smart_proxy_vault 0.2.0

data/README.md

@@ -0,0 +1,152 @@
+[![Build Status](https://img.shields.io/travis/visioncritical/smart_proxy_vault/master.svg)](https://travis-ci.org/visioncritical/smart_proxy_vault)
+[![Code Quality](https://img.shields.io/codeclimate/github/visioncritical/smart_proxy_vault.svg)](https://codeclimate.com/github/visioncritical/smart_proxy_vault)
+[![Code Climate](https://img.shields.io/codeclimate/coverage/github/visioncritical/smart_proxy_vault.svg)](https://codeclimate.com/github/visioncritical/smart_proxy_vault/coverage)
+[![Gem](https://img.shields.io/gem/v/smart_proxy_vault.svg)](https://rubygems.org/gems/smart_proxy_vault/versions)
+[![GitHub license](https://img.shields.io/badge/license-GPLv3-blue.svg)](./LICENSE)
+
+
+# Smart Proxy - Vault Plugin
+
+A Smart Proxy plugin will return a Vault token after authenticating a client.
+
+## Design
+
+The authentication portion of this plugin has been designed to be modular. Below is a current list of clients this plugin knows how to authenticate:
+
+* Chef
+
+If you're unable to use one of the above to authenticate your clients, you can always write your own & submit a PR (see [DEVELOPMENT.md](documentation/DEVELOPMENT.md)).
+
+## Installation
+
+Add this line to your Smart Proxy bundler.d/vault.rb gemfile:
+
+```ruby
+gem 'smart_proxy_vault'
+```
+
+And then execute:
+
+```bash
+bundle install
+```
+
+## Settings
+
+Example:
+
+```yaml
+---
+:enabled: true
+:auth_backend: 'chef'
+:vault:
+  :address: "https://vault.example.com"
+  :token: "UUID"
+  :ssl_verify: true
+:add_token_metadata: true
+:token_options:
+  :policies: ['policyname']
+  :ttl: '72h'
+:chef:
+  :endpoint: 'https://chef.example.com'
+  :client: 'user'
+  :key: '/path/to/client.pem'
+  :ssl_verify: true
+```
+
+#### General
+
+#####:enabled:
+
+Toggles whether or not this plugin is enabled for Smart Proxy.
+
+#####:auth_backend:
+
+Specifies what authentication module you would like to use to authenticate your clients (must correspond to a filename in [lib/smart_proxy_vault/authentication/](lib/smart_proxy_vault/authentication/))
+
+#####:vault:
+
+A hash of Vault settings that are used to configure a connection to the Vault server (determined by the [Vault](https://github.com/hashicorp/vault-ruby) gem).
+
+```yaml
+# https://github.com/hashicorp/vault-ruby/blob/master/lib/vault/configurable.rb
+:vault:
+  :address:
+  :token:
+  :open_timeout:
+  :proxy_address:
+  :proxy_password:
+  :proxy_port:
+  :proxy_username:
+  :read_timeout:
+  :ssl_ciphers:
+  :ssl_pem_file:
+  :ssl_pem_passphrase:
+  :ssl_ca_cert:
+  :ssl_ca_path:
+  :ssl_verify:
+  :ssl_timeout:
+  :timeout:
+```
+
+#####:add_token_metadata:
+
+If set to true, this plugin will add the requesting client's ID (as determined by the auth_backend) in the metadata & display-name fields when requesting a token.
+
+#####:token_options:
+
+A hash of parameters that will be passed to the token creation call ([/auth/token/create](https://www.vaultproject.io/docs/auth/token.html)).
+
+#### Chef Backend
+
+Only to be specified when the `:auth_backend:` is `chef`. Refer to the [Chef backend](documentation/CHEF.md) documentation for more information.
+
+#####:chef:
+
+A hash of settings that are used to configure a connection to the Chef server (used by the [Chef API](https://github.com/sethvargo/chef-api) gem).
+
+```yaml
+# https://github.com/sethvargo/chef-api/blob/master/lib/chef-api/configurable.rb
+:chef:
+  :endpoint:
+  :flavor:
+  :client:
+  :key:
+  :proxy_address:
+  :proxy_password:
+  :proxy_port:
+  :proxy_username:
+  :ssl_pem_file:
+  :ssl_verify:
+  :user_agent:
+```
+
+## Usage
+
+To configure this plugin you can use template from [settings.d/vault.yml.example](settings.d/vault.yml.example). You must place the vault.yml config file in your Smart Proxy's `config/settings.d/` directory.
