conjur-api 5.3.7 → 5.3.8.pre.8

data/features_v4/host_factory_token.feature

@@ -1,49 +0,0 @@
-Feature: Working with host factory tokens.
-
-  Background:
-    Given I run the code:
-    """
-    @expiration = (DateTime.now + 1.hour).change(sec: 0)
-    """
-
-
-  Scenario: Create a new host factory token.
-    When I run the code:
-    """
-    @token = $host_factory.create_token(@expiration)
-    """
-    Then I can run the code:
-    """
-    expect(@token).to be_instance_of(Conjur::HostFactoryToken)
-    expect(@token.token).to be_instance_of(String)
-    expiration = @token.expiration
-    expiration = expiration.change(sec: 0)
-    expect(expiration).to eq(@expiration)
-    """
-
-  Scenario: Create multiple new host factory tokens.
-    When I run the code:
-    """
-    $host_factory.create_tokens @expiration, count: 2
-    """
-    Then the JSON should have 2 items
-
-  Scenario: Revoke a host factory token using the token object.
-    When I run the code:
-    """
-    @token = $host_factory.create_token @expiration
-    """
-    Then I can run the code:
-    """
-    @token.revoke
-    """
-
-  Scenario: Revoke a host factory token using the API.
-    When I run the code:
-    """
-    @token = $host_factory.create_token @expiration
-    """
-    Then I can run the code:
-    """
-    $conjur.revoke_host_factory_token @token.token
-    """

data/features_v4/members.feature

@@ -1,39 +0,0 @@
-Feature: Display role members and memberships.
-
-  Scenario: Show a role's members.
-    When I run the code:
-    """
-    $conjur.role('cucumber:group:everyone').members.map(&:as_json)
-    """
-    Then the JSON should be:
-    """
-    [
-      {
-        "admin_option": false,
-        "member": "cucumber:group:developers",
-        "role": "cucumber:group:everyone"
-      },
-      {
-        "admin_option": true,
-        "member": "cucumber:group:security_admin",
-        "role": "cucumber:group:everyone"
-      }
-    ]
-    """
-
-  Scenario: Show a role's memberships.
-    When I run the code:
-    """
-    $conjur.role('cucumber:group:developers').memberships.map(&:as_json)
-    """
-    Then the JSON should be:
-    """
-    [
-      {
-        "id": "cucumber:group:developers"
-      },
-      {
-        "id": "cucumber:group:everyone"
-      }
-    ]
-    """

data/features_v4/permitted.feature

@@ -1,15 +0,0 @@
-Feature: Check if a role has permission on a resource.
-
-  Scenario: Check if the current user has the privilege.
-    When I run the code:
-    """
-    $conjur.resource('cucumber:variable:db-password').permitted? 'execute'
-    """
-    Then the result should be "true"
-
-  Scenario: Check if a different user has the privilege.
-    When I run the code:
-    """
-    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:bob"
-    """
-    Then the result should be "false"

data/features_v4/permitted_roles.feature

@@ -1,8 +0,0 @@
-Feature: Enumerate roles which have a permission on a resource.
-
-  Scenario: Permitted roles can be enumerated.
-    When I run the code:
-    """
-    $conjur.resource('cucumber:variable:db-password').permitted_roles 'execute'
-    """
-    Then the JSON should include "cucumber:layer:myapp"

data/features_v4/resource_fields.feature

@@ -1,47 +0,0 @@
-Feature: Display basic resource fields.
-
-  Scenario: Group exposes id, kind, identifier, and gidnumber.
-    When I run the code:
-    """
-    resource = $conjur.resource('cucumber:group:developers')
-    [ resource.id, resource.account, resource.kind, resource.identifier, resource.gidnumber ]
-    """
-    Then the JSON should be:
-    """
-    [
-      "cucumber:group:developers",
-      "cucumber",
-      "group",
-      "developers",
-      2000
-    ]
-    """
-
-  Scenario: User exposes id, kind, identifier, and uidnumber.
-    When I run the code:
-    """
-    resource = $conjur.resource('cucumber:user:alice')
-    [ resource.id, resource.account, resource.kind, resource.identifier, resource.uidnumber ]
-    """
-    Then the JSON should be:
-    """
-    [
-      "cucumber:user:alice",
-      "cucumber",
-      "user",
-      "alice",
-      2000
-    ]
-    """
-
-  Scenario: Resource#owner is the owner object
-    When I run the code:
-    """
-    $conjur.resource('cucumber:group:developers').owner.id
-    """
-    Then the result should be "cucumber:group:security_admin"
-    And I run the code:
-    """
-    $conjur.resource('cucumber:group:developers').class
-    """
-    Then the result should be "Conjur::Group"

