autosign 0.0.7 → 0.0.8

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    YWFiZDhhNDExMzllMTRiNTMxMjYzZjNjNjljYzQ1MjdjNjc3NGM2MQ==
+    YTQ1YWExMWZhOTA2OGYzN2NmODBjOGRhNjAxY2NkMTdhZDQ4ZTliNQ==
   data.tar.gz: !binary |-
-    Mzk0ZmVhNWNlNDg1Y2FjYmE0N2RjY2EzOTIyOTUyOWYzODk3NTgwOQ==
+    ZDNlZmY2YjcxMDY0ODZjMDM0ZDFkNzNhNGI5Zjk0NDMxZDgxMTc3Yw==
 SHA512:
   metadata.gz: !binary |-
-    MmZmZTA5YmE2ZjM4NjY3ZTdlZTNkMjhiMTllNDczNWU4MTYzNWZmMDc4MjI0
-    ODhlZjE1YjUyZWYxNTU4ZDA1YzQ4Y2EyNGY1OGRiNjVjNzlhOGExN2M1ODZj
-    Mzk5YzhkZWY2NGNhMTc0M2QwNGU4ZTMwZWIyOGUwMjQyZWVmNWE=
+    NTlkZDVhZDY3OWE5Mzk4YmQyMjVjYzg0OTI1Y2U3ZDU3ZjJkYjYzOTIzZDQz
+    Mzg2NjI0MGVkNDA2ZTcwMTk3MjNhODIyZjU0NzMxNGU0MDIyY2VmMDkyOWI3
+    MDI4OTE2OTg5NWMwYTM2NjdkMTYyN2JlZGRmZDY1YjY4NjY3ZDk=
   data.tar.gz: !binary |-
-    MTJhNzI0NzM5NDYwMjVmOWU5MGI0NzIwODI5NDgwMGMwODlkNTY1NzRkZTcz
-    NWE3ODdiNjY5NzdlYzU4MzVmNDg1YzgyODc3MzA4NTBkMjVmMmYwZGRlOGRh
-    ZDQzYjYxZTFjMjY1NzViMmM5YmQ4YTBhYzViZTExMzA2YWY3YWM=
+    YWI5ZTQzNzljNGU3NWUzMjJmMmU2ZTM1OTlkNWEwZjhjNzBjYTI5MWExZmIx
+    NWUxNjg0N2ZjMTE2ZTIxNTM5ZDBlNGQxOTkxYjZlMWVhYjQ2YjcyOGFlNjBj
+    MThhYmY2MmVjYWE0ZmNkMDJiMDM2ZTlkNzQxNTYyNzcxYmE3M2U=

data/.gitignore

@@ -3,3 +3,5 @@ doc
 .vagrant
 .yardoc
 autosign.conf
+results.html
+coverage/

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    autosign (0.0.7)
+    autosign (0.0.8)
       deep_merge (~> 1)
       gli (~> 2)
       iniparse (~> 1)
@@ -9,6 +9,7 @@ PATH
       jwt (~> 1)
       logging (~> 2)
       require_all (~> 1)
+      safe_yaml (~> 1)
       yard (~> 0.8)
 
 GEM
@@ -91,6 +92,7 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.3.0)
     rspec-support (3.3.0)
+    safe_yaml (1.0.4)
     simplecov (0.10.0)
       docile (~> 1.1.0)
       json (~> 1.8)

data/README.md

@@ -6,3 +6,93 @@ Tooling to make puppet autosigning easy, secure, and extensible
 ### Introduction
 
