varanus 0.8.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c5717bc294e05caa49007dbf36c638ecf3a1d3e192aee421e51a73fec58246c
-  data.tar.gz: 54f6feea0b5b692d415dd2f9d5eff9d0d088f29e26d54a700467494f11904048
+  metadata.gz: 60230826037fe526c9ea6086ccef657896d0df0344377d31fb58e966f19b8f2f
+  data.tar.gz: 72ced55d6a53f8cd61c01a13cea9c65da882ecb9ad0d314882af1633df36def4
 SHA512:
-  metadata.gz: 246eeabfd08d59b01f5b8e6cca4d5ec8b4c7a73223ee34d8ac86a1d459d286fdf965ed410a381b2312ab72e97f3c0b65dc0da77c8b31776e53253f10b9003a05
-  data.tar.gz: cdf0e60e8894b50e55f81901f0d441a7a3edf376856de12ea4a0bfc845267c3026926dcafabec14e7aebaf1292a25e6c8c0e76cbdfd9f346a9b18a3828021543
+  metadata.gz: ce123c1c9d05bff2aa0d829cc4d04c682872e8e8da28f6362fa8164b3fe397f2f3f5245a28b28f9979f79465916e6133215088289f4aaddf3d34978a976a9274
+  data.tar.gz: 3436eb567954074d1e4acc8ccd0bec419c279a411e56fddaf558d4384ff30fecfc7303470f7c95b79f32b445aab0526eaf386f294154b4ea4eea36563096287f

data/.codeclimate.yml

@@ -0,0 +1,4 @@
+plugins:
+  rubocop:
+    enabled: true
+    channel: rubocop-0-59

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/test.rb

data/.rubocop.yml

@@ -0,0 +1,51 @@
+AllCops:
+  NewCops: disable
+  TargetRubyVersion: 2.5
+
+Bundler/OrderedGems:
+  AutoCorrect: false
+
+Layout/LineLength:
+  Max: 90
+  Exclude:
+    - 'test/**/*'
+
+Metrics/AbcSize:
+  Max: 25
+  Exclude:
+    - 'test/**/*'
+
+Metrics/ClassLength:
+  Max: 125
+  Exclude:
+    - 'test/**/*'
+
+Metrics/MethodLength:
+  Max: 20
+  Exclude:
+    - 'test/**/*'
+
+Naming/FileName:
+  Exclude:
+    - Gemfile
+
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact
+
+Style/ConditionalAssignment:
+  Enabled: false
+
+Style/MethodDefParentheses:
+  EnforcedStyle: require_no_parentheses_except_multiline
+
+Style/NumericPredicate:
+  EnforcedStyle: comparison
+
+Style/RescueModifier:
+  AutoCorrect: false
+
+Style/SymbolArray:
+  EnforcedStyle: brackets
+
+Style/WordArray:
+  EnforcedStyle: brackets

data/.travis.yml

@@ -0,0 +1,18 @@
+---
+env:
+  global:
+    - CC_TEST_REPORTER_ID=11ec0aee76479858801566bb43fd7d76eced4cbb2432bcead71db59dae21eaae
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.5
+  - 2.6
+  - 2.7
+before_install: gem install bundler -v 1.16.5
+before_script:
+  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+  - chmod +x ./cc-test-reporter
+  - ./cc-test-reporter before-build
+after_script:
+  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT

data/CHANGELOG.md

@@ -0,0 +1,48 @@
+### Version 0.9.0 (2026-02-16)
+* Use faraday 2.x
+
+### Version 0.8.1 (2024-09-27)
+* Fix gem build issues
+
+### Version 0.8.0 (2024-09-27)
+* Varanus::SSL::CSR - improve support for subclassing
+* Varanus::SSL::CSR.generate - support an EC key being passed in
+
+### Version 0.7.1 (2022-01-31)
+* Varanus::SSL#certificate_types_standard - also exclude 'Extended Validation'
+
+### Version 0.7.0 (2020-02-03)
+* Add Varanus::Domain#report
+
+### Version 0.6.0 (2020-02-01)
+* Add Varanus::SSL#report
+* Varanus::Reports (Varanus#reports) is now deprecated.
+
+### Version 0.5.1 (2021-01-28)
+* Varanus::SSL::CSR - support EC certs
+
+### Version 0.5.0 (2021-01-26)
+* Add Varanus::Domain
+* Add Varanus::SSL#list and Varanus::SSL#info
+* Add Varanus::Organization
+
+### 0.4.0 (2021-01-06)
+* Add Varanus::DCV
+
+### 0.3.1 (2020-10-14)
+* Fix issue when Sectigo reports two identical 'Short Life' certs
+
+### 0.3.0 (2020-08-24)
+* Add support for new 'Short Life' certs
+
+### 0.2.1 (2018-11-13)
+* Increase timeout value for SSL requests
+
+### 0.2.0 (2018-11-09)
+* Added Varanus::SSL::CSR.generate
+* Added Reports
+  * Varanus::Reports#ssl - list of SSL/TLS certs
+  * Varanus::Reports#domains - list of domains validated with DCV
+
+### 0.1.0 (2018-11-07)
+* Initial release

