autosign 0.1.1 → 1.0.1

data/lib/autosign/{validators → validator}/multiplexer.rb

@@ -1,6 +1,8 @@
-module Autosign
-  module Validators
+# frozen_string_literal: true
+require 'autosign/validator/validator_base'
 
+module Autosign
+  module Validator
     # The multiplexer validator sends the same request received by the autosign
     # executable to one or more external executables. The purpose is to allow
     # one or more existing autosign scripts to be used in conjunction with the
@@ -25,15 +27,8 @@ module Autosign
     #     external_policy_executable = /usr/local/bin/another-autosign-script.rb
     #   # requests will only be validated by the multiplexer validator if they
     #   # are validated by both external policy executables.
-    class Multiplexer < Autosign::Validator
-
-      # set the user-friendly name of the Multiplexer validator.
-      # This name is used to specify that configuration should come from the
-      # [multiplexer] section of the autosign.conf file.
-      # @return [String] name of the validator
-      def name
-        "multiplexer"
-      end
+    class Multiplexer < Autosign::Validator::ValidatorBase
+      NAME = 'multiplexer'
 
       private
 
@@ -42,25 +37,24 @@ module Autosign
       # @param certname [String] certname requested in the CSR
       # @param raw_csr [String] X509 certificate signing request as received by the policy executable
       # @return [True, False] returns true to indicate successful validation, and false to indicate failure to validate
-      def perform_validation(token, certname, raw_csr)
+      def perform_validation(_token, certname, raw_csr)
         results = []
-        @log.debug "validating using multiplexed external executables"
-        policy_executables.each {|executable|
-          @log.debug "attempting to validate using #{executable.to_s}"
-          results << IO.popen(executable + ' ' + certname.to_s, 'r+') {|obj| obj.puts raw_csr; obj.close_write; obj.read; obj.close; $?.to_i }
-          @log.debug "exit code from #{executable.to_s}: #{results.last}"
-        }
-        bool_results = results.map {|val| val == 0}
-        return validate_using_strategy(bool_results)
+        @log.debug 'validating using multiplexed external executables'
+        policy_executables.each do |executable|
+          @log.debug "attempting to validate using #{executable}"
+          results << IO.popen(executable + ' ' + certname.to_s, 'r+') { |obj| obj.puts raw_csr; obj.close_write; obj.read; obj.close; $CHILD_STATUS.to_i }
+          @log.debug "exit code from #{executable}: #{results.last}"
+        end
+        bool_results = results.map { |val| val == 0 }
+        validate_using_strategy(bool_results)
       end
 
-
       # set the default validation strategy to "any", succeeding if any one
       # external autosign script succeeds.
       # @return [Hash] config hash to be merged in with config file settings and overrides.
       def default_settings
         {
-          'strategy' => 'any',
+          'strategy' => 'any'
         }
       end
 
@@ -72,13 +66,13 @@ module Autosign
         case settings['strategy']
         when 'any'
           @log.debug "validating using 'any' strategy"
-          return array.any?
+          array.any?
         when 'all'
           @log.debug "validating using 'all' strategy"
-          return array.all?
+          array.all?
         else
-          @log.error "unable to validate; unknown strategy"
-          return false
+          @log.error 'unable to validate; unknown strategy'
+          false
         end
       end
 
@@ -86,25 +80,23 @@ module Autosign
       # or an empty array if none are specified.
       # @return [Array] of policy executables.
       def policy_executables
-	Array(settings['external_policy_executable'])      
+        Array(settings['external_policy_executable'])
       end
 
-
       # validate that settins are reasonable. Validation strategy must be
       # either any or all.
       # @param settings [Hash] config settings hash
       # @return [True, False] true if settings validate successfully, false otherwise
       def validate_settings(settings)
-        @log.debug "validating settings: " + settings.to_s
-        unless ['any', 'all'].include? settings['strategy']
+        @log.debug 'validating settings: ' + settings.to_s
+        unless %w[any all].include? settings['strategy']
           @log.error "strategy setting must be set to 'any' or 'all'"
           return false
         end
 