 This tool provides a CLI for performing puppet policy-based autosigning using JWT tokens. Read more at https://danieldreier.github.io/autosign.
+
+### Quick Start: How to Generate Tokens
+
+##### 1. Install Gem on Puppet Master
+```shell
+gem install autosign
+```
+
+##### 2. Generate default configuration
+
+```shell
+autosign config setup
+```
+
+##### 3. Generate your first autosign token on the puppet master
+```shell
+autosign generate foo.example.com
+```
+
+The output will look something like
+```
+Autosign token for: foo.example.com, valid until: 2015-07-16 16:25:50 -0700
+To use the token, put the following in ${puppet_confdir}/csr_attributes.yaml prior to running puppet agent for the first time:
+
+custom_attributes:
+  challengePassword: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjcyMDAsXCJ1dWlkXCI6XCJkM2YyNzI0OC1jZDFmLTRhZmItYjI0MC02ZjBjMDU4NWJiZDNcIn0iLCJleHAiOiIxNDM3MDg5MTUwIn0.lC-EzWaV2dL81aLL7P-9mGwNbiOQDJWcoYjuSHVOqmaLtc7Wis5OZvHFOLln2Fn9qv98oSTnZsIkjmFpbI5dvA"
+  ```
+
+The resulting output can be copied to `/etc/puppet/csr_attributes.yaml` on an agent machine prior to running puppet for the first time to add the token to the CSR as the `challengePassword` OID. (just copy-paste from one terminal to another to copy the text)
+
+### Quick Start: Puppet Master Configuration
+
+Run through the previous quick start steps to get the gem installed, then configure puppet to use the `autosign-validator` executable as the policy autosign command:
+
+##### 1. Prerequisities
+Note that these settings will be slightly different if you're running Puppet Enterprise, because you'll need to use the `pe-puppet` user instead of `puppet`.
+
+```shell
+mkdir /var/autosign
+chown puppet:puppet /var/autosign
+chmod 750 /var/autosign
+touch /var/log/autosign.log
+chown puppet:puppet /var/log/autosign.log
+```
+
+
+##### 2. Configure master
+```shell
+puppet config set autosign $(which autosign-validator) --section master
+```
+
+Your master is now configured to autosign using the autosign gem. 
+
+
+##### 3. Using Legacy Autosign Scripts
+
+If you already had an autosign script you want to continue using, add a setting to your `autosign.conf` like:
+
+```yaml
+multiplexer:
+  external_policy_executable: "/path/to/autosign/executable"
+```
+
+The master will validate the certificate if either the token validator or the external validator succeeds.
+
+If the autosign script was just validating simple strings, you can use the `password_list` validator instead. For example, to configure the master to sign any CSR that includes the challenge passwords of "hunter2" or "CPE1704TKS" you would add:
+
+```ini
+password_list:
+  password: "hunter2"
+  password: "CPE1704TKS"
+```
+
+Note that this is a relatively insecure way to do certificate autosigning. Using one-time tokens via the `autosign generate` command is more secure. This functionality is provided to grandfather in existing use cases to ease the transition.
+
+
+### Troubleshooting
+If you're having problems, try the following:
+
+- Set `loglevel: "debug"` in `/etc/autosign.conf`
+- Check the `journalfile`, in `/var/autosign/autosign.journal` by default, to see if the one-time token's UUID has already been recorded. It's just YAML, so you can either delete it or remove the offending entry if you actually want to re-use a token.
+- you can manually trigger the autosigning script with something like `cat the_csr.csr | autosign-validator certname.example.com`
+- If you run the puppet master foregrounded, you'll see quite a bit of autosign script output if autosign loglevel is set to debug.
+
+
+### Further Reading
+
+- [https://danieldreier.github.io/autosign](https://danieldreier.github.io/autosign) has background on why this exists.
+- Automatically generated code documentation in YARDOC format is [available on rubydoc.info](http://rubydoc.info/github/danieldreier/autosign).
+- Look at the [puppet-autosign](https://travis-ci.org/danieldreier/puppet-autosign) puppet module to automate setup of this tool, and for a puppet function to generate tokens inside of Puppet, for example when provisioning systems in AWS.

data/autosign.gemspec

@@ -31,4 +31,5 @@ spec = Gem::Specification.new do |s|
   s.add_runtime_dependency('deep_merge', '~> 1')
   s.add_runtime_dependency('require_all', '~> 1')
