conjur-api 5.3.8.pre.319 → 5.4.0

data/features/variable_value.feature

@@ -0,0 +1,60 @@
+Feature: Work with Variable values.
+
+  Background:
+    Given I run the code:
+    """
+    @variable_id = "password"
+    $conjur.load_policy 'root', <<-POLICY
+    - !variable #{@variable_id}
+    - !variable #{@variable_id}-2
+    POLICY
+    @variable = $conjur.resource("cucumber:variable:#{@variable_id}")
+    @variable_2 = $conjur.resource("cucumber:variable:#{@variable_id}-2")
+    """
+
+  Scenario: Add a value, retrieve the variable metadata and the value.
+    When I run the code:
+    """
+    @initial_count = @variable.version_count
+    @variable.add_value 'value-0'
+    """
+    And I run the code:
+    """
+    expect(@variable.version_count).to eq(@initial_count + 1)
+    """
+    And I run the code:
+    """
+    @variable.value(@variable.version_count)
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve a historical value.
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable.add_value 'value-1'
+    @variable.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    @variable.value(@variable.version_count - 2)
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve multiple values in a batch
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable_2.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    $conjur.variable_values([ @variable, @variable_2 ].map(&:id))
+    """
+    Then the JSON should be:
+    """
+    {
+      "cucumber:variable:password": "value-0",
+      "cucumber:variable:password-2": "value-2"
+    }
+    """

data/features_v4/authn_local.feature

@@ -0,0 +1,27 @@
+Feature: When co-located with the Conjur server, the API can use the authn-local service to authenticate.
+
+  Scenario: authn-local can be used to obtain an access token.
+    When I run the code:
+    """
+    Conjur::API.authenticate_local "alice"
+    """
+    Then the JSON should have "data"
+
+  Scenario: Conjur API supports construction from authn-local.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    """
+    Then the JSON should have "data"
+
+  Scenario: Conjur API will automatically refresh the token.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    @api.force_token_refresh
+    @api.token
+    """
+    Then the JSON should have "data"
+    And the JSON at "data" should be "alice"

data/features_v4/exists.feature

@@ -0,0 +1,29 @@
+Feature: Check if an object exists.
+
+  Scenario: A created group resource exists
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').exists?
+    """
+    Then the result should be "true"
+
+  Scenario: An un-created resource doesn't exist
+    When I run the code:
+    """
+    $conjur.resource('cucumber:food:bacon').exists?
+    """
+    Then the result should be "false"
+
+  Scenario: A created group role exists
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').exists?
+    """
+    Then the result should be "true"
+
+  Scenario: An un-created role doesn't exist
+    When I run the code:
+    """
+    $conjur.role('cucumber:food:bacon').exists?
+    """
+    Then the result should be "false"

data/features_v4/host.feature

@@ -0,0 +1,18 @@
+Feature: Display Host object fields.
+
+  Background:
+    Given a new host
+
+  Scenario: API key of a newly created host is available and valid.
+    Then I run the code:
+    """
+    expect(@host.exists?).to be(true)
+    expect(@host.api_key).to be
+    """
+
+  Scenario: API key of a a host can be rotated.
+    Then I run the code:
+    """
+    api_key = @host.rotate_api_key
+    Conjur::API.new_from_key("host/#{@host.id.identifier}", api_key).token
+    """

data/features_v4/host_factory_token.feature

@@ -0,0 +1,49 @@
+Feature: Working with host factory tokens.
+
+  Background:
+    Given I run the code:
+    """
+    @expiration = (DateTime.now + 1.hour).change(sec: 0)
+    """
+
+
+  Scenario: Create a new host factory token.
+    When I run the code:
+    """
+    @token = $host_factory.create_token(@expiration)
+    """
+    Then I can run the code:
+    """
+    expect(@token).to be_instance_of(Conjur::HostFactoryToken)
+    expect(@token.token).to be_instance_of(String)
+    expiration = @token.expiration
+    expiration = expiration.change(sec: 0)
+    expect(expiration).to eq(@expiration)
+    """
+
+  Scenario: Create multiple new host factory tokens.
+    When I run the code:
+    """
+    $host_factory.create_tokens @expiration, count: 2
+    """
+    Then the JSON should have 2 items
+
+  Scenario: Revoke a host factory token using the token object.
+    When I run the code:
+    """
+    @token = $host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    @token.revoke
+    """
+
+  Scenario: Revoke a host factory token using the API.
+    When I run the code:
+    """
+    @token = $host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    $conjur.revoke_host_factory_token @token.token
+    """

data/features_v4/members.feature

@@ -0,0 +1,39 @@
+Feature: Display role members and memberships.
+
+  Scenario: Show a role's members.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:everyone').members.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "admin_option": false,
+        "member": "cucumber:group:developers",
+        "role": "cucumber:group:everyone"
+      },
+      {
+        "admin_option": true,
+        "member": "cucumber:group:security_admin",
+        "role": "cucumber:group:everyone"
+      }
+    ]
+    """
+
+  Scenario: Show a role's memberships.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').memberships.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "id": "cucumber:group:developers"
+      },
+      {
+        "id": "cucumber:group:everyone"
+      }
+    ]
+    """

