conjur-api 5.3.0 → 5.3.5

data/lib/conjur/base.rb

@@ -123,19 +123,21 @@ module Conjur
     #
     # @return [String] the api key, or nil if this instance was created from a token.
     attr_reader :api_key
-    
+
     #@!attribute [r] remote_ip
     # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
     attr_reader :remote_ip
 
     # The name of the user as which this api instance is authenticated.  This is available whether the api
-    # instance was created from credentials or an authentication token.
+    # instance was created from credentials or an authentication token. If the instance was created from
+    # credentials, we will use that value directly otherwise we will attempt to extract the username from
+    # the token (either the old-style data field or the new-style JWT `sub` field).
     #
     # @return [String] the login of the current user.
     def username
-      @username || token['data']
+      @username || token['data'] || jwt_username(token)
     end
-    
+
     # @api private
     # used to delegate to host providing subclasses.
     # @return [String] the host
@@ -213,7 +215,7 @@ module Conjur
         @account = account
         @username = username
         @api_key = api_key
-        
+
         update_token_born
       end
 
@@ -323,6 +325,18 @@ module Conjur
 
     private
 
+    # Tries to get the username (subject) from a JWT API token by examining
+    # its content.
+    #
+    # @return [String] of the 'sub' payload field from the JWT if present,
+    # otherwise return nil
+    def jwt_username raw_token
+      return nil unless raw_token
+      return nil unless raw_token.include? 'payload'
+
+      JSON.parse(Base64.strict_decode64(raw_token["payload"]))["sub"]
+    end
+
     # Tries to refresh the token if possible.
     #
     # @return [Hash, false] false if the token couldn't be refreshed due to

data/lib/conjur/base_object.rb

@@ -1,37 +1,30 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
-require 'conjur/cast'
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 module Conjur
   class BaseObject
-    include Cast
     include QueryString
     include LogSource
     include BuildObject
     include Routing
-    
+
     attr_reader :id, :credentials
-    
+
     def initialize id, credentials
-      @id = cast_to_id(id)
+      @id = Id.new id
       @credentials = credentials
     end
 
@@ -41,12 +34,24 @@ module Conjur
       }
     end
 
-    def account; id.account; end
-    def kind; id.kind; end
-    def identifier; id.identifier; end
-    
+    def account
+      id.account
+    end
+
+    def kind
+      id.kind
+    end
+
+    def identifier
+      id.identifier
+    end
+
     def username
       credentials[:username] or raise "No username found in credentials"
     end
+
+    def inspect
+      "<#{self.class.name} id='#{id.to_s}'>"
+    end
   end
 end

data/lib/conjur/build_object.rb

@@ -1,37 +1,30 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
-require 'conjur/cast'
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 module Conjur
   module BuildObject
     def self.included base
       base.module_eval do
-        extend Cast
         extend ClassMethods
       end
     end
 
     module ClassMethods
       def build_object id, credentials, default_class:
-        id = cast_to_id(id)
+        id = Id.new id
         class_name = id.kind.classify.to_sym
         find_class(class_name, default_class)
           .new(id, credentials)

data/lib/conjur/cert_utils.rb

@@ -44,6 +44,20 @@ module Conjur
           end
         end
       end
+
+      # Add a certificate to a given store. If the certificate has more than
+      # one certificate in its chain, it will be parsed and added to the store
+      # one by one. This is done because `OpenSSL::X509::Store.new.add_cert`
+      # adds only the intermediate certificate to the store.
+      def add_chained_cert store, chained_cert
+        parse_certs(chained_cert).each do |cert|
+          begin
+            store.add_cert cert
+          rescue OpenSSL::X509::StoreError => ex
+            raise unless ex.message == 'cert already in hash table'
+          end
+        end
+      end
     end
   end
 end

data/lib/conjur/configuration.rb

@@ -24,7 +24,6 @@ require 'set'
 require 'conjur/cert_utils'
 
 module Conjur
-  
   class << self
     # Saves the current thread local {Conjur::Configuration},
     # sets the thread local {Conjur::Configuration} to `config`, yields to the block, and ensures that
@@ -68,7 +67,7 @@ module Conjur
     ensure
       Thread.current[:conjur_configuration] = oldvalue
     end
-    
+
     # Gets the current thread-local or global configuration.
     #
     # The thread-local Conjur configuration can only be set using the {Conjur.with_configuration}
@@ -79,7 +78,7 @@ module Conjur
     def configuration
       Thread.current[:conjur_configuration] || (@config ||= Configuration.new)
     end
-    
+
     # Sets the global configuration.
     #
     # This method *has no effect* on the thread local configuration.  Use {Conjur.with_configuration} instead if
@@ -191,25 +190,25 @@ module Conjur
       @supplied = options.dup
       @computed = Hash.new
     end
-    
+
     class << self
       # @api private
       def accepted_options
         require 'set'
         @options ||= Set.new
       end
-      
+
       # @param [Symbol] name
       # @param [Hash] options
-      # @option options [Boolean] :boolean (false) whether this option should have a '?' accessor 
+      # @option options [Boolean] :boolean (false) whether this option should have a '?' accessor
       # @option options [Boolean, String] :env Environment variable for this option.  Set to false
       #   to disallow environment based configuration.  Default is CONJUR_<OPTION_NAME>.
       # @option options [Proc, *] :default Default value or proc to provide it
       # @option options [Boolean] :required (false) when true, raise an exception if the option is
       #   not set
-      # @option options [Proc, #to_proc] :convert proc-ish to convert environment 
+      # @option options [Proc, #to_proc] :convert proc-ish to convert environment
       #   values to appropriate types
-      # @param [Proc] def_proc block to provide default values 
+      # @param [Proc] def_proc block to provide default values
       # @api private
       def add_option name, options = {}, &def_proc
         accepted_options << name
@@ -217,7 +216,7 @@ module Conjur
         env_var = options[:env] || "CONJUR_#{name.to_s.upcase}"
         def_val = options[:default]
         opt_name = name
-        
+
         def_proc ||= if def_val.respond_to?(:call)
           def_val
         elsif options[:required]
@@ -225,10 +224,10 @@ module Conjur
         else
           proc { def_val }
         end
-        
+
         convert = options[:convert] || ->(x){ x }
         # Allow a Symbol, for example
-        convert = convert.to_proc if convert.respond_to?(:to_proc) 
+        convert = convert.to_proc if convert.respond_to?(:to_proc)
 
