conjur-api 5.3.8.pre.8 → 5.3.8.pre.194

data/features_v4/host_factory_token.feature

@@ -0,0 +1,49 @@
+Feature: Working with host factory tokens.
+
+  Background:
+    Given I run the code:
+    """
+    @expiration = (DateTime.now + 1.hour).change(sec: 0)
+    """
+
+
+  Scenario: Create a new host factory token.
+    When I run the code:
+    """
+    @token = $host_factory.create_token(@expiration)
+    """
+    Then I can run the code:
+    """
+    expect(@token).to be_instance_of(Conjur::HostFactoryToken)
+    expect(@token.token).to be_instance_of(String)
+    expiration = @token.expiration
+    expiration = expiration.change(sec: 0)
+    expect(expiration).to eq(@expiration)
+    """
+
+  Scenario: Create multiple new host factory tokens.
+    When I run the code:
+    """
+    $host_factory.create_tokens @expiration, count: 2
+    """
+    Then the JSON should have 2 items
+
+  Scenario: Revoke a host factory token using the token object.
+    When I run the code:
+    """
+    @token = $host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    @token.revoke
+    """
+
+  Scenario: Revoke a host factory token using the API.
+    When I run the code:
+    """
+    @token = $host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    $conjur.revoke_host_factory_token @token.token
+    """

data/features_v4/members.feature

@@ -0,0 +1,39 @@
+Feature: Display role members and memberships.
+
+  Scenario: Show a role's members.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:everyone').members.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "admin_option": false,
+        "member": "cucumber:group:developers",
+        "role": "cucumber:group:everyone"
+      },
+      {
+        "admin_option": true,
+        "member": "cucumber:group:security_admin",
+        "role": "cucumber:group:everyone"
+      }
+    ]
+    """
+
+  Scenario: Show a role's memberships.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').memberships.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "id": "cucumber:group:developers"
+      },
+      {
+        "id": "cucumber:group:everyone"
+      }
+    ]
+    """

data/features_v4/permitted.feature

@@ -0,0 +1,15 @@
+Feature: Check if a role has permission on a resource.
+
+  Scenario: Check if the current user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute'
+    """
+    Then the result should be "true"
+
+  Scenario: Check if a different user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:bob"
+    """
+    Then the result should be "false"

data/features_v4/permitted_roles.feature

@@ -0,0 +1,8 @@
+Feature: Enumerate roles which have a permission on a resource.
+
+  Scenario: Permitted roles can be enumerated.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted_roles 'execute'
+    """
+    Then the JSON should include "cucumber:layer:myapp"

data/features_v4/resource_fields.feature

@@ -0,0 +1,47 @@
+Feature: Display basic resource fields.
+
+  Scenario: Group exposes id, kind, identifier, and gidnumber.
+    When I run the code:
+    """
+    resource = $conjur.resource('cucumber:group:developers')
+    [ resource.id, resource.account, resource.kind, resource.identifier, resource.gidnumber ]
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:group:developers",
+      "cucumber",
+      "group",
+      "developers",
+      2000
+    ]
+    """
+
+  Scenario: User exposes id, kind, identifier, and uidnumber.
+    When I run the code:
+    """
+    resource = $conjur.resource('cucumber:user:alice')
+    [ resource.id, resource.account, resource.kind, resource.identifier, resource.uidnumber ]
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:user:alice",
+      "cucumber",
+      "user",
+      "alice",
+      2000
+    ]
+    """
+
+  Scenario: Resource#owner is the owner object
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').owner.id
+    """
+    Then the result should be "cucumber:group:security_admin"
+    And I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').class
+    """
+    Then the result should be "Conjur::Group"

data/features_v4/rotate_api_key.feature

@@ -0,0 +1,13 @@
+Feature: Rotate the API key.
+
+  Scenario: Logged-in user can rotate the API key.
+    When I run the code:
+    """
+    $conjur.role('cucumber:user:alice').rotate_api_key
+    """
+    Then I can run the code:
+    """
+    @api_key = @result.strip
+    @conjur = Conjur::API.new_from_key 'alice', @api_key
+    @conjur.token
+    """

