RubyGems - certmeister - Versions diffs - 0.0.1 - Mend

certmeister 0.0.1

Files changed (54) hide show

checksums.yaml +7 -0
data/.gitignore +20 -0
data/.rspec +2 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/Gemfile +4 -0
data/Gemfile.lock +27 -0
data/LICENSE +20 -0
data/README.md +32 -0
data/Rakefile +6 -0
data/certmeister.gemspec +26 -0
data/fixtures/ca.crt +15 -0
data/fixtures/ca.csr +12 -0
data/fixtures/ca.key +15 -0
data/fixtures/client.crt +15 -0
data/fixtures/client.csr +12 -0
data/fixtures/client.key +15 -0
data/lib/certmeister.rb +14 -0
data/lib/certmeister/base.rb +92 -0
data/lib/certmeister/config.rb +129 -0
data/lib/certmeister/in_memory_store.rb +43 -0
data/lib/certmeister/policy.rb +21 -0
data/lib/certmeister/policy/blackhole.rb +15 -0
data/lib/certmeister/policy/chain_all.rb +36 -0
data/lib/certmeister/policy/domain.rb +37 -0
data/lib/certmeister/policy/existing.rb +32 -0
data/lib/certmeister/policy/fcrdns.rb +40 -0
data/lib/certmeister/policy/noop.rb +15 -0
data/lib/certmeister/policy/psk.rb +37 -0
data/lib/certmeister/policy/response.rb +24 -0
data/lib/certmeister/response.rb +47 -0
data/lib/certmeister/store_error.rb +6 -0
data/lib/certmeister/test/memory_store_interface.rb +54 -0
data/lib/certmeister/version.rb +5 -0
data/signit.rb +39 -0
data/spec/certmeister/base_spec.rb +205 -0
data/spec/certmeister/config_spec.rb +170 -0
data/spec/certmeister/in_memory_store_spec.rb +40 -0
data/spec/certmeister/policy/blackhole_spec.rb +19 -0
data/spec/certmeister/policy/chain_all_spec.rb +40 -0
data/spec/certmeister/policy/domain_spec.rb +38 -0
data/spec/certmeister/policy/existing_spec.rb +39 -0
data/spec/certmeister/policy/fcrdns_spec.rb +45 -0
data/spec/certmeister/policy/noop_spec.rb +17 -0
data/spec/certmeister/policy/psk_spec.rb +38 -0
data/spec/certmeister/policy/response_spec.rb +35 -0
data/spec/certmeister/response_spec.rb +73 -0
data/spec/helpers/certmeister_config_helper.rb +21 -0
data/spec/helpers/certmeister_fetching_request_helper.rb +9 -0
data/spec/helpers/certmeister_policy_helper.rb +14 -0
data/spec/helpers/certmeister_removing_request_helper.rb +9 -0
data/spec/helpers/certmeister_signing_request_helper.rb +10 -0
data/spec/spec_helper.rb +20 -0
metadata +159 -0

data/spec/certmeister/policy/domain_spec.rb ADDED Viewed

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'certmeister/policy/domain'
+describe Certmeister::Policy::Domain do
+  subject { Certmeister::Policy::Domain.new(['hetzner.africa']) }
+  it "must be configured with a list of domains" do
+    expected_error = "enumerable collection of domains required"
+    expect { Certmeister::Policy::Domain.new }.to raise_error(ArgumentError)
+    expect { Certmeister::Policy::Domain.new('example.com') }.to raise_error(ArgumentError, expected_error)
+    expect { Certmeister::Policy::Domain.new([]) }.to raise_error(ArgumentError, expected_error)
+  end
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  it "refuses to authenticate a request with a missing cn" do
+    response = subject.authenticate({anything: 'something'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "missing cn"
+  end
+  it "refuses to authenticate a request with a cn in an unknown domain" do
+    response = subject.authenticate({anything: 'something', cn: 'axl.starjuice.net'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "cn in unknown domain"
+  end
+  it "authenticates any request with a cn in a known domain" do
+    response = subject.authenticate({anything: 'something', cn: 'axl.hetzner.africa'})
+    expect(response).to be_authenticated
+  end
+end

