lester 1.0.0.pre1

data/lib/lester/uploader.rb

@@ -0,0 +1,28 @@
+module Lester
+  class Uploader
+    def initialize(iam, cloudfront, distribution_id)
+      @iam = iam
+      @cloudfront = cloudfront
+      @distribution_id = distribution_id
+    end
+
+    def upload(name, certificate, private_key)
+      metadata = @iam.upload_server_certificate({
+        path: '/cloudfront/',
+        server_certificate_name: name,
+        private_key: private_key.to_pem,
+        certificate_body: certificate.to_pem,
+        certificate_chain: certificate.chain_to_pem,
+      }).server_certificate_metadata
+      certificate_id = metadata.server_certificate_id
+      response = @cloudfront.get_distribution_config(id: @distribution_id)
+      distribution_config = response.distribution_config.to_hash
+      distribution_config[:viewer_certificate][:iam_certificate_id] = certificate_id
+      @cloudfront.update_distribution({
+        distribution_config: distribution_config,
+        id: @distribution_id,
+        if_match: response.etag,
+      })
+    end
+  end
+end

data/lib/lester/version.rb

@@ -0,0 +1,3 @@
+module Lester
+  VERSION = '1.0.0.pre1'.freeze
+end

data/spec/acceptance/cli_init_spec.rb

@@ -0,0 +1,47 @@
+require 'spec_helper'
+
+describe 'bin/lester init' do
+  include_context 'acceptance setup'
+
+  let :command do
+    Lester::Cli.new(argv, io)
+  end
+
+  let :argv do
+    [
+      'init',
+      '--domain', 'example.org',
+      '--storage-bucket', 'example-org-backup',
+      '--private-key', private_key_path,
+    ]
+  end
+
+  context 'when the private key exists' do
+    it 'stores it' do
+      command.run
+      object = storage_bucket.object('example.org/account/private_key.json')
+      expect { JSON::JWK.new(JSON.parse(object.read)).to_key }.to_not raise_error
+    end
+
+    it 'returns an ok exit code' do
+      code = command.run
+      expect(code).to eq(0)
+    end
+  end
+
+  context 'when the private key does not exist' do
+    let :private_key_path do
+      'this/should/not/exist.pem'
+    end
+
+    it 'prints an error message' do
+      command.run
+      expect(io.string).to match(/No such file or directory/)
+    end
+
+    it 'returns a non-ok exit code' do
+      code = command.run
+      expect(code).to eq(1)
+    end
+  end
+end