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in varanus.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,141 @@
+PATH
+  remote: .
+  specs:
+    varanus (0.9.0)
+      faraday (~> 2.0)
+      savon (~> 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    akami (1.3.3)
+      base64
+      gyoku (>= 0.4.0)
+      nokogiri
+    ast (2.4.2)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    builder (3.3.0)
+    crack (1.0.0)
+      bigdecimal
+      rexml
+    date (3.3.4)
+    docile (1.4.1)
+    faraday (2.14.1)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.2)
+      net-http (~> 0.5)
+    gyoku (1.4.0)
+      builder (>= 2.1.2)
+      rexml (~> 3.0)
+    hashdiff (1.1.1)
+    httpi (4.0.4)
+      base64
+      mutex_m
+      nkf
+      rack (>= 2.0, < 4)
+    json (2.7.2)
+    language_server-protocol (3.17.0.3)
+    logger (1.7.0)
+    mail (2.8.1)
+      mini_mime (>= 0.1.1)
+      net-imap
+      net-pop
+      net-smtp
+    mini_mime (1.1.5)
+    minitest (5.25.1)
+    minitest-rg (5.3.0)
+      minitest (~> 5.0)
+    mocha (2.4.5)
+      ruby2_keywords (>= 0.0.5)
+    mutex_m (0.2.0)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
+    net-imap (0.4.16)
+      date
+      net-protocol
+    net-pop (0.1.2)
+      net-protocol
+    net-protocol (0.2.2)
+      timeout
+    net-smtp (0.5.0)
+      net-protocol
+    nkf (0.2.0)
+    nokogiri (1.16.7-x86_64-linux)
+      racc (~> 1.4)
+    nori (2.7.1)
+      bigdecimal
+    parallel (1.26.3)
+    parser (3.3.5.0)
+      ast (~> 2.4.1)
+      racc
+    public_suffix (6.0.1)
+    racc (1.8.1)
+    rack (3.1.7)
+    rainbow (3.1.1)
+    rake (10.5.0)
+    regexp_parser (2.9.2)
+    rexml (3.3.7)
+    rubocop (1.66.1)
+      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.4, < 3.0)
+      rubocop-ast (>= 1.32.2, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.32.3)
+      parser (>= 3.3.1.0)
+    ruby-progressbar (1.13.0)
+    ruby2_keywords (0.0.5)
+    savon (2.15.1)
+      akami (~> 1.2)
+      builder (>= 2.1.2)
+      gyoku (~> 1.2)
+      httpi (>= 4, < 5)
+      mail (~> 2.5)
+      nokogiri (>= 1.8.1)
+      nori (~> 2.4)
+      wasabi (>= 3.7, < 6)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.13.1)
+    simplecov_json_formatter (0.1.4)
+    timeout (0.4.1)
+    unicode-display_width (2.6.0)
+    uri (1.1.1)
+    wasabi (5.0.3)
+      addressable
+      faraday (>= 1.9, < 3)
+      nokogiri (>= 1.13.9)
+    webmock (3.23.1)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+    yard (0.9.37)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  bundler (~> 2.0)
+  minitest (~> 5.0)
+  minitest-rg
+  mocha
+  rake (~> 10.0)
+  rubocop
+  simplecov
+  varanus!
+  webmock
+  yard
+
+BUNDLED WITH
+   2.3.27

