puma-acme 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a03fafd8bedea51ad2a908d71c255510bc2cd852d0f5587916e3bce12635c58d
+  data.tar.gz: 146ab48df5ba65410b00fb065d891373076814efb47bfc184e94f164b6b75f6b
+SHA512:
+  metadata.gz: 746645713f39db8403b0299ee0a473b6b54c750fdd8d4f9a371a00894c02b35fb96367c22195e1707beea93a0ef65939235c0f6cddb4f0be43606546957db440
+  data.tar.gz: 74f1b2504eeb5dc97fe6ce421c389989cfd6ce5a5783daeb911d556b0fac915292d9d4ce6710ef81b027901f75426e0aecff3a86fbf58927dc99529d9e18a11a

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## 0.1.0 - 12/29/23
+
+- Initial release

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,58 @@
+PATH
+  remote: .
+  specs:
+    puma-acme (0.1.0)
+      acme-client (~> 2.0.13)
+      pstore (~> 0.1)
+      puma (~> 6.4)
+      sinatra (~> 3.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    acme-client (2.0.15)
+      faraday (>= 1.0, < 3.0.0)
+      faraday-retry (>= 1.0, < 3.0.0)
+    base64 (0.2.0)
+    faraday (2.7.12)
+      base64
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-net_http (3.0.2)
+    faraday-retry (2.2.0)
+      faraday (~> 2.0)
+    http.rb (0.12.0)
+    minitest (5.20.0)
+    minitest-mock_expectations (1.2.0)
+    mustermann (3.0.0)
+      ruby2_keywords (~> 0.0.1)
+    nio4r (2.7.0)
+    pstore (0.1.3)
+    puma (6.4.0)
+      nio4r (~> 2.0)
+    rack (2.2.8)
+    rack-protection (3.1.0)
+      rack (~> 2.2, >= 2.2.4)
+    rake (13.1.0)
+    ruby2_keywords (0.0.5)
+    sinatra (3.1.0)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.1.0)
+      tilt (~> 2.0)
+    tilt (2.3.0)
+    vcr (6.2.0)
+
+PLATFORMS
+  arm64-darwin-23
+
+DEPENDENCIES
+  http.rb (~> 0.12)
+  minitest (~> 5.14)
+  minitest-mock_expectations (~> 1.2)
+  puma-acme!
+  rake (~> 13.0)
+  vcr (~> 6.1)
+
+BUNDLED WITH
+   2.3.26

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Anchor Security, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE. 

