autosign 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,15 @@
 ---
-SHA1:
-  metadata.gz: df93f6a505859c956b527410ffd01c67f3aad762
-  data.tar.gz: f9a1c7f7e857e6f596e6a50b4f534b772a1e62af
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    ZmEzYTA2MWU4NGI4MDVlYTgwZDZkMTFkNWFhM2QwNDhmMGEyZThjZg==
+  data.tar.gz: !binary |-
+    MDZmNjkzMDM3M2IxY2JjMDY3YzEwZWQ3MjMxNzY5MGY0MGFlZmRlNw==
 SHA512:
-  metadata.gz: 86adf30615877ec93e1038b51bf59b73026d01e842c93cdcc7b834965f7de546b8cded69e23d10917a393b0633650899c0460d3b3b60fcd1bb9cf9f5e76e39ff
-  data.tar.gz: 0d2b232814a18fef940e3605d83148a45d724c22ca3f7e490dbf14550ef4d67fbf0ef6eb3281ef35e9ad9fce8ff429ca88bb9d546071208d54fef405bd72229b
+  metadata.gz: !binary |-
+    MGJlNDkyMGQxYzViZDgwY2U5ZDcwNjAwMDgxZjVkMDExNjZhZWNiYWJkN2My
+    YmFhMjIzZGE2YmUwZDc0MTFhMjM1ZWY1OTVkZGQ3YzlkNTA1ZTVlZmI5NDVm
+    MmNjMGI2NjFkMmQ2NTlmNTBjYjJiYmIzMTkzNThjYTU1YmFhNmM=
+  data.tar.gz: !binary |-
+    YjJiNTYwNGIyNzFkMjRlYjUyZjJiMzZkZjZhNmQ5NDU3OGI2ZTkyNDE5YTU4
+    NmY4ZTI3MDVmMWVkYzE4MWRjMGI4ZTVkNjQzNDkzYTBhYzA5NTdlNjQzODFk
+    OWI1MTM5YmQ5N2ExNjg4Nzk3YWUxZWQ4MzQyNTM4ZGEwYjJhMTQ=

data/.gitignore

@@ -0,0 +1,5 @@
+html
+doc
+.vagrant
+.yardoc
+autosign.conf

data/.rspec

@@ -0,0 +1,4 @@
+--color
+--require spec_helper
+--format documentation
+--backtrace

data/.travis.yml

@@ -10,4 +10,10 @@ rvm:
   - 2.1.5
   - 2.2.2
 script:
-  - bundle exec cucumber
+  - bundle exec rake ci
+deploy:
+  provider: rubygems
+  api_key:
+    secure: "ivsiPBTcedPXuQ3hiLhLMDEaM5UUWfNi32Wy/BaDw8qwrUa6+v87IOFzipse4pa7GXzEpZf65o6/5ihxGeSZtw1sf90kwF2tMVWqjp4oFoHqg83Qscsz49X4yE1IkgVj1W/tOg2gJDneCjf250bZ3Wg/3UFSORM/f/3WVQ9vidHzb0JEaPWf4ClSeW7UVZfGz2muc6txKsQJwWgNccuyOnCfc9ElS4Vn130cIMB/t0xumVos2z8CExAFJ2dMfSqHJMc/NtamXT/tED6e2G28wLQGzViO48DuAyG3v+ubrEFpknaLkEzryfvOUPieP/hpCm9yfzbkTnulgFg1qw2QMtkrubECujZ3hg59UNyeKcixrihEWL6oSqCkJKbGyVnNxYpisb08Jdxq2o1xQD5uh1EGmMaewl3NExYdjCTzDmCVgEO7I5ItiKwUCMl9mVAGa2LEiI/SCjFxoEdglJOfCqeGunWXG1QjE2KYaD1qzkR4VCqBEP7v+wgheL0108VILjOQ6SzfMt6aaAjX0nQ2thtMvIeWUVXBlRUOzNVtQaGSyMcABPespDoyrlE5N/6HwVon+OObVKo+0mx9OYrRwxlBkAqp/vV2mXSdlD6ThUYgk7bk5ofpKQuJGTT/sr1Vyulzh2a2B1D2lDCK87mHbqvd5XnxuGCNFA90wxJ5biI="
+  on:
+    tags: true