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Duke University
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,104 @@
+# Varanus
+
+This gem provides an interface to Sectigo's (formerly Comodo CA) APIs for working
+with SSL/TLS certificates as well as its reporting API.
+
+Support for Sectigo's other APIs (S/MIME, code signing, device certificates, etc) may
+be added at a later date.  Merge requests to add some of this functionality would be
+greatly appreciated.
+
+[![Build Status](https://travis-ci.org/duke-automation/varanus.svg?branch=master)](https://travis-ci.org/duke-automation/varanus)
+[![Gem Version](https://badge.fury.io/rb/varanus.svg)](http://badge.fury.io/rb/varanus)
+[![Maintainability](https://api.codeclimate.com/v1/badges/593ef1aa2ba757b5374f/maintainability)](https://codeclimate.com/github/duke-automation/varanus/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/593ef1aa2ba757b5374f/test_coverage)](https://codeclimate.com/github/duke-automation/varanus/test_coverage)
+
+## Usage
+
+#### Generate and sign SSL cert
+
+```ruby
+key, csr = Varanus::SSL::CSR.generate(['example.com'])
+varanus = Varanus.new(customer_uri, username, password)
+id = varanus.ssl.sign csr, org_id
+begin
+  cert = varanus.ssl.collect id
+rescue Varanus::Error::StillProcessing
+  sleep 1
+  retry
+end
+puts key
+puts cert
+```
+
+#### Sign SSL cert from CSR
+
+```ruby
+csr = File.read('/path/to/file.csr')
+varanus = Varanus.new(customer_uri, username, password)
+id = varanus.ssl.sign csr, org_id
+begin
+  cert = varanus.ssl.collect id
+rescue Varanus::Error::StillProcessing
+  sleep 1
+  retry
+end
+puts cert
+```
+
+#### Revoke SSL cert
+
+```ruby
+Varanus.new(customer_uri, username, password).ssl.revoke(id)
+```
+
+#### Reports
+
+Report on all SSL certs
+```ruby
+pp Varanus.new(customer_uri, usernams, password).reports.ssl
+```
+
+Report on all domains (DCV status)
+```ruby
+pp Varanus.new(customer_uri, usernams, password).reports.domains
+```
+
+#### Authentication
+
+Authentication requires the same credentials you use to login to cert-manager.com as well as the ```customer_uri```.  If your URL to log into cert-manager.com is https://cert-manager.com/customer/MyCompany then your ```customer_uri``` will be ```'MyCompany'```
+
+#### Finding Organization Id (org_id)
+
+Signing a cert requires specifying an ```org_id```.  Each department in cert-manager.com has an associated ```org_id```.
+
+To find the ```org_id```, log into cert-manager.com, go to **Settings** -> **Departments**, then click to edit the department you are interested in.  The value you want is in the **OrgID** field.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'varanus'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install varanus
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/duke-automation/varanus.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.libs << 'lib'
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task default: :test

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'varanus'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/docker-compose.yml

@@ -0,0 +1,11 @@
+version: '3'
+services:
+  console:
+    image: ruby:3.1
+    volumes:
+      - .:/app:z
+    hostname: varanus-dev
+    working_dir: /app
+    stdin_open: true
+    tty: true
+    command: bash -c './bin/setup && ./bin/console'

data/lib/varanus/dcv.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+# An connection to the DCV API.  This should not be initialized directly.  Instead,
+# use Varanus#dcv
+class Varanus::DCV < Varanus::RestResource
+  # Returns an Array of DCV information about searched for domains.
+  # This method will automatically page through all results
+  # @param opts [Hash] - all opts are optional
+  # @option opts [String] :domain Domain to search for
+  # @option opts [Integer] :org ID of organization
+  # @option opts [Integer] :department ID of department
+  # @option opts [String] :dcvStatus
+  # @option opts [String] :orderStatus
+  # @option opts [Integer] :expiresIn Expires in (days)
+  #
+  # Results will included an extra 'expiration_date_obj' if 'expirationDate' is in the
+  # response
+  def search opts = {}
+    get_with_size_and_position('dcv/v2/validation', opts).map(&method(:_format_status))
+  end
+
+  # Start domain validation process.  This must be called before #submit is called
+  # @option domain [String] domain to validate
+  # @option type [String] Type of validation. Must be one of 'http', 'https', 'cname',
+  #                       or 'email'
+  def start domain, type
+    post("dcv/v1/validation/start/domain/#{type}", domain: domain)
+  end
+
+  # Retrieve DCV status for a single domain
+  # Result will included an extra 'expiration_date_obj' if 'expirationDate' is in the
+  # response
+  def status domain
+    _format_status(post('dcv/v2/validation/status', domain: domain))
+  end
+
+  # Submit domain validation for verficiation.  This must be called after #start
+  # @option domain [String] domain to validate
+  # @option type [String] Type of validation. Must be one of 'http', 'https', 'cname',
+  #                       or 'email'
+  # @option email_address [String] This is required of +type+ is 'email'. Otherwise, it is
+  #                                ignored.
+  def submit domain, type, email_address = nil
+    if type.to_s == 'email'
+      raise ArgumentError, 'email_address must be specified' if email_address.nil?
+
+      post('dcv/v1/validation/submit/domain/email', domain: domain,
+                                                    email: email_address)
+    else
+      post("dcv/v1/validation/submit/domain/#{type}", domain: domain)
+    end
+  end
+
+  private
+
+  def _format_status status
+    return status unless status['expirationDate']
+
+    status.merge('expiration_date_obj' =>
+                   Date.strptime(status['expirationDate'], '%Y-%m-%d'))
+  end
+end

