certmeister 0.3.0 → 0.3.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.semver +1 -1
- data/Gemfile.lock +5 -5
- data/README.md +7 -5
- data/contrib/config.ru +13 -4
- data/lib/certmeister/policy/fcrdns.rb +1 -1
- data/spec/certmeister/policy/fcrdns_spec.rb +1 -1
- metadata +1 -2
- data/contrib/Gemfile.lock +0 -26
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: de61dde48c749021eef1047fd719711008770b5d
|
|
4
|
+
data.tar.gz: b081799709e3b1886ed5aff471f439ad6dad71b3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a1c46e2c35b3051933f4041de9555ed13bfedf04878dae9aec2bfb8b094e58deca68a611237354cf83bb823fefa05418c486da1077572e79777ff1a976305b68
|
|
7
|
+
data.tar.gz: 2fe9b72e34b032be34177e04574485ced23ce5da5843f3b75c716fd28ad081e8a2b24778f1caf085bf2ddf94f0d2391c1aac7a60db9eb0dcd1a75055b747c010
|
data/.gitignore
CHANGED
data/.semver
CHANGED
data/Gemfile.lock
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
certmeister (0.3.
|
|
4
|
+
certmeister (0.3.1)
|
|
5
5
|
semver2 (~> 3.3)
|
|
6
|
-
certmeister-rack (0.3.
|
|
7
|
-
certmeister (= 0.3.
|
|
6
|
+
certmeister-rack (0.3.1)
|
|
7
|
+
certmeister (= 0.3.1)
|
|
8
8
|
rack (~> 1.5)
|
|
9
|
-
certmeister-redis (0.3.
|
|
10
|
-
certmeister (= 0.3.
|
|
9
|
+
certmeister-redis (0.3.1)
|
|
10
|
+
certmeister (= 0.3.1)
|
|
11
11
|
redis-sentinel (~> 1.4)
|
|
12
12
|
|
|
13
13
|
GEM
|
data/README.md
CHANGED
|
@@ -15,11 +15,13 @@ The reference access policy in use by Hetzner PTY Ltd is:
|
|
|
15
15
|
|
|
16
16
|
This allows us the convenience of Puppet's autosign feature, without the horrendous security implications.
|
|
17
17
|
|
|
18
|
-
|
|
18
|
+
This repository currently builds three gems:
|
|
19
19
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
20
|
+
* _certmeister_ - the CA, some off-the-shelf policy modules and an in-memory cert store
|
|
21
|
+
* _certmeister-redis_ - a redis-backed store
|
|
22
|
+
* _certmeister-rack_ - a rack application to provide an HTTP interface to the CA
|
|
23
|
+
|
|
24
|
+
An example, using redis and rack and enforcing Hetzner PTY Ltd's policy, is available in [contrib/config.ru](contrib/config.ru).
|
|
23
25
|
|
|
24
26
|
To hit the service:
|
|
25
27
|
|
|
@@ -27,7 +29,7 @@ To hit the service:
|
|
|
27
29
|
$ curl -L \
|
|
28
30
|
-d "psk=secretkey" \
|
|
29
31
|
-d "csr=$(perl -MURI::Escape -e 'print uri_escape(join("", <STDIN>));' < fixtures/client.csr)" \
|
|
30
|
-
http://
|
|
32
|
+
http://localhost:9292/ca/certificate/axl.starjuice.net
|
|
31
33
|
```
|
|
32
34
|
|
|
33
35
|
## Testing
|
data/contrib/config.ru
CHANGED
|
@@ -6,13 +6,22 @@ require 'certmeister/redis/store'
|
|
|
6
6
|
require 'certmeister/rack/app'
|
|
7
7
|
require 'redis'
|
|
8
8
|
|
|
9
|
-
|
|
9
|
+
store = Certmeister::Redis::Store.new(Redis.new, "development")
|
|
10
|
+
|
|
11
|
+
sign_policy =
|
|
12
|
+
