conjur-api 4.31.0 → 5.0.0.rc1

data/features/variable_value.feature

@@ -0,0 +1,67 @@
+Feature: Work with Variable values.
+
+  Background:
+    Given I run the code:
+    """
+    @variable_id = "password"
+    $conjur.load_policy 'root', <<-POLICY
+    - !variable #{@variable_id}
+    - !variable #{@variable_id}-2
+    POLICY
+    @variable = $conjur.resource("cucumber:variable:#{@variable_id}")
+    @variable_2 = $conjur.resource("cucumber:variable:#{@variable_id}-2")
+    """
+
+  Scenario: Initially the variable has no values
+    When I run the code:
+    """
+    @variable.version_count
+    """
+    Then the result should be "0"
+
+  Scenario: Add a value, retrieve the variable metadata and the value.
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    """
+    When I run the code:
+    """
+    @variable.version_count
+    """
+    Then the result should be "1"
+    And I run the code:
+    """
+    @variable.value
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve a historical value.
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable.add_value 'value-1'
+    @variable.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    @variable.value(1)
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve multiple values in a batch
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable_2.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    $conjur.variable_values([ @variable, @variable_2 ].map(&:id))
+    """
+    Then the JSON should be:
+    """
+    {
+      "cucumber:variable:password": "value-0",
+      "cucumber:variable:password-2": "value-2"
+    }
+    """

data/lib/conjur/acts_as_resource.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,89 +19,119 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 
-require 'active_support/dependencies/autoload'
-require 'active_support/core_ext'
-
 module Conjur
-
-  # This module is included in asset classes that have an associated resource.
+  # This module is included in object classes that have resource behavior.
   module ActsAsResource
-    # Return the {Conjur::Resource} associated with this asset.
-    #
-    # @return [Conjur::Resource] the resource associated with this asset
-    def resource
-      require 'conjur/resource'
-      # NOTE: should we use specific class to build sub-url below?
-      Conjur::Resource.new(Conjur::Authz::API.host, self.options)[[ core_conjur_account, 'resources', path_escape(resource_kind), path_escape(resource_id) ].join('/')]
+    # @api private
+    def self.included(base)
+      base.include HasAttributes
+      base.include Escape
+      base.extend QueryString
     end
 
-    # Return the *qualified* id of the resource associated with this asset.
+    # The full role id of the role that owns this resource.
     #
-    # @return [String] the qualified id of the resource associated with this asset.
-    def resourceid
-      [ core_conjur_account, resource_kind, resource_id ].join(':')
-    end
-
-    # The kind of resource underlying the asset.  The kind is the second token in
-    # a Conjur id like `"account:kind:id"`.
+    # @example
+    #   api.current_role # => 'conjur:user:jon'
+    #   resource = api.create_resource 'conjur:example:resource-owner'
+    #   resource.owner # => 'conjur:user:jon'
     #
-    # @see Conjur:Resource#kind
-    # @return [String] the resource kind for the underlying resource
-    def resource_kind
-      self.class.name.split("::")[-1].underscore.split('/').join('-')
+    # @return [String] the full role id of this resource's owner.
+    def owner
+      build_object attributes['owner'], default_class: Role
     end
 
-    # @api private
+    # Check whether this object exists by performing a HEAD request to its URL.
     #
-    # Confusingly, this method returns the *unqualified* resource id, as opposed to the *qualified*
-    # resource id returned by {#resourceid}.
+    # This method will return false if the object doesn't exist.
     #
-    # @return [String] the *unqualified* resource id.
-    def resource_id
-      id
-    end
-
-    # @api private
-    # Delete a resource
-    # This doesn't typically work ;-)
-    # @return [void]
-    def delete
-      resource.delete
-      super
+    # @example
+    #   does_not_exist = api.user 'does-not-exist' # This returns without error.
+    #
+    #   # this is wrong!
+    #   owner = does_not_exist.owner # raises RestClient::ResourceNotFound
+    #
+    #   # this is right!
+    #   owner = if does_not_exist.exists?
+    #     does_not_exist.owner
+    #   else
+    #     nil # or some sensible default
+    #   end
+    #
+    # @return [Boolean] does it exist?
+    def exists?
+      begin
+        rbac_resource_resource.head
+        true
+      rescue RestClient::Forbidden
+        true
+      rescue RestClient::ResourceNotFound
+        false
+      end
     end
 
