conjur-api 4.31.0 → 5.0.0.rc1

data/lib/conjur/{api/secrets.rb → policy_load_result.rb}

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -18,31 +18,44 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/secret'
-
 module Conjur
-  class API
-
+  # The result of loading a policy. When a policy is loaded, two types of data
+  # are always provided:
+  #
+  # * {#created_roles} the API keys of any new roles which were created
+  # * {#version} the new version of the policy.
+  class PolicyLoadResult
+    def initialize data
+      @data = data
+    end
+    
     # @api private
-    #
-    # Create a Conjur secret.  Secrets are a low-level construcct upon which variables
-    # are built,
-    #
-    # @param [String] value the secret data
-    # @return [Conjur::Secret] the new secret
-    def create_secret(value, options = {})
-      standard_create Conjur::Core::API.host, :secret, nil, options.merge(value: value)
+    def to_h
+      @data
     end
-
+    
     # @api private
+    def to_json options = {}
+      @data.to_json(options)
+    end
+    
+    # @api private
+    def to_s
+      @data.to_s
+    end
+
+    # API keys for roles which were created when loading the policy.
     #
-    # Fetch a Conjur secret by id.  Secrets are a low-level construct upon which variables
-    # are built, and should not generally be used directly.
-    #
-    # @param [String] id the *unqualified* identifier for the secret
-    # @return [Conjur::Secret] an object representing the secret
-    def secret id
-      standard_show Conjur::Core::API.host, :secret, id
+    # @return [Hash] Hash keys are the role ids, and hash values are the API keys.    
+    def created_roles
+      @data['created_roles']
+    end
+    
+    # The new version of the policy. When a policy is updated, a new version is appended
+    # to that policy. The YAML of previous versions of the policy can be obtained 
+    # by fetching the policy resource using {API#resource}.
+    def version
+      @data['version']
     end
   end
-end
+end

data/lib/conjur/query_string.rb

@@ -1,4 +1,5 @@
-module QueryString
+# @api private
+module Conjur::QueryString
   protected
 
   def options_querystring options

data/lib/conjur/resource.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -18,306 +18,12 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/annotations'
 
 module Conjur
 
-  # A `Conjur::Resource` instance represents a Conjur
-  # {http://developer.conjur.net/reference/services/authorization/resource Resource}.
-  #
-  # You should not instantiate this class directly.  Instead, you can get an instance from the
-  # {Conjur::API#resource} and {Conjur::API#resources} methods, or from the {ActsAsResource#resource} method
-  # present on objects representing Conjur assets that have associated resources.
-  #
-  class Resource < RestClient::Resource
-    include HasAttributes
-    include PathBased
-    include Exists
-    include QueryString
-    extend QueryString
-
-    alias resource_kind kind
-    
-    # The identifier part of the `resource_id` for this resource.  The identifier
-    # is the resource id without the `account` and `kind` parts.
-    #
-    # @example
-    #   resource = api.resource 'conjur:layer:pubkeys-1.0/public-keys'
-    #   resource.identifier # => 'pubkeys-1.0/public-keys'
-    #
-    # @return [String] the identifier part of the id.
-    def identifier
-      match_path(3..-1)
-    end
-
-    # The full role id of the role that owns this resource.
-    #
-    # @example
-    #   api.current_role # => 'conjur:user:jon'
-    #   resource = api.create_resource 'conjur:example:resource-owner'
-    #   resource.owner # => 'conjur:user:jon'
-    #
-    # @return [String] the full role id of this resource's owner.
-    def ownerid
-      attributes['owner']
-    end
-
-    alias owner ownerid
-    
-    # Return the full id for this resource.  The format is `account:kind:identifier`
-    #
-    # @example
-    #   resource = api.layer('pubkeys-1.0/public-keys').resource
-    #   resource.account        # => 'conjur'
-    #   resource.kind           # => 'layer'
-    #   resource.identifier     # => 'pubkeys-1.0/public-keys'
-    #   resource.resourceid     # => 'conjur:layer:pubkeys-1.0/public-keys'
-    # @return [String]
-    def resourceid 
-      [account, kind, identifier].join ':'
-    end
-    
-    alias :resource_id :resourceid
-
-
-    # @api private
-    def create(options = {})
-      log do |logger|
-        logger << "Creating resource #{resourceid}"
-        unless options.empty?
-          logger << " with options #{options.to_json}"
-        end
-      end
-      self.put(options)
-    end
-    
-    # Lists roles that have a specified privilege on the resource. 
-    #
-    # This will return only roles of which api.current_user is a member.
-    #
-    # Options:
-    #
-    # * **offset** Zero-based offset into the result set.
-    # * **limit**  Total number of records returned.
-    #
-    # @example
-    #   resource = api.resource 'conjur:variable:example'
-    #   resource.permitted_roles 'execute' # => ['conjur:user:admin']
-    #   resource.permit 'execute', api.user('jon')
-    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:user:jon']
-    #
-    # @param privilege [String] the privilege
-    # @param options [Hash, nil] extra parameters to pass to the webservice method.
-    # @return [Array<String>] the ids of roles that have `privilege` on this resource, sorted 
-    # alphabetically.
-    def permitted_roles(privilege, options = {})
-      result = JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.options)["#{account}/roles/allowed_to/#{privilege}/#{path_escape kind}/#{path_escape identifier}#{options_querystring options}"].get
-      if result.is_a?(Hash) && ( count = result['count'] )
-        count
-      else
-        result
-      end
-    end
-
-    # Changes the owner of a resource.  You must be the owner of the resource
-    # or a member of the owner role to do this.
-    #
-    # @example
-    #     resource.owner # => 'conjur:user:admin'
-    #     resource.give_to 'conjur:user:jon'
-    #     resource.owner # => 'conjur:user:jon'
-    #
-    # @param owner [String, #roleid] the new owner.
-    # @return [void]
-    def give_to(owner, options = {})
-      owner = cast(owner, :roleid)
-      invalidate do
-        self.put(options.merge(owner: owner))
-      end
-
-      nil
-    end
-
-    # @api private
-    def delete(options = {})
-      log do |logger|
-        logger << "Deleting resource #{resourceid}"
-        unless options.empty?
-          logger << " with options #{options.to_json}"
-        end
-      end
-      super options
-    end
-
-    # Grant `privilege` on this resource to `role`.
-    #
-    # This operation is idempotent, that is, nothing will happen if
-    # you attempt to grant a privilege that the role already has on
-    # this resource.
-    #
-    # @example
-    #   user = api.user 'bob'
-    #   resource = api.variable('example').resource
-    #   resource.permitted_roles 'bake' # => ['conjur:user:admin']
-    #   resource.permit 'fry', user
-    #   resource.permitted_roles 'fry' # => ['conjur:user:admin', 'conjur:user:bob']
-    #   resource.permit ['boil', 'bake'], bob
-    #   resource.permitted_roles 'boil' # => ['conjur:user:admin', 'conjur:user:bob']
-    #   resource.permitted_roles 'bake' # => ['conjur:user:admin', 'conjur:user:bob']
-    #
-    # @param privilege [String, #each] The privilege to grant, for example
-    #   `'execute'`, `'read'`, or `'update'`.  You may also pass an `Enumerable`
-    #   object, in which case the Strings yielded by #each will all be granted
-    #
-    # @param role [String, #roleid] The role-ish object or full role id
-    #   to which the privilege is to be granted.
-    #