data/lib/varanus/domain.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+# A connection to the Domain API
+class Varanus::Domain < Varanus::RestResource
+  # Create a new domain.  The domain may need to be manually approved after this is
+  # called.
+  # +name+ is the domain
+  # +delegations+ is an Array of Hashes.  Each Hash should have an 'orgId' and
+  #                                       'certTypes' key
+  # opts may include the following keys:
+  #  - :description - optional - String
+  #  - :active - optional - Boolean (defaults to +true+)
+  #  - :allow_subdomains - optional - set to +false+ if you don't want to allow sub
+  #                                   domains for this entry
+  #
+  # @returns [String] - URL for newly created domain
+  def create domain, delegations, opts = {}
+    opts = opts.dup
+    allow_subdomains = opts.delete(:allow_subdomains)
+    domain = "*.#{domain}" if allow_subdomains != false && !domain.start_with?('*.')
+
+    result = @varanus.connection.post('domain/v1',
+                                      opts.merge(name: domain, delegations: delegations))
+    check_result result
+    result.headers['Location']
+  end
+
+  # Return info on domain.  +id+ must be the id returned by #list
+  def info id
+    get("domain/v1/#{id}")
+  end
+
+  def list opts = {}
+    get_with_size_and_position('domain/v1', opts)
+  end
+
+  def list_with_info opts = {}
+    domains = list(opts)
+    domains.map! { |domain| info(domain['id']) }
+    domains
+  end
+
+  def report
+    post('report/v1/domains', {})['reports']
+  end
+end

data/lib/varanus/error.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+# Error returned from the Sectigo API
+class Varanus::Error < StandardError
+  # @return [Integer] Code associated with error
+  attr_reader :code
+
+  def initialize code, msg
+    @code = code
+    super(msg)
+  end
+end
+
+# Certificate is still being signed.
+class Varanus::Error::StillProcessing < Varanus::Error; end

data/lib/varanus/organization.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+# A connection to the Organization API
+class Varanus::Organization < Varanus::RestResource
+  # Return info on organization.
+  def info id
+    get("organization/v1/#{id}")
+  end
+
+  def list
+    get('organization/v1')
+  end
+end

data/lib/varanus/reports.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+# An connection to the Reports API.  This should not be initialized directly.  Instead,
+# use Varanus#reports
+class Varanus::Reports
+  SSL_CERT_STATUSES = {
+    any: 0,
+    requested: 1,
+    downloaded: 2,
+    revoked: 3,
+    expired: 4,
+    pending_download: 5,
+    not_enrolled: 6
+  }.freeze
+
+  # @note Do not call this directly.  Use {Varanus#reports} to initialize
+  def initialize varanus
+    @varanus = varanus
+  end
+
+  # DEPRECATED: Please use Varanus::Domain#list_with_info instead.
+  def domains
+    warn 'DEPRECATION WARNING: Varanus::Reports#domains is deprecated.  ' \
+         'Use Varanus::Domain#report instead'
+    r = soap_call :get_domain_report, {}
+    format_results r[:report_row_domains]
+  end
+
+  # DEPRECATED: Please use Varanus::SSL#report instead.
+  def ssl opts = {}
+    warn 'DEPRECATION WARNING: Varanus::Reports#ssl is deprecated.  ' \
+         'Use Varanus::SSL#report instead'
+
+    msg = { organizationNames: nil, certificateStatus: 0 }
+
+    msg[:organizationNames] = Array(opts[:orgs]).join(',') if opts.include? :orgs
+    if opts.include? :status
+      msg[:certificateStatus] = SSL_CERT_STATUSES[opts[:status]]
+      raise ArgumentError, 'Invalid status' if msg[:certificateStatus].nil?
+    end
+
+    r = soap_call :get_SSL_report, msg
+    format_results r[:reports]
+  end
+
+  private
+
+  def format_results results
+    if results.is_a? Hash
+      [results]
+    else
+      results.to_a
+    end
+  end
+
+  def savon
+    @savon ||= Savon.client(
+      namespace: 'http://report.ws.epki.comodo.com/',
+      endpoint: 'https://cert-manager.com:443/ws/ReportService',
+      log: false
+    )
+  end
+
+  def soap_call func, opts = {}
+    msg = opts.dup
+    msg[:authData] = { customerLoginUri: @varanus.customer_uri, login: @varanus.username,
+                       password: @varanus.password }
+
+    result = savon.call func, message: msg
+    result.body[(func.to_s.downcase + '_response').to_sym][:return]
+  end
+end

