conjur-api 5.0.0 → 5.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5ddf9ddb616b3f5f7cdfec20ae8b3ccd32822922
-  data.tar.gz: 5609d9503bce6e7e2514aa46c01ce03b60b9f62f
+  metadata.gz: a7dc24a2726ea693a242271b1f3d5a89ce22189d
+  data.tar.gz: 7676f82fc5f389b1b4eed5f75be20a31e7e6b8f5
 SHA512:
-  metadata.gz: 065c61b553b155432ee6b4e33cef93d96e4838d171b5d40cbb5453587632f442c668570d8883f254ecef45fefa63ed52c36599a5dd36188e88b61701759e60e0
-  data.tar.gz: 5721dc4fb81cf00a6c7c5c5458941f517dffb4ee1d13bb5c3b87b671c7526f86bcea36cb541aa2e51b55c8df01584bb7a3ae611af4414312b0d1d56523c2ebb8
+  metadata.gz: 124f290a448e5f08bbcbe926ba3aa3a680fe9d8300a7f3e16d8f2ab891b37113797e2e2427681288ba9b70628238af7b8727482353430bae786aa455fd4bbdd6
+  data.tar.gz: 4861bf1424b924c503a0fcd76c8401617121c1c831369d588c0729afe1c741bbe486f44a1ddb998e951286965ebde88cf83aa96fd37dd24a667603a3e928a3ba

data/.gitignore

@@ -1,4 +1,5 @@
 features/reports
+features_v4/reports
 dev/data_key
 .DS_Store
 build_number

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Latest
 
+# v5.1.0
+
+* Introduces backwards compatibility with Conjur 4.x for most API methods.
+* Adds the configuration setting `version`, which is auto-populated from the environment variable `CONJUR_VERSION`.
+* Adds support for the `authn-local` service, which can be used when the API client runs on the server.
+
 # v5.0.0
 
 * Provides compatibility with [cyberark/conjur](https://github.com/cyberark/conjur), Conjur 5 CE.

data/Dockerfile

@@ -1,5 +1,7 @@
 FROM ruby:2.3
 
+RUN apt-get update && apt-get install -y vim curl
+
 WORKDIR /src/conjur-api
 
 COPY Gemfile conjur-api.gemspec ./

data/Jenkinsfile

@@ -16,6 +16,7 @@ pipeline {
 
         junit 'spec/reports/*.xml'
         junit 'features/reports/*.xml'
+        junit 'features_v4/reports/*.xml'
       }
     }
 
@@ -62,14 +63,7 @@ pipeline {
 
   post {
     always {
-      sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd'
-      deleteDir()
-    }
-    failure {
-      slackSend(color: 'danger', message: "${env.JOB_NAME} #${env.BUILD_NUMBER} FAILURE (<${env.BUILD_URL}|Open>)")
-    }
-    unstable {
-      slackSend(color: 'warning', message: "${env.JOB_NAME} #${env.BUILD_NUMBER} UNSTABLE (<${env.BUILD_URL}|Open>)")
+      cleanupAndNotify(currentBuild.currentResult)
     }
   }
 }

data/README.md

@@ -2,6 +2,26 @@
 
 Programmatic Ruby access to the Conjur API.
 
+# Server Versions
+
+The Conjur server comes in two major versions:
+
+* **4.x** Conjur 4 is a commercial, non-open-source product, which is documented at [https://developer.conjur.net/](https://developer.conjur.net/).
+* **5.x** Conjur 5 is open-source software, hosted and documented at [https://www.conjur.org/](https://www.conjur.org/). 
+
+You can use the `master` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
+
+* Authenticate
+* Fetch secrets
+* Check permissions
+* List roles, resources, members, memberships and permitted roles.
+* Create hosts using host factory
+* Rotate API keys
+
+Use the configuration setting `Conjur.configuration.version` to select your server version, or set the environment variable `CONJUR_VERSION`. In either case, the valid values are `4` and `5`; the default is `5`.
+
+If you are using Conjur server version `4.x`, you can also choose to use the `conjur-api` version `4.x`. In this case, the `Configuration.version` setting is not required (actually, it doesn't exist).
+
 # Installation
 
 Add this line to your application's Gemfile:
@@ -95,7 +115,70 @@ Conjur::API.new_from_key login, api_key
 Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be 
 prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.example.com`.
 
-## Contributing
+# Development
+
+The file `docker-compose.yml` is a self-contained development environment for the project.
+
+## Starting
+
+To bring it up, run:
+
+```sh-session
+$ docker-compose build
+$ docker-compose up -d pg conjur_4 conjur_5
+```
+
+Then configure the v4 and v5 servers:
+
+```sh-session
+$ ./ci/configure_v4.sh
+...
+$ ./ci/configure_v5.sh
+...
+```
+
+## Using
+
+Obtain the API key for the v5 admin user:
+
+```
+$ docker-compose exec conjur_5 rake 'role:retrieve-key[cucumber:user:admin]'
+3aezp05q3wkem3hmegymwzz8wh3bs3dr6xx3y3m2q41k5ymebkc
+```
+
+The password of the v4 admin user is "secret".
+
+Now you can run the client `dev` container:
+
+```sh-session
+$ docker-compose run --rm dev
+```
+
+This gives you a shell session with `conjur_4` and `conjur_5` available as linked containers.
+
+## Demos
+
+For a v5 demo, run:
+
+```sh-session
+$ bundle exec ./example/demo_v5.rb <admin-api-key>
+```
+
+For a v4 demo, run:
+
+```sh-session
+$ bundle exec ./example/demo_v4.rb
+```
+
+## Stopping
+
+To bring it down, run:
+
+```sh-session
+$ docker-compose down
+```
+
+# Contributing
 
