autosign 0.0.2 → 0.0.3

data/lib/autosign/validators/multiplexer.rb

@@ -1,12 +1,47 @@
 module Autosign
   module Validators
+
+    # The multiplexer validator sends the same request received by the autosign
+    # executable to one or more external executables. The purpose is to allow
+    # one or more existing autosign scripts to be used in conjunction with the
+    # native validators implemented in this tool.
+    #
+    # @example validate autosign requests with any one of three external autosign scripts
+    #   # In the /etc/autosign.conf file, include a section reading:
+    #   [multiplexer]
+    #     strategy = any
+    #     external_policy_executable = /usr/local/bin/custom-autosigner1.sh
+    #     external_policy_executable = /usr/local/bin/another-autosign-script.rb
+    #     external_policy_executable = /usr/local/bin/yet-another-autosign-script.pl
+    #   # all three scripts will be called with the same interface puppet
+    #   # uses when an autosign policy executable is specified in the `autosign`
+    #   # setting in the [master] section of the puppet.conf config file.
+    #
+    # @example validate autosign requests with both of two external autosign scripts
+    #   # In the /etc/autosign.conf file, include a section reading:
+    #   [multiplexer]
+    #     strategy = all
+    #     external_policy_executable = /usr/local/bin/custom-autosigner1.sh
+    #     external_policy_executable = /usr/local/bin/another-autosign-script.rb
+    #   # requests will only be validated by the multiplexer validator if they
+    #   # are validated by both external policy executables.
     class Multiplexer < Autosign::Validator
+
+      # set the user-friendly name of the Multiplexer validator.
+      # This name is used to specify that configuration should come from the
+      # [multiplexer] section of the autosign.conf file.
+      # @return [String] name of the validator
       def name
         "multiplexer"
       end
 
       private
 
+      # validate a CSR by passing it to each external executable
+      # @param token [String] not used by this validator
+      # @param certname [String] certname requested in the CSR
+      # @param raw_csr [String] X509 certificate signing request as received by the policy executable
+      # @return [True, False] returns true to indicate successful validation, and false to indicate failure to validate
       def perform_validation(token, certname, raw_csr)
         results = []
         @log.debug "validating using multiplexed external executables"
@@ -20,45 +55,59 @@ module Autosign
       end
 
 
+      # set the default validation strategy to "any", succeeding if any one
+      # external autosign script succeeds.
+      # @return [Hash] config hash to be merged in with config file settings and overrides.
       def default_settings
         {
           'strategy' => 'any',
         }
       end
 
-    def validate_using_strategy(array)
-      case settings['strategy']
-      when 'any'
-        @log.debug "validating using 'any' strategy"
-        return array.any?
-      when 'all'
-        @log.debug "validating using 'all' strategy"
-        return array.all?
-      else
-        @log.error "unable to validate; unknown strategy"
-        return false
+      # given an array of booleans, check whether any or all of them are true
+      # depending on the strategy set in settings.
+      # @param array [Array] array of booleans
+      # @return [True, False]
+      def validate_using_strategy(array)
+        case settings['strategy']
+        when 'any'
+          @log.debug "validating using 'any' strategy"
+          return array.any?
+        when 'all'
+          @log.debug "validating using 'all' strategy"
+          return array.all?
+        else
+          @log.error "unable to validate; unknown strategy"
+          return false
+        end
       end
-    end
 
-    def policy_executables
-      return [] if settings['external_policy_executable'].nil?
-      exec_list = settings['external_policy_executable']
-      return [exec_list] if exec_list.is_a?(String)
-      return exec_list if exec_list.is_a?(Array)
-      return []
-    end
+      # return an array of external policy executables in settings,
+      # or an empty array if none are specified.
+      # @return [Array] of policy executables.
+      def policy_executables
+        return [] if settings['external_policy_executable'].nil?
+        exec_list = settings['external_policy_executable']
+        return [exec_list] if exec_list.is_a?(String)
+        return exec_list if exec_list.is_a?(Array)
+        return []
+      end
 
 
-    def validate_settings(settings)
-      @log.debug "validating settings: " + settings.to_s
-      unless ['any', 'all'].include? settings['strategy']
-        @log.error "strategy setting must be set to 'any' or 'all'"
-        return false
-      end
+      # validate that settins are reasonable. Validation strategy must be
+      # either any or all.
+      # @param settings [Hash] config settings hash
+      # @return [True, False] true if settings validate successfully, false otherwise
+      def validate_settings(settings)
+        @log.debug "validating settings: " + settings.to_s
+        unless ['any', 'all'].include? settings['strategy']
+          @log.error "strategy setting must be set to 'any' or 'all'"
+          return false
+        end
 
