rails-letsencrypt 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 97064ad048920d4fa44d9447f9d154d3573d366b
+  data.tar.gz: 79344a1b185cda5c7995b966cf7d95ce0976dfd1
+SHA512:
+  metadata.gz: c2f8dbf68b900f909ea10f300b146c232de28e02dc00d40ab4d6925c9c60dd2a8f0dca208132bb827fd9472de74087ac046c7ee4efa28034d38e641d39798fff
+  data.tar.gz: e36cc6b648b879d66f2871ab5f023deff93b2f42416a820319d2e2c5f9232c6b2b2428a997545e3c453ae5581bba81c37b25a2398e698c31136799237a6e30a9

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2017 蒼時弦也
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,28 @@
+# LetsEncrypt
+Short description and motivation.
+
+## Usage
+How to use my plugin.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'lets_encrypt'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install lets_encrypt
+```
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,21 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'LetsEncrypt'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'
+
+task default: :stats

data/app/controllers/lets_encrypt/application_controller.rb

@@ -0,0 +1,5 @@
+module LetsEncrypt
+  class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception
+  end
+end

data/app/controllers/lets_encrypt/verifications_controller.rb

@@ -0,0 +1,25 @@
+require_dependency 'lets_encrypt/application_controller'
+
+module LetsEncrypt
+  # :nodoc:
+  class VerificationsController < ApplicationController
+    def show
+      return render_verification_string if certificate.present?
+      render plain: 'Verification not found', status: 404
+    end
+
+    protected
+
+    def render_verification_string
+      render plain: certificate.verification_string
+    end
+
+    def certificate
+      LetsEncrypt::Certificate.find_by(verification_path: filename)
+    end
+
+    def filename
+      ".well-known/acme-challenge/#{params[:verification_path]}"
+    end
+  end
+end

data/app/jobs/lets_encrypt/application_job.rb

@@ -0,0 +1,4 @@
+module LetsEncrypt
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/models/concerns/lets_encrypt/certificate_issuable.rb

@@ -0,0 +1,37 @@
+module LetsEncrypt
+  # :nodoc:
+  module CertificateIssuable
+    extend ActiveSupport::Concern
+
+    def issue
+      logger.info "Getting certificate for #{domain}"
+      create_certificate
+      # rubocop:disable Metrics/LineLength
+      logger.info "Certificate issued (expires on #{expires_at}, will renew after #{renew_after})"
+      # rubocop:enable Metrics/LineLength
+      true
+    end
+
+    private
+
+    def csr
+      csr = OpenSSL::X509::Request.new
+      csr.subject = OpenSSL::X509::Name.new(
+        [['CN', domain, OpenSSL::ASN1::UTF8STRING]]
+      )
+      private_key = OpenSSL::PKey::RSA.new(key)
+      csr.public_key = private_key.public_key
+      csr.sign(private_key, OpenSSL::Digest::SHA256.new)
+      csr
+    end
+
+    def create_certificate
+      https_cert = LetsEncrypt.client.new_certificate(csr)
+      self.certificate = https_cert.to_pem
+      self.intermediaries = https_cert.chain_to_pem
+      self.expires_at = https_cert.x509.not_after
+      self.renew_after = (expires_at - 1.month) + rand(10).days
+      save!
+    end
+  end
+end

data/app/models/concerns/lets_encrypt/certificate_verifiable.rb

@@ -0,0 +1,66 @@
+module LetsEncrypt
+  # :nodoc:
+  module CertificateVerifiable
+    extend ActiveSupport::Concern
+
+    def verify
+      start_authorize
+      start_challenge
+      wait_verify_status
+      check_verify_status
+    rescue Acme::Client::Error => e
+      retry_on_verify_error(e)
+    end
+
+    private
+
+    def start_authorize
+      authorization = LetsEncrypt.client.authorize(domain: domain)
+      @challenge = authorization.http01
+      self.verification_path = @challenge.filename
+      self.verification_string = @challenge.file_content
+      save!
+    end
+
+    def start_challenge
+      logger.info "Attempting verification of #{domain}"
+      @challenge.request_verification
+    end
+
+    def wait_verify_status
+      checks = 0
+      until @challenge.verify_status != 'pending'
+        checks += 1
+        if checks > 30
+          logger.info 'Status remained at pending for 30 checks'
+          return false
+        end
+        sleep 1
+      end
+    end
+
+    def check_verify_status
+      unless @challenge.verify_status == 'valid'
+        logger.info "Status was not valid (was: #{@challenge.verify_status})"
+        return false
+      end
+
+      true
+    end
+
+    def retry_on_verify_error
+      @retries = 0
+      if e.is_a?(Acme::Client::Error::BadNonce) && @retries < 5
+        @retries += 1
+        # rubocop:disable Metrics/LineLength
+        logger.info "Bad nounce encountered. Retrying (#{@retries} of 5 attempts)"
+        # rubocop:enable Metrics/LineLength
+        sleep 1
+        verify
+      else
+        logger.info "Error: #{e.class} (#{e.message})"
+        return false
+      end
+    end
+  end
+end

data/app/models/lets_encrypt/application_record.rb

@@ -0,0 +1,5 @@
+module LetsEncrypt
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/lets_encrypt/certificate.rb

