conjur-api 4.26.0 → 4.28.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e955d64cd6ce130071bad4809bfe207dc3fb8b6c
-  data.tar.gz: b0f1cf6e8960332a9a06ec806cbb52866bd39ecc
+  metadata.gz: 038dcc4d85e30d07b34ca84dda11196b3cbc8a98
+  data.tar.gz: 7b47721f2a9af64c512c6c2fbc5a5644aa5d98e5
 SHA512:
-  metadata.gz: 26bf9521c171451e4820aed4636071b735e7876e5b71707377e07e36d450a842d9e627ecd69e2456d8966708b3854c3bfbf9b7a7dea515067007e9ec969862f2
-  data.tar.gz: cff05fb02234c561bbbfbf8d7130b48a72c741c9bc80db1d540212d02d7f3334b1abc3fdf72dbe6bc60d14a703713550d7670e5ce2f9e1a3f14814a2c37bef82
+  metadata.gz: 9d4dc629522aa37aeea760aa16ec9d9df7694754fe5490f45530de68bcba544a9b35de834288dd4576920a92b800be71fe3a03414397be0e24bd06a954929fe0
+  data.tar.gz: dafee7953f111a1723a22f9cc0b2a2dacd970e6c10fad46f20458380fb14951ff7ef0e83a09027aa9e3cb20d0fc993a39e6872bfce2fc46e536879ab356f2c73

data/CHANGELOG.md

@@ -1,3 +1,22 @@
+# v4.28.0
+
+* Add `Conjur::API#ldap_sync_policy` to fetch the policy to use to
+  bring Conjur and the LDAP server into sync.
+  
+* Remove `Conjur::API#ldap_sync_now` and `Conjur::API#ldap_sync_jobs`
+
+# v4.27.0
+
+* Add `Conjur::API#resources_permitted?"
+
+* `Conjur::API#ldap_sync_now` now accepts an options Hash which will
+  be passed on to the `/sync` entrypoint. The old argument list is
+  maintained for backwards compatibility.
+
+* `Conjur::Api#resources` now supports `:has_annotation` for
+  retrieving Conjur resources that have an annotation with the given
+  name.
+
 # v4.26.0
 
 * expose admin_option in the role graph (only populated by Conjur 4.8 and later)

data/features/bootstrap.feature

@@ -17,6 +17,9 @@ Feature: conjur bootstrap
 	Scenario: security_admin group has the expected members
 		Then expressions "$conjur.role('group:security_admin').members.map(&:member).map(&:roleid).sort.join(',')" and "'cucumber:host:conjur/authn-tv,cucumber:host:conjur/expiration,cucumber:host:conjur/ldap-sync,cucumber:host:conjur/policy-loader,cucumber:host:conjur/secrets-rotator,cucumber:user:admin'" are equal
 
+	Scenario: security_admin group can update public keys
+		Then expression "$conjur.resource('service:pubkeys-1.0/public-keys').permitted_roles('update')" includes "$conjur.group('security_admin').roleid"
+
 	Scenario: security_admin can 'elevate' and 'reveal'
 		Then expression "$conjur.resource('!:!:conjur').permitted_roles('elevate')" includes "$conjur.group('security_admin').roleid"
 		Then expression "$conjur.resource('!:!:conjur').permitted_roles('reveal')" includes "$conjur.group('security_admin').roleid"

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "4.26.0"
+    VERSION = "4.28.0"
   end
 end

data/lib/conjur/api/ldapsync.rb

@@ -18,36 +18,74 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+require 'conjur/ldap_sync_job'
 
 module Conjur
   class API
-  # @!group LDAP Sync Service
+    # @!group LDAP Sync Service
 
-    # Trigger a LDAP sync with a given profile.
-
-    # @param [String] config_name Saved profile to run sync with
-    # @param [Boolean] dry_run Don't actually run sync, instead just report the state of the upstream LDAP.
-    # @param [String] format Requested MIME type of the response, either 'text/yaml' or 'application/json'
-    # @return [Hash] a hash mapping with keys 'ok' and 'result[:actions]'
-    def ldap_sync_now(config_name, format, dry_run)
-      opts = credentials.dup.tap{ |h|
-        h[:headers][:accept] = format
+    # Fetch a Conjur policy that will bring Conjur into sync with the
+    # LDAP server specified by a profile.
+    #
+    # @param [String] profile the name of the LDAP server profile 
+    # @param [Hash] options reserved for future use
+    def ldap_sync_policy profile, options = {}
+      
+      headers = credentials.dup.tap {|h|
+        h[:headers][:accept] = 'text/event-stream'
       }
 
-      dry_run = !!dry_run
+      options = options.merge(:config_name => profile)
+      url = Conjur.configuration.appliance_url + "/ldap-sync/policy?#{options.to_query}"
 
