vcert 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: aca37924c54553b285f4a71cb5dd665a67899ee035024acb0fdae853d0fda053
+  data.tar.gz: 16683bfaaf3d43b2b6b2f899fee72a13860121cf8be85975b4808fd687b0b165
+SHA512:
+  metadata.gz: 32b44cb26e66b63fc39dd4066470e79363b3de5af723d6ad5e9a63eaf6447568041bcacbd71ebfebc5beff36174204c201d0346e47cfc25994da33f37b63cf11
+  data.tar.gz: 29c0bdf783fd33860c32685d9f7465b1a788acb3a60371b9e998f809c46182da36e2315f7567a07b5a073221678f411796e53db71e7d00534f57ff11d98747ce

data/lib/cloud/cloud.rb

@@ -0,0 +1,281 @@
+require 'json'
+require 'utils/utils'
+
+class Vcert::CloudConnection
+  def initialize(url, token)
+    @url = url
+    @token = token
+  end
+
+
+  def request(zone_tag, request)
+    zone_id = get_zoneId_by_tag(zone_tag)
+    _, data = post(URL_CERTIFICATE_REQUESTS, {:zoneId => zone_id, :certificateSigningRequest => request.csr})
+    LOG.debug("Raw response to certificate request:")
+    LOG.debug(JSON.pretty_generate(data))
+    request.id = data['certificateRequests'][0]["id"]
+    request
+  end
+
+  def retrieve(request)
+    LOG.info(("Getting certificate status for ID %s" % request.id))
+    status, data = get(URL_CERTIFICATE_STATUS % request.id)
+    if [200, 409].include? status
+      case data['status']
+      when CERT_STATUS_PENDING, CERT_STATUS_REQUESTED
+        LOG.info(("Certificate status is: %s" % data['status']))
+        return nil
+      when CERT_STATUS_FAILED
+        raise Vcert::ServerUnexpectedBehaviorError, "Certificate issue status is FAILED"
+      when CERT_STATUS_ISSUED
+        status, full_chain = get(URL_CERTIFICATE_RETRIEVE % request.id + "?chainOrder=#{CHAIN_OPTION_ROOT_LAST}&format=PEM")
+        if status == 200
+          cert = parse_full_chain full_chain
+          if cert.private_key == nil
+            cert.private_key = request.private_key
+          end
+          return cert
+        else
+          LOG.error("Can't issue certificate: #{full_chain}")
+          raise Vcert::ServerUnexpectedBehaviorError, "Status #{status}"
+        end
+      else
+        raise Vcert::ServerUnexpectedBehaviorError, "Unknown certificate status #{data['status']}"
+      end
+    end
+  end
+
+  def renew(request, generate_new_key: true)
+    puts("Trying to renew certificate")
+    if request.id == nil && request.thumbprint == nil
+      raise Vcert::ClientBadDataError, "Either request ID or certificate thumbprint is required to renew the certificate"
+    end
+    if request.thumbprint != nil
+      manage_id = search_by_thumbprint(request.thumbprint)
+    end
+    if request.id != nil
+      prev_request = get_cert_status(request)
+      manage_id = prev_request[:manage_id]
+      zone = prev_request[:zoneId]
+    end
+    if manage_id == nil
+      raise Vcert::VcertError, "Can't find the existing certificate"
+    end
+
+    status, data = get(URL_MANAGED_CERTIFICATE_BY_ID % manage_id)
+    if status == 200
+      request.id = data['latestCertificateRequestId']
+    else
+      raise Vcert::ServerUnexpectedBehaviorError, "Status #{status}"
+    end
+
+    if zone == nil
+      prev_request = get_cert_status(request)
+      zone = prev_request[:zoneId]
+    end
+
+    d = {existingManagedCertificateId: manage_id, zoneId: zone}
+    if request.csr?
+      d.merge!(certificateSigningRequest: request.csr)
+      d.merge!(reuseCSR: false)
+    elsif generate_new_key
+      parsed_csr = parse_csr_fields(prev_request[:csr])
+      renew_request = Vcert::Request.new(
+          common_name: parsed_csr[:CN],
+          san_dns: parsed_csr[:DNS],
+          country: parsed_csr[:C],
+          province: parsed_csr[:ST],
+          locality: parsed_csr[:L],
+          organization: parsed_csr[:O],
+          organizational_unit: parsed_csr[:OU])
+      d.merge!(certificateSigningRequest: renew_request.csr)
+    else
+      d.merge!(reuseCSR: true)
+    end
+
+    status, data = post(URL_CERTIFICATE_REQUESTS, data = d)
+    if status == 201
+      if generate_new_key
+        return data['certificateRequests'][0]['id'], renew_request.private_key
+      else
+        return data['certificateRequests'][0]['id'], nil
+      end
+
+    else
+      raise Vcert::ServerUnexpectedBehaviorError, "Status: #{status} Message: #{data}"
+    end
+
+  end
+
+  def zone_configuration(tag)
+    if tag.to_s.strip.empty?
