conjur-api 5.3.8.pre.319 → 5.3.8.pre.321

data/lib/conjur/api/variables.rb

@@ -0,0 +1,59 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/variable'
+
+module Conjur
+  class API
+  
+    #@!group Variables
+
+    # Fetch the values of a list of variables.  This operation is more efficient than fetching the
+    # values one by one.
+    #
+    # This method will fail unless:
+    #   * All of the variables exist
+    #   * You have permission to `'execute'` all of the variables
+    #
+    # @example Fetch multiple variable values
+    #   values = variable_values ['myorg:variable:postgres_uri', 'myorg:variable:aws_secret_access_key', 'myorg:variable:aws_access_key_id']
+    #   values # =>
+    #   {
+    #      "postgres://...",
+    #      "the-secret-key",
+    #      "the-access-key-id"
+    #   }
+    # 
+    # This method is used to implement the {http://developer.conjur.net/reference/tools/utilities/conjurenv `conjur env`}
+    # commands.  You may consider using that instead to run your program in an environment with the necessary secrets.
+    #
+    # @param [Array<String>] variable_ids list of variable ids to fetch
+    # @return [Array<String>] a list of variable values corresponding to the variable ids.
+    # @raise [RestClient::Forbidden, RestClient::ResourceNotFound] if any of the variables don't exist or aren't accessible.
+    def variable_values variable_ids
+      raise ArgumentError, "Variables list must be an array" unless variable_ids.kind_of? Array 
+      raise ArgumentError, "Variables list is empty" if variable_ids.empty?
+
+      JSON.parse(url_for(:secrets_values, credentials, variable_ids).get.body)
+    end
+    
+    #@!endgroup
+  end
+end

data/lib/conjur/api.rb

@@ -0,0 +1,105 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'active_support'
+require 'active_support/deprecation'
+
+require 'conjur/configuration'
+require 'conjur/routing'
+require 'conjur/id'
+require 'conjur/base'
+require 'conjur/exceptions'
+require 'conjur/build_object'
+require 'conjur/base_object'
+require 'conjur/acts_as_resource'
+require 'conjur/acts_as_role'
+require 'conjur/acts_as_rolsource'
+require 'conjur/acts_as_user'
+require 'conjur/log_source'
+require 'conjur/has_attributes'
+require 'conjur/api/authenticators'
+require 'conjur/api/authn'
+require 'conjur/api/roles'
+require 'conjur/api/resources'
+require 'conjur/api/pubkeys'
+require 'conjur/api/variables'
+require 'conjur/api/policies'
+require 'conjur/api/host_factories'
+require 'conjur/api/ldap_sync'
+require 'conjur/host'
+require 'conjur/group'
+require 'conjur/variable'
+require 'conjur/layer'
+require 'conjur/cache'
+require 'conjur-api/version'
+
+# @api private
+class RestClient::Resource
+  include Conjur::Escape
+  include Conjur::LogSource
+
+  # @api private
+  # This method exists so that all {RestClient::Resource}s support JSON serialization.  It returns an
+  # empty hash.
+  # @return [Hash] the empty hash
+  def to_json(options = {})
+    {}
+  end
+
+  # Creates a Conjur API from this resource's authorization header.
+  #
+  # The new API is created using the token, so it will not be able to refresh
+  # when the token expires (after about 8 minutes).  This is equivalent to creating
+  # an {Conjur::API} instance with {Conjur::API.new_from_token}.
+  #
+  # @return {Conjur::API} the new api
+  def conjur_api
+    api = Conjur::API.new_from_token token, remote_ip: remote_ip
+    api
+  end
+
+  # Get an authentication token from the clients Authorization header.
+  #
+  # Useful fields in the token include `"data"`, which holds the username for which the
+  # token was issued, and `"timestamp"`, which contains the time at which the token was issued.
+  # The token will expire 8 minutes after timestamp, but we recommend you treat the lifespan as
+  # about 5  minutes to account for time differences.
+  #
+  # @return [Hash] the parsed authentication token
+  def token
+    authorization = options[:headers][:authorization]
+    if authorization && authorization.to_s[/^Token token="(.*)"/]
+      JSON.parse(Base64.decode64($1))
+    else
+      raise AuthorizationError.new("Authorization missing")
+    end
+  end
+
+  def remote_ip
+    options[:headers][:x_forwarded_for]
+  end
+
+  # The username this resource authenticates as.
+  #
+  # @return [String] the username
+  def username
+    options[:user] || options[:username]
+  end
+end

