conjur-api 4.20.1 → 4.21.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 499e973eac8164648777759b0128f502ad692bb6
-  data.tar.gz: 6d85fe429b8d77cb7aaca33370c0bc48179e5345
+  metadata.gz: d71200c2e70d47ac438ff0c37aefb9eb3336291a
+  data.tar.gz: 81b7029927b6227918d9449e5e279280194a56a1
 SHA512:
-  metadata.gz: fa2d3a7024f3d41e6e87f81873179a1528b5d9b6d0a5657a8e8c281d8368189b3db301d3b525d88697d049d44868bac8df6b26aa026d2da48e785ed62d4ab843
-  data.tar.gz: 301f2f79b84e3c8a3f13a2cdb21666d33e3cc80bc0e5144aa8974e19a248070d49c081d6ffaabc41c4b06925cbfce7b637a4b30a91b3aba36e94e12927a0c160
+  metadata.gz: 6f2dc2ffd7e4a1fe1b183e25c907dbb3e442e68e324993405913256ad2b1a6d44465485d30a686aa94db161ea302d0e15da84500c669b1824ad6623a04f7225b
+  data.tar.gz: c991fdd8ff7d36c2dbc3d74e03f469d9d235ced8b30735b3454991aa9ea53c3f56140b0981022823f2c092c72b2ec1336140956f2745ec5237ee9de0ac996dee

data/.gitignore

@@ -1,3 +1,4 @@
+features/reports
 .DS_Store
 build_number
 *.gem

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+# v4.21.0
+
+* Add extensible Bootstrap commands as API methods.
+* `bootstrap` grants `reveal` and `elevate` to the `security_admin` group.
+* `bootstrap` creates `webservice:authn-tv`.
+* `bootstrap` creates an `auditors` group and gives `reveal` privilege to it.
+
 # v4.20.1
 
 * BUGFIX: Better handling for unicode and special characters in user ids.

data/Rakefile

@@ -1,26 +1,25 @@
 #!/usr/bin/env rake
 require "bundler/gem_tasks"
 require "yard"
+require 'ci/reporter/rake/rspec'
+require 'cucumber'
+require 'cucumber/rake/task'
+require 'rspec/core/rake_task'
 
-begin
-  require 'rspec/core/rake_task'
-  RSpec::Core::RakeTask.new(:spec) do |t|
-    t.rspec_opts = '--order rand'
-  end
-rescue LoadError
-  $stderr.puts "RSpec Rake tasks not available in environment #{ENV['RACK_ENV']}"
-end
-
+RSpec::Core::RakeTask.new :spec
+Cucumber::Rake::Task.new :features
 YARD::Rake::YardocTask.new(:yard)
 
-task :jenkins do
+task :jenkins => ['ci:setup:rspec', :spec] do
   if ENV['BUILD_NUMBER']
     File.write('build_number', ENV['BUILD_NUMBER'])
   end
-  require 'ci/reporter/rake/rspec'
-  Rake::Task["ci:setup:rspec"].invoke
-  Rake::Task["spec"].invoke
+  require 'fileutils'
+  FileUtils.rm_rf 'features/reports'
+  Cucumber::Rake::Task.new do |t|
+    t.cucumber_opts = "--tags ~@real-api --format pretty --format junit --out features/reports"
+  end.runner.run
   Rake::Task["yard"].invoke
 end
 
-task default: :spec
+task default: [:spec, :features]

data/ci/test.sh

@@ -0,0 +1,9 @@
+#!/bin/bash -e
+
+cd /src/conjur-api
+
+export CONJUR_AUTHN_LOGIN=admin
+export CONJUR_AUTHN_API_KEY=secret
+
+bundle
+bundle exec rake jenkins || true

data/conjur-api.gemspec

@@ -28,6 +28,9 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'rspec', '~> 3'
   gem.add_development_dependency 'rspec-expectations', '~> 3.4'
   gem.add_development_dependency 'webmock'
+  gem.add_development_dependency 'cucumber'
+  gem.add_development_dependency 'conjur-cli'
+  gem.add_development_dependency 'conjur-debify'
   gem.add_development_dependency 'ci_reporter_rspec'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'io-grab'