data/README.md

@@ -0,0 +1,121 @@
+# puma-acme
+
+A [Puma](https://puma.io/) plugin for for SSL certs via
+[ACME](https://www.rfc-editor.org/rfc/rfc8555.html).
+
+Easily add HTTPS support to a Puma server. To use, configure the server
+name(s), accept the TOS, and add a bind directive. The plugin will handle ACME
+account creation, order handling, challenge responses, and certificate
+provisioning. A rack handler for
+[HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge)
+is added to the app so that the non-SSL address can automatically answer
+challenges.
+
+On first boot, the server will boot without the SSL listener, and run the ACME
+order workflow in a background thread of the main process. When the workflow
+finishes and the certificate is ready, the server performs a graceful restart
+and binds to the SSL port.
+
+If the configured cache contains an unexpired certificate that matches the
+algorithm and server name(s), it will use the cert to bind a listener at server
+boot.
+
+Automatic renewals can be enabled by configuring a renewal interval based on
+the remaining time as a duration or a fraction. See the `acme_renew_at`
+directive for details.
+
+Supports standalone and cluster mode, along with graceful & rolling restarts.
+
+## Installation
+
+`Gemfile`:
+
+```ruby
+gem 'puma-acme'
+```
+
+## Configuration
+
+basic:
+
+```ruby
+# config/puma.rb
+
+config.bind 'tcp://0.0.0.0:80'
+
+plugin :acme
+
+acme_server_name 'puma-acme.example.org' 
+acme_tos_agreed true
+
+config.bind 'acme://0.0.0.0:443'
+```
+
+advanced:
+
+```ruby
+# config/puma.rb
+
+# Account contact URL(s). For email, use the form 'mailto:user@domain.tld'.
+# Recommended for account recovery and revocation.
+acme_contact 'mailto:acme-user@exmaple.org'
+
+# Specify multiple server names (SAN extension).
+acme_server_names 'puma-acme.example.org', 'www.puma-acme.example.org'
+
+# Enable automatic renewal based on an amount of time or fraction of life
+# remaining. For an amount of time, use a number of seconds as an Integer, for
+# example the value 2592000 will set renewal to 30 days before certificate
+# expiration. Use a Float between 0 and 1 for fraction of life remaining, for
+# example the value 0.75 will set renewal at %75 of the way through the
+# certificate lifetime.
+acme_renew_at 0.75
+
+# URL of ACME server's directory URL, default is LetsEncrypt.
+acme_directory 'https://acme.example.org/directory'
+
+# Accept the Terms of Service (TOS) of an ACME server, the value can be either
+# the server's directory URL as a string, or true to accept any server's TOS.
+acme_tos_agreed 'https://acme.example.org/directory'
+
+# External Account Binding (EAB) token KID & secret HMAC key for the ACME
+# server. See RFC 8555, Section 7.3.4 for details.
+acme_eab_kid      ENV['ACME_KID']
+acme_eab_hmac_key ENV['ACME_HMAC_KEY']
+
+# Encryption key algorithm, :ecdsa & :rsa are supported, :ecdsa is the default.
+acme_algorithm :ecdsa
+
+# Provision mode, :background and :foreground are supported, :background is the
+# default. Background mode will provision certificates in a background thread
+# without blocking binding or request serving for non-acme listeners.
+# Foreground mode blocks all binding listeners until a certificate is
+# provisioned, and is only compatable with zero-challenge ACME flow.
+acme_mode :background 
+
+# Store account, order, and certificate data in any ActiveSupport::Cache::Store
+# compatable cache store. A local filesystem based cache in the default.
+acme_cache Rails.cache
+
+# Path to the cache directory for the default cache, 'tmp/acme' is the default.
+acme_cache_dir 'tmp/acme'
+
+# Time to wait in seconds before checking for an updated order status, 1 second
+# is the default.
+acme_poll_interval 1
+
+# Time to wait in seconds before checking for automatic renewal, default is 1
+# hour.
+acme_renew_interval 60 * 60
+```
+
+## Tested ACME Providers
+
+* [Anchor](https://anchor.dev/)
+* [Let's Encrypt](https://letsencrypt.org/)
+* [ZeroSSL](https://zerossl.com/)
+
+## License
+
+The gem is available as open source under the terms of the [MIT
+License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.libs << 'lib'
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task default: :test

data/lib/puma/acme/binder.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Puma
+  # Extend the ::Puma::Binder class to add hooks for acme binding support.
+  class Binder
+    def parse_with_before_hooks(*a, &b)
+      @before_parse_hooks&.each(&:call)
+
+      original_parse(*a, &b)
+    end
+
+    alias original_parse parse
+    alias parse parse_with_before_hooks
+
+    def before_parse_hook(&hook)
+      (@before_parse_hooks ||= []) << hook
+    end
+  end
+end

data/lib/puma/acme/disk_store.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Puma
+  module Acme
+    # DiskStore is a simple key/value store that persists to disk using PStore.
+    class DiskStore
+      def initialize(dir)
+        path = File.join(dir, 'puma-acme.pstore')
+        @pstore = PStore.new(path, true)
+      end
+
+      def delete(key, _options = nil)
+        @pstore.transaction do
+          !!@pstore.delete(key)
+        end
+      end
+
+      def fetch(key, _options = nil, &block)
+        raise ArgumentError if block.nil?
+
+        @pstore.transaction do
+          @pstore[key] || (@pstore[key] = yield(key))
+        end
+      end
+
+      def read(key, _options = nil)
+        @pstore.transaction(true) do
+          @pstore[key]
+        end
+      end
+
+      def write(key, value, _options = nil)
+        @pstore.transaction do
+          @pstore[key] = value
+          true
+        end
+      end
+    end
+  end
+end

