autosign 0.1.1 → 1.0.1

data/README.md

@@ -81,6 +81,42 @@ password_list:
 
 Note that this is a relatively insecure way to do certificate autosigning. Using one-time tokens via the `autosign generate` command is more secure. This functionality is provided to grandfather in existing use cases to ease the transition.
 
+## Validation order
+By default the validation runs the following validators in order: 
+
+1. jwt_token
+2. password_list
+3. multiplexer
+
+The first validator to succeed wins and short circuits the validaiton process.
+
+You can completely customize the list and how they are ordered via the configuration file.  Or even remove some entirely.
+
+```
+---
+general:
+  loglevel: debug
+  logfile: "/var/log/autosign.log"
+  validation_order: 
+    - jwt_token
+    - multiplexer
+    - password_list
+jwt_token:
+  secret: J7/WjmkC/CJp2K0/8+sktzSgCqQ=
+  validity: '7200'
+  journalfile: "/root/var/autosign/autosign.journal"
+```
+
+The validation_order config is an ordered array and since the validators will only match the first validation
+to succeed the validation script should occur as fast as you want.  
+
+Additionally, if you omit any validator that validator will not be used during the validation process.  This might 
+be important if you wanted to only use special validators or remove unwanted validator execution.
+
+Please note, the name of the validator which is speficed by the `NAME` constant in the validator code must match
+the list you specify otherwise it will not be part of the validation process.
+
+**NOTE** To use this feature you must have deep_merge 1.2.1+ installed which is now a requirement of this gem.
 
 ### Troubleshooting
 If you're having problems, try the following:
@@ -90,6 +126,7 @@ If you're having problems, try the following:
 - you can manually trigger the autosigning script with something like `cat the_csr.csr | autosign-validator certname.example.com`
 - If you run the puppet master foregrounded, you'll see quite a bit of autosign script output if autosign loglevel is set to debug.
 
+Starting with the 1.0.0 release the autosign gem requires ruby 2.4.  If you can't upgrade just yet you can continue to use the older 0.1.4 release.
 
 ### Further Reading
 

data/Rakefile

@@ -1,32 +1,32 @@
+# encoding: utf-8
+# frozen_string_literal: true
+
 require 'rubygems'
-begin
-  require 'rspec/core/rake_task'
-  require 'cucumber'
-  require 'cucumber/rake/task'
-  require 'rdoc/task'
-  RSpec::Core::RakeTask.new(:spec) do |t|
-    t.rspec_opts = '--format documentation'
-  end
-rescue LoadError
-end
+require 'bundler'
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+require 'rspec/core/rake_task'
+require 'cucumber'
+require 'cucumber/rake/task'
+require 'rdoc/task'
 require 'rake/clean'
-require 'rubygems/package_task'
-Rake::RDocTask.new do |rd|
-  rd.main = "README.rdoc"
-  rd.rdoc_files.include("README.rdoc","lib/**/*.rb","bin/**/*")
-  rd.title = 'Your application title'
-end
 
-spec = eval(File.read('autosign.gemspec'))
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.rspec_opts = '--format documentation'
+end
 
-Gem::PackageTask.new(spec) do |pkg|
+Rake::RDocTask.new do |rd|
+  rd.main = 'README.rdoc'
+  rd.rdoc_files.include('README.rdoc', 'lib/**/*.rb', 'bin/**/*')
+  rd.title = 'Autosign'
 end
-CUKE_RESULTS = 'results.html'
+
+CUKE_RESULTS = 'results.html'.freeze
 CLEAN << CUKE_RESULTS
 desc 'Run features'
 
 Cucumber::Rake::Task.new(:features) do |t|
-  t.cucumber_opts = "features --format pretty"
+  t.cucumber_opts = 'features --format pretty'
 end
 
 desc 'Run features tagged as work-in-progress (@wip)'
@@ -41,10 +41,10 @@ task 'cucumber:wip' => 'features:wip'
 task :wip => 'features:wip'
 require 'rake/testtask'
 Rake::TestTask.new do |t|
-  t.libs << "test"
+  t.libs << 'test'
   t.test_files = FileList['test/*_test.rb']
 end
 
 task :ci => [:spec, :features]
 