-      resp = RestClient::Resource.new(Conjur.configuration.appliance_url, opts)['ldap-sync']['sync'].post({
-        config_name: config_name,
-        dry_run: dry_run
-      })
-      
-      if format == 'text/yaml'
-        resp.body
-      elsif format == 'application/json'
-        JSON.parse(resp.body)
-      end
+      # Even though we're using SSE to return the policy, fetch the
+      # whole thing at once into a single response. Retrieving it in
+      # chunks doesn't buy us much of anything except more complicated
+      # client code.
+      response = RestClient::Resource.new(url, headers).get
+
+      json = if response.headers[:content_type] == 'text/event-stream'
+               find_policy_event(response) || find_error_events(response)
+             else
+               %Q({"error": {"message": "Unexpected response from server: #{response.body}"}})
+             end
+      JSON.parse(json)
+    end
+
+    # @api private
+    # Get an LDAP sync profile.
+
+    # @param [String] profile name 
+    # @param [Hash] options reserved
+    def ldap_sync_show_profile(profile, options = {})
+      resp = RestClient::Resource.new(Conjur.configuration.appliance_url, credentials)['ldap-sync']['config'].get(options)
+      JSON.parse(resp.body)
+    end
+
+    # @api private
+    # Update an LDAP sync profile. 
+    #
+    # ### Note
+    # DO NOT use this method and the UI to update an LDAP sync profile.
+    #
+    # @param [Hash] profile a hash containing the LDAP sync configuration
+    # @param [Hash] options reserved
+    def ldap_sync_update_profile(profile, options = {})
+      options[:json_config] = profile.to_json
+      resp = RestClient::Resource.new(Conjur.configuration.appliance_url, credentials)['ldap-sync']['config'].put(options.to_json, :content_type => 'application/json')
+      JSON.parse(resp.body)
+    end
+
+    # @!endgroup
+    
+    private
+    def find_policy_event(response)
+      response.body.lines.find {|l| l =~ /^data: {"policy":/}.try(:[], 6..-1)
+    end
+
+    def find_error_events(response)
+      response.body.lines.collect {|l| l.match(/^data: ({"error":.*)/).try(:[], 1)}.compact.join("\n")
     end
 
-  # @!endgroup
   end
 end

data/lib/conjur/api/resources.rb

@@ -166,5 +166,32 @@ module Conjur
     def global_privilege_permitted? privilege
       resource(GLOBAL_PRIVILEGE_RESOURCE).permitted? privilege
     end
+
+    # Check to see if the logged-in role has the specified +privilege+
+    # on the resources specified by +kind+ and +identifiers+.
+    #
+    # @example
+    #   secret1 = api.create_variable 'text/plain', 'secret1', id: 'secret1', value: 'my_first_secret'
+    #   secret2 = api.create_variable 'text/plain', 'secret2', id: 'secret2', value: 'another_secret'
+    #   all_permitted, results = api.resources_permitted? 'variable', ['secret1', 'secret2'], 'execute'
+
+    # @param [String] kind the kind of resources to check
+    # @param [Array<String>] identifiers the (unqualified) identifiers of the resources
+    # @param [String] privilege the privilege to check for
+    # @return [Array] first element is a Boolean, true if all checks passed, false otherwise. 
+    #                 If some checks fail, second element is the check result for each resource.
+    def resources_permitted? kind, identifiers, privilege
+      options = {
+        privilege: privilege,
+        identifiers: identifiers
+      }
+      resp = RestClient::Resource.new(Conjur::Authz::API.host, credentials)["#{Conjur.account}/resources/#{kind}?check=true"].post(options)
+      if resp.code == 204
+        [true, []]
+      else
+        [false, JSON.parse(resp.body)]
+      end
+    end
+
   end
 end

data/lib/conjur/api/roles.rb

@@ -31,8 +31,8 @@ module Conjur
     # @param [Array<Conjur::Role, String>, String, Conjur::Role] roles role or or array of roles
     #   roles whose relationships we're interested in
     # @param [Hash] options options for the request
-    # @option options [Boolean] :ancestors Whether to return ancestors of the given roles (true by default)
-    # @option options [Boolean] :descendants Whether to return descendants of the given roles (true by default)
+    # @option options [Boolean] :ancestors Whether to return ancestors ("roles that your role has") of the given roles (true by default)
+    # @option options [Boolean] :descendants Whether to return descendants ("roles that have your role") of the given roles (true by default)
     # @option options [Conjur::Role, String] :as_role Only roles visible to this role will be included in the graph
     # @return [Conjur::Graph] An object representing the role memberships digraph
     def role_graph roles, options = {}

