autosign 0.0.1

data/features/step_definitions/autosign_steps.rb

@@ -0,0 +1,44 @@
+When(/^I get help for "([^"]*)"$/) do |app_name|
+  @app_name = app_name
+  step %(I run `#{app_name} help`)
+end
+
+Given(/^a pre\-shared key of "([^"]*)"$/) do |presharedkey|
+  @psk = presharedkey
+end
+
+Given(/^a hostname of "([^"]*)"$/) do |host|
+  @hostname = host
+end
+
+Given(/^the current time is (\d+)$/) do |time|
+  @current_time = time
+end
+
+Given(/^a static token file containing:$/) do |multiline|
+    @static_token_file = multiline
+end
+
+Given(/^a mocked "\/(\S*)" directory$/)do |directory|
+  dir_name = File.join(File.expand_path(current_dir), "etc")
+  FileUtils.mkdir_p dir_name
+  set_env 'ETCROOT', dir_name
+#  create_dir("etc")
+end
+
+Then(/^a "\/(\S*)" (?:file|directory) should exist$/) do |file|
+  #expect(File.exist?(File.join(File.expand_path(current_dir), file))).to be true
+  fullpath = File.join(File.expand_path(current_dir), file)
+  FileUtils.mkdir_p fullpath
+  $world.puts "path: " + fullpath
+  expect(File.exist?(file)).to be true
+end
+
+#When(/^I pipe in the file "(.*?)"$/) do |file|
+#  in_current_dir do
+#    File.open(file, 'r').each_line do |line|
+#      _write_interactive(line)
+#    end
+#  end
+#  @interactive.stdin.close()
+#end

data/features/support/env.rb

@@ -0,0 +1,17 @@
+require 'aruba/cucumber'
+
+
+ENV['PATH'] = "#{File.expand_path(File.dirname(__FILE__) + '/../../bin')}#{File::PATH_SEPARATOR}#{ENV['PATH']}"
+LIB_DIR = File.join(File.expand_path(File.dirname(__FILE__)),'..','..','lib')
+
+Before do
+  # Using "announce" causes massive warnings on 1.9.2
+  @puts = true
+  @original_rubylib = ENV['RUBYLIB']
+  ENV['RUBYLIB'] = LIB_DIR + File::PATH_SEPARATOR + ENV['RUBYLIB'].to_s
+  $world = self
+end
+
+After do
+  ENV['RUBYLIB'] = @original_rubylib
+end

data/features/validate.feature

@@ -0,0 +1,20 @@
+Feature: Validate autosign key
+  In order to sign puppet certificates automatically
+  I want to validate autosign keys programatically
+  So that I only grant access to allowed systems without needing manual authorization
+
+  Scenario: Validate a certificate signing request
+    Given I set the environment variables to:
+      | variable               | value  |
+      | AUTOSIGN_TESTMODE      | true   |
+      | AUTOSIGN_TEST_SECRET   | secret |
+      | AUTOSIGN_TEST_LOGLEVEL | info   |
+    When I run `autosign-validator i-7672fe81` interactively
+     And I pipe in the file "../../fixtures/i-7672fe81.pem"
+    Then the output should contain "token validated successfully"
+    Then the exit status should be 0
+
+  Scenario: Do not validate a certificate signing request whose certname does not match the certificate
+    When I run `autosign-validator wrong-certname.example.com` interactively
+     And I pipe in the file "../../fixtures/i-7672fe81.pem"
+    Then the exit status should be 1

