autosign 0.1.4 → 1.0.0

data/.travis.yml

@@ -4,10 +4,10 @@ before_install: rm Gemfile.lock || true
 cache: bundler
 sudo: false
 rvm:
-  - 2.0.0
-  - 2.1.5
-  - 2.2.2
-  - 2.3.0
+  - 2.4.10
+  - 2.5.8
+  - 2.6.6
+  - 2.7.1
 deploy:
   provider: rubygems
   api_key:

data/CHANGELOG.md

@@ -0,0 +1,53 @@
+# Augosign changelog
+
+## Unreleased
+
+## 1.0.0
+Released May 19, 2020 
+
+* (maint) print config in yaml format
+* (maint) Fix a cache bug where the settings were loaded multiple times
+* (maint) Fix a bug where the config overwrites settings
+* (maint) Fix bug with validation order
+* (maint) The autosign gem now requires the deep_merge gem 1.2.1
+* (maint) The require_all has been dropped and is no longer a dependency
+* (maint) Fix deprecation warnings with gemspec file
+* (maint) Objectify the validator classes
+* (maint) Fix a cache bug where the settings were loaded multiple times.
+    This was causing overzealous logging
+* (feat) Add an ordered validator list
+* (feat) Any validator should short circuit
+* (feat) Allow user to specify validation order
+
+This release removes support for ruby < 2.4.
+
+## 0.1.4
+Released Nov 25, 2019 
+
+### Bug fixes
+
+* Use multi_json to allow a variety of JSON engines to be used, which makes installation easier.
+* Read all of STDIN regardless of whether we’ll use it in order to avoid a bug in Java 8.
+* Change yard from a runtime dependency to a dev dependency.
+* Security updates for dependencies:
+* Bump ffi from 1.9.10 to 1.9.25
+* Bump yard from 0.9.12 to 0.9.20
+
+## 0.1.3
+Released Jan 24, 2018
+
+### Bug fixes
+
+* Fix config file path; the latest version of puppet-autosign creates config files in /etc/puppetlabs/puppetserver/autosign.conf but we weren't checking there
+* @reidmv fixed a bug where the decoder would error when presented with a csr with no challengePassword
+* added an Apache license to be explicit about how the code is licensed. Did check with all contributors first.
+
+## 0.1.1
+Released Oct 30, 2015
+
+* bump version to 0.1.1 to fix safe_yaml issue
+
+## 0.0.6 
+Released Jul 15, 2015
+
+* add autosign-validator executable to gem