data/lib/varanus/rest_resource.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+# An abstract class for rest resources
+# Rest resources should not be initialized directly.  They should be created by methods
+# on Varanus
+class Varanus::RestResource
+  # :nodoc:
+  def initialize varanus
+    @varanus = varanus
+  end
+
+  private
+
+  def check_result result
+    body = result.body
+    return unless body.is_a?(Hash)
+    return if body['code'].nil?
+
+    klass = Varanus::Error
+    if body['code'] == 0 && body['description'] =~ /process/
+      klass = Varanus::Error::StillProcessing
+    end
+
+    raise klass.new(body['code'], body['description'])
+  end
+
+  def get path, *args
+    result = @varanus.connection.get(path, *args)
+    check_result result
+    result.body
+  end
+
+  # Performs multiple GETs with varying positions to ensure all results are returned.
+  def get_with_size_and_position path, opts = {}
+    size = opts[:size] || 200
+    position = opts[:position] || 0
+
+    results = []
+    loop do
+      params = { size: size, position: position }.merge(opts)
+      new_results = get(path, params)
+      results += new_results
+      break if new_results.length < size
+
+      position += size
+    end
+
+    results
+  end
+
+  def post path, *args
+    result = @varanus.connection.post(path, *args)
+    check_result result
+    result.body
+  end
+end

data/lib/varanus/ssl/csr.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+# Wrapper class around a OpenSSL::X509::Request
+# Provides helper functions to make reading information from the CSR easier
+class Varanus::SSL::CSR
+  # Key size used when calling {.generate}
+  DEFAULT_KEY_SIZE = 4096
+
+  # Generate a CSR
+  # @param names [Array<String>] List of DNS names.  The first one will be the CN
+  # @param key [OpenSSL::PKey::RSA, OpenSSL::PKey::DSA, nil] Secret key for the cert.
+  #   A DSA key will be generated if +nil+ is passed in.
+  # @param subject [Hash] Options for the subject of the cert.  By default only CN will
+  #   be set
+  # @return [Array(OpenSSL::PKey::PKey, Varanus::SSL::CSR)] The private key for the cert
+  #   and CSR
+  def self.generate names, key = nil, subject = {}
+    raise ArgumentError, 'names cannot be empty' if names.empty?
+
+    subject = subject.dup
+    subject['CN'] = names.first
+
+    key ||= OpenSSL::PKey::DSA.new(DEFAULT_KEY_SIZE)
+
+    request = OpenSSL::X509::Request.new
+    request.version = 0
+    request.subject = OpenSSL::X509::Name.parse subject.map { |k, v| "/#{k}=#{v}" }.join
+    request.add_attribute names_to_san_attribute(names)
+    if key.is_a? OpenSSL::PKey::EC
+      request.public_key = key
+    else
+      request.public_key = key.public_key
+    end
+
+    request.sign(key, OpenSSL::Digest.new('SHA256'))
+
+    [key, new(request)]
+  end
+
+  # :nodoc:
+  # Create a Subject Alternate Names attribute from an Array of dns names
+  def self.names_to_san_attribute names
+    ef = OpenSSL::X509::ExtensionFactory.new
+    name_str = names.map { |n| "DNS:#{n}" }.join(', ')
+    ext = ef.create_extension('subjectAltName', name_str, false)
+    seq = OpenSSL::ASN1::Sequence([ext])
+    ext_req = OpenSSL::ASN1::Set([seq])
+    OpenSSL::X509::Attribute.new('extReq', ext_req)
+  end
+
+  # Common Name (CN) for cert.
+  # @return [String]
+  attr_reader :cn
+
+  # OpenSSL::X509::Request representation of CSR
+  # @return [OpenSSL::X509::Request]
+  attr_reader :request
+
+  # @param csr [String, OpenSSL::X509::Request]
+  def initialize csr
+    if csr.is_a? OpenSSL::X509::Request
+      @request = csr
+      @text = csr.to_s
+    else
+      @text = csr.to_s
+      @request = OpenSSL::X509::Request.new @text
+    end
+
+    raise 'Improperly signed CSR' unless @request.verify @request.public_key
+
+    cn_ref = @request.subject.to_a.find { |a| a[0] == 'CN' }
+    @cn = cn_ref && cn_ref[1].downcase
+
+    _parse_sans
+
+    # If we have no CN or SAN, raise an error
+    raise 'CSR must have a CN and/or subjectAltName' if @cn.nil? && @sans.empty?
+  end
+
+  # Unique list of all DNS names for cert (CN and subject alt names)
+  # @return [Array<String>]
+  def all_names
+    ([@cn] + @sans).compact.uniq
+  end
+
+  # Key size for the cert
+  # @return [Integer]
+  def key_size
+    case @request.public_key
+    when OpenSSL::PKey::RSA
+      @request.public_key.n.num_bytes * 8
+    when OpenSSL::PKey::DSA
+      @request.public_key.p.num_bytes * 8
+    when OpenSSL::PKey::EC
+      @request.public_key.group.degree
+    else
+      raise "Unknown public key type: #{@request.public_key.class}"
+    end
+  end
+
+  # PEM format for cert
+  def to_s
+    @text
+  end
+
+  # DNS subject alt names
+  # @return [Array<String>]
+  def subject_alt_names
+    @sans
+  end
+
+  private
+
+  def _parse_sans
+    extensions = @request.attributes.select { |at| at.oid == 'extReq' }
+    sans_extensions = extensions.flat_map do |extension|
+      extension.value.value[0].value
+               .select { |ext| ext.first.value == 'subjectAltName' }
+               .map { |ext| ext.value.last }
+    end
+    @sans = sans_extensions.compact.flat_map do |san|
+      _parse_sans_extension san
+    end
+  end
+
+  def _parse_sans_extension ext
+    OpenSSL::ASN1.decode(ext.value).map do |s_entry|
+      unless s_entry.tag == 2 && s_entry.tag_class == :CONTEXT_SPECIFIC
+        raise "unknown tag #{s_entry.tag}"
+      end
+
+      s_entry.value.downcase
+    end
+  end
+end

