conjur-api 5.3.8.pre.319 → 5.4.0

data/lib/conjur/api/resources.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'conjur/resource'
+
+module Conjur
+  class API
+    include QueryString
+    include BuildObject
+
+    #@!group Resources
+
+    # Find a resource by its id.
+    # @note The id given to this method must be fully qualified.
+    #
+    # ### Permissions
+    #
+    # The resource **must** be visible to the current role.  This is the case if the current role is the owner of
+    # the resource, or has any privilege on it.
+    #
+    # @param id [String] a fully qualified resource identifier
+    # @return [Conjur::Resource] the resource, which may or may not exist
+    def resource id
+      build_object id
+    end
+
+    # Find all resources visible to the current role that match the given search criteria.
+    #
+    # ## Full Text Search
+    # Conjur supports full text search over the identifiers and annotation *values*
+    # of resources.  For example, if `opts[:search]` is `"pubkeys"`, any resource with
+    # an id containing `"pubkeys"` or an annotation whose value contains `"pubkeys"` will match.
+    #
+    # **Notes**
+    #   * Annotation *keys* are *not* indexed for full text search.
+    #   * Conjur indexes the content of ids and annotation values by word.
+    #   * Only resources visible to the current role (either owned by that role or
+    #       having a privilege on it) are returned.
+    #   * If you do not provide `:offset` or `:limit`, all records will be returned. For systems
+    #       with a huge number of resources, you may want to paginate as shown in the example below.
+    #   * If `:offset` is provided and `:limit` is not, 10 records starting at `:offset` will be
+    #       returned.  You may choose an arbitrarily large number for `:limit`, but the same performance
+    #       considerations apply as when omitting `:offset` and `:limit`.
+    #
+    # @example Search for resources annotated with the text "WebService Route"
+    #    webservice_routes = api.resources search: "WebService Route"
+    #
+    # @example Restrict the search to 'group' resources
+    #   groups = api.resources kind: 'group'
+    #
+    #   # Correct behavior:
+    #   expect(groups.all?{|g| g.kind == 'group'}).to be_true
+    #
+    # @example Get every single resource in a performant way
+    #   resources = []
+    #   limit = 25
+    #   offset = 0
+    #   until (batch = api.resources limit: limit, offset: offset).empty?
+    #     offset += batch.length
+    #     resources.concat results
+    #   end
+    #   # do something with your resources
+    #
+    # @param options [Hash] search criteria
+    # @option options [String]   :search find resources whose ids or annotations contain this string
+    # @option options [String]   :kind find resources whose `kind` matches this string
+    # @option options [Integer]  :limit the maximum number of records to return (Conjur may return fewer)
+    # @option options [Integer]  :offset offset of the first record to return
+    # @option options [Boolean]  :count return a count of records instead of the records themselves when set to true
+    # @return [Array<Conjur::Resource>] the resources matching the criteria given
+    def resources options = {}
+      options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
+      options[:account] ||= Conjur.configuration.account
+
+      host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
+      fail ArgumentError, "host and account are required" unless [host, account].all?
+      %w(host credentials account kind).each do |name|
+        options.delete(name.to_sym)
+      end
+
+      result = JSON.parse(url_for(:resources, credentials, account, kind, options).get)
+
+      result = result['count'] if result.is_a?(Hash)
+
+      if result.is_a?(Numeric)
+        result
+      else
+        result.map do |result|
+          resource(result['id']).tap do |r|
+            r.attributes = result
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conjur/api/roles.rb

@@ -0,0 +1,98 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/role'
+
+module Conjur
+  class API
+    include BuildObject
+
+    #@!group Roles
+
+    # Return a {Conjur::Role} representing a role with the given id.  Note that the {Conjur::Role} may or
+    # may not exist (see {Conjur::Exists#exists?}).
+    #
+    # ### Permissions
+    #
+    # Because this method returns roles that may or may not exist, it doesn't require any permissions to call it:
+    # in fact, it does not perform an HTTP request (except for authentication if necessary).
+    #
+    # @example Create and show a role
+    #   iggy = api.role 'cat:iggy'
+    #   iggy.exists? # true
+    #   iggy.members.map(&:member).map(&:id) # => ['conjur:user:admin']
+    #   api.current_role.id # => 'conjur:user:admin' # creator role is a member of created role.
+    #
+    # @example No permissions are required to call this method
+    #   api.current_role # => "user:no-access"
+    #
+    #   # current role is only a member of itself, so it can't see other roles.
+    #   api.current_role.memberships.count # => 1
+    #   admin = api.role 'user:admin' # OK
+    #   admin.exists? # => true
+    #   admin.members # => RestClient::Forbidden: 403 Forbidden
+    #
+    # @param id [String] a fully qualified role identifier
+    # @return [Conjur::Role] an object representing the role
+    def role id
+      build_object id, default_class: Role
+    end
+
+    # Return a {Conjur::Role} object representing the role (typically a user or host) that this API instance is authenticated
+    # as.  This is derived either from the `login` argument to {Conjur::API.new_from_key} or from the contents of the
+    # `token` given to {Conjur::API.new_from_token} or {Conjur::API.new_from_token_file}.
+    #
+    # @example Current role for a user
+    #   api = Conjur::API.new_from_key 'jon', 'somepassword'
+    #   api.current_role.id # => 'conjur:user:jon'
+    #
+    # @example Current role for a host
+    #   host = api.create_host id: 'exapmle-host'
+    #
+    #   # Host and User have an `api` method that returns an api with their credentials.  Note
+    #   # that this only works with a newly created host or user, which has an `api_key` attribute.
+    #   host.api.current_role.id # => 'conjur:host:example-host'
+    #
+    # @param [String] account the organization account 
+    # @return [Conjur::Role] the authenticated role for this API instance
+    def current_role account
+      self.class.role_from_username self, username, account
+    end
+
+    #@!endgroup
+
+    class << self
+      # @api private
+      def role_from_username api, username, account
+        api.role role_name_from_username(username, account)
+      end
+
+      # @api private
+      def role_name_from_username username, account
+        tokens = username.split('/')
+        if tokens.size == 1
+          [ account, 'user', username ].join(':')
+        else
+          [ account, tokens[0], tokens[1..-1].join('/') ].join(':')
+        end
+      end
+    end
+  end
+end

data/lib/conjur/api/router/v4.rb

@@ -0,0 +1,206 @@
+module Conjur
+  class API
+    module Router
+      module V4
+        extend Conjur::Escape::ClassMethods
+        extend Conjur::QueryString
+        extend self
+
+        def authn_login account, username, password
+          verify_account(account)
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )['users/login']
+        end
+
+        def authn_authenticate account, username
+          verify_account(account)
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )['users'][fully_escape username]['authenticate']
+        end
+
+        # For v4, the authn-local message is the username.
+        def authn_authenticate_local username, account, expiration, cidr, &block
+          verify_account(account)
+
+          raise "'expiration' is not supported for authn-local v4" if expiration
+          raise "'cidr' is not supported for authn-local v4" if cidr
+
+          username
+        end
+
+        def authn_rotate_api_key credentials, account, id
+          verify_account(account)
+          username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['users']["api_key?id=#{username}"]
+        end
+
+        def authn_rotate_own_api_key account, username, password
+          verify_account(account)
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(user: username, password: password)
+          )['users']["api_key"]
+        end
+
+        def host_factory_create_host token
+          http_options = {
+            headers: { authorization: %Q(Token token="#{token}") }
+          }
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )['host_factories']['hosts']
+        end
+
+        def host_factory_create_tokens credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories'][id.identifier]['tokens']
+        end
+
+        def host_factory_revoke_token credentials, token
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories']['tokens'][token]
+        end
+
+        def resources_resource credentials, id
+
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['resources'][id.kind][id.identifier]
+        end
+
+        def resources_check credentials, id, privilege, role
+          options = {}
+          options[:check] = true
+          options[:privilege] = privilege
+          if role
+            options[:resource_id] = id
+            roles_role(credentials, Id.new(role))[options_querystring options].get
+          else
+            resources_resource(credentials, id)[options_querystring options].get
+          end
+        end
+
+        def resources_permitted_roles credentials, id, privilege
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
+        end
+
+        def roles_role credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles'][id.kind][id.identifier]
+        end
+
+        def secrets_add credentials, id
+          verify_account(id.account)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['values']
+        end
+
+        def variable credentials, id
+          verify_account(id.account)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]
+        end
+
+        def secrets_value credentials, id, options
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['value'][options_querystring options]
+        end
+
+        def secrets_values credentials, variable_ids
+          options = {
+            vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
+          }
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables']['values'][options_querystring options]
+        end
+
+        def group_attributes credentials, resource, id
+          verify_account(id.account)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['groups'][fully_escape id.identifier].get
+          )
+        end
+
+        def variable_attributes credentials, resource, id
+          verify_account(id.account)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['variables'][fully_escape id.identifier].get
+          )
+        end
+
+        def user_attributes credentials, resource, id
+          verify_account(id.account)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['users'][fully_escape id.identifier].get
+          )
+        end
+
+        def parse_group_gidnumber attributes
+          attributes['gidnumber']
+        end
+
+        def parse_user_uidnumber attributes
+          attributes['uidnumber']
+        end
+
+        def parse_variable_kind attributes
+          attributes['kind']
+        end
+
+        def parse_variable_mime_type attributes
+          attributes['mime_type']
+        end
+
+        def parse_members credentials, result
+          result.collect do |json|
+            RoleGrant.parse_from_json(json, credentials)
+          end
+        end
+
+        protected
+
+        def verify_account account
+          raise "Expecting account to be #{Conjur.configuration.account.inspect}, got #{account.inspect}" unless Conjur.configuration.account == account
+        end
+      end
+    end
+  end
+end

data/lib/conjur/api/router/v5.rb

@@ -0,0 +1,269 @@
+# frozen_string_literal: true
+
+# Copyright 2017-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# rubocop:disable Metrics/ModuleLength
+module Conjur
+  class API
+    module Router
+      # V5 translates method arguments to rest-ful API request parameters.
+      # because of this, most of the methods suffer from :reek:LongParameterList:
+      # and :reek:UtilityFunction:
+      module V5
+        extend Conjur::Escape::ClassMethods
+        extend Conjur::QueryString
+        extend self
+
+        def authn_login account, username, password
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['login']
+        end
+
+        def authn_authenticate account, username
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )[fully_escape account][fully_escape username]['authenticate']
+        end
+
+        def authenticator_authenticate(account, service_id, authenticator, options)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )[fully_escape authenticator][fully_escape service_id][fully_escape account]['authenticate'][options_querystring options]
+        end
+
+        def authenticator account, authenticator, service_id, credentials
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[fully_escape authenticator][fully_escape service_id][fully_escape account]
+        end
+
+        def authenticators
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['authenticators']
+        end
+
+        def authentication_providers(account, authenticator, credentials)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[fully_escape authenticator][fully_escape account]['providers']
+        end
+
+        # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
+        def authn_authenticate_local username, account, expiration, cidr, &block
+          { account: account, sub: username }.tap do |params|
+            params[:exp] = expiration if expiration
+            params[:cidr] = cidr if cidr
+          end.to_json
+        end
+
+        def authn_update_password account, username, password
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['password']
+        end
+
+        def authn_rotate_api_key credentials, account, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authn'][fully_escape account]["api_key?role=#{id}"]
+        end
+
+        def authn_rotate_own_api_key account, username, password
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['api_key']
+        end
+
+        def host_factory_create_host token
+          http_options = {
+            headers: { authorization: %Q(Token token="#{token}") }
+          }
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )["host_factories"]["hosts"]
+        end
+
+        def host_factory_create_tokens credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens']
+        end
+
+        def host_factory_revoke_token credentials, token
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens'][token]
+        end
+
+        def policies_load_policy credentials, account, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['policies'][fully_escape account]['policy'][fully_escape id]
+        end
+
+        def public_keys_for_user account, username
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['public_keys'][fully_escape account]['user'][fully_escape username]
+        end
+
+        def resources credentials, account, kind, options
+          credentials ||= {}
+
+          path = "/resources/#{fully_escape account}"
+          path += "/#{fully_escape kind}" if kind
+
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[path][options_querystring options]
+        end
+
+        def resources_resource credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['resources'][id.to_url_path]
+        end
+
+        def resources_permitted_roles credentials, id, privilege
+          options = {}
+          options[:permitted_roles] = true
+          options[:privilege] = privilege
+          resources_resource(credentials, id)[options_querystring options]
+        end
+
+        def resources_check credentials, id, privilege, role
+          options = {}
+          options[:check] = true
+          options[:privilege] = privilege
+          options[:role] = query_escape(Id.new(role)) if role
+          resources_resource(credentials, id)[options_querystring options].get
+        end
+
+        def roles_role credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['roles'][id.to_url_path]
+        end
+
+        def secrets_add credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path]
+        end
+
+        def secrets_value credentials, id, options
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path][options_querystring options]
+        end
+
+        def secrets_values credentials, variable_ids
+          options = {
+            variable_ids: Array(variable_ids).join(',')
+          }
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][options_querystring(options).gsub("%2C", ',')]
+        end
+
+        def group_attributes credentials, resource, id
+          resource_annotations resource
+        end
+
+        def variable_attributes credentials, resource, id
+          resource_annotations resource
+        end
+
+        def user_attributes credentials, resource, id
+          resource_annotations resource
+        end
+
+        def parse_group_gidnumber attributes
+          HasAttributes.annotation_value attributes, 'conjur/gidnumber'
+        end
+
+        def parse_user_uidnumber attributes
+          HasAttributes.annotation_value attributes, 'conjur/uidnumber'
+        end
+
+        def parse_variable_kind attributes
+          HasAttributes.annotation_value attributes, 'conjur/kind'
+        end
+
+        def parse_variable_mime_type attributes
+          HasAttributes.annotation_value attributes, 'conjur/mime_type'
+        end
+
+        def parse_members credentials, result
+          result.map do |json|
+            RoleGrant.parse_from_json(json, credentials)
+          end
+        end
+
+        def ldap_sync_policy(credentials, config_name)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
+        end
+
+        def whoami(credentials)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['whoami']
+        end
+
+        private
+
+        def resource_annotations resource
+          resource.attributes['annotations']
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/ModuleLength