-task :default => [:test,:features]
+task :default => [:test, :features]

data/autosign.gemspec

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 # Ensure we require the local version and not one we might have installed already
-require File.join([File.dirname(__FILE__),'lib','autosign','version.rb'])
-spec = Gem::Specification.new do |s| 
+require File.join([__dir__, 'lib', 'autosign', 'version.rb'])
+spec = Gem::Specification.new do |s|
   s.name = 'autosign'
   s.version = Autosign::VERSION
   s.author = 'Daniel Dreier'
@@ -8,28 +10,30 @@ spec = Gem::Specification.new do |s|
   s.homepage = 'https://github.com/danieldreier/autosign'
   s.platform = Gem::Platform::RUBY
   s.summary = 'Tooling to make puppet autosigning easy, secure, and extensible'
-  s.files = `git ls-files`.split("
-")
+  s.files   = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|features|fixtures)/}) }
   s.require_paths << 'lib'
-  s.has_rdoc = false
-  s.rdoc_options << '--title' << 'autosign' << '--main' << 'README.rdoc' << '-ri'
+  s.extra_rdoc_files = [
+    'CHANGELOG.md',
+    'LICENSE',
+    'README.md'
+  ]
   s.bindir = 'bin'
-  s.executables << 'autosign'
-  s.executables << 'autosign-validator'
-  s.add_development_dependency('rake', '~> 10')
-  s.add_development_dependency('rdoc', '~> 4')
+  s.executables = ['autosign', 'autosign-validator']
   s.add_development_dependency('aruba', '~> 0.6')
-  s.add_development_dependency('cucumber', '~> 2')
-  s.add_development_dependency('puppet', '~> 3')
-  s.add_development_dependency('rspec', '~> 3')
   s.add_development_dependency('coveralls')
+  s.add_development_dependency('cucumber', '~> 2')
   s.add_development_dependency('pry', '~> 0.10')
-  s.add_runtime_dependency('gli','~> 2')
-  s.add_runtime_dependency('jwt','~> 1')
-  s.add_runtime_dependency('iniparse','~> 1')
+  s.add_development_dependency('puppet', '~> 6')
+  s.add_development_dependency('rake', '~> 13')
+  s.add_development_dependency('rdoc', '~> 4')
+  s.add_development_dependency('rspec', '~> 3')
+  s.add_development_dependency('rubocop', '~> 0.83.0')
+  s.add_development_dependency('yard', '~> 0.9.11')
+  s.add_development_dependency('bundler', '~> 2.0')
+  s.add_runtime_dependency('deep_merge', '~> 1.2')
+  s.add_runtime_dependency('gli', '~> 2')
+  s.add_runtime_dependency('iniparse', '~> 1')
+  s.add_runtime_dependency('jwt', '~> 1')
   s.add_runtime_dependency('logging', '~> 2')
-  s.add_runtime_dependency('json', '~> 1')
-  s.add_runtime_dependency('deep_merge', '~> 1')
-  s.add_runtime_dependency('require_all', '~> 1')
-  s.add_runtime_dependency('yard', '~> 0.8')
+  s.add_runtime_dependency('multi_json', '>=1')
 end