data/lib/conjur/base.rb

@@ -0,0 +1,355 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'rest-client'
+require 'active_support'
+require 'active_support/core_ext'
+require 'json'
+require 'base64'
+
+require 'conjur/query_string'
+require 'conjur/has_attributes'
+require 'conjur/escape'
+require 'conjur/log'
+require 'conjur/log_source'
+
+module Conjur
+  # NOTE: You have to put all 'class level' api docs here, because YARD is stoopid :-(
+
+  # This class provides access to the Conjur services.
+  class API
+    include Escape
+    include LogSource
+    include Routing
+    extend Routing
+
+    class << self
+      # Create a new {Conjur::API} instance from a username and a password or api key.
+      #
+      # @example Create an API with valid credentials
+      #   api = Conjur::API.new_from_key 'admin', '<admin password>'
+      #   api.current_role # => 'conjur:user:admin'
+      #   api.token['data'] # => 'admin'
+      #
+      # @example Authentication is lazy
+      #   api = Conjur::API.new_from_key 'admin', 'wrongpassword'   # succeeds
+      #   api.user 'foo' # raises a 401 error
+      #
+      # @param [String] username the username to use when making authenticated requests.
+      # @param [String] api_key the api key or password for `username`
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @param [String] account The organization account.
+      # @return [Conjur::API] an api that will authenticate with the given username and api key.
+      def new_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
+        self.new.init_from_key username, api_key, remote_ip: remote_ip, account: account
+      end
+
+      # Create a new {Conjur::API} instance from an access token.
+      #
+      # Generally, you will have a Conjur identitiy (username and API key), and create an {Conjur::API} instance
+      # for the identity using {.new_from_key}.  This method is useful when you are performing authorization checks
+      # given a token.  For example, a Conjur gateway that requires you to prove that you can 'read' a resource named
+      # 'super-secret' might get the token from a request header, create an {Conjur::API} instance with this method,
+      # and use {Conjur::Resource#permitted?} to decide whether to accept and forward the request.
+      #
+      # @example A simple gatekeeper
+      #   RESOURCE_NAME = 'protected-service'
+      #
+      #   def handle_request request
+      #     token_header = request.header 'X-Conjur-Token'
+      #     token = JSON.parse Base64.b64decode(token_header)
+      #
+      #     api = Conjur::API.new_from_token token
+      #     raise Forbidden unless api.resource(RESOURCE_NAME).permitted? 'read'
+      #
+      #     proxy_to_service request
+      #   end
+      #
+      # @param [Hash] token the authentication token as parsed JSON to use when making authenticated requests
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @return [Conjur::API] an api that will authenticate with the token
+      def new_from_token token, remote_ip: nil
+        self.new.init_from_token token, remote_ip: remote_ip
+      end
+
+      # Create a new {Conjur::API} instance from a file containing a token issued by the
+      # {http://developer.conjur.net/reference/services/authentication Conjur authentication service}.
+      # The file is read the first time that a token is required. It is also re-read 
+      # whenever the API decides that the token it already has is getting close to expiration.
+      #
+      # This method is useful when an external process, such as a sidecar container, is continuously
+      # obtaining fresh tokens and writing them to a known file.
+      #
+      # @param [String] token_file the file path containing an authentication token as parsed JSON.
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @return [Conjur::API] an api that will authenticate with the tokens provided in the file.
+      def new_from_token_file token_file, remote_ip: nil
+        self.new.init_from_token_file token_file, remote_ip: remote_ip
+      end
+
+      # Create a new {Conjur::API} instance which authenticates using +authn-local+
+      # using the specified username.
+      # 
+      # @param [String] username the username to use when making authenticated requests.
+      # @param [String] account The organization account.
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @param [String] expiration the optional expiration time of the token (supported in V5 only).
+      # @param [String] cidr the optional CIDR restriction on the token (supported in V5 only).
+      # @return [Conjur::API] an api that will authenticate with the given username.
+      def new_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
+        self.new.init_from_authn_local username, account: account, remote_ip: remote_ip, expiration: expiration, cidr: cidr
+      end
+    end
+
+    #@!attribute [r] api_key
+    # The api key used to create this instance.  This is only present when you created the api with {Conjur::API.new_from_key}.#
+    #
+    # @return [String] the api key, or nil if this instance was created from a token.
+    attr_reader :api_key
+
+    #@!attribute [r] remote_ip
+    # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
+    attr_reader :remote_ip
+
+    # The name of the user as which this api instance is authenticated.  This is available whether the api
+    # instance was created from credentials or an authentication token. If the instance was created from
+    # credentials, we will use that value directly otherwise we will attempt to extract the username from
+    # the token (either the old-style data field or the new-style JWT `sub` field).
+    #
+    # @return [String] the login of the current user.
+    def username
+      @username || token['data'] || jwt_username(token)
+    end
+
+    # @api private
+    # used to delegate to host providing subclasses.
+    # @return [String] the host
+    def host
+      self.class.host
+    end
+
+    # The token used to authenticate requests made with the api.  The token will be fetched,
