conjur-api 4.23.0 → 4.24.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 91bb6f8e907814c4dd388fef05384202a9e51a29
-  data.tar.gz: 4884d67d8ec68a02fdbabe297edeb1e8d95a6d88
+  metadata.gz: b6a400415b1a2ace3c70bfa63befe1155411e689
+  data.tar.gz: da597b98f100670f494de01da0c7ec3e14f23164
 SHA512:
-  metadata.gz: 425b6e7ecbae6f9d79ee004a522ebe51d8ee091f452d3e6d30ff041a33dad04b15d33676b29179105e19f28b537be6325a0f951412a757236e07a1d03dee5954
-  data.tar.gz: a4fb4478261d5f9a677c19c2b8103e1f5a9a78015b36dcf17780a1c8288c43de3e3f854b26e1dde1f17c237bde971ac1d9cd1e2544b2fafd195ee10c798f9cdc
+  metadata.gz: 7cd91330ebb3ca97d512e639ee35256dd79723b55528fef64290e4d2c5c863048d4667598604e61145de22316045fe6a13a2a7bc5ba156819f7c440b52c0d3c1
+  data.tar.gz: beb95a4206bf8ffed5d1bd8bee7a799d0d9984d7f7dffb729b3e29bb1832ed576e77c083e00988e0e6bb5e0e77e4e39a381cd360090946ba478fab9f7c12a579

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+# v4.24.0
+
+* Add `Conjur::API#ldap_sync_now` (requires Conjur 4.7 or later).
+* Don't trust the system clock and don't check token validity. Rely on the
+  server to verify the token instead, and only try to refresh if enough time
+  has passed locally (using monotonic clock for reference where available).
+* Don't try refreshing the token if the required credentials are not available.
+
 # v4.23.0
 
 * Add `with_audit_roles` and `with_audit_resources` to `Conjur::API`

data/conjur-api.gemspec

@@ -38,7 +38,6 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'rdoc'
   gem.add_development_dependency 'yard'
   gem.add_development_dependency 'redcarpet'
-  gem.add_development_dependency 'timecop'
   gem.add_development_dependency 'tins', '~> 1.6', '< 1.7.0'
   gem.add_development_dependency 'inch'
 end

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.23.0"
+    VERSION = "4.24.0"
   end
 end

data/lib/conjur/api.rb

@@ -45,6 +45,7 @@ require 'conjur/host-factory-api'
 require 'conjur/bootstrap'
 require 'conjur-api/version'
 require 'conjur/api/info'
+require 'conjur/api/ldapsync'
 
 # Monkey patch RestClient::Request so it always uses
 # :ssl_cert_store. (RestClient::Resource uses Request to send
@@ -57,14 +58,14 @@ class RestClient::Request
       ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
     }
   end
-  
+
   def initialize args
     initialize_without_defaults default_args.merge(args)
   end
-  
+
 end
 
-    
+
 class RestClient::Resource
   include Conjur::Escape
   include Conjur::LogSource
@@ -119,11 +120,11 @@ class RestClient::Resource
       raise AuthorizationError.new("Authorization missing")
     end
   end
-  
+
   def remote_ip
     options[:headers][:x_forwarded_for]
   end
-  
+
   def conjur_privilege
     options[:headers][:x_conjur_privilege]
   end

data/lib/conjur/api/ldapsync.rb

@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2016 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+module Conjur
+  class API
+  # @!group LDAP Sync Service
+
+    # Trigger a LDAP sync with a given profile.
+
+    # @param [String] config_name Saved profile to run sync with
+    # @param [Boolean] dry_run Don't actually run sync, instead just report the state of the upstream LDAP.
+    # @param [String] format Requested MIME type of the response, either 'text/yaml' or 'application/json'
+    # @return [Hash] a hash mapping with keys 'ok' and 'result[:actions]'
+    def ldap_sync_now(config_name, format, dry_run)
+      opts = credentials.dup.tap{ |h|
+        h[:headers][:accept] = format
+      }
+      
+      resp = RestClient::Resource.new(Conjur.configuration.appliance_url, opts)['ldap-sync']['sync'].post({
+        config_name: config_name,
+        dry_run: dry_run
+      })
+      
+      if format == 'text/yaml'
+        resp.body
+      elsif format == 'application/json'
+        JSON.parse(resp.body)
+      end
+    end
+
+  # @!endgroup
+  end
+end

data/lib/conjur/base.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013-2014 Conjur Inc
+# Copyright (C) 2013-2016 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -222,22 +222,14 @@ module Conjur
       self.class.host
     end
 
