conjur-api 5.3.3 → 5.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d068a6fcf42161573c1d317260549dd7e30001e1c53d9edeb36e8c8646f7db7
-  data.tar.gz: 0ea117aee05921d67c2feef6b863fae286f5556833134f410dbab73a18cc13b9
+  metadata.gz: 476ea2f5b5e2a375363e03e6c4659f5a425837b5e3036f41ae5aea208c56f781
+  data.tar.gz: 973be7e50f9a8a86c78770125723e42460e2264ceb7d71823fbd5d4962a31195
 SHA512:
-  metadata.gz: bda454b83559d845aad1a5b13e824937f9574420c9c14d0743fd93c56f79ac6de462648901bc3c9d7612ad6243099a659f1292d9b4fe7628865e6f6ca8dfa562
-  data.tar.gz: a6e5d7397c882d4d43ee95eead36bf51519fa5d6ea7c754b0c2648388769b9800180df8757c1ac5d3e968738e6e92dd013ba71c08686f2a3e6f85b1700556558
+  metadata.gz: 5c1cb2ded26fe6dfd44992ef4a81e5e71a01551f2874c1045a66fb556da05b55268cceef5124323dfbe14c7e032da3382e0d48cf21732a443a3c52e70af53b38
+  data.tar.gz: 58e061632c5c072134f5d2a23dab0103d73790750c054d5f6167ee0fa239598908130fc921aa3f74b9f57a93ced1092ec6165b55ae54728b3e16114baca486f1

data/CHANGELOG.md

@@ -6,11 +6,22 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [5.3.4] - 2020-10-29
+
+### Changed
+- When rotating the currently logged in user's/host's API key, we now explictily
+  prevent use of `resource(<own_id>).rotate_api_key` for that action as the
+  `Conjur::API.rotate_api_key` should be used instead for that. This change is a
+  downstream enforcement of the stricter key rotation requirements on the server
+  covered by [this](https://github.com/cyberark/conjur/security/advisories/GHSA-qhjf-g9gm-64jq)
+  security bulletin.
+  [cyberark/conjur-api-ruby#181](https://github.com/cyberark/conjur-api-ruby/issues/181)
+
 ## [5.3.3] - 2020-08-18
 ### Changed
 - Release process is updated to ensure that the published Ruby Gem matches a tag in this repository,
   so that consumers of this gem can always reference the correct source code included in any given version.
-  [cyberark/conjur-api-ruby](https://github.com/cyberark/conjur-api-ruby/issues/173)
+  [cyberark/conjur-api-ruby#173](https://github.com/cyberark/conjur-api-ruby/issues/173)
 
 ## 5.3.2 - 2018-09-24
 ### Added
@@ -321,7 +332,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [2.0.0] - 2013-13-12
 
-[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.3...HEAD
+[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...HEAD
+[5.3.4]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.3...v5.3.4
 [5.3.3]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.1...v5.3.3
 [5.3.1]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.0...v5.3.1
 [5.3.0]: https://github.com/cyberark/conjur-api-ruby/compare/v5.1.0...v5.3.0

data/features/host.feature

@@ -1,20 +1,50 @@
-Feature: Display Host object fields.
+Feature: Host object
 
-  Background:
+  Scenario: API key of a newly created host is available and valid
     Given a new host
-
-  Scenario: API key of a newly created host is available and valid.
-    Then I run the code:
+    Then I can run the code:
     """
     expect(@host.exists?).to be(true)
     expect(@host.api_key).to be
     Conjur::API.new_from_key(@host.login, @host.api_key).token
     """
 
