conjur-api 4.31.0 → 5.0.0.rc1

data/lib/conjur/base.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013-2016 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,19 +19,16 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 require 'rest-client'
+require 'active_support'
+require 'active_support/core_ext'
 require 'json'
 require 'base64'
 
 require 'conjur/query_string'
-require 'conjur/exists'
 require 'conjur/has_attributes'
-require 'conjur/has_owner'
-require 'conjur/path_based'
 require 'conjur/escape'
 require 'conjur/log'
 require 'conjur/log_source'
-require 'conjur/standard_methods'
-require 'conjur/cast'
 
 module Conjur
   # NOTE: You have to put all 'class level' api docs here, because YARD is stoopid :-(
@@ -40,55 +37,8 @@ module Conjur
   class API
     include Escape
     include LogSource
-    include StandardMethods
-    include Cast
 
     class << self
-      # @api private
-      # Parse a role id into [ account, 'roles', kind, id ]
-      def parse_role_id(id)
-        id = id.role if id.respond_to?(:role)
-        if id.is_a?(Role)
-          [ id.account, 'roles', id.kind, id.identifier ]
-        elsif id.respond_to?(:role_kind)
-          [ Conjur::Core::API.conjur_account, 'roles', id.role_kind, id.identifier ]
-        else
-          parse_id id, 'roles'
-        end
-      end
-
-      # @api private
-      # Parse a resource id into [ account, 'resources', kind, id ]
-      def parse_resource_id(id)
-        id = id.resource if id.respond_to?(:resource)
-        if id.is_a?(Resource)
-          [ id.account, 'resources', id.kind, id.identifier ]
-        elsif id.respond_to?(:resource_kind)
-          [ Conjur::Core::API.conjur_account, 'resources', id.resource_kind, id.resource_id ]
-        else
-          parse_id id, 'resources'
-        end
-      end
-    
-      # @api private
-      # Converts flat id into path components, with mixed-in "super-kind"
-      #                                     (not that kind which is part of id)
-      # NOTE: name is a bit confusing, as result of 'parse' is just recombined
-      #       representation of parts, not an object of higher abstraction level
-      def parse_id(id, kind)
-        # Structured IDs (hashes) are no more supported
-        raise "Unexpected class #{id.class} for #{id}" unless id.is_a?(String)
-        paths = path_escape(id).split(':')
-        if paths.size < 2
-          raise "Expecting at least two tokens in #{id}"
-        elsif paths.size == 2
-          paths.unshift Conjur::Core::API.conjur_account
-        end
-        # I would strongly recommend to encapsulate this into object 
-        [ paths[0], kind, paths[1], paths[2..-1].join(':') ]
-      end
-
-
       # Create a new {Conjur::API} instance from a username and a password or api key.
       #
       # @example Create an API with valid credentials
@@ -103,16 +53,15 @@ module Conjur
       # @param [String] username the username to use when making authenticated requests.
       # @param [String] api_key the api key or password for `username`
       # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @param [String] account The organization account.
       # @return [Conjur::API] an api that will authenticate with the given username and api key.
-      def new_from_key(username, api_key, remote_ip = nil)
-        self.new.init_from_key username, api_key, remote_ip
+      def new_from_key username, api_key, remote_ip: nil, account: Conjur.configuration.account
+        self.new.init_from_key username, api_key, remote_ip: remote_ip, account: account
       end
 
-
-      # Create a new {Conjur::API} instance from a token issued by the
-      # {http://developer.conjur.net/reference/services/authentication Conjur authentication service}
+      # Create a new {Conjur::API} instance from an access token.
       #
-      # Generally, you will have a Conjur identitiy (username and api key), and create an {Conjur::API} instance
+      # Generally, you will have a Conjur identitiy (username and API key), and create an {Conjur::API} instance
       # for the identity using {.new_from_key}.  This method is useful when you are performing authorization checks
       # given a token.  For example, a Conjur gateway that requires you to prove that you can 'read' a resource named
       # 'super-secret' might get the token from a request header, create an {Conjur::API} instance with this method,
@@ -134,8 +83,8 @@ module Conjur
       # @param [Hash] token the authentication token as parsed JSON to use when making authenticated requests
       # @param [String] remote_ip the optional IP address to be recorded in the audit record.
       # @return [Conjur::API] an api that will authenticate with the token
-      def new_from_token(token, remote_ip = nil)
-        self.new.init_from_token token, remote_ip
+      def new_from_token token, remote_ip: nil
+        self.new.init_from_token token, remote_ip: remote_ip
       end
 
