autosign 0.1.1 → 1.0.1
- checksums.yaml +5 -5
- data/.rubocop.yml +12 -0
- data/.rubocop_todo.yml +659 -0
- data/.travis.yml +4 -5
- data/CHANGELOG.md +56 -0
- data/Gemfile.lock +107 -89
- data/LICENSE +201 -0
- data/README.md +37 -0
- data/Rakefile +22 -22
- data/autosign.gemspec +24 -20
- data/bin/autosign +23 -15
- data/bin/autosign-validator +14 -6
- data/lib/autosign.rb +1 -1
- data/lib/autosign/config.rb +71 -56
- data/lib/autosign/decoder.rb +7 -3
- data/lib/autosign/journal.rb +2 -2
- data/lib/autosign/token.rb +7 -7
- data/lib/autosign/validator.rb +34 -197
- data/lib/autosign/{validators → validator}/jwt.rb +41 -42
- data/lib/autosign/{validators → validator}/multiplexer.rb +24 -32
- data/lib/autosign/{validators → validator}/passwordlist.rb +16 -17
- data/lib/autosign/validator/validator_base.rb +168 -0
- data/lib/autosign/version.rb +1 -1
- metadata +78 -74
- data/features/autosign.feature +0 -93
- data/features/step_definitions/autosign_steps.rb +0 -44
- data/features/support/env.rb +0 -17
- data/features/validate.feature +0 -22
- data/fixtures/i-7672fe81.pem +0 -34
- data/spec/spec_helper.rb +0 -102
- data/spec/specs/config_spec.rb +0 -20
- data/spec/specs/decoder_spec.rb +0 -16
- data/spec/specs/journal_spec.rb +0 -41
- data/spec/specs/token_spec.rb +0 -102
- data/spec/specs/validators/jwt_spec.rb +0 -69
- data/spec/specs/validators/passwordlist_spec.rb +0 -51
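--- a/data/features/autosign.feature
+++ b/data/features/autosign.feature
@@ -1,93 +0,0 @@
-Feature: Generate autosign key
-In order to sign puppet certificates automatically
-I want to generate autosign keys programatically
-So I don't have to use static strings as keys
-
-Scenario: Generate new token
-Given a pre-shared key of "secret"
-And a hostname of "foo.example.com"
-And a file named "autosign.conf" with:
-"""
----
-jwt_token:
-validity: '7200'
-secret: 'secret'
-"""
-When I run `chmod 600 autosign.conf`
-And I run `autosign --config autosign.conf generate foo.example.com`
-Then the output should contain "Autosign token for: foo.example.com"
-And the output should contain "valid until"
-And the exit status should be 0
-
-Scenario: Generate new token using the --bare flag
-Given a pre-shared key of "secret"
-And a hostname of "foo.example.com"
-And a file named "autosign.conf" with:
-"""
----
-jwt_token:
-validity: '7200'
-secret: 'secret'
-"""
-When I run `chmod 600 autosign.conf`
-And I run `autosign --config autosign.conf generate --bare foo.example.com`
-Then the output should be a JSON web token
-And the output should not contain "Autosign token for: foo.example.com"
-And the output should not contain "valid until"
-And the exit status should be 0
-
-Scenario: Generate new reusable token
-Given a pre-shared key of "secret"
-And a hostname of "foo.example.com"
-And a file named "autosign.conf" with:
-"""
----
-jwt_token:
-validity: '7200'
-secret: 'secret'
-"""
-When I run `chmod 600 autosign.conf`
-When I run `autosign --config autosign.conf generate foo.example.com --reusable`
-Then the output should contain "Autosign token for: foo.example.com"
-And the output should contain "valid until"
-And the exit status should be 0
-
-Scenario: Validate a token
-Given a pre-shared key of "secret"
-And a hostname of "foo.example.com"
-And a file named "autosign.conf" with:
-"""
----
-jwt_token:
-secret: 'secret'
-"""
-When I run `chmod 600 autosign.conf`
-When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjI5OTk5OTk5OSxcInV1aWRcIjpcIjlkYTA0Yzc4LWQ5NjUtNDk2OC04MWNjLWVhM2RjZDllZjVjMFwifSIsImV4cCI6IjE3MzY0NjYxMzAifQ.PJwY8rIunVyWi_lw0ypFclME0jx3Vd9xJIQSyhN3VUmul3V8u4Tp9XwDgoAu9DVV0-WEG2Tfxs6F8R6Fn71Ndg"`
-Then the output should contain "token validated successfully"
-And the exit status should be 0
-
-Scenario: Not validate a bad token
-Given a pre-shared key of "secret"
-And a hostname of "foo.example.com"
-And a file named "autosign.conf" with:
-"""
----
-jwt_token:
-secret: 'secret'
-"""
-When I run `chmod 600 autosign.conf`
-When I run `autosign --config autosign.conf validate --certname "foo.example.com" "invalid_token"`
-Then the exit status should be 1
-
-Scenario: Not validate an expired token
-Given a pre-shared key of "secret"
-And a hostname of "foo.example.com"
-And a file named "autosign.conf" with:
-"""
----
-jwt_token:
-secret: 'secret'
-"""
-When I run `chmod 600 autosign.conf`
-When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjEsXCJ1dWlkXCI6XCJlNjI1Y2I1Ny02NzY5LTQwMzQtODNiZS0zNzkxNmQ5YmMxMDRcIn0iLCJleHAiOiIxNDM2NDY2MzAyIn0.UXEDEbRqEWx5SdSpQjfowU56JubY5Yz2QN6cckby2es-g2P_n2lyAS6AwFeliBXyCDyVUelIT3g1QP4TdB9EEA"`
-Then the exit status should be 1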
@@ -1,44 +0,0 @@
|
|
1
|
-
When(/^I get help for "([^"]*)"$/) do |app_name|
|
2
|
-
@app_name = app_name
|
3
|
-
step %(I run `#{app_name} help`)
|
4
|
-
end
|
5
|
-
|
6
|
-
Given(/^a pre\-shared key of "([^"]*)"$/) do |presharedkey|
|
7
|
-
@psk = presharedkey
|
8
|
-
end
|
9
|
-
|
10
|
-
Given(/^a hostname of "([^"]*)"$/) do |host|
|
11
|
-
@hostname = host
|
12
|
-
end
|
13
|
-
|
14
|
-
Given(/^the current time is (\d+)$/) do |time|
|
15
|
-
@current_time = time
|
16
|
-
end
|
17
|
-
|
18
|
-
Given(/^a static token file containing:$/) do |multiline|
|
19
|
-
@static_token_file = multiline
|
20
|
-
end
|
21
|
-
|
22
|
-
Given(/^a mocked "\/(\S*)" directory$/)do |directory|
|
23
|
-
dir_name = File.join(File.expand_path(current_dir), "etc")
|
24
|
-
FileUtils.mkdir_p dir_name
|
25
|
-
set_env 'ETCROOT', dir_name
|
26
|
-
# create_dir("etc")
|
27
|
-
end
|
28
|
-
|
29
|
-
Then(/^a "\/(\S*)" (?:file|directory) should exist$/) do |file|
|
30
|
-
#expect(File.exist?(File.join(File.expand_path(current_dir), file))).to be true
|
31
|
-
fullpath = File.join(File.expand_path(current_dir), file)
|
32
|
-
FileUtils.mkdir_p fullpath
|
33
|
-
$world.puts "path: " + fullpath
|
34
|
-
expect(File.exist?(file)).to be true
|
35
|
-
end
|
36
|
-
|
37
|
-
#When(/^I pipe in the file "(.*?)"$/) do |file|
|
38
|
-
# in_current_dir do
|
39
|
-
# File.open(file, 'r').each_line do |line|
|
40
|
-
# _write_interactive(line)
|
41
|
-
# end
|
42
|
-
# end
|
43
|
-
# @interactive.stdin.close()
|
44
|
-
#end
|
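--- a/data/features/support/env.rb
+++ b/data/features/support/env.rb
@@ -1,17 +0,0 @@
-require 'aruba/cucumber'
-
-
-ENV['PATH'] = "#{File.expand_path(File.dirname(__FILE__) + '/../../bin')}#{File::PATH_SEPARATOR}#{ENV['PATH']}"
-LIB_DIR = File.join(File.expand_path(File.dirname(__FILE__)),'..','..','lib')
-
-Before do
-# Using "announce" causes massive warnings on 1.9.2
-@puts = true
-@original_rubylib = ENV['RUBYLIB']
-ENV['RUBYLIB'] = LIB_DIR + File::PATH_SEPARATOR + ENV['RUBYLIB'].to_s
-$world = self
-end
-
-After do
-ENV['RUBYLIB'] = @original_rubylib
-end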
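--- a/data/features/validate.feature
+++ b/data/features/validate.feature
@@ -1,22 +0,0 @@
-Feature: Validate autosign key
-In order to sign puppet certificates automatically
-I want to validate autosign keys programatically
-So that I only grant access to allowed systems without needing manual authorization
-
-Scenario: Validate a certificate signing request
-Given I set the environment variables to:
-| variable | value |
-| AUTOSIGN_TESTMODE | true |
-| AUTOSIGN_TEST_SECRET | secret |
-| AUTOSIGN_TEST_LOGLEVEL | info |
-| AUTOSIGN_TEST_JOURNALFILE | /tmp/autosign_journal |
-When I run `rm -f /tmp/autosign_journal`
-And I run `autosign-validator i-7672fe81` interactively
-And I pipe in the file "../../fixtures/i-7672fe81.pem"
-Then the output should contain "token validated successfully"
-Then the exit status should be 0
-
-Scenario: Do not validate a certificate signing request whose certname does not match the certificate
-When I run `autosign-validator wrong-certname.example.com` interactively
-And I pipe in the file "../../fixtures/i-7672fe81.pem"
-Then the exit status should be 1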
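--- a/data/fixtures/i-7672fe81.pem
+++ b/data/fixtures/i-7672fe81.pem
@@ -1,34 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIIF9jCCA94CAQAwFTETMBEGA1UEAwwKaS03NjcyZmU4MTCCAiIwDQYJKoZIhvcN
-AQEBBQADggIPADCCAgoCggIBAKKhHBbqjeZUoeOoeeM2x3OT0CgbwN/GQfpKkuYc
-8WowPKyRqqYnyMuQmEq4g7E5VwCkNWJYhbz+dwqmg+xCetKMD6LXd2y2ro2XmqIp
-QTlEj833Voi3ULiesbqaY3tRZbJ/VyeycjgcClyqXA6JCwgvI3o92imXQSJanNRe
-XN4MWPRkunAKqPahJyQ+++Oov+vBlS6RJdQGa1+2+qi18f323UJlwYeCDvV6psKi
-FRMIBgJVKbuRMC1E381/MXr/J8WQK4IGbJP6oDeOGQujDwRYw6+byrx9Xbi2fvpA
-T0ff4+9aAfBatkBG9O8ZGPxUMk//nPKo78qwEZWo1cCsWXdPZyEafu4uNi7B5nQf
-EAwYofM3Igh6F5tHXmi/IyqNHIubfLJwrR/RFZW41zEyAqTTRcQxZsXR0bqTuFIm
-ki0q7+6E9hPfG9bo2ux4rC5ttmmlEYELdRmpicfybB0S0w4JxVu+qNY4wVnQc2KS
-6Sdif4EA3F+pvi21q0Nil8Xwp2xzdp7HDnTevZm/lKYyDv5XIhhAbCb3MVHuSRg1
-WBEp0YScn4wju1XUwrczgT2FZx9PQ6Pqb8kWvED988tLE8yULqMpMHeDF/goNNJb
-X9I521XSOLTPsKOALGeVt13CafO/Kuji+uQDXvj4hNUjIc49wvm30Gdng0IWnXsx
-srXbAgMBAAGgggGaMIIBlgYJKoZIhvcNAQkHMYIBhxOCAYNleUowZVhBaU9pSktW
-MVFpTENKaGJHY2lPaUpJVXpVeE1pSjkuZXlKa1lYUmhJam9pZTF3aVkyVnlkRzVo
-YldWY0lqcGNJbWt0TnpZM01tWmxPREZjSWl4Y0luSmxjWFZsYzNSbGNsd2lPbHdp
-UkdGdWFXVnNjeTFOWVdOQ2IyOXJMVkJ5YnkweUxteHZZMkZzWENJc1hDSnlaWFZ6
-WVdKc1pWd2lPbVpoYkhObExGd2lkbUZzYVdSbWIzSmNJam94TlRjMk9EQXdNREFz
-WENKMWRXbGtYQ0k2WENKbE16WmtNemt5T1MwNU5XVmxMVFF5TkRRdE9USXdaUzAw
-Tm1aaU4yWTRNVFUzWkRWY0luMGlMQ0psZUhBaU9pSXhOVGsxTVRjM05UYzBJbjAu
-Z2ZUcFVQTEdueHd0dmZNSDVDMHVjV3NYQnFyaEJEX0h2Q2lOSF85enZoRmFmSE1p
-al9uZzE0SzhGLU1NTGdRb0RCbG9PSnVralg4cWNraTVjRm1LS2cwDQYJKoZIhvcN
-AQELBQADggIBABneBgIDyCee43GXJGduaZKVVepGtfYsgmI3Uvq9AU+UNNrF56d/
-PhwsttTDC1V+vHBNuVq3hPgAb5TJ+f3DDT2v/3KenzAsOFRi0WEJ+iXjFRb4pJ8F
-cDsyyPgqTkAnIMTk1dnMvzP3yrROVqnE0XU/EvFv9aiWcFd8e/HSkWXQoo1SnTxp
-Ax6Dz673j9DBJwlg6yiFVvzO/styBAuVZBxA9r1VBUZUXqjmqQ36V8CJ+nATwoWt
-rKQDpz+jR3WoKtFm3IIctHOYzv2G0bUCOhALKPVqqaaXCLnlWS1T+a9IwkwsH5eN
-iOAb/NlSMO8vbXHyNV3zyNHEHGFzBgTYhQKJQvfPWPEpAG10jwvG5lY69wVev9+l
-4rg841j7FNc4A6URyZ4rgKdr45LDZODNyCKgPEc+cU5dPjORbRISo5SAfIAol+yo
-vIrhs1Bgs3sltnhGu9MJn9ffIhLyNkzstPaxP1xg+6yRiMXFTYxeAICtljgCAIPf
-ZKngEMO5ZQUoVEW1TfyFYjkxbXDy76JbmgsLHPaFfDvXBJzquzKjDObAvBHx260Y
-SGV4B8i9/ckcNSApkamuayZNSpelbLkrnkVqJy9XE8cQUgjwv7n8FJQMi/lmbwk6
-NbdRflL16fC52CXimwJD+jmlmjK3nE7B3z96L41dV/vW/pzjXIKuKepH
------END CERTIFICATE REQUEST-----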
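--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -1,102 +0,0 @@
-require 'coveralls'
-Coveralls.wear!
-# This file was generated by the `rspec --init` command. Conventionally, all
-# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
-# The generated `.rspec` file contains `--require spec_helper` which will cause
-# this file to always be loaded, without a need to explicitly require it in any
-# files.
-#
-# Given that it is always loaded, you are encouraged to keep this file as
-# light-weight as possible. Requiring heavyweight dependencies from this file
-# will add to the boot time of your test suite on EVERY test run, even for an
-# individual file that may not need all of that loaded. Instead, consider making
-# a separate helper file that requires the additional dependencies and performs
-# the additional setup, and require it from the spec files that actually need
-# it.
-#
-# The `.rspec` file also contains a few flags that are not defaults but that
-# users commonly want.
-#
-# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
-#
-require_relative "../lib/autosign"
-@fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures'))
-
-RSpec.configure do |config|
-# rspec-expectations config goes here. You can use an alternate
-# assertion/expectation library such as wrong or the stdlib/minitest
-# assertions if you prefer.
-config.expect_with :rspec do |expectations|
-# This option will default to `true` in RSpec 4. It makes the `description`
-# and `failure_message` of custom matchers include text for helper methods
-# defined using `chain`, e.g.:
-# be_bigger_than(2).and_smaller_than(4).description
-# # => "be bigger than 2 and smaller than 4"
-# ...rather than:
-# # => "be bigger than 2"
-expectations.include_chain_clauses_in_custom_matcher_descriptions = true
-end
-
-# rspec-mocks config goes here. You can use an alternate test double
-# library (such as bogus or mocha) by changing the `mock_with` option here.
-config.mock_with :rspec do |mocks|
-# Prevents you from mocking or stubbing a method that does not exist on
-# a real object. This is generally recommended, and will default to
-# `true` in RSpec 4.
-mocks.verify_partial_doubles = true
-end
-
-# The settings below are suggested to provide a good initial experience
-# with RSpec, but feel free to customize to your heart's content.
-=begin
-# These two settings work together to allow you to limit a spec run
-# to individual examples or groups you care about by tagging them with
-# `:focus` metadata. When nothing is tagged with `:focus`, all examples
-# get run.
-config.filter_run :focus
-config.run_all_when_everything_filtered = true
-
-# Allows RSpec to persist some state between runs in order to support
-# the `--only-failures` and `--next-failure` CLI options. We recommend
-# you configure your source control system to ignore this file.
-config.example_status_persistence_file_path = "spec/examples.txt"
-
-# Limits the available syntax to the non-monkey patched syntax that is
-# recommended. For more details, see:
-# - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
-# - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
-# - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
-config.disable_monkey_patching!
-
-# This setting enables warnings. It's recommended, but in some cases may
-# be too noisy due to issues in dependencies.
-config.warnings = true
-
-# Many RSpec users commonly either run the entire suite or an individual
-# file, and it's useful to allow more verbose output when running an
-# individual spec file.
-if config.files_to_run.one?
-# Use the documentation formatter for detailed output,
-# unless a formatter has already been configured
-# (e.g. via a command-line flag).
-config.default_formatter = 'doc'
-end
-
-# Print the 10 slowest examples and example groups at the
-# end of the spec run, to help surface which specs are running
-# particularly slow.
-config.profile_examples = 10
-
-# Run specs in random order to surface order dependencies. If you find an
-# order dependency and want to debug it, you can fix the order by providing
-# the seed, which is printed after each run.
-# --seed 1234
-config.order = :random
-
-# Seed global randomization in this process using the `--seed` CLI option.
-# Setting this allows you to use `--seed` to deterministically reproduce
-# test failures related to randomization by passing the same `--seed` value
-# as the one that triggered the failure.
-Kernel.srand config.seed
-=end
-end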
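--- a/data/spec/specs/config_spec.rb
+++ b/data/spec/specs/config_spec.rb
@@ -1,20 +0,0 @@
-require 'spec_helper'
-
-context Autosign::Config do
-describe 'basic use case' do
-let(:settings) { {} }
-let(:config) { Autosign::Config.new }
-it 'accepts a hash as the parameter' do
-expect { Autosign::Config.new(settings) }.to_not raise_error
-end
-it 'Returns hash' do
-expect(config.settings).to be_a(Hash)
-end
-it 'Settings contains general section' do
-expect(config.settings).to include(
-'general' => be_a(Hash)
-)
-end
-
-end
-end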
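--- a/data/spec/specs/decoder_spec.rb
+++ b/data/spec/specs/decoder_spec.rb
@@ -1,16 +0,0 @@
-require 'spec_helper'
-
-context Autosign::Decoder do
-describe '.decode_csr' do
-let(:csr) { File.read(File.join('fixtures', 'i-7672fe81.pem')) }
-it 'Accepts a CSR as the parameter' do
-expect { Autosign::Decoder.decode_csr(csr) }.to_not raise_error
-end
-it 'Extracts the challenge_password and common_name from a CSR' do
-expect(Autosign::Decoder.decode_csr(csr)).to eq({:challenge_password=>"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImktNzY3MmZlODFcIixcInJlcXVlc3RlclwiOlwiRGFuaWVscy1NYWNCb29rLVByby0yLmxvY2FsXCIsXCJyZXVzYWJsZVwiOmZhbHNlLFwidmFsaWRmb3JcIjoxNTc2ODAwMDAsXCJ1dWlkXCI6XCJlMzZkMzkyOS05NWVlLTQyNDQtOTIwZS00NmZiN2Y4MTU3ZDVcIn0iLCJleHAiOiIxNTk1MTc3NTc0In0.gfTpUPLGnxwtvfMH5C0ucWsXBqrhBD_HvCiNH_9zvhFafHMij_ng14K8F-MMLgQoDBloOJukjX8qcki5cFmKKg", :common_name=>"i-7672fe81"})
-end
-it 'Returns nil given an invalid CSR' do
-expect(Autosign::Decoder.decode_csr("not_a_csr")).to be_nil
-end
-end
-end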
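--- a/data/spec/specs/journal_spec.rb
+++ b/data/spec/specs/journal_spec.rb
@@ -1,41 +0,0 @@
-require 'spec_helper'
-require 'securerandom'
-
-context Autosign::Journal do
-let(:settings) { {'journalfile' => '/tmp/test.journal'} }
-let(:journal) { Autosign::Journal.new(settings) }
-let(:uuid) { SecureRandom.uuid }
-let(:validto) { Time.now.to_i + 900 }
-let(:data) { {'arbitrary_hey' => 'value'} }
-
-
-context 'class methods' do
-describe '.new' do
-it 'accepts a hash as the parameter' do
-expect { Autosign::Journal.new(settings) }.to_not raise_error
-end
-end
-end
-
-context 'instance methods' do
-describe '.add' do
-it 'Returns hash' do
-expect(journal.settings).to be_a(Hash)
-end
-it 'adds an entry to the journal with a data hash' do
-expect(journal.add(uuid, validto, data)).to be true
-end
-it 'adds an entry to the journal without a data hash' do
-expect(journal.add(uuid, validto)).to be true
-end
-it 'fail when adding two duplicate entries to the journal' do
-expect(journal.add(uuid, validto, data)).to be true
-expect(journal.add(uuid, validto, data)).to be false
-end
-it 'fail when adding an invalid UUID to the journal' do
-expect(journal.add('invalid' + uuid, validto, data)).to be false
-end
-end
-
-end
-end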
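--- a/data/spec/specs/token_spec.rb
+++ b/data/spec/specs/token_spec.rb
@@ -1,102 +0,0 @@
-require 'spec_helper'
-require 'securerandom'
-
-context Autosign::Token do
-let(:certname) { 'host.example.com' }
-let(:reusable) { false }
-let(:validfor) { rand(60..604800) }
-let(:requester) { 'Autosign::Token rspec_test' }
-let(:secret) { 'very_secret' }
-let(:token) { Autosign::Token.new(certname, reusable, validfor, requester, secret) }
-let(:reusable_token) { Autosign::Token.new(certname, true, validfor, requester, secret) }
-let(:signed_token) { token.sign }
-let(:wildcard_signed_token) { Autosign::Token.new('/.*\.example\.com/', reusable, validfor, requester, secret).sign }
-let(:expired_token) { Autosign::Token.new(certname, reusable, -1, requester, secret).sign }
-let(:reconstituted_token) { Autosign::Token.from_token(signed_token, secret) }
-
-
-context 'class methods' do
-describe '.new' do
-it 'accepts expected parameters' do
-expect { Autosign::Token.new(certname, reusable, validfor, requester, secret) }.to_not raise_error
-end
-end
-describe '.validate' do
-it 'validates a previously-generated token' do
-expect(Autosign::Token.validate(certname, signed_token, secret)).to be true
-end
-it 'validates a previously-generated wildcard token' do
-expect(Autosign::Token.validate(certname, wildcard_signed_token, secret)).to be true
-end
-it 'does not validate a previously-generated wildcard token when it does not match the hostname' do
-expect(Autosign::Token.validate('not_the_regex', wildcard_signed_token, secret)).to be false
-end
-it 'does not validate a token when the secret does not match' do
-expect(Autosign::Token.validate(certname, signed_token, 'wrong_secret')).to be false
-end
-it 'does not validate a token when the certname does not match' do
-expect(Autosign::Token.validate('wrong' + certname, signed_token, secret)).to be false
-end
-it 'does not validate an expired token' do
-expect(Autosign::Token.validate(certname, expired_token, secret)).to be false
-end
-end
-describe '.from_token' do
-it 'returns an Autosign::Token instance' do
-expect(Autosign::Token.from_token(signed_token, secret)).to be_a(Autosign::Token)
-end
-it 'has the same hash values as the original token' do
-expect(reconstituted_token.to_hash).to eq(token.to_hash)
-end
-end
-describe '.token_validto' do
-it 'returns an integer' do
-expect(Autosign::Token.token_validto(signed_token, secret)).to be_an(Integer)
-end
-it 'returns valid POSIX time' do
-expect(Time.at(Autosign::Token.token_validto(signed_token, secret))).to be_a(Time)
-end
-it 'returns time reasonable close to the current time' do
-expect(Time.at(Autosign::Token.token_validto(signed_token, secret)).between?(Time.now, Time.now + 604801)).to be true
-end
-end
-end
-
-context 'instance methods' do
-describe '.validto' do
-it 'returns an integer' do
-expect(token.validfor).to be_a(Integer)
-end
-it 'Returns validto time' do
-expect(token.validfor).to eq(validfor)
-end
-end
-describe '.reusable' do
-it 'returns the expected value' do
-expect(token.reusable).to be(reusable)
-expect(reusable_token.reusable).to be true
-end
-end
-describe '.to_hash' do
-it 'returns a hash' do
-expect(token.to_hash).to be_a(Hash)
-end
-it 'includes the expected certname, requester, reusable, validfor, and a uuid' do
-expect(token.to_hash).to include(
-"certname" => eq(certname),
-"requester" => eq(requester),
-"reusable" => eq(reusable),
-"validfor" => eq(validfor),
-"uuid" => be_a(String)
-)
-end
-end
-describe '.sign' do
-it 'returns a string' do
-expect(token.sign).to be_a(String)
-end
-end
-
-
-end
-end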