conjur-api 5.1.0 → 5.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a7dc24a2726ea693a242271b1f3d5a89ce22189d
-  data.tar.gz: 7676f82fc5f389b1b4eed5f75be20a31e7e6b8f5
+SHA256:
+  metadata.gz: 5cde5e15366fbf8e8838402bd8ffa29183a1d6972cbf0c2f2583a6e56093fed7
+  data.tar.gz: 8a2fe440ec1693c50498adbcc1f188341ffe4767ea80182ce6e1e13a089936ce
 SHA512:
-  metadata.gz: 124f290a448e5f08bbcbe926ba3aa3a680fe9d8300a7f3e16d8f2ab891b37113797e2e2427681288ba9b70628238af7b8727482353430bae786aa455fd4bbdd6
-  data.tar.gz: 4861bf1424b924c503a0fcd76c8401617121c1c831369d588c0729afe1c741bbe486f44a1ddb998e951286965ebde88cf83aa96fd37dd24a667603a3e928a3ba
+  metadata.gz: ff0b849ec96f16fa10fa1ef8f8c661fa5a1695ed16f8c97a24a4d5e3cf7a6660f3fb8e112d1086eec995028585ecd074348d202b96f0fa6252fd55ae128ac7bc
+  data.tar.gz: 5597bfc53825bd362be9f50b914824ca77640f391b859820277a50179ca917a1502d3d33bfad9eccfa81d0aa618c32f0e41db734ea9cb013520a018944831892

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Latest
 
+# v5.2.0
+
+* Adds support for the Role endpoint for searching and paging Role Members
+* Adds additional escaping to URL parameters on requests to handle special characters (e.g. spaces)
+
 # v5.1.0
 
 * Introduces backwards compatibility with Conjur 4.x for most API methods.

data/README.md

@@ -7,7 +7,7 @@ Programmatic Ruby access to the Conjur API.
 The Conjur server comes in two major versions:
 
 * **4.x** Conjur 4 is a commercial, non-open-source product, which is documented at [https://developer.conjur.net/](https://developer.conjur.net/).
-* **5.x** Conjur 5 is open-source software, hosted and documented at [https://www.conjur.org/](https://www.conjur.org/). 
+* **5.x** Conjur 5 is open-source software, hosted and documented at [https://www.conjur.org/](https://www.conjur.org/).
 
 You can use the `master` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
 
@@ -47,12 +47,16 @@ Connecting to Conjur is a two-step process:
 
 The simplest way to configure the Conjur API is to use the configuration file stored on the machine.
 If you have configured the machine with [conjur init](http://developer.conjur.net/reference/tools/init.html),
-it's default location is `~/.conjurrc`. 
+<<<<<<< HEAD
+its default location is `~/.conjurrc`.
+=======
+it's default location is `~/.conjurrc`.
+>>>>>>> Added development environment
 
 The Conjur configuration process also checks `/etc/conjur.conf` for global settings. This is typically used
 in server environments.
 
-For custom scenarios, the location of the file can be overridden using the `CONJURRC` environment variable. 
+For custom scenarios, the location of the file can be overridden using the `CONJURRC` environment variable.
 
 You can load the Conjur configuration file using the following Ruby code:
 
@@ -76,9 +80,9 @@ conjur = Conjur::Authn.connect nil, noask: true
 To [authenticate](http://developer.conjur.net/reference/services/authentication/authenticate.html), the API client must
 provide a `login` name and `api_key`. The `Conjur::Authn.connect` will attempt the following, in order:
 
-1. Look for `login` in environment variable `CONJUR_AUTHN_LOGIN`, and `api_key` in `CONJUR_AUTHN_API_KEY` 
+1. Look for `login` in environment variable `CONJUR_AUTHN_LOGIN`, and `api_key` in `CONJUR_AUTHN_API_KEY`
 2. Look for credentials on disk. The default credentials file is `~/.netrc`. The location of the credentials file
-can be overridden using the configuration file `netrc_path` option. 
+can be overridden using the configuration file `netrc_path` option.
 3. Prompt for credentials. This can be disabled using the option `noask: true`.
 
 ## Connecting Without Files
@@ -86,7 +90,7 @@ can be overridden using the configuration file `netrc_path` option.
 It's possible to configure and authenticate the Conjur connection without using any files, and without requiring
 the `conjur-cli` gem.
 
-To accomplish this, apply the configuration settings directly to the [Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb) 
+To accomplish this, apply the configuration settings directly to the [Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb)
 object.
 
 For example, specify the `account` and `appliance_url` (both of which are required) like this:
@@ -96,8 +100,8 @@ Conjur.configuration.account = 'my-account'
 Conjur.configuration.appliance_url = 'https://conjur.mydomain.com/api'
 ```
 
-You can also specify these values using environment variables, which is often a bit more convenient. 
-Environment variables are mapped to configuration variables by prepending `CONJUR_` to the all-caps name of the 
+You can also specify these values using environment variables, which is often a bit more convenient.
+Environment variables are mapped to configuration variables by prepending `CONJUR_` to the all-caps name of the
 configuration variable. For example, `appliance_url` is `CONJUR_APPLIANCE_URL`, `account` is `CONJUR_ACCOUNT`.
 
 In either case, you will also need to configure certificate trust. For example:
@@ -112,10 +116,50 @@ Once Conjur is configured, you can create a new API client by providing a `login
 Conjur::API.new_from_key login, api_key
 ```
 
-Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be 
+Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be
 prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.example.com`.
 
-# Development
+
+# Development (V5)
+To develop and run tests against Conjur V5, use the `start` and `stop` scripts in the `dev` folder. The start script brings up an open source Conjur (and Postgres database), CLI container, and a "work" container, with the gem code mounted into the working directory.
+
+#### Starting a Shell
+To begin:
+```sh
+$ cd dev
+$ ./start
+...
+root@9df0ac10ada2:/src/conjur-api#
+```
+You'll be dropped into development container upon completion. From there, install the development gems:
+
+```sh
+root@9df0ac10ada2:/src/conjur-api# bundle
+```
+
+#### Running Tests
+*NOTE*: There are some existing challenges around running tests from the development console.  For now, run tests
+by using the `./test.sh` script utilized for Jenkins Pipelines.
+
+<!--
+Commented out until I can get tests running locally
+
+Tests can be run with:
+```sh
+root@9df0ac10ada2:/src/conjur-api# bundle exec cucumber features
+root@9df0ac10ada2:/src/conjur-api# bundle exec rspec
+```
+-->
+
+#### Stopping & Environment Cleanup
+Once you're done, exit the shell, and stop the containers:
+
+```sh
+root@9df0ac10ada2:/src/conjur-api# exit
+$ ./stop
+```
+
+# Development (V4)
 
 The file `docker-compose.yml` is a self-contained development environment for the project.
 

data/dev/Dockerfile.dev

@@ -0,0 +1,12 @@
+FROM ruby:2.5
+
+RUN apt-get update && apt-get install -y vim curl
+
+WORKDIR /src/conjur-api
+
+COPY Gemfile conjur-api.gemspec ./
+COPY lib/conjur-api/version.rb ./lib/conjur-api/
+
+RUN bundle
+
+COPY . ./

data/dev/docker-compose.yml

@@ -0,0 +1,56 @@
+version: '3'
+services:
+  pg:
+    image: postgres:9.3
+
+  conjur_5:
+    image: cyberark/conjur
+    command: server -a cucumber
+    environment:
+      DATABASE_URL: postgres://postgres@pg/postgres
+      CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs='
+    volumes:
+      - authn_local_5:/run/authn-local
+    depends_on:
+      - pg
+
+  conjur_4:
+    image: registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
+    security_opt:
+      - seccomp:unconfined
+    volumes:
+      - ../features_v4/support/policy.yml:/etc/policy.yml
+      - authn_local_4:/run/authn-local
+
+  gem:
+    build:
+      context: ../
+      dockerfile: dev/Dockerfile.dev
+    entrypoint: sleep
+    command: infinity
+    environment:
+      CONJUR_APPLIANCE_URL: http://conjur_5
+      CONJUR_VERSION: 5
+      CONJUR_ACCOUNT: cucumber
+    links:
+      - conjur_5:conjur_5
+      - conjur_4:conjur_4
+    volumes:
+      - ..:/src/conjur-api
+      - authn_local_4:/run/authn-local-4
+      - authn_local_5:/run/authn-local-5
+
+  client:
+    image: conjurinc/cli5
+    entrypoint: sleep
+    command: infinity
+    environment:
+      CONJUR_APPLIANCE_URL: http://conjur_5
+      CONJUR_ACCOUNT: cucumber
+      CONJUR_AUTHN_LOGIN: admin
+    links:
+    - conjur_5:conjur_5
+
+volumes:
+  authn_local_5:
+  authn_local_4:

data/dev/start

@@ -0,0 +1,17 @@
+#!/bin/bash -ex
+
+function v5_development() {
+  docker-compose up -d --no-deps conjur_5 pg gem client
+
+  docker-compose exec -T conjur_5 conjurctl wait
+
+  local api_key=$(docker-compose exec -T conjur_5 rake 'role:retrieve-key[cucumber:user:admin]')
+  api_key=$(docker-compose exec -T conjur_5 conjurctl role retrieve-key cucumber:user:admin | tr -d '\r')
+
+  docker exec -e CONJUR_AUTHN_API_KEY="$api_key" -it --detach-keys 'ctrl-\' $(docker-compose ps -q gem) bash
+}
+
+docker-compose pull
+docker-compose build
+
+v5_development

