conjur-api 2.7.1 → 4.1.1

data/lib/conjur/resource.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 module Conjur
   class Resource < RestClient::Resource
     include Exists

data/lib/conjur/role.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 require 'conjur/role_grant'
 
 module Conjur
@@ -24,32 +44,25 @@ module Conjur
       end
       self.put(options)
     end
-    
+   
     def all(options = {})
-      JSON.parse(self["?all"].get(options)).collect do |id|
-        id = [ id['account'], id['id'] ].join(':')
+      query_string = "?all"
+      
+      if filter = options.delete(:filter)
+        filter = [filter] unless filter.is_a?(Array)
+        (query_string << "&" << filter.to_query("filter")) unless filter.empty?
+      end
+      JSON.parse(self[query_string].get(options)).collect do |id|
         Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(id).join('/')]
       end
     end
     
-    def grant_to(member, *args)
-      if Conjur::API::VERSION < "3.0.0"
-        options = args[-1]
-        if args.length > 1
-          warning = "WARNING: Deprecated arguments to grant_to. Please put admin_option in the options hash."
-          options[:admin_option] = args[0]
-        end
-
-        unless options.nil? || options.is_a?(Hash)
-          warning = "WARNING: Deprecated arguments to grant_to. Please put admin_option in the options hash."
-          options = { admin_option: options }
-        end
-      else
-        raise "Please remove the deprecated API in 3.0 and change the method signature to grant_to(member, options)"
-      end
-
+    def member_of?(other_role)
+      not all(filter: (other_role.roleid rescue other_role)).empty?
+    end
+    
+    def grant_to(member, options={})
       log do |logger|
-        logger << warning if warning
         logger << "Granting role #{identifier} to #{member}"
         unless options.blank?
           logger << " with options #{options.to_json}"
@@ -68,8 +81,9 @@ module Conjur
       self["?members&member=#{query_escape member}"].delete(options)
     end
 
-    def permitted?(resource_kind, resource_id, privilege, options = {})
-      self["?check&resource_kind=#{query_escape resource_kind}&resource_id=#{query_escape resource_id}&privilege=#{query_escape privilege}"].get(options)
+    def permitted?(resource_id, privilege, options = {})
+      # NOTE: in previous versions there was 'kind' passed separately. Now it is part of id
+      self["?check&resource_id=#{query_escape resource_id}&privilege=#{query_escape privilege}"].get(options)
       true
     rescue RestClient::ResourceNotFound
       false

data/lib/conjur/role_grant.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 module Conjur
   RoleGrant = Struct.new(:member, :grantor, :admin_option) do
     class << self

data/lib/conjur/secret.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 module Conjur
   class Secret < RestClient::Resource
     include ActsAsAsset

data/lib/conjur/standard_methods.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 module Conjur
   module StandardMethods
     require 'active_support/core_ext'
@@ -19,9 +39,11 @@ module Conjur
     end
     
     def standard_list(host, type, options)
-      JSON.parse(RestClient::Resource.new(host, credentials)[type.to_s.pluralize].get(options)).collect do |json|
-        send(type, fully_escape(json['id'])).tap do |obj|
-          obj.attributes = json
+      JSON.parse(RestClient::Resource.new(host, credentials)[type.to_s.pluralize].get(options)).collect do |item|
+        if item.is_a? String  # lists w/o details are just list of ids 
+          send(type, fully_escape(item)) 
+        else                  # list w/ details consists of hashes
+          send(type, fully_escape(item['id'])).tap { |obj| obj.attributes=item }
         end
       end
     end

data/lib/conjur/user.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 module Conjur
   class InvalidToken < Exception
   end
@@ -8,4 +28,4 @@ module Conjur
     
     alias login id
   end
-end
+end

data/lib/conjur/variable.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 module Conjur
   class Variable < RestClient::Resource
     include ActsAsAsset
@@ -21,4 +41,4 @@ module Conjur
       self[url].get.body
     end
   end
-end
+end

