conjur-api 4.22.1 → 4.23.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 112df80d0de58ed399d501948d9003abb1afcfb3
-  data.tar.gz: 33d13ad37bfc43d7f69643eba261b5d6367513f7
+  metadata.gz: 91bb6f8e907814c4dd388fef05384202a9e51a29
+  data.tar.gz: 4884d67d8ec68a02fdbabe297edeb1e8d95a6d88
 SHA512:
-  metadata.gz: 64162326b7b50d050f1b46ba398b2e356cc719b0fa1520c22c6da2007288e52afa7e48e493aae01c9da70a0b15180018a32ff56d40183a7bd1dc31ca439bdb44
-  data.tar.gz: 54695910fe7b6e085111b7ffa52adb2e3b9b7ca07117d664debaf3439cb6d5d4aa63c0a9684e287257401fb9c1cb86651154c95dde53fbb3802866df564c508b
+  metadata.gz: 425b6e7ecbae6f9d79ee004a522ebe51d8ee091f452d3e6d30ff041a33dad04b15d33676b29179105e19f28b537be6325a0f951412a757236e07a1d03dee5954
+  data.tar.gz: a4fb4478261d5f9a677c19c2b8103e1f5a9a78015b36dcf17780a1c8288c43de3e3f854b26e1dde1f17c237bde971ac1d9cd1e2544b2fafd195ee10c798f9cdc

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+# v4.23.0
+
+* Add `with_audit_roles` and `with_audit_resources` to `Conjur::API`
+  to add additional roles and resources to audit records generated by
+  requests
+
+* Fix encoding of spaces in some urls.
+
 # v4.22.1
 
 * `bootstrap` creates host and webservice `conjur/expiration`.

data/conjur-api.gemspec

@@ -28,6 +28,7 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'rspec', '~> 3'
   gem.add_development_dependency 'rspec-expectations', '~> 3.4'
   gem.add_development_dependency 'webmock'
+  gem.add_development_dependency 'aruba', '~> 0.12.0'
   gem.add_development_dependency 'cucumber'
   gem.add_development_dependency 'conjur-cli'
   gem.add_development_dependency 'conjur-debify'

data/features/audit_resources.feature

@@ -0,0 +1,15 @@
+Feature: audit with additional resources
+
+  Background:
+    Given I create the variable "$ns_foo"
+
+  Scenario: with one additional resource
+    When I create an api with the additional audit resource "webservice:ws1"
+    And I check to see if I'm permitted to "read" variable "$ns_foo"
+    Then an audit event for variable "$ns_foo" with action "check" and resource "webservice:ws1" is generated
+
+  Scenario: with more than one additional resource
+    When I create an api with the additional audit resources "webservice:ws1, webservice:ws2"
+    And I check to see if I'm permitted to "read" variable "$ns_foo"
+    Then an audit event for variable "$ns_foo" with action "check" and resources "webservice:ws1, webservice:ws2" is generated
+

data/features/audit_roles.feature

@@ -0,0 +1,15 @@
+Feature: audit with additional resources
+
+  Background:
+    Given I create the variable "$ns_foo"
+
+  Scenario: with one additional resource
+    When I create an api with the additional audit role "user:auditor1"
+    And I check to see if I'm permitted to "read" variable "$ns_foo"
+    Then an audit event for variable "$ns_foo" with action "check" and role "user:auditor1" is generated
+
+  Scenario: with more than one additional resource
+    When I create an api with the additional audit roles "user:auditor2,group:auditors"
+    And I check to see if I'm permitted to "read" variable "$ns_foo"
+    Then an audit event for variable "$ns_foo" with action "check" and roles "user:auditor2,group:auditors" is generated
+

data/features/step_definitions/api_steps.rb

@@ -19,6 +19,39 @@ Then(/^expressions "([^"]*)" and "([^"]*)" are equal$/) do |code, test|
   expect(eval(code)).to eq(eval(test))
 end
 
