conjur-api 5.0.0 → 5.1.0

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "5.0.0"
+    VERSION = "5.1.0"
   end
 end

data/lib/conjur/acts_as_resource.rb

@@ -61,7 +61,7 @@ module Conjur
     # @return [Boolean] does it exist?
     def exists?
       begin
-        rbac_resource_resource.head
+        url_for(:resources_resource, credentials, id).head
         true
       rescue RestClient::Forbidden
         true
@@ -88,10 +88,7 @@ module Conjur
     # @param privilege [String] the privilege
     # @return [Array<String>] the ids of roles that have `privilege` on this resource.
     def permitted_roles privilege
-      options = {}
-      options[:permitted_roles] = true
-      options[:privilege] = privilege
-      result = JSON.parse rbac_resource_resource[options_querystring options].get
+      result = JSON.parse url_for(:resources_permitted_roles, credentials, id, privilege).get
       if result.is_a?(Hash) && ( count = result['count'] )
         count
       else
@@ -115,23 +112,12 @@ module Conjur
     #   instead of checking +api.current_role+.
     # @return [Boolean]
     def permitted? privilege, role: nil
-      options = {}
-      options[:check] = true
-      options[:privilege] = privilege
-      options[:role] = cast_to_id(role) if role
-      rbac_resource_resource[options_querystring options].get
+      url_for(:resources_check, credentials, id, privilege, role)
       true
     rescue RestClient::Forbidden
       false
     rescue RestClient::ResourceNotFound
       false
     end
-
-    private
-    
-    # RestClient::Resource for RBAC resource operations.
-    def rbac_resource_resource
-      RestClient::Resource.new(Conjur.configuration.core_url, credentials)['resources'][id.to_url_path]
-    end
   end
 end

data/lib/conjur/acts_as_role.rb

@@ -132,9 +132,7 @@ module Conjur
       if result.is_a?(Hash) && ( count = result['count'] )
         count
       else
-        result['members'].collect do |json|
-          RoleGrant.parse_from_json(json, credentials)
-        end
+        parser_for(:members, credentials, result)
       end
     end
 
@@ -142,7 +140,7 @@ module Conjur
 
     # RestClient::Resource for RBAC role operations.
     def rbac_role_resource
-      RestClient::Resource.new(Conjur.configuration.core_url, credentials)['roles'][id.to_url_path]
+      url_for(:roles_role, credentials, id)    
     end
   end
 end

data/lib/conjur/acts_as_user.rb

@@ -58,8 +58,7 @@ module Conjur
     #
     # @return [String] the new API key for this user.
     def rotate_api_key
-      path = "authn/#{path_escape account}/api_key?role=#{id}"
-      core_resource[path].put('').body
+      url_for(:authn_rotate_api_key, credentials, account, id).put("").body
     end
   end
 end

data/lib/conjur/api.rb

@@ -22,6 +22,7 @@ require 'active_support'
 require 'active_support/deprecation'
 
 require 'conjur/configuration'
+require 'conjur/routing'
 require 'conjur/id'
 require 'conjur/base'
 require 'conjur/exceptions'

data/lib/conjur/api/authn.rb

@@ -47,7 +47,7 @@ module Conjur
         if Conjur.log
           Conjur.log << "Logging in #{username} to account #{account} via Basic authentication\n"
         end
-        RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['login'].get
+        url_for(:authn_login, account, username, password).get
       end
 
       # Exchanges Conjur the API key (refresh token) for an access token.  The access token can 
@@ -62,7 +62,25 @@ module Conjur
         if Conjur.log
           Conjur.log << "Authenticating #{username} to account #{account}\n"
         end
-        JSON::parse(RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate'].post api_key, content_type: 'text/plain')
+        JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
+      end
+
+      # Obtains an access token from the +authn_local+ service. The access token can 
+      # then be used to authenticate further API calls.
+      #
+      # @param [String] username The username or host id for which we want a token
+      # @param [String] account The organization account.
+      # @return [String] A JSON formatted authentication token.
+      def authenticate_local username, account: Conjur.configuration.account, expiration: nil, cidr: nil
+        account ||= Conjur.configuration.account
+        if Conjur.log
+          Conjur.log << "Authenticating #{username} to account #{account} using authn_local\n"
+        end
+
+        require 'json'
+        require 'socket'
+        message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
+        JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })        
       end
 
