varanus 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c3f1e3b8a3c5d8b1999ab00642afaef76bfa69be3872b9af2ab91af9aa4731bc
-  data.tar.gz: bf2cd9f9449d290133f6a8f21a5c64fb5541d42c6349b0179eaa85af153bf3e9
+  metadata.gz: 9495d1c66215f0313068a30921d24545643441237139ced9220570e16b771b0f
+  data.tar.gz: cb104ae0cc2e2b8269e0d8914e90978870f402a386e2d9064e542e757fcab188
 SHA512:
-  metadata.gz: 6890038fac5dfa28e212cdb119d16ff35bfa5344359df100076ddd533f5226b3b4c00f8302442d24c27ecdd233d9e23991d37ac3ca6400066ff050f168937d2a
-  data.tar.gz: df2e85079624160c161e8d8849c97c0e7287f5e89585dd3a1f9fa2c6fddd100876b72b6fff6e0dc3c028090c7830835c047d8bd22ffbb477c6935ed19d857496
+  metadata.gz: 8415fc14216976c5e989d82e676fdbf25868ab2dfe55b645a85b43f162f60e1029a2a68d8f72fe9acd14a2d911e708402ca6160c6a101e2d0e3f233484a8ab05
+  data.tar.gz: 87710705995b46e27314aad6e4eadce44fab7ca7b3e4515cb91b1c65edfe0c85a542c5e2fafb59e39d32f30b563c13bb8d125c9a9d1156c4c8b1dbce82009945

data/.gitignore

@@ -6,3 +6,4 @@
 /pkg/
 /spec/reports/
 /tmp/
+/test.rb

data/.rubocop.yml

@@ -28,23 +28,12 @@ Naming/FileName:
   Exclude:
     - Gemfile
 
-Naming/UncommunicativeMethodParamName:
-  AllowedNames:
-    - gb
-    - id
-    - ip
-    - os
-    - vm
-
 Style/ClassAndModuleChildren:
-  Enabled: false
+  EnforcedStyle: compact
 
 Style/ConditionalAssignment:
   Enabled: false
 
-Style/FrozenStringLiteralComment:
-  Enabled: false
-
 Style/MethodDefParentheses:
   EnforcedStyle: require_no_parentheses_except_multiline
 
@@ -57,14 +46,5 @@ Style/RescueModifier:
 Style/SymbolArray:
   EnforcedStyle: brackets
 
-Style/TrailingCommaInArguments:
-  EnforcedStyleForMultiline: no_comma
-
-Style/TrailingCommaInArrayLiteral:
-  EnforcedStyleForMultiline: no_comma
-
-Style/TrailingCommaInHashLiteral:
-  EnforcedStyleForMultiline: no_comma
-
 Style/WordArray:
   EnforcedStyle: brackets

data/CHANGELOG.md

@@ -0,0 +1,8 @@
+### 0.2.0 (2018-11-09)
+* Added Varanus::SSL::CSR.generate
+* Added Reports
+  * Varanus::Reports#ssl - list of SSL/TLS certs
+  * Varanus::Reports#domains - list of domains validated with DCV
+
+### 0.1.0 (2018-11-07)
+* Initial release

