conjur-api 4.28.1 → 4.29.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f57acfdd94157de9609e46b399c12484591d13c2
-  data.tar.gz: a4ecc120203d25a8cfd56d9b01894a61e71d13cd
+  metadata.gz: f0564b6aa766b949e956c83932c25994999c8e03
+  data.tar.gz: 03be39ecd89a7b370115ce168c4b3c54acd45b09
 SHA512:
-  metadata.gz: ff668011c790785e3c80eeeccac8a85ee22e6337030f96c58bb69f9c012bce35044c96d33b47ea52ee8d203c65c79f2aebaf5e24355c7f1646eef93cbd947f1c
-  data.tar.gz: 547ae4223549ecf0150f861ec7e6736e90933219d9f22f122573f7745dedee3218ebf911b36eb44523bcfd3acad0ca99677582262ee3b27ab7fff9d97e7aa432
+  metadata.gz: d04e0fb688351001e486bc01613ecd5e1cd4ec66e7790f0ed802b9a7d4eb5280fef68498cf720ebe4a3cfc5a270e190a2e970fea8c9419cec16dbd77060b69d1
+  data.tar.gz: c64f11b333a74bfa8f5af3ad0985daa7b25f82d55db7514f00589f210be408d04079792b7a5ff8efe23922a5967e04e8759457b62c4fd8209b02d6daf7984232

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+# v4.29.0
+
+* Add `Conjur::API#new_from_token_file` to create an API instance from a file which contains an access token, which should be periodically updated by another process.
+
+# v4.28.2
+
+* Make sure certificate file is readable before trying to use it.
+
 # v4.28.1
 
 * `Conjur::API#ldap_sync_policy` now returns log events generated when

data/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-#ruby=ruby-2.1.5
+#ruby=ruby-2.2.5
 #ruby-gemset=conjur-api
 
 # Specify your gem's dependencies in conjur-api.gemspec

data/conjur-api.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency 'activesupport'
   gem.add_dependency 'semantic'
   
-  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rake', '~> 10.0'
   gem.add_development_dependency 'spork'
   gem.add_development_dependency 'rspec', '~> 3'
   gem.add_development_dependency 'rspec-expectations', '~> 3.4'
@@ -40,4 +40,5 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'redcarpet'
   gem.add_development_dependency 'tins', '~> 1.6', '< 1.7.0'
   gem.add_development_dependency 'inch'
+  gem.add_development_dependency 'fakefs'
 end

data/jenkins.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 
-CONJUR_VERSION=${CONJUR_VERSION:-"4.8"}
+CONJUR_VERSION=${CONJUR_VERSION:-"4.9"}
 DOCKER_IMAGE=${DOCKER_IMAGE:-"registry.tld/conjur-appliance-cuke-master:$CONJUR_VERSION-stable"}
 NOKILL=${NOKILL:-"0"}
 PULL=${PULL:-"1"}

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.28.1"
+    VERSION = "4.29.0"
   end
 end

data/lib/conjur/base.rb

@@ -117,11 +117,6 @@ module Conjur
       # 'super-secret' might get the token from a request header, create an {Conjur::API} instance with this method,
       # and use {Conjur::Resource#permitted?} to decide whether to accept and forward the request.
       #
-      # Note that Conjur tokens are issued as JSON.  This method expects to get the token as a parsed JSON Hash.
-      # When sending tokens as headers, you will normally use base64 encoded strings.  Authorization headers
-      # used by Conjur have the form `'Token token="#{b64encode token.to_json}"'`, but this format is in no way
-      # required.
-      #
       # @example A simple gatekeeper
       #   RESOURCE_NAME = 'protected-service'
       #
@@ -141,6 +136,21 @@ module Conjur
       def new_from_token(token, remote_ip = nil)
         self.new.init_from_token token, remote_ip
       end
+
+      # Create a new {Conjur::API} instance from a file containing a token issued by the
+      # {http://developer.conjur.net/reference/services/authentication Conjur authentication service}.
+      # The file is read the first time that a token is required. It is also re-read 
+      # whenever the API decides that the token it already has is getting close to expiration.
+      #
+      # This method is useful when an external process, such as a sidecar container, is continuously
+      # obtaining fresh tokens and writing them to a known file.
+      #
+      # @param [String] token_file the file path containing an authentication token as parsed JSON.
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @return [Conjur::API] an api that will authenticate with the tokens provided in the file.
+      def new_from_token_file(token_file, remote_ip = nil)
+        self.new.init_from_token_file token_file, remote_ip
+      end
       
       def encode_audit_ids(ids)
         ids.collect{|id| CGI::escape(id)}.join('&')
@@ -253,52 +263,146 @@ module Conjur
       end
     end
 
