conjur-api 5.3.8.pre.3 → 5.3.8.pre.8

data/lib/conjur/api/variables.rb

@@ -1,59 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/variable'
-
-module Conjur
-  class API
-  
-    #@!group Variables
-
-    # Fetch the values of a list of variables.  This operation is more efficient than fetching the
-    # values one by one.
-    #
-    # This method will fail unless:
-    #   * All of the variables exist
-    #   * You have permission to `'execute'` all of the variables
-    #
-    # @example Fetch multiple variable values
-    #   values = variable_values ['myorg:variable:postgres_uri', 'myorg:variable:aws_secret_access_key', 'myorg:variable:aws_access_key_id']
-    #   values # =>
-    #   {
-    #      "postgres://...",
-    #      "the-secret-key",
-    #      "the-access-key-id"
-    #   }
-    # 
-    # This method is used to implement the {http://developer.conjur.net/reference/tools/utilities/conjurenv `conjur env`}
-    # commands.  You may consider using that instead to run your program in an environment with the necessary secrets.
-    #
-    # @param [Array<String>] variable_ids list of variable ids to fetch
-    # @return [Array<String>] a list of variable values corresponding to the variable ids.
-    # @raise [RestClient::Forbidden, RestClient::ResourceNotFound] if any of the variables don't exist or aren't accessible.
-    def variable_values variable_ids
-      raise ArgumentError, "Variables list must be an array" unless variable_ids.kind_of? Array 
-      raise ArgumentError, "Variables list is empty" if variable_ids.empty?
-
-      JSON.parse(url_for(:secrets_values, credentials, variable_ids).get.body)
-    end
-    
-    #@!endgroup
-  end
-end

data/lib/conjur/api.rb

@@ -1,105 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'active_support'
-require 'active_support/deprecation'
-
-require 'conjur/configuration'
-require 'conjur/routing'
-require 'conjur/id'
-require 'conjur/base'
-require 'conjur/exceptions'
-require 'conjur/build_object'
-require 'conjur/base_object'
-require 'conjur/acts_as_resource'
-require 'conjur/acts_as_role'
-require 'conjur/acts_as_rolsource'
-require 'conjur/acts_as_user'
-require 'conjur/log_source'
-require 'conjur/has_attributes'
-require 'conjur/api/authenticators'
-require 'conjur/api/authn'
-require 'conjur/api/roles'
-require 'conjur/api/resources'
-require 'conjur/api/pubkeys'
-require 'conjur/api/variables'
-require 'conjur/api/policies'
-require 'conjur/api/host_factories'
-require 'conjur/api/ldap_sync'
-require 'conjur/host'
-require 'conjur/group'
-require 'conjur/variable'
-require 'conjur/layer'
-require 'conjur/cache'
-require 'conjur-api/version'
-
-# @api private
-class RestClient::Resource
-  include Conjur::Escape
-  include Conjur::LogSource
-
-  # @api private
-  # This method exists so that all {RestClient::Resource}s support JSON serialization.  It returns an
-  # empty hash.
-  # @return [Hash] the empty hash
-  def to_json(options = {})
-    {}
-  end
-
-  # Creates a Conjur API from this resource's authorization header.
-  #
-  # The new API is created using the token, so it will not be able to refresh
-  # when the token expires (after about 8 minutes).  This is equivalent to creating
-  # an {Conjur::API} instance with {Conjur::API.new_from_token}.
-  #
-  # @return {Conjur::API} the new api
-  def conjur_api
-    api = Conjur::API.new_from_token token, remote_ip: remote_ip
-    api
-  end
-
-  # Get an authentication token from the clients Authorization header.
-  #
-  # Useful fields in the token include `"data"`, which holds the username for which the
-  # token was issued, and `"timestamp"`, which contains the time at which the token was issued.
-  # The token will expire 8 minutes after timestamp, but we recommend you treat the lifespan as
-  # about 5  minutes to account for time differences.
-  #
-  # @return [Hash] the parsed authentication token
-  def token
-    authorization = options[:headers][:authorization]
-    if authorization && authorization.to_s[/^Token token="(.*)"/]
-      JSON.parse(Base64.decode64($1))
-    else
-      raise AuthorizationError.new("Authorization missing")
-    end
-  end
-
-  def remote_ip
-    options[:headers][:x_forwarded_for]
-  end
-
-  # The username this resource authenticates as.
-  #
-  # @return [String] the username
-  def username
-    options[:user] || options[:username]
-  end
-end

