conjur-api 4.1.1 → 4.3.0

data/Rakefile

@@ -1,5 +1,6 @@
 #!/usr/bin/env rake
 require "bundler/gem_tasks"
+require "yard"
 
 begin
   require 'rspec/core/rake_task'
@@ -10,6 +11,8 @@ rescue LoadError
   $stderr.puts "RSpec Rake tasks not available in environment #{ENV['RACK_ENV']}"
 end
 
+YARD::Rake::YardocTask.new(:yard)
+
 task :jenkins do
   if ENV['BUILD_NUMBER']
     File.write('build_number', ENV['BUILD_NUMBER'])
@@ -17,6 +20,7 @@ task :jenkins do
   require 'ci/reporter/rake/rspec'
   Rake::Task["ci:setup:rspec"].invoke
   Rake::Task["spec"].invoke
+  Rake::Task["yard"].invoke
 end
 
 task default: :spec

data/conjur-api.gemspec

@@ -15,6 +15,9 @@ Gem::Specification.new do |gem|
   gem.name          = "conjur-api"
   gem.require_paths = ["lib"]
   gem.version       = Conjur::API::VERSION
+
+  gem.required_ruby_version = '>= 1.9'
+
   
   gem.add_dependency 'rest-client'
   gem.add_dependency 'activesupport'
@@ -26,4 +29,6 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'ci_reporter'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'io-grab'
+  gem.add_development_dependency 'yard'
+  gem.add_development_dependency 'redcarpet'
 end

data/lib/conjur-api/version.rb

@@ -20,6 +20,6 @@
 #
 module Conjur
   class API
-    VERSION = "4.1.1"
+    VERSION = "4.3.0"
   end
 end

data/lib/conjur/acts_as_asset.rb

@@ -29,5 +29,22 @@ module Conjur
         include HasAttributes
       end
     end
+      
+    def add_member(role_name, member, options = {})
+      owned_role(role_name).grant_to member, options
+    end
+    
+    def remove_member(role_name, member)
+      owned_role(role_name).revoke_from member
+    end
+    
+    protected
+    
+    def owned_role(role_name)
+      tokens = [ resource_kind, resource_id, role_name ]
+      grant_role = [ core_conjur_account, '@', tokens.join('/') ].join(':')
+      require 'conjur/role'
+      Conjur::Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(grant_role).join('/')]
+    end
   end
 end

data/lib/conjur/acts_as_resource.rb

@@ -26,6 +26,10 @@ module Conjur
       Conjur::Resource.new(Conjur::Authz::API.host, self.options)[[ core_conjur_account, 'resources', path_escape(resource_kind), path_escape(resource_id) ].join('/')]
     end
     
+    def resourceid
+      [ core_conjur_account, resource_kind, resource_id ].join(':')
+    end
+    
     def resource_kind
       require 'active_support/core_ext'
       self.class.name.split("::")[-1].underscore.split('/').join('-')
@@ -39,5 +43,13 @@ module Conjur
       resource.delete
       super
     end
+    
+    def permit(privilege, role, options = {})
+      resource.permit privilege, role, options
+    end
+    
+    def deny(privilege, role)
+      resource.deny privilege, role
+    end
   end
 end

data/lib/conjur/acts_as_role.rb

@@ -34,5 +34,17 @@ module Conjur
       require 'conjur/role'
       Conjur::Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(self.roleid).join('/')]
     end
+    
+    # Permit this role to perform a privileged action.
+    def can(privilege, resource, options = {})
+      require 'conjur/resource'
+      Conjur::Resource.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_resource_id(resource).join('/')].permit privilege, self.roleid, options
+    end
+
+    # Deny this role from performing perform a privileged action.
+    def cannot(privilege, resource, options = {})
+      require 'conjur/resource'
+      Conjur::Resource.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_resource_id(resource).join('/')].deny privilege, self.roleid
+    end
   end
 end

data/lib/conjur/acts_as_user.rb

@@ -25,5 +25,13 @@ module Conjur
         include ActsAsRole
       end
     end
+    
+    def api_key
+      attributes['api_key'] or raise "api_key is only available on a newly created #{self.class.name.downcase}"
+    end
+    
+    def api
+      Conjur::API.new_from_key login, api_key
+    end
   end
 end

data/lib/conjur/api.rb

@@ -31,6 +31,7 @@ require 'conjur/has_id'
 require 'conjur/acts_as_asset'
 require 'conjur/authn-api'
 require 'conjur/authz-api'
+require 'conjur/audit-api'
 require 'conjur/core-api'
 require 'conjur-api/version'
 

