autosign 0.1.4 → 1.0.0

data/lib/autosign/{validators → validator}/jwt.rb

@@ -1,20 +1,16 @@
+# frozen_string_literal: true
+require 'autosign/validator/validator_base'
+
 module Autosign
-  module Validators
+  module Validator
     # Validate certificate signing requests using JSON Web Tokens (JWT).
     # This is the expected primary validator when using the autosign gem.
     # Validation requires that the shared secret used to generate the JWT is
     # the same as on the validating system. The validator also checks that the
     # token has not expired, and that one-time (non-reusable) tokens have not
     # been previously used.
-    class JWT < Autosign::Validator
-
-      # set the user-friendly name of the JWT validator.
-      # This name is used to specify that configuration should come from the
-      # [jwt_token] section of the autosign.conf file.
-      # @return [String] name of the validator
-      def name
-        "jwt_token"
-      end
+    class JWT < Autosign::Validator::ValidatorBase
+      NAME = 'jwt_token'
 
       private
 
@@ -26,15 +22,19 @@ module Autosign
       # @param certname [String] the certname being requested in the certificate signing request
       # @param raw_csr [String] Raw CSR; not used in this validator.
       # @return [True, False] returns true to indicate successful validation, and false to indicate failure to validate
-      def perform_validation(token, certname, raw_csr)
-        @log.info "attempting to validate JWT token"
-        return false unless Autosign::Token.validate(certname, token, settings['secret'])
-        @log.info "validated JWT token"
-        @log.debug "validated JWT token, checking reusability"
+      def perform_validation(token, certname, _raw_csr)
+        @log.info "attempting to validate with #{name}"
+        unless Autosign::Token.validate(certname, token, settings['secret'])
+          return false
+        end
+
+        @log.info 'validated JWT token'
+        @log.debug 'validated JWT token, checking reusability'
 
         return true if is_reusable?(token)
         return true if add_to_journal(token)
-        return false
+
+        false
       end
 
       def is_reusable?(token)
@@ -49,16 +49,16 @@ module Autosign
       def add_to_journal(token)
         validated_token = Autosign::Token.from_token(token, settings['secret'])
         @log.debug 'add_to_journal settings: ' + settings.to_s
-        journal = Autosign::Journal.new({'journalfile' => settings['journalfile']})
+        journal = Autosign::Journal.new('journalfile' => settings['journalfile'])
         token_expiration = Autosign::Token.token_validto(token, settings['secret'])
 
         # adding will return false if the token is already in the journal
         if journal.add(validated_token.uuid, token_expiration, validated_token.to_hash)
           @log.info "added token with UUID '#{validated_token.uuid}' to journal"
-          return true
+          true
         else
-          @log.warn "journal cannot validate one-time token; may already have been used"
-          return false
+          @log.warn 'journal cannot validate one-time token; may already have been used'
+          false
         end
       end
 
@@ -75,34 +75,33 @@ module Autosign
       #
       # This should probably be done differently at some point.
       def get_override_settings
-        if (ENV["AUTOSIGN_TESTMODE"] == "true" and
-            !ENV["AUTOSIGN_TEST_SECRET"].nil? and
-            !ENV["AUTOSIGN_TEST_JOURNALFILE"].nil? )
-           {
-             'secret'      => ENV["AUTOSIGN_TEST_SECRET"].to_s,
-             'journalfile' => ENV["AUTOSIGN_TEST_JOURNALFILE"].to_s
-           }
+        if (ENV['AUTOSIGN_TESTMODE'] == 'true') &&
+           !ENV['AUTOSIGN_TEST_SECRET'].nil? &&
+           !ENV['AUTOSIGN_TEST_JOURNALFILE'].nil?
+          {
+            'secret' => ENV['AUTOSIGN_TEST_SECRET'].to_s,
+            'journalfile' => ENV['AUTOSIGN_TEST_JOURNALFILE'].to_s
+          }
         else
           {}
         end
       end
 