data/bin/autosign

@@ -52,8 +52,9 @@ command :generate do |c|
 
   c.action do |global_options,options,args|
     config = Autosign::Config.new({'config_file' => global_options['config']})
-    global_options['secret'] = config.settings['jwt_token']['secret'] if global_options['secret'].nil?
-    options['validfor'] = config.settings.to_hash['jwt_token']['validity'].to_s if options['validfor'] == '7200'
+    config_settings = config.settings
+    global_options['secret'] = config_settings['jwt_token']['secret'] if global_options['secret'].nil?
+    options['validfor'] = config_settings.to_hash['jwt_token']['validity'].to_s if options['validfor'] == '7200'
     @logger.debug "validfor: " + options['validfor']
     help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
     help_now!('certname is required as argument') if args[0].nil?
@@ -66,9 +67,11 @@ command :generate do |c|
       puts token.sign.to_s
     else
       @logger.info "generated token for: " + certname
-      puts "Autosign token for: " + token.certname + ", valid until: " + Time.at(token.validto).to_s
-      puts "To use the token, put the following in ${puppet_confdir}/csr_attributes.yaml prior to running puppet agent for the first time:"
-      puts ""
+      unless global_options[:quiet]
+        puts "Autosign token for: " + token.certname + ", valid until: " + Time.at(token.validto).to_s
+        puts "To use the token, put the following in ${puppet_confdir}/csr_attributes.yaml prior to running puppet agent for the first time:"
+        puts ""
+      end
       puts "custom_attributes:"
       puts "  challengePassword: \"#{token.sign.to_s}\""
     end
@@ -85,8 +88,9 @@ command :validate do |c|
 
   c.action do |global_options,options,args|
     config = Autosign::Config.new({'config_file' => global_options['config']})
-    puts config.settings.to_hash['jwt_token']
-    global_options['secret'] = config.settings['jwt_token']['secret'] if global_options['secret'].nil?
+    config_settings = config.settings
+    puts config_settings.to_hash['jwt_token']
+    global_options['secret'] = config_settings['jwt_token']['secret'] if global_options['secret'].nil?
 
     help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
     help_now!('certname is required') if options['certname'].nil?
@@ -110,7 +114,7 @@ command :config do |c|
   c.command :setup do |setup|
     setup.action do |global_options,options,args|
       @logger.info "setup command ran with #{global_options} #{options} #{args}"
-      result = Autosign::Config.generate_default
+      result = Autosign::Config.generate_default({'config_file' => global_options['config']})
       STDOUT.puts "generated default config file at #{result}" if result
     end
   end
@@ -120,7 +124,8 @@ command :config do |c|
     print.action do |global_options,options,args|
       @logger.debug "print command ran with #{global_options} #{options} #{args}"
       config = Autosign::Config.new({'config_file' => global_options['config']})
-      puts config.settings.to_s
+      require 'yaml'
+      puts config.settings.to_yaml
     end
   end
 
@@ -132,17 +137,20 @@ pre do |global,command,options,args|
   # chosen command
   # Use skips_pre before a command to skip this block
   # on that command only
-#  config = Autosign::Config.new
-#  @logger.level = config.settings.to_hash['general']['loglevel'].to_sym unless config.settings.to_hash['general']['loglevel'].nil?
+  config = Autosign::Config.new
+  config_settings = config.settings
+  @logger.level = config_settings.to_hash['general']['loglevel'].to_sym unless config_settings.to_hash['general']['loglevel'].nil?
 
   @logger.level = :error if global['quiet']
   @logger.level = :info if global['verbose']
   @logger.level = :debug if global['debug']
 
-  if global['logfile'].nil?
-    @logger.add_appenders Logging.appenders.stdout
-  else
-    @logger.add_appenders Logging.appenders.stdout, Logging.appenders.file(global['logfile'])
+  stdout_layout = Logging.layouts.pattern(:pattern => "%-5l -- %c : %m\n")
+  @logger.add_appenders Logging.appenders.stdout(:layout => stdout_layout)
+
+  unless global['logfile'].nil?
+    file_layout = Logging.layouts.pattern(:pattern => "%d %-5l -- %c : %m\n", :date_pattern => "%Y-%m-%dT%H:%M:%S.%s")
+    @logger.add_appenders Logging.appenders.file(global['logfile'], :layout => file_layout)
   end
 
   true

data/bin/autosign-validator

@@ -2,17 +2,26 @@
 require 'autosign'
 require 'logging'
 