data/features_v4/permitted.feature

@@ -0,0 +1,15 @@
+Feature: Check if a role has permission on a resource.
+
+  Scenario: Check if the current user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute'
+    """
+    Then the result should be "true"
+
+  Scenario: Check if a different user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:bob"
+    """
+    Then the result should be "false"

data/features_v4/permitted_roles.feature

@@ -0,0 +1,8 @@
+Feature: Enumerate roles which have a permission on a resource.
+
+  Scenario: Permitted roles can be enumerated.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted_roles 'execute'
+    """
+    Then the JSON should include "cucumber:layer:myapp"

data/features_v4/resource_fields.feature

@@ -0,0 +1,47 @@
+Feature: Display basic resource fields.
+
+  Scenario: Group exposes id, kind, identifier, and gidnumber.
+    When I run the code:
+    """
+    resource = $conjur.resource('cucumber:group:developers')
+    [ resource.id, resource.account, resource.kind, resource.identifier, resource.gidnumber ]
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:group:developers",
+      "cucumber",
+      "group",
+      "developers",
+      2000
+    ]
+    """
+
+  Scenario: User exposes id, kind, identifier, and uidnumber.
+    When I run the code:
+    """
+    resource = $conjur.resource('cucumber:user:alice')
+    [ resource.id, resource.account, resource.kind, resource.identifier, resource.uidnumber ]
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:user:alice",
+      "cucumber",
+      "user",
+      "alice",
+      2000
+    ]
+    """
+
+  Scenario: Resource#owner is the owner object
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').owner.id
+    """
+    Then the result should be "cucumber:group:security_admin"
+    And I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').class
+    """
+    Then the result should be "Conjur::Group"

data/features_v4/rotate_api_key.feature

@@ -0,0 +1,13 @@
+Feature: Rotate the API key.
+
+  Scenario: Logged-in user can rotate the API key.
+    When I run the code:
+    """
+    $conjur.role('cucumber:user:alice').rotate_api_key
+    """
+    Then I can run the code:
+    """
+    @api_key = @result.strip
+    @conjur = Conjur::API.new_from_key 'alice', @api_key
+    @conjur.token
+    """

data/features_v4/step_definitions/api_steps.rb

@@ -0,0 +1,17 @@
+Given(/^a new host$/) do
+  @host_id = "app-#{random_hex}"
+  host = Conjur::API.host_factory_create_host($token, @host_id)
+  @host_api_key = host.api_key
+  expect(@host_api_key).to be
+
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end
+
+When(/^I(?: can)? run the code:$/) do |code|
+  @result = eval(code).tap do |result|
+    if ENV['DEBUG']
+      puts result
+    end
+  end
+end

data/features_v4/step_definitions/result_steps.rb

@@ -0,0 +1,3 @@
+Then(/^the result should be "([^"]+)"$/) do |expected|
+  expect(@result.to_s).to eq(expected.to_s)
+end

data/features_v4/support/env.rb

@@ -0,0 +1,23 @@
+require 'simplecov'
+
+SimpleCov.start
+
+require 'json_spec/cucumber'
+require 'conjur/api'
+
+Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'https://conjur_4/api'
+Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
+Conjur.configuration.cert_file = "./tmp/conjur.pem"
+Conjur.configuration.authn_local_socket = "/run/authn-local-4/.socket"
+Conjur.configuration.version = 4
+
+Conjur.configuration.apply_cert_config!
+
+$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
+$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
+
+$api_key = Conjur::API.login $username, $password
+$conjur = Conjur::API.new_from_key $username, $api_key
+
+$host_factory = $conjur.resource('cucumber:host_factory:myapp')
+$token = $host_factory.create_token(Time.now + 1.hour)

data/features_v4/support/policy.yml

@@ -0,0 +1,34 @@
+- !user
+  id: alice
+  uidnumber: 2000
+  
+- !group
+  id: developers
+  gidnumber: 2000
+
+- !group everyone
+
+- !grant
+  role: !group everyone
+  member: !group developers
+
+- !variable db-password
+
+- !variable ssh-key
+
+- !variable
+  id: ssl-certificate
+  kind: SSL certificate
+  mime_type: application/x-pem-file
+
+- !layer myapp
+
+- !host-factory
+  id: myapp
+  layers: [ !layer myapp ]
+
+- !permit
+  role: !layer myapp
+  privileges: [ read, execute ]
+  resources:
+    - !variable db-password

data/features_v4/support/world.rb

@@ -0,0 +1,12 @@
+module ApiWorld
+  def last_json
+    @result.to_json
+  end
+
+  def random_hex nbytes = 12
+    @random ||= Random.new
+    @random.bytes(nbytes).unpack('h*').first
+  end
+end
+
+World ApiWorld