data/spec/lib/api_spec.rb

@@ -35,22 +35,81 @@ shared_examples_for "API endpoint" do
 end
 
 describe Conjur::API do
-  context "parse_role_id" do
-    subject { Conjur::API }
-    specify {
-      Conjur::Core::API.should_receive(:conjur_account).and_return 'ci'      
-      subject.parse_role_id('foo:bar').should == [ 'ci', 'roles', 'foo', 'bar' ]
-    }
-    specify {
-      subject.parse_role_id('biz:foo:bar').should == [ 'biz', 'roles', 'foo', 'bar' ]
-    }
-    specify {
-      subject.parse_role_id('biz:foo:bar/12').should == [ 'biz', 'roles', 'foo', 'bar/12' ]
-    }
-    specify {
-      subject.parse_role_id('biz:foo:bar:12').should == [ 'biz', 'roles', 'foo', 'bar:12' ]
-    }
+  describe "provides functions for id parsing" do
+    describe "#parse_id(id, kind)" do
+      subject { Conjur::API } 
+      let (:kind) { "sample-kind" }
+
+      it "fails  on non-string ids" do
+        expect { subject.parse_id({}, kind) }.to raise_error
+      end
+      
+      it "fails on malformed ids (<2 tokens)" do
+        expect { subject.parse_id("foo", kind) }.to raise_error
+        expect { subject.parse_id("", kind) }.to raise_error
+        expect { subject.parse_id(nil, kind) }.to raise_error
+      end
+     
+      describe "returns array of [account, kind, subkind, id]" do
+        subject { Conjur::API.parse_id(id, kind) }
+        def escaped smth ; Conjur::API.path_escape(smth) ; end
+        
+        context "for short id (2 tokens)" do
+          let(:id) { "token#1:token#2" }
+          let(:current_account) { "current_account" }
+          before(:each) { Conjur::Core::API.stub(:conjur_account).and_return current_account }
+
+          it "account: current account" do
+            subject[0].should == current_account
+          end
+
+          it "kind: passed kind" do
+            subject[1].should == kind
+          end
+
+          it "subkind: token #1 (escaped)" do
+            subject[2].should == escaped("token#1")
+          end
+
+          it "id: token #2 (escaped)" do
+            subject[3].should == escaped("token#2")
+          end
+        end
+
+        context "for long ids (3+ tokens)" do
+          let(:id) { "token#1:token#2:token#3:token#4" }
+          it "account: token #1 (escaped)" do
+            subject[0].should == escaped("token#1")
+          end
+
+          it "kind: passed kind" do
+            subject[1].should  == kind
+          end
+          it "subkind: token #2 (escaped)" do
+            subject[2].should == escaped("token#2")
+          end
+          it "id: tail of id starting from token#3" do
+            subject[3].should == escaped("token#3:token#4")
+          end
+        end
+
+      end
+    end 
+    describe "wrapper functions" do
+      let(:result) { [:account,:kind,:id] }
+      let(:id)     { :input_id }
+
+      it "#parse_role_id(id): calls parse_id(id, 'roles') and returns result" do
+        Conjur::API.should_receive(:parse_id).with(id, 'roles').and_return(result)
+        Conjur::API.parse_role_id(id).should == result
+      end
+      it "#parse_resource_id(id): calls parse_id(id, 'resources') and returns result" do
+        Conjur::API.should_receive(:parse_id).with(id, 'resources').and_return(result)
+        Conjur::API.parse_resource_id(id).should == result
+      end
+    end
   end
+
   context "host construction" do
     context "of authn service" do
       let(:port_offset) { 0 }
@@ -67,6 +126,8 @@ describe Conjur::API do
         }
         context "in stage" do
           before(:each) do
+            # Looks at "ENV['CONJUR_STACK']" first, stub this out
+            ENV.stub(:[]).with('CONJUR_STACK').and_return nil
             Conjur.stub(:env).and_return "stage"
           end
           its "default_host" do
@@ -75,19 +136,30 @@ describe Conjur::API do
         end
         context "in ci" do
           before(:each) do
+            # Looks at "ENV['CONJUR_STACK']" first, stub this out
+            ENV.stub(:[]).with('CONJUR_STACK').and_return nil
             Conjur.stub(:env).and_return "ci"
           end
           its "default_host" do
             should == "https://authz-ci-conjur.herokuapp.com"
           end
         end
+        context "when ENV['CONJUR_STACK'] is set to 'v12'" do
+          before do
+            ENV.stub(:[]).and_call_original
+            ENV.stub(:[]).with('CONJUR_STACK').and_return 'v12'
+            # If the "real" env is used ('test') then the URL is always localhost:<someport>
+            Conjur.stub(:env).and_return "ci"
+          end
+          its(:default_host){ should == "https://authz-v12-conjur.herokuapp.com"}
+        end
       end
       context "in production" do
         before(:each) do
           Conjur.stub(:env).and_return "production"
         end
         its "default_host" do
-          should == "https://authz-v3-conjur.herokuapp.com"
+          should == "https://authz-v4-conjur.herokuapp.com"
         end
       end
       context "in named production version" do
@@ -142,7 +214,7 @@ describe Conjur::API do
     end
 