+Then(/^expression "(.*?)" is equal to$/) do |code, test| 
+  step %Q{expressions "#{code}" and "#{test}" are equal}
+end
+    
 Then(/^expression "([^"]*)" includes "([^"]*)"$/) do |code, test|
   expect(eval(code)).to include(eval(test))
 end
+
+Then(/^I evaluate the expression "([^"]*)"$/) do |code|
+  eval(code)
+end
+
+Then(/^I evaluate the expression$/) do |code|
+  step %Q{I evaluate the expression "#{code}"}
+end
+
+Then(/^I create the variable "(.*?)"$/) do |var|
+  api.create_variable('text/plain', 'secret', :id => var)
+end
+
+Then(/^I create an api with the additional audit (role|resource)[s]* "(.*?)"$/) do |type, things|
+  @api = api.send("with_audit_#{type}s", things.split(','))
+end
+
+Then(/^I check to see if I'm permitted to "(.*?)" variable "(.*?)"$/) do |priv, var|
+  api.variable(var).resource.permitted?(priv)
+end
+
+Then(/^an audit event for variable "(.*?)" with action "(.*?)" and (role|resource)[s]* "(.*?)" is generated$/) do |var, action, type, things|
+  resource_ids = things.split(',').collect {|id| api.resource(id).resourceid }
+  event_found = api.audit_resource(api.resource("variable:#{var}")).any? do |e|
+    e['action'] == action &&
+      Set.new(e["#{type}s"]).superset?(Set.new(resource_ids))
+  end
+  expect(event_found).to be true
+end

data/features/step_definitions/cli_steps.rb

@@ -0,0 +1,5 @@
+Transform /\$ns/ do |s|
+  s.gsub('$ns', namespace)
+end
+
+

data/features/support/env.rb

@@ -1,3 +1,4 @@
+require 'aruba/cucumber'
 require 'conjur/cli'
 
 Conjur::Config.load

data/features/support/world.rb

@@ -0,0 +1,13 @@
+module ApiWorld
+
+  def api
+    @api ||= Conjur::Authn.connect(nil, :noask => true)
+  end
+
+  def namespace
+    @namespace ||= api.create_variable('text/plain', 'id').id.tap {|ns| puts "namespace: #{ns}"}
+  end
+
+end
+
+World ApiWorld

data/jenkins.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -ex
 
-CONJUR_VERSION=${CONJUR_VERSION:-"4.6"}
+CONJUR_VERSION=${CONJUR_VERSION:-"5.0"}
 DOCKER_IMAGE=${DOCKER_IMAGE:-"registry.tld/conjur-appliance-cuke-master:$CONJUR_VERSION-stable"}
 NOKILL=${NOKILL:-"0"}
 PULL=${PULL:-"1"}

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.22.1"
+    VERSION = "4.23.0"
   end
 end

data/lib/conjur/api.rb

@@ -97,11 +97,10 @@ class RestClient::Resource
   # @return {Conjur::API} the new api
   def conjur_api
     api = Conjur::API.new_from_token token, remote_ip
-    if conjur_privilege
-      api.with_privilege conjur_privilege
-    else
-      api
-    end
+    api = api.with_privilege(conjur_privilege) if conjur_privilege
+    api = api.with_audit_roles(audit_roles) if audit_roles
+    api = api.with_audit_resources(audit_resources) if audit_resources
+    api
   end
 
   # Get an authentication token from the clients Authorization header.
@@ -129,6 +128,14 @@ class RestClient::Resource
     options[:headers][:x_conjur_privilege]
   end
 
+  def audit_roles
+    options[:headers][:conjur_audit_roles].try { |r| Conjur::API.decode_audit_ids(r) }
+  end
+
+  def audit_resources
+    options[:headers][:conjur_audit_resources].try { |r| Conjur::API.decode_audit_ids(r) }
+  end
+
   # The username this resource authenticates as.
   #
   # @return [String] the username

data/lib/conjur/base.rb

@@ -141,6 +141,15 @@ module Conjur
       def new_from_token(token, remote_ip = nil)
         self.new nil, nil, token, remote_ip
       end
+      
+      def encode_audit_ids(ids)
+        ids.collect{|id| CGI::escape(id)}.join('&')
+      end
+
+      def decode_audit_ids(ids)
+        ids.split('&').collect{|id| CGI::unescape(id)}
+      end
+
     end
     
     # Create a new instance from a username and api key or a token.
@@ -179,6 +188,16 @@ module Conjur
     # The optional global privilege (e.g. 'elevate' or 'reveal') which should be attempted on the request.
     attr_accessor :privilege
 
