conjur-api 4.19.0 → 4.19.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d286220bf5ce8e32e9fa3ecbba374906d40739a8
-  data.tar.gz: d38f3fd537e81c44c537327642cc4ef6b6407537
+  metadata.gz: 901ca102477411588107366adff9780e60eca7c2
+  data.tar.gz: 710a9dc4be2dce8bb3f7130ade8120563ee61e19
 SHA512:
-  metadata.gz: c1c6e64c7cc31108c7c9f2fc7dde41c10d4b57006c8963f0be3288b49e365f5fb5fbf97b58e744e9fcf9493feafc8070a6571a26d65b6c7b0b13298dffef209e
-  data.tar.gz: b64f23a2614041ec2f186d9f563ace280ea3cb1f791663c26d780b41911cc5b057e37161cb1d1b9588162cf7393c8290dff26cd2a7d45136bbdd35463f20d361
+  metadata.gz: ad298e7f945003d44306c6b9eb8b90a072ccde560735b8a092b1581a7847a3efcecc37f4d16f33f272a2b8b5d5d0c655fe767e7ddcd67b643616ca7767519cc2
+  data.tar.gz: 582dec6a6727e502be95af2b7024944e9ad9c260dc465710400d6e600af59a644b5df030264449b685831e064a7371a503cc11e2301ae4605c1f376cbd309427

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# v4.19.1
+
+* BUGFIX: Allow Configuration to parse several certs in a string
+
 # v4.19.0
 
 * Rename `sudo` to `elevate` throughout the spec and docstrings. This is an incompatible change, but it

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.19.0"
+    VERSION = "4.19.1"
   end
 end

data/lib/conjur/api.rb

@@ -42,24 +42,31 @@ require 'conjur/layer-api'
 require 'conjur/pubkeys-api'
 require 'conjur-api/version'
 
-class RestClient::Resource
-  include Conjur::Escape
-  include Conjur::LogSource
-  include Conjur::Cast
-  extend  Conjur::BuildFromResponse
-
+# Monkey patch RestClient::Request so it always uses
+# :ssl_cert_store. (RestClient::Resource uses Request to send
+# requests, so it sees :ssl_cert_store, too).
+class RestClient::Request
   alias_method :initialize_without_defaults, :initialize
 
-  def initialize url, options = nil, &block
-    initialize_without_defaults url, default_options.merge(options || {}), &block
-  end
-
-  def default_options
+  def default_args
     {
       ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
     }
   end
   
+  def initialize args
+    initialize_without_defaults default_args.merge(args)
+  end
+  
+end
+
+    
+class RestClient::Resource
+  include Conjur::Escape
+  include Conjur::LogSource
+  include Conjur::Cast
+  extend  Conjur::BuildFromResponse
+
   # @api private
   # @deprecated
   # The account used by the core service.  This  is deprecated in favor of {Conjur.account} and

data/lib/conjur/base.rb

@@ -175,7 +175,7 @@ module Conjur
     # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
     attr_reader :remote_ip
 
-    #@!attribute [r] privilege
+    #@!attribute [rw] privilege
     # The optional global privilege (e.g. 'elevate' or 'reveal') which should be attempted on the request.
     attr_accessor :privilege
 

data/lib/conjur/cert_utils.rb

@@ -0,0 +1,47 @@
+#
+# Copyright (C) 2015 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+module Conjur
+  module CertUtils
+    CERT_RE = /-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----\n/m
+
+    class << self
+      # Parse X509 DER-encoded certificates from a string
+      # @param certs [String] certificate(s) to parse in DER form
+      # @return [Array<OpenSSL::X509::Certificate>] certificates contained in the string
+      def parse_certs certs
+        # fix any mangled namespace
+        certs = certs.gsub /\s+/, "\n"
+        certs.gsub! "-----BEGIN\nCERTIFICATE-----", '-----BEGIN CERTIFICATE-----'
+        certs.gsub! "-----END\nCERTIFICATE-----", '-----END CERTIFICATE-----'
+        certs += "\n" unless certs[-1] == "\n"
+
+        certs.scan(CERT_RE).map do |cert|
+          begin
+            OpenSSL::X509::Certificate.new cert
+          rescue OpenSSL::X509::CertificateError => exn
+            raise exn, "Invalid certificate:\n#{cert} (#{exn.message})"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conjur/configuration.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2015 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -20,6 +20,9 @@
 #
 
