conjur-api 4.19.1 → 4.20.0

data/lib/conjur/api/users.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2015 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,7 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 require 'conjur/user'
+require 'conjur/cidr'
 
 module Conjur
   class API
@@ -48,12 +49,16 @@ module Conjur
     # @param [String] login the login for the new user
     # @param [Hash] options options for user creation
     # @option options [String] :acting_as Qualified id of a role to perform the action as
+    # @option options [Array<String, IPAddr>] :cidr CIDR addresses of networks
+    #   the new user will be allower to login from
     # @option options [String, Integer] :uidnumber UID number to assign to the new user.  If not given, one will be generated.
     # @option options [String] :password when present, the user will be given a password in addition to a randomly
     #   generated api key.
     # @return [Conjur::User] an object representing the new user
     # @raise [RestClient::Conflict] If the user already exists, or a user with the given uidnumber exists.
     def create_user(login, options = {})
+      options = options.merge \
+          cidr: [*options[:cidr]].map(&CIDR.method(:validate)).map(&:to_s) if options[:cidr]
       standard_create Conjur::Core::API.host, :user, nil, options.merge(login: login)
     end
 

data/lib/conjur/api/variables.rb

@@ -105,6 +105,30 @@ module Conjur
       end
     end
 
+    # Fetch all visible variables that expire within the given
+    # interval (relative to the current time on the Conjur Server). If
+    # no interval is specifed, all variables that are set to expire
+    # will be returned.
+    #
+    # interval should either be a String containing an ISO8601
+    # duration, or it should implement #to_i to return a number of
+    # seconds.
+    #
+    # @example Use an ISO8601 duration to return variables expiring in the next month
+    #   expirations = api.variable_expirations('P1M')
+    #
+    # @example Use ActiveSupport to return variables expiring in the next month
+    #   require 'active_support/all'
+    #   expirations = api.variable_expirations(1.month)
+
+    # param interval a String containing an ISO8601 duration , or a number of seconds 
+    # return [Hash] variable expirations that occur within the interval
+    def variable_expirations(interval = nil)
+      duration = interval.try { |i| i.respond_to?(:to_str) ? i : "PT#{i.to_i}S" }
+      params = {}.tap { |p| p.merge!({:params => {:duration => duration }}) if duration }
+      JSON.parse(RestClient::Resource.new(Conjur::Core::API.host, self.credentials)['variables/expirations'].get(params).body)
+    end
+
     #@!endgroup
   end
 end

data/lib/conjur/cidr.rb

@@ -0,0 +1,71 @@
+#
+# Copyright (C) 2015 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+##
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+require 'ipaddr'
+
+module Conjur
+  # Utility methods for CIDR network addresses
+  module CIDR
+    # Parse addr into an IPAddr if it's not one already, then extend it with CIDR
+    # module. This will force validation and will raise ArgumentError if invalid.
+    # @return [IPAddr] the address (extended with CIDR module)
+    def self.validate addr
+      addr = IPAddr.new addr unless addr.kind_of? IPAddr
+      addr.extend self
+    end
+
+    def self.extended addr
+      addr.prefixlen # validates
+    end
+
+    # Error raised when an address is not a valid CIDR network address
+    class InvalidCIDR < ArgumentError
+    end
+
+    attr_reader :mask_addr
+
+    # @return [String] the address as an "address/mask length" string
+    # @example
+    #     IPAddr.new("192.0.2.0/255.255.255.0").extend(CIDR).to_s == "192.0.2.0/24"
+    def to_s
+      [super, prefixlen].join '/'
+    end
+
+    # @return [Fixnum] the length of the network mask prefix
+    def prefixlen
+      unless @prefixlen
+        return @prefixlen = 0 if (mask = mask_addr) == 0
+
+        @prefixlen = ipv4? ? 32 : 128
+
+        while (mask & 1) == 0
+          mask >>= 1
+          @prefixlen -= 1
+        end
+
+        if mask != ((1 << @prefixlen) - 1)
+          fail InvalidCIDR, "#{inspect} is not a valid CIDR network address"
+        end
+      end
+      return @prefixlen
+    end
+  end
+end