data/lib/puma/acme/dsl.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module Puma
+  # Extend the ::Puma::DSL module with the configuration options we want
+  class DSL
+    def acme_algorithm(algo = nil)
+      @options[:acme_algorithm] = algo if algo
+      @options[:acme_algorithm]
+    end
+
+    def acme_cache(cache = nil)
+      @options[:acme_cache] = cache if cache
+      @options[:acme_cache]
+    end
+
+    def acme_cache_dir(dir = nil)
+      @options[:acme_cache_dir] = dir if dir
+      @options[:acme_cache_dir]
+    end
+
+    def acme_contact(contact = nil)
+      @options[:acme_contact] = contact if contact
+      @options[:acme_contact]
+    end
+
+    def acme_directory(url = nil)
+      @options[:acme_directory] = url if url
+      @options[:acme_directory]
+    end
+
+    def acme_eab_kid(kid = nil)
+      @options[:acme_eab_kid] = kid if kid
+      @options[:acme_eab_kid]
+    end
+
+    def acme_eab_hmac_key(hmac_key = nil)
+      @options[:acme_eab_hmac_key] = hmac_key if hmac_key
+      @options[:acme_eab_hmac_key]
+    end
+
+    def acme_mode(mode = nil)
+      @options[:acme_mode] = mode if mode
+      @options[:acme_mode]
+    end
+
+    def acme_poll_interval(interval = nil)
+      @options[:acme_poll_interval] = interval if interval
+      @options[:acme_poll_interval]
+    end
+
+    def acme_renew_at(duration = nil)
+      @options[:acme_renew_at] = duration if duration
+      @options[:acme_renew_at]
+    end
+
+    def acme_renew_interval(duration = nil)
+      @options[:acme_renew_interval] = duration if duration
+      @options[:acme_renew_interval]
+    end
+
+    def acme_server_name(name)
+      (@options[:acme_server_names] ||= []) << name
+    end
+
+    def acme_server_names(*names)
+      (@options[:acme_server_names] ||= []).unshift(*names)
+      @options[:acme_server_names]
+    end
+
+    def acme_tos_agreed(agreed)
+      (@options[:acme_tos_agreed] = agreed) unless agreed.nil?
+      @options[:acme_to_agreed]
+    end
+  end
+end