data/fixtures/i-7672fe81.pem

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIF8jCCA9oCAQAwFTETMBEGA1UEAwwKaS03NjcyZmU4MTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAKy9i/q94RycncCxUgoGexiHY/El/q5mV+fB6DlB
+60tPpAxUUDpdEFmSS63/uKc5bGIE7R+YD64etHHY6WeX/JK1OIE17YCIMT+J82tC
+MCTiXHgD52uViuYC0a3Yr7PrrAYALrVzSds3hbfsQNmC/9BfwLD1FB5g8PVPb82J
+paahRAh4dBzjgbNVrgI0s54dlDca9LvO+RDORqJVBM27jy1rScdg4rxcy30Fw9DI
+1NhrhfXrNTnUb6T7GOpKZjJO0mbhItZRQr28S1Rx3Lyqk43HkIJQ66/7tUhrBXmG
+787hHhqYbh0dvxR8t61Xu7ITIX3U164kEE70nVNxelTFuedYUA7os85WDriCoD9n
+O2eNatMdWPpw7kcvoPZzIc2kfu4UQxP9UTYLKz2sNnjan2ZSoTdQ6K4tc0ee5hVv
+AF3klg+M9LpoLEnBu51hhxhfEiaY/cx2EdQvsJOJH9U5Q11jvnn6McxDfoLHeGeW
+7Cp6qjmVysirE/tQU9Ds2v+NEkmOF1JLMe95lxISvwz4tuoRlgGRLD6vJhyDyUtg
+Zg505eiWxjWJ6h4591Ll0yjVgYuOf4I5aePXsOsh9zS4cchzbktWdAoBgv/p6sVH
+67Gfd1EzdkByT8RGBOCV9T4jX4NwBqFL7HczHO0GnUqvZ0034THnqCyPSxTqOy6n
+QogDAgMBAAGgggGWMIIBkgYJKoZIhvcNAQkHMYIBgxOCAX9leUowZVhBaU9pSktW
+MVFpTENKaGJHY2lPaUpJVXpVeE1pSjkuZXlKa1lYUmhJam9pZTF3aVkyVnlkRzVo
+YldWY0lqcGNJbWt0TnpZM01tWmxPREZjSWl4Y0luSmxjWFZsYzNSbGNsd2lPbHdp
+UkdGdWFXVnNjeTFOWVdOQ2IyOXJMVkJ5YnkweUxteHZZMkZzWENJc1hDSnlaWFZ6
+WVdKc1pWd2lPbVpoYkhObExGd2lkbUZzYVdSbWIzSmNJam81T1RrNU9Ua3NYQ0ox
+ZFdsa1hDSTZYQ0kwWVRNMlpqQTBOUzFqTm1ObExUUmlaall0WW1Fell5MDJaak5s
+TnpobE5tSTNNV05jSW4waUxDSmxlSEFpT2lJeE5ETTNORGN3TVRrMkluMC5PWlFk
+ZW5Wekl4eS1JczI3MVRLMHFxaEttUmZxa0IyTGhzY3N6LWtJSzRIUWFlbTNBd3g3
+elZraUNwajBfZUZja2dhS1lOQk1BZGhVZklNcVMzSU1tdzANBgkqhkiG9w0BAQsF
+AAOCAgEADY7/yRoEeXziUo8bwIp4E+0FPfpP9+uVbhHJE+5TIgBBR1B4qzN0/vRG
+Rv6Vo9dwjMadxxWmXQbKjzkC+t2DuIY2u9bgoVr54IMzllwBvfhvDzj9qO6gRlko
+cNyWzoz/Bc9/KmO7jCttI7QjkJWPE8JvlId5TEzgNPmo7L1QXQXNSlp1tc3EDwdp
+xWpfx7NXzZJUpgCueywYwjWB/ckK4Mu5wvXuWyHw2J/4hMbxhJzl++DKkHxxtDIa
+UKfTlEp/9InQUUo6HluN4GqMguu9wcvcRQIKf8SiWiQmH3LnMaCl+yWQ8rYS7w7O
+oIIlw9IrQMrKwt14hEDDORdSBiFcRHkmdegW0Z+OWTNVkeSA3IS0YRTNnItnDg24
+GJcx8ooaj9upbfixnnhBWZwfQwf1ngWN192hXlORkTSeav9/1nSTJujy6X5wp6b/
+3WtYGy6c9Gknx26dQB6JLTxJyGUQbgoNMG3toCaISLJUamDcT03eTx6yvpm2eC4l
+uwRPdegUj0sMNQivJ34elXeJtCT70RcQGU3dhspXI1AsYVmNNGqj20Kkzd971WAq
+lxkG9yhW9TapxTe1G1BPETYXtLK8a0Y4evdnFVE1w9MRWfmWO2UMMC2bOVlV83pN
+x8ykrmy6WP7cubIIH7/PUD8jI2ekBEjvIDdft2dZeYEWZIs5DcI=
+-----END CERTIFICATE REQUEST-----

data/lib/autosign.rb

@@ -0,0 +1,9 @@
+require 'autosign/version.rb'
+require 'autosign/token.rb'
+require 'autosign/config.rb'
+require 'autosign/decoder.rb'
+require 'autosign/journal.rb'
+require 'autosign/validator.rb'
+
+# Add requires for other files you add to your project here, so
+# you just need to require this one file in your bin file