-    # Validate that the settings hash contains a secret.
-    # The validator cannot function without a secret, so there's no point
-    # in continuing to run if it was configured without a secret.
-    # @param settings [Hash] settings hash
-    # @return [True, False] return true if settings are valid, false if config is unusable
-    def validate_settings(settings)
-      @log.debug "validating settings: " + settings.to_s
-      if settings['secret'].is_a?(String)
-        @log.info "validated settings successfully"
-        return true
-      else
-        @log.error "no secret setting found"
-        return false
+      # Validate that the settings hash contains a secret.
+      # The validator cannot function without a secret, so there's no point
+      # in continuing to run if it was configured without a secret.
+      # @param settings [Hash] settings hash
+      # @return [True, False] return true if settings are valid, false if config is unusable
+      def validate_settings(settings)
+        @log.debug 'validating settings: ' + settings.to_s
+        if settings['secret'].is_a?(String)
+          @log.info "validated settings successfully for #{name}"
+          true
+        else
+          @log.error 'no secret setting found'
+          false
+        end
       end
     end
-
-    end
   end
 end

data/lib/autosign/{validators → validator}/multiplexer.rb

@@ -1,6 +1,8 @@
-module Autosign
-  module Validators
+# frozen_string_literal: true
+require 'autosign/validator/validator_base'
 
+module Autosign
+  module Validator
     # The multiplexer validator sends the same request received by the autosign
     # executable to one or more external executables. The purpose is to allow
     # one or more existing autosign scripts to be used in conjunction with the
@@ -25,15 +27,8 @@ module Autosign
     #     external_policy_executable = /usr/local/bin/another-autosign-script.rb
     #   # requests will only be validated by the multiplexer validator if they
     #   # are validated by both external policy executables.
-    class Multiplexer < Autosign::Validator
-
-      # set the user-friendly name of the Multiplexer validator.
-      # This name is used to specify that configuration should come from the
-      # [multiplexer] section of the autosign.conf file.
-      # @return [String] name of the validator
-      def name
-        "multiplexer"
-      end
+    class Multiplexer < Autosign::Validator::ValidatorBase
+      NAME = 'multiplexer'
 
       private
 
@@ -42,25 +37,24 @@ module Autosign
       # @param certname [String] certname requested in the CSR
       # @param raw_csr [String] X509 certificate signing request as received by the policy executable
       # @return [True, False] returns true to indicate successful validation, and false to indicate failure to validate
-      def perform_validation(token, certname, raw_csr)
+      def perform_validation(_token, certname, raw_csr)
         results = []
-        @log.debug "validating using multiplexed external executables"
-        policy_executables.each {|executable|
-          @log.debug "attempting to validate using #{executable.to_s}"
-          results << IO.popen(executable + ' ' + certname.to_s, 'r+') {|obj| obj.puts raw_csr; obj.close_write; obj.read; obj.close; $?.to_i }
-          @log.debug "exit code from #{executable.to_s}: #{results.last}"
-        }
-        bool_results = results.map {|val| val == 0}
-        return validate_using_strategy(bool_results)
+        @log.debug 'validating using multiplexed external executables'
+        policy_executables.each do |executable|
+          @log.debug "attempting to validate using #{executable}"
+          results << IO.popen(executable + ' ' + certname.to_s, 'r+') { |obj| obj.puts raw_csr; obj.close_write; obj.read; obj.close; $CHILD_STATUS.to_i }
+          @log.debug "exit code from #{executable}: #{results.last}"
+        end
+        bool_results = results.map { |val| val == 0 }
+        validate_using_strategy(bool_results)
       end
 
-
       # set the default validation strategy to "any", succeeding if any one
       # external autosign script succeeds.
       # @return [Hash] config hash to be merged in with config file settings and overrides.
       def default_settings
         {
-          'strategy' => 'any',
+          'strategy' => 'any'
         }
       end
 
@@ -72,13 +66,13 @@ module Autosign
         case settings['strategy']
         when 'any'
           @log.debug "validating using 'any' strategy"
-          return array.any?
+          array.any?
         when 'all'
           @log.debug "validating using 'all' strategy"
-          return array.all?
+          array.all?
         else
-          @log.error "unable to validate; unknown strategy"
-          return false
+          @log.error 'unable to validate; unknown strategy'
+          false
         end
       end
 
@@ -86,25 +80,23 @@ module Autosign
       # or an empty array if none are specified.
       # @return [Array] of policy executables.
       def policy_executables
-	Array(settings['external_policy_executable'])      
+        Array(settings['external_policy_executable'])
       end
 
