autosign 0.1.4 → 1.0.0

data/bin/autosign-validator

@@ -13,14 +13,14 @@ raw_csr = $stdin.read
 @logger.add_appenders Logging.appenders.stdout
 
 # Load config and then add logfile as a log appender
-config = Autosign::Config.new
+config_settings = Autosign::Config.new.settings
 
-unless config.settings['general']['logfile'].nil?
+unless config_settings['general']['logfile'].nil?
   file_layout = Logging.layouts.pattern(:pattern => "%d %-5l -- %c : %m\n", :date_pattern => "%Y-%m-%dT%H:%M:%S.%s")
-  @logger.add_appenders Logging.appenders.file(config.settings['general']['logfile'], :layout => file_layout)
+  @logger.add_appenders Logging.appenders.file(config_settings['general']['logfile'], :layout => file_layout)
 end
 
-@logger.level = config.settings['general']['loglevel'].to_sym unless config.settings['general']['loglevel'].nil?
+@logger.level = config_settings['general']['loglevel'].to_sym unless config_settings['general']['loglevel'].nil?
 
 ### End logging initialization
 
@@ -41,7 +41,7 @@ exit 1 unless csr.is_a?(Hash)
 ### End Inputs
 
 ### validate token
-token_validation = Autosign::Validator.any_validator(csr[:challenge_password].to_s, certname.to_s, raw_csr)
+token_validation = Autosign::Validator.any_validator(csr[:challenge_password].to_s, certname.to_s, raw_csr, config_settings)
 ### end validation
 
 ### Exit with correct exit status

data/lib/autosign/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rbconfig'
 require 'securerandom'
 require 'deep_merge'
@@ -7,16 +9,16 @@ module Autosign
   # Exceptions namespace for Autosign class
   module Exceptions
     # Exception representing a general failure during validation
-    class Validation < Exception
+    class Validation < RuntimeError
     end
     # Exception representing a missing file during config validation
-    class NotFound < Exception
+    class NotFound < RuntimeError
     end
     # Exception representing a permissions error during config validation
-    class Permissions < Exception
+    class Permissions < RuntimeError
     end
     # Exception representing errors that Autosign does not know how to handle
-    class Error < Exception
+    class Error < RuntimeError
     end
   end
 
@@ -45,11 +47,16 @@ module Autosign
       @config_file_paths = ['/etc/puppetlabs/puppetserver/autosign.conf', '/etc/autosign.conf', '/usr/local/etc/autosign.conf']
 
       # HOME is unset when puppet runs, so we need to only use it if it's set
-      @config_file_paths << File.join(Dir.home, '.autosign.conf') unless ENV['HOME'].nil?
-      @config_file_paths = [ settings_param['config_file'] ] unless settings_param['config_file'].nil?
+      unless ENV['HOME'].nil?
+        @config_file_paths << File.join(Dir.home, '.autosign.conf')
+      end
+
+      unless settings_param['config_file'].nil?
+        @config_file_paths = [settings_param['config_file']]
+      end
 
       @settings = settings_param
-      @log.debug "Using merged settings hash: " + @settings.to_s
+      @log.debug 'Using merged settings hash: ' + @settings.to_s
     end
 
     # Return a merged settings hash of defaults, config file settings
@@ -57,11 +64,11 @@ module Autosign
     #
     # @return [Hash] deep merged settings hash
     def settings
-      @log.debug "merging settings"
+      @log.debug 'merging settings'
       setting_sources = [default_settings, configfile, @settings]
-      merged_settings = setting_sources.inject({}) { |merged, hash| merged.deep_merge!(hash) }
-      @log.debug "using merged settings: " + merged_settings.to_s
-      return merged_settings
+      merged_settings = setting_sources.inject({}) { |merged, hash| merged.deep_merge!(hash, {:overwrite_arrays => true}) }
+      @log.debug 'using merged settings: ' + merged_settings.to_s
+      merged_settings
     end
 
     private
@@ -78,12 +85,14 @@ module Autosign
     def default_settings
       { 'general' =>
         {
-          'loglevel'       => 'INFO',
+          'loglevel' => 'INFO',
+          'validation_order' => %w[
+            jwt_token password_list multiplexer
+          ]
         },
         'jwt_token' => {
           'validity' => 7200
-        }
-      }
+        } }
     end
 
