RubyGems - certmeister - Versions diffs - 0.0.1 - Mend

certmeister 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

checksums.yaml +7 -0
data/.gitignore +20 -0
data/.rspec +2 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/Gemfile +4 -0
data/Gemfile.lock +27 -0
data/LICENSE +20 -0
data/README.md +32 -0
data/Rakefile +6 -0
data/certmeister.gemspec +26 -0
data/fixtures/ca.crt +15 -0
data/fixtures/ca.csr +12 -0
data/fixtures/ca.key +15 -0
data/fixtures/client.crt +15 -0
data/fixtures/client.csr +12 -0
data/fixtures/client.key +15 -0
data/lib/certmeister.rb +14 -0
data/lib/certmeister/base.rb +92 -0
data/lib/certmeister/config.rb +129 -0
data/lib/certmeister/in_memory_store.rb +43 -0
data/lib/certmeister/policy.rb +21 -0
data/lib/certmeister/policy/blackhole.rb +15 -0
data/lib/certmeister/policy/chain_all.rb +36 -0
data/lib/certmeister/policy/domain.rb +37 -0
data/lib/certmeister/policy/existing.rb +32 -0
data/lib/certmeister/policy/fcrdns.rb +40 -0
data/lib/certmeister/policy/noop.rb +15 -0
data/lib/certmeister/policy/psk.rb +37 -0
data/lib/certmeister/policy/response.rb +24 -0
data/lib/certmeister/response.rb +47 -0
data/lib/certmeister/store_error.rb +6 -0
data/lib/certmeister/test/memory_store_interface.rb +54 -0
data/lib/certmeister/version.rb +5 -0
data/signit.rb +39 -0
data/spec/certmeister/base_spec.rb +205 -0
data/spec/certmeister/config_spec.rb +170 -0
data/spec/certmeister/in_memory_store_spec.rb +40 -0
data/spec/certmeister/policy/blackhole_spec.rb +19 -0
data/spec/certmeister/policy/chain_all_spec.rb +40 -0
data/spec/certmeister/policy/domain_spec.rb +38 -0
data/spec/certmeister/policy/existing_spec.rb +39 -0
data/spec/certmeister/policy/fcrdns_spec.rb +45 -0
data/spec/certmeister/policy/noop_spec.rb +17 -0
data/spec/certmeister/policy/psk_spec.rb +38 -0
data/spec/certmeister/policy/response_spec.rb +35 -0
data/spec/certmeister/response_spec.rb +73 -0
data/spec/helpers/certmeister_config_helper.rb +21 -0
data/spec/helpers/certmeister_fetching_request_helper.rb +9 -0
data/spec/helpers/certmeister_policy_helper.rb +14 -0
data/spec/helpers/certmeister_removing_request_helper.rb +9 -0
data/spec/helpers/certmeister_signing_request_helper.rb +10 -0
data/spec/spec_helper.rb +20 -0
metadata +159 -0

data/spec/certmeister/policy/domain_spec.rb ADDED Viewed

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'certmeister/policy/domain'
+describe Certmeister::Policy::Domain do
+  subject { Certmeister::Policy::Domain.new(['hetzner.africa']) }
+  it "must be configured with a list of domains" do
+    expected_error = "enumerable collection of domains required"
+    expect { Certmeister::Policy::Domain.new }.to raise_error(ArgumentError)
+    expect { Certmeister::Policy::Domain.new('example.com') }.to raise_error(ArgumentError, expected_error)
+    expect { Certmeister::Policy::Domain.new([]) }.to raise_error(ArgumentError, expected_error)
+  end
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  it "refuses to authenticate a request with a missing cn" do
+    response = subject.authenticate({anything: 'something'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "missing cn"
+  end
+  it "refuses to authenticate a request with a cn in an unknown domain" do
+    response = subject.authenticate({anything: 'something', cn: 'axl.starjuice.net'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "cn in unknown domain"
+  end
+  it "authenticates any request with a cn in a known domain" do
+    response = subject.authenticate({anything: 'something', cn: 'axl.hetzner.africa'})
+    expect(response).to be_authenticated
+  end
+end