       # Create a new {Conjur::API} instance from a file containing a token issued by the
@@ -149,18 +98,9 @@ module Conjur
       # @param [String] token_file the file path containing an authentication token as parsed JSON.
       # @param [String] remote_ip the optional IP address to be recorded in the audit record.
       # @return [Conjur::API] an api that will authenticate with the tokens provided in the file.
-      def new_from_token_file(token_file, remote_ip = nil)
-        self.new.init_from_token_file token_file, remote_ip
-      end
-      
-      def encode_audit_ids(ids)
-        ids.collect{|id| CGI::escape(id)}.join('&')
-      end
-
-      def decode_audit_ids(ids)
-        ids.split('&').collect{|id| CGI::unescape(id)}
+      def new_from_token_file token_file, remote_ip: nil
+        self.new.init_from_token_file token_file, remote_ip: remote_ip
       end
-
     end
 
     #@!attribute [r] api_key
@@ -173,37 +113,14 @@ module Conjur
     # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
     attr_reader :remote_ip
 
-    #@!attribute [rw] privilege
-    # The optional global privilege (e.g. 'elevate' or 'reveal') which should be attempted on the request.
-    attr_accessor :privilege
-
-    #@!attribute [rw] audit_roles
-    # An array of role ids that should be included in any audit
-    # records generated by requsts made by this instance of the api.
-    attr_accessor :audit_roles
-
-    #@!attribute [rw] audit_resources
-    # An array of resource ids that should be included in any audit
-    # records generated by requsts made by this instance of the api.
-    attr_accessor :audit_resources
-
     # The name of the user as which this api instance is authenticated.  This is available whether the api
     # instance was created from credentials or an authentication token.
     #
     # @return [String] the login of the current user.
     def username
-      @username || @token['data']
+      @username || token['data']
     end
     
-    # Perform all commands in Conjur::Bootstrap::Command.
-    def bootstrap listener
-        Conjur::Bootstrap::Command.constants.map{|c| Conjur::Bootstrap::Command.const_get(c)}.each do |cls|
-        next unless cls.is_a?(Class)
-        next unless cls.superclass == Conjur::Bootstrap::Command::Base
-        cls.new(self, listener).perform
-      end
-    end
-
     # @api private
     # used to delegate to host providing subclasses.
     # @return [String] the host
@@ -227,43 +144,14 @@ module Conjur
     #
     # @return [Hash] the options.
     # @raise [RestClient::Unauthorized] if fetching the token fails.
-    # @see {#token}
     def credentials
       headers = {}.tap do |h|
         h[:authorization] = "Token token=\"#{Base64.strict_encode64 token.to_json}\""
-        h[:x_conjur_privilege] = @privilege if @privilege
         h[:x_forwarded_for] = @remote_ip if @remote_ip
-        h[:conjur_audit_roles] = Conjur::API.encode_audit_ids(@audit_roles) if @audit_roles
-        h[:conjur_audit_resources] = Conjur::API.encode_audit_ids(@audit_resources) if @audit_resources
       end
       { headers: headers, username: username }
     end
 
-    # Return a new API object with the specified X-Conjur-Privilege.
-    # 
-    # @return The API instance.
-    def with_privilege privilege
-      self.clone.tap do |api|
-        api.privilege = privilege
-      end
-    end
-
-    def with_audit_roles role_ids
-      role_ids = Array(role_ids)
-      self.clone.tap do |api|
-        # Ensure that all role ids are fully qualified
-        api.audit_roles = role_ids.collect { |id| api.role(id).roleid }
-      end
-    end
-
-    def with_audit_resources resource_ids
-      resource_ids = Array(resource_ids)
-      self.clone.tap do |api|
-        # Ensure that all resource ids are fully qualified
-        api.audit_resources = resource_ids.collect { |id| api.resource(id).resourceid }
-      end
-    end
-
     module MonotonicTime
       def monotonic_time
         Process.clock_gettime Process::CLOCK_MONOTONIC
@@ -297,16 +185,17 @@ module Conjur
     class APIKeyAuthenticator
       include TokenExpiration
 
-      attr_reader :username, :api_key
+      attr_reader :account, :username, :api_key
 
-      def initialize username, api_key
+      def initialize account, username, api_key
+        @account = account
         @username = username
         @api_key = api_key
         update_token_born
       end
 
       def refresh_token
-        Conjur::API.authenticate(username, api_key).tap do
+        Conjur::API.authenticate(username, api_key, account: account).tap do
           update_token_born
         end
       end
@@ -366,22 +255,22 @@ module Conjur
       end
     end
 
