conjur-api 5.3.8.pre.8 → 5.3.8.pre.194

data/lib/conjur/api/router/v4.rb

@@ -0,0 +1,206 @@
+module Conjur
+  class API
+    module Router
+      module V4
+        extend Conjur::Escape::ClassMethods
+        extend Conjur::QueryString
+        extend self
+
+        def authn_login account, username, password
+          verify_account(account)
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )['users/login']
+        end
+
+        def authn_authenticate account, username
+          verify_account(account)
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )['users'][fully_escape username]['authenticate']
+        end
+
+        # For v4, the authn-local message is the username.
+        def authn_authenticate_local username, account, expiration, cidr, &block
+          verify_account(account)
+
+          raise "'expiration' is not supported for authn-local v4" if expiration
+          raise "'cidr' is not supported for authn-local v4" if cidr
+
+          username
+        end
+
+        def authn_rotate_api_key credentials, account, id
+          verify_account(account)
+          username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['users']["api_key?id=#{username}"]
+        end
+
+        def authn_rotate_own_api_key account, username, password
+          verify_account(account)
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(user: username, password: password)
+          )['users']["api_key"]
+        end
+
+        def host_factory_create_host token
+          http_options = {
+            headers: { authorization: %Q(Token token="#{token}") }
+          }
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )['host_factories']['hosts']
+        end
+
+        def host_factory_create_tokens credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories'][id.identifier]['tokens']
+        end
+
+        def host_factory_revoke_token credentials, token
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories']['tokens'][token]
+        end
+
+        def resources_resource credentials, id
+
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['resources'][id.kind][id.identifier]
+        end
+
+        def resources_check credentials, id, privilege, role
+          options = {}
+          options[:check] = true
+          options[:privilege] = privilege
+          if role
+            options[:resource_id] = id
+            roles_role(credentials, Id.new(role))[options_querystring options].get
+          else
+            resources_resource(credentials, id)[options_querystring options].get
+          end
+        end
+
+        def resources_permitted_roles credentials, id, privilege
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
+        end
+
+        def roles_role credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles'][id.kind][id.identifier]
+        end
+
+        def secrets_add credentials, id
+          verify_account(id.account)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['values']
+        end
+
+        def variable credentials, id
+          verify_account(id.account)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]
+        end
+
+        def secrets_value credentials, id, options
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['value'][options_querystring options]
+        end
+
+        def secrets_values credentials, variable_ids
+          options = {
+            vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
+          }
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables']['values'][options_querystring options]
+        end
+
+        def group_attributes credentials, resource, id
+          verify_account(id.account)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['groups'][fully_escape id.identifier].get
+          )
+        end
+
+        def variable_attributes credentials, resource, id
+          verify_account(id.account)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['variables'][fully_escape id.identifier].get
+          )
+        end
+
+        def user_attributes credentials, resource, id
+          verify_account(id.account)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['users'][fully_escape id.identifier].get
+          )
+        end
+
+        def parse_group_gidnumber attributes
+          attributes['gidnumber']
+        end
+
+        def parse_user_uidnumber attributes
+          attributes['uidnumber']
+        end
+
+        def parse_variable_kind attributes
+          attributes['kind']
+        end
+
+        def parse_variable_mime_type attributes
+          attributes['mime_type']
+        end
+
+        def parse_members credentials, result
+          result.collect do |json|
+            RoleGrant.parse_from_json(json, credentials)
+          end
+        end
+
+        protected
+
+        def verify_account account
+          raise "Expecting account to be #{Conjur.configuration.account.inspect}, got #{account.inspect}" unless Conjur.configuration.account == account
+        end
+      end
+    end
+  end
+end