data/spec/certmeister/policy/existing_spec.rb ADDED Viewed

@@ -0,0 +1,39 @@
+require 'spec_helper'
+require 'certmeister/policy/existing'
+require 'certmeister/in_memory_store'
+describe Certmeister::Policy::Existing do
+  subject { Certmeister::Policy::Existing.new(Certmeister::InMemoryStore.new) }
+  it "must be configured with access to the store" do
+    expect { subject.class.new }.to raise_error(ArgumentError)
+    expect { subject.class.new(Object.new) }.to raise_error(ArgumentError)
+    expect { subject }.to_not raise_error
+  end
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  context "when the store contains a cert for axl.hetzner.africa" do
+    subject { Certmeister::Policy::Existing.new(Certmeister::InMemoryStore.new({"axl.hetzner.africa" => "...cert..."})) }
+    it "refuses to authenticate a request for axl.hetzner.africa" do
+      response = subject.authenticate(cn: 'axl.hetzner.africa')
+      expect(response).to_not be_authenticated
+      expect(response.error).to match /exists/
+    end
+    it "authenticates requests for other common names" do
+      response = subject.authenticate(cn: 'bob.example.com')
+      expect(response).to be_authenticated
+    end
+  end
+end

data/spec/certmeister/policy/fcrdns_spec.rb ADDED Viewed

@@ -0,0 +1,45 @@
+require 'spec_helper'
+require 'certmeister/policy/fcrdns'
+describe Certmeister::Policy::Fcrdns do
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  it "refuses to authenticate a request with a missing cn" do
+    response = subject.authenticate({ip: '127.0.0.1'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "missing cn"
+  end
+  it "refuses to authenticate a request with a missing ip" do
+    response = subject.authenticate({cn: 'localhost'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "missing ip"
+  end
+  it "refuses to authenticate a request with an ip that does not have fcrdns that matches the cn" do
+    response = subject.authenticate({cn: 'bad.example.com', ip: '127.0.0.1'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "cn in unknown domain"
+  end
+  it "authenticates any request with an ip that does not have fcrdns that matches the cn" do
+    response = subject.authenticate({cn: 'localhost', ip: '127.0.0.1'})
+    expect(response).to be_authenticated
+  end
+  describe "error handling" do
+    it "refuses to authenticate a request when a DNS failure occurs" do
+      Resolv::DNS.any_instance.stub(:getnames).with('nonsense').and_raise(Resolv::ResolvError.new("cannot interpret as address: nonsense"))
+      response = subject.authenticate({cn: 'localhost', ip: 'nonsense'})
+      expect(response).to_not be_authenticated
+      expect(response.error).to eql "DNS error (cannot interpret as address: nonsense)"
+    end
+  end
+end

data/spec/certmeister/policy/noop_spec.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require 'spec_helper'
+require 'certmeister/policy/noop'
+describe Certmeister::Policy::Noop do
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  it "authenticates any non-empty request" do
+    response = subject.authenticate(anything: 'something')
+    expect(response).to be_authenticated
+    expect(response.error).to be_nil
+  end
+end

data/spec/certmeister/policy/psk_spec.rb ADDED Viewed

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'certmeister/policy/psk'
+describe Certmeister::Policy::Psk do
+  subject { Certmeister::Policy::Psk.new(['secret']) }
+  it "must be configured with a list of psks" do
+    expected_error = "enumerable collection of psks required"
+    expect { Certmeister::Policy::Psk.new }.to raise_error(ArgumentError)
+    expect { Certmeister::Policy::Psk.new('secret') }.to raise_error(ArgumentError, expected_error)
+    expect { Certmeister::Policy::Psk.new([]) }.to raise_error(ArgumentError, expected_error)
+  end
+  it "demands a request" do
+    expect { subject.authenticate }.to raise_error(ArgumentError)
+  end
+  it "refuses to authenticate a request with a missing psk" do
+    response = subject.authenticate({anything: 'something'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "missing psk"
+  end
+  it "refuses to authenticate a request with an unknown psk" do
+    response = subject.authenticate({anything: 'something', psk: 'wrong'})
+    expect(response).to_not be_authenticated
+    expect(response.error).to eql "unknown psk"
+  end
+  it "authenticates any request with a known psk" do
+    response = subject.authenticate({anything: 'something', psk: 'secret'})
+    expect(response).to be_authenticated
+  end
+end

