conjur-api 4.16.0 → 4.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1774efca45d1103cedf13423ce1934f6c3a516e2
-  data.tar.gz: 028c735666d90ab39cc214e22f9e4013195b3894
+  metadata.gz: d286220bf5ce8e32e9fa3ecbba374906d40739a8
+  data.tar.gz: d38f3fd537e81c44c537327642cc4ef6b6407537
 SHA512:
-  metadata.gz: 885c346828a875234c194bbd27f5a06b353e1b894d2dfc4cdca2dbfcbae27404176211417f968b8f9ca5854d627670d64c6c8a716d5a2f9b2db26f41eca3e802
-  data.tar.gz: 54bcfbb2d74a8f6e7c2079074716051d90369248b175a7f1a6fff434a808a4d2d4e41da24b484729b745012a751d3c982eb56f06ec3df24765a2cd0e55c87feb
+  metadata.gz: c1c6e64c7cc31108c7c9f2fc7dde41c10d4b57006c8963f0be3288b49e365f5fb5fbf97b58e744e9fcf9493feafc8070a6571a26d65b6c7b0b13298dffef209e
+  data.tar.gz: b64f23a2614041ec2f186d9f563ace280ea3cb1f791663c26d780b41911cc5b057e37161cb1d1b9588162cf7393c8290dff26cd2a7d45136bbdd35463f20d361

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+# v4.19.0
+
+* Rename `sudo` to `elevate` throughout the spec and docstrings. This is an incompatible change, but it
+occurs before the Conjur 4.5 server that implements `elevate` is released.
+
+# v4.18.0
+
+* Add method `global_privilege_permitted?` to facilitate working with Conjur 4.5 global privileges.
+
+# v4.17.0
+
+* Add handling for `X-Forwarded-For` and `X-Conjur-Privilege` ("conjur sudo")
+* Transform embedded whitespace in certificate string into newlines
+
 # v4.16.0
   * Add ssl_certificate option to allow certs to be provided as strings (helpful in heroku)
   * Add `Conjur::Configuration#apply_cert_config!` method to add certs from `#cert_file` and `#ssl_certificate` 

data/README.md

@@ -49,7 +49,7 @@ gemset or bundle.
 
 Once Conjur is configured, the connection can be established like this:
 
-```ruby
+```
 conjur = Conjur::Authn.connect nil, noask: true
 ```
 
@@ -71,7 +71,7 @@ object.
 
 For example, specify the `account` and `appliance_url` (both of which are required) like this:
 
-```ruby
+```
 Conjur.configuration.account = 'my-account'
 Conjur.configuration.appliance_url = 'https://conjur.mydomain.com/api'
 ```
@@ -82,13 +82,13 @@ configuration variable. For example, `appliance_url` is `CONJUR_APPLIANCE_URL`,
 
 In either case, you will also need to configure certificate trust. For example:
 
-```ruby
+```
 OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE.add_file "/etc/conjur-yourorg.pem"
 ```
 
 Once Conjur is configured, you can create a new API client by providing a `login` and `api_key`:
 
-```ruby
+```
 Conjur::API.new_from_key login, api_key
 ```
 

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.16.0"
+    VERSION = "4.19.0"
   end
 end

data/lib/conjur/api.rb

@@ -85,7 +85,12 @@ class RestClient::Resource
   #
   # @return {Conjur::API} the new api
   def conjur_api
-    Conjur::API.new_from_token token
+    api = Conjur::API.new_from_token token, remote_ip
+    if conjur_privilege
+      api.with_privilege conjur_privilege
+    else
+      api
+    end
   end
 
   # Get an authentication token from the clients Authorization header.
@@ -104,6 +109,14 @@ class RestClient::Resource
       raise AuthorizationError.new("Authorization missing")
     end
   end
+  
+  def remote_ip
+    options[:headers][:x_forwarded_for]
+  end
+  
+  def conjur_privilege
+    options[:headers][:x_conjur_privilege]
+  end
 
