conjur-api 5.0.0 → 5.1.0

data/lib/conjur/api/variables.rb

@@ -50,14 +50,8 @@ module Conjur
     def variable_values variable_ids
       raise ArgumentError, "Variables list must be an array" unless variable_ids.kind_of? Array 
       raise ArgumentError, "Variables list is empty" if variable_ids.empty?
-      
-      opts = "?variable_ids=#{variable_ids.map { |v| fully_escape(v) }.join(',')}"
-      
-      response =
-        RestClient::Resource.
-          new(Conjur.configuration.core_url,credentials)['secrets'+opts].get
-      
-      return JSON.parse(response.body) 
+
+      JSON.parse(url_for(:secrets_values, credentials, variable_ids).get.body)
     end
     
     #@!endgroup

data/lib/conjur/base.rb

@@ -37,6 +37,8 @@ module Conjur
   class API
     include Escape
     include LogSource
+    include Routing
+    extend Routing
 
     class << self
       # Create a new {Conjur::API} instance from a username and a password or api key.
@@ -55,7 +57,7 @@ module Conjur
       # @param [String] remote_ip the optional IP address to be recorded in the audit record.
       # @param [String] account The organization account.
       # @return [Conjur::API] an api that will authenticate with the given username and api key.
-      def new_from_key username, api_key, remote_ip: nil, account: Conjur.configuration.account
+      def new_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
         self.new.init_from_key username, api_key, remote_ip: remote_ip, account: account
       end
 
@@ -101,6 +103,19 @@ module Conjur
       def new_from_token_file token_file, remote_ip: nil
         self.new.init_from_token_file token_file, remote_ip: remote_ip
       end
+
+      # Create a new {Conjur::API} instance which authenticates using +authn-local+
+      # using the specified username.
+      # 
+      # @param [String] username the username to use when making authenticated requests.
+      # @param [String] account The organization account.
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @param [String] expiration the optional expiration time of the token (supported in V5 only).
+      # @param [String] cidr the optional CIDR restriction on the token (supported in V5 only).
+      # @return [Conjur::API] an api that will authenticate with the given username.
+      def new_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
+        self.new.init_from_authn_local username, account: account, remote_ip: remote_ip, expiration: expiration, cidr: cidr
+      end
     end
 
     #@!attribute [r] api_key
@@ -139,6 +154,12 @@ module Conjur
       return @token
     end
 
+    # @api private
+    # Force the API to obtain a new access token on the next invocation.
+    def force_token_refresh
+      @token = nil
+    end
+
     # Credentials that can be merged with options to be passed to `RestClient::Resource` HTTP request methods.
     # These include a username and an Authorization header containing the authentication token.
     #
@@ -152,17 +173,7 @@ module Conjur
       { headers: headers, username: username }
     end
 
-    module MonotonicTime
-      def monotonic_time
-        Process.clock_gettime Process::CLOCK_MONOTONIC
-      rescue
-        # fall back to normal clock if there's no CLOCK_MONOTONIC
-        Time.now.to_f
-      end
-    end
-
     module TokenExpiration
-      include MonotonicTime
 
       # The four minutes is to work around a bug in Conjur < 4.7 causing a 404 on 
       # long-running operations (when the token is used right around the 5 minute mark).
@@ -174,9 +185,20 @@ module Conjur
         token_age > TOKEN_STALE
       end
 
+      def update_token_born
+        self.token_born = gettime
+      end
+
       def token_age
         gettime - token_born
       end
+
+      def gettime
+        Process.clock_gettime Process::CLOCK_MONOTONIC
+      rescue
+        # fall back to normal clock if there's no CLOCK_MONOTONIC
+        Time.now.to_f
+      end
     end
 
     # When the API is constructed with an API key, the token can be refreshed using
@@ -191,6 +213,7 @@ module Conjur
         @account = account
         @username = username
         @api_key = api_key
+        
         update_token_born
       end
 
@@ -199,20 +222,32 @@ module Conjur
           update_token_born
         end
       end
+    end
 
-      def update_token_born
-        self.token_born = gettime
+    # Obtains access tokens from the +authn-local+ service.
+    class LocalAuthenticator
+      include TokenExpiration
+
+      attr_reader :account, :username, :expiration, :cidr
+
+      def initialize account, username, expiration, cidr
+        @account = account
+        @username = username
+        @expiration = expiration
+        @cidr = cidr
+
+        update_token_born
       end
 
-      def gettime
-        monotonic_time
+      def refresh_token
+        Conjur::API.authenticate_local(username, account: account, expiration: expiration, cidr: cidr).tap do
+          update_token_born
+        end
       end
     end
 
     # When the API is constructed with a token, the token cannot be refreshed.
     class UnableAuthenticator
-      include MonotonicTime
-      
       def refresh_token
         raise "Unable to re-authenticate using an access token"
       end
@@ -255,7 +290,7 @@ module Conjur
       end
     end
 
-    def init_from_key username, api_key, remote_ip: nil, account: Conjur.configuration.account
+    def init_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
       @username = username
       @api_key = api_key
       @remote_ip = remote_ip
@@ -276,6 +311,14 @@ module Conjur
       self
     end
 
+    def init_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
+      @username = username
+      @api_key = api_key
+      @remote_ip = remote_ip
+      @authenticator = LocalAuthenticator.new(account, username, expiration, cidr)
+      self
+    end
+
     attr_reader :authenticator
 
     private

data/lib/conjur/base_object.rb

@@ -26,6 +26,7 @@ module Conjur
     include QueryString
     include LogSource
     include BuildObject
+    include Routing
     
     attr_reader :id, :credentials
     
@@ -47,11 +48,5 @@ module Conjur
     def username
       credentials[:username] or raise "No username found in credentials"
     end
-    
-    protected
-
-    def core_resource
-      RestClient::Resource.new(Conjur.configuration.core_url, credentials)
-    end
   end
 end

data/lib/conjur/configuration.rb

@@ -369,6 +369,32 @@ module Conjur
     # @see cert_file
     add_option :ssl_certificate
 
+    # @!attribute version
+    #
+    # Selects the major API version of the Conjur server. With this setting, the API
+    # will use the routing scheme for API version `4` or `5`. 
+    #
+    # Methods which are not available in the selected version will raise NoMethodError.
+    add_option :version, default: 5
+
+    # @!attribute authn_local_socket
+    #
+    # File path to the Unix socket used for local authentication.
+    # This is only available when the API client is running on the Conjur server.
+    add_option :authn_local_socket, default: "/run/authn-local/.socket"
+
+    # Calls a major-version-specific function.
+    def version_logic v4_logic, v5_logic
+      case version.to_s
+      when "4"
+        v4_logic.call
+      when "5"
+        v5_logic.call
+      else
+        raise "Unspported major version #{version}"
+      end
+    end
+
     # Add the certificate configured by the {#ssl_certificate} and {#cert_file} options to the certificate
     # store used by Conjur clients.
     #

data/lib/conjur/group.rb

@@ -29,7 +29,13 @@ module Conjur
     # @return [Fixnum] the gidnumber
     # @raise [RestClient::Forbidden] if you don't have permission to `show` the group.
     def gidnumber
-      annotation_value 'conjur/gidnumber'
+      parser_for(:group_gidnumber, group_attributes)
+    end
+
+    private
+
+    def group_attributes
+      @group_attributes ||= url_for(:group_attributes, credentials, self, id)
     end
   end
 end

data/lib/conjur/has_attributes.rb

@@ -23,6 +23,14 @@ module Conjur
   # methods on specific asset classes (for example, {Conjur::Resource#owner}), the are available as
   # a `Hash` on all types supporting attributes.
   module HasAttributes
+    class << self
+
+      # @api private
+      def annotation_value annotations, name
+        (annotations.find{|a| a['name'] == name} || {})['value']
+      end
+    end
+
     def as_json options={}
       result = super(options)
       if @attributes
@@ -67,7 +75,7 @@ module Conjur
     protected
 
     def annotation_value name
-      (attributes['annotations'].find{|a| a['name'] == name} || {})['value']
+      HasAttributes.annotation_value attributes['annotations'], name
     end
 
