autosign 0.0.6 → 0.0.7
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +8 -8
- data/Gemfile.lock +3 -3
- data/bin/autosign +12 -26
- data/features/autosign.feature +4 -11
- data/lib/autosign/config.rb +16 -5
- data/lib/autosign/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
---
|
|
2
2
|
!binary "U0hBMQ==":
|
|
3
3
|
metadata.gz: !binary |-
|
|
4
|
-
|
|
4
|
+
YWFiZDhhNDExMzllMTRiNTMxMjYzZjNjNjljYzQ1MjdjNjc3NGM2MQ==
|
|
5
5
|
data.tar.gz: !binary |-
|
|
6
|
-
|
|
6
|
+
Mzk0ZmVhNWNlNDg1Y2FjYmE0N2RjY2EzOTIyOTUyOWYzODk3NTgwOQ==
|
|
7
7
|
SHA512:
|
|
8
8
|
metadata.gz: !binary |-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
MmZmZTA5YmE2ZjM4NjY3ZTdlZTNkMjhiMTllNDczNWU4MTYzNWZmMDc4MjI0
|
|
10
|
+
ODhlZjE1YjUyZWYxNTU4ZDA1YzQ4Y2EyNGY1OGRiNjVjNzlhOGExN2M1ODZj
|
|
11
|
+
Mzk5YzhkZWY2NGNhMTc0M2QwNGU4ZTMwZWIyOGUwMjQyZWVmNWE=
|
|
12
12
|
data.tar.gz: !binary |-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
13
|
+
MTJhNzI0NzM5NDYwMjVmOWU5MGI0NzIwODI5NDgwMGMwODlkNTY1NzRkZTcz
|
|
14
|
+
NWE3ODdiNjY5NzdlYzU4MzVmNDg1YzgyODc3MzA4NTBkMjVmMmYwZGRlOGRh
|
|
15
|
+
ZDQzYjYxZTFjMjY1NzViMmM5YmQ4YTBhYzViZTExMzA2YWY3YWM=
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
autosign (0.0.
|
|
4
|
+
autosign (0.0.7)
|
|
5
5
|
deep_merge (~> 1)
|
|
6
6
|
gli (~> 2)
|
|
7
7
|
iniparse (~> 1)
|
|
@@ -23,14 +23,14 @@ GEM
|
|
|
23
23
|
builder (3.2.2)
|
|
24
24
|
childprocess (0.5.6)
|
|
25
25
|
ffi (~> 1.0, >= 1.0.11)
|
|
26
|
-
contracts (0.10)
|
|
26
|
+
contracts (0.10.1)
|
|
27
27
|
coveralls (0.8.2)
|
|
28
28
|
json (~> 1.8)
|
|
29
29
|
rest-client (>= 1.6.8, < 2)
|
|
30
30
|
simplecov (~> 0.10.0)
|
|
31
31
|
term-ansicolor (~> 1.3)
|
|
32
32
|
thor (~> 0.19.1)
|
|
33
|
-
cucumber (2.0.
|
|
33
|
+
cucumber (2.0.2)
|
|
34
34
|
builder (>= 2.1.2)
|
|
35
35
|
cucumber-core (~> 1.2.0)
|
|
36
36
|
diff-lcs (>= 1.1.3)
|
data/bin/autosign
CHANGED
|
@@ -37,15 +37,11 @@ desc 'Quiet output - only log errors'
|
|
|
37
37
|
switch [:q, :quiet]
|
|
38
38
|
|
|
39
39
|
desc 'Generate an autosign token'
|
|
40
|
-
arg_name 'certname
|
|
40
|
+
arg_name 'certname/regex'
|
|
41
41
|
command :generate do |c|
|
|
42
42
|
c.desc 'Generate a reusable token; default is to generate one-time tokens'
|
|
43
43
|
c.switch [:r, :reusable]
|
|
44
44
|
|
|
45
|
-
c.desc 'certname or regex of certnames the autosign token will be valid for'
|
|
46
|
-
c.arg_name 'certname'
|
|
47
|
-
c.flag [:n,:certname]
|
|
48
|
-
|
|
49
45
|
c.desc 'autosign token validity period'
|
|
50
46
|
c.default_value '7200'
|
|
51
47
|
c.arg_name 'seconds'
|
|
@@ -57,16 +53,17 @@ command :generate do |c|
|
|
|
57
53
|
options['validfor'] = config.settings.to_hash['jwt_token']['validity'].to_s if options['validfor'] == '7200'
|
|
58
54
|
@logger.debug "validfor: " + options['validfor']
|
|
59
55
|
help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
|
|
60
|
-
help_now!('certname is required') if
|
|
56
|
+
help_now!('certname is required as argument') if args[0].nil?