-    # @param options [Hash, nil] options to pass through to `RestClient::Resource#post`
-    #
-    # @return [void]
-    def permit(privilege, role, options = {})
-      role = cast(role, :roleid)
-      eachable(privilege).each do |p|
-        log do |logger|
-          logger << "Permitting #{p} on resource #{resourceid} by #{role}"
-          unless options.empty?
-            logger << " with options #{options.to_json}"
-          end
-        end
-        
-        begin
-          self["?permit&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
-        rescue RestClient::Forbidden
-          # TODO: Remove once permit is idempotent
-          raise $! unless $!.http_body == "Privilege already granted."
-        end
-      end
-      nil
-    end
-
-    # The inverse operation of `#permit`.  Deny privilege `privilege` to `role`
-    # on this resource.
-    #
-    # @example
-    #
-    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:user:alice']
-    #   resource.deny 'execute', 'conjur:user:alice'
-    #   resource.permitted_roles 'execute' # =>  ['conjur:user:admin']
-    #
-    # @param privilege [String, #each] A privilege name or an `Enumerable` of privileges to deny.  In the
-    #   later, all privileges will be denied.
-    #
-    # @param role [String, :roleid] A full role id or a role-ish object whose privileges we will deny.
-    #
-    # @return [void]
-    def deny(privilege, role, options = {})
-      role = cast(role, :roleid)
-      eachable(privilege).each do |p|
-        log do |logger|
-          logger << "Denying #{p} on resource #{resourceid} by #{role}"
-          unless options.empty?
-            logger << " with options #{options.to_json}"
-          end
-        end
-        self["?deny&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
-      end
-      nil
-    end
-
-    # True if the logged-in role, or a role specified using the :acting_as option, has the
-    # specified +privilege+ on this resource.
-    #
-    # @example
-    #   api.current_role # => 'conjur:cat:mouse'
-    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:cat:mouse']
-    #   resource.permitted_roles 'update', # => ['conjur:user:admin', 'conjur:cat:gino']
-    #
-    #   resource.permitted? 'update' # => false, `mouse` can't update this resource
-    #   resource.permitted? 'execute' # => true, `mouse` can execute it.
-    #   resource.permitted? 'update',acting_as: 'conjur:cat:gino' # => true, `gino` can update it.
-    # @param privilege [String] the privilege to check
-    # @param [Hash, nil] options for the request
-    # @option options [String,nil] :acting_as check whether the role given by this full role id is permitted
-    #   instead of checking +api.current_role+.
-    # @return [Boolean]
-    def permitted?(privilege, options = {})
-      # TODO this method should accept an optional role rather than putting it in the options hash.
-      params = {
-        check: true,
-        privilege: query_escape(privilege)
-      }
-      params[:acting_as] = options[:acting_as] if options[:acting_as]
-      self["?#{params.to_query}"].get(options)
-      true
-    rescue RestClient::Forbidden
-      false
-    rescue RestClient::ResourceNotFound
-      false
-    end
-
-    # Return an {Conjur::Annotations} object to manipulate and view annotations.
-    #
-    # @see Conjur::Annotations
-    # @example
-    #    resource.annotations.count # => 0
-    #    resource.annotations['foo'] = 'bar'
-    #    resource.annotations.each do |k,v|
-    #       puts "#{k}=#{v}"
-    #    end
-    #    # output is
-    #    # foo=bar
-    #
-    #
-    # @return [Conjur::Annotations]
-    def annotations
-      @annotations ||= Conjur::Annotations.new(self)
-    end
-    alias tags annotations
-
-    # @api private
-    # This is documented by Conjur::API#resources.
-    # Returns all resources (optionally qualified by kind) visible to the user with given credentials.
-    #
-    #
-    # Options are:
-    # - host - authz url,
-    # - credentials,
-    # - account,
-    # - owner (optional),
-    # - kind (optional),
-    # - search (optional),
-    # - limit (optional),
-    # - offset (optional).
-    def self.all options = {}
-      host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
-      fail ArgumentError, "host and account are required" unless [host, account].all?
-      %w(host credentials account kind).each do |name|
-        options.delete(name.to_sym)
-      end
-
-      credentials ||= {}
-
-      path = "#{account}/resources" 
-      path += "/#{kind}" if kind
-
-      result = JSON.parse(RestClient::Resource.new(host, credentials)[path][options_querystring options].get)
-
-      result = result['count'] if result.is_a?(Hash)
-      result
-    end
-
-    protected
-
-
-    # Given an Object, return something that responds to each.  In particular,
-    # if `item.respond_to? :each` is true, we return the item, otherwise we put it in
-    # an array.
-    #
-    # @param item [Object] the value we want to each over.
-    # @return [#each]  `item` if item is already eachable, otherwise `[item]`.
-    # @api private
-    def eachable(item)
-      item.respond_to?(:each) ? item : [ item ]
-    end
+  # A Conjur custom Resource. This object is used for resources whose `kind` is not
+  # any of the pre-defined common types such as {Group}, {Host}, {Variable}, etc.
+  class Resource < BaseObject
+    include ActsAsResource
   end
 end