conjur-api 5.3.8.pre.8 → 5.3.8.pre.194

data/lib/conjur/base.rb

@@ -0,0 +1,355 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'rest-client'
+require 'active_support'
+require 'active_support/core_ext'
+require 'json'
+require 'base64'
+
+require 'conjur/query_string'
+require 'conjur/has_attributes'
+require 'conjur/escape'
+require 'conjur/log'
+require 'conjur/log_source'
+
+module Conjur
+  # NOTE: You have to put all 'class level' api docs here, because YARD is stoopid :-(
+
+  # This class provides access to the Conjur services.
+  class API
+    include Escape
+    include LogSource
+    include Routing
+    extend Routing
+
+    class << self
+      # Create a new {Conjur::API} instance from a username and a password or api key.
+      #
+      # @example Create an API with valid credentials
+      #   api = Conjur::API.new_from_key 'admin', '<admin password>'
+      #   api.current_role # => 'conjur:user:admin'
+      #   api.token['data'] # => 'admin'
+      #
+      # @example Authentication is lazy
+      #   api = Conjur::API.new_from_key 'admin', 'wrongpassword'   # succeeds
+      #   api.user 'foo' # raises a 401 error
+      #
+      # @param [String] username the username to use when making authenticated requests.
+      # @param [String] api_key the api key or password for `username`
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @param [String] account The organization account.
+      # @return [Conjur::API] an api that will authenticate with the given username and api key.
+      def new_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
+        self.new.init_from_key username, api_key, remote_ip: remote_ip, account: account
+      end
+
+      # Create a new {Conjur::API} instance from an access token.
+      #
+      # Generally, you will have a Conjur identitiy (username and API key), and create an {Conjur::API} instance
+      # for the identity using {.new_from_key}.  This method is useful when you are performing authorization checks
+      # given a token.  For example, a Conjur gateway that requires you to prove that you can 'read' a resource named
+      # 'super-secret' might get the token from a request header, create an {Conjur::API} instance with this method,
+      # and use {Conjur::Resource#permitted?} to decide whether to accept and forward the request.
+      #
+      # @example A simple gatekeeper
+      #   RESOURCE_NAME = 'protected-service'
+      #
+      #   def handle_request request
+      #     token_header = request.header 'X-Conjur-Token'
+      #     token = JSON.parse Base64.b64decode(token_header)
+      #
+      #     api = Conjur::API.new_from_token token
+      #     raise Forbidden unless api.resource(RESOURCE_NAME).permitted? 'read'
+      #
+      #     proxy_to_service request
+      #   end
+      #
+      # @param [Hash] token the authentication token as parsed JSON to use when making authenticated requests
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @return [Conjur::API] an api that will authenticate with the token
+      def new_from_token token, remote_ip: nil
+        self.new.init_from_token token, remote_ip: remote_ip
+      end
+
+      # Create a new {Conjur::API} instance from a file containing a token issued by the
+      # {http://developer.conjur.net/reference/services/authentication Conjur authentication service}.
+      # The file is read the first time that a token is required. It is also re-read 
+      # whenever the API decides that the token it already has is getting close to expiration.
+      #
+      # This method is useful when an external process, such as a sidecar container, is continuously
+      # obtaining fresh tokens and writing them to a known file.
+      #
+      # @param [String] token_file the file path containing an authentication token as parsed JSON.
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @return [Conjur::API] an api that will authenticate with the tokens provided in the file.
+      def new_from_token_file token_file, remote_ip: nil
+        self.new.init_from_token_file token_file, remote_ip: remote_ip
+      end
+
+      # Create a new {Conjur::API} instance which authenticates using +authn-local+
+      # using the specified username.
+      # 
+      # @param [String] username the username to use when making authenticated requests.
+      # @param [String] account The organization account.
+      # @param [String] remote_ip the optional IP address to be recorded in the audit record.
+      # @param [String] expiration the optional expiration time of the token (supported in V5 only).
+      # @param [String] cidr the optional CIDR restriction on the token (supported in V5 only).
+      # @return [Conjur::API] an api that will authenticate with the given username.
+      def new_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
+        self.new.init_from_authn_local username, account: account, remote_ip: remote_ip, expiration: expiration, cidr: cidr
+      end
+    end
+
+    #@!attribute [r] api_key
+    # The api key used to create this instance.  This is only present when you created the api with {Conjur::API.new_from_key}.#
+    #
+    # @return [String] the api key, or nil if this instance was created from a token.
+    attr_reader :api_key
+
+    #@!attribute [r] remote_ip
+    # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
+    attr_reader :remote_ip
+
+    # The name of the user as which this api instance is authenticated.  This is available whether the api
+    # instance was created from credentials or an authentication token. If the instance was created from
+    # credentials, we will use that value directly otherwise we will attempt to extract the username from
+    # the token (either the old-style data field or the new-style JWT `sub` field).
+    #
+    # @return [String] the login of the current user.
+    def username
+      @username || token['data'] || jwt_username(token)
+    end
+
+    # @api private
+    # used to delegate to host providing subclasses.
+    # @return [String] the host
+    def host
+      self.class.host
+    end
+
+    # The token used to authenticate requests made with the api.  The token will be fetched,
