autosign 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3d43769ea221d92c48e517138ec7a3c1ba16ed3a
+  data.tar.gz: 0a8454928712134b07dfaa5aa16c4451042086ac
+SHA512:
+  metadata.gz: fd1b62abf9b19f6806a356a693c42eb91593ca9cad9bcc79240b7df3d01d1b72bc92c6b8cb14647f92cb92a59179831aa7a90e6d379274b536c977b65a844fd1
+  data.tar.gz: 4d5660957738acf9edd0413efab0c1fcc029ecc23ba049d75c26807a7e68f2310d5f5e22054a3c1469ab6e8609ec796ce1956968f6445bfb6e28ff3d990eda74

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/Gemfile.lock

@@ -0,0 +1,73 @@
+PATH
+  remote: .
+  specs:
+    autosign (0.0.1)
+      deep_merge
+      gli (~> 2)
+      iniparse (~> 1)
+      jwt (~> 1)
+      logging
+      require_all
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    CFPropertyList (2.2.8)
+    aruba (0.6.2)
+      childprocess (>= 0.3.6)
+      cucumber (>= 1.1.1)
+      rspec-expectations (>= 2.7.0)
+    builder (3.2.2)
+    childprocess (0.5.6)
+      ffi (~> 1.0, >= 1.0.11)
+    cucumber (2.0.0)
+      builder (>= 2.1.2)
+      cucumber-core (~> 1.1.3)
+      diff-lcs (>= 1.1.3)
+      gherkin (~> 2.12)
+      multi_json (>= 1.7.5, < 2.0)
+      multi_test (>= 0.1.2)
+    cucumber-core (1.1.3)
+      gherkin (~> 2.12.0)
+    deep_merge (1.0.1)
+    diff-lcs (1.2.5)
+    facter (2.2.0)
+      CFPropertyList (~> 2.2.6)
+    ffi (1.9.9)
+    gherkin (2.12.2)
+      multi_json (~> 1.3)
+    gli (2.13.1)
+    hiera (1.3.4)
+      json_pure
+    iniparse (1.4.0)
+    json (1.8.3)
+    json_pure (1.8.1)
+    jwt (1.5.1)
+    little-plugger (1.1.3)
+    logging (2.0.0)
+      little-plugger (~> 1.1)
+      multi_json (~> 1.10)
+    multi_json (1.11.1)
+    multi_test (0.1.2)
+    puppet (3.7.0)
+      facter (> 1.6, < 3)
+      hiera (~> 1.0)
+      json_pure
+    rake (10.4.2)
+    rdoc (4.2.0)
+      json (~> 1.4)
+    require_all (1.3.2)
+    rspec-expectations (3.3.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.3.0)
+    rspec-support (3.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  aruba
+  autosign!
+  puppet
+  rake
+  rdoc

data/README.rdoc

@@ -0,0 +1,6 @@
+= autosign
+
+Describe your project here
+
+:include:autosign.rdoc
+

data/Rakefile

@@ -0,0 +1,44 @@
+require 'rake/clean'
+require 'rubygems'
+require 'rubygems/package_task'
+require 'rdoc/task'
+require 'cucumber'
+require 'cucumber/rake/task'
+Rake::RDocTask.new do |rd|
+  rd.main = "README.rdoc"
+  rd.rdoc_files.include("README.rdoc","lib/**/*.rb","bin/**/*")
+  rd.title = 'Your application title'
+end
+
+spec = eval(File.read('autosign.gemspec'))
+
+Gem::PackageTask.new(spec) do |pkg|
+end
+CUKE_RESULTS = 'results.html'
+CLEAN << CUKE_RESULTS
+desc 'Run features'
+Cucumber::Rake::Task.new(:features) do |t|
+  opts = "features --format html -o #{CUKE_RESULTS} --format progress -x"
+  opts += " --tags #{ENV['TAGS']}" if ENV['TAGS']
+  t.cucumber_opts =  opts
+  t.fork = false
+end
+
+desc 'Run features tagged as work-in-progress (@wip)'
+Cucumber::Rake::Task.new('features:wip') do |t|
+  tag_opts = ' --tags ~@pending'
+  tag_opts = ' --tags @wip'
+  t.cucumber_opts = "features --format html -o #{CUKE_RESULTS} --format pretty -x -s#{tag_opts}"
+  t.fork = false
+end
+
+task :cucumber => :features
+task 'cucumber:wip' => 'features:wip'
+task :wip => 'features:wip'
+require 'rake/testtask'
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList['test/*_test.rb']
+end
+
+task :default => [:test,:features]