data/Gemfile.lock

@@ -1,66 +1,119 @@
 PATH
   remote: .
   specs:
-    autosign (0.0.1)
-      deep_merge
+    autosign (0.0.3)
+      deep_merge (~> 1)
       gli (~> 2)
       iniparse (~> 1)
-      json
+      json (~> 1)
       jwt (~> 1)
-      logging
-      require_all
-      yard
+      logging (~> 2)
+      require_all (~> 1)
+      yard (~> 0.8)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aruba (0.6.2)
-      childprocess (>= 0.3.6)
-      cucumber (>= 1.1.1)
-      rspec-expectations (>= 2.7.0)
+    CFPropertyList (2.2.8)
+    aruba (0.8.0)
+      childprocess (~> 0.5.6)
+      contracts (~> 0.9)
+      cucumber (>= 1.3.19)
+      rspec-expectations (>= 2.99)
     builder (3.2.2)
     childprocess (0.5.6)
       ffi (~> 1.0, >= 1.0.11)
-    cucumber (2.0.0)
+    contracts (0.10)
+    coveralls (0.8.2)
+      json (~> 1.8)
+      rest-client (>= 1.6.8, < 2)
+      simplecov (~> 0.10.0)
+      term-ansicolor (~> 1.3)
+      thor (~> 0.19.1)
+    cucumber (2.0.1)
       builder (>= 2.1.2)
-      cucumber-core (~> 1.1.3)
+      cucumber-core (~> 1.2.0)
       diff-lcs (>= 1.1.3)
       gherkin (~> 2.12)
       multi_json (>= 1.7.5, < 2.0)
       multi_test (>= 0.1.2)
-    cucumber-core (1.1.3)
+    cucumber-core (1.2.0)
       gherkin (~> 2.12.0)
     deep_merge (1.0.1)
     diff-lcs (1.2.5)
-    ffi (1.9.9)
+    docile (1.1.5)
+    domain_name (0.5.24)
+      unf (>= 0.0.5, < 1.0.0)
+    facter (2.4.4)
+      CFPropertyList (~> 2.2.6)
+    ffi (1.9.10)
     gherkin (2.12.2)
       multi_json (~> 1.3)
     gli (2.13.1)
+    hiera (1.3.4)
+      json_pure
+    http-cookie (1.0.2)
+      domain_name (~> 0.5)
     iniparse (1.4.0)
     json (1.8.3)
+    json_pure (1.8.2)
     jwt (1.5.1)
     little-plugger (1.1.3)
     logging (2.0.0)
       little-plugger (~> 1.1)
       multi_json (~> 1.10)
-    multi_json (1.11.1)
+    mime-types (2.6.1)
+    multi_json (1.11.2)
     multi_test (0.1.2)
+    netrc (0.10.3)
+    puppet (3.8.1)
+      facter (> 1.6, < 3)
+      hiera (~> 1.0)
+      json_pure
     rake (10.4.2)
     rdoc (4.2.0)
       json (~> 1.4)
     require_all (1.3.2)
+    rest-client (1.8.0)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 3.0)
+      netrc (~> 0.7)
+    rspec (3.3.0)
+      rspec-core (~> 3.3.0)
+      rspec-expectations (~> 3.3.0)
+      rspec-mocks (~> 3.3.0)
+    rspec-core (3.3.1)
+      rspec-support (~> 3.3.0)
     rspec-expectations (3.3.0)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.3.0)
+    rspec-mocks (3.3.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.3.0)
     rspec-support (3.3.0)
+    simplecov (0.10.0)
+      docile (~> 1.1.0)
+      json (~> 1.8)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.0)
+    term-ansicolor (1.3.2)
+      tins (~> 1.0)
+    thor (0.19.1)
+    tins (1.5.4)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.1)
     yard (0.8.7.6)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  aruba
+  aruba (~> 0.6)
   autosign!
-  cucumber
-  rake
-  rdoc
+  coveralls
+  cucumber (~> 2)
+  puppet (~> 3)
+  rake (~> 10)
+  rdoc (~> 4)
+  rspec (~> 3)

