conjur-api 5.3.2 → 5.3.6

data/features/user.feature

@@ -1,17 +1,58 @@
-Feature: Display User object fields.
+Feature: User object
 
   Background:
-    Given a new user
 
-  Scenario: User has a uidnumber.
-    Then I run the code:
+  Scenario: User has a uidnumber
+    Given a new user
+    Then I can run the code:
     """
     @user.uidnumber
     """
     Then the result should be "1000"
 
-  Scenario: Logged-in user is the current_role.
-    Then I run the code:
+  Scenario: Logged-in user is the current_role
+    Given a new user
+    Then I can run the code:
     """
     expect($conjur.current_role(Conjur.configuration.account).id.to_s).to eq("cucumber:user:admin")
     """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with an API key
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    user = Conjur::API.new_from_key(@user.login, @user_api_key).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with a token
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@user.login, @user_api_key).token
+
+    user = Conjur::API.new_from_token(token).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  Scenario: Delegated user's API key can be rotated with an API key
+    Given a new delegated user
+    Then I can run the code:
+    """
+    delegated_user_resource = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """
+
+  Scenario: Delegated user's API key can be rotated with a token
+    Given a new delegated user
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).token
+
+    delegated_user_resource = Conjur::API.new_from_token(token).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """

data/features_v4/support/env.rb

@@ -1,7 +1,5 @@
 require 'simplecov'
-require 'simplecov-cobertura'
 
-SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
 SimpleCov.start
 
 require 'json_spec/cucumber'

data/lib/conjur/acts_as_user.rb

@@ -52,12 +52,16 @@ module Conjur
     # @note You will not be able to access the API key returned by this method later, so you should
     #   probably hang onto it it.
     #
-    # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`
+    # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`.
     #
     # @note This feature requires a Conjur appliance running version 4.6 or higher.
     #
     # @return [String] the new API key for this user.
     def rotate_api_key
+      if login == username
+        raise 'You cannot rotate your own API key via this method. To do so, use `Conjur::API.rotate_api_key`'
+      end
+
       url_for(:authn_rotate_api_key, credentials, account, id).put("").body
     end
   end

data/lib/conjur/api/authn.rb

@@ -50,7 +50,7 @@ module Conjur
         url_for(:authn_login, account, username, password).get
       end
 
-      # Exchanges Conjur the API key (refresh token) for an access token.  The access token can 
+      # Exchanges Conjur the API key (refresh token) for an access token.  The access token can
       # then be used to authenticate further API calls.
       #
       # @param [String] username The username or host id for which we want a token
@@ -65,7 +65,7 @@ module Conjur
         JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
       end
 
-      # Obtains an access token from the +authn_local+ service. The access token can 
+      # Obtains an access token from the +authn_local+ service. The access token can
       # then be used to authenticate further API calls.
       #
       # @param [String] username The username or host id for which we want a token
@@ -80,7 +80,7 @@ module Conjur
         require 'json'
         require 'socket'
         message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
-        JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })        
+        JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
       end
 
       # Change a user's password.  To do this, you must have the user's current password.  This does not change or rotate

data/lib/conjur/api/resources.rb

@@ -20,7 +20,7 @@ module Conjur
   class API
     include QueryString
     include BuildObject
-    
+
     #@!group Resources
 
     # Find a resource by its id.
@@ -84,7 +84,7 @@ module Conjur
     def resources options = {}
       options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
       options[:account] ||= Conjur.configuration.account
-      
+
       host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
       fail ArgumentError, "host and account are required" unless [host, account].all?
       %w(host credentials account kind).each do |name|

data/lib/conjur/api/router/v4.rb

@@ -8,18 +8,27 @@ module Conjur
 
         def authn_login account, username, password
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users/login']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )['users/login']
         end
 
         def authn_authenticate account, username
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url)['users'][fully_escape username]['authenticate']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )['users'][fully_escape username]['authenticate']
         end
 
         # For v4, the authn-local message is the username.
         def authn_authenticate_local username, account, expiration, cidr, &block
           verify_account(account)
-          
+
           raise "'expiration' is not supported for authn-local v4" if expiration
           raise "'cidr' is not supported for authn-local v4" if cidr
 