+    # if possible, when not present or about to expire.  Accordingly, this
+    # method may raise a RestClient::Unauthorized exception if the credentials are invalid.
+    #
+    # @return [Hash] the authentication token as a Hash
+    # @raise [RestClient::Unauthorized] if the username and api key are invalid.
+    def token
+      refresh_token if needs_token_refresh?
+      return @token
+    end
+
+    # @api private
+    # Force the API to obtain a new access token on the next invocation.
+    def force_token_refresh
+      @token = nil
+    end
+
+    # Credentials that can be merged with options to be passed to `RestClient::Resource` HTTP request methods.
+    # These include a username and an Authorization header containing the authentication token.
+    #
+    # @return [Hash] the options.
+    # @raise [RestClient::Unauthorized] if fetching the token fails.
+    def credentials
+      headers = {}.tap do |h|
+        h[:authorization] = "Token token=\"#{Base64.strict_encode64 token.to_json}\""
+        h[:x_forwarded_for] = @remote_ip if @remote_ip
+      end
+      { headers: headers, username: username }
+    end
+
+    module TokenExpiration
+
+      # The four minutes is to work around a bug in Conjur < 4.7 causing a 404 on 
+      # long-running operations (when the token is used right around the 5 minute mark).
+      TOKEN_STALE = 4.minutes
+
+      attr_accessor :token_born
+
+      def needs_token_refresh?
+        token_age > TOKEN_STALE
+      end
+
+      def update_token_born
+        self.token_born = gettime
+      end
+
+      def token_age
+        gettime - token_born
+      end
+
+      def gettime
+        Process.clock_gettime Process::CLOCK_MONOTONIC
+      rescue
+        # fall back to normal clock if there's no CLOCK_MONOTONIC
+        Time.now.to_f
+      end
+    end
+
+    # When the API is constructed with an API key, the token can be refreshed using
+    # the username and API key. This authenticator assumes that the token was
+    # minted immediately before the API instance was created.
+    class APIKeyAuthenticator
+      include TokenExpiration
+
+      attr_reader :account, :username, :api_key
+
+      def initialize account, username, api_key
+        @account = account
+        @username = username
+        @api_key = api_key
+
+        update_token_born
+      end
+
+      def refresh_token
+        Conjur::API.authenticate(username, api_key, account: account).tap do
+          update_token_born
+        end
+      end
+    end
+
+    # Obtains access tokens from the +authn-local+ service.
+    class LocalAuthenticator
+      include TokenExpiration
+
+      attr_reader :account, :username, :expiration, :cidr
+
+      def initialize account, username, expiration, cidr
+        @account = account
+        @username = username
+        @expiration = expiration
+        @cidr = cidr
+
+        update_token_born
+      end
+
+      def refresh_token
+        Conjur::API.authenticate_local(username, account: account, expiration: expiration, cidr: cidr).tap do
+          update_token_born
+        end
+      end
+    end
+
+    # When the API is constructed with a token, the token cannot be refreshed.
+    class UnableAuthenticator
+      def refresh_token
+        raise "Unable to re-authenticate using an access token"
+      end
+
+      def needs_token_refresh?
+        false
+      end
+    end
+
+    # Obtains fresh tokens by reading them from a file. Some other process is assumed
+    # to be acquiring tokens and storing them to the file on a regular basis.
+    # 
+    # This authenticator assumes that the token was created immediately before
+    # it was written to the file.
+    class TokenFileAuthenticator
+      attr_reader :token_file
+
+      def initialize token_file
+        @token_file = token_file
+      end
+
+      attr_reader :last_mtime
+
+      def mtime
+        File.mtime token_file
+      end
+
+      def refresh_token
+        # There's a race condition here in which the file could be updated
+        # after we read the mtime but before we read the file contents. So to be
+        # conservative, use the oldest possible mtime.
+        mtime = self.mtime
+        File.open token_file, 'r' do |f|
+          JSON.load(f.read).tap { @last_mtime = mtime }
+        end
+      end
+
+      def needs_token_refresh?
+        mtime != last_mtime
+      end
+    end
+
+    def init_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
+      @username = username
+      @api_key = api_key
+      @remote_ip = remote_ip
+      @authenticator = APIKeyAuthenticator.new(account, username, api_key)
+      self
+    end
+
+    def init_from_token token, remote_ip: nil
+      @token = token
+      @remote_ip = remote_ip
+      @authenticator = UnableAuthenticator.new
+      self
+    end
+
+    def init_from_token_file token_file, remote_ip: nil
+      @remote_ip = remote_ip
+      @authenticator = TokenFileAuthenticator.new(token_file)
+      self
+    end
+
+    def init_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
+      @username = username
+      @api_key = api_key
+      @remote_ip = remote_ip
+      @authenticator = LocalAuthenticator.new(account, username, expiration, cidr)
+      self
+    end
+
+    attr_reader :authenticator
+
+    private
+
+    # Tries to get the username (subject) from a JWT API token by examining
+    # its content.
+    #
+    # @return [String] of the 'sub' payload field from the JWT if present,
+    # otherwise return nil
+    def jwt_username raw_token
+      return nil unless raw_token
+      return nil unless raw_token.include? 'payload'
+
+      JSON.parse(Base64.strict_decode64(raw_token["payload"]))["sub"]
+    end
+
+    # Tries to refresh the token if possible.
+    #
+    # @return [Hash, false] false if the token couldn't be refreshed due to
+    # unavailable API key; otherwise, the new token.
+    def refresh_token
+      @token = @authenticator.refresh_token
+    end
+
+    # Checks if the token is old (or not present).
+    #
+    # @return [Boolean]
+    def needs_token_refresh?
+      !@token || @authenticator.needs_token_refresh?
+    end
+  end
+end

