letscert 0.4.1 → 0.4.2

data/lib/letscert/io_plugins/account_key.rb

@@ -0,0 +1,29 @@
+module LetsCert
+
+  # Account key IO plugin
+  # @author Sylvain Daubert
+  class AccountKey < IOPlugin
+    include FileIOPluginMixin
+    include JWKIOPluginMixin
+
+    # @return [Hash] always get +true+ for +:account_key+ key
+    def persisted
+      { account_key: true }
+    end
+
+    # @return [Hash]
+    def load_from_content(content)
+      { account_key: load_jwk(content) }
+    end
+
+    # Save account key.
+    # @param [Hash] data
+    # @return [void]
+    def save(data)
+      save_to_file(dump_jwk(data[:account_key]))
+    end
+
+  end
+
+  IOPlugin.register(AccountKey, 'account_key.json')
+end

data/lib/letscert/io_plugins/cert_file.rb

@@ -0,0 +1,29 @@
+module LetsCert
+
+  # Cert file plugin
+  # @author Sylvain Daubert
+  class CertFile < OpenSSLIOPlugin
+    include FileIOPluginMixin
+
+    # @return [Hash] always get +true+ for +:cert+ key
+    def persisted
+      @persisted ||= { cert: true }
+    end
+
+    # @return [Hash]
+    def load_from_content(content)
+      { cert: load_cert(content) }
+    end
+
+    # Save certificate.
+    # @param [Hash] data
+    # @return [void]
+    def save(data)
+      save_to_file(dump_cert(data[:cert]))
+    end
+
+  end
+
+  IOPlugin.register(CertFile, 'cert.pem', :pem)
+  IOPlugin.register(CertFile, 'cert.der', :der)
+end

data/lib/letscert/io_plugins/chain_file.rb

@@ -0,0 +1,32 @@
+module LetsCert
+
+  # Chain file plugin
+  # @author Sylvain Daubert
+  class ChainFile < OpenSSLIOPlugin
+    include FileIOPluginMixin
+
+    # @return [Hash] always get +true+ for +:chain+ key
+    def persisted
+      @persisted ||= { chain: true }
+    end
+
+    # @return [Hash]
+    def load_from_content(content)
+      chain = []
+      split_pems(content) do |pem|
+        chain << load_cert(pem)
+      end
+      { chain: chain }
+    end
+
+    # Save chain.
+    # @param [Hash] data
+    # @return [void]
+    def save(data)
+      save_to_file(data[:chain].map { |c| dump_cert(c) }.join)
+    end
+
+  end
+
+  IOPlugin.register(ChainFile, 'chain.pem', :pem)
+end

data/lib/letscert/io_plugins/file_io_plugin_mixin.rb

@@ -0,0 +1,48 @@
+module LetsCert
+
+  # Mixin for IOPmugin subclasses that handle files
+  # @author Sylvain Daubert
+  module FileIOPluginMixin
+
+    # Load data from file named +#name+
+    # @return [Hash]
+    def load
+      logger.debug { "Loading #{@name}" }
+
+      begin
+        content = File.read(@name)
+      rescue Errno::ENOENT => ex
+        logger.info { "no #{@name} file" }
+        return self.class.empty_data
+      end
+
+      load_from_content(content)
+    end
+
+    # @abstract
+    # @param [String] _content
+    # @return [Hash]
+    def load_from_content(_content)
+      raise NotImplementedError
+    end
+
+    # Save data to file +#name+
+    # @param [Hash] data
+    # @return [void]
+    def save_to_file(data)
+      return if data.nil?
+
+      logger.info { "saving #{@name}" }
+      begin
+        File.open(name, 'w') do |f|
+          f.write(data)
+        end
+      rescue Errno => ex
+        @logger.error { ex.message }
+        raise Error, "Error when saving #{@name}"
+      end
+    end
+
+  end
+
+end