@@ -28,36 +37,51 @@ module Conjur
 
         def authn_rotate_api_key credentials, account, id
           verify_account(account)
-          username = if id.kind == "user"
-            id.identifier
-          else
-            [ id.kind, id.identifier ].join('/')
-          end
-          RestClient::Resource.new(Conjur.configuration.authn_url, credentials)['users']["api_key?id=#{username}"]
+          username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['users']["api_key?id=#{username}"]
         end
 
         def authn_rotate_own_api_key account, username, password
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users']["api_key"]
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(user: username, password: password)
+          )['users']["api_key"]
         end
 
         def host_factory_create_host token
           http_options = {
             headers: { authorization: %Q(Token token="#{token}") }
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, http_options)['host_factories']['hosts']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )['host_factories']['hosts']
         end
 
         def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories'][id.identifier]['tokens']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories'][id.identifier]['tokens']
         end
 
         def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories']['tokens'][token]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories']['tokens'][token]
         end
 
         def resources_resource credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['resources'][id.kind][id.identifier]
+
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['resources'][id.kind][id.identifier]
         end
 
         def resources_check credentials, id, privilege, role
@@ -73,47 +97,80 @@ module Conjur
         end
 
         def resources_permitted_roles credentials, id, privilege
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
         end
 
         def roles_role credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles'][id.kind][id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles'][id.kind][id.identifier]
         end
 
         def secrets_add credentials, id
           verify_account(id.account)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['values']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['values']
         end
 
         def variable credentials, id
           verify_account(id.account)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]
         end
 
         def secrets_value credentials, id, options
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['value'][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['value'][options_querystring options]
         end
 
         def secrets_values credentials, variable_ids
           options = {
             vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables']['values'][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables']['values'][options_querystring options]
         end
 
         def group_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['groups'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['groups'][fully_escape id.identifier].get
+          )
         end
 
         def variable_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['variables'][fully_escape id.identifier].get
+          )
         end
 
         def user_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['users'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['users'][fully_escape id.identifier].get
+          )
         end
 
         def parse_group_gidnumber attributes

data/lib/conjur/api/router/v5.rb

@@ -27,19 +27,34 @@ module Conjur
         extend self
 
         def authn_login account, username, password
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['login']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['login']
         end
 
         def authn_authenticate account, username
-          RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )[fully_escape account][fully_escape username]['authenticate']
         end
 
         def authenticator account, authenticator, service_id, credentials
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)[fully_escape authenticator][fully_escape service_id][fully_escape account]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[fully_escape authenticator][fully_escape service_id][fully_escape account]
         end
 
         def authenticators
-          RestClient::Resource.new(Conjur.configuration.core_url)['authenticators']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['authenticators']
         end
 
         # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
@@ -51,38 +66,68 @@ module Conjur
         end
 
         def authn_update_password account, username, password
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['password']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['password']
         end
 
         def authn_rotate_api_key credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][fully_escape account]["api_key?role=#{id}"]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authn'][fully_escape account]["api_key?role=#{id}"]
         end
 
         def authn_rotate_own_api_key account, username, password
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['api_key']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['api_key']
         end
 
         def host_factory_create_host token
           http_options = {
             headers: { authorization: %Q(Token token="#{token}") }
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, http_options)["host_factories"]["hosts"]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )["host_factories"]["hosts"]
         end
 
         def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factory_tokens']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens']
         end
 
         def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factory_tokens'][token]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens'][token]
         end
 
         def policies_load_policy credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][fully_escape account]['policy'][fully_escape id]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['policies'][fully_escape account]['policy'][fully_escape id]
         end
 
         def public_keys_for_user account, username
-          RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][fully_escape username]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['public_keys'][fully_escape account]['user'][fully_escape username]
         end
 
         def resources credentials, account, kind, options
@@ -91,11 +136,17 @@ module Conjur
           path = "/resources/#{fully_escape account}"
           path += "/#{fully_escape kind}" if kind
 