-        @log.debug "done validating settings"
+        @log.debug 'done validating settings'
         true
       end
-
     end
   end
 end

data/lib/autosign/{validators → validator}/passwordlist.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+require 'autosign/validator/validator_base'
 module Autosign
-  module Validators
+  module Validator
     # Validate certificate signing requests using a simple password list.
     # This is not a very secure or flexible validation scheme, but is provided
     # because so many existing autosign policy scripts implement it.
@@ -11,35 +13,32 @@ module Autosign
     #   password = opensesame
     #   password = CPE1704TKS
     #
-    class Passwordlist < Autosign::Validator
-      def name
-        "password_list"
-      end
+    class Passwordlist < Autosign::Validator::ValidatorBase
+      NAME = 'password_list'
 
       private
 
-      def perform_validation(password, certname, raw_csr)
-        @log.debug "validating against simple password list"
-        @log.debug "passwords: " + settings.to_s
+      def perform_validation(password, _certname, _raw_csr)
+        @log.debug 'validating against simple password list'
+        @log.debug 'passwords: ' + settings.to_s
         result = validate_password(password.to_s)
-        @log.debug "validation result: " + result.to_s
-        return result
+        @log.debug 'validation result: ' + result.to_s
+        result
       end
 
       def validate_password(password)
-        @log.debug "Checking if password list includes password"
+        @log.debug 'Checking if password list includes password'
         password_list.include?(password.to_s)
       end
 
       def password_list
-	Array(settings['password'])      
+        Array(settings['password'])
       end
 
-    def validate_settings(settings)
-      @log.debug "validating settings: " + settings.to_s
-      true
-    end
-
+      def validate_settings(settings)
+        @log.debug 'validating settings: ' + settings.to_s
+        true
+      end
     end
   end
 end