-
       # validate that settins are reasonable. Validation strategy must be
       # either any or all.
       # @param settings [Hash] config settings hash
       # @return [True, False] true if settings validate successfully, false otherwise
       def validate_settings(settings)
-        @log.debug "validating settings: " + settings.to_s
-        unless ['any', 'all'].include? settings['strategy']
+        @log.debug 'validating settings: ' + settings.to_s
+        unless %w[any all].include? settings['strategy']
           @log.error "strategy setting must be set to 'any' or 'all'"
           return false
         end
 
-        @log.debug "done validating settings"
+        @log.debug 'done validating settings'
         true
       end
-
     end
   end
 end

data/lib/autosign/{validators → validator}/passwordlist.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+require 'autosign/validator/validator_base'
 module Autosign
-  module Validators
+  module Validator
     # Validate certificate signing requests using a simple password list.
     # This is not a very secure or flexible validation scheme, but is provided
     # because so many existing autosign policy scripts implement it.
@@ -11,35 +13,32 @@ module Autosign
     #   password = opensesame
     #   password = CPE1704TKS
     #
-    class Passwordlist < Autosign::Validator
-      def name
-        "password_list"
-      end
+    class Passwordlist < Autosign::Validator::ValidatorBase
+      NAME = 'password_list'
 
       private
 
-      def perform_validation(password, certname, raw_csr)
-        @log.debug "validating against simple password list"
-        @log.debug "passwords: " + settings.to_s
+      def perform_validation(password, _certname, _raw_csr)
+        @log.debug 'validating against simple password list'
+        @log.debug 'passwords: ' + settings.to_s
         result = validate_password(password.to_s)
-        @log.debug "validation result: " + result.to_s
-        return result
+        @log.debug 'validation result: ' + result.to_s
+        result
       end
 
       def validate_password(password)
-        @log.debug "Checking if password list includes password"
+        @log.debug 'Checking if password list includes password'
         password_list.include?(password.to_s)
       end
 
       def password_list
-	Array(settings['password'])      
+        Array(settings['password'])
       end
 
-    def validate_settings(settings)
-      @log.debug "validating settings: " + settings.to_s
-      true
-    end
-
+      def validate_settings(settings)
+        @log.debug 'validating settings: ' + settings.to_s
+        true
+      end
     end
   end
 end