         define_method("#{name}=") do |value|
           set name, value
@@ -237,7 +236,7 @@ module Conjur
         define_method("#{name}_env_var") do
           allow_env ? env_var : nil
         end
-        
+
         define_method(name) do
           value = computed[name]
           return value unless value.nil?
@@ -246,7 +245,7 @@ module Conjur
             supplied[name]
           elsif allow_env && ENV.member?(env_var)
             instance_exec(ENV[env_var], &convert)
-          else 
+          else
             instance_eval(&def_proc)
           end.tap do |value|
             computed[name] = value
@@ -256,7 +255,7 @@ module Conjur
         alias_method("#{name}?", name) if options[:boolean]
       end
     end
-    
+
     # Return a copy of this {Conjur::Configuration} instance, optionally
     # updating the copy with options from the `override_options` hash.
     #
@@ -290,8 +289,8 @@ module Conjur
     #
     # The url for the {http://developer.conjur.net/reference/services/authentication Conjur authentication service}.
     #
-    # By default, this will be built from the +appliance_url+. To use a custom authenticator, 
-    # set this option in code or set `CONJUR_AUTHN_URL`. 
+    # By default, this will be built from the +appliance_url+. To use a custom authenticator,
+    # set this option in code or set `CONJUR_AUTHN_URL`.
     #
     #
     # @return [String] the authentication service url
@@ -369,10 +368,30 @@ module Conjur
     # @see cert_file
     add_option :ssl_certificate
 
+    # @!attribute rest_client_options
+    #
+    # Custom options for the underlying RestClient Requests. This defaults to:
+    # ```
+    # {
+    #   ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+    # }
+    # ``
+    #
+    # The `ssl_cert_store` value aligns with the default certificate store used by
+    # {#apply_cert_config!}.
+    #
+    # NOTE: When setting the value of rest_client_options the defaults are not retained,
+    # you must manually set them on the value you provide.
+    add_option :rest_client_options do
+      {
+        ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+      }
+    end
+
     # @!attribute version
     #
     # Selects the major API version of the Conjur server. With this setting, the API
-    # will use the routing scheme for API version `4` or `5`. 
+    # will use the routing scheme for API version `4` or `5`.
     #
     # Methods which are not available in the selected version will raise NoMethodError.
     add_option :version, default: 5
@@ -383,6 +402,12 @@ module Conjur
     # This is only available when the API client is running on the Conjur server.
     add_option :authn_local_socket, default: "/run/authn-local/.socket"
 
+    # Create rest_client_options by merging the input with the
+    # rest_client_options present on the configuration object.
+    def create_rest_client_options options
+      rest_client_options.merge(options || {})
+    end
+
     # Calls a major-version-specific function.
     def version_logic v4_logic, v5_logic
       case version.to_s
@@ -398,17 +423,14 @@ module Conjur
     # Add the certificate configured by the {#ssl_certificate} and {#cert_file} options to the certificate
     # store used by Conjur clients.
     #
+    # NOTE: If you specify a non-default `store` value, you must manually set the
+    # `ssl_cert_store` value on {#rest_client_options} to the same value.
+    #
     # @param [OpenSSL::X509::Store] store the certificate store that the certificate will be installed in.
     # @return [Boolean]  whether a certificate was added to the store.
     def apply_cert_config! store=OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
       if ssl_certificate
-        CertUtils.parse_certs(ssl_certificate).each do |cert|
-          begin
-            store.add_cert cert
-          rescue OpenSSL::X509::StoreError => ex
-            raise unless ex.message == 'cert already in hash table'
-          end
-        end
+        CertUtils.add_chained_cert(store, ssl_certificate)
       elsif cert_file
         ensure_cert_readable!(cert_file)
         store.add_file cert_file

data/lib/conjur/id.rb

@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/escape'
 
 module Conjur
@@ -28,7 +24,7 @@ module Conjur
     attr_reader :id
 
     def initialize id
-      @id = id
+      @id = Id.normalize id
     end
 
     # The organization account, obtained from the first component of the id.
@@ -56,7 +52,7 @@ module Conjur
     # Splits the id into 3 components, and then joins them with a forward-slash `/`.
     def to_url_path
       id.split(':', 3)
-        .map(&method(:path_escape))
+        .map(&method(:fully_escape))
         .join('/')
     end
     
@@ -64,5 +60,12 @@ module Conjur
     def to_s
       id
     end
+
+    def self.normalize id
+      Array(id).join(':').tap do |id|
+        raise ArgumentError, "id must be fully qualified: #{id}" \
+          unless id =~ /.*:.*:.*/
+      end
+    end
   end
 end