autosign 0.0.6 → 0.0.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +8 -8
- data/Gemfile.lock +3 -3
- data/bin/autosign +12 -26
- data/features/autosign.feature +4 -11
- data/lib/autosign/config.rb +16 -5
- data/lib/autosign/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
---
|
|
2
2
|
!binary "U0hBMQ==":
|
|
3
3
|
metadata.gz: !binary |-
|
|
4
|
-
|
|
4
|
+
YWFiZDhhNDExMzllMTRiNTMxMjYzZjNjNjljYzQ1MjdjNjc3NGM2MQ==
|
|
5
5
|
data.tar.gz: !binary |-
|
|
6
|
-
|
|
6
|
+
Mzk0ZmVhNWNlNDg1Y2FjYmE0N2RjY2EzOTIyOTUyOWYzODk3NTgwOQ==
|
|
7
7
|
SHA512:
|
|
8
8
|
metadata.gz: !binary |-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
MmZmZTA5YmE2ZjM4NjY3ZTdlZTNkMjhiMTllNDczNWU4MTYzNWZmMDc4MjI0
|
|
10
|
+
ODhlZjE1YjUyZWYxNTU4ZDA1YzQ4Y2EyNGY1OGRiNjVjNzlhOGExN2M1ODZj
|
|
11
|
+
Mzk5YzhkZWY2NGNhMTc0M2QwNGU4ZTMwZWIyOGUwMjQyZWVmNWE=
|
|
12
12
|
data.tar.gz: !binary |-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
13
|
+
MTJhNzI0NzM5NDYwMjVmOWU5MGI0NzIwODI5NDgwMGMwODlkNTY1NzRkZTcz
|
|
14
|
+
NWE3ODdiNjY5NzdlYzU4MzVmNDg1YzgyODc3MzA4NTBkMjVmMmYwZGRlOGRh
|
|
15
|
+
ZDQzYjYxZTFjMjY1NzViMmM5YmQ4YTBhYzViZTExMzA2YWY3YWM=
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
autosign (0.0.
|
|
4
|
+
autosign (0.0.7)
|
|
5
5
|
deep_merge (~> 1)
|
|
6
6
|
gli (~> 2)
|
|
7
7
|
iniparse (~> 1)
|
|
@@ -23,14 +23,14 @@ GEM
|
|
|
23
23
|
builder (3.2.2)
|
|
24
24
|
childprocess (0.5.6)
|
|
25
25
|
ffi (~> 1.0, >= 1.0.11)
|
|
26
|
-
contracts (0.10)
|
|
26
|
+
contracts (0.10.1)
|
|
27
27
|
coveralls (0.8.2)
|
|
28
28
|
json (~> 1.8)
|
|
29
29
|
rest-client (>= 1.6.8, < 2)
|
|
30
30
|
simplecov (~> 0.10.0)
|
|
31
31
|
term-ansicolor (~> 1.3)
|
|
32
32
|
thor (~> 0.19.1)
|
|
33
|
-
cucumber (2.0.
|
|
33
|
+
cucumber (2.0.2)
|
|
34
34
|
builder (>= 2.1.2)
|
|
35
35
|
cucumber-core (~> 1.2.0)
|
|
36
36
|
diff-lcs (>= 1.1.3)
|
data/bin/autosign
CHANGED
|
@@ -37,15 +37,11 @@ desc 'Quiet output - only log errors'
|
|
|
37
37
|
switch [:q, :quiet]
|
|
38
38
|
|
|
39
39
|
desc 'Generate an autosign token'
|
|
40
|
-
arg_name 'certname
|
|
40
|
+
arg_name 'certname/regex'
|
|
41
41
|
command :generate do |c|
|
|
42
42
|
c.desc 'Generate a reusable token; default is to generate one-time tokens'
|
|
43
43
|
c.switch [:r, :reusable]
|
|
44
44
|
|
|
45
|
-
c.desc 'certname or regex of certnames the autosign token will be valid for'
|
|
46
|
-
c.arg_name 'certname'
|
|
47
|
-
c.flag [:n,:certname]
|
|
48
|
-
|
|
49
45
|
c.desc 'autosign token validity period'
|
|
50
46
|
c.default_value '7200'
|
|
51
47
|
c.arg_name 'seconds'
|
|
@@ -57,16 +53,17 @@ command :generate do |c|
|
|
|
57
53
|
options['validfor'] = config.settings.to_hash['jwt_token']['validity'].to_s if options['validfor'] == '7200'
|
|
58
54
|
@logger.debug "validfor: " + options['validfor']
|
|
59
55
|
help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
|
|
60
|
-
help_now!('certname is required') if
|
|
56
|
+
help_now!('certname is required as argument') if args[0].nil?