data/spec/certmeister/policy/existing_spec.rb ADDED Viewed

@@ -0,0 +1,39 @@
+require 'spec_helper'
+require 'certmeister/policy/existing'
+require 'certmeister/in_memory_store'
+describe Certmeister::Policy::Existing do
+  subject { Certmeister::Policy::Existing.new(Certmeister::InMemoryStore.new) }
+  it "must be configured with access to the store" do
+    expect { subject.class.new }.to raise_error(ArgumentError)
+    expect { subject.class.new(Object.new) }.to raise_error(ArgumentError)
+    expect { subject }.to_not raise_error
+  end
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  context "when the store contains a cert for axl.hetzner.africa" do
+    subject { Certmeister::Policy::Existing.new(Certmeister::InMemoryStore.new({"axl.hetzner.africa" => "...cert..."})) }
+    it "refuses to authenticate a request for axl.hetzner.africa" do
+      response = subject.authenticate(cn: 'axl.hetzner.africa')
+      expect(response).to_not be_authenticated
+      expect(response.error).to match /exists/
+    end
+    it "authenticates requests for other common names" do
+      response = subject.authenticate(cn: 'bob.example.com')
+      expect(response).to be_authenticated
+    end
+  end
+end

data/spec/certmeister/policy/fcrdns_spec.rb ADDED Viewed

@@ -0,0 +1,45 @@
+require 'spec_helper'
+require 'certmeister/policy/fcrdns'
+describe Certmeister::Policy::Fcrdns do
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  it "refuses to authenticate a request with a missing cn" do
+    response = subject.authenticate({ip: '127.0.0.1'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "missing cn"
+  end
+  it "refuses to authenticate a request with a missing ip" do
+    response = subject.authenticate({cn: 'localhost'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "missing ip"
+  end
+  it "refuses to authenticate a request with an ip that does not have fcrdns that matches the cn" do
+    response = subject.authenticate({cn: 'bad.example.com', ip: '127.0.0.1'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "cn in unknown domain"
+  end
+  it "authenticates any request with an ip that does not have fcrdns that matches the cn" do
+    response = subject.authenticate({cn: 'localhost', ip: '127.0.0.1'})
+    expect(response).to be_authenticated
+  end
+  describe "error handling" do
+    it "refuses to authenticate a request when a DNS failure occurs" do
+      Resolv::DNS.any_instance.stub(:getnames).with('nonsense').and_raise(Resolv::ResolvError.new("cannot interpret as address: nonsense"))
+      response = subject.authenticate({cn: 'localhost', ip: 'nonsense'})
+      expect(response).to_not be_authenticated
+      expect(response.error).to eql "DNS error (cannot interpret as address: nonsense)"
+    end
+  end
+end

data/spec/certmeister/policy/noop_spec.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require 'spec_helper'
+require 'certmeister/policy/noop'
+describe Certmeister::Policy::Noop do
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  it "authenticates any non-empty request" do
+    response = subject.authenticate(anything: 'something')
+    expect(response).to be_authenticated
+    expect(response.error).to be_nil
+  end
+end

data/spec/certmeister/policy/psk_spec.rb ADDED Viewed

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'certmeister/policy/psk'
+describe Certmeister::Policy::Psk do
+  subject { Certmeister::Policy::Psk.new(['secret']) }
+  it "must be configured with a list of psks" do
+    expected_error = "enumerable collection of psks required"
+    expect { Certmeister::Policy::Psk.new }.to raise_error(ArgumentError)
+    expect { Certmeister::Policy::Psk.new('secret') }.to raise_error(ArgumentError, expected_error)
+    expect { Certmeister::Policy::Psk.new([]) }.to raise_error(ArgumentError, expected_error)
+  end
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  it "refuses to authenticate a request with a missing psk" do
+    response = subject.authenticate({anything: 'something'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "missing psk"
+  end
+  it "refuses to authenticate a request with an unknown psk" do
+    response = subject.authenticate({anything: 'something', psk: 'wrong'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "unknown psk"
+  end
+  it "authenticates any request with a known psk" do
+    response = subject.authenticate({anything: 'something', psk: 'secret'})
+    expect(response).to be_authenticated
+  end
+end