data/lib/conjur/exceptions.rb

@@ -0,0 +1,4 @@
+module Conjur
+  class FeatureNotAvailable < StandardError
+  end
+end

data/lib/conjur/host-factory-api.rb

@@ -0,0 +1,38 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/api'
+require 'conjur/configuration'
+
+class Conjur::Configuration
+  add_option :host_factory_url do
+    account_service_url 'host_factories', 500
+  end
+end
+
+class Conjur::API
+  class << self
+    def host_factory_asset_host
+      Conjur.configuration.host_factory_url
+    end
+  end
+end
+
+require 'conjur/api/host_factories'

data/lib/conjur/host.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2015 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -34,5 +34,24 @@ module Conjur
       end
       self['enrollment_url'].head{|response, request, result| response }.headers[:location]
     end
+
+    # Assign new attributes to the host.  Currently, this method only lets you change the
+    # `:cidr` attribute.
+    #
+    # ### Permissions
+    # You must have update permission on the hosts's resource or be the host to
+    # update CIDR restrictions.
+    #
+    # @note This feature requires Conjur server version 4.6 or later.
+    #
+    # @param [Hash] options attributes to change
+    # @option options [Array<String, IPAddr>] :cidr the network restrictions for this host
+    # @return [void]
+    # @raise [ArgumentError] if cidr isn't valid
+    def update options
+      if cidr = options[:cidr]
+        set_cidr_restrictions cidr
+      end
+    end
   end
-end
+end

data/lib/conjur/host_factory.rb

@@ -0,0 +1,75 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/host_factory_token'
+
+module Conjur
+  class HostFactory < RestClient::Resource
+    include ActsAsAsset
+    
+    def roleid
+      attributes['roleid']
+    end
+    
+    def role
+      Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(roleid).join('/')]
+    end
+    
+    def deputy
+      Conjur::Deputy.new(Conjur::API.core_asset_host, options)["deputies/#{fully_escape id}"]
+    end
+
+    def deputy_api_key
+      attributes['deputy_api_key']
+    end
+    
+    def create_token(expiration, options = {})
+      create_tokens(expiration, 1, options)[0]
+    end
+    
+    def create_tokens(expiration, count, options = {})
+      parameters = options.merge({
+        expiration: expiration.iso8601,
+        count: count
+      })
+      response = RestClient::Resource.new(Conjur::API.host_factory_asset_host, self.options)[fully_escape id]["tokens"].post(parameters).body
+      JSON.parse(response).map do |attrs|
+        build_host_factory_token attrs
+      end
+    end
+
+    def tokens
+      # Tokens list is not returned by +show+ if the caller doesn't have permission
+      return nil unless self.attributes['tokens']
+
+      self.attributes['tokens'].collect do |attrs|
+        build_host_factory_token attrs
+      end
+    end
+    
+    protected
+    
+    def build_host_factory_token attrs
+      Conjur::HostFactoryToken.new(Conjur::API.host_factory_asset_host, self.options)["tokens"][attrs['token']].tap do |token|
+        token.attributes = attrs
+      end
+    end
+  end
+end

data/lib/conjur/host_factory_token.rb

@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+  class HostFactoryToken < RestClient::Resource
+    include HasAttributes
+    
+    def to_json(options = {})
+      { token: token, expiration: expiration, cidr: cidr }
+    end
+  
+    def token
+      self.url.split('/')[-1]
+    end    
+    
+    alias id token
+    
+    def expiration
+      DateTime.iso8601(attributes['expiration'])
+    end
+    
+    def host_factory
+      Conjur::HostFactory.new(Conjur::API.host_factory_asset_host, options)[fully_escape attributes['host_factory']['id']]
+    end
+
+    def cidr
+      attributes['cidr']
+    end
+
+    def revoke!
+      invalidate do
+        RestClient::Resource.new(self['revoke'].url, options).post
+      end
+    end
+
+    def save
+      raise "HostFactoryToken attributes are not updatable"
+    end
+
+    protected
+    
+    def fetch
+      raise "HostFactoryToken attributes are not fetchable"
+    end
+  end
+end