data/lib/autosign/validator/validator_base.rb

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+
+require 'logging'
+
+module Autosign
+  module Validator
+    # Parent class for validation backends. Validator take the
+    # challenge_password and common name from a certificate signing request,
+    # and perform some action to determine whether the request is valid.
+    #
+    # Validator also get the raw X509 CSR in case the extracted information
+    # is insufficient for future, more powerful validators.
+    #
+    # All validators must inherit from this class, and must override several
+    # methods in order to function. At a minimum, the name and perform_validation
+    # methods must be implemented by child classes.
+    #
+    # @return Autosign::Validator::ValidatorBase instance of the Autosign::Validator::ValidatorBase class
+    class ValidatorBase
+      NAME = 'base'
+      attr_reader :config_file_settings
+
+      def initialize(config_file_settings = nil)
+        @config_file_settings = config_file_settings
+        start_logging
+        settings # just run to validate settings
+        setup
+        # call name to ensure that the class fails immediately if child classes
+        # do not implement it.
+        name
+      end
+  
+      # @return [String] name of the validator. Do not use special characters.
+      # You must set the NAME constant in the sublcass
+      def name
+        self.class::NAME
+      end
+  
+      # define how a validator actually validates the request.
+      # This must be implemented by validators which inherit from the
+      # Autosign::Validator class.
+      #
+      # @param challenge_password [String] the challenge_password OID from the certificate signing request. The challenge_password field is the same setting as the "challengePassword" field in a `csr_attributes.yaml` file when the CSR is generated. In a request using a JSON web token, this would be the serialized token.
+      # @param certname [String] the common name being requested in the certificate signing request. Treat the certname as untrusted. This is user-submitted data that you must validate.
+      # @param raw_csr [String] the encoded X509 certificate signing request, as received by the autosign policy executable. This is provided as an optional extension point, but your validator may not need to use it.
+      # @return [True, False] return true if the certificate should be signed, and false if you cannot validate the request successfully.
+      def perform_validation(_challenge_password, _certname, _raw_csr)
+        # override this after inheriting
+        # should return true to indicate success validating
+        # or false to indicate that the validator was unable to validate
+        raise NotImplementedError
+      end
+  
+      # wrapper method that wraps input validation and logging around the perform_validation method.
+      # Do not override or use this class in child classes. This is the class that gets called
+      # on validator objects.
+      def validate(challenge_password, certname, raw_csr)
+        raise unless challenge_password.is_a?(String)
+        raise unless certname.is_a?(String)
+  
+        case perform_validation(challenge_password, certname, raw_csr)
+        when true
+          @log.debug 'validated successfully'
+          @log.info  "Validated '#{certname}' using '#{name}' validator"
+          true
+        when false
+          @log.debug 'validation failed'
+          @log.debug "Unable to validate '#{certname}' using '#{name}' validator"
+          false
+        else
+          @log.error 'perform_validation returned a non-boolean result'
+          raise 'perform_validation returned a non-boolean result'
+        end
+      end
+
+      private
+
+      # this is automatically called when the class is initialized; do not
+      # override it in child classes.
+      def start_logging
+        @log = Logging.logger[self.class]
+        @log.debug 'starting autosign validator: ' + name.to_s
+      end
+
+      # (optionally) override this method in validator child classes to perform any additional
+      # setup during class initialization prior to beginning validation.
+      # If you need to create a database connection, this would be a good place to do it.
+      # @return [True, False] return true if setup succeeded, or false if setup failed and the validation should not continue
+      def setup
+        true
+      end
+
+    # provide a merged settings hash of default settings for a validator,
+    # config file settings for the validator, and override settings defined in
+    # the validator.
+    #
+    # Do not override this in child classes. If you need to set
+    # custom config settings, override the get_override_settings method.
+    # The section of the config file this reads from is the same as the name
+    # method returns.
+    #
+    # @return [Hash] of config settings
+    def settings
+      @settings ||= begin
+        @log.debug "merging settings for #{name} validator"
+        setting_sources = [get_override_settings, load_config, default_settings]
+        merged_settings = setting_sources.inject({}) { |merged, hash| merged.deep_merge(hash, {:overwrite_arrays => true}) }
+        @log.debug 'using merged settings: ' + merged_settings.to_s
+        @log.debug 'validating merged settings'
+        if validate_settings(merged_settings)
+          @log.debug 'successfully validated merged settings'
+          merged_settings
+        else
+          @log.warn 'validation of merged settings failed'
+          @log.warn "unable to validate settings in #{name} validator"
+          raise 'settings validation error'
+        end
+        merged_settings
+      end
+    end
+
+    # (optionally) override this from a child class to set config defaults.
+    # These will be overridden by config file settings.
+    #
+    # Override this when inheriting if you need to set config defaults.
+    # For example, if you want to pull settings from zookeeper, this would
+    # be a good place to do that.
+    #
+    # @return [Hash] of config settings
+    def default_settings
+      {}
+    end
+
+    # (optionally) override this to perform validation checks on the merged
+    # config hash of default settings, config file settings, and override
+    # settings.
+    # @return [True, False]
+    def validate_settings(settings)
+      settings.is_a?(Hash)
+    end
+
+    # load any required configuration from the config file.
+    # Do not override this in child classes.
+    # @return [Hash] configuration settings from the validator's section of the config file
+    def load_config
+      @log.debug 'loading validator-specific configuration'
+      config_settings = @config_file_settings ||= Autosign::Config.new.settings
+      if config_settings.to_hash[name].nil?
+        @log.warn 'Unable to load validator-specific configuration'
+        @log.warn "Cannot load configuration section named '#{name}'"
+        {}
+      else
+        @log.debug 'Set validator-specific settings from config file: ' + config_settings.to_hash[name].to_s
+        config_settings.to_hash[name]
+      end
+    end
+
+    # (optionally) override this from child classes to get custom configuration
+    # from a validator.
+    #
+    # This is how you override defaults and config file settings.
+    # @return [Hash] configuration settings
+    def get_override_settings
+      {}
+    end
+  end
+  end
+end