data/lib/varanus/ssl.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+# An connection to the SSL/TSL API.  This should not be initialized directly.  Instead,
+# use Varanus#ssl
+class Varanus::SSL < Varanus::RestResource
+  # rubocop:disable Style/MutableConstant
+  # These constants are frozen, rubocop is failing to detect the freeze.
+  # See https://github.com/rubocop-hq/rubocop/issues/4406
+  REPORT_CERT_STATUS = { any: 0, requested: 1, issued: 2, revoked: 3, expired: 4 }
+  REPORT_CERT_STATUS.default_proc = proc { |_h, k|
+    raise ArgumentError, "Unknown certificateStatus: #{k.inspect}"
+  }
+  REPORT_CERT_STATUS.freeze
+
+  REPORT_CERT_DATE_ATTR = { revocation_date: 2, expiration_date: 3, request_date: 4,
+                            issue_date: 5 }
+  REPORT_CERT_DATE_ATTR.default_proc = proc { |_h, k|
+    raise ArgumentError, "Unknown certificateDateAttribute: #{k.inspect}"
+  }
+  REPORT_CERT_DATE_ATTR.freeze
+  # rubocop:enable Style/MutableConstant
+
+  # Returns the option from #certificate_types that best matches the csr.
+  # @param csr [Varanus::SSL::CSR]
+  # @return [Hash] The option from {#certificate_types} that best matches the csr
+  def certificate_type_from_csr csr, days = nil
+    types = certificate_types_standard(days)
+    return types.first if types.length <= 1
+
+    regexp = cert_type_regexp(csr)
+    typ = types.find { |ct| ct['name'] =~ regexp } if regexp
+    return typ unless typ.nil?
+
+    types.find do |ct|
+      ct['name'] =~ /\bSSL\b/ && ct['name'] !~ /(?:Multi.?Domain|Wildcard)/i
+    end
+  end
+
+  # Certificate types that can be used to sign a cert
+  # @return [Array<Hash>]
+  def certificate_types
+    @certificate_types ||= get('ssl/v1/types')
+  end
+
+  # Return Array of certificate types based on standard sorting.
+  # @param days [Integer] if present, only include types that support the given day count
+  # @return [Array<Hash>]
+  def certificate_types_standard days = nil
+    types = certificate_types.reject do |ct|
+      ct['name'] =~ /\b(?:EV|Extended Validation|ECC|AMT|Elite)\b/
+    end
+    types = types.select! { |t| t['terms'].include? days } unless days.nil?
+
+    types
+  end
+
+  # Retrieves the cert.
+  # @param id [Integer] As returned by {#sign}
+  # @param type [String]
+  #
+  # +type+ can be one of:
+  #  'x509'    - X509 format - cert and chain (default)
+  #  'x509CO'  - X509 format - cert only
+  #  'x509IO'  - X509 format - intermediates/root only
+  #  'x590IOR' - X509 format - intermediates/root only reversed
+  #  'base64'  - PKCS#7 base64 encoded
+  #  'bin'     - PKCS#7 bin encoded
+  #
+  # @raise [Varanus::Error::StillProcessing] Cert is still being signed
+  # @return [String] Certificate
+  def collect id, type = 'x509'
+    get("ssl/v1/collect/#{id}/#{type}")
+  end
+
+  # Returns info on the SSL certificate of the given name
+  def info id
+    get("ssl/v1/#{id}")
+  end
+
+  # List certs ids and serial numbers
+  def list opts = {}
+    get_with_size_and_position('ssl/v1', opts)
+  end
+
+  # Return a report (list) of SSL certs based on the options.
+  # The report includes a full set of details about the certs, not just the id/cn/serial
+  # +opts+ can include:
+  # (all are optional)
+  # - :organizationIds - Array - ids of organization/departments to include certs for
+  # - :certificateStatus - :any, :requested, :issued, :revoked, or :expired
+  # - :certificateDateAttribute - Specifies what fields :from and/or :to refer to.
+  #                               Can be: :revocation_date, :expiration_date,