+### Ensure stdin is read https://tickets.puppetlabs.com/browse/SERVER-1116
+raw_csr = $stdin.read
 
 ### Start logging
 @logger = Logging.logger['Autosign']
-@logger.level = :debug
+@logger.level = :warn
 
 # Start logging to stdout first so we get errors while loading the config file
 @logger.add_appenders Logging.appenders.stdout
 
 # Load config and then add logfile as a log appender
-config = Autosign::Config.new
-@logger.add_appenders Logging.appenders.file(config.settings['general']['logfile']) unless config.settings['general']['logfile'].nil?
+config_settings = Autosign::Config.new.settings
+
+unless config_settings['general']['logfile'].nil?
+  file_layout = Logging.layouts.pattern(:pattern => "%d %-5l -- %c : %m\n", :date_pattern => "%Y-%m-%dT%H:%M:%S.%s")
+  @logger.add_appenders Logging.appenders.file(config_settings['general']['logfile'], :layout => file_layout)
+end
+
+@logger.level = config_settings['general']['loglevel'].to_sym unless config_settings['general']['loglevel'].nil?
+
 ### End logging initialization
 
 ### Get Inputs
@@ -21,11 +30,10 @@ unless ARGV.count == 1
   exit 1
 end
 
-certname = ARGV[0]
+certname = ARGV.shift
 @logger.debug "certname is " + certname
 
 @logger.debug "reading CSR from stdin"
-raw_csr = $stdin.read
 csr = Autosign::Decoder.decode_csr(raw_csr)
 exit 1 unless csr.is_a?(Hash)
 
@@ -33,7 +41,7 @@ exit 1 unless csr.is_a?(Hash)
 ### End Inputs
 
 ### validate token
-token_validation = Autosign::Validator.any_validator(csr[:challenge_password].to_s, certname.to_s, raw_csr)
+token_validation = Autosign::Validator.any_validator(csr[:challenge_password].to_s, certname.to_s, raw_csr, config_settings)
 ### end validation
 
 ### Exit with correct exit status

data/lib/autosign.rb

@@ -1,5 +1,5 @@
 require 'rubygems'
-require 'json'
+require 'multi_json'
 require 'autosign/version.rb'
 require 'autosign/token.rb'
 require 'autosign/config.rb'

data/lib/autosign/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rbconfig'
 require 'securerandom'
 require 'deep_merge'
@@ -7,16 +9,16 @@ module Autosign
   # Exceptions namespace for Autosign class
   module Exceptions
     # Exception representing a general failure during validation
-    class Validation < Exception
+    class Validation < RuntimeError
     end
     # Exception representing a missing file during config validation
-    class NotFound < Exception
+    class NotFound < RuntimeError
     end
     # Exception representing a permissions error during config validation
-    class Permissions < Exception
+    class Permissions < RuntimeError
     end
     # Exception representing errors that Autosign does not know how to handle
-    class Error < Exception
+    class Error < RuntimeError
     end
   end
 
@@ -36,20 +38,25 @@ module Autosign
     # @return [Autosign::Config] instance of the Autosign::Config class
     def initialize(settings_param = {})
       # set up logging
-      @log = Logging.logger['Autosign::Config']
-      @log.debug "initializing Autosign::Config"
+      @log = Logging.logger[self.class]
+      @log.debug "initializing #{self.class.name}"
       # validate parameter
       raise 'settings is not a hash' unless settings_param.is_a?(Hash)
 
       # look in the following places for a config file
-      @config_file_paths = ['/etc/autosign.conf', '/usr/local/etc/autosign.conf']
+      @config_file_paths = ['/etc/puppetlabs/puppetserver/autosign.conf', '/etc/autosign.conf', '/usr/local/etc/autosign.conf']
 
       # HOME is unset when puppet runs, so we need to only use it if it's set
-      @config_file_paths << File.join(Dir.home, '.autosign.conf') unless ENV['HOME'].nil?
-      @config_file_paths = [ settings_param['config_file'] ] unless settings_param['config_file'].nil?
+      unless ENV['HOME'].nil?
+        @config_file_paths << File.join(Dir.home, '.autosign.conf')
+      end
+
+      unless settings_param['config_file'].nil?
+        @config_file_paths = [settings_param['config_file']]
+      end
 
