Skip to content

Commit

Permalink
Update readme; correct issue with vault client which failed to load in
Browse files Browse the repository at this point in the history
production mode
  • Loading branch information
suprjinx committed Oct 6, 2024
1 parent 3598418 commit a79d894
Show file tree
Hide file tree
Showing 9 changed files with 47 additions and 32 deletions.
34 changes: 23 additions & 11 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,20 +1,32 @@
# README

Astral is an api-only application intended to simplify
certificate acquisition for other applications/services. Broadly speaking,
it will:
Astral is an api-only application intended to simplify certificate
acquisition and secrets storage. Invoking a single endpoint can issue
an mTLS certificate or fetch a secret for applications in your
environment, without any need to configure the underlying PKI or
secrets storage (Vault).

1) Authenticate the request for cerficate using a third party trusted source (JWT, etc)
2) Authorize the request using a Domain Ownership Registry
3) If authorized, obtain a certificate from PKI CLM (such as Vault/OpenBao)
4) Log this transaction in audit infrastructure (ELK, etc).
Some features of Astral:

0) Configure Astral-specific Certificate Authority and Key-Value stores in Vault
1) Authenticate requests for cerficates or secrets using a third party
trusted source (JWT with signing key, eg)
2) For certiciates:
a) Authorize the request using a Domain Ownership registry, where domain owner
or authorized groups must match the identity of the requesting client
b) When authorized, obtain a certificate for the common name
3) For secrets:
a) Create secrets with a policy for reading
b) Read only when the requesting client identity has the policy.
4) Log all transactions in audit infrastructure (ELK, etc).

# Running in development

This Rails app is most easily run and developed in its devcontainer.
This Rails app is most easily run and developed in its devcontainer, which includes Vault
and a Domain Ownership registry (AppRegistry) in the compose environment.

1) Open in devcontainer
2) Launch server using vscode launch config, or in terminal run:
1) Open in devcontainer (automatic in vscode)
2) Launch server using vscode launch config, or in the terminal run:
```
rails s
```
Expand Down Expand Up @@ -47,5 +59,5 @@ docker build -t astral:latest .
```
2) Run the prod image:
```
docker run -e SECRET_KEY_BASE=mysecrit -p 3000:3000 astral:latest
docker run -p 3000:3000 astral:latest
```
12 changes: 6 additions & 6 deletions app/lib/clients/vault.rb
Original file line number Diff line number Diff line change
@@ -1,5 +1,11 @@
module Clients
class Vault
extend Clients::Vault::Certificate
extend Clients::Vault::KeyValue
extend Clients::Vault::Policy
extend Clients::Vault::Entity
extend Clients::Vault::EntityAlias

class_attribute :token

class << self
Expand All @@ -21,10 +27,4 @@ def enable_engine(mount, type)
end
end
end

require_relative "vault/key_value"
require_relative "vault/certificate"
require_relative "vault/policy"
require_relative "vault/entity"
require_relative "vault/entity_alias"
end
20 changes: 10 additions & 10 deletions app/lib/clients/vault/certificate.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module Certificate
def issue_cert(cert_issue_request)
opts = cert_issue_request.attributes
# Generate the TLS certificate using the intermediate CA
Expand Down Expand Up @@ -57,21 +57,21 @@ def configure_root_ca

# generate root certificate
root_cert = client.logical.write("#{root_ca_mount}/root/generate/internal",
common_name: "astral.internal",
issuer_name: root_ca_ref,
ttl: "87600h").data[:certificate]
common_name: "astral.internal",
issuer_name: root_ca_ref,
ttl: "87600h").data[:certificate]
# save the root certificate
File.write("tmp/#{root_ca_mount}.crt", root_cert)

client.logical.write("#{root_ca_mount}/config/cluster",
path: "#{address}/v1/#{root_ca_mount}",
aia_path: "#{address}/v1/#{root_ca_mount}")
path: "#{address}/v1/#{root_ca_mount}",
aia_path: "#{address}/v1/#{root_ca_mount}")

client.logical.write("#{root_ca_mount}/config/urls",
issuing_certificates: "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
crl_distribution_points: "{{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der",
ocsp_servers: "{{cluster_path}}/ocsp",
enable_templating: true)
issuing_certificates: "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
crl_distribution_points: "{{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der",
ocsp_servers: "{{cluster_path}}/ocsp",
enable_templating: true)
end

def sign_cert
Expand Down
2 changes: 1 addition & 1 deletion app/lib/clients/vault/entity.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module Entity
def put_entity(name, policies)
client.logical.write("identity/entity",
name: name,
Expand Down
2 changes: 1 addition & 1 deletion app/lib/clients/vault/entity_alias.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module EntityAlias
def put_entity_alias(entity_name, alias_name, auth_method)
e = read_entity(entity_name)
if e.nil?
Expand Down
2 changes: 1 addition & 1 deletion app/lib/clients/vault/key_value.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module KeyValue
def kv_read(path)
client.kv(kv_mount).read(path)
end
Expand Down
2 changes: 1 addition & 1 deletion app/lib/clients/vault/policy.rb
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module Policy
def rotate_token
create_astral_policy
token = create_astral_token
Expand Down
2 changes: 1 addition & 1 deletion app/lib/requests/cert_issue_request.rb
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ class CertIssueRequest
validates :format, presence: true, inclusion: { in: %w[pem der pem_bundle] }
validates :private_key_format, presence: true, inclusion: { in: %w[pem der pkcs8] }
validates :ttl, numericality: {
less_than_or_equal_to: Config[:cert_ttl],
less_than_or_equal_to: Config[:cert_ttl].to_i,
greater_than: 0
}
validate :validate_no_wildcards
Expand Down
3 changes: 3 additions & 0 deletions config/application.rb
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,9 @@ class Application < Rails::Application
# Skip views, helpers and assets when generating a new resource.
config.api_only = true

# the secret_key_base isn't used, but Rails requires it
config.secret_key_base = "secret_key_base_not_used!"

# Application configs from config/astral.yml
config.astral = config_for :astral

Expand Down

0 comments on commit a79d894

Please sign in to comment.