data/lib/conjur/base_object.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Conjur
+  class BaseObject
+    include QueryString
+    include LogSource
+    include BuildObject
+    include Routing
+
+    attr_reader :id, :credentials
+
+    def initialize id, credentials
+      @id = Id.new id
+      @credentials = credentials
+    end
+
+    def as_json options={}
+      {
+        id: id.to_s
+      }
+    end
+
+    def account
+      id.account
+    end
+
+    def kind
+      id.kind
+    end
+
+    def identifier
+      id.identifier
+    end
+
+    def username
+      credentials[:username] or raise "No username found in credentials"
+    end
+
+    def inspect
+      "<#{self.class.name} id='#{id.to_s}'>"
+    end
+  end
+end

data/lib/conjur/build_object.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Conjur
+  module BuildObject
+    def self.included base
+      base.module_eval do
+        extend ClassMethods
+      end
+    end
+
+    module ClassMethods
+      def build_object id, credentials, default_class:
+        id = Id.new id
+        class_name = id.kind.classify.to_sym
+        find_class(class_name, default_class)
+          .new(id, credentials)
+      end
+
+      def find_class class_name, default_class
+        cls = if Conjur.constants.member?(class_name)
+          Conjur.const_get(class_name)
+        else
+          default_class
+        end
+        cls < BaseObject ? cls : default_class
+      end
+    end
+
+    def build_object id, default_class: Resource
+      self.class.build_object id, credentials, default_class: default_class
+    end
+  end
+end