       # Change a user's password.  To do this, you must have the user's current password.  This does not change or rotate
@@ -78,7 +96,7 @@ module Conjur
         if Conjur.log
           Conjur.log << "Updating password for #{username} in account #{account}\n"
         end
-        RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['password'].put new_password
+        url_for(:authn_update_password, account, username, password).put new_password
       end
 
       #@!endgroup
@@ -98,11 +116,7 @@ module Conjur
           Conjur.log << "Rotating API key for self (#{username} in account #{account})\n"
         end
 
-        RestClient::Resource.new(
-              Conjur.configuration.authn_url,
-              user: username,
-              password: password
-        )[fully_escape account]['api_key'].put('').body
+        url_for(:authn_rotate_own_api_key, account, username, password).put('').body
       end
 
       #@!endgroup

data/lib/conjur/api/host_factories.rb

@@ -40,10 +40,7 @@ module Conjur
       # @return [Host]
       def host_factory_create_host token, id, options = {}
         token = token.token if token.is_a?(HostFactoryToken)
-        http_options = {
-          headers: { authorization: %Q(Token token="#{token}") }
-        }
-        response = RestClient::Resource.new(Conjur.configuration.core_url, http_options)["host_factories"]["hosts"].post(options.merge(id: id)).body
+        response = url_for(:host_factory_create_host, token).post(options.merge(id: id)).body
         attributes = JSON.parse(response)
         Host.new(attributes['id'], {}).tap do |host|
           host.attributes = attributes
@@ -56,7 +53,7 @@ module Conjur
       # @param [Hash] credentials authentication credentials of the current user.
       # @param [String] token the host factory token.
       def revoke_host_factory_token credentials, token
-        RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factory_tokens'][token].delete
+        url_for(:host_factory_revoke_token, credentials, token).delete
       end
     end
     

data/lib/conjur/api/policies.rb

@@ -47,7 +47,7 @@ module Conjur
     # @param account [String] Conjur organization account
     # @param method [Symbol] Policy load method to use: {POLICY_METHOD_POST} (default), {POLICY_METHOD_PATCH}, or {POLICY_METHOD_PUT}.
     def load_policy id, policy, account: Conjur.configuration.account, method: POLICY_METHOD_POST
-      request = RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][path_escape account]['policy'][path_escape id]
+      request = url_for(:policies_load_policy, credentials, account, id)
       PolicyLoadResult.new JSON.parse(request.send(method, policy))
     end
 

data/lib/conjur/api/pubkeys.rb

@@ -44,18 +44,10 @@ module Conjur
       # @param [String] username the *unqualified* Conjur username
       # @return [String] newline delimited public keys
       def public_keys username, account: Conjur.configuration.account
-        public_keys_resource(username, account).get
+        url_for(:public_keys_for_user, account, username).get
       end
 
       #@!endgroup
-      
-      protected
-
-      # @api private
-      # Returns a RestClient::Resource with the pubkeys host and the given path.
-      def public_keys_resource username, account
-        RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][path_escape username]
-      end
     end
   end
 end

data/lib/conjur/api/resources.rb

@@ -95,12 +95,7 @@ module Conjur
         options.delete(name.to_sym)
       end
 
-      credentials ||= {}
-
-      path = "/resources/#{path_escape account}" 
-      path += "/#{path_escape kind}" if kind
-
-      result = JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)[path][options_querystring options].get)
+      result = JSON.parse(url_for(:resources, credentials, account, kind, options).get)
 