data/spec/acceptance/cli_renew_spec.rb

@@ -0,0 +1,149 @@
+require 'spec_helper'
+
+describe 'bin/lester renew' do
+  include_context 'acceptance setup'
+
+  let :command do
+    Lester::Cli.new(argv, io)
+  end
+
+  let :argv do
+    [
+      'renew',
+      '--domain', 'example.org',
+      '--endpoint', 'http://127.0.0.1:4000',
+      '--site-bucket', 'example-org-site',
+      '--storage-bucket', 'example-org-backup',
+      '--email', 'contact@example.org',
+      '--distribution-id', 'distribution-id',
+    ]
+  end
+
+  before do
+    storage_bucket.put_object(key: 'example.org/account/private_key.json', body: Pathname.new(private_key_path))
+    cloudfront.add_config('distribution-id', {
+      viewer_certificate: { iam_certificate_id: 'example.org-old' },
+    })
+  end
+
+  describe '#run' do
+    context 'with a registered private key', vcr: { cassette_name: 'new-certificate' } do
+      it 'writes challenges to the expected path' do
+        command.run
+        key = '.well-known/acme-challenge/EGJjhjKuz9x5yNbH8IXfcZO6OljhIrwPQeTeZUcsKao'
+        object = site_bucket.object(key)
+        expect(object.read).to eq('EGJjhjKuz9x5yNbH8IXfcZO6OljhIrwPQeTeZUcsKao.XUQVUxLBe1x_yLe3HwXhatO3NImdF032T7C7BjKu6pc')
+        key = '.well-known/acme-challenge/wdo3QEPA0D2mUav-Yx34nbNkq61bLOMjj_3obOYvE2E'
+        object = site_bucket.object(key)
+        expect(object.read).to eq('wdo3QEPA0D2mUav-Yx34nbNkq61bLOMjj_3obOYvE2E.XUQVUxLBe1x_yLe3HwXhatO3NImdF032T7C7BjKu6pc')
+      end
+
+      it 'uploads the new certificate' do
+        command.run
+        expect(iam.certificates).to_not be_empty
+      end
+
+      it 'installs the certificate' do
+        command.run
+        update = cloudfront.updates.first
+        expect(update[:distribution_config][:viewer_certificate][:iam_certificate_id]).to eq('2ae9ea04d305762117cf854b39bb5ede')
+      end
+
+      it 'stores the certificate' do
+        command.run
+        object = storage_bucket.object('example.org/certificates/201512120949/cert.pem')
+        expect { OpenSSL::X509::Certificate.new(object.read) }.to_not raise_error
+      end
+
+      it 'stores the certificate request' do
+        command.run
+        object = storage_bucket.object('example.org/certificates/201512120949/csr.pem')
+        expect { OpenSSL::X509::Request.new(object.read) }.to_not raise_error
+      end
+
+      it 'stores the certificate chain' do
+        command.run
+        object = storage_bucket.object('example.org/certificates/201512120949/chain.pem')
+        expect { OpenSSL::X509::Certificate.new(object.read) }.to_not raise_error
+      end
+
+      it 'stores the certificate fullchain' do
+        command.run
+        object = storage_bucket.object('example.org/certificates/201512120949/fullchain.pem')
+        expect { OpenSSL::X509::Certificate.new(object.read) }.to_not raise_error
+      end
+
+      it 'stores the certificate private key' do
+        command.run
+        object = storage_bucket.object('example.org/certificates/201512120949/privkey.pem')
+        expect { OpenSSL::PKey::RSA.new(object.read) }.to_not raise_error
+      end
+
+      it 'uses server side encryption for everything that is stored' do
+        command.run
+        keys = storage_bucket.keys.select { |k| k.start_with?('example.org/certificates') }
+        expect(keys).to_not be_empty
+        keys.each do |key|
+          object = storage_bucket.object(key)
+          expect(object.options).to include(server_side_encryption: 'AES256')
+        end
+      end
+
+      it 'returns an ok exit code' do
+        code = command.run
+        expect(code).to eq(0)
+      end
+
+      context 'when a KMS ID is specified' do
+        let :argv do
+          [
+            'renew',
+            '--domain', 'example.org',
+            '--endpoint', 'http://127.0.0.1:4000',
+            '--site-bucket', 'example-org-site',
+            '--storage-bucket', 'example-org-backup',
+            '--email', 'contact@example.org',
+            '--distribution-id', 'distribution-id',
+            '--kms-id', 'alias/letsencrypt',
+          ]
+        end
+
+        it 'uses server side encryption through AWS KMS' do
+          command.run
+          keys = storage_bucket.keys.select { |k| k.start_with?('example.org/certificates') }
+          expect(keys).to_not be_empty
+          keys.each do |key|
+            object = storage_bucket.object(key)
+            expect(object.options).to include(server_side_encryption: 'aws:kms')
+            expect(object.options).to include(ssekms_key_id: 'alias/letsencrypt')
+          end
+        end
+      end
+    end
+
+    context 'when verification fails', vcr: { cassette_name: 'verification-fail' } do
+      it 'prints an error message' do
+        command.run
+        expect(io.string).to match(/unauthorized: Invalid response/)
+      end
+
+      it 'returns a non-ok exit code' do
+        command.run
+        code = command.run
+        expect(code).to eq(1)
+      end
+    end
+
+    context 'with a non-registered private key', vcr: { cassette_name: 'new-certificate-fail' } do
+      it 'prints an error message' do
+        command.run
+        expect(io.string.chomp).to eq('No registration exists matching provided key (Acme::Error::Unauthorized)')
+      end
+
+      it 'returns a non-ok exit code' do
+        code = command.run
+        expect(code).to eq(1)
+      end
+    end
+  end
+end