data/lib/conjur/bootstrap.rb

@@ -84,6 +84,7 @@ module Conjur
       class Pubkeys < Base
         def perform
           find_or_create_record key_managers, security_admin
+
           find_or_create_record pubkeys_layer, security_admin
           find_or_create_record pubkeys_host, security_admin do |record, options|
             api.create_host(id: record.id, ownerid: security_admin.roleid)
@@ -91,7 +92,11 @@ module Conjur
           pubkeys_layer.add_host pubkeys_host unless pubkeys_layer.hosts.map(&:roleid).member?(pubkeys_host.roleid)
           
           find_or_create_resource pubkeys_service, security_admin
+
           permit pubkeys_service, 'update', key_managers
+
+          # also permit security_admin to update public keys
+          permit pubkeys_service, 'update', security_admin
         end
         
         def pubkeys_layer

data/lib/conjur/ldap_sync_job.rb

@@ -0,0 +1,89 @@
+require 'conjur/event_source'
+
+module Conjur
+  class LdapSyncJob
+
+    attr_reader :hash
+
+    # Creates a new `LdapSyncJob` from a Hash as returned
+    # by the LDAP sync service's `GET /jobs` route.
+    def self.new_from_json api, hash
+      new(api, hash)
+    end
+
+    def initialize api, hash
+      @api = api
+      @hash = hash.with_indifferent_access
+    end
+
+    def exclusive?
+      self.exclusive
+    end
+
+    def [](k)
+      @hash[k]
+    end
+
+    def method_missing(sym, *arguments, &block)
+      @hash[sym]
+    end
+
+    # Stop this job (if running) and remove it from the list of jobs.
+    def delete
+      job_resource.delete
+    end
+
+    # Receive output from this job and pass them to the given block.
+    def output &block
+      events = []
+      wrapper = lambda do |e|
+        events << e
+        block[e] if block
+      end
+
+      follow_job_output(&wrapper)
+
+      events
+    end
+
+    def to_s
+      "<LdapSyncJob #{id} type=#{type} state=#{state}#{exclusive? ? ' exclusive' : ''}>"
+    end
+
+    def to_h
+      @hash
+    end
+
+    alias as_json to_h
+
+    def to_json _unused
+      as_json.to_json
+    end
+    private
+
+    def follow_job_output &block
+      options = @api.credentials.dup.tap{|h| h[:headers][:accept] = 'text/event-stream'}
+
+      handle_response = lambda do |response|
+        response.error! unless response.code == '200'
+        es = EventSource.new
+        es.message{ |e| block[e.data] }
+
+        response.read_body do |chunk|
+          es.feed chunk
+        end
+      end
+
+      RestClient::Request.execute(
+          url: "#{job_resource['output'].url}",
+          headers: options[:headers],
+          method: :get,
+          block_response: handle_response
+      )
+    end
+
+    def job_resource
+      RestClient::Resource.new(Conjur.configuration.appliance_url, @api.credentials)['ldap-sync']['jobs'][id]
+    end
+  end
+end

data/lib/conjur/resource.rb

@@ -282,7 +282,7 @@ module Conjur
 
       path = "#{account}/resources" 
       path += "/#{kind}" if kind
-      query = opts.slice(:acting_as, :limit, :offset, :search)
+      query = opts.slice(:acting_as, :limit, :offset, :search, :has_annotation)
       path += "?#{query.to_query}" unless query.empty?
       resource = RestClient::Resource.new(host, credentials)[path]
       

data/lib/conjur/role.rb

@@ -76,8 +76,7 @@ module Conjur
     # so if `a` is a member of `b`, and `b` is a member of `c`, `a.all` will include `c`.
     #
     # ### Permissions
-    # You must be a member of the role to call this method (note that the `admin` user is
-    # a member of every role).
+    # You must be a member of the role to call this method.
     #
     # You can restrict the roles returned to one or more role ids.  This feature is mainly useful
     # for checking whether this role is a member of any of a set of roles.
@@ -92,7 +91,7 @@ module Conjur
     #   # => ["conjur:group:pubkeys-1.0/admin", "conjur:user:alice"]
     #
     # @example See if role `"conjur:user:alice"` is a member of either `"conjur:groups:developers"` or `"conjur:group:ops"`
-    #   is_member = not api.role('conjur:user:alice').all(filter: ['conjur:group:developers', 'conjur:group:ops']).empty?
+    #   is_member = api.role('conjur:user:alice').all(filter: ['conjur:group:developers', 'conjur:group:ops']).any?
     #
     # @param [Hash] options options for the request
     # @option options [String, #roleid, Array<String, #roleid>] :filter only return roles in this list

data/spec/api/ldapsync_spec.rb

@@ -12,64 +12,33 @@ require 'helpers/request_helpers'
 