data/features_v4/rotate_api_key.feature

@@ -1,13 +0,0 @@
-Feature: Rotate the API key.
-
-  Scenario: Logged-in user can rotate the API key.
-    When I run the code:
-    """
-    $conjur.role('cucumber:user:alice').rotate_api_key
-    """
-    Then I can run the code:
-    """
-    @api_key = @result.strip
-    @conjur = Conjur::API.new_from_key 'alice', @api_key
-    @conjur.token
-    """

data/features_v4/step_definitions/api_steps.rb

@@ -1,17 +0,0 @@
-Given(/^a new host$/) do
-  @host_id = "app-#{random_hex}"
-  host = Conjur::API.host_factory_create_host($token, @host_id)
-  @host_api_key = host.api_key
-  expect(@host_api_key).to be
-
-  @host = $conjur.resource("cucumber:host:#{@host_id}")
-  @host.attributes['api_key'] = @host_api_key
-end
-
-When(/^I(?: can)? run the code:$/) do |code|
-  @result = eval(code).tap do |result|
-    if ENV['DEBUG']
-      puts result
-    end
-  end
-end

data/features_v4/step_definitions/result_steps.rb

@@ -1,3 +0,0 @@
-Then(/^the result should be "([^"]+)"$/) do |expected|
-  expect(@result.to_s).to eq(expected.to_s)
-end

data/features_v4/support/env.rb

@@ -1,23 +0,0 @@
-require 'simplecov'
-
-SimpleCov.start
-
-require 'json_spec/cucumber'
-require 'conjur/api'
-
-Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'https://conjur_4/api'
-Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
-Conjur.configuration.cert_file = "./tmp/conjur.pem"
-Conjur.configuration.authn_local_socket = "/run/authn-local-4/.socket"
-Conjur.configuration.version = 4
-
-Conjur.configuration.apply_cert_config!
-
-$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
-$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
-
-$api_key = Conjur::API.login $username, $password
-$conjur = Conjur::API.new_from_key $username, $api_key
-
-$host_factory = $conjur.resource('cucumber:host_factory:myapp')
-$token = $host_factory.create_token(Time.now + 1.hour)

data/features_v4/support/policy.yml

@@ -1,34 +0,0 @@
-- !user
-  id: alice
-  uidnumber: 2000
-  
-- !group
-  id: developers
-  gidnumber: 2000
-
-- !group everyone
-
-- !grant
-  role: !group everyone
-  member: !group developers
-
-- !variable db-password
-
-- !variable ssh-key
-
-- !variable
-  id: ssl-certificate
-  kind: SSL certificate
-  mime_type: application/x-pem-file
-
-- !layer myapp
-
-- !host-factory
-  id: myapp
-  layers: [ !layer myapp ]
-
-- !permit
-  role: !layer myapp
-  privileges: [ read, execute ]
-  resources:
-    - !variable db-password

data/features_v4/support/world.rb

@@ -1,12 +0,0 @@
-module ApiWorld
-  def last_json
-    @result.to_json
-  end
-
-  def random_hex nbytes = 12
-    @random ||= Random.new
-    @random.bytes(nbytes).unpack('h*').first
-  end
-end
-
-World ApiWorld

data/features_v4/variable_fields.feature

@@ -1,11 +0,0 @@
-Feature: Display Variable fields.
-
-  Background:
-    When I run the code:
-    """
-    $conjur.resource('cucumber:variable:ssl-certificate')
-    """
-
-  Scenario: Display MIME type and kind
-    Then the JSON at "mime_type" should be "application/x-pem-file"
-    And the JSON at "kind" should be "SSL certificate"

data/features_v4/variable_value.feature

@@ -1,54 +0,0 @@
-Feature: Work with Variable values.
-  Background:
-    Given I run the code:
-    """
-    @variable = $conjur.resource("cucumber:variable:db-password")
-    @variable_2 = $conjur.resource("cucumber:variable:ssh-key")
-    """
-
-  Scenario: Add a value, retrieve the variable metadata and the value.
-    Given I run the code:
-    """
-    @initial_count = @variable.version_count
-    @variable.add_value 'value-0'
-    """
-    When I run the code:
-    """
-    expect(@variable.version_count).to eq(@initial_count + 1)
-    """
-    And I run the code:
-    """
-    @variable.value
-    """
-    Then the result should be "value-0"
-
-  Scenario: Retrieve a historical value.
-    Given I run the code:
-    """
-    @variable.add_value 'value-0'
-    @variable.add_value 'value-1'
-    @variable.add_value 'value-2'
-    """
-    When I run the code:
-    """
-    @variable.value(@variable.version_count - 2)
-    """
-    Then the result should be "value-0"
-
-  Scenario: Retrieve multiple values in a batch
-    Given I run the code:
-    """
-    @variable.add_value 'value-0'
-    @variable_2.add_value 'value-2'
-    """
-    When I run the code:
-    """
-    $conjur.variable_values([ @variable, @variable_2 ].map(&:id))
-    """
-    Then the JSON should be:
-    """
-    {
-      "db-password": "value-0",
-      "ssh-key": "value-2"
-    }
-    """