+      raise Vcert::ClientBadDataError, "Zone should not be empty"
+    end
+    LOG.info("Getting configuration for zone #{tag}")
+    _, data = get(URL_ZONE_BY_TAG % tag)
+    template_id = data['certificateIssuingTemplateId']
+    _, data = get(URL_TEMPLATE_BY_ID % template_id)
+    kt = Vcert::KeyType.new data['keyTypes'][0]["keyType"], data['keyTypes'][0]["keyLengths"][0].to_i
+    z = Vcert::ZoneConfiguration.new(
+        country: Vcert::CertField.new(""),
+        province: Vcert::CertField.new(""),
+        locality: Vcert::CertField.new(""),
+        organization: Vcert::CertField.new(""),
+        organizational_unit: Vcert::CertField.new(""),
+        key_type: Vcert::CertField.new(kt, locked: true),
+    )
+    return z
+  end
+
+  def policy(zone_id)
+    unless zone_id
+      raise Vcert::ClientBadDataError, "Zone should be not nil"
+    end
+    status, data = get(URL_PROJECT_ZONE_DETAILS % zone_id)
+    if status != 200
+      raise Vcert::ServerUnexpectedBehaviorError, "Invalid status getting issuing template: %s for zone %s" % status, zone_id
+    end
+    template_id = data['certificateIssuingTemplateId']
+    status, data = get(URL_TEMPLATE_BY_ID % template_id)
+    if status != 200
+      raise Vcert::ServerUnexpectedBehaviorError, "Invalid status getting policy: %s for issuing template %s" % status, template_id
+    end
+    parse_policy_responce_to_object(data)
+  end
+
+  private
+
+  TOKEN_HEADER_NAME = "tppl-api-key"
+  CHAIN_OPTION_ROOT_FIRST = "ROOT_FIRST"
+  CHAIN_OPTION_ROOT_LAST = "EE_FIRST"
+  CERT_STATUS_REQUESTED = 'REQUESTED'
+  CERT_STATUS_PENDING = 'PENDING'
+  CERT_STATUS_FAILED = 'FAILED'
+  CERT_STATUS_ISSUED = 'ISSUED'
+  URL_ZONE_BY_TAG = "zones/tag/%s"
+  URL_PROJECT_ZONE_DETAILS = "projectzones/%s"
+  URL_TEMPLATE_BY_ID = "certificateissuingtemplates/%s"
+  URL_CERTIFICATE_REQUESTS = "certificaterequests"
+  URL_CERTIFICATE_STATUS = URL_CERTIFICATE_REQUESTS + "/%s"
+  URL_CERTIFICATE_RETRIEVE = URL_CERTIFICATE_REQUESTS + "/%s/certificate"
+  URL_CERTIFICATE_SEARCH = "certificatesearch"
+  URL_MANAGED_CERTIFICATES = "managedcertificates"
+  URL_MANAGED_CERTIFICATE_BY_ID = URL_MANAGED_CERTIFICATES + "/%s"
+
+  def get_zoneId_by_tag(tag)
+    _, data = get(URL_ZONE_BY_TAG % tag)
+    data['id']
+  end
+
+  def get(url)
+    uri = URI.parse(@url)
+    request = Net::HTTP.new(uri.host, uri.port)
+    request.use_ssl = true
+    url = uri.path + "/" + url
+
+
+    response = request.get(url, {TOKEN_HEADER_NAME => @token})
+    case response.code.to_i
+    when 200, 201, 202, 409
+      LOG.info(("HTTP status OK"))
+    when 403
+      raise Vcert::AuthenticationError
+    else
+      raise Vcert::ServerUnexpectedBehaviorError, "Unexpected code #{response.code} for URL #{url}. Message: #{response.body}"
+    end
+    case response.header['content-type']
+    when "application/json"
+      begin
+        data = JSON.parse(response.body)
+      rescue JSON::ParserError
+        raise Vcert::ServerUnexpectedBehaviorError, "Invalid JSON"
+      end
+    when "text/plain"
+      data = response.body
+    else
+      raise Vcert::ServerUnexpectedBehaviorError, "Unexpected content-type #{response.header['content-type']}"
+    end
+    # rescue *ALL_NET_HTTP_ERRORS
+    return response.code.to_i, data
+    # end
+  end
+
+  def post(url, data)
+    uri = URI.parse(@url)
+    request = Net::HTTP.new(uri.host, uri.port)
+    request.use_ssl = true
+    url = uri.path + "/" + url
+    encoded_data = JSON.generate(data)
+    response = request.post(url, encoded_data, {TOKEN_HEADER_NAME => @token, "Content-Type" => "application/json", "Accept" => "application/json"})
+    case response.code.to_i
+    when 200, 201, 202, 409
+      LOG.info(("HTTP status OK"))
+    when 403
+      raise Vcert::AuthenticationError
+    else
+      raise Vcert::ServerUnexpectedBehaviorError, "Unexpected code #{response.code} for URL #{url}. Message: #{response.body}"
+    end
+    data = JSON.parse(response.body)
+    return response.code.to_i, data
+  end
+
+  def parse_full_chain(full_chain)
+    pems = parse_pem_list(full_chain)
+    Vcert::Certificate.new(
+        cert: pems[0],
+        chain: pems[1..-1]
+    )
+  end
+
+  def parse_policy_responce_to_object(d)
+    key_types = []
+    d['keyTypes'].each { |kt| key_types.push(['keyType']) }
+    Vcert::Policy.new(policy_id: d['id'],
+                               name: d['name'],
+                               system_generated: d['systemGenerated'],
+                               creation_date: d['creationDate'],
+                               subject_cn_regexes: d['subjectCNRegexes'],
+                               subject_o_regexes: d['subjectORegexes'],
+                               subject_ou_regexes: d['subjectOURegexes'],
+                               subject_st_regexes: d['subjectSTRegexes'],
+                               subject_l_regexes: d['subjectLRegexes'],
+                               subject_c_regexes: d['subjectCValues'],
+                               san_regexes: d['sanRegexes'],
+                               key_types: key_types)
+  end
+
+  def search_by_thumbprint(thumbprint)
+    # thumbprint = re.sub(r'[^\dabcdefABCDEF]', "", thumbprint)
+    thumbprint = thumbprint.upcase