+    module MonotonicTime
+      def monotonic_time
+        Process.clock_gettime Process::CLOCK_MONOTONIC
+      rescue
+        # fall back to normal clock if there's no CLOCK_MONOTONIC
+        Time.now.to_f
+      end
+    end
+
+    module TokenExpiration
+      include MonotonicTime
+
+      # The four minutes is to work around a bug in Conjur < 4.7 causing a 404 on 
+      # long-running operations (when the token is used right around the 5 minute mark).
+      TOKEN_STALE = 4.minutes
+
+      attr_accessor :token_born
+
+      def needs_token_refresh?
+        token_age > TOKEN_STALE
+      end
+
+      def token_age
+        gettime - token_born
+      end
+    end
+
+    # When the API is constructed with an API key, the token can be refreshed using
+    # the username and API key. This authenticator assumes that the token was
+    # minted immediately before the API instance was created.
+    class APIKeyAuthenticator
+      include TokenExpiration
+
+      attr_reader :username, :api_key
+
+      def initialize username, api_key
+        @username = username
+        @api_key = api_key
+        update_token_born
+      end
+
+      def refresh_token
+        Conjur::API.authenticate(username, api_key).tap do
+          update_token_born
+        end
+      end
+
+      def update_token_born
+        self.token_born = gettime
+      end
+
+      def gettime
+        monotonic_time
+      end
+    end
+
+    # When the API is constructed with a token, the token cannot be refreshed.
+    class UnableAuthenticator
+      include MonotonicTime
+      
+      def refresh_token
+        raise "Unable to re-authenticate using an access token"
+      end
+
+      def needs_token_refresh?
+        false
+      end
+    end
+
+    # Obtains fresh tokens by reading them from a file. Some other process is assumed
+    # to be acquiring tokens and storing them to the file on a regular basis.
+    # 
+    # This authenticator assumes that the token was created immediately before
+    # it was written to the file.
+    class TokenFileAuthenticator
+      attr_reader :token_file
+
+      def initialize token_file
+        @token_file = token_file
+      end
+
+      attr_reader :last_mtime
+
+      def mtime
+        File.mtime token_file
+      end
+
+      def refresh_token
+        # There's a race condition here in which the file could be updated
+        # after we read the mtime but before we read the file contents. So to be
+        # conservative, use the oldest possible mtime.
+        mtime = self.mtime
+        File.open token_file, 'r' do |f|
+          JSON.load(f.read).tap { @last_mtime = mtime }
+        end
+      end
+
+      def needs_token_refresh?
+        mtime != last_mtime
+      end
+    end
+
     def init_from_key username, api_key, remote_ip = nil
       @username = username
       @api_key = api_key
       @remote_ip = remote_ip
+      @authenticator = APIKeyAuthenticator.new(username, api_key)
       self
     end
 
     def init_from_token token, remote_ip = nil
       @token = token
       @remote_ip = remote_ip
+      @authenticator = UnableAuthenticator.new
+      self
+    end
+
+    def init_from_token_file token_file, remote_ip = nil
+      @remote_ip = remote_ip
+      @authenticator = TokenFileAuthenticator.new(token_file)
       self
     end
 
+    attr_reader :authenticator
+
     private
-    attr_accessor :token_born
 
     # Tries to refresh the token if possible.
     #
     # @return [Hash, false] false if the token couldn't be refreshed due to
     # unavailable API key; otherwise, the new token.
     def refresh_token
-      return false unless @api_key
-      self.token_born = gettime
-      @token = Conjur::API.authenticate(@username, @api_key)
+      @token = @authenticator.refresh_token
     end
 
-    # The four minutes is to work around a bug in Conjur < 4.7 causing a 404 on 
-    # long-running operations (when the token is used right around the 5 minute mark).
-    TOKEN_STALE = 4.minutes
-
     # Checks if the token is old (or not present).
     #
     # @return [Boolean]
     def needs_token_refresh?
-      !@token || ((token_age || 0) > TOKEN_STALE)
-    end
-
-    def gettime
-      Process.clock_gettime Process::CLOCK_MONOTONIC
-    rescue
-      # fall back to normal clock if there's no CLOCK_MONOTONIC
-      Time.now.to_f
-    end
-
-    def token_age
-      token_born && (gettime - token_born)
+      !@token || @authenticator.needs_token_refresh?
     end
   end
 end

data/lib/conjur/configuration.rb

@@ -420,6 +420,7 @@ module Conjur
           end
         end
       elsif cert_file
+        ensure_cert_readable!(cert_file)
         store.add_file cert_file
       else
         return false
@@ -468,5 +469,12 @@ module Conjur
       name.downcase.gsub(/[^a-z0-9\-]/, '-')
     end
 
+    def ensure_cert_readable!(path)
+      # Try to open the file to make sure it exists and that it's
+      # readable. Don't rescue exceptions from it, just let them
+      # propagate.
+      File.open(path) {}
+    end
+
   end
 end

data/spec/lib/api_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'fakefs/spec_helpers'
 
 shared_examples_for "API endpoint" do
   before { Conjur.configuration = Conjur::Configuration.new }
@@ -238,13 +239,55 @@ describe Conjur::API do
     subject(:api) { Conjur::API.new_from_key(*api_args) }
   end
 
+  shared_context "logged in with a token file", logged_in: :token_file do
+    include FakeFS::SpecHelpers
+    include_context "logged in"
+    let(:token_file) { "token_file" }
+    let(:api_args) { [ token_file, remote_ip ].compact }
+    subject(:api) { Conjur::API.new_from_token_file(*api_args) }
+  end
+
   def time_travel delta
-    allow(api).to receive(:gettime).and_wrap_original do |m|
+    allow(api.authenticator).to receive(:gettime).and_wrap_original do |m|
+      m[] + delta
+    end
+    allow(api.authenticator).to receive(:monotonic_time).and_wrap_original do |m|
+      m[] + delta
+    end
+    allow(Time).to receive(:now).and_wrap_original do |m|
       m[] + delta
     end
   end
 
   describe '#token' do
+    context 'with token file available', logged_in: :token_file do
+      def write_token token
+        File.write token_file, JSON.generate(token)
+      end
+
+      before do
+        write_token token
+      end
+
+      it "reads the file to get a token" do
+        expect(api.instance_variable_get("@token")).to eq(nil)
+        expect(api.token).to eq(token)
+        expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
+      end
+
+      context "after expiration" do
+        it 'it reads a new token' do
+          expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
+          
+          time_travel 6.minutes
+          new_token = token.merge "timestamp" => Time.now.to_s
+          write_token new_token
+          
+          expect(api.token).to eq(new_token)
+        end
+      end
+    end
+
     context 'with API key available', logged_in: :api_key do
       it "authenticates to get a token" do
         expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token

data/spec/lib/configuration_spec.rb

@@ -215,6 +215,8 @@ describe Conjur::Configuration do
   end
 
   describe "apply_cert_config!" do
+    let (:cert_exists) { true }
+    let (:cert_readable) { true }
     subject{ Conjur.configuration.apply_cert_config! }
 
     let(:store){ double('default store') }
@@ -223,42 +225,47 @@ describe Conjur::Configuration do
       stub_const 'OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE', store
       allow_any_instance_of(Conjur::Configuration).to receive(:ssl_certificate).and_return ssl_certificate
       allow_any_instance_of(Conjur::Configuration).to receive(:cert_file).and_return cert_file
+      allow_any_instance_of(Conjur::Configuration).to receive(:ensure_cert_readable!).with(cert_file) do
+        raise Errno::ENOENT unless cert_exists
+        raise Errno::EPERM unless cert_readable
+      end
     end
 
-    context "when neither cert_file or ssl_certificate is present" do
-      let(:cert_file){ nil }
-      let(:ssl_certificate){ nil }
+    context 'when cert file may exist' do
+      context "when neither cert_file or ssl_certificate is present" do
+        let(:cert_file){ nil }
+        let(:ssl_certificate){ nil }
 
