leap_ca 0.2.0

data/README.md

@@ -0,0 +1,118 @@
+LEAP Certificate Authority Daemon
+---------------------------------------------------
+
+``leap_ca_daemon`` is a background daemon that generates x509 certificates as needed and stores them in CouchDB. You can run ``leap_ca`` on a machine that is not connected to a network, and then periodically connect to sync up the cert database.
+
+* Its only interface with the outside world is a CouchDB connection (defaults to localhost).
+* The daemon monitors changes to the database and fills it with x509 certs as needed.
+* It requires access to a Certificate Authority (in other words, the RSA private key and x509 root certificate, in PEM format).
+
+This program is written in Ruby and is distributed under the following license:
+
+> GNU Affero General Public License
+> Version 3.0 or higher
+> http://www.gnu.org/licenses/agpl-3.0.html
+
+Installation
+---------------------
+
+Prerequisites:
+
+    sudo apt-get install ruby ruby-dev couchdb
+    # if you are running ruby 1.8, you will also need rubygems.
+    # for development, you will also need git, bundle, and rake.
+
+From source:
+
+    git clone git://leap.se/leap_ca
+    cd cleap_ca
+    bundle
+    rake build
+    sudo rake install
+
+From gem:
+
+    sudo gem install leap_ca
+
+Running
+--------------------
+
+See if it worked:
+
+    leap_ca_daemon run -- test/config/config.yaml
+    browse to http://localhost:5984/_utils
+
+How you would run normally in production mode:
+
+    leap_ca_daemon start
+    leap_ca_daemon stop
+
+See ``leap_ca_daemon --help`` for more options.
+
+Configuration
+---------------------
+
+``leap_ca_daemon`` reads the following configurations files, in this order:
+
+* ``$(leap_ca_source)/config/default_config.yaml``
+* ``/etc/leap/leap_ca.yaml``
+* Any file passed to ARGV like so ``leap_ca start -- /etc/leap_ca.yaml``
+
+Other than ``ca_key_path`` and ``ca_cert_path`` you can probably leave all other options at their default values.
+
+The default options are:
+
+    #
+    # Default configuration options for LEAP Certificate Authority Daemon
+    #
+
+    #
+    # Certificate Authority
+    #
+    ca_key_path: "../test/files/ca.key"
+    ca_key_password: nil
+    ca_cert_path: "../test/files/ca.crt"
+
+    #
+    # Certificate pool
+    #
+    max_pool_size: 100
+    client_cert_lifespan: 2
+    client_cert_bit_size: 2024
+    client_cert_hash: "SHA256"
+
+    #
+    # Database
+    #
+    db_name: "client_certificates"
+    couch_connection:
+      protocol: "http"
+      host: "localhost"
+      port: 5984
+      username: ~
+      password: ~
+      prefix: ""
+      suffix: ""
+
+Rake Tasks
+----------------------------
+
+    rake -T
+    rake build      # Build leap_ca-x.x.x.gem into the pkg directory
+    rake install    # Install leap_ca-x.x.x.gem into either system-wide or user gems
+    rake test       # Run tests
+    rake uninstall  # Uninstall leap_ca-x.x.x.gem from either system-wide or user gems
+
+Development
+--------------------
+
+For development and debugging you might want to run the programm directly without
+the deamon wrapper. You can do this like this:
+
+    ruby -I lib lib/leap_ca_daemon.rb
+
+
+Todo
+----------------------------
+
+* Remove deprecated 'yajl/http_stream'

