autosign 0.1.1 → 1.0.1

data/lib/autosign/decoder.rb

@@ -9,7 +9,7 @@ module Autosign
     # @param csr[String] X509 format CSR
     # @return [Hash] hash containing :challenge_password and :common_name keys
     def self.decode_csr(csr)
-      @log = Logging.logger['Autosign::Decoder']
+      @log = Logging.logger[self.class]
       @log.debug "decoding CSR"
 
       begin
@@ -23,8 +23,12 @@ module Autosign
       end
 
       # extract challenge password
-
-      challenge_password = csr.attributes.find { |a| a.oid == 'challengePassword' }.value.value.first.value.to_s
+      challenge_attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
+      challenge_password = if challenge_attr
+                             challenge_attr.value.value.first.value.to_s
+                           else
+                             nil
+                           end
 
       # extract common name
       common_name = /^\/CN=(\S*)$/.match(csr.subject.to_s)[1]

data/lib/autosign/journal.rb

@@ -15,8 +15,8 @@ module Autosign
     # @param settings [Hash] config settings for the new journal instance
     # @return [Autosign::Journal] instance of the Autosign::Journal class
     def initialize(settings = {})
-      @log = Logging.logger['Autosign::Journal']
-      @log.debug "initializing Autosign::Journal"
+      @log = Logging.logger[self.class]
+      @log.debug "initializing #{self.class.name}"
       @settings = settings
       fail unless setup
     end

data/lib/autosign/token.rb

@@ -1,6 +1,6 @@
 module Autosign
   require 'jwt'
-  require 'json'
+  require 'multi_json'
   require 'securerandom'
 
   # Class modeling JSON Web Tokens as credentials for certificate auto signing.
@@ -33,8 +33,8 @@ module Autosign
     # @return [Autosign::Config] instance of the Autosign::Config class
     def initialize(certname, reusable=false, validfor=7200, requester, secret)
       # set up logging
-      @log = Logging.logger['Autosign::Token']
-      @log.debug "initializing"
+      @log = Logging.logger[self.class]
+      @log.debug "initializing #{self.class.name}"
 
       @validfor  = validfor
       @certname  = certname
@@ -56,13 +56,13 @@ module Autosign
     # @param hmac_secret [String] Password that the token was (hopefully) originally signed with.
     # @return [True, False] returns true if the token can be validated, or false if the token cannot be validated.
     def self.validate(requested_certname, token, hmac_secret)
-      @log = Logging.logger['Autosign::Token.validate']
+      @log = Logging.logger[self.class]
       @log.debug "attempting to validate token"
       @log.info "attempting to validate token for: #{requested_certname.to_s}"
       errors = []
       begin
         @log.debug "Decoding and parsing token"
-        data = JSON.parse(JWT.decode(token, hmac_secret)[0]["data"])
+        data = MultiJson.load(JWT.decode(token, hmac_secret)[0]["data"])
       rescue JWT::ExpiredSignature
         @log.warn "Token has an expired signature"
         errors << "Expired Signature"
@@ -142,7 +142,7 @@ module Autosign
       rescue
         raise Autosign::Token::Invalid
       end
-      cert_data = JSON.parse(decoded["data"])
+      cert_data = MultiJson.load(decoded["data"])
       new_token = self.new(cert_data["certname"], cert_data["reusable"], cert_data["validfor"],
                            cert_data["requester"], hmac_secret)
 
@@ -186,7 +186,7 @@ module Autosign
     end
 
     def to_json
-      JSON.generate to_hash
+      MultiJson.dump to_hash
     end
 
   end

data/lib/autosign/validator.rb

@@ -1,221 +1,58 @@
+# frozen_string_literal: true
+
 require 'logging'
-require 'require_all'
 