       @settings = settings_param
-      @log.debug "Using merged settings hash: " + @settings.to_s
+      @log.debug 'Using merged settings hash: ' + @settings.to_s
     end
 
     # Return a merged settings hash of defaults, config file settings
@@ -57,11 +64,11 @@ module Autosign
     #
     # @return [Hash] deep merged settings hash
     def settings
-      @log.debug "merging settings"
+      @log.debug 'merging settings'
       setting_sources = [default_settings, configfile, @settings]
-      merged_settings = setting_sources.inject({}) { |merged, hash| merged.deep_merge(hash) }
-      @log.debug "using merged settings: " + merged_settings.to_s
-      return merged_settings
+      merged_settings = setting_sources.inject({}) { |merged, hash| merged.deep_merge!(hash, {:overwrite_arrays => true}) }
+      @log.debug 'using merged settings: ' + merged_settings.to_s
+      merged_settings
     end
 
     private
@@ -78,12 +85,14 @@ module Autosign
     def default_settings
       { 'general' =>
         {
-          'loglevel'       => 'INFO',
+          'loglevel' => 'INFO',
+          'validation_order' => %w[
+            jwt_token password_list multiplexer
+          ]
         },
         'jwt_token' => {
           'validity' => 7200
-        }
-      }
+        } }
     end
 
     # Locate the configuration file, parse it from INI-format, and return
@@ -91,21 +100,21 @@ module Autosign
     #
     # @return [Hash] configuration settings loaded from INI file
     def configfile
-      @log.debug "Finding config file"
-      @config_file_paths.each { |file|
+      @log.debug 'Finding config file'
+      @config_file_paths.each do |file|
         @log.debug "Checking if file '#{file}' exists"
         if File.file?(file)
-          @log.debug "Reading config file from: " + file
+          @log.debug 'Reading config file from: ' + file
           config_file = File.read(file)
           parsed_config_file = YAML.load(config_file)
-          #parsed_config_file = IniParse.parse(config_file).to_hash
-          @log.debug "configuration read from config file: " + parsed_config_file.to_s
+          # parsed_config_file = IniParse.parse(config_file).to_hash
+          @log.debug 'configuration read from config file: ' + parsed_config_file.to_s
           return parsed_config_file if parsed_config_file.is_a?(Hash)
         else
           @log.debug "Configuration file '#{file}' not found"
         end
-      }
-      return {}
+      end
+      {}
     end
 
     # Validate configuration file
@@ -114,14 +123,14 @@ module Autosign
     # @param configfile [String] the absolute path of the config file to validate
     # @return [String] the absolute path of the config file
     def validate_config_file(configfile = location)
-      @log.debug "validating config file"
+      @log.debug 'validating config file'
       unless File.file?(configfile)
         @log.error "configuration file not found at: #{configfile}"
         raise Autosign::Exceptions::NotFound
       end
 