   # The username this resource authenticates as.
   #

data/lib/conjur/api/resources.rb

@@ -22,7 +22,6 @@ require 'conjur/resource'
 
 module Conjur
   class API
-
     #@!group Authorization: Resources
 
     # Create a {http://developer.conjur.net/reference/services/authorization/resource Conjur Resource}.
@@ -60,7 +59,7 @@ module Conjur
         r.create(options)
       end
     end
-
+    
     # Find a resource by it's id.  The id given to this method must be qualified by a kind, but the account is
     # optional.
     #
@@ -84,7 +83,7 @@ module Conjur
     #
     # @param identifier [String] a qualified resource identifier, optionally including an account
     # @return [Conjur::Resource] the resource, which may or may not exist
-     def resource identifier
+    def resource identifier
       Resource.new(Conjur::Authz::API.host, credentials)[self.class.parse_resource_id(identifier).join('/')]
     end
 
@@ -148,5 +147,24 @@ module Conjur
         end
       end
     end
+
+    # The resource which grants global privileges to Conjur.
+    # Privileges given on this resource apply to any record in the system.
+    # There are two defined global privileges:
+    #
+    # * **elevate** permission is granted for any action.
+    # * **reveal** methods which list records will always return every matching
+    #   record, regardless of whether the user has any privileges on these records or not.
+    #   Services can also choose to attach additional semantics to *reveal*, such as allowing
+    #   the user to show non-sensitive attributes of any record.
+    #
+    # Global privileges are available in Conjur 4.5 and later.
+    GLOBAL_PRIVILEGE_RESOURCE = "!:!:conjur"
+    
+    # Checks whether the client has a particular global privilege.
+    # The global privileges are *elevate* and *reveal*.
+    def global_privilege_permitted? privilege
+      resource(GLOBAL_PRIVILEGE_RESOURCE).permitted? privilege
+    end
   end
 end

data/lib/conjur/base.rb

@@ -100,10 +100,11 @@ module Conjur
       #   api.user 'foo' # raises a 401 error
       #
       # @param [String] username the username to use when making authenticated requests.
-      # @param [Sring] api_key the api key or password for `username`
+      # @param [String] api_key the api key or password for `username`
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
       # @return [Conjur::API] an api that will authenticate with the given username and api key.
-      def new_from_key(username, api_key)
-        self.new username, api_key, nil
+      def new_from_key(username, api_key, remote_ip = nil)
+        self.new username, api_key, nil, remote_ip
       end
 
 
@@ -135,9 +136,10 @@ module Conjur
       #   end
       #
       # @param [Hash] token the authentication token as parsed JSON to use when making authenticated requests
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
       # @return [Conjur::API] an api that will authenticate with the token
-      def new_from_token(token)
-        self.new nil, nil, token
+      def new_from_token(token, remote_ip = nil)
+        self.new nil, nil, token, remote_ip
       end
     end
     
@@ -151,12 +153,14 @@ module Conjur
     # @param [String] username the username to authenticate as
     # @param [String] api_key the api key or password to use when authenticating
     # @param [Hash] token the token to use when making authenticated requuests.
+    # @param [String] remote_ip the optional IP address to be recorded in the audit record.
     #
     # @api internal
-    def initialize username, api_key, token
+    def initialize username, api_key, token, remote_ip = nil
       @username = username
       @api_key = api_key
       @token = token
+      @remote_ip = remote_ip
 
       raise "Expecting ( username and api_key ) or token" unless ( username && api_key ) || token
     end
@@ -166,6 +170,14 @@ module Conjur
     #
     # @return [String] the api key, or nil if this instance was created from a token.
     attr_reader :api_key
+    
+    #@!attribute [r] remote_ip
+    # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
+    attr_reader :remote_ip
+
+    #@!attribute [r] privilege
+    # The optional global privilege (e.g. 'elevate' or 'reveal') which should be attempted on the request.
+    attr_accessor :privilege
 
     # The name of the user as which this api instance is authenticated.  This is available whether the api
     # instance was created from credentials or an authentication token.
@@ -196,7 +208,7 @@ module Conjur
 
       @token ||= Conjur::API.authenticate(@username, @api_key)
 
-      fail "obtained token is invalid" unless token_valid? # sanity check
+      validate_token
 
       return @token
     end
@@ -208,20 +220,47 @@ module Conjur
     # @raise [RestClient::Unauthorized] if fetching the token fails.
     # @see {#token}
     def credentials
-      { headers: { authorization: "Token token=\"#{Base64.strict_encode64 token.to_json}\"" }, username: username }
+      headers = {}.tap do |h|
+        h[:authorization] = "Token token=\"#{Base64.strict_encode64 token.to_json}\""
+        h[:x_conjur_privilege] = @privilege if @privilege
+        h[:x_forwarded_for] = @remote_ip if @remote_ip
+      end
+      { headers: headers, username: username }
     end
 