 module Autosign
-  # Parent class for validation backends. Validators take the
-  # challenge_password and common name from a certificate signing request,
-  # and perform some action to determine whether the request is valid.
-  #
-  # Validators also get the raw X509 CSR in case the extracted information
-  # is insufficient for future, more powerful validators.
-  #
-  # All validators must inherit from this class, and must override several
-  # methods in order to function. At a minimum, the name and perform_validation
-  # methods must be implemented by child classes.
-  #
-  # @return [Autosign::Validator] instance of the Autosign::Validator class
-  class Validator
-    def initialize()
-      start_logging()
-      settings() # just run to validate settings
-      setup()
-      # call name to ensure that the class fails immediately if child classes
-      # do not implement it.
-      name()
-    end
-
-    # Name of the validator. This must be implemented by validators which
-    # inherit from the Autosign::Validator class. The name is used to identify
-    # the validator in friendly messages and to determine which configuration
-    # file section settings will be loaded from.
-    #
-    # @example set the name of a child class validator to "example"
-    #    module Autosign
-    #      module Validators
-    #        class Example < Autosign::Validator
-    #          def name
-    #           "example"
-    #          end
-    #        end
-    #      end
-    #    end
-    # @return [String] name of the validator. Do not use special characters.
-    def name
-      # override this after inheriting
-      # should return a string with no spaces
-      # this is the name used to reference the validator in config files
-      raise NotImplementedError
-    end
-
-    # define how a validator actually validates the request.
-    # This must be implemented by validators which inherit from the
-    # Autosign::Validator class.
-    #
-    # @param challenge_password [String] the challenge_password OID from the certificate signing request. The challenge_password field is the same setting as the "challengePassword" field in a `csr_attributes.yaml` file when the CSR is generated. In a request using a JSON web token, this would be the serialized token.
-    # @param certname [String] the common name being requested in the certificate signing request. Treat the certname as untrusted. This is user-submitted data that you must validate.
-    # @param raw_csr [String] the encoded X509 certificate signing request, as received by the autosign policy executable. This is provided as an optional extension point, but your validator may not need to use it.
-    # @return [True, False] return true if the certificate should be signed, and false if you cannot validate the request successfully.
-    def perform_validation(challenge_password, certname, raw_csr)
-      # override this after inheriting
-      # should return true to indicate success validating
-      # or false to indicate that the validator was unable to validate
-      raise NotImplementedError
-    end
-
-    # wrapper method that wraps input validation and logging around the perform_validation method.
-    # Do not override or use this class in child classes. This is the class that gets called
-    # on validator objects.
-    def validate(challenge_password, certname, raw_csr)
-      @log.debug "running validate"
-      fail unless challenge_password.is_a?(String)
-      fail unless certname.is_a?(String)
-
-      case perform_validation(challenge_password, certname, raw_csr)
-      when true
-        @log.debug "validated successfully"
-        @log.info  "Validated '#{certname}' using '#{name}' validator"
-        return true
-      when false
-        @log.debug "validation failed"
-        @log.debug "Unable to validate '#{certname}' using '#{name}' validator"
-        return false
-      else
-        @log.error "perform_validation returned a non-boolean result"
-        raise "perform_validation returned a non-boolean result"
+  module Validator
+    
+    # @return [Array] - A list of all the validator classes
+    # @param list [Array] - a list of validators to use, uses the settings list by default
+    # This returns a list of validators that were specified by the user and the exact
+    # order they want the validation to procede.
+    def self.validation_order(settings = Autosign::Config.new.settings, list = nil)
+      validation_order = list || settings['general']['validation_order']
+      # create a key pair where the key is the name of the validator and value is the class
+      validator_list = validator_classes.each_with_object({}) do |klass, acc|
+        acc[klass::NAME] = klass
+        acc
       end
+      # filter out validators that do not exist
+      order = validation_order.map { |v| validator_list.fetch(v, nil) }.compact
+      @log = Logging.logger[self.class]
+      @log.debug("Validator order: #{order.inspect}")
+      order
     end
 
+    # @summary
     # Class method to attempt validation of a request against all validators which inherit from this class.
     # The request is considered to be validated if any one validator succeeds.
+    # The first validator to pass shorts the validation process so other validators are not called.
     # @param challenge_password [String] the challenge_password OID from the certificate signing request
     # @param certname [String] the common name being requested in the certificate signing request
     # @param raw_csr [String] the encoded X509 certificate signing request, as received by the autosign policy executable
-    # @return [True, False] return true if the certificate should be signed, and false if it cannot be validated
-    def self.any_validator(challenge_password, certname, raw_csr)
-      @log = Logging.logger[self.name]
-      # iterate over all known validators and attempt to validate using them
-      results_by_validator = {}
-      results = self.descendants.map {|c|
-        validator = c.new()
-        @log.debug "attempting to validate using #{validator.name}"
-        result = validator.validate(challenge_password, certname, raw_csr)
-        results_by_validator[validator.name] = result
-        @log.debug "result: #{result.to_s}"
-        result
-      }
-      @log.debug "validator results: " + results.to_s
-      @log.info "results by validator: " + results_by_validator.to_s
-      success = results.any?{|result| result == true}
-      if success
-        @log.info "successfully validated using one or more validators"
-        return true
+    # @return [Boolean] return true if the certificate should be signed, and false if it cannot be validated
+    def self.any_validator(challenge_password, certname, raw_csr, settings = Autosign::Config.new.settings)
+      @log = Logging.logger[self.class]
+      # find the first validator that passes and return the class
+      validator = validation_order(settings).find { |c| c.new(settings).validate(challenge_password, certname, raw_csr) }
+      if validator
+        @log.info "Successfully validated using #{validator::NAME}"
+        true
       else
-        @log.info "unable to validate using any validator"
-        return false
+        @log.info 'unable to validate using any validator'
+        false
       end
     end
 