       # check if file is world-readable
-      if File.world_readable?(configfile) or File.world_writable?(configfile)
+      if File.world_readable?(configfile) || File.world_writable?(configfile)
         @log.error "configuration file #{configfile} is world-readable or world-writable, which is a security risk"
         raise Autosign::Exceptions::Permissions
       end
@@ -132,25 +141,25 @@ module Autosign
     # Generate a default configuration file
     # As a convenience for the user, we can generate a default config file
     # This class is currently too tightly coupled with the JWT token validator
-    def self.generate_default()
+    def self.generate_default(settings_param = {})
       os_defaults = (
         case RbConfig::CONFIG['host_os']
         when /darwin|mac os/
           {
-            'logpath'     => File.join(Dir.home, 'autosign.log'),
-            'confpath'    => File.join(Dir.home, '.autosign.conf'),
+            'logpath' => File.join(Dir.home, 'autosign.log'),
+            'confpath' => File.join(Dir.home, '.autosign.conf'),
             'journalfile' => File.join(Dir.home, '.autosign.journal')
           }
         when /linux/
           {
-            'logpath'     => '/var/log/autosign.log',
-            'confpath'    => '/etc/autosign.conf',
+            'logpath' => '/var/log/autosign.log',
+            'confpath' => '/etc/autosign.conf',
             'journalfile' => File.join(Dir.home, '/var/autosign/autosign.journal')
           }
         when /bsd/
           {
-            'logpath'     => '/var/log/autosign.log',
-            'confpath'    => '/usr/local/etc/autosign.conf',
+            'logpath' => '/var/log/autosign.log',
+            'confpath' => '/usr/local/etc/autosign.conf',
             'journalfile' => File.join(Dir.home, '/var/autosign/autosign.journal')
           }
         else
@@ -161,36 +170,42 @@ module Autosign
       config = {
         'general' => {
           'loglevel' => 'warn',
-          'logfile' =>  os_defaults['logpath']
+          'logfile' => os_defaults['logpath'],
+          'validation_order' => %w[
+            jwt_token password_list multiplexer
+          ]
         },
         'jwt_token' => {
-          'secret' =>  SecureRandom.base64(20),
+          'secret' => SecureRandom.base64(20),
           'validity' => '7200',
           'journalfile' => os_defaults['journalfile']
         }
       }
 
-#      config = IniParse.gen do |doc|
-#        doc.section("general") do |general|
-#          general.option("loglevel", "warn")
-#          general.option("logfile", os_defaults['logpath'])
-#        end
-#        doc.section("jwt_token") do |jwt_token|
-#          jwt_token.option("secret", SecureRandom.base64(15))
-#          jwt_token.option("validity", 7200)
-#          jwt_token.option("journalfile", os_defaults['journalfile'])
-#        end
-#        doc.section("multiplexer") do |jwt_token|
-#          jwt_token.option(";external_policy_executable", '/usr/local/bin/some_autosign_executable')
-#          jwt_token.option(";external_policy_executable", '/usr/local/bin/another_autosign_executable')
-#        end
-#        doc.section("password_list") do |jwt_token|
-#          jwt_token.option(";password", 'static_autosign_password_here')
-#          jwt_token.option(";password", 'another_static_autosign_password')
-#        end
-#      end.to_ini
-      raise Autosign::Exceptions::Error, "file #{os_defaults['confpath']} already exists, aborting" if File.file?(os_defaults['confpath'])
-      return os_defaults['confpath'] if File.write(os_defaults['confpath'], config.to_yaml)
+      #      config = IniParse.gen do |doc|
+      #        doc.section("general") do |general|
+      #          general.option("loglevel", "warn")
+      #          general.option("logfile", os_defaults['logpath'])
+      #        end
+      #        doc.section("jwt_token") do |jwt_token|
+      #          jwt_token.option("secret", SecureRandom.base64(15))
+      #          jwt_token.option("validity", 7200)
+      #          jwt_token.option("journalfile", os_defaults['journalfile'])
+      #        end
+      #        doc.section("multiplexer") do |jwt_token|
+      #          jwt_token.option(";external_policy_executable", '/usr/local/bin/some_autosign_executable')
+      #          jwt_token.option(";external_policy_executable", '/usr/local/bin/another_autosign_executable')
+      #        end
+      #        doc.section("password_list") do |jwt_token|
+      #          jwt_token.option(";password", 'static_autosign_password_here')
+      #          jwt_token.option(";password", 'another_static_autosign_password')
+      #        end
+      #      end.to_ini
+      config_file = settings_param['config_file'] || os_defaults['confpath']
+      if File.file?(config_file)
+        raise Autosign::Exceptions::Error, "file #{config_file} already exists, aborting"
+      end
+      return config_file if File.write(config_file, config.to_yaml)
     end
   end
 end