conjur-api 4.19.1 → 4.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 901ca102477411588107366adff9780e60eca7c2
-  data.tar.gz: 710a9dc4be2dce8bb3f7130ade8120563ee61e19
+  metadata.gz: ebb00e2f94e68846848adb5a2cd1ab57ac5fc1a6
+  data.tar.gz: 56489be115c5c8204ab84fd2985e6041384af5be
 SHA512:
-  metadata.gz: ad298e7f945003d44306c6b9eb8b90a072ccde560735b8a092b1581a7847a3efcecc37f4d16f33f272a2b8b5d5d0c655fe767e7ddcd67b643616ca7767519cc2
-  data.tar.gz: 582dec6a6727e502be95af2b7024944e9ad9c260dc465710400d6e600af59a644b5df030264449b685831e064a7371a503cc11e2301ae4605c1f376cbd309427
+  metadata.gz: e03d90f9779f73f2fcdb366f72b5f23266072121a69e03c480be29796822e5048fb580fddb56a9b57c44c0a7084cd60de22b21f185f8e4c881aa1e1c678c05fd
+  data.tar.gz: 40b2f4d6c81f5c38a97917526e8dd8fd6176fb53d1bf53deaddd902ac59d264dafdb8c30449c3f95c397964cef18ba722ca897685b025132702b35010303d10d

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+# v4.20.0
+
+* Add support for Host Factory functionality (replaces conjur-asset-host-factory plugin).
+* Add support for sending audit events (replaces conjur-asset-audit-send plugin).
+* Add support for variable expiration. Variable expiration is available in version 4.6 of the Conjur server.
+* Add `Conjur::API` methods to querying service versions : `service_version`, `service_names`, `appliance_info`.
+* Add `Conjur::API` method for querying server health: `appliance_health(remote_host=nil)`
+* Support ISO8601 duration strings as arguments in variable expiration methods.
+* Add support for CIDR restrictions
+
 # v4.19.1
 
 * BUGFIX: Allow Configuration to parse several certs in a string

data/Dockerfile

@@ -0,0 +1,4 @@
+FROM ruby:1.9.3
+
+RUN mkdir /src
+WORKDIR /src

data/Gemfile

@@ -1,5 +1,6 @@
 source 'https://rubygems.org'
 
+#ruby=ruby-2.1.5
 #ruby-gemset=conjur-api
 
 # Specify your gem's dependencies in conjur-api.gemspec

data/conjur-api.gemspec

@@ -21,10 +21,12 @@ Gem::Specification.new do |gem|
   
   gem.add_dependency 'rest-client', '~> 1.7', '>= 1.7.3'
   gem.add_dependency 'activesupport'
+  gem.add_dependency 'semantic'
   
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'spork'
   gem.add_development_dependency 'rspec', '~> 3'
+  gem.add_development_dependency 'rspec-expectations', '~> 3.4'
   gem.add_development_dependency 'webmock'
   gem.add_development_dependency 'ci_reporter_rspec'
   gem.add_development_dependency 'simplecov'
@@ -33,5 +35,6 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'yard'
   gem.add_development_dependency 'redcarpet'
   gem.add_development_dependency 'timecop'
+  gem.add_development_dependency 'tins', '~> 1.6', '< 1.7.0'
   gem.add_development_dependency 'inch'
 end

data/jenkins.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+docker build -t api-ruby .
+
+docker run --rm \
+-v $PWD:/src \
+api-ruby \
+bash -c '''
+bundle
+bundle exec rake jenkins
+'''

data/lib/conjur-api/version.rb

@@ -1,4 +1,4 @@
-# Copyright (C) 2013-2015 Conjur Inc.
+# Copyright (C) 2013-2016 Conjur Inc.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.19.1"
+    VERSION = "4.20.0"
   end
 end