+
+### Endpoints
+
+#### `/vault/token/issue`
+
+##### Parameters
+
+`ttl=X[d,h,m,s]`
+
+Overrides the token TTL specified in the [`:token_options:`](#token_options) section. This value must be **lower** than the default TTL.
+
+Example:
+
+`/vault/token/issue?ttl=60s`
+
+### Caveats
+
+In order to use this plugin effectively, the Ruby installation on your Smart Proxy server should be version 2.0.0 or higher, and be compiled against a version of OpenSSL that supports TLS (=>1.0.1). I recommend using [RVM](https://rvm.io/) & [Passenger](https://www.phusionpassenger.com) to run your Smart Proxy server.
+
+```
+$ irb
+2.2.1 :001 > require 'openssl'
+ => true
+2.2.1 :002 > OpenSSL::OPENSSL_VERSION
+ => "OpenSSL 1.0.1e 11 Feb 2013"
+ ```

data/bundler.d/vault.rb

@@ -0,0 +1 @@
+gem 'smart_proxy_vault'

data/lib/smart_proxy_vault/authentication/chef.rb

@@ -0,0 +1,54 @@
+require 'chef-api'
+
+module VaultPlugin
+  module Authentication
+    module Chef
+      def vault_client
+        request.env['HTTP_X_VAULT_CLIENT']
+      end
+
+      def signature
+        request.env['HTTP_X_VAULT_SIGNATURE'] || request.env['HTTP_X_VAULT_SIGNATURE'].chomp
+      end
+
+      def authorized?
+        logger.info('Starting Chef client authentication for smart_proxy_vault')
+        request.env.each do |key,value|
+          logger.debug("header #{key}: #{value}")
+        end if logger.level == 0
+
+        if vault_client.nil? || signature.nil?
+          log_halt 401, "Failed to authenticate Chef client - #{vault_client}. Missing headers."
+        end
+
+        unless authenticate
+          log_halt 401, "Failed to authenticate Chef client - #{vault_client}. Verification failed."
+        end
+        logger.info("Successfully authenticated Chef client - #{vault_client}")
+      end
+
+      def chefapi
+        chefapi_settings = ::VaultPlugin::Plugin.settings.chef
+        connection = ::ChefAPI::Connection.new(chefapi_settings)
+        connection.ssl_verify = chefapi_settings[:ssl_verify] || false
+        connection
+      end
+
+      def authenticate
+        begin
+          node = chefapi.clients.fetch vault_client
+        rescue StandardError => e
+          log_halt 401, 'Failed to authenticate to the Chef server: ' + e.message
+        end
+        log_halt(401, "Could not find Chef client - #{vault_client}") if node.nil?
+
+        rsa = OpenSSL::PKey::RSA.new node.public_key
+        decoded_signature = Base64.decode64(signature)
+        # The body should contain the public key of the node
+        body = Digest::MD5.hexdigest rsa.public_key.to_s
+
+        rsa.verify(OpenSSL::Digest::SHA512.new, decoded_signature, body)
+      end
+    end
+  end
+end

data/lib/smart_proxy_vault/authentication.rb

@@ -0,0 +1,33 @@
+require_relative 'authentication/chef'
+
+module VaultPlugin
+  module Authentication
+    def auth_backend
+      ::VaultPlugin::Plugin.settings.auth_backend.to_sym
+    end
+
+    def auth_module
+      Object.const_get('::VaultPlugin::Authentication::' + auth_backend.capitalize.to_s)
+    end
+
+    # Creates convenient accessor methods for all keys underneath auth_backend
+    def create_setting_accessors
+      ::VaultPlugin::Plugin.settings[auth_backend].each do |key,value|
+        define_singleton_method(key.to_sym) { value }
+      end
+    end
+
+    def authorized?
+      create_setting_accessors
+      extend auth_module
+      authorized?