data/lib/conjur/base.rb

@@ -1,355 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'rest-client'
-require 'active_support'
-require 'active_support/core_ext'
-require 'json'
-require 'base64'
-
-require 'conjur/query_string'
-require 'conjur/has_attributes'
-require 'conjur/escape'
-require 'conjur/log'
-require 'conjur/log_source'
-
-module Conjur
-  # NOTE: You have to put all 'class level' api docs here, because YARD is stoopid :-(
-
-  # This class provides access to the Conjur services.
-  class API
-    include Escape
-    include LogSource
-    include Routing
-    extend Routing
-
-    class << self
-      # Create a new {Conjur::API} instance from a username and a password or api key.
-      #
-      # @example Create an API with valid credentials
-      #   api = Conjur::API.new_from_key 'admin', '<admin password>'
-      #   api.current_role # => 'conjur:user:admin'
-      #   api.token['data'] # => 'admin'
-      #
-      # @example Authentication is lazy
-      #   api = Conjur::API.new_from_key 'admin', 'wrongpassword'   # succeeds
-      #   api.user 'foo' # raises a 401 error
-      #
-      # @param [String] username the username to use when making authenticated requests.
-      # @param [String] api_key the api key or password for `username`
-      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
-      # @param [String] account The organization account.
-      # @return [Conjur::API] an api that will authenticate with the given username and api key.
-      def new_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
-        self.new.init_from_key username, api_key, remote_ip: remote_ip, account: account
-      end
-
-      # Create a new {Conjur::API} instance from an access token.
-      #
-      # Generally, you will have a Conjur identitiy (username and API key), and create an {Conjur::API} instance
-      # for the identity using {.new_from_key}.  This method is useful when you are performing authorization checks
-      # given a token.  For example, a Conjur gateway that requires you to prove that you can 'read' a resource named
-      # 'super-secret' might get the token from a request header, create an {Conjur::API} instance with this method,
-      # and use {Conjur::Resource#permitted?} to decide whether to accept and forward the request.
-      #
-      # @example A simple gatekeeper
-      #   RESOURCE_NAME = 'protected-service'
-      #
-      #   def handle_request request
-      #     token_header = request.header 'X-Conjur-Token'
-      #     token = JSON.parse Base64.b64decode(token_header)
-      #
-      #     api = Conjur::API.new_from_token token
-      #     raise Forbidden unless api.resource(RESOURCE_NAME).permitted? 'read'
-      #
-      #     proxy_to_service request
-      #   end
-      #
-      # @param [Hash] token the authentication token as parsed JSON to use when making authenticated requests
-      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
-      # @return [Conjur::API] an api that will authenticate with the token
-      def new_from_token token, remote_ip: nil
-        self.new.init_from_token token, remote_ip: remote_ip
-      end
-
-      # Create a new {Conjur::API} instance from a file containing a token issued by the
-      # {http://developer.conjur.net/reference/services/authentication Conjur authentication service}.
-      # The file is read the first time that a token is required. It is also re-read 
-      # whenever the API decides that the token it already has is getting close to expiration.
-      #
-      # This method is useful when an external process, such as a sidecar container, is continuously
-      # obtaining fresh tokens and writing them to a known file.
-      #
-      # @param [String] token_file the file path containing an authentication token as parsed JSON.
-      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
-      # @return [Conjur::API] an api that will authenticate with the tokens provided in the file.
-      def new_from_token_file token_file, remote_ip: nil
-        self.new.init_from_token_file token_file, remote_ip: remote_ip
-      end
-
-      # Create a new {Conjur::API} instance which authenticates using +authn-local+
-      # using the specified username.
-      # 
-      # @param [String] username the username to use when making authenticated requests.
-      # @param [String] account The organization account.
-      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
-      # @param [String] expiration the optional expiration time of the token (supported in V5 only).
-      # @param [String] cidr the optional CIDR restriction on the token (supported in V5 only).
-      # @return [Conjur::API] an api that will authenticate with the given username.
-      def new_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
-        self.new.init_from_authn_local username, account: account, remote_ip: remote_ip, expiration: expiration, cidr: cidr
-      end
-    end
-
-    #@!attribute [r] api_key
-    # The api key used to create this instance.  This is only present when you created the api with {Conjur::API.new_from_key}.#
-    #
-    # @return [String] the api key, or nil if this instance was created from a token.
-    attr_reader :api_key
-
-    #@!attribute [r] remote_ip
-    # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
-    attr_reader :remote_ip
-
-    # The name of the user as which this api instance is authenticated.  This is available whether the api
-    # instance was created from credentials or an authentication token. If the instance was created from
-    # credentials, we will use that value directly otherwise we will attempt to extract the username from
-    # the token (either the old-style data field or the new-style JWT `sub` field).
-    #
-    # @return [String] the login of the current user.
-    def username
-      @username || token['data'] || jwt_username(token)
-    end
-
-    # @api private
-    # used to delegate to host providing subclasses.
-    # @return [String] the host
-    def host
-      self.class.host
-    end
-
-    # The token used to authenticate requests made with the api.  The token will be fetched,