data/Rakefile

@@ -0,0 +1,93 @@
+require "rubygems"
+require "highline/import"
+require "pty"
+require "fileutils"
+require 'rake/testtask'
+
+##
+## HELPER
+##
+
+def run(cmd)
+  PTY.spawn(cmd) do |output, input, pid|
+    begin
+      while line = output.gets do
+        puts line
+      end
+    rescue Errno::EIO
+    end
+  end
+rescue PTY::ChildExited
+end
+
+##
+## GEM BUILDING AND INSTALLING
+##
+
+$spec_path = 'leap_ca.gemspec'
+$spec      = eval(File.read($spec_path))
+$base_dir  = File.dirname(__FILE__)
+$gem_path  = File.join($base_dir, 'pkg', "#{$spec.name}-#{$spec.version}.gem")
+
+def built_gem_path
+  Dir[File.join($base_dir, "#{$spec.name}-*.gem")].sort_by{|f| File.mtime(f)}.last
+end
+
+desc "Build #{$spec.name}-#{$spec.version}.gem into the pkg directory"
+task 'build' do
+  FileUtils.mkdir_p(File.join($base_dir, 'pkg'))
+  FileUtils.rm($gem_path) if File.exists?($gem_path)
+  run "gem build -V '#{$spec_path}'"
+  file_name = File.basename(built_gem_path)
+  FileUtils.mv(built_gem_path, 'pkg')
+  say "#{$spec.name} #{$spec.version} built to pkg/#{file_name}"
+end
+
+desc "Install #{$spec.name}-#{$spec.version}.gem into either system-wide or user gems"
+task 'install' do
+  if !File.exists?($gem_path)
+    say("Could not file #{$gem_path}. Try running 'rake build'")
+  else
+    if ENV["USER"] == "root"
+      run "gem install '#{$gem_path}'"
+    else
+      home_gem_path = Gem.path.grep(/home/).first
+      say("You are installing as an unprivileged user, which will result in the installation being placed in '#{home_gem_path}'.")
+      if agree("Do you want to continue installing to #{home_gem_path}? ")
+        run "gem install '#{$gem_path}' --user-install"
+      end
+    end
+  end
+end
+
+desc "Uninstall #{$spec.name}-#{$spec.version}.gem from either system-wide or user gems"
+task 'uninstall' do
+  if ENV["USER"] == "root"
+    say("Removing #{$spec.name}-#{$spec.version}.gem from system-wide gems")
+    run "gem uninstall '#{$spec.name}' --version #{$spec.version} --verbose -x -I"
+  else
+    say("Removing #{$spec.name}-#{$spec.version}.gem from user's gems")
+    run "gem uninstall '#{$spec.name}' --version #{$spec.version} --verbose --user-install -x -I"
+  end
+end
+
+##
+## TESTING
+##
+
+Rake::TestTask.new do |t|
+  t.pattern = "test/unit/*_test.rb"
+end
+task :default => :test
+
+##
+## DOCUMENTATION
+##
+
+# require 'rdoc/task'
+
+# Rake::RDocTask.new do |rd|
+#   rd.main = "README.rdoc"
+#   rd.rdoc_files.include("README.rdoc","lib/**/*.rb","bin/**/*")
+#   rd.title = 'Your application title'
+# end

data/bin/leap_ca_daemon

@@ -0,0 +1,59 @@
+#!/usr/bin/ruby
+
+#
+# LEAP Client Certificate Generation Daemon
+#
+
+BASE_DIR = File.expand_path('../..', File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__)
+
+begin
+  #
+  # try without rubygems (might be already loaded or not present)
+  #
+  require 'leap_ca/version'
+rescue LoadError
+  #
+  # try with rubygems
+  #
+  require "#{BASE_DIR}/lib/leap_ca/version.rb"
+  LeapCA::REQUIRE_PATHS.each do |path|
+    path = File.expand_path(path, BASE_DIR)
+    $LOAD_PATH.unshift path unless $LOAD_PATH.include?(path)
+  end
+  require 'rubygems'
+  require 'leap_ca/version'
+end
+
+# Graceful Ctrl-C
+Signal.trap("SIGINT") do
+  puts "\nQuit"
+  exit
+end
+
+# this changes later, so save the initial current directory
+CWD = Dir.pwd
+
+# handle --version ourselves
+if ARGV.grep(/--version/).any?
+  puts "leap_ca #{LeapCA::VERSION}, ruby #{RUBY_VERSION}"
+  exit(0)
+end
+
+# --fill-pool will fill the pool and then exit
+if ARGV.grep(/--fill-pool/).any?
+  require 'leap_ca'
+  pool = LeapCA::Pool.new(:size => LeapCA::Config.max_pool_size)
+  pool.fill
+  exit(0)
+end
+
+#
+# Start the daemon
+#
+require 'daemons'
+if ENV["USER"] == "root"
+  options = {:app_name => 'leap_ca', :dir_mode => :system}  # this will put the pid file in /var/run
+else
+  options = {:app_name => 'leap_ca', :dir_mode => :normal, :dir => '/tmp'} # this will put the pid file in /tmp
+end
+Daemons.run("#{BASE_DIR}/lib/leap_ca_daemon.rb", options)