data/lib/conjur/api/audit.rb

@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+module Conjur
+  class API
+    # Return audit events related to the given role_id.  Identitical to audit_events
+    # except that a String may be given instead of a Role object.
+    # @param role_id [String] the role for which events should be returned.
+    def audit_role role, options={}
+      audit_event_feed 'role', (role.roleid rescue role), options
+    end
+    
+    
+    # Return audit events related to the current authenticated role.
+    def audit_current_role options={}
+      audit_event_feed 'role', nil, options
+    end
+    
+    # Return audit events related to the given resource
+    def audit_resource resource, options={}
+      audit_event_feed 'resource', (resource.resourceid rescue resource), options
+    end
+    
+    private
+    def audit_event_feed kind, identifier=nil, options={}
+      path = "feeds/#{kind}"
+      path << "/#{CGI.escape identifier}" if identifier
+      query = options.slice(:limit, :offset)
+      path << "?#{query.to_param}" unless query.empty?
+      parse_response RestClient::Resource.new(Conjur::Audit::API.host, credentials)[path].get
+    end
+    
+    def parse_response response
+      JSON.parse response
+    end
+  end
+end

data/lib/conjur/audit-api.rb

@@ -0,0 +1,42 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+module Conjur
+  module Audit
+    class API < Conjur::API
+      class << self
+        def host
+          ENV['CONJUR_AUDIT_URL'] || default_host
+        end
+        
+        def default_host
+          case Conjur.env
+            when 'test', 'development'
+              "http://localhost:#{Conjur.service_base_port + 300}"
+            else 
+              "https://audit-#{Conjur.stack}-conjur.herokuapp.com"
+          end
+        end
+      end
+    end
+  end
+end
+require 'conjur/api/audit'

data/lib/conjur/base.rb

@@ -40,12 +40,26 @@ module Conjur
     class << self
       # Parse a role id into [ account, 'roles', kind, id ]
       def parse_role_id(id)
-        parse_id id, 'roles'
+        id = id.role if id.respond_to?(:role)
+        if id.is_a?(Role)
+          [ id.account, 'roles', id.kind, id.identifier ]
+        elsif id.respond_to?(:role_kind)
+          [ Conjur::Core::API.conjur_account, 'roles', id.role_kind, id.identifier ]
+        else
+          parse_id id, 'roles'
+        end
       end
 
       # Parse a resource id into [ account, 'resources', kind, id ]
       def parse_resource_id(id)
-        parse_id id, 'resources'
+        id = id.resource if id.respond_to?(:resource)
+        if id.is_a?(Resource)
+          [ id.account, 'resources', id.kind, id.identifier ]
+        elsif id.respond_to?(:resource_kind)
+          [ Conjur::Core::API.conjur_account, 'resources', id.resource_kind, id.resource_id ]
+        else
+          parse_id id, 'resources'
+        end
       end
     
       # Converts flat id into path components, with mixed-in "super-kind" 

data/lib/conjur/group.rb

@@ -22,5 +22,13 @@ module Conjur
   class Group < RestClient::Resource
     include ActsAsAsset
     include ActsAsRole
+    
+    def add_member(member, options = {})
+      role.grant_to member, options
+    end
+    
+    def remove_member(member)
+      role.revoke_from member
+    end
   end
 end

data/lib/conjur/resource.rb

@@ -28,6 +28,13 @@ module Conjur
       match_path(3..-1)
     end
     
+    # Name convention according to Role#roleid.  
+    def resourceid 
+      [account, kind, identifier].join ':'
+    end
+    
+    alias :resource_id :resourceid
+    
     def create(options = {})
       log do |logger|
         logger << "Creating resource #{kind}:#{identifier}"
@@ -67,7 +74,12 @@ module Conjur
           end
         end
         
-        self["?permit&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
+        begin
+          self["?permit&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
+        rescue RestClient::Forbidden
+          # TODO: Remove once permit is idempotent
+          raise $! unless $!.http_body == "Privilege already granted."
+        end
       end
     end
     
@@ -98,4 +110,4 @@ module Conjur
       item.respond_to?(:each) ? item : [ item ]
     end
   end
-end
+end

data/lib/conjur/variable.rb

@@ -22,6 +22,9 @@ module Conjur
   class Variable < RestClient::Resource
     include ActsAsAsset
     