data/lib/puma/acme/manager.rb

@@ -0,0 +1,160 @@
+# frozen_string_literal: true
+
+module Puma
+  module Acme
+    # Manager tracks and performs the ACME workflow steps for a certificate.
+    class Manager
+      attr_reader :contact, :directory, :tos_agreed, :eab
+
+      def initialize(store:, directory:, tos_agreed:, eab:, contact: nil)
+        @store = store
+        @contact = contact
+        @directory = directory
+        @tos_agreed = [true, directory].include?(tos_agreed)
+        @eab = eab
+      end
+
+      def account
+        @store.read(Account.key(directory: directory, contact: contact, eab: eab))
+      end
+
+      def cert(algorithm:, identifiers:)
+        @store.read(Cert.key(algorithm: algorithm, identifiers: identifiers))
+      end
+
+      def answer(type:, token:)
+        @store.read(Answer.key(type: type, token: token))
+      end
+
+      def account!
+        @store.fetch(Account.key(directory: directory, contact: contact, eab: eab)) { create_account }
+      end
+
+      def cert!(algorithm:, identifiers:)
+        @store.fetch(Cert.key(algorithm: algorithm, identifiers: identifiers)) { Cert.new(algorithm: algorithm, identifiers: identifiers) }
+      end
+
+      def order!(cert)
+        stale_check!(cert)
+
+        identifiers = cert.identifiers.map(&:value)
+        acme_order = client.new_order(**cert.to_h.slice(:not_before, :not_after).merge(identifiers: identifiers))
+        cert.order = Order.from(acme_order)
+
+        # TODO: maybe move this to caller
+        cert.order.authorizations.each do |authz|
+          authz.challenges.each do |challenge|
+            next unless challenge.type == CHALLENGE_TYPE
+
+            validate!(challenge)
+          end
+        end
+
+        @store.write(cert.key, cert) && cert.order
+      end
+
+      def validate!(challenge)
+        @store.write(challenge.answer.key, challenge.answer)
+
+        client.request_challenge_validation(url: challenge.url)
+      end
+
+      def finalize!(cert)
+        stale_check!(cert)
+
+        names = cert.identifiers.map(&:value)
+        common_name = names.first
+        private_key = new_key(cert.algorithm)
+
+        csr = ::Acme::Client::CertificateRequest.new(common_name: common_name, names: names, private_key: private_key)
+
+        acme_order = client.order(url: cert.order.url)
+        return unless acme_order.finalize(csr: csr)
+
+        cert.order = Order.from(acme_order)
+        cert.key_pem = private_key.to_pem
+
+        @store.write(cert.key, cert) && cert
+      end
+
+      def download!(cert)
+        stale_check!(cert)
+
+        acme_order = client.order(url: cert.order.url)
+
+        cert.cert_pem = acme_order.certificate
+
+        @store.write(cert.key, cert) && cert
+      end
+
+      def reload!(cert)
+        stale_check!(cert)
+
+        acme_order = client.order(url: cert.order.url)
+        cert.order = Order.from(acme_order)
+
+        @store.write(cert.key, cert) && cert
+      end
+
+      protected
+
+      def client
+        @client ||= acme_client
+      end
+
+      def acme_client
+        account = self.account!
+
+        ::Acme::Client.new(
+          kid: account.kid,
+          private_key: load_key(account.jwk, account.key_pem),
+          directory: directory
+        )
+      end
+
+      def create_account
+        private_key = new_key(:ecdsa)
+
+        client = ::Acme::Client.new(
+          private_key: private_key,
+          directory: directory
+        )
+
+        acme_account = client.new_account(
+          contact: contact,
+          terms_of_service_agreed: tos_agreed,
+          external_account_binding: eab&.to_h
+        )
+
+        account_parts = {
+          jwk: client.jwk.to_h,
+          kid: client.kid,
+          key_pem: private_key.to_pem,
+          tos_agreed: tos_agreed
+        }
+
+        Account.new(acme_account.to_h.slice(:url, :status, :contact).merge(account_parts))
+      end
+
+      def new_key(algorithm)
+        case algorithm.to_sym
+        when :ecdsa then OpenSSL::PKey::EC.generate('prime256v1')
+        when :rsa then OpenSSL::PKey::RSA.new(2048)
+        else raise UnknownAlgorithmError, "unknown key algorithm '#{algorithm}'"
+        end
+      end
+
+      def load_key(jwk, data)
+        case jwk.slice(:kty, :crv)
+        when { kty: 'RSA' }              then OpenSSL::PKey::RSA.new(data)
+        when { kty: 'EC', crv: 'P-256' } then OpenSSL::PKey::EC.new(data)
+        else raise UnknownAlgorithmError, "unknown key algorithm '#{jwk[:kty]}'"
+        end
+      end
+
+      def stale_check!(cert)
+        raise StaleCert if @store.read(cert.key) != cert
+      end
+    end
+  end
+end

data/lib/puma/acme/middleware.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Puma
+  module Acme
+    # ACME challenge response handler for HTTP-01 challenges.
+    class Middleware < Sinatra::Base
+      def initialize(app, manager:)
+        @app = app
+        @manager = manager
+
+        super(app)
+      end
+
+      get '/.well-known/acme-challenge/:token' do
+        if (token = params[:token]).nil?
+          return @app.call(env)
+        end
+
+        if (answer = @manager.answer(type: CHALLENGE_TYPE, token: token)).nil?
+          return @app.call(env)
+        end
+
+        content_type 'text/plain'
+        answer.value
+      end
+    end
+  end
+end