+  #                                       :request_date, or :issue_date
+  # - :from - Date - based on :certificateDateAttribute
+  # - :to - Date - based on :certificateDateAttribute
+  def report opts = { certificateStatus: :any }
+    # Default is to request any certificate status since the API call will fail if no
+    # options are passed
+    opts = { certificateStatus: :any } if opts.empty?
+    opts = _parse_report_opts(opts)
+
+    post('report/v1/ssl-certificates', opts)['reports']
+  end
+
+  # Revoke an ssl cert
+  # @param id [Integer] As returned by {#sign}
+  # @param reason [String] Reason for revoking. Sectigo's API will return an error if it
+  #   is blank.
+  def revoke id, reason
+    post("ssl/v1/revoke/#{id}", reason: reason)
+    nil
+  end
+
+  # Sign an SSL cert.  Returns the id of the SSL cert
+  # @param csr [Varanus::SSL::CSR, OpenSSL::X509::Request, String] CSR to sign
+  # @param org_id [Integer] your organization id on cert-manager.com
+  # @param opts [Hash]
+  # @option opts [String] :comments ('') Limited to 1,024 characters
+  # @option opts [String] :external_requester ('') email address associated with cert on
+  #   cert-manager.com - limited to 512 characters
+  # @option opts [String, Integer] :cert_type name(String) or id(Integer) of the cert
+  #   type to use.  If none is specified, Varanus will attempt to find one
+  # @option opts [Integer] :years number of years cert should be valid for (this number
+  #   is multiplied by 365  and used as days)
+  # @option opts [Integer] :days  number of days cert should be valid for (if none is
+  #   specified, lowest allowed for the cert type will be used)
+  # @return [Integer] Id of SSL cert.
+  def sign csr, org_id, opts = {}
+    opts[:days] ||= opts[:years] * 365 unless opts[:years].nil?
+    csr = Varanus::SSL::CSR.new(csr) unless csr.is_a?(Varanus::SSL::CSR)
+    cert_type_id = opts_to_cert_type_id opts, csr
+    args = {
+      orgId: org_id,
+      csr: csr.to_s,
+      subjAltNames: csr.subject_alt_names.join(','),
+      certType: cert_type_id,
+      term: opts_to_term(opts, cert_type_id),
+      serverType: -1,
+      comments: opts[:comments].to_s[0, 1024],
+      externalRequester: opts[:external_requester].to_s[0, 512]
+    }
+    post('ssl/v1/enroll', args)['sslId']
+  end
+
+  private
+
+  def cert_type_regexp csr
+    return /Wildcard.+SSL/i if csr.all_names.any? { |n| n.start_with?('*.') }
+
+    return /Multi.?Domain.+SSL/i if csr.subject_alt_names.any?
+
+    nil
+  end
+
+  def opts_to_cert_type_id opts, csr
+    case opts[:cert_type]
+    when Integer
+      opts[:cert_type]
+    when String
+      certificate_types.find { |ct| ct['name'] == opts[:cert_type] }['id']
+    else
+      certificate_type_from_csr(csr, opts[:days])['id']
+    end
+  end
+
+  def opts_to_term opts, cert_type_id
+    term = opts[:days]
+    term ||= certificate_types.find { |ct| ct['id'] == cert_type_id }['terms'].min
+    term
+  end
+
+  def _parse_report_opts user_opts
+    api_opts = {}
+    user_opts.each do |key, val|
+      case key
+      when :organizationIds, :certificateRequestSource, :serialNumberFormat
+        api_opts[key] = val
+      when :from, :to
+        api_opts[key] = val.strftime('%Y-%m-%d')
+      when :certificateStatus
+        api_opts[key] = REPORT_CERT_STATUS[val]
+      when :certificateDateAttribute
+        api_opts[key] = REPORT_CERT_DATE_ATTR[val]
+      else
+        raise ArgumentError, "Unknown key: #{key.inspect}"
+      end
+    end
+
+    api_opts
+  end
+end

