conjur-api 4.31.0 → 5.0.0.rc1

data/lib/conjur/variable.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013-2016 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -20,69 +20,37 @@
 #
 module Conjur
 
-  # Secrets stored in Conjur are represented by {http://developer.conjur.net/reference/services/directory/variable Variables}.
+  # Protected (secret) data stored in Conjur.
+  # 
   # The code responsible for the actual encryption of variables is open source as part of the
   # {https://github.com/conjurinc/slosilo Slosilo} library.
   #
-  # You should not generally create instances of this class directly.  Instead, you can get them from
-  # {Conjur::API} methods such as {Conjur::API#create_variable} and {Conjur::API#variable}.
-  #
-  # Conjur variables store metadata (mime-type and secret kind) with each secret.
+  # Each variables has some standard metadata (`mime-type` and secret `kind`).
   #
   # Variables are *versioned*.  Storing secrets in multiple places is a bad security practice, but
   # overwriting a secret accidentally can create a major problem for development and ops teams.  Conjur
-  # discourages bad security practices while avoiding ops disasters by storing all previous versions of
-  # a secret.
+  # discourages bad security practices while avoiding ops disasters by storing previous versions of
+  # a secret (up to a fixed limit, to avoid unbounded database growth).
   #
   # ### Important
   # A common pitfall when trying to access older versions of a variable is to assume that `0` is the oldest
-  # version.  In fact, `0` references the *latest* version, while *1* is the oldest.
-  #
+  # version.  Variable versions are `1`-based, with `1` being the oldest.
   #
   # ### Permissions
   #
-  # * To *read* the value of a `variable`, you must have permission to `'execute'` the variable.
+  # * To *fetch* the value of a `variable`, you must have permission to `'execute'` the variable.
   # * To *add* a value to a `variable`, you must have permission to `'update'` the variable.
   # * To *show* metadata associated with a variable, but *not* the value of the secret, you must have `'read'`
   #     permission on the variable.
   #
-  #  When you create a secret, the creator role is granted all three of the above permissions.
-  #
   # @example Get a variable and access its metadata and the latest value
-  #   variable = api.variable 'example'
+  #   variable = api.resource 'myorg:variable:example'
   #   puts variable.kind      # "example-secret"
   #   puts variable.mime_type # "text/plain"
   #   puts variable.value     # "supahsecret"
-  #
-  # @example Variable permissions
-  #   # use our 'admin' api to create a variable 'permissions-example
-  #   admin_var = admin_api.create_variable 'text/plain', 'example', 'permissions-example'
-  #
-  #   # get a 'view' to it from user 'alice'
-  #   alice_var = alice_api.variable admin_var.id
-  #
-  #   # Initilally, all of the following raise a RestClient::Forbidden exception
-  #   alice_var.attributes
-  #   alice_var.value
-  #   alice_var.add_value 'hi'
-  #
-  #   # Allow alice to see the variables attributes
-  #   admin_var.permit 'read', alice
-  #   alice_var.attributes # OK
-  #
-  #   # Allow alice to update the variable
-  #   admin_var.permit 'update', alice
-  #   alice_var.add_value 'hello'
-  #
-  #   # Notice that alice still can't see the variable's value:
-  #   alice_var.value # raises RestClient::Forbidden
-  #
-  #   # Finally, we let alice execute the variable
-  #   admin_var.permit 'execute', alice
-  #   alice_var.value # 'hello'
-  #
+
   # @example Variables are versioned
-  #   var = api.variable 'version-example'
+  #   variable = api.resource 'myorg:variable:example'
   #   # Unless you set a variables value when you create it, the variable starts out without a value and version_count
   #   # is 0.
   #   var.version_count # => 0
@@ -106,9 +74,16 @@ module Conjur
   #   # Notice that version 0 of a variable is always the most recent:
   #   var.value 0 # => 'value 2'
   #
-  class Variable < RestClient::Resource
-    include ActsAsAsset
+  class Variable < BaseObject
+    include ActsAsResource
 
+    def as_json options={}
+      result = super(options)
+      result["mime_type"] = mime_type
+      result["kind"] = kind
+      result
+    end
+    
     # The kind of secret represented by this variable,  for example, `'postgres-url'` or
     # `'aws-secret-access-key'`.
     #
@@ -120,7 +95,7 @@ module Conjur
     # @note this is **not** the same as the `kind` part of a qualified Conjur id.
     # @return [String] a string representing the kind of secret.
     def kind
-      attributes['kind']
+      annotation_value 'conjur/kind' || "secret"
     end
 
     # The MIME Type of the variable's value.
@@ -134,7 +109,7 @@ module Conjur
     #
     # @return [String] a MIME type, such as `'text/plain'` or `'application/octet-stream'`.
     def mime_type
-      attributes['mime_type']
+      annotation_value 'conjur/mime_type' || "text/plain"
     end
 
     # Add a new value to the variable.
@@ -155,7 +130,7 @@ module Conjur
         logger << "Adding a value to variable #{id}"
       end
       invalidate do
-        self['values'].post value: value
+        core_resource['secrets'][id.to_url_path].post value
       end
     end
 
@@ -170,7 +145,12 @@ module Conjur
     #
     # @return [Integer] the number of versions
     def version_count
-      self.attributes['version_count']
+      secrets = attributes['secrets']
+      if secrets.empty?
+        0
+      else
+        secrets.last['version']
+      end
     end
 
     # Return the version of a variable.
@@ -205,34 +185,9 @@ module Conjur
     # @param options [Hash]
     # @option options [Boolean, false] :show_expired show value even if variable has expired
     # @return [String] the value of the variable
-    def value(version = nil, options = {})
-      url = 'value'
+    def value version = nil, options = {}
       options['version'] = version if version
-      url << '?' + options.to_query unless options.empty?
-      self[url].get.body
+      core_resource['secrets'][id.to_url_path][options_querystring options].get.body
     end
-
-    # Set the variable to expire after the given interval. The
-    # interval can either be an ISO8601 duration or it can the number
-    # of seconds for which the variable should be valid. Once a
-    # variable has expired, its value will no longer be retrievable.
-    #
-    # You must have the **`'update'`** permission on a variable to call this method.
-    #
-    # @example Use an ISO8601 duration to set the expiration for a variable to tomorrow
-    #   var = api.variable 'my-secret'
-    #   var.expires_in "P1D"
-    #
-    # @example Use ActiveSupport to set the expiration for a variable to tomorrow
-    #   require 'active_support/all'
-    #   var = api.variable 'my-secret'
-    #   var.expires_in 1.day
-    # @param interval a String containing an ISO8601 duration, otherwise the number of seconds before the variable xpires
-    # @return [Hash] description of the variable's expiration, including the (Conjur server) time when it expires
-    def expires_in interval
-      duration = interval.respond_to?(:to_str) ? interval : "PT#{interval.to_i}S"
-      JSON::parse(self['expiration'].post(duration: duration).body)
-    end
-
   end
 end

data/lib/conjur/{authz-api.rb → webservice.rb}

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,20 +19,12 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  module Authz
-    class API < Conjur::API
-      class << self
-
-        # The URL for the audit service
-        #
-        # @return [String] the audit service url.
-        def host
-          Conjur.configuration.authz_url
-        end
-      end
-    end
+  # A Conjur Webservice, which protects access to service code.
+  #
+  # Permissions on webservices can be granted and interpreted in a free-form way
+  # which is appropriate to the domain. For example, for a Docker registry
+  # which is guarded by a Webservice, the likely privileges would be `pull` and `push`.
+  class Webservice < BaseObject
+    include ActsAsResource
   end
 end
-
-require 'conjur/api/roles'
-require 'conjur/api/resources'

data/lib/conjur-api/version.rb

@@ -1,4 +1,4 @@
-# Copyright (C) 2013-2016 Conjur Inc.
+# Copyright 2013-2017 Conjur Inc.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.31.0"
+    VERSION = "5.0.0.rc1"
   end
 end

data/publish.sh

@@ -0,0 +1,7 @@
+#!/bin/bash -e
+
+docker pull registry.tld/conjurinc/publish-rubygem
+
+summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
+  docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
+  registry.tld/conjurinc/publish-rubygem conjur-api

data/spec/api_spec.rb

@@ -0,0 +1,208 @@
+require 'spec_helper'
+require 'fakefs/spec_helpers'
+
+describe Conjur::API do
+
+  let(:account) { 'api-spec-acount' }
+  before { allow(Conjur.configuration).to receive_messages account: account }
+
+  shared_context "logged in", logged_in: true do
+    let(:login) { "bob" }
+    let(:token) { { 'data' => login, 'timestamp' => Time.now.to_s } }
+    let(:remote_ip) { nil }
+    let(:api_args) { [ token, { remote_ip: remote_ip } ] }
+    subject(:api) { Conjur::API.new_from_token(*api_args) }
+  end
+
+  shared_context "logged in with an API key", logged_in: :api_key do
+    include_context "logged in"
+    let(:api_key) { "theapikey" }
+    let(:api_args) { [ login, api_key, { remote_ip: remote_ip, account: account } ] }
+    subject(:api) { Conjur::API.new_from_key(*api_args) }
+  end
+
+  shared_context "logged in with a token file", logged_in: :token_file do
+    include FakeFS::SpecHelpers
+    include_context "logged in"
+    let(:token_file) { "token_file" }
+    let(:api_args) { [ token_file, { remote_ip: remote_ip } ] }
+    subject(:api) { Conjur::API.new_from_token_file(*api_args) }
+  end
+
+  def time_travel delta
+    allow(api.authenticator).to receive(:gettime).and_wrap_original do |m|
+      m[] + delta
+    end
+    allow(api.authenticator).to receive(:monotonic_time).and_wrap_original do |m|
+      m[] + delta
+    end
+    allow(Time).to receive(:now).and_wrap_original do |m|
+      m[] + delta
+    end
+  end
+
+  describe '#token' do
+    context 'with token file available', logged_in: :token_file do
+      def write_token token
+        File.write token_file, JSON.generate(token)
+      end
+
+      before do
+        write_token token
+      end
+
+      it "reads the file to get a token" do
+        expect(api.instance_variable_get("@token")).to eq(nil)
+        expect(api.token).to eq(token)
+        expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
+      end
+
+      context "after expiration" do
+        it 'it reads a new token' do
+          expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
+          
+          time_travel 6.minutes
+          new_token = token.merge "timestamp" => Time.now.to_s
+          write_token new_token
+          
+          expect(api.token).to eq(new_token)
+        end
+      end
+    end
+
+    context 'with API key available', logged_in: :api_key do
+      it "authenticates to get a token" do
+        expect(Conjur::API).to receive(:authenticate).with(login, api_key, account: account).and_return token
+
+        expect(api.instance_variable_get("@token")).to eq(nil)
+        expect(api.token).to eq(token)
+        expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
+      end
+
+      context "after expiration" do
+
+        shared_examples "it gets a new token" do
+          it 'by refreshing' do
+            allow(Conjur::API).to receive(:authenticate).with(login, api_key, account: account).and_return token
+            expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
+            
+            time_travel 6.minutes
+            new_token = token.merge "timestamp" => Time.now.to_s
+            
+            expect(Conjur::API).to receive(:authenticate).with(login, api_key, account: account).and_return new_token
+            expect(api.token).to eq(new_token)
+          end
+        end
+
+        it_should_behave_like "it gets a new token"
+      end
+    end
+
+    context 'with no API key available', logged_in: true do
+      it "returns the token used to create it" do
+        expect(api.token).to eq token
+      end
+
+      it "doesn't try to refresh an old token" do
+        expect(Conjur::API).not_to receive :authenticate
+        api.token # vivify
+        time_travel 6.minutes
+        expect { api.token }.not_to raise_error
+      end
+    end
+  end
+
+  context "credential handling", logged_in: true do
+    context "from token" do
+      describe '#credentials' do
+        subject { super().credentials }
+        it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login }) }
+      end
+      
+      context "with remote_ip" do
+        let(:remote_ip) { "66.0.0.1" }
+        describe '#credentials' do
+          subject { super().credentials }
+          it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"", :x_forwarded_for=>"66.0.0.1" }, username: login }) }
+        end
+      end
+    end
+
+    context "from logged-in RestClient::Resource" do
+      let (:authz_header) { %Q{Token token="#{token_encoded}"} }
+      let (:priv_header) { nil }
+      let (:forwarded_for_header) { nil }
+      let (:audit_roles_header) { nil }
+      let (:audit_resources_header) { nil }
+      let (:username) { 'bob' }
+      subject { resource.conjur_api }
+
+      shared_examples "it can clone itself" do
+        it "has the authz header" do
+          expect(subject.credentials[:headers][:authorization]).to eq(authz_header)
+        end
+        it "has the username" do
+          expect(subject.credentials[:username]).to eq(username)
+        end
+      end
+
+      let(:token_encoded) { Base64.strict_encode64(token.to_json) }
+      let(:base_headers) { { authorization: authz_header } }
+      let(:headers) { base_headers }
+      let(:resource) { RestClient::Resource.new("http://example.com", { headers: headers })}
+      context 'basic functioning' do
+        it_behaves_like 'it can clone itself'
+      end
+      
+      context "forwarded for" do
+        let(:forwarded_for_header) { "66.0.0.1" }
+        let(:headers) { base_headers.merge(x_forwarded_for: forwarded_for_header) }
+        it_behaves_like 'it can clone itself'
+      end
+    end
+  end
+
+  describe "#role_from_username", logged_in: true do
+    it "returns a user role when username is plain" do
+      expect(Conjur::API.role_from_username(api, "plain-username", account).id).to eq("#{account}:user:plain-username")
+    end
+
+    it "returns an appropriate role kind when username is qualified" do
+      expect(Conjur::API.role_from_username(api, "host/foo/bar", account).id).to eq("#{account}:host:foo/bar")
+    end
+  end
+
+  describe "#current_role", logged_in: true do
+    context "when logged in as user" do
+      let(:login) { 'joerandom' }
+      it "returns a user role" do
+        expect(api.current_role(account).id).to eq("#{account}:user:joerandom")
+      end
+    end
+
+    context "when logged in as host" do
+      let(:host) { "somehost" }
+      let(:login) { "host/#{host}" }
+      it "returns a host role" do
+        expect(api.current_role(account).id).to eq("#{account}:host:somehost")
+      end
+    end
+  end
+
+  describe 'url escapes' do
+    let(:urls){[
+        'foo/bar@baz',
+        '/test/some group with spaces'
+    ]}
+
+    describe '#fully_escape' do
+      let(:expected){[
+        'foo%2Fbar%40baz',
+        '%2Ftest%2Fsome%20group%20with%20spaces'
+      ]}
+      it 'escapes the urls correctly' do
+        expect(urls.map{|u| Conjur::API.fully_escape u}).to eq(expected)
+      end
+    end
+  end
+end

data/spec/cast_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe Conjur::Cast do
+  let!(:object) {
+    Object.new.tap do |obj|
+      class << obj
+        include Conjur::Cast
+      end
+    end
+  }
+
+  it 'String casts to itself' do
+    expect(object.send(:cast_to_id, "foo")).to eq("foo")
+  end
+  it 'Id casts to to_s' do
+    expect(object.send(:cast_to_id, "foo")).to eq("foo")
+  end
+  it 'Array casts via #join' do
+    expect(object.send(:cast_to_id, [ "foo", "bar" ])).to eq("foo:bar")
+  end
+end