+    end
+
+    # Returns the human-readable identity for the requesting client
+    # Optionally used in a token's metadata & display-name
+    def client
+      extend auth_module
+      client
+    end
+  end
+end

data/lib/smart_proxy_vault/helpers.rb

@@ -0,0 +1,31 @@
+module VaultPlugin
+  module Helpers
+    def settings_ttl
+      ::VaultPlugin::Plugin.settings.token_options[:ttl]
+    end
+
+    def to_seconds(string)
+      case string.slice(-1)
+      when 'd'
+        string.tr('d', '').to_i * 30 * 24
+      when 'h'
+        string.tr('h', '').to_i * 3600
+      when 'm'
+        string.tr('m', '').to_i * 60
+      when 's'
+        string.tr('s', '').to_i
+      else
+        log_halt 400, "Invalid TTL - #{string}. Must end with 'd', 'h', 'm' or 's'."
+      end
+    end
+
+    # Only allow clients to specify a TTL that is shorter than the default
+    def valid_ttl?(ttl)
+      return true if ttl.nil? || settings_ttl.nil?
+      unless (to_seconds(settings_ttl) >= to_seconds(ttl))
+        log_halt 400, "Invalid TTL - #{ttl}. Must be shorter or equal to #{settings_ttl}."
+      end
+      true
+    end
+  end
+end

data/lib/smart_proxy_vault/https_config.ru

@@ -0,0 +1,3 @@
+map '/vault' do
+  run VaultPlugin::VaultAPI
+end

data/lib/smart_proxy_vault/vault.rb

@@ -0,0 +1,14 @@
+module VaultPlugin
+  class Plugin < ::Proxy::Plugin
+    plugin 'vault', VaultPlugin::VERSION
+
+    settings_file 'vault.yml'
+    default_settings auth_backend: 'chef',
+                     vault: {},
+                     add_token_metadata: false,
+                     token_options: {},
+                     chef: {}
+
+    https_rackup_path File.expand_path('https_config.ru', File.expand_path('../', __FILE__))
+  end
+end

data/lib/smart_proxy_vault/vault_api.rb

@@ -0,0 +1,20 @@
+module VaultPlugin
+  class VaultAPI < ::Sinatra::Base
+    include ::Proxy::Log
+    include ::VaultPlugin::Authentication
+    include ::VaultPlugin::VaultBackend
+    helpers ::Proxy::Helpers, ::VaultPlugin::Helpers
+
+    ::Sinatra::Base.register Authentication
+
+    before do
+      content_type :json
+      authorized?
+    end
+
+    get '/token/issue' do
+      ttl = params[:ttl]
+      issue(ttl) if valid_ttl? ttl
+    end
+  end
+end

data/lib/smart_proxy_vault/vault_backend.rb

@@ -0,0 +1,43 @@
+module VaultPlugin
+  module VaultBackend
+    class API
+      attr_reader :connection
+
+      def initialize(child, ttl)
+        vault_settings = ::VaultPlugin::Plugin.settings.vault
+        @connection = ::Vault::Client.new(vault_settings)
+        @child = child
+        @ttl = ttl
+        @token_options = token_options
+      end
+
+      def issue_token
+        @connection.auth_token.create(@token_options).auth.client_token
+      end
+
+      private
+      def metadata
+        if ::VaultPlugin::Plugin.settings.add_token_metadata == true
+          return { meta: { client: @child, smartproxy_generated: true },
+                   display_name: @child }
+        end
+        {}
+      end
+
+      def token_options
+        options = metadata.merge ::VaultPlugin::Plugin.settings[:token_options]
+        options[:ttl] = @ttl unless @ttl.nil?