data/spec/certmeister/policy/response_spec.rb ADDED Viewed

@@ -0,0 +1,35 @@
+require 'spec_helper'
+require 'certmeister/policy/response'
+describe Certmeister::Policy::Response do
+  describe "on error" do
+    it "is not authenticated" do
+      response = Certmeister::Policy::Response.new(nil, "you smell wrong")
+      expect(response).to_not be_authenticated
+    end
+    it "provides the error" do
+      response = Certmeister::Policy::Response.new(nil, "you smell wrong")
+      expect(response.error).to eql "you smell wrong"
+    end
+  end
+  describe "on success" do
+    it "is authenticated" do
+      response = Certmeister::Policy::Response.new(true, nil)
+      expect(response).to be_authenticated
+    end
+    it "provides no error" do
+      response = Certmeister::Policy::Response.new(true, nil)
+      expect(response.error).to be_nil
+    end
+  end
+end

data/spec/certmeister/response_spec.rb ADDED Viewed

@@ -0,0 +1,73 @@
+require 'spec_helper'
+require 'certmeister/response'
+describe Certmeister::Response do
+  let(:pem) { File.read('fixtures/client.crt') }
+  it "cannot be created with pem and error" do
+    expect { Certmeister::Response.new(pem, "silly") }.to raise_error(ArgumentError)
+  end
+  describe "on error" do
+    subject { Certmeister::Response.new(nil, "something went wrong") }
+    it "provides the error" do
+      expect(subject.error).to eql "something went wrong"
+    end
+    it "doesn't provide the PEM-encoded X509 certificate as a string" do
+      expect(subject.pem).to be_nil
+    end
+    it "offers appropriate boolean flags" do
+      expect(subject.hit?).to be_false
+      expect(subject.miss?).to be_false
+      expect(subject.error?).to be_true
+    end
+  end
+  describe "on miss (i.e. not found)" do
+    subject { Certmeister::Response.new(nil, nil) }
+    it "has no error" do
+      expect(subject.error).to be_nil
+    end
+    it "doesn't provide the PEM-encoded X509 certificate as a string" do
+      expect(subject.pem).to be_nil
+    end
+    it "offers appropriate boolean flags" do
+      expect(subject.hit?).to be_false
+      expect(subject.miss?).to be_true
+      expect(subject.error?).to be_false
+    end
+  end
+  describe "on hit (success)" do
+    subject { Certmeister::Response.new(pem, nil) }
+    it "has no error" do
+      expect(subject.error).to be_nil
+    end
+    it "provides the PEM-encoded X509 certificate as a string" do
+      expect(subject.pem).to eql pem
+    end
+    it "offers appropriate boolean flags" do
+      expect(subject.hit?).to be_true
+      expect(subject.miss?).to be_false
+      expect(subject.error?).to be_false
+    end
+  end
+end

data/spec/helpers/certmeister_config_helper.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'certmeister/in_memory_store'
+require 'certmeister/policy/noop'
+module CertmeisterConfigHelper
+  def self.valid_config_options
+    ca_cert = File.read('fixtures/ca.crt')
+    ca_key = File.read('fixtures/ca.key')
+    { ca_cert: ca_cert,
+      ca_key: ca_key,
+      store: Certmeister::InMemoryStore.new,
+      sign_policy: Certmeister::Policy::Noop.new,
+      fetch_policy: Certmeister::Policy::Noop.new,
+      remove_policy: Certmeister::Policy::Noop.new }
+  end
+  def self.valid_config
+    Certmeister::Config.new(valid_config_options)
+  end
+end

data/spec/helpers/certmeister_fetching_request_helper.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module CertmeisterFetchingRequestHelper
+  def self.valid_request
+    { cn: 'axl.hetzner.africa',
+      ip: '127.0.0.1',
+      psk: 'secret' }
+  end
+end

data/spec/helpers/certmeister_policy_helper.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# This policy is broken because it violates the rule that an empty request must always be refused.
+module CertmeisterPolicyHelper
+  class BrokenPolicy
+    def authenticate(request)
+      :white_elephant
+    end
+  end
+end