data/features_v4/step_definitions/api_steps.rb

@@ -0,0 +1,17 @@
+Given(/^a new host$/) do
+  @host_id = "app-#{random_hex}"
+  host = Conjur::API.host_factory_create_host($token, @host_id)
+  @host_api_key = host.api_key
+  expect(@host_api_key).to be
+
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end
+
+When(/^I(?: can)? run the code:$/) do |code|
+  @result = eval(code).tap do |result|
+    if ENV['DEBUG']
+      puts result
+    end
+  end
+end

data/features_v4/step_definitions/result_steps.rb

@@ -0,0 +1,3 @@
+Then(/^the result should be "([^"]+)"$/) do |expected|
+  expect(@result.to_s).to eq(expected.to_s)
+end

data/features_v4/support/env.rb

@@ -0,0 +1,23 @@
+require 'simplecov'
+
+SimpleCov.start
+
+require 'json_spec/cucumber'
+require 'conjur/api'
+
+Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'https://conjur_4/api'
+Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
+Conjur.configuration.cert_file = "./tmp/conjur.pem"
+Conjur.configuration.authn_local_socket = "/run/authn-local-4/.socket"
+Conjur.configuration.version = 4
+
+Conjur.configuration.apply_cert_config!
+
+$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
+$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
+
+$api_key = Conjur::API.login $username, $password
+$conjur = Conjur::API.new_from_key $username, $api_key
+
+$host_factory = $conjur.resource('cucumber:host_factory:myapp')
+$token = $host_factory.create_token(Time.now + 1.hour)

data/features_v4/support/policy.yml

@@ -0,0 +1,34 @@
+- !user
+  id: alice
+  uidnumber: 2000
+  
+- !group
+  id: developers
+  gidnumber: 2000
+
+- !group everyone
+
+- !grant
+  role: !group everyone
+  member: !group developers
+
+- !variable db-password
+
+- !variable ssh-key
+
+- !variable
+  id: ssl-certificate
+  kind: SSL certificate
+  mime_type: application/x-pem-file
+
+- !layer myapp
+
+- !host-factory
+  id: myapp
+  layers: [ !layer myapp ]
+
+- !permit
+  role: !layer myapp
+  privileges: [ read, execute ]
+  resources:
+    - !variable db-password

data/features_v4/support/world.rb

@@ -0,0 +1,12 @@
+module ApiWorld
+  def last_json
+    @result.to_json
+  end
+
+  def random_hex nbytes = 12
+    @random ||= Random.new
+    @random.bytes(nbytes).unpack('h*').first
+  end
+end
+
+World ApiWorld

data/features_v4/variable_fields.feature

@@ -0,0 +1,11 @@
+Feature: Display Variable fields.
+
+  Background:
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:ssl-certificate')
+    """
+
+  Scenario: Display MIME type and kind
+    Then the JSON at "mime_type" should be "application/x-pem-file"
+    And the JSON at "kind" should be "SSL certificate"

data/features_v4/variable_value.feature

@@ -0,0 +1,54 @@
+Feature: Work with Variable values.
+  Background:
+    Given I run the code:
+    """
+    @variable = $conjur.resource("cucumber:variable:db-password")
+    @variable_2 = $conjur.resource("cucumber:variable:ssh-key")
+    """
+
+  Scenario: Add a value, retrieve the variable metadata and the value.
+    Given I run the code:
+    """
+    @initial_count = @variable.version_count
+    @variable.add_value 'value-0'
+    """
+    When I run the code:
+    """
+    expect(@variable.version_count).to eq(@initial_count + 1)
+    """
+    And I run the code:
+    """
+    @variable.value
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve a historical value.
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable.add_value 'value-1'
+    @variable.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    @variable.value(@variable.version_count - 2)
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve multiple values in a batch
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable_2.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    $conjur.variable_values([ @variable, @variable_2 ].map(&:id))
+    """
+    Then the JSON should be:
+    """
+    {
+      "db-password": "value-0",
+      "ssh-key": "value-2"
+    }
+    """