+    # Return a new API object with the specified X-Conjur-Privilege.
+    # 
+    # @return The API instance.
+    def with_privilege privilege
+      self.class.new(username, api_key, token, remote_ip).tap do |api|
+        api.privilege = privilege
+      end
+    end
+    
     private
 
+    def token_valid?
+      begin
+        validate_token
+        return true
+      rescue Exception
+        return false
+      end
+    end
+
     # Check to see if @token is defined, and whether it's expired
     #
-    # @return [Boolean] whether or not the token is valid.
-    def token_valid?
-      return false unless @token
+    # @raise [Exception] if the token is invalid
+    def validate_token
+      fail "token not present" unless @token
       
       # Actual token expiration is 8 minutes, but why cut it so close
       expiration = 5.minutes
-      Time.now - Time.parse(@token['timestamp']) < expiration
+      lag = Time.now - Time.parse(@token['timestamp'])
+      unless lag < expiration
+        fail "obtained token is invalid: "\
+            "token timestamp is #{@token['timestamp']}, #{lag} seconds ago"
+      end
     end
   end
 end

data/lib/conjur/configuration.rb

@@ -421,7 +421,14 @@ module Conjur
     private
 
     def add_cert_string store, str
+      str = str.gsub(/\s+/, "\n")
+      str.gsub!("-----BEGIN\n", "-----BEGIN ")
+      str.gsub!("-----END\n", "-----END ")
       store.add_cert OpenSSL::X509::Certificate.new str
+    rescue OpenSSL::X509::CertificateError => ex
+      $stderr.puts "Invalid certificate:"
+      $stderr.puts str
+      raise ex
     rescue OpenSSL::X509::StoreError => ex
       raise ex unless ex.message == 'cert already in hash table'
     end

data/spec/lib/api_spec.rb

@@ -226,7 +226,9 @@ describe Conjur::API do
     let(:login) { "bob" }
     let(:token) { { 'data' => login, 'timestamp' => Time.now.to_s } }
     subject { api }
-    let(:api) { Conjur::API.new_from_token(token) }
+    let(:remote_ip) { nil }
+    let(:api_args) { [ token, remote_ip ].compact }
+    let(:api) { Conjur::API.new_from_token(*api_args) }
     let(:account) { 'some-account' }
     before { allow(Conjur::Core::API).to receive_messages conjur_account: account }
   end
@@ -242,11 +244,28 @@ describe Conjur::API do
         subject { super().credentials }
         it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login }) }
       end
+      
+      describe "privileged" do
+        describe '#credentials' do
+          subject { super().with_privilege('elevate').credentials }
+          it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"", :x_conjur_privilege=>"elevate" }, username: login }) }
+        end
+      end
+      
+      context "with remote_ip" do
+        let(:remote_ip) { "66.0.0.1" }
+        describe '#credentials' do
+          subject { super().credentials }
+          it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"", :x_forwarded_for=>"66.0.0.1" }, username: login }) }
+        end
+      end
     end
 
     context "from api key", logged_in: true do
       let(:api_key) { "theapikey" }
-      let(:api) { Conjur::API.new_from_key(login, api_key) }
+      let(:api_args) { [ login, api_key, remote_ip ].compact }
+      let(:api) { Conjur::API.new_from_key(*api_args) }
+      let(:remote_ip) { nil }
       subject { api }
 
       it("should authenticate to get a token") do
@@ -257,6 +276,14 @@ describe Conjur::API do
         expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
       end
 
+      it("checks if the token is fresh") do
+        expired_token = token.merge 'timestamp' => 10.minutes.ago.to_s
+        expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return expired_token
+
+        expect(api.instance_variable_get("@token")).to eq(nil)
+        expect { api.token }.to raise_error /obtained token is invalid/
+      end
+
       context "with an expired token" do
         it "fetches a new one" do
           allow(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token
@@ -273,12 +300,37 @@ describe Conjur::API do
 