data/lib/autosign/validator/validator_base.rb

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+
+require 'logging'
+
+module Autosign
+  module Validator
+    # Parent class for validation backends. Validator take the
+    # challenge_password and common name from a certificate signing request,
+    # and perform some action to determine whether the request is valid.
+    #
+    # Validator also get the raw X509 CSR in case the extracted information
+    # is insufficient for future, more powerful validators.
+    #
+    # All validators must inherit from this class, and must override several
+    # methods in order to function. At a minimum, the name and perform_validation
+    # methods must be implemented by child classes.
+    #
+    # @return Autosign::Validator::ValidatorBase instance of the Autosign::Validator::ValidatorBase class
+    class ValidatorBase
+      NAME = 'base'
+      attr_reader :config_file_settings
+
+      def initialize(config_file_settings = nil)
+        @config_file_settings = config_file_settings
+        start_logging
+        settings # just run to validate settings
+        setup
+        # call name to ensure that the class fails immediately if child classes
+        # do not implement it.
+        name
+      end
+  
+      # @return [String] name of the validator. Do not use special characters.
+      # You must set the NAME constant in the sublcass
+      def name
+        self.class::NAME
+      end
+  
+      # define how a validator actually validates the request.
+      # This must be implemented by validators which inherit from the
+      # Autosign::Validator class.
+      #
+      # @param challenge_password [String] the challenge_password OID from the certificate signing request. The challenge_password field is the same setting as the "challengePassword" field in a `csr_attributes.yaml` file when the CSR is generated. In a request using a JSON web token, this would be the serialized token.
+      # @param certname [String] the common name being requested in the certificate signing request. Treat the certname as untrusted. This is user-submitted data that you must validate.
+      # @param raw_csr [String] the encoded X509 certificate signing request, as received by the autosign policy executable. This is provided as an optional extension point, but your validator may not need to use it.
+      # @return [True, False] return true if the certificate should be signed, and false if you cannot validate the request successfully.
+      def perform_validation(_challenge_password, _certname, _raw_csr)
+        # override this after inheriting
+        # should return true to indicate success validating
+        # or false to indicate that the validator was unable to validate
+        raise NotImplementedError
+      end
+  
+      # wrapper method that wraps input validation and logging around the perform_validation method.
+      # Do not override or use this class in child classes. This is the class that gets called
+      # on validator objects.
+      def validate(challenge_password, certname, raw_csr)
+        raise unless challenge_password.is_a?(String)
+        raise unless certname.is_a?(String)
+  
+        case perform_validation(challenge_password, certname, raw_csr)
+        when true
+          @log.debug 'validated successfully'
+          @log.info  "Validated '#{certname}' using '#{name}' validator"
+          true
+        when false
+          @log.debug 'validation failed'
+          @log.debug "Unable to validate '#{certname}' using '#{name}' validator"
+          false
+        else
+          @log.error 'perform_validation returned a non-boolean result'
+          raise 'perform_validation returned a non-boolean result'
+        end
+      end
+
+      private
+
+      # this is automatically called when the class is initialized; do not
+      # override it in child classes.
+      def start_logging
+        @log = Logging.logger[self.class]
+        @log.debug 'starting autosign validator: ' + name.to_s
+      end
+
+      # (optionally) override this method in validator child classes to perform any additional
+      # setup during class initialization prior to beginning validation.
+      # If you need to create a database connection, this would be a good place to do it.
+      # @return [True, False] return true if setup succeeded, or false if setup failed and the validation should not continue
+      def setup
+        true
+      end
+
+    # provide a merged settings hash of default settings for a validator,
+    # config file settings for the validator, and override settings defined in
+    # the validator.
+    #
+    # Do not override this in child classes. If you need to set
+    # custom config settings, override the get_override_settings method.
+    # The section of the config file this reads from is the same as the name
+    # method returns.
+    #
+    # @return [Hash] of config settings
+    def settings
+      @settings ||= begin
+        @log.debug "merging settings for #{name} validator"
+        setting_sources = [get_override_settings, load_config, default_settings]
+        merged_settings = setting_sources.inject({}) { |merged, hash| merged.deep_merge(hash, {:overwrite_arrays => true}) }
+        @log.debug 'using merged settings: ' + merged_settings.to_s
+        @log.debug 'validating merged settings'
+        if validate_settings(merged_settings)
+          @log.debug 'successfully validated merged settings'
+          merged_settings
+        else
+          @log.warn 'validation of merged settings failed'
+          @log.warn "unable to validate settings in #{name} validator"
+          raise 'settings validation error'
+        end
+        merged_settings
+      end
+    end
+
+    # (optionally) override this from a child class to set config defaults.
+    # These will be overridden by config file settings.
+    #
+    # Override this when inheriting if you need to set config defaults.
+    # For example, if you want to pull settings from zookeeper, this would
+    # be a good place to do that.
+    #
+    # @return [Hash] of config settings
+    def default_settings
+      {}
+    end
+
+    # (optionally) override this to perform validation checks on the merged
+    # config hash of default settings, config file settings, and override
+    # settings.
+    # @return [True, False]
+    def validate_settings(settings)
+      settings.is_a?(Hash)
+    end
+
+    # load any required configuration from the config file.
+    # Do not override this in child classes.
+    # @return [Hash] configuration settings from the validator's section of the config file
+    def load_config
+      @log.debug 'loading validator-specific configuration'
+      config_settings = @config_file_settings ||= Autosign::Config.new.settings
+      if config_settings.to_hash[name].nil?
+        @log.warn 'Unable to load validator-specific configuration'
+        @log.warn "Cannot load configuration section named '#{name}'"
+        {}
+      else
+        @log.debug 'Set validator-specific settings from config file: ' + config_settings.to_hash[name].to_s
+        config_settings.to_hash[name]
+      end
+    end
+
+    # (optionally) override this from child classes to get custom configuration
+    # from a validator.
+    #
+    # This is how you override defaults and config file settings.
+    # @return [Hash] configuration settings
+    def get_override_settings
+      {}
+    end
+  end
+  end
+end