-  Scenario: API key of a a host can be rotated.
-    Then I run the code:
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with an API key
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
     """
     host = Conjur::API.new_from_key(@host.login, @host.api_key).resource(@host.id)
-    api_key = host.rotate_api_key
-    Conjur::API.new_from_key(@host.login, api_key).token
+    host.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with a token
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@host.login, @host.api_key).token
+
+    host = Conjur::API.new_from_token(token).resource(@host.id)
+    host.rotate_api_key
+    """
+
+  Scenario: Delegated host's API key can be rotated with an API key
+    Given a new delegated host
+    Then I can run the code:
+    """
+    delegated_host_resource = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
+    """
+
+  Scenario: Delegated host's API key can be rotated with a token
+    Given a new delegated host
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).token
+
+    delegated_host_resource = Conjur::API.new_from_token(token).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
     """

data/features/step_definitions/api_steps.rb

@@ -1,7 +1,18 @@
-When(/^I(?: can)? run the code:$/) do |code|
+Then(/^I(?: can)? run the code:$/) do |code|
   @result = eval(code).tap do |result|
-    if ENV['DEBUG']
-      puts result
+    puts result if ENV['DEBUG']
+  end
+end
+
+Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
+  begin
+    @result = eval(code)
+  rescue Exception => exc
+    if not exc.message =~ %r{#{error_msg}}
+      fail "'#{error_msg}' was not found in '#{exc.message}'"
     end
+  else
+    puts @result if ENV['DEBUG']
+    fail "The provided block did not raise an error"
   end
 end

data/features/step_definitions/policy_steps.rb

@@ -13,6 +13,25 @@ Given(/^a new user$/) do
   expect(@user_api_key).to be
 end
 
+Given(/^a new delegated user$/) do
+  # Create a new host that is owned by that user
+  step 'a new user'
+  @user_owner = @user
+  @user_owner_id = @user_id
+  @user_owner_api_key = @user_api_key
+
+  # Create a new user that is owned by the user created earlier
+  @user_id = "user-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user
+    id: #{@user_id}
+    owner: !user #{@user_owner_id}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{@user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
 Given(/^a new group$/) do
   @group_id = "group-#{random_hex}"
   response = $conjur.load_policy 'root', <<-POLICY
@@ -33,3 +52,24 @@ Given(/^a new host$/) do
   @host = $conjur.resource("cucumber:host:#{@host_id}")
   @host.attributes['api_key'] = @host_api_key
 end
+
+Given(/^a new delegated host$/) do
+  # Create an owner user
+  step 'a new user'
+  @host_owner = @user
+  @host_owner_id = @user_id
+  @host_owner_api_key = @user_api_key
+
+  # Create a new host that is owned by that user
+  @host_id = "app-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !host
+    id: #{@host_id}
+    owner: !user #{@host_owner_id}
+  POLICY
+
+  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+  expect(@host_api_key).to be
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end

data/features/user.feature

@@ -1,17 +1,58 @@
-Feature: Display User object fields.
+Feature: User object
 
   Background:
-    Given a new user
 
-  Scenario: User has a uidnumber.
-    Then I run the code:
+  Scenario: User has a uidnumber
+    Given a new user
+    Then I can run the code:
     """
     @user.uidnumber
     """
     Then the result should be "1000"
 
-  Scenario: Logged-in user is the current_role.
-    Then I run the code:
+  Scenario: Logged-in user is the current_role
+    Given a new user
+    Then I can run the code:
     """
     expect($conjur.current_role(Conjur.configuration.account).id.to_s).to eq("cucumber:user:admin")
     """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with an API key
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    user = Conjur::API.new_from_key(@user.login, @user_api_key).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with a token
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@user.login, @user_api_key).token
+
+    user = Conjur::API.new_from_token(token).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  Scenario: Delegated user's API key can be rotated with an API key
+    Given a new delegated user
+    Then I can run the code:
+    """
+    delegated_user_resource = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """
+
+  Scenario: Delegated user's API key can be rotated with a token
+    Given a new delegated user
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).token
+
+    delegated_user_resource = Conjur::API.new_from_token(token).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """

data/lib/conjur-api/version.rb

@@ -1,4 +1,4 @@
-# Copyright 2013-2017 Conjur Inc.
+# Copyright 2013-2020 Conjur Inc.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "5.3.3"
+    VERSION = "5.3.4"
   end
 end