data/Gemfile.lock

@@ -1,28 +1,29 @@
 PATH
   remote: .
   specs:
-    autosign (0.1.4)
-      deep_merge (~> 1)
+    autosign (1.0.0)
+      deep_merge (~> 1.2)
       gli (~> 2)
       iniparse (~> 1)
       jwt (~> 1)
       logging (~> 2)
       multi_json (>= 1)
-      require_all (~> 1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aruba (0.14.12)
+    aruba (0.14.14)
       childprocess (>= 0.6.3, < 4.0.0)
       contracts (~> 0.9)
       cucumber (>= 1.3.19)
       ffi (~> 1.9)
       rspec-expectations (>= 2.99)
-      thor (~> 0.19)
-    builder (3.2.3)
+      thor (>= 0.19, < 2.0)
+    ast (2.4.0)
+    builder (3.2.4)
     childprocess (3.0.0)
     coderay (1.1.2)
+    concurrent-ruby (1.1.6)
     contracts (0.16.0)
     coveralls (0.8.23)
       json (>= 1.8, < 3)
@@ -44,56 +45,85 @@ GEM
     deep_merge (1.2.1)
     diff-lcs (1.3)
     docile (1.3.2)
-    facter (2.5.6)
-    ffi (1.11.2)
+    facter (4.0.21)
+      hocon (~> 1.3)
+      thor (>= 1.0.1, < 2.0)
+    fast_gettext (1.8.0)
+    ffi (1.12.2)
     gherkin (4.1.3)
     gli (2.19.0)
-    hiera (1.3.4)
-      json_pure
-    iniparse (1.4.4)
-    json (2.2.0)
-    json_pure (2.2.0)
+    hiera (3.6.0)
+    hocon (1.3.0)
+    httpclient (2.8.3)
+    iniparse (1.5.0)
+    json (2.3.0)
     jwt (1.5.6)
     little-plugger (1.1.4)
+    locale (2.1.3)
     logging (2.2.2)
       little-plugger (~> 1.1)
       multi_json (~> 1.10)
-    method_source (0.9.2)
+    method_source (1.0.0)
     multi_json (1.14.1)
     multi_test (0.1.2)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    puppet (3.8.7)
-      facter (> 1.6, < 3)
-      hiera (~> 1.0)
-      json_pure
-    rake (10.5.0)
+    parallel (1.19.1)
+    parser (2.7.1.2)
+      ast (~> 2.4.0)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    puppet (6.15.0)
+      concurrent-ruby (~> 1.0)
+      deep_merge (~> 1.0)
+      facter (> 2.0.1, < 5)
+      fast_gettext (~> 1.1)
+      hiera (>= 3.2.1, < 4)
+      httpclient (~> 2.8)
+      locale (~> 2.1)
+      multi_json (~> 1.10)
+      puppet-resource_api (~> 1.5)
+      semantic_puppet (~> 1.0)
+    puppet-resource_api (1.8.13)
+      hocon (>= 1.0)
+    rainbow (3.0.0)
+    rake (13.0.1)
     rdoc (4.3.0)
-    require_all (1.5.0)
+    rexml (3.2.4)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
       rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.0)
-      rspec-support (~> 3.9.0)
-    rspec-expectations (3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-support (3.9.0)
+    rspec-support (3.9.3)
+    rubocop (0.83.0)
+      parallel (~> 1.10)
+      parser (>= 2.7.0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      rexml
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    ruby-progressbar (1.10.1)
+    semantic_puppet (1.0.2)
     simplecov (0.16.1)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
+    sync (0.5.0)
     term-ansicolor (1.7.1)
       tins (~> 1.0)
-    thor (0.20.3)
-    tins (1.22.2)
-    yard (0.9.20)
+    thor (1.0.1)
+    tins (1.25.0)
+      sync
+    unicode-display_width (1.7.0)
+    yard (0.9.25)
 
 PLATFORMS
   ruby
@@ -101,14 +131,16 @@ PLATFORMS
 DEPENDENCIES
   aruba (~> 0.6)
   autosign!
+  bundler (~> 2.0)
   coveralls
   cucumber (~> 2)
   pry (~> 0.10)
-  puppet (~> 3)
-  rake (~> 10)
+  puppet (~> 6)
+  rake (~> 13)
   rdoc (~> 4)
   rspec (~> 3)
+  rubocop (~> 0.83.0)
   yard (~> 0.9.11)
 
 BUNDLED WITH
-   1.17.3
+   2.1.4

data/README.md

@@ -81,6 +81,42 @@ password_list:
 
 Note that this is a relatively insecure way to do certificate autosigning. Using one-time tokens via the `autosign generate` command is more secure. This functionality is provided to grandfather in existing use cases to ease the transition.
 
+## Validation order
+By default the validation runs the following validators in order: 
+
+1. jwt_token
+2. password_list
+3. multiplexer
+
+The first validator to succeed wins and short circuits the validaiton process.
+
+You can completely customize the list and how they are ordered via the configuration file.  Or even remove some entirely.
+
+```
+---
+general:
+  loglevel: debug
+  logfile: "/var/log/autosign.log"
+  validation_order: 
+    - jwt_token
+    - multiplexer
+    - password_list
+jwt_token:
+  secret: J7/WjmkC/CJp2K0/8+sktzSgCqQ=
+  validity: '7200'
+  journalfile: "/root/var/autosign/autosign.journal"
+```
+
+The validation_order config is an ordered array and since the validators will only match the first validation
+to succeed the validation script should occur as fast as you want.  
+
+Additionally, if you omit any validator that validator will not be used during the validation process.  This might 
+be important if you wanted to only use special validators or remove unwanted validator execution.
+
+Please note, the name of the validator which is speficed by the `NAME` constant in the validator code must match
+the list you specify otherwise it will not be part of the validation process.
+
+**NOTE** To use this feature you must have deep_merge 1.2.1+ installed which is now a requirement of this gem.
 