data/lib/varanus/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class Varanus
+  VERSION = '0.9.0'
+end

data/lib/varanus.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+# Interface for Sectigo's (formerly Comodo CA) API.
+class Varanus
+  attr_reader :customer_uri, :username, :password
+
+  # @param customer_uri [String]
+  #   (see {file:README.md#label-Finding+Organization+Id+-28org_id-29})
+  # @param username [String]
+  # @param password [String]
+  def initialize customer_uri, username, password
+    @customer_uri = customer_uri
+    @username = username
+    @password = password
+  end
+
+  # :nodoc:
+  def connection
+    @connection ||= Faraday.new(url: 'https://cert-manager.com/api',
+                                request: { timeout: 300 }) do |conn|
+      conn.request :json
+      conn.response :json, content_type: /\bjson$/
+
+      conn.headers['login'] = @username
+      conn.headers['password'] = @password
+      conn.headers['customerUri'] = @customer_uri
+
+      conn.adapter Faraday.default_adapter
+    end
+  end
+
+  # Retrive DCV instance
+  # @return [Varanus::DCV]
+  def dcv
+    @dcv ||= DCV.new(self)
+  end
+
+  # Retrieve Domain instance
+  # @return [Varanus::Domain]
+  def domain
+    @domain ||= Domain.new(self)
+  end
+
+  # Retrieve Organization instance
+  # @return [Varanus::Organization]
+  def organization
+    @organization ||= Organization.new(self)
+  end
+
+  # DEPRECATED
+  def reports
+    @reports ||= Reports.new(self)
+  end
+
+  # Retrive SSL instance
+  # @return [Varanus::SSL]
+  def ssl
+    @ssl ||= SSL.new(self)
+  end
+end
+
+# stdlib/gem requires
+require 'faraday'
+require 'openssl'
+require 'savon'
+
+# Require other files in this gem
+require 'varanus/error'
+require 'varanus/rest_resource'
+require 'varanus/dcv'
+require 'varanus/domain'
+require 'varanus/organization'
+require 'varanus/reports'
+require 'varanus/ssl'
+require 'varanus/ssl/csr'
+require 'varanus/version'

data/varanus.gemspec

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'varanus/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'varanus'
+  spec.version       = Varanus::VERSION
+  spec.authors       = ['Sean Dilda']
+  spec.email         = ['sean@duke.edu']
+
+  spec.summary       = "Interface for Sectigo's (formerly Comodo CA) API."
+  spec.description   = <<~DESCRIPTION
+    This gem provides an interface to Sectigo's (formerly Comodo CA) APIs for working
+    with SSL/TLS certificates as well as its reporting API.
+
+    Support for Sectigo's other APIs (S/MIME, code signing, device certificates, etc) may
+    be added at a later date.
+  DESCRIPTION
+  spec.homepage      = 'https://github.com/duke-automation/varanus'
+  spec.license       = 'MIT'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 2.5.0'
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'minitest', '~> 5.0'
+  spec.add_development_dependency 'minitest-rg'
+  spec.add_development_dependency 'mocha'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'webmock'
+  spec.add_development_dependency 'yard'
+
+  spec.add_runtime_dependency 'faraday', '~> 2.0'
+  spec.add_runtime_dependency 'savon', '~> 2.0'
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: varanus
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.9.0
 platform: ruby
 authors:
 - Sean Dilda
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-09-27 00:00:00.000000000 Z
+date: 2026-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -140,30 +140,16 @@ dependencies:
   name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: faraday_middleware
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: savon
   requirement: !ruby/object:Gem::Requirement
@@ -189,7 +175,31 @@ email:
 executables: []
 extensions: []
 extra_rdoc_files: []
-files: []
+files:
+- ".codeclimate.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- docker-compose.yml
+- lib/varanus.rb
+- lib/varanus/dcv.rb
+- lib/varanus/domain.rb
+- lib/varanus/error.rb
+- lib/varanus/organization.rb
+- lib/varanus/reports.rb
+- lib/varanus/rest_resource.rb
+- lib/varanus/ssl.rb
+- lib/varanus/ssl/csr.rb
+- lib/varanus/version.rb
+- varanus.gemspec
 homepage: https://github.com/duke-automation/varanus
 licenses:
 - MIT
@@ -209,7 +219,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.27
+rubygems_version: 3.4.20
 signing_key:
 specification_version: 4
 summary: Interface for Sectigo's (formerly Comodo CA) API.