data/lib/conjur/acts_as_resource.rb

@@ -1,123 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-module Conjur
-  # This module is included in object classes that have resource behavior.
-  module ActsAsResource
-    # @api private
-    def self.included(base)
-      base.include HasAttributes
-      base.include Escape
-      base.extend QueryString
-    end
-
-    # The full role id of the role that owns this resource.
-    #
-    # @example
-    #   api.current_role # => 'conjur:user:jon'
-    #   resource = api.create_resource 'conjur:example:resource-owner'
-    #   resource.owner # => 'conjur:user:jon'
-    #
-    # @return [String] the full role id of this resource's owner.
-    def owner
-      build_object attributes['owner'], default_class: Role
-    end
-
-    # Check whether this object exists by performing a HEAD request to its URL.
-    #
-    # This method will return false if the object doesn't exist.
-    #
-    # @example
-    #   does_not_exist = api.user 'does-not-exist' # This returns without error.
-    #
-    #   # this is wrong!
-    #   owner = does_not_exist.owner # raises RestClient::ResourceNotFound
-    #
-    #   # this is right!
-    #   owner = if does_not_exist.exists?
-    #     does_not_exist.owner
-    #   else
-    #     nil # or some sensible default
-    #   end
-    #
-    # @return [Boolean] does it exist?
-    def exists?
-      begin
-        url_for(:resources_resource, credentials, id).head
-        true
-      rescue RestClient::Forbidden
-        true
-      rescue RestClient::ResourceNotFound
-        false
-      end
-    end
-
-    # Lists roles that have a specified privilege on the resource. 
-    #
-    # This will return only roles of which api.current_user is a member.
-    #
-    # Options:
-    #
-    # * **offset** Zero-based offset into the result set.
-    # * **limit**  Total number of records returned.
-    #
-    # @example
-    #   resource = api.resource 'conjur:variable:example'
-    #   resource.permitted_roles 'execute' # => ['conjur:user:admin']
-    #   # After permitting 'execute' to user 'jon'
-    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:user:jon']
-    #
-    # @param privilege [String] the privilege
-    # @return [Array<String>] the ids of roles that have `privilege` on this resource.
-    def permitted_roles privilege
-      result = JSON.parse url_for(:resources_permitted_roles, credentials, id, privilege).get
-      if result.is_a?(Hash) && ( count = result['count'] )
-        count
-      else
-        result
-      end
-    end
-
-    # True if the logged-in role, or a role specified using the :role option, has the
-    # specified +privilege+ on this resource.
-    #
-    # @example
-    #   api.current_role # => 'conjur:cat:mouse'
-    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:cat:mouse']
-    #   resource.permitted_roles 'update', # => ['conjur:user:admin', 'conjur:cat:gino']
-    #
-    #   resource.permitted? 'update' # => false, `mouse` can't update this resource
-    #   resource.permitted? 'execute' # => true, `mouse` can execute it.
-    #   resource.permitted? 'update', role: 'conjur:cat:gino' # => true, `gino` can update it.
-    # @param privilege [String] the privilege to check
-    # @param role [String,nil] :role check whether the role given by this full role id is permitted
-    #   instead of checking +api.current_role+.
-    # @return [Boolean]
-    def permitted? privilege, role: nil
-      url_for(:resources_check, credentials, id, privilege, role)
-      true
-    rescue RestClient::Forbidden
-      false
-    rescue RestClient::ResourceNotFound
-      false
-    end
-  end
-end