data/lib/letscert/io_plugins/full_chain_file.rb

@@ -0,0 +1,39 @@
+module LetsCert
+
+  # Fullchain file plugin
+  # @author Sylvain Daubert
+  class FullChainFile < ChainFile
+
+    # @return [Hash] always get +true+ for +:cert+ and +:chain+ keys
+    def persisted
+      @persisted ||= { cert: true, chain: true }
+    end
+
+    # Load full certificate chain
+    # @return [Hash]
+    def load
+      data = super
+      if data[:chain].nil? or data[:chain].empty?
+        cert = nil
+        chain = []
+      else
+        cert = data[:chain].shift
+        chain = data[:chain]
+      end
+
+      { account_key: data[:account_key], key: data[:key], cert: cert,
+        chain: chain }
+    end
+
+    # Save fullchain.
+    # @param [Hash] data
+    # @return [void]
+    def save(data)
+      super(account_key: data[:account_key], key: data[:key], cert: nil,
+            chain: [data[:cert]] + data[:chain])
+    end
+
+  end
+
+  IOPlugin.register(FullChainFile, 'fullchain.pem', :pem)
+end

data/lib/letscert/io_plugins/jwk_io_plugin_mixin.rb

@@ -0,0 +1,68 @@
+require 'base64'
+
+module LetsCert
+
+  # Mixin for IOPlugin subclasses that handle JWK
+  # @author Sylvain Daubert
+  module JWKIOPluginMixin
+
+    # Encode string +data+ to base64
+    # @param [String] data
+    # @return [String]
+    def urlsafe_encode64(data)
+      Base64.urlsafe_encode64(data).sub(/[\s=]*\z/, '')
+    end
+
+    # Decode base64 string +data+
+    # @param [String] data
+    # @return [String]
+    def urlsafe_decode64(data)
+      Base64.urlsafe_decode64(data.sub(/[\s=]*\z/, ''))
+    end
+
+    # Load crypto data from JSON-encoded file
+    # @param [String] data JSON-encoded data
+    # @return [OpenSSL::PKey::PKey]
+    def load_jwk(data)
+      return nil if data.empty?
+
+      h = JSON.parse(data)
+      case h['kty']
+      when 'RSA'
+        pkey = OpenSSL::PKey::RSA.new
+        %w(e n d p q).collect do |key|
+          next if h[key].nil?
+          value = OpenSSL::BN.new(urlsafe_decode64(h[key]), 2)
+          pkey.send "#{key}=".to_sym, value
+        end
+      else
+        raise Error, "unknown account key type '#{k['kty']}'"
+      end
+
+      pkey
+    end
+
+    # Dump crypto data (key) to a JSON-encoded string
+    # @param [OpenSSL::PKey] key
+    # @return [String]
+    def dump_jwk(key)
+      return {}.to_json if key.nil?
+
+      h = { 'kty' => 'RSA' }
+      case key
+      when OpenSSL::PKey::RSA
+        h['e'] = urlsafe_encode64(key.e.to_s(2)) if key.e
+        h['n'] = urlsafe_encode64(key.n.to_s(2)) if key.n
+        if key.private?
+          h['d'] = urlsafe_encode64(key.d.to_s(2))
+          h['p'] = urlsafe_encode64(key.p.to_s(2))
+          h['q'] = urlsafe_encode64(key.q.to_s(2))
+        end
+      else
+        raise Error, 'only RSA keys are supported'
+      end
+      h.to_json
+    end
+  end
+
+end

data/lib/letscert/io_plugins/key_file.rb

@@ -0,0 +1,29 @@
+module LetsCert
+
+  # Key file plugin
+  # @author Sylvain Daubert
+  class KeyFile < OpenSSLIOPlugin
+    include FileIOPluginMixin
+
+    # @return [Hash] always get +true+ for +:key+ key
+    def persisted
+      @persisted ||= { key: true }
+    end
+
+    # @return [Hash]
+    def load_from_content(content)
+      { key: load_key(content) }
+    end
+
+    # Save private key.
+    # @param [Hash] data
+    # @return [void]
+    def save(data)
+      save_to_file(dump_key(data[:key]))
+    end
+
+  end
+
+  IOPlugin.register(KeyFile, 'key.pem', :pem)
+  IOPlugin.register(KeyFile, 'key.der', :der)
+end

