sprinkle_dns 1.0.2 → 1.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b3535eda69750742757aa7f7c7bcf14b811e2a596ef14efa626db61de75b69d
-  data.tar.gz: 0f6e5928450f857ca7b304e1d0482c19e9112f6fa56c65d3716e0c14ec7a3638
+  metadata.gz: 95998c62520f5326402247fbc532e871436a3fa15ada7ada0b7129cd1d4ab051
+  data.tar.gz: '05139f95b6b5d8a7cdbe0bd97a0f17a85e40b32637c5e1c9098548fa7febce42'
 SHA512:
-  metadata.gz: c613e559b39c52375aad712a395eeb894802dce620adfff24114664f6ecf1519f881e209e3be682a4472369e9d6218642390bcd64dda3f6a5f3f2a0189fce264
-  data.tar.gz: d3297e82d02cba1b8a07d82323c3dbdf20988e5fa779edd7d4d3e02e90bda5773dd441bbc8c9b8b1f85458fc66598983d183e5af585c6341a683aa6c62eb8df9
+  metadata.gz: 985806eef794688c33d8de78a9755bf42f3d41e390fbf18e2afac7d7624b0ab228e7d8d8f13779ab3ff30bbaaf32929d4321e29be1bcec2d6e31ed63fc7308b5
+  data.tar.gz: 9221b6ec0d931d93ab30a0fa50389441ad7f4368f62d75d2c7dc8600580f109913aeb937e2e3bff1244b10cc1ba61732036d6ee28d3972683c55482d64f6d3b2

data/.ruby-version

@@ -1 +1 @@
-2.6.2
+2.6.6

data/CHANGELOG.md

@@ -5,6 +5,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+N/A
+
+## [1.0.3] - 2023-05-26
+### Added
+- Added an LetsEncrypt guide to the README, including the scripts to communicate with LetsEncrypt.
+- Added support for CAA-records, https://blog.qualys.com/product-tech/2017/03/13/caa-mandated-by-cabrowser-forum
+
 ## [1.0.2] - 2019-05-11
 ### Fixed
 - Fixed issue with the non-interactive printer https://github.com/gfish/sprinkle_dns/commit/1e43591c46e056aab9711ccb37eaf91c904969cc

data/Gemfile.lock

@@ -1,59 +1,58 @@
 PATH
   remote: .
   specs:
-    sprinkle_dns (1.0.1)
+    sprinkle_dns (1.0.2)
       aws-sdk-route53 (~> 1.21)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
-    aws-eventstream (1.0.3)
-    aws-partitions (1.160.0)
-    aws-sdk-core (3.50.0)
-      aws-eventstream (~> 1.0, >= 1.0.2)
-      aws-partitions (~> 1.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    aws-eventstream (1.1.0)
+    aws-partitions (1.345.0)
+    aws-sdk-core (3.104.3)
+      aws-eventstream (~> 1, >= 1.0.2)
+      aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-route53 (1.22.0)
-      aws-sdk-core (~> 3, >= 3.48.2)
+    aws-sdk-route53 (1.40.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
-      aws-eventstream (~> 1.0, >= 1.0.2)
-    coderay (1.1.2)
+    aws-sigv4 (1.2.1)
+      aws-eventstream (~> 1, >= 1.0.2)
+    coderay (1.1.3)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
-    diff-lcs (1.3)
-    docile (1.3.1)
-    hashdiff (0.3.9)
-    jmespath (1.4.0)
-    json (2.2.0)
-    method_source (0.9.2)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    public_suffix (3.0.3)
-    rake (12.3.2)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.3)
+    diff-lcs (1.4.4)
+    docile (1.3.2)
+    hashdiff (1.0.1)
+    jmespath (1.6.1)
+    method_source (1.0.0)
+    pry (0.14.2)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    public_suffix (4.0.5)
+    rake (12.3.3)
+    rexml (3.2.5)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
     safe_yaml (1.0.5)
-    simplecov (0.16.1)
+    simplecov (0.18.5)
       docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.3)
     vcr (3.0.3)
     webmock (2.3.2)
       addressable (>= 2.3.6)
@@ -64,8 +63,9 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  pry (~> 0.12)
+  pry (~> 0.14.2)
   rake (~> 12.3)
+  rexml (~> 3.2)
   rspec (~> 3.8)
   simplecov (~> 0.16)
   sprinkle_dns!
@@ -73,4 +73,4 @@ DEPENDENCIES
   webmock (~> 2.3)
 