data/README.md

@@ -1,5 +1,5 @@
 # autosign
-[![Build Status](https://travis-ci.org/danieldreier/autosign.svg?branch=master)](https://travis-ci.org/danieldreier/autosign) [![Code Climate](https://codeclimate.com/github/danieldreier/autosign/badges/gpa.svg)](https://codeclimate.com/github/danieldreier/autosign) [![Dependency Status](https://gemnasium.com/danieldreier/autosign.svg)](https://gemnasium.com/danieldreier/autosign) [![Yard Docs](http://img.shields.io/badge/yard-docs-blue.svg)](http://rubydoc.info/github/danieldreier/autosign) [![Inline docs](http://inch-ci.org/github/danieldreier/autosign.png)](http://inch-ci.org/github/danieldreier/autosign)
+[![Build Status](https://travis-ci.org/danieldreier/autosign.svg?branch=master)](https://travis-ci.org/danieldreier/autosign) [![Code Climate](https://codeclimate.com/github/danieldreier/autosign/badges/gpa.svg)](https://codeclimate.com/github/danieldreier/autosign) [![Dependency Status](https://gemnasium.com/danieldreier/autosign.svg)](https://gemnasium.com/danieldreier/autosign) [![Yard Docs](http://img.shields.io/badge/yard-docs-blue.svg)](http://rubydoc.info/github/danieldreier/autosign) [![Inline docs](http://inch-ci.org/github/danieldreier/autosign.png)](http://inch-ci.org/github/danieldreier/autosign) [![Coverage Status](https://coveralls.io/repos/danieldreier/autosign/badge.svg?branch=master&service=github)](https://coveralls.io/github/danieldreier/autosign?branch=master) [![Gem Version](https://badge.fury.io/rb/autosign.svg)](http://badge.fury.io/rb/autosign)
 
 Tooling to make puppet autosigning easy, secure, and extensible
 

data/Rakefile

@@ -1,9 +1,16 @@
-require 'rake/clean'
 require 'rubygems'
+begin
+  require 'rspec/core/rake_task'
+  require 'cucumber'
+  require 'cucumber/rake/task'
+  require 'rdoc/task'
+  RSpec::Core::RakeTask.new(:spec) do |t|
+    t.rspec_opts = '--format documentation'
+  end
+rescue LoadError
+end
+require 'rake/clean'
 require 'rubygems/package_task'
-require 'rdoc/task'
-require 'cucumber'
-require 'cucumber/rake/task'
 Rake::RDocTask.new do |rd|
   rd.main = "README.rdoc"
   rd.rdoc_files.include("README.rdoc","lib/**/*.rb","bin/**/*")
@@ -17,11 +24,9 @@ end
 CUKE_RESULTS = 'results.html'
 CLEAN << CUKE_RESULTS
 desc 'Run features'
+
 Cucumber::Rake::Task.new(:features) do |t|
-  opts = "features --format html -o #{CUKE_RESULTS} --format progress -x"
-  opts += " --tags #{ENV['TAGS']}" if ENV['TAGS']
-  t.cucumber_opts =  opts
-  t.fork = false
+  t.cucumber_opts = "features --format pretty"
 end
 
 desc 'Run features tagged as work-in-progress (@wip)'
@@ -32,7 +37,6 @@ Cucumber::Rake::Task.new('features:wip') do |t|
   t.fork = false
 end
 
-task :cucumber => :features
 task 'cucumber:wip' => 'features:wip'
 task :wip => 'features:wip'
 require 'rake/testtask'
@@ -41,4 +45,6 @@ Rake::TestTask.new do |t|
   t.test_files = FileList['test/*_test.rb']
 end
 
+task :ci => [:spec, :features]
+
 task :default => [:test,:features]