data/lib/letscert/io_plugins/openssl_io_plugin.rb

@@ -0,0 +1,68 @@
+module LetsCert
+
+  # OpenSSL IOPlugin
+  # @author Sylvain Daubert
+  class OpenSSLIOPlugin < IOPlugin
+
+    # @private Regular expression to discriminate PEM
+    PEM_RE = /^-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----\n/m
+
+    # @param [String] name filename
+    # @param [:pem,:der] type
+    def initialize(name, type)
+      case type
+      when :pem
+      when :der
+      else
+        raise ArgumentError, 'type should be :pem or :der'
+      end
+
+      @type = type
+      super(name)
+    end
+
+    # Load key from raw +data+
+    # @param [String] data
+    # @return [OpenSSL::PKey]
+    def load_key(data)
+      OpenSSL::PKey::RSA.new data
+    end
+
+    # Dump key/cert data
+    # @param [OpenSSL::PKey] key
+    # @return [String]
+    def dump_key(key)
+      case @type
+      when :pem
+        key.to_pem
+      when :der
+        key.to_der
+      end
+    end
+    alias dump_cert dump_key
+
+    # Load certificate from raw +data+
+    # @param [String] data
+    # @return [OpenSSL::X509::Certificate]
+    def load_cert(data)
+      OpenSSL::X509::Certificate.new data
+    end
+
+    private
+
+    # Split concatenated PEMs.
+    # @param [String] data
+    # @yield [String] pem
+    def split_pems(data)
+      my_data = data
+      m = my_data.match(PEM_RE)
+      while m
+        yield m[0]
+        my_data = my_data[m.end(0)..-1]
+        m = my_data.match(PEM_RE)
+      end
+    end
+
+  end
+
+end

data/lib/letscert/loggable.rb

@@ -41,8 +41,8 @@ module LetsCert
     module ClassMethods
 
       # @private hook called when a subclass is created.
-      #  Take care of all subclasses to later properly set @logger class instance
-      #  variable.
+      #  Take care of all subclasses to later properly set @logger class
+      #  instance variable.
       # @param [Class] subclass
       # @return [void]
       def inherited(subclass)
@@ -69,5 +69,4 @@ module LetsCert
     end
 
   end
-
 end

data/lib/letscert/runner.rb

@@ -25,86 +25,15 @@ require 'fileutils'
 
 require_relative 'io_plugin'
 require_relative 'certificate'
+require_relative 'runner/logger_formatter'
+require_relative 'runner/valid_time'
 