data/lib/conjur/api/router/v5.rb

@@ -0,0 +1,248 @@
+# frozen_string_literal: true
+
+# Copyright 2017-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# rubocop:disable Metrics/ModuleLength
+module Conjur
+  class API
+    module Router
+      # V5 translates method arguments to rest-ful API request parameters.
+      # because of this, most of the methods suffer from :reek:LongParameterList:
+      # and :reek:UtilityFunction:
+      module V5
+        extend Conjur::Escape::ClassMethods
+        extend Conjur::QueryString
+        extend self
+
+        def authn_login account, username, password
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['login']
+        end
+
+        def authn_authenticate account, username
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )[fully_escape account][fully_escape username]['authenticate']
+        end
+
+        def authenticator account, authenticator, service_id, credentials
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[fully_escape authenticator][fully_escape service_id][fully_escape account]
+        end
+
+        def authenticators
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['authenticators']
+        end
+
+        # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
+        def authn_authenticate_local username, account, expiration, cidr, &block
+          { account: account, sub: username }.tap do |params|
+            params[:exp] = expiration if expiration
+            params[:cidr] = cidr if cidr
+          end.to_json
+        end
+
+        def authn_update_password account, username, password
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['password']
+        end
+
+        def authn_rotate_api_key credentials, account, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authn'][fully_escape account]["api_key?role=#{id}"]
+        end
+
+        def authn_rotate_own_api_key account, username, password
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['api_key']
+        end
+
+        def host_factory_create_host token
+          http_options = {
+            headers: { authorization: %Q(Token token="#{token}") }
+          }
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )["host_factories"]["hosts"]
+        end
+
+        def host_factory_create_tokens credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens']
+        end
+
+        def host_factory_revoke_token credentials, token
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens'][token]
+        end
+
+        def policies_load_policy credentials, account, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['policies'][fully_escape account]['policy'][fully_escape id]
+        end
+
+        def public_keys_for_user account, username
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['public_keys'][fully_escape account]['user'][fully_escape username]
+        end
+
+        def resources credentials, account, kind, options
+          credentials ||= {}
+
+          path = "/resources/#{fully_escape account}"
+          path += "/#{fully_escape kind}" if kind
+
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[path][options_querystring options]
+        end
+
+        def resources_resource credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['resources'][id.to_url_path]
+        end
+
+        def resources_permitted_roles credentials, id, privilege
+          options = {}
+          options[:permitted_roles] = true
+          options[:privilege] = privilege
+          resources_resource(credentials, id)[options_querystring options]
+        end
+
+        def resources_check credentials, id, privilege, role
+          options = {}
+          options[:check] = true
+          options[:privilege] = privilege
+          options[:role] = query_escape(Id.new(role)) if role
+          resources_resource(credentials, id)[options_querystring options].get
+        end
+
+        def roles_role credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['roles'][id.to_url_path]
+        end
+
+        def secrets_add credentials, id
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path]
+        end
+
+        def secrets_value credentials, id, options
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path][options_querystring options]
+        end
+
+        def secrets_values credentials, variable_ids
+          options = {
+            variable_ids: Array(variable_ids).join(',')
+          }
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][options_querystring(options).gsub("%2C", ',')]
+        end
+
+        def group_attributes credentials, resource, id
+          resource_annotations resource
+        end
+
+        def variable_attributes credentials, resource, id
+          resource_annotations resource
+        end
+
+        def user_attributes credentials, resource, id
+          resource_annotations resource
+        end
+
+        def parse_group_gidnumber attributes
+          HasAttributes.annotation_value attributes, 'conjur/gidnumber'
+        end
+
+        def parse_user_uidnumber attributes
+          HasAttributes.annotation_value attributes, 'conjur/uidnumber'
+        end
+
+        def parse_variable_kind attributes
+          HasAttributes.annotation_value attributes, 'conjur/kind'
+        end
+
+        def parse_variable_mime_type attributes
+          HasAttributes.annotation_value attributes, 'conjur/mime_type'
+        end
+
+        def parse_members credentials, result
+          result.map do |json|
+            RoleGrant.parse_from_json(json, credentials)
+          end
+        end
+
+        def ldap_sync_policy(credentials, config_name)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
+        end
+
+        private
+
+        def resource_annotations resource
+          resource.attributes['annotations']
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/ModuleLength