data/lib/conjur/acts_as_role.rb

@@ -1,142 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2013-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module Conjur
-
-  # This module provides methods for things that have an associated {Conjur::Role}.
-  #
-  # All high level Conjur assets (groups and users, for example) are composed of both a role and a resource.  This allows
-  # these assets to have permissions on other assets, and for other assets to have permission
-  # on them.
-  #
-  # The {Conjur::ActsAsRole} module itself should be considered private, but it's methods are
-  # public when added to a Conjur asset class.
-  module ActsAsRole
-    
-    # Login name of the role. This is formed from the role kind and role id.
-    # For users, the role kind can be omitted.
-    def login
-      [ kind, identifier ].delete_if{|t| t == "user"}.join('/')
-    end
-
-    # Check whether this object exists by performing a HEAD request to its URL.
-    #
-    # This method will return false if the object doesn't exist.
-    #
-    # @example
-    #   does_not_exist = api.user 'does-not-exist' # This returns without error.
-    #
-    #   # this is wrong!
-    #   owner = does_not_exist.members # raises RestClient::ResourceNotFound
-    #
-    #   # this is right!
-    #   owner = if does_not_exist.exists?
-    #     does_not_exist.members
-    #   else
-    #     nil # or some sensible default
-    #   end
-    #
-    # @return [Boolean] does it exist?
-    def exists?
-      begin
-        rbac_role_resource.head
-        true
-      rescue RestClient::Forbidden
-        true
-      rescue RestClient::ResourceNotFound
-        false
-      end
-    end
-
-    # Find all roles of which this role is a member.  By default, role relationships are recursively expanded,
-    # so if `a` is a member of `b`, and `b` is a member of `c`, `a.all` will include `c`.
-    #
-    # ### Permissions
-    # You must be a member of the role to call this method.
-    #
-    # You can restrict the roles returned to one or more role ids.  This feature is mainly useful
-    # for checking whether this role is a member of any of a set of roles.
-    #
-    # ### Options
-    #
-    # * **recursive** Defaults to +true+, performs recursive expansion of the memberships.
-    #
-    # @example Show all roles of which `"conjur:group:pubkeys-1.0/key-managers"` is a member
-    #   # Add alice to the group, so we see something interesting
-    #   key_managers = api.group('pubkeys-1.0/key-managers')
-    #   key_managers.add_member api.user('alice')
-    #
-    #   # Show the memberships, mapped to the member ids.
-    #   key_managers.role.all.map(&:id)
-    #   # => ["conjur:group:pubkeys-1.0/admin", "conjur:user:alice"]
-    #
-    # @example See if role `"conjur:user:alice"` is a member of either `"conjur:groups:developers"` or `"conjur:group:ops"`
-    #   is_member = api.role('conjur:user:alice').all(filter: ['conjur:group:developers', 'conjur:group:ops']).any?
-    #
-    # @param [Hash] options options for the request
-    # @return [Array<Conjur::Role>] Roles of which this role is a member
-    def memberships options = {}
-      request = if options.delete(:recursive) == false
-        options["memberships"] = true
-      else
-        options["all"] = true
-      end
-      if filter = options.delete(:filter)
-        filter = [filter] unless filter.is_a?(Array)
-        options["filter"] = filter.map(&Id.method(:new))
-      end
-
-      result = JSON.parse(rbac_role_resource[options_querystring options].get)
-      if result.is_a?(Hash) && ( count = result['count'] )
-        count
-      else
-        host = Conjur.configuration.core_url
-        result.collect do |item|
-          if item.is_a?(String)
-            build_object(item, default_class: Role)
-          else
-            RoleGrant.parse_from_json(item, self.options)
-          end
-        end
-      end
-    end
-    
-    # Fetch the direct members of this role. The results are *not* recursively expanded).
-    #
-    # ### Permissions
-    # You must be a member of the role to call this method.
-    # 
-    # @param options [Hash, nil] extra parameters to pass to the webservice method.
-    # @return [Array<Conjur::RoleGrant>] the role memberships
-    # @raise [RestClient::Forbidden] if you don't have permission to perform this operation
-    def members options = {}
-      options["members"] = true
-      result = JSON.parse(rbac_role_resource[options_querystring options].get)
-      if result.is_a?(Hash) && ( count = result['count'] )
-        count
-      else
-        parser_for(:members, credentials, result)
-      end
-    end
-
-    private
-
-    # RestClient::Resource for RBAC role operations.
-    def rbac_role_resource
-      url_for(:roles_role, credentials, id)    
-    end
-  end
-end

data/lib/conjur/acts_as_rolsource.rb

@@ -1,32 +0,0 @@
-#
-# Copyright (C) 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-
-  # This module provides methods for things that have an associated {Conjur::Role} and
-  # {Conjur::Resource}.
-  module ActsAsRolsource
-    # @api private
-    def self.included(base)
-      base.include ActsAsRole
-      base.include ActsAsResource
-    end
-  end
-end