certmeister 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1a3a1d325b8d922702cdc4b1f6a7188e2c4cb8c0
-  data.tar.gz: 6aa00bbb80a4e13cfa652f664c2e0a56435c14d8
+  metadata.gz: de61dde48c749021eef1047fd719711008770b5d
+  data.tar.gz: b081799709e3b1886ed5aff471f439ad6dad71b3
 SHA512:
-  metadata.gz: 3fae8dfbe3b3a6dc499551b127723ca41eb714d87482b42b88f81bcdff6e89903b8cb6ffde0847136f8b004cef88810c79397e383eac8c11aa9e388e44dfb4db
-  data.tar.gz: c2692563e1c2007e6a0ebee23d30efafd30eb57c09efd929e99b0e3503aba1dc5b95e3d8b437a2ba9cf568ca990fbffad6ec2d0677b39f3ee2420abe466870a9
+  metadata.gz: a1c46e2c35b3051933f4041de9555ed13bfedf04878dae9aec2bfb8b094e58deca68a611237354cf83bb823fefa05418c486da1077572e79777ff1a976305b68
+  data.tar.gz: 2fe9b72e34b032be34177e04574485ced23ce5da5843f3b75c716fd28ad081e8a2b24778f1caf085bf2ddf94f0d2391c1aac7a60db9eb0dcd1a75055b747c010

data/.gitignore

@@ -13,6 +13,7 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+contrib/Gemfile.lock
 
 # YARD artifacts
 .yardoc

data/.semver

@@ -1,6 +1,6 @@
 ---
 :major: 0
 :minor: 3
-:patch: 0
+:patch: 1
 :special: ''
 :metadata: ''

data/Gemfile.lock

@@ -1,13 +1,13 @@
 PATH
   remote: .
   specs:
-    certmeister (0.3.0)
+    certmeister (0.3.1)
       semver2 (~> 3.3)
-    certmeister-rack (0.3.0)
-      certmeister (= 0.3.0)
+    certmeister-rack (0.3.1)
+      certmeister (= 0.3.1)
       rack (~> 1.5)
-    certmeister-redis (0.3.0)
-      certmeister (= 0.3.0)
+    certmeister-redis (0.3.1)
+      certmeister (= 0.3.1)
       redis-sentinel (~> 1.4)
 
 GEM

data/README.md

@@ -15,11 +15,13 @@ The reference access policy in use by Hetzner PTY Ltd is:
 
 This allows us the convenience of Puppet's autosign feature, without the horrendous security implications.
 
-Certmeister is the core of a fancy web service that does this:
+This repository currently builds three gems:
 
-```
-cat request/client.csr | openssl x509 -req -CA CA/ca.crt -CAkey CA/ca.key -CAcreateserial -addtrust clientAuth > CA/signed/<cn>.crt
-```
+* _certmeister_ - the CA, some off-the-shelf policy modules and an in-memory cert store
+* _certmeister-redis_ - a redis-backed store
+* _certmeister-rack_ - a rack application to provide an HTTP interface to the CA
+
+An example, using redis and rack and enforcing Hetzner PTY Ltd's policy, is available in [contrib/config.ru](contrib/config.ru).
 
 To hit the service:
 
@@ -27,7 +29,7 @@ To hit the service:
 $ curl -L \
     -d "psk=secretkey" \
     -d "csr=$(perl -MURI::Escape -e 'print uri_escape(join("", <STDIN>));' < fixtures/client.csr)" \
-    http://certmeister.hetzner.co.za/certificate/axl.starjuice.net
+    http://localhost:9292/ca/certificate/axl.starjuice.net
 ```
 
 ## Testing

data/contrib/config.ru

@@ -6,13 +6,22 @@ require 'certmeister/redis/store'
 require 'certmeister/rack/app'
 require 'redis'
 
-allow = Certmeister::Policy::Noop.new
+store = Certmeister::Redis::Store.new(Redis.new, "development")
+
+sign_policy =
+  Certmeister::Policy::ChainAll.new([
+    Certmeister::Policy::Domain.new(['host-h.net']),
+    Certmeister::Policy::Fcrdns.new,
+    Certmeister::Policy::Existing.new(store),
+  ])
+fetch_policy = Certmeister::Policy::Noop.new
+remove_policy = Certmeister::Policy::IP.new(['127.0.0.0/8'])
 
 ca = Certmeister.new(
   Certmeister::Config.new(
-    sign_policy: allow,
-    fetch_policy: allow,
-    remove_policy: allow,
+    sign_policy: sign_policy,
+    fetch_policy: fetch_policy,
+    remove_policy: remove_policy,
     store: Certmeister::Redis::Store.new(Redis.new, "development"),
     ca_cert: File.read("../fixtures/ca.crt"),
     ca_key: File.read("../fixtures/ca.key"),

data/lib/certmeister/policy/fcrdns.rb

@@ -14,7 +14,7 @@ module Certmeister
           elsif not request[:ip]
             Certmeister::Policy::Response.new(false, "missing ip")
           elsif not fcrdns_names(request[:ip]).include?(request[:cn])
-            Certmeister::Policy::Response.new(false, "cn in unknown domain")
+            Certmeister::Policy::Response.new(false, "cn does not match fcrdns")
           else
             Certmeister::Policy::Response.new(true, nil)
           end

data/spec/certmeister/policy/fcrdns_spec.rb

@@ -23,7 +23,7 @@ describe Certmeister::Policy::Fcrdns do
   it "refuses to authenticate a request with an ip that does not have fcrdns that matches the cn" do
     response = subject.authenticate({cn: 'bad.example.com', ip: '127.0.0.1'})
     expect(response).to_not be_authenticated
-    expect(response.error).to eql "cn in unknown domain"
+    expect(response.error).to eql "cn does not match fcrdns"
   end
 
   it "authenticates any request with an ip that does not have fcrdns that matches the cn" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: certmeister
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Sheldon Hearn
@@ -92,7 +92,6 @@ files:
 - contrib/.ruby-gemset
 - contrib/.ruby-version
 - contrib/Gemfile
-- contrib/Gemfile.lock
 - contrib/config.ru
 - contrib/hosts
 - contrib/redis.yml

data/contrib/Gemfile.lock

@@ -1,26 +0,0 @@
-PATH
-  remote: ..
-  specs:
-    certmeister (0.2.3)
-      semver2 (~> 3.3)
-    certmeister-redis (0.2.3)
-      certmeister (= 0.2.3)
-      redis-sentinel (~> 1.4)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    rack (1.5.2)
-    redis (3.0.7)
-    redis-sentinel (1.4.2)
-      redis
-    semver2 (3.3.3)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  certmeister!
-  certmeister-redis!
-  rack
-  redis