conjur-api 4.15.0 → 4.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5364b2c4521be8b3f6b3fce20269873ac72a5ec8
-  data.tar.gz: e4e22c72cae8780bfe0263525156e5c57c0d5510
+  metadata.gz: 1774efca45d1103cedf13423ce1934f6c3a516e2
+  data.tar.gz: 028c735666d90ab39cc214e22f9e4013195b3894
 SHA512:
-  metadata.gz: 982cbf720ebb14461e0868a0c8281d14a6561b5335004270780ff45e393fbe93f5ddd755b60c127ab90aedf9b3f051a01f16b1bcb2a733293cb7199ef4f1f766
-  data.tar.gz: 9fbb761715f485f823b20a4493a53a753bca25d1217632c126bc03ced49fab69bb81922bb132dbaebb49d2e81c901f8567c9c26683031448214101725e86aad1
+  metadata.gz: 885c346828a875234c194bbd27f5a06b353e1b894d2dfc4cdca2dbfcbae27404176211417f968b8f9ca5854d627670d64c6c8a716d5a2f9b2db26f41eca3e802
+  data.tar.gz: 54bcfbb2d74a8f6e7c2079074716051d90369248b175a7f1a6fff434a808a4d2d4e41da24b484729b745012a751d3c982eb56f06ec3df24765a2cd0e55c87feb

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# v4.16.0
+  * Add ssl_certificate option to allow certs to be provided as strings (helpful in heroku)
+  * Add `Conjur::Configuration#apply_cert_config!` method to add certs from `#cert_file` and `#ssl_certificate` 
+     to the default cert store.
 # v4.15.0
  * Extensive documentation improvements
  * A few additional methoods, for example `Conjur::API#public_key_names`.

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.15.0"
+    VERSION = "4.16.0"
   end
 end

data/lib/conjur/configuration.rb

@@ -18,6 +18,8 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+
+require 'set'
 module Conjur
   
   class << self
@@ -388,8 +390,42 @@ module Conjur
     # @return [String, nil] path to the certificate file, or nil if you aren't using one.
     add_option :cert_file
 
+    # @!attribute ssl_certificate
+    #
+    # Contents of a certificate file.  This can be used instead of :cert_file in environments like Heroku where  you
+    # can't use a certificate file.
+    #
+    # This option overrides the value of {#cert_file} if both are given, and issues a warning.
+    #
+    # @see cert_file
+    add_option :ssl_certificate
+
+
+
+    # Add the certificate configured by the {#ssl_certificate} and {#cert_file} options to the certificate
+    # store used by Conjur clients.
+    #
+    # @param [OpenSSL::X509::Store] store the certificate store that the certificate will be installed in.
+    # @return [Boolean]  whether a certificate was added to the store.
+    def apply_cert_config! store=OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+      if ssl_certificate
+        add_cert_string store, ssl_certificate
+      elsif cert_file
+        store.add_file cert_file
+      else
+        return false
+      end
+      true
+    end
+
     private
 
+    def add_cert_string store, str
+      store.add_cert OpenSSL::X509::Certificate.new str
+    rescue OpenSSL::X509::StoreError => ex
+      raise ex unless ex.message == 'cert already in hash table'
+    end
+
     def global_service_url(service_name, service_port_offset)
       if appliance_url
         URI.join(appliance_url + '/', service_name).to_s
@@ -428,5 +464,6 @@ module Conjur
     def herokuize name
       name.downcase.gsub(/[^a-z0-9\-]/, '-')
     end
+
   end
 end

data/spec/lib/configuration_spec.rb

@@ -213,4 +213,90 @@ describe Conjur::Configuration do
       end
     end
   end
+
+  describe "apply_cert_config!" do
+    subject{ Conjur.configuration.apply_cert_config! }
+
+    let(:store){ double('default store') }
+
+
+    before do
+      stub_const 'OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE', store
+      allow_any_instance_of(Conjur::Configuration).to receive(:ssl_certificate).and_return ssl_certificate
+      allow_any_instance_of(Conjur::Configuration).to receive(:cert_file).and_return cert_file
+
+    end
+
+    context "when neither cert_file or ssl_certificate is present" do
+      let(:cert_file){ nil }
+      let(:ssl_certificate){ nil }
+
+      it 'does nothing to the store' do
+        expect(store).to_not receive(:add_file)
+        expect(store).to_not receive(:add_cert)
+        expect(subject).to be_falsey
+      end
+    end
+
+    context 'when both are given' do
+      let(:cert_file){ '/path/to/cert.pem' }
+      let(:ssl_certificate){ 'certificate contents' }
+      let(:cert){ double('certificate') }
+      it 'calls store.add_cert with a certificate created from ssl_certificate' do
+        expect(OpenSSL::X509::Certificate).to receive(:new).with(ssl_certificate).once.and_return cert
+        expect(store).to receive(:add_cert).once.with(cert)
+        expect(subject).to be_truthy
+      end
+    end
+
+    context 'when cert_file is given and ssl_certificate is not' do
+      let(:cert_file){ '/path/to/cert.pem' }
+      let(:ssl_certificate){ nil }
+      it 'calls store.add_file with cert_file' do
+        expect(store).to receive(:add_file).with(cert_file).once
+        expect(subject).to be_truthy
+      end
+    end
+
+    context 'when ssl_certificate is given' do
+      let(:cert_file){ nil }
+      let(:ssl_certificate){ 'certificate contents' }
+      let(:cert){ double('cert') }
+
+      before do
+        expect(OpenSSL::X509::Certificate).to receive(:new).with(ssl_certificate).at_least(:once).and_return cert
+      end
+
+      it 'calls store.add_cert with a certificate created from ssl_certificate' do
+        expect(store).to receive(:add_cert).with(cert).once
+        expect(subject).to be_truthy
+      end
+
+      it 'rescues from a StoreError with message "cert already in hash tabble"' do
+        expect(store).to receive(:add_cert).with(cert).once.and_raise(OpenSSL::X509::StoreError.new('cert already in hash table'))
+        expect(subject).to be_truthy
+      end
+
+
+      it 'does not rescue from other exceptions' do
+        expect(store).to receive(:add_cert).with(cert).once.and_raise(OpenSSL::X509::StoreError.new('some other message'))
+        expect{subject}.to raise_exception
+        expect(store).to receive(:add_cert).with(cert).once.and_raise(ArgumentError.new('bad news'))
+        expect{subject}.to raise_exception
+      end
+    end
+
+    context 'when given a store argument' do
+      let(:cert_file){ '/path/to/cert.pem' }
+      let(:ssl_certificate){ nil }
+      let(:alt_store){ double('alt store') }
+      subject{ Conjur.configuration.apply_cert_config! alt_store }
+
+      it 'uses that store instead' do
+        expect(alt_store).to receive(:add_file).with(cert_file).once
+        expect(subject).to be_truthy
+      end
+    end
+
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.15.0
+  version: 4.16.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-23 00:00:00.000000000 Z
+date: 2015-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client