conjur-api 4.8.0 → 4.9.0

data/.gitignore

@@ -1,3 +1,4 @@
+.DS_Store
 build_number
 *.gem
 *.rbc

data/conjur-api.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |gem|
   
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'spork'
-  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'rspec', '>= 2.14', '< 3.0'
   gem.add_development_dependency 'webmock'
   gem.add_development_dependency 'ci_reporter'
   gem.add_development_dependency 'simplecov'

data/lib/conjur-api/version.rb

@@ -20,6 +20,6 @@
 #
 module Conjur
   class API
-    VERSION = "4.8.0"
+    VERSION = "4.9.0"
   end
 end

data/lib/conjur/acts_as_resource.rb

@@ -18,6 +18,10 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+
+require 'active_support/dependencies/autoload'
+require 'active_support/core_ext'
+
 module Conjur
   module ActsAsResource
     def resource
@@ -31,7 +35,6 @@ module Conjur
     end
     
     def resource_kind
-      require 'active_support/core_ext'
       self.class.name.split("::")[-1].underscore.split('/').join('-')
     end
 
@@ -52,4 +55,4 @@ module Conjur
       resource.deny privilege, role
     end
   end
-end
+end

data/lib/conjur/annotations.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 module Conjur
   # An Annotations instance acts like a Hash: you can fetch an annotation
   # with '[]' and update with '[]=', 'each' it, and 'merge!' to do bulk updates
@@ -58,9 +78,11 @@ module Conjur
     protected
     
     def update_annotation name, value
-      @annotations_hash = nil
-      path = [@resource.account,'annotations', @resource.kind, @resource.identifier].join '/'
-      RestClient::Resource.new(Conjur::Authz::API.host, @resource.options)[path].put name: name, value: value
+      @resource.invalidate do
+        @annotations_hash = nil
+        path = [@resource.account,'annotations', @resource.kind, @resource.identifier].join '/'
+        RestClient::Resource.new(Conjur::Authz::API.host, @resource.options)[path].put name: name, value: value
+      end
     end
     
     def annotations_hash
@@ -69,7 +91,7 @@ module Conjur
     
     def fetch_annotations
       {}.tap do |hash|
-        JSON.parse(@resource.get)['annotations'].each do |annotation|
+        @resource.attributes['annotations'].each do |annotation|
           hash[annotation['name'].to_sym] = annotation['value']
         end
       end

data/lib/conjur/api.rb

@@ -18,6 +18,9 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+require 'active_support'
+require 'active_support/deprecation'
+
 require 'conjur/cast'
 require 'conjur/configuration'
 require 'conjur/env'
@@ -35,6 +38,8 @@ require 'conjur/authn-api'
 require 'conjur/authz-api'
 require 'conjur/audit-api'
 require 'conjur/core-api'
+require 'conjur/layer-api'
+require 'conjur/pubkeys-api'
 require 'conjur-api/version'
 
 class RestClient::Resource

data/lib/conjur/api/layers.rb

@@ -0,0 +1,17 @@
+require 'conjur/layer'
+
+module Conjur
+  class API
+    def create_layer(id, options = {})
+      standard_create Conjur::API.layer_asset_host, :layer, id, options
+    end
+    
+    def layers(options = {})
+      standard_list Conjur::API.layer_asset_host, :layer, options
+    end
+    
+    def layer id
+      standard_show Conjur::API.layer_asset_host, :layer, id
+    end
+  end
+end

data/lib/conjur/api/pubkeys.rb

@@ -0,0 +1,54 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+module Conjur
+  class API
+    # Return all of a user's public keys, as a newline delimited string
+    # (the format expected by authorized-keys)
+    def public_keys username
+      public_keys_resource(username).get
+    end
+    
+    # Return a specific public key for a given user and key name
+    def public_key username, keyname
+      public_keys_resource(username, keyname).get
+    end
+    
+    # Add a public key for the given user
+    def add_public_key username, key
+      public_keys_resource(username).post key
+    end
+    
+    # Delete a public key for the given user and key name
+    def delete_public_key username, keyname
+      public_keys_resource(username, keyname).delete
+    end
+    
+    protected
+    def public_keys_resource *path
+      RestClient::Resource.new(Conjur::API.pubkeys_asset_host, credentials)[public_keys_path *path]
+    end
+    
+    def public_keys_path *args
+      args.map{|a| fully_escape(a)}.join('/')
+    end
+  end
+end

