lester 1.0.0.pre1

data/spec/lester/command/renew_spec.rb

@@ -0,0 +1,123 @@
+require 'spec_helper'
+
+module Lester
+  module Command
+    describe Renew do
+      let :command do
+        described_class.new(domain, acme_client, authenticator, uploader, store, options)
+      end
+
+      let :domain do
+        'example.org'
+      end
+
+      let :acme_client do
+        double(:acme_client)
+      end
+
+      let :authenticator do
+        double(:authenticator)
+      end
+
+      let :uploader do
+        double(:uploader)
+      end
+
+      let :store do
+        double(:store)
+      end
+
+      let :options do
+        {
+          key_class: key_impl,
+          csr_class: csr_impl,
+        }
+      end
+
+      let :key_impl do
+        double(new: private_key)
+      end
+
+      let :csr_impl do
+        double(:csr_impl)
+      end
+
+      let :authorization do
+        double(:authorization)
+      end
+
+      let :http01_challenge do
+        double(:challenge)
+      end
+
+      let :certificate do
+        OpenSSL::X509::Certificate.new.tap do |cert|
+          cert.not_before = Time.utc(2016, 1, 1)
+        end
+      end
+
+      let :chain do
+        2.times.map { OpenSSL::X509::Certificate.new }
+      end
+
+      let :private_key do
+        OpenSSL::PKey::RSA.new(2048)
+      end
+
+      let :new_certificate do
+        Acme::Certificate.new(certificate, chain, nil)
+      end
+
+      before do
+        allow(acme_client).to receive(:authorize).and_return(authorization)
+        allow(acme_client).to receive(:new_certificate).and_return(new_certificate)
+        allow(authorization).to receive(:http01).and_return(http01_challenge)
+        allow(authenticator).to receive(:authenticate).with(http01_challenge)
+        allow(uploader).to receive(:upload)
+        allow(csr_impl).to receive(:new) do |args|
+          Acme::CertificateRequest.new(args)
+        end
+        allow(store).to receive(:put)
+      end
+
+      describe '#run' do
+        before do
+          command.run
+        end
+
+        it 'authorizes using the ACME client' do
+          expect(acme_client).to have_received(:authorize).with(domain: 'example.org')
+          expect(acme_client).to have_received(:authorize).with(domain: 'www.example.org')
+        end
+
+        it 'requests a new certificate' do
+          expect(acme_client).to have_received(:new_certificate)
+        end
+
+        it 'uploads the new certificate with a timestamp suffix' do
+          expect(uploader).to have_received(:upload).with('example.org-201601010000', new_certificate, private_key)
+        end
+
+        it 'stores the certificate under a timestamp prefix' do
+          expect(store).to have_received(:put).with('201601010000/cert.pem', certificate.to_pem)
+        end
+
+        it 'stores the certificate request under a timestamp prefix' do
+          expect(store).to have_received(:put).with('201601010000/csr.pem', anything)
+        end
+
+        it 'stores the certificate chain under a timestamp prefix' do
+          expect(store).to have_received(:put).with('201601010000/chain.pem', chain.map(&:to_pem).join)
+        end
+
+        it 'stores the certificate fullchain under a timestamp prefix' do
+          expect(store).to have_received(:put).with('201601010000/fullchain.pem', certificate.to_pem + chain.map(&:to_pem).join)
+        end
+
+        it 'stores the certificate private key under a timestamp prefix' do
+          expect(store).to have_received(:put).with('201601010000/privkey.pem', private_key.to_pem)
+        end
+      end
+    end
+  end
+end

data/spec/lester/private_key_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+module Lester
+  describe PrivateKey do
+    let :private_key do
+      described_class.new(Pathname.new(path))
+    end
+
+    describe '.load' do
+      context 'with a PEM encoded key' do
+        let :path do
+          File.expand_path('../../support/resources/privkey.pem', __FILE__)
+        end
+
+        it 'loads the key' do
+          expect(private_key.load).to be_a(OpenSSL::PKey::RSA)
+        end
+      end
+
+      context 'with a JWK encoded key' do
+        let :path do
+          File.expand_path('../../support/resources/privkey.json', __FILE__)
+        end
+
+        it 'loads the key' do
+          expect(private_key.load).to be_a(OpenSSL::PKey::RSA)
+        end
+      end
+
+      context 'with any other key type' do
+        let :path do
+          File.expand_path('../../support/resources/privkey.txt')
+        end
+
+        it 'raises an error' do
+          expect { private_key.load }.to raise_error(UnknownKeyFormatError)
+        end
+      end
+    end
+  end
+end