data/autosign.gemspec

@@ -0,0 +1,29 @@
+# Ensure we require the local version and not one we might have installed already
+require File.join([File.dirname(__FILE__),'lib','autosign','version.rb'])
+spec = Gem::Specification.new do |s| 
+  s.name = 'autosign'
+  s.version = Autosign::VERSION
+  s.author = 'Your Name Here'
+  s.email = 'your@email.address.com'
+  s.homepage = 'http://your.website.com'
+  s.platform = Gem::Platform::RUBY
+  s.summary = 'A description of your project'
+  s.files = `git ls-files`.split("
+")
+  s.require_paths << 'lib'
+  s.has_rdoc = true
+  s.extra_rdoc_files = ['README.rdoc','autosign.rdoc']
+  s.rdoc_options << '--title' << 'autosign' << '--main' << 'README.rdoc' << '-ri'
+  s.bindir = 'bin'
+  s.executables << 'autosign'
+  s.add_development_dependency('rake')
+  s.add_development_dependency('rdoc')
+  s.add_development_dependency('aruba')
+  s.add_development_dependency('puppet')
+  s.add_runtime_dependency('gli','~> 2')
+  s.add_runtime_dependency('jwt','~> 1')
+  s.add_runtime_dependency('iniparse','~> 1')
+  s.add_runtime_dependency('logging')
+  s.add_runtime_dependency('deep_merge')
+  s.add_runtime_dependency('require_all')
+end

data/autosign.rdoc

@@ -0,0 +1,5 @@
+= autosign
+
+Generate this with
+    autosign rdoc
+After you have described your command line interface