data/lib/puma/acme/plugin.rb

@@ -0,0 +1,194 @@
+# frozen_string_literal: true
+
+module Puma
+  module Acme
+    # Puma plugin for SSL certificate provisioning via an ACME server.
+    class Plugin < Puma::Plugin
+      Plugins.register('acme', self)
+
+      def start(launcher)
+        identifiers = launcher.options[:acme_server_names] || raise(Error, 'missing ACME server name(s)')
+        algorithm   = launcher.options.fetch(:acme_algorithm, :ecdsa)
+
+        contact    = launcher.options.fetch(:acme_contact, nil)
+        directory  = launcher.options.fetch(:acme_directory, DEFAULT_DIRECTORY)
+        tos_agreed = launcher.options.fetch(:acme_tos_agreed, false)
+
+        if (eab_kid = launcher.options[:acme_eab_kid])
+          eab = Eab.new(kid: eab_kid, hmac_key: launcher.options.fetch(:acme_eab_hmac_key))
+        end
+
+        store = launcher.options[:acme_cache] || disk_store(launcher.options)
+
+        mode           = launcher.options.fetch(:acme_mode, :background)
+        poll_interval  = launcher.options.fetch(:acme_poll_interval, 1)
+        renew_at       = launcher.options.fetch(:acme_renew_at, nil)
+        renew_interval = launcher.options.fetch(:acme_renew_interval, DEFAULT_RENEW_INTERVAL)
+
+        @manager = Manager.new(
+          store: store,
+          contact: contact,
+          directory: directory,
+          tos_agreed: tos_agreed,
+          eab: eab
+        )
+
+        @acme_binds, binds = launcher.options[:binds].partition { |bind| bind.start_with?('acme://') }
+        launcher.options[:binds] = binds
+
+        launcher.options[:app] = Middleware.new(
+          launcher.options[:app],
+          manager: @manager
+        )
+
+        @log_writer = launcher.log_writer
+
+        cert = @manager.cert!(identifiers: identifiers, algorithm: algorithm)
+        if cert.usable?
+          @log_writer.debug 'Acme: cert already provisioned'
+
+          bind_to(launcher, cert)
+
+          if renew_at
+            in_background do
+              renew(cert, renew_at: renew_at, renew_interval: renew_interval, poll_interval: poll_interval)
+
+              launcher.restart
+            end
+          end
+        elsif mode == :background
+          @log_writer.log 'Puma background provisioning cert via puma-acme plugin...'
+
+          in_background do
+            provision(cert, poll_interval: poll_interval)
+
+            @log_writer.log 'Puma restarting after provisioning cert via puma-acme plugin...'
+
+            launcher.restart
+          end
+        elsif mode == :foreground
+          @log_writer.log 'Puma foreground provisioning cert via puma-acme plugin...'
+
+          provision(cert, poll_interval: poll_interval)
+          bind_to(launcher, cert)
+
+          if renew_at
+            in_background do
+              renew(cert, renew_at: renew_at, renew_interval: renew_interval, poll_interval: poll_interval)
+
+              launcher.restart
+            end
+          end
+        else
+          raise UnknownMode, mode
+        end
+      end
+
+      protected
+
+      def bind_to(launcher, cert)
+        params = {
+          'key_pem' => cert.key_pem,
+          'cert_pem' => cert.cert_pem
+        }
+
+        ctx = MiniSSL::ContextBuilder.new(params, @log_writer).context
+
+        launcher.binder.before_parse_hook do
+          @acme_binds.each do |str|
+            uri = URI.parse(str)
+
+            if (fd = launcher.binder.inherited_fds.delete(str))
+              io = launcher.binder.inherit_ssl_listener(fd, ctx)
+              @log_writer.log "* Inherited #{str}"
+            elsif (fd = launcher.binder.activated_sockets.delete([:acme, uri.host, uri.port]))
+              io = launcher.binder.inherit_ssl_listener(fd, ctx)
+              @log_writer.log "* Activated #{str}"
+            else
+              io = launcher.binder.add_ssl_listener(uri.host, uri.port, ctx)
+            end
+
+            cert.identifiers.each do |identifier|
+              @log_writer.log "* Listening on ssl://#{uri.host}:#{uri.port} for https://#{identifier.value} (puma-acme)"
+            end
+
+            launcher.binder.listeners << [str, io]
+          end
+        end
+      end
+
+      def provision(cert, poll_interval:)
+        unless @manager.account
+          @log_writer.debug 'Acme: creating account'
+
+          @manager.account!
+        end
+
+        if cert.order.nil?
+          @log_writer.debug 'Acme: creating order'
+          @manager.order!(cert)
+        else
+          @manager.reload!(cert)
+        end
+
+        loop do
+          case cert.order.status.to_sym
+          when :valid
+            @log_writer.debug 'Acme: downloading cert'
+
+            @manager.download!(cert)
+
+            return
+          when :processing, :pending
+            @log_writer.debug "Acme: waiting on #{cert.order.status} order"
+
+            sleep poll_interval
+
+            @manager.reload!(cert)
+          when :ready
+            @log_writer.debug 'Acme: finalizing ready order'
+
+            @manager.finalize!(cert)
+          when :invalid
+            @log_writer.debug 'Acme: invalid order, re-ordering'
+
+            @manager.order!(cert)
+          end
+        end
+      rescue StaleCert
+        sleep poll_interval
+        retry
+      end
+
+      def renew(cert, renew_at:, renew_interval:, poll_interval:)
+        if cert.order.status.to_sym != :valid
+          # finish provisioning aborted renewal
+          return provision(cert, poll_interval: poll_interval)
+        end
+
+        loop do
+          sleep renew_interval
+
+          next unless cert.renewable?(renew_at)
+
+          @log_writer.debug 'Acme: creating renewal order'
+
+          @manager.order!(cert)
+
+          return provision(cert, poll_interval: poll_interval)
+        end
+      rescue StaleCert
+        sleep poll_interval
+        retry
+      end
+
+      def disk_store(options)
+        cache_dir = options[:acme_cache_dir] || 'tmp/acme'
+
+        FileUtils.mkdir_p(cache_dir)
+
+        DiskStore.new(cache_dir)
+      end
+    end
+  end
+end