     context "from logged-in RestClient::Resource" do
       let(:token_encoded) { Base64.strict_encode64(token.to_json) }
-      let(:resource) { RestClient::Resource.new("http://example.com", { headers: { authorization: "Token token=\"#{token_encoded}\"" } })}
+      let(:headers) { { authorization: "Token token=\"#{token_encoded}\"" } }
+      let(:resource) { RestClient::Resource.new("http://example.com", { headers: headers })}
       it "can construct a new API instance" do
         api = resource.conjur_api
         expect(api.credentials[:headers][:authorization]).to eq("Token token=\"#{token_encoded}\"")
+        expect(api.credentials[:headers][:x_conjur_privilege]).to be_nil
+        expect(api.credentials[:headers][:x_forwarded_for]).to be_nil
         expect(api.credentials[:username]).to eq("bob")
       end
+      
+      context "privileged" do
+        let(:headers) { { authorization: "Token token=\"#{token_encoded}\"", x_conjur_privilege: "elevate" } }
+        it "can clone itself" do
+          api = resource.conjur_api
+          expect(api.credentials[:headers][:authorization]).to eq("Token token=\"#{token_encoded}\"")
+          expect(api.credentials[:headers][:x_conjur_privilege]).to eq("elevate")
+          expect(api.credentials[:headers][:x_forwarded_for]).to be_nil
+          expect(api.credentials[:username]).to eq("bob")
+        end
+      end
+      
+      context "privileged" do
+        let(:headers) { { authorization: "Token token=\"#{token_encoded}\"", x_forwarded_for: "66.0.0.1" } }
+        it "can clone itself" do
+          api = resource.conjur_api
+          expect(api.credentials[:headers][:authorization]).to eq("Token token=\"#{token_encoded}\"")
+          expect(api.credentials[:headers][:x_conjur_privilege]).to be_nil
+          expect(api.credentials[:headers][:x_forwarded_for]).to eq("66.0.0.1")
+          expect(api.credentials[:username]).to eq("bob")
+        end
+      end
     end
   end
 

data/spec/lib/configuration_spec.rb

@@ -219,12 +219,10 @@ describe Conjur::Configuration do
 
     let(:store){ double('default store') }
 
-
     before do
       stub_const 'OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE', store
       allow_any_instance_of(Conjur::Configuration).to receive(:ssl_certificate).and_return ssl_certificate
       allow_any_instance_of(Conjur::Configuration).to receive(:cert_file).and_return cert_file
-
     end
 
     context "when neither cert_file or ssl_certificate is present" do
@@ -240,7 +238,7 @@ describe Conjur::Configuration do
 
     context 'when both are given' do
       let(:cert_file){ '/path/to/cert.pem' }
-      let(:ssl_certificate){ 'certificate contents' }
+      let(:ssl_certificate){ 'certificate-contents' }
       let(:cert){ double('certificate') }
       it 'calls store.add_cert with a certificate created from ssl_certificate' do
         expect(OpenSSL::X509::Certificate).to receive(:new).with(ssl_certificate).once.and_return cert
@@ -260,11 +258,35 @@ describe Conjur::Configuration do
 