data/lib/conjur/cache.rb

@@ -0,0 +1,26 @@
+module Conjur
+  # A cache which performs no caching.
+  class BaseCache
+    def fetch_attributes cache_key, &block
+      yield
+    end
+  end
+
+  class << self
+    @@cache = BaseCache.new
+
+    # Sets the global cache. It should implement +fetch_:method+ methods.
+    # The easy way to accomplish this is to extend BaseCache.
+    def cache= cache
+      @@cache = cache
+    end
+
+    # Gets the global cache.
+    def cache; @@cache; end
+
+    # Builds a cache key from a +username+, +url+ and optional +path+.
+    def cache_key username, url, path = nil
+      [ username, [ url, path ].compact.join ].join(".")
+    end
+  end
+end

data/lib/conjur/cert_utils.rb

@@ -0,0 +1,63 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+require 'openssl'
+
+module Conjur
+  module CertUtils
+    CERT_RE = /-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----\n/m
+
+    class << self
+      # Parse X509 DER-encoded certificates from a string
+      # @param certs [String] certificate(s) to parse in DER form
+      # @return [Array<OpenSSL::X509::Certificate>] certificates contained in the string
+      def parse_certs certs
+        # fix any mangled namespace
+        certs = certs.gsub /\s+/, "\n"
+        certs.gsub! "-----BEGIN\nCERTIFICATE-----", '-----BEGIN CERTIFICATE-----'
+        certs.gsub! "-----END\nCERTIFICATE-----", '-----END CERTIFICATE-----'
+        certs += "\n" unless certs[-1] == "\n"
+
+        certs.scan(CERT_RE).map do |cert|
+          begin
+            OpenSSL::X509::Certificate.new cert
+          rescue OpenSSL::X509::CertificateError => exn
+            raise exn, "Invalid certificate:\n#{cert} (#{exn.message})"
+          end
+        end
+      end
+
+      # Add a certificate to a given store. If the certificate has more than
+      # one certificate in its chain, it will be parsed and added to the store
+      # one by one. This is done because `OpenSSL::X509::Store.new.add_cert`
+      # adds only the intermediate certificate to the store.
+      def add_chained_cert store, chained_cert
+        parse_certs(chained_cert).each do |cert|
+          begin
+            store.add_cert cert
+          rescue OpenSSL::X509::StoreError => ex
+            raise unless ex.message == 'cert already in hash table'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conjur/cidr.rb

@@ -0,0 +1,71 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+##
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+require 'ipaddr'
+
+module Conjur
+  # Utility methods for CIDR network addresses
+  module CIDR
+    # Parse addr into an IPAddr if it's not one already, then extend it with CIDR
+    # module. This will force validation and will raise ArgumentError if invalid.
+    # @return [IPAddr] the address (extended with CIDR module)
+    def self.validate addr
+      addr = IPAddr.new addr unless addr.kind_of? IPAddr
+      addr.extend self
+    end
+
+    def self.extended addr
+      addr.prefixlen # validates
+    end
+
+    # Error raised when an address is not a valid CIDR network address
+    class InvalidCIDR < ArgumentError
+    end
+
+    attr_reader :mask_addr
+
+    # @return [String] the address as an "address/mask length" string
+    # @example
+    #     IPAddr.new("192.0.2.0/255.255.255.0").extend(CIDR).to_s == "192.0.2.0/24"
+    def to_s
+      [super, prefixlen].join '/'
+    end
+
+    # @return [Fixnum] the length of the network mask prefix
+    def prefixlen
+      unless @prefixlen
+        return @prefixlen = 0 if (mask = mask_addr) == 0
+
+        @prefixlen = ipv4? ? 32 : 128
+
+        while (mask & 1) == 0
+          mask >>= 1
+          @prefixlen -= 1
+        end
+
+        if mask != ((1 << @prefixlen) - 1)
+          fail InvalidCIDR, "#{inspect} is not a valid CIDR network address"
+        end
+      end
+      return @prefixlen
+    end
+  end
+end