conjur-api 2.0.0

data/lib/conjur/log_source.rb

@@ -0,0 +1,13 @@
+module Conjur
+  module LogSource
+    def log(&block)
+      if Conjur.log
+        Conjur.log << "["
+        Conjur.log << username
+        Conjur.log << "] "
+        yield Conjur.log
+        Conjur.log << "\n"
+      end
+    end
+  end
+end

data/lib/conjur/resource.rb

@@ -0,0 +1,81 @@
+module Conjur
+  class Resource < RestClient::Resource
+    include Exists
+    include HasAttributes
+    
+    def kind
+      match_path(0..0)
+    end
+
+    def identifier
+      match_path(1..-1)
+    end
+    
+    def create(options = {})
+      log do |logger|
+        logger << "Creating resource #{kind} : #{identifier}"
+        unless options.empty?
+          logger << " with options #{options.to_json}"
+        end
+      end
+      self.put(options)
+    end
+
+    # Lists roles that have a specified permission on the resource.
+    def permitted_roles(permission, options = {})
+      JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.options)["/roles/allowed_to/#{permission}/#{path_escape kind}/#{path_escape identifier}"].get(options)
+    end
+    
+    # Changes the owner of a resource
+    def give_to(owner, options = {})
+      self.put(options.merge(owner: owner))
+    end
+
+    def delete(options = {})
+      log do |logger|
+        logger << "Deleting resource #{kind} : #{identifier}"
+        unless options.empty?
+          logger << " with options #{options.to_json}"
+        end
+      end
+      super.delete(options)
+    end
+
+    def permit(privilege, role, options = {})
+      eachable(privilege).each do |p|
+        log do |logger|
+          logger << "Permitting #{p} on resource #{kind} : #{identifier} by #{role}"
+          unless options.empty?
+            logger << " with options #{options.to_json}"
+          end
+        end
+        
+        self["?grant&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
+      end
+    end
+    
+    def deny(privilege, role, options = {})
+      eachable(privilege).each do |p|
+        log do |logger|
+          logger << "Denying #{p} on resource #{kind} : #{identifier} by #{role}"
+          unless options.empty?
+            logger << " with options #{options.to_json}"
+          end
+        end
+        self["?revoke&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
+      end
+    end
+    
+    protected
+    
+    def eachable(item)
+      item.respond_to?(:each) ? item : [ item ]
+    end
+    
+    def match_path(range)
+      require 'uri'
+      tokens = URI.parse(self.url).path[1..-1].split('/')[range]
+      tokens.map{|t| URI.unescape(t)}.join('/')
+    end
+  end
+end

data/lib/conjur/role.rb

@@ -0,0 +1,52 @@
+module Conjur
+  class Role < RestClient::Resource
+    include Exists
+    include HasId
+    
+    def create(options = {})
+      log do |logger|
+        logger << "Creating role #{id}"
+        unless options.empty?
+          logger << " with options #{options.to_json}"
+        end
+      end
+      self.put(options)
+    end
+    
+    def all(options = {})
+      JSON.parse(self["/all"].get(options)).collect do |id|
+        Role.new("#{Conjur::Authz::API.host}/roles/#{path_escape id}", self.options)
+      end
+    end
+    
+    def grant_to(member, admin_option = false, options = {})
+      log do |logger|
+        logger << "Granting role #{id} to #{member}"
+        if admin_option
+          logger << " with admin option"
+        end
+        unless options.empty?
+          logger << " and extended options #{options.to_json}"
+        end
+      end
+      self["/members/#{path_escape member}?admin_option=#{query_escape admin_option}"].put(options)
+    end
+
+    def revoke_from(member, options = {})
+      log do |logger|
+        logger << "Revoking role #{id} from #{member}"
+        unless options.empty?
+          logger << " with options #{options.to_json}"
+        end
+      end
+      self["/members/#{path_escape member}"].delete(options)
+    end
+
+    def permitted?(resource_kind, resource_id, privilege, options = {})
+      self["/permitted?resource_kind=#{query_escape resource_kind}&resource_id=#{query_escape resource_id}&privilege=#{query_escape privilege}"].get(options)
+      true
+    rescue RestClient::ResourceNotFound
+      false
+    end
+  end
+end

data/lib/conjur/secret.rb

@@ -0,0 +1,12 @@
+module Conjur
+  class Secret < RestClient::Resource
+    include ActsAsResource
+    include HasAttributes
+    include Exists
+    include HasId
+    
+    def value
+      self['/value'].get.body
+    end
+  end
+end