+    def kind; attributes['kind']; end
+    def mime_type; attributes['mime_type']; end
+    
     def add_value value
       log do |logger|
         logger << "Adding a value to variable #{id}"

data/spec/lib/asset_spec.rb

@@ -0,0 +1,80 @@
+require 'spec_helper'
+
+describe Conjur::ActsAsAsset do
+  let(:asset) { Object.new }
+  before {
+    class << asset
+      include Conjur::ActsAsAsset
+      
+      def options
+        OPTIONS
+      end
+    end
+  }
+  let(:invoke) {
+    send action
+  }
+  let(:add_member) {
+    asset.add_member ROLE, MEMBER, OPTIONS
+  }
+  let(:remove_member) {
+    asset.remove_member ROLE, MEMBER
+  }
+
+  shared_context "asset with role" do
+    before(:each) {
+      asset.stub(:core_conjur_account).and_return(ACCOUNT)
+      asset.stub(:resource_kind).and_return(KIND)
+      asset.stub(:resource_id).and_return(ID)
+      Conjur::Role.stub(:new).and_return(role_base)
+    }
+    let(:role_base) {
+      double(:"[]" => role_instance)
+    }
+    let(:role_instance) { 
+      double(grant_to: true, revoke_from: true)
+    }
+  end
+  
+  shared_examples_for "it obtains role via asset" do
+    it "account=asset.core_conjur_account" do
+      asset.should_receive(:core_conjur_account)
+      invoke
+    end
+    it "kind=asset.resource_kind" do
+      asset.should_receive(:resource_kind)
+      invoke
+    end
+    it "id=asset.resource_id" do
+      asset.should_receive(:resource_id)
+      invoke
+    end
+    
+    it "obtains role as #{ACCOUNT}:@:#{KIND}/#{ID}/#{ROLE}" do
+      Conjur::Role.should_receive(:new).with("http://localhost:5100", {}).and_return role_base
+      role_base.should_receive(:[]).with("#{CGI.escape ACCOUNT}/roles/@/#{KIND}/#{ID}/#{CGI.escape ROLE}").and_return role_instance
+      
+      invoke
+    end   
+  end
+  
+  describe "#add_member" do
+    let(:action) { :add_member }
+    include_context "asset with role"
+    it_behaves_like "it obtains role via asset"
+    it 'calls role.grant_to(member,...)' do
+      role_instance.should_receive(:grant_to).with(MEMBER, anything)
+      invoke
+    end
+  end
+  
+  describe "#remove_member" do
+    let(:action) { :remove_member }
+    include_context "asset with role"
+    it_behaves_like "it obtains role via asset"
+    it 'calls role.revoke_from(member)' do
+      role_instance.should_receive(:revoke_from).with(MEMBER)
+      invoke
+    end
+  end
+end

data/spec/lib/audit_spec.rb

@@ -0,0 +1,102 @@
+require 'spec_helper'
+
+describe Conjur::API, api: :dummy do 
+  describe "audit API methods" do
+    
+    let(:options){ {limit:20, offset: 51, some_unwanted_option: 'heloo!'} }
+    let(:expected_options){ options.slice(:limit, :offset) }
+    let(:response){ ['some event'] }
+    let(:include_options){ false }
+    let(:query){ include_options ? '?' + expected_options.to_query : '' }
+    let(:expected_path){ nil }
+    let(:expected_url){ "#{Conjur::Audit::API.host}/#{expected_path}#{query}" }
+    
+    def expect_request
+      RestClient::Request.should_receive(:execute).with(
+        user: credentials,
+        password: nil,
+        headers: {},
+        url: expected_url,
+        method: :get
+      ).and_return response.to_json
+    end
+    
+    
+    describe "#audit_role" do
+      let(:role_id){ 'acct:user:foobar' }
+      let(:role){ double('role', roleid: role_id) }
+      let(:expected_path){ "feeds/role/#{CGI.escape role_id}" }
+      let(:args){ [role_id] }
+      let(:full_args){ include_options ? args + [options] : args }
+      shared_examples_for "gets roles feed" do
+        it "GETs feeds/role/:role_id" do
+          expect_request
+          api.audit_role(*full_args).should == response
+        end
+      end
+      
+      context "when called with a role id" do
+        let(:args){ [role_id] }
+        it_behaves_like "gets roles feed"
+      end
+      
+      context "when called with a role instance" do
+        let(:audit_role_args){ [role] }
+        it_behaves_like "gets roles feed"
+      end
+      
+      context "when called with pagination options" do
+        let(:include_options){ true }
+        let(:args){ [ role_id ] }
+        it_behaves_like  "gets roles feed"
+      end
+    end
+    
+    describe "#audit_current_role" do
+      let(:expected_path){ "feeds/role" }
+      let(:args){ include_options ? [options] : [] }
+      shared_examples_for "gets current role feed" do
+        it "GETS feeds/role" do
+          expect_request
+          api.audit_current_role(*args).should == response
+        end
+      end
+      context "when called with no args" do 
+        it_behaves_like "gets current role feed"
+      end
+      context "when called with pagination options" do
+        let(:include_options){ true }
+        it_behaves_like "gets current role feed"
+      end
+    end
+    
+    describe "#audit_resource" do
+      let(:resource_id){ 'acct:food:bacon' }
+      let(:resource){ double('resource', resourceid: resource_id) }
+      let(:expected_path){ "feeds/resource/#{CGI.escape resource_id}" }
+      let(:args){[resource_id]}
+      let(:full_args){ include_options ? args + [options] : args }
+      shared_examples_for "gets the resource feed" do
+        it "GETS feeds/resource/:resource_id" do
+          expect_request
+          api.audit_resource(*full_args).should == response
+        end
+      end
+      
+      context "when called with resource id" do
+        let(:args){ [resource_id] }
+        it_behaves_like "gets the resource feed"
+      end
+      
+      context "when called with resource instance" do
+        let(:args){ [resource] }
+        it_behaves_like "gets the resource feed"
+      end
+      
+      context "when called with pagination options" do
+        let(:include_options) { true }
+        it_behaves_like "gets the resource feed"
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -82,10 +82,20 @@ end
 