data/spec/certmeister/policy/response_spec.rb ADDED Viewed

@@ -0,0 +1,35 @@
+require 'spec_helper'
+require 'certmeister/policy/response'
+describe Certmeister::Policy::Response do
+  describe "on error" do
+    it "is not authenticated" do
+      response = Certmeister::Policy::Response.new(nil, "you smell wrong")
+      expect(response).to_not be_authenticated
+    end
+    it "provides the error" do
+      response = Certmeister::Policy::Response.new(nil, "you smell wrong")
+      expect(response.error).to eql "you smell wrong"
+    end
+  end
+  describe "on success" do
+    it "is authenticated" do
+      response = Certmeister::Policy::Response.new(true, nil)
+      expect(response).to be_authenticated
+    end
+    it "provides no error" do
+      response = Certmeister::Policy::Response.new(true, nil)
+      expect(response.error).to be_nil
+    end
+  end
+end

data/spec/certmeister/response_spec.rb ADDED Viewed

@@ -0,0 +1,73 @@
+require 'spec_helper'
+require 'certmeister/response'
+describe Certmeister::Response do
+  let(:pem) { File.read('fixtures/client.crt') }
+  it "cannot be created with pem and error" do
+    expect { Certmeister::Response.new(pem, "silly") }.to raise_error(ArgumentError)
+  end
+  describe "on error" do
+    subject { Certmeister::Response.new(nil, "something went wrong") }
+    it "provides the error" do
+      expect(subject.error).to eql "something went wrong"
+    end
+    it "doesn't provide the PEM-encoded X509 certificate as a string" do
+      expect(subject.pem).to be_nil
+    end
+    it "offers appropriate boolean flags" do
+      expect(subject.hit?).to be_false
+      expect(subject.miss?).to be_false
+      expect(subject.error?).to be_true
+    end
+  end
+  describe "on miss (i.e. not found)" do
+    subject { Certmeister::Response.new(nil, nil) }
+    it "has no error" do
+      expect(subject.error).to be_nil
+    end
+    it "doesn't provide the PEM-encoded X509 certificate as a string" do
+      expect(subject.pem).to be_nil
+    end
+    it "offers appropriate boolean flags" do
+      expect(subject.hit?).to be_false
+      expect(subject.miss?).to be_true
+      expect(subject.error?).to be_false
+    end
+  end
+  describe "on hit (success)" do
+    subject { Certmeister::Response.new(pem, nil) }
+    it "has no error" do
+      expect(subject.error).to be_nil
+    end
+    it "provides the PEM-encoded X509 certificate as a string" do
+      expect(subject.pem).to eql pem
+    end
+    it "offers appropriate boolean flags" do
+      expect(subject.hit?).to be_true
+      expect(subject.miss?).to be_false
+      expect(subject.error?).to be_false
+    end
+  end
+end

data/spec/helpers/certmeister_config_helper.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'certmeister/in_memory_store'
+require 'certmeister/policy/noop'
+module CertmeisterConfigHelper
+  def self.valid_config_options
+    ca_cert = File.read('fixtures/ca.crt')
+    ca_key = File.read('fixtures/ca.key')
+    { ca_cert: ca_cert,
+      ca_key: ca_key,
+      store: Certmeister::InMemoryStore.new,
+      sign_policy: Certmeister::Policy::Noop.new,
+      fetch_policy: Certmeister::Policy::Noop.new,
+      remove_policy: Certmeister::Policy::Noop.new }
+  end
+  def self.valid_config
+    Certmeister::Config.new(valid_config_options)
+  end
+end

data/spec/helpers/certmeister_fetching_request_helper.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module CertmeisterFetchingRequestHelper
+  def self.valid_request
+    { cn: 'axl.hetzner.africa',
+      ip: '127.0.0.1',
+      psk: 'secret' }
+  end
+end

data/spec/helpers/certmeister_policy_helper.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# This policy is broken because it violates the rule that an empty request must always be refused.
+module CertmeisterPolicyHelper
+  class BrokenPolicy
+    def authenticate(request)
+      :white_elephant
+    end
+  end
+end

data/spec/helpers/certmeister_removing_request_helper.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module CertmeisterRemovingRequestHelper
+  def self.valid_request
+    { cn: 'axl.hetzner.africa',
+      ip: '127.0.0.1',
+      psk: 'secret' }
+  end
+end