     private
 
-    # this is automatically called when the class is initialized; do not
-    # override it in child classes.
-    def start_logging
-      @log = Logging.logger["Autosign::Validator::" + self.name.to_s]
-      @log.debug "starting autosign validator: " + self.name.to_s
-    end
-
-    # (optionally) override this method in validator child classes to perform any additional
-    # setup during class initialization prior to beginning validation.
-    # If you need to create a database connection, this would be a good place to do it.
-    # @return [True, False] return true if setup succeeded, or false if setup failed and the validation should not continue
-    def setup
-      true
-    end
-
     # Find other classes that inherit from this class.
     # Used to discover autosign validators. There is probably no reason to use
     # this directly.
     # @return [Array] of classes inheriting from Autosign::Validator
-    def self.descendants
-      ObjectSpace.each_object(Class).select { |klass| klass < self }
+    def self.validator_classes
+      validators = Dir.glob(File.join(__dir__, 'validator', '*')).sort.each {|k| require k }
+      ObjectSpace.each_object(Class).select { |klass| klass < Autosign::Validator::ValidatorBase }
     end
-
-    # provide a merged settings hash of default settings for a validator,
-    # config file settings for the validator, and override settings defined in
-    # the validator.
-    #
-    # Do not override this in child classes. If you need to set
-    # custom config settings, override the get_override_settings method.
-    # The section of the config file this reads from is the same as the name
-    # method returns.
-    #
-    # @return [Hash] of config settings
-    def settings
-      @log.debug "merging settings"
-      setting_sources = [get_override_settings, load_config, default_settings]
-      merged_settings = setting_sources.inject({}) { |merged, hash| merged.deep_merge(hash) }
-      @log.debug "using merged settings: " + merged_settings.to_s
-      @log.debug "validating merged settings"
-      if validate_settings(merged_settings)
-        @log.debug "successfully validated merged settings"
-        return merged_settings
-      else
-        @log.warn "validation of merged settings failed"
-        @log.warn "unable to validate settings in #{self.name} validator"
-        raise "settings validation error"
-      end
-    end
-
-    # (optionally) override this from a child class to set config defaults.
-    # These will be overridden by config file settings.
-    #
-    # Override this when inheriting if you need to set config defaults.
-    # For example, if you want to pull settings from zookeeper, this would
-    # be a good place to do that.
-    #
-    # @return [Hash] of config settings
-    def default_settings
-      {}
-    end
-
-
-    # (optionally) override this to perform validation checks on the merged
-    # config hash of default settings, config file settings, and override
-    # settings.
-    # @return [True, False]
-    def validate_settings(settings)
-      settings.is_a?(Hash)
-    end
-
-    # load any required configuration from the config file.
-    # Do not override this in child classes.
-    # @return [Hash] configuration settings from the validator's section of the config file
-    def load_config
-      @log.debug "loading validator-specific configuration"
-      config = Autosign::Config.new
-
-      if config.settings.to_hash[self.name].nil?
-        @log.warn "Unable to load validator-specific configuration"
-        @log.warn "Cannot load configuration section named '#{self.name}'"
-        return {}
-      else
-        @log.debug "Set validator-specific settings from config file: " + config.settings.to_hash[self.name].to_s
-        return config.settings.to_hash[self.name]
-      end
-    end
-
-    # (optionally) override this from child classes to get custom configuration
-    # from a validator.
-    #
-    # This is how you override defaults and config file settings.
-    # @return [Hash] configuration settings
-    def get_override_settings
-      {}
-    end
-
   end
 end
-
-# must run at the end because the validators inherit this class
-# this loads all validators
-require_rel 'validators'