data/lib/conjur/group.rb

@@ -23,6 +23,8 @@ module Conjur
     include ActsAsAsset
     include ActsAsRole
     
+    # @param [Hash] options
+    #   * *admin_option* enables the +member+ to manage members of this group
     def add_member(member, options = {})
       role.grant_to member, options
     end

data/lib/conjur/has_attributes.rb

@@ -39,14 +39,14 @@ module Conjur
     def refresh
       fetch
     end
-    
-    protected
-    
+
     def invalidate(&block)
       yield
     ensure
       @attributes = nil
     end
+
+    protected
     
     def fetch
       @attributes = JSON.parse(get.body)

data/lib/conjur/layer-api.rb

@@ -0,0 +1,9 @@
+class Conjur::API
+  class << self
+    def layer_asset_host
+      ENV["CONJUR_LAYER_ASSET_URL"] || Conjur::Core::API.host
+    end
+  end
+end
+
+require 'conjur/api/layers'

data/lib/conjur/layer.rb

@@ -0,0 +1,37 @@
+module Conjur
+  class Layer < RestClient::Resource
+    include ActsAsAsset
+    include ActsAsRole
+    
+    def add_host(hostid)
+      hostid = cast(hostid, :roleid)
+      log do |logger|
+        logger << "Adding host #{hostid} to layer #{id}"
+      end
+      invalidate do
+        RestClient::Resource.new(self['hosts'].url, options).post(hostid: hostid) 
+      end
+    end
+    
+    def remove_host(hostid)
+      hostid = cast(hostid, :roleid)
+      log do |logger|
+        logger << "Removing host #{hostid} from layer #{id}"
+      end
+      invalidate do
+        RestClient::Resource.new(self["hosts/#{fully_escape hostid}"].url, options).delete
+      end
+    end
+    
+    # Lists the roles that have been granted access to the hosts owned roles.
+    def hosts_members(role_name)
+      owned_role(role_name).members
+    end
+
+    def hosts
+      self.attributes['hosts'].collect do |id|
+        Conjur::Host.new(Conjur::API.core_asset_host, options)["hosts/#{fully_escape id}"]
+      end
+    end
+  end
+end

data/lib/conjur/pubkeys-api.rb

@@ -0,0 +1,38 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/api'
+require 'conjur/configuration'
+
+class Conjur::Configuration
+  add_option :pubkeys_url do
+    account_service_url 'pubkeys', 400
+  end
+end
+
+class Conjur::API
+  class << self
+    def pubkeys_asset_host 
+      Conjur.configuration.pubkeys_url
+    end
+  end
+end
+
+require 'conjur/api/pubkeys'

data/lib/conjur/resource.rb

@@ -39,7 +39,7 @@ module Conjur
     
     def create(options = {})
       log do |logger|
-        logger << "Creating resource #{kind}:#{identifier}"
+        logger << "Creating resource #{resourceid}"
         unless options.empty?
           logger << " with options #{options.to_json}"
         end
@@ -60,7 +60,7 @@ module Conjur
 
     def delete(options = {})
       log do |logger|
-        logger << "Deleting resource #{kind}:#{identifier}"
+        logger << "Deleting resource #{resourceid}"
         unless options.empty?
           logger << " with options #{options.to_json}"
         end
@@ -72,7 +72,7 @@ module Conjur
       role = cast(role, :roleid)
       eachable(privilege).each do |p|
         log do |logger|
-          logger << "Permitting #{p} on resource #{kind}:#{identifier} by #{role}"
+          logger << "Permitting #{p} on resource #{resourceid} by #{role}"
           unless options.empty?
             logger << " with options #{options.to_json}"
           end
@@ -91,7 +91,7 @@ module Conjur
       role = cast(role, :roleid)
       eachable(privilege).each do |p|
         log do |logger|
-          logger << "Denying #{p} on resource #{kind}:#{identifier} by #{role}"
+          logger << "Denying #{p} on resource #{resourceid} by #{role}"
           unless options.empty?
             logger << " with options #{options.to_json}"
           end
@@ -103,7 +103,12 @@ module Conjur
     # True if the logged-in role, or a role specified using the acting-as option, has the
     # specified +privilege+ on this resource.
     def permitted?(privilege, options = {})
-      self["?check&privilege=#{query_escape privilege}"].get(options)
+      params = {
+        check: true,
+        privilege: query_escape(privilege)
+      }
+      params[:acting_as] = options[:acting_as] if options[:acting_as]
+      self["?#{params.to_query}"].get(options)
       true
     rescue RestClient::ResourceNotFound
       false

data/lib/conjur/role.rb

@@ -58,11 +58,15 @@ module Conjur
       end
     end
     
+    alias memberships all
+    
     def member_of?(other_role)
       other_role = cast(other_role, :roleid)
       not all(filter: other_role).empty?
     end
     
+    # @param [Hash] options
+    #   * *admin_option* enables the +member+ to manage members of this role
     def grant_to(member, options={})
       member = cast(member, :roleid)
       log do |logger|

data/lib/conjur/standard_methods.rb

@@ -18,9 +18,12 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+
+require 'active_support/dependencies/autoload'
+require 'active_support/core_ext'
+
 module Conjur
   module StandardMethods
-    require 'active_support/core_ext'
     
     protected
     
@@ -52,4 +55,4 @@ module Conjur
       "Conjur::#{type.to_s.classify}".constantize.new(host, credentials)[ [type.to_s.pluralize, fully_escape(id)].join('/') ]
     end
   end
-end
+end

data/spec/api/layer_spec.rb

@@ -0,0 +1,16 @@
+require 'spec_helper'
+require 'webmock/rspec'
+
+describe Conjur::Layer do
+  subject { Conjur::Layer.new 'http://example.com/layers/my%2Flayername', nil }
+  
+  describe "#add_host" do
+    it "casts Host to roleid" do
+      host = double(:host)
+      host.should_receive(:roleid).and_return "the-hostid"
+      stub_request(:post, "http://example.com/layers/my%2Flayername/hosts").with(hostid: "the-hostid")
+
+      subject.add_host host
+    end
+  end
+end

data/spec/api/pubkeys_spec.rb

@@ -0,0 +1,66 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'spec_helper'
+
+describe Conjur::API, api: :dummy do
+  let(:pubkeys_url){ "http://pubkeys.example.com/api/pubkeys" }
+  def pubkeys_url_for *path
+    [pubkeys_url, path.map{|p| CGI.escape(p)} ].join("/")  
+  end
+  
+  before do
+    Conjur::API.stub(pubkeys_asset_host: pubkeys_url)
+  end
+  
+  describe "#public_keys" do
+    it "GETs /:username" do
+      RestClient::Request.should_receive(:execute).with(
+        url: pubkeys_url_for("bob"),
+        method: :get,
+        headers: credentials[:headers],
+      ).and_return "key key key"
+      expect(api.public_keys("bob")).to eq("key key key")
+    end
+  end
+  
+  describe "#add_public_key" do
+    it "POSTs /:username with the data" do
+      RestClient::Request.should_receive(:execute).with(
+        url: pubkeys_url_for("bob"),
+        method: :post,
+        headers: credentials[:headers],
+        payload: "key data",
+      )
+      api.add_public_key("bob", "key data")
+    end
+  end
+  
+  describe "#delete_public_key" do
+    it "DELETEs /:username/:keyname" do
+      RestClient::Request.should_receive(:execute).with(
+        url: pubkeys_url_for("bob", "bob-key"),
+        method: :delete,
+        headers: credentials[:headers]
+      )
+      api.delete_public_key("bob", "bob-key")
+    end
+  end
+end

data/spec/lib/annotations_spec.rb

@@ -8,17 +8,17 @@ describe Conjur::Annotations do
   let(:options){ { } }
   let(:raw_annotations){ [{'name' => 'name', 'value' => 'bar'}, 
                       {'name' => 'comment', 'value' => 'some comment'}] }
-  let(:resource_hash){ { 'annotations' => raw_annotations } }
-  let(:resource){ 
-    double('resource', account: account, 
-           kind: kind, identifier: identifier, 
-           options: options, resourceid: resourceid,
-           get: resource_hash.to_json) 
-  }
+  let(:attributes){ { 'annotations' => raw_annotations } }
+
+  let(:resource){
+    double('resource', attributes: attributes, account: account,
+           kind: kind, identifier: identifier, resourceid: resourceid,
+           options: options
+      ) }
+
   let(:annotations){ Conjur::Annotations.new(resource) }
   