-    # Permit `role` to perform `privilege` on this resource.  A
-    # {http://developer.conjur.net/reference/services/authorization/permission.html permission} represents an ability
-    # to perform certain (application defined) actions on this resource.
+    # Lists roles that have a specified privilege on the resource. 
+    #
+    # This will return only roles of which api.current_user is a member.
     #
-    # This method is equivalent to calling `resource.permit`.
+    # Options:
     #
-    # @example Allow a group and its members to get the value of a Conjur variable
-    #   group = api.group 'some-project/developers'
-    #   variable = api.variable 'some-project/development/postgres-uri'
-    #   variable.permit 'execute', group
+    # * **offset** Zero-based offset into the result set.
+    # * **limit**  Total number of records returned.
     #
-    # @see Conjur::Resource#permit
-    # @param [String] privilege the privilege to grant
-    # @param [String, #roleid] role the role to which the privilege is granted
-    # @param options [Hash, nil] options to pass through to `RestClient::Resource#post`
-    # @return [void]
-    # @raise [RestClient::Forbidden] if you don't have permission to perform this operation.
-    def permit(privilege, role, options = {})
-      resource.permit privilege, role, options
+    # @example
+    #   resource = api.resource 'conjur:variable:example'
+    #   resource.permitted_roles 'execute' # => ['conjur:user:admin']
+    #   # After permitting 'execute' to user 'jon'
+    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:user:jon']
+    #
+    # @param privilege [String] the privilege
+    # @return [Array<String>] the ids of roles that have `privilege` on this resource.
+    def permitted_roles privilege
+      options = {}
+      options[:permitted_roles] = true
+      options[:privilege] = privilege
+      result = JSON.parse rbac_resource_resource[options_querystring options].get
+      if result.is_a?(Hash) && ( count = result['count'] )
+        count
+      else
+        result
+      end
     end
 
-
-    # Deny `role` permission to perform actions corresponding to `privilege` on the underlying resource.
+    # True if the logged-in role, or a role specified using the :role option, has the
+    # specified +privilege+ on this resource.
     #
-    # @see Conjur::Resource#deny
-    # @param privilege [String, #each] A permission name or an `Enumerable` of permissions to deny.  In the
-    #   later, all permissions will be denied.
-    # @param role [String, :roleid] A full role id or a role-ish object whose permissions we will deny.
+    # @example
+    #   api.current_role # => 'conjur:cat:mouse'
+    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:cat:mouse']
+    #   resource.permitted_roles 'update', # => ['conjur:user:admin', 'conjur:cat:gino']
     #
-    # @return [void]
-    def deny(privilege, role)
-      resource.deny privilege, role
+    #   resource.permitted? 'update' # => false, `mouse` can't update this resource
+    #   resource.permitted? 'execute' # => true, `mouse` can execute it.
+    #   resource.permitted? 'update', role: 'conjur:cat:gino' # => true, `gino` can update it.
+    # @param privilege [String] the privilege to check
+    # @param role [String,nil] :role check whether the role given by this full role id is permitted
+    #   instead of checking +api.current_role+.
+    # @return [Boolean]
+    def permitted? privilege, role: nil
+      options = {}
+      options[:check] = true
+      options[:privilege] = privilege
+      options[:role] = cast_to_id(role) if role
+      rbac_resource_resource[options_querystring options].get
+      true
+    rescue RestClient::Forbidden
+      false
+    rescue RestClient::ResourceNotFound
+      false
+    end
+
+    private
+    
+    # RestClient::Resource for RBAC resource operations.
+    def rbac_resource_resource
+      RestClient::Resource.new(Conjur.configuration.core_url, credentials)['resources'][id.to_url_path]
     end
   end
 end

data/lib/conjur/acts_as_role.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -29,69 +29,120 @@ module Conjur
   # The {Conjur::ActsAsRole} module itself should be considered private, but it's methods are
   # public when added to a Conjur asset class.
   module ActsAsRole
-
-    # The qualified identifier for the role associated with this asset.  A *qualified* identifier
-    # prepends the asset's account and kind, for example, a {Conjur::User} with login `'bob'` in a
-    # system with organizational account `'conjur'` would have a `roleid` of `'conjur:user:bob'`
-    #
-    # @return [String] the qualified role id
-    def roleid
-      [ core_conjur_account, role_kind, id ].join(':')
+    
+    # Login name of the role. This is formed from the role kind and role id.
+    # For users, the role kind can be omitted.
+    def login
+      [ kind, identifier ].delete_if{|t| t == "user"}.join('/')
     end
-    alias role_id roleid
 
-    # The `kind` of a role.  This may be any value, but standard ones correspond to various high level
-    # Conjur assets, for example, `'user'`, `'group'`, or `'variable'`.
+    # Check whether this object exists by performing a HEAD request to its URL.
     #
-    # Note that this method derives the role kind from the asset's class name.
+    # This method will return false if the object doesn't exist.
     #
-    # @return [String] the role kind
-    def role_kind
-      self.class.name.split('::')[-1].underscore
-    end
-
-    # Get a {Conjur::Role} instance corresponding to the `role` associated with this asset.
-    def role
-      require 'conjur/role'
-      Conjur::Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(self.roleid).join('/')]
+    # @example
+    #   does_not_exist = api.user 'does-not-exist' # This returns without error.
+    #
+    #   # this is wrong!
+    #   owner = does_not_exist.members # raises RestClient::ResourceNotFound
+    #
+    #   # this is right!
+    #   owner = if does_not_exist.exists?
+    #     does_not_exist.members
+    #   else
+    #     nil # or some sensible default
+    #   end
+    #
+    # @return [Boolean] does it exist?
+    def exists?
+      begin
+        rbac_role_resource.head
+        true
+      rescue RestClient::Forbidden
+        true
+      rescue RestClient::ResourceNotFound
+        false
+      end
     end
 
-    # Permit the asset to perform `privilege` on `resource`.  You can also use this method to control whether the role
-    # is able to grant the privilege on the resource to other roles by passing a `:grant_option` option.
-    #
-    # This method is primarily intended for use in the
-    # {http://developer.conjur.net/reference/tools/utilities/policy-load.html Conjur Policy DSL},
-    # and simply delegates to {Conjur::Resource#permit}.  For code clarity, you might consider using
-    # that method instead.
+    # Find all roles of which this role is a member.  By default, role relationships are recursively expanded,
+    # so if `a` is a member of `b`, and `b` is a member of `c`, `a.all` will include `c`.
     #
     # ### Permissions
+    # You must be a member of the role to call this method.
     #
-    # To call this method, you must *own* the resource, or have the privilege on it with grant option set to true.
+    # You can restrict the roles returned to one or more role ids.  This feature is mainly useful
+    # for checking whether this role is a member of any of a set of roles.
     #
-    # @api dsl
-    # @param [String] privilege the privilege to allow this role to perform, e.g. `'execute'` or `'update'`
-    # @param [Conjur::Resource, #resource_id, String] resource the resource to grant `privilege` on.
-    # @param [Hash] options Options to pass through to RestClient::Resource#post
-    # @option options [Boolean] :grant_option whether this role will be able to grant the privilege to other roles.
-    # @return [void]
-    def can(privilege, resource, options = {})
-      require 'conjur/resource'
-      Conjur::Resource.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_resource_id(resource).join('/')].permit privilege, self.roleid, options
-    end
-
-    # Deny the asset's role the ability to perform `privilege` on `resource`.  This operation is the inverse of {#can}.
+    # ### Options
     #
-    # This method is primarily intended for use in the
-    # {http://developer.conjur.net/reference/tools/utilities/policy-load.html Conjur Policy DSL},
-    # and simply delegates to {Conjur::Resource#permit}.  For code clarity, you might consider using
-    # that method instead.
+    # * **recursive** Defaults to +true+, performs recursive expansion of the memberships.
     #
-    # @see Conjur::Resource#deny
+    # @example Show all roles of which `"conjur:group:pubkeys-1.0/key-managers"` is a member
+    #   # Add alice to the group, so we see something interesting
+    #   key_managers = api.group('pubkeys-1.0/key-managers')
+    #   key_managers.add_member api.user('alice')
     #
-    # @api dsl
-    def cannot(privilege, resource, options = {})
-      require 'conjur/resource'
-      Conjur::Resource.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_resource_id(resource).join('/')].deny privilege, self.roleid
+    #   # Show the memberships, mapped to the member ids.
+    #   key_managers.role.all.map(&:id)
+    #   # => ["conjur:group:pubkeys-1.0/admin", "conjur:user:alice"]
+    #
+    # @example See if role `"conjur:user:alice"` is a member of either `"conjur:groups:developers"` or `"conjur:group:ops"`
+    #   is_member = api.role('conjur:user:alice').all(filter: ['conjur:group:developers', 'conjur:group:ops']).any?
+    #
+    # @param [Hash] options options for the request
+    # @return [Array<Conjur::Role>] Roles of which this role is a member
+    def memberships options = {}
+      request = if options.delete(:recursive) == false
+        options["memberships"] = true
+      else
+        options["all"] = true
+      end
+      if filter = options.delete(:filter)
+        filter = [filter] unless filter.is_a?(Array)
+        options["filter"] = filter.map{ |obj| cast_to_id(obj) }
+      end
+
+      result = JSON.parse(rbac_role_resource[options_querystring options].get)
+      if result.is_a?(Hash) && ( count = result['count'] )
+        count
+      else
+        host = Conjur.configuration.core_url
+        result.collect do |item|
+          if item.is_a?(String)
+            build_object(item, default_class: Role)
+          else
+            RoleGrant.parse_from_json(item, self.options)
+          end
+        end
+      end
+    end
+    
+    # Fetch the direct members of this role. The results are *not* recursively expanded).
+    #
+    # ### Permissions
+    # You must be a member of the role to call this method.
+    # 
+    # @param options [Hash, nil] extra parameters to pass to the webservice method.
+    # @return [Array<Conjur::RoleGrant>] the role memberships
+    # @raise [RestClient::Forbidden] if you don't have permission to perform this operation
+    def members options = {}
+      options["members"] = true
+      result = JSON.parse(rbac_role_resource[options_querystring options].get)
+      if result.is_a?(Hash) && ( count = result['count'] )
+        count
+      else
+        result['members'].collect do |json|
+          RoleGrant.parse_from_json(json, credentials)
+        end
+      end
+    end
+
+    private
+
+    # RestClient::Resource for RBAC role operations.
+    def rbac_role_resource
+      RestClient::Resource.new(Conjur.configuration.core_url, credentials)['roles'][id.to_url_path]
     end
   end
 end