@@ -0,0 +1,21 @@
+module LetsEncrypt
+  # :nodoc:
+  class Certificate < ApplicationRecord
+    include CertificateVerifiable
+    include CertificateIssuable
+
+    validates :domain, presence: true, uniqueness: true
+
+    before_create -> { self.key = OpenSSL::PKey::RSA.new(4096).to_s }
+
+    def get
+      verify && issue
+    end
+
+    protected
+
+    def logger
+      LetsEncrypt.logger
+    end
+  end
+end

data/config/routes.rb

@@ -0,0 +1,3 @@
+LetsEncrypt::Engine.routes.draw do
+  get '/acme-challenge/:verification_path', to: 'verifications#show'
+end

data/db/migrate/20170505165114_create_lets_encrypt_certificates.rb

@@ -0,0 +1,17 @@
+class CreateLetsEncryptCertificates < ActiveRecord::Migration[5.1]
+  def change
+    create_table :lets_encrypt_certificates do |t|
+      t.string :domain
+      t.text :certificate, limit: 65535
+      t.text :intermediaries, limit: 65535
+      t.text :key, limit: 65535
+      t.datetime :expires_at
+      t.datetime :renew_after
+      t.string :verification_path
+      t.string :verification_string
+
+      t.index :domain
+      t.timestamps
+    end
+  end
+end

data/lib/letsencrypt.rb

@@ -0,0 +1,52 @@
+require 'openssl'
+require 'acme-client'
+require 'letsencrypt/engine'
+require 'letsencrypt/logger_proxy'
+
+# :nodoc:
+module LetsEncrypt
+  def self.client
+    @client ||= ::Acme::Client.new(private_key: private_key, endpoint: endpoint)
+  end
+
+  def self.private_key
+    # TODO: Add options to retrieve key
+    @private_key ||= if private_key_path.exist?
+                       OpenSSL::PKey::RSA.new(File.open(private_key_path))
+                     else
+                       generate_private_key
+                     end
+  end
+
+  def self.endpoint
+    @endpoint ||= if Rails.env.production?
+                    'https://acme-v01.api.letsencrypt.org/'
+                  else
+                    'https://acme-staging.api.letsencrypt.org'
+                  end
+  end
+
+  def self.register(email)
+    registration = client.register(contact: "mailto:#{email}")
+    logger.info "Successfully registered private key with address #{email}"
+    registration.agree_terms
+    logger.info 'Terms have been accepted'
+    true
+  end
+
+  def self.private_key_path
+    # TODO: Add options for specify path
+    Rails.root.join('config', 'letsencrypt.key')
+  end
+
+  def self.generate_private_key
+    key = OpenSSL::PKey::RSA.new(4096)
+    File.open(private_key_path, 'w') { |f| f.write(key.to_s) }
+    logger.info "Created new private key for Let's Encrypt"
+    key
+  end
+
+  def self.logger
+    @logger ||= LoggerProxy.new(Rails.logger, tags: ['LetsEncrypt'])
+  end
+end

data/lib/letsencrypt/engine.rb

@@ -0,0 +1,9 @@
+module LetsEncrypt
+  # :nodoc:
+  class Engine < ::Rails::Engine
+    isolate_namespace LetsEncrypt
+    engine_name :letsencrypt
+
+    config.generators.test_framework :rspec
+  end
+end

data/lib/letsencrypt/logger_proxy.rb

@@ -0,0 +1,37 @@
+module LetsEncrypt
+  # :nodoc:
+  class LoggerProxy
+    attr_reader :tags
+
+    def initialize(logger, tags:)
+      @logger = logger
+      @tags = tags.flatten
+    end
+
+    def add_tags(*tags)
+      @tags += tags.flatten
+      @tags = @tags.uniq
+    end
+
+    def tag(logger)
+      if logger.respond_to?(:tagged)
+        current_tags = tags - logger.formatter.current_tags
+        logger.tagged(*current_tags) { yield }
+      else
+        yield
+      end
+    end
+
+    %i[debug info warn error fatal unknown].each do |severity|
+      define_method(severity) do |message|
+        log severity, message
+      end
+    end
+
+    private
+
+    def log(type, message)
+      tag(@logger) { @logger.send type, message }
+    end
+  end
+end

data/lib/letsencrypt/version.rb

@@ -0,0 +1,3 @@
+module LetsEncrypt
+  VERSION = '0.1.0'
+end

data/lib/rails-letsencrypt.rb

@@ -0,0 +1 @@
+require 'letsencrypt'

data/lib/tasks/lets_encrypt_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :lets_encrypt do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,118 @@
+--- !ruby/object:Gem::Specification
+name: rails-letsencrypt
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- 蒼時弦也
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-05-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.0
+- !ruby/object:Gem::Dependency
+  name: acme-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: The Let's Encrypt certificate manager for rails
+email:
+- elct9620@frost.tw
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/controllers/lets_encrypt/application_controller.rb
+- app/controllers/lets_encrypt/verifications_controller.rb
+- app/jobs/lets_encrypt/application_job.rb
+- app/models/concerns/lets_encrypt/certificate_issuable.rb
+- app/models/concerns/lets_encrypt/certificate_verifiable.rb
+- app/models/lets_encrypt/application_record.rb
+- app/models/lets_encrypt/certificate.rb
+- config/routes.rb
+- db/migrate/20170505165114_create_lets_encrypt_certificates.rb
+- lib/letsencrypt.rb
+- lib/letsencrypt/engine.rb
+- lib/letsencrypt/logger_proxy.rb
+- lib/letsencrypt/version.rb
+- lib/rails-letsencrypt.rb
+- lib/tasks/lets_encrypt_tasks.rake
+homepage: https://github.com/elct9620/rails-letsencrypt
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: The Let's Encrypt certificate manager for rails
+test_files: []