-  subject{ annotations }
-
+  subject { annotations }
 
   let(:url){ "#{Conjur::Authz::API.host}/#{account}/annotations/#{kind}/#{identifier}" }
 
@@ -39,7 +39,7 @@ describe Conjur::Annotations do
     end
     
     it "caches the get result" do
-      resource.should_receive(:get).exactly(1).times.and_return(resource_hash.to_json)
+      resource.should_receive(:attributes).exactly(1).times.and_return(attributes)
       subject[:name]
       subject[:name]
     end
@@ -76,6 +76,7 @@ describe Conjur::Annotations do
       hash.each do |k,v|
         expect_put_request(url, name: k, value: v)
       end
+      resource.should_receive(:invalidate).exactly(hash.count).times.and_yield
       subject.merge! hash
     end
   end
@@ -84,12 +85,14 @@ describe Conjur::Annotations do
 
     it "makes a put request" do
       expect_put_request url, name: :blah, value: 'boo'
+      resource.should_receive(:invalidate).and_yield
       subject[:blah] = 'boo'
     end
     
     it "forces a fresh request for the annotations" do
       expect_put_request(url, name: :foo, value: 'bar')
-      resource.should_receive(:get).exactly(2).times.and_return(resource_hash.to_json)
+      resource.should_receive(:attributes).exactly(2).times.and_return(attributes)
+      resource.should_receive(:invalidate).and_yield
       # One get request
       subject[:name].should == 'bar'
       # Update

data/spec/lib/resource_spec.rb

@@ -120,7 +120,7 @@ describe Conjur::Resource, api: :dummy, logging: :temp do
     it 'gets the ?permitted? action' do
       RestClient::Request.should_receive(:execute).with(
         method: :get,
-        url: uri + "/?check&privilege=fry",
+        url: uri + "/?check=true&privilege=fry",
         headers: {}
       )
       subject.permitted? 'fry'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 4.8.0
+  version: 4.9.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-05-16 00:00:00.000000000 Z
+date: 2014-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -83,7 +83,10 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.14'
+    - - <
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -91,7 +94,10 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.14'
+    - - <
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -221,6 +227,8 @@ files:
 - lib/conjur/api/deputies.rb
 - lib/conjur/api/groups.rb
 - lib/conjur/api/hosts.rb
+- lib/conjur/api/layers.rb
+- lib/conjur/api/pubkeys.rb
 - lib/conjur/api/resources.rb
 - lib/conjur/api/roles.rb
 - lib/conjur/api/secrets.rb
@@ -245,9 +253,12 @@ files:
 - lib/conjur/has_identifier.rb
 - lib/conjur/has_owner.rb
 - lib/conjur/host.rb
+- lib/conjur/layer-api.rb
+- lib/conjur/layer.rb
 - lib/conjur/log.rb
 - lib/conjur/log_source.rb
 - lib/conjur/path_based.rb
+- lib/conjur/pubkeys-api.rb
 - lib/conjur/resource.rb
 - lib/conjur/role.rb
 - lib/conjur/role_grant.rb
@@ -258,6 +269,8 @@ files:
 - spec/api/authn_spec.rb
 - spec/api/groups_spec.rb
 - spec/api/hosts_spec.rb
+- spec/api/layer_spec.rb
+- spec/api/pubkeys_spec.rb
 - spec/api/resources_spec.rb
 - spec/api/roles_spec.rb
 - spec/api/secrets_spec.rb
@@ -307,7 +320,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2336930098172204581
+      hash: 1491369076526143326
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.25
@@ -322,6 +335,8 @@ test_files:
 - spec/api/authn_spec.rb
 - spec/api/groups_spec.rb
 - spec/api/hosts_spec.rb
+- spec/api/layer_spec.rb
+- spec/api/pubkeys_spec.rb
 - spec/api/resources_spec.rb
 - spec/api/roles_spec.rb
 - spec/api/secrets_spec.rb