-      it 'does nothing to the store' do
-        expect(store).to_not receive(:add_file)
-        expect(store).to_not receive(:add_cert)
-        expect(subject).to be_falsey
+        it 'does nothing to the store' do
+          expect(store).to_not receive(:add_file)
+          expect(store).to_not receive(:add_cert)
+          expect(subject).to be_falsey
+        end
       end
-    end
 
-    context 'when both are given' do
-      let(:cert_file){ '/path/to/cert.pem' }
-      let(:ssl_certificate){ "-----BEGIN CERTIFICATE-----\nfoo\n-----END CERTIFICATE-----\n" }
-      let(:cert){ double('certificate') }
-      it 'calls store.add_cert with a certificate created from ssl_certificate' do
-        expect(OpenSSL::X509::Certificate).to receive(:new).with(ssl_certificate).once.and_return cert
-        expect(store).to receive(:add_cert).once.with(cert)
-        expect(subject).to be_truthy
+      context 'when both are given' do
+        let(:cert_file){ '/path/to/cert.pem' }
+        let(:ssl_certificate){ "-----BEGIN CERTIFICATE-----\nfoo\n-----END CERTIFICATE-----\n" }
+        let(:cert){ double('certificate') }
+        it 'calls store.add_cert with a certificate created from ssl_certificate' do
+          expect(OpenSSL::X509::Certificate).to receive(:new).with(ssl_certificate).once.and_return cert
+          expect(store).to receive(:add_cert).once.with(cert)
+          expect(subject).to be_truthy
+        end
       end
-    end
 
-    context 'when cert_file is given and ssl_certificate is not' do
-      let(:cert_file){ '/path/to/cert.pem' }
-      let(:ssl_certificate){ nil }
-      it 'calls store.add_file with cert_file' do
-        expect(store).to receive(:add_file).with(cert_file).once
-        expect(subject).to be_truthy
+      context 'when cert_file is given and ssl_certificate is not' do
+        let(:cert_file){ '/path/to/cert.pem' }
+        let(:ssl_certificate){ nil }
+        it 'calls store.add_file with cert_file' do
+          expect(store).to receive(:add_file).with(cert_file).once
+          expect(subject).to be_truthy
+        end
       end
-    end
 