 require 'set'
+
+require 'conjur/cert_utils'
+
 module Conjur
   
   class << self
@@ -409,7 +412,13 @@ module Conjur
     # @return [Boolean]  whether a certificate was added to the store.
     def apply_cert_config! store=OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
       if ssl_certificate
-        add_cert_string store, ssl_certificate
+        CertUtils.parse_certs(ssl_certificate).each do |cert|
+          begin
+            store.add_cert cert
+          rescue OpenSSL::X509::StoreError => ex
+            raise unless ex.message == 'cert already in hash table'
+          end
+        end
       elsif cert_file
         store.add_file cert_file
       else
@@ -420,19 +429,6 @@ module Conjur
 
     private
 
-    def add_cert_string store, str
-      str = str.gsub(/\s+/, "\n")
-      str.gsub!("-----BEGIN\n", "-----BEGIN ")
-      str.gsub!("-----END\n", "-----END ")
-      store.add_cert OpenSSL::X509::Certificate.new str
-    rescue OpenSSL::X509::CertificateError => ex
-      $stderr.puts "Invalid certificate:"
-      $stderr.puts str
-      raise ex
-    rescue OpenSSL::X509::StoreError => ex
-      raise ex unless ex.message == 'cert already in hash table'
-    end
-
     def global_service_url(service_name, service_port_offset)
       if appliance_url
         URI.join(appliance_url + '/', service_name).to_s

