knowngithub 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1558981157ccbd8a9a6813f322c35ca067144616
+  data.tar.gz: 2f7725e9cf5b14c844d68dab2034587608674ec8
+SHA512:
+  metadata.gz: 7b725ce302e80464a62e7520f2a3a6bb597895bc25d34e37b9c97d21a29a4f8335cfb00dd3c3d77f5745faf07c91f03e4270521b723cfede4633ff6ae1e50e94
+  data.tar.gz: a2ab935cb1cc4c7ca0cb10b22ab60b72264e0abd70c2bd43321c06f5ef9ec4ccda3d07c4513dcb13681e979990e53cc5eddb8414d69185487675616365ad8847

data/.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in knowngithub.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,26 @@
+PATH
+  remote: .
+  specs:
+    knowngithub (0.1.0)
+      net-ssh (~> 4.2)
+      nokogiri (~> 1.8)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    mini_portile2 (2.3.0)
+    net-ssh (4.2.0)
+    nokogiri (1.8.1)
+      mini_portile2 (~> 2.3.0)
+    rake (10.5.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  knowngithub!
+  rake (~> 10.0)
+
+BUNDLED WITH
+   1.16.0

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Alexis Vanier
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,53 @@
+# Knowngithub
+
+> ### _“Some people think this is paranoia, but it isn't. Paranoids only think everyone is out to get them. Wizards know it.”_
+>
+> _— Terry Pratchett, Sourcery_
+
+Have you hit the problem where you're trying to bootstrap new containers or VMs and `git` will refuse to clone stuff because it doesn't automatically trust GitHub?
+
+This gem answers the scenario where you believe that manually burning the `known_hosts` into whatever you're making doesn't scale, and blindly trusting any host to provide you with legitimiate code is insufficient.
+
+While the solution is not elegant, and the implementation is fragile, I'm hoping it proves the following point : a diagonal chain of trust is better than blind trust.
+
+The idea behind this gem is that by calling GitHub's web pages and API through https, the answers will be certified through it's CA and cannot be tampered with unbeknownst to us. Thus, one can call GitHub's SSH endpoint, and verify its key fingerprint is valid against a dynamic trustable source of truth to protect against man-in-the-middle attacks on `git` operations.
+
+This gem will return one or a list of trusted hosts in a format appropriate for `.ssh/known_hosts` files.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'knowngithub'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install knowngithub
+
+## Usage
+
+The main goal of this gem is for use in automation scripts, specifically [Chef](https://www.chef.io/chef/) cookbooks.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Honorable mentions
+
+Huge thanks to [Brent Smith](https://github.com/BrentOnRails) for the scraping and Nokogiri code.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/avanier/knowngithub.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "knowngithub"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/knowngithub.gemspec

@@ -0,0 +1,36 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "knowngithub/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "knowngithub"
+  spec.version       = Knowngithub::VERSION
+  spec.authors       = ["Alexis Vanier"]
+  spec.email         = ["alexis@amonoid.io"]
+
+  spec.summary       = "Don't blindly trust GitHub hosts"
+  spec.description   = spec.summary
+  spec.homepage      = "https://github.com/avanier/knowngithub"
+  spec.license       = "MIT"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata["allowed_push_host"] = 'https://rubygems.org'
+  else
+    raise "RubyGems 2.0 or newer is required to protect against " \
+      "public gem pushes."
+  end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_runtime_dependency "net-ssh", "~> 4.2"
+  spec.add_runtime_dependency "nokogiri", "~> 1.8"
+end

data/lib/knowngithub.rb

@@ -0,0 +1,86 @@
+require 'ipaddr'
+require 'json'
+require 'net/http'
+require 'uri'
+
+require 'net/ssh'
+require 'nokogiri'
+require "knowngithub/version"
+
+module Knowngithub
+  # Make a call enforcing the strict use of SSL.
+  # @param [String] url A full url like `https://help.github.com`
+  # @return [Net::HTTP] Return the full Net::HTTP object of the response.
+  # @since 0.1.0
+  def self.safe_call(url)
+    uri = URI.parse(url)
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+    request = Net::HTTP::Get.new(uri.request_uri)
+
+    http.request(request)
+  end
+
+  # Queries and parses the GitHub help page for the SSH key fingerprints.
+  # @return [Array<String>] SSH key fingerprints as an array of strings.
+  # @since 0.1.0
+  def self.fingerprints
+    pattern = /^(sha256:[a-z0-9\+\/]{43})|([0-9a-f\:]{32,47})$/i
+    res = self.safe_call('https://help.github.com/articles/github-s-ssh-key-fingerprints/')
+    output = Nokogiri::HTML(res.body)
+    fields = output.xpath("//code")
+    return fields.children.map(&:content).select{ |x| pattern =~ x }
+  end
+
+  # Instantiates a Net::SSH session with GitHub to get the host key and closes it.
+  # @return [Net:SSH] Returns a closed Net::SSH session
+  # @since 0.1.0
+  def self.session
+    s = Net::SSH::Transport::Session.new('github.com', { :verify_host_key => true })
+    s.close
+    s
+  end
+
+  # Composes a hash with the properties required for composing a known host entry
+  # @return [Hash] Returns a hash object with all of the needed components to compose a `known_hosts` file
+  # @raise [SecurityError] If the host keys fail validation or if the https call fails, this will be raised.
+  # @since 0.1.0
+  def self.host
+    s = self.session
+    if self.fingerprints.any?{|f| f == s.host_keys.first.fingerprint}
+      base64_key = [Net::SSH::Buffer.from(:key, s.host_keys.first).to_s].pack("m*").gsub(/\s/, "")
+      return {
+        "host_as_string" => s.host_as_string,
+        "ssh_type" => s.host_keys.first.ssh_type,
+        "base64_key" => base64_key
+      }
+    else
+      raise SecurityError # while this is inappropriate, it sounds cool
+    end
+  end
+
+  # Composes a known_hosts entry for the fqdn only
+  # @return [String] Returns a `known_hosts` entry for the fqdn only with no ip address binding as a string.
+  # @since 0.1.0
+  def self.known_host
+    h = self.host
+    return [ h["host_as_string"], h["ssh_type"], h["base64_key"] ].join(' ')
+  end
+
+  # Composes a block of text ready for appending to a known_hosts file
+  # @return [String] Returns a `known_hosts` multiline string enunciating every known IP GitHub may serve SSH on.
+  # @since 0.1.0
+  def self.known_hosts
+    h = self.host
+    cidr_ranges = JSON.parse(self.safe_call('https://api.github.com/meta').body)["git"]
+    known_hosts = []
+    cidr_ranges.each do |range|
+      IPAddr.new(range).to_range.to_a.map { |a| a.to_s }.each do |ip|
+        known_hosts << 'github.com,' + ip + ' ' + h["base64_key"]
+      end
+    end
+    return known_hosts
+  end
+end

data/lib/knowngithub/version.rb

@@ -0,0 +1,3 @@
+module Knowngithub
+  VERSION = "0.1.0"
+end

metadata

@@ -0,0 +1,112 @@
+--- !ruby/object:Gem::Specification
+name: knowngithub
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Alexis Vanier
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-12-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.2'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+description: Don't blindly trust GitHub hosts
+email:
+- alexis@amonoid.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- knowngithub.gemspec
+- lib/knowngithub.rb
+- lib/knowngithub/version.rb
+homepage: https://github.com/avanier/knowngithub
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: Don't blindly trust GitHub hosts
+test_files: []