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }

data/Gemfile.lock

@@ -1,16 +1,21 @@
 PATH
   remote: .
   specs:
-    varanus (0.1.0)
+    varanus (0.2.0)
       faraday
       faraday_middleware
+      savon (~> 2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
     addressable (2.5.2)
       public_suffix (>= 2.0.2, < 4.0)
+    akami (1.3.1)
+      gyoku (>= 0.4.0)
+      nokogiri
     ast (2.4.0)
+    builder (3.2.3)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
     docile (1.3.1)
@@ -18,21 +23,31 @@ GEM
       multipart-post (>= 1.2, < 3)
     faraday_middleware (0.12.2)
       faraday (>= 0.7.4, < 1.0)
+    gyoku (1.3.1)
+      builder (>= 2.1.2)
     hashdiff (0.3.7)
+    httpi (2.4.4)
+      rack
+      socksify
     jaro_winkler (1.5.1)
     json (2.1.0)
     metaclass (0.0.4)
+    mini_portile2 (2.3.0)
     minitest (5.11.3)
     minitest-rg (5.2.0)
       minitest (~> 5.0)
     mocha (1.7.0)
       metaclass (~> 0.0.1)
     multipart-post (2.0.0)
+    nokogiri (1.8.5)
+      mini_portile2 (~> 2.3.0)
+    nori (2.6.0)
     parallel (1.12.1)
     parser (2.5.3.0)
       ast (~> 2.4.0)
     powerpack (0.1.2)
     public_suffix (3.0.3)
+    rack (2.0.6)
     rainbow (3.0.0)
     rake (10.5.0)
     rubocop (0.60.0)
@@ -45,12 +60,24 @@ GEM
       unicode-display_width (~> 1.4.0)
     ruby-progressbar (1.10.0)
     safe_yaml (1.0.4)
+    savon (2.12.0)
+      akami (~> 1.2)
+      builder (>= 2.1.2)
+      gyoku (~> 1.2)
+      httpi (~> 2.3)
+      nokogiri (>= 1.8.1)
+      nori (~> 2.4)
+      wasabi (~> 3.4)
     simplecov (0.16.1)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
+    socksify (1.7.1)
     unicode-display_width (1.4.0)
+    wasabi (3.5.0)
+      httpi (~> 2.0)
+      nokogiri (>= 1.4.2)
     webmock (3.4.2)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)

data/README.md

@@ -7,24 +7,29 @@ Support for Sectigo's other APIs (S/MIME, code signing, device certificates, etc
 be added at a later date.  Merge requests to add some of this functionality would be
 greatly appreciated.
 
-## Installation
+[![Build Status](https://travis-ci.org/duke-automation/varanus.svg?branch=master)](https://travis-ci.org/duke-automation/varanus)
+[![Gem Version](https://badge.fury.io/rb/varanus.svg)](http://badge.fury.io/rb/varanus)
+[![Maintainability](https://api.codeclimate.com/v1/badges/593ef1aa2ba757b5374f/maintainability)](https://codeclimate.com/github/duke-automation/varanus/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/593ef1aa2ba757b5374f/test_coverage)](https://codeclimate.com/github/duke-automation/varanus/test_coverage)
 
-Add this line to your application's Gemfile:
+## Usage
+
+#### Generate and sign SSL cert
 
 ```ruby
-gem 'varanus'
+key, csr = Varanus::SSL::CSR.generate(['example.com'])
+varanus = Varanus.new(customer_uri, username, password)
+id = varanus.ssl.sign csr, org_id
+begin
+  cert = varanus.ssl.collect id
+rescue Varanus::Error::StillProcessing
+  sleep 1
+  retry
+end
+puts key
+puts cert
 ```
 
-And then execute:
-
-    $ bundle
-
-Or install it yourself as:
-
-    $ gem install varanus
-
-## Usage
-
 #### Sign SSL cert from CSR
 
 ```ruby
@@ -46,6 +51,18 @@ puts cert
 Varanus.new(customer_uri, username, password).ssl.revoke(id)
 ```
 
+#### Reports
+
+Report on all SSL certs
+```ruby
+pp Varanus.new(customer_uri, usernams, password).reports.ssl
+```
+
+Report on all domains (DCV status)
+```ruby
+pp Varanus.new(customer_uri, usernams, password).reports.domains
+```
+
 #### Authentication
 
 Authentication requires the same credentials you use to login to cert-manager.com as well as the ```customer_uri```.  If your URL to log into cert-manager.com is https://cert-manager.com/customer/MyCompany then your ```customer_uri``` will be ```'MyCompany'```
@@ -56,6 +73,22 @@ Signing a cert requires specifying an ```org_id```.  Each department in cert-man
 
 To find the ```org_id```, log into cert-manager.com, go to **Settings** -> **Departments**, then click to edit the department you are interested in.  The value you want is in the **OrgID** field.
 
