autosign 0.0.2 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,12 +1,47 @@
1
1
  module Autosign
2
2
  module Validators
3
+
4
+ # The multiplexer validator sends the same request received by the autosign
5
+ # executable to one or more external executables. The purpose is to allow
6
+ # one or more existing autosign scripts to be used in conjunction with the
7
+ # native validators implemented in this tool.
8
+ #
9
+ # @example validate autosign requests with any one of three external autosign scripts
10
+ # # In the /etc/autosign.conf file, include a section reading:
11
+ # [multiplexer]
12
+ # strategy = any
13
+ # external_policy_executable = /usr/local/bin/custom-autosigner1.sh
14
+ # external_policy_executable = /usr/local/bin/another-autosign-script.rb
15
+ # external_policy_executable = /usr/local/bin/yet-another-autosign-script.pl
16
+ # # all three scripts will be called with the same interface puppet
17
+ # # uses when an autosign policy executable is specified in the `autosign`
18
+ # # setting in the [master] section of the puppet.conf config file.
19
+ #
20
+ # @example validate autosign requests with both of two external autosign scripts
21
+ # # In the /etc/autosign.conf file, include a section reading:
22
+ # [multiplexer]
23
+ # strategy = all
24
+ # external_policy_executable = /usr/local/bin/custom-autosigner1.sh
25
+ # external_policy_executable = /usr/local/bin/another-autosign-script.rb
26
+ # # requests will only be validated by the multiplexer validator if they
27
+ # # are validated by both external policy executables.
3
28
  class Multiplexer < Autosign::Validator
29
+
30
+ # set the user-friendly name of the Multiplexer validator.
31
+ # This name is used to specify that configuration should come from the
32
+ # [multiplexer] section of the autosign.conf file.
33
+ # @return [String] name of the validator
4
34
  def name
5
35
  "multiplexer"
6
36
  end
7
37
 
8
38
  private
9
39
 
40
+ # validate a CSR by passing it to each external executable
41
+ # @param token [String] not used by this validator
42
+ # @param certname [String] certname requested in the CSR
43
+ # @param raw_csr [String] X509 certificate signing request as received by the policy executable
44
+ # @return [True, False] returns true to indicate successful validation, and false to indicate failure to validate
10
45
  def perform_validation(token, certname, raw_csr)
11
46
  results = []
12
47
  @log.debug "validating using multiplexed external executables"
@@ -20,45 +55,59 @@ module Autosign
20
55
  end
21
56
 
22
57
 
58
+ # set the default validation strategy to "any", succeeding if any one
59
+ # external autosign script succeeds.
60
+ # @return [Hash] config hash to be merged in with config file settings and overrides.
23
61
  def default_settings
24
62
  {
25
63
  'strategy' => 'any',
26
64
  }
27
65
  end
28
66
 
29
- def validate_using_strategy(array)
30
- case settings['strategy']
31
- when 'any'
32
- @log.debug "validating using 'any' strategy"
33
- return array.any?
34
- when 'all'
35
- @log.debug "validating using 'all' strategy"
36
- return array.all?
37
- else
38
- @log.error "unable to validate; unknown strategy"
39
- return false
67
+ # given an array of booleans, check whether any or all of them are true
68
+ # depending on the strategy set in settings.
69
+ # @param array [Array] array of booleans
70
+ # @return [True, False]
71
+ def validate_using_strategy(array)
72
+ case settings['strategy']
73
+ when 'any'
74
+ @log.debug "validating using 'any' strategy"
75
+ return array.any?
76
+ when 'all'
77
+ @log.debug "validating using 'all' strategy"
78
+ return array.all?
79
+ else
80
+ @log.error "unable to validate; unknown strategy"
81
+ return false
82
+ end
40
83
  end
41
- end
42
84
 