-      @log.debug "done validating settings"
-      true
-    end
+        @log.debug "done validating settings"
+        true
+      end
 
     end
   end

data/lib/autosign/validators/passwordlist.rb

@@ -0,0 +1,49 @@
+module Autosign
+  module Validators
+    # Validate certificate signing requests using a simple password list.
+    # This is not a very secure or flexible validation scheme, but is provided
+    # because so many existing autosign policy scripts implement it.
+    #
+    # @example validate CSRs when the challengePassword OID is set to any of "hunter2", "opensesame", or "CPE1704TKS"
+    #   # In /etc/autosign.conf, include the following configuration:
+    #   [password_list]
+    #   password = hunter2
+    #   password = opensesame
+    #   password = CPE1704TKS
+    #
+    class Passwordlist < Autosign::Validator
+      def name
+        "password_list"
+      end
+
+      private
+
+      def perform_validation(password, certname, raw_csr)
+        @log.debug "validating against simple password list"
+        @log.debug "passwords: " + settings.to_s
+        result = validate_password(password.to_s)
+        @log.debug "validation result: " + result.to_s
+        return result
+      end
+
+      def validate_password(password)
+        @log.debug "Checking if password list includes password"
+        password_list.include?(password.to_s)
+      end
+
+      def password_list
+        return [] if settings['password'].nil?
+        passwords = settings['password']
+        return [passwords] if passwords.is_a?(String)
+        return passwords if passwords.is_a?(Array)
+        return []
+      end
+
+    def validate_settings(settings)
+      @log.debug "validating settings: " + settings.to_s
+      true
+    end
+
+    end
+  end
+end

data/lib/autosign/version.rb

@@ -1,3 +1,3 @@
 module Autosign
-  VERSION = '0.0.2'
+  VERSION = '0.0.3'
 end

data/spec/spec_helper.rb

@@ -0,0 +1,102 @@
+require 'coveralls'
+Coveralls.wear!
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+#
+require_relative "../lib/autosign"
+@fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures'))
+
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end

data/spec/specs/config_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+context Autosign::Config do
+  describe 'basic use case' do
+    let(:settings) { {} }
+    let(:config) { Autosign::Config.new }
+    it 'accepts a hash as the parameter' do
+      expect { Autosign::Config.new(settings) }.to_not raise_error
+    end
+    it 'Returns hash' do
+      expect(config.settings).to be_a(Hash)
+    end
+    it 'Settings contains general section' do
+      expect(config.settings).to include(
+        'general' => be_a(Hash)
+      )
+    end
+
+  end
+end

data/spec/specs/decoder_spec.rb

@@ -0,0 +1,16 @@
+require 'spec_helper'
+
+context Autosign::Decoder do
+  describe '.decode_csr' do
+    let(:csr) { File.read(File.join('fixtures', 'i-7672fe81.pem')) }
+    it 'Accepts a CSR as the parameter' do
+      expect { Autosign::Decoder.decode_csr(csr) }.to_not raise_error
+    end
+    it 'Extracts the challenge_password and common_name from a CSR' do
+      expect(Autosign::Decoder.decode_csr(csr)).to eq({:challenge_password=>"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImktNzY3MmZlODFcIixcInJlcXVlc3RlclwiOlwiRGFuaWVscy1NYWNCb29rLVByby0yLmxvY2FsXCIsXCJyZXVzYWJsZVwiOmZhbHNlLFwidmFsaWRmb3JcIjo5OTk5OTksXCJ1dWlkXCI6XCI0YTM2ZjA0NS1jNmNlLTRiZjYtYmEzYy02ZjNlNzhlNmI3MWNcIn0iLCJleHAiOiIxNDM3NDcwMTk2In0.OZQdenVzIxy-Is271TK0qqhKmRfqkB2Lhscsz-kIK4HQaem3Awx7zVkiCpj0_eFckgaKYNBMAdhUfIMqS3IMmw", :common_name=>"i-7672fe81"})
+    end
+    it 'Returns nil given an invalid CSR' do
+      expect(Autosign::Decoder.decode_csr("not_a_csr")).to be_nil
+    end
+  end
+end

data/spec/specs/journal_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'securerandom'
+
+context Autosign::Journal do
+  let(:settings) { {'journalfile' => '/tmp/test.journal'} }
+  let(:journal) { Autosign::Journal.new(settings) }
+  let(:uuid) { SecureRandom.uuid }
+  let(:validto) { Time.now.to_i + 900 }
+  let(:data) { {'arbitrary_hey' => 'value'} }
+
+
+  context 'class methods' do
+    describe '.new' do
+      it 'accepts a hash as the parameter' do
+        expect { Autosign::Journal.new(settings) }.to_not raise_error
+      end
+    end
+  end
+
+  context 'instance methods' do
+    describe '.add' do
+      it 'Returns hash' do
+        expect(journal.settings).to be_a(Hash)
+      end
+      it 'adds an entry to the journal with a data hash' do
+        expect(journal.add(uuid, validto, data)).to be true
+      end
+      it 'adds an entry to the journal without a data hash' do
+        expect(journal.add(uuid, validto)).to be true
+      end
+      it 'fail when adding two duplicate entries to the journal' do
+        expect(journal.add(uuid, validto, data)).to be true
+        expect(journal.add(uuid, validto, data)).to be false
+      end
+      it 'fail when adding an invalid UUID to the journal' do
+        expect(journal.add('invalid' + uuid, validto, data)).to be false
+      end
+    end
+
+  end
+end