Certmeister::Policy::ChainAll.new([
|
|
13
|
+
Certmeister::Policy::Domain.new(['host-h.net']),
|
|
14
|
+
Certmeister::Policy::Fcrdns.new,
|
|
15
|
+
Certmeister::Policy::Existing.new(store),
|
|
16
|
+
])
|
|
17
|
+
fetch_policy = Certmeister::Policy::Noop.new
|
|
18
|
+
remove_policy = Certmeister::Policy::IP.new(['127.0.0.0/8'])
|
|
10
19
|
|
|
11
20
|
ca = Certmeister.new(
|
|
12
21
|
Certmeister::Config.new(
|
|
13
|
-
sign_policy:
|
|
14
|
-
fetch_policy:
|
|
15
|
-
remove_policy:
|
|
22
|
+
sign_policy: sign_policy,
|
|
23
|
+
fetch_policy: fetch_policy,
|
|
24
|
+
remove_policy: remove_policy,
|
|
16
25
|
store: Certmeister::Redis::Store.new(Redis.new, "development"),
|
|
17
26
|
ca_cert: File.read("../fixtures/ca.crt"),
|
|
18
27
|
ca_key: File.read("../fixtures/ca.key"),
|
|
@@ -14,7 +14,7 @@ module Certmeister
|
|
|
14
14
|
elsif not request[:ip]
|
|
15
15
|
Certmeister::Policy::Response.new(false, "missing ip")
|
|
16
16
|
elsif not fcrdns_names(request[:ip]).include?(request[:cn])
|
|
17
|
-
Certmeister::Policy::Response.new(false, "cn
|
|
17
|
+
Certmeister::Policy::Response.new(false, "cn does not match fcrdns")
|
|
18
18
|
else
|
|
19
19
|
Certmeister::Policy::Response.new(true, nil)
|
|
20
20
|
end
|
|
@@ -23,7 +23,7 @@ describe Certmeister::Policy::Fcrdns do
|
|
|
23
23
|
it "refuses to authenticate a request with an ip that does not have fcrdns that matches the cn" do
|
|
24
24
|
response = subject.authenticate({cn: 'bad.example.com', ip: '127.0.0.1'})
|
|
25
25
|
expect(response).to_not be_authenticated
|
|
26
|
-
expect(response.error).to eql "cn
|
|
26
|
+
expect(response.error).to eql "cn does not match fcrdns"
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
it "authenticates any request with an ip that does not have fcrdns that matches the cn" do
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: certmeister
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sheldon Hearn
|
|
@@ -92,7 +92,6 @@ files:
|
|
|
92
92
|
- contrib/.ruby-gemset
|
|
93
93
|
- contrib/.ruby-version
|
|
94
94
|
- contrib/Gemfile
|
|
95
|
-
- contrib/Gemfile.lock
|
|
96
95
|
- contrib/config.ru
|
|
97
96
|
- contrib/hosts
|
|
98
97
|
- contrib/redis.yml
|
data/contrib/Gemfile.lock
DELETED
|
@@ -1,26 +0,0 @@
|
|
|
1
|
-
PATH
|
|
2
|
-
remote: ..
|
|
3
|
-
specs:
|
|
4
|
-
certmeister (0.2.3)
|
|
5
|
-
semver2 (~> 3.3)
|
|
6
|
-
certmeister-redis (0.2.3)
|
|
7
|
-
certmeister (= 0.2.3)
|
|
8
|
-
redis-sentinel (~> 1.4)
|
|
9
|
-
|
|
10
|
-
GEM
|
|
11
|
-
remote: https://rubygems.org/
|
|
12
|
-
specs:
|
|
13
|
-
rack (1.5.2)
|
|
14
|
-
redis (3.0.7)
|
|
15
|
-
redis-sentinel (1.4.2)
|
|
16
|
-
redis
|
|
17
|
-
semver2 (3.3.3)
|
|
18
|
-
|
|
19
|
-
PLATFORMS
|
|
20
|
-
ruby
|
|
21
|
-
|
|
22
|
-
DEPENDENCIES
|
|
23
|
-
certmeister!
|
|
24
|
-
certmeister-redis!
|
|
25
|
-
rack
|
|
26
|
-
redis
|