+    # if possible, when not present or about to expire.  Accordingly, this
+    # method may raise a RestClient::Unauthorized exception if the credentials are invalid.
+    #
+    # @return [Hash] the authentication token as a Hash
+    # @raise [RestClient::Unauthorized] if the username and api key are invalid.
+    def token
+      refresh_token if needs_token_refresh?
+      return @token
+    end
+
+    # @api private
+    # Force the API to obtain a new access token on the next invocation.
+    def force_token_refresh
+      @token = nil
+    end
+
+    # Credentials that can be merged with options to be passed to `RestClient::Resource` HTTP request methods.
+    # These include a username and an Authorization header containing the authentication token.
+    #
+    # @return [Hash] the options.
+    # @raise [RestClient::Unauthorized] if fetching the token fails.
+    def credentials
+      headers = {}.tap do |h|
+        h[:authorization] = "Token token=\"#{Base64.strict_encode64 token.to_json}\""
+        h[:x_forwarded_for] = @remote_ip if @remote_ip
+      end
+      { headers: headers, username: username }
+    end
+
+    module TokenExpiration
+
+      # The four minutes is to work around a bug in Conjur < 4.7 causing a 404 on 
+      # long-running operations (when the token is used right around the 5 minute mark).
+      TOKEN_STALE = 4.minutes
+
+      attr_accessor :token_born
+
+      def needs_token_refresh?
+        token_age > TOKEN_STALE
+      end
+
+      def update_token_born
+        self.token_born = gettime
+      end
+
+      def token_age
+        gettime - token_born
+      end
+
+      def gettime
+        Process.clock_gettime Process::CLOCK_MONOTONIC
+      rescue
+        # fall back to normal clock if there's no CLOCK_MONOTONIC
+        Time.now.to_f
+      end
+    end
+
+    # When the API is constructed with an API key, the token can be refreshed using
+    # the username and API key. This authenticator assumes that the token was
+    # minted immediately before the API instance was created.
+    class APIKeyAuthenticator
+      include TokenExpiration
+
+      attr_reader :account, :username, :api_key
+
+      def initialize account, username, api_key
+        @account = account
+        @username = username
+        @api_key = api_key
+
+        update_token_born
+      end
+
+      def refresh_token
+        Conjur::API.authenticate(username, api_key, account: account).tap do
+          update_token_born
+        end
+      end
+    end
+
+    # Obtains access tokens from the +authn-local+ service.
+    class LocalAuthenticator
+      include TokenExpiration
+
+      attr_reader :account, :username, :expiration, :cidr
+
+      def initialize account, username, expiration, cidr
+        @account = account
+        @username = username
+        @expiration = expiration
+        @cidr = cidr
+
+        update_token_born
+      end
+
+      def refresh_token
+        Conjur::API.authenticate_local(username, account: account, expiration: expiration, cidr: cidr).tap do
+          update_token_born
+        end
+      end
+    end
+
+    # When the API is constructed with a token, the token cannot be refreshed.
+    class UnableAuthenticator
+      def refresh_token
+        raise "Unable to re-authenticate using an access token"
+      end
+
+      def needs_token_refresh?
+        false
+      end
+    end
+
+    # Obtains fresh tokens by reading them from a file. Some other process is assumed
+    # to be acquiring tokens and storing them to the file on a regular basis.
+    # 
+    # This authenticator assumes that the token was created immediately before
+    # it was written to the file.
+    class TokenFileAuthenticator
+      attr_reader :token_file
+
+      def initialize token_file
+        @token_file = token_file
+      end
+
+      attr_reader :last_mtime
+
+      def mtime
+        File.mtime token_file
+      end
+
+      def refresh_token
+        # There's a race condition here in which the file could be updated
+        # after we read the mtime but before we read the file contents. So to be
+        # conservative, use the oldest possible mtime.
+        mtime = self.mtime
+        File.open token_file, 'r' do |f|
+          JSON.load(f.read).tap { @last_mtime = mtime }
+        end
+      end
+
+      def needs_token_refresh?
+        mtime != last_mtime
+      end
+    end
+
+    def init_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
+      @username = username
+      @api_key = api_key
+      @remote_ip = remote_ip
+      @authenticator = APIKeyAuthenticator.new(account, username, api_key)
+      self
+    end
+
+    def init_from_token token, remote_ip: nil
+      @token = token
+      @remote_ip = remote_ip
+      @authenticator = UnableAuthenticator.new
+      self
+    end
+
+    def init_from_token_file token_file, remote_ip: nil
+      @remote_ip = remote_ip
+      @authenticator = TokenFileAuthenticator.new(token_file)
+      self
+    end
+
+    def init_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
+      @username = username
+      @api_key = api_key
+      @remote_ip = remote_ip
+      @authenticator = LocalAuthenticator.new(account, username, expiration, cidr)
+      self
+    end
+
+    attr_reader :authenticator
+
+    private
+
+    # Tries to get the username (subject) from a JWT API token by examining
+    # its content.
+    #
+    # @return [String] of the 'sub' payload field from the JWT if present,
+    # otherwise return nil
+    def jwt_username raw_token
+      return nil unless raw_token
+      return nil unless raw_token.include? 'payload'
+
+      JSON.parse(Base64.strict_decode64(raw_token["payload"]))["sub"]
+    end
+
+    # Tries to refresh the token if possible.
+    #
+    # @return [Hash, false] false if the token couldn't be refreshed due to
+    # unavailable API key; otherwise, the new token.
+    def refresh_token
+      @token = @authenticator.refresh_token
+    end
+
+    # Checks if the token is old (or not present).
+    #
+    # @return [Boolean]
+    def needs_token_refresh?
+      !@token || @authenticator.needs_token_refresh?
+    end
+  end
+end