|
|
57
|
+
certname = args[0]
|
|
61
58
|
|
|
62
59
|
help_now!('validfor setting must be an positive integer number of seconds') if !/\A\d+\z/.match(options['validfor'].to_s)
|
|
63
|
-
token = Autosign::Token.new(
|
|
64
|
-
@logger.info "generated token for: " +
|
|
65
|
-
puts "Autosign token for: " + token.certname
|
|
66
|
-
puts "
|
|
67
|
-
puts ""
|
|
68
|
-
puts token.sign.to_s
|
|
60
|
+
token = Autosign::Token.new(certname, options['reusable'], options['validfor'].to_i, Socket.gethostname.to_s, global_options['secret'])
|
|
61
|
+
@logger.info "generated token for: " + certname
|
|
62
|
+
puts "Autosign token for: " + token.certname + ", valid until: " + Time.at(token.validto).to_s
|
|
63
|
+
puts "To use the token, put the following in ${puppet_confdir}/csr_attributes.yaml prior to running puppet agent for the first time:"
|
|
69
64
|
puts ""
|
|
65
|
+
puts "custom_attributes:"
|
|
66
|
+
puts " challengePassword: \"#{token.sign.to_s}\""
|
|
70
67
|
end
|
|
71
68
|
end
|
|
72
69
|
|
|
@@ -101,11 +98,12 @@ end
|
|
|
101
98
|
desc 'Autosign configuration'
|
|
102
99
|
command :config do |c|
|
|
103
100
|
|
|
104
|
-
c.desc '
|
|
101
|
+
c.desc 'Create a default autosign.conf file'
|
|
105
102
|
c.command :setup do |setup|
|
|
106
103
|
setup.action do |global_options,options,args|
|
|
107
104
|
@logger.info "setup command ran with #{global_options} #{options} #{args}"
|
|
108
|
-
|
|
105
|
+
result = Autosign::Config.generate_default
|
|
106
|
+
STDOUT.puts "generated default config file at #{result}" if result
|
|
109
107
|
end
|
|
110
108
|
end
|
|
111
109
|
|
|
@@ -120,18 +118,6 @@ command :config do |c|
|
|
|
120
118
|
|
|
121
119
|
end
|
|
122
120
|
|
|
123
|
-
desc 'Install an autosign token; run this prior to running puppet for the first time on an agent'
|
|
124
|
-
arg_name 'token'
|
|
125
|
-
command :use do |c|
|
|
126
|
-
c.action do |global_options,options,args|
|
|
127
|
-
puppet_confdir = %x[puppet config print confdir].chomp
|
|
128
|
-
@logger.debug "use command ran with #{global_options} #{options} #{args}"
|
|
129
|
-
puts "put the following in #{puppet_confdir}/csr_attributes.yaml prior to running puppet agent for the first time:
|
|
130
|
-
custom_attributes:
|
|
131
|
-
challengePassword: \"#{args[0]}\""
|
|
132
|
-
end
|
|
133
|
-
end
|
|
134
|
-
|
|
135
121
|
pre do |global,command,options,args|
|
|
136
122
|
# Pre logic here
|
|
137
123
|
# Return true to proceed; false to abort and not call the
|
data/features/autosign.feature
CHANGED
|
@@ -13,9 +13,9 @@ Feature: Generate autosign key
|
|
|
13
13
|
secret = secret
|
|
14
14
|
"""
|
|
15
15
|
When I run `chmod 600 autosign.conf`
|
|
16
|
-
And I run `autosign --config autosign.conf generate
|
|
16
|
+
And I run `autosign --config autosign.conf generate foo.example.com`
|
|
17
17
|
Then the output should contain "Autosign token for: foo.example.com"
|
|
18
|
-
And the output should contain "
|
|
18
|
+
And the output should contain "valid until"
|
|
19
19
|
And the exit status should be 0
|
|
20
20
|
|
|
21
21
|
Scenario: Generate new reusable token
|
|
@@ -28,9 +28,9 @@ Feature: Generate autosign key
|
|
|
28
28
|
validity = 7200
|
|
29
29
|
"""
|
|
30
30
|
When I run `chmod 600 autosign.conf`
|
|
31
|
-
When I run `autosign --config autosign.conf generate
|
|
31
|
+
When I run `autosign --config autosign.conf generate foo.example.com --reusable`
|
|
32
32
|
Then the output should contain "Autosign token for: foo.example.com"
|
|
33
|
-
And the output should contain "
|
|
33
|
+
And the output should contain "valid until"
|
|
34
34
|
And the exit status should be 0
|
|
35
35
|
|
|
36
36
|
Scenario: Validate a token
|
|
@@ -69,10 +69,3 @@ Feature: Generate autosign key
|
|
|
69
69
|
When I run `chmod 600 autosign.conf`
|
|
70
70
|