 1. Fork it
 2. Create your feature branch (`git checkout -b my-new-feature`)
@@ -103,7 +186,7 @@ prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.
 4. Push to the branch (`git push origin my-new-feature`)
 5. Create new Pull Request
 
-## License
+# License
 
 Copyright 2016-2017 CyberArk
 

data/Rakefile

@@ -23,15 +23,21 @@ begin
   require 'cucumber'
   require 'cucumber/rake/task'
 
-  Cucumber::Rake::Task.new(:cucumber) do |t|
+  Cucumber::Rake::Task.new(:cucumber_4) do |t|
+    t.cucumber_opts = "--tags ~@wip --format pretty --format junit --out features_v4/reports -r features_v4/step_definitions/ -r features_v4/support/ features_v4/"
+  end
+
+  Cucumber::Rake::Task.new(:cucumber_5) do |t|
     t.cucumber_opts = "--tags ~@wip --format pretty --format junit --out features/reports"
   end
 
   begin
     require 'ci/reporter/rake/rspec'
     desc "Run the spec and cucumber suites, compute the test results and coverage statistics, build Yard docs"
-    task :jenkins => [:init_coverage, :"ci:setup:rspec", :spec, :cuke_report_cleanup, :cucumber, :yard]
-    task default: [ :jenkins ]
+    task :jenkins_init => [ :init_coverage, :cuke_report_cleanup ]
+    task :jenkins_spec => [ :"ci:setup:rspec", :spec ]
+    task :jenkins_cucumber_v4 => [ :cucumber_4 ]
+    task :jenkins_cucumber_v5 => [ :cucumber_5 ]
   rescue LoadError
     warn "ci_reporter_rspec not found, jenkins task will be unavailable"
   end

data/ci/configure_v4.sh

@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+cat << "CONFIGURE" | docker exec -i $(docker-compose ps -q conjur_4) bash
+set -e
+
+/opt/conjur/evoke/bin/wait_for_conjur
+evoke ca regenerate conjur_4
+/opt/conjur/evoke/bin/wait_for_conjur
+env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY=secret conjur policy load --as-group security_admin /etc/policy.yml
+CONFIGURE
+
+docker cp $(docker-compose ps -q conjur_4):/opt/conjur/etc/ssl/ca.pem ./tmp/conjur.pem

data/ci/configure_v5.sh

@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+cat << "CONFIGURE" | docker exec -i $(docker-compose ps -q conjur_5) bash
+set -e
+
+for _ in $(seq 20); do
+  curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null && break
+  echo .
+  sleep 2
+done
+
+# So we fail if the server isn't up yet:
+curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null
+CONFIGURE

data/conjur-api.gemspec

@@ -25,7 +25,7 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'rspec', '~> 3'
   gem.add_development_dependency 'rspec-expectations', '~> 3.4'
   gem.add_development_dependency 'json_spec'
-  gem.add_development_dependency 'cucumber'
+  gem.add_development_dependency 'cucumber', '~> 2.99'
   gem.add_development_dependency 'ci_reporter_rspec'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'io-grab'

data/docker-compose.yml

@@ -1,27 +1,62 @@
 version: '2.1'
 services:
-  postgres:
+  pg:
     image: postgres:9.3
 
-  conjur:
-    image: registry.tld/cyberark/conjur:0.1.0-stable
+  conjur_5:
+    image: cyberark/conjur
     command: server -a cucumber
     environment:
-      DATABASE_URL: postgres://postgres@postgres/postgres
+      DATABASE_URL: postgres://postgres@pg/postgres
       CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs='
+    volumes:
+      - authn_local_5:/run/authn-local
     depends_on:
-      - postgres
-    # healthcheck:
-    #   test: ['CMD', 'curl', '-f', '-X OPTIONS', 'http://localhost']
-    #   interval: 2s
-    #   timeout: 1s
-    #   retries: 5
+      - pg
+
+  conjur_4:
+    image: registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
+    security_opt:
+      - seccomp:unconfined
+    volumes:
+      - ./features_v4/support/policy.yml:/etc/policy.yml
+      - authn_local_4:/run/authn-local
 
