conjur-api 2.4.0 → 2.5.1

data/manual/role/about.markdown

@@ -0,0 +1,10 @@
+Role
+====
+
+A role is a target to which permissions are assigned. Permitting an action on a resource by a role enables the role to perform
+the specified action.
+
+In addition, roles can be "granted to" other roles. When role "A" is granted to role "B", role "B" gains the ability to perform
+all the actions permitted to "A". In addition, a role can be granted with "grant option". When role "A" is granted to role "B" with
+grant option, role "B" can in turn grant role "A" to other roles.
+

data/manual/role/members.markdown

@@ -0,0 +1,40 @@
+Role#members
+============
+
+Lists the roles that have been the recipient of a role grant. The creator of the role is always a role member.
+
+If role "A" is created by user "U" and then granted to roles "B" and "C", then the members of role "A" are [ "U", "B", "C" ].
+
+Examples
+--------
+
+### Command Line
+
+#### Add a role member and list the members
+
+```bash
+$ conjur role:create test:`conjur id:create`
+Created https://authz-v3-conjur.herokuapp.com/sandbox/roles/test/2y1300
+$ conjur role:members test:2y1300
+[
+  "sandbox:user:kgilpin"
+]
+$ conjur host:create
+{
+  "id": "w43699",
+  <snip>
+}
+$ conjur role:grant_to test:2y1300 host:w43699
+Role granted
+$ conjur role:members test:2y1300
+[
+  "sandbox:user:kgilpin",
+  "sandbox:host:w43699"
+]
+```
+
+#### The role argument is optional and defaults to the current role
+
+```bash
+$ conjur role:members
+```

data/manual/role/memberships.markdown

@@ -0,0 +1,26 @@
+Role#memberships
+================
+
+List the roles that a role has been granted, transitively.
+
+If role "A" is granted to role "B" which is granted to role "C", then the memberships of role "C" are [ "C", "B", "A" ].
+
+Examples
+--------
+
+### Command Line
+
+```bash
+$ ns=`conjur id:create`
+$ conjur role:create test:$ns/A
+$ conjur role:create test:$ns/B
+$ conjur role:create test:$ns/C
+$ conjur role:grant_to test:$ns/A test:$ns/B
+$ conjur role:grant_to test:$ns/B test:$ns/C
+$ conjur role:memberships test:$ns/C
+[
+  "sandbox:test:dy7mg0/C",
+  "sandbox:test:dy7mg0/B",
+  "sandbox:test:dy7mg0/A"
+]
+```

data/spec/api/authn_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+require 'cas_rest_client'
+
+describe Conjur::API do
+  let(:host) { 'http://authn.example.com' }
+  let(:user) { 'kmitnick' }
+  let(:password) { 'sikret' }
+
+  before do
+    Conjur::Authn::API.stub host: host
+  end
+
+  describe "::login" do
+    it "gets /users/login" do
+      RestClient::Request.should_receive(:execute).with(
+        method: :get, url: "http://authn.example.com/users/login", user: user,
+        password: password, headers: {}
+      ).and_return(response = double)
+      Conjur::API::login(user, password).should == response
+    end
+  end
+
+  describe "::login_cas" do
+    let(:response) { "response body" }
+    let(:cas_uri) { 'http://cas.example.com' }
+
+    it "uses CasRestClient to authenticate" do
+      stub_const 'CasRestClient', MockCasRestClient.new(double("response", body: response))
+      Conjur::API.login_cas(user, password, cas_uri).should == response
+      CasRestClient.options.should == {
+        username: user,
+        password: password,
+        uri: "http://cas.example.com/v1/tickets",
+        use_cookies: false
+      }
+      CasRestClient.url.should == "http://authn.example.com/users/login"
+    end
+  end
+
+  describe "::authenticate" do
+    it "posts the password and dejsons the result" do
+      RestClient::Request.should_receive(:execute).with(
+        method: :post, url: "http://authn.example.com/users/#{user}/authenticate",
+        payload: password, headers: { content_type: 'text/plain' }
+      ).and_return '{ "response": "foo"}'
+      Conjur::API.authenticate(user, password).should == { 'response' => 'foo' }
+    end
+  end
+end