data/bin/autosign

@@ -0,0 +1,169 @@
+#!/usr/bin/env ruby
+require 'gli'
+require 'autosign'
+require 'socket' # for determining the current hostname
+include GLI::App
+require 'logging'
+
+@logger = Logging.logger['Autosign']
+@logger.level = :warn
+
+program_desc 'Easy Puppet Certificate Autosigning'
+
+version Autosign::VERSION
+
+subcommand_option_handling :normal
+arguments :strict
+
+desc 'Configuration file location'
+arg_name 'path'
+flag [:c,:config]
+
+desc 'log file location'
+arg_name 'path'
+flag [:l,:logfile]
+
+desc 'secret symmetric key'
+arg_name 'secret'
+flag [:s,:secret]
+
+desc 'Enable verbose output'
+switch [:v, :verbose]
+
+desc 'Enable debug output'
+switch [:d, :debug]
+
+desc 'Quiet output - only log errors'
+switch [:q, :quiet]
+
+desc 'Generate an autosign token'
+arg_name 'certname or regex the autosign token will be valid for'
+command :generate do |c|
+  c.desc 'Generate a reusable token; default is to generate one-time tokens'
+  c.switch [:r, :reusable]
+
+  c.desc 'certname or regex of certnames the autosign token will be valid for'
+  c.arg_name 'certname'
+  c.flag [:n,:certname]
+
+  c.desc 'autosign token validity period'
+  c.default_value '7200'
+  c.arg_name 'seconds'
+  c.flag [:t,:validfor]
+
+  c.action do |global_options,options,args|
+    config = Autosign::Config.new({'config_file' => global_options['config']})
+    global_options['secret'] = config.settings['jwt_token']['secret'] if global_options['secret'].nil?
+    options['validfor'] = config.settings.to_hash['jwt_token']['validity'].to_s if options['validfor'] == '7200'
+    @logger.debug "validfor: " + options['validfor']
+    help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
+    help_now!('certname is required') if options['certname'].nil?
+
+    help_now!('validfor setting must be an positive integer number of seconds') if !/\A\d+\z/.match(options['validfor'].to_s)
+    token = Autosign::Token.new(options['certname'].to_s, options['reusable'], options['validfor'].to_i, Socket.gethostname.to_s, global_options['secret'])
+    @logger.info "generated token for: " + options['certname'].to_s
+    puts "Autosign token for: " + token.certname
+    puts "Valid until: " + Time.at(token.validto).to_s
+    puts ""
+    puts token.sign.to_s
+    puts ""
+  end
+end
+
+desc 'Validate a previously issued token'
+arg_name 'path'
+command :validate do |c|
+  c.desc 'display the contents of the token'
+
+  c.arg_name 'certname'
+  c.flag [:n,:certname]
+
+  c.action do |global_options,options,args|
+    config = Autosign::Config.new({'config_file' => global_options['config']})
+    puts config.settings.to_hash['jwt_token']
+    global_options['secret'] = config.settings['jwt_token']['secret'] if global_options['secret'].nil?
+
+    help_now!('no secret was defined via --secret or a config file') if global_options['secret'].nil?
+    help_now!('certname is required') if options['certname'].nil?
+    help_now!('a single token must be provided as an argument') if args.size != 1
+    token = Autosign::Token.validate(options['certname'].to_s, args[0], global_options['secret'])
+    if token == true
+      puts "token validated successfully"
+      @logger.info "token validated successfully"
+    else
+      @logger.error "Unable to validate token"
+      exit_now!("Unable to validate token", 1)
+    end
+  end
+end
+
+
+desc 'Autosign configuration'
+command :config do |c|
+
+  c.desc 'Configure a puppet server for autosigning'
+  c.command :setup do |setup|
+    setup.action do |global_options,options,args|
+      @logger.info "setup command ran with #{global_options} #{options} #{args}"
+      @logger.info "generated default config file" if Autosign::Config.generate_default
+    end
+  end
+
+  c.desc 'Print autosign configuration'
+  c.command :print do |print|
+    print.action do |global_options,options,args|
+      @logger.debug "print command ran with #{global_options} #{options} #{args}"
+      config = Autosign::Config.new({'config_file' => global_options['config']})
+      puts config.settings.to_s
+    end
+  end
+
+end
+
+desc 'Install an autosign token; run this prior to running puppet for the first time on an agent'
+arg_name 'token'
+command :use do |c|
+  c.action do |global_options,options,args|
+    puppet_confdir = %x[puppet config print confdir].chomp
+    @logger.debug "use command ran with #{global_options} #{options} #{args}"
+    puts "put the following in #{puppet_confdir}/csr_attributes.yaml prior to running puppet agent for the first time:
+custom_attributes:
+  challengePassword: \"#{args[0]}\""
+  end
+end
+
+pre do |global,command,options,args|
+  # Pre logic here
+  # Return true to proceed; false to abort and not call the
+  # chosen command
+  # Use skips_pre before a command to skip this block
+  # on that command only
+#  config = Autosign::Config.new
+#  @logger.level = config.settings.to_hash['general']['loglevel'].to_sym unless config.settings.to_hash['general']['loglevel'].nil?
+
+  @logger.level = :error if global['quiet']
+  @logger.level = :info if global['verbose']
+  @logger.level = :debug if global['debug']
+
+  if global['logfile'].nil?
+    @logger.add_appenders Logging.appenders.stdout
+  else
+    @logger.add_appenders Logging.appenders.stdout, Logging.appenders.file(global['logfile'])
+  end
+
+  true
+end
+
+post do |global,command,options,args|
+  # Post logic here
+  # Use skips_post before a command to skip this
+  # block on that command only
+end
+
+on_error do |exception|
+  # Error logic here
+  # return false to skip default error handling
+  true
+end
+
+exit run(ARGV)

data/bin/autosign-validator

@@ -0,0 +1,41 @@
+#!/usr/bin/env ruby
+require 'autosign'
+require 'logging'
+
+@logger = Logging.logger['Autosign']
+@logger.level = :debug
+@logger.add_appenders Logging.appenders.stdout
+
+### Get Inputs
+unless ARGV.count == 1
+  @logger.error "This executable must be called with a certname as the only parameter and with an X509 CSR piped into STDIN"
+  exit 1
+end
+
+certname = ARGV[0]
+@logger.debug "certname is " + certname
+
+@logger.debug "reading CSR from stdin"
+csr = Autosign::Decoder.decode_csr($stdin.read)
+exit 1 unless csr.is_a?(Hash)
+
+@logger.debug "CSR: " + csr.to_s
+### End Inputs
+
+### validate token
+token_validation = Autosign::Validator.any_validator(csr[:challenge_password].to_s, certname.to_s)
+### end validation
+
+### Exit with correct exit status
+if token_validation == true
+  @logger.info "token validated successfully"
+  exit 0
+else
+  STDERR.puts "failed to validate token"
+  @logger.error "Unable to validate token"
+  exit 1
+end
+### Done exiting
+
+# end with an exit 1 just in case
+exit 1