 describe Conjur::API, api: :dummy do
   include RequestHelpers
-
-  let(:appliance_url){ "http://example.com/api" }
-  let(:ldapsync_url){ "#{appliance_url}/ldap-sync/sync" }
-  let(:response_json){
-    {
-        :okay => true,
-        :result => {
-            :actions => [
-                "Create user 'Guest'\n  Set annotation 'ldap-sync/source'\n  Set annotation 'ldap-sync/upstream-dn'"
-            ]
-        }
-    }
-  }
-  let(:response){ double('response', body: response_json.to_json) }
-  let(:dry_run) { true }
-
-  before do
-    allow(Conjur.configuration).to receive(:appliance_url).and_return appliance_url
-    allow(Conjur::API).to receive_messages(ldap_sync_now: ldapsync_url)
-    expect_request(
-      url: ldapsync_url,
-      method: :post,
-      headers: credentials[:headers],
-      payload: {config_name: 'default', dry_run: dry_run}
-    ).and_return response
-  end
-
-  describe "#ldap_sync_now" do
-    it "POSTs /sync" do
-      api.ldap_sync_now('default', 'application/json', true)
+  describe 'LDAP policy methods' do
+    let(:appliance_url){ "http://example.com/api" }
+    before do
+      allow(Conjur.configuration).to receive(:appliance_url).and_return appliance_url
     end
-  end
 
-  describe "#ldap_sync_now" do
-    let(:dry_run) { true }
-    it "POSTs /sync with dry_run set to true" do
-      api.ldap_sync_now('default', 'application/json', true)
+    describe '#ldap_sync_policy' do
+      let(:profile) { 'default' }
+      let(:url){ "#{appliance_url}/ldap-sync/policy?config_name=#{profile}" }
+      let(:policy_event){
+        %Q{data: {"policy": "a policy"}}
+      }
+
+      let(:response){ double('response', :body => policy_event, :headers => { :content_type => 'text/event-stream' }) }
+      subject{ api.ldap_sync_policy('default') }
+      before do
+        expect_request(
+            url: url,
+            method: :get,
+            headers: credentials[:headers]
+        ).and_return response
+      end
+
+      it 'returns a Hash with a policy' do
+        expect(subject).to be_kind_of Hash
+      end
     end
-  end
 
-  describe "#ldap_sync_now" do
-    let(:dry_run) { false }
-    it "POSTs /sync with dry_run set to false" do
-      api.ldap_sync_now('default', 'application/json', false)
-    end
-  end
-
-  describe "#ldap_sync_now" do
-    let(:dry_run) { true }
-    it "POSTs /sync with truthy dry_run value" do
-      api.ldap_sync_now('default', 'application/json', 1)
-    end
-  end
-
-  describe "#ldap_sync_now" do
-    let(:dry_run) { false }
-    it "POSTs /sync with falsey dry_run value" do
-      api.ldap_sync_now('default', 'application/json', nil)
-    end
   end
 end

data/spec/api/resources_spec.rb

@@ -44,4 +44,40 @@ describe Conjur::API, api: :dummy do
       expect(api.resources(kind: :chunky).map(&:url)).to eql(ids.map { |id| api.resource(id).url })
     end
   end
+
+  describe '#resources_permitted' do
+    let(:ids) { %w(foo bar baz) }
+    let(:kind) { 'variable' }
+    let(:priv) { 'execute' }
+
+    it 'creates the request correctly' do
+      expect_request(
+        method: :post,
+        url: "#{authz_host}/the-account/resources/#{kind}?check=true",
+        payload: {
+          :privilege => priv,
+          :identifiers => ids
+        }
+      ).and_return(double("response", :code => 204))
+      
+      res = api.resources_permitted?(kind, ids, priv)
+      expect(res[0]).to be(true)
+    end
+
+    it 'signals failure' do
+      expect_request(
+        method: :post,
+        url: "#{authz_host}/the-account/resources/#{kind}?check=true",
+        payload: {
+          :privilege => priv,
+          :identifiers => ids
+        }
+      ).and_return(double("response", :code => 403, :body => '[]'))
+      
+      res = api.resources_permitted?(kind, ids, priv)
+      expect(res[0]).to be(false)
+    end
+
+  end
+  
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.26.0
+  version: 4.28.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-07-01 00:00:00.000000000 Z
+date: 2016-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -383,6 +383,7 @@ files:
 - lib/conjur/host_factory_token.rb
 - lib/conjur/layer-api.rb
 - lib/conjur/layer.rb
+- lib/conjur/ldap_sync_job.rb
 - lib/conjur/log.rb
 - lib/conjur/log_source.rb
 - lib/conjur/path_based.rb