conjur-api 5.3.0 → 5.3.5

data/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will 
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

data/bin/parse-changelog.sh

@@ -0,0 +1,12 @@
+#!/bin/bash -ex
+
+cd "$(dirname "$0")"
+
+docker run --rm \
+  -v "$PWD/..:/work" \
+  -w "/work" \
+  ruby:2.5 bash -ec "
+    gem install -N parse_a_changelog
+    parse ./CHANGELOG.md
+  "
+

data/ci/codeclimate.dockerfile

@@ -0,0 +1,6 @@
+FROM alpine:3.11
+RUN wget https://codeclimate.com/downloads/test-reporter/test-reporter-0.6.3-linux-amd64 -O /opt/cc-test-reporter
+RUN chmod +x /opt/cc-test-reporter
+RUN apk update && apk upgrade && apk add --no-cache git
+
+ENTRYPOINT ["/opt/cc-test-reporter"]

data/conjur-api.gemspec

@@ -18,10 +18,13 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 1.9'
 
+  # Filter out development only executables
+  gem.executables -= %w{parse-changelog.sh}
+
   gem.add_dependency 'rest-client'
   gem.add_dependency 'activesupport'
 
-  gem.add_development_dependency 'rake', '~> 10.0'
+  gem.add_development_dependency 'rake', '>= 12.3.3'
   gem.add_development_dependency 'rspec', '~> 3'
   gem.add_development_dependency 'rspec-expectations', '~> 3.4'
   gem.add_development_dependency 'json_spec'

data/docker-compose.yml

@@ -27,6 +27,7 @@ services:
     volumes:
       - ./spec/reports:/src/conjur-api/spec/reports
       - ./features/reports:/src/conjur-api/features/reports
+      - ./coverage:/src/conjur-api/coverage
       - authn_local_5:/run/authn-local-5
     environment:
       CONJUR_APPLIANCE_URL: http://conjur_5
@@ -38,6 +39,7 @@ services:
     volumes:
       - ./features_v4/reports:/src/conjur-api/features_v4/reports
       - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
+      - ./coverage_v4:/src/conjur-api/coverage
       - authn_local_4:/run/authn-local-4
     environment:
       CONJUR_APPLIANCE_URL: https://conjur_4/api

data/features/authenticators.feature

@@ -0,0 +1,33 @@
+Feature: List and manage authenticators
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !webservice conjur/authn-k8s/my-auth
+    POLICY
+    """
+
+  Scenario: Authenticator list includes the authenticator status
+    When I run the code:
+    """
+    $conjur.authenticator_list
+    """
+    Then the JSON should have "installed"
+    And the JSON should have "configured"
+    And the JSON should have "enabled"
+    And the JSON at "enabled" should be ["authn"]
+
+  Scenario: Enable and disable authenticator
+    When I run the code:
+    """
+    $conjur.authenticator_enable("authn-k8s", "my-auth")
+    $conjur.authenticator_list
+    """
+    Then the JSON at "enabled" should be ["authn", "authn-k8s/my-auth"]
+    When I run the code:
+    """
+    $conjur.authenticator_disable("authn-k8s", "my-auth")
+    $conjur.authenticator_list
+    """
+    Then the JSON at "enabled" should be ["authn"]

data/features/host.feature

@@ -1,20 +1,50 @@
-Feature: Display Host object fields.
+Feature: Host object
 
-  Background:
+  Scenario: API key of a newly created host is available and valid
     Given a new host
-
-  Scenario: API key of a newly created host is available and valid.
-    Then I run the code:
+    Then I can run the code:
     """
     expect(@host.exists?).to be(true)
     expect(@host.api_key).to be
     Conjur::API.new_from_key(@host.login, @host.api_key).token
     """
 
-  Scenario: API key of a a host can be rotated.
-    Then I run the code:
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with an API key
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
     """
     host = Conjur::API.new_from_key(@host.login, @host.api_key).resource(@host.id)
-    api_key = host.rotate_api_key
-    Conjur::API.new_from_key(@host.login, api_key).token
+    host.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with a token
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@host.login, @host.api_key).token
+
+    host = Conjur::API.new_from_token(token).resource(@host.id)
+    host.rotate_api_key
+    """
+
+  Scenario: Delegated host's API key can be rotated with an API key
+    Given a new delegated host
+    Then I can run the code:
+    """
+    delegated_host_resource = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
+    """
+
+  Scenario: Delegated host's API key can be rotated with a token
+    Given a new delegated host
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).token
+
+    delegated_host_resource = Conjur::API.new_from_token(token).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
     """

data/features/step_definitions/api_steps.rb

@@ -1,7 +1,18 @@
-When(/^I(?: can)? run the code:$/) do |code|
+Then(/^I(?: can)? run the code:$/) do |code|
   @result = eval(code).tap do |result|
-    if ENV['DEBUG']
-      puts result
+    puts result if ENV['DEBUG']
+  end
+end
+
+Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
+  begin
+    @result = eval(code)
+  rescue Exception => exc
+    if not exc.message =~ %r{#{error_msg}}
+      fail "'#{error_msg}' was not found in '#{exc.message}'"
     end
+  else
+    puts @result if ENV['DEBUG']
+    fail "The provided block did not raise an error"
   end
 end

data/features/step_definitions/policy_steps.rb

@@ -13,6 +13,25 @@ Given(/^a new user$/) do
   expect(@user_api_key).to be
 end
 
+Given(/^a new delegated user$/) do
+  # Create a new host that is owned by that user
+  step 'a new user'
+  @user_owner = @user
+  @user_owner_id = @user_id
+  @user_owner_api_key = @user_api_key
+
+  # Create a new user that is owned by the user created earlier
+  @user_id = "user-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user
+    id: #{@user_id}
+    owner: !user #{@user_owner_id}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{@user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
 Given(/^a new group$/) do
   @group_id = "group-#{random_hex}"
   response = $conjur.load_policy 'root', <<-POLICY
@@ -33,3 +52,24 @@ Given(/^a new host$/) do
   @host = $conjur.resource("cucumber:host:#{@host_id}")
   @host.attributes['api_key'] = @host_api_key
 end
+
+Given(/^a new delegated host$/) do
+  # Create an owner user
+  step 'a new user'
+  @host_owner = @user
+  @host_owner_id = @user_id
+  @host_owner_api_key = @user_api_key
+
+  # Create a new host that is owned by that user
+  @host_id = "app-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !host
+    id: #{@host_id}
+    owner: !user #{@host_owner_id}
+  POLICY
+
+  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+  expect(@host_api_key).to be
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end

data/features/support/env.rb

@@ -1,5 +1,7 @@
 require 'simplecov'
+require 'simplecov-cobertura'
 
+SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
 SimpleCov.start
 
 require 'json_spec/cucumber'

data/features/update_password.feature

@@ -5,8 +5,8 @@ Feature: Change a user's password.
   Scenario: A user can set/change her password using the current API key.
     When I run the code:
     """
-    Conjur::API.update_password @user_id, @user_api_key, 'secret'
-    @new_api_key = Conjur::API.login @user_id, 'secret'
+    Conjur::API.update_password @user_id, @user_api_key, 'SEcret12!!!!'
+    @new_api_key = Conjur::API.login @user_id, 'SEcret12!!!!'
     """
     Then I can run the code:
     """

data/features/user.feature

@@ -1,17 +1,58 @@
-Feature: Display User object fields.
+Feature: User object
 
   Background:
-    Given a new user
 
-  Scenario: User has a uidnumber.
-    Then I run the code:
+  Scenario: User has a uidnumber
+    Given a new user
+    Then I can run the code:
     """
     @user.uidnumber
     """
     Then the result should be "1000"
 
-  Scenario: Logged-in user is the current_role.
-    Then I run the code:
+  Scenario: Logged-in user is the current_role
+    Given a new user
+    Then I can run the code:
     """
     expect($conjur.current_role(Conjur.configuration.account).id.to_s).to eq("cucumber:user:admin")
     """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with an API key
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    user = Conjur::API.new_from_key(@user.login, @user_api_key).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with a token
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@user.login, @user_api_key).token
+
+    user = Conjur::API.new_from_token(token).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  Scenario: Delegated user's API key can be rotated with an API key
+    Given a new delegated user
+    Then I can run the code:
+    """
+    delegated_user_resource = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """
+
+  Scenario: Delegated user's API key can be rotated with a token
+    Given a new delegated user
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).token
+
+    delegated_user_resource = Conjur::API.new_from_token(token).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """

data/features_v4/support/env.rb

@@ -1,5 +1,7 @@
 require 'simplecov'
+require 'simplecov-cobertura'
 
+SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
 SimpleCov.start
 
 require 'json_spec/cucumber'

data/lib/conjur-api/version.rb

@@ -1,4 +1,4 @@
-# Copyright 2013-2017 Conjur Inc.
+# Copyright 2013-2020 Conjur Inc.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "5.3.0"
+    VERSION = "5.3.5"
   end
 end

data/lib/conjur/acts_as_role.rb

@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 module Conjur
 
   # This module provides methods for things that have an associated {Conjur::Role}.
@@ -100,7 +96,7 @@ module Conjur
       end
       if filter = options.delete(:filter)
         filter = [filter] unless filter.is_a?(Array)
-        options["filter"] = filter.map{ |obj| cast_to_id(obj) }
+        options["filter"] = filter.map(&Id.method(:new))
       end
 
       result = JSON.parse(rbac_role_resource[options_querystring options].get)
@@ -143,4 +139,4 @@ module Conjur
       url_for(:roles_role, credentials, id)    
     end
   end
-end
+end

data/lib/conjur/acts_as_user.rb

@@ -52,12 +52,16 @@ module Conjur
     # @note You will not be able to access the API key returned by this method later, so you should
     #   probably hang onto it it.
     #
-    # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`
+    # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`.
     #
     # @note This feature requires a Conjur appliance running version 4.6 or higher.
     #
     # @return [String] the new API key for this user.
     def rotate_api_key
+      if login == username
+        raise 'You cannot rotate your own API key via this method. To do so, use `Conjur::API.rotate_api_key`'
+      end
+
       url_for(:authn_rotate_api_key, credentials, account, id).put("").body
     end
   end