data/features/bootstrap.feature

@@ -0,0 +1,27 @@
+Feature: conjur bootstrap
+
+	Background: Bootstrap
+		Given I bootstrap
+
+	Scenario: Expected resources exist
+		Then expressions "$conjur.group('security_admin').exists?" and "true" are equal
+		Then expressions "$conjur.group('auditors').exists?" and "true" are equal
+		Then expressions "$conjur.group('pubkeys-1.0/key-managers').exists?" and "true" are equal
+		Then expressions "$conjur.resource('webservice:conjur/authn-tv').exists?" and "true" are equal
+		Then expressions "$conjur.resource('webservice:conjur/policy-loader').exists?" and "true" are equal
+		Then expressions "$conjur.host('conjur/policy-loader').exists?" and "true" are equal
+		Then expressions "$conjur.host('conjur/secrets-rotator').exists?" and "true" are equal
+		Then expressions "$conjur.host('conjur/ldap-sync').exists?" and "true" are equal
+		
+	Scenario: security_admin group has the expected members
+		Then expressions "$conjur.role('group:security_admin').members.map(&:member).map(&:roleid).sort.join(',')" and "'cucumber:host:conjur/authn-tv,cucumber:host:conjur/ldap-sync,cucumber:host:conjur/policy-loader,cucumber:host:conjur/secrets-rotator,cucumber:user:admin'" are equal
+
+	Scenario: security_admin can 'elevate' and 'reveal'
+		Then expression "$conjur.resource('!:!:conjur').permitted_roles('elevate')" includes "$conjur.group('security_admin').roleid"
+		Then expression "$conjur.resource('!:!:conjur').permitted_roles('reveal')" includes "$conjur.group('security_admin').roleid"
+
+	Scenario: auditors can 'reveal'
+		Then expression "$conjur.resource('!:!:conjur').permitted_roles('reveal')" includes "$conjur.group('auditors').roleid"
+
+	Scenario: API keys are saved in variables
+		Then expression "$conjur.resources(kind: 'variable').map(&:resourceid)" includes "'cucumber:variable:conjur/hosts/conjur/secrets-rotator/api-key'"

data/features/step_definitions/api_steps.rb

@@ -0,0 +1,24 @@
+Then(/^I bootstrap$/) do
+  class Listener
+    attr_accessor :messages
+    
+    def initialize
+      @messages = []
+    end
+    
+    def echo msg
+      @messages.push msg
+    end
+  end
+  @listener = Listener.new
+  
+  $conjur.bootstrap @listener
+end
+
+Then(/^expressions "([^"]*)" and "([^"]*)" are equal$/) do |code, test|
+  expect(eval(code)).to eq(eval(test))
+end
+
+Then(/^expression "([^"]*)" includes "([^"]*)"$/) do |code, test|
+  expect(eval(code)).to include(eval(test))
+end

data/features/support/env.rb

@@ -0,0 +1,5 @@
+require 'conjur/cli'
+
+Conjur::Config.load
+Conjur::Config.apply
+$conjur = Conjur::Authn.connect nil, noask: true

data/jenkins.sh

@@ -1,11 +1,27 @@
-#!/bin/bash -e
+#!/bin/bash -ex
 
-docker build -t api-ruby .
+CONJUR_VERSION=${CONJUR_VERSION:-"4.6"}
+DOCKER_IMAGE=${DOCKER_IMAGE:-"registry.tld/conjur-appliance-cuke-master:$CONJUR_VERSION-stable"}
+NOKILL=${NOKILL:-"0"}
+PULL=${PULL:-"1"}
 
-docker run --rm \
--v $PWD:/src \
-api-ruby \
-bash -c '''
-bundle
-bundle exec rake jenkins
-'''
+if [ -z "$CONJUR_CONTAINER" ]; then
+	if [ "$PULL" == "1" ]; then
+	    docker pull $DOCKER_IMAGE
+	fi
+	
+	cid=$(docker run -d -v ${PWD}:/src/conjur-api $DOCKER_IMAGE)
+	function finish {
+    	if [ "$NOKILL" != "1" ]; then
+			docker rm -f ${cid}
+		fi
+	}
+	trap finish EXIT
+	
+	>&2 echo "Container id:"
+	>&2 echo $cid
+else
+	cid=${CONJUR_CONTAINER}
+fi
+
+docker exec -i ${cid} /src/conjur-api/ci/test.sh

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.20.1"
+    VERSION = "4.21.0"
   end
 end

data/lib/conjur/api.rb

@@ -42,6 +42,7 @@ require 'conjur/core-api'
 require 'conjur/layer-api'
 require 'conjur/pubkeys-api'
 require 'conjur/host-factory-api'
+require 'conjur/bootstrap'
 require 'conjur-api/version'
 require 'conjur/api/info'
 

data/lib/conjur/api/host_factories.rb

@@ -56,7 +56,7 @@ module Conjur
       log do |logger|
         logger << "Creating host_factory #{id}"
         unless options.blank?
-          logger << " with options #{options.inspect}"
+          logger << " with options #{options.to_json}"
         end
       end
       options ||= {}

data/lib/conjur/api/hosts.rb

@@ -25,7 +25,7 @@ module Conjur
   class API
     class << self
       # @api private
-      # TODO WTF does this do!
+      # deprecated
       def enroll_host(url)
         if Conjur.log
           Conjur.log << "Enrolling host with URL #{url}\n"

data/lib/conjur/base.rb

@@ -186,6 +186,15 @@ module Conjur
     def username
       @username || @token['data']
     end
+    
+    # Perform all commands in Conjur::Bootstrap::Command.
+    def bootstrap listener
+        Conjur::Bootstrap::Command.constants.map{|c| Conjur::Bootstrap::Command.const_get(c)}.each do |cls|
+        next unless cls.is_a?(Class)
+        next unless cls.superclass == Conjur::Bootstrap::Command::Base
+        cls.new(self, listener).perform
+      end
+    end
 