     # Locate the configuration file, parse it from INI-format, and return
@@ -91,21 +100,21 @@ module Autosign
     #
     # @return [Hash] configuration settings loaded from INI file
     def configfile
-      @log.debug "Finding config file"
-      @config_file_paths.each { |file|
+      @log.debug 'Finding config file'
+      @config_file_paths.each do |file|
         @log.debug "Checking if file '#{file}' exists"
         if File.file?(file)
-          @log.debug "Reading config file from: " + file
+          @log.debug 'Reading config file from: ' + file
           config_file = File.read(file)
           parsed_config_file = YAML.load(config_file)
-          #parsed_config_file = IniParse.parse(config_file).to_hash
-          @log.debug "configuration read from config file: " + parsed_config_file.to_s
+          # parsed_config_file = IniParse.parse(config_file).to_hash
+          @log.debug 'configuration read from config file: ' + parsed_config_file.to_s
           return parsed_config_file if parsed_config_file.is_a?(Hash)
         else
           @log.debug "Configuration file '#{file}' not found"
         end
-      }
-      return {}
+      end
+      {}
     end
 
     # Validate configuration file
@@ -114,14 +123,14 @@ module Autosign
     # @param configfile [String] the absolute path of the config file to validate
     # @return [String] the absolute path of the config file
     def validate_config_file(configfile = location)
-      @log.debug "validating config file"
+      @log.debug 'validating config file'
       unless File.file?(configfile)
         @log.error "configuration file not found at: #{configfile}"
         raise Autosign::Exceptions::NotFound
       end
 
       # check if file is world-readable
-      if File.world_readable?(configfile) or File.world_writable?(configfile)
+      if File.world_readable?(configfile) || File.world_writable?(configfile)
         @log.error "configuration file #{configfile} is world-readable or world-writable, which is a security risk"
         raise Autosign::Exceptions::Permissions
       end
@@ -137,20 +146,20 @@ module Autosign
         case RbConfig::CONFIG['host_os']
         when /darwin|mac os/
           {
-            'logpath'     => File.join(Dir.home, 'autosign.log'),
-            'confpath'    => File.join(Dir.home, '.autosign.conf'),
+            'logpath' => File.join(Dir.home, 'autosign.log'),
+            'confpath' => File.join(Dir.home, '.autosign.conf'),
             'journalfile' => File.join(Dir.home, '.autosign.journal')
           }
         when /linux/
           {
-            'logpath'     => '/var/log/autosign.log',
-            'confpath'    => '/etc/autosign.conf',
+            'logpath' => '/var/log/autosign.log',
+            'confpath' => '/etc/autosign.conf',
             'journalfile' => File.join(Dir.home, '/var/autosign/autosign.journal')
           }
         when /bsd/
           {
-            'logpath'     => '/var/log/autosign.log',
-            'confpath'    => '/usr/local/etc/autosign.conf',
+            'logpath' => '/var/log/autosign.log',
+            'confpath' => '/usr/local/etc/autosign.conf',
             'journalfile' => File.join(Dir.home, '/var/autosign/autosign.journal')
           }
         else
@@ -161,36 +170,41 @@ module Autosign
       config = {
         'general' => {
           'loglevel' => 'warn',
-          'logfile' =>  os_defaults['logpath']
+          'logfile' => os_defaults['logpath'],
+          'validation_order' => %w[
+            jwt_token password_list multiplexer
+          ]
         },
         'jwt_token' => {
-          'secret' =>  SecureRandom.base64(20),
+          'secret' => SecureRandom.base64(20),
           'validity' => '7200',
           'journalfile' => os_defaults['journalfile']
         }
       }
 