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)[path][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[path][options_querystring options]
         end
 
         def resources_resource credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['resources'][id.to_url_path]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['resources'][id.to_url_path]
         end
 
         def resources_permitted_roles credentials, id, privilege
@@ -114,22 +165,34 @@ module Conjur
         end
 
         def roles_role credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['roles'][id.to_url_path]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['roles'][id.to_url_path]
         end
 
         def secrets_add credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][id.to_url_path]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path]
         end
 
         def secrets_value credentials, id, options
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][id.to_url_path][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path][options_querystring options]
         end
 
         def secrets_values credentials, variable_ids
           options = {
             variable_ids: Array(variable_ids).join(',')
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][options_querystring(options).gsub("%2C", ',')]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][options_querystring(options).gsub("%2C", ',')]
         end
 
         def group_attributes credentials, resource, id
@@ -167,13 +230,16 @@ module Conjur
         end
 
         def ldap_sync_policy(credentials, config_name)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
         end
-        
+
         private
 
         def resource_annotations resource
-          resource.attributes['annotations'] || {}
+          resource.attributes['annotations']
         end
       end
     end

data/lib/conjur/api.rb

@@ -50,24 +50,6 @@ require 'conjur/layer'
 require 'conjur/cache'
 require 'conjur-api/version'
 
-# Monkey patch RestClient::Request so it always uses
-# :ssl_cert_store. (RestClient::Resource uses Request to send
-# requests, so it sees :ssl_cert_store, too).
-# @api private
-class RestClient::Request
-  alias_method :initialize_without_defaults, :initialize
-
-  def default_args
-    {
-      ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
-    }
-  end
-
-  def initialize args
-    initialize_without_defaults default_args.merge(args)
-  end
-end
-
 # @api private
 class RestClient::Resource
   include Conjur::Escape

data/lib/conjur/base.rb

@@ -123,19 +123,21 @@ module Conjur
     #
     # @return [String] the api key, or nil if this instance was created from a token.
     attr_reader :api_key
-    
+
     #@!attribute [r] remote_ip
     # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
     attr_reader :remote_ip
 
     # The name of the user as which this api instance is authenticated.  This is available whether the api
-    # instance was created from credentials or an authentication token.
+    # instance was created from credentials or an authentication token. If the instance was created from
+    # credentials, we will use that value directly otherwise we will attempt to extract the username from
+    # the token (either the old-style data field or the new-style JWT `sub` field).
     #
     # @return [String] the login of the current user.
     def username
-      @username || token['data']
+      @username || token['data'] || jwt_username(token)
     end
-    
+
     # @api private
     # used to delegate to host providing subclasses.
     # @return [String] the host
@@ -213,7 +215,7 @@ module Conjur
         @account = account
         @username = username
         @api_key = api_key
-        
+
         update_token_born
       end
 
@@ -323,6 +325,18 @@ module Conjur
 
     private
 
+    # Tries to get the username (subject) from a JWT API token by examining
+    # its content.
+    #
+    # @return [String] of the 'sub' payload field from the JWT if present,
+    # otherwise return nil
+    def jwt_username raw_token
+      return nil unless raw_token
+      return nil unless raw_token.include? 'payload'
+
+      JSON.parse(Base64.strict_decode64(raw_token["payload"]))["sub"]
+    end
+
     # Tries to refresh the token if possible.
     #
     # @return [Hash, false] false if the token couldn't be refreshed due to

data/lib/conjur/base_object.rb

@@ -20,9 +20,9 @@ module Conjur
     include LogSource
     include BuildObject
     include Routing
-    
+
     attr_reader :id, :credentials
-    
+
     def initialize id, credentials
       @id = Id.new id
       @credentials = credentials
@@ -34,10 +34,18 @@ module Conjur
       }
     end
 
-    def account; id.account; end
-    def kind; id.kind; end
-    def identifier; id.identifier; end
-    
+    def account
+      id.account
+    end
+
+    def kind
+      id.kind
+    end
+
+    def identifier
+      id.identifier
+    end
+
     def username
       credentials[:username] or raise "No username found in credentials"
     end
@@ -45,6 +53,5 @@ module Conjur
     def inspect
       "<#{self.class.name} id='#{id.to_s}'>"
     end
-
   end
 end