data/config/config_default.yaml

@@ -0,0 +1,32 @@
+#
+# Default configuration options for LEAP Certificate Authority Daemon
+#
+
+#
+# Certificate Authority
+#
+ca_key_path: "./test/files/ca.key"
+ca_key_password: nil
+ca_cert_path: "./test/files/ca.crt"
+
+#
+# Certificate pool
+#
+max_pool_size: 100
+client_cert_lifespan: 2
+client_cert_bit_size: 2024
+client_cert_hash: "SHA256"
+
+#
+# Database
+#
+db_name: "client_certificates"
+couch_connection:
+  protocol: "http"
+  host: "localhost"
+  port: 5984
+  username: ~
+  password: ~
+  prefix: ""
+  suffix: ""
+  join: "_"

data/lib/leap_ca/cert.rb

@@ -0,0 +1,145 @@
+#
+# Model for certificates stored in CouchDB.
+#
+# This file must be loaded after Config has been loaded.
+#
+
+require 'base64'
+require 'digest/md5'
+require 'openssl'
+require 'certificate_authority'
+require 'date'
+
+module LeapCA
+  class Cert < CouchRest::Model::Base
+
+    use_database LeapCA::Config.db_name
+
+    timestamps!
+
+    property :key, String                          # the client private RSA key
+    property :cert, String                         # the client x509 certificate, signed by the CA
+    property :valid_until, Time                    # expiration time of the client certificate
+    property :random, Float, :accessible => false  # used to help pick a random cert by the webapp
+
+    validates :key, :presence => true
+    validates :cert, :presence => true
+    validates :random, :presence => true, :numericality => {:greater_than_or_equal_to => 0, :less_than => 1}
+
+    before_validation :generate, :set_random, :on => :create
+
+    design do
+      view :by_random
+    end
+
+    class << self
+      def sample
+        self.by_random.startkey(rand).first || self.by_random.first
+      end
+
+      def pick_from_pool
+        cert = self.sample
+        raise RECORD_NOT_FOUND unless cert
+        cert.destroy
+        return cert
+      rescue RESOURCE_NOT_FOUND
+        retry if self.by_random.count > 0
+        raise RECORD_NOT_FOUND
+      end
+    end
+
+    #
+    # generate the private key and client certificate
+    #
+    def generate
+      cert = CertificateAuthority::Certificate.new
+
+      # set subject
+      cert.subject.common_name = random_common_name
+
+      # set expiration
+      self.valid_until = months_from_yesterday(Config.client_cert_lifespan)
+      cert.not_before  = yesterday
+      cert.not_after   = self.valid_until
+
+      # generate key
+      cert.serial_number.number = cert_serial_number
+      cert.key_material.generate_key(Config.client_cert_bit_size)
+
+      # sign
+      cert.parent = Cert.root_ca
+      cert.sign! client_signing_profile
+
+      self.key  = cert.key_material.private_key.to_pem
+      self.cert = cert.to_pem
+    end
+
+    private
+
+    def set_random
+      self.random = rand
+    end
+
+    def self.root_ca
+      @root_ca ||= begin
+        crt = File.read(Config.ca_cert_path)
+        key = File.read(Config.ca_key_path)
+        openssl_cert = OpenSSL::X509::Certificate.new(crt)
+        cert = CertificateAuthority::Certificate.from_openssl(openssl_cert)
+        cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, Config.ca_key_password)
+        cert
+      end
+    end
+
+    #
+    # For cert serial numbers, we need a non-colliding number less than 160 bits.
+    # md5 will do nicely, since there is no need for a secure hash, just a short one.
+    # (md5 is 128 bits)
+    #
+    def cert_serial_number
+      Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16)
+    end
+
+    #
+    # for the random common name, we need a text string that will be unique across all certs.
+    # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid
+    #
+    def random_common_name
+      cert_serial_number.to_s(36)
+    end
+
+    def client_signing_profile
+      {
+        "digest" => Config.client_cert_hash,
+        "extensions" => {
+          "keyUsage" => {
+            "usage" => ["digitalSignature"]
+          },
+          "extendedKeyUsage" => {
+            "usage" => ["clientAuth"]
+          }
+        }
+      }
+    end
+
+    ##
+    ## TIME HELPERS
+    ##
+    ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet
+    ## are behind UTC.
+    ##
+
+    def yesterday
+      t = Time.now - 24*24*60
+      Time.utc t.year, t.month, t.day
+    end
+
+    def months_from_yesterday(num)
+      t = yesterday
+      date = Date.new t.year, t.month, t.day
+      date = date >> num  # >> is months in the future operator
+      Time.utc date.year, date.month, date.day
+    end
+
+  end
+end

