conjur-api 4.19.1 → 4.20.0

data/spec/api/authn_spec.rb

@@ -65,4 +65,17 @@ describe Conjur::API do
       expect(Conjur::API.update_password(user, password, 'new-password')).to eq(:response)
     end
   end
+
+  describe '::rotate_api_key' do
+    it 'puts with basic auth' do
+      expect_request(
+          method: :put,
+          url: 'http://authn.example.com/users/api_key',
+          user: user,
+          password: password,
+          headers: { }
+      ).and_return double('response', body: 'new api key')
+      expect(Conjur::API.rotate_api_key user, password).to eq('new api key')
+    end
+  end
 end

data/spec/api/hosts_spec.rb

@@ -1,5 +1,6 @@
 require 'spec_helper'
 require 'standard_methods_helper'
+require 'cidr_helper'
 
 describe Conjur::API, api: :dummy do
   describe '::enroll_host' do
@@ -16,10 +17,17 @@ describe Conjur::API, api: :dummy do
   end
 
   describe '#create_host' do
-    it_should_behave_like "standard_create with", :host, nil, :options do
-      let(:invoke) { subject.create_host :options }
+    it_should_behave_like "standard_create with", :host, nil, some: :options do
+      let(:invoke) { subject.create_host some: :options }
+    end
+
+    include_examples 'CIDR create' do
+      def create opts
+        api.create_host opts
+      end
     end
   end
+
   describe '#host' do
     it_should_behave_like "standard_show with", :host, :id do
       let(:invoke) { subject.host :id }

data/spec/api/info_spec.rb

@@ -0,0 +1,89 @@
+require 'spec_helper'
+require 'standard_methods_helper'
+
+describe Conjur::API, api: :dummy do
+  before do
+    # The standard test setup doesn't do this
+    allow(Conjur.configuration).to receive(:appliance_url).and_return 'https://example.com/api'
+  end
+
+  let(:version_string) { '4.5.0-75-gde404a6' }
+  let(:response_json){
+    {
+        'services' => {
+            'authn' => {
+                'version' => version_string
+            }
+        }
+    }
+  }
+  let(:response){ double('response', body: response_json.to_json) }
+
+  describe '+appliance_info' do
+    subject{ Conjur::API.appliance_info }
+    context 'when /info does not exist' do
+      it 'raises a FeatureNotAvailable exception' do
+        expect_request(
+            method: :get,
+            url: 'https://example.com/info'
+        ).and_raise RestClient::ResourceNotFound
+        expect{ subject }.to raise_error(Conjur::FeatureNotAvailable)
+      end
+    end
+
+    context 'when /info exists' do
+      it 'returns the response json' do
+        expect_request(
+            method: :get,
+            url: 'https://example.com/info'
+        ).and_return response
+
+        expect(subject).to eq(response_json)
+      end
+    end
+  end
+
+  describe '+service_names' do
+    subject{ Conjur::API.service_names }
+    it 'returns the service names' do
+      expect_request(
+          method: :get,
+          url: 'https://example.com/info'
+      ).and_return response
+      expect(subject).to eq(%w(authn))
+    end
+  end
+
+  describe '+service_version' do
+    subject{ Conjur::API.service_version(service)}
+    context 'when the service name is valid' do
+      let(:service){'authn'}
+      let(:expected_version){ "4.5.0".to_version }
+      before {
+        expect_request(
+            method: :get,
+            url: 'https://example.com/info'
+        ).at_least(1).times.and_return response
+      }
+      it 'returns the version as a Semantic::Version' do
+        expect(subject).to eq(expected_version)
+      end
+      describe 'can be compared' do
+        it 'returns the version as a Semantic::Version' do
+          expect(subject >= Semantic::Version.new('4.5.0')).to eq(true)
+        end
+      end
+    end
+
+    context 'when the service name is not valid' do
+      let(:service){'blahblah'}
+      it 'raises an exception' do
+        expect_request(
+            method: :get,
+            url: 'https://example.com/info'
+        ).at_least(1).times.and_return response
+        expect{ subject }.to raise_error(RuntimeError, /Unknown service/i)
+      end
+    end
+  end
+end

