Update readme; correct issue with vault client which failed to load in #46

Merged
merged 1 commit into from
Oct 7, 2024
34 changes: 23 additions & 11 deletions README.md
@@ -1,20 +1,32 @@
# README

Astral is an api-only application intended to simplify
certificate acquisition for other applications/services. Broadly speaking,
it will:
Astral is an api-only application intended to simplify certificate
acquisition and secrets storage. Invoking a single endpoint can issue
an mTLS certificate or fetch a secret for applications in your
environment, without any need to configure the underlying PKI or
secrets storage (Vault).

1) Authenticate the request for cerficate using a third party trusted source (JWT, etc)
2) Authorize the request using a Domain Ownership Registry
3) If authorized, obtain a certificate from PKI CLM (such as Vault/OpenBao)
4) Log this transaction in audit infrastructure (ELK, etc).
Some features of Astral:

0) Configure Astral-specific Certificate Authority and Key-Value stores in Vault
1) Authenticate requests for cerficates or secrets using a third party
trusted source (JWT with signing key, eg)
2) For certiciates:
a) Authorize the request using a Domain Ownership registry, where domain owner
or authorized groups must match the identity of the requesting client
b) When authorized, obtain a certificate for the common name
3) For secrets:
a) Create secrets with a policy for reading
b) Read only when the requesting client identity has the policy.
4) Log all transactions in audit infrastructure (ELK, etc).

# Running in development

This Rails app is most easily run and developed in its devcontainer.
This Rails app is most easily run and developed in its devcontainer, which includes Vault
and a Domain Ownership registry (AppRegistry) in the compose environment.

1) Open in devcontainer
2) Launch server using vscode launch config, or in terminal run:
1) Open in devcontainer (automatic in vscode)
2) Launch server using vscode launch config, or in the terminal run:
```
rails s
```
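Review bot: the added feature list keeps two typos from the old text: "cerficates" in item 1 and "certiciates" in item 2 should both read "certificates", and "eg" in item 1 reads better as "e.g.". Item 2a is the access-control core of the design, so it is worth stating that the common name issued in 2b is the domain whose ownership was checked in 2a, e.g. "b) When authorized, obtain a certificate for that common name"; as written, a reader can take 2a and 2b as independent steps.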
@@ -47,5 +59,5 @@ docker build -t astral:latest .
```
2) Run the prod image:
```
docker run -e SECRET_KEY_BASE=mysecrit -p 3000:3000 astral:latest
docker run -p 3000:3000 astral:latest
```
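Review bot: dropping `-e SECRET_KEY_BASE=mysecrit` from the `docker run` line only works because this PR also hardcodes `config.secret_key_base` in config/application.rb; if that value is ever sourced from the environment again, this command will fail at boot. Suggest keeping one sentence in the README stating that SECRET_KEY_BASE is not required for the prod image (and why), so the omission reads as intentional rather than as a missing step.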
12 changes: 6 additions & 6 deletions app/lib/clients/vault.rb
@@ -1,5 +1,11 @@
module Clients
class Vault
extend Clients::Vault::Certificate
extend Clients::Vault::KeyValue
extend Clients::Vault::Policy
extend Clients::Vault::Entity
extend Clients::Vault::EntityAlias

class_attribute :token

class << self
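Review bot: the five `extend` lines reference `Clients::Vault::Certificate` and friends before any `require` in this file, so they depend on the Rails autoloader resolving app/lib/clients/vault/*.rb; a one-line comment above them saying so would stop the next person from re-adding the `require_relative` calls that the second hunk removes. Separately, `class_attribute :token` holds the Vault token for the whole process and by default also exposes `token`/`token=` on instances; since everything here is a class-level API, `class_attribute :token, instance_accessor: false` keeps the token reachable only through the path the code actually uses.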
@@ -21,10 +27,4 @@ def enable_engine(mount, type)
end
end
end

require_relative "vault/key_value"
require_relative "vault/certificate"
require_relative "vault/policy"
require_relative "vault/entity"
require_relative "vault/entity_alias"
end
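Review bot: removing the trailing `require_relative` calls is the right fix for the load failure named in the PR title, since explicitly requiring files that the autoloader also manages is a classic source of missing-constant or already-defined errors; every subdirectory of app/ is an autoload root by default, so app/lib/clients/vault/*.rb will be found without them. Please say that in the commit message so the reason the requires went away is recorded.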
20 changes: 10 additions & 10 deletions app/lib/clients/vault/certificate.rb
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module Certificate
def issue_cert(cert_issue_request)
opts = cert_issue_request.attributes
# Generate the TLS certificate using the intermediate CA
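Review bot: converting `class << self` to `module Certificate` changes where `issue_cert` lives: it is only available on `Clients::Vault` after the `extend` in vault.rb runs, and the `client` helper used further down in this file must be reachable from there too. Consider a short module comment stating that these methods are meant to be extended onto `Clients::Vault` and rely on its `client`, since nothing in this file says so any more.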
@@ -57,21 +57,21 @@ def configure_root_ca

# generate root certificate
root_cert = client.logical.write("#{root_ca_mount}/root/generate/internal",
common_name: "astral.internal",
issuer_name: root_ca_ref,
ttl: "87600h").data[:certificate]
common_name: "astral.internal",
issuer_name: root_ca_ref,
ttl: "87600h").data[:certificate]
# save the root certificate
File.write("tmp/#{root_ca_mount}.crt", root_cert)

client.logical.write("#{root_ca_mount}/config/cluster",
path: "#{address}/v1/#{root_ca_mount}",
aia_path: "#{address}/v1/#{root_ca_mount}")
path: "#{address}/v1/#{root_ca_mount}",
aia_path: "#{address}/v1/#{root_ca_mount}")

client.logical.write("#{root_ca_mount}/config/urls",
issuing_certificates: "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
crl_distribution_points: "{{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der",
ocsp_servers: "{{cluster_path}}/ocsp",
enable_templating: true)
issuing_certificates: "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
crl_distribution_points: "{{cluster_aia_path}}/issuer/{{issuer_id}}/crl/der",
ocsp_servers: "{{cluster_path}}/ocsp",
enable_templating: true)
end

def sign_cert
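Review bot: this hunk is whitespace only (continuation arguments re-aligned), so there is no behaviour change; while here, `File.write("tmp/#{root_ca_mount}.crt", root_cert)` uses a path relative to the process working directory, which differs between the devcontainer, `rails s` and the Docker image, and `Rails.root.join("tmp", "#{root_ca_mount}.crt")` makes it deterministic. The root key is generated with `root/generate/internal`, so only the public certificate is written out, which is the right choice.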
2 changes: 1 addition & 1 deletion app/lib/clients/vault/entity.rb
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module Entity
def put_entity(name, policies)
client.logical.write("identity/entity",
name: name,
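Review bot: `put_entity(name, policies)` is where a client identity gets its Vault policies attached, which the README's item 3b relies on for secret reads, so this is the method to cover for the case where `policies` is empty or nil: a write with no policies leaves an entity that can read nothing, which is safe but easy to mistake for a successful setup. A spec asserting the policy list actually written to `identity/entity` would catch regressions here.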
2 changes: 1 addition & 1 deletion app/lib/clients/vault/entity_alias.rb
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module EntityAlias
def put_entity_alias(entity_name, alias_name, auth_method)
e = read_entity(entity_name)
if e.nil?
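Review bot: `put_entity_alias` calls `read_entity(entity_name)`, which this file does not define (presumably it lives in `Entity`); it works only because both modules are extended onto the same `Clients::Vault` object. That implicit cross-module dependency deserves a comment here, and since the aliased entity is what carries the policies, it is worth confirming that the `if e.nil?` branch fails clearly rather than creating an alias that points at nothing.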
2 changes: 1 addition & 1 deletion app/lib/clients/vault/key_value.rb
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module KeyValue
def kv_read(path)
client.kv(kv_mount).read(path)
end
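Review bot: `kv_read(path)` passes `path` straight to `client.kv(kv_mount).read(path)`; since the README says secrets are readable only when the requesting identity holds the matching policy, that enforcement has to happen in Vault via the token behind `client`, not in this method. A comment to that effect, plus a test that a token without the policy gets a permission error rather than `nil`, would make the trust boundary explicit.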
2 changes: 1 addition & 1 deletion app/lib/clients/vault/policy.rb
@@ -1,6 +1,6 @@
module Clients
class Vault
class << self
module Policy
def rotate_token
create_astral_policy
token = create_astral_token
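Review bot: `rotate_token` creates a policy and a fresh token on every call (`create_astral_policy`, `create_astral_token`), but the visible lines do not show the previous token being revoked, so each rotation may leave an older, still-valid token behind. If that is the case, revoke the old `token` (the `class_attribute` in vault.rb) once the new one is assigned, or give the tokens a short TTL so stale ones expire on their own.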
2 changes: 1 addition & 1 deletion app/lib/requests/cert_issue_request.rb
@@ -24,7 +24,7 @@ class CertIssueRequest
validates :format, presence: true, inclusion: { in: %w[pem der pem_bundle] }
validates :private_key_format, presence: true, inclusion: { in: %w[pem der pkcs8] }
validates :ttl, numericality: {
less_than_or_equal_to: Config[:cert_ttl],
less_than_or_equal_to: Config[:cert_ttl].to_i,
greater_than: 0
}
validate :validate_no_wildcards
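Review bot: `Config[:cert_ttl].to_i` fixes the comparison against a string config value, but `to_i` turns a misconfigured value such as "87600h" or "" into 0, and combined with `greater_than: 0` that rejects every request with no hint why. `Integer(Config[:cert_ttl])` fails loudly at load time instead; it is also worth documenting the unit of `ttl` (seconds vs. hours), since the Vault `ttl` strings elsewhere in this PR carry a suffix.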
3 changes: 3 additions & 0 deletions config/application.rb
@@ -29,6 +29,9 @@ class Application < Rails::Application
# Skip views, helpers and assets when generating a new resource.
config.api_only = true

# the secret_key_base isn't used, but Rails requires it
config.secret_key_base = "secret_key_base_not_used!"

# Application configs from config/astral.yml
config.astral = config_for :astral