data/lib/conjur/acts_as_user.rb

@@ -52,12 +52,16 @@ module Conjur
     # @note You will not be able to access the API key returned by this method later, so you should
     #   probably hang onto it it.
     #
-    # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`
+    # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`.
     #
     # @note This feature requires a Conjur appliance running version 4.6 or higher.
     #
     # @return [String] the new API key for this user.
     def rotate_api_key
+      if login == username
+        raise 'You cannot rotate your own API key via this method. To do so, use `Conjur::API.rotate_api_key`'
+      end
+
       url_for(:authn_rotate_api_key, credentials, account, id).put("").body
     end
   end

data/lib/conjur/api/resources.rb

@@ -20,7 +20,7 @@ module Conjur
   class API
     include QueryString
     include BuildObject
-    
+
     #@!group Resources
 
     # Find a resource by its id.
@@ -84,7 +84,7 @@ module Conjur
     def resources options = {}
       options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
       options[:account] ||= Conjur.configuration.account
-      
+
       host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
       fail ArgumentError, "host and account are required" unless [host, account].all?
       %w(host credentials account kind).each do |name|

data/lib/conjur/api/router/v5.rb

@@ -169,7 +169,7 @@ module Conjur
         def ldap_sync_policy(credentials, config_name)
           RestClient::Resource.new(Conjur.configuration.core_url, credentials)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
         end
-        
+
         private
 
         def resource_annotations resource

data/lib/conjur/base.rb

@@ -123,19 +123,21 @@ module Conjur
     #
     # @return [String] the api key, or nil if this instance was created from a token.
     attr_reader :api_key
-    
+
     #@!attribute [r] remote_ip
     # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
     attr_reader :remote_ip
 
     # The name of the user as which this api instance is authenticated.  This is available whether the api
-    # instance was created from credentials or an authentication token.
+    # instance was created from credentials or an authentication token. If the instance was created from
+    # credentials, we will use that value directly otherwise we will attempt to extract the username from
+    # the token (either the old-style data field or the new-style JWT `sub` field).
     #
     # @return [String] the login of the current user.
     def username
-      @username || token['data']
+      @username || token['data'] || jwt_username(token)
     end
-    
+
     # @api private
     # used to delegate to host providing subclasses.
     # @return [String] the host
@@ -213,7 +215,7 @@ module Conjur
         @account = account
         @username = username
         @api_key = api_key
-        
+
         update_token_born
       end
 
@@ -323,6 +325,18 @@ module Conjur
 
     private
 
+    # Tries to get the username (subject) from a JWT API token by examining
+    # its content.
+    #
+    # @return [String] of the 'sub' payload field from the JWT if present,
+    # otherwise return nil
+    def jwt_username raw_token
+      return nil unless raw_token
+      return nil unless raw_token.include? 'payload'
+
+      JSON.parse(Base64.strict_decode64(raw_token["payload"]))["sub"]
+    end
+
     # Tries to refresh the token if possible.
     #
     # @return [Hash, false] false if the token couldn't be refreshed due to

data/lib/conjur/base_object.rb

@@ -20,9 +20,9 @@ module Conjur
     include LogSource
     include BuildObject
     include Routing
-    
+
     attr_reader :id, :credentials
-    
+
     def initialize id, credentials
       @id = Id.new id
       @credentials = credentials
@@ -34,10 +34,18 @@ module Conjur
       }
     end
 
