conjur-api 2.0.1 → 2.1.0

data/Gemfile

@@ -3,8 +3,6 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in conjur-api.gemspec
 gemspec
 
-gem 'slosilo', :git => 'https://github.com/inscitiv/slosilo.git'
-
 group :test do
   gem 'fuubar'
 end

data/conjur-api.gemspec

@@ -16,7 +16,6 @@ Gem::Specification.new do |gem|
   gem.version       = Conjur::API::VERSION
   
   gem.add_dependency 'rest-client'
-  gem.add_dependency 'slosilo'
   gem.add_dependency 'activesupport'
   
   gem.add_development_dependency 'rake'

data/lib/conjur-api/version.rb

@@ -1,5 +1,5 @@
 module Conjur
   class API
-    VERSION = "2.0.1"
+    VERSION = "2.1.0"
   end
 end

data/lib/conjur/acts_as_resource.rb

@@ -2,7 +2,7 @@ module Conjur
   module ActsAsResource
     def resource
       require 'conjur/resource'
-      Conjur::Resource.new("#{Conjur::Authz::API.host}/#{path_escape resource_kind}/#{path_escape resource_id}", self.options)
+      Conjur::Resource.new(Conjur::Authz::API.host, self.options)[[ Conjur.account, 'resources', path_escape(resource_kind), path_escape(resource_id) ].join('/')]
     end
     
     def resource_kind

data/lib/conjur/acts_as_user.rb

@@ -5,9 +5,5 @@ module Conjur
         include ActsAsRole
       end
     end
-    
-    def roleid
-      id
-    end
   end
 end

data/lib/conjur/api/authn.rb

@@ -1,14 +1,5 @@
 require 'conjur/user'
 
-# Fails for the CLI client because it has no slosilo key
-#require 'rest-client'
-
-#RestClient.add_before_execution_proc do |req, params|
-#  require 'slosilo'
-#  req.extend Slosilo::HTTPRequest
-#  req.keyname = :authn
-#end
-
 module Conjur
   class API
     class << self
@@ -34,19 +25,7 @@ module Conjur
         if Conjur.log
           Conjur.log << "Authenticating #{username}\n"
         end
-        JSON::parse(RestClient::Resource.new(Conjur::Authn::API.host)["users/#{path_escape username}/authenticate"].post password, content_type: 'text/plain').tap do |token|
-          raise InvalidToken.new unless token_valid?(token)
-        end
-      end
-      
-      def token_valid? token
-        require 'slosilo'
-        key = Slosilo[:authn]
-        if key
-          key.token_valid? token
-        else
-          raise KeyError, "authn key not found in Slosilo keystore"
-        end
+        JSON::parse(RestClient::Resource.new(Conjur::Authn::API.host)["users/#{path_escape username}/authenticate"].post password, content_type: 'text/plain')
       end
     end
 

data/lib/conjur/api/hosts.rb

@@ -5,7 +5,7 @@ module Conjur
     class << self
       def enroll_host(url)
         if Conjur.log
-          logger << "Enrolling host with URL #{url}"
+          Conjur.log << "Enrolling host with URL #{url}\n"
         end
         require 'uri'
         url = URI.parse(url) if url.is_a?(String)

data/lib/conjur/api/resources.rb

@@ -2,8 +2,16 @@ require 'conjur/resource'
 
 module Conjur
   class API
-    def resource kind, identifier
-      Resource.new("#{Conjur::Authz::API.host}/#{kind}/#{path_escape identifier}", credentials)
+    def create_resource(identifier, options = {})
+      resource(identifier).tap do |r|
+        r.create(options)
+      end
+    end
+    
+    def resource identifier
+      paths = path_escape(identifier).split(':')
+      path = [ paths[0], 'resources', paths[1], paths[2..-1].join(':') ].flatten.join('/')
+      Resource.new(Conjur::Authz::API.host, credentials)[path]
     end
   end
 end

data/lib/conjur/api/roles.rb

@@ -3,15 +3,13 @@ require 'conjur/role'
 module Conjur
   class API
     def create_role(role, options = {})
-      log do |logger|
-        logger << "Creating role #{account}/#{role}"
+      role(role).tap do |r|
+        r.create(options)
       end
-      RestClient::Resource.new(Conjur::Authz::API.host, credentials)["roles/#{path_escape role}"].put(options)
-      role(role)
     end
 
     def role role
-      Role.new(Conjur::Authz::API.host, credentials)["roles/#{path_escape role}"]
+      Role.new(Conjur::Authz::API.host, credentials)[self.class.parse_role_id(role).join('/')]
     end
   end
 end

data/lib/conjur/base.rb

@@ -3,6 +3,7 @@ require 'json'
 
 require 'conjur/exists'
 require 'conjur/has_attributes'
+require 'conjur/path_based'
 require 'conjur/escape'
 require 'conjur/log'
 require 'conjur/log_source'
@@ -16,6 +17,12 @@ module Conjur
     include StandardMethods
     
     class << self
+      # Parse a role id into [ account, 'roles', kind, id ]
+      def parse_role_id(id)
+        paths = path_escape(id).split(':')
+        [ paths[0], 'roles', paths[1], paths[2..-1].join(':') ]
+      end
+
       def new_from_key(username, api_key)
         self.new username, api_key, nil
       end

data/lib/conjur/env.rb

@@ -16,7 +16,7 @@ module Conjur
   def stack
     ENV['CONJUR_STACK'] || case env
     when "production"
-      "v2"
+      "v21"
     else
       env
     end

data/lib/conjur/escape.rb

@@ -2,17 +2,20 @@ module Conjur
   module Escape
     module ClassMethods
       def path_escape(str)
-        return "false" unless str
-        str = str.id if str.respond_to?(:id)
-        require 'uri'
-        URI.escape(str.to_s, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+        path_or_query_escape str
       end
 
       def query_escape(str)
+        path_or_query_escape str
+      end
+      
+      def path_or_query_escape(str)
         return "false" unless str
         str = str.id if str.respond_to?(:id)
+        # Leave colons and forward slashes alone
         require 'uri'
-        URI.escape(str.to_s, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+        pattern = URI::PATTERN::UNRESERVED + ":\\/@"
+        URI.escape(str.to_s, Regexp.new("[^#{pattern}]"))
       end
     end
     

data/lib/conjur/host.rb

@@ -7,7 +7,7 @@ module Conjur
     include ActsAsUser
     
     def roleid
-      "host-#{id}"
+      "host:#{id}"
     end
     
     def enrollment_url

data/lib/conjur/path_based.rb

@@ -0,0 +1,19 @@
+module Conjur
+  module PathBased
+    def account
+      match_path(0..0)
+    end
+
+    def kind
+      match_path(2..2)
+    end
+    
+    protected
+    
+    def match_path(range)
+      require 'uri'
+      tokens = URI.parse(self.url).path[1..-1].split('/')[range]
+      tokens.map{|t| URI.unescape(t)}.join('/')
+    end
+  end
+end

data/lib/conjur/resource.rb

@@ -2,18 +2,15 @@ module Conjur
   class Resource < RestClient::Resource
     include Exists
     include HasAttributes
+    include PathBased
     
-    def kind
-      match_path(0..0)
-    end
-
     def identifier
-      match_path(1..-1)
+      match_path(3..-1)
     end
     
     def create(options = {})
       log do |logger|
-        logger << "Creating resource #{kind} : #{identifier}"
+        logger << "Creating resource #{kind}:#{identifier}"
         unless options.empty?
           logger << " with options #{options.to_json}"
         end
@@ -23,7 +20,7 @@ module Conjur
 
     # Lists roles that have a specified permission on the resource.
     def permitted_roles(permission, options = {})
-      JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.options)["roles/allowed_to/#{permission}/#{path_escape kind}/#{path_escape identifier}"].get(options)
+      JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.options)["#{account}/roles/allowed_to/#{permission}/#{path_escape kind}/#{path_escape identifier}"].get(options)
     end
     
     # Changes the owner of a resource
@@ -71,11 +68,5 @@ module Conjur
     def eachable(item)
       item.respond_to?(:each) ? item : [ item ]
     end
-    
-    def match_path(range)
-      require 'uri'
-      tokens = URI.parse(self.url).path[1..-1].split('/')[range]
-      tokens.map{|t| URI.unescape(t)}.join('/')
-    end
   end
 end

data/lib/conjur/role.rb

@@ -1,11 +1,17 @@
 module Conjur
   class Role < RestClient::Resource
     include Exists
-    include HasId
+    include PathBased
+
+    def identifier
+      match_path(3..-1)
+    end
+    
+    alias id identifier
     
     def create(options = {})
       log do |logger|
-        logger << "Creating role #{id}"
+        logger << "Creating role #{kind}:#{identifier}"
         unless options.empty?
           logger << " with options #{options.to_json}"
         end
@@ -14,14 +20,14 @@ module Conjur
     end
     
     def all(options = {})
-      JSON.parse(self["all"].get(options)).collect do |id|
-        Role.new("#{Conjur::Authz::API.host}/roles/#{path_escape id}", self.options)
+      JSON.parse(self["?all"].get(options)).collect do |id|
+        Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(id).join('/')]
       end
     end
     
     def grant_to(member, admin_option = false, options = {})
       log do |logger|
-        logger << "Granting role #{id} to #{member}"
+        logger << "Granting role #{identifier} to #{member}"
         if admin_option
           logger << " with admin option"
         end
@@ -29,24 +35,30 @@ module Conjur
           logger << " and extended options #{options.to_json}"
         end
       end
-      self["members/#{path_escape member}?admin_option=#{query_escape admin_option}"].put(options)
+      self["?members&member=#{query_escape member}&admin_option=#{query_escape admin_option}"].put(options)
     end
 
     def revoke_from(member, options = {})
       log do |logger|
-        logger << "Revoking role #{id} from #{member}"
+        logger << "Revoking role #{identifier} from #{member}"
         unless options.empty?
           logger << " with options #{options.to_json}"
         end
       end
-      self["members/#{path_escape member}"].delete(options)
+      self["?members&member=#{query_escape member}"].delete(options)
     end
 
     def permitted?(resource_kind, resource_id, privilege, options = {})
-      self["permitted?resource_kind=#{query_escape resource_kind}&resource_id=#{query_escape resource_id}&privilege=#{query_escape privilege}"].get(options)
+      self["?check&resource_kind=#{query_escape resource_kind}&resource_id=#{query_escape resource_id}&privilege=#{query_escape privilege}"].get(options)
       true
     rescue RestClient::ResourceNotFound
       false
     end
+    
+    def members
+      JSON.parse(self["?members"].get(options)).collect do |id|
+        Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(id).join('/')]
+      end
+    end
   end
 end

data/lib/conjur/user.rb

@@ -9,5 +9,9 @@ module Conjur
     include ActsAsUser
     
     alias login id
+
+    def roleid
+      [ 'user', id ].join(':')
+    end
   end
 end

data/spec/lib/api_spec.rb

@@ -66,16 +66,6 @@ describe Conjur::API do
       it_should_behave_like "API endpoint"
     end    
   end
-  context ".class" do
-    describe '#token_valid?' do
-      subject { Conjur::API }
-      it "raises KeyError when there's no authn key in the db" do
-        require 'slosilo'
-        Slosilo.stub(:[]).with(:authn).and_return nil
-        expect { subject.token_valid? :whatever }.to raise_error(KeyError)
-      end
-    end
-  end
   context "credential handling" do
     let(:login) { "bob" }
     let(:token) { { 'data' => login, 'timestamp' => (Time.now + elapsed ).to_s } }

data/spec/lib/resource_spec.rb

@@ -3,11 +3,12 @@ require 'spec_helper'
 require 'conjur/api'
 
 describe Conjur::Resource do
+  let(:account) { "the-account" }
   let(:uuid) { "ddd1f59a-494d-48fb-b045-0374c4a6eef9" }
   
   context "identifier" do
     include Conjur::Escape
-    let(:resource) { Conjur::Resource.new("#{Conjur::Authz::API.host}/#{kind}/#{path_escape identifier}") }
+    let(:resource) { Conjur::Resource.new("#{Conjur::Authz::API.host}/#{account}/resources/#{kind}/#{path_escape identifier}") }
     
     context "Object with an #id" do
       let(:kind) { "host" }
@@ -19,7 +20,7 @@ describe Conjur::Resource do
       end
     end
     
-    [ [ "foo", "bar/baz" ], [ "f:o", "bar" ], [ "@f", "bar.baz" ], [ "@f", "bar baz" ], [ "@f", "bar?baz" ] ].each do |p|
+    [ [ "foo", "bar/baz" ], [ "f:o", "bar" ], [ "@f", "bar.baz" ], [ "@f", "bar baz" ], [ "@f", "@:bar/baz" ] ].each do |p|
       context "of /#{p[0]}/#{p[1]}" do
         let(:kind) { p[0] }
         let(:identifier) { p[1] }

data/spec/lib/role_spec.rb

@@ -4,20 +4,25 @@ require 'conjur/api'
 
 shared_examples_for "properties" do
   subject { role }
+  its(:kind) { should == kind }
   its(:id) { should == id }
 end
 