data/spec/api/groups_spec.rb

@@ -0,0 +1,24 @@
+require 'spec_helper'
+require 'standard_methods_helper'
+
+describe Conjur::API, api: :dummy do
+  subject { api }
+
+  describe '#groups' do
+    it_should_behave_like 'standard_list with', :group, :options do
+      let(:invoke) { subject.groups :options }
+    end
+  end
+
+  describe '#create_group' do
+    it_should_behave_like 'standard_create with', :group, :id, :options do
+      let(:invoke) { subject.create_group :id, :options }
+    end
+  end
+
+  describe '#group' do
+    it_should_behave_like 'standard_show with', :group, :id do
+      let(:invoke) { subject.group :id }
+    end
+  end
+end

data/spec/api/hosts_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+require 'standard_methods_helper'
+
+describe Conjur::API, api: :dummy do
+  describe '::enroll_host' do
+    it "uses Net::HTTP to get something" do
+      response = double "response",
+          code: '200', body: 'foobar'
+      response.stub(:[]).with('Content-Type').and_return 'text/whatever'
+
+      url = URI.parse "http://example.com"
+      Net::HTTP.stub(:get_response).with(url).and_return response
+
+      Conjur::API.enroll_host("http://example.com").should == ['text/whatever', 'foobar']
+    end
+  end
+
+  describe '#create_host' do
+    it_should_behave_like "standard_create with", :host, nil, :options do
+      let(:invoke) { subject.create_host :options }
+    end
+  end
+
+  describe '#host' do
+    it_should_behave_like "standard_show with", :host, :id do
+      let(:invoke) { subject.host :id }
+    end
+  end
+end

data/spec/api/resources_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe Conjur::API, api: :dummy do
+  describe '#create_resource' do
+    it "passes to resource#create" do
+      api.stub(:resource).with(:id).and_return(resource = double)
+      resource.should_receive :create
+
+      api.create_resource(:id).should == resource
+    end
+  end
+
+  describe '#resource' do
+    it "builds a path and creates a resource from it" do
+      res = api.resource "some-account:a-kind:the-id"
+      res.url.should == "#{authz_host}/some-account/resources/a-kind/the-id"
+    end
+  end
+end

data/spec/api/secrets_spec.rb

@@ -0,0 +1,16 @@
+require 'spec_helper'
+require 'standard_methods_helper'
+
+describe Conjur::API, api: :dummy do
+  describe '#create_secret' do
+    it_should_behave_like 'standard_create with', :secret, nil, value: 'val' do
+      let(:invoke) { api.create_secret 'val' }
+    end
+  end
+
+  describe '#secret' do
+    it_should_behave_like 'standard_show with', :secret, :id do
+      let(:invoke) { api.secret :id }
+    end
+  end
+end

data/spec/api/users_spec.rb

@@ -0,0 +1,16 @@
+require 'spec_helper'
+require 'standard_methods_helper'
+
+describe Conjur::API, api: :dummy do
+  describe '#create_user' do
+    it_should_behave_like 'standard_create with', :user, nil, login: 'login', other: true do
+      let(:invoke) { api.create_user 'login', other: true }
+    end
+  end
+
+  describe '#user' do
+    it_should_behave_like 'standard_show with', :user, :login do
+      let(:invoke) { api.user :login }
+    end
+  end
+end

data/spec/api/variables_spec.rb

@@ -0,0 +1,14 @@
+require 'spec_helper'
+require 'standard_methods_helper'
+
+describe Conjur::API, api: :dummy do
+  describe '#create_variable' do
+    let(:invoke) { api.create_variable :type, :kind, other: true }
+    it_should_behave_like 'standard_create with', :variable, nil, mime_type: :type, kind: :kind, other: true
+  end
+
+  describe '#variable' do
+    let(:invoke) { api.variable :id }
+    it_should_behave_like 'standard_show with', :variable, :id
+  end
+end

data/spec/cas_rest_client.rb

@@ -0,0 +1,17 @@
+class MockCasRestClient
+  def initialize response
+    @response = response
+  end
+
+  def new options
+    @options = options
+    self
+  end
+
+  def get url
+    @url = url
+    @response
+  end
+
+  attr_reader :options, :url
+end