data/lib/autosign/{validators → validator}/jwt.rb

@@ -1,20 +1,16 @@
+# frozen_string_literal: true
+require 'autosign/validator/validator_base'
+
 module Autosign
-  module Validators
+  module Validator
     # Validate certificate signing requests using JSON Web Tokens (JWT).
     # This is the expected primary validator when using the autosign gem.
     # Validation requires that the shared secret used to generate the JWT is
     # the same as on the validating system. The validator also checks that the
     # token has not expired, and that one-time (non-reusable) tokens have not
     # been previously used.
-    class JWT < Autosign::Validator
-
-      # set the user-friendly name of the JWT validator.
-      # This name is used to specify that configuration should come from the
-      # [jwt_token] section of the autosign.conf file.
-      # @return [String] name of the validator
-      def name
-        "jwt_token"
-      end
+    class JWT < Autosign::Validator::ValidatorBase
+      NAME = 'jwt_token'
 
       private
 
@@ -26,15 +22,19 @@ module Autosign
       # @param certname [String] the certname being requested in the certificate signing request
       # @param raw_csr [String] Raw CSR; not used in this validator.
       # @return [True, False] returns true to indicate successful validation, and false to indicate failure to validate
-      def perform_validation(token, certname, raw_csr)
-        @log.info "attempting to validate JWT token"
-        return false unless Autosign::Token.validate(certname, token, settings['secret'])
-        @log.info "validated JWT token"
-        @log.debug "validated JWT token, checking reusability"
+      def perform_validation(token, certname, _raw_csr)
+        @log.info "attempting to validate with #{name}"
+        unless Autosign::Token.validate(certname, token, settings['secret'])
+          return false
+        end
+
+        @log.info 'validated JWT token'
+        @log.debug 'validated JWT token, checking reusability'
 
         return true if is_reusable?(token)
         return true if add_to_journal(token)
-        return false
+
+        false
       end
 
       def is_reusable?(token)
@@ -49,16 +49,16 @@ module Autosign
       def add_to_journal(token)
         validated_token = Autosign::Token.from_token(token, settings['secret'])
         @log.debug 'add_to_journal settings: ' + settings.to_s
-        journal = Autosign::Journal.new({'journalfile' => settings['journalfile']})
+        journal = Autosign::Journal.new('journalfile' => settings['journalfile'])
         token_expiration = Autosign::Token.token_validto(token, settings['secret'])
 
         # adding will return false if the token is already in the journal
         if journal.add(validated_token.uuid, token_expiration, validated_token.to_hash)
           @log.info "added token with UUID '#{validated_token.uuid}' to journal"
-          return true
+          true
         else
-          @log.warn "journal cannot validate one-time token; may already have been used"
-          return false
+          @log.warn 'journal cannot validate one-time token; may already have been used'
+          false
         end
       end
 
@@ -75,34 +75,33 @@ module Autosign
       #
       # This should probably be done differently at some point.
       def get_override_settings
-        if (ENV["AUTOSIGN_TESTMODE"] == "true" and
-            !ENV["AUTOSIGN_TEST_SECRET"].nil? and
-            !ENV["AUTOSIGN_TEST_JOURNALFILE"].nil? )
-           {
-             'secret'      => ENV["AUTOSIGN_TEST_SECRET"].to_s,
-             'journalfile' => ENV["AUTOSIGN_TEST_JOURNALFILE"].to_s
-           }
+        if (ENV['AUTOSIGN_TESTMODE'] == 'true') &&
+           !ENV['AUTOSIGN_TEST_SECRET'].nil? &&
+           !ENV['AUTOSIGN_TEST_JOURNALFILE'].nil?
+          {
+            'secret' => ENV['AUTOSIGN_TEST_SECRET'].to_s,
+            'journalfile' => ENV['AUTOSIGN_TEST_JOURNALFILE'].to_s
+          }
         else
           {}
         end
       end
 
-    # Validate that the settings hash contains a secret.
-    # The validator cannot function without a secret, so there's no point
-    # in continuing to run if it was configured without a secret.
-    # @param settings [Hash] settings hash
-    # @return [True, False] return true if settings are valid, false if config is unusable
-    def validate_settings(settings)
-      @log.debug "validating settings: " + settings.to_s
-      if settings['secret'].is_a?(String)
-        @log.info "validated settings successfully"
-        return true
-      else
-        @log.error "no secret setting found"
-        return false
+      # Validate that the settings hash contains a secret.
+      # The validator cannot function without a secret, so there's no point
+      # in continuing to run if it was configured without a secret.
+      # @param settings [Hash] settings hash
+      # @return [True, False] return true if settings are valid, false if config is unusable
+      def validate_settings(settings)
+        @log.debug 'validating settings: ' + settings.to_s
+        if settings['secret'].is_a?(String)
+          @log.info "validated settings successfully for #{name}"
+          true
+        else
+          @log.error 'no secret setting found'
+          false
+        end
       end
     end
-
-    end
   end
 end