   s.add_runtime_dependency('yard', '~> 0.8')
+  s.add_runtime_dependency('safe_yaml', '~> 1')
 end

data/features/autosign.feature

@@ -8,9 +8,10 @@ Feature: Generate autosign key
       And a hostname of "foo.example.com"
       And a file named "autosign.conf" with:
       """
-      [jwt_token]
-      validity = 7200
-      secret = secret
+      ---
+      jwt_token:
+        validity: '7200'
+        secret: 'secret'
       """
     When I run `chmod 600 autosign.conf`
      And I run `autosign --config autosign.conf generate foo.example.com`
@@ -23,9 +24,10 @@ Feature: Generate autosign key
       And a hostname of "foo.example.com"
       And a file named "autosign.conf" with:
       """
-      [jwt_token]
-      secret = secret
-      validity = 7200
+      ---
+      jwt_token:
+        validity: '7200'
+        secret: 'secret'
       """
     When I run `chmod 600 autosign.conf`
     When I run `autosign --config autosign.conf generate foo.example.com --reusable`
@@ -38,8 +40,9 @@ Feature: Generate autosign key
       And a hostname of "foo.example.com"
       And a file named "autosign.conf" with:
       """
-      [jwt_token]
-      secret = secret
+      ---
+      jwt_token:
+        secret: 'secret'
       """
     When I run `chmod 600 autosign.conf`
     When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjI5OTk5OTk5OSxcInV1aWRcIjpcIjlkYTA0Yzc4LWQ5NjUtNDk2OC04MWNjLWVhM2RjZDllZjVjMFwifSIsImV4cCI6IjE3MzY0NjYxMzAifQ.PJwY8rIunVyWi_lw0ypFclME0jx3Vd9xJIQSyhN3VUmul3V8u4Tp9XwDgoAu9DVV0-WEG2Tfxs6F8R6Fn71Ndg"`
@@ -51,8 +54,9 @@ Feature: Generate autosign key
       And a hostname of "foo.example.com"
       And a file named "autosign.conf" with:
       """
-      [jwt_token]
-      secret = secret
+      ---
+      jwt_token:
+        secret: 'secret'
       """
     When I run `chmod 600 autosign.conf`
     When I run `autosign --config autosign.conf validate --certname "foo.example.com" "invalid_token"`
@@ -63,8 +67,9 @@ Feature: Generate autosign key
       And a hostname of "foo.example.com"
       And a file named "autosign.conf" with:
       """
-      [jwt_token]
-      secret = secret
+      ---
+      jwt_token:
+        secret: 'secret'
       """
     When I run `chmod 600 autosign.conf`
     When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjEsXCJ1dWlkXCI6XCJlNjI1Y2I1Ny02NzY5LTQwMzQtODNiZS0zNzkxNmQ5YmMxMDRcIn0iLCJleHAiOiIxNDM2NDY2MzAyIn0.UXEDEbRqEWx5SdSpQjfowU56JubY5Yz2QN6cckby2es-g2P_n2lyAS6AwFeliBXyCDyVUelIT3g1QP4TdB9EEA"`

data/lib/autosign/config.rb

@@ -1,7 +1,8 @@
-require 'iniparse'
 require 'rbconfig'
 require 'securerandom'
 require 'deep_merge'
+require 'yaml'
+require 'safe_yaml'
 
 module Autosign
   # Exceptions namespace for Autosign class
@@ -38,7 +39,7 @@ module Autosign
       # set up logging
       @log = Logging.logger['Autosign::Config']
       @log.debug "initializing Autosign::Config"
-
+      SafeYAML::OPTIONS[:default_mode] = :safe
       # validate parameter
       raise 'settings is not a hash' unless settings_param.is_a?(Hash)
 
@@ -101,7 +102,8 @@ module Autosign
         if File.file?(file)
           @log.debug "Reading config file from: " + file
           config_file = File.read(file)
-          parsed_config_file = IniParse.parse(config_file).to_hash
+          parsed_config_file = YAML.safe_load(config_file)
+          #parsed_config_file = IniParse.parse(config_file).to_hash
           @log.debug "configuration read from config file: " + parsed_config_file.to_s
           return parsed_config_file if parsed_config_file.is_a?(Hash)
         else
@@ -161,27 +163,39 @@ module Autosign
         end
       )
 
-      config = IniParse.gen do |doc|
-        doc.section("general") do |general|
-          general.option("loglevel", "warn")
-          general.option("logfile", os_defaults['logpath'])
-        end
-        doc.section("jwt_token") do |jwt_token|
-          jwt_token.option("secret", SecureRandom.base64(15))
-          jwt_token.option("validity", 7200)
-          jwt_token.option("journalfile", os_defaults['journalfile'])
-        end
-        doc.section("multiplexer") do |jwt_token|
-          jwt_token.option(";external_policy_executable", '/usr/local/bin/some_autosign_executable')
-          jwt_token.option(";external_policy_executable", '/usr/local/bin/another_autosign_executable')
