conjur-asset-key-pair 0.2.1

data/db/migrate/20121219081344_slosilo_keystore.rb

@@ -0,0 +1 @@
+require 'slosilo/adapters/sequel_adapter/migration'

data/db/migrate/20130206195553_create_random_id_functions.rb

@@ -0,0 +1,9 @@
+Sequel.migration do
+  up do
+    create_random_id_functions
+  end
+  
+  down do
+    drop_random_id_functions
+  end
+end

data/db/migrate/20130513145031_create_key_pairs.rb

@@ -0,0 +1,18 @@
+Sequel.migration do
+  up do
+    create_table :key_pairs do
+      primary_key :id
+      String :userid,  null: false
+      String :ownerid, null: false
+      
+      String :public_keyid,  null: false
+      String :private_keyid, null: false
+    end
+
+    random_str_id :key_pairs
+  end
+  
+  down do
+    drop_table :key_pairs
+  end
+end

data/features/key_pair_create.feature

@@ -0,0 +1,21 @@
+Feature: Creating a key pair
+
+	Background:
+		Given admin user
+		
+	Scenario: I can create a key pair with a group owner
+		Given I create a "group"
+		When I create a key pair owned by "@group.roleid"
+		And I find a "key_pair" resource named "@key_pair.id"
+		Then the resource owner is "@group.roleid"
+
+	Scenario: I can encrypt data
+		When I create a key pair
+		Then I can encrypt with the key pair
+		
+	Scenario: I can decrypt data
+		When I create a key pair
+		And I can encrypt with the key pair
+		Then I can decrypt with the key pair
+		And the decrypted data is round-tripped
+		

data/features/key_pair_roles.feature

@@ -0,0 +1,46 @@
+Feature: Working with key pair roles
+
+	Background:
+		Given admin user
+		And I create a key pair
+		And I create a new user
+
+	Scenario: Random users cannot encrypt data
+		And I log in as the new user
+		And I anticipate a request failure
+		And I encrypt with the key pair
+		Then the request fails
+
+	Scenario: Random users cannot decrypt data
+		When I encrypt with the key pair
+		And I log in as the new user
+		And I anticipate a request failure
+		And I decrypt with the key pair
+		Then the request fails
+
+	Scenario: Encrypt role does not grant permission to decrypt
+		When I encrypt with the key pair
+		And I grant "key_pair" role "encrypt" to "user" "@new_user.username"
+		And I log in as the new user
+		And I anticipate a request failure
+		And I decrypt with the key pair
+		Then the request fails
+
+	Scenario: Decrypt role does not grant permission to encrypt
+		And I grant "key_pair" role "decrypt" to "user" "@new_user.username"
+		And I log in as the new user
+		And I anticipate a request failure
+		And I encrypt with the key pair
+		Then the request fails
+
+	Scenario: I can encrypt data when granted the role
+		And I grant "key_pair" role "encrypt" to "user" "@new_user.username"
+		And I log in as the new user
+		Then I can encrypt with the key pair
+		
+	Scenario: I can decrypt data when granted the role
+		When I encrypt with the key pair
+		And I grant "key_pair" role "decrypt" to "user" "@new_user.username"
+		And I log in as the new user
+		Then I can decrypt with the key pair
+		

data/features/support/env.rb

@@ -0,0 +1,87 @@
+require 'rubygems'
+require 'spork'
+
+Spork.prefork do
+  # Loading more in this block will cause your tests to run faster. However, 
+  # if you change any configuration or code from libraries loaded here, you'll
+  # need to restart spork for it take effect.
+  
+  # --- Instructions ---
+  # - Sort through your spec_helper file. Place as much environment loading 
+  #   code that you don't normally modify during development in the 
+  #   Spork.prefork block.
+  # - Place the rest under Spork.each_run block
+  # - Any code that is left outside of the blocks will be ran during preforking
+  #   and during each_run!
+  # - These instructions should self-destruct in 10 seconds.  If they don't,
+  #   feel free to delete them.
+  #
+
+  # IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
+  # It is recommended to regenerate this file in the future when you upgrade to a 
+  # newer version of cucumber-rails. Consider adding your own code to a new file 
+  # instead of editing this one. Cucumber will automatically load all features/**/*.rb
+  # files.
+  
+  ENV["RAILS_ENV"] = "cucumber"
+  ENV["CONJUR_ENV"] = "test"
+  ENV["RAILS_ROOT"] ||= File.dirname(__FILE__) + "../../../spec/dummy"  
+
+  require File.expand_path("../../../spec/dummy/config/environment", __