-#      config = IniParse.gen do |doc|
-#        doc.section("general") do |general|
-#          general.option("loglevel", "warn")
-#          general.option("logfile", os_defaults['logpath'])
-#        end
-#        doc.section("jwt_token") do |jwt_token|
-#          jwt_token.option("secret", SecureRandom.base64(15))
-#          jwt_token.option("validity", 7200)
-#          jwt_token.option("journalfile", os_defaults['journalfile'])
-#        end
-#        doc.section("multiplexer") do |jwt_token|
-#          jwt_token.option(";external_policy_executable", '/usr/local/bin/some_autosign_executable')
-#          jwt_token.option(";external_policy_executable", '/usr/local/bin/another_autosign_executable')
-#        end
-#        doc.section("password_list") do |jwt_token|
-#          jwt_token.option(";password", 'static_autosign_password_here')
-#          jwt_token.option(";password", 'another_static_autosign_password')
-#        end
-#      end.to_ini
-      config_file=settings_param['config_file'] || os_defaults['confpath']
-      raise Autosign::Exceptions::Error, "file #{config_file} already exists, aborting" if File.file?(config_file)
+      #      config = IniParse.gen do |doc|
+      #        doc.section("general") do |general|
+      #          general.option("loglevel", "warn")
+      #          general.option("logfile", os_defaults['logpath'])
+      #        end
+      #        doc.section("jwt_token") do |jwt_token|
+      #          jwt_token.option("secret", SecureRandom.base64(15))
+      #          jwt_token.option("validity", 7200)
+      #          jwt_token.option("journalfile", os_defaults['journalfile'])
+      #        end
+      #        doc.section("multiplexer") do |jwt_token|
+      #          jwt_token.option(";external_policy_executable", '/usr/local/bin/some_autosign_executable')
+      #          jwt_token.option(";external_policy_executable", '/usr/local/bin/another_autosign_executable')
+      #        end
+      #        doc.section("password_list") do |jwt_token|
+      #          jwt_token.option(";password", 'static_autosign_password_here')
+      #          jwt_token.option(";password", 'another_static_autosign_password')
+      #        end
+      #      end.to_ini
+      config_file = settings_param['config_file'] || os_defaults['confpath']
+      if File.file?(config_file)
+        raise Autosign::Exceptions::Error, "file #{config_file} already exists, aborting"
+      end
       return config_file if File.write(config_file, config.to_yaml)
     end
   end

data/lib/autosign/validator.rb

@@ -1,221 +1,58 @@
+# frozen_string_literal: true
+
 require 'logging'
-require 'require_all'
 