data/lib/puma/acme/structs.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+module Puma
+  module Acme
+    # https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.2
+    Account = Struct.new(:directory, :url, :status, :contact, :tos_agreed, :eab, :jwk, :kid, :key_pem,
+                         keyword_init: true) do
+      def self.key(directory:, contact: nil, eab: nil)
+        new(directory: directory, contact: contact, eab: eab).key
+      end
+
+      def self.from(acme_account)
+        new(acme_account.to_h.slice(*members))
+      end
+
+      def key
+        [:account, directory, contact, eab&.key]
+      end
+    end
+
+    Answer = Struct.new(:type, :token, :value, keyword_init: true) do
+      def self.from(acme_challenge)
+        new(
+          type: acme_challenge.challenge_type,
+          token: acme_challenge.token,
+          value: acme_challenge.key_authorization
+        )
+      end
+
+      def self.key(type:, token:)
+        new(type: type, token: token).key
+      end
+
+      def key
+        [:answer, type, token]
+      end
+    end
+
+    # https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.4
+    Authz = Struct.new(:url, :identifier, :status, :expires, :challenges, :wildcard, keyword_init: true) do
+      def self.from(acme_authz)
+        identifier = Identifier.from(acme_authz.identifier)
+        challenges = acme_authz.challenges
+                               .reject { |c| c.is_a?(::Acme::Client::Resources::Challenges::Unsupported) }
+                               .map { |c| Challenge.from(c) }
+
+        new(acme_authz.to_h.slice(*members).merge(challenges: challenges, identifier: identifier))
+      end
+    end
+
+    Cert = Struct.new(:algorithm, :identifiers, :cert_pem, :key_pem, :order, keyword_init: true) do
+      def self.key(algorithm:, identifiers:)
+        new(algorithm: algorithm, identifiers: identifiers).key
+      end
+
+      def initialize(identifiers: nil, **kwargs)
+        identifiers = identifiers&.map { |value| Identifier.parse(value) }
+
+        super(identifiers: identifiers, **kwargs)
+      end
+
+      def key
+        [:cert, algorithm, identifiers&.map(&:key)]
+      end
+
+      def names
+        identifiers&.map(&:value)
+      end
+
+      def usable?(now: Time.now.utc)
+        !cert_pem.nil? && !key_pem.nil? && x509.not_after > now
+      end
+
+      def renewable?(renew_in, now: Time.now.utc)
+        case renew_in
+        when Float
+          renew_at = x509.not_before + (x509.not_after - x509.not_before) * renew_in
+        when Integer
+          renew_at = x509.not_before + renew_in
+        else
+          raise UnknownRenewIn, renew_in
+        end
+
+        now >= renew_at
+      end
+
+      protected
+
+      def x509
+        @x509 ||= OpenSSL::X509::Certificate.new(cert_pem) if cert_pem
+      end
+    end
+
+    # https://www.rfc-editor.org/rfc/rfc8555.html#section-8
+    Challenge = Struct.new(:url, :type, :token, :error, :answer, keyword_init: true) do
+      def self.from(acme_challenge)
+        new(acme_challenge.to_h.slice(*members).merge(type: acme_challenge.challenge_type,
+                                                      answer: Answer.from(acme_challenge)))
+      end
+    end
+
+    Eab = Struct.new(:kid, :hmac_key, keyword_init: true) do
+      def key
+        [:eab, kid]
+      end
+    end
+
+    Identifier = Struct.new(:type, :value, keyword_init: true) do
+      def self.parse(value)
+        # TODO: ip identifiers
+        new(type: :dns, value: value)
+      end
+
+      def self.from(acme_identifier)
+        new(acme_identifier.to_h.slice(*members.map(&:to_s)))
+      end
+
+      def key
+        [:identifier, type, value]
+      end
+    end
+
+    # https://datatracker.ietf.org/doc/html/rfc8555#section-7.1.3
+    Order = Struct.new(:url, :status, :expires, :identifiers, :not_before, :not_after, :error, :authorizations,
+                       keyword_init: true) do
+      def self.from(acme_order)
+        identifiers = acme_order.identifiers.map { |i| Identifier.new(i) }
+        authorizations = acme_order.authorizations.map { |a| Authz.from(a) }
+
+        new(acme_order.to_h.slice(*members).merge(identifiers: identifiers, authorizations: authorizations))
+      end
+    end
+  end
+end