data/spec/io_helper.rb

@@ -0,0 +1,18 @@
+class IO
+  def grab &block
+    @grabbed_output = ""
+    class << self
+      def write arg
+        @grabbed_output += arg
+      end
+    end
+
+    begin
+      yield
+    ensure
+      singleton_class.send :remove_method, :write
+    end
+
+    @grabbed_output
+  end
+end

data/spec/lib/build_from_response_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe Conjur::BuildFromResponse do
+  describe "::build_from_response", logging: :temp do
+    let(:location) { "http://example.com" }
+    let(:attrs) {{ 'some' => 'foo', 'other' => 'bar' }}
+    let(:response) do
+      double "response", headers: { location: location }, body: attrs.to_json
+    end
+    subject { double "class", name: 'some' }
+    let(:constructed) { double "object" }
+    let(:credentials) { "whatever" }
+
+    before do
+      subject.extend Conjur::BuildFromResponse
+      subject.should_receive(:new).with(location, credentials).and_return constructed
+      constructed.should_receive(:attributes=).with attrs
+
+      constructed.extend Conjur::LogSource
+      constructed.stub username: 'whatever'
+    end
+
+    it "passes the location credentials and attributes" do
+      subject.build_from_response response, credentials
+    end
+
+    context "with a resource(-ish) class" do
+      before do
+        constructed.stub resource_kind: 'chunky', resource_id: 'bacon'
+      end
+
+      it "logs creation correctly" do
+        subject.build_from_response response, credentials
+        log.should =~ /Created chunky bacon/
+      end
+    end
+
+    context "with a id(-ish) class" do
+      before do
+        constructed.stub id: 'bacon'
+      end
+
+      it "logs creation correctly" do
+        subject.build_from_response response, credentials
+        log.should =~ /Created some bacon/
+      end
+    end
+  end
+end

data/spec/lib/host_spec.rb

@@ -1,14 +1,18 @@
 require 'spec_helper'
 
-describe Conjur::Host do
-  let(:login) { 'the-login' }
-  let(:api_key) { 'the-api-key' }
-  let(:credentials) { { user: login, password: api_key } }
-  let(:account) { 'test-account' }
+describe Conjur::Host, api: :dummy do
+  subject { Conjur::Host.new 'http://example.com/hosts/my/hostname', nil }
 
-  before { Conjur::Core::API.stub conjur_account: account }
+  its(:resource) { should be }
+  its(:login) { should == 'host/my/hostname' }
 
-  subject { Conjur::Host.new 'hostname', credentials }
+  let(:api_key) { 'theapikey' }
+  before { subject.attributes = { 'api_key' => api_key } }
+  its(:api_key) { should == api_key }
 
-  its(:resource) { should be }
+  it "fetches enrollment_url" do
+    stub_request(:head, "http://example.com/hosts/my/hostname/enrollment_url").
+         to_return(:status => 200, :headers => {location: 'foo'})
+    subject.enrollment_url.should == 'foo'
+  end
 end

data/spec/lib/log_source_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe Conjur::LogSource, logging: :temp, api: :dummy do
+  describe "#log" do
+    it "adds a username to the log" do
+      api.log do |log|
+        log << 'foo'
+      end
+
+      log.should == "[#{username}] foo\n"
+    end
+  end
+end

data/spec/lib/log_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+require 'io_helper'
+require 'tempfile'
+
+describe Conjur do
+  describe '::log=' do
+    before { @old_log = Conjur.log }
+    let(:log) { double 'log' }
+    it "creates the log with given type and makes it available" do
+      Conjur.stub(:create_log).with(:param).and_return log
+      Conjur::log = :param
+      Conjur::log.should == log
+    end
+    after { Conjur.class_variable_set :@@log, @old_log }
+  end
+
+  describe '::create_log' do
+    let(:log) { Conjur::create_log param }
+    context "with 'stdout'" do
+      let(:param) { 'stdout' }
+      it "creates something which writes to STDOUT" do
+        STDOUT.grab { log << "foo" }.should == 'foo'
+      end
+    end
+
+    context "with 'stderr'" do
+      let(:param) { 'stderr' }
+      it "creates something which writes to STDERR" do
+        STDERR.grab { log << "foo" }.should == 'foo'
+      end
+    end
+
+    context "with a filename" do
+      let(:tempfile) { Tempfile.new 'spec' }
+      let(:param) { tempfile.path }
+      it "creates something which writes to the file" do
+        log << "foo"
+        tempfile.read.should == "foo"
+      end
+    end
+  end
+end

data/spec/lib/resource_spec.rb

@@ -1,13 +1,13 @@
 require 'spec_helper'
 