data/lib/conjur/acts_as_user.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2015 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -43,5 +43,32 @@ module Conjur
     def api
       Conjur::API.new_from_key login, api_key
     end
+
+    # Rotate this user's API key.  You must have `update` permission on the user to do so.
+    #
+    # @note You will not be able to access the API key returned by this method later, so you should
+    #   probably hang onto it it.
+    #
+    # @note You cannot rotate your own API key with this method.  To do so, use `Conjur::API.rotate_api_key`
+    #
+    # @note This feature requires a Conjur appliance running version 4.6 or higher.
+    #
+    # @return [String] the new API key for this user.
+    def rotate_api_key
+      path = "users/api_key?id=#{fully_escape login}"
+      RestClient::Resource.new(Conjur::Authn::API.host, options)[path].put('').body
+    end
+
+    # Set login network restrictions for the user.
+    #
+    # @param [Array<String, IPAddr>] networks which allow logging in. Set to empty to remove restrictions
+    def set_cidr_restrictions networks
+      authn_user = RestClient::Resource.new(Conjur::Authn::API.host, options)\
+          ["users?id=#{fully_escape login}"]
+
+      # we need use JSON here to be able to PUT an empty array
+      params = { cidr: [*networks].map(&CIDR.method(:validate)).map(&:to_s) }
+      authn_user.put params.to_json, content_type: :json
+    end
   end
 end

data/lib/conjur/api.rb

@@ -25,6 +25,7 @@ require 'conjur/cast'
 require 'conjur/configuration'
 require 'conjur/env'
 require 'conjur/base'
+require 'conjur/exceptions'
 require 'conjur/build_from_response'
 require 'conjur/acts_as_resource'
 require 'conjur/acts_as_role'
@@ -40,7 +41,9 @@ require 'conjur/audit-api'
 require 'conjur/core-api'
 require 'conjur/layer-api'
 require 'conjur/pubkeys-api'
+require 'conjur/host-factory-api'
 require 'conjur-api/version'
+require 'conjur/api/info'
 
 # Monkey patch RestClient::Request so it always uses
 # :ssl_cert_store. (RestClient::Resource uses Request to send

data/lib/conjur/api/audit.rb

@@ -82,6 +82,19 @@ module Conjur
       audit_event_feed "resources/#{CGI.escape cast(resource, :resourceid)}", options, &block
     end
 
+    # Send custom audit event
+    # @param input [String|Hash|Array] event or array of events (optionally serialized to JSON)
+    def audit_send input 
+      json = if input.kind_of? String
+                input
+             elsif input.kind_of? Array or input.kind_of? Hash
+                input.to_json
+             else
+                raise ArgumentError, "Parameter should be either String, Hash or Array"
+             end
+      rest_api = RestClient::Resource.new(Conjur::Authz::API.host, credentials)["audit"]
+      rest_api.post json, content_type: "text/plain"
+    end
     #@!endgroup
 
     private
@@ -120,4 +133,4 @@ module Conjur
       JSON.parse response
     end
   end
-end
+end

data/lib/conjur/api/authn.rb

@@ -86,6 +86,7 @@ module Conjur
         JSON::parse(RestClient::Resource.new(Conjur::Authn::API.host)["users/#{fully_escape username}/authenticate"].post password, content_type: 'text/plain')
       end
 
+
       # Change a user's password.  To do this, you must have the user's current password.  This does not change or rotate
       #   api keys.  However, you *can*  use the user's api key as the *current* password, if the user was not created
       #   with a password.
@@ -102,6 +103,34 @@ module Conjur
       end
 
       #@!endgroup
+
+      #@!group Password and API key management
+
+      # Rotate the currently authenticated user's API key by generating and returning a new one.
+      # The old API key is no longer valid after calling this method.  You must have the user's current
+      # API key or password to perform this operation.  This method *does not* affect the user's password.
+      #
+      # @note If the user does not have a password, the returned API key will be the **only** way to authenticate as
+      #   the user.  Therefore, you'd best save it.
+      #
+      # @note This feature requires version 4.6 of the Conjur appliance.
+      #
+      # @param [String] username the name of the user whose password we want to change
+      # @param [String] password the user's current password *or* api key
+      # @return [String] the new API key for the user
+      def rotate_api_key username, password
+        if Conjur.log
+          Conjur.log << "Rotating API key for self (#{username})\n"
+        end
+
+        RestClient::Resource.new(
+              Conjur::Authn::API.host,
+              user: username,
+              password: password
+        )['users/api_key'].put('').body
+      end
+
+      #@!endgroup
     end
 
     # @api private

data/lib/conjur/api/host_factories.rb

@@ -0,0 +1,93 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/host_factory'
+
+module Conjur
+  class API
+    class << self
+      # Creates a host and returns the response Hash.
+      def host_factory_create_host token, id, options = {}
+        token = token.token if token.is_a?(HostFactoryToken)
+        http_options = {
+          headers: { authorization: %Q(Token token="#{token}") }
+        }
+        response = RestClient::Resource.new(Conjur::API.host_factory_asset_host, http_options)["hosts"].post(options.merge(id: id)).body
+        JSON.parse(response)
+      end
+    end
+    
+    # Options:
+    # +layers+ list of host factory layers
+    # +roleid+ host factory role id
+    # +role+ host factory role. If this is provided, it is converted to roleid.
+    def create_host_factory(id, options = {})
+      if options[:layers]
+        options[:layers] = options[:layers].map do |layer|
+          if layer.is_a?(Conjur::Layer)
+            layer.id
+          elsif layer.is_a?(String)
+            layer
+          else
+            raise "Can't interpret layer #{layer}"
+          end
+        end
+      end
+      if role = options.delete(:role)
+        options[:roleid] = role.roleid
+      end
+      log do |logger|
+        logger << "Creating host_factory #{id}"
+        unless options.blank?
+          logger << " with options #{options.inspect}"
+        end
+      end
+      options ||= {}
+      options[:id] = id
+      resp = RestClient::Resource.new(Conjur::API.host_factory_asset_host, credentials).post(options)
+      Conjur::HostFactory.build_from_response(resp, credentials)
+    end
+    
+    def host_factory id
+      Conjur::HostFactory.new(Conjur::API.host_factory_asset_host, credentials)[fully_escape(id)]
+    end
+
+    def revoke_host_factory_token token
+      token = token.token if token.is_a?(Conjur::HostFactoryToken)
+      RestClient::Resource.new(Conjur::API.host_factory_asset_host, credentials)["tokens/#{token}"].delete
+    end
+    
+    def show_host_factory_token token
+      token = token.token if token.is_a?(Conjur::HostFactoryToken)
+      attrs = JSON.parse(RestClient::Resource.new(Conjur::API.host_factory_asset_host, credentials)["tokens/#{token}"].get.body)
+      Conjur::HostFactoryToken.new(Conjur::API.host_factory_asset_host, credentials)["tokens"][attrs['token']].tap do |token|
+        token.attributes = attrs
+      end
+    end
+    
+    # Creates a Host and returns a Host object.
+    def host_factory_create_host token, id, options = {}
+      attributes = self.class.host_factory_create_host token, id, options
+      Conjur::Host.new(Conjur::API.core_asset_host, credentials)["hosts"][fully_escape attributes['id']].tap do |host|
+        host.attributes = attributes
+      end
+    end
+  end
+end

data/lib/conjur/api/hosts.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2015 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -78,6 +78,8 @@ module Conjur
     #   a member of the owner role.
     #
     def create_host options = nil
+      options = options.merge \
+          cidr: [*options[:cidr]].map(&CIDR.method(:validate)).map(&:to_s) if options[:cidr]
       standard_create Conjur::Core::API.host, :host, nil, options
     end
 
@@ -104,4 +106,4 @@ module Conjur
 
     #@!endgroup
   end
-end
+end

data/lib/conjur/api/info.rb

@@ -0,0 +1,126 @@
+# Copyright (C) 2013-2016 Conjur Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'semantic'
+require 'semantic/core_ext'
+module Conjur
+  class API
+    class << self
+
+      # Return the version of the given service presently running on the Conjur appliance.
+      #
+      # @example Check that the authn service is at least version 4.6
+      #   if api.service_version('authn') >= '4.6.0'.to_version
+      #     puts "Authn version is at least 4.6.0"
+      #   end
+      #
+      # This feature is useful for determining whether the Conjur appliance has a particular feature.
+      #
+      # If the given service does not exist, this method will raise an exception.  To retrieve a list of
+      # valid service names, you can use `Conjur::API.service_names`
+      #
+      # @param [String] service the name of the service.
+      # @return [Semantic::Version] the version of the service.
+      def service_version service
+        if (service_info = appliance_info['services'][service]).nil?
+          raise "Unknown service #{service} (services are #{service_names.join(', ')}."
+        else
+          # Pre-release versions are discarded, because they make testing harder:
+          # 2.0.0-p598 :004 > Semantic::Version.new("4.5.0") <= Semantic::Version.new("4.5.0-1")
+          # => false
+          major, minor, patch, pre = service_info['version'].split(/[.-]/)[0..3]
+          Semantic::Version.new "#{major}.#{minor}.#{patch}"
+        end
+      end
+
+      # Return an Array of valid service names for your appliance.
+      #
+      # @return [Array<String>] the names of services on the appliance.
+      def service_names
+        appliance_info['services'].keys
+      end
+
+      # Return a Hash containing various information about the Conjur appliance.
+      #
+      # If the appliance does not support this feature, raise Conjur::FeatureNotAvailable.
+      #
+      # @note This feature requires Conjur appliance version 4.6 or above.
+      #
+      # @return [Hash] various information about the Conjur appliance.
+      def appliance_info
+        JSON.parse(RestClient::Resource.new(appliance_info_url).get.body)
+      rescue RestClient::ResourceNotFound
+        raise Conjur::FeatureNotAvailable.new('Your appliance does not support the /info URL needed by Conjur::API.appliance_info (you need 4.6 or later)')
+      end
+
+      # Return a Hash containing health information for this appliance, or for another host.
+      #
+      # If the `remote_host` argument is provided, the health of that appliance is reported from
+      # the perspective of the appliance being queried (as specified by the `appliance_url` configuration
+      # variable).
+      #
+      # @note When called without an argument, this method requires a Conjur server running version 4.5 or later.
+      #   When called with an argument, it requires 4.6 or later.
+      #
+      # @param [String, NilClass] remote_host a hostname for a remote host
+      # @return [Hash] the appliance health information.
+      def appliance_health remote_host=nil
+        remote_host.nil? ? own_health : remote_health(remote_host)
+      end
+
+      private
+
+
+      def remote_health host
+        JSON.parse(RestClient::Resource.new(remote_health_url(host)).get.body)
+      rescue RestClient::ResourceNotFound
+        raise Conjur::FeatureNotAvailable.new('Your appliance does not support the /remote_health/:host URL needed by Conjur::API.appliance_health (you need 4.6 or later)')
+      rescue RestClient::ExceptionWithResponse => ex
+        JSON.parse(ex.response.body)
+      end
+
+
+      def own_health
+        JSON.parse(RestClient::Resource.new(appliance_health_url).get.body)
+      rescue RestClient::ResourceNotFound
+        raise Conjur::FeatureNotAvailable.new('Your appliance does not support the /health URL needed by Conjur::API.appliance_health (you need 4.5 or later)')
+      rescue RestClient::ExceptionWithResponse => ex
+        JSON.parse(ex.response.body)
+      end
+
+      def remote_health_url host
+        raw_appliance_url "/remote_health/#{fully_escape host}"
+      end
+
+      def appliance_health_url
+        raw_appliance_url '/health'
+      end
+
+      def appliance_info_url
+        raw_appliance_url '/info'
+      end
+
+      def raw_appliance_url path
+        url = Conjur.configuration.appliance_url
+        raise "Conjur connection is not configured" unless url
+        url.gsub(%r{/api$}, path)
+      end
+    end
+  end
+end