-    # if possible, when not present or about to expire.  Accordingly, this
-    # method may raise a RestClient::Unauthorized exception if the credentials are invalid.
-    #
-    # @return [Hash] the authentication token as a Hash
-    # @raise [RestClient::Unauthorized] if the username and api key are invalid.
-    def token
-      refresh_token if needs_token_refresh?
-      return @token
-    end
-
-    # @api private
-    # Force the API to obtain a new access token on the next invocation.
-    def force_token_refresh
-      @token = nil
-    end
-
-    # Credentials that can be merged with options to be passed to `RestClient::Resource` HTTP request methods.
-    # These include a username and an Authorization header containing the authentication token.
-    #
-    # @return [Hash] the options.
-    # @raise [RestClient::Unauthorized] if fetching the token fails.
-    def credentials
-      headers = {}.tap do |h|
-        h[:authorization] = "Token token=\"#{Base64.strict_encode64 token.to_json}\""
-        h[:x_forwarded_for] = @remote_ip if @remote_ip
-      end
-      { headers: headers, username: username }
-    end
-
-    module TokenExpiration
-
-      # The four minutes is to work around a bug in Conjur < 4.7 causing a 404 on 
-      # long-running operations (when the token is used right around the 5 minute mark).
-      TOKEN_STALE = 4.minutes
-
-      attr_accessor :token_born
-
-      def needs_token_refresh?
-        token_age > TOKEN_STALE
-      end
-
-      def update_token_born
-        self.token_born = gettime
-      end
-
-      def token_age
-        gettime - token_born
-      end
-
-      def gettime
-        Process.clock_gettime Process::CLOCK_MONOTONIC
-      rescue
-        # fall back to normal clock if there's no CLOCK_MONOTONIC
-        Time.now.to_f
-      end
-    end
-
-    # When the API is constructed with an API key, the token can be refreshed using
-    # the username and API key. This authenticator assumes that the token was
-    # minted immediately before the API instance was created.
-    class APIKeyAuthenticator
-      include TokenExpiration
-
-      attr_reader :account, :username, :api_key
-
-      def initialize account, username, api_key
-        @account = account
-        @username = username
-        @api_key = api_key
-
-        update_token_born
-      end
-
-      def refresh_token
-        Conjur::API.authenticate(username, api_key, account: account).tap do
-          update_token_born
-        end
-      end
-    end
-
-    # Obtains access tokens from the +authn-local+ service.
-    class LocalAuthenticator
-      include TokenExpiration
-
-      attr_reader :account, :username, :expiration, :cidr
-
-      def initialize account, username, expiration, cidr
-        @account = account
-        @username = username
-        @expiration = expiration
-        @cidr = cidr
-
-        update_token_born
-      end
-
-      def refresh_token
-        Conjur::API.authenticate_local(username, account: account, expiration: expiration, cidr: cidr).tap do
-          update_token_born
-        end
-      end
-    end
-
-    # When the API is constructed with a token, the token cannot be refreshed.
-    class UnableAuthenticator
-      def refresh_token
-        raise "Unable to re-authenticate using an access token"
-      end
-
-      def needs_token_refresh?
-        false
-      end
-    end
-
-    # Obtains fresh tokens by reading them from a file. Some other process is assumed
-    # to be acquiring tokens and storing them to the file on a regular basis.
-    # 
-    # This authenticator assumes that the token was created immediately before
-    # it was written to the file.
-    class TokenFileAuthenticator
-      attr_reader :token_file
-
-      def initialize token_file
-        @token_file = token_file
-      end
-
-      attr_reader :last_mtime
-
-      def mtime
-        File.mtime token_file
-      end
-
-      def refresh_token
-        # There's a race condition here in which the file could be updated
-        # after we read the mtime but before we read the file contents. So to be
-        # conservative, use the oldest possible mtime.
-        mtime = self.mtime
-        File.open token_file, 'r' do |f|
-          JSON.load(f.read).tap { @last_mtime = mtime }
-        end
-      end
-
-      def needs_token_refresh?
-        mtime != last_mtime
-      end
-    end
-
-    def init_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
-      @username = username
-      @api_key = api_key
-      @remote_ip = remote_ip
-      @authenticator = APIKeyAuthenticator.new(account, username, api_key)
-      self
-    end
-
-    def init_from_token token, remote_ip: nil
-      @token = token
-      @remote_ip = remote_ip
-      @authenticator = UnableAuthenticator.new
-      self
-    end
-
-    def init_from_token_file token_file, remote_ip: nil
-      @remote_ip = remote_ip
-      @authenticator = TokenFileAuthenticator.new(token_file)
-      self
-    end
-
-    def init_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
-      @username = username
-      @api_key = api_key
-      @remote_ip = remote_ip
-      @authenticator = LocalAuthenticator.new(account, username, expiration, cidr)
-      self
-    end
-
-    attr_reader :authenticator
-
-    private
-
-    # Tries to get the username (subject) from a JWT API token by examining
-    # its content.
-    #
-    # @return [String] of the 'sub' payload field from the JWT if present,
-    # otherwise return nil
-    def jwt_username raw_token
-      return nil unless raw_token
-      return nil unless raw_token.include? 'payload'
-
-      JSON.parse(Base64.strict_decode64(raw_token["payload"]))["sub"]
-    end
-
-    # Tries to refresh the token if possible.
-    #
-    # @return [Hash, false] false if the token couldn't be refreshed due to
-    # unavailable API key; otherwise, the new token.
-    def refresh_token
-      @token = @authenticator.refresh_token
-    end
-
-    # Checks if the token is old (or not present).
-    #
-    # @return [Boolean]
-    def needs_token_refresh?
-      !@token || @authenticator.needs_token_refresh?
-    end
-  end
-end