+    status, data = post(URL_CERTIFICATE_SEARCH, data = {"expression": {operands: [
+        {field: "fingerprint", operator: "MATCH", value: thumbprint}]}})
+    # TODO: check that data have valid certificate in it
+    if status != 200
+      raise Vcert::ServerUnexpectedBehaviorError, "Status: #{status}. Message: #{data.body.to_s}"
+    end
+    # TODO: check data
+    manageId = data['certificates'][0]['managedCertificateId']
+    LOG.info("Found existing certificate with ID #{manageId}")
+    return manageId
+  end
+
+  def get_cert_status(request)
+    status, d = get(URL_CERTIFICATE_STATUS % request.id)
+    if status == 200
+      request_status = Hash.new
+      request_status[:status] = d['status']
+      request_status[:subject] = d['subjectDN'] or d['subjectCN'][0]
+      request_status[:subject_alt_names] = d['subjectAlternativeNamesByType']
+      request_status[:zoneId] = d['zoneId']
+      request_status[:manage_id] = d['managedCertificateId']
+      request_status[:csr] = d['certificateSigningRequest']
+      request_status[:key_lenght] = d['keyLength']
+      request_status[:key_type] = d['keyType']
+      return request_status
+    else
+      raise Vcert::ServerUnexpectedBehaviorError, "status: #{status}"
+    end
+  end
+
+end
+

data/lib/fake/fake.rb

@@ -0,0 +1,130 @@
+require 'openssl'
+require 'base64'
+
+
+
+class Vcert::FakeConnection
+  def initialize()
+    @cert_cache = {}
+  end
+
+  def request(zone_tag, request)
+    request.id = Base64.encode64(request.csr)
+  end
+
+  def retrieve(request)
+    csrpem = Base64.decode64(request.id)
+    csr =  OpenSSL::X509::Request.new(csrpem)
+    root_ca = OpenSSL::X509::Certificate.new ROOT_CA
+    root_key = OpenSSL::PKey::RSA.new ROOT_KEY
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = (Time.new.to_f() * 100).to_i
+    cert.subject = csr.subject
+    cert.issuer = root_ca.subject
+    cert.not_before = Time.now
+    cert.public_key = csr.public_key
+    cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60
+    # todo: add extensions
+    cert.sign(root_key, OpenSSL::Digest::SHA256.new)
+    c = Vcert::Certificate.new cert:cert.to_pem, chain: [ROOT_CA], private_key: request.private_key
+    thumbprint = OpenSSL::Digest::SHA1.new(cert.to_der).to_s
+    @cert_cache[thumbprint] = cert
+    c
+  end
+
+  def policy(zone_tag)
+        key_types = [1024, 2048, 4096, 8192].map {|s| Vcert::KeyType.new("rsa", s) } + Vcert::SUPPORTED_CURVES.map {|c| Vcert::KeyType.new("ecdsa", c) }
+        Vcert::Policy.new(policy_id: zone_tag, name: zone_tag, system_generated: false, creation_date: nil,
+                          subject_cn_regexes: [".*"], subject_o_regexes: [".*"],
+                          subject_ou_regexes: [".*"], subject_st_regexes: [".*"],
+                          subject_l_regexes: [".*"], subject_c_regexes: [".*"], san_regexes: [".*"],
+                          key_types: key_types)
+  end
+
+  def zone_configuration(zone_tag)
+    Vcert::ZoneConfiguration.new(
+        country: Vcert::CertField.new("US"),
+        province: Vcert::CertField.new("Utah"),
+        locality: Vcert::CertField.new("Salt Lake City"),
+        organization: Vcert::CertField.new("Venafi"),
+        organizational_unit: Vcert::CertField.new("DevOps"),
+        key_type: Vcert::CertField.new(Vcert::KeyType.new("rsa", 2048), locked: true),
+        )
+  end
+
+  def renew(request, generate_new_key: true)
+    if request.thumbprint
+      if generate_new_key
+        new_key = OpenSSL::PKey::RSA.new 2048
+        csr = OpenSSL::X509::Request.new
+        csr.subject = @cert_cache[request.thumbprint].subject
+        csr.public_key =  new_key.public_key
+        csr.sign new_key, OpenSSL::Digest::SHA256.new
+        return Base64.encode64(csr.to_pem), new_key.to_pem
+      else
+        raise Vcert::VcertError, "can not be implemented"
+      end
+    end
+    unless generate_new_key
+      return request.id, request.private_key
+    end
+    new_key = OpenSSL::PKey::RSA.new 2048
+    csr = OpenSSL::X509::Request.new Base64.decode64(request.id)
+    csr.public_key = new_key.public_key
+    csr.sign new_key, OpenSSL::Digest::SHA256.new
+    return Base64.encode64(csr.to_pem), new_key.to_pem
+  end
+  private
+  ROOT_CA = "-----BEGIN CERTIFICATE-----
+MIIDYDCCAkigAwIBAgIBATANBgkqhkiG9w0BAQsFADBBMRMwEQYKCZImiZPyLGQB
+GRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGVmVuYWZpMRIwEAYDVQQDDAlWZW5hZmkg
+Q0EwHhcNMTkxMDIzMTIzNzExWhcNMjkxMDIwMTIzNzExWjBBMRMwEQYKCZImiZPy
+LGQBGRYDb3JnMRYwFAYKCZImiZPyLGQBGRYGVmVuYWZpMRIwEAYDVQQDDAlWZW5h
+ZmkgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4NfBNSVzOqj8A
+E6+NSuEufK5EhgE/o8KPCTtM7qvMCa0X3P+T0I5IUDMXz5Yi/TXjhTANolYEz2RS
+9u5Pdv5dvBCe1hwMhXdLlcxEhLtJrjnQvBUTqzuFUBausvRZvE3GwozoZncakEEP
+OqTvGEpqjbnF1uiIJf944kjIq9oWnPudatOOlCFtpA1TG1mLJg8jcCrbeiXvRo9d
+/dyg7B7URgKdxMukdjCkUMqUwArlu7mnv1kN6UdzhfFRCH0MBH4pisVze9XP/QrV
+MJ+gMlultrpDFuMpiruJyPeapDnGloxtWKQ/aQHlnwwaX8fcaA3ADKUAFr66nFT2
+14fgmByFAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG
+MB0GA1UdDgQWBBSFrxYL7Fd190DFUZFJ4ahzptV7tTAfBgNVHSMEGDAWgBSFrxYL
+7Fd190DFUZFJ4ahzptV7tTANBgkqhkiG9w0BAQsFAAOCAQEAZsRtfC+4j6RWbWDZ
+3eRabfY4Nl7z3q3hL2cYo98ZQVb5wssYwKPpX8/DFMnmgiObe0Na5zqaB9PxDBpZ
+4wkRFpRfQ2oS13dzPMDdW0/IHhWfyWZiUqdpIacWIHvyuotZ/k3IZLT7zc9Lbs2p