+    #@!attribute [rw] audit_roles
+    # An array of role ids that should be included in any audit
+    # records generated by requsts made by this instance of the api.
+    attr_accessor :audit_roles
+
+    #@!attribute [rw] audit_resources
+    # An array of resource ids that should be included in any audit
+    # records generated by requsts made by this instance of the api.
+    attr_accessor :audit_resources
+
     # The name of the user as which this api instance is authenticated.  This is available whether the api
     # instance was created from credentials or an authentication token.
     #
@@ -233,6 +252,8 @@ module Conjur
         h[:authorization] = "Token token=\"#{Base64.strict_encode64 token.to_json}\""
         h[:x_conjur_privilege] = @privilege if @privilege
         h[:x_forwarded_for] = @remote_ip if @remote_ip
+        h[:conjur_audit_roles] = Conjur::API.encode_audit_ids(@audit_roles) if @audit_roles
+        h[:conjur_audit_resources] = Conjur::API.encode_audit_ids(@audit_resources) if @audit_resources
       end
       { headers: headers, username: username }
     end
@@ -245,7 +266,23 @@ module Conjur
         api.privilege = privilege
       end
     end
-    
+
+    def with_audit_roles role_ids
+      role_ids = Array(role_ids)
+      self.class.new(username, api_key, token, remote_ip).tap do |api|
+        # Ensure that all role ids are fully qualified
+        api.audit_roles = role_ids.collect { |id| api.role(id).roleid }
+      end
+    end
+
+    def with_audit_resources resource_ids
+      resource_ids = Array(resource_ids)
+      self.class.new(username, api_key, token, remote_ip).tap do |api|
+        # Ensure that all resource ids are fully qualified
+        api.audit_resources = resource_ids.collect { |id| api.resource(id).resourceid }
+      end
+    end
+
     private
 
     def token_valid?

data/lib/conjur/escape.rb

@@ -31,13 +31,19 @@ module Conjur
       #   fully_escape 'foo/bar@baz'
       #   # => "foo%2Fbar%40baz"
       #
+      # @example
+      #   fully_escape 'test/Domain Controllers'
+      #   # => "test%2FDomain%20Controllers"
+      #
       # @param [String] str the string to escape
       # @return [String] the escaped string
       def fully_escape(str)
-        require 'cgi'
-        CGI.escape(str.to_s)
+        # CGI escape uses + for spaces, which our services don't support :-(
+        # We just gsub it.
+        CGI.escape(str.to_s).gsub('+', '%20')
       end
 
+
       # Escape a URI path component.
       #
       # This method simply calls {Conjur::Escape::ClassMethods#path_or_query_escape}.
@@ -121,4 +127,4 @@ module Conjur
       self.class.query_escape str
     end
   end
-end
+end

data/spec/lib/api_spec.rb

@@ -260,6 +260,7 @@ describe Conjur::API do
         end
       end
     end
+      
 
     context "from api key", logged_in: true do
       let(:api_key) { "theapikey" }
@@ -299,38 +300,67 @@ describe Conjur::API do
     end
 
     context "from logged-in RestClient::Resource" do
+      let (:authz_header) { %Q{Token token="#{token_encoded}"} }
+      let (:priv_header) { nil }
+      let (:forwarded_for_header) { nil }
+      let (:audit_roles_header) { nil }
+      let (:audit_resources_header) { nil }
+      let (:username) { 'bob' }
+      subject { resource.conjur_api }
+
+      shared_examples "it can clone itself" do
+        it "has the authz header" do
+          expect(subject.credentials[:headers][:authorization]).to eq(authz_header)
+        end
+        it "has the conjur privilege header" do
+          expect(subject.credentials[:headers][:x_conjur_privilege]).to eq(priv_header)
+        end
+        it "has the forwarded for header" do
+          expect(subject.credentials[:headers][:x_forwarded_for]).to eq(forwarded_for_header)
+        end
+        it "has the audit_roles header" do
+          expect(subject.credentials[:headers][:conjur_audit_roles]).to eq(audit_roles_header)
+        end
+        it "has the audit_resources header" do
+          expect(subject.credentials[:headers][:conjur_audit_resources]).to eq(audit_resources_header)
+        end
+        it "has the username" do
+          expect(subject.credentials[:username]).to eq(username)
+        end
+      end
+
       let(:token_encoded) { Base64.strict_encode64(token.to_json) }
-      let(:headers) { { authorization: "Token token=\"#{token_encoded}\"" } }
+      let(:base_headers) { { authorization: authz_header } }
+      let(:headers) { base_headers }
       let(:resource) { RestClient::Resource.new("http://example.com", { headers: headers })}
-      it "can construct a new API instance" do
-        api = resource.conjur_api
-        expect(api.credentials[:headers][:authorization]).to eq("Token token=\"#{token_encoded}\"")
-        expect(api.credentials[:headers][:x_conjur_privilege]).to be_nil
-        expect(api.credentials[:headers][:x_forwarded_for]).to be_nil
-        expect(api.credentials[:username]).to eq("bob")
+      context 'basic functioning' do
+        it_behaves_like 'it can clone itself'
       end
       