data/lib/leap_ca/config.rb

@@ -0,0 +1,71 @@
+require 'yaml'
+
+module LeapCA
+  module Config
+    extend self
+
+    attr_accessor :ca_key_path
+    attr_accessor :ca_key_password
+    attr_accessor :ca_cert_path
+
+    attr_accessor :max_pool_size
+    attr_accessor :client_cert_lifespan
+    attr_accessor :client_cert_bit_size
+    attr_accessor :client_cert_hash
+
+    attr_accessor :db_name
+    attr_accessor :couch_connection
+
+    def self.load(base_dir, *configs)
+      configs.each do |file_path|
+        file_path = find_file(base_dir, file_path)
+        next unless file_path
+        puts " * Loading configuration #{file_path}"
+        yml = YAML.load(File.read(file_path))
+        if yml
+          yml.each do |key, value|
+            begin
+              if value.is_a? Hash
+                value = symbolize_keys(value)
+              end
+              self.send("#{key}=", value)
+            rescue NoMethodError => exc
+              STDERR.puts "ERROR in file #{file}, '#{key}' is not a valid option"
+              exit(1)
+            end
+          end
+        end
+      end
+      [:ca_key_path, :ca_cert_path].each do |attr|
+        path = self.send(attr) || ""
+        if path =~ /^\./
+          path = File.expand_path(path, base_dir)
+          self.send("#{attr}=", path)
+        end
+        unless File.exists?(path)
+          STDERR.puts "ERROR: The config option '#{attr}' is set to '#{path}', but the file does not exist!"
+          exit(1)
+        end
+      end
+    end
+
+    private
+
+    def self.find_file(base_dir, file_path)
+      return nil unless file_path
+      if defined? CWD
+        return File.expand_path(file_path, CWD)  if File.exists?(File.expand_path(file_path, CWD))
+      end
+      return File.expand_path(file_path, base_dir) if File.exists?(File.expand_path(file_path, base_dir))
+      return nil
+    end
+
+    def self.symbolize_keys(hsh)
+      newhsh = {}
+      hsh.keys.each do |key|
+        newhsh[key.to_sym] = hsh[key]
+      end
+      newhsh
+    end
+  end
+end

data/lib/leap_ca/couch_changes.rb

@@ -0,0 +1,19 @@
+module LeapCA
+  class CouchChanges
+    def initialize(stream)
+      @stream = stream
+    end
+
+    def last_seq
+      @stream.get "_changes", :limit => 1, :descending => true do |hash|
+        return hash[:last_seq]
+      end
+    end
+
+    def follow
+      @stream.get "_changes", :feed => :continuous, :since => last_seq do |hash|
+        yield(hash)
+      end
+    end
+  end
+end

data/lib/leap_ca/couch_stream.rb

@@ -0,0 +1,25 @@
+require 'yajl/http_stream'
+
+module LeapCA
+  class CouchStream
+    def initialize(database_url)
+      @database_url = database_url
+    end
+
+    def get(path, options)
+      url = url_for(path, options)
+      # puts url
+      Yajl::HttpStream.get(url, :symbolize_keys => true) do |hash|
+        yield(hash)
+      end
+    end
+
+    protected
+
+    def url_for(path, options = {})
+      url = [@database_url, path].join('/')
+      url += '?' if options.any?
+      url += options.map {|k,v| "#{k}=#{v}"}.join('&')
+    end
+  end
+end

