conjur-api 2.5.1 → 2.7.1

data/.gitignore

@@ -18,4 +18,4 @@ test/version_tmp
 tmp
 .kateproject.d
 .rvmrc
-
+.idea

data/conjur-api.gemspec

@@ -25,4 +25,5 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'webmock'
   gem.add_development_dependency 'ci_reporter'
   gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'io-grab'
 end

data/lib/conjur-api/version.rb

@@ -1,6 +1,6 @@
 module Conjur
   class API
-    VERSION = "2.5.1"
+    VERSION = "2.7.1"
     # Note: when bumping major version, please remove compatibility code in role#grant_to
   end
 end

data/lib/conjur/api/authn.rb

@@ -27,6 +27,13 @@ module Conjur
         end
         JSON::parse(RestClient::Resource.new(Conjur::Authn::API.host)["users/#{fully_escape username}/authenticate"].post password, content_type: 'text/plain')
       end
+      
+      def update_password username, password, new_password
+        if Conjur.log
+          Conjur.log << "Updating password for #{username}\n"
+        end
+        RestClient::Resource.new(Conjur::Authn::API.host, user: username, password: password)['users/password'].put new_password
+      end
     end
 
     # Options:

data/lib/conjur/api/roles.rb

@@ -17,7 +17,16 @@ module Conjur
     end
 
     def role_from_username username
-      role(username.split('/').unshift('user')[-2..-1].join(':'))
+      role(role_name_from_username username)
+    end
+    
+    def role_name_from_username username = self.username
+      tokens = username.split('/')
+      if tokens.size == 1
+        [ 'user', username ].join(':')
+      else
+        [ tokens[0], tokens[1..-1].join('/') ].join(':')
+      end
     end
   end
 end

data/lib/conjur/base.rb

@@ -1,5 +1,6 @@
 require 'rest-client'
 require 'json'
+require 'base64'
 
 require 'conjur/exists'
 require 'conjur/has_attributes'

data/lib/conjur/core-api.rb

@@ -1,4 +1,12 @@
 module Conjur
+  class API
+    class << self
+      def core_asset_host
+        ::Conjur::Core::API.host
+      end
+    end
+  end
+  
   module Core
     class API < Conjur::API
       class << self

data/lib/conjur/standard_methods.rb

@@ -20,7 +20,7 @@ module Conjur
     
     def standard_list(host, type, options)
       JSON.parse(RestClient::Resource.new(host, credentials)[type.to_s.pluralize].get(options)).collect do |json|
-        send(type, json['id']).tap do |obj|
+        send(type, fully_escape(json['id'])).tap do |obj|
           obj.attributes = json
         end
       end

data/spec/api/authn_spec.rb

@@ -13,8 +13,10 @@ describe Conjur::API do
   describe "::login" do
     it "gets /users/login" do
       RestClient::Request.should_receive(:execute).with(
-        method: :get, url: "http://authn.example.com/users/login", user: user,
-        password: password, headers: {}
+        method: :get, url: "http://authn.example.com/users/login", 
+        user: user,
+        password: password, 
+        headers: {}
       ).and_return(response = double)
       Conjur::API::login(user, password).should == response
     end
@@ -46,4 +48,18 @@ describe Conjur::API do
       Conjur::API.authenticate(user, password).should == { 'response' => 'foo' }
     end
   end
+  
+  describe "::update_password" do
+    it "logs in and puts the new password" do
+      RestClient::Request.should_receive(:execute).with(
+        method: :put, 
+        url: "http://authn.example.com/users/password",
+        user: user,
+        password: password,
+        payload: 'new-password', 
+        headers: {  }
+      ).and_return :response
+      Conjur::API.update_password(user, password, 'new-password').should == :response
+    end
+  end
 end

data/spec/api/roles_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper'
+
+describe Conjur::API, api: :dummy do
+  describe '#role_name_from_username' do
+    subject { api }
+    before {
+      api.stub(:username) { username }
+    }
+    context "username is" do
+      [ 
+        [ 'the-user', 'user:the-user' ], 
+        [ 'host/the-host', 'host:the-host' ],
+        [ 'host/a/quite/long/host/name', 'host:a/quite/long/host/name' ],
+        [ 'newkind/host/name', 'newkind:host/name' ],
+      ].each do |p|
+        context "'#{p[0]}'" do
+          let(:username) { p[0] }
+          its("role_name_from_username") { should == p[1] }
+        end
+      end
+    end
+  end
+end