data/dev/stop

@@ -0,0 +1,5 @@
+#!/bin/bash -ex
+
+echo 'Removing test environment'
+echo '---'
+docker-compose down --rmi 'local' --volumes

data/features/members.feature

@@ -21,13 +21,13 @@ Feature: Display role members and memberships.
     """
     [
       {
-        "admin_option": true,
-        "member": "cucumber:user:admin",
+        "admin_option": false,
+        "member": "cucumber:group:developers",
         "role": "cucumber:group:everyone"
       },
       {
-        "admin_option": false,
-        "member": "cucumber:group:developers",
+        "admin_option": true,
+        "member": "cucumber:user:admin",
         "role": "cucumber:group:everyone"
       }
     ]

data/features/new_api.feature

@@ -7,7 +7,7 @@ Feature: Constructing a new API object.
     """
     api = Conjur::API.new_from_key "host/#{@host_id}", @host_api_key
     expect(api.token).to be_instance_of(Hash)
-    expect(api.resource("cucumber:host:#{@host_id}")).to exist
+    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
     """
 
   Scenario: From access token.
@@ -18,7 +18,7 @@ Feature: Constructing a new API object.
     Then I run the code:
     """
     api = Conjur::API.new_from_token @token
-    expect(api.resource("cucumber:host:#{@host_id}")).to exist
+    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
     """
 
   Scenario: From access token file.
@@ -32,5 +32,5 @@ Feature: Constructing a new API object.
     Then I run the code:
     """
     api = Conjur::API.new_from_token_file @temp_file.path
-    expect(api.resource("cucumber:host:#{@host_id}")).to exist
+    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
     """

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "5.1.0"
+    VERSION = "5.2.0"
   end
 end

data/lib/conjur/api/router/v5.rb

@@ -82,7 +82,7 @@ module Conjur
           options = {}
           options[:check] = true
           options[:privilege] = privilege
-          options[:role] = cast_to_id(role) if role
+          options[:role] = path_escape(cast_to_id(role)) if role
           resources_resource(credentials, id)[options_querystring options].get
         end
 
@@ -134,7 +134,7 @@ module Conjur
         end
 
         def parse_members credentials, result
-          result['members'].collect do |json|
+          result.map do |json|
             RoleGrant.parse_from_json(json, credentials)
           end
         end

data/lib/conjur/configuration.rb

@@ -391,7 +391,7 @@ module Conjur
       when "5"
         v5_logic.call
       else
-        raise "Unspported major version #{version}"
+        raise "Unsupported major version #{version}"
       end
     end
 

data/lib/conjur/id.rb

@@ -18,16 +18,19 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+require 'conjur/escape'
 
 module Conjur
   # Encapsulates a Conjur id, which consists of account, kind, and identifier.
   class Id
+    include Conjur::Escape
+
     attr_reader :id
-    
+
     def initialize id
       @id = id
     end
-    
+
     # The organization account, obtained from the first component of the id.
     def account; id.split(':', 3)[0]; end
     # The object kind, obtained from the second component of the id.
@@ -52,7 +55,9 @@ module Conjur
 
     # Splits the id into 3 components, and then joins them with a forward-slash `/`.
     def to_url_path
-      id.split(':', 3).join('/')
+      id.split(':', 3)
+        .map(&method(:path_escape))
+        .join('/')
     end
     
     # @return [String] the id string

data/spec/uri_escape_spec.rb

@@ -0,0 +1,9 @@
+require 'spec_helper'
+require 'conjur/id'
+
+describe 'url escaping' do
+  it 'Id to path is escaped' do
+    id = Conjur::Id.new('cucumber:variable:foo bar')
+    expect(id.to_url_path).to eq('cucumber/variable/foo%20bar')
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 5.1.0
+  version: 5.2.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-12-19 00:00:00.000000000 Z
+date: 2018-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -229,6 +229,10 @@ files:
 - ci/configure_v4.sh
 - ci/configure_v5.sh
 - conjur-api.gemspec
+- dev/Dockerfile.dev
+- dev/docker-compose.yml
+- dev/start
+- dev/stop
 - docker-compose.yml
 - example/demo_v4.rb
 - example/demo_v5.rb
@@ -332,6 +336,7 @@ files:
 - spec/roles_spec.rb
 - spec/spec_helper.rb
 - spec/ssl_spec.rb
+- spec/uri_escape_spec.rb
 - spec/vendor/rest_client_spec.rb
 - test.sh
 - tmp/.keep
@@ -355,7 +360,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2.1
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Conjur API
@@ -398,4 +403,5 @@ test_files:
 - spec/roles_spec.rb
 - spec/spec_helper.rb
 - spec/ssl_spec.rb
+- spec/uri_escape_spec.rb
 - spec/vendor/rest_client_spec.rb