data/features/autosign.feature

@@ -0,0 +1,78 @@
+Feature: Generate autosign key
+  In order to sign puppet certificates automatically
+  I want to generate autosign keys programatically
+  So I don't have to use static strings as keys
+
+  Scenario: Generate new token
+    Given a pre-shared key of "secret"
+      And a hostname of "foo.example.com"
+      And a file named "autosign.conf" with:
+      """
+      [jwt_token]
+      validity = 7200
+      secret = secret
+      """
+    When I run `chmod 600 autosign.conf`
+     And I run `autosign --config autosign.conf generate --certname foo.example.com`
+    Then the output should contain "Autosign token for: foo.example.com"
+     And the output should contain "Valid until"
+     And the exit status should be 0
+
+  Scenario: Generate new reusable token
+    Given a pre-shared key of "secret"
+      And a hostname of "foo.example.com"
+      And a file named "autosign.conf" with:
+      """
+      [jwt_token]
+      secret = secret
+      validity = 7200
+      """
+    When I run `chmod 600 autosign.conf`
+    When I run `autosign --config autosign.conf generate --certname foo.example.com --reusable`
+    Then the output should contain "Autosign token for: foo.example.com"
+     And the output should contain "Valid until"
+     And the exit status should be 0
+
+  Scenario: Validate a token
+    Given a pre-shared key of "secret"
+      And a hostname of "foo.example.com"
+      And a file named "autosign.conf" with:
+      """
+      [jwt_token]
+      secret = secret
+      """
+    When I run `chmod 600 autosign.conf`
+    When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjI5OTk5OTk5OSxcInV1aWRcIjpcIjlkYTA0Yzc4LWQ5NjUtNDk2OC04MWNjLWVhM2RjZDllZjVjMFwifSIsImV4cCI6IjE3MzY0NjYxMzAifQ.PJwY8rIunVyWi_lw0ypFclME0jx3Vd9xJIQSyhN3VUmul3V8u4Tp9XwDgoAu9DVV0-WEG2Tfxs6F8R6Fn71Ndg"`
+    Then the output should contain "token validated successfully"
+     And the exit status should be 0
+
+  Scenario: Not validate a bad token
+    Given a pre-shared key of "secret"
+      And a hostname of "foo.example.com"
+      And a file named "autosign.conf" with:
+      """
+      [jwt_token]
+      secret = secret
+      """
+    When I run `chmod 600 autosign.conf`
+    When I run `autosign --config autosign.conf validate --certname "foo.example.com" "invalid_token"`
+    Then the exit status should be 1
+
+  Scenario: Not validate an expired token
+    Given a pre-shared key of "secret"
+      And a hostname of "foo.example.com"
+      And a file named "autosign.conf" with:
+      """
+      [jwt_token]
+      secret = secret
+      """
+    When I run `chmod 600 autosign.conf`
+    When I run `autosign --config autosign.conf validate --certname "foo.example.com" "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjoie1wiY2VydG5hbWVcIjpcImZvby5leGFtcGxlLmNvbVwiLFwicmVxdWVzdGVyXCI6XCJEYW5pZWxzLU1hY0Jvb2stUHJvLTIubG9jYWxcIixcInJldXNhYmxlXCI6ZmFsc2UsXCJ2YWxpZGZvclwiOjEsXCJ1dWlkXCI6XCJlNjI1Y2I1Ny02NzY5LTQwMzQtODNiZS0zNzkxNmQ5YmMxMDRcIn0iLCJleHAiOiIxNDM2NDY2MzAyIn0.UXEDEbRqEWx5SdSpQjfowU56JubY5Yz2QN6cckby2es-g2P_n2lyAS6AwFeliBXyCDyVUelIT3g1QP4TdB9EEA"`
+    Then the exit status should be 1
+
+  Scenario: Generate a csr_attributes.yaml file
+    When I run `autosign use hunter2`
+    Then the output should contain "challengePassword: "
+     And the output should contain "csr_attributes.yaml"
+     And the output should contain "hunter2"
+     And the exit status should be 0