conjur-api 4.25.0 → 4.25.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e0f792bf6c2fecf1b2c2c5756b612107162435c7
-  data.tar.gz: 34ee61c0276a1e07ca7f3ba449474d402d867475
+  metadata.gz: 6a4d39e4a78aca87161fdd361e061d8fa61eb103
+  data.tar.gz: 18c7f65ecd58167229788f3d01ffd55c22198341
 SHA512:
-  metadata.gz: cf65304611eb945ad4f5b352a01405096acce35a42b721bf9c999660423fedf8fd9524896d17de26e792ed4fe02292739cf86a49ec5fc04a1aa8ce26bccab152
-  data.tar.gz: 9a1d53c9643545419e27172f204635b6273155b4a3f0c0920cfda05e8631387f46433a266badc660a8a65b8a5995e2f83e4b5fd9431f31311bcb5b9d0866192e
+  metadata.gz: 92e237543b838497692b062f514d3bf17693f82a1705a3527146e262417629c667a3bd5f2c4cf9247eac630bf0985d990a45f31b5d8f1bc93d0e557b1305b2ee
+  data.tar.gz: ab2049acd3830d358897ab9b3bc4c2450c088c6c94bc8ac7bab5c03fa4ae320b9294d661ca87a1360944ebe95ef8c1f8bbdfd1aa66c65025d60277b1fc633d32

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+# v4.25.1
+
+* Fix token refresh when using `with_privilege`, `with_audit_roles`,
+  and `with_audit_resources`.
+
 # v4.25.0
 
 * Add a workaround for a bug in Conjur <4.7 where long-running operations

data/Gemfile

@@ -7,5 +7,5 @@ source 'https://rubygems.org'
 gemspec
 
 group :development do
-  gem 'pry'
+  gem 'pry-byebug'
 end

data/jenkins.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 
-CONJUR_VERSION=${CONJUR_VERSION:-"5.0"}
+CONJUR_VERSION=${CONJUR_VERSION:-"4.8"}
 DOCKER_IMAGE=${DOCKER_IMAGE:-"registry.tld/conjur-appliance-cuke-master:$CONJUR_VERSION-stable"}
 NOKILL=${NOKILL:-"0"}
 PULL=${PULL:-"1"}

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.25.0"
+    VERSION = "4.25.1"
   end
 end

data/lib/conjur/base.rb

@@ -104,7 +104,7 @@ module Conjur
       # @param [String] remote_ip the optional IP address to be recorded in the audit record.
       # @return [Conjur::API] an api that will authenticate with the given username and api key.
       def new_from_key(username, api_key, remote_ip = nil)
-        self.new username, api_key, nil, remote_ip
+        self.new.init_from_key username, api_key, remote_ip
       end
 
 
@@ -139,7 +139,7 @@ module Conjur
       # @param [String] remote_ip the optional IP address to be recorded in the audit record.
       # @return [Conjur::API] an api that will authenticate with the token
       def new_from_token(token, remote_ip = nil)
-        self.new nil, nil, token, remote_ip
+        self.new.init_from_token token, remote_ip
       end
       
       def encode_audit_ids(ids)
@@ -151,28 +151,6 @@ module Conjur
       end
 
     end
-    
-    # Create a new instance from a username and api key or a token.
-    #
-    # @note You should use {Conjur::API.new_from_token} or {Conjur::API.new_from_key} instead of calling this method
-    #   directly.
-    #
-    # This method requires that you pass **either** a username and api_key **or** a token Hash.
-    #
-    # @param [String] username the username to authenticate as
-    # @param [String] api_key the api key or password to use when authenticating
-    # @param [Hash] token the token to use when making authenticated requuests.
-    # @param [String] remote_ip the optional IP address to be recorded in the audit record.
-    #
-    # @api internal
-    def initialize username, api_key, token, remote_ip = nil
-      @username = username
-      @api_key = api_key
-      @token = token
-      @remote_ip = remote_ip
-
-      raise "Expecting ( username and api_key ) or token" unless ( username && api_key ) || token
-    end
 
     #@!attribute [r] api_key
     # The api key used to create this instance.  This is only present when you created the api with {Conjur::API.new_from_key}.#
@@ -254,14 +232,14 @@ module Conjur
     # 
     # @return The API instance.
     def with_privilege privilege
-      self.class.new(username, api_key, token, remote_ip).tap do |api|
+      self.clone.tap do |api|
         api.privilege = privilege
       end
     end
 
     def with_audit_roles role_ids
       role_ids = Array(role_ids)
-      self.class.new(username, api_key, token, remote_ip).tap do |api|
+      self.clone.tap do |api|
         # Ensure that all role ids are fully qualified
         api.audit_roles = role_ids.collect { |id| api.role(id).roleid }
       end
@@ -269,14 +247,27 @@ module Conjur
 
     def with_audit_resources resource_ids
       resource_ids = Array(resource_ids)
-      self.class.new(username, api_key, token, remote_ip).tap do |api|
+      self.clone.tap do |api|
         # Ensure that all resource ids are fully qualified
         api.audit_resources = resource_ids.collect { |id| api.resource(id).resourceid }
       end
     end
 
-    private
+    def init_from_key username, api_key, remote_ip = nil
+      @username = username
+      @api_key = api_key
+      @remote_ip = remote_ip
+      self
+    end
 
+    def init_from_token token, remote_ip = nil
+      @token = token
+      @remote_ip = remote_ip
+      self
+    end
+
+    private
+    attr_accessor :token_born
 
     # Tries to refresh the token if possible.
     #
@@ -284,7 +275,7 @@ module Conjur
     # unavailable API key; otherwise, the new token.
     def refresh_token
       return false unless @api_key
-      @token_born = gettime
+      self.token_born = gettime
       @token = Conjur::API.authenticate(@username, @api_key)
     end
 
@@ -307,7 +298,7 @@ module Conjur
     end
 
     def token_age
-      @token_born && (gettime - @token_born)
+      token_born && (gettime - token_born)
     end
   end
 end

data/spec/lib/api_spec.rb

@@ -254,15 +254,38 @@ describe Conjur::API do
         expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
       end
 
-      it "fetches a new token if old" do
-        allow(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token
-        expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
+      context "after expiration" do
+
+        shared_examples "it gets a new token" do
+          it 'by refreshing' do
+            allow(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token
+            expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
+            
+            time_travel 6.minutes
+            new_token = token.merge "timestamp" => Time.now.to_s
+            
+            expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return new_token
+            expect(api.token).to eq(new_token)
+          end
+        end
 
-        time_travel 6.minutes
-        new_token = token.merge "timestamp" => Time.now.to_s
+        it_should_behave_like "it gets a new token"
+        
+        context "with elevated privilege" do
+          subject(:api) { Conjur::API.new_from_key(*api_args).with_privilege('reveal') }
+          it_should_behave_like "it gets a new token"
+        end
+
+        context "with audit roles" do
+          subject(:api) { Conjur::API.new_from_key(*api_args).with_audit_roles('account:host:host1') }
+          it_should_behave_like "it gets a new token"
+        end
+
+        context "with audit resources" do
+          subject(:api) { Conjur::API.new_from_key(*api_args).with_audit_resources('account:webservice:service1') }
+          it_should_behave_like "it gets a new token"
+        end
 
-        expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return new_token
-        expect(api.token).to eq(new_token)
       end
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.25.0
+  version: 4.25.1
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-06-17 00:00:00.000000000 Z
+date: 2016-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client