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'varanus'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install varanus
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'bundler/gem_tasks'
 require 'rake/testtask'
 

data/bin/console

@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'bundler/setup'
 require 'varanus'

data/lib/varanus/error.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Error returned from the Sectigo API
 class Varanus::Error < StandardError
   # @return [Integer] Code associated with error

data/lib/varanus/reports.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+# An connection to the Reports API.  This should not be initialized directly.  Instead,
+# use Varanus#reports
+class Varanus::Reports
+  SSL_CERT_STATUSES = {
+    any: 0,
+    requested: 1,
+    downloaded: 2,
+    revoked: 3,
+    expired: 4,
+    pending_download: 5,
+    not_enrolled: 6
+  }.freeze
+
+  # @note Do not call this directly.  Use {Varanus#reports} to initialize
+  def initialize varanus
+    @varanus = varanus
+  end
+
+  def domains
+    r = soap_call :get_domain_report, {}
+    format_results r[:report_row_domains]
+  end
+
+  # Return report on SSL request
+  # @param [opts] [Hash]
+  # @option opts [String, Array] :orgs Name(s) of organizations (departments) to limit
+  #   the report to.  If this is unset, results from all departments are returned.
+  # @option opts [Symbol] :status (:any) One of :any, :requested, :downloaded, :revoked,
+  #   :expired, :pending_download, :not_enrolled.    :downloaded and :pending_download
+  #   mean the cert has been enrolled/signed.
+  # @return [Array<Hash>]
+  def ssl opts = {}
+    msg = { organizationNames: nil, certificateStatus: 0 }
+
+    msg[:organizationNames] = Array(opts[:orgs]).join(',') if opts.include? :orgs
+    if opts.include? :status
+      msg[:certificateStatus] = SSL_CERT_STATUSES[opts[:status]]
+      raise ArgumentError, 'Invalid status' if msg[:certificateStatus].nil?
+    end
+
+    r = soap_call :get_SSL_report, msg
+    format_results r[:reports]
+  end
+
+  private
+
+  def format_results results
+    if results.is_a? Hash
+      [results]
+    else
+      results.to_a
+    end
+  end
+
+  def savon
+    @savon ||= Savon.client(
+      namespace: 'http://report.ws.epki.comodo.com/',
+      endpoint: 'https://cert-manager.com:443/ws/ReportService',
+      log: false
+    )
+  end
+
+  def soap_call func, opts = {}
+    msg = opts.dup
+    msg[:authData] = { customerLoginUri: @varanus.customer_uri, login: @varanus.username,
+                       password: @varanus.password }
+
+    result = savon.call func, message: msg
+    result.body[(func.to_s.downcase + '_response').to_sym][:return]
+  end
+end

data/lib/varanus/ssl/csr.rb

@@ -1,23 +1,65 @@
+# frozen_string_literal: true
+
 # Wrapper class around a OpenSSL::X509::Request
 # Provides helper functions to make reading information from the CSR easier
 class Varanus::SSL::CSR
+  # Key size used when calling {.generate}
+  DEFAULT_KEY_SIZE = 4096
+
+  # Generate a CSR
+  # @param names [Array<String>] List of DNS names.  The first one will be the CN
+  # @param key [OpenSSL::PKey::RSA, OpenSSL::PKey::DSA, nil] Secret key for the cert.
+  #   A DSA key will be generated if +nil+ is passed in.
+  # @param subject [Hash] Options for the subject of the cert.  By default only CN will
+  #   be set
+  # @return [Array(OpenSSL::PKey::PKey, Varanus::SSL::CSR)] The private key for the cert
+  #   and CSR
+  def self.generate names, key = nil, subject = {}
+    raise ArgumentError, 'names cannot be empty' if names.empty?
+
+    subject = subject.dup
+    subject['CN'] = names.first
+
+    key ||= OpenSSL::PKey::DSA.new(DEFAULT_KEY_SIZE)
+
+    request = OpenSSL::X509::Request.new
+    request.version = 0
+    request.subject = OpenSSL::X509::Name.parse subject.map { |k, v| "/#{k}=#{v}" }.join
+
+    # Set Subject Alternate Names
+    ef = OpenSSL::X509::ExtensionFactory.new
+    name_str = names.map { |n| "DNS:#{n}" }.join(', ')
+    ext = ef.create_extension('subjectAltName', name_str, false)
+    seq = OpenSSL::ASN1::Sequence([ext])
+    ext_req = OpenSSL::ASN1::Set([seq])
+    request.add_attribute OpenSSL::X509::Attribute.new('extReq', ext_req)
+
+    request.public_key = key.public_key
+    request.sign(key, OpenSSL::Digest::SHA256.new)
+    [key, Varanus::SSL::CSR.new(request)]
+  end
+
   # Common Name (CN) for cert.
   # @return [String]
   attr_reader :cn
 