data/spec/specs/token_spec.rb

@@ -0,0 +1,102 @@
+require 'spec_helper'
+require 'securerandom'
+
+context Autosign::Token do
+  let(:certname)  { 'host.example.com' }
+  let(:reusable)  { false }
+  let(:validfor)  { rand(60..604800) }
+  let(:requester) { 'Autosign::Token rspec_test' }
+  let(:secret)    { 'very_secret' }
+  let(:token)     { Autosign::Token.new(certname, reusable, validfor, requester, secret) }
+  let(:reusable_token)     { Autosign::Token.new(certname, true, validfor, requester, secret) }
+  let(:signed_token)     { token.sign }
+  let(:wildcard_signed_token)     { Autosign::Token.new('/.*\.example\.com/', reusable, validfor, requester, secret).sign }
+  let(:expired_token)     { Autosign::Token.new(certname, reusable, -1, requester, secret).sign }
+  let(:reconstituted_token) { Autosign::Token.from_token(signed_token, secret) }
+
+
+  context 'class methods' do
+    describe '.new' do
+      it 'accepts expected parameters' do
+        expect { Autosign::Token.new(certname, reusable, validfor, requester, secret) }.to_not raise_error
+      end
+    end
+    describe '.validate' do
+      it 'validates a previously-generated token' do
+        expect(Autosign::Token.validate(certname, signed_token, secret)).to be true
+      end
+      it 'validates a previously-generated wildcard token' do
+        expect(Autosign::Token.validate(certname, wildcard_signed_token, secret)).to be true
+      end
+      it 'does not validate a previously-generated wildcard token when it does not match the hostname' do
+        expect(Autosign::Token.validate('not_the_regex', wildcard_signed_token, secret)).to be false
+      end
+      it 'does not validate a token when the secret does not match' do
+        expect(Autosign::Token.validate(certname, signed_token, 'wrong_secret')).to be false
+      end
+      it 'does not validate a token when the certname does not match' do
+        expect(Autosign::Token.validate('wrong' + certname, signed_token, secret)).to be false
+      end
+      it 'does not validate an expired token' do
+        expect(Autosign::Token.validate(certname, expired_token, secret)).to be false
+      end
+    end
+    describe '.from_token' do
+      it 'returns an Autosign::Token instance' do
+        expect(Autosign::Token.from_token(signed_token, secret)).to be_a(Autosign::Token)
+      end
+      it 'has the same hash values as the original token' do
+        expect(reconstituted_token.to_hash).to eq(token.to_hash)
+      end
+    end
+    describe '.token_validto' do
+      it 'returns an integer' do
+        expect(Autosign::Token.token_validto(signed_token, secret)).to be_an(Integer)
+      end
+      it 'returns valid POSIX time' do
+        expect(Time.at(Autosign::Token.token_validto(signed_token, secret))).to be_a(Time)
+      end
+      it 'returns time reasonable close to the current time' do
+        expect(Time.at(Autosign::Token.token_validto(signed_token, secret)).between?(Time.now, Time.now + 604801)).to be true
+      end
+    end
+  end
+
+  context 'instance methods' do
+    describe '.validto' do
+      it 'returns an integer' do
+        expect(token.validfor).to be_a(Integer)
+      end
+      it 'Returns validto time' do
+        expect(token.validfor).to eq(validfor)
+      end
+    end
+    describe '.reusable' do
+      it 'returns the expected value' do
+        expect(token.reusable).to be(reusable)
+        expect(reusable_token.reusable).to be true
+      end
+    end
+    describe '.to_hash' do
+      it 'returns a hash' do
+        expect(token.to_hash).to be_a(Hash)
+      end
+      it 'includes the expected certname, requester, reusable, validfor, and a uuid' do
+        expect(token.to_hash).to include(
+          "certname"  => eq(certname),
+          "requester" => eq(requester),
+          "reusable"  => eq(reusable),
+          "validfor"  => eq(validfor),
+          "uuid"      => be_a(String)
+        )
+      end
+    end
+    describe '.sign' do
+      it 'returns a string' do
+        expect(token.sign).to be_a(String)
+      end
+    end
+
+
+  end
+end