data/lib/conjur/base_object.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Conjur
+  class BaseObject
+    include QueryString
+    include LogSource
+    include BuildObject
+    include Routing
+
+    attr_reader :id, :credentials
+
+    def initialize id, credentials
+      @id = Id.new id
+      @credentials = credentials
+    end
+
+    def as_json options={}
+      {
+        id: id.to_s
+      }
+    end
+
+    def account
+      id.account
+    end
+
+    def kind
+      id.kind
+    end
+
+    def identifier
+      id.identifier
+    end
+
+    def username
+      credentials[:username] or raise "No username found in credentials"
+    end
+
+    def inspect
+      "<#{self.class.name} id='#{id.to_s}'>"
+    end
+  end
+end

data/lib/conjur/build_object.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Conjur
+  module BuildObject
+    def self.included base
+      base.module_eval do
+        extend ClassMethods
+      end
+    end
+
+    module ClassMethods
+      def build_object id, credentials, default_class:
+        id = Id.new id
+        class_name = id.kind.classify.to_sym
+        find_class(class_name, default_class)
+          .new(id, credentials)
+      end
+
+      def find_class class_name, default_class
+        cls = if Conjur.constants.member?(class_name)
+          Conjur.const_get(class_name)
+        else
+          default_class
+        end
+        cls < BaseObject ? cls : default_class
+      end
+    end
+
+    def build_object id, default_class: Resource
+      self.class.build_object id, credentials, default_class: default_class
+    end
+  end
+end

data/lib/conjur/cache.rb

@@ -0,0 +1,26 @@
+module Conjur
+  # A cache which performs no caching.
+  class BaseCache
+    def fetch_attributes cache_key, &block
+      yield
+    end
+  end
+
+  class << self
+    @@cache = BaseCache.new
+
+    # Sets the global cache. It should implement +fetch_:method+ methods.
+    # The easy way to accomplish this is to extend BaseCache.
+    def cache= cache
+      @@cache = cache
+    end
+
+    # Gets the global cache.
+    def cache; @@cache; end
+
+    # Builds a cache key from a +username+, +url+ and optional +path+.
+    def cache_key username, url, path = nil
+      [ username, [ url, path ].compact.join ].join(".")
+    end
+  end
+end