data/spec/api/users_spec.rb

@@ -1,11 +1,32 @@
 require 'spec_helper'
 require 'standard_methods_helper'
+require 'cidr_helper'
 
 describe Conjur::API, api: :dummy do
   describe '#create_user' do
     it_should_behave_like 'standard_create with', :user, nil, login: 'login', other: true do
       let(:invoke) { api.create_user 'login', other: true }
     end
+
+    include_examples 'CIDR create' do
+      def create opts
+        api.create_user 'login', opts
+      end
+    end
+  end
+
+  describe 'user#rotate_api_key' do
+    let(:userid){ 'alice@wonderland' }
+    let(:new_api_key){ 'new api key' }
+    it 'PUTS to /authn/users/api_key?id=:userid' do
+      expect_request(
+          method: :put,
+          url: "#{authn_host}/users/api_key?id=#{api.fully_escape userid}",
+          headers: credentials[:headers],
+          payload: ''
+      ).and_return double('response', body: new_api_key)
+      expect(api.user(userid).rotate_api_key).to eq(new_api_key)
+    end
   end
 
   describe 'user#update' do

data/spec/api/variables_spec.rb

@@ -13,6 +13,25 @@ describe Conjur::API, api: :dummy do
     it_should_behave_like 'standard_show with', :variable, :id
   end
 
+
+  let (:expected_url) { nil }
+  let (:expected_headers) { {} }
+  shared_context "Stubbed API" do
+    before {
+      expect_request(
+        method: :get,
+        url: expected_url,
+        headers: credentials[:headers].merge(expected_headers)
+        ) { 
+        if defined? return_error 
+          raise return_error
+        else
+          double( code: return_code, body: return_body ) 
+        end
+      }
+    }
+  end
+
   describe "#variable_values" do
 
     let (:varlist) { ["var/1","var/2","var/3" ] }
@@ -22,22 +41,7 @@ describe Conjur::API, api: :dummy do
       expect { api.variable_values([]) }.to raise_exception(ArgumentError)
     end 
 
-    shared_context "Stubbed API" do
-      let (:expected_url) { "#{core_host}/variables/values?vars=#{varlist.map {|v| api.fully_escape(v) }.join(",")}"  }
-      before {
-        expect_request(
-          method: :get,
-          url: expected_url,
-          headers: credentials[:headers]
-          ) { 
-            if defined? return_error 
-              raise return_error
-            else
-              double( code: return_code, body: return_body ) 
-            end
-          }
-      }
-    end
+    let (:expected_url) { "#{core_host}/variables/values?vars=#{varlist.map {|v| api.fully_escape(v) }.join(",")}"  }
 
     let (:invoke) { api.variable_values(varlist) }
 
@@ -78,4 +82,31 @@ describe Conjur::API, api: :dummy do
 
   end
 
+  describe '#variable_expirations' do
+    include_context "Stubbed API"
+    let (:expected_url) { "#{core_host}/variables/expirations" }
+    let (:return_code) { '200' }
+    let (:return_body) { '[]' }
+
+    context "with no interval" do
+      subject {api.variable_expirations}
+      it { is_expected.to eq([]) }
+    end
+
+    context "with Fixnum interval" do
+      let (:interval) { 2.weeks }
+      let (:expected_headers) { {:params => { :duration => "PT#{interval.to_i}S" } } }
+      subject { api.variable_expirations(2.weeks) }
+      it { is_expected.to eq([]) }
+    end
+
+    context "with String interval" do
+      let (:interval) { 'P2W' }
+      let (:expected_headers) { {:params => { :duration => 'P2W' } } }
+      subject { api.variable_expirations('P2W') }
+      it { is_expected.to eq([]) }
+    end
+
+  end
+
 end