       result = result['count'] if result.is_a?(Hash)
 

data/lib/conjur/api/router/v4.rb

@@ -0,0 +1,149 @@
+module Conjur
+  class API
+    module Router
+      module V4
+        extend Conjur::Escape::ClassMethods
+        extend Conjur::QueryString
+        extend self
+
+        def authn_login account, username, password
+          verify_account(account)
+          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users/login']
+        end
+
+        def authn_authenticate account, username
+          verify_account(account)
+          RestClient::Resource.new(Conjur.configuration.authn_url)['users'][fully_escape username]['authenticate']
+        end
+
+        # For v4, the authn-local message is the username.
+        def authn_authenticate_local username, account, expiration, cidr, &block
+          verify_account(account)
+          
+          raise "'expiration' is not supported for authn-local v4" if expiration
+          raise "'cidr' is not supported for authn-local v4" if cidr
+
+          username
+        end
+
+        def authn_rotate_api_key credentials, account, id
+          verify_account(account)
+          username = if id.kind == "user"
+            id.identifier
+          else
+            [ id.kind, id.identifier ].join('/')
+          end
+          RestClient::Resource.new(Conjur.configuration.authn_url, credentials)['users']["api_key?id=#{username}"]
+        end
+
+        def authn_rotate_own_api_key account, username, password
+          verify_account(account)
+          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users']["api_key"]
+        end
+
+        def host_factory_create_host token
+          http_options = {
+            headers: { authorization: %Q(Token token="#{token}") }
+          }
+          RestClient::Resource.new(Conjur.configuration.core_url, http_options)['host_factories']['hosts']
+        end
+
+        def host_factory_create_tokens credentials, id
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories'][id.identifier]['tokens']
+        end
+
+        def host_factory_revoke_token credentials, token
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories']['tokens'][token]
+        end
+
+        def resources_resource credentials, id
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['resources'][id.kind][id.identifier]
+        end
+
+        def resources_check credentials, id, privilege, role
+          options = {}
+          options[:check] = true
+          options[:privilege] = privilege
+          if role
+            options[:resource_id] = id
+            roles_role(credentials, Id.new(role))[options_querystring options].get
+          else
+            resources_resource(credentials, id)[options_querystring options].get
+          end
+        end
+
+        def resources_permitted_roles credentials, id, privilege
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
+        end
+
+        def roles_role credentials, id
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles'][id.kind][id.identifier]
+        end
+
+        def secrets_add credentials, id
+          verify_account(id.account)
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['values']
+        end
+
+        def variable credentials, id
+          verify_account(id.account)
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]
+        end
+
+        def secrets_value credentials, id, options
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['value'][options_querystring options]
+        end
+
+        def secrets_values credentials, variable_ids
+          options = {
+            vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
+          }
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables']['values'][options_querystring options]
+        end
+
+        def group_attributes credentials, resource, id
+          verify_account(id.account)
+          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['groups'][fully_escape id.identifier].get)
+        end
+
+        def variable_attributes credentials, resource, id
+          verify_account(id.account)
+          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier].get)
+        end
+
+        def user_attributes credentials, resource, id
+          verify_account(id.account)
+          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['users'][fully_escape id.identifier].get)
+        end
+
+        def parse_group_gidnumber attributes
+          attributes['gidnumber']
+        end
+
+        def parse_user_uidnumber attributes
+          attributes['uidnumber']
+        end
+
+        def parse_variable_kind attributes
+          attributes['kind']
+        end
+
+        def parse_variable_mime_type attributes
+          attributes['mime_type']
+        end
+
+        def parse_members credentials, result
+          result.collect do |json|
+            RoleGrant.parse_from_json(json, credentials)
+          end
+        end
+
+        protected
+
+        def verify_account account
+          raise "Expecting account to be #{Conjur.configuration.account.inspect}, got #{account.inspect}" unless Conjur.configuration.account == account
+        end
+      end
+    end
+  end
+end

data/lib/conjur/api/router/v5.rb

@@ -0,0 +1,150 @@
+module Conjur
+  class API
+    module Router
+      module V5
+        extend Conjur::Escape::ClassMethods
+        extend Conjur::QueryString
+        extend Conjur::Cast
+        extend self
+
+        def authn_login account, username, password
+          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['login']
+        end
+
+        def authn_authenticate account, username
+          RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate']
+        end
+
+        # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
+        def authn_authenticate_local username, account, expiration, cidr, &block
+          { account: account, sub: username }.tap do |params|
+            params[:exp] = expiration if expiration
+            params[:cidr] = cidr if cidr
+          end.to_json
+        end
+
+        def authn_update_password account, username, password
+          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['password']
+        end
+
+        def authn_rotate_api_key credentials, account, id
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][path_escape account]["api_key?role=#{id}"]
+        end
+
+        def authn_rotate_own_api_key account, username, password
+          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['api_key']
+        end
+
+        def host_factory_create_host token
+          http_options = {
+            headers: { authorization: %Q(Token token="#{token}") }
+          }
+          RestClient::Resource.new(Conjur.configuration.core_url, http_options)["host_factories"]["hosts"]
+        end
+
+        def host_factory_create_tokens credentials, id
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factory_tokens']
+        end
+
+        def host_factory_revoke_token credentials, token
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factory_tokens'][token]
+        end
+
+        def policies_load_policy credentials, account, id
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][path_escape account]['policy'][path_escape id]
+        end
+
+        def public_keys_for_user account, username
+          RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][path_escape username]
+        end
+
+        def resources credentials, account, kind, options
+          credentials ||= {}
+
+          path = "/resources/#{path_escape account}" 
+          path += "/#{path_escape kind}" if kind
+
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)[path][options_querystring options]
+        end
+
+        def resources_resource credentials, id
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['resources'][id.to_url_path]
+        end
+
+        def resources_permitted_roles credentials, id, privilege
+          options = {}
+          options[:permitted_roles] = true
+          options[:privilege] = privilege
+          resources_resource(credentials, id)[options_querystring options]
+        end
+
+        def resources_check credentials, id, privilege, role
+          options = {}
+          options[:check] = true
+          options[:privilege] = privilege
+          options[:role] = cast_to_id(role) if role
+          resources_resource(credentials, id)[options_querystring options].get
+        end
+
+        def roles_role credentials, id
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['roles'][id.to_url_path]
+        end
+
+        def secrets_add credentials, id
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][id.to_url_path]
+        end
+
+        def secrets_value credentials, id, options
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][id.to_url_path][options_querystring options]
+        end
+
+        def secrets_values credentials, variable_ids
+          options = {
+            variable_ids: Array(variable_ids).join(',')
+          }
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][options_querystring(options).gsub("%2C", ',')]
+        end
+
+        def group_attributes credentials, resource, id
+          resource_annotations resource
+        end
+
+        def variable_attributes credentials, resource, id
+          resource_annotations resource
+        end
+
+        def user_attributes credentials, resource, id
+          resource_annotations resource
+        end
+
+        def parse_group_gidnumber attributes
+          HasAttributes.annotation_value attributes, 'conjur/gidnumber'
+        end
+
+        def parse_user_uidnumber attributes
+          HasAttributes.annotation_value attributes, 'conjur/uidnumber'
+        end
+
+        def parse_variable_kind attributes
+          HasAttributes.annotation_value attributes, 'conjur/kind'
+        end
+
+        def parse_variable_mime_type attributes
+          HasAttributes.annotation_value attributes, 'conjur/mime_type'
+        end
+
+        def parse_members credentials, result
+          result['members'].collect do |json|
+            RoleGrant.parse_from_json(json, credentials)
+          end
+        end
+
+        private
+
+        def resource_annotations resource
+          resource.attributes['annotations'] || {}
+        end
+      end
+    end
+  end
+end