 BUNDLED WITH
-   1.17.2
+   2.4.10

data/README.md

@@ -181,3 +181,120 @@ For a more "locked down" policy you can use this (remember to update the `resour
     ]
 }
 ```
+
+# Obtain certificates with LetsEncrypt
+
+Not everyone is aware of it, but LetsEncrypt allows for a DNS-challenge, this means that if you want to have a certificate for `billetto.com` you can ask certbot to use the DNS-challenge, and run a script:
+
+```bash
+certbot --preferred-challenges dns --manual-auth-hook "bash run_my_dns_script.sh"
+```
+
+The script `run_my_dns_script.sh` will then recieve two ENV-variables, one for `CERTBOT_DOMAIN` which in our example is `billetto.com` and `CERTBOT_VALIDATION` which is a value that needs to be set in the DNS, so in order to prove to LetsEncrypt that we manage the domain we have to set the following:
+
+```
+TXT   _acme-challenge.ENV['CERTBOT_DOMAIN']   ENV['CERTBOT_VALIDATION']
+```
+
+Instead of a bash-script, we can use Ruby and SprinkleDNS like so:
+
+```ruby
+#!/usr/bin/env ruby
+require 'sprinkle_dns'
+require_relative '../includes/access_keys'
+
+raise 'ENV-variable CERTBOT_DOMAIN is not supplied' if ENV['CERTBOT_DOMAIN'].nil?
+raise 'ENV-variable CERTBOT_VALIDATION is not supplied' if ENV['CERTBOT_VALIDATION'].nil?
+
+c = SprinkleDNS::Route53Client.new(ACCESS_KEY_ID, SECRET_ACCESS_KEY)
+s = SprinkleDNS::Client.new(c, interactive_progress: false, diff: false, force: true, delete: false, create_hosted_zones: false)
+s.entry('TXT', "_acme-challenge.#{ENV['CERTBOT_DOMAIN']}", %Q{"#{ENV['CERTBOT_VALIDATION']}"}, 60)
+s.sprinkle!
+```
+
+Save it as `dns_auth.rb`, and remember to chmod it: `chmod +x dns_auth.rb`.
+
+Now you can start on the main script `ssl_certbot.rb`:
+
+```ruby
+#!/usr/bin/env ruby
+require 'open3'
+require 'fileutils'
+
+EMAIL = 'domains@billetto.com'
+MAIN_DOMAIN = 'billetto.com'
+DOMAINS = ['billetto.dk', 'billetto.co.uk', 'billetto.com']
+
+def run_command(command)
+  puts("+: #{command}")
+
+  Open3.popen2e(command) do |stdin, stdout_stderr, wait_thread|
+    Thread.new do
+      stdout_stderr.each {|l| puts l }
+    end
+    wait_thread.value
+  end
+end
+
+def print_guide
+  puts "Congratulations, you have a new certificate!"
+  puts "----------------------------------------------------------------"
+  puts "CERTIFICATE: #{Dir.pwd}/config/live/billetto.com/cert.pem"
+  puts "KEY:         #{Dir.pwd}/config/live/billetto.com/privkey.pem"
+  puts "CHAIN:       #{Dir.pwd}/config/live/billetto.com/chain.pem"
+end
+
+letsencrypt_dirs = ['config', 'work', 'logs']
+previous_letsencrypt_run = letsencrypt_dirs.all?{|dir| Dir.exist?(dir)}
+
+case ARGV[0]
+when 'create'
+  certbot_commands = []
+  certbot_commands << "certbot certonly"
+  certbot_commands << "--manual --manual-public-ip-logging-ok --agree-tos"
+  certbot_commands << "--email #{EMAIL} --update-registration --no-eff-email"
+  certbot_commands << "--non-interactive --preferred-challenges dns"
+  certbot_commands << "--manual-auth-hook \"bundle exec #{Dir.pwd}/dns_auth.rb\""
+  certbot_commands << "--config-dir config --work-dir work --logs-dir logs"
+  certbot_commands << "--cert-name #{MAIN_DOMAIN}"
+  DOMAINS.each do |domain|
+    certbot_commands << "-d #{domain} -d www.#{domain}"
+  end