data/spec/lester/s3_store_spec.rb

@@ -0,0 +1,73 @@
+require 'spec_helper'
+
+module Lester
+  describe S3Store do
+    let :store do
+      described_class.new(bucket, prefix, options)
+    end
+
+    let :bucket do
+      double(:bucket)
+    end
+
+    let :prefix do
+      'prefix'
+    end
+
+    let :options do
+      {'silly' => 'option'}
+    end
+
+    let :object do
+      double(:object)
+    end
+
+    before do
+      allow(bucket).to receive(:object).with('prefix/key.ext').and_return(object)
+      allow(bucket).to receive(:put_object)
+      allow(object).to receive(:key).and_return('prefix/key.ext')
+      allow(object).to receive(:get).and_return(object)
+      allow(object).to receive(:body).and_return(object)
+      allow(object).to receive(:read).and_return('content')
+      allow(object).to receive(:exists?).and_return(true)
+    end
+
+    describe '#put' do
+      it 'stores values under given prefix' do
+        store.put('key.ext', 'content')
+        expect(bucket).to have_received(:put_object).with(hash_including(key: 'prefix/key.ext'))
+        expect(bucket).to have_received(:put_object).with(hash_including(body: 'content'))
+      end
+
+      it 'includes given options' do
+        store.put('key.ext', 'content')
+        expect(bucket).to have_received(:put_object).with(hash_including('silly' => 'option'))
+      end
+    end
+
+    describe '#get' do
+      it 'retrieves values from a prefix' do
+        store.get('key.ext')
+        expect(bucket).to have_received(:object).with('prefix/key.ext')
+      end
+
+      context 'returns something that responds to' do
+        let :s3_object do
+          store.get('key.ext')
+        end
+
+        it 'exists?' do
+          expect(s3_object.exists?).to be true
+        end
+
+        it 'read' do
+          expect(s3_object.read).to eq('content')
+        end
+
+        it 'extname' do
+          expect(s3_object.extname).to eq('.ext')
+        end
+      end
+    end
+  end
+end