data/lib/conjur/user.rb

@@ -0,0 +1,13 @@
+module Conjur
+  class InvalidToken < Exception
+  end
+  
+  class User < RestClient::Resource
+    include HasId
+    include HasAttributes
+    include ActsAsResource
+    include ActsAsUser
+    
+    alias login id
+  end
+end

data/lib/conjur/variable.rb

@@ -0,0 +1,27 @@
+module Conjur
+  class Variable < RestClient::Resource
+    include ActsAsResource
+    include HasAttributes
+    include Exists
+    include HasId
+    
+    def add_value value
+      log do |logger|
+        logger << "Adding #{value} to variable #{id}"
+      end
+      invalidate do
+        self['values'].post value: value
+      end
+    end
+    
+    def version_count
+      self.attributes['versions']
+    end
+    
+    def value(version = nil)
+      url = 'value'
+      url << "?version=#{version}" if version
+      self[url].get.body
+    end
+  end
+end

data/spec/lib/api_spec.rb

@@ -0,0 +1,98 @@
+require 'spec_helper'
+
+require 'conjur/api'
+
+shared_examples_for "API endpoint" do
+  subject { api }
+  let(:service_name) { api.name.split('::')[-2].downcase }
+  context "in development" do
+    before(:each) do
+      Conjur.stub(:env).and_return "development"
+    end
+    its "default_host" do
+      should == "http://localhost:#{Conjur.service_base_port + port_offset}"
+    end
+  end
+  context "in stage" do
+    before(:each) do
+      Conjur.stub(:env).and_return "stage"
+    end
+    its "default_host" do
+      should == "https://#{service_name}-stage-conjur.herokuapp.com"
+    end
+  end
+  context "in ci" do
+    before(:each) do
+      Conjur.stub(:env).and_return "ci"
+    end
+    its "default_host" do
+      should == "https://#{service_name}-ci-conjur.herokuapp.com"
+    end
+  end
+  context "in production" do
+    before(:each) do
+      Conjur.stub(:env).and_return "production"
+    end
+    its "default_host" do
+      should == "https://#{service_name}-v2-conjur.herokuapp.com"
+    end
+  end
+  context "in named production version" do
+    before(:each) do
+      Conjur.stub(:env).and_return "production"
+      Conjur.stub(:stack).and_return "waffle"
+    end
+    its "default_host" do
+      should == "https://#{service_name}-waffle-conjur.herokuapp.com"
+    end
+  end
+end
+
+describe Conjur::API do
+  context "host construction" do
+    context "of authn service" do
+      let(:port_offset) { 0 }
+      let(:api) { Conjur::Authn::API }
+      it_should_behave_like "API endpoint"
+    end
+    context "of authz service" do
+      let(:port_offset) { 100 }
+      let(:api) { Conjur::Authz::API }
+      it_should_behave_like "API endpoint"
+    end
+    context "of das service" do
+      let(:port_offset) { 200 }
+      let(:api) { Conjur::DAS::API }
+      it_should_behave_like "API endpoint"
+    end
+    context "of core service" do
+      let(:port_offset) { 300 }
+      let(:api) { Conjur::Core::API }
+      it_should_behave_like "API endpoint"
+    end    
+  end
+  context ".class" do
+    describe '#token_valid?' do
+      subject { Conjur::API }
+      it "raises KeyError when there's no authn key in the db" do
+        require 'slosilo'
+        Slosilo.stub(:[]).with(:authn).and_return nil
+        expect { subject.token_valid? :whatever }.to raise_error(KeyError)
+      end
+    end
+  end
+  context "credential handling" do
+    let(:login) { "bob" }
+    subject { api }
+    context "from token" do
+      let(:token) { { 'data' => login } }
+      let(:api) { Conjur::API.new_from_token(token) }
+      its(:credentials) { should == { headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login } }
+    end
+    context "from api key" do
+      let(:api_key) { "theapikey" }
+      let(:api) { Conjur::API.new_from_key(login, api_key) }
+      its(:credentials) { should == { user: login, password: api_key } }
+    end
+  end
+end