     # @api private
@@ -78,9 +86,9 @@ module Conjur
 
     # @api private
     def fetch_attributes
-      cache_key = Conjur.cache_key username, rbac_resource_resource.url
+      cache_key = Conjur.cache_key username, url_for(:resources_resource, credentials, id).url
       Conjur.cache.fetch_attributes cache_key do
-        JSON.parse(rbac_resource_resource.get.body)
+        JSON.parse(url_for(:resources_resource, credentials, id).get.body)
       end
     end
   end

data/lib/conjur/host_factory.rb

@@ -47,7 +47,7 @@ module Conjur
       options[:host_factory] = id
       options[:count] = count
       options[:cidr] = cidr if cidr
-      response = JSON.parse core_resource['host_factory_tokens'].post(options)
+      response = JSON.parse url_for(:host_factory_create_tokens, credentials, id).post(options)
       response.map do |data|
         HostFactoryToken.new data, credentials
       end

data/lib/conjur/routing.rb

@@ -0,0 +1,29 @@
+module Conjur
+  module Routing
+    def url_for method, *args
+      router.send method, *args
+    end
+
+    def parser_for method, *args
+      router.send "parse_#{method}", *args
+    end
+
+    protected
+
+    def router
+      require 'conjur/api/router/v4'
+      require 'conjur/api/router/v5'
+
+      variable_id = "@v#{Conjur.configuration.version}_router"
+      router = instance_variable_get variable_id
+      if router.nil?
+        router = instance_variable_set variable_id, router_for_version
+      end
+      router
+    end
+
+    def router_for_version
+      Conjur::API::Router.const_get("V#{Conjur.configuration.version}")
+    end
+  end
+end

data/lib/conjur/user.rb

@@ -28,7 +28,13 @@ module Conjur
     # @return [Fixnum] the uidnumber
     # @raise [RestClient::Forbidden] if you don't have permission to `show` the user.
     def uidnumber
-      annotation_value 'conjur/uidnumber'
+      parser_for(:user_uidnumber, user_attributes)
+    end
+
+    private
+
+    def user_attributes
+      @user_attributes ||= url_for(:user_attributes, credentials, self, id)
     end
   end
 end

data/lib/conjur/variable.rb

@@ -95,7 +95,7 @@ module Conjur
     # @note this is **not** the same as the `kind` part of a qualified Conjur id.
     # @return [String] a string representing the kind of secret.
     def kind
-      annotation_value 'conjur/kind' || "secret"
+      parser_for(:variable_kind, variable_attributes) || "secret"
     end
 
     # The MIME Type of the variable's value.
@@ -109,7 +109,7 @@ module Conjur
     #
     # @return [String] a MIME type, such as `'text/plain'` or `'application/octet-stream'`.
     def mime_type
-      annotation_value 'conjur/mime_type' || "text/plain"
+      parser_for(:variable_mime_type, variable_attributes) || "text/plain"
     end
 
     # Add a new value to the variable.
@@ -130,7 +130,12 @@ module Conjur
         logger << "Adding a value to variable #{id}"
       end
       invalidate do
-        core_resource['secrets'][id.to_url_path].post value
+        route = url_for(:secrets_add, credentials, id)
+        Conjur.configuration.version_logic lambda {
+            route.post value: value
+          }, lambda {
+            route.post value
+          }
       end
     end
 
@@ -145,12 +150,16 @@ module Conjur
     #
     # @return [Integer] the number of versions
     def version_count
-      secrets = attributes['secrets']
-      if secrets.empty?
-        0
-      else
-        secrets.last['version']
-      end
+      Conjur.configuration.version_logic lambda {
+          JSON.parse(url_for(:variable, credentials, id).get)['version_count']
+        }, lambda {
+          secrets = attributes['secrets']
+          if secrets.empty?
+            0
+          else
+            secrets.last['version']
+          end
+        }
     end
 