data/spec/lester/uploader_spec.rb

@@ -0,0 +1,116 @@
+require 'spec_helper'
+
+module Lester
+  describe Uploader do
+    let :uploader do
+      described_class.new(iam, cloudfront, distribution_id)
+    end
+
+    let :iam do
+      double(:iam)
+    end
+
+    let :cloudfront do
+      double(:cloudfront)
+    end
+
+    let :distribution_id do
+      'distribution-id'
+    end
+
+    let :certificate_name do
+      'name'
+    end
+
+    let :certificate do
+      double(:certificate)
+    end
+
+    let :private_key do
+      double(:private_key)
+    end
+
+    let :iam_response do
+      double(:iam_response)
+    end
+
+    let :distribution_config do
+      {
+        viewer_certificate: {
+          iam_certificate_id: 'old-certificate-id',
+          some: 'other-option',
+        },
+        top_level_key: {
+          hello: :world,
+        }
+      }
+    end
+
+    before do
+      allow(iam_response).to receive(:server_certificate_metadata) do
+        double(server_certificate_id: 'certificate-id')
+      end
+      allow(iam).to receive(:upload_server_certificate).and_return(iam_response)
+      allow(certificate).to receive(:to_pem).and_return('PEM ENCODED CERTIFICATE')
+      allow(certificate).to receive(:chain_to_pem).and_return('PEM ENCODED CHAIN')
+      allow(private_key).to receive(:to_pem).and_return('PEM ENCODED KEY')
+      allow(cloudfront).to receive(:get_distribution_config) do
+        double(distribution_config: distribution_config, etag: 'ETAG')
+      end
+      allow(cloudfront).to receive(:update_distribution)
+    end
+
+    describe '#upload' do
+      before do
+        uploader.upload(certificate_name, certificate, private_key)
+      end
+
+      it 'uploads the certificate to IAM' do
+        expect(iam).to have_received(:upload_server_certificate)
+      end
+
+      it 'uses `/cloudfront/` as path argument' do
+        expect(iam).to have_received(:upload_server_certificate).with(hash_including(path: '/cloudfront/'))
+      end
+
+      it 'uses given name for the certificate' do
+        expect(iam).to have_received(:upload_server_certificate).with(hash_including(server_certificate_name: 'name'))
+      end
+
+      it 'uses a PEM encoded certificate' do
+        expect(iam).to have_received(:upload_server_certificate).with(hash_including(certificate_body: 'PEM ENCODED CERTIFICATE'))
+      end
+
+      it 'uses a PEM encoded private key' do
+        expect(iam).to have_received(:upload_server_certificate).with(hash_including(private_key: 'PEM ENCODED KEY'))
+      end
+
+      it 'uses a PEM encoded certificate chain' do
+        expect(iam).to have_received(:upload_server_certificate).with(hash_including(certificate_chain: 'PEM ENCODED CHAIN'))
+      end
+
+      it 'fetches distribution config for the given distribution ID' do
+        expect(cloudfront).to have_received(:get_distribution_config).with(id: 'distribution-id')
+      end
+
+      it 'updates the IAM certificate ID' do
+        expect(cloudfront).to have_received(:update_distribution) do |args|
+          expect(args[:distribution_config][:viewer_certificate][:iam_certificate_id]).to eq('certificate-id')
+        end
+      end
+
+      it 'leaves all other configuration untouched' do
+        distribution_config[:viewer_certificate].delete(:iam_certificate_id)
+        expect(cloudfront).to have_received(:update_distribution).with(hash_including(distribution_config: hash_including(distribution_config)))
+      end
+
+      it 'includes etag from distribution config response when updating distribution' do
+        expect(cloudfront).to have_received(:update_distribution).with(hash_including(if_match: 'ETAG'))
+      end
+
+      it 'uses given distribution ID when updating distribution' do
+        expect(cloudfront).to have_received(:update_distribution).with(hash_including(id: 'distribution-id'))
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,33 @@
+require 'simplecov'
+require 'webmock/rspec'
+require 'vcr'
+require 'stringio'
+require 'ostruct'
+require 'digest/md5'
+
+require 'support/fake_cloudfront'
+require 'support/fake_bucket'
+require 'support/fake_iam'
+require 'support/acceptance_setup'
+require 'support/parameter_validation'
+
+RSpec.configure do |c|
+  c.extend(ParameterValidation)
+end
+
+VCR.configure do |c|
+  c.cassette_library_dir = 'spec/support/cassettes'
+  c.configure_rspec_metadata!
+  c.hook_into :webmock
+  c.ignore_localhost = false
+  c.default_cassette_options = {record: :none}
+  c.allow_http_connections_when_no_cassette = false
+end
+
+SimpleCov.start do
+  add_group 'Source', 'lib'
+  add_group 'Unit tests', 'spec/lester'
+  add_filter '/vendor/bundle/'
+end
+
+require 'lester'

data/spec/support/acceptance_setup.rb

@@ -0,0 +1,38 @@
+shared_context 'acceptance setup' do
+  let :io do
+    StringIO.new
+  end
+
+  let :private_key_path do
+    File.expand_path('../../support/resources/privkey.json', __FILE__)
+  end
+
+  let :iam do
+    FakeIAM.new
+  end
+
+  let :buckets do
+    {}
+  end
+
+  let :site_bucket do
+    Aws::S3::Bucket.new('example-org-site')
+  end
+
+  let :storage_bucket do
+    Aws::S3::Bucket.new('example-org-backup')
+  end
+
+  let :cloudfront do
+    FakeCloudFront.new
+  end
+
+  before do
+    allow(Aws::S3::Bucket).to receive(:new) do |name, opts|
+      buckets[name] ||= FakeBucket.new(name)
+      buckets[name]
+    end
+    allow(Aws::IAM::Client).to receive(:new).and_return(iam)
+    allow(Aws::CloudFront::Client).to receive(:new).and_return(cloudfront)
+  end
+end