data/lib/conjur/api/variables.rb

@@ -0,0 +1,59 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/variable'
+
+module Conjur
+  class API
+  
+    #@!group Variables
+
+    # Fetch the values of a list of variables.  This operation is more efficient than fetching the
+    # values one by one.
+    #
+    # This method will fail unless:
+    #   * All of the variables exist
+    #   * You have permission to `'execute'` all of the variables
+    #
+    # @example Fetch multiple variable values
+    #   values = variable_values ['myorg:variable:postgres_uri', 'myorg:variable:aws_secret_access_key', 'myorg:variable:aws_access_key_id']
+    #   values # =>
+    #   {
+    #      "postgres://...",
+    #      "the-secret-key",
+    #      "the-access-key-id"
+    #   }
+    # 
+    # This method is used to implement the {http://developer.conjur.net/reference/tools/utilities/conjurenv `conjur env`}
+    # commands.  You may consider using that instead to run your program in an environment with the necessary secrets.
+    #
+    # @param [Array<String>] variable_ids list of variable ids to fetch
+    # @return [Array<String>] a list of variable values corresponding to the variable ids.
+    # @raise [RestClient::Forbidden, RestClient::ResourceNotFound] if any of the variables don't exist or aren't accessible.
+    def variable_values variable_ids
+      raise ArgumentError, "Variables list must be an array" unless variable_ids.kind_of? Array 
+      raise ArgumentError, "Variables list is empty" if variable_ids.empty?
+
+      JSON.parse(url_for(:secrets_values, credentials, variable_ids).get.body)
+    end
+    
+    #@!endgroup
+  end
+end

data/lib/conjur/api.rb

@@ -0,0 +1,105 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'active_support'
+require 'active_support/deprecation'
+
+require 'conjur/configuration'
+require 'conjur/routing'
+require 'conjur/id'
+require 'conjur/base'
+require 'conjur/exceptions'
+require 'conjur/build_object'
+require 'conjur/base_object'
+require 'conjur/acts_as_resource'
+require 'conjur/acts_as_role'
+require 'conjur/acts_as_rolsource'
+require 'conjur/acts_as_user'
+require 'conjur/log_source'
+require 'conjur/has_attributes'
+require 'conjur/api/authenticators'
+require 'conjur/api/authn'
+require 'conjur/api/roles'
+require 'conjur/api/resources'
+require 'conjur/api/pubkeys'
+require 'conjur/api/variables'
+require 'conjur/api/policies'
+require 'conjur/api/host_factories'
+require 'conjur/api/ldap_sync'
+require 'conjur/host'
+require 'conjur/group'
+require 'conjur/variable'
+require 'conjur/layer'
+require 'conjur/cache'
+require 'conjur-api/version'
+
+# @api private
+class RestClient::Resource
+  include Conjur::Escape
+  include Conjur::LogSource
+
+  # @api private
+  # This method exists so that all {RestClient::Resource}s support JSON serialization.  It returns an
+  # empty hash.
+  # @return [Hash] the empty hash
+  def to_json(options = {})
+    {}
+  end
+
+  # Creates a Conjur API from this resource's authorization header.
+  #
+  # The new API is created using the token, so it will not be able to refresh
+  # when the token expires (after about 8 minutes).  This is equivalent to creating
+  # an {Conjur::API} instance with {Conjur::API.new_from_token}.
+  #
+  # @return {Conjur::API} the new api
+  def conjur_api
+    api = Conjur::API.new_from_token token, remote_ip: remote_ip
+    api
+  end
+
+  # Get an authentication token from the clients Authorization header.
+  #
+  # Useful fields in the token include `"data"`, which holds the username for which the
+  # token was issued, and `"timestamp"`, which contains the time at which the token was issued.
+  # The token will expire 8 minutes after timestamp, but we recommend you treat the lifespan as
+  # about 5  minutes to account for time differences.
+  #
+  # @return [Hash] the parsed authentication token
+  def token
+    authorization = options[:headers][:authorization]
+    if authorization && authorization.to_s[/^Token token="(.*)"/]
+      JSON.parse(Base64.decode64($1))
+    else
+      raise AuthorizationError.new("Authorization missing")
+    end
+  end
+
+  def remote_ip
+    options[:headers][:x_forwarded_for]
+  end
+
+  # The username this resource authenticates as.
+  #
+  # @return [String] the username
+  def username
+    options[:user] || options[:username]
+  end
+end