data/autosign.gemspec

@@ -11,22 +11,23 @@ spec = Gem::Specification.new do |s|
   s.files = `git ls-files`.split("
 ")
   s.require_paths << 'lib'
-  s.has_rdoc = true
-  s.extra_rdoc_files = ['README.rdoc','autosign.rdoc']
+  s.has_rdoc = false
   s.rdoc_options << '--title' << 'autosign' << '--main' << 'README.rdoc' << '-ri'
   s.bindir = 'bin'
   s.executables << 'autosign'
-  s.add_development_dependency('rake')
-  s.add_development_dependency('rdoc')
-  s.add_development_dependency('aruba')
-  s.add_development_dependency('cucumber')
-  s.add_development_dependency('puppet')
+  s.add_development_dependency('rake', '~> 10')
+  s.add_development_dependency('rdoc', '~> 4')
+  s.add_development_dependency('aruba', '~> 0.6')
+  s.add_development_dependency('cucumber', '~> 2')
+  s.add_development_dependency('puppet', '~> 3')
+  s.add_development_dependency('rspec', '~> 3')
+  s.add_development_dependency('coveralls')
   s.add_runtime_dependency('gli','~> 2')
   s.add_runtime_dependency('jwt','~> 1')
   s.add_runtime_dependency('iniparse','~> 1')
-  s.add_runtime_dependency('logging')
-  s.add_runtime_dependency('json')
-  s.add_runtime_dependency('deep_merge')
-  s.add_runtime_dependency('require_all')
-  s.add_runtime_dependency('yard')
+  s.add_runtime_dependency('logging', '~> 2')
+  s.add_runtime_dependency('json', '~> 1')
+  s.add_runtime_dependency('deep_merge', '~> 1')
+  s.add_runtime_dependency('require_all', '~> 1')
+  s.add_runtime_dependency('yard', '~> 0.8')
 end

data/lib/autosign.rb

@@ -9,3 +9,18 @@ require 'autosign/validator.rb'
 
 # Add requires for other files you add to your project here, so
 # you just need to require this one file in your bin file
+
+# Autosign facilitates SSL certificate autosigning in Puppet.
+# The overall flow of data is:
+#
+# When executed by puppet to validate certificate signing requests:
+#
+# 1. Puppet runs bin/autosign-validator with the requested certname as the parameter and the X509 CSR in STDIN
+# 2. bin/autosign-validator uses Autosign::Decoder to extract key data from the CSR, then
+# 3. Uses Autosign::Validator.any_validator to send the CSR to each available validator.
+# 4. Autosign::Validator.any_validator calls each of its' child classes, and returns true if any validator succeeds.
+# 5. bin/autosign-validator exits with exit code 0 if validation succeeded, or exit code 1 if validation failed.
+#
+module Autosign
+  # this section is only here as a stub to allow documentation of the overall module/gem in yardoc format.
+end

data/lib/autosign/config.rb

@@ -20,6 +20,11 @@ module Autosign
     end
   end
 
+  # Class to manage configuration settings.
+  # The purpose of this class is to interact with the configuration file,
+  # merge defaults and user-provided settings, and present a configuration hash
+  # so that validators and other components do not have to re-implement config
+  # file handling.
   class Config
     # Create a config instance to interact with configuration settings
     # To specify a configuration file, settings_param should include something like:

data/lib/autosign/decoder.rb

@@ -1,4 +1,8 @@
 module Autosign
+  # Class to abstract X509 certificate signing request decoding.
+  # This class is only expected to be used for class methods.
+  # The purpose is to extract common fields from CSRs so that individual
+  # validators don't have to re-implement that logic.
   class Decoder
     # Extract common name and challenge_password OID from X509 SSL Certificate signing requests
     #
@@ -13,6 +17,9 @@ module Autosign
       rescue OpenSSL::X509::RequestError
         @log.error "Rescued OpenSSL::X509::RequestError; unable to decode CSR"
         return nil
+      rescue
+        @log.error "Rescued an OpenSSL error. Unable to decode CSR."
+        return nil
       end
 
       # extract challenge password

data/lib/autosign/journal.rb

@@ -37,7 +37,7 @@ module Autosign
     # This is the primary way this class is expected to be used
     def add(uuid, validto, data = {})
       @log.debug "attempting to add UUID: '#{uuid.to_s}' which is valid to '#{Time.at(validto.to_i)}' with data #{data.to_s}"
-      puts validate_uuid(uuid).to_s
+      return false unless validate_uuid(uuid)
 
       store = setup
       # wrap the change in a transaction because multiple autosign instances

data/lib/autosign/token.rb

@@ -71,6 +71,12 @@ module Autosign
         errors << "Invalid Token"
       end
       @log.warn "validation failed with: #{errors.join(', ')}" unless errors.count == 0
+
+      if data.nil?
+        @log.error "token is nil; this probably means the token failed to validate"
+        return false
+      end
+
       certname_is_regex = (data["certname"] =~ /\/[^\/].*\//) ? true : false
 
       if certname_is_regex
@@ -117,12 +123,17 @@ module Autosign
     end
 
     # Sign the token with HMAC using a SHA-512 hash
-    # @return [String] signed, serialized JSON web token
     def sign()
       exp_payload = { :data => to_json, :exp => validto.to_s}
       JWT.encode exp_payload, secret, 'HS512'
     end
 