data/lib/leap_ca/pool.rb

@@ -0,0 +1,20 @@
+require 'yaml'
+
+module LeapCA
+  class Pool
+    def initialize(config = {:size => 10})
+      @config = config
+    end
+
+    def fill
+      while Cert.count < self.size do
+        cert = Cert.create!
+        puts " * Created client certificate #{cert.id}"
+      end
+    end
+
+    def size
+      @config[:size]
+    end
+  end
+end

data/lib/leap_ca/version.rb

@@ -0,0 +1,4 @@
+module LeapCA
+  VERSION = "0.2.0"
+  REQUIRE_PATHS = ['lib']
+end

data/lib/leap_ca.rb

@@ -0,0 +1,26 @@
+unless defined? BASE_DIR
+  BASE_DIR = File.expand_path('../..', __FILE__)
+end
+unless defined? LEAP_CA_CONFIG
+  LEAP_CA_CONFIG = '/etc/leap/leap_ca.yaml'
+end
+
+#
+# Load Config
+# this must come first, because CouchRest needs the connection defined before the models are defined.
+#
+require 'leap_ca/config'
+LeapCA::Config.load(BASE_DIR, 'config/config_default.yaml', LEAP_CA_CONFIG, ARGV.grep(/\.ya?ml$/).first)
+
+require 'couchrest_model'
+CouchRest::Model::Base.configure do |config|
+  config.connection = LeapCA::Config.couch_connection
+end
+
+#
+# Load LeapCA
+#
+require 'leap_ca/cert'
+require 'leap_ca/couch_stream'
+require 'leap_ca/couch_changes'
+require 'leap_ca/pool'

data/lib/leap_ca_daemon.rb

@@ -0,0 +1,24 @@
+#
+# This file should not be required directly. Use it like so:
+#
+#  Daemons.run('leap_ca_daemon.rb')
+#
+
+require 'leap_ca'
+
+module LeapCA
+  puts    " * Tracking #{Cert.database.root}"
+  couch   = CouchStream.new(Cert.database.root)
+  changes = CouchChanges.new(couch)
+  pool    = Pool.new(:size => Config.max_pool_size)
+
+  # fill the pool
+  pool.fill
+
+  # watch for deletions, fill the pool whenever it gets low
+  changes.follow do |hash|
+    if hash[:deleted]
+      pool.fill
+    end
+  end
+end

data/test/config/config.yaml

@@ -0,0 +1,20 @@
+#
+# testing configuration options
+#
+
+#
+# Certificate Authority
+#
+ca_key_path: "./test/files/ca.key"
+ca_key_password: ~
+ca_cert_path: "./test/files/ca.crt"
+
+#
+# Certificate pool
+#
+max_pool_size: 4
+client_cert_lifespan: 1
+client_cert_bit_size: 1024
+client_cert_hash: "SHA1"
+
+db_name: "client_certificates_test"

data/test/files/ca.crt

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICPDCCAYmgAwIBAgIEUKCI4DANBgkqhkiG9w0BAQsFADAkMSIwIAYDVQQDExlS
+b290IENBIGZvciBydW5uaW5nIHRlc3RzMB4XDTEyMTExMjA1MjgwMFoXDTEzMTEx
+MjA1MjgwMFowJDEiMCAGA1UEAxMZUm9vdCBDQSBmb3IgcnVubmluZyB0ZXN0czCB
+uzANBgkqhkiG9w0BAQEFAAOBqQAwgaUCgZ0ApeqCGQOmiHxCFxsfUKmBV6ruOYar
+EsepFAycTmmakXBjNj4B9Pd3gE3Cc56rvkq0uxluRvqspzpEOQpCg8M5fkft/fxS
+acw+ackj3ys7r0MrXgL66QeLnNGe8+RjBO8UHb3OPx547hqUHVg+3HqSCdn9cGQX
+9//EJrnSJsLuZw9ktkN4Ytyd1deZo6AkiIeCyz0HxKQBIhdJAPRlAgMBAAGjQzBB
+MA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUBe1l
+BbuGErEkHLffGvkY5dDOH1YwDQYJKoZIhvcNAQELBQADgZ0ADpudncToYPS183w8
+c68dObCCvNfv/FTBg4ihCLW6PapADYuvXmCvXgHflylET+rFdcrnUfl+XjNT5IjF
+ImUyyOnCiy7scRgY+9qrEb7neH4CopGZKkWBTadZLu0QZqMcsWyAZBzaI8tBwL+G
++ylSgw3xTSf/HFjmTJAlDzUieV4DufrPqz7Yx0GrTswdJOcccc/PWUvQIU1GXvto
+-----END CERTIFICATE-----