     context 'when ssl_certificate is given' do
       let(:cert_file){ nil }
-      let(:ssl_certificate){ 'certificate contents' }
+      let(:ssl_certificate){ "-----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIJAO4Lf1Rf2cciMA0GCSqGSIb3DQEBBQUAMDMxMTAvBgNV BAMTKGVjMi01NC05MS0yNDYtODQuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20wHhcN MTQxMDA4MjEwNTA5WhcNMjQxMDA1MjEwNTA5WjAzMTEwLwYDVQQDEyhlYzItNTQt OTEtMjQ2LTg0LmNvbXB1dGUtMS5hbWF6b25hd3MuY29tMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAx+OFANXNEYNsMR3Uvg4/72VG3LZO8yxrYaYzc3FZ NN3NpIOCZvRTC5S+OawsdEljHwfhdVoXdWNKgVJakSxsAnnaj11fA6XpfN60o6Fk i4q/BqwqgeNJjKAlElFsNz2scWFWRe49NHlj9qaq/yWZ8Cn0IeHy8j8F+jMek4zt dCSxVEayVG/k8RFmYCcluQc/1LuCjPiFwJU43AGkO+yvmOuYGivsNKY+54yuEZqF VDsjAjMsYXxgLx9y1F7Rq3CfeqY6IajR7pmmRup8/D9NyyyQuIML83mjTSvo0UYu rkdXPObd/m6gumscvXMl6SoJ5IPItvTA42MZqTaNzimF0QIDAQABo2gwZjBkBgNV HREEXTBbgglsb2NhbGhvc3SCBmNvbmp1coIcY29uanVyLW1hc3Rlci5pdHAuY29u anVyLm5ldIIoZWMyLTU0LTkxLTI0Ni04NC5jb21wdXRlLTEuYW1hem9uYXdzLmNv bTANBgkqhkiG9w0BAQUFAAOCAQEANk7P3ZEZHLgiTrLG13VAkm33FAvFzRG6akx1 jgNeRDgSaxRtrfJq3mnhsmD6hdvv+e6prPCFOjeEDheyCZyQDESdVEJBwytHVjnH dbvgMRaPm6OO8CyRyNjg3YcC36T//oQKOdAXXEcrtd0QbelBDYlKA7smJtznfhAb XypVdeS/6I4qvJi3Ckp5sQ1GszYhVXAvEeWeY59WwsTWYHLkzss9QShnigPyo3LY ZA5JVXofYi9DJ6VexP7sJNhCMrY2WnMpPcAOB9T7a6lcoXj6mWxvFys0xDIEOnc6 NGb+d47blphUKRZMAUZgYgFfMfmlyu1IXj03J8AuKtIMEwkXAA== -----END CERTIFICATE----- " }
+        let(:actual_certificate) {
+          <<-CERT
+-----BEGIN CERTIFICATE-----
+MIIDUTCCAjmgAwIBAgIJAO4Lf1Rf2cciMA0GCSqGSIb3DQEBBQUAMDMxMTAvBgNV
+BAMTKGVjMi01NC05MS0yNDYtODQuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20wHhcN
+MTQxMDA4MjEwNTA5WhcNMjQxMDA1MjEwNTA5WjAzMTEwLwYDVQQDEyhlYzItNTQt
+OTEtMjQ2LTg0LmNvbXB1dGUtMS5hbWF6b25hd3MuY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAx+OFANXNEYNsMR3Uvg4/72VG3LZO8yxrYaYzc3FZ
+NN3NpIOCZvRTC5S+OawsdEljHwfhdVoXdWNKgVJakSxsAnnaj11fA6XpfN60o6Fk
+i4q/BqwqgeNJjKAlElFsNz2scWFWRe49NHlj9qaq/yWZ8Cn0IeHy8j8F+jMek4zt
+dCSxVEayVG/k8RFmYCcluQc/1LuCjPiFwJU43AGkO+yvmOuYGivsNKY+54yuEZqF
+VDsjAjMsYXxgLx9y1F7Rq3CfeqY6IajR7pmmRup8/D9NyyyQuIML83mjTSvo0UYu
+rkdXPObd/m6gumscvXMl6SoJ5IPItvTA42MZqTaNzimF0QIDAQABo2gwZjBkBgNV
+HREEXTBbgglsb2NhbGhvc3SCBmNvbmp1coIcY29uanVyLW1hc3Rlci5pdHAuY29u
+anVyLm5ldIIoZWMyLTU0LTkxLTI0Ni04NC5jb21wdXRlLTEuYW1hem9uYXdzLmNv
+bTANBgkqhkiG9w0BAQUFAAOCAQEANk7P3ZEZHLgiTrLG13VAkm33FAvFzRG6akx1
+jgNeRDgSaxRtrfJq3mnhsmD6hdvv+e6prPCFOjeEDheyCZyQDESdVEJBwytHVjnH
+dbvgMRaPm6OO8CyRyNjg3YcC36T//oQKOdAXXEcrtd0QbelBDYlKA7smJtznfhAb
+XypVdeS/6I4qvJi3Ckp5sQ1GszYhVXAvEeWeY59WwsTWYHLkzss9QShnigPyo3LY
+ZA5JVXofYi9DJ6VexP7sJNhCMrY2WnMpPcAOB9T7a6lcoXj6mWxvFys0xDIEOnc6
+NGb+d47blphUKRZMAUZgYgFfMfmlyu1IXj03J8AuKtIMEwkXAA==
+-----END CERTIFICATE-----
+CERT
+        }
       let(:cert){ double('cert') }
 
       before do
-        expect(OpenSSL::X509::Certificate).to receive(:new).with(ssl_certificate).at_least(:once).and_return cert
+        expect(OpenSSL::X509::Certificate).to receive(:new).with(actual_certificate).at_least(:once).and_return cert
       end
 
       it 'calls store.add_cert with a certificate created from ssl_certificate' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.16.0
+  version: 4.19.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-28 00:00:00.000000000 Z
+date: 2015-08-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client