When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjEsXCJ1dWlkXCI6XCJlNjI1Y2I1Ny02NzY5LTQwMzQtODNiZS0zNzkxNmQ5YmMxMDRcIn0iLCJleHAiOiIxNDM2NDY2MzAyIn0.UXEDEbRqEWx5SdSpQjfowU56JubY5Yz2QN6cckby2es-g2P_n2lyAS6AwFeliBXyCDyVUelIT3g1QP4TdB9EEA"`
|
|
71
71
|
Then the exit status should be 1
|
|
72
|
-
|
|
73
|
-
Scenario: Generate a csr_attributes.yaml file
|
|
74
|
-
When I run `autosign use hunter2`
|
|
75
|
-
Then the output should contain "challengePassword: "
|
|
76
|
-
And the output should contain "csr_attributes.yaml"
|
|
77
|
-
And the output should contain "hunter2"
|
|
78
|
-
And the exit status should be 0
|
data/lib/autosign/config.rb
CHANGED
|
@@ -43,7 +43,10 @@ module Autosign
|
|
|
43
43
|
raise 'settings is not a hash' unless settings_param.is_a?(Hash)
|
|
44
44
|
|
|
45
45
|
# look in the following places for a config file
|
|
46
|
-
@config_file_paths = ['/etc/autosign.conf', '/usr/local/etc/autosign.conf'
|
|
46
|
+
@config_file_paths = ['/etc/autosign.conf', '/usr/local/etc/autosign.conf']
|
|
47
|
+
|
|
48
|
+
# HOME is unset when puppet runs, so we need to only use it if it's set
|
|
49
|
+
@config_file_paths << File.join(Dir.home, '.autosign.conf') unless ENV['HOME'].nil?
|
|
47
50
|
@config_file_paths = [ settings_param['config_file'] ] unless settings_param['config_file'].nil?
|
|
48
51
|
|
|
49
52
|
@settings = settings_param
|
|
@@ -145,13 +148,13 @@ module Autosign
|
|
|
145
148
|
{
|
|
146
149
|
'logpath' => '/var/log/autosign.log',
|
|
147
150
|
'confpath' => '/etc/autosign.conf',
|
|
148
|
-
'journalfile' => File.join(Dir.home, '/var/
|
|
151
|
+
'journalfile' => File.join(Dir.home, '/var/autosign/autosign.journal')
|
|
149
152
|
}
|
|
150
153
|
when /bsd/
|
|
151
154
|
{
|
|
152
155
|
'logpath' => '/var/log/autosign.log',
|
|
153
156
|
'confpath' => '/usr/local/etc/autosign.conf',
|
|
154
|
-
'journalfile' => File.join(Dir.home, '/var/
|
|
157
|
+
'journalfile' => File.join(Dir.home, '/var/autosign/autosign.journal')
|
|
155
158
|
}
|
|
156
159
|
else
|
|
157
160
|
raise Autosign::Exceptions::Error, "unsupported os: #{host_os.inspect}"
|
|
@@ -162,15 +165,23 @@ module Autosign
|
|
|
162
165
|
doc.section("general") do |general|
|
|
163
166
|
general.option("loglevel", "warn")
|
|
164
167
|
general.option("logfile", os_defaults['logpath'])
|
|
165
|
-
general.option("journalfile", os_defaults['journalfile'])
|
|
166
168
|
end
|
|
167
169
|
doc.section("jwt_token") do |jwt_token|
|
|
168
170
|
jwt_token.option("secret", SecureRandom.base64(15))
|
|
169
171
|
jwt_token.option("validity", 7200)
|
|
172
|
+
jwt_token.option("journalfile", os_defaults['journalfile'])
|
|
173
|
+
end
|
|
174
|
+
doc.section("multiplexer") do |jwt_token|
|
|
175
|
+
jwt_token.option(";external_policy_executable", '/usr/local/bin/some_autosign_executable')
|
|
176
|
+
jwt_token.option(";external_policy_executable", '/usr/local/bin/another_autosign_executable')
|
|
177
|
+
end
|
|
178
|
+
doc.section("password_list") do |jwt_token|
|
|
179
|
+
jwt_token.option(";password", 'static_autosign_password_here')
|
|
180
|
+
jwt_token.option(";password", 'another_static_autosign_password')
|
|
170
181
|
end
|
|
171
182
|
end.to_ini
|
|
172
183
|
raise Autosign::Exceptions::Error, "file #{os_defaults['confpath']} already exists, aborting" if File.file?(os_defaults['confpath'])
|
|
173
|
-
File.write(os_defaults['confpath'], config)
|
|
184
|
+
return os_defaults['confpath'] if File.write(os_defaults['confpath'], config)
|
|
174
185
|
end
|
|
175
186
|
end
|
|
176
187
|
end
|
data/lib/autosign/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: autosign
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Your Name Here
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-07-
|
|
11
|
+
date: 2015-07-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|