data/lib/autosign/config.rb

@@ -0,0 +1,131 @@
+module Autosign
+  module Exceptions
+    class Validation < Exception
+    end
+    class NotFound < Exception
+    end
+    class Permissions < Exception
+    end
+    class Error < Exception
+    end
+  end
+    require 'iniparse'
+    require 'rbconfig'
+    require 'securerandom'
+    require 'deep_merge'
+  class Config
+    attr_accessor :location
+    attr_accessor :config_file_paths
+    def initialize(settings = {})
+      # set up logging
+      @log = Logging.logger['Autosign::Config']
+      @log.debug "initializing Autosign::Config"
+
+      # validate parameter
+      raise 'settings is not a hash' unless settings.is_a?(Hash)
+
+      # look in the following places for a config file
+      @config_file_paths = ['/etc/autosign.conf', '/usr/local/etc/autosign.conf', File.join(Dir.home, '.autosign.conf')]
+      @config_file_paths = [ settings['config_file'] ] unless settings['config_file'].nil?
+
+      @settings = settings
+      @log.debug "Using merged settings hash: " + @settings.to_s
+    end
+
+    def settings
+      @log.debug "merging settings"
+      setting_sources = [default_settings, configfile, @settings]
+      setting_sources.inject({}) { |merged, hash| merged.deep_merge(hash) }
+    end
+
+    private
+
+    def default_settings
+      { 'general' =>
+        {
+          'loglevel'       => 'INFO',
+          'token_validity' => 7200,
+          'logfile'        => '/var/log/autosign.log',
+          'journalfile'    => '/var/log/autosign.journal',
+        },
+        'jwt_token' => {
+          'validity' => 7200
+        }
+      }
+    end
+
+    def configfile
+      @log.debug "Finding config file"
+      @config_file_paths.each { |file|
+        @log.debug "Checking if file '#{file}' exists"
+        if File.file?(file)
+          @log.debug "Reading config file from: " + file
+          config_file = File.read(file)
+          parsed_config_file = IniParse.parse(config_file).to_hash
+          @log.debug "configuration read from config file: " + parsed_config_file.to_s
+          return parsed_config_file if parsed_config_file.is_a?(Hash)
+        else
+          @log.debug "Configuration file '#{file}' not found"
+        end
+      }
+      return {}
+    end
+
+    def validate_config_file(configfile = location)
+      @log.debug "validating config file"
+      unless File.file?(configfile)
+        @log.error "configuration file not found at: #{configfile}"
+        raise Autosign::Exceptions::NotFound
+      end
+
+      # check if file is world-readable
+      if File.world_readable?(configfile) or File.world_writable?(configfile)
+        @log.error "configuration file #{configfile} is world-readable or world-writable, which is a security risk"
+        raise Autosign::Exceptions::Permissions
+      end
+
+      configfile
+    end
+
+    def self.generate_default()
+      os_defaults = (
+        case RbConfig::CONFIG['host_os']
+        when /darwin|mac os/
+          {
+            'logpath'     => File.join(Dir.home, 'autosign.log'),
+            'confpath'    => File.join(Dir.home, '.autosign.conf'),
+            'journalfile' => File.join(Dir.home, '.autosign.journal')
+          }
+        when /linux/
+          {
+            'logpath'     => '/var/log/autosign.log',
+            'confpath'    => '/etc/autosign.conf',
+            'journalfile' => File.join(Dir.home, '/var/log/autosign.journal')
+          }
+        when /bsd/
+          {
+            'logpath'     => '/var/log/autosign.log',
+            'confpath'    => '/usr/local/etc/autosign.conf',
+            'journalfile' => File.join(Dir.home, '/var/log/autosign.journal')
+          }
+        else
+          raise Autosign::Exceptions::Error, "unsupported os: #{host_os.inspect}"
+        end
+      )
+
+      config = IniParse.gen do |doc|
+        doc.section("general") do |general|
+          general.option("loglevel", "warn")
+          general.option("logfile", os_defaults['logpath'])
+          general.option("journalfile", os_defaults['journalfile'])
+        end
+        doc.section("jwt_token") do |jwt_token|
+          jwt_token.option("secret", SecureRandom.base64(15))
+          jwt_token.option("validity", 7200)
+        end
+      end.to_ini
+      raise Autosign::Exceptions::Error, "file #{os_defaults['confpath']} already exists, aborting" if File.file?(os_defaults['confpath'])
+      File.write(os_defaults['confpath'], config)
+    end
+  end
+end