|
|
57
|
+
certname = args[0]
|
|
61
58
|
|
|
62
59
|
help_now!('validfor setting must be an positive integer number of seconds') if !/\A\d+\z/.match(options['validfor'].to_s)
|
|
63
|
-
token = Autosign::Token.new(
|
|
64
|
-
@logger.info "generated token for: " +
|
|
65
|
-
puts "Autosign token for: " + token.certname
|
|
66
|
-
puts "
|
|
67
|
-
puts ""
|
|
68
|
-
puts token.sign.to_s
|
|
60
|
+
token = Autosign::Token.new(certname, options['reusable'], options['validfor'].to_i, Socket.gethostname.to_s, global_options['secret'])
|
|
61
|
+
@logger.info "generated token for: " + certname
|
|
62
|
+
puts "Autosign token for: " + token.certname + ", valid until: " + Time.at(token.validto).to_s
|
|
63
|
+
puts "To use the token, put the following in ${puppet_confdir}/csr_attributes.yaml prior to running puppet agent for the first time:"
|
|
69
64
|
puts ""
|
|
65
|
+
puts "custom_attributes:"
|
|
66
|
+
puts " challengePassword: \"#{token.sign.to_s}\""
|
|
70
67
|
end
|
|
71
68
|
end
|
|
72
69
|
|
|
@@ -101,11 +98,12 @@ end
|
|
|
101
98
|
desc 'Autosign configuration'
|
|
102
99
|
command :config do |c|
|
|
103
100
|
|
|
104
|
-
c.desc '
|
|
101
|
+
c.desc 'Create a default autosign.conf file'
|
|
105
102
|
c.command :setup do |setup|
|
|
106
103
|
setup.action do |global_options,options,args|
|
|
107
104
|
@logger.info "setup command ran with #{global_options} #{options} #{args}"
|
|
108
|
-
|
|
105
|
+
result = Autosign::Config.generate_default
|
|
106
|
+
STDOUT.puts "generated default config file at #{result}" if result
|
|
109
107
|
end
|
|
110
108
|
end
|
|
111
109
|
|
|
@@ -120,18 +118,6 @@ command :config do |c|
|
|
|
120
118
|
|
|
121
119
|
end
|
|
122
120
|
|
|
123
|
-
desc 'Install an autosign token; run this prior to running puppet for the first time on an agent'
|
|
124
|
-
arg_name 'token'
|
|
125
|
-
command :use do |c|
|
|
126
|
-
c.action do |global_options,options,args|
|
|
127
|
-
puppet_confdir = %x[puppet config print confdir].chomp
|
|
128
|
-
@logger.debug "use command ran with #{global_options} #{options} #{args}"
|
|
129
|
-
puts "put the following in #{puppet_confdir}/csr_attributes.yaml prior to running puppet agent for the first time:
|
|
130
|
-
custom_attributes:
|
|
131
|
-
challengePassword: \"#{args[0]}\""
|
|
132
|
-
end
|
|
133
|
-
end
|
|
134
|
-
|
|
135
121
|
pre do |global,command,options,args|
|
|
136
122
|
# Pre logic here
|
|
137
123
|
# Return true to proceed; false to abort and not call the
|
data/features/autosign.feature
CHANGED
|
@@ -13,9 +13,9 @@ Feature: Generate autosign key
|
|
|
13
13
|
secret = secret
|
|
14
14
|
"""
|
|
15
15
|
When I run `chmod 600 autosign.conf`
|
|
16
|
-
And I run `autosign --config autosign.conf generate
|
|
16
|
+
And I run `autosign --config autosign.conf generate foo.example.com`
|
|
17
17
|
Then the output should contain "Autosign token for: foo.example.com"
|
|
18
|
-
And the output should contain "
|
|
18
|
+
And the output should contain "valid until"
|
|
19
19
|
And the exit status should be 0
|
|
20
20
|
|
|
21
21
|
Scenario: Generate new reusable token
|
|
@@ -28,9 +28,9 @@ Feature: Generate autosign key
|
|
|
28
28
|
validity = 7200
|
|
29
29
|
"""
|
|
30
30
|
When I run `chmod 600 autosign.conf`
|
|
31
|
-
When I run `autosign --config autosign.conf generate
|
|
31
|
+
When I run `autosign --config autosign.conf generate foo.example.com --reusable`
|
|
32
32
|
Then the output should contain "Autosign token for: foo.example.com"
|
|
33
|
-
And the output should contain "
|
|
33
|
+
And the output should contain "valid until"
|
|
34
34
|
And the exit status should be 0
|
|
35
35
|
|
|
36
36
|
Scenario: Validate a token
|
|
@@ -69,10 +69,3 @@ Feature: Generate autosign key
|
|
|
69
69
|
When I run `chmod 600 autosign.conf`
|
|
70
70
|