data/test/files/ca.key

@@ -0,0 +1,18 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIC2gIBAAKBnQCl6oIZA6aIfEIXGx9QqYFXqu45hqsSx6kUDJxOaZqRcGM2PgH0
+93eATcJznqu+SrS7GW5G+qynOkQ5CkKDwzl+R+39/FJpzD5pySPfKzuvQyteAvrp
+B4uc0Z7z5GME7xQdvc4/HnjuGpQdWD7cepIJ2f1wZBf3/8QmudImwu5nD2S2Q3hi
+3J3V15mjoCSIh4LLPQfEpAEiF0kA9GUCAwEAAQKBnAKz9FSgqO42Sq6tBBtAolkh
+nBSXK2L4mmTiOQr/UMOnzLtN0qMBWRK1Bu2dRcz+0zztEs0t45wsfdS0DxYDGy+s
+elBrSOhs/w34IeZ5LM6xY0u4HZDmhn0pQNo6QZcFICr0GkkYdmWDlkLvIeJ/u6+q
+nmyqAQXvj3R4nA7hrKUXzJjfvN3RYrhLN+/T41zLybeJ5vLZQK3jJSiIjQJPAMhS
+HTIbYTUi2pxYVSwJDY4S2klTdroNGvTCkqcTRcB4Ms70FGLPZ6+ZumrkbSohHUsj
+gDRRy3e4fjA9qMSQynVr2gkUobsR0tAdQGVOKwJPANQIUPaTc2ouNYNLAiHoAXoL
+qAcF5g7/vtlMOwr+16EYoG7bLbiEie7nBfg9zz/VUnvOEy6pZ89YvsZOMlGicsRs
++tfUM1g/u0ZFEoQPrwJOC6bbE+ML0G9qj9WDfsA4DZ+DGujD6yZ//uSiax1v3TYg
+nnEMDoNJ4KjscvM+dkjez1QNTP3E+/27OUsc2fIiFJplYEnW7m6m+Hv7FulpAk8A
+tiASk0oiV/ErLARw53jmU9PRV378lqOcZgAxswclZo3FuJLxmc3WwOuV2B4Xd+gf
+epKPLYR708GR1Lp0RGS6GfjWGi9+ju3nSbuo5OCnAk5yun/UvDdtnZ6fXo9aF22/
+yoiztru7yhJdVrMx3PbbndfN2y9ctqcd6CD5fIQdyZ4K8eTr686RjH8C0XP095Ib
+an3AO/TQG1c4yE2hSvQ=
+-----END RSA PRIVATE KEY-----

data/test/test_helper.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+require 'minitest/autorun'
+
+BASE_DIR = File.expand_path('../..', __FILE__)
+$:.unshift File.expand_path('lib', BASE_DIR)
+
+require 'mocha/setup'
+
+LEAP_CA_CONFIG = "test/config/config.yaml"
+require 'leap_ca'

data/test/unit/cert_test.rb

@@ -0,0 +1,32 @@
+require File.expand_path('../../test_helper.rb', __FILE__)
+
+class CertTest < MiniTest::Unit::TestCase
+
+  def setup
+    @cert = LeapCA::Cert.new
+  end
+
+  def test_generate
+    @cert.generate
+
+    assert @cert.cert, 'certificate should exist'
+    assert @cert.key, 'key should exist'
+
+    ca   = OpenSSL::X509::Certificate.new(File.read(LeapCA::Config.ca_cert_path))
+    cert = OpenSSL::X509::Certificate.new(@cert.cert)
+    key  = OpenSSL::PKey::RSA.new(@cert.key)
+
+    assert cert.verify(ca.public_key), "cert was not signed by CA"
+    assert_equal ca.subject.to_s, cert.issuer.to_s, 'issuer should match'
+    assert_equal "test", cert.public_key.public_decrypt(key.private_encrypt("test")), 'keypair should be able to encrypt/decrypt'
+  end
+
+  def test_validation_of_random
+    @cert.stubs(:set_random)
+    [1, nil, "asdf"].each do |invalid|
+      @cert.random = invalid
+      assert !@cert.valid?, "#{invalid} should not be a valid value for random"
+    end
+  end
+
+end