+FPmW5/Oe7lNRu3xgqaMuhRid8i426c+fR5YPf32umZtwRnB5hFFE9IlFBPpRl5Z7
+GDJKJBgZi9+sk13a3CM8Zn0A9fiCaRASDPKRVhWPjDJwzLy44WF+1GiMZRCR79MX
+8B/rNxkrKpWJmjkQj3jqmQOOnp7+QwdZ5OIV7NNlc/Kx2QDV9QV+hnRPetXmsVfy
+y5KjSQ==
+-----END CERTIFICATE-----
+"
+  ROOT_KEY = "-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuDXwTUlczqo/ABOvjUrhLnyuRIYBP6PCjwk7TO6rzAmtF9z/
+k9COSFAzF8+WIv0144UwDaJWBM9kUvbuT3b+XbwQntYcDIV3S5XMRIS7Sa450LwV
+E6s7hVAWrrL0WbxNxsKM6GZ3GpBBDzqk7xhKao25xdboiCX/eOJIyKvaFpz7nWrT
+jpQhbaQNUxtZiyYPI3Aq23ol70aPXf3coOwe1EYCncTLpHYwpFDKlMAK5bu5p79Z
+DelHc4XxUQh9DAR+KYrFc3vVz/0K1TCfoDJbpba6QxbjKYq7icj3mqQ5xpaMbVik
+P2kB5Z8MGl/H3GgNwAylABa+upxU9teH4JgchQIDAQABAoIBAEa/YIUuUdiFhiCv
+btLjGUzTUdK7bKtWZ5irwPyxBYYdiT8K/5VzmdGoC5dvgIf7m8DAHE6ANG0wgaVj
+dO9MEjFJ01BNhwRAFisPYx5Fo/COW2IRej7NmtR+h9ecnz//lBdsDNYM1F19XZ9N
+tJ6nQ51cxSZ4fWIcxdtVfQKlDeN0y7ZanHsltv4cpCCuVaVk8uzI6O5E8dNbDmpR
+Wotefps+9HHREa6uL39SbzU+S5SkdcVofs6/g/eL6RsP4D6VcF+qdBEQ38ffDaSZ
+Q1hOwfTFf6Ahv4HhpCVC6vlIpXJi/RyUu6yqbmInvcXfGHvYoMYhud/lasYZDAm2
+RdGB0gECgYEA7OHnaAqOaaYnE2rQkOAn3ZzA7VRhJgMvPgKUeQoUHDhXJOD/6wWD
+1/wYd4BKiQyODi5cAlOkLvdrcRlnrGOKRiLgemyNrG2GzJTzgrkJc1IOpRnl2QKw
+w1k0Xrv2qDpoebKMqhxjgEnYp+ddVB7kG561vl7JfhjQidrVqx6y/0UCgYEAxxPQ
+M4myF4JKHpxU4+21JKxB3bTY7CWmKM1ZBon/ZFVKd8bsq7wt0tWP83oxWq5b11o+
+AnWx4CsQQyl7EWanrDoPag2SjfI/q+AySq0VUNjcAsvPLfT2Q7WQQxEMQGoabZ7j
+u8uxkNvZmDy5XGDjcZVdANq2kynC++v1AtwO3EECgYEAnmeeaCuO+kU6ojhuikLr
+Rb3aIZqocFP21n/BK4O62PgwBiBT4qTIerlA30CyFx2HLSKBMqkeBK49cd8sPdI+
+mBIgjJ1ky+ZeGxaMFGGKWUyJMIy18D1lWOyhIayOEAcm8CKe/+6F9zbqo7UK6wLR
+RUsHe+tE0IblhRoKgijASAUCgYEAra7KkXxLhRklw0kPAwBLbqBeoqf6LSS3r5dg
+WUUiLQ4Adzl1GGuH6w5plbmAv6Wo+NyBhzHZq0LG4GGbPlY6aRcKhbMrrm2wQSrL
+lb0mALACWuonaefyxqXsI6cG8lffkM3zz87prwEv+RLZgRACvwDZ8Dng2cmwlIuK
+6iDFUkECgYBL4U3E+trPuVEQm3Nj9nyIFV1efKDZ+uehPSvglYdO+ca7UgwA0btZ
+iAAu3L3yP3TSJ6SbLV3hX1VoyyNQpUr+ODZo7VWf+MdZDh9XiiuLNqr5tx7yGhOb
+1JXZ1QPAZeRvALui6fdj5yCHjTvayEL2nzPAFbgFrgVYRoF8L9O0gg==
+-----END RSA PRIVATE KEY-----
+"
+
+end

data/lib/objects/objects.rb

@@ -0,0 +1,359 @@
+require 'openssl'
+require "logger"
+LOG = Logger.new(STDOUT)
+
+OpenSSL::PKey::EC.send(:alias_method, :private?, :private_key?)
+
+module Vcert
+  SUPPORTED_CURVES = ["secp224r1", "prime256v1", "secp521r1"]
+  class Request
+    attr_accessor :id, :thumbprint
+    attr_reader :common_name, :country, :province, :locality, :organization, :organizational_unit, :san_dns,:key_type
+
+    def initialize(common_name: nil, private_key: nil, key_type: nil,
+                   organization: nil, organizational_unit: nil, country: nil, province: nil, locality: nil, san_dns: nil,
+                   friendly_name: nil, csr: nil)
+      @common_name = common_name
+      @private_key = private_key
+      #todo: parse private key and set public
+      if key_type != nil && !key_type.instance_of?(KeyType)
+        raise Vcert::ClientBadDataError, "key_type bad type. should be Vcert::KeyType. for example KeyType('rsa', 2048)"
+      end
+      @key_type = key_type
+      @organization = organization
+      @organizational_unit = organizational_unit
+      @country = country
+      @province = province
+      @locality = locality
+      @san_dns = san_dns
+      @friendly_name = friendly_name
+      @id = nil
+      @csr = csr
+    end
+
+    def generate_csr
+      if @private_key == nil
+        generate_private_key
+      end
+      subject_attrs = [
+          ['CN', @common_name]
+      ]
+      if @organization != nil
+        subject_attrs.push(['O', @organization])
+      end
+      if @organizational_unit != nil
+        if @organizational_unit.kind_of?(Array)
+          @organizational_unit.each { |ou| subject_attrs.push(['OU', ou]) }
+        else
+          subject_attrs.push(['OU', @organizational_unit])
+        end
+      end
+      if @country != nil
+        subject_attrs.push(['C', @country])
+      end
+      if @province != nil
+        subject_attrs.push(['ST', @province])
+      end
+      if @locality != nil
+        subject_attrs.push(['L', @locality])
+      end
+
+      LOG.info("Making request from subject array #{subject_attrs.inspect}")
+      subject = OpenSSL::X509::Name.new subject_attrs
+      csr = OpenSSL::X509::Request.new
+      csr.version = 0
+      csr.subject = subject
+      csr.public_key = @public_key
+      if @san_dns != nil
+        unless @san_dns.kind_of?(Array)
+          @san_dns = [@san_dns]
+        end
+        #TODO: add check that san_dns is an array
+        san_list = @san_dns.map { |domain| "DNS:#{domain}" }
+        extensions = [
+            OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', san_list.join(','))
+        ]
+        attribute_values = OpenSSL::ASN1::Set [OpenSSL::ASN1::Sequence(extensions)]
+        [
+            OpenSSL::X509::Attribute.new('extReq', attribute_values),
+            OpenSSL::X509::Attribute.new('msExtReq', attribute_values)
+        ].each do |attribute|
+          csr.add_attribute attribute
+        end
+      end
+      csr.sign @private_key, OpenSSL::Digest::SHA256.new # todo: changable sign alg
+      @csr = csr.to_pem
+    end
+
+    def csr
+      # TODO: find a way to pass CSR generation if renew is requested
+      if @csr == nil
+        generate_csr
+      end
+      @csr
+    end
+
+    def csr?
+      @csr != nil
+    end
+
+    def private_key
+      if @private_key == nil
+        generate_private_key
+      end
+      @private_key.to_pem
+    end
+
+    def friendly_name
+      if @friendly_name != nil
+        return @friendly_name
+      end
+      @common_name
+    end
+
+    # @param [ZoneConfiguration] zone_config
+    def update_from_zone_config(zone_config)
+      if zone_config.country.locked || (!@country && !!zone_config.country.value)
+        @country = zone_config.country.value
+      end
+      if zone_config.locality.locked || (!@locality && !!zone_config.locality.value)
+        @locality = zone_config.locality.value
+      end
+      if zone_config.province.locked || (!@province && !!zone_config.province.value)
+        @province = zone_config.province.value
+      end
+      if zone_config.organization.locked || (!@organization && !!zone_config.organization.value)
+        @organization = zone_config.organization.value
+      end
+      if zone_config.organizational_unit.locked || (!@organizational_unit && !!zone_config.organizational_unit.value)
+        @organizational_unit = zone_config.organizational_unit.value
+      end
+      if zone_config.key_type.locked || (@key_type == nil && zone_config.key_type.value != nil)
+        @key_type = zone_config.key_type.value
+      end
+    end
+
+    private
+
+
+    def generate_private_key
+      if @key_type == nil
+        @key_type = DEFAULT_KEY_TYPE
+      end
+      if @key_type.type == "rsa"
+        @private_key = OpenSSL::PKey::RSA.new @key_type.option
+        @public_key = @private_key.public_key
+      elsif @key_type.type == "ecdsa"
+        @private_key, @public_key = OpenSSL::PKey::EC.new(@key_type.option), OpenSSL::PKey::EC.new(@key_type.option)
+        @private_key.generate_key
+        @public_key.public_key = @private_key.public_key
+      end
+    end
+  end
+
+  class Certificate
+    attr_accessor :private_key
+    attr_reader :cert, :chain
+
+    def initialize(cert: nil, chain: nil, private_key: nil)
+      @cert = cert
+      @chain = chain
+      @private_key = private_key
+    end
+  end
+
+  class Policy
+    attr_reader :policy_id, :name, :system_generated, :creation_date
+
+    def initialize(policy_id:, name:, system_generated:, creation_date:, subject_cn_regexes:, subject_o_regexes:,
+                   subject_ou_regexes:, subject_st_regexes:, subject_l_regexes:, subject_c_regexes:, san_regexes:,
+                   key_types:)
+
+      @policy_id = policy_id
+      @name = name
+      @system_generated = system_generated
+      @creation_date = creation_date
+      @subject_cn_regexes = subject_cn_regexes
+      @subject_c_regexes = subject_c_regexes
+      @subject_st_regexes = subject_st_regexes
+      @subject_l_regexes = subject_l_regexes
+      @subject_o_regexes = subject_o_regexes
+      @subject_ou_regexes = subject_ou_regexes
+      @san_regexes = san_regexes
+      @key_types = key_types
+    end
+
+    # @param [Request] request
+    def simple_check_request(request)
+      if request.csr?
+        csr = parse_csr_fields(request.csr)
+        unless component_is_valid?(csr[:CN], @subject_cn_regexes)
+          raise ValidationError, "Common name #{csr[:CN]} doesnt match #{@subject_cn_regexes}"
+        end
+        unless component_is_valid?(request.san_dns, @san_regexes, optional: true)
+          raise ValidationError, "SANs #{csr[:DNS]} doesnt match #{ @san_regexes }"
+        end
+      else
+        unless component_is_valid?(request.common_name, @subject_cn_regexes)
+          raise ValidationError, "Common name #{request.common_name} doesnt match #{@subject_cn_regexes}"
+        end
+        unless component_is_valid?(request.san_dns, @san_regexes, optional: true)
+          raise ValidationError, "SANs #{request.san_dns} doesnt match #{ @san_regexes }"
+        end
+      end
+    end
+
+    # @param [Request] request
+    def check_request(request)
+      simple_check_request(request)
+      if request.csr?
+        csr = parse_csr_fields(request.csr)
+        unless component_is_valid?(csr[:C], @subject_c_regexes)
+          raise ValidationError, "Country #{csr[:C]} doesnt match #{@subject_c_regexes}"
+        end
+        unless component_is_valid?(csr[:ST], @subject_st_regexes)
+          raise ValidationError, "Province #{csr[:ST]} doesnt match #{@subject_st_regexes}"
+        end
+        unless component_is_valid?(csr[:L], @subject_l_regexes)
+          raise ValidationError, "Locality #{csr[:L]} doesnt match #{@subject_l_regexes}"
+        end
+        unless component_is_valid?(csr[:O], @subject_o_regexes)
+          raise ValidationError, "Organization #{csr[:O]} doesnt match #{@subject_o_regexes}"
+        end
+        unless component_is_valid?(csr[:OU], @subject_ou_regexes)
+          raise ValidationError, "Organizational unit #{csr[:OU]} doesnt match #{@subject_ou_regexes}"
+        end
+        #todo: add uri, upn, ip, email
+        unless is_key_type_is_valid?(csr[:key_type], @key_types)
+          raise ValidationError, "Key Type #{csr[:key_type]} doesnt match allowed #{@key_types}"
+        end
+      else
+        # subject
+        unless component_is_valid?(request.country, @subject_c_regexes)
+          raise ValidationError, "Country #{request.country} doesnt match #{@subject_c_regexes}"
+        end
+        unless component_is_valid?(request.province, @subject_st_regexes)
+          raise ValidationError, "Province #{request.province} doesnt match #{@subject_st_regexes}"
+        end
+        unless component_is_valid?(request.locality, @subject_l_regexes)
+          raise ValidationError, "Locality #{request.locality} doesnt match #{@subject_l_regexes}"
+        end
+        unless component_is_valid?(request.organization, @subject_o_regexes)
+          raise ValidationError, "Organization #{request.organization} doesnt match #{@subject_o_regexes}"
+        end
+        unless component_is_valid?(request.organizational_unit, @subject_ou_regexes)
+          raise ValidationError, "Organizational unit #{request.organizational_unit} doesnt match #{@subject_ou_regexes}"
+        end
+        #todo: add uri, upn, ip, email
+        unless is_key_type_is_valid?(request.key_type, @key_types)
+          raise ValidationError, "Key Type #{request.key_type} doesnt match allowed #{@key_types}"
+        end
+      end
+
+
+      # todo: (!important!) parse csr if it alredy generated (!important!)
+    end
+
+    private
+
+    def is_key_type_is_valid?(key_type, allowed_key_types)
+      if key_type == nil
+        key_type = DEFAULT_KEY_TYPE
+      end
+      for i in 0 ... allowed_key_types.length
+        if allowed_key_types[i] == key_type
+          return true
+        end
+      end
+      false
+    end
+
+    def component_is_valid?(component, regexps, optional:false)
+      if component == nil
+        component = []
+      end
+      unless component.instance_of? Array
+        component = [component]
+      end
+      if component.length == 0 && optional
+        return true
+      end
+      if component.length == 0
+        component = [""]
+      end
+      for i in 0 ... component.length
+        unless match_regexps?(component[i], regexps)
+          return false
+        end
+      end
+      true
+    end
+
+    def match_regexps?(s, regexps)
+      for i in 0 ... regexps.length
+        if Regexp.new(regexps[i]).match(s)
+          return true
+        end
+      end
+      false
+    end
+  end
+
+  class ZoneConfiguration
+    attr_reader :country, :province, :locality, :organization, :organizational_unit, :key_type
+
+    # @param [CertField] country
+    # @param [CertField] province
+    # @param [CertField] locality
+    # @param [CertField] organization
+    # @param [CertField] organizational_unit
+    # @param [CertField] key_type
+    def initialize(country:, province:, locality:, organization:, organizational_unit:, key_type:)
+      @country = country
+      @province = province
+      @locality = locality
+      @organization = organization
+      @organizational_unit = organizational_unit
+      @key_type = key_type
+    end
+  end
+
+  class CertField
+    attr_reader :value, :locked
+
+    def initialize(value, locked: false)
+      @value = value
+      @locked = locked
+    end
+  end
+
+  class KeyType
+    attr_reader :type, :option
+
+    def initialize(type, option)
+      @type = {"rsa" => "rsa", "ec" => "ecdsa", "ecdsa" => "ecdsa"}[type.downcase]
+      if @type == nil
+        raise Vcert::VcertError, "bad key type"
+      end
+      if @type == "rsa"
+        unless  [512, 1024, 2048, 3072, 4096, 8192].include?(option)
+          raise  Vcert::VcertError,"bad option for rsa key: #{option}. should be one from list 512, 1024, 2048, 3072, 4096, 8192"
+        end
+      else
+        unless SUPPORTED_CURVES.include?(option)
+          raise Vcert::VcertError, "bad option for ec key: #{option}. should be one from list #{ SUPPORTED_CURVES}"
+        end
+      end
+      @option = option
+    end
+    def ==(other)
+      unless other.instance_of? KeyType
+        return false
+      end
+      self.type == other.type && self.option == other.option
+    end
+  end
+
+  DEFAULT_KEY_TYPE = KeyType.new("rsa", 2048)
+end
+

data/lib/tpp/tpp.rb

@@ -0,0 +1,338 @@
+require 'json'
+require 'date'
+require 'base64'
+require 'utils/utils'
+
+class Vcert::TPPConnection
+  def initialize(url, user, password, trust_bundle: nil)
+    @url = normalize_url url
+    @user = user
+    @password = password
+    @token = nil
+    @trust_bundle = trust_bundle
+  end
+
+  def request(zone_tag, request)
+    data = {:PolicyDN => policy_dn(zone_tag),
+            :PKCS10 => request.csr,
+            :ObjectName => request.friendly_name,
+            :DisableAutomaticRenewal => "true"}
+    code, response = post URL_CERTIFICATE_REQUESTS, data
+    if code != 200
+      raise Vcert::ServerUnexpectedBehaviorError, "Status  #{code}"
+    end
+    request.id = response['CertificateDN']
+  end
+
+  def retrieve(request)
+    retrieve_request = {CertificateDN: request.id, Format: "base64", IncludeChain: 'true', RootFirstOrder: "false"}
+    code, response = post URL_CERTIFICATE_RETRIEVE, retrieve_request
+    if code != 200
+      return nil
+    end
+    full_chain = Base64.decode64(response['CertificateData'])
+    cert = parse_full_chain full_chain
+    if cert.private_key == nil
+      cert.private_key = request.private_key
+    end
+    cert
+  end
+
+  def policy(zone_tag)
+    code, response = post URL_ZONE_CONFIG, {:PolicyDN => policy_dn(zone_tag)}
+    if code != 200
+      raise Vcert::ServerUnexpectedBehaviorError, "Status  #{code}"
+    end
+    parse_policy_response response, zone_tag
+  end
+
+  def zone_configuration(zone_tag)
+    code, response = post URL_ZONE_CONFIG, {:PolicyDN => policy_dn(zone_tag)}
+    if code != 200
+      raise Vcert::ServerUnexpectedBehaviorError, "Status  #{code}"
+    end
+    parse_zone_configuration response
+  end
+
+  def renew(request, generate_new_key: true)
+    if request.id == nil && request.thumbprint == nil
+      raise("Either request ID or certificate thumbprint is required to renew the certificate")
+    end
+
+    if request.thumbprint != nil
+      request.id = search_by_thumbprint(request.thumbprint)
+    end
+    renew_req_data = {"CertificateDN": request.id}
+    if generate_new_key
+      _, r = post(URL_SECRET_STORE_SEARCH, d = {"Namespace": "config", "Owner": request.id, "VaultType": 512})
+      vaultId = r["VaultIDs"][0]
+      _, r = post(URL_SECRET_STORE_RETRIEVE, d = {"VaultID": vaultId})
+      csr_base64_data = r['Base64Data']
+      csr_pem = "-----BEGIN CERTIFICATE REQUEST-----\n#{csr_base64_data}\n-----END CERTIFICATE REQUEST-----\n"
+      parsed_csr = parse_csr_fields(csr_pem)
+      renew_request = Vcert::Request.new(
+          common_name: parsed_csr.fetch(:CN, nil),
+          san_dns: parsed_csr.fetch(:DNS, nil),
+          country: parsed_csr.fetch(:C, nil),
+          province: parsed_csr.fetch(:ST, nil),
+          locality: parsed_csr.fetch(:L, nil),