+  # OpenSSL::X509::Request representation of CSR
+  # @return [OpenSSL::X509::Request]
+  attr_reader :request
+
   # @param csr [String, OpenSSL::X509::Request]
   def initialize csr
     if csr.is_a? OpenSSL::X509::Request
-      @req = csr
+      @request = csr
       @text = csr.to_s
     else
       @text = csr.to_s
-      @req = OpenSSL::X509::Request.new @text
+      @request = OpenSSL::X509::Request.new @text
     end
 
-    raise 'Improperly signed CSR' unless @req.verify @req.public_key
+    raise 'Improperly signed CSR' unless @request.verify @request.public_key
 
-    cn_ref = @req.subject.to_a.find { |a| a[0] == 'CN' }
+    cn_ref = @request.subject.to_a.find { |a| a[0] == 'CN' }
     @cn = cn_ref && cn_ref[1].downcase
 
     _parse_sans
@@ -35,13 +77,13 @@ class Varanus::SSL::CSR
   # Key size for the cert
   # @return [Integer]
   def key_size
-    case @req.public_key
+    case @request.public_key
     when OpenSSL::PKey::RSA
-      @req.public_key.n.num_bytes * 8
+      @request.public_key.n.num_bytes * 8
     when OpenSSL::PKey::DSA
-      @req.public_key.p.num_bytes * 8
+      @request.public_key.p.num_bytes * 8
     else
-      raise "Unknown public key type: #{@req.public_key.class}"
+      raise "Unknown public key type: #{@request.public_key.class}"
     end
   end
 
@@ -59,7 +101,7 @@ class Varanus::SSL::CSR
   private
 
   def _parse_sans
-    extensions = @req.attributes.select { |at| at.oid == 'extReq' }
+    extensions = @request.attributes.select { |at| at.oid == 'extReq' }
     sans_extensions = extensions.flat_map do |extension|
       extension.value.value[0].value
                .select { |ext| ext.first.value == 'subjectAltName' }

data/lib/varanus/ssl.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # An connection to the SSL/TSL API.  This should not be initialized directly.  Instead,
 # use Varanus#ssl
 class Varanus::SSL

data/lib/varanus/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Varanus
-  VERSION = '0.1.0'.freeze
+  VERSION = '0.2.0'
 end

data/lib/varanus.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Interface for Sectigo's (formerly Comodo CA) API.
 class Varanus
   attr_reader :customer_uri, :username, :password
@@ -12,6 +14,12 @@ class Varanus
     @password = password
   end
 
+  # Retrieve Reports instance
+  # @return [Varanus::Reports]
+  def reports
+    @reports ||= Reports.new(self)
+  end
+
   # Retrive SSL instance
   # @return [Varanus::SSL]
   def ssl
@@ -23,9 +31,11 @@ end
 require 'faraday'
 require 'faraday_middleware'
 require 'openssl'
+require 'savon'
 
 # Require other files in this gem
 require 'varanus/error'
+require 'varanus/reports'
 require 'varanus/ssl'
 require 'varanus/ssl/csr'
 require 'varanus/version'

data/varanus.gemspec

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'varanus/version'
@@ -40,5 +42,6 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency 'faraday'
   spec.add_runtime_dependency 'faraday_middleware'
+  spec.add_runtime_dependency 'savon', '~> 2.0'
 end
 # rubocop:enable Metrics/BlockLength

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: varanus
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Sean Dilda
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-11-07 00:00:00.000000000 Z
+date: 2018-11-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -164,6 +164,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: savon
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: |
   This gem provides an interface to Sectigo's (formerly Comodo CA) APIs for working
   with SSL/TLS certificates as well as its reporting API.
@@ -180,6 +194,7 @@ files:
 - ".gitignore"
 - ".rubocop.yml"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -190,6 +205,7 @@ files:
 - docker-compose.yml
 - lib/varanus.rb
 - lib/varanus/error.rb
+- lib/varanus/reports.rb
 - lib/varanus/ssl.rb
 - lib/varanus/ssl/csr.rb
 - lib/varanus/version.rb