data/lib/autosign/decoder.rb

@@ -0,0 +1,32 @@
+require 'logging'
+
+module Autosign
+  class Decoder
+    def self.decode_csr(csr)
+      @log = Logging.logger['Autosign::Decoder']
+      @log.debug "decoding CSR"
+
+      begin
+        csr = OpenSSL::X509::Request.new(csr)
+      rescue OpenSSL::X509::RequestError
+        @log.error "Rescued OpenSSL::X509::RequestError; unable to decode CSR"
+        return nil
+      end
+
+      # extract challenge password
+      challenge_password = csr.attributes.select { |a| a.oid == 'challengePassword' }.first.value.value.first.value
+
+      # extract common name
+      common_name = /^\/CN=(\S*)$/.match(csr.subject.to_s)[1]
+
+      output = {
+        :challenge_password => challenge_password,
+        :common_name        => common_name
+      }
+
+      @log.info "Decoded CSR for CN: " + output[:common_name].to_s
+      @log.debug "Decoded CSR as: " + output.to_s
+      return output
+    end
+  end
+end

data/lib/autosign/journal.rb

@@ -0,0 +1,123 @@
+require 'logging'
+require 'yaml/store'
+
+# Autosign::Journal checks for one-time keys that have been used before
+
+module Autosign
+  class Journal
+    attr_accessor :settings
+    def initialize(settings = {})
+      @log = Logging.logger['Autosign::Journal']
+      @log.debug "initializing Autosign::Journal"
+      @settings = settings
+      fail unless self.setup
+    end
+
+    def setup
+      journalfile = self.settings['journalfile']
+      store = YAML::Store.new(journalfile, true)
+      store.ultra_safe = true
+      return store
+    end
+
+    # Check whether a UUID already exists in the journal
+    #
+    # ==== Attributes
+    #
+    # * +uuid+ - Unique journal entry identifier
+    #
+    # ==== Examples
+    #
+    # To exit if a token has already been used:
+    #
+    #    journal = Autosign::Journal.new({journalfile = '/etc/autosign/journal')
+    #    exit 1 if journal.check('d2e601c8-93df-4459-be18-1877eaf00920')
+    def check(uuid)
+      fail unless validate_uuid(uuid)
+      true
+    end
+
+    def delete(uuid)
+      fail unless validate_uuid(uuid)
+      true
+    end
+
+
+    # Add a new token to the journal
+    #
+    # ==== Attributes
+    #
+    # * +uuid+ - Unique journal entry identifier
+    # * +validto+ - Integer seconds unix timestamp that the token will be valid until
+    # * +data+ - Arbitrary hash that will be serialized and stored in the journal for auditing purposes
+    #
+    # ==== Examples
+    #
+    # To attempt adding a token to the journal:
+    #
+    #    journal = Autosign::Journal.new({journalfile = '/etc/autosign/journal')
+    #    exit 1 if journal.add('d2e601c8-93df-4459-be18-1877eaf00920')
+    #
+    # This will only succeed if the token has not previously been added
+    # This is the primary way this class is expected to be used
+    def add(uuid, validto, data = {})
+      @log.debug "attempting to add UUID: '#{uuid.to_s}' which is valid to '#{Time.at(validto.to_i)}' with data #{data.to_s}"
+      puts validate_uuid(uuid).to_s
+      #fail unless validate_uuid(uuid)
+      #fail unless validate_timestamp(validto)
+      #fail unless validate_data(data)
+
+      store = self.setup
+      # wrap the change in a transaction because multiple autosign instances
+      # may try to run simultaneously. This will block until another process
+      # releases the transaction lock.
+      result = store.transaction do
+        # check whether the UUID is already in the store
+        if store.root?(uuid)
+          @log.warn "Token with UUID '#{uuid}' is already saved in the journal, will not add'"
+          store.abort
+        else
+          # save the token identified by UUID
+          store[uuid.to_s] = {:validto => validto.to_s, :data => data}
+        end
+      end
+
+      # return true if the transaction went through
+      return !!result
+    end
+
+    def validate_uuid(uuid)
+      unless uuid.is_a?(String)
+        @log.error "UUID is not a string"
+        return false
+      end
+
+      unless !!/^\S{8}-\S{4}-4\S{3}-[89abAB]\S{3}-\S{12}$/.match(uuid.to_s)
+        @log.error "UUID is not a valid V4 UUID"
+        return false
+      end
+    end
+
+    def validate_data(data)
+      unless data.is_a?(Hash)
+        @log.error "data is not a hash"
+        return false
+      end
+    end
+
+    def validate_timestamp(time)
+      unless time.is_a?(Integer)
+        @log.error "timestamp is not an integer"
+        return false
+      end
+
+      if Time.at(time) > Time.now
+        @log.debug "validated timestamp: " + time
+        return true
+      else
+        @log.error "invalid timestamp: " + time
+        return false
+      end
+    end
+  end
+end

data/lib/autosign/logger.rb

@@ -0,0 +1,7 @@
+module Autosign
+  require 'logging'
+  @logger = Logging.logger['autosign_logger']
+  @logger.level = :warn
+
+
+end