 require 'conjur/api'
 
+KIND="asset_kind"
+ID="unique_id" 
+ROLE='<role>'
+MEMBER='<member>'
+PRIVILEGE='<privilege>'
+OWNER='<owner/userid>'
+ACCOUNT='<core_account>'
+OPTIONS={}
+
 shared_context api: :dummy do
   let(:username) { "user" }
   let(:api){ Conjur::API.new_from_key username, 'key' }
   let(:authz_host) { 'http://authz.example.com' }
+  let(:audit_host) { 'http://audit.example.com' }
   let(:credentials) { double "fake credentials" }
   let(:core_host) { 'http://core.example.com' }
   let(:account) { 'the-account' }
@@ -94,6 +104,7 @@ shared_context api: :dummy do
     Conjur::Authz::API.stub host: authz_host
     Conjur::Core::API.stub host: core_host
     Conjur::Core::API.stub conjur_account: account
+    Conjur::Audit::API.stub host:audit_host
     api.stub credentials: credentials
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 4.3.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-24 00:00:00.000000000 Z
+date: 2013-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -156,6 +156,38 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: redcarpet
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Conjur API
 email:
 - divided.mind@gmail.com
@@ -183,6 +215,7 @@ files:
 - lib/conjur/acts_as_role.rb
 - lib/conjur/acts_as_user.rb
 - lib/conjur/api.rb
+- lib/conjur/api/audit.rb
 - lib/conjur/api/authn.rb
 - lib/conjur/api/groups.rb
 - lib/conjur/api/hosts.rb
@@ -191,6 +224,7 @@ files:
 - lib/conjur/api/secrets.rb
 - lib/conjur/api/users.rb
 - lib/conjur/api/variables.rb
+- lib/conjur/audit-api.rb
 - lib/conjur/authn-api.rb
 - lib/conjur/authz-api.rb
 - lib/conjur/base.rb
@@ -225,6 +259,8 @@ files:
 - spec/api/variables_spec.rb
 - spec/cas_rest_client.rb
 - spec/lib/api_spec.rb
+- spec/lib/asset_spec.rb
+- spec/lib/audit_spec.rb
 - spec/lib/build_from_response_spec.rb
 - spec/lib/exists_spec.rb
 - spec/lib/host_spec.rb
@@ -254,10 +290,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
-      version: '0'
-      segments:
-      - 0
-      hash: 2013228503366139163
+      version: '1.9'
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -266,7 +299,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2013228503366139163
+      hash: 1370688255515528538
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.25
@@ -288,6 +321,8 @@ test_files:
 - spec/api/variables_spec.rb
 - spec/cas_rest_client.rb
 - spec/lib/api_spec.rb
+- spec/lib/asset_spec.rb
+- spec/lib/audit_spec.rb
 - spec/lib/build_from_response_spec.rb
 - spec/lib/exists_spec.rb
 - spec/lib/host_spec.rb
@@ -305,3 +340,4 @@ test_files:
 - spec/vcr_cassettes/Conjur_Resource/_create/with_path-like_identifier.yml
 - spec/vcr_cassettes/Conjur_Resource/_create/with_un-encoded_path-like_identifier.yml
 - spec/vcr_cassettes/Conjur_Resource/_create/with_uuid_identifier.yml
+has_rdoc: