conjur-api 2.0.0

data/.gitignore

@@ -0,0 +1,18 @@
+build_number
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.project

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>conjur-api</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>com.aptana.ide.core.unifiedBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>com.aptana.ruby.core.rubynature</nature>
+		<nature>com.aptana.projects.webnature</nature>
+	</natures>
+</projectDescription>

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format Fuubar

data/.rvmrc

@@ -0,0 +1 @@
+rvm use 1.9.3@conjur-api-ruby --create

data/Gemfile

@@ -0,0 +1,10 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in conjur-api.gemspec
+gemspec
+
+gem 'slosilo', :git => 'https://github.com/inscitiv/slosilo.git'
+
+group :test do
+  gem 'fuubar'
+end

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Rafał Rzepecki
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Conjur::API
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'conjur-api'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install conjur-api
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,20 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:spec)
+rescue LoadError
+  $stderr.puts "RSpec Rake tasks not available in environment #{ENV['RACK_ENV']}"
+end
+
+task :jenkins do
+  if ENV['BUILD_NUMBER']
+    File.write('build_number', ENV['BUILD_NUMBER'])
+  end
+  require 'ci/reporter/rake/rspec'
+  Rake::Task["ci:setup:rspec"].invoke
+  Rake::Task["spec"].invoke
+end
+
+task default: :spec

data/conjur-api.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/conjur-api/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Rafa\305\202 Rzepecki","Kevin Gilpin"]
+  gem.email         = ["divided.mind@gmail.com","kevin.gilpin@inscitiv.com"]
+  gem.description   = %q{Conjur API}
+  gem.summary       = %q{Conjur API}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\) + Dir['build_number']
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "conjur-api"
+  gem.require_paths = ["lib"]
+  gem.version       = Conjur::API::VERSION
+  
+  gem.add_runtime_dependency 'rest-client'
+  gem.add_runtime_dependency 'slosilo'
+  gem.add_runtime_dependency 'activesupport'
+  
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'spork'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'vcr'
+  gem.add_development_dependency 'webmock'
+  gem.add_development_dependency 'ci_reporter'
+end

data/features/enroll_server.feature

@@ -0,0 +1,26 @@
+Feature: Server enrollment
+
+Background:
+	When I login with my username and password
+	And I receive an API key
+
+Scenario: Enroll this server
+	When I enroll a server
+	Then the request succeeds
+	Then I receive an enrollment key
+
+Scenario: The server is granted no other roles by default
+	Given I enroll a server
+	And I switch to the server role
+	When I list my roles
+	Then the result contains 1 item
+
+Scenario: The server can be granted other roles
+	Given I enroll a server
+	And I create a role
+	And I grant the role to the server
+	And I switch to the server role
+	And I list my roles
+	Then the result contains 2 items
+
+	

data/features/login.feature

@@ -0,0 +1,13 @@
+Feature: Login
+
+Scenario: Login with my username and password
+	When I login with my username and password
+	Then the request succeeds
+	And I receive an API key
+
+Scenario: Login with my username and password
+	When I login with my username and invalid password
+	Then the request fails with error 401
+	
+
+

data/features/ping_as_server.feature

@@ -0,0 +1,16 @@
+Feature: Ping
+
+Background:
+	Given I login with my username and password
+	And I receive an API key
+	And I enroll a server
+	And I switch to the server role
+
+Scenario: Ping using the server enrollment key
+	When I ping
+	Then the request succeeds
+
+Scenario: Server credentials do not work from a different host 
+	Given I force the request IP address to 127.0.0.1
+	When I ping
+	Then the request fails with error 401

data/features/ping_as_user.feature

@@ -0,0 +1,9 @@
+Feature: Ping
+
+Background:
+	When I login with my username and password
+	And I receive an API key
+
+Scenario: Ping using an API key
+	When I ping
+	Then the request succeeds

data/lib/conjur-api/version.rb

@@ -0,0 +1,5 @@
+module Conjur
+  class API
+    VERSION = "2.0.0"
+  end
+end

data/lib/conjur/acts_as_resource.rb

@@ -0,0 +1,21 @@
+module Conjur
+  module ActsAsResource
+    def resource
+      require 'conjur/resource'
+      Conjur::Resource.new("#{Conjur::Authz::API.host}/#{path_escape resource_kind}/#{path_escape resource_id}", self.options)
+    end
+    
+    def resource_kind
+      self.class.name.split("::")[1..-1].join('-').downcase
+    end
+
+    def resource_id
+      id
+    end
+
+    def delete
+      resource.delete
+      super
+    end
+  end
+end

data/lib/conjur/acts_as_role.rb

@@ -0,0 +1,8 @@
+module Conjur
+  module ActsAsRole
+    def role
+      require 'conjur/role'
+      Conjur::Role.new("#{Conjur::Authz::API.host}/roles/#{path_escape roleid}", self.options)
+    end
+  end
+end

data/lib/conjur/acts_as_user.rb

@@ -0,0 +1,13 @@
+module Conjur
+  module ActsAsUser
+    def self.included(base)
+      base.instance_eval do
+        include ActsAsRole
+      end
+    end
+    
+    def roleid
+      id
+    end
+  end
+end