+  certbot_commands = certbot_commands.join(" ")
+
+  letsencrypt_dirs.select{|dirname| Dir.exists?(dirname)}.map{|dirname| FileUtils.remove_dir(dirname)}
+  run_command("mkdir -p #{letsencrypt_dirs.join(' ')}")
+  stdout, stdeerr, status = run_command(certbot_commands)
+
+  print_guide
+when 'renew'
+  if previous_letsencrypt_run
+    certbot_commands =  []
+    certbot_commands << "certbot renew"
+    certbot_commands << "--manual --manual-public-ip-logging-ok --agree-tos"
+    certbot_commands << "--email #{EMAIL} --update-registration --no-eff-email"
+    certbot_commands << "--non-interactive --preferred-challenges dns"
+    certbot_commands << "--manual-auth-hook \"bundle exec #{Dir.pwd}/dns_auth.rb\""
+    certbot_commands << "--config-dir config --work-dir work --logs-dir logs"
+    certbot_commands << "--cert-name #{MAIN_DOMAIN}"
+    certbot_commands = certbot_commands.join(" ")
+    stdout, stdeerr, status = run_command(certbot_commands)
+
+    print_guide
+  else
+    puts "It seems like there are no files from a previous LetsEncrypt run, exiting!"
+    exit 1
+  end
+else
+  puts "Usage:"
+  puts "bundle exec ruby ssl_certbot.rb COMMAND"
+  puts
+  puts "Commands:"
+  puts "create - Request a new certificate from LetsEncrypt, should only be used on the first run, or if you have modified the list of domains."
+  puts "renew  - Renew an already created certificate"
+end
+```
+
+You can update the variables in top of the script, and then you can run `bundle exec ruby ssl_certbot.rb create`, and everytime you need to renew the certificate you can run `bundle exec ruby ssl_certbot.rb renew`.
+
+You will need to run the `create` if your list of domains have changed.

data/lib/sprinkle_dns/hosted_zone_alias.rb

@@ -83,7 +83,7 @@ module SprinkleDNS
     private
 
     def valid_record_types
-      ['SOA','A','TXT','NS','CNAME','MX','NAPTR','PTR','SRV','SPF','AAAA']
+      ['SOA','A','TXT','NS','CNAME','MX','NAPTR','PTR','SRV','SPF','AAAA', 'CAA']
     end
 
   end

data/lib/sprinkle_dns/hosted_zone_entry.rb

@@ -90,7 +90,7 @@ module SprinkleDNS
     private
 
     def valid_record_types
-      ['SOA','A','TXT','NS','CNAME','MX','NAPTR','PTR','SRV','SPF','AAAA']
+      ['SOA','A','TXT','NS','CNAME','MX','NAPTR','PTR','SRV','SPF','AAAA', 'CAA']
     end
 
   end

data/lib/sprinkle_dns/providers/mock_client.rb

@@ -9,8 +9,6 @@ module SprinkleDNS
     end
 
     def fetch_hosted_zones(filter: [])
-      hosted_zones = []
-
       if filter.empty?
         return []
       end

data/lib/sprinkle_dns/version.rb

@@ -1,3 +1,3 @@
 module SprinkleDNS
-  VERSION = "1.0.2"
+  VERSION = "1.0.3"
 end

data/spec/spec_helper.rb

@@ -24,6 +24,7 @@ require 'simplecov'
 SimpleCov.start
 
 require 'vcr'
+require 'pry'
 
 require './spec/support/entry_helpers'
 

data/spec/unit/caa_record.rb

@@ -0,0 +1,24 @@
+require 'spec_helper'
+
+RSpec.describe "CAA-records" do
+  it 'should allow for CAA records' do
+    hz = SprinkleDNS::HostedZone.new('colourful.com.')
+    e1 = SprinkleDNS::HostedZoneEntry.new('A', 'colourful.com.', Array.wrap('80.80.80.80'), 3600, hz.name)
+    e1.persisted!
+    hz.resource_record_sets << e1
+
+    client = SprinkleDNS::MockClient.new([hz])
+    sdns = SprinkleDNS::Client.new(client, dry_run: false, delete: true, force: true)