-        end
-        doc.section("password_list") do |jwt_token|
-          jwt_token.option(";password", 'static_autosign_password_here')
-          jwt_token.option(";password", 'another_static_autosign_password')
-        end
-      end.to_ini
+      config = {
+        'general' => {
+          'loglevel' => 'warn',
+          'logfile' =>  os_defaults['logpath']
+        },
+        'jwt_token' => {
+          'secret' =>  SecureRandom.base64(20),
+          'validity' => '7200',
+          'journalfile' => os_defaults['journalfile']
+        }
+      }
+
+#      config = IniParse.gen do |doc|
+#        doc.section("general") do |general|
+#          general.option("loglevel", "warn")
+#          general.option("logfile", os_defaults['logpath'])
+#        end
+#        doc.section("jwt_token") do |jwt_token|
+#          jwt_token.option("secret", SecureRandom.base64(15))
+#          jwt_token.option("validity", 7200)
+#          jwt_token.option("journalfile", os_defaults['journalfile'])
+#        end
+#        doc.section("multiplexer") do |jwt_token|
+#          jwt_token.option(";external_policy_executable", '/usr/local/bin/some_autosign_executable')
+#          jwt_token.option(";external_policy_executable", '/usr/local/bin/another_autosign_executable')
+#        end
+#        doc.section("password_list") do |jwt_token|
+#          jwt_token.option(";password", 'static_autosign_password_here')
+#          jwt_token.option(";password", 'another_static_autosign_password')
+#        end
+#      end.to_ini
       raise Autosign::Exceptions::Error, "file #{os_defaults['confpath']} already exists, aborting" if File.file?(os_defaults['confpath'])
-      return os_defaults['confpath'] if File.write(os_defaults['confpath'], config)
+      return os_defaults['confpath'] if File.write(os_defaults['confpath'], config.to_yaml)
     end
   end
 end

data/lib/autosign/decoder.rb

@@ -23,7 +23,7 @@ module Autosign
       end
 
       # extract challenge password
-      challenge_password = csr.attributes.select { |a| a.oid == 'challengePassword' }.first.value.value.first.value
+      challenge_password = csr.attributes.select { |a| a.oid == 'challengePassword' }.first.value.value.first.value.to_s
 
       # extract common name
       common_name = /^\/CN=(\S*)$/.match(csr.subject.to_s)[1]

data/lib/autosign/token.rb

@@ -106,7 +106,7 @@ module Autosign
 
     # check if the token is reusable or a one-time use token
     # @return [True, False] return true if the token can be used multiple times, false if the token can only be used once
-    def reusable
+    def reusable?
       !!@reusable
     end
 
@@ -116,7 +116,7 @@ module Autosign
       {
         "certname"  => certname,
         "requester" => requester,
-        "reusable"  => reusable,
+        "reusable"  => reusable?,
         "validfor"  => validfor,
         "uuid"      => uuid
       }

data/lib/autosign/validator.rb

@@ -132,6 +132,10 @@ module Autosign
       true
     end
 
+    # Find other classes that inherit from this class.
+    # Used to discover autosign validators. There is probably no reason to use
+    # this directly.
+    # @return [Array] of classes inheriting from Autosign::Validator
     def self.descendants
       ObjectSpace.each_object(Class).select { |klass| klass < self }
     end

data/lib/autosign/validators/jwt.rb

@@ -38,7 +38,7 @@ module Autosign
       end
 
       def is_reusable?(token)
-        Autosign::Token.from_token(token, settings['secret']).reusable
+        Autosign::Token.from_token(token, settings['secret']).reusable?
       end
 
       # Attempt to add a token to the one-time token journal.

data/lib/autosign/version.rb

@@ -1,3 +1,3 @@
 module Autosign
-  VERSION = '0.0.7'
+  VERSION = '0.0.8'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: autosign
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.0.8
 platform: ruby
 authors:
 - Your Name Here
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-16 00:00:00.000000000 Z
+date: 2015-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -220,6 +220,20 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: safe_yaml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1'
 description: 
 email: your@email.address.com
 executables: