conjur-api 4.31.0 → 5.0.0.rc1

data/ci/test.sh

@@ -1,9 +0,0 @@
-#!/bin/bash -e
-
-cd /src/conjur-api
-
-export CONJUR_AUTHN_LOGIN=admin
-export CONJUR_AUTHN_API_KEY=secret
-
-bundle
-bundle exec rake jenkins || true

data/features/audit_resources.feature

@@ -1,15 +0,0 @@
-Feature: audit with additional resources
-
-  Background:
-    Given I create the variable "$ns_foo"
-
-  Scenario: with one additional resource
-    When I create an api with the additional audit resource "webservice:ws1"
-    And I check to see if I'm permitted to "read" variable "$ns_foo"
-    Then an audit event for variable "$ns_foo" with action "check" and resource "webservice:ws1" is generated
-
-  Scenario: with more than one additional resource
-    When I create an api with the additional audit resources "webservice:ws1, webservice:ws2"
-    And I check to see if I'm permitted to "read" variable "$ns_foo"
-    Then an audit event for variable "$ns_foo" with action "check" and resources "webservice:ws1, webservice:ws2" is generated
-

data/features/audit_roles.feature

@@ -1,15 +0,0 @@
-Feature: audit with additional resources
-
-  Background:
-    Given I create the variable "$ns_foo"
-
-  Scenario: with one additional resource
-    When I create an api with the additional audit role "user:auditor1"
-    And I check to see if I'm permitted to "read" variable "$ns_foo"
-    Then an audit event for variable "$ns_foo" with action "check" and role "user:auditor1" is generated
-
-  Scenario: with more than one additional resource
-    When I create an api with the additional audit roles "user:auditor2,group:auditors"
-    And I check to see if I'm permitted to "read" variable "$ns_foo"
-    Then an audit event for variable "$ns_foo" with action "check" and roles "user:auditor2,group:auditors" is generated
-

data/features/bootstrap.feature

@@ -1,31 +0,0 @@
-Feature: conjur bootstrap
-
-	Background: Bootstrap
-		Given I bootstrap
-
-	Scenario: Expected resources exist
-		Then expressions "$conjur.group('security_admin').exists?" and "true" are equal
-		Then expressions "$conjur.group('auditors').exists?" and "true" are equal
-		Then expressions "$conjur.group('pubkeys-1.0/key-managers').exists?" and "true" are equal
-		Then expressions "$conjur.resource('webservice:conjur/authn-tv').exists?" and "true" are equal
-		Then expressions "$conjur.resource('webservice:conjur/policy-loader').exists?" and "true" are equal
-		Then expressions "$conjur.resource('webservice:conjur/policy-loader').ownerid" and "'cucumber:group:security_admin'" are equal
-		Then expressions "$conjur.host('conjur/policy-loader').exists?" and "true" are equal
-		Then expressions "$conjur.host('conjur/secrets-rotator').exists?" and "true" are equal
-		Then expressions "$conjur.host('conjur/ldap-sync').exists?" and "true" are equal
-		
-	Scenario: security_admin group has the expected members
-		Then expressions "$conjur.role('group:security_admin').members.map(&:member).map(&:roleid).sort.join(',')" and "'cucumber:host:conjur/authn-tv,cucumber:host:conjur/expiration,cucumber:host:conjur/ldap-sync,cucumber:host:conjur/policy-loader,cucumber:host:conjur/secrets-rotator,cucumber:user:admin'" are equal
-
-	Scenario: security_admin group can update public keys
-		Then expression "$conjur.resource('service:pubkeys-1.0/public-keys').permitted_roles('update')" includes "$conjur.group('security_admin').roleid"
-
-	Scenario: security_admin can 'elevate' and 'reveal'
-		Then expression "$conjur.resource('!:!:conjur').permitted_roles('elevate')" includes "$conjur.group('security_admin').roleid"
-		Then expression "$conjur.resource('!:!:conjur').permitted_roles('reveal')" includes "$conjur.group('security_admin').roleid"
-
-	Scenario: auditors can 'reveal'
-		Then expression "$conjur.resource('!:!:conjur').permitted_roles('reveal')" includes "$conjur.group('auditors').roleid"
-
-	Scenario: API keys are saved in variables
-		Then expression "$conjur.resources(kind: 'variable').map(&:resourceid)" includes "'cucumber:variable:conjur/hosts/conjur/secrets-rotator/api-key'"

data/features/step_definitions/cli_steps.rb

@@ -1,5 +0,0 @@
-Transform /\$ns/ do |s|
-  s.gsub('$ns', namespace)
-end
-
-

data/jenkins.sh

@@ -1,27 +0,0 @@
-#!/bin/bash -ex
-
-CONJUR_VERSION=${CONJUR_VERSION:-"4.9"}
-DOCKER_IMAGE=${DOCKER_IMAGE:-"registry.tld/conjur-appliance-cuke-master:$CONJUR_VERSION-stable"}
-NOKILL=${NOKILL:-"0"}
-PULL=${PULL:-"1"}
-
-if [ -z "$CONJUR_CONTAINER" ]; then
-	if [ "$PULL" == "1" ]; then
-	    docker pull $DOCKER_IMAGE
-	fi
-	
-	cid=$(docker run --privileged -d -v ${PWD}:/src/conjur-api $DOCKER_IMAGE)
-	function finish {
-    	if [ "$NOKILL" != "1" ]; then
-			docker rm -f ${cid}
-		fi
-	}
-	trap finish EXIT
-	
-	>&2 echo "Container id:"
-	>&2 echo $cid
-else
-	cid=${CONJUR_CONTAINER}
-fi
-
-docker exec -i ${cid} /src/conjur-api/ci/test.sh

data/lib/conjur/acts_as_asset.rb

@@ -1,88 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-  # A mixin used by Conjur asset classes such as {Conjur::User} and {Conjur::Group}.
-  module ActsAsAsset
-    include HasId
-    include Exists
-    include HasOwner
-    include ActsAsResource
-    include HasAttributes
-
-    # Add an internal grant on this asset's resource.  This method allows you to grant permissions on all members of
-    # a container asset (for example, all hosts in a layer) to the given role.  Currently this method
-    # is only useful for `layer` assets, and corresponds to the
-    # {http://developer.conjur.net/reference/services/directory/layer/hosts-permit.html `hosts permit`} CLI
-    # command.  In particular, to permit `'update'` on all hosts in a layer, `role_name` should be
-    # `'admin_host'`, and to permit `'execute'` it should be `'use_host'`.
-    #
-    # @example Allow group 'ops' to admin hosts in the 'dev/database' layer
-    #   ops = api.create_group 'ops'
-    #   dev_database = api.create_layer 'dev/database'
-    #
-    #   # Create and add a host to the databasees layer
-    #   host = api.create_host 'ec2/i-123ab23f'
-    #   dev_databases.add_host host
-    #
-    #   # Ops can't update the hosts
-    #   host.resource.permitted? 'update', acting_as: 'conjur:group:ops'
-    #   # => false
-    #
-    #   # Allow 'group:ops' to admin all hosts in the layer
-    #   layer.add_member 'admin_host', ops
-    #
-    #   # Now 'group:ops' is allowed to `'update'` the role.`
-    #   host.resource.permitted? 'update', acting_as: 'group:ops'
-    #   # => true
-    #
-    # @param [String] role_name name of the internal role to grant (for layers, it must be `'use_host'` or `'admin_host'`)
-    # @param [String, #roleid] member the role to receive the grant
-    # @param [Hash] options Unused, included for backwards compatibility
-    # @return [void]
-    def add_member(role_name, member, options = {})
-      owned_role(role_name).grant_to member, options
-    end
-
-    # Remove a grant created with {#add_member}.  When an internal grant has been created on this asset's resource
-    # with {#add_member}, you can remove it with this method.
-    #
-    # @see #add_member
-    # @param [String] role_name name of the internal grant role (for layers, it must be `'use_host'` or `'admin_host'`).
-    # @param [String, #roleid] member the role to remove
-    # @return [void]
-    def remove_member(role_name, member)
-      owned_role(role_name).revoke_from member
-    end
-    
-    protected
-
-    # Return the internal role for an add/remove member grant.
-    #
-    # @param [String] role_name the name of the internal role
-    # @return [Conjur::Role] the internal role
-    def owned_role(role_name)
-      tokens = [ resource_kind, resource_id, role_name ]
-      grant_role = [ core_conjur_account, '@', tokens.join('/') ].join(':')
-      require 'conjur/role'
-      Conjur::Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(grant_role).join('/')]
-    end
-  end
-end

data/lib/conjur/annotations.rb

@@ -1,186 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-require 'forwardable'
-
-module Conjur
-  # Conjur allows {http://developer.conjur.net/reference/services/authorization/resource Resource}
-  #   instances to be {http://developer.conjur.net/reference/services/authorization/resource/annotate.html annotated}
-  #   with arbitrary key-value data.  This data is generally for "user consumption", and it *is not* governed
-  #   by any particular schema or constraints.  Your applications can define their own schema for annotations they
-  #   use.  If you do so, we recommend prefixing your annotations, for example, `'myapp:Name'`, in order to avoid
-  #   conflict with annotations used, for example, by the Conjur  UI.
-  #
-  # An Annotations instance acts like a Hash: you can fetch an annotation
-  #   with {#[]} and update with {#[]=}, {#each} it, and {#merge!} to do bulk updates.
-  #
-  class Annotations
-    include Enumerable
-    include Conjur::Escape
-    # Create an `Annotations` instance for the given {Conjur::Resource}.
-    #
-    # Note that you will generally use the {Conjur::Resource#annotations} method to get
-    # the `Annotations` for a {Conjur::Resource}.
-    #
-    # @param resource [Conjur::Resource]
-    #
-    def initialize resource
-      @resource = resource
-    end
-    
-    # Get the value of the annotation with the given name
-    # @param [String,Symbol] name the annotation name, indifferent to whether it's
-    # a String or Symbol.
-    def [] name
-      annotations_hash[name.to_sym]
-    end
-    
-    # Set an annotation value.  This will perform an api call to set the annotation
-    #   on the server.
-    #
-    # @param [String, Symbol] name the annotation name
-    # @param [String] value the annotation value
-    #
-    # @return [String] the new annotation value
-    def []= name, value
-      update_annotation name.to_sym, value
-      value
-    end
-    
-    # Enumerate all annotations, yielding key,value pairs.
-    # @return [Conjur::Annotations] self
-    def each &blk
-      annotations_hash.each &blk
-      self
-    end
-
-    # Return a *copy* of the annotation values
-    #
-    # @example Changing values has no effectannotations_hash
-    #   resource.annotations.values ["Some Value"]
-    #   resource.annotations.values.each do |v|
-    #     v << "HI"
-    #   end
-    #   resource.annotations.values # => ["Some Value"]
-    #
-    #    # Notice that this is different from ordinary Hash behavior
-    #    h = {"Some Key" => "Some Value"}
-    #    h.values.each do |v|
-    #       v << "HI"
-    #    end
-    #    h.values # "Some ValueHI"
-    #
-    # @example Show the values of a resources annotations
-    #   resource.annotations # => {'Name' => 'The Best Resource EVAR',
-    #                        #  'Story' => 'The Coolest!' }
-    #   resource.annotations.values # => ['The Best Resource EVAR', 'The Coolest!']
-    #
-    # @return [Array<String>] the annotation values
-    def values
-      annotations_hash.values.map(&:dup)
-    end
-
-    # Return the annotation names.
-    #
-    # This has exactly the same behavior as {Hash#keys}, in that the
-    # returned keys are immutable, and modifications to the array have no
-    # effect.
-    #
-    # @return [Array<String, Symbol>] the annotation names
-    def keys
-      annotations_hash.keys
-    end
-    alias names keys
-
-    def to_a
-      to_h.to_a
-    end
-
-
-    # Set annotations from key,value pairs in `hash`.
-    #
-    # @note this is currently no more efficient than setting each
-    #   annotation with {#[]=}.
-    #
-    # @param [Hash, #each] hash
-    # @return [Conjur::Annotations] self
-    def merge! hash
-      hash.each do |k, v|
-        self[k] = v unless self[k] == v
-      end
-      self
-    end
-    
-    # Return a proper hash containing a **copy** of the annotations.  Note that
-    # updates to this hash have no effect on the actual annotations.
-    #
-    # @return [Hash]
-    def to_h
-      annotations_hash.dup
-    end
-
-    # Return the annotations hash as a string.  This method simply delegates to
-    # `Hash#to_s`.
-    #
-    # @return [String]
-    def to_s
-      annotations_hash.to_s
-    end
-
-    # Return an informative representation of the annotations, including
-    # the resource to which they're attached.  Suitable for debugging.
-    #
-    # @return [String]
-    def inspect
-      "<Annotations for #{@resource.resourceid}: #{to_s}>"
-    end
-    
-    protected
-    #@api private
-    # Update an annotation on the server.
-    # @param name [String]
-    # @param value [String, #to_s]
-    # @return [void]
-    def update_annotation name, value
-      @resource.invalidate do
-        @annotations_hash = nil
-        path = [@resource.account,'annotations', @resource.kind, @resource.identifier].map do |seg|
-          fully_escape(seg)
-        end.join('/')
-        RestClient::Resource.new(Conjur::Authz::API.host, @resource.options)[path].put name: name, value: value
-      end
-    end
-    # @api private
-    # Our internal {Hash} of annotations.  Lazily loaded.
-    def annotations_hash
-      @annotations_hash ||= fetch_annotations
-    end
-
-    # @api private
-    # Fetch the annotations from the server.
-    def fetch_annotations
-      {}.tap do |hash|
-        @resource.attributes['annotations'].each do |annotation|
-          hash[annotation['name'].to_sym] = annotation['value']
-        end
-      end
-    end
-  end
-end

data/lib/conjur/api/audit.rb

@@ -1,138 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-require 'conjur/event_source'
-module Conjur
-
-
-  class API
-    #@!group Audit Service
-
-    # Return up to 100 audit events visible to the current authorized role.
-    #
-    # An audit event is visible to a role if that role or one of it's ancestors is in the
-    #   event's `:roles` field, or the role has a privilege any of the event's `:resources` field.
-    #
-    # @param options [Hash]
-    # @option options [Time, nil] :till only show events before this time
-    # @option options [Time, nil] :since only show events after this time
-    # @option options [String, nil] :has_annotation only show events for resources with an annotation with this name
-    # @option options [Boolean] :follow block the current thread and call `block` with `Array` of
-    #   audit events as the occur.
-    #
-    # @see #audit_role
-    #
-    # @return [Array<Hash>] the audit events
-    def audit options={}, &block
-      audit_event_feed "", options, &block
-    end
-
-    # Return up to 100 audit events visible to the current role and related to the given role.
-    #
-    # See {#audit} for the conditions under which an event is visible to a role.
-    #
-    # An event is said to be "related to" a role iff the role is a member of the event's
-    # `:roles` field.
-    #
-    # @param role [Conjur::Role, String, #roleid] the role to audit (if a string is given, it must
-    #   be of the form `'account:kind:id'`).
-    # @param options [Hash]
-    # @option options [Time, nil] :till only show events before this time
-    # @option options [Time, nil] :since only show events after this time
-    # @option options [Boolean] :follow block the current thread and call `block` with `Array` of
-    #   audit events as the occur.
-    #
-    # @return [Array<Hash>] the audit events
-    def audit_role role, options={}, &block
-      audit_event_feed "roles/#{CGI.escape cast(role, :roleid)}", options, &block
-    end
-
-    # Return up to 100 audit events visible to the current role and related to the given resource.
-    #
-    # See {#audit} for the conditions under which an event is visible to a role.
-    #
-    # An event is said to be "related to" a role iff the role is a member of the event's
-    #   `:roles` field.
-    # @param resource [Conjur::Resource, String, #resourceid] the resource to audit (when a string is given, it must be
-    #   of the form `'account:kind:id'`).
-    # @param options [Hash]
-    # @option options [Time, nil] :till only show events before this time
-    # @option options [Time, nil] :since only show events after this time
-    # @option options [String, nil] :has_annotation only show events for resources with an annotation with this name
-    # @option options [Boolean] :follow block the current thread and call `block` with `Array` of
-    #   audit events as the occur.
-    #
-    # @return [Array<Hash>] the audit events
-    def audit_resource resource, options={}, &block
-      audit_event_feed "resources/#{CGI.escape cast(resource, :resourceid)}", options, &block
-    end
-
-    # Send custom audit event
-    # @param input [String|Hash|Array] event or array of events (optionally serialized to JSON)
-    def audit_send input 
-      json = if input.kind_of? String
-                input
-             elsif input.kind_of? Array or input.kind_of? Hash
-                input.to_json
-             else
-                raise ArgumentError, "Parameter should be either String, Hash or Array"
-             end
-      rest_api = RestClient::Resource.new(Conjur::Authz::API.host, credentials)["audit"]
-      rest_api.post json, content_type: "text/plain"
-    end
-    #@!endgroup
-
-    private
-    def audit_event_feed path, options={}, &block
-      query = options.slice(:since, :till, :has_annotation)
-      path << "?#{query.to_param}" unless query.empty? 
-      if options[:follow]
-        follow_events path, &block
-      else
-        parse_response(RestClient::Resource.new(Conjur::Audit::API.host, credentials)[path].get).tap do |events|
-          block.call(events) if block
-        end
-      end
-    end
-    
-    def follow_events path, &block
-      opts = credentials.dup.tap{|h| h[:headers][:accept] = "text/event-stream"}
-      block_response = lambda do |response|
-        response.error! unless response.code == "200"
-        es = EventSource.new
-        es.message{ |e| block[e.data] }
-        response.read_body do |chunk|
-          es.feed chunk
-        end
-      end
-      url = "#{Conjur::Audit::API.host}/#{path}"
-      RestClient::Request.execute(
-        url: url,
-        headers: opts[:headers],
-        method: :get,
-        block_response: block_response
-      )
-    end
-    
-    def parse_response response
-      JSON.parse response
-    end
-  end
-end

data/lib/conjur/api/deputies.rb

@@ -1,57 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/deputy'
-
-module Conjur
-  class API
-    #@!group Directory: Deputies
-
-    # @api internal
-    #
-    # Create a Conjur deputy.
-    #
-    # Deputies are used internally by Conjur services that need to perform
-    # actions as a particular role.  While the deputies API is stable,
-    # it isn't intended for use by end users.
-    #
-    # @param [Hash] options options for deputy creation
-    # @option options [String] :id the *unqualified* id for the new deputy.  If not present,
-    #   the deputy will be given a randomly generated id.
-    # @return [Conjur::Deputy] the new deputy
-    # @raise [RestClient::Conflict] if a deputy already exists with the given id.
-    def create_deputy options = {}
-      standard_create Conjur::Core::API.host, :deputy, nil, options
-    end
-
-    # @api internal
-    #
-    # Find a Conjur deputy by id.
-    # Deputies are used internally by Conjur services that need to perform
-    # actions as a particular role.  While the deputies API is stable,
-    # it isn't intended for use by end users.
-    #
-    # @param [String] id the deputy's *unqualified* id
-    # @return [Conjur::Deputy] the deputy, which may or may not exist.
-    def deputy id
-      standard_show Conjur::Core::API.host, :deputy, id
-    end
-  end
-end