+
+    sdns.entry('A', 'colourful.com', '80.80.80.80', 3600)
+    sdns.entry('CAA', 'colourful.com', '0 issue "letsencrypt.org"', 3600)
+
+    existing_hosted_zones, _ = sdns.sprinkle!
+
+    shz = client.fetch_hosted_zones(filter: [hz.name]).first
+
+    rrs = shz.resource_record_sets.select{|rrs| rrs.type == 'CAA' && rrs.name == 'colourful.com.'}.first
+    expect(rrs.ttl).to eq 3600
+    expect(rrs.value).to eq ['0 issue "letsencrypt.org"']
+  end
+end

data/spec/unit/sprinkle_dns_spec.rb

@@ -269,7 +269,7 @@ RSpec.describe SprinkleDNS::Client do
 
   context 'record validation' do
     it 'should only allow valid string records' do
-      valid_records = ['SOA','A','TXT','NS','CNAME','MX','NAPTR','PTR','SRV','SPF','AAAA']
+      valid_records = ['SOA','A','TXT','NS','CNAME','MX','NAPTR','PTR','SRV','SPF','AAAA', 'CAA']
 
       valid_records.each do |record_type|
         r53c = SprinkleDNS::Route53Client.new('1','2')
@@ -280,7 +280,7 @@ RSpec.describe SprinkleDNS::Client do
     end
 
     it 'should not allow symbols for records' do
-      invalid_records = [:SOA, :A, :TXT, :NS, :CNAME, :MX, :NAPTR, :PTR, :SRV, :SPF, :AAAA]
+      invalid_records = [:SOA, :A, :TXT, :NS, :CNAME, :MX, :NAPTR, :PTR, :SRV, :SPF, :AAAA, :CAA]
 
       invalid_records.each do |record_type|
         r53c = SprinkleDNS::Route53Client.new('1','2')

data/sprinkle_dns.gemspec

@@ -22,8 +22,9 @@ Gem::Specification.new do |gem|
 
   gem.add_development_dependency "rspec", '~> 3.8'
   gem.add_development_dependency "simplecov", '~> 0.16'
-  gem.add_development_dependency "pry", '~> 0.12'
+  gem.add_development_dependency "pry", '~> 0.14.2'
   gem.add_development_dependency "rake", '~> 12.3'
   gem.add_development_dependency "vcr", '~> 3.0'
   gem.add_development_dependency "webmock", '~> 2.3'
+  gem.add_development_dependency "rexml", '~> 3.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sprinkle_dns
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.0.3
 platform: ruby
 authors:
 - Kasper Grubbe
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-05-10 00:00:00.000000000 Z
+date: 2023-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-route53
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.12'
+        version: 0.14.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.12'
+        version: 0.14.2
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +108,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
 description: Make handling DNS easier by using simple Ruby constructs
 email:
 - kaspergrubbe@gmail.com
@@ -152,6 +166,7 @@ files:
 - readme_files/force_false.png
 - spec/spec_helper.rb
 - spec/support/entry_helpers.rb
+- spec/unit/caa_record.rb
 - spec/unit/cli_hosted_zone_diff_spec.rb
 - spec/unit/hosted_zone_domain_spec.rb
 - spec/unit/hosted_zone_spec.rb
@@ -164,7 +179,7 @@ licenses:
 - MIT
 - GPL-2.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -179,13 +194,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: Make handling DNS easier
 test_files:
 - spec/spec_helper.rb
 - spec/support/entry_helpers.rb
+- spec/unit/caa_record.rb
 - spec/unit/cli_hosted_zone_diff_spec.rb
 - spec/unit/hosted_zone_domain_spec.rb
 - spec/unit/hosted_zone_spec.rb