     # @api private
     # used to delegate to host providing subclasses.

data/lib/conjur/bootstrap.rb

@@ -0,0 +1,151 @@
+module Conjur
+  module Bootstrap
+    module Command
+      Base = Struct.new(:api, :listener) do
+        def echo msg
+          listener.echo msg
+        end
+        
+        def security_admin
+          api.group("security_admin")
+        end
+        
+        def auditors
+          api.group("auditors")
+        end
+        
+        def find_or_create_record record, owner = nil, &block
+          if record.exists?
+            echo "#{record.resource_kind.capitalize} '#{record.id}' already exists"
+            record
+          else
+            echo "Creating #{record.resource_kind} '#{record.id}'"
+            options = {}
+            options[:ownerid] = owner.roleid if owner
+            result = if block_given?
+              yield record, options
+            else
+              api.send "create_#{record.resource_kind}", record.id, options
+            end
+            store_api_key result if result.attributes['api_key']
+            result
+          end
+        end
+
+        def find_or_create_resource resource, owner = nil
+          if resource.exists?
+            echo "#{resource.resource_kind.capitalize} '#{resource.identifier}' already exists"
+          else
+            echo "Creating #{resource.resource_kind} '#{resource.identifier}'"
+            options = {}
+            options[:ownerid] = owner.roleid if owner
+            api.create_resource resource.resourceid, options
+          end
+        end
+        
+        def store_api_key user
+          api.create_variable "text/plain", 
+            "conjur-api-key", 
+            id: "conjur/#{user.resource_kind.pluralize}/#{user.id}/api-key", 
+            value: user.api_key,
+            ownerid: security_admin.role.roleid
+          echo "The API of #{user.resource_kind} #{user.id} is stored in variable 'conjur/#{user.resource_kind.pluralize}/#{user.id}/api-key'. " +
+            "You can retire the variable if you don't want to keep it there."
+        end
+        
+        def permit resource, privilege, role
+          if resource.permitted_roles(privilege).member?(role.roleid)
+            echo "#{role.roleid} already has '#{privilege}' privilege on #{resource.resourceid}"
+          else
+            resource.permit privilege, role
+          end
+        end
+      end
+      
+      class SecurityAdminGroup < Base
+        def perform
+          find_or_create_record security_admin
+
+          security_admin.resource.give_to(security_admin) unless security_admin.resource.ownerid == security_admin.role.roleid
+        end
+      end
+
+      class AuditorsGroup < Base
+        def perform
+          find_or_create_record auditors, security_admin
+        end
+      end
+      
+      class Pubkeys < Base
+        def perform
+          find_or_create_record key_managers, security_admin
+          find_or_create_record pubkeys_layer, security_admin
+          find_or_create_record pubkeys_host, security_admin do |record, options|
+            api.create_host(id: record.id, ownerid: security_admin.roleid)
+          end
+          pubkeys_layer.add_host pubkeys_host unless pubkeys_layer.hosts.map(&:roleid).member?(pubkeys_host.roleid)
+          
+          find_or_create_resource pubkeys_service, security_admin
+          permit pubkeys_service, 'update', key_managers
+        end
+        
+        def pubkeys_layer
+          api.layer("pubkeys-1.0/public-keys")
+        end
+        
+        def pubkeys_host
+          api.host("conjur/pubkeys")
+        end
+        
+        def pubkeys_service
+          api.resource("service:pubkeys-1.0/public-keys")
+        end
+        
+        def key_managers
+          api.group("pubkeys-1.0/key-managers")
+        end
+      end
+      
+      class Attic < Base
+        def perform
+          find_or_create_record attic
+        end
+        
+        def attic_user_name
+          "attic"
+        end
+        
+        def attic
+          api.user(attic_user_name)
+        end
+      end
+      
+      # Create a set of hosts that have security_admin privilege.
+      class SystemAccounts < Base
+        def perform
+          for hostname in %w(conjur/authn-tv conjur/secrets-rotator conjur/policy-loader conjur/ldap-sync)
+            find_or_create_resource api.resource("webservice:#{hostname}"), security_admin
+            find_or_create_record api.host(hostname), security_admin do |record, options|
+              api.create_host(id: record.id, ownerid: security_admin.roleid).tap do |host|
+                host.role.revoke_from security_admin
+                security_admin.add_member host
+              end
+            end
+          end
+        end
+      end
+      
+      class GlobalPrivileges < Base
+        def perform
+          permit conjur_resource, 'elevate', security_admin
+          permit conjur_resource, 'reveal', security_admin
+          permit conjur_resource, 'reveal', auditors
+        end
+        
+        def conjur_resource
+          api.resource("!:!:conjur")
+        end
+      end
+    end
+  end
+end

data/lib/conjur/layer.rb

@@ -77,7 +77,7 @@ module Conjur
     # @return [Array<Conjur::Host>] the hosts in the layer.
     def hosts
       self.attributes['hosts'].collect do |id|
-        Conjur::Host.new(Conjur::API.core_asset_host, options)["hosts/#{fully_escape id}"]
+        Conjur::Host.new(Conjur::API.core_asset_host, options)["hosts/#{fully_escape id.split(':', 3)[-1]}"]
       end
     end
   end

data/lib/conjur/resource.rb

@@ -34,6 +34,8 @@ module Conjur
     include PathBased
     include Exists
 
+    alias resource_kind kind
+    
     # The identifier part of the `resource_id` for this resource.  The identifier
     # is the resource id without the `account` and `kind` parts.
     #

data/lib/conjur/standard_methods.rb

@@ -45,7 +45,7 @@ module Conjur
         logger << "Creating #{type}"
         logger << " #{id}" if id
         unless options.blank?
-          logger << " with options #{options.inspect}"
+          logger << " with options #{options.to_json}"
         end
       end
       options ||= {}

data/spec/ssl_spec.rb

@@ -25,18 +25,20 @@ describe 'SSL connection' do
       expect { Conjur::API.login 'foo', 'bar' }.to raise_error RestClient::ResourceNotFound
     end
   end
-
-  let(:port) { 54_128 }
+  
+  let(:server) do
+    server = WEBrick::HTTPServer.new \
+        Port: 0, SSLEnable: true,
+        AccessLog: [], Logger: Logger.new('/dev/null'), # shut up, WEBrick
+        SSLCertificate: cert, SSLPrivateKey: key
+  end
+  let(:port) { server.config[:Port] }
 
   before do
     allow(Conjur::Authn::API).to receive(:host).and_return "https://localhost:#{port}"
   end
 
   around do |example|
-    server = WEBrick::HTTPServer.new \
-        Port: port, SSLEnable: true,
-        AccessLog: [], Logger: Logger.new('/dev/null'), # shut up, WEBrick
-        SSLCertificate: cert, SSLPrivateKey: key
     server_thread = Thread.new do
       server.start
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.20.1
+  version: 4.21.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-18 00:00:00.000000000 Z
+date: 2016-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -129,6 +129,48 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: cucumber
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: conjur-cli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: conjur-debify
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ci_reporter_rspec
   requirement: !ruby/object:Gem::Requirement
@@ -279,11 +321,11 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- ci/test.sh
 - conjur-api.gemspec
-- features/enroll_server.feature
-- features/login.feature
-- features/ping_as_server.feature
-- features/ping_as_user.feature
+- features/bootstrap.feature
+- features/step_definitions/api_steps.rb
+- features/support/env.rb
 - jenkins.sh
 - lib/conjur-api.rb
 - lib/conjur-api/version.rb
@@ -311,6 +353,7 @@ files:
 - lib/conjur/authn-api.rb
 - lib/conjur/authz-api.rb
 - lib/conjur/base.rb
+- lib/conjur/bootstrap.rb
 - lib/conjur/build_from_response.rb
 - lib/conjur/cast.rb
 - lib/conjur/cert_utils.rb
@@ -416,10 +459,9 @@ signing_key:
 specification_version: 4
 summary: Conjur API
 test_files:
-- features/enroll_server.feature
-- features/login.feature
-- features/ping_as_server.feature
-- features/ping_as_user.feature
+- features/bootstrap.feature
+- features/step_definitions/api_steps.rb
+- features/support/env.rb
 - spec/api/authn_spec.rb
 - spec/api/graph_spec.rb
 - spec/api/groups_spec.rb

data/features/enroll_server.feature

@@ -1,26 +0,0 @@
-Feature: Server enrollment
-
-Background:
-	When I login with my username and password
-	And I receive an API key
-
-Scenario: Enroll this server
-	When I enroll a server
-	Then the request succeeds
-	Then I receive an enrollment key
-
-Scenario: The server is granted no other roles by default
-	Given I enroll a server
-	And I switch to the server role
-	When I list my roles
-	Then the result contains 1 item
-
-Scenario: The server can be granted other roles
-	Given I enroll a server
-	And I create a role
-	And I grant the role to the server
-	And I switch to the server role
-	And I list my roles
-	Then the result contains 2 items
-
-	

data/features/login.feature

@@ -1,13 +0,0 @@
-Feature: Login
-
-Scenario: Login with my username and password
-	When I login with my username and password
-	Then the request succeeds
-	And I receive an API key
-
-Scenario: Login with my username and password
-	When I login with my username and invalid password
-	Then the request fails with error 401
-	
-
-

data/features/ping_as_server.feature

@@ -1,16 +0,0 @@
-Feature: Ping
-
-Background:
-	Given I login with my username and password
-	And I receive an API key
-	And I enroll a server
-	And I switch to the server role
-
-Scenario: Ping using the server enrollment key
-	When I ping
-	Then the request succeeds
-
-Scenario: Server credentials do not work from a different host 
-	Given I force the request IP address to 127.0.0.1
-	When I ping
-	Then the request fails with error 401

data/features/ping_as_user.feature

@@ -1,9 +0,0 @@
-Feature: Ping
-
-Background:
-	When I login with my username and password
-	And I receive an API key
-
-Scenario: Ping using an API key
-	When I ping
-	Then the request succeeds