data/spec/helpers/certmeister_removing_request_helper.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module CertmeisterRemovingRequestHelper
+  def self.valid_request
+    { cn: 'axl.hetzner.africa',
+      ip: '127.0.0.1',
+      psk: 'secret' }
+  end
+end

data/spec/helpers/certmeister_signing_request_helper.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module CertmeisterSigningRequestHelper
+  def self.valid_request
+    { cn: 'axl.hetzner.africa',
+      ip: '127.0.0.1',
+      csr: File.read('fixtures/client.csr'),
+      psk: 'secret' }
+  end
+end

data/spec/spec_helper.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end
+$LOAD_PATH.unshift File.dirname(__FILE__)
+$LOAD_PATH.unshift File.join(File.dirname(__FILE__), '..', 'lib')

metadata ADDED Viewed

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification
+name: certmeister
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Sheldon Hearn
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2014-01-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.14'
+description: Certificate authority that can be configured to make decisions about
+  whether to autosign certificate signing requests for clients. This gem provides
+  the protocol-agnostic library, which is expected to be used within something like
+  an HTTP REST service.
+email:
+- sheldonh@starjuice.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .ruby-gemset
+- .ruby-version
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- certmeister.gemspec
+- fixtures/ca.crt
+- fixtures/ca.csr
+- fixtures/ca.key
+- fixtures/client.crt
+- fixtures/client.csr
+- fixtures/client.key
+- lib/certmeister.rb
+- lib/certmeister/base.rb
+- lib/certmeister/config.rb
+- lib/certmeister/in_memory_store.rb
+- lib/certmeister/policy.rb
+- lib/certmeister/policy/blackhole.rb
+- lib/certmeister/policy/chain_all.rb
+- lib/certmeister/policy/domain.rb
+- lib/certmeister/policy/existing.rb
+- lib/certmeister/policy/fcrdns.rb
+- lib/certmeister/policy/noop.rb
+- lib/certmeister/policy/psk.rb
+- lib/certmeister/policy/response.rb
+- lib/certmeister/response.rb
+- lib/certmeister/store_error.rb
+- lib/certmeister/test/memory_store_interface.rb
+- lib/certmeister/version.rb
+- signit.rb
+- spec/certmeister/base_spec.rb
+- spec/certmeister/config_spec.rb
+- spec/certmeister/in_memory_store_spec.rb
+- spec/certmeister/policy/blackhole_spec.rb
+- spec/certmeister/policy/chain_all_spec.rb
+- spec/certmeister/policy/domain_spec.rb
+- spec/certmeister/policy/existing_spec.rb
+- spec/certmeister/policy/fcrdns_spec.rb
+- spec/certmeister/policy/noop_spec.rb
+- spec/certmeister/policy/psk_spec.rb
+- spec/certmeister/policy/response_spec.rb
+- spec/certmeister/response_spec.rb
+- spec/helpers/certmeister_config_helper.rb
+- spec/helpers/certmeister_fetching_request_helper.rb
+- spec/helpers/certmeister_policy_helper.rb
+- spec/helpers/certmeister_removing_request_helper.rb
+- spec/helpers/certmeister_signing_request_helper.rb
+- spec/spec_helper.rb
+homepage: https://github.com/sheldonh/certmeister
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.2.1
+signing_key:
+specification_version: 4
+summary: Conditionally autosigning certificate authority.
+test_files:
+- spec/certmeister/base_spec.rb
+- spec/certmeister/config_spec.rb
+- spec/certmeister/in_memory_store_spec.rb
+- spec/certmeister/policy/blackhole_spec.rb
+- spec/certmeister/policy/chain_all_spec.rb
+- spec/certmeister/policy/domain_spec.rb
+- spec/certmeister/policy/existing_spec.rb
+- spec/certmeister/policy/fcrdns_spec.rb
+- spec/certmeister/policy/noop_spec.rb
+- spec/certmeister/policy/psk_spec.rb
+- spec/certmeister/policy/response_spec.rb
+- spec/certmeister/response_spec.rb
+- spec/helpers/certmeister_config_helper.rb
+- spec/helpers/certmeister_fetching_request_helper.rb
+- spec/helpers/certmeister_policy_helper.rb
+- spec/helpers/certmeister_removing_request_helper.rb
+- spec/helpers/certmeister_signing_request_helper.rb
+- spec/spec_helper.rb