autosign 0.1.4 → 1.0.0
- checksums.yaml +4 -4
- data/.rubocop.yml +12 -0
- data/.rubocop_todo.yml +659 -0
- data/.travis.yml +4 -4
- data/CHANGELOG.md +53 -0
- data/Gemfile.lock +66 -34
- data/README.md +37 -0
- data/Rakefile +22 -22
- data/autosign.gemspec +23 -18
- data/bin/autosign +10 -6
- data/bin/autosign-validator +5 -5
- data/lib/autosign/config.rb +66 -52
- data/lib/autosign/validator.rb +33 -196
- data/lib/autosign/{validators → validator}/jwt.rb +41 -42
- data/lib/autosign/{validators → validator}/multiplexer.rb +24 -32
- data/lib/autosign/{validators → validator}/passwordlist.rb +16 -17
- data/lib/autosign/validator/validator_base.rb +168 -0
- data/lib/autosign/version.rb +1 -1
- metadata +78 -75
- data/features/autosign.feature +0 -93
- data/features/step_definitions/autosign_steps.rb +0 -44
- data/features/support/env.rb +0 -17
- data/features/validate.feature +0 -22
- data/fixtures/i-7672fe81.pem +0 -34
- data/spec/spec_helper.rb +0 -102
- data/spec/specs/config_spec.rb +0 -20
- data/spec/specs/decoder_spec.rb +0 -24
- data/spec/specs/journal_spec.rb +0 -41
- data/spec/specs/token_spec.rb +0 -102
- data/spec/specs/validators/jwt_spec.rb +0 -69
- data/spec/specs/validators/passwordlist_spec.rb +0 -51
data/.travis.yml
CHANGED
data/CHANGELOG.md
ADDED
@@ -0,0 +1,53 @@
|
|
1
|
+
# Augosign changelog
|
2
|
+
|
3
|
+
## Unreleased
|
4
|
+
|
5
|
+
## 1.0.0
|
6
|
+
Released May 19, 2020
|
7
|
+
|
8
|
+
* (maint) print config in yaml format
|
9
|
+
* (maint) Fix a cache bug where the settings were loaded multiple times
|
10
|
+
* (maint) Fix a bug where the config overwrites settings
|
11
|
+
* (maint) Fix bug with validation order
|
12
|
+
* (maint) The autosign gem now requires the deep_merge gem 1.2.1
|
13
|
+
* (maint) The require_all has been dropped and is no longer a dependency
|
14
|
+
* (maint) Fix deprecation warnings with gemspec file
|
15
|
+
* (maint) Objectify the validator classes
|
16
|
+
* (maint) Fix a cache bug where the settings were loaded multiple times.
|
17
|
+
This was causing overzealous logging
|
18
|
+
* (feat) Add an ordered validator list
|
19
|
+
* (feat) Any validator should short circuit
|
20
|
+
* (feat) Allow user to specify validation order
|
21
|
+
|
22
|
+
This release removes support for ruby < 2.4.
|
23
|
+
|
24
|
+
## 0.1.4
|
25
|
+
Released Nov 25, 2019
|
26
|
+
|
27
|
+
### Bug fixes
|
28
|
+
|
29
|
+
* Use multi_json to allow a variety of JSON engines to be used, which makes installation easier.
|
30
|
+
* Read all of STDIN regardless of whether we’ll use it in order to avoid a bug in Java 8.
|
31
|
+
* Change yard from a runtime dependency to a dev dependency.
|
32
|
+
* Security updates for dependencies:
|
33
|
+
* Bump ffi from 1.9.10 to 1.9.25
|
34
|
+
* Bump yard from 0.9.12 to 0.9.20
|
35
|
+
|
36
|
+
## 0.1.3
|
37
|
+
Released Jan 24, 2018
|
38
|
+
|
39
|
+
### Bug fixes
|
40
|
+
|
41
|
+
* Fix config file path; the latest version of puppet-autosign creates config files in /etc/puppetlabs/puppetserver/autosign.conf but we weren't checking there
|
42
|
+
* @reidmv fixed a bug where the decoder would error when presented with a csr with no challengePassword
|
43
|
+
* added an Apache license to be explicit about how the code is licensed. Did check with all contributors first.
|
44
|
+
|
45
|
+
## 0.1.1
|
46
|
+
Released Oct 30, 2015
|
47
|
+
|
48
|
+
* bump version to 0.1.1 to fix safe_yaml issue
|
49
|
+
|
50
|
+
## 0.0.6
|
51
|
+
Released Jul 15, 2015
|
52
|
+
|
53
|
+
* add autosign-validator executable to gem
|
data/Gemfile.lock
CHANGED
@@ -1,28 +1,29 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
autosign (0.
|
5
|
-
deep_merge (~> 1)
|
4
|
+
autosign (1.0.0)
|
5
|
+
deep_merge (~> 1.2)
|
6
6
|
gli (~> 2)
|
7
7
|
iniparse (~> 1)
|
8
8
|
jwt (~> 1)
|
9
9
|
logging (~> 2)
|
10
10
|
multi_json (>= 1)
|
11
|
-
require_all (~> 1)
|
12
11
|
|
13
12
|
GEM
|
14
13
|
remote: https://rubygems.org/
|
15
14
|
specs:
|
16
|
-
aruba (0.14.
|
15
|
+
aruba (0.14.14)
|
17
16
|
childprocess (>= 0.6.3, < 4.0.0)
|
18
17
|
contracts (~> 0.9)
|
19
18
|
cucumber (>= 1.3.19)
|
20
19
|
ffi (~> 1.9)
|
21
20
|
rspec-expectations (>= 2.99)
|
22
|
-
thor (
|
23
|
-
|
21
|
+
thor (>= 0.19, < 2.0)
|
22
|
+
ast (2.4.0)
|
23
|
+
builder (3.2.4)
|
24
24
|
childprocess (3.0.0)
|
25
25
|
coderay (1.1.2)
|
26
|
+
concurrent-ruby (1.1.6)
|
26
27
|
contracts (0.16.0)
|
27
28
|
coveralls (0.8.23)
|
28
29
|
json (>= 1.8, < 3)
|
@@ -44,56 +45,85 @@ GEM
|
|
44
45
|
deep_merge (1.2.1)
|
45
46
|
diff-lcs (1.3)
|
46
47
|
docile (1.3.2)
|
47
|
-
facter (
|
48
|
-
|
48
|
+
facter (4.0.21)
|
49
|
+
hocon (~> 1.3)
|
50
|
+
thor (>= 1.0.1, < 2.0)
|
51
|
+
fast_gettext (1.8.0)
|
52
|
+
ffi (1.12.2)
|
49
53
|
gherkin (4.1.3)
|
50
54
|
gli (2.19.0)
|
51
|
-
hiera (
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
55
|
+
hiera (3.6.0)
|
56
|
+
hocon (1.3.0)
|
57
|
+
httpclient (2.8.3)
|
58
|
+
iniparse (1.5.0)
|
59
|
+
json (2.3.0)
|
56
60
|
jwt (1.5.6)
|
57
61
|
little-plugger (1.1.4)
|
62
|
+
locale (2.1.3)
|
58
63
|
logging (2.2.2)
|
59
64
|
little-plugger (~> 1.1)
|
60
65
|
multi_json (~> 1.10)
|
61
|
-
method_source (0.
|
66
|
+
method_source (1.0.0)
|
62
67
|
multi_json (1.14.1)
|
63
68
|
multi_test (0.1.2)
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
69
|
+
parallel (1.19.1)
|
70
|
+
parser (2.7.1.2)
|
71
|
+
ast (~> 2.4.0)
|
72
|
+
pry (0.13.1)
|
73
|
+
coderay (~> 1.1)
|
74
|
+
method_source (~> 1.0)
|
75
|
+
puppet (6.15.0)
|
76
|
+
concurrent-ruby (~> 1.0)
|
77
|
+
deep_merge (~> 1.0)
|
78
|
+
facter (> 2.0.1, < 5)
|
79
|
+
fast_gettext (~> 1.1)
|
80
|
+
hiera (>= 3.2.1, < 4)
|
81
|
+
httpclient (~> 2.8)
|
82
|
+
locale (~> 2.1)
|
83
|
+
multi_json (~> 1.10)
|
84
|
+
puppet-resource_api (~> 1.5)
|
85
|
+
semantic_puppet (~> 1.0)
|
86
|
+
puppet-resource_api (1.8.13)
|
87
|
+
hocon (>= 1.0)
|
88
|
+
rainbow (3.0.0)
|
89
|
+
rake (13.0.1)
|
72
90
|
rdoc (4.3.0)
|
73
|
-
|
91
|
+
rexml (3.2.4)
|
74
92
|
rspec (3.9.0)
|
75
93
|
rspec-core (~> 3.9.0)
|
76
94
|
rspec-expectations (~> 3.9.0)
|
77
95
|
rspec-mocks (~> 3.9.0)
|
78
|
-
rspec-core (3.9.
|
79
|
-
rspec-support (~> 3.9.
|
80
|
-
rspec-expectations (3.9.
|
96
|
+
rspec-core (3.9.2)
|
97
|
+
rspec-support (~> 3.9.3)
|
98
|
+
rspec-expectations (3.9.2)
|
81
99
|
diff-lcs (>= 1.2.0, < 2.0)
|
82
100
|
rspec-support (~> 3.9.0)
|
83
|
-
rspec-mocks (3.9.
|
101
|
+
rspec-mocks (3.9.1)
|
84
102
|
diff-lcs (>= 1.2.0, < 2.0)
|
85
103
|
rspec-support (~> 3.9.0)
|
86
|
-
rspec-support (3.9.
|
104
|
+
rspec-support (3.9.3)
|
105
|
+
rubocop (0.83.0)
|
106
|
+
parallel (~> 1.10)
|
107
|
+
parser (>= 2.7.0.1)
|
108
|
+
rainbow (>= 2.2.2, < 4.0)
|
109
|
+
rexml
|
110
|
+
ruby-progressbar (~> 1.7)
|
111
|
+
unicode-display_width (>= 1.4.0, < 2.0)
|
112
|
+
ruby-progressbar (1.10.1)
|
113
|
+
semantic_puppet (1.0.2)
|
87
114
|
simplecov (0.16.1)
|
88
115
|
docile (~> 1.1)
|
89
116
|
json (>= 1.8, < 3)
|
90
117
|
simplecov-html (~> 0.10.0)
|
91
118
|
simplecov-html (0.10.2)
|
119
|
+
sync (0.5.0)
|
92
120
|
term-ansicolor (1.7.1)
|
93
121
|
tins (~> 1.0)
|
94
|
-
thor (0.
|
95
|
-
tins (1.
|
96
|
-
|
122
|
+
thor (1.0.1)
|
123
|
+
tins (1.25.0)
|
124
|
+
sync
|
125
|
+
unicode-display_width (1.7.0)
|
126
|
+
yard (0.9.25)
|
97
127
|
|
98
128
|
PLATFORMS
|
99
129
|
ruby
|
@@ -101,14 +131,16 @@ PLATFORMS
|
|
101
131
|
DEPENDENCIES
|
102
132
|
aruba (~> 0.6)
|
103
133
|
autosign!
|
134
|
+
bundler (~> 2.0)
|
104
135
|
coveralls
|
105
136
|
cucumber (~> 2)
|
106
137
|
pry (~> 0.10)
|
107
|
-
puppet (~>
|
108
|
-
rake (~>
|
138
|
+
puppet (~> 6)
|
139
|
+
rake (~> 13)
|
109
140
|
rdoc (~> 4)
|
110
141
|
rspec (~> 3)
|
142
|
+
rubocop (~> 0.83.0)
|
111
143
|
yard (~> 0.9.11)
|
112
144
|
|
113
145
|
BUNDLED WITH
|
114
|
-
1.
|
146
|
+
2.1.4
|
data/README.md
CHANGED
@@ -81,6 +81,42 @@ password_list:
|
|
81
81
|
|
82
82
|
Note that this is a relatively insecure way to do certificate autosigning. Using one-time tokens via the `autosign generate` command is more secure. This functionality is provided to grandfather in existing use cases to ease the transition.
|
83
83
|
|
84
|
+
## Validation order
|
85
|
+
By default the validation runs the following validators in order:
|
86
|
+
|
87
|
+
1. jwt_token
|
88
|
+
2. password_list
|
89
|
+
3. multiplexer
|
90
|
+
|
91
|
+
The first validator to succeed wins and short circuits the validaiton process.
|
92
|
+
|
93
|
+
You can completely customize the list and how they are ordered via the configuration file. Or even remove some entirely.
|
94
|
+
|
95
|
+
```
|
96
|
+
---
|
97
|
+
general:
|
98
|
+
loglevel: debug
|
99
|
+
logfile: "/var/log/autosign.log"
|
100
|
+
validation_order:
|
101
|
+
- jwt_token
|
102
|
+
- multiplexer
|
103
|
+
- password_list
|
104
|
+
jwt_token:
|
105
|
+
secret: J7/WjmkC/CJp2K0/8+sktzSgCqQ=
|
106
|
+
validity: '7200'
|
107
|
+
journalfile: "/root/var/autosign/autosign.journal"
|
108
|
+
```
|
109
|
+
|
110
|
+
The validation_order config is an ordered array and since the validators will only match the first validation
|
111
|
+
to succeed the validation script should occur as fast as you want.
|
112
|
+
|
113
|
+
Additionally, if you omit any validator that validator will not be used during the validation process. This might
|
114
|
+
be important if you wanted to only use special validators or remove unwanted validator execution.
|
115
|
+
|
116
|
+
Please note, the name of the validator which is speficed by the `NAME` constant in the validator code must match
|
117
|
+
the list you specify otherwise it will not be part of the validation process.
|
118
|
+
|
119
|
+
**NOTE** To use this feature you must have deep_merge 1.2.1+ installed which is now a requirement of this gem.
|
84
120
|
|
85
121
|
### Troubleshooting
|
86
122
|
If you're having problems, try the following:
|
@@ -90,6 +126,7 @@ If you're having problems, try the following:
|
|
90
126
|
- you can manually trigger the autosigning script with something like `cat the_csr.csr | autosign-validator certname.example.com`
|
91
127
|
- If you run the puppet master foregrounded, you'll see quite a bit of autosign script output if autosign loglevel is set to debug.
|
92
128
|
|
129
|
+
Starting with the 1.0.0 release the autosign gem requires ruby 2.4. If you can't upgrade just yet you can continue to use the older 0.1.4 release.
|
93
130
|
|
94
131
|
### Further Reading
|
95
132
|
|
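--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,32 +1,32 @@
+# encoding: utf-8
+# frozen_string_literal: true
+
 require 'rubygems'
-
-
-
-
-
-
-
-end
-rescue LoadError
-end
+require 'bundler'
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+require 'rspec/core/rake_task'
+require 'cucumber'
+require 'cucumber/rake/task'
+require 'rdoc/task'
 require 'rake/clean'
-require 'rubygems/package_task'
-Rake::RDocTask.new do |rd|
-rd.main = "README.rdoc"
-rd.rdoc_files.include("README.rdoc","lib/**/*.rb","bin/**/*")
-rd.title = 'Your application title'
-end
 
-spec
+RSpec::Core::RakeTask.new(:spec) do |t|
+t.rspec_opts = '--format documentation'
+end
 
-
+Rake::RDocTask.new do |rd|
+rd.main = 'README.rdoc'
+rd.rdoc_files.include('README.rdoc', 'lib/**/*.rb', 'bin/**/*')
+rd.title = 'Autosign'
 end
-
+
+CUKE_RESULTS = 'results.html'.freeze
 CLEAN << CUKE_RESULTS
 desc 'Run features'
 
 Cucumber::Rake::Task.new(:features) do |t|
-t.cucumber_opts =
+t.cucumber_opts = 'features --format pretty'
 end
 
 desc 'Run features tagged as work-in-progress (@wip)'
@@ -41,10 +41,10 @@ task 'cucumber:wip' => 'features:wip'
 task :wip => 'features:wip'
 require 'rake/testtask'
 Rake::TestTask.new do |t|
-t.libs <<
+t.libs << 'test'
 t.test_files = FileList['test/*_test.rb']
 end
 
 task :ci => [:spec, :features]
 
-task :default => [:test
+task :default => [:test, :features]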
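--- a/data/autosign.gemspec
+++ b/data/autosign.gemspec
@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 # Ensure we require the local version and not one we might have installed already
-require File.join([
-spec = Gem::Specification.new do |s|
+require File.join([__dir__, 'lib', 'autosign', 'version.rb'])
+spec = Gem::Specification.new do |s|
 s.name = 'autosign'
 s.version = Autosign::VERSION
 s.author = 'Daniel Dreier'
@@ -8,28 +10,31 @@ spec = Gem::Specification.new do |s|
 s.homepage = 'https://github.com/danieldreier/autosign'
 s.platform = Gem::Platform::RUBY
 s.summary = 'Tooling to make puppet autosigning easy, secure, and extensible'
-s.files
-
+s.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|features|fixtures)/}) }
+s.required_ruby_version = '>= 2.4'
 s.require_paths << 'lib'
-s.
-
+s.extra_rdoc_files = [
+'CHANGELOG.md',
+'LICENSE',
+'README.md'
+]
 s.bindir = 'bin'
-s.executables
-s.executables << 'autosign-validator'
-s.add_development_dependency('rake', '~> 10')
-s.add_development_dependency('rdoc', '~> 4')
+s.executables = ['autosign', 'autosign-validator']
 s.add_development_dependency('aruba', '~> 0.6')
-s.add_development_dependency('cucumber', '~> 2')
-s.add_development_dependency('puppet', '~> 3')
-s.add_development_dependency('rspec', '~> 3')
 s.add_development_dependency('coveralls')
+s.add_development_dependency('cucumber', '~> 2')
 s.add_development_dependency('pry', '~> 0.10')
+s.add_development_dependency('puppet', '~> 6')
+s.add_development_dependency('rake', '~> 13')
+s.add_development_dependency('rdoc', '~> 4')
+s.add_development_dependency('rspec', '~> 3')
+s.add_development_dependency('rubocop', '~> 0.83.0')
 s.add_development_dependency('yard', '~> 0.9.11')
-s.
-s.add_runtime_dependency('
-s.add_runtime_dependency('
+s.add_development_dependency('bundler', '~> 2.0')
+s.add_runtime_dependency('deep_merge', '~> 1.2')
+s.add_runtime_dependency('gli', '~> 2')
+s.add_runtime_dependency('iniparse', '~> 1')
+s.add_runtime_dependency('jwt', '~> 1')
 s.add_runtime_dependency('logging', '~> 2')
 s.add_runtime_dependency('multi_json', '>=1')
-s.add_runtime_dependency('deep_merge', '~> 1')
-s.add_runtime_dependency('require_all', '~> 1')
 end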
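--- a/data/bin/autosign
+++ b/data/bin/autosign
@@ -52,8 +52,9 @@ command :generate do |c|
 
 c.action do |global_options,options,args|
 config = Autosign::Config.new({'config_file' => global_options['config']})
-
-
+config_settings = config.settings
+global_options['secret'] = config_settings['jwt_token']['secret'] if global_options['secret'].nil?
+options['validfor'] = config_settings.to_hash['jwt_token']['validity'].to_s if options['validfor'] == '7200'
 @logger.debug "validfor: " + options['validfor']
 help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
 help_now!('certname is required as argument') if args[0].nil?
@@ -87,8 +88,9 @@ command :validate do |c|
 
 c.action do |global_options,options,args|
 config = Autosign::Config.new({'config_file' => global_options['config']})
-
-
+config_settings = config.settings
+puts config_settings.to_hash['jwt_token']
+global_options['secret'] = config_settings['jwt_token']['secret'] if global_options['secret'].nil?
 
 help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
 help_now!('certname is required') if options['certname'].nil?
@@ -122,7 +124,8 @@ command :config do |c|
 print.action do |global_options,options,args|
 @logger.debug "print command ran with #{global_options} #{options} #{args}"
 config = Autosign::Config.new({'config_file' => global_options['config']})
-
+require 'yaml'
+puts config.settings.to_yaml
 end
 end
 
@@ -135,7 +138,8 @@ pre do |global,command,options,args|
 # Use skips_pre before a command to skip this block
 # on that command only
 config = Autosign::Config.new
-
+config_settings = config.settings
+@logger.level = config_settings.to_hash['general']['loglevel'].to_sym unless config_settings.to_hash['general']['loglevel'].nil?
 
 @logger.level = :error if global['quiet']
 @logger.level = :info if global['verbose']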