-    # The token used to authenticate requests made with the api.  The token will be fetched
-    # if it hasn't already, or if it has expired.  Accordingly, this method may raise a RestClient::Unauthorized
-    # exception if the credentials are invalid.
-    #
-    # @note calling this method on an {Conjur::API} instance created with {Conjur::API.new_from_token} will have
-    # undefined behavior if the token is expired.
+    # The token used to authenticate requests made with the api.  The token will be fetched,
+    # if possible, when not present or about to expire.  Accordingly, this
+    # method may raise a RestClient::Unauthorized exception if the credentials are invalid.
     #
     # @return [Hash] the authentication token as a Hash
     # @raise [RestClient::Unauthorized] if the username and api key are invalid.
     def token
-      @token = nil unless token_valid?
-
-      @token ||= Conjur::API.authenticate(@username, @api_key)
-
-      validate_token
-
+      refresh_token if needs_token_refresh?
       return @token
     end
 
@@ -285,28 +277,35 @@ module Conjur
 
     private
 
-    def token_valid?
-      begin
-        validate_token
-        return true
-      rescue Exception
-        return false
-      end
+
+    # Tries to refresh the token if possible.
+    #
+    # @return [Hash, false] false if the token couldn't be refreshed due to
+    # unavailable API key; otherwise, the new token.
+    def refresh_token
+      return false unless @api_key
+      @token_born = gettime
+      @token = Conjur::API.authenticate(@username, @api_key)
     end
 
-    # Check to see if @token is defined, and whether it's expired
+    TOKEN_STALE = 5.minutes
+
+    # Checks if the token is old (or not present).
     #
-    # @raise [Exception] if the token is invalid
-    def validate_token
-      fail "token not present" unless @token
-      
-      # Actual token expiration is 8 minutes, but why cut it so close
-      expiration = 5.minutes
-      lag = Time.now - Time.parse(@token['timestamp'])
-      unless lag < expiration
-        fail "obtained token is invalid: "\
-            "token timestamp is #{@token['timestamp']}, #{lag} seconds ago"
-      end
+    # @return [Boolean]
+    def needs_token_refresh?
+      !@token || ((token_age || 0) > TOKEN_STALE)
+    end
+
+    def gettime
+      Process.clock_gettime Process::CLOCK_MONOTONIC
+    rescue
+      # fall back to normal clock if there's no CLOCK_MONOTONIC
+      Time.now.to_f
+    end
+
+    def token_age
+      @token_born && (gettime - @token_born)
     end
   end
 end

data/lib/conjur/escape.rb

@@ -25,7 +25,8 @@ module Conjur
   # The helpers are added as both class and isntance methods.
   module Escape
     module ClassMethods
-      # URL escape the entire string.  This is essentially the same as calling `CGI.escape str`.
+      # URL escape the entire string.  This is essentially the same as calling `CGI.escape str`,
+      # and then substituting `%20` for `+`.
       #
       # @example
       #   fully_escape 'foo/bar@baz'

data/lib/conjur/user.rb

@@ -19,9 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  class InvalidToken < Exception
-  end
-
   # This class represents a {http://developer.conjur.net/reference/services/directory/user Conjur User}.
   class User < RestClient::Resource
     include ActsAsAsset

data/spec/api/ldapsync_spec.rb

@@ -0,0 +1,54 @@
+#
+# Copyright (C) 2016 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'spec_helper'
+
+describe Conjur::API, api: :dummy do
+  let(:appliance_url){ "http://example.com/api" }
+  let(:ldapsync_url){ "#{appliance_url}/ldap-sync/sync" }
+  let(:response_json){
+    {
+        :okay => true,
+        :result => {
+            :actions => [
+                "Create user 'Guest'\n  Set annotation 'ldap-sync/source'\n  Set annotation 'ldap-sync/upstream-dn'"
+            ]
+        }
+    }
+  }
+  let(:response){ double('response', body: response_json.to_json) }
+
+  before do
+    allow(Conjur.configuration).to receive(:appliance_url).and_return appliance_url
+    allow(Conjur::API).to receive_messages(ldap_sync_now: ldapsync_url)
+  end
+
+  describe "#ldap_sync_now" do
+    it "POSTs /sync" do
+      expect_request(
+          url: ldapsync_url,
+          method: :post,
+          headers: credentials[:headers],
+          payload: {config_name: 'default', dry_run: true}
+      ).and_return response
+      api.ldap_sync_now('default', 'application/json', true)
+    end
+  end
+end

data/spec/lib/api_spec.rb

@@ -1,5 +1,4 @@
 require 'spec_helper'
-require 'timecop'
 
 shared_examples_for "API endpoint" do
   before { Conjur.configuration = Conjur::Configuration.new }
@@ -222,24 +221,67 @@ describe Conjur::API do
     end    
   end
 