data/lib/conjur/acts_as_resource.rb

@@ -0,0 +1,123 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+module Conjur
+  # This module is included in object classes that have resource behavior.
+  module ActsAsResource
+    # @api private
+    def self.included(base)
+      base.include HasAttributes
+      base.include Escape
+      base.extend QueryString
+    end
+
+    # The full role id of the role that owns this resource.
+    #
+    # @example
+    #   api.current_role # => 'conjur:user:jon'
+    #   resource = api.create_resource 'conjur:example:resource-owner'
+    #   resource.owner # => 'conjur:user:jon'
+    #
+    # @return [String] the full role id of this resource's owner.
+    def owner
+      build_object attributes['owner'], default_class: Role
+    end
+
+    # Check whether this object exists by performing a HEAD request to its URL.
+    #
+    # This method will return false if the object doesn't exist.
+    #
+    # @example
+    #   does_not_exist = api.user 'does-not-exist' # This returns without error.
+    #
+    #   # this is wrong!
+    #   owner = does_not_exist.owner # raises RestClient::ResourceNotFound
+    #
+    #   # this is right!
+    #   owner = if does_not_exist.exists?
+    #     does_not_exist.owner
+    #   else
+    #     nil # or some sensible default
+    #   end
+    #
+    # @return [Boolean] does it exist?
+    def exists?
+      begin
+        url_for(:resources_resource, credentials, id).head
+        true
+      rescue RestClient::Forbidden
+        true
+      rescue RestClient::ResourceNotFound
+        false
+      end
+    end
+
+    # Lists roles that have a specified privilege on the resource. 
+    #
+    # This will return only roles of which api.current_user is a member.
+    #
+    # Options:
+    #
+    # * **offset** Zero-based offset into the result set.
+    # * **limit**  Total number of records returned.
+    #
+    # @example
+    #   resource = api.resource 'conjur:variable:example'
+    #   resource.permitted_roles 'execute' # => ['conjur:user:admin']
+    #   # After permitting 'execute' to user 'jon'
+    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:user:jon']
+    #
+    # @param privilege [String] the privilege
+    # @return [Array<String>] the ids of roles that have `privilege` on this resource.
+    def permitted_roles privilege
+      result = JSON.parse url_for(:resources_permitted_roles, credentials, id, privilege).get
+      if result.is_a?(Hash) && ( count = result['count'] )
+        count
+      else
+        result
+      end
+    end
+
+    # True if the logged-in role, or a role specified using the :role option, has the
+    # specified +privilege+ on this resource.
+    #
+    # @example
+    #   api.current_role # => 'conjur:cat:mouse'
+    #   resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:cat:mouse']
+    #   resource.permitted_roles 'update', # => ['conjur:user:admin', 'conjur:cat:gino']
+    #
+    #   resource.permitted? 'update' # => false, `mouse` can't update this resource
+    #   resource.permitted? 'execute' # => true, `mouse` can execute it.
+    #   resource.permitted? 'update', role: 'conjur:cat:gino' # => true, `gino` can update it.
+    # @param privilege [String] the privilege to check
+    # @param role [String,nil] :role check whether the role given by this full role id is permitted
+    #   instead of checking +api.current_role+.
+    # @return [Boolean]
+    def permitted? privilege, role: nil
+      url_for(:resources_check, credentials, id, privilege, role)
+      true
+    rescue RestClient::Forbidden
+      false
+    rescue RestClient::ResourceNotFound
+      false
+    end
+  end
+end

