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,32 @@
+Metrics/LineLength:
+  Max: 200
+
+Style/FrozenStringLiteralComment:
+  Exclude:
+    - 'spec/*'
+
+Style/Documentation:
+  Enabled: false
+
+Style/CommandLiteral:
+  Enabled: false
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/*'
+
+Metrics/PerceivedComplexity:
+  Max: 8
+
+Metrics/MethodLength:
+  Max: 30
+
+Metrics/CyclomaticComplexity:
+  Max: 7
+
+Metrics/AbcSize:
+  Max: 36
+
+Metrics/ParameterLists:
+  Exclude:
+    - 'lib/kingsly_certbot/kingsly_client.rb'

data/.ruby-gemset

@@ -0,0 +1,2 @@
+kingsly-certbot
+-global

data/.ruby-version

@@ -0,0 +1 @@
+2.5.1

data/.travis.yml

@@ -0,0 +1,13 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+
+rvm:
+  - 2.5.3
+
+before_install: gem install bundler -v 2.0.1
+
+script:
+  - bundle
+  - bundle exec rake

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in kingsly_certbot.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,71 @@
+PATH
+  remote: .
+  specs:
+    kingsly_certbot (0.1.0)
+      sentry-raven (~> 2.9.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.6.0)
+      public_suffix (>= 2.0.2, < 4.0)
+    ast (2.4.0)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    diff-lcs (1.3)
+    faraday (0.15.4)
+      multipart-post (>= 1.2, < 3)
+    hashdiff (0.3.8)
+    jaro_winkler (1.5.2)
+    multipart-post (2.0.0)
+    parallel (1.13.0)
+    parser (2.6.0.0)
+      ast (~> 2.4.0)
+    powerpack (0.1.2)
+    public_suffix (3.0.3)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    rubocop (0.63.1)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.5, != 2.5.1.1)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.4.0)
+    ruby-progressbar (1.10.0)
+    safe_yaml (1.0.4)
+    sentry-raven (2.9.0)
+      faraday (>= 0.7.6, < 1.0)
+    unicode-display_width (1.4.1)
+    webmock (3.5.1)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 2.0.1)
+  kingsly_certbot!
+  rake (~> 10.5.0)
+  rspec (~> 3.8.0)
+  rubocop (~> 0.63.1)
+  webmock (~> 3.5.1)
+
+BUNDLED WITH
+   2.0.1

data/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,22 @@
+# Kingsly::Certbot
+
+kingsly-certbot would update the local certs and update them from the ones generated by kingsly
+
+## Installation
+
+TODO: Write installion instructions here
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/gojekfarm/kingsly-certbot
+

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+
+task(:default).enhance(%i[rubocop spec])

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'kingsly/certbot'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/kingsly-certbot

@@ -0,0 +1,21 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'kingsly_certbot'
+
+# kingsly-certbot --config /opt/kingsly-certbot/kingsly-certbot.conf
+log_dir = ENV['LOG_DIR'] || '/var/log'
+$logger = if Dir.exists?(log_dir)
+            Logger.new("#{log_dir}/kingsly-certbot.log", level: ENV['LOG_LEVEL'] || 'info')
+          else
+            Logger.new(STDOUT)
+          end
+certbot = begin
+  KingslyCertbot::Runner.new(ARGV)
+rescue StandardError => e
+  $logger.fatal(e)
+  $logger.fatal(e.backtrace.join("\n"))
+  return 1
+end
+
+certbot.configure.execute

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/kingsly-config.yaml.sample

@@ -0,0 +1,9 @@
+SENTRY_DSN:
+ENVIRONMENT: 'development'
+TOP_LEVEL_DOMAIN: 'go-life.co.id'
+SUB_DOMAIN: 'delete-thirty-one'
+KINGSLY_SERVER_HOST: 'integration-kingsly.golabs.io'
+KINGSLY_SERVER_USER: '****'
+KINGSLY_SERVER_PASSWORD: '****'
+SERVER_TYPE: 'ipsec'
+IPSEC_ROOT: ~/ipsec