data/features_v4/variable_fields.feature

@@ -0,0 +1,11 @@
+Feature: Display Variable fields.
+
+  Background:
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:ssl-certificate')
+    """
+
+  Scenario: Display MIME type and kind
+    Then the JSON at "mime_type" should be "application/x-pem-file"
+    And the JSON at "kind" should be "SSL certificate"

data/features_v4/variable_value.feature

@@ -0,0 +1,54 @@
+Feature: Work with Variable values.
+  Background:
+    Given I run the code:
+    """
+    @variable = $conjur.resource("cucumber:variable:db-password")
+    @variable_2 = $conjur.resource("cucumber:variable:ssh-key")
+    """
+
+  Scenario: Add a value, retrieve the variable metadata and the value.
+    Given I run the code:
+    """
+    @initial_count = @variable.version_count
+    @variable.add_value 'value-0'
+    """
+    When I run the code:
+    """
+    expect(@variable.version_count).to eq(@initial_count + 1)
+    """
+    And I run the code:
+    """
+    @variable.value
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve a historical value.
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable.add_value 'value-1'
+    @variable.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    @variable.value(@variable.version_count - 2)
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve multiple values in a batch
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable_2.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    $conjur.variable_values([ @variable, @variable_2 ].map(&:id))
+    """
+    Then the JSON should be:
+    """
+    {
+      "db-password": "value-0",
+      "ssh-key": "value-2"
+    }
+    """

data/lib/conjur/acts_as_resource.rb

@@ -0,0 +1,123 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+module Conjur
+  # This module is included in object classes that have resource behavior.
+  module ActsAsResource
+    # @api private
+    def self.included(base)
+      base.include HasAttributes
+      base.include Escape
+      base.extend QueryString
+    end
+
+    # The full role id of the role that owns this resource.
+    #
+    # @example
+    #   api.current_role # => 'conjur:user:jon'
+    #   resource = api.create_resource 'conjur:example:resource-owner'
+    #   resource.owner # => 'conjur:user:jon'
+    #
+    # @return [String] the full role id of this resource's owner.
+    def owner
+      build_object attributes['owner'], default_class: Role
+    end
+
+    # Check whether this object exists by performing a HEAD request to its URL.
+    #
+    # This method will return false if the object doesn't exist.
+    #
+    # @example
+    #   does_not_exist = api.user 'does-not-exist' # This returns without error.
+    #
+    #   # this is wrong!
+    #   owner = does_not_exist.owner # raises RestClient::ResourceNotFound
+    #
+    #   # this is right!
+    #   owner = if does_not_exist.exists?
+    #     does_not_exist.owner
+    #   else
+    #     nil # or some sensible default
+    #   end
+    #
+    # @return [Boolean] does it exist?
+    def exists?
+      begin
+        url_for(:resources_resource, credentials, id).head
+        true
+      rescue RestClient::Forbidden
+        true
+      rescue RestClient::ResourceNotFound
+        false
+      end
+    end
+
+    # Lists roles that have a specified privilege on the resource. 
+    #
+    # This will return only roles of which api.current_user is a member.
+    #
+    # Options:
+    #
+    # * **offset** Zero-based offset into the result set.
+    # * **limit**  Total number of records returned.
+    #
+    # @example
+    #   resource = api.resource 'conjur:variable:example'
+    #   resource.permitted_roles 'execute' # => ['conjur:user:admin']
+    #   # After permitting 'execute' to user 'jon'
+    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:user:jon']
+    #
+    # @param privilege [String] the privilege
+    # @return [Array<String>] the ids of roles that have `privilege` on this resource.
+    def permitted_roles privilege
+      result = JSON.parse url_for(:resources_permitted_roles, credentials, id, privilege).get
+      if result.is_a?(Hash) && ( count = result['count'] )
+        count
+      else
+        result
+      end
+    end
+
+    # True if the logged-in role, or a role specified using the :role option, has the
+    # specified +privilege+ on this resource.
+    #
+    # @example
+    #   api.current_role # => 'conjur:cat:mouse'
+    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:cat:mouse']
+    #   resource.permitted_roles 'update', # => ['conjur:user:admin', 'conjur:cat:gino']
+    #
+    #   resource.permitted? 'update' # => false, `mouse` can't update this resource
+    #   resource.permitted? 'execute' # => true, `mouse` can execute it.
+    #   resource.permitted? 'update', role: 'conjur:cat:gino' # => true, `gino` can update it.
+    # @param privilege [String] the privilege to check
+    # @param role [String,nil] :role check whether the role given by this full role id is permitted
+    #   instead of checking +api.current_role+.
+    # @return [Boolean]
+    def permitted? privilege, role: nil
+      url_for(:resources_check, credentials, id, privilege, role)
+      true
+    rescue RestClient::Forbidden
+      false
+    rescue RestClient::ResourceNotFound
+      false
+    end
+  end
+end