diff --git a/app/lib/audit_logger.rb b/app/lib/audit_logger.rb
index b048687..84c3442 100644
--- a/app/lib/audit_logger.rb
+++ b/app/lib/audit_logger.rb
@@ -1,6 +1,6 @@
 class AuditLogger < ActiveSupport::Logger
 def initialize
- super(Rails.configuration.astral[:audit_log_file])
+ super(Config[:audit_log_file])
 self.formatter = AuditLogFormatter.new
 end
 end
diff --git a/app/lib/clients/app_registry.rb b/app/lib/clients/app_registry.rb
index 10aa226..23e6b3c 100644
--- a/app/lib/clients/app_registry.rb
+++ b/app/lib/clients/app_registry.rb
@@ -11,8 +11,8 @@ def get_domain_info(fqdn)
 private
 def client
- Faraday.new(ssl: ssl_opts, url: Rails.configuration.astral[:app_registry_addr]) do |faraday|
- faraday.request :authorization, "Bearer", -> { Rails.configuration.astral[:app_registry_token] }
+ Faraday.new(ssl: ssl_opts, url: Config[:app_registry_addr]) do |faraday|
+ faraday.request :authorization, "Bearer", -> { Config[:app_registry_token] }
 faraday.request :retry, retry_opts
 faraday.response :json
 faraday.response :raise_error, include_request: true
@@ -34,9 +34,9 @@ def convert(domain_info)
 def ssl_opts
 {
- ca_file: Rails.configuration.astral[:app_registry_ca_file],
- client_cert: Rails.configuration.astral[:app_registry_client_cert],
- client_key: Rails.configuration.astral[:app_registry_client_key]
+ ca_file: Config[:app_registry_ca_file],
+ client_cert: Config[:app_registry_client_cert],
+ client_key: Config[:app_registry_client_key]
 }
 end
diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb
index 40d654a..78d496c 100644
--- a/app/lib/clients/vault.rb
+++ b/app/lib/clients/vault.rb
@@ -11,11 +11,11 @@ def client
 end
 def vault_address
- Rails.configuration.astral[:vault_addr]
+ Config[:vault_addr]
 end
 def vault_token
- Rails.configuration.astral[:vault_token]
+ Config[:vault_token]
 end
 def enable_engine(mount, type)
diff --git a/app/lib/clients/vault/certificate.rb b/app/lib/clients/vault/certificate.rb
index bd83cd6..7b3f57a 100644
--- a/app/lib/clients/vault/certificate.rb
+++ b/app/lib/clients/vault/certificate.rb
@@ -28,16 +28,16 @@ def cert_path
 end
 def create_root?
- create_root_config = Rails.configuration.astral[:vault_create_root]
+ create_root_config = Config[:vault_create_root]
 !!ActiveModel::Type::Boolean.new.cast(create_root_config)
 end
 def root_ca_ref
- Rails.configuration.astral[:vault_root_ca_ref]
+ Config[:vault_root_ca_ref]
 end
 def root_ca_mount
- Rails.configuration.astral[:vault_root_ca_mount]
+ Config[:vault_root_ca_mount]
 end
 def cert_engine_type
diff --git a/app/lib/config.rb b/app/lib/config.rb
new file mode 100644
index 0000000..d2f6e0b
--- /dev/null
+++ b/app/lib/config.rb
@@ -0,0 +1,19 @@
+class Config
+ class << self
+ def get(key)
+ ENV[key.to_s.upcase] || Rails.configuration.astral[key.to_s.downcase.to_sym]
+ end
+
+ def set(key, value)
+ ENV[key.to_s.upcase] = value
+ end
+
+ def [](key)
+ get(key)
+ end
+
+ def []=(key, value)
+ set(key, value)
+ end
+ end
+end
diff --git a/app/lib/requests/cert_issue_request.rb b/app/lib/requests/cert_issue_request.rb
index 8edcc0c..b718cc3 100644
--- a/app/lib/requests/cert_issue_request.rb
+++ b/app/lib/requests/cert_issue_request.rb
@@ -11,7 +11,7 @@ class CertIssueRequest
 attribute :other_sans, :string
 attribute :private_key_format, :string, default: "pem"
 attribute :remove_roots_from_chain, :boolean, default: false
- attribute :ttl, :integer, default: Rails.configuration.astral[:cert_ttl]
+ attribute :ttl, :integer, default: Config[:cert_ttl]
 attribute :uri_sans, :string
 attribute :ip_sans, :string
 attribute :serial_number, :integer
@@ -24,7 +24,7 @@ class CertIssueRequest
 validates :format, presence: true, inclusion: { in: %w[pem der pem_bundle] }
 validates :private_key_format, presence: true, inclusion: { in: %w[pem der pkcs8] }
 validates :ttl, numericality: {
- less_than_or_equal_to: Rails.configuration.astral[:cert_ttl],
+ less_than_or_equal_to: Config[:cert_ttl],
 greater_than: 0
 }
 validate :validate_no_wildcards
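Review bot: `get` in the new app/lib/config.rb returns a String whenever the upper-cased env var is set but the typed YAML value otherwise, so the same key can be an Integer in one deployment and a String in another; in this same commit cert_issue_request.rb passes `Config[:cert_ttl]` to `less_than_or_equal_to:` (captured once at class load) and the tests do `Config[:cert_ttl] + 1`, which only works on the YAML path. A class comment stating that callers must coerce the value, or typed accessors that do it centrally, would make the contract explicit. `set` writes into the process environment: `ENV[]=` accepts only a String (anything else raises TypeError), and whatever is written there is inherited by every subprocess the app spawns, so `ENV[key.to_s.upcase] = value&.to_s` plus a comment on that side effect is the minimum. The lookup is also unscoped — any key maps straight to `KEY.upcase`, so `Config[:path]` returns `ENV["PATH"]`; a fixed prefix or an allow-list of the keys astral.yml declares would keep unrelated variables from leaking into application config.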
diff --git a/app/lib/services/auth.rb b/app/lib/services/auth.rb
index af387f6..963b7d0 100644
--- a/app/lib/services/auth.rb
+++ b/app/lib/services/auth.rb
@@ -12,7 +12,7 @@ def authenticate!(token)
 def decode(token)
 # Decode a JWT access token using the configured base.
- body = JWT.decode(token, Rails.configuration.astral[:jwt_signing_key])[0]
+ body = JWT.decode(token, Config[:jwt_signing_key])[0]
 Identity.new(body)
 rescue => e
 Rails.logger.warn "Unable to decode token: #{e}"
diff --git a/config/astral.yml b/config/astral.yml
index f8acdeb..a574607 100644
--- a/config/astral.yml
+++ b/config/astral.yml
@@ -1,22 +1,22 @@
 shared:
- vault_addr: <%= ENV["VAULT_ADDR"] %>
- vault_token: <%= ENV["VAULT_TOKEN"] %>
+ vault_addr:
+ vault_token:
 # Pre-existing root CA, or create new if requested
- vault_create_root: <%= ENV["VAULT_CREATE_ROOT"] || "true" %>
- vault_root_ca_ref: <%= ENV["VAULT_ROOT_CA_REF"] || "root-ca" %>
- vault_root_ca_mount: <%= ENV["VAULT_ROOT_CA_MOUNT"] || "pki_root" %>
+ vault_create_root: true
+ vault_root_ca_ref: root_ca
+ vault_root_ca_mount: pki_root
- jwt_signing_key: <%= ENV["JWT_SIGNING_KEY"] %>
- cert_ttl: <%= ENV["CERT_TTL"] %>
+ jwt_signing_key:
+ cert_ttl:
- app_registry_addr: <%= ENV["APP_REGISTRY_ADDR"] %>
- app_registry_token: <%= ENV["APP_REGISTRY_TOKEN"] %>
- app_registry_ca_file: <%= ENV["APP_REGISTRY_CA_FILE"] %>
- app_registry_client_cert: <%= ENV["APP_REGISTRY_CLIENT_CERT"] %>
- app_registry_client_key: <%= ENV["APP_REGISTRY_CLIENT_KEY"] %>
+ app_registry_addr:
+ app_registry_token:
+ app_registry_ca_file:
+ app_registry_client_cert:
+ app_registry_client_key:
- audit_log_file: <%= ENV["AUDIT_LOG_FILE"] || "#{Rails.root.join('log')}/astral-audit.log" %>
+ audit_log_file: <%= "#{Rails.root.join('log')}/astral-audit.log" %>
 test:
 cert_ttl: <%= 24.hours.in_seconds %>
@@ -24,3 +24,4 @@ test:
 development:
 production:
+ vault_create_root: false
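Review bot: The default for `vault_root_ca_ref` silently changes from the removed ERB fallback `|| "root-ca"` to `root_ca` in the new `shared:` block, so a deployment that relied on the default now references a differently named root CA; if the rename is not intentional, `vault_root_ca_ref: root-ca` preserves the old behaviour. The `production: vault_create_root: false` added in the `@@ -24,3` hunk is only a default: `Config.get` consults `ENV["VAULT_CREATE_ROOT"]` before the YAML, so an exported variable still enables root creation in production, and the comment `# Pre-existing root CA, or create new if requested` should say that the env var takes precedence over this file. Note also that YAML `true`/`false` arrive as booleans while the env path yields strings; `create_root?` casts both, but any new consumer of these keys needs the same care.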
diff --git a/test/interactors/application_interactor_test.rb b/test/interactors/application_interactor_test.rb
index 781a620..42a97ac 100644
--- a/test/interactors/application_interactor_test.rb
+++ b/test/interactors/application_interactor_test.rb
@@ -6,7 +6,7 @@ def setup
 @identity = Identity.new(subject: @domain.users_array.first)
 @cr = Requests::CertIssueRequest.new(common_name: @domain.fqdn)
 @log = Tempfile.new("log-test")
- Rails.configuration.astral[:audit_log_file] = @log.path
+ Config[:audit_log_file] = @log.path
 end
 def teardown
diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
index 4017556..2312e82 100644
--- a/test/lib/clients/vault_test.rb
+++ b/test/lib/clients/vault_test.rb
@@ -99,11 +99,11 @@ class VaultTest < ActiveSupport::TestCase
 def vault_client
 ::Vault::Client.new(
 address: vault_addr,
- token: Rails.configuration.astral[:vault_token]
+ token: Config[:vault_token]
 )
 end
 def vault_addr
- Rails.configuration.astral[:vault_addr]
+ Config[:vault_addr]
 end
 end
diff --git a/test/lib/requests/cert_isssue_request_test.rb b/test/lib/requests/cert_isssue_request_test.rb
index cc15b36..8a7ae61 100644
--- a/test/lib/requests/cert_isssue_request_test.rb
+++ b/test/lib/requests/cert_isssue_request_test.rb
@@ -59,9 +59,9 @@ def setup
 end
 test "#valid? should require a ttl less than configured max" do
- @cert_issue_request.ttl = Rails.configuration.astral[:cert_ttl] + 1
+ @cert_issue_request.ttl = Config[:cert_ttl] + 1
 assert_not @cert_issue_request.valid?
- assert_includes @cert_issue_request.errors[:ttl], "must be less than or equal to #{Rails.configuration.astral[:cert_ttl]}"
+ assert_includes @cert_issue_request.errors[:ttl], "must be less than or equal to #{Config[:cert_ttl]}"
 end
 test "#valid? should prevent wildcard common_name" do
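Review bot: `Config[:audit_log_file] = @log.path` now exports `AUDIT_LOG_FILE` into the process environment instead of mutating the in-memory astral hash, so the value outlives this test case and is inherited by anything the suite spawns; `teardown` (its body is outside the hunk) should remove it with `ENV.delete("AUDIT_LOG_FILE")` alongside closing `@log`. A short comment on the assignment, `# Config#[]= writes ENV; cleared in teardown`, would make the new side effect visible to the next reader.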
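Review bot: `Config[:cert_ttl] + 1` raises TypeError when `CERT_TTL` is exported in the test environment, because `Config.get` then returns the env var as a String rather than the Integer that the `test:` section of astral.yml provides; the same type dependence affects `assert_equal Config[:cert_ttl], @cert_issue_request.ttl` in the `@@ -82,7` hunk, where `ttl` is an `:integer` attribute and the comparison fails against a String. Coercing once, `Integer(Config[:cert_ttl]) + 1` here and `assert_equal Integer(Config[:cert_ttl]), @cert_issue_request.ttl` there, keeps both tests independent of how the value was supplied. `setup` is outside the hunk, so I cannot tell whether it already pins the variable.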
@@ -82,7 +82,7 @@ def setup
 assert_equal "pem", @cert_issue_request.format
 assert_equal "pem", @cert_issue_request.private_key_format
 assert_equal false, @cert_issue_request.remove_roots_from_chain
- assert_equal Rails.configuration.astral[:cert_ttl], @cert_issue_request.ttl
+ assert_equal Config[:cert_ttl], @cert_issue_request.ttl
 assert_equal true, @cert_issue_request.client_flag
 assert_equal false, @cert_issue_request.code_signing_flag
 assert_equal false, @cert_issue_request.email_protection_flag