data/kingsly_certbot.gemspec

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'kingsly_certbot/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'kingsly_certbot'
+  spec.version       = KingslyCertbot::VERSION
+  spec.authors       = ['FOSS at GO-JEK']
+  spec.email         = ['foss+tech@go-jek.com']
+  spec.homepage      = 'https://github.com/gojekfarm/kingsly'
+  spec.licenses      = ['Apache-2.0']
+
+  spec.summary       = 'kingsly-certbot would update the local certs and update them from the ones generated by kingsly'
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    # spec.metadata['allowed_push_host'] = 'https://rubygems.org'
+
+    spec.metadata['source_code_uri'] = 'https://github.com/gojekfarm/kingsly-certbot'
+    spec.metadata['changelog_uri'] = 'https://github.com/gojekfarm/kingsly-certbot/blob/master/CHANGELOG.md'
+  else
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
+  end
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir = 'bin'
+  spec.executables = ['kingsly-certbot']
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 2.0', '>= 2.0.1'
+  spec.add_development_dependency 'rake', '~> 10.5', '>= 10.5.0'
+  spec.add_development_dependency 'rspec', '~> 3.8', '>= 3.8.0'
+  spec.add_development_dependency 'rubocop', '~> 0.63.1'
+  spec.add_development_dependency 'webmock', '~> 3.5', '>= 3.5.1'
+  spec.add_runtime_dependency 'sentry-raven', '~> 2.9', '>= 2.9.0'
+end

data/lib/kingsly_certbot/cert_bundle.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'fileutils'
+
+module KingslyCertbot
+  class CertBundle
+    attr_reader :tld, :subdomain, :private_key, :full_chain
+
+    def initialize(tld, subdomain, private_key, full_chain)
+      @tld = tld
+      @subdomain = subdomain
+      @private_key = private_key
+      @full_chain = full_chain
+    end
+
+    def ==(other)
+      return false if other.class != self.class
+
+      state == other.state
+    end
+
+    def hash
+      state.hash
+    end
+
+    protected
+
+    def state
+      [tld, subdomain, private_key, full_chain]
+    end
+  end
+end

data/lib/kingsly_certbot/configuration.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module KingslyCertbot
+  class Configuration
+    VARS = [:kingsly_server_host, :kingsly_server_user, :kingsly_server_password, :top_level_domain, :sub_domain,
+        :kingsly_http_read_timeout, :kingsly_http_open_timeout, :sentry_dsn, :environment, :server_type, :ipsec_root]
+    attr_accessor *VARS
+
+    def initialize(params = {})
+      @kingsly_http_read_timeout = 120
+      @kingsly_http_open_timeout = 5
+      @sentry_dsn = params['SENTRY_DSN']
+      @environment = params['ENVIRONMENT'] || 'development'
+      @top_level_domain = params['TOP_LEVEL_DOMAIN']
+      @sub_domain = params['SUB_DOMAIN']
+      @kingsly_server_host = params['KINGSLY_SERVER_HOST']
+      @kingsly_server_user = params['KINGSLY_SERVER_USER']
+      @kingsly_server_password = params['KINGSLY_SERVER_PASSWORD']
+      @server_type = params['SERVER_TYPE']
+      @ipsec_root = params['IPSEC_ROOT'] || '/'
+    end
+
+    def validate!
+      %i[top_level_domain sub_domain kingsly_server_host kingsly_server_user kingsly_server_password server_type].each do |mandatory|
+        raise "Missing mandatory config '#{mandatory}'" if send(mandatory).nil? || send(mandatory) == ''
+      end
+      raise "Unsupported server_type '#{server_type}'" unless ['ipsec'].include?(server_type)
+
+      self
+    end
+
+    def to_s
+      str = ''
+      VARS.each do |key|
+        value = self.send(key)
+        value = "****" if key == :kingsly_server_password
+        str+="#{key.to_s}: '#{value}'\n"
+      end
+      str
+    end
+  end
+end