data/spec/cidr_helper.rb

@@ -0,0 +1,24 @@
+shared_examples_for "CIDR create" do
+  it "formats the CIDRs correctly" do
+    cidrs = %w(192.0.2.0/24 198.51.100.0/24)
+    expect do
+      create cidr: cidrs.map(&IPAddr.method(:new))
+    end.to call_standard_create_with anything, anything, hash_including(cidr: cidrs)
+  end
+
+  it "parses addresses given as strings" do
+    expect do
+      create cidr: %w(192.0.2.0/255.255.255.128)
+    end.to call_standard_create_with anything, anything, hash_including(cidr: %w(192.0.2.0/25))
+  end
+
+  it "raises ArgumentError on invalid CIDR" do
+    expect do
+      create cidr: %w(192.0.2.0/255.255.0.255)
+    end.to raise_error ArgumentError
+
+    expect do
+      create cidr: %w(192.0.2.256/1)
+    end.to raise_error ArgumentError
+  end
+end

data/spec/lib/acts_as_user_spec.rb

@@ -0,0 +1,27 @@
+describe Conjur::ActsAsUser, api: :dummy do
+  subject do
+    api.user 'kmitnick'
+  end
+
+  describe '#set_cidr_restrictions' do
+    it "sends the new restrictions to the authn server" do
+      expect_request(
+        headers: hash_including(content_type: :json),
+        url: "http://authn.example.com/users?id=kmitnick",
+        method: :put,
+        payload: { cidr: ['192.0.2.1/32'] }.to_json
+      )
+      subject.set_cidr_restrictions %w(192.0.2.1)
+    end
+
+    it "resets the restrictions on the authn server if given empty cidr string" do
+      expect_request(
+        headers: hash_including(content_type: :json),
+        url: "http://authn.example.com/users?id=kmitnick",
+        method: :put,
+        payload: { cidr: [] }.to_json
+      )
+      subject.set_cidr_restrictions []
+    end
+  end
+end

data/spec/lib/api_spec.rb

@@ -55,13 +55,13 @@ describe Conjur::API do
       let (:kind) { "sample-kind" }
 
       it "fails  on non-string ids" do
-        expect { subject.parse_id({}, kind) }.to raise_error
+        expect { subject.parse_id({}, kind) }.to raise_error /Unexpected class/
       end
       
       it "fails on malformed ids (<2 tokens)" do
-        expect { subject.parse_id("foo", kind) }.to raise_error
-        expect { subject.parse_id("", kind) }.to raise_error
-        expect { subject.parse_id(nil, kind) }.to raise_error
+        expect { subject.parse_id("foo", kind) }.to raise_error /Expecting at least two /
+        expect { subject.parse_id("", kind) }.to raise_error /Expecting at least two /
+        expect { subject.parse_id(nil, kind) }.to raise_error /Unexpected class/
       end
      
       describe "returns array of [account, kind, subkind, id]" do

data/spec/lib/audit_spec.rb

@@ -102,5 +102,54 @@ describe Conjur::API, api: :dummy do
         it_behaves_like "gets the resource feed"
       end
     end
+
+    describe "#audit_send" do
+      let(:username) { "user" }
+      let(:api){ Conjur::API.new_from_key username, 'key' }
+      let(:credentials) { { headers: { authorization: "Token token=\"stub\"" } } } #, username: username } }
+      
+      before do
+        allow(api).to receive_messages credentials: credentials
+      end
+
+      context "valid input" do
+        let(:http_parameters)  {
+          {
+            headers: credentials[:headers].merge(content_type: "text/plain"),
+            method: :post ,
+            url: "#{Conjur::Authz::API.host}/audit"
+          } 
+        }
+        
+        it "sends Hash as JSON" do
+          event = { action: "login", user: "alice" }
+          expect(RestClient::Request).to receive(:execute).with(
+            http_parameters.merge( payload: event.to_json )
+            )
+          api.audit_send event
+        end
+        it "sends array as JSON" do
+          events = [ { action: "login", user: "alice" }, { action: "sudo", user: "alice" } ]
+          expect(RestClient::Request).to receive(:execute).with(
+            http_parameters.merge( payload: events.to_json )
+            )
+          api.audit_send events
+        end
+        
+        it "sends string as is (consider it preformatted JSON)" do
+          events_serialized = "this is supposed to be JSON" 
+          expect(RestClient::Request).to receive(:execute).with(
+            http_parameters.merge( payload: events_serialized )
+            )
+          api.audit_send events_serialized
+        end
+      end
+      
+      it "rejects any other types of arguments" do
+        expect { api.audit_send( api ) }.to raise_error(ArgumentError)
+      end
+      
+    end
   end
 end
+