data/spec/helpers/certmeister_signing_request_helper.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module CertmeisterSigningRequestHelper
+  def self.valid_request
+    { cn: 'axl.hetzner.africa',
+      ip: '127.0.0.1',
+      csr: File.read('fixtures/client.csr'),
+      psk: 'secret' }
+  end
+end

data/spec/spec_helper.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end
+$LOAD_PATH.unshift File.dirname(__FILE__)
+$LOAD_PATH.unshift File.join(File.dirname(__FILE__), '..', 'lib')

metadata ADDED Viewed

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification
+name: certmeister
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Sheldon Hearn
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2014-01-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.14'
+description: Certificate authority that can be configured to make decisions about
+  whether to autosign certificate signing requests for clients. This gem provides
+  the protocol-agnostic library, which is expected to be used within something like
+  an HTTP REST service.
+email:
+- sheldonh@starjuice.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .ruby-gemset
+- .ruby-version
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- certmeister.gemspec
+- fixtures/ca.crt
+- fixtures/ca.csr
+- fixtures/ca.key
+- fixtures/client.crt
+- fixtures/client.csr
+- fixtures/client.key
+- lib/certmeister.rb
+- lib/certmeister/base.rb
+- lib/certmeister/config.rb
+- lib/certmeister/in_memory_store.rb
+- lib/certmeister/policy.rb
+- lib/certmeister/policy/blackhole.rb
+- lib/certmeister/policy/chain_all.rb
+- lib/certmeister/policy/domain.rb
+- lib/certmeister/policy/existing.rb
+- lib/certmeister/policy/fcrdns.rb
+- lib/certmeister/policy/noop.rb
+- lib/certmeister/policy/psk.rb
+- lib/certmeister/policy/response.rb
+- lib/certmeister/response.rb
+- lib/certmeister/store_error.rb
+- lib/certmeister/test/memory_store_interface.rb
+- lib/certmeister/version.rb
+- signit.rb
+- spec/certmeister/base_spec.rb
+- spec/certmeister/config_spec.rb
+- spec/certmeister/in_memory_store_spec.rb
+- spec/certmeister/policy/blackhole_spec.rb
+- spec/certmeister/policy/chain_all_spec.rb
+- spec/certmeister/policy/domain_spec.rb
+- spec/certmeister/policy/existing_spec.rb
+- spec/certmeister/policy/fcrdns_spec.rb
+- spec/certmeister/policy/noop_spec.rb
+- spec/certmeister/policy/psk_spec.rb
+- spec/certmeister/policy/response_spec.rb
+- spec/certmeister/response_spec.rb
+- spec/helpers/certmeister_config_helper.rb
+- spec/helpers/certmeister_fetching_request_helper.rb
+- spec/helpers/certmeister_policy_helper.rb
+- spec/helpers/certmeister_removing_request_helper.rb
+- spec/helpers/certmeister_signing_request_helper.rb
+- spec/spec_helper.rb
+homepage: https://github.com/sheldonh/certmeister
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.2.1
+signing_key:
+specification_version: 4
+summary: Conditionally autosigning certificate authority.
+test_files:
+- spec/certmeister/base_spec.rb
+- spec/certmeister/config_spec.rb
+- spec/certmeister/in_memory_store_spec.rb
+- spec/certmeister/policy/blackhole_spec.rb
+- spec/certmeister/policy/chain_all_spec.rb
+- spec/certmeister/policy/domain_spec.rb
+- spec/certmeister/policy/existing_spec.rb
+- spec/certmeister/policy/fcrdns_spec.rb
+- spec/certmeister/policy/noop_spec.rb
+- spec/certmeister/policy/psk_spec.rb
+- spec/certmeister/policy/response_spec.rb
+- spec/certmeister/response_spec.rb
+- spec/helpers/certmeister_config_helper.rb
+- spec/helpers/certmeister_fetching_request_helper.rb
+- spec/helpers/certmeister_policy_helper.rb
+- spec/helpers/certmeister_removing_request_helper.rb
+- spec/helpers/certmeister_signing_request_helper.rb
+- spec/spec_helper.rb