data/lib/kingsly_certbot/ip_sec_cert_adapter.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module KingslyCertbot
+  class IpSecCertAdapter
+    attr_reader :cert_backup_dir, :cert_private_dir, :certs_dir
+
+    def initialize(cert_bundle, root = '/')
+      raise 'passed parameter not of type CertBundle' if cert_bundle.class != KingslyCertbot::CertBundle
+
+      @cert_bundle = cert_bundle
+      root = root.end_with?('/') ? root : "#{root}/"
+      @cert_backup_dir = "#{root}etc/ipsec.d/backup"
+      @cert_private_dir = "#{root}etc/ipsec.d/private"
+      @certs_dir = "#{root}etc/ipsec.d/certs"
+    end
+
+    def update_assets
+      cert_filename = "#{@cert_bundle.subdomain}.#{@cert_bundle.tld}.pem"
+      private_key_filepath = "#{cert_private_dir}/#{cert_filename}"
+      cert_filepath = "#{certs_dir}/#{cert_filename}"
+
+      if File.exist?(private_key_filepath) && File.exist?(cert_filepath)
+        existing_private_key_content = File.read(private_key_filepath)
+        existing_cert_content = File.read(cert_filepath)
+        if existing_private_key_content == @cert_bundle.private_key && existing_cert_content == @cert_bundle.full_chain
+          $logger.info('New certificate file is same as old cert file, skipping updating certificates')
+          return
+        else
+          time = Time.now.strftime('%Y%m%d_%H%M%S')
+          backup_dir = "#{cert_backup_dir}/#{time}"
+          $logger.info("Taking backup of existing certificates to #{backup_dir}")
+
+          FileUtils.mkdir_p(backup_dir)
+          FileUtils.mv(private_key_filepath, "#{backup_dir}/#{cert_filename}.private", force: true)
+          FileUtils.mv(cert_filepath, "#{backup_dir}/#{cert_filename}.certs", force: true)
+        end
+      end
+
+      FileUtils.mkdir_p(cert_private_dir) unless Dir.exist?(cert_private_dir)
+      File.open(private_key_filepath, 'w') do |f|
+        f.write(@cert_bundle.private_key)
+      end
+
+      FileUtils.mkdir_p(certs_dir) unless Dir.exist?(certs_dir)
+      File.open(cert_filepath, 'w') do |f|
+        f.write(@cert_bundle.full_chain)
+      end
+    end
+
+    def restart_service
+      result = %x(ipsec restart)
+      $logger.error("ipsec restart command failed with exitstatus: '#{result.exitstatus}'") unless result.success?
+      result.success?
+    rescue StandardError => e
+      $logger.fatal("ipsec restart command failed with error message: '#{e.message}'")
+      raise e
+    end
+  end
+end

data/lib/kingsly_certbot/kingsly_client.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'json'
+require 'base64'
+
+module KingslyCertbot
+  class KingslyClient
+    def self.get_cert_bundle(kingsly_server_host:,
+                             kingsly_server_user:,
+                             kingsly_server_password:,
+                             top_level_domain:,
+                             sub_domain:,
+                             kingsly_http_read_timeout: 120,
+                             kingsly_http_open_timeout: 5)
+
+      body = {
+        'top_level_domain' => top_level_domain,
+        'sub_domain' => sub_domain
+      }
+      uri = URI.parse("http://#{kingsly_server_host}/v1/cert_bundles")
+
+      http = Net::HTTP.new(uri.host, '80')
+
+      http.read_timeout = kingsly_http_read_timeout
+      http.open_timeout = kingsly_http_open_timeout
+
+      headers = {}
+      headers['Authorization'] = 'Basic ' + Base64.encode64("#{kingsly_server_user}:#{kingsly_server_password}").chop
+      headers['Content-Type'] = 'application/json'
+      resp = http.start do |http_request|
+        http_request.post(uri.path, JSON.dump(body), headers)
+      end
+
+      raise 'Authentication failure with kingsly, Please check your authentication configuration' if resp.code == '401'
+
+      body = JSON.parse(resp.body)
+      CertBundle.new(top_level_domain, sub_domain, body['private_key'], body['full_chain'])
+    end
+  end
+end