 describe Conjur::Role do
+  let(:account) { "the-account" }
   context "#new" do
-    let(:url) { "#{Conjur::Authz::API.host}/roles/#{id}" }
-    let(:credentials) { mock(:credentials) }
-    let(:role) { Conjur::Role.new(url, credentials) }
+    let(:kind) { "test" }
+    let(:role) { Conjur::API.new_from_key('the-user', 'the-key').role([ account, kind, id ].join(":")) }
+    let(:token) { 'the-token' }
+    before {
+      Conjur::TokenCache.stub(:fetch).and_return token
+    }
     context "with plain id" do
       let(:id) { "foo" }
       it_should_behave_like "properties"
     end
     context "with more complex id" do
-      let(:id) { "@foo;bar" }
+      let(:id) { "foo/bar" }
       it_should_behave_like "properties"
     end
   end

data/spec/lib/user_spec.rb

@@ -12,14 +12,18 @@ describe Conjur::User do
       subject { user }
       its(:id) { should == login }
       its(:login) { should == login }
-      its(:roleid) { should == login }
+      its(:roleid) { should == ["user", login].join(':') }
       its(:resource_id) { should == login }
       its(:resource_kind) { should == "user" }
       its(:options) { should == credentials }
     end
+    before {
+      Conjur.stub(:account).and_return 'ci'
+    }
     it "connects to a Resource" do
       require 'conjur/resource'
-      Conjur::Resource.should_receive(:new).with("#{Conjur::Authz::API.host}/#{user.resource_kind}/#{user.resource_id}", credentials)
+      Conjur::Resource.should_receive(:new).with(Conjur::Authz::API.host, credentials).and_return resource = double(:resource)
+      resource.should_receive(:[]).with("ci/resources/user/the-login")
       
       user.resource
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-14 00:00:00.000000000 Z
+date: 2013-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -28,22 +28,6 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: slosilo
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -167,7 +151,6 @@ files:
 - lib/conjur/acts_as_user.rb
 - lib/conjur/api.rb
 - lib/conjur/api/authn.rb
-- lib/conjur/api/das.rb
 - lib/conjur/api/groups.rb
 - lib/conjur/api/hosts.rb
 - lib/conjur/api/resources.rb
@@ -179,7 +162,6 @@ files:
 - lib/conjur/authz-api.rb
 - lib/conjur/base.rb
 - lib/conjur/core-api.rb
-- lib/conjur/das-api.rb
 - lib/conjur/env.rb
 - lib/conjur/escape.rb
 - lib/conjur/exists.rb
@@ -190,6 +172,7 @@ files:
 - lib/conjur/host.rb
 - lib/conjur/log.rb
 - lib/conjur/log_source.rb
+- lib/conjur/path_based.rb
 - lib/conjur/resource.rb
 - lib/conjur/role.rb
 - lib/conjur/secret.rb
@@ -219,7 +202,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 3809342943954328390
+      hash: -1471203965853689802
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -228,7 +211,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 3809342943954328390
+      hash: -1471203965853689802
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.24

data/lib/conjur/api/das.rb

@@ -1,33 +0,0 @@
-
-module Conjur
-  class API
-    class << self
-      def data_access_service_url(account, path = nil, params = {})
-        provider = 'inscitiv'
-        base_url = if path.nil? || path.empty?
-          "#{Conjur::DAS::API.host}/data/#{account}/#{provider}"
-        else
-          path = path.split('/').collect do |p|
-            # Best possible answer I could find
-            # http://stackoverflow.com/questions/2834034/how-do-i-raw-url-encode-decode-in-javascript-and-ruby-to-get-the-same-values-in
-            URI.escape(p, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
-          end.join('/')
-          "#{Conjur::DAS::API.host}/data/#{account}/#{provider}/#{path}"
-        end
-        if params.nil? || params.empty?
-          base_url
-        else
-          query_string = params.map do |name,values|
-            values = [ values ] unless values.is_a?(Array)
-            values.map do |value|
-              name = URI.escape(name, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
-              value = URI.escape(value || "", Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
-              "#{name}=#{value}"
-            end
-          end.flatten.join("&")
-          "#{base_url}?#{query_string}"
-        end
-      end
-    end
-  end
-end

data/lib/conjur/das-api.rb

@@ -1,22 +0,0 @@
-module Conjur
-  module DAS
-    class API < Conjur::API
-      class << self
-        def host
-          ENV['CONJUR_DAS_URL'] || default_host
-        end
-        
-        def default_host
-          case Conjur.env
-          when 'test', 'development'
-            "http://localhost:#{Conjur.service_base_port + 200}"
-          else
-            "https://das-#{Conjur.stack}-conjur.herokuapp.com"
-          end
-        end
-      end
-    end
-  end
-end
-
-require 'conjur/api/das'