 module LetsCert
 
   # Runner class: analyse and execute CLI commands.
   # @author Sylvain Daubert
+  # rubocop:disable Metrics/ClassLength
   class Runner
-    # Get options
-    # @return [Hash]
-    attr_reader :options
-    # @return [Logger]
-    attr_accessor :logger
-
-    # Custom logger formatter
-    class LoggerFormatter < Logger::Formatter
-
-      # @private log format
-      FORMAT = "[%s] %5s: %s\n"
-
-      # @param [String] severity
-      # @param [Datetime] time
-      # @param [nil,String] progname
-      # @param [String] msg
-      # @return [String]
-      def call(severity, time, progname, msg)
-        FORMAT % [format_datetime(time), severity, msg2str(msg)]
-      end
-
-
-      private
-
-      # @private simple datetime formatter
-      # @param [DateTime] time
-      # @return [String]
-      def format_datetime(time)
-        time.strftime("%Y-%m-%d %H:%M:%S")
-      end
-
-    end
-
-    # Class used to process validation time from String.
-    # @author Sylvain Daubert
-    class ValidTime
-
-      # @param [String] str time string. May be:
-      #   * an integer -> time in seconds
-      #   * an integer plus a letter:
-      #     * 30m: 30 minutes,
-      #     * 30h: 30 hours,
-      #     * 30d: 30 days.
-      def initialize(str)
-        m = str.match(/^(\d+)([mhd])?$/)
-        if m
-          case m[2]
-          when nil
-            @seconds = m[1].to_i
-          when 'm'
-            @seconds = m[1].to_i * 60
-          when 'h'
-            @seconds = m[1].to_i * 60 * 60
-          when 'd'
-            @seconds = m[1].to_i * 24 * 60 * 60
-          end
-        else
-          raise OptionParser::InvalidArgument, "invalid argument: --valid-min #{str}"
-        end
-        @string = str
-      end
-
-      # Get time in seconds
-      # @return [Integer]
-      def to_seconds
-        @seconds
-      end
-
-      # Get time as string
-      # @return [String]
-      def to_s
-        @string
-      end
-    end
 
     # Exit value for OK
     RETURN_OK = 1
@@ -112,9 +41,12 @@ module LetsCert
     RETURN_OK_CERT = 0
     # Exit value for error(s)
     RETURN_ERROR = 2
-    
+
+    # Get options
+    # @return [Hash]
+    attr_reader :options
     # @return [Logger]
-    attr_reader :logger
+    attr_accessor :logger
 
     # Run LetsCert
     # @return [Integer]
@@ -125,7 +57,6 @@ module LetsCert
       runner.run
     end
 
-
     def initialize
       @options = {
         verbose: 0,
@@ -134,9 +65,9 @@ module LetsCert
         cert_key_size: 2048,
         valid_min: ValidTime.new('30d'),
         account_key_size: 4096,
-        tos_sha256: '33d233c8ab558ba6c8ebc370a509acdded8b80e5d587aa5d192193f35226540f',
-        user_agent: "letscert/#{VERSION.gsub(/\..*/, '')}",
-        server: 'https://acme-v01.api.letsencrypt.org/directory',
+        tos_sha256: '33d233c8ab558ba6c8ebc370a509acdded8b80e5d587aa5d192193f3' \
+                    '5226540f',
+        server: 'https://acme-v01.api.letsencrypt.org/directory'
       }
 
       @logger = Logger.new($stdout)
@@ -148,62 +79,19 @@ module LetsCert
     #   * 1 if renewal was not necessery
     #   * 2 in case of errors
     def run
-      if @options[:print_help]
-        puts @opt_parser
-        exit RETURN_OK
-      end
-
-      if @options[:show_version]
-        puts "letscert #{LetsCert::VERSION}"
-        puts "Copyright (c) 2016 Sylvain Daubert"
-        puts "License MIT: see http://opensource.org/licenses/MIT"
-        exit RETURN_OK
-      end
-
-      case @options[:verbose]
-      when 0
-        @logger.level = Logger::Severity::WARN
-      when 1
-        @logger.level = Logger::Severity::INFO
-      when 2..5
-        @logger.level = Logger::Severity::DEBUG
-      end
-
-      @logger.debug { "options are: #{@options.inspect}" }
-
-      IOPlugin.logger = @logger
-      Certificate.logger = @logger
+      print_help_if_needed
+      show_version_if_needed
+      set_logger_level
+      set_logger
 