 module Autosign
-  # Parent class for validation backends. Validators take the
-  # challenge_password and common name from a certificate signing request,
-  # and perform some action to determine whether the request is valid.
-  #
-  # Validators also get the raw X509 CSR in case the extracted information
-  # is insufficient for future, more powerful validators.
-  #
-  # All validators must inherit from this class, and must override several
-  # methods in order to function. At a minimum, the name and perform_validation
-  # methods must be implemented by child classes.
-  #
-  # @return [Autosign::Validator] instance of the Autosign::Validator class
-  class Validator
-    def initialize()
-      start_logging()
-      settings() # just run to validate settings
-      setup()
-      # call name to ensure that the class fails immediately if child classes
-      # do not implement it.
-      name()
-    end
-
-    # Name of the validator. This must be implemented by validators which
-    # inherit from the Autosign::Validator class. The name is used to identify
-    # the validator in friendly messages and to determine which configuration
-    # file section settings will be loaded from.
-    #
-    # @example set the name of a child class validator to "example"
-    #    module Autosign
-    #      module Validators
-    #        class Example < Autosign::Validator
-    #          def name
-    #           "example"
-    #          end
-    #        end
-    #      end
-    #    end
-    # @return [String] name of the validator. Do not use special characters.
-    def name
-      # override this after inheriting
-      # should return a string with no spaces
-      # this is the name used to reference the validator in config files
-      raise NotImplementedError
-    end
-
-    # define how a validator actually validates the request.
-    # This must be implemented by validators which inherit from the
-    # Autosign::Validator class.
-    #
-    # @param challenge_password [String] the challenge_password OID from the certificate signing request. The challenge_password field is the same setting as the "challengePassword" field in a `csr_attributes.yaml` file when the CSR is generated. In a request using a JSON web token, this would be the serialized token.
-    # @param certname [String] the common name being requested in the certificate signing request. Treat the certname as untrusted. This is user-submitted data that you must validate.
-    # @param raw_csr [String] the encoded X509 certificate signing request, as received by the autosign policy executable. This is provided as an optional extension point, but your validator may not need to use it.
-    # @return [True, False] return true if the certificate should be signed, and false if you cannot validate the request successfully.
-    def perform_validation(challenge_password, certname, raw_csr)
-      # override this after inheriting
-      # should return true to indicate success validating
-      # or false to indicate that the validator was unable to validate
-      raise NotImplementedError
-    end
-
-    # wrapper method that wraps input validation and logging around the perform_validation method.
-    # Do not override or use this class in child classes. This is the class that gets called
-    # on validator objects.
-    def validate(challenge_password, certname, raw_csr)
-      @log.debug "running validate"
-      fail unless challenge_password.is_a?(String)
-      fail unless certname.is_a?(String)
-
-      case perform_validation(challenge_password, certname, raw_csr)
-      when true
-        @log.debug "validated successfully"
-        @log.info  "Validated '#{certname}' using '#{name}' validator"
-        return true
-      when false
-        @log.debug "validation failed"
-        @log.debug "Unable to validate '#{certname}' using '#{name}' validator"
-        return false
-      else
-        @log.error "perform_validation returned a non-boolean result"
-        raise "perform_validation returned a non-boolean result"
+  module Validator
+    
+    # @return [Array] - A list of all the validator classes
+    # @param list [Array] - a list of validators to use, uses the settings list by default
+    # This returns a list of validators that were specified by the user and the exact
+    # order they want the validation to procede.
+    def self.validation_order(settings = Autosign::Config.new.settings, list = nil)
+      validation_order = list || settings['general']['validation_order']
+      # create a key pair where the key is the name of the validator and value is the class
+      validator_list = validator_classes.each_with_object({}) do |klass, acc|
+        acc[klass::NAME] = klass
+        acc
       end
+      # filter out validators that do not exist
+      order = validation_order.map { |v| validator_list.fetch(v, nil) }.compact
+      @log = Logging.logger[self.class]
+      @log.debug("Validator order: #{order.inspect}")
+      order
     end
 
+    # @summary
     # Class method to attempt validation of a request against all validators which inherit from this class.
     # The request is considered to be validated if any one validator succeeds.
+    # The first validator to pass shorts the validation process so other validators are not called.
     # @param challenge_password [String] the challenge_password OID from the certificate signing request
     # @param certname [String] the common name being requested in the certificate signing request
     # @param raw_csr [String] the encoded X509 certificate signing request, as received by the autosign policy executable
-    # @return [True, False] return true if the certificate should be signed, and false if it cannot be validated
-    def self.any_validator(challenge_password, certname, raw_csr)
+    # @return [Boolean] return true if the certificate should be signed, and false if it cannot be validated
+    def self.any_validator(challenge_password, certname, raw_csr, settings = Autosign::Config.new.settings)
       @log = Logging.logger[self.class]
-      # iterate over all known validators and attempt to validate using them
-      results_by_validator = {}
-      results = self.descendants.map {|c|
-        validator = c.new()
-        @log.debug "attempting to validate using #{validator.name}"
-        result = validator.validate(challenge_password, certname, raw_csr)
-        results_by_validator[validator.name] = result
-        @log.debug "result: #{result.to_s}"
-        result
-      }
-      @log.debug "validator results: " + results.to_s
-      @log.info "results by validator: " + results_by_validator.to_s
-      success = results.any?{|result| result == true}
-      if success
-        @log.info "successfully validated using one or more validators"
-        return true
+      # find the first validator that passes and return the class
+      validator = validation_order(settings).find { |c| c.new(settings).validate(challenge_password, certname, raw_csr) }
+      if validator
+        @log.info "Successfully validated using #{validator::NAME}"
+        true
       else
-        @log.info "unable to validate using any validator"
-        return false
+        @log.info 'unable to validate using any validator'
+        false
       end
     end
 