-    context 'when ssl_certificate is given' do
-      let(:cert_file){ nil }
-      let(:ssl_certificate){ "-----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIJAO4Lf1Rf2cciMA0GCSqGSIb3DQEBBQUAMDMxMTAvBgNV BAMTKGVjMi01NC05MS0yNDYtODQuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20wHhcN MTQxMDA4MjEwNTA5WhcNMjQxMDA1MjEwNTA5WjAzMTEwLwYDVQQDEyhlYzItNTQt OTEtMjQ2LTg0LmNvbXB1dGUtMS5hbWF6b25hd3MuY29tMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAx+OFANXNEYNsMR3Uvg4/72VG3LZO8yxrYaYzc3FZ NN3NpIOCZvRTC5S+OawsdEljHwfhdVoXdWNKgVJakSxsAnnaj11fA6XpfN60o6Fk i4q/BqwqgeNJjKAlElFsNz2scWFWRe49NHlj9qaq/yWZ8Cn0IeHy8j8F+jMek4zt dCSxVEayVG/k8RFmYCcluQc/1LuCjPiFwJU43AGkO+yvmOuYGivsNKY+54yuEZqF VDsjAjMsYXxgLx9y1F7Rq3CfeqY6IajR7pmmRup8/D9NyyyQuIML83mjTSvo0UYu rkdXPObd/m6gumscvXMl6SoJ5IPItvTA42MZqTaNzimF0QIDAQABo2gwZjBkBgNV HREEXTBbgglsb2NhbGhvc3SCBmNvbmp1coIcY29uanVyLW1hc3Rlci5pdHAuY29u anVyLm5ldIIoZWMyLTU0LTkxLTI0Ni04NC5jb21wdXRlLTEuYW1hem9uYXdzLmNv bTANBgkqhkiG9w0BAQUFAAOCAQEANk7P3ZEZHLgiTrLG13VAkm33FAvFzRG6akx1 jgNeRDgSaxRtrfJq3mnhsmD6hdvv+e6prPCFOjeEDheyCZyQDESdVEJBwytHVjnH dbvgMRaPm6OO8CyRyNjg3YcC36T//oQKOdAXXEcrtd0QbelBDYlKA7smJtznfhAb XypVdeS/6I4qvJi3Ckp5sQ1GszYhVXAvEeWeY59WwsTWYHLkzss9QShnigPyo3LY ZA5JVXofYi9DJ6VexP7sJNhCMrY2WnMpPcAOB9T7a6lcoXj6mWxvFys0xDIEOnc6 NGb+d47blphUKRZMAUZgYgFfMfmlyu1IXj03J8AuKtIMEwkXAA== -----END CERTIFICATE----- " }
+      context 'when ssl_certificate is given' do
+        let(:cert_file){ nil }
+        let(:ssl_certificate){ "-----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIJAO4Lf1Rf2cciMA0GCSqGSIb3DQEBBQUAMDMxMTAvBgNV BAMTKGVjMi01NC05MS0yNDYtODQuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20wHhcN MTQxMDA4MjEwNTA5WhcNMjQxMDA1MjEwNTA5WjAzMTEwLwYDVQQDEyhlYzItNTQt OTEtMjQ2LTg0LmNvbXB1dGUtMS5hbWF6b25hd3MuY29tMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAx+OFANXNEYNsMR3Uvg4/72VG3LZO8yxrYaYzc3FZ NN3NpIOCZvRTC5S+OawsdEljHwfhdVoXdWNKgVJakSxsAnnaj11fA6XpfN60o6Fk i4q/BqwqgeNJjKAlElFsNz2scWFWRe49NHlj9qaq/yWZ8Cn0IeHy8j8F+jMek4zt dCSxVEayVG/k8RFmYCcluQc/1LuCjPiFwJU43AGkO+yvmOuYGivsNKY+54yuEZqF VDsjAjMsYXxgLx9y1F7Rq3CfeqY6IajR7pmmRup8/D9NyyyQuIML83mjTSvo0UYu rkdXPObd/m6gumscvXMl6SoJ5IPItvTA42MZqTaNzimF0QIDAQABo2gwZjBkBgNV HREEXTBbgglsb2NhbGhvc3SCBmNvbmp1coIcY29uanVyLW1hc3Rlci5pdHAuY29u anVyLm5ldIIoZWMyLTU0LTkxLTI0Ni04NC5jb21wdXRlLTEuYW1hem9uYXdzLmNv bTANBgkqhkiG9w0BAQUFAAOCAQEANk7P3ZEZHLgiTrLG13VAkm33FAvFzRG6akx1 jgNeRDgSaxRtrfJq3mnhsmD6hdvv+e6prPCFOjeEDheyCZyQDESdVEJBwytHVjnH dbvgMRaPm6OO8CyRyNjg3YcC36T//oQKOdAXXEcrtd0QbelBDYlKA7smJtznfhAb XypVdeS/6I4qvJi3Ckp5sQ1GszYhVXAvEeWeY59WwsTWYHLkzss9QShnigPyo3LY ZA5JVXofYi9DJ6VexP7sJNhCMrY2WnMpPcAOB9T7a6lcoXj6mWxvFys0xDIEOnc6 NGb+d47blphUKRZMAUZgYgFfMfmlyu1IXj03J8AuKtIMEwkXAA== -----END CERTIFICATE----- " }
         let(:actual_certificate) {
           <<-CERT
 -----BEGIN CERTIFICATE-----
@@ -283,49 +290,49 @@ NGb+d47blphUKRZMAUZgYgFfMfmlyu1IXj03J8AuKtIMEwkXAA==
 -----END CERTIFICATE-----
 CERT
         }
-      let(:cert){ double('cert') }
+        let(:cert){ double('cert') }
 
-      before do
-        expect(OpenSSL::X509::Certificate).to receive(:new).with(actual_certificate).at_least(:once).and_return cert
-      end
+        before do
+          expect(OpenSSL::X509::Certificate).to receive(:new).with(actual_certificate).at_least(:once).and_return cert
+        end
 
-      it 'calls store.add_cert with a certificate created from ssl_certificate' do
-        expect(store).to receive(:add_cert).with(cert).once
-        expect(subject).to be_truthy
-      end
+        it 'calls store.add_cert with a certificate created from ssl_certificate' do
+          expect(store).to receive(:add_cert).with(cert).once
+          expect(subject).to be_truthy
+        end
 