       begin
-        if @options[:domains].empty?
-          raise Error, "At leat one domain must be given with --domain option.\n" +
-                       "Try 'letscert --help' for more information."
-        end
-
+        check_domains
         if @options[:revoke]
-          data = load_data_from_disk(IOPlugin.registered.keys)
-          certificate = Certificate.new(data[:cert])
-          if certificate.revoke(data[:account_key], @options)
-            RETURN_OK
-          else
-            RETURN_ERROR
-          end
+          revoke
         else
           check_persisted
-
-          data = load_data_from_disk(@options[:files])
-
-          certificate = Certificate.new(data[:cert])
-          if certificate.valid?(@options[:domains], @options[:valid_min].to_seconds)
-            @logger.info { 'no need to update cert' }
-            RETURN_OK
-          else
-            # update/create cert
-            certificate.get data[:account_key], data[:key], @options
-            RETURN_OK_CERT
-          end
+          get_certificate
         end
-
       rescue Error, Acme::Client::Error => ex
         msg = ex.message
         msg = "[Acme] #{msg}" if ex.is_a?(Acme::Client::Error)
@@ -213,13 +101,13 @@ module LetsCert
       end
     end
 
-
     # Parse line command options
     # @raise [OptionParser::InvalidOption] on unrecognized or malformed option
     # @return [void]
+    # rubocop:disable Metrics/MethodLength
     def parse_options
       @opt_parser = OptionParser.new do |opts|
-        opts.banner = "Usage: lestcert [options]"
+        opts.banner = 'Usage: lestcert [options]'
 
         opts.separator('')
 
@@ -229,8 +117,9 @@ module LetsCert
         opts.on('-V', '--version', 'Show version and exit') do |v|
           @options[:show_version] = v
         end
-        opts.on('-v', '--verbose', 'Run verbosely') { |v| @options[:verbose] += 1 if v }
-
+        opts.on('-v', '--verbose', 'Run verbosely') do |v|
+          @options[:verbose] += 1 if v
+        end
 
         opts.separator("\nWebroot manager:")
 
@@ -252,7 +141,7 @@ module LetsCert
           @options[:revoke] = revoke
         end
 
-        opts.on("-f", "--file FILE", 'Input/output file.',
+        opts.on('-f', '--file FILE', 'Input/output file.',
                 'Can be specified multiple times',
                 'Allowed values: account_key.json, cert.der,',
                 'cert.pem, chain.pem, full.pem,',
@@ -269,9 +158,10 @@ module LetsCert
         opts.accept(ValidTime) do |valid_time|
           ValidTime.new(valid_time)
         end
-        opts.on('--valid-min TIME', ValidTime, 'Renew existing certificate if validity',
+        opts.on('--valid-min TIME', ValidTime,
+                'Renew existing certificate if validity',
                 'is lesser than TIME',
-                "(default: #{@options[:valid_min].to_s})") do |vt|
+                "(default: #{@options[:valid_min]})") do |vt|
           @options[:valid_min] = vt
         end
 
@@ -280,12 +170,13 @@ module LetsCert
         end
 
         opts.separator("\nRegistration:")
-        opts.separator("  Automatically register an account with he ACME CA specified" +
-                       " by --server")
+        opts.separator('  Automatically register an account with he ACME CA' \
+                       ' specified  by --server')
         opts.separator('')
 
         opts.on('--account-key-size BITS', Integer,
-                "Account key size (default: #{@options[:account_key_size]})") do |bits|
+                'Account key size (default: ' \
+                "#{@options[:account_key_size]})") do |bits|
           @options[:account_key_size] = bits
         end
 
@@ -307,11 +198,6 @@ module LetsCert
         opts.separator('  Configure properties of HTTP requests and responses.')
         opts.separator('')
 
-        opts.on('--user-agent NAME', 'User-Agent sent in all HTTP requests',
-                "(default: #{@options[:user_agent]})") do |ua|
-          @options[:user_agent] = ua
-        end
-        
         opts.on('--server URI', 'URI for the CA ACME API endpoint',
                 "(default: #{@options[:server]})") do |uri|
           @options[:server] = uri
@@ -325,14 +211,8 @@ module LetsCert
     # Check all components are covered by plugins
     # @raise [Error]
     def check_persisted
-      persisted = IOPlugin.empty_data
-
-      @options[:files].each do |file|
-        persisted.merge!(IOPlugin.registered[file].persisted) do |k, oldv, newv|
-          oldv || newv
-        end
-      end
-      not_persisted = persisted.keys.find_all { |k| !persisted[k] }
+      persisted = persisted_data
+      not_persisted = persisted.keys.find_all { |k| persisted[k].nil? }
 
       unless not_persisted.empty?
         raise Error, 'Selected IO plugins do not cover following components: ' +
@@ -340,9 +220,90 @@ module LetsCert
       end
     end
 