-describe Conjur::Resource do
+describe Conjur::Resource, api: :dummy, logging: :temp do
   let(:account) { "the-account" }
   let(:uuid) { "ddd1f59a-494d-48fb-b045-0374c4a6eef9" }
-  
+
   context "identifier" do
     include Conjur::Escape
     let(:resource) { Conjur::Resource.new("#{Conjur::Authz::API.host}/#{account}/resources/#{kind}/#{path_escape identifier}") }
-    
+
     context "Object with an #id" do
       let(:kind) { "host" }
       let(:identifier) do
@@ -17,7 +17,7 @@ describe Conjur::Resource do
         resource.identifier.should == "foobar"
       end
     end
-    
+
     [ [ "foo", "bar/baz" ], [ "f:o", "bar" ], [ "@f", "bar.baz" ], [ "@f", "bar baz" ], [ "@f", "@:bar/baz" ] ].each do |p|
       context "of /#{p[0]}/#{p[1]}" do
         let(:kind) { p[0] }
@@ -33,4 +33,97 @@ describe Conjur::Resource do
       end
     end
   end
-end
+
+  let(:uri) { "#{authz_host}/some-account/resources/the-kind/resource-id" }
+  subject { Conjur::Resource.new uri }
+
+  describe '#create' do
+    it "simply puts" do
+      RestClient::Request.should_receive(:execute).with(
+        method: :put,
+        url: uri,
+        payload: {},
+        headers: {}
+      ).and_return "new resource"
+      subject.create.should == "new resource"
+    end
+  end
+
+  describe '#permitted_roles' do
+    it 'gets the list from /roles/allowed_to' do
+      RestClient::Request.should_receive(:execute).with(
+        method: :get,
+        url: "http://authz.example.com/some-account/roles/allowed_to/nuke/the-kind/resource-id",
+        headers: {}
+      ).and_return '["foo", "bar"]'
+
+      subject.permitted_roles("nuke").should == ['foo', 'bar']
+    end
+  end
+
+  describe '#give_to' do
+    it "puts the owner field" do
+      RestClient::Request.should_receive(:execute).with(
+        method: :put,
+        url: uri,
+        payload: {owner: 'new-owner' },
+        headers: {}
+      )
+
+      subject.give_to 'new-owner'
+    end
+  end
+
+  describe '#delete' do
+    it 'simply deletes' do
+      RestClient::Request.should_receive(:execute).with(
+        method: :delete,
+        url: uri,
+        headers: {}
+      )
+
+      subject.delete
+    end
+  end
+
+  describe '#permit' do
+    it 'posts permit for every privilege' do
+      privileges = [:nuke, :fry]
+      privileges.each do |p|
+        RestClient::Request.should_receive(:execute).with(
+          method: :post,
+          url: uri + "/?permit&privilege=#{p}&role=dr-strangelove",
+          headers: {},
+          payload: {}
+        )
+      end
+      subject.permit privileges, "dr-strangelove"
+    end
+  end
+
+  describe '#deny' do
+    it 'posts deny for every privilege' do
+      privileges = [:nuke, :fry]
+      privileges.each do |p|
+        RestClient::Request.should_receive(:execute).with(
+          method: :post,
+          url: uri + "/?deny&privilege=#{p}&role=james-bond",
+          headers: {},
+          payload: {}
+        )
+      end
+      subject.deny privileges, "james-bond"
+    end
+  end
+
+  describe '#permitted?' do
+    it 'gets the ?permitted? action' do
+      RestClient::Request.should_receive(:execute).with(
+        method: :get,
+        url: uri + "/?check&privilege=fry",
+        headers: {}
+      )
+      subject.permitted? 'fry'
+    end
+  end
+end