data/lib/conjur/{audit-api.rb → acts_as_rolsource.rb}

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -18,19 +18,15 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-
 module Conjur
-  module Audit
-    class API < Conjur::API
-      class << self
-        # The URL for the audit service
-        #
-        # @return [String] the audit service url.
-        def host
-          Conjur.configuration.audit_url
-        end
-      end
+
+  # This module provides methods for things that have an associated {Conjur::Role} and
+  # {Conjur::Resource}.
+  module ActsAsRolsource
+    # @api private
+    def self.included(base)
+      base.include ActsAsRole
+      base.include ActsAsResource
     end
   end
-end
-require 'conjur/api/audit'
+end

data/lib/conjur/acts_as_user.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013-2015 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -22,17 +22,20 @@ module Conjur
   # This module provides methods for things that are like users (specifically, those that have
   # api keys).
   module ActsAsUser
-    include ActsAsRole
+    # @api private
+    def self.included(base)
+      base.include ActsAsRolsource
+    end
 
     # Returns a newly created user's api_key.
     #
-    # @note this method can only be called on newly created user-like things (those returned from, for example,)
-    #   {Conjur::API#create_user}.
+    # @note The API key is not returned by {API#resource}. It is only available
+    # via {API#login}, when the object is newly created, and when the API key is rotated.
     #
     # @return [String] the api key
     # @raise [Exception] when the object isn't newly created.
     def api_key
-      attributes['api_key'] or raise "api_key is only available on a newly created #{self.class.name.downcase}"
+      attributes['api_key'] or raise "api_key is only available on a newly created #{kind}"
     end
 
     # Create an api logged in as this user-like thing.
@@ -41,34 +44,22 @@ module Conjur
     # @see #api_key
     # @return [Conjur::API] an api logged in as this user-like thing.
     def api
-      Conjur::API.new_from_key login, api_key
+      Conjur::API.new_from_key login, api_key, account: account
     end
 
-    # Rotate this user's API key.  You must have `update` permission on the user to do so.
+    # Rotate this role's API key. You must have `update` permission on the user to do so.
     #
     # @note You will not be able to access the API key returned by this method later, so you should
     #   probably hang onto it it.
     #
-    # @note You cannot rotate your own API key with this method.  To do so, use `Conjur::API.rotate_api_key`
+    # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`
     #
     # @note This feature requires a Conjur appliance running version 4.6 or higher.
     #
     # @return [String] the new API key for this user.
     def rotate_api_key
-      path = "users/api_key?id=#{fully_escape login}"
-      RestClient::Resource.new(Conjur::Authn::API.host, options)[path].put('').body
-    end
-
-    # Set login network restrictions for the user.
-    #
-    # @param [Array<String, IPAddr>] networks which allow logging in. Set to empty to remove restrictions
-    def set_cidr_restrictions networks
-      authn_user = RestClient::Resource.new(Conjur::Authn::API.host, options)\
-          ["users?id=#{fully_escape login}"]
-
-      # we need use JSON here to be able to PUT an empty array
-      params = { cidr: [*networks].map(&CIDR.method(:validate)).map(&:to_s) }
-      authn_user.put params.to_json, content_type: :json
+      path = "authn/#{path_escape account}/api_key?role=#{id}"
+      core_resource[path].put('').body
     end
   end
 end