data/spec/lib/das_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+require 'conjur/api'
+
+describe Conjur::API do
+  context "data_access_service_url" do
+    let(:account) { "the-account" }
+    let(:path) { "upload" }
+    subject { Conjur::API.data_access_service_url(account, path, params) }
+    context "to test environment" do
+      before(:each) do
+        Conjur.stub(:env).and_return "development"
+      end
+      context "with empty params" do
+        let(:params) { {} }
+        it { should == "http://localhost:5200/data/the-account/inscitiv/upload" }
+      end
+      context "with params" do
+        let(:params) { { "foo" => "b/r" } }
+        it { should == "http://localhost:5200/data/the-account/inscitiv/upload?foo=b%2Fr" }
+      end
+    end
+    context "to production environment" do
+      before(:each) do
+        Conjur.stub(:env).and_return "production"
+      end
+      context "with empty params" do
+        let(:params) { {} }
+        it { should == "https://das-v2-conjur.herokuapp.com/data/the-account/inscitiv/upload" }
+      end
+    end
+  end
+end

data/spec/lib/resource_spec.rb

@@ -0,0 +1,84 @@
+require 'spec_helper'
+
+require 'conjur/api'
+
+describe Conjur::Resource do
+  let(:user) { 'admin' }
+  let(:api_key) { '^6feWZpr' }
+  
+  def conjur_api
+    Conjur::API.new_from_key(user, api_key)
+  end
+  
+  def self.it_creates_with code
+    it "should create with status #{code}" do
+      resource = conjur_api.resource("spec", identifier)
+      resource.create
+      resource.should exist
+      conjur_api.resource("spec", identifier).kind.should == "spec"
+      conjur_api.resource("spec", identifier).identifier.should == identifier
+    end
+  end
+
+  def self.it_fails_with code
+    it "should fail with status #{code}" do
+      expect { conjur_api.resource("spec", identifier).create }.to raise_error { |error|
+        error.should be_a(RestClient::Exception)
+        error.http_code.should == code
+      }
+    end
+  end
+
+  let(:uuid) { "ddd1f59a-494d-48fb-b045-0374c4a6eef9" }
+  
+  context "identifier" do
+    include Conjur::Escape
+    let(:resource) { Conjur::Resource.new("#{Conjur::Authz::API.host}/#{kind}/#{path_escape identifier}") }
+    
+    context "Object with an #id" do
+      let(:kind) { "host" }
+      let(:identifier) do
+        Conjur::Host.new("#{Conjur::Core::API.host}/hosts/foobar", {})
+      end
+      it "identifier should obtained from the id" do
+        resource.identifier.should == "foobar"
+      end
+    end
+    
+    [ [ "foo", "bar/baz" ], [ "f:o", "bar" ], [ "@f", "bar.baz" ], [ "@f", "bar baz" ], [ "@f", "bar?baz" ] ].each do |p|
+      context "of /#{p[0]}/#{p[1]}" do
+        let(:kind) { p[0] }
+        let(:identifier) { p[1] }
+        context "resource_kind" do
+          subject { resource.kind }
+          specify { should == p[0] }
+        end
+        context "resource_id" do
+          subject { resource.identifier }
+          specify { should == ( p[1] ) }
+        end
+      end
+    end
+  end
+  context "#create" do
+    context "with uuid identifier" do
+      use_vcr_cassette
+      let(:identifier) { uuid }
+      it_creates_with 204
+      it "is findable" do
+        conjur_api.resource("spec", identifier).create
+        conjur_api.resource("spec", identifier).should exist
+      end
+    end
+    context "with path-like identifier" do
+      use_vcr_cassette
+      let(:identifier) { [ uuid, "xxx" ].join("/") }
+      it_creates_with 204
+    end
+    context "with un-encoded path-like identifier" do
+      use_vcr_cassette
+      let(:identifier) { [ uuid, "+?!!?+/xxx" ].join("/") }
+      it_creates_with 204
+    end
+  end
+end

data/spec/lib/role_spec.rb

@@ -0,0 +1,24 @@
+require 'spec_helper'
+
+require 'conjur/api'
+
+shared_examples_for "properties" do
+  subject { role }
+  its(:id) { should == id }
+end
+
+describe Conjur::Role do
+  context "#new" do
+    let(:url) { "#{Conjur::Authz::API.host}/roles/#{id}" }
+    let(:credentials) { mock(:credentials) }
+    let(:role) { Conjur::Role.new(url, credentials) }
+    context "with plain id" do
+      let(:id) { "foo" }
+      it_should_behave_like "properties"
+    end
+    context "with more complex id" do
+      let(:id) { "@foo;bar" }
+      it_should_behave_like "properties"
+    end
+  end
+end