-    def init_from_key username, api_key, remote_ip = nil
+    def init_from_key username, api_key, remote_ip: nil, account: Conjur.configuration.account
       @username = username
       @api_key = api_key
       @remote_ip = remote_ip
-      @authenticator = APIKeyAuthenticator.new(username, api_key)
+      @authenticator = APIKeyAuthenticator.new(account, username, api_key)
       self
     end
 
-    def init_from_token token, remote_ip = nil
+    def init_from_token token, remote_ip: nil
       @token = token
       @remote_ip = remote_ip
       @authenticator = UnableAuthenticator.new
       self
     end
 
-    def init_from_token_file token_file, remote_ip = nil
+    def init_from_token_file token_file, remote_ip: nil
       @remote_ip = remote_ip
       @authenticator = TokenFileAuthenticator.new(token_file)
       self

data/lib/conjur/base_object.rb

@@ -0,0 +1,57 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/cast'
+
+module Conjur
+  class BaseObject
+    include Cast
+    include QueryString
+    include LogSource
+    include BuildObject
+    
+    attr_reader :id, :credentials
+    
+    def initialize id, credentials
+      @id = cast_to_id(id)
+      @credentials = credentials
+    end
+
+    def as_json options={}
+      {
+        id: id.to_s
+      }
+    end
+
+    def account; id.account; end
+    def kind; id.kind; end
+    def identifier; id.identifier; end
+    
+    def username
+      credentials[:username] or raise "No username found in credentials"
+    end
+    
+    protected
+
+    def core_resource
+      RestClient::Resource.new(Conjur.configuration.core_url, credentials)
+    end
+  end
+end

data/lib/conjur/{authn-api.rb → build_object.rb}

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -18,20 +18,32 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+require 'conjur/cast'
+
 module Conjur
-  module Authn
-    class API < Conjur::API
-      class << self
+  module BuildObject
+    def self.included base
+      base.module_eval do
+        extend Cast
+        extend ClassMethods
+      end
+    end
 
-        # The URL for the audit service
-        #
-        # @return [String] the audit service url.
-        def host
-          Conjur.configuration.authn_url
+    module ClassMethods
+      def build_object id, credentials, default_class:
+        id = cast_to_id(id)
+        class_name = id.kind.classify.to_sym
+        cls = if Conjur.constants.member?(class_name)
+          Conjur.const_get(class_name)
+        else
+          default_class
         end
+        cls.new(id, credentials)
       end
     end
+
+    def build_object id, default_class: Resource
+      self.class.build_object id, credentials, default_class: default_class
+    end
   end
 end
-
-require 'conjur/api/authn'

data/lib/conjur/cast.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -18,29 +18,24 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+
 module Conjur
   module Cast
     protected
 
     # Convert a value to a role or resource identifier.
     #
-    # @param [String, Array, #roleid, #resourceid] obj the value to cast
-    # @param [Symbol] kind must be either `:roleid` or `:resourceid`
-    def cast(obj, kind)
-      case kind
-      when :roleid, :resourceid
-        if obj.is_a?(String)
-          obj
-        elsif obj.is_a?(Array)
-          obj.join(':')
-        elsif obj.respond_to?(kind)
-          obj.send(kind)
-        else
-          raise "I don't know how to cast a #{obj.class} to a #{kind}"
-        end
+    # @param obj the value to cast
+    def cast_to_id obj
+      result =if obj.is_a?(String) || obj.is_a?(Id)
+        obj
+      elsif obj.is_a?(Array)
+        obj.join(':')
       else
-        raise "I don't know how to convert things to a #{kind}"
+        raise "I don't know how to cast a #{obj.class} to an id"
       end
+      result = Id.new(result) unless result.is_a?(Id)
+      result
     end
   end
-end
+end

data/lib/conjur/cert_utils.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2015 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in

data/lib/conjur/cidr.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2015 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in

data/lib/conjur/configuration.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013-2015 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -287,53 +287,31 @@ module Conjur
     end
 
     # @!attribute authn_url
+    #
     # The url for the {http://developer.conjur.net/reference/services/authentication Conjur authentication service}.
     #
-    # @note You should not generally set this value.  Instead, Conjur will derive it from the
-    #   {Conjur::Configuration#account} and {Conjur::Configuration#appliance_url}
-    #   properties.
+    # By default, this will be built from the +appliance_url+. To use a custom authenticator, 
+    # set this option in code or set `CONJUR_AUTHN_URL`. 
+    #
     #
     # @return [String] the authentication service url
     add_option :authn_url do
-      account_service_url 'authn', 0
-    end
-
-    # @!attribute authz_url
-    # The url for the {http://developer.conjur.net/reference/services/authorization Conjur authorization service}.
-    #
-    # @note You should not generally set this value.  Instead, Conjur will derive it from the
-    #   {Conjur::Configuration#account} and {Conjur::Configuration#appliance_url}
-    #   properties.
-    #
-    # @return [String] the authorization service url
-    add_option :authz_url do
-      global_service_url  'authz', 100
+      global_service_url 0, service_name: 'authn'
     end
 
     # @!attribute core_url
-    # The url for the {http://developer.conjur.net/reference/services/directory Conjur core/directory service}.
+    #
+    # The url for the core Conjur services.
     #
     # @note You should not generally set this value.  Instead, Conjur will derive it from the
     #   {Conjur::Configuration#account} and {Conjur::Configuration#appliance_url}
     #   properties.
     #
-    # @return [String] the core/directory service url
+    # @return [String] the base service url
     add_option :core_url do
-      default_service_url 'core', 200
+      global_service_url 0
     end
 
-    # @!attribute audit_url
-    # The url for the {http://developer.conjur.net/reference/services/audit Conjur audit service}.
-    #
-    # @note You should not generally set this value.  Instead, Conjur will derive it from the
-    #   {Conjur::Configuration#account} and {Conjur::Configuration#appliance_url}
-    #   properties.
-    #
-    # @return [String] the audit service url
-    add_option :audit_url do
-      global_service_url  'audit', 300
-    end    
-
     # @!attribute appliance_url
     # The url for your Conjur appliance.
     #
@@ -368,28 +346,6 @@ module Conjur
     # @return [String]
     add_option :account, required: true
 
-
-    # @!attribute env
-    #
-    # The type of environment your program is running in (e.g., `development`, `production`, `test`).
-    #
-    # @deprecated
-    #
-    # @return [String] the environment name
-    add_option :env do
-      ENV['CONJUR_ENV'] || ENV['RAILS_ENV'] || ENV['RACK_ENV'] || "production"
-    end
-
-    # DEPRECATED SaaS option, do not doc comment!
-    add_option :stack do
-      case env
-      when "production"
-        "v4"
-      else
-        env
-      end
-    end
-
     # @!attribute cert_file
     #
     # Path to the certificate file to use when making secure connections to your Conjur appliance.
@@ -413,8 +369,6 @@ module Conjur
     # @see cert_file
     add_option :ssl_certificate
 
-
-
     # Add the certificate configured by the {#ssl_certificate} and {#cert_file} options to the certificate
     # store used by Conjur clients.
     #
@@ -440,44 +394,13 @@ module Conjur
 
     private
 
-    def global_service_url(service_name, service_port_offset)
-      if appliance_url
-        URI.join(appliance_url + '/', service_name).to_s
-      else
-        case env
-        when 'test', 'development', 'appliance'
-          "http://localhost:#{service_base_port + service_port_offset}"
-        else
-          "https://#{herokuize service_name}-#{stack}-conjur.herokuapp.com"
-        end
-      end
-    end
-    
-    def account_service_url(service_name, service_port_offset)
-      if appliance_url
-        URI.join(appliance_url + '/', service_name).to_s
-      else
-        case env
-        when 'test', 'development', 'appliance'
-          "http://localhost:#{service_base_port + service_port_offset}"
-        else
-          "https://#{herokuize service_name}-#{account}-conjur.herokuapp.com"
-        end
-      end
-    end
-    
-    def default_service_url(service_name, service_port_offset)
+    def global_service_url service_port_offset, service_name: nil
       if appliance_url
-        appliance_url
+        URI.join([appliance_url, service_name].compact.join('/')).to_s
       else
-        account_service_url(service_name, service_port_offset)
+        "http://localhost:#{service_base_port + service_port_offset}"
       end
     end
-    
-    # Heroku: Name must start with a letter and can only contain lowercase letters, numbers, and dashes.
-    def herokuize name
-      name.downcase.gsub(/[^a-z0-9\-]/, '-')
-    end
 
     def ensure_cert_readable!(path)
       # Try to open the file to make sure it exists and that it's
@@ -485,6 +408,5 @@ module Conjur
       # propagate.
       File.open(path) {}
     end
-
   end
 end

data/lib/conjur/escape.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -87,7 +87,6 @@ module Conjur
     end
 
     # @api private
-    # :nodoc:
     def self.included(base)
       base.extend ClassMethods
     end