43
- def policy_executables
44
- return [] if settings['external_policy_executable'].nil?
45
- exec_list = settings['external_policy_executable']
46
- return [exec_list] if exec_list.is_a?(String)
47
- return exec_list if exec_list.is_a?(Array)
48
- return []
49
- end
85
+ # return an array of external policy executables in settings,
86
+ # or an empty array if none are specified.
87
+ # @return [Array] of policy executables.
88
+ def policy_executables
89
+ return [] if settings['external_policy_executable'].nil?
90
+ exec_list = settings['external_policy_executable']
91
+ return [exec_list] if exec_list.is_a?(String)
92
+ return exec_list if exec_list.is_a?(Array)
93
+ return []
94
+ end
50
95
 
51
96
 
52
- def validate_settings(settings)
53
- @log.debug "validating settings: " + settings.to_s
54
- unless ['any', 'all'].include? settings['strategy']
55
- @log.error "strategy setting must be set to 'any' or 'all'"
56
- return false
57
- end
97
+ # validate that settins are reasonable. Validation strategy must be
98
+ # either any or all.
99
+ # @param settings [Hash] config settings hash
100
+ # @return [True, False] true if settings validate successfully, false otherwise
101
+ def validate_settings(settings)
102
+ @log.debug "validating settings: " + settings.to_s
103
+ unless ['any', 'all'].include? settings['strategy']
104
+ @log.error "strategy setting must be set to 'any' or 'all'"
105
+ return false
106
+ end
58
107
 
59
- @log.debug "done validating settings"
60
- true
61
- end
108
+ @log.debug "done validating settings"
109
+ true
110
+ end
62
111
 