-      it 'rescues from a StoreError with message "cert already in hash tabble"' do
-        expect(store).to receive(:add_cert).with(cert).once.and_raise(OpenSSL::X509::StoreError.new('cert already in hash table'))
-        expect(subject).to be_truthy
-      end
+        it 'rescues from a StoreError with message "cert already in hash tabble"' do
+          expect(store).to receive(:add_cert).with(cert).once.and_raise(OpenSSL::X509::StoreError.new('cert already in hash table'))
+          expect(subject).to be_truthy
+        end
 
 
-      it 'does not rescue from other exceptions' do
-        exn = OpenSSL::X509::StoreError.new('some other message')
-        expect(store).to receive(:add_cert).with(cert).once.and_raise(exn)
-        expect{subject}.to raise_error exn
-        exn = ArgumentError.new('bad news')
-        expect(store).to receive(:add_cert).with(cert).once.and_raise(exn)
-        expect{subject}.to raise_error exn
+        it 'does not rescue from other exceptions' do
+          exn = OpenSSL::X509::StoreError.new('some other message')
+          expect(store).to receive(:add_cert).with(cert).once.and_raise(exn)
+          expect{subject}.to raise_error exn
+          exn = ArgumentError.new('bad news')
+          expect(store).to receive(:add_cert).with(cert).once.and_raise(exn)
+          expect{subject}.to raise_error exn
+        end
       end
-    end
 
-    context 'when given a store argument' do
-      let(:cert_file){ '/path/to/cert.pem' }
-      let(:ssl_certificate){ nil }
-      let(:alt_store){ double('alt store') }
-      subject{ Conjur.configuration.apply_cert_config! alt_store }
+      context 'when given a store argument' do
+        let(:cert_file){ '/path/to/cert.pem' }
+        let(:ssl_certificate){ nil }
+        let(:alt_store){ double('alt store') }
+        subject{ Conjur.configuration.apply_cert_config! alt_store }
 
-      it 'uses that store instead' do
-        expect(alt_store).to receive(:add_file).with(cert_file).once
-        expect(subject).to be_truthy
+        it 'uses that store instead' do
+          expect(alt_store).to receive(:add_file).with(cert_file).once
+          expect(subject).to be_truthy
+        end
       end
-    end
 
-    context 'with two certificates in a string' do
-      let(:cert_file) { nil }
-      let(:ssl_certificate) do
-        """-----BEGIN CERTIFICATE-----
+      context 'with two certificates in a string' do
+        let(:cert_file) { nil }
+        let(:ssl_certificate) do
+          """-----BEGIN CERTIFICATE-----
 MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
 CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
 BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
@@ -367,12 +374,35 @@ BvYRjnTB2LSxfmSnkrCeFPmhE11bWVtsLIdrGIgtEMX0/s9xg58QuNnva1U3pJsW
 RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
 -----END CERTIFICATE-----
 """
+        end
+
+        it 'adds both to the store' do
+          expect(store).to receive(:add_cert).twice
+          expect(subject).to be_truthy
+        end
+      end
+      
+    end
+
+    context 'when cert file is not readable' do
+      let(:cert_file) { '/path/to/not_cert.pem' }
+      let(:ssl_certificate) { nil }
+
+      context 'raises ENOENT when cert file does not exist' do
+        let(:cert_exists) { false }
+        it 'raises the exception' do
+          expect{subject}.to raise_error(Errno::ENOENT)
+        end
       end
 
-      it 'adds both to the store' do
-        expect(store).to receive(:add_cert).twice
-        expect(subject).to be_truthy
+      context "raises EPERM when cert file does not have read permission" do
+        let(:cert_readable) {false}
+        it 'raises the exception' do
+          expect{subject}.to raise_error(Errno::EPERM)
+        end
       end
+
     end
+
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.28.1
+  version: 4.29.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-30 00:00:00.000000000 Z
+date: 2017-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -63,16 +63,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '10.0'
 - !ruby/object:Gem::Dependency
   name: spork
   requirement: !ruby/object:Gem::Requirement
@@ -303,6 +303,20 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: fakefs
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Conjur API
 email:
 - rafal@conjur.net