+          organization: parsed_csr.fetch(:O, nil),
+          organizational_unit: parsed_csr.fetch(:OU, nil))
+      renew_req_data.merge!(PKCS10: renew_request.csr)
+    end
+    LOG.info("Trying to renew certificate %s" % request.id)
+    _, d = post(URL_CERTIFICATE_RENEW, renew_req_data)
+    if d.key?('Success')
+      if generate_new_key
+        return request.id, renew_request.private_key
+      else
+        return request.id, nil
+      end
+    else
+      raise "Certificate renew error"
+    end
+
+  end
+
+  private
+
+  URL_AUTHORIZE = "authorize/"
+  URL_CERTIFICATE_REQUESTS = "certificates/request"
+  URL_ZONE_CONFIG = "certificates/checkpolicy"
+  URL_CERTIFICATE_RETRIEVE = "certificates/retrieve"
+  URL_CERTIFICATE_SEARCH = "certificates/"
+  URL_CERTIFICATE_RENEW = "certificates/renew"
+  URL_SECRET_STORE_SEARCH = "SecretStore/LookupByOwner"
+  URL_SECRET_STORE_RETRIEVE = "SecretStore/Retrieve"
+
+  TOKEN_HEADER_NAME = "x-venafi-api-key"
+  ALL_ALLOWED_REGEX = ".*"
+
+  def auth
+    uri = URI.parse(@url)
+    request = Net::HTTP.new(uri.host, uri.port)
+    request.use_ssl = true
+    if @trust_bundle != nil
+      request.ca_file = @trust_bundle
+    end
+    url = uri.path + URL_AUTHORIZE
+    data = {:Username => @user, :Password => @password}
+    encoded_data = JSON.generate(data)
+    response = request.post(url, encoded_data, {"Content-Type" => "application/json"})
+    if response.code.to_i != 200
+      raise Vcert::AuthenticationError
+    end
+    data = JSON.parse(response.body)
+    token = data['APIKey']
+    valid_until = DateTime.strptime(data['ValidUntil'].gsub(/\D/, ''), '%Q')
+    @token = token, valid_until
+  end
+
+  def post(url, data)
+    if @token == nil || @token[1] < DateTime.now
+      auth()
+    end
+    uri = URI.parse(@url)
+    request = Net::HTTP.new(uri.host, uri.port)
+    request.use_ssl = true
+    if @trust_bundle != nil
+      request.ca_file = @trust_bundle
+    end
+    url = uri.path + url
+    encoded_data = JSON.generate(data)
+    response = request.post(url, encoded_data, {TOKEN_HEADER_NAME => @token[0], "Content-Type" => "application/json"})
+    data = JSON.parse(response.body)
+    return response.code.to_i, data
+  end
+
+  def get(url)
+    if @token == nil || @token[1] < DateTime.now
+      auth()
+    end
+    uri = URI.parse(@url)
+    request = Net::HTTP.new(uri.host, uri.port)
+    request.use_ssl = true
+    if @trust_bundle != nil
+      request.ca_file = @trust_bundle
+    end
+    url = uri.path + url
+    response = request.get(url, {TOKEN_HEADER_NAME => @token[0]})
+    # TODO: check valid json
+    data = JSON.parse(response.body)
+    return response.code.to_i, data
+  end
+
+  def policy_dn(zone)
+    if zone == nil || zone == ''
+      raise Vcert::ClientBadDataError, "Zone should not be empty"
+    end
+    if zone =~ /^\\\\VED\\\\Poplicy/
+      return zone
+    end
+    if zone =~ /^\\\\/
+      return '\\VED\\Policy' + zone
+    else
+      return '\\VED\\Policy\\' + zone
+    end
+  end
+
+  def normalize_url(url)
+    if url.index('http://') == 0
+      url = "https://" + url[7..-1]
+    elsif url.index('https://') != 0
+      url = 'https://' + url
+    end
+    unless url.end_with?('/')
+      url = url + '/'
+    end
+    unless url.end_with?('/vedsdk/')
+      url = url + 'vedsdk/'
+    end
+    unless url =~ /^https:\/\/[a-z\d]+[-a-z\d.]+[a-z\d][:\d]*\/vedsdk\/$/
+      raise Vcert::ClientBadDataError, "Invalid URL for TPP"
+    end
+    url
+  end
+
+  def parse_full_chain(full_chain)
+    pems = parse_pem_list(full_chain)
+    Vcert::Certificate.new cert: pems[0], chain: pems[1..-1], private_key: nil
+  end
+
+  def search_by_thumbprint(thumbprint)
+    # thumbprint = re.sub(r'[^\dabcdefABCDEF]', "", thumbprint)
+    thumbprint = thumbprint.upcase
+    status, data = get(URL_CERTIFICATE_SEARCH+"?Thumbprint=#{thumbprint}")
+    # TODO: check that data have valid certificate in it
+    if status != 200
+      raise Vcert::ServerUnexpectedBehaviorError, "Status: #{status}. Message:\n #{data.body.to_s}"
+    end
+    # TODO: check valid data
+    return data['Certificates'][0]['DN']
+  end
+
+  def parse_zone_configuration(data)
+    s = data["Policy"]["Subject"]
+    country = Vcert::CertField.new s["Country"]["Value"], locked: s["Country"]["Locked"]
+    state = Vcert::CertField.new s["State"]["Value"], locked: s["State"]["Locked"]
+    city = Vcert::CertField.new s["City"]["Value"], locked: s["City"]["Locked"]
+    organization = Vcert::CertField.new s["Organization"]["Value"], locked: s["Organization"]["Locked"]
+    organizational_unit = Vcert::CertField.new s["OrganizationalUnit"]["Values"], locked: s["OrganizationalUnit"]["Locked"]
+    key_type = Vcert::KeyType.new data["Policy"]["KeyPair"]["KeyAlgorithm"]["Value"], data["Policy"]["KeyPair"]["KeySize"]["Value"]
+    Vcert::ZoneConfiguration.new country: country, province: state, locality: city, organization: organization,
+                                 organizational_unit: organizational_unit, key_type: Vcert::CertField.new(key_type)
+  end
+
+  def parse_policy_response(response, zone_tag)
+    def addStartEnd(s)
+      unless s.index("^") == 0
+        s = "^" + s
+      end
+      unless s.end_with?("$")
+        s = s + "$"
+      end
+      s
+    end
+
+    def escape(value)
+      if value.kind_of? Array
+        return value.map { |v| addStartEnd(Regexp.escape(v)) }
+      else
+        return addStartEnd(Regexp.escape(value))
+      end
+    end
+
+    policy = response["Policy"]
+    s = policy["Subject"]
+    if policy["WhitelistedDomains"].empty?