-
     private
 
+    # Print help and exit, if +:print_help+ option is set
+    # @return [void]
+    # rubocop:disable Style/GuardClause
+    def print_help_if_needed
+      if @options[:print_help]
+        puts @opt_parser
+        exit RETURN_OK
+      end
+    end
+
+    # Show version and exit, if +:show_version+ option is set
+    # @return [void]
+    def show_version_if_needed
+      if @options[:show_version]
+        puts "letscert #{LetsCert::VERSION}"
+        puts 'Copyright (c) 2016 Sylvain Daubert'
+        puts 'License MIT: see http://opensource.org/licenses/MIT'
+        exit RETURN_OK
+      end
+    end
+
+    # Set logger level from +:verbose+ option
+    # @return [void]
+    def set_logger_level
+      case @options[:verbose]
+      when 0
+        @logger.level = Logger::Severity::WARN
+      when 1
+        @logger.level = Logger::Severity::INFO
+      when 2..5
+        @logger.level = Logger::Severity::DEBUG
+      end
+    end
+
+    # Set logger for IOPlugin and Certificate classes.
+    # @return [void]
+    def set_logger
+      @logger.debug { "options are: #{@options.inspect}" }
+      IOPlugin.logger = @logger
+      Certificate.logger = @logger
+    end
+
+    # Check at least on domain is given.
+    # @return [void]
+    # @raise [Error] no domain given
+    def check_domains
+      if @options[:domains].empty?
+        raise Error, 'At leat one domain must be given with --domain ' \
+                     "option.\nTry 'letscert --help' for more information."
+      end
+    end
+
+    # Revoke a certificate
+    # @return [Integer] exit status
+    def revoke
+      data = load_data_from_disk(IOPlugin.registered.keys)
+      certificate = Certificate.new(data[:cert])
+      if certificate.revoke(data[:account_key], @options)
+        RETURN_OK
+      else
+        RETURN_ERROR
+      end
+    end
+
+    # Create/update a certificate
+    # @return [Integer] exit status
+    # rubocop:disable Style/AccessorMethodName
+    def get_certificate
+      data = load_data_from_disk(@options[:files])
+
+      certificate = Certificate.new(data[:cert])
+      min_time = @options[:valid_min].to_seconds
+      if certificate.valid?(@options[:domains], min_time)
+        @logger.info { 'no need to update cert' }
+        RETURN_OK
+      else
+        # update/create cert
+        certificate.get data[:account_key], data[:key], @options
+        RETURN_OK_CERT
+      end
+    end
+
     # Load existing data from disk
     # @param [Array<String>] files
     # @return [Hash]
@@ -358,9 +319,9 @@ module LetsCert
         end
         raise Error unless test
 
-        # Merge data into all_data. New value replace old one only if old one was
-        # not defined
-        all_data.merge!(data) do |key, oldval, newval|
+        # Merge data into all_data. New value replace old one only if old
+        # one was not defined
+        all_data.merge!(data) do |_key, oldval, newval|
           oldval || newval
         end
       end
@@ -387,6 +348,18 @@ module LetsCert
       @options[:roots] = roots
     end
 
+    def persisted_data
+      persisted = IOPlugin.empty_data
+      @options[:files].each do |file|
+        ioplugin = IOPlugin.registered[file]
+        next if ioplugin.nil?
+        persisted.merge!(ioplugin.persisted) do |_k, oldv, newv|
+          oldv || newv
+        end
+      end
+      persisted
+    end
+
   end
 
 end