data/lib/conjur/acts_as_role.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Conjur
+
+  # This module provides methods for things that have an associated {Conjur::Role}.
+  #
+  # All high level Conjur assets (groups and users, for example) are composed of both a role and a resource.  This allows
+  # these assets to have permissions on other assets, and for other assets to have permission
+  # on them.
+  #
+  # The {Conjur::ActsAsRole} module itself should be considered private, but it's methods are
+  # public when added to a Conjur asset class.
+  module ActsAsRole
+    
+    # Login name of the role. This is formed from the role kind and role id.
+    # For users, the role kind can be omitted.
+    def login
+      [ kind, identifier ].delete_if{|t| t == "user"}.join('/')
+    end
+
+    # Check whether this object exists by performing a HEAD request to its URL.
+    #
+    # This method will return false if the object doesn't exist.
+    #
+    # @example
+    #   does_not_exist = api.user 'does-not-exist' # This returns without error.
+    #
+    #   # this is wrong!
+    #   owner = does_not_exist.members # raises RestClient::ResourceNotFound
+    #
+    #   # this is right!
+    #   owner = if does_not_exist.exists?
+    #     does_not_exist.members
+    #   else
+    #     nil # or some sensible default
+    #   end
+    #
+    # @return [Boolean] does it exist?
+    def exists?
+      begin
+        rbac_role_resource.head
+        true
+      rescue RestClient::Forbidden
+        true
+      rescue RestClient::ResourceNotFound
+        false
+      end
+    end
+
+    # Find all roles of which this role is a member.  By default, role relationships are recursively expanded,
+    # so if `a` is a member of `b`, and `b` is a member of `c`, `a.all` will include `c`.
+    #
+    # ### Permissions
+    # You must be a member of the role to call this method.
+    #
+    # You can restrict the roles returned to one or more role ids.  This feature is mainly useful
+    # for checking whether this role is a member of any of a set of roles.
+    #
+    # ### Options
+    #
+    # * **recursive** Defaults to +true+, performs recursive expansion of the memberships.
+    #
+    # @example Show all roles of which `"conjur:group:pubkeys-1.0/key-managers"` is a member
+    #   # Add alice to the group, so we see something interesting
+    #   key_managers = api.group('pubkeys-1.0/key-managers')
+    #   key_managers.add_member api.user('alice')
+    #
+    #   # Show the memberships, mapped to the member ids.
+    #   key_managers.role.all.map(&:id)
+    #   # => ["conjur:group:pubkeys-1.0/admin", "conjur:user:alice"]
+    #
+    # @example See if role `"conjur:user:alice"` is a member of either `"conjur:groups:developers"` or `"conjur:group:ops"`
+    #   is_member = api.role('conjur:user:alice').all(filter: ['conjur:group:developers', 'conjur:group:ops']).any?
+    #
+    # @param [Hash] options options for the request
+    # @return [Array<Conjur::Role>] Roles of which this role is a member
+    def memberships options = {}
+      request = if options.delete(:recursive) == false
+        options["memberships"] = true
+      else
+        options["all"] = true
+      end
+      if filter = options.delete(:filter)
+        filter = [filter] unless filter.is_a?(Array)
+        options["filter"] = filter.map(&Id.method(:new))
+      end
+
+      result = JSON.parse(rbac_role_resource[options_querystring options].get)
+      if result.is_a?(Hash) && ( count = result['count'] )
+        count
+      else
+        host = Conjur.configuration.core_url
+        result.collect do |item|
+          if item.is_a?(String)
+            build_object(item, default_class: Role)
+          else
+            RoleGrant.parse_from_json(item, self.options)
+          end
+        end
+      end
+    end
+    
+    # Fetch the direct members of this role. The results are *not* recursively expanded).
+    #
+    # ### Permissions
+    # You must be a member of the role to call this method.
+    # 
+    # @param options [Hash, nil] extra parameters to pass to the webservice method.
+    # @return [Array<Conjur::RoleGrant>] the role memberships
+    # @raise [RestClient::Forbidden] if you don't have permission to perform this operation
+    def members options = {}
+      options["members"] = true
+      result = JSON.parse(rbac_role_resource[options_querystring options].get)
+      if result.is_a?(Hash) && ( count = result['count'] )
+        count
+      else
+        parser_for(:members, credentials, result)
+      end
+    end
+
+    private
+
+    # RestClient::Resource for RBAC role operations.
+    def rbac_role_resource
+      url_for(:roles_role, credentials, id)    
+    end
+  end
+end

data/lib/conjur/acts_as_rolsource.rb

@@ -0,0 +1,32 @@
+#
+# Copyright (C) 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+
+  # This module provides methods for things that have an associated {Conjur::Role} and
+  # {Conjur::Resource}.
+  module ActsAsRolsource
+    # @api private
+    def self.included(base)
+      base.include ActsAsRole
+      base.include ActsAsResource
+    end
+  end
+end