+      subjectCNRegex = [ALL_ALLOWED_REGEX]
+    else
+      if policy["WildcardsAllowed"]
+        subjectCNRegex = policy["WhitelistedDomains"].map { |d| addStartEnd('[\w\-*]+' + Regexp.escape("." + d)) }
+      else
+        subjectCNRegex = policy["WhitelistedDomains"].map { |d| addStartEnd('[\w\-]+' + Regexp.escape("." + d)) }
+      end
+    end
+    if s["OrganizationalUnit"]["Locked"]
+      subjectOURegexes = escape(s["OrganizationalUnit"]["Values"])
+    else
+      subjectOURegexes = [ALL_ALLOWED_REGEX]
+    end
+    if s["Organization"]["Locked"]
+      subjectORegexes = [escape(s["Organization"]["Value"])]
+    else
+      subjectORegexes = [ALL_ALLOWED_REGEX]
+    end
+    if s["City"]["Locked"]
+      subjectLRegexes = [escape(s["City"]["Value"])]
+    else
+      subjectLRegexes = [ALL_ALLOWED_REGEX]
+    end
+    if s["State"]["Locked"]
+      subjectSTRegexes = [escape(s["State"]["Value"])]
+    else
+      subjectSTRegexes = [ALL_ALLOWED_REGEX]
+    end
+    if s["Country"]["Locked"]
+      subjectCRegexes = [escape(s["Country"]["Value"])]
+    else
+      subjectCRegexes = [ALL_ALLOWED_REGEX]
+    end
+    if policy["SubjAltNameDnsAllowed"]
+      if policy["WhitelistedDomains"].length == 0
+        dnsSanRegExs = [ALL_ALLOWED_REGEX]
+      else
+        dnsSanRegExs = policy["WhitelistedDomains"].map { |d| addStartEnd('[\w-]+' + Regexp.escape("." + d)) }
+      end
+    else
+      dnsSanRegExs = []
+    end
+    if policy["SubjAltNameIpAllowed"]
+      ipSanRegExs = [ALL_ALLOWED_REGEX] # todo: support
+    else
+      ipSanRegExs = []
+    end
+    if policy["SubjAltNameEmailAllowed"]
+      emailSanRegExs = [ALL_ALLOWED_REGEX] # todo: support
+    else
+      emailSanRegExs = []
+    end
+    if policy["SubjAltNameUriAllowed"]
+      uriSanRegExs = [ALL_ALLOWED_REGEX] # todo: support
+    else
+      uriSanRegExs = []
+    end
+
+    if policy["SubjAltNameUpnAllowed"]
+      upnSanRegExs = [ALL_ALLOWED_REGEX] # todo: support
+    else
+      upnSanRegExs = []
+    end
+    unless policy["KeyPair"]["KeyAlgorithm"]["Locked"]
+      key_types = [1024, 2048, 4096, 8192].map { |s| Vcert::KeyType.new("rsa", s) } + Vcert::SUPPORTED_CURVES.map { |c| Vcert::KeyType.new("ecdsa", c) }
+    else
+      if policy["KeyPair"]["KeyAlgorithm"]["Value"] == "RSA"
+        if policy["KeyPair"]["KeySize"]["Locked"]
+          key_types = [Vcert::KeyType.new("rsa", policy["KeyPair"]["KeySize"]["Value"])]
+        else
+          key_types = [1024, 2048, 4096, 8192].map { |s| Vcert::KeyType.new("rsa", s) }
+        end
+      elsif policy["KeyPair"]["KeyAlgorithm"]["Value"] == "EC"
+        if policy["KeyPair"]["EllipticCurve"]["Locked"]
+          curve = {"p224" => "secp224r1", "p256" => "prime256v1", "p521" => "secp521r1"}[policy["KeyPair"]["EllipticCurve"]["Value"].downcase]
+          key_types = [Vcert::KeyType.new("ecdsa", curve)]
+        else
+          key_types = Vcert::SUPPORTED_CURVES.map { |c| Vcert::KeyType.new("ecdsa", c) }
+        end
+      end
+    end
+
+    Vcert::Policy.new(policy_id: policy_dn(zone_tag), name: zone_tag, system_generated: false, creation_date: nil,
+                      subject_cn_regexes: subjectCNRegex, subject_o_regexes: subjectORegexes,
+                      subject_ou_regexes: subjectOURegexes, subject_st_regexes: subjectSTRegexes,
+                      subject_l_regexes: subjectLRegexes, subject_c_regexes: subjectCRegexes, san_regexes: dnsSanRegExs,
+                      key_types: key_types)
+  end
+end
+
+

data/lib/vcert.rb

@@ -0,0 +1,91 @@
+require 'net/https'
+require 'time'
+
+TIMEOUT = 420
+
+module Vcert
+  class VcertError < StandardError ; end
+  class AuthenticationError < VcertError; end
+  class ServerUnexpectedBehaviorError < VcertError; end
+  class ClientBadDataError < VcertError; end
+  class ValidationError < VcertError; end
+
+  class Connection
+    def initialize(url: nil, user: nil, password: nil, cloud_token: nil, trust_bundle:nil, fake: false)
+      if fake
+        @conn = FakeConnection.new
+      elsif cloud_token != nil
+        @conn = CloudConnection.new url, cloud_token
+      elsif user != nil && password != nil && url != nil then
+        @conn = TPPConnection.new url, user, password, trust_bundle:trust_bundle
+      else
+        raise ClientBadDataError, "Invalid credentials list"
+      end
+    end
+
+
+    # @param [String] zone
+    # @param [Request] request
+    def request(zone, request)
+      @conn.request(zone, request)
+    end
+
+    # @param [Request] request
+    # @return [Certificate]
+    def retrieve(request)
+      @conn.retrieve(request)
+    end
+
+    def revoke(*args)
+      @conn.revoke(*args)
+    end
+
+    # @param [String] zone
+    # @return [ZoneConfiguration]
+    def zone_configuration(zone)
+      @conn.zone_configuration(zone)
+    end
+
+    # @param [String] zone
+    # @return [Policy]
+    def policy(zone)
+      @conn.policy(zone)
+    end
+
+    def renew(*args)
+      @conn.renew(*args)
+    end
+
+    # @param [Request] req
+    # @param [String] zone
+    # @param [Integer] timeout
+    # @return [Certificate]
+    def request_and_retrieve(req, zone, timeout: TIMEOUT)
+      request zone, req
+      cert = retrieve_loop(req, timeout: timeout)
+      return cert
+    end
+
+    def retrieve_loop(req, timeout: TIMEOUT)
+      t = Time.new() + timeout
+      loop do
+        if Time.new() > t
+          LOG.info("Waiting certificate #{req.id}")
+          break
+        end
+        certificate = @conn.retrieve(req)
+        if certificate != nil
+          return certificate
+        end
+        sleep 10
+      end
+      return nil
+    end
+
+  end
+end
+
+require 'fake/fake'
+require 'cloud/cloud'
+require 'tpp/tpp'
+require 'objects/objects'

metadata

@@ -0,0 +1,49 @@
+--- !ruby/object:Gem::Specification
+name: vcert
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Denis Subbotin
+- Alexander Rykalin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-09-18 00:00:00.000000000 Z
+dependencies: []
+description: Ruby client for Venafi Cloud and Trust Protection Platform
+email: opensource@venafi.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/cloud/cloud.rb
+- lib/fake/fake.rb
+- lib/objects/objects.rb
+- lib/tpp/tpp.rb
+- lib/vcert.rb
+homepage: https://rubygems.org/gems/vcert
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Library for Venafi products
+test_files: []