data/spec/lib/cidr_spec.rb

@@ -0,0 +1,34 @@
+require 'conjur/cidr'
+
+describe Conjur::CIDR do
+  def cidr addr
+    Conjur::CIDR.validate addr
+  end
+
+  describe '.validate' do
+    it 'rejects malformed addresses' do
+      expect { Conjur::CIDR.validate '192.0.2.2/255.255.0.255' }.to raise_error ArgumentError
+      expect { Conjur::CIDR.validate '192.0.2.2/0.255.0.0' }.to raise_error ArgumentError
+      expect { Conjur::CIDR.validate '192.0.256.2' }.to raise_error ArgumentError
+      expect { Conjur::CIDR.validate '::/:ffff:' }.to raise_error ArgumentError
+    end
+  end
+
+  describe '#prefixlen' do
+    it 'calculates prefix mask length' do
+      expected = {
+        '0.0.0.0/0' => 0,
+        '192.0.2.0/24' => 24,
+        '192.0.2.1' => 32,
+        '192.0.2.0/255.255.255.0' => 24,
+        '10.0.0.0/255.0.0.0' => 8,
+        '1234::/42' => 42,
+        '1234::/ffff::' => 16,
+        '::/::' => 0,
+      }
+      expected.each do |addr, len|
+        expect(Conjur::CIDR.validate(addr).prefixlen).to eq len
+      end
+    end
+  end
+end

data/spec/lib/configuration_spec.rb

@@ -301,10 +301,12 @@ CERT
 
 
       it 'does not rescue from other exceptions' do
-        expect(store).to receive(:add_cert).with(cert).once.and_raise(OpenSSL::X509::StoreError.new('some other message'))
-        expect{subject}.to raise_exception
-        expect(store).to receive(:add_cert).with(cert).once.and_raise(ArgumentError.new('bad news'))
-        expect{subject}.to raise_exception
+        exn = OpenSSL::X509::StoreError.new('some other message')
+        expect(store).to receive(:add_cert).with(cert).once.and_raise(exn)
+        expect{subject}.to raise_error exn
+        exn = ArgumentError.new('bad news')
+        expect(store).to receive(:add_cert).with(cert).once.and_raise(exn)
+        expect{subject}.to raise_error exn
       end
     end
 

data/spec/lib/host_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe Conjur::Host, api: :dummy do
-  subject { Conjur::Host.new 'http://example.com/hosts/my%2Fhostname', nil }
+  subject(:host) { Conjur::Host.new 'http://example.com/hosts/my%2Fhostname', nil }
 
   describe '#resource' do
     subject { super().resource }
@@ -18,4 +18,14 @@ describe Conjur::Host, api: :dummy do
          to_return(:status => 200, :headers => {location: 'foo'})
     expect(subject.enrollment_url).to eq('foo')
   end
+
+  describe '#update' do
+    it "calls set_cidr_restrictions if given CIDR" do
+      expect(host).to receive(:set_cidr_restrictions).with(['192.0.2.0/24'])
+      host.update cidr: ['192.0.2.0/24']
+
+      expect(host).to_not receive(:set_cidr_restrictions)
+      host.update foo: 42
+    end
+  end
 end