data/lib/puma/acme/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Puma
+  module Acme
+    VERSION = '0.1.0'
+  end
+end

data/lib/puma/acme.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'acme-client'
+require 'fileutils'
+require 'pstore'
+require 'puma'
+require 'puma/binder'
+require 'puma/plugin'
+require 'sinatra'
+
+module Puma
+  # This is a plugin for Puma that will automatically provision a SSL
+  # certificate.
+  module Acme
+    class Error < StandardError; end
+    class StaleCert < Error; end
+    class UnknownAlgorithmError < Error; end
+    class UnknownMode < Error; end
+
+    CHALLENGE_TYPE = ::Acme::Client::Resources::Challenges::HTTP01::CHALLENGE_TYPE
+    DEFAULT_DIRECTORY = 'https://acme-v02.api.letsencrypt.org/directory'
+    DEFAULT_RENEW_INTERVAL = 60 * 60
+  end
+end
+
+require_relative './acme/binder'
+require_relative './acme/disk_store'
+require_relative './acme/dsl'
+require_relative './acme/manager'
+require_relative './acme/middleware'
+require_relative './acme/plugin'
+require_relative './acme/structs'
+require_relative './acme/version'

data/lib/puma-acme.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'puma/acme'

metadata

@@ -0,0 +1,190 @@
+--- !ruby/object:Gem::Specification
+name: puma-acme
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Anchor Security, Inc
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-12-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: acme-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.13
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.13
+- !ruby/object:Gem::Dependency
+  name: pstore
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: puma
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.4'
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: http.rb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.14'
+- !ruby/object:Gem::Dependency
+  name: minitest-mock_expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+description: A Puma webserver plugin for automatic access to certificates from Let's
+  Encrypt and any other ACME-based CA.
+email:
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.md
+- CHANGELOG.md
+files:
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/puma-acme.rb
+- lib/puma/acme.rb
+- lib/puma/acme/binder.rb
+- lib/puma/acme/disk_store.rb
+- lib/puma/acme/dsl.rb
+- lib/puma/acme/manager.rb
+- lib/puma/acme/middleware.rb
+- lib/puma/acme/plugin.rb
+- lib/puma/acme/structs.rb
+- lib/puma/acme/version.rb
+homepage: https://github.com/anchordotdev/puma-acme
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/anchordotdev/puma-acme
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.5'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.26
+signing_key:
+specification_version: 4
+summary: Puma plugin for ACME.
+test_files: []