When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjEsXCJ1dWlkXCI6XCJlNjI1Y2I1Ny02NzY5LTQwMzQtODNiZS0zNzkxNmQ5YmMxMDRcIn0iLCJleHAiOiIxNDM2NDY2MzAyIn0.UXEDEbRqEWx5SdSpQjfowU56JubY5Yz2QN6cckby2es-g2P_n2lyAS6AwFeliBXyCDyVUelIT3g1QP4TdB9EEA"`
|
|
71
71
|
Then the exit status should be 1
|
|
72
|
-
|
|
73
|
-
Scenario: Generate a csr_attributes.yaml file
|
|
74
|
-
When I run `autosign use hunter2`
|
|
75
|
-
Then the output should contain "challengePassword: "
|
|
76
|
-
And the output should contain "csr_attributes.yaml"
|
|
77
|
-
And the output should contain "hunter2"
|
|
78
|
-
And the exit status should be 0
|
data/lib/autosign/config.rb
CHANGED
|
@@ -43,7 +43,10 @@ module Autosign
|
|
|
43
43
|
raise 'settings is not a hash' unless settings_param.is_a?(Hash)
|
|
44
44
|
|
|
45
45
|
# look in the following places for a config file
|
|
46
|
-
@config_file_paths = ['/etc/autosign.conf', '/usr/local/etc/autosign.conf'
|
|
46
|
+
@config_file_paths = ['/etc/autosign.conf', '/usr/local/etc/autosign.conf']
|
|
47
|
+
|
|
48
|
+
# HOME is unset when puppet runs, so we need to only use it if it's set
|
|
49
|
+
@config_file_paths << File.join(Dir.home, '.autosign.conf') unless ENV['HOME'].nil?
|
|
47
50
|
@config_file_paths = [ settings_param['config_file'] ] unless settings_param['config_file'].nil?
|
|
48
51
|
|
|
49
52
|
@settings = settings_param
|
|
@@ -145,13 +148,13 @@ module Autosign
|
|
|
145
148
|
{
|
|
146
149
|
'logpath' => '/var/log/autosign.log',
|
|
147
150
|
'confpath' => '/etc/autosign.conf',
|
|
148
|
-
'journalfile' => File.join(Dir.home, '/var/
|
|
151
|
+
'journalfile' => File.join(Dir.home, '/var/autosign/autosign.journal')
|
|
149
152
|
}
|
|
150
153
|
when /bsd/
|
|
151
154
|
{
|
|
152
155
|
'logpath' => '/var/log/autosign.log',
|
|
153
156
|
'confpath' => '/usr/local/etc/autosign.conf',
|
|
154
|
-
'journalfile' => File.join(Dir.home, '/var/
|
|
157
|
+
'journalfile' => File.join(Dir.home, '/var/autosign/autosign.journal')
|
|
155
158
|
}
|
|
156
159
|
else
|
|
157
160
|
raise Autosign::Exceptions::Error, "unsupported os: #{host_os.inspect}"
|
|
@@ -162,15 +165,23 @@ module Autosign
|
|
|
162
165
|
doc.section("general") do |general|
|
|
163
166
|
general.option("loglevel", "warn")
|
|
164
167
|
general.option("logfile", os_defaults['logpath'])
|
|
165
|
-
general.option("journalfile", os_defaults['journalfile'])
|
|
166
168
|
end
|
|
167
169
|
doc.section("jwt_token") do |jwt_token|
|
|
168
170
|
jwt_token.option("secret", SecureRandom.base64(15))
|
|
169
171
|
jwt_token.option("validity", 7200)
|
|
172
|
+
jwt_token.option("journalfile", os_defaults['journalfile'])
|
|
173
|
+
end
|
|
174
|
+
doc.section("multiplexer") do |jwt_token|
|
|
175
|
+
jwt_token.option(";external_policy_executable", '/usr/local/bin/some_autosign_executable')
|
|
176
|
+
jwt_token.option(";external_policy_executable", '/usr/local/bin/another_autosign_executable')
|
|
177
|
+
end
|
|
178
|
+
doc.section("password_list") do |jwt_token|
|
|
179
|
+
jwt_token.option(";password", 'static_autosign_password_here')
|
|
180
|
+
jwt_token.option(";password", 'another_static_autosign_password')
|
|
170
181
|
end
|
|
171
182
|
end.to_ini
|
|
172
183
|
raise Autosign::Exceptions::Error, "file #{os_defaults['confpath']} already exists, aborting" if File.file?(os_defaults['confpath'])
|
|
173
|
-
File.write(os_defaults['confpath'], config)
|
|
184
|
+
return os_defaults['confpath'] if File.write(os_defaults['confpath'], config)
|
|
174
185
|
end
|
|
175
186
|
end
|
|
176
187
|
end
|
data/lib/autosign/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: autosign
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Your Name Here
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-07-
|
|
11
|
+
date: 2015-07-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|