63
112
  end
64
113
  end
@@ -0,0 +1,49 @@
1
+ module Autosign
2
+ module Validators
3
+ # Validate certificate signing requests using a simple password list.
4
+ # This is not a very secure or flexible validation scheme, but is provided
5
+ # because so many existing autosign policy scripts implement it.
6
+ #
7
+ # @example validate CSRs when the challengePassword OID is set to any of "hunter2", "opensesame", or "CPE1704TKS"
8
+ # # In /etc/autosign.conf, include the following configuration:
9
+ # [password_list]
10
+ # password = hunter2
11
+ # password = opensesame
12
+ # password = CPE1704TKS
13
+ #
14
+ class Passwordlist < Autosign::Validator
15
+ def name
16
+ "password_list"
17
+ end
18
+
19
+ private
20
+
21
+ def perform_validation(password, certname, raw_csr)
22
+ @log.debug "validating against simple password list"
23
+ @log.debug "passwords: " + settings.to_s
24
+ result = validate_password(password.to_s)
25
+ @log.debug "validation result: " + result.to_s
26
+ return result
27
+ end
28
+
29
+ def validate_password(password)
30
+ @log.debug "Checking if password list includes password"
31
+ password_list.include?(password.to_s)
32
+ end
33
+
34
+ def password_list
35
+ return [] if settings['password'].nil?
36
+ passwords = settings['password']
37
+ return [passwords] if passwords.is_a?(String)
38
+ return passwords if passwords.is_a?(Array)
39
+ return []
40
+ end
41
+
42
+ def validate_settings(settings)
43
+ @log.debug "validating settings: " + settings.to_s
44
+ true
45
+ end
46
+
47
+ end
48
+ end
49
+ end
@@ -1,3 +1,3 @@
1
1
  module Autosign
2
- VERSION = '0.0.2'
2
+ VERSION = '0.0.3'
3
3
  end
@@ -0,0 +1,102 @@
1
+ require 'coveralls'
2
+ Coveralls.wear!
3
+ # This file was generated by the `rspec --init` command. Conventionally, all
4
+ # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
5
+ # The generated `.rspec` file contains `--require spec_helper` which will cause
6
+ # this file to always be loaded, without a need to explicitly require it in any
7
+ # files.
8
+ #
9
+ # Given that it is always loaded, you are encouraged to keep this file as
10
+ # light-weight as possible. Requiring heavyweight dependencies from this file
11
+ # will add to the boot time of your test suite on EVERY test run, even for an
12
+ # individual file that may not need all of that loaded. Instead, consider making
13
+ # a separate helper file that requires the additional dependencies and performs
14
+ # the additional setup, and require it from the spec files that actually need
15
+ # it.
16
+ #
17
+ # The `.rspec` file also contains a few flags that are not defaults but that
18
+ # users commonly want.
19
+ #
20
+ # See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
21
+ #
22
+ require_relative "../lib/autosign"
23
+ @fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures'))
24
+
25
+ RSpec.configure do |config|
26
+ # rspec-expectations config goes here. You can use an alternate
27
+ # assertion/expectation library such as wrong or the stdlib/minitest
28
+ # assertions if you prefer.
29
+ config.expect_with :rspec do |expectations|
30
+ # This option will default to `true` in RSpec 4. It makes the `description`
31
+ # and `failure_message` of custom matchers include text for helper methods
32
+ # defined using `chain`, e.g.:
33
+ # be_bigger_than(2).and_smaller_than(4).description
34
+ # # => "be bigger than 2 and smaller than 4"
35
+ # ...rather than:
36
+ # # => "be bigger than 2"
37
+ expectations.include_chain_clauses_in_custom_matcher_descriptions = true
38
+ end
39
+
40
+ # rspec-mocks config goes here. You can use an alternate test double
41
+ # library (such as bogus or mocha) by changing the `mock_with` option here.
42
+ config.mock_with :rspec do |mocks|
43
+ # Prevents you from mocking or stubbing a method that does not exist on
44
+ # a real object. This is generally recommended, and will default to
45
+ # `true` in RSpec 4.
46
+ mocks.verify_partial_doubles = true
47
+ end
48
+
49
+ # The settings below are suggested to provide a good initial experience
50
+ # with RSpec, but feel free to customize to your heart's content.
51
+ =begin
52
+ # These two settings work together to allow you to limit a spec run
53
+ # to individual examples or groups you care about by tagging them with
54
+ # `:focus` metadata. When nothing is tagged with `:focus`, all examples
55
+ # get run.
56
+ config.filter_run :focus