+        options
+      end
+    end
+
+    def issue(ttl)
+      begin
+        vault = API.new client, ttl
+        vault.issue_token
+      rescue StandardError => e
+        log_halt 500, 'Failed to generate Vault token ' + e.message
+      end
+    end
+  end
+end

data/lib/smart_proxy_vault/version.rb

@@ -0,0 +1,3 @@
+module VaultPlugin
+  VERSION = '0.2.0'
+end

data/lib/smart_proxy_vault.rb

@@ -0,0 +1,11 @@
+require 'sinatra/base'
+require 'vault'
+require 'base64'
+require 'openssl'
+
+require 'smart_proxy_vault/authentication'
+require 'smart_proxy_vault/helpers'
+require 'smart_proxy_vault/vault_backend'
+require 'smart_proxy_vault/vault_api'
+require 'smart_proxy_vault/version'
+require 'smart_proxy_vault/vault'

data/settings.d/vault.yml.example

@@ -0,0 +1,16 @@
+---
+:enabled: true
+:auth_backend: 'chef'
+:vault:
+  :address: "https://vault.example.com"
+  :token: "UUID"
+  :ssl_verify: true
+:add_token_metadata: true
+:token_options:
+  :policies: ['policyname']
+  :ttl: '72h'
+:chef:
+  :endpoint: 'https://chef.example.com'
+  :client: 'user'
+  :key: '/path/to/client.pem'
+  :ssl_verify: true

data/test/authentication_chef_test.rb

@@ -0,0 +1,102 @@
+require 'test_helper'
+require 'smart_proxy_vault'
+
+class AuthenticationChefTest < Test::Unit::TestCase
+  include Rack::Test::Methods
+
+  ###
+  # Classes
+  ###
+
+  class Mock
+    include VaultPlugin::Authentication::Chef
+
+    def logger
+      @logger ||= Logger.new(StringIO.new)
+      @logger.level = Logger::INFO
+      @logger
+    end
+
+    def log_halt(*args)
+      throw :halt
+    end
+  end
+
+  ###
+  # Helper Methods
+  ###
+
+  def sign_request(key_path)
+    rsa = OpenSSL::PKey::RSA.new File.read key_path
+    body = Digest::MD5.hexdigest rsa.public_key.to_s
+    Base64.strict_encode64(rsa.sign(OpenSSL::Digest::SHA512.new, body))
+  end
+
+  def stub_client(client, signature)
+    stub.proxy(AuthenticationChefTest::Mock).new do |obj|
+      stub(obj).vault_client { client }
+      stub(obj).signature { signature }
+    end
+  end
+
+  def stub_response(client, public_key, status=200)
+    response = %({"name": "#{client}", "admin": false, "public_key": "#{public_key.gsub("\n","\\n")}", "private_key": false, "validator": false})
+    stub_request(:get, "https://chef.example.com/clients/#{client}").to_return(:status => status, :body => response.to_s, :headers => {'content-type' => 'application/json'} )
+  end
+
+  ###
+  # Test Methods
+  ###
+
+  def setup
+    stub.proxy(::VaultPlugin::Plugin.settings).chef {{
+      :endpoint => 'https://chef.example.com',
+      :client => 'fry',
+      :key => 'test/fixtures/authentication/chef/fry.pem',
+      :ssl_verify => true
+    }}
+
+    @fry_client = FactoryGirl.create(:rsa, file: 'test/fixtures/authentication/chef/fry.pem' )
+    @fry_client_path = 'test/fixtures/authentication/chef/fry.pem'
+    @bender_client = FactoryGirl.create(:rsa, file: 'test/fixtures/authentication/chef/bender.pem' )
+    @bender_client_path = 'test/fixtures/authentication/chef/bender.pem'
+
+    @fry_signature = sign_request @fry_client_path
+    @bender_signature = sign_request @bender_client_path
+  end
+
+  def test_signature_verification_match
+    stub_client 'fry', @fry_signature
+    stub_response 'fry', @fry_client.public_key.to_s
+    chefauth = Mock.new
+    assert_nothing_thrown do
+      assert chefauth.authorized?, 'Encoding & Decoding a message with the same key should pass verification'
+    end
+  end
+
+  def test_signature_verification_mismatch
+    stub_client 'bender', @bender_signature
+    stub_response 'bender', @fry_client.public_key.to_s
+    chefauth = Mock.new
+    assert_throws :halt do
+      refute chefauth.authorized?, 'Encoding & Decoding a message with the different key should fail verification'
+    end
+  end
+
+  def test_header_requirement
+    stub_client(nil, nil)
+    chefauth = Mock.new
+    assert_throws :halt do
+      refute chefauth.authorized?, 'A request without headers should fail'
+    end
+  end
+
+  def test_client_not_found
+    stub_client('zoidberg', @bender_signature)
+    stub_response('zoidberg', @bender_signature, 404)
+    chefauth = Mock.new
+    assert_throws :halt do
+      refute chefauth.authorized?, %(It should fail when a client can't be found on the Chef server)
+    end
+  end
+end