     it "returns an appropriate role kind when username is qualified" do
-      api.role_from_username("host/foobar").roleid.should == "#{account}:host:foobar"
+      api.role_from_username("host/foo/bar").roleid.should == "#{account}:host:foo/bar"
     end
   end
 

data/spec/lib/role_spec.rb

@@ -35,25 +35,10 @@ describe Conjur::Role, api: :dummy do
     it "works without arguments" do
       members = double "members request"
       subject.should_receive(:[]).with('?members&member=other').and_return(members)
-      members.should_receive(:put).with nil
+      members.should_receive(:put).with({})
       subject.grant_to "other"
     end
 
-    context deprecated: 'v3' do # remove in 3.0
-      it "should also accept the deprecated argument format with extra options" do
-        members = double "members request"
-        subject.should_receive(:[]).with('?members&member=other').and_return(members)
-        members.should_receive(:put).with admin_option: true, foo: 'bar'
-        subject.grant_to "other", true, foo: 'bar'
-      end
-
-      it "should also accept the deprecated argument format without extra options" do
-        members = double "members request"
-        subject.should_receive(:[]).with('?members&member=other').and_return(members)
-        members.should_receive(:put).with admin_option: true, foo: 'bar'
-        subject.grant_to "other", true, foo: 'bar'
-      end
-    end
   end
 
   describe '#create' do
@@ -70,7 +55,7 @@ describe Conjur::Role, api: :dummy do
 
   describe '#all' do
     it 'returns roles for ids got from ?all' do
-      roles = [{'account' => 'foo', 'id' => 'k:bar'}, {'account' => 'baz', 'id' => 'k:xyzzy'}]
+      roles = ['foo:k:bar', 'baz:k:xyzzy'] 
       RestClient::Request.should_receive(:execute).with(
         method: :get,
         url: role.url + "/?all",
@@ -82,6 +67,45 @@ describe Conjur::Role, api: :dummy do
       all[1].account.should == 'baz'
       all[1].id.should == 'xyzzy'
     end
+    
+    
+    describe "filter param" do
+      def self.it_passes_the_filter_as(query_string)
+        it "calls ?all&#{query_string}" do
+          RestClient::Request.should_receive(:execute).with(
+            method: :get,
+            url: role.url + "/?all&#{query_string}",
+            headers:{}
+          ).and_return([].to_json)
+          role.all filter: filter
+        end
+      end
+      context "when a string" do
+        let(:filter){ 'string' }
+        it_passes_the_filter_as ['string'].to_query('filter')
+      end
+
+      context "when an array" do
+        let(:filter){ ['foo', 'bar'] }
+        it_passes_the_filter_as ['foo', 'bar'].to_query('filter')
+      end
+    end
+
+  end
+  
+  describe '#member_of?' do
+    it 'calls #all with :filter=>id and returns true if the result is non-empty' do
+      role.should_receive(:all).with(filter: 'the filter').and_return ['an id']
+      role.member_of?('the filter').should be_true
+      role.should_receive(:all).with(filter: 'the filter').and_return []
+      role.member_of?('the filter').should be_false
+    end
+    
+    it "accepts a Role" do
+      other = double('Role', roleid: 'foo')
+      role.should_receive(:all).with(filter: other.roleid).and_return []
+      role.member_of?(other)
+    end
   end
 
   describe '#revoke_from' do
@@ -99,7 +123,7 @@ describe Conjur::Role, api: :dummy do
     before do
       RestClient::Request.stub(:execute).with(
         method: :get,
-        url: role.url + "/?check&resource_kind=chunky&resource_id=bacon&privilege=fry",
+        url: role.url + "/?check&resource_id=chunky:bacon&privilege=fry",
         headers: {}
       ) { result }
     end
@@ -107,14 +131,14 @@ describe Conjur::Role, api: :dummy do
     context "when get ?check is successful" do
       let(:result) { :ok }
       it "returns true" do
-        role.permitted?('chunky', 'bacon', 'fry').should be_true
+        role.permitted?('chunky:bacon', 'fry').should be_true
       end
     end
 
     context "when get ?check not found" do
       let(:result) { raise RestClient::ResourceNotFound, 'foo' }
       it "returns false" do
-        role.permitted?('chunky', 'bacon', 'fry').should be_false
+        role.permitted?('chunky:bacon', 'fry').should be_false
       end
     end
   end