       context "privileged" do
-        let(:headers) { { authorization: "Token token=\"#{token_encoded}\"", x_conjur_privilege: "elevate" } }
-        it "can clone itself" do
-          api = resource.conjur_api
-          expect(api.credentials[:headers][:authorization]).to eq("Token token=\"#{token_encoded}\"")
-          expect(api.credentials[:headers][:x_conjur_privilege]).to eq("elevate")
-          expect(api.credentials[:headers][:x_forwarded_for]).to be_nil
-          expect(api.credentials[:username]).to eq("bob")
-        end
+        let(:priv_header) { 'elevate' }
+        let(:headers) { base_headers.merge(x_conjur_privilege: priv_header) }
+        it_behaves_like "it can clone itself"
       end
       
-      context "privileged" do
-        let(:headers) { { authorization: "Token token=\"#{token_encoded}\"", x_forwarded_for: "66.0.0.1" } }
-        it "can clone itself" do
-          api = resource.conjur_api
-          expect(api.credentials[:headers][:authorization]).to eq("Token token=\"#{token_encoded}\"")
-          expect(api.credentials[:headers][:x_conjur_privilege]).to be_nil
-          expect(api.credentials[:headers][:x_forwarded_for]).to eq("66.0.0.1")
-          expect(api.credentials[:username]).to eq("bob")
-        end
+      context "forwarded for" do
+        let(:forwarded_for_header) { "66.0.0.1" }
+        let(:headers) { base_headers.merge(x_forwarded_for: forwarded_for_header) }
+        it_behaves_like 'it can clone itself'
+      end
+
+      context "audit roles" do
+        let(:audit_roles_header) { Conjur::API.encode_audit_ids(['account:kind:role1', 'account:kind:role2']) }
+        let(:headers) { base_headers.merge(:conjur_audit_roles => audit_roles_header) }
+        it_behaves_like 'it can clone itself'
+      end
+
+      context "audit resources" do
+        let(:audit_resources_header) { Conjur::API.encode_audit_ids(['account:kind:resource1', 'account:kind:resource2']) }
+        let(:headers) { base_headers.merge(:conjur_audit_resources => audit_resources_header) }
+        it_behaves_like 'it can clone itself'
       end
+
     end
   end
 
@@ -360,4 +390,21 @@ describe Conjur::API do
       end
     end
   end
+
+  describe 'url escapes' do
+    let(:urls){[
+        'foo/bar@baz',
+        '/test/some group with spaces'
+    ]}
+
+    describe '#fully_escape' do
+      let(:expected){[
+        'foo%2Fbar%40baz',
+        '%2Ftest%2Fsome%20group%20with%20spaces'
+      ]}
+      it 'escapes the urls correctly' do
+        expect(urls.map{|u| Conjur::API.fully_escape u}).to eq(expected)
+      end
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.22.1
+  version: 4.23.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-13 00:00:00.000000000 Z
+date: 2016-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -129,6 +129,20 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: aruba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.12.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.12.0
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
@@ -323,9 +337,13 @@ files:
 - Rakefile
 - ci/test.sh
 - conjur-api.gemspec
+- features/audit_resources.feature
+- features/audit_roles.feature
 - features/bootstrap.feature
 - features/step_definitions/api_steps.rb
+- features/step_definitions/cli_steps.rb
 - features/support/env.rb
+- features/support/world.rb
 - jenkins.sh
 - lib/conjur-api.rb
 - lib/conjur-api/version.rb
@@ -459,9 +477,13 @@ signing_key:
 specification_version: 4
 summary: Conjur API
 test_files:
+- features/audit_resources.feature
+- features/audit_roles.feature
 - features/bootstrap.feature
 - features/step_definitions/api_steps.rb
+- features/step_definitions/cli_steps.rb
 - features/support/env.rb
+- features/support/world.rb
 - spec/api/authn_spec.rb
 - spec/api/graph_spec.rb
 - spec/api/groups_spec.rb