 ### Troubleshooting
 If you're having problems, try the following:
@@ -90,6 +126,7 @@ If you're having problems, try the following:
 - you can manually trigger the autosigning script with something like `cat the_csr.csr | autosign-validator certname.example.com`
 - If you run the puppet master foregrounded, you'll see quite a bit of autosign script output if autosign loglevel is set to debug.
 
+Starting with the 1.0.0 release the autosign gem requires ruby 2.4.  If you can't upgrade just yet you can continue to use the older 0.1.4 release.
 
 ### Further Reading
 

data/Rakefile

@@ -1,32 +1,32 @@
+# encoding: utf-8
+# frozen_string_literal: true
+
 require 'rubygems'
-begin
-  require 'rspec/core/rake_task'
-  require 'cucumber'
-  require 'cucumber/rake/task'
-  require 'rdoc/task'
-  RSpec::Core::RakeTask.new(:spec) do |t|
-    t.rspec_opts = '--format documentation'
-  end
-rescue LoadError
-end
+require 'bundler'
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+require 'rspec/core/rake_task'
+require 'cucumber'
+require 'cucumber/rake/task'
+require 'rdoc/task'
 require 'rake/clean'
-require 'rubygems/package_task'
-Rake::RDocTask.new do |rd|
-  rd.main = "README.rdoc"
-  rd.rdoc_files.include("README.rdoc","lib/**/*.rb","bin/**/*")
-  rd.title = 'Your application title'
-end
 
-spec = eval(File.read('autosign.gemspec'))
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.rspec_opts = '--format documentation'
+end
 
-Gem::PackageTask.new(spec) do |pkg|
+Rake::RDocTask.new do |rd|
+  rd.main = 'README.rdoc'
+  rd.rdoc_files.include('README.rdoc', 'lib/**/*.rb', 'bin/**/*')
+  rd.title = 'Autosign'
 end
-CUKE_RESULTS = 'results.html'
+
+CUKE_RESULTS = 'results.html'.freeze
 CLEAN << CUKE_RESULTS
 desc 'Run features'
 
 Cucumber::Rake::Task.new(:features) do |t|
-  t.cucumber_opts = "features --format pretty"
+  t.cucumber_opts = 'features --format pretty'
 end
 
 desc 'Run features tagged as work-in-progress (@wip)'
@@ -41,10 +41,10 @@ task 'cucumber:wip' => 'features:wip'
 task :wip => 'features:wip'
 require 'rake/testtask'
 Rake::TestTask.new do |t|
-  t.libs << "test"
+  t.libs << 'test'
   t.test_files = FileList['test/*_test.rb']
 end
 
 task :ci => [:spec, :features]
 
-task :default => [:test,:features]
+task :default => [:test, :features]