-  tester:
+  tester_5:
     build: .
     volumes:
       - ./spec/reports:/src/conjur-api/spec/reports
       - ./features/reports:/src/conjur-api/features/reports
+      - authn_local_5:/run/authn-local-5
+    environment:
+      CONJUR_APPLIANCE_URL: http://conjur_5
+      CONJUR_VERSION: 5
+      CONJUR_ACCOUNT: cucumber
+
+  tester_4:
+    build: .
+    volumes:
+      - ./features_v4/reports:/src/conjur-api/features_v4/reports
+      - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
+      - authn_local_4:/run/authn-local-4
     environment:
-      CONJUR_APPLIANCE_URL: http://conjur
+      CONJUR_APPLIANCE_URL: https://conjur_4/api
+      CONJUR_VERSION: 4
       CONJUR_ACCOUNT: cucumber
+
+  dev:
+    build: .
+    entrypoint: bash
+    volumes:
+      - .:/src/conjur-api
+      - authn_local_4:/run/authn-local-4
+      - authn_local_5:/run/authn-local-5
+    environment:
+      CONJUR_ACCOUNT: cucumber
+    depends_on:
+      - conjur_4
+      - conjur_5
+
+volumes:
+  authn_local_4:
+  authn_local_5:

data/example/demo_v4.rb

@@ -0,0 +1,49 @@
+#!/usr/bin/env ruby
+
+require 'conjur-api'
+require 'securerandom'
+
+username = "admin"
+password = "secret"
+
+Conjur.configuration.appliance_url = "https://conjur_4/api"
+Conjur.configuration.account = "cucumber"
+Conjur.configuration.cert_file = "./tmp/conjur.pem"
+Conjur.configuration.version = 4
+Conjur.configuration.apply_cert_config!
+
+puts "Configured with Conjur version: #{Conjur.configuration.version}"
+puts
+
+api_key = Conjur::API.login username, password
+api = Conjur::API.new_from_key username, api_key
+
+db_password = SecureRandom.hex(12)
+puts "Populating variable 'db-password' = #{db_password.inspect}"
+api.resource("cucumber:variable:db-password").add_value db_password
+puts "Value added"
+puts
+
+puts "Creating host factory token for 'myapp'"
+expiration = Time.now + 1.day
+hf_token = api.resource("cucumber:host_factory:myapp").create_token expiration
+puts "Created: #{hf_token.token}"
+puts
+
+puts "Creating new host 'host-01' with host factory"
+host = Conjur::API.host_factory_create_host(hf_token, "host-01")
+puts "Created: #{host}"
+puts
+
+puts "Logging in as #{host.id}"
+host_api = Conjur::API.new_from_key "host/host-01", host.api_key
+puts "Logged in"
+puts
+
+
+puts "Fetching db-password as #{host.id}"
+value = host_api.resource("cucumber:variable:db-password").value
+puts value
+puts
+
+puts "Done!"

data/example/demo_v5.rb

@@ -0,0 +1,57 @@
+#!/usr/bin/env ruby
+
+require 'conjur-api'
+require 'securerandom'
+
+username = "admin"
+
+arguments = ARGV.dup
+
+api_key = arguments.shift or raise "Usage: ./demo_v5 <admin-api-key>"
+
+Conjur.configuration.appliance_url = "http://conjur_5"
+Conjur.configuration.account = "cucumber"
+# This is the default
+# Conjur.configuration.version = 5
+
+puts "Configured with Conjur version: #{Conjur.configuration.version}"
+puts
+
+api = Conjur::API.new_from_key username, api_key
+
+policy = File.read("features_v4/support/policy.yml")
+
+puts "Loading policy 'root'"
+policy_result = api.load_policy "root", policy
+puts "Loaded: #{policy_result}"
+puts
+
+db_password = SecureRandom.hex(12)
+puts "Populating variable 'db-password' = #{db_password.inspect}"
+api.resource("cucumber:variable:db-password").add_value db_password
+puts "Value added"
+puts
+
+puts "Creating host factory token for 'myapp'"
+expiration = Time.now + 1.day
+hf_token = api.resource("cucumber:host_factory:myapp").create_token expiration
+puts "Created: #{hf_token.token}"
+puts
+
+puts "Creating new host 'host-01' with host factory"
+host = Conjur::API.host_factory_create_host(hf_token, "host-01")
+puts "Created: #{host}"
+puts
+
+puts "Logging in as #{host.id}"
+host_api = Conjur::API.new_from_key "host/host-01", host.api_key
+puts "Logged in"
+puts
+
+
+puts "Fetching db-password as #{host.id}"
+value = host_api.resource("cucumber:variable:db-password").value
+puts value
+puts
+
+puts "Done!"

data/features/authn_local.feature

@@ -0,0 +1,32 @@
+Feature: When co-located with the Conjur server, the API can use the authn-local service to authenticate.
+
+  Scenario: authn-local can be used to obtain an access token.
+    When I run the code:
+    """
+    Conjur::API.authenticate_local "alice"
+    """
+    Then the JSON should have "payload"
+    And I run the code:
+    """
+    JSON.parse(Base64.decode64(@result['payload']))
+    """
+    Then the JSON should have "sub"
+    And the JSON should have "iat"
+
+  Scenario: Conjur API supports construction from authn-local.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    """
+    Then the JSON should have "payload"
+
+  Scenario: Conjur API will automatically refresh the token.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    @api.force_token_refresh
+    @api.token
+    """
+    Then the JSON should have "payload"