data/spec/lib/log_spec.rb

@@ -1,5 +1,5 @@
 require 'spec_helper'
-require 'io_helper'
+require 'io/grab'
 require 'tempfile'
 
 describe Conjur do
@@ -19,14 +19,14 @@ describe Conjur do
     context "with 'stdout'" do
       let(:param) { 'stdout' }
       it "creates something which writes to STDOUT" do
-        STDOUT.grab { log << "foo" }.should == 'foo'
+        $stdout.grab { log << "foo" }.should == 'foo'
       end
     end
 
     context "with 'stderr'" do
       let(:param) { 'stderr' }
       it "creates something which writes to STDERR" do
-        STDERR.grab { log << "foo" }.should == 'foo'
+        $stderr.grab { log << "foo" }.should == 'foo'
       end
     end
 

data/spec/rest_client/resource_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+describe RestClient::Resource do
+  context "URL path parsing" do
+    let(:resource) { RestClient::Resource.new "http://test.host/#{path}" }
+    
+    shared_examples_for "extracts the expected identifier" do
+      include Conjur::HasId
+      specify {
+        resource.path_components.should == path_components
+        id.should == path_components[2..-1].join('/')
+      }
+    end
+    
+    it_should_behave_like "extracts the expected identifier" do
+      let(:path) { "hosts/foo" }
+      let(:path_components) { [ "", "hosts", "foo" ] }
+    end
+    it_should_behave_like "extracts the expected identifier" do
+      let(:path) { "hosts/foo/bar" }
+      let(:path_components) { [ "", "hosts", "foo", "bar" ] }
+    end
+    it_should_behave_like "extracts the expected identifier" do
+      let(:path) { "hosts/foo%2Fbar" }
+      let(:path_components) { [ "", "hosts", "foo/bar" ] }
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 2.5.1
+  version: 2.7.1
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-26 00:00:00.000000000 Z
+date: 2013-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -140,6 +140,22 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: io-grab
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Conjur API
 email:
 - divided.mind@gmail.com
@@ -199,30 +215,15 @@ files:
 - lib/conjur/standard_methods.rb
 - lib/conjur/user.rb
 - lib/conjur/variable.rb
-- manual/asset/about.markdown
-- manual/asset/members.add.markdown
-- manual/asset/show.markdown
-- manual/group/about.markdown
-- manual/group/create.markdown
-- manual/host/about.markdown
-- manual/host/create.markdown
-- manual/host/enroll.markdown
-- manual/resource/about.markdown
-- manual/resource/create.markdown
-- manual/resource/deny.markdown
-- manual/resource/permit.markdown
-- manual/role/about.markdown
-- manual/role/members.markdown
-- manual/role/memberships.markdown
 - spec/api/authn_spec.rb
 - spec/api/groups_spec.rb
 - spec/api/hosts_spec.rb
 - spec/api/resources_spec.rb
+- spec/api/roles_spec.rb
 - spec/api/secrets_spec.rb
 - spec/api/users_spec.rb
 - spec/api/variables_spec.rb
 - spec/cas_rest_client.rb
-- spec/io_helper.rb
 - spec/lib/api_spec.rb
 - spec/lib/build_from_response_spec.rb
 - spec/lib/exists_spec.rb
@@ -234,6 +235,7 @@ files:
 - spec/lib/role_spec.rb
 - spec/lib/standard_methods_spec.rb
 - spec/lib/user_spec.rb
+- spec/rest_client/resource_spec.rb
 - spec/spec_helper.rb
 - spec/standard_methods_helper.rb
 - spec/variable_spec.rb
@@ -255,7 +257,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -863653852387038484
+      hash: -2598801054573023374
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -264,7 +266,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -863653852387038484
+      hash: -2598801054573023374
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.25
@@ -280,11 +282,11 @@ test_files:
 - spec/api/groups_spec.rb
 - spec/api/hosts_spec.rb
 - spec/api/resources_spec.rb
+- spec/api/roles_spec.rb
 - spec/api/secrets_spec.rb
 - spec/api/users_spec.rb
 - spec/api/variables_spec.rb
 - spec/cas_rest_client.rb
-- spec/io_helper.rb
 - spec/lib/api_spec.rb
 - spec/lib/build_from_response_spec.rb
 - spec/lib/exists_spec.rb
@@ -296,6 +298,7 @@ test_files:
 - spec/lib/role_spec.rb
 - spec/lib/standard_methods_spec.rb
 - spec/lib/user_spec.rb
+- spec/rest_client/resource_spec.rb
 - spec/spec_helper.rb
 - spec/standard_methods_helper.rb
 - spec/variable_spec.rb

data/manual/asset/about.markdown

@@ -1,12 +0,0 @@
-Asset
-=====
-
-Implements a domain-specific permission modeling concept. Assets combine functionality of roles, resources, and other assets
-together into unified APIs.
-
-Assets commonly perform the following functions:
-
-* **containment** An asset can contain other assets, such as an environment which contains variables or a deployment which contains hosts.
-Assets can be collected and re-combined arbitrarily.
-* **role management** Container assets can define roles which manage permissions on child assets. 
-

data/manual/asset/members.add.markdown

@@ -1,52 +0,0 @@
-Asset#members#add
-=================
-
-A common purpose of an asset is to manage access to a collection of "child" assets. Permissions on child assets are granted
-via roles defined on the parent asset.
-
-For example, consider an Environment asset which contains a number of child Variables:
-
-```
-Environment[e1]
-  - variables
-    - Variable[v1]
-    - Variable[v2]
-    - Variable[v3]
-```
-
-The Environment may define a role "use_variable" and permit "read" and "execute" on each variable by the "use_variable" role. 
-Therefore, granting the "use_variable" role to another role "r1" will permit r1 to read and execute each variable.
-
-Examples
---------
-
-### Command Line
-
-```bash
-$ conjur asset:create environment `conjur id:create`
-{
-  "id": "9yxa80",
-  <snip>
-}
-$ conjur host:create
-{
-  "id": "9bfqx5",
-  <snip>
-}
-$ conjur environment:variables:create 9yxa80 test-var test text/plain "the-value"
-Variable created
-$ conjur asset:show environment 9yxa80
-{
-  "id": "9yxa80",
-  "variables": {
-    "test-var": "he2e00"
-  },
-  <snip>
-}
-$ conjur resource:check variable he2e00 host:9bfqx5 execute
-false
-$ conjur asset:members:add environment 9yxa80 use_variable host:9bfqx5
-Membership granted
-$ conjur resource:check variable he2e00 host:9bfqx5 execute
-true
-```

data/manual/asset/show.markdown

@@ -1,50 +0,0 @@
-Asset#show
-==========
-
-Display an asset as JSON.
-
-The Conjur `jsonfield` utility can be used to pluck JSON values.
-
-Examples
---------
-
-### Command Line
-
-#### Create and show an environment
-
-```bash
-$ id=`conjur id:create`
-$ e=`conjur asset:create environment $id`
-$ conjur asset:show environment id
-{
-  "id": "0y3s00",
-  "variables": {
-  },
-  "userid": "kgilpin",
-  "ownerid": "sandbox:user:kgilpin",
-  "resource_identifier": "sandbox:environment:0y3s00"
-}
-```
-#### Create and show a host
-
-```bash
-$ hostid=`conjur host:create | jsonfield id`
-$ conjur asset:show host $hostid
-{
-  "id": "g7hytz",
-  "userid": "kgilpin",
-  "created_at": "2013-07-09T21:10:06+00:00",
-  "ownerid": "sandbox:user:kgilpin",
-  "roleid": "sandbox:host:g7hytz",
-  "resource_identifier": "sandbox:host:g7hytz"
-}
-```
-
-#### Attempt to show a non-existant asset.
-
-```bash
-$ conjur asset:show host foo
-error: 404 Resource Not Found
-$ echo $?
-1
-```

data/manual/group/about.markdown

@@ -1,6 +0,0 @@
-Group
-=====
-
-A group represents a collection of other roles (users, groups, hosts, generic roles, etc). Essentially
-it is just a role whose `kind` is "group".
-