data/autosign.gemspec

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 # Ensure we require the local version and not one we might have installed already
-require File.join([File.dirname(__FILE__),'lib','autosign','version.rb'])
-spec = Gem::Specification.new do |s| 
+require File.join([__dir__, 'lib', 'autosign', 'version.rb'])
+spec = Gem::Specification.new do |s|
   s.name = 'autosign'
   s.version = Autosign::VERSION
   s.author = 'Daniel Dreier'
@@ -8,28 +10,31 @@ spec = Gem::Specification.new do |s|
   s.homepage = 'https://github.com/danieldreier/autosign'
   s.platform = Gem::Platform::RUBY
   s.summary = 'Tooling to make puppet autosigning easy, secure, and extensible'
-  s.files = `git ls-files`.split("
-")
+  s.files   = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|features|fixtures)/}) }
+  s.required_ruby_version = '>= 2.4'
   s.require_paths << 'lib'
-  s.has_rdoc = false
-  s.rdoc_options << '--title' << 'autosign' << '--main' << 'README.rdoc' << '-ri'
+  s.extra_rdoc_files = [
+    'CHANGELOG.md',
+    'LICENSE',
+    'README.md'
+  ]
   s.bindir = 'bin'
-  s.executables << 'autosign'
-  s.executables << 'autosign-validator'
-  s.add_development_dependency('rake', '~> 10')
-  s.add_development_dependency('rdoc', '~> 4')
+  s.executables = ['autosign', 'autosign-validator']
   s.add_development_dependency('aruba', '~> 0.6')
-  s.add_development_dependency('cucumber', '~> 2')
-  s.add_development_dependency('puppet', '~> 3')
-  s.add_development_dependency('rspec', '~> 3')
   s.add_development_dependency('coveralls')
+  s.add_development_dependency('cucumber', '~> 2')
   s.add_development_dependency('pry', '~> 0.10')
+  s.add_development_dependency('puppet', '~> 6')
+  s.add_development_dependency('rake', '~> 13')
+  s.add_development_dependency('rdoc', '~> 4')
+  s.add_development_dependency('rspec', '~> 3')
+  s.add_development_dependency('rubocop', '~> 0.83.0')
   s.add_development_dependency('yard', '~> 0.9.11')
-  s.add_runtime_dependency('gli','~> 2')
-  s.add_runtime_dependency('jwt','~> 1')
-  s.add_runtime_dependency('iniparse','~> 1')
+  s.add_development_dependency('bundler', '~> 2.0')
+  s.add_runtime_dependency('deep_merge', '~> 1.2')
+  s.add_runtime_dependency('gli', '~> 2')
+  s.add_runtime_dependency('iniparse', '~> 1')
+  s.add_runtime_dependency('jwt', '~> 1')
   s.add_runtime_dependency('logging', '~> 2')
   s.add_runtime_dependency('multi_json', '>=1')
-  s.add_runtime_dependency('deep_merge', '~> 1')
-  s.add_runtime_dependency('require_all', '~> 1')
 end

data/bin/autosign

@@ -52,8 +52,9 @@ command :generate do |c|
 
   c.action do |global_options,options,args|
     config = Autosign::Config.new({'config_file' => global_options['config']})
-    global_options['secret'] = config.settings['jwt_token']['secret'] if global_options['secret'].nil?
-    options['validfor'] = config.settings.to_hash['jwt_token']['validity'].to_s if options['validfor'] == '7200'
+    config_settings = config.settings
+    global_options['secret'] = config_settings['jwt_token']['secret'] if global_options['secret'].nil?
+    options['validfor'] = config_settings.to_hash['jwt_token']['validity'].to_s if options['validfor'] == '7200'
     @logger.debug "validfor: " + options['validfor']
     help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
     help_now!('certname is required as argument') if args[0].nil?
@@ -87,8 +88,9 @@ command :validate do |c|
 
   c.action do |global_options,options,args|
     config = Autosign::Config.new({'config_file' => global_options['config']})
-    puts config.settings.to_hash['jwt_token']
-    global_options['secret'] = config.settings['jwt_token']['secret'] if global_options['secret'].nil?
+    config_settings = config.settings
+    puts config_settings.to_hash['jwt_token']
+    global_options['secret'] = config_settings['jwt_token']['secret'] if global_options['secret'].nil?
 
     help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
     help_now!('certname is required') if options['certname'].nil?
@@ -122,7 +124,8 @@ command :config do |c|
     print.action do |global_options,options,args|
       @logger.debug "print command ran with #{global_options} #{options} #{args}"
       config = Autosign::Config.new({'config_file' => global_options['config']})
-      puts config.settings.to_s
+      require 'yaml'
+      puts config.settings.to_yaml
     end
   end
 
@@ -135,7 +138,8 @@ pre do |global,command,options,args|
   # Use skips_pre before a command to skip this block
   # on that command only
   config = Autosign::Config.new
-  @logger.level = config.settings.to_hash['general']['loglevel'].to_sym unless config.settings.to_hash['general']['loglevel'].nil?
+  config_settings = config.settings
+  @logger.level = config_settings.to_hash['general']['loglevel'].to_sym unless config_settings.to_hash['general']['loglevel'].nil?
 
   @logger.level = :error if global['quiet']
   @logger.level = :info if global['verbose']