data/lib/autosign/token.rb

@@ -0,0 +1,143 @@
+module Autosign
+  require 'jwt'
+  require 'JSON'
+  require 'securerandom'
+
+  class Token
+    attr_reader :validfor
+    attr_reader :certname
+    attr_reader :reusable
+    attr_reader :requester
+    attr_reader :secret
+    attr_accessor :validto
+    attr_accessor :uuid
+
+    def initialize(certname, reusable=false, validfor=7200, requester, secret)
+      # set up logging
+      @log = Logging.logger['Autosign::Token']
+      @log.debug "initializing"
+
+      @validfor  = validfor
+      @certname  = certname
+      @reusable  = reusable
+      @requester = requester
+      @secret    = secret
+      @uuid      = SecureRandom.uuid # UUID is needed to allow token regeneration with the same settings
+      @validto   = Time.now.to_i + self.validfor
+    end
+
+    def self.validate(requested_certname, token, hmac_secret)
+      @log = Logging.logger['Autosign::Token.validate']
+      @log.debug "attempting to validate token"
+      @log.info "attempting to validate token for: #{requested_certname.to_s}"
+      errors = []
+      begin
+        @log.debug "Decoding and parsing token"
+        data = JSON.parse(JWT.decode(token, hmac_secret)[0]["data"])
+      rescue JWT::ExpiredSignature
+        @log.warn "Token has an expired signature"
+        errors << "Expired Signature"
+      rescue
+        @log.warn "Unable to validate token successfully"
+        errors << "Invalid Token"
+      end
+      @log.warn "validation failed with: #{errors.join(', ')}" unless errors.count == 0
+      certname_is_regex = (data["certname"] =~ /\/[^\/].*\//) ? true : false
+
+      if certname_is_regex
+        @log.debug "validating certname as regular expression"
+        regexp = Regexp.new(/\/([^\/].*)\//.match(data["certname"])[1])
+        unless regexp.match(requested_certname)
+          errors << "certname: '#{requested_certname}' does not match validation regex: '#{regexp.to_s}'"
+        end
+      else
+        unless data["certname"] == requested_certname
+          errors << "certname: '#{requested_certname}' does not match certname '#{data["certname"]}' in token"
+        end
+      end
+
+      unless errors.count == 0
+        @log.warn "validation failed with: #{errors.join(', ')}"
+        return false
+      else
+        @log.info "validated token successfully"
+        return true
+      end
+
+      # we should never get here, but if we do we should break instead of returning anything
+      @log.error "unexpectedly reached end of validation method"
+      raise Autosign::Token::ValidationError
+    end
+
+    def self.token_validto(token, hmac_secret)
+      begin
+        decoded = JWT.decode(token, hmac_secret)[0]
+      rescue JWT::ExpiredSignature
+        raise Autosign::Token::ExpiredToken
+      rescue
+        raise Autosign::Token::Invalid
+      end
+      return decoded['exp'].to_i
+    end
+
+    def self.from_token(token, hmac_secret)
+      begin
+        decoded = JWT.decode(token, hmac_secret)[0]
+      rescue JWT::ExpiredSignature
+        raise Autosign::Token::ExpiredToken
+      rescue
+        raise Autosign::Token::Invalid
+      end
+      certname  = JSON.parse(decoded["data"])["certname"]
+      requester = JSON.parse(decoded["data"])["requester"]
+      reusable  = JSON.parse(decoded["data"])["reusable"]
+      validfor  = JSON.parse(decoded["data"])["validfor"]
+
+      new_token = self.new(certname, reusable, validfor, requester, hmac_secret)
+      new_token.validto = self.token_validto(token, hmac_secret)
+      new_token.uuid = JSON.parse(decoded["data"])["uuid"]
+
+      return new_token
+    end
+
+    def certname=(str)
+      @name = str
+    end
+
+    def reusable=(bool)
+      @reusable = !!bool
+    end
+
+    def reusable
+      !!@reusable
+    end
+
+    def requester=(str)
+      @requester = str
+    end
+
+    def secret=(str)
+      @secret = str
+    end
+
+    def to_hash
+      {
+        "certname"  => self.certname,
+        "requester" => self.requester,
+        "reusable"  => self.reusable,
+        "validfor"  => self.validfor,
+        "uuid"      => self.uuid
+      }
+    end
+
+    def to_json
+      JSON.generate self.to_hash
+    end
+
+    def sign()
+      exp_payload = { :data => self.to_json, :exp => self.validto.to_s}
+      JWT.encode exp_payload, self.secret, 'HS512'
+    end
+
+  end
+end