data/lib/conjur/resource.rb

@@ -97,7 +97,7 @@ module Conjur
     #   resource.permit 'execute', api.user('jon')
     #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:user:jon']
     #
-    # @param permission [String] the permission``
+    # @param permission [String] the permission
     # @param options [Hash, nil] extra options to pass to RestClient::Resource#get
     # @return [Array<String>] the ids of roles that have `permission` on this resource.
     def permitted_roles(permission, options = {})

data/lib/conjur/user.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2015 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -34,27 +34,35 @@ module Conjur
     # @return [String] the login for this user
     def login; id end
 
-    # Assign new attributes to the user.  Currently, this method only lets you change the
-    # `:uidnumber` attribute.
+    # Assign new attributes to the user.
     #
     # If a user with the given `:uidnumber` already exists, this method will raise `RestClient::Forbidden`, with
     # the response body providing additional details if possible.
     #
     # ### Permissions
-    # You must be a member of the user's role to call this method.
+    # You must be a member of the user's role to update the uidnumber.
+    # You must have update permission on the user's resource or be the user to
+    # update CIDR restrictions.
     #
-    # @note This feature requires Conjur server version 4.3 or later.
+    # @note Updating `uidnumber` requires Conjur server version 4.3 or later.
+    # @note Updating `cidr` requires Conjur server version 4.6 or later.
     #
     # @param [Hash] options attributes to change
-    # @option options [FixNum] :uidnumber the new uidnumber for this user.  This option *must* be present.
+    # @option options [FixNum] :uidnumber the new uidnumber for this user.
+    # @option options [Array<String, IPAddr>] :cidr the network restrictions for this user. Requires Conjur server version 4.6 or later
     # @return [void]
     # @raise [RestClient::Conflict] if the uidnumber is already in use
-    # @raise [ArgumentError] if uidnumber isn't a `Fixnum` or isn't present in `options`
+    # @raise [ArgumentError] if uidnumber or cidr aren't valid
     def update options
-      # Currently the server raises a 400 Bad Request if uidnumber is missing, require it here
-      raise ArgumentError "options[:uidnumber] is required" unless uidnumber = options[:uidnumber]
-      raise ArgumentError, "options[:uidnumber] must be a Fixnum" unless uidnumber.kind_of?(Fixnum)
-      self.put(options)
+      if uidnumber = options[:uidnumber]
+        # Currently the server raises a 400 Bad Request if uidnumber is missing, require it here
+        raise ArgumentError, "options[:uidnumber] must be a Fixnum" unless uidnumber.kind_of?(Fixnum)
+        self.put(options)
+      end
+
+      if cidr = options[:cidr]
+        set_cidr_restrictions cidr
+      end
     end
 
     # Get the user's uidnumber, which is used by LDAP and SSH login, among other things.

data/lib/conjur/variable.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2016 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -205,5 +205,28 @@ module Conjur
       url << "?version=#{version}" if version
       self[url].get.body
     end
+
+    # Set the variable to expire after the given interval. The
+    # interval can either be an ISO8601 duration or it can the number
+    # of seconds for which the variable should be valid. Once a
+    # variable has expired, its value will no longer be retrievable.
+    #
+    # You must have the **`'update'`** permission on a variable to call this method.
+    #
+    # @example Use an ISO8601 duration to set the expiration for a variable to tomorrow
+    #   var = api.variable 'my-secret'
+    #   var.expires_in "P1D"
+    #
+    # @example Use ActiveSupport to set the expiration for a variable to tomorrow
+    #   require 'active_support/all'
+    #   var = api.variable 'my-secret'
+    #   var.expires_in 1.day
+    # @param interval a String containing an ISO8601 duration, otherwise the number of seconds before the variable xpires
+    # @return [Hash] description of the variable's expiration, including the (Conjur server) time when it expires
+    def expires_in interval
+      duration = interval.respond_to?(:to_str) ? interval : "PT#{interval.to_i}S"
+      JSON::parse(self['expiration'].post(duration: duration).body)
+    end
+
   end
-end
+end