data/lib/autosign/version.rb

@@ -1,3 +1,3 @@
 module Autosign
-  VERSION = '0.1.1'
+  VERSION = '1.0.1'
 end

metadata

@@ -1,171 +1,185 @@
 --- !ruby/object:Gem::Specification
 name: autosign
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 1.0.1
 platform: ruby
 authors:
 - Daniel Dreier
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-10-30 00:00:00.000000000 Z
+date: 2020-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: aruba
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10'
+        version: '0.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10'
+        version: '0.6'
 - !ruby/object:Gem::Dependency
-  name: rdoc
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cucumber
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4'
+        version: '2'
 - !ruby/object:Gem::Dependency
-  name: aruba
+  name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '0.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '0.10'
 - !ruby/object:Gem::Dependency
-  name: cucumber
+  name: puppet
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '6'
 - !ruby/object:Gem::Dependency
-  name: puppet
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '13'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '13'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rdoc
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '4'
 - !ruby/object:Gem::Dependency
-  name: coveralls
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3'
 - !ruby/object:Gem::Dependency
-  name: pry
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.10'
+        version: 0.83.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.10'
+        version: 0.83.0
 - !ruby/object:Gem::Dependency
-  name: gli
+  name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
-  type: :runtime
+        version: 0.9.11
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: 0.9.11
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
-  type: :runtime
+        version: '2.0'
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: iniparse
+  name: deep_merge
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
-  name: logging
+  name: gli
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -179,7 +193,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2'
 - !ruby/object:Gem::Dependency
-  name: json
+  name: iniparse
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -193,7 +207,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1'
 - !ruby/object:Gem::Dependency
-  name: deep_merge
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -207,83 +221,74 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1'
 - !ruby/object:Gem::Dependency
-  name: require_all
+  name: logging
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '2'
 - !ruby/object:Gem::Dependency
-  name: yard
+  name: multi_json
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '1'
 description: 
 email: ddreier@thinkplango.com
 executables:
 - autosign
 - autosign-validator
 extensions: []
-extra_rdoc_files: []
+extra_rdoc_files:
+- CHANGELOG.md
+- LICENSE
+- README.md
 files:
 - ".gitignore"
 - ".rspec"
+- ".rubocop.yml"
+- ".rubocop_todo.yml"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
+- LICENSE
 - README.md
 - Rakefile
 - autosign.gemspec
 - bin/autosign
 - bin/autosign-validator
-- features/autosign.feature
-- features/step_definitions/autosign_steps.rb
-- features/support/env.rb
-- features/validate.feature
-- fixtures/i-7672fe81.pem
 - lib/autosign.rb
 - lib/autosign/config.rb
 - lib/autosign/decoder.rb
 - lib/autosign/journal.rb
 - lib/autosign/token.rb
 - lib/autosign/validator.rb
-- lib/autosign/validators/jwt.rb
-- lib/autosign/validators/multiplexer.rb
-- lib/autosign/validators/passwordlist.rb
+- lib/autosign/validator/jwt.rb
+- lib/autosign/validator/multiplexer.rb
+- lib/autosign/validator/passwordlist.rb
+- lib/autosign/validator/validator_base.rb
 - lib/autosign/version.rb
-- spec/spec_helper.rb
-- spec/specs/config_spec.rb
-- spec/specs/decoder_spec.rb
-- spec/specs/journal_spec.rb
-- spec/specs/token_spec.rb
-- spec/specs/validators/jwt_spec.rb
-- spec/specs/validators/passwordlist_spec.rb
 homepage: https://github.com/danieldreier/autosign
 licenses: []
 metadata: {}
 post_install_message: 
-rdoc_options:
-- "--title"
-- autosign
-- "--main"
-- README.rdoc
-- "-ri"
+rdoc_options: []
 require_paths:
 - lib
 - lib
@@ -298,8 +303,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: Tooling to make puppet autosigning easy, secure, and extensible