data/spec/lester/authenticator_spec.rb

@@ -0,0 +1,80 @@
+require 'spec_helper'
+
+module Lester
+  describe Authenticator do
+    let :authenticator do
+      described_class.new(bucket, sleeper: sleeper)
+    end
+
+    let :challenge do
+      double(:challenge)
+    end
+
+    let :bucket do
+      double(:bucket)
+    end
+
+    let :sleeper do
+      double(:sleeper)
+    end
+
+    before do
+      allow(challenge).to receive(:filename).and_return('challenge-filename')
+      allow(challenge).to receive(:file_content).and_return('challenge-file-content')
+      allow(challenge).to receive(:content_type).and_return('text/plain')
+      allow(challenge).to receive(:request_verification).and_return(true)
+      allow(challenge).to receive(:status).and_return('valid')
+      allow(challenge).to receive(:error)
+      allow(bucket).to receive(:put_object)
+      allow(sleeper).to receive(:sleep)
+    end
+
+    describe '#authenticate' do
+      it 'uses the challenge\'s filename as S3 key' do
+        authenticator.authenticate(challenge)
+        expect(bucket).to have_received(:put_object).with(hash_including(key: 'challenge-filename'))
+      end
+
+      it 'writes the challenge\'s content' do
+        authenticator.authenticate(challenge)
+        expect(bucket).to have_received(:put_object).with(hash_including(body: 'challenge-file-content'))
+      end
+
+      it 'uses `public-read` as acl' do
+        authenticator.authenticate(challenge)
+        expect(bucket).to have_received(:put_object).with(hash_including(acl: 'public-read'))
+      end
+
+      it 'requests verification' do
+        authenticator.authenticate(challenge)
+        expect(challenge).to have_received(:request_verification)
+      end
+
+      it 'raises an error when verification is refused' do
+        allow(challenge).to receive(:request_verification).and_return(false)
+        expect { authenticator.authenticate(challenge) }.to raise_error(RequestVerificationError)
+      end
+
+      context 'request verification' do
+        it 'verifies the status of the challenge' do
+          allow(challenge).to receive(:status).and_return('pending')
+          allow(challenge).to receive(:verify_status) do
+            allow(challenge).to receive(:status).and_return('valid')
+          end
+          authenticator.authenticate(challenge)
+          expect(challenge).to have_received(:verify_status)
+        end
+
+        it 'raises an error when the verification returns an error' do
+          allow(challenge).to receive(:error).and_return('type' => 'urn:acme:error:unauthorized', 'detail' => 'Invalid response: 404')
+          expect { authenticator.authenticate(challenge) }.to raise_error(RequestVerificationError, 'urn:acme:error:unauthorized: Invalid response: 404')
+        end
+
+        it 'raises an error when the verification status is != valid' do
+          allow(challenge).to receive(:status).and_return('invalid')
+          expect { authenticator.authenticate(challenge) }.to raise_error(RequestVerificationError, 'invalid')
+        end
+      end
+    end
+  end
+end

data/spec/lester/cli_spec.rb

@@ -0,0 +1,102 @@
+require 'spec_helper'
+
+module Lester
+  describe Cli do
+    let :cli do
+      described_class.new(argv, io)
+    end
+
+    let :io do
+      StringIO.new
+    end
+
+    let :output do
+      io.string
+    end
+
+    describe 'help|-h' do
+      let :argv do
+        ['help']
+      end
+
+      it 'prints usage' do
+        cli.run
+        expect(output).to match(/Usage/)
+      end
+
+      it 'returns an ok exit code' do
+        code = cli.run
+        expect(code).to eq(0)
+      end
+    end
+
+    describe 'init' do
+      let :command_name do
+        'init'
+      end
+
+      context 'cli parameters' do
+        context '-d / --domain DOMAIN' do
+          parameter_validation 'domain'
+        end
+
+        context '-s / --storage-bucket NAME' do
+          parameter_validation 'storage-bucket', 'storage bucket'
+        end
+
+        context '-p / --private-key PATH' do
+          parameter_validation 'private-key', 'private key path'
+        end
+      end
+    end
+
+    describe 'renew|new' do
+      let :command_name do
+        'renew'
+      end
+
+      context 'cli parameters' do
+        context '-d / --domain DOMAIN' do
+          parameter_validation 'domain'
+        end
+
+        context '-s / --storage-bucket NAME' do
+          parameter_validation 'storage-bucket', 'storage bucket'
+        end
+
+        context '-b / --site-bucket NAME' do
+          parameter_validation 'site-bucket', 'site bucket'
+        end
+
+        context '-e / --email ADDRESS' do
+          parameter_validation 'email'
+        end
+
+        context '-D / --distribution-id ID' do
+          parameter_validation 'distribution-id', 'distribution id'
+        end
+      end
+    end
+
+    describe 'any other command' do
+      let :argv do
+        ['other']
+      end
+
+      it 'prints an error message' do
+        cli.run
+        expect(output).to match(/Unknown command "other"/)
+      end
+
+      it 'prints usage' do
+        cli.run
+        expect(output).to match(/Usage/)
+      end
+
+      it 'returns a non-ok exit code' do
+        code = cli.run
+        expect(code).to eq(1)
+      end
+    end
+  end
+end

data/spec/lester/command/init_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+module Lester
+  module Command
+    describe Init do
+      let :command do
+        described_class.new(private_key, store)
+      end
+
+      let :private_key do
+        double(:private_key)
+      end
+
+      let :store do
+        double(:store)
+      end
+
+      before do
+        allow(private_key).to receive(:to_jwk).and_return({})
+        allow(store).to receive(:put)
+      end
+
+      describe '#run' do
+        it 'unconditionally stores the key in JSON JWK format' do
+          command.run
+          expect(store).to have_received(:put).with('private_key.json', '{}')
+        end
+      end
+    end
+  end
+end