data/lib/conjur/base_object.rb

@@ -1,57 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2013-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module Conjur
-  class BaseObject
-    include QueryString
-    include LogSource
-    include BuildObject
-    include Routing
-
-    attr_reader :id, :credentials
-
-    def initialize id, credentials
-      @id = Id.new id
-      @credentials = credentials
-    end
-
-    def as_json options={}
-      {
-        id: id.to_s
-      }
-    end
-
-    def account
-      id.account
-    end
-
-    def kind
-      id.kind
-    end
-
-    def identifier
-      id.identifier
-    end
-
-    def username
-      credentials[:username] or raise "No username found in credentials"
-    end
-
-    def inspect
-      "<#{self.class.name} id='#{id.to_s}'>"
-    end
-  end
-end

data/lib/conjur/build_object.rb

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2013-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module Conjur
-  module BuildObject
-    def self.included base
-      base.module_eval do
-        extend ClassMethods
-      end
-    end
-
-    module ClassMethods
-      def build_object id, credentials, default_class:
-        id = Id.new id
-        class_name = id.kind.classify.to_sym
-        find_class(class_name, default_class)
-          .new(id, credentials)
-      end
-
-      def find_class class_name, default_class
-        cls = if Conjur.constants.member?(class_name)
-          Conjur.const_get(class_name)
-        else
-          default_class
-        end
-        cls < BaseObject ? cls : default_class
-      end
-    end
-
-    def build_object id, default_class: Resource
-      self.class.build_object id, credentials, default_class: default_class
-    end
-  end
-end

data/lib/conjur/cache.rb

@@ -1,26 +0,0 @@
-module Conjur
-  # A cache which performs no caching.
-  class BaseCache
-    def fetch_attributes cache_key, &block
-      yield
-    end
-  end
-
-  class << self
-    @@cache = BaseCache.new
-
-    # Sets the global cache. It should implement +fetch_:method+ methods.
-    # The easy way to accomplish this is to extend BaseCache.
-    def cache= cache
-      @@cache = cache
-    end
-
-    # Gets the global cache.
-    def cache; @@cache; end
-
-    # Builds a cache key from a +username+, +url+ and optional +path+.
-    def cache_key username, url, path = nil
-      [ username, [ url, path ].compact.join ].join(".")
-    end
-  end
-end