57
+ config.run_all_when_everything_filtered = true
58
+
59
+ # Allows RSpec to persist some state between runs in order to support
60
+ # the `--only-failures` and `--next-failure` CLI options. We recommend
61
+ # you configure your source control system to ignore this file.
62
+ config.example_status_persistence_file_path = "spec/examples.txt"
63
+
64
+ # Limits the available syntax to the non-monkey patched syntax that is
65
+ # recommended. For more details, see:
66
+ # - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
67
+ # - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
68
+ # - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
69
+ config.disable_monkey_patching!
70
+
71
+ # This setting enables warnings. It's recommended, but in some cases may
72
+ # be too noisy due to issues in dependencies.
73
+ config.warnings = true
74
+
75
+ # Many RSpec users commonly either run the entire suite or an individual
76
+ # file, and it's useful to allow more verbose output when running an
77
+ # individual spec file.
78
+ if config.files_to_run.one?
79
+ # Use the documentation formatter for detailed output,
80
+ # unless a formatter has already been configured
81
+ # (e.g. via a command-line flag).
82
+ config.default_formatter = 'doc'
83
+ end
84
+
85
+ # Print the 10 slowest examples and example groups at the
86
+ # end of the spec run, to help surface which specs are running
87
+ # particularly slow.
88
+ config.profile_examples = 10
89
+
90
+ # Run specs in random order to surface order dependencies. If you find an
91
+ # order dependency and want to debug it, you can fix the order by providing
92
+ # the seed, which is printed after each run.
93
+ # --seed 1234
94
+ config.order = :random
95
+
96
+ # Seed global randomization in this process using the `--seed` CLI option.
97
+ # Setting this allows you to use `--seed` to deterministically reproduce
98
+ # test failures related to randomization by passing the same `--seed` value
99
+ # as the one that triggered the failure.
100
+ Kernel.srand config.seed
101
+ =end
102
+ end
@@ -0,0 +1,20 @@
1
+ require 'spec_helper'
2
+
3
+ context Autosign::Config do
4
+ describe 'basic use case' do
5
+ let(:settings) { {} }
6
+ let(:config) { Autosign::Config.new }
7
+ it 'accepts a hash as the parameter' do
8
+ expect { Autosign::Config.new(settings) }.to_not raise_error
9
+ end
10
+ it 'Returns hash' do
11
+ expect(config.settings).to be_a(Hash)
12
+ end
13
+ it 'Settings contains general section' do
14
+ expect(config.settings).to include(
15
+ 'general' => be_a(Hash)
16
+ )
17
+ end
18
+
19
+ end
20
+ end
@@ -0,0 +1,16 @@
1
+ require 'spec_helper'
2
+
3
+ context Autosign::Decoder do
4
+ describe '.decode_csr' do
5
+ let(:csr) { File.read(File.join('fixtures', 'i-7672fe81.pem')) }
6
+ it 'Accepts a CSR as the parameter' do
7
+ expect { Autosign::Decoder.decode_csr(csr) }.to_not raise_error
8
+ end
9
+ it 'Extracts the challenge_password and common_name from a CSR' do
10
+ expect(Autosign::Decoder.decode_csr(csr)).to eq({:challenge_password=>"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImktNzY3MmZlODFcIixcInJlcXVlc3RlclwiOlwiRGFuaWVscy1NYWNCb29rLVByby0yLmxvY2FsXCIsXCJyZXVzYWJsZVwiOmZhbHNlLFwidmFsaWRmb3JcIjo5OTk5OTksXCJ1dWlkXCI6XCI0YTM2ZjA0NS1jNmNlLTRiZjYtYmEzYy02ZjNlNzhlNmI3MWNcIn0iLCJleHAiOiIxNDM3NDcwMTk2In0.OZQdenVzIxy-Is271TK0qqhKmRfqkB2Lhscsz-kIK4HQaem3Awx7zVkiCpj0_eFckgaKYNBMAdhUfIMqS3IMmw", :common_name=>"i-7672fe81"})
11
+ end
12
+ it 'Returns nil given an invalid CSR' do
13
+ expect(Autosign::Decoder.decode_csr("not_a_csr")).to be_nil
14
+ end
15
+ end
16
+ end
@@ -0,0 +1,41 @@
1
+ require 'spec_helper'
2
+ require 'securerandom'
3
+
4
+ context Autosign::Journal do
5
+ let(:settings) { {'journalfile' => '/tmp/test.journal'} }
6
+ let(:journal) { Autosign::Journal.new(settings) }
7
+ let(:uuid) { SecureRandom.uuid }
8
+ let(:validto) { Time.now.to_i + 900 }
9
+ let(:data) { {'arbitrary_hey' => 'value'} }
10
+
11
+
12
+ context 'class methods' do
13
+ describe '.new' do
14
+ it 'accepts a hash as the parameter' do
15
+ expect { Autosign::Journal.new(settings) }.to_not raise_error
16
+ end
17
+ end
18
+ end
19
+
20
+ context 'instance methods' do
21
+ describe '.add' do
22
+ it 'Returns hash' do
23
+ expect(journal.settings).to be_a(Hash)
24
+ end
25
+ it 'adds an entry to the journal with a data hash' do
26
+ expect(journal.add(uuid, validto, data)).to be true