data/test/unit/couch_changes_test.rb

@@ -0,0 +1,32 @@
+require File.expand_path('../../test_helper.rb', __FILE__)
+require 'leap_ca/couch_changes'
+
+class CouchChangesTest < MiniTest::Unit::TestCase
+
+  LAST_SEQ = 12
+
+  def setup
+    @stream = mock()
+    @changes = LeapCA::CouchChanges.new(@stream)
+  end
+
+  def test_last_seq
+    @stream.expects(:get).
+      with('_changes', {:limit => 1, :descending => true}).
+      yields(:last_seq => LAST_SEQ)
+    assert_equal LAST_SEQ, @changes.last_seq
+  end
+
+  def test_follow
+    stub_entry = {:new => :result}
+    @stream.expects(:get).
+      with('_changes', {:limit => 1, :descending => true}).
+      yields(:last_seq => LAST_SEQ)
+    @stream.expects(:get).
+      with('_changes', {:feed => :continuous, :since => LAST_SEQ}).
+      yields(stub_entry)
+    @changes.follow do |hash|
+      assert_equal stub_entry, hash
+    end
+  end
+end

data/test/unit/couch_stream_test.rb

@@ -0,0 +1,35 @@
+require File.expand_path('../../test_helper.rb', __FILE__)
+require 'leap_ca/couch_stream'
+
+# we'll mock this
+module Yajl
+  class HttpStream
+  end
+end
+
+class CouchStreamTest < MiniTest::Unit::TestCase
+
+  def setup
+    @root = "http://server/database"
+    @stream = LeapCA::CouchStream.new(@root)
+    @url = @root + "/_changes?a=b&c=d"
+    @path = "_changes"
+    @options = {:a => :b, :c => :d}
+  end
+
+  def test_get
+    Yajl::HttpStream.expects(:get).
+      with(@url, :symbolize_keys => true).
+      yields(stub_hash = stub)
+    @stream.get(@path, @options) do |hash|
+      assert_equal stub_hash, hash
+    end
+  end
+
+  # internal
+  def test_url_creation
+    assert_equal "http://server/database/", @stream.send(:url_for, "")
+    assert_equal @url, @stream.send(:url_for, @path, @options)
+  end
+
+end

metadata

@@ -0,0 +1,217 @@
+--- !ruby/object:Gem::Specification
+name: leap_ca
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+  prerelease: 
+platform: ruby
+authors:
+- Azul
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-12-31 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: couchrest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.3
+- !ruby/object:Gem::Dependency
+  name: couchrest_model
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.0.0.beta2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.0.0.beta2
+- !ruby/object:Gem::Dependency
+  name: daemons
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: yajl-ruby
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: certificate_authority
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Provides the executable leap_ca, a deamon that refills a pool of x509
+  client certs stored in CouchDB.
+email:
+- azul@leap.se
+executables:
+- leap_ca_daemon
+extensions: []
+extra_rdoc_files: []
+files:
+- config/config_default.yaml
+- lib/leap_ca/couch_stream.rb
+- lib/leap_ca/version.rb
+- lib/leap_ca/config.rb
+- lib/leap_ca/cert.rb
+- lib/leap_ca/pool.rb
+- lib/leap_ca/couch_changes.rb
+- lib/leap_ca_daemon.rb
+- lib/leap_ca.rb
+- bin/leap_ca_daemon
+- Rakefile
+- README.md
+- test/test_helper.rb
+- test/files/ca.crt
+- test/files/ca.key
+- test/unit/couch_stream_test.rb
+- test/unit/couch_changes_test.rb
+- test/unit/cert_test.rb
+- test/config/config.yaml
+homepage: https://leap.se
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Certificate Authority deamon for the LEAP Platform
+test_files:
+- test/test_helper.rb
+- test/files/ca.crt
+- test/files/ca.key
+- test/unit/couch_stream_test.rb
+- test/unit/couch_changes_test.rb
+- test/unit/cert_test.rb
+- test/config/config.yaml