+    # Create an Autosign::Token object from a serialized token after validating
+    # the signature and expiration time validity.
+    #
+    # @param token [String] JSON Web Token coming from the certificate signing request
+    # @param secret [String] shared HMAC secret used to sign or validate tokens
+    # @return [Autosign::Token] instance of Autosign::Token with the settings from the serialized token
     def self.from_token(token, hmac_secret)
       begin
         decoded = JWT.decode(token, hmac_secret)[0]

data/lib/autosign/validators/jwt.rb

@@ -1,16 +1,35 @@
 module Autosign
   module Validators
+    # Validate certificate signing requests using JSON Web Tokens (JWT).
+    # This is the expected primary validator when using the autosign gem.
+    # Validation requires that the shared secret used to generate the JWT is
+    # the same as on the validating system. The validator also checks that the
+    # token has not expired, and that one-time (non-reusable) tokens have not
+    # been previously used.
     class JWT < Autosign::Validator
+
+      # set the user-friendly name of the JWT validator.
+      # This name is used to specify that configuration should come from the
+      # [jwt_token] section of the autosign.conf file.
+      # @return [String] name of the validator
       def name
         "jwt_token"
       end
 
       private
 
+      # Validate a JWT token.
+      # Validation relies on the Autosign::Token class, then additionally
+      # confirms that one-time tokens have not already been used by adding them
+      # to the journal.
+      # @param token [String] Base64 encoded JSON web token
+      # @param certname [String] the certname being requested in the certificate signing request
+      # @param raw_csr [String] Raw CSR; not used in this validator.
+      # @return [True, False] returns true to indicate successful validation, and false to indicate failure to validate
       def perform_validation(token, certname, raw_csr)
-        puts "attempting to validate JWT token"
+        @log.info "attempting to validate JWT token"
         return false unless Autosign::Token.validate(certname, token, settings['secret'])
-        puts "validated JWT token"
+        @log.info "validated JWT token"
         @log.debug "validated JWT token, checking reusability"
 
         return true if is_reusable?(token)
@@ -22,6 +41,11 @@ module Autosign
         Autosign::Token.from_token(token, settings['secret']).reusable
       end
 
+      # Attempt to add a token to the one-time token journal.
+      # The journal lists previously used non-reusable tokens, indexed by UUID.
+      #
+      # @param token [String] Base64 encoded JSON web token
+      # @return [True, False] returns true if the token was successfully added to the journal, or false if the token was previously used and is already in the journal
       def add_to_journal(token)
         validated_token = Autosign::Token.from_token(token, settings['secret'])
         @log.debug 'add_to_journal settings: ' + settings.to_s
@@ -44,8 +68,13 @@ module Autosign
         }
       end
 
+      # Override some configuration settings using environment variables to
+      # simplify testing. This is a hack to make testing easier.
+      # Cucumber sets environment variables because it's easier than templating
+      # out config files.
+      #
+      # This should probably be done differently at some point.
       def get_override_settings
-        # this is a hack to make testing easier
         if (ENV["AUTOSIGN_TESTMODE"] == "true" and
             !ENV["AUTOSIGN_TEST_SECRET"].nil? and
             !ENV["AUTOSIGN_TEST_JOURNALFILE"].nil? )
@@ -58,6 +87,11 @@ module Autosign
         end
       end
 
+    # Validate that the settings hash contains a secret.
+    # The validator cannot function without a secret, so there's no point
+    # in continuing to run if it was configured without a secret.
+    # @param settings [Hash] settings hash
+    # @return [True, False] return true if settings are valid, false if config is unusable
     def validate_settings(settings)
       @log.debug "validating settings: " + settings.to_s
       if settings['secret'].is_a?(String)