data/manual/group/create.markdown

@@ -1,20 +0,0 @@
-Group#create
-============
-
-A group is created from an identifier. The identifier should be unique.
-
-Example
--------
-
-### Command Line
-
-```bash
-$ conjur group:create `conjur id:create`
-Created https://core-sandbox-conjur.herokuapp.com/groups/5zjys0
-```
-
-### API
-
-```ruby
-conjur.create_group SecureRandom.uuid
-```

data/manual/host/about.markdown

@@ -1,23 +0,0 @@
-Host
-====
-
-A host represents a non-human user. VMs, processes, and jobs are all commonly represented as Hosts.
-
-Attributes
-----------
-
-* **username** the host username is composed of the word 'host' composed with the host identifier. For example, "host/i-bbe231db"
-* **api_key** each host is assigned an API key, just like a human user
-
-Like a human User, a Host can authenticate with Conjur and perform actions.
-
-Roles
------
-
-On creation, the host creates a Conjur role to represent itself. The role kind is 'host'.
-
-Resources
----------
-
-On creation, the host creates a Conjur resource to represent itself. 
-

data/manual/host/create.markdown

@@ -1,34 +0,0 @@
-Host#create
-===========
-
-A host is created with an identifier. The identifier must be unique.
-It can be assigned, or it can be generated by Conjur. 
-
-When the host is created, the `api_key` field is included in the JSON response.
-
-Host#show does not include the `api_key`.
-
-Example
--------
-
-```bash
-$ conjur host:create
-{
-  "id": "8y2p5w",
-  "userid": "kgilpin",
-  "created_at": "2013-07-09T21:12:57+00:00",
-  "ownerid": "sandbox:user:kgilpin",
-  "roleid": "sandbox:host:8y2p5w",
-  "resource_identifier": "sandbox:host:8y2p5w",
-  "api_key": "vj98ne10ar6vvmwrjt02ryfj6924a4vkch6yqcw292v9p12sv1rd"
-}
-$ conjur asset:show host 8y2p5w
-{
-  "id": "8y2p5w",
-  "userid": "kgilpin",
-  "created_at": "2013-07-09T21:12:57+00:00",
-  "ownerid": "sandbox:user:kgilpin",
-  "roleid": "sandbox:host:8y2p5w",
-  "resource_identifier": "sandbox:host:8y2p5w"
-}
-```

data/manual/host/enroll.markdown

@@ -1,21 +0,0 @@
-Host#enroll
-===========
-
-Returns a unique URL which, when fetched, returns a shell command which will login
-the host with Conjur.
-
-Example
--------
-
-```bash
-$ conjur host:enroll vaz7qg
-https://core-sandbox-conjur.herokuapp.com/hosts/enroll?key=7fxt_HiRfOodA3J6wh5s2X9a6gm-b-wkPmF0g-HOPYo=
-On the target host, please execute the following command:
-curl -L https://core-sandbox-conjur.herokuapp.com/hosts/enroll?key=7fxt_HiRfOodA3J6wh5s2X9a6gm-b-wkPmF0g-HOPYo= | bash
-$ curl -L https://core-sandbox-conjur.herokuapp.com/hosts/enroll?key=7fxt_HiRfOodA3J6wh5s2X9a6gm-b-wkPmF0g-HOPYo=
-#!/bin/sh
-set -e
-
-conjur authn:login -u host/vaz7qg -p 39c63b3d5bc372de1c100feec852e05f747bc9eb
-```
-

data/manual/resource/about.markdown

@@ -1,11 +0,0 @@
-Resource
-========
-
-A resource is an entity on which permissions are assigned. 
-
-Resources are partitioned into "kinds", such as "group", "host",
-"file", "environment", "variable", etc. 
-
-Resources are not frequently used directly. Instead, higher-level "assets" such as Host, Group, User,
-Variable provide more intuitive functionality. For example, Assets often combine role and resource
-functionality together.

data/manual/resource/create.markdown

@@ -1,29 +0,0 @@
-Resource#create
-===============
-
-A resource is composed of a `kind` and `identifier`. The `kind`
-indicates the semantic purpose of the resource, the identifier identifies
-it uniquely within the kind. 
-
-Example
--------
-
-### Command Line
-
-```bash
-$ conjur resource:create food bacon
-{
-  "id": {
-    "account": "sandbox",
-    "kind": "food",
-    "id": "bacon"
-  },
-  "owner": {
-    "account": "sandbox",
-    "id": "user:kgilpin"
-  },
-  "permissions": [
-
-  ]
-}
-```

data/manual/resource/deny.markdown

@@ -1,23 +0,0 @@
-Resource#deny
-=============
-
-Removes a specific permission on a resource from a role. 
-
-The owner of a resource always has all permissions on the resource, even if specific permissions
-are denied.
-
-Example
--------
-
-### Command Line
-
-```bash
-$ conjur resource:permit food bacon host:a4yta8 fry
-Permission granted
-$ conjur resource:check food bacon host:a4yta8 fry
-true
-$ conjur resource:deny food bacon host:a4yta8 fry
-Permission revoked
-$ conjur resource:check food bacon host:a4yta8 fry
-false
-```

data/manual/resource/permit.markdown

@@ -1,35 +0,0 @@
-Resource#permit
-===============
-
-Gives a specific permission on a resource to a role. 
-
-Example
--------
-
-### Command Line
-
-```bash
-$ conjur host:create
-<snip>
-$ conjur resource:permit food bacon host:a4yta8 fry
-Permission granted
-$ conjur resource:check food bacon host:a4yta8 fry
-true
-$ conjur resource:check food bacon host:a4yta8 bake
-false
-$ conjur resource:permitted_roles food bacon fry
-[
-  {
-    "id": {
-      "account": "sandbox",
-      "id": "user:kgilpin"
-    }
-  },
-  {
-    "id": {
-      "account": "sandbox",
-      "id": "host:a4yta8"
-    }
-  }
-]
-```

data/manual/role/about.markdown

@@ -1,10 +0,0 @@
-Role
-====
-
-A role is a target to which permissions are assigned. Permitting an action on a resource by a role enables the role to perform
-the specified action.
-
-In addition, roles can be "granted to" other roles. When role "A" is granted to role "B", role "B" gains the ability to perform
-all the actions permitted to "A". In addition, a role can be granted with "grant option". When role "A" is granted to role "B" with
-grant option, role "B" can in turn grant role "A" to other roles.
-

data/manual/role/members.markdown

@@ -1,40 +0,0 @@
-Role#members
-============
-
-Lists the roles that have been the recipient of a role grant. The creator of the role is always a role member.
-
-If role "A" is created by user "U" and then granted to roles "B" and "C", then the members of role "A" are [ "U", "B", "C" ].
-
-Examples
---------
-
-### Command Line
-
-#### Add a role member and list the members
-
-```bash
-$ conjur role:create test:`conjur id:create`
-Created https://authz-v3-conjur.herokuapp.com/sandbox/roles/test/2y1300
-$ conjur role:members test:2y1300
-[
-  "sandbox:user:kgilpin"
-]
-$ conjur host:create
-{
-  "id": "w43699",
-  <snip>
-}
-$ conjur role:grant_to test:2y1300 host:w43699
-Role granted
-$ conjur role:members test:2y1300
-[
-  "sandbox:user:kgilpin",
-  "sandbox:host:w43699"
-]
-```
-
-#### The role argument is optional and defaults to the current role
-
-```bash
-$ conjur role:members
-```

data/manual/role/memberships.markdown

@@ -1,26 +0,0 @@
-Role#memberships
-================
-
-List the roles that a role has been granted, transitively.
-
-If role "A" is granted to role "B" which is granted to role "C", then the memberships of role "C" are [ "C", "B", "A" ].
-
-Examples
---------
-
-### Command Line
-
-```bash
-$ ns=`conjur id:create`
-$ conjur role:create test:$ns/A
-$ conjur role:create test:$ns/B
-$ conjur role:create test:$ns/C
-$ conjur role:grant_to test:$ns/A test:$ns/B
-$ conjur role:grant_to test:$ns/B test:$ns/C
-$ conjur role:memberships test:$ns/C
-[
-  "sandbox:test:dy7mg0/C",
-  "sandbox:test:dy7mg0/B",
-  "sandbox:test:dy7mg0/A"
-]
-```

data/spec/io_helper.rb

@@ -1,18 +0,0 @@
-class IO
-  def grab &block
-    @grabbed_output = ""
-    class << self
-      def write arg
-        @grabbed_output += arg
-      end
-    end
-
-    begin
-      yield
-    ensure
-      singleton_class.send :remove_method, :write
-    end
-
-    @grabbed_output
-  end
-end