-    def account; id.account; end
-    def kind; id.kind; end
-    def identifier; id.identifier; end
-    
+    def account
+      id.account
+    end
+
+    def kind
+      id.kind
+    end
+
+    def identifier
+      id.identifier
+    end
+
     def username
       credentials[:username] or raise "No username found in credentials"
     end
@@ -45,6 +53,5 @@ module Conjur
     def inspect
       "<#{self.class.name} id='#{id.to_s}'>"
     end
-
   end
 end

data/spec/api_spec.rb

@@ -60,11 +60,11 @@ describe Conjur::API do
       context "after expiration" do
         it 'it reads a new token' do
           expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
-          
+
           time_travel 6.minutes
           new_token = token.merge "timestamp" => Time.now.to_s
           write_token new_token
-          
+
           expect(api.token).to eq(new_token)
         end
       end
@@ -85,10 +85,10 @@ describe Conjur::API do
           it 'by refreshing' do
             allow(Conjur::API).to receive(:authenticate).with(login, api_key, account: account).and_return token
             expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
-            
+
             time_travel 6.minutes
             new_token = token.merge "timestamp" => Time.now.to_s
-            
+
             expect(Conjur::API).to receive(:authenticate).with(login, api_key, account: account).and_return new_token
             expect(api.token).to eq(new_token)
           end
@@ -118,7 +118,7 @@ describe Conjur::API do
         subject { super().credentials }
         it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login }) }
       end
-      
+
       context "with remote_ip" do
         let(:remote_ip) { "66.0.0.1" }
         describe '#credentials' do
@@ -153,7 +153,7 @@ describe Conjur::API do
       context 'basic functioning' do
         it_behaves_like 'it can clone itself'
       end
-      
+
       context "forwarded for" do
         let(:forwarded_for_header) { "66.0.0.1" }
         let(:headers) { base_headers.merge(x_forwarded_for: forwarded_for_header) }
@@ -172,6 +172,55 @@ describe Conjur::API do
     end
   end
 
+  describe "#username" do
+    let(:jwt_payload) do
+      'eyJzdWIiOiJ1c2VyLTlhYjBiYmZiOWJlNjA5Yzk2ZjUyN2Y1YiIsImlhdCI6MTYwMzQ5MDA4MH0='
+    end
+
+    let(:jwt_header) do
+      'eyJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiI2MWZjOGRiZDM4MjA4NDll' \
+      'ZDI4YTZhYTAwMzFjNjM5MjkxZjJmMDQzNDVjYTU0MWI5NzUxMGQ5NjkyM2I3NDlmIn0='
+    end
+
+    let(:conjur_token) do
+      {
+        'data' => 'conjur-user-1234',
+        'timestamp' => Time.now.to_s
+      }
+    end
+
+    let(:jwt_token) do
+      {
+        'protected' => jwt_header,
+        'payload' => jwt_payload,
+      }
+    end
+
+    it "can correctly extract the username from old Conjur token" do
+      expect(Conjur::API.new_from_token(conjur_token).username).to(
+        eq('conjur-user-1234')
+      )
+    end
+
+    context 'when using JWT token' do
+      it "can correctly extract username" do
+        expect(Conjur::API.new_from_token(jwt_token).username).to(
+          eq('user-9ab0bbfb9be609c96f527f5b')
+        )
+      end
+
+      it "returns nil when JWT token has no payload field" do
+        no_payload_jwt_token = { 'protected' => jwt_header }
+        expect(Conjur::API.new_from_token(no_payload_jwt_token).username).to be_nil
+      end
+
+      it "returns nil when JWT token has no 'sub' field in payload" do
+        no_sub_token = { 'payload' => 'eyJpYXQiOjE2MDM0OTAwODB9' }
+        expect(Conjur::API.new_from_token(no_sub_token).username).to be_nil
+      end
+    end
+  end
+
   describe "#current_role", logged_in: true do
     context "when logged in as user" do
       let(:login) { 'joerandom' }

data/spec/base_object_spec.rb

@@ -10,5 +10,4 @@ describe Conjur::BaseObject do
     expect(base_obj.inspect).to include("id='#{id_str}'")
     expect(base_obj.inspect).to include(Conjur::BaseObject.name)
   end
-
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 5.3.3
+  version: 5.3.4
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-19 00:00:00.000000000 Z
+date: 2020-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client