     # Return the version of a variable.
@@ -187,7 +196,13 @@ module Conjur
     # @return [String] the value of the variable
     def value version = nil, options = {}
       options['version'] = version if version
-      core_resource['secrets'][id.to_url_path][options_querystring options].get.body
+      url_for(:secrets_value, credentials, id, options).get.body
+    end
+
+    private
+
+    def variable_attributes
+      @variable_attributes ||= url_for(:variable_attributes, credentials, self, id)
     end
-  end
+  end  
 end

data/spec/has_attributes_spec.rb

@@ -4,6 +4,8 @@ describe Conjur::HasAttributes do
   class ObjectWithAttributes
     include Conjur::HasAttributes
 
+    def id; "the-object"; end
+    def credentials; {}; end
     def username; 'alice'; end
     def url; 'http://example.com/the-object'; end
   end
@@ -18,8 +20,8 @@ describe Conjur::HasAttributes do
   let(:rbac_resource_resource) { double(:rbac_resource_resource, url: object.url) }
 
   before {
-    allow(object).to receive(:rbac_resource_resource).and_return(rbac_resource_resource)
-    allow(second_object).to receive(:rbac_resource_resource).and_return(rbac_resource_resource)
+    allow(object).to receive(:url_for).with(:resources_resource, {}, "the-object").and_return(rbac_resource_resource)
+    allow(second_object).to receive(:url_for).with(:resources_resource, {}, "the-object").and_return(rbac_resource_resource)
     expect(rbac_resource_resource).to receive(:get).with(no_args).and_return(double(:response, body: attributes.to_json))
   }
 

data/test.sh

@@ -5,36 +5,50 @@ function finish {
   echo '---'
   docker-compose down --rmi 'local' --volumes
 }
+
 trap finish EXIT
 
 function main() {
   # Generate reports folders locally
-  mkdir -p spec/reports features/reports
+  mkdir -p spec/reports features/reports features_v4/reports
 
   startConjur
-  runTests
+  runTests_5
+  runTests_4
 }
 
 function startConjur() {
   echo 'Starting Conjur environment'
   echo '-----'
-  docker-compose pull conjur postgres
-  docker-compose build --pull tester
-  docker-compose up -d conjur
+  docker-compose pull
+  docker-compose build
+  docker-compose up -d pg conjur_4 conjur_5
+}
+
+function runTests_5() {
+  echo 'Waiting for Conjur v5 to come up, and configuring it...'
+  ./ci/configure_v5.sh
+
+  local api_key=$(docker-compose exec -T conjur_5 rake 'role:retrieve-key[cucumber:user:admin]')
+
+  echo 'Running tests'
+  echo '-----'
+  docker-compose run --rm \
+    -e CONJUR_AUTHN_API_KEY="$api_key" \
+    tester_5 rake jenkins_init jenkins_spec jenkins_cucumber_v5
 }
 
-function runTests() {
-  echo 'waiting for Conjur to come up...'
-  # TODO: remove this once we have HEALTHCHECK in place
-  docker-compose run --rm tester ./ci/wait_for_server.sh
+function runTests_4() {
+  echo 'Waiting for Conjur v4 to come up, and configuring it...'
+  ./ci/configure_v4.sh
 
-  local api_key=$(docker-compose exec -T conjur rails r "print Credentials['cucumber:user:admin'].api_key")
+  local api_key=$(docker-compose exec -T conjur_4 su conjur -c "conjur-plugin-service authn env RAILS_ENV=appliance rails r \"puts User['admin'].api_key\" 2>/dev/null")
 
   echo 'Running tests'
   echo '-----'
   docker-compose run --rm \
     -e CONJUR_AUTHN_API_KEY="$api_key" \
-    tester
+    tester_4 rake jenkins_cucumber_v4
 }
 
 main