27
+ end
28
+ it 'adds an entry to the journal without a data hash' do
29
+ expect(journal.add(uuid, validto)).to be true
30
+ end
31
+ it 'fail when adding two duplicate entries to the journal' do
32
+ expect(journal.add(uuid, validto, data)).to be true
33
+ expect(journal.add(uuid, validto, data)).to be false
34
+ end
35
+ it 'fail when adding an invalid UUID to the journal' do
36
+ expect(journal.add('invalid' + uuid, validto, data)).to be false
37
+ end
38
+ end
39
+
40
+ end
41
+ end
@@ -0,0 +1,102 @@
1
+ require 'spec_helper'
2
+ require 'securerandom'
3
+
4
+ context Autosign::Token do
5
+ let(:certname) { 'host.example.com' }
6
+ let(:reusable) { false }
7
+ let(:validfor) { rand(60..604800) }
8
+ let(:requester) { 'Autosign::Token rspec_test' }
9
+ let(:secret) { 'very_secret' }
10
+ let(:token) { Autosign::Token.new(certname, reusable, validfor, requester, secret) }
11
+ let(:reusable_token) { Autosign::Token.new(certname, true, validfor, requester, secret) }
12
+ let(:signed_token) { token.sign }
13
+ let(:wildcard_signed_token) { Autosign::Token.new('/.*\.example\.com/', reusable, validfor, requester, secret).sign }
14
+ let(:expired_token) { Autosign::Token.new(certname, reusable, -1, requester, secret).sign }
15
+ let(:reconstituted_token) { Autosign::Token.from_token(signed_token, secret) }
16
+
17
+
18
+ context 'class methods' do
19
+ describe '.new' do
20
+ it 'accepts expected parameters' do
21
+ expect { Autosign::Token.new(certname, reusable, validfor, requester, secret) }.to_not raise_error
22
+ end
23
+ end
24
+ describe '.validate' do
25
+ it 'validates a previously-generated token' do
26
+ expect(Autosign::Token.validate(certname, signed_token, secret)).to be true
27
+ end
28
+ it 'validates a previously-generated wildcard token' do
29
+ expect(Autosign::Token.validate(certname, wildcard_signed_token, secret)).to be true
30
+ end
31
+ it 'does not validate a previously-generated wildcard token when it does not match the hostname' do
32
+ expect(Autosign::Token.validate('not_the_regex', wildcard_signed_token, secret)).to be false
33
+ end
34
+ it 'does not validate a token when the secret does not match' do
35
+ expect(Autosign::Token.validate(certname, signed_token, 'wrong_secret')).to be false
36
+ end
37
+ it 'does not validate a token when the certname does not match' do
38
+ expect(Autosign::Token.validate('wrong' + certname, signed_token, secret)).to be false
39
+ end
40
+ it 'does not validate an expired token' do
41
+ expect(Autosign::Token.validate(certname, expired_token, secret)).to be false
42
+ end
43
+ end
44
+ describe '.from_token' do
45
+ it 'returns an Autosign::Token instance' do
46
+ expect(Autosign::Token.from_token(signed_token, secret)).to be_a(Autosign::Token)
47
+ end
48
+ it 'has the same hash values as the original token' do
49
+ expect(reconstituted_token.to_hash).to eq(token.to_hash)
50
+ end
51
+ end
52
+ describe '.token_validto' do
53
+ it 'returns an integer' do
54
+ expect(Autosign::Token.token_validto(signed_token, secret)).to be_an(Integer)
55
+ end
56
+ it 'returns valid POSIX time' do
57
+ expect(Time.at(Autosign::Token.token_validto(signed_token, secret))).to be_a(Time)
58
+ end
59
+ it 'returns time reasonable close to the current time' do
60
+ expect(Time.at(Autosign::Token.token_validto(signed_token, secret)).between?(Time.now, Time.now + 604801)).to be true
61
+ end
62
+ end
63
+ end
64
+
65
+ context 'instance methods' do
66
+ describe '.validto' do
67
+ it 'returns an integer' do
68
+ expect(token.validfor).to be_a(Integer)
69
+ end
70
+ it 'Returns validto time' do
71
+ expect(token.validfor).to eq(validfor)
72
+ end
73
+ end
74
+ describe '.reusable' do
75
+ it 'returns the expected value' do
76
+ expect(token.reusable).to be(reusable)
77
+ expect(reusable_token.reusable).to be true
78
+ end
79
+ end
80
+ describe '.to_hash' do
81
+ it 'returns a hash' do
82
+ expect(token.to_hash).to be_a(Hash)
83
+ end
84
+ it 'includes the expected certname, requester, reusable, validfor, and a uuid' do
85
+ expect(token.to_hash).to include(
86
+ "certname" => eq(certname),
87
+ "requester" => eq(requester),
88
+ "reusable" => eq(reusable),
89
+ "validfor" => eq(validfor),
90
+ "uuid" => be_a(String)
91
+ )
92
+ end
93
+ end
94
+ describe '.sign' do
95
+ it 'returns a string' do
96
+ expect(token.sign).to be_a(String)
97
+ end
98
+ end
99
+
100
+
101
+ end
102
+ end