data/lib/conjur/api.rb

@@ -0,0 +1,22 @@
+require 'conjur/env'
+require 'conjur/base'
+require 'conjur/acts_as_resource'
+require 'conjur/acts_as_role'
+require 'conjur/acts_as_user'
+require 'conjur/log_source'
+require 'conjur/has_attributes'
+require 'conjur/has_identifier'
+require 'conjur/has_id'
+require 'conjur/das-api'
+require 'conjur/authn-api'
+require 'conjur/authz-api'
+require 'conjur/core-api'
+
+class RestClient::Resource
+  include Conjur::Escape
+  include Conjur::LogSource
+  
+  def username
+    options[:user] || options[:username]
+  end
+end

data/lib/conjur/api/authn.rb

@@ -0,0 +1,66 @@
+require 'conjur/user'
+
+# Fails for the CLI client because it has no slosilo key
+#require 'rest-client'
+
+#RestClient.add_before_execution_proc do |req, params|
+#  require 'slosilo'
+#  req.extend Slosilo::HTTPRequest
+#  req.keyname = :authn
+#end
+
+module Conjur
+  class API
+    class << self
+      # Perform login by Basic authentication.
+      def login username, password
+        if Conjur.log
+          Conjur.log << "Logging in #{username} via Basic authentication\n"
+        end
+        RestClient::Resource.new(Conjur::Authn::API.host, user: username, password: password)['/users/login'].get
+      end
+
+      # Perform login by CAS authentication.
+      def login_cas username, password, cas_api_url
+        if Conjur.log
+          Conjur.log << "Logging in #{username} via CAS authentication\n"
+        end
+        require 'cas_rest_client'
+        client = CasRestClient.new(:username => username, :password => password, :uri => [ cas_api_url, 'v1', 'tickets' ].join('/'), :use_cookies => false)
+        client.get("#{Conjur::Authn::API.host}/users/login").body
+      end
+
+      def authenticate username, password
+        if Conjur.log
+          Conjur.log << "Authenticating #{username}\n"
+        end
+        JSON::parse(RestClient::Resource.new(Conjur::Authn::API.host)["/users/#{path_escape username}/authenticate"].post password, content_type: 'text/plain').tap do |token|
+          raise InvalidToken.new unless token_valid?(token)
+        end
+      end
+      
+      def token_valid? token
+        require 'slosilo'
+        key = Slosilo[:authn]
+        if key
+          key.token_valid? token
+        else
+          raise KeyError, "authn key not found in Slosilo keystore"
+        end
+      end
+    end
+
+    # Options:
+    # +password+
+    #
+    # Response:
+    # +login+
+    # +api_key+
+    def create_authn_user login, options = {}
+      log do |logger|
+        logger << "Creating authn user #{login}"
+      end
+      JSON.parse RestClient::Resource.new(Conjur::Authn::API.host, credentials)['/users'].post(options.merge(login: login))
+    end
+  end
+end

data/lib/conjur/api/das.rb

@@ -0,0 +1,33 @@
+
+module Conjur
+  class API
+    class << self
+      def data_access_service_url(account, path = nil, params = {})
+        provider = 'inscitiv'
+        base_url = if path.nil? || path.empty?
+          "#{Conjur::DAS::API.host}/data/#{account}/#{provider}"
+        else
+          path = path.split('/').collect do |p|
+            # Best possible answer I could find
+            # http://stackoverflow.com/questions/2834034/how-do-i-raw-url-encode-decode-in-javascript-and-ruby-to-get-the-same-values-in
+            URI.escape(p, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+          end.join('/')
+          "#{Conjur::DAS::API.host}/data/#{account}/#{provider}/#{path}"
+        end
+        if params.nil? || params.empty?
+          base_url
+        else
+          query_string = params.map do |name,values|
+            values = [ values ] unless values.is_a?(Array)
+            values.map do |value|
+              name = URI.escape(name, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+              value = URI.escape(value || "", Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+              "#{name}=#{value}"
+            end
+          end.flatten.join("&")
+          "#{base_url}?#{query_string}"
+        end
+      end
+    end
+  end
+end

data/lib/conjur/api/groups.rb

@@ -0,0 +1,18 @@
+require 'conjur/group'
+
+module Conjur
+  class API
+    def create_group(id, options = {})
+      log do |logger|
+        logger << "Creating group "
+        logger << id
+      end
+      resp = RestClient::Resource.new(Conjur::Core::API.host, credentials)['/groups'].post(options.merge(id: id))
+      Group.new(resp.headers[:location], credentials)
+    end
+
+    def group id
+      Group.new(Conjur::Core::API.host)["/groups/#{path_escape id}"]
+    end
+  end
+end

data/lib/conjur/api/hosts.rb

@@ -0,0 +1,37 @@
+require 'conjur/host'
+
+module Conjur
+  class API
+    def create_host options
+      log do |logger|
+        logger << "Creating host"
+      end
+      resp = JSON.parse RestClient::Resource.new("#{Conjur::Core::API.host}/hosts", credentials).post(options)
+      host(resp['id']).tap do |h|
+        log do |logger|
+          logger << "Created host #{h.id}"
+        end
+        h.attributes = resp
+      end
+    end
+    
+    class << self
+      def enroll_host(url)
+        if Conjur.log
+          logger << "Enrolling host with URL #{url}"
+        end
+        require 'uri'
+        url = URI.parse(url) if url.is_a?(String)
+        response = Net::HTTP.get_response url
+        raise "Host enrollment failed with status #{response.code} : #{response.body}" unless response.code.to_i == 200
+        mime_type = response['Content-Type']
+        body = response.body
+        [ mime_type, body ]
+      end
+    end
+    
+    def host id
+      Host.new("#{Conjur::Core::API.host}/hosts/#{path_escape id}", credentials)
+    end
+  end
+end