data/spec/lib/cert_utils_spec.rb

@@ -0,0 +1,81 @@
+require 'spec_helper'
+
+describe Conjur::CertUtils do
+  describe '.parse_certs' do
+    let(:cert1_raw) do
+      """-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
+CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
+BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
+NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
+uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
+FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
+PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
+CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
+wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
+Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
+AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
+3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
+dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
+RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
++SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
+bGenr4vsPuSFsycM03/EcQDT
+-----END CERTIFICATE-----
+"""
+    end
+    let(:cert2_raw) do
+      """-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIJAJnsrJ1+j9MhMA0GCSqGSIb3DQEBCwUAMD0xETAPBgNV
+BAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDASBgNVBAMTC2N1a2Ut
+bWFzdGVyMB4XDTE1MTAwNzE2MzAwM1oXDTI1MTAwNDE2MzAwM1owPTERMA8GA1UE
+ChMIY3VjdW1iZXIxEjAQBgNVBAsTCUNvbmp1ciBDQTEUMBIGA1UEAxMLY3VrZS1t
+YXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsuZ06Ld4JDhxZ
+FcxKVxu7MTjXVv6W8pI7qFKmgr39aNqmDpKYJ1H9aM+r9zaTAeithpM4wJpVswkJ
+d0RSuKdm1LOx11yHLyZ1OvlPHFhsVWdZIQZ6R9srhPYBUCMem4sHR5IAcBBX+HkR
+35gaPYUl1uFV/9zCniekt92Kdta+it1WL7XinXTBURlhDawiD/kv1C9x6dICEJVe
+IT/jRohmqHAoM/JSOQTthaDli3Qvu5K8XAx8UXvWVmv3eStZFVDbC4ZEueRd9KAe
+4IZ5FxdpFYkPBgt2lBYeydYKRShyYrDKye1uJBDkeplNaYW4cS4mOhYuRkdKn7MH
+uY/xb1lFAgMBAAGjgYkwgYYwKQYDVR0RBCIwIIILY3VrZS1tYXN0ZXKCCWxvY2Fs
+aG9zdIIGY29uanVyMB0GA1UdDgQWBBRHpGF7aQbHdORYgQKDC2hV6NzEKzAfBgNV
+HSMEGDAWgBRHpGF7aQbHdORYgQKDC2hV6NzEKzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIB5jANBgkqhkiG9w0BAQsFAAOCAQEAGZT9Wek1hYluIVaxu03wSKCKIJ4p
+KxTHw+mLDapg1y9t3Fa/5IQQK0Bx0xGU2qWiQKjda3vdFPJWO6l6XJvsUY5Nwtm5
+Gcsk8l3L/zWCrjrFTH3TdVad5E+DTwVhThelmEjw68AyM+WuOL61j0MItd9mLW74
+Lv2zouj9nQBdnUBHWQ0EL/9d5cfaCVu/bFlDfYt7Yj0IzXCuaWZfJeHodU1hmqVX
+BvYRjnTB2LSxfmSnkrCeFPmhE11bWVtsLIdrGIgtEMX0/s9xg58QuNnva1U3pJsW
+RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
+-----END CERTIFICATE-----
+"""
+    end
+
+    let(:cert1) { OpenSSL::X509::Certificate.new cert1_raw }
+    let(:cert2) { OpenSSL::X509::Certificate.new cert2_raw }
+
+    it 'parses a certificate' do
+      expect(Conjur::CertUtils.parse_certs(cert1_raw).map(&:to_der))\
+          .to eq [cert1.to_der]
+    end
+
+    it 'parses two certificates' do
+      expect(Conjur::CertUtils.parse_certs(cert1_raw + cert2_raw).map(&:to_der))\
+          .to eq [cert1.to_der, cert2.to_der]
+    end
+
+    it 'parses the certificate correctly even if the whitespace is wrong' do
+      bad_whitespace = cert1_raw.gsub "\n", " "
+      expect(Conjur::CertUtils.parse_certs(bad_whitespace).map(&:to_der))\
+          .to eq [cert1.to_der]
+    end
+
+    it 'shows a bad cert in error message' do
+      bad_cert = "-----BEGIN CERTIFICATE-----\nfoo\n-----END CERTIFICATE-----\n"
+      expect do
+        Conjur::CertUtils.parse_certs(bad_cert)
+      end.to raise_error(OpenSSL::X509::CertificateError) do |exn|
+        expect(exn.message).to include bad_cert
+      end
+    end
+  end
+end

data/spec/lib/configuration_spec.rb

@@ -238,7 +238,7 @@ describe Conjur::Configuration do
 
     context 'when both are given' do
       let(:cert_file){ '/path/to/cert.pem' }
-      let(:ssl_certificate){ 'certificate-contents' }
+      let(:ssl_certificate){ "-----BEGIN CERTIFICATE-----\nfoo\n-----END CERTIFICATE-----\n" }
       let(:cert){ double('certificate') }
       it 'calls store.add_cert with a certificate created from ssl_certificate' do
         expect(OpenSSL::X509::Certificate).to receive(:new).with(ssl_certificate).once.and_return cert
@@ -320,5 +320,57 @@ CERT
       end
     end
 
+    context 'with two certificates in a string' do
+      let(:cert_file) { nil }
+      let(:ssl_certificate) do
+        """-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
+CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
+BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
+NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
+uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
+FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
+PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
+CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
+wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
+Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
+AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
+3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
+dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
+RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
++SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
+bGenr4vsPuSFsycM03/EcQDT
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIJAJnsrJ1+j9MhMA0GCSqGSIb3DQEBCwUAMD0xETAPBgNV
+BAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDASBgNVBAMTC2N1a2Ut
+bWFzdGVyMB4XDTE1MTAwNzE2MzAwM1oXDTI1MTAwNDE2MzAwM1owPTERMA8GA1UE
+ChMIY3VjdW1iZXIxEjAQBgNVBAsTCUNvbmp1ciBDQTEUMBIGA1UEAxMLY3VrZS1t
+YXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsuZ06Ld4JDhxZ
+FcxKVxu7MTjXVv6W8pI7qFKmgr39aNqmDpKYJ1H9aM+r9zaTAeithpM4wJpVswkJ
+d0RSuKdm1LOx11yHLyZ1OvlPHFhsVWdZIQZ6R9srhPYBUCMem4sHR5IAcBBX+HkR
+35gaPYUl1uFV/9zCniekt92Kdta+it1WL7XinXTBURlhDawiD/kv1C9x6dICEJVe
+IT/jRohmqHAoM/JSOQTthaDli3Qvu5K8XAx8UXvWVmv3eStZFVDbC4ZEueRd9KAe
+4IZ5FxdpFYkPBgt2lBYeydYKRShyYrDKye1uJBDkeplNaYW4cS4mOhYuRkdKn7MH
+uY/xb1lFAgMBAAGjgYkwgYYwKQYDVR0RBCIwIIILY3VrZS1tYXN0ZXKCCWxvY2Fs
+aG9zdIIGY29uanVyMB0GA1UdDgQWBBRHpGF7aQbHdORYgQKDC2hV6NzEKzAfBgNV
+HSMEGDAWgBRHpGF7aQbHdORYgQKDC2hV6NzEKzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIB5jANBgkqhkiG9w0BAQsFAAOCAQEAGZT9Wek1hYluIVaxu03wSKCKIJ4p
+KxTHw+mLDapg1y9t3Fa/5IQQK0Bx0xGU2qWiQKjda3vdFPJWO6l6XJvsUY5Nwtm5
+Gcsk8l3L/zWCrjrFTH3TdVad5E+DTwVhThelmEjw68AyM+WuOL61j0MItd9mLW74
+Lv2zouj9nQBdnUBHWQ0EL/9d5cfaCVu/bFlDfYt7Yj0IzXCuaWZfJeHodU1hmqVX
+BvYRjnTB2LSxfmSnkrCeFPmhE11bWVtsLIdrGIgtEMX0/s9xg58QuNnva1U3pJsW
+RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
+-----END CERTIFICATE-----
+"""
+      end
+
+      it 'adds both to the store' do
+        expect(store).to receive(:add_cert).twice
+        expect(subject).to be_truthy
+      end
+    end
   end
 end

data/spec/vendor/rest_client_spec.rb

@@ -30,6 +30,15 @@ describe RestClient::Request do
     end
   end
 
+  context 'default arguments' do
+    let(:cache) { nil }
+    let(:lazy) { false }
+    it "sets cert_store to OpenSSL's default cert store" do
+      request = RestClient::Request.new(method: 'GET', url: 'http://example.com')
+      expect(request.ssl_opts[:cert_store]).to eq(OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE)
+    end
+  end
+  
   def reinit_mime_types!
     # pretend to initialize MIME::Types from scratch
     MIME::Types.instance_variable_set :@__types__, nil

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.19.0
+  version: 4.19.1
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-28 00:00:00.000000000 Z
+date: 2015-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -261,6 +261,7 @@ files:
 - lib/conjur/base.rb
 - lib/conjur/build_from_response.rb
 - lib/conjur/cast.rb
+- lib/conjur/cert_utils.rb
 - lib/conjur/configuration.rb
 - lib/conjur/core-api.rb
 - lib/conjur/deputy.rb
@@ -308,6 +309,7 @@ files:
 - spec/lib/asset_spec.rb
 - spec/lib/audit_spec.rb
 - spec/lib/build_from_response_spec.rb
+- spec/lib/cert_utils_spec.rb
 - spec/lib/configuration_spec.rb
 - spec/lib/deputy_spec.rb
 - spec/lib/exists_spec.rb
@@ -376,6 +378,7 @@ test_files:
 - spec/lib/asset_spec.rb
 - spec/lib/audit_spec.rb
 - spec/lib/build_from_response_spec.rb
+- spec/lib/cert_utils_spec.rb
 - spec/lib/configuration_spec.rb
 - spec/lib/deputy_spec.rb
 - spec/lib/exists_spec.rb