data/spec/support/cassettes/new-certificate-fail.yml

@@ -0,0 +1,64 @@
+---
+http_interactions:
+- request:
+    method: head
+    uri: http://127.0.0.1:4000/acme/new-authz
+    body:
+      encoding: US-ASCII
+      string: ''
+    headers:
+      User-Agent:
+      - Faraday v0.9.2
+      Accept:
+      - "*/*"
+  response:
+    status:
+      code: 405
+      message: Method Not Allowed
+    headers:
+      Allow:
+      - POST
+      Content-Type:
+      - application/problem+json
+      Replay-Nonce:
+      - nivK3lvQemeqPlxezrNF6Teb7SBJIywII1UhUpyeUW8
+      Date:
+      - Sat, 12 Dec 2015 09:36:10 GMT
+    body:
+      encoding: UTF-8
+      string: ''
+    http_version: 
+  recorded_at: Sat, 12 Dec 2015 09:36:10 GMT
+- request:
+    method: post
+    uri: http://127.0.0.1:4000/acme/new-authz
+    body:
+      encoding: UTF-8
+      string: '{"protected":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIm5vbmNlIjoibml2SzNsdlFlbWVxUGx4ZXpyTkY2VGViN1NCSkl5d0lJMVVoVXB5ZVVXOCIsImp3ayI6eyJrdHkiOiJSU0EiLCJlIjoiQVFBQiIsIm4iOiI1QkZzQzFxUWxRR1RDLURiY1lfY21NaFFJSG1yd3VCYmZOeW1BMU9HYXpzWkliWVpvekVoVmotSmMtcXJCYzYzOE1uZHNRcUtwUF96NFpPQ0NMQ1Ryd05rM2JjX2pUXzFpaXJ4Y1g1RU82YmVrcU4tdEtzZFNkTnZFUTZwY2FFeWhuQTZnTlJma19VSTM1S0hON2ZlaWkxSU05d2RDRW5qRjBocDdGdXpCYU1aT05pYTlKYXB2SFE2aW1ydHZwMFJpNUNSSTBzbFVNZHRnZnY0UUVIOS13dHk1M1hsWnRLT1kzQV9kR255RmxNcEFJdThFVUQtMTFMUWxvR1ZzMi1ONVZfMy1hU2NrMzQ2X1pFNEE0M2ZVYkJjdElyZjRTUnlUNTd0Zm5qc0l1RE0xUmR2aVFkVDB4c2UxcGxVU2VUb0Ywa0FONU5iV3k3blNKMDZHTWg5clEifX0","payload":"eyJyZXNvdXJjZSI6Im5ldy1hdXRoeiIsImlkZW50aWZpZXIiOnsidHlwZSI6ImRucyIsInZhbHVlIjoiZXhhbXBsZS5vcmcifX0","signature":"44R4iCec1Wit09vBBGkKnUJw10sxvY5i-xj8T6ndy-gwXWO7N8-5h84epq32kEeGLcpLIX7JAbt6LKs9gJm5C1O_5vYR6chukZANlzQhVqRVtjTenTr1lbUT276suZ4bOmKuqjts5cPiz1tKvIYhXVwNd927QKudf0PjTvVvixTvubUfadghSWr3HbcRGPIt0FaWZchZhKN5FtX5E8vzevUpg1jMuaxY5PNIXUegqysj-ZW8y3ZkFLO-1ZNK8q7y63d8Qe0BI6zKrDEw0pujFEfMk4ybfqGxyPq9FdH3C7Q-N3D0KWDKwZlze6zLztLWSMN07Aurf9uGJGocWTPNKg"}'
+    headers:
+      User-Agent:
+      - Faraday v0.9.2
+      Accept-Encoding:
+      - gzip;q=1.0,deflate;q=0.6,identity;q=0.3
+      Accept:
+      - "*/*"
+  response:
+    status:
+      code: 403
+      message: Forbidden
+    headers:
+      Content-Type:
+      - application/problem+json
+      Replay-Nonce:
+      - r3cXZnYPrb2SBLE-Ly6v19BPZrvaN7KsA8Imn_5MvaE
+      Date:
+      - Sat, 12 Dec 2015 09:36:10 GMT
+      Content-Length:
+      - '107'
+    body:
+      encoding: UTF-8
+      string: '{"type":"urn:acme:error:unauthorized","detail":"No registration exists
+        matching provided key","status":403}'
+    http_version: 
+  recorded_at: Sat, 12 Dec 2015 09:36:10 GMT
+recorded_with: VCR 2.9.3