     private
 
-    # this is automatically called when the class is initialized; do not
-    # override it in child classes.
-    def start_logging
-      @log = Logging.logger[self.class]
-      @log.debug "starting autosign validator: " + self.name.to_s
-    end
-
-    # (optionally) override this method in validator child classes to perform any additional
-    # setup during class initialization prior to beginning validation.
-    # If you need to create a database connection, this would be a good place to do it.
-    # @return [True, False] return true if setup succeeded, or false if setup failed and the validation should not continue
-    def setup
-      true
-    end
-
     # Find other classes that inherit from this class.
     # Used to discover autosign validators. There is probably no reason to use
     # this directly.
     # @return [Array] of classes inheriting from Autosign::Validator
-    def self.descendants
-      ObjectSpace.each_object(Class).select { |klass| klass < self }
+    def self.validator_classes
+      validators = Dir.glob(File.join(__dir__, 'validator', '*')).sort.each {|k| require k }
+      ObjectSpace.each_object(Class).select { |klass| klass < Autosign::Validator::ValidatorBase }
     end
-
-    # provide a merged settings hash of default settings for a validator,
-    # config file settings for the validator, and override settings defined in
-    # the validator.
-    #
-    # Do not override this in child classes. If you need to set
-    # custom config settings, override the get_override_settings method.
-    # The section of the config file this reads from is the same as the name
-    # method returns.
-    #
-    # @return [Hash] of config settings
-    def settings
-      @log.debug "merging settings"
-      setting_sources = [get_override_settings, load_config, default_settings]
-      merged_settings = setting_sources.inject({}) { |merged, hash| merged.deep_merge(hash) }
-      @log.debug "using merged settings: " + merged_settings.to_s
-      @log.debug "validating merged settings"
-      if validate_settings(merged_settings)
-        @log.debug "successfully validated merged settings"
-        return merged_settings
-      else
-        @log.warn "validation of merged settings failed"
-        @log.warn "unable to validate settings in #{self.name} validator"
-        raise "settings validation error"
-      end
-    end
-
-    # (optionally) override this from a child class to set config defaults.
-    # These will be overridden by config file settings.
-    #
-    # Override this when inheriting if you need to set config defaults.
-    # For example, if you want to pull settings from zookeeper, this would
-    # be a good place to do that.
-    #
-    # @return [Hash] of config settings
-    def default_settings
-      {}
-    end
-
-
-    # (optionally) override this to perform validation checks on the merged
-    # config hash of default settings, config file settings, and override
-    # settings.
-    # @return [True, False]
-    def validate_settings(settings)
-      settings.is_a?(Hash)
-    end
-
-    # load any required configuration from the config file.
-    # Do not override this in child classes.
-    # @return [Hash] configuration settings from the validator's section of the config file
-    def load_config
-      @log.debug "loading validator-specific configuration"
-      config = Autosign::Config.new
-
-      if config.settings.to_hash[self.name].nil?
-        @log.warn "Unable to load validator-specific configuration"
-        @log.warn "Cannot load configuration section named '#{self.name}'"
-        return {}
-      else
-        @log.debug "Set validator-specific settings from config file: " + config.settings.to_hash[self.name].to_s
-        return config.settings.to_hash[self.name]
-      end
-    end
-
-    # (optionally) override this from child classes to get custom configuration
-    # from a validator.
-    #
-    # This is how you override defaults and config file settings.
-    # @return [Hash] configuration settings
-    def get_override_settings
-      {}
-    end
-
   end
 end
-
-# must run at the end because the validators inherit this class
-# this loads all validators
-require_rel 'validators'