data/lib/kingsly_certbot/runner.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module KingslyCertbot
+  class Runner
+    attr_reader :configuration
+
+    def initialize(args)
+      raise 'Argument passed is not of type Array' if args.class != Array
+      raise '--config argument missing' if args[0] == nil || args[0].strip == ''
+      raise "Unknown argument '#{args[0]}'" if args[0] != '--config'
+      raise "Config file does not exist at '#{args[1]}'" unless File.exist?(args[1])
+
+      @config_path = args[1]
+    end
+
+    def configure
+      begin
+        local_config = YAML.load_file(@config_path)
+        $logger.info("Loaded config file from #{@config_path}")
+      rescue Psych::SyntaxError => e
+        raise StandardError, "Invalid YAML config file '#{@config_path}', original message: '#{e.message}'"
+      end
+
+      @configuration = KingslyCertbot::Configuration.new(local_config)
+      $logger.info("Loaded configuration: #{@configuration.to_s}")
+      Raven.configure do |config|
+        config.dsn = @configuration.sentry_dsn
+        config.encoding = 'json'
+        config.environments = %w[production integration]
+        config.current_environment = @configuration.environment
+        config.logger = $logger
+        config.release = KingslyCertbot::VERSION
+      end
+      self
+    end
+
+    def execute
+      @configuration.validate!
+      $logger.info("Querying Kingsly server for certificate to domain #{@configuration.sub_domain}.#{@configuration.top_level_domain}")
+      cert_bundle = KingslyClient.get_cert_bundle(
+        kingsly_server_host: @configuration.kingsly_server_host,
+        kingsly_server_user: @configuration.kingsly_server_user,
+        kingsly_server_password: @configuration.kingsly_server_password,
+        top_level_domain: @configuration.top_level_domain,
+        sub_domain: @configuration.sub_domain,
+        kingsly_http_read_timeout: @configuration.kingsly_http_read_timeout,
+        kingsly_http_open_timeout: @configuration.kingsly_http_open_timeout
+      )
+      $logger.info("Updating assets for server type #{@configuration.server_type}")
+      adapter = case @configuration.server_type
+                when 'ipsec'
+                  IpSecCertAdapter.new(cert_bundle, @configuration.ipsec_root)
+                else
+                  raise "Unsupported server type #{@configuration.server_type}"
+                end
+      adapter.update_assets
+      adapter.restart_service
+      $logger.info("Updated assets for server type #{@configuration.server_type}")
+    rescue StandardError => e
+      $logger.error('FAILED - Kingsly Certbot execution failed for following reason:')
+      $logger.error(e.message)
+      $logger.error e.backtrace.join("\n")
+      Raven.capture_exception(e, 'Failed in KingslyCertbot::Runner.execute operation')
+    end
+  end
+end

data/lib/kingsly_certbot/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module KingslyCertbot
+  VERSION = '0.1.0'
+end

data/lib/kingsly_certbot.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'sentry-raven'
+require 'yaml'
+require 'psych'
+
+require 'kingsly_certbot/version'
+require 'kingsly_certbot/configuration'
+require 'kingsly_certbot/cert_bundle'
+require 'kingsly_certbot/kingsly_client'
+require 'kingsly_certbot/ip_sec_cert_adapter'
+require 'kingsly_certbot/runner'
+
+module KingslyCertbot
+end

metadata

@@ -0,0 +1,186 @@
+--- !ruby/object:Gem::Specification
+name: kingsly_certbot
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- FOSS at GO-JEK
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-01-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.1
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 10.5.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 10.5.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.63.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.63.1
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.5.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.5.1
+- !ruby/object:Gem::Dependency
+  name: sentry-raven
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.0
+description: 
+email:
+- foss+tech@go-jek.com
+executables:
+- kingsly-certbot
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-gemset"
+- ".ruby-version"
+- ".travis.yml"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/kingsly-certbot
+- bin/setup
+- kingsly-config.yaml.sample
+- kingsly_certbot.gemspec
+- lib/kingsly_certbot.rb
+- lib/kingsly_certbot/cert_bundle.rb
+- lib/kingsly_certbot/configuration.rb
+- lib/kingsly_certbot/ip_sec_cert_adapter.rb
+- lib/kingsly_certbot/kingsly_client.rb
+- lib/kingsly_certbot/runner.rb
+- lib/kingsly_certbot/version.rb
+homepage: https://github.com/gojekfarm/kingsly
+licenses:
+- Apache-2.0
+metadata:
+  source_code_uri: https://github.com/gojekfarm/kingsly-certbot
+  changelog_uri: https://github.com/gojekfarm/kingsly-certbot/blob/master/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: kingsly-certbot would update the local certs and update them from the ones
+  generated by kingsly
+test_files: []