-  shared_context logged_in: true do
+  shared_context "logged in", logged_in: true do
     let(:login) { "bob" }
     let(:token) { { 'data' => login, 'timestamp' => Time.now.to_s } }
-    subject { api }
     let(:remote_ip) { nil }
     let(:api_args) { [ token, remote_ip ].compact }
-    let(:api) { Conjur::API.new_from_token(*api_args) }
+    subject(:api) { Conjur::API.new_from_token(*api_args) }
     let(:account) { 'some-account' }
     before { allow(Conjur::Core::API).to receive_messages conjur_account: account }
   end
 
-  context "credential handling", logged_in: true do
-    context "from token" do
-      describe '#token' do
-        subject { super().token }
-        it { is_expected.to eq(token) }
+  shared_context "logged in with an API key", logged_in: :api_key do
+    include_context "logged in"
+    let(:api_key) { "theapikey" }
+    let(:api_args) { [ login, api_key, remote_ip ].compact }
+    subject(:api) { Conjur::API.new_from_key(*api_args) }
+  end
+
+  def time_travel delta
+    allow(api).to receive(:gettime).and_wrap_original do |m|
+      m[] + delta
+    end
+  end
+
+  describe '#token' do
+    context 'with API key available', logged_in: :api_key do
+      it "authenticates to get a token" do
+        expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token
+
+        expect(api.instance_variable_get("@token")).to eq(nil)
+        expect(api.token).to eq(token)
+        expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
       end
 
+      it "fetches a new token if old" do
+        allow(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token
+        expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
+
+        time_travel 6.minutes
+        new_token = token.merge "timestamp" => Time.now.to_s
+
+        expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return new_token
+        expect(api.token).to eq(new_token)
+      end
+    end
+
+    context 'with no API key available', logged_in: true do
+      it "returns the token used to create it" do
+        expect(api.token).to eq token
+      end
+
+      it "doesn't try to refresh an old token" do
+        expect(Conjur::API).not_to receive :authenticate
+        api.token # vivify
+        time_travel 6.minutes
+        expect { api.token }.not_to raise_error
+      end
+    end
+  end
+
+  context "credential handling", logged_in: true do
+    context "from token" do
       describe '#credentials' do
         subject { super().credentials }
         it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login }) }
@@ -260,44 +302,6 @@ describe Conjur::API do
         end
       end
     end
-      
-
-    context "from api key", logged_in: true do
-      let(:api_key) { "theapikey" }
-      let(:api_args) { [ login, api_key, remote_ip ].compact }
-      let(:api) { Conjur::API.new_from_key(*api_args) }
-      let(:remote_ip) { nil }
-      subject { api }
-
-      it("should authenticate to get a token") do
-        expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token
-        
-        expect(api.instance_variable_get("@token")).to eq(nil)
-        expect(api.token).to eq(token)
-        expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
-      end
-
-      it("checks if the token is fresh") do
-        expired_token = token.merge 'timestamp' => 10.minutes.ago.to_s
-        expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return expired_token
-
-        expect(api.instance_variable_get("@token")).to eq(nil)
-        expect { api.token }.to raise_error /obtained token is invalid/
-      end
-
-      context "with an expired token" do
-        it "fetches a new one" do
-          allow(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token
-          expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
-
-          Timecop.travel Time.now + 6.minutes
-          new_token = token.merge "timestamp" => Time.now.to_s
-
-          expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return new_token
-          expect(api.token).to eq(new_token)
-        end
-      end
-    end
 
     context "from logged-in RestClient::Resource" do
       let (:authz_header) { %Q{Token token="#{token_encoded}"} }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.23.0
+  version: 4.24.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-22 00:00:00.000000000 Z
+date: 2016-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -269,20 +269,6 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: timecop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: tins
   requirement: !ruby/object:Gem::Requirement
@@ -361,6 +347,7 @@ files:
 - lib/conjur/api/hosts.rb
 - lib/conjur/api/info.rb
 - lib/conjur/api/layers.rb
+- lib/conjur/api/ldapsync.rb
 - lib/conjur/api/pubkeys.rb
 - lib/conjur/api/resources.rb
 - lib/conjur/api/roles.rb
@@ -414,6 +401,7 @@ files:
 - spec/api/hosts_spec.rb
 - spec/api/info_spec.rb
 - spec/api/layer_spec.rb
+- spec/api/ldapsync_spec.rb
 - spec/api/pubkeys_spec.rb
 - spec/api/resources_spec.rb
 - spec/api/roles_spec.rb
@@ -490,6 +478,7 @@ test_files:
 - spec/api/hosts_spec.rb
 - spec/api/info_spec.rb
 - spec/api/layer_spec.rb
+- spec/api/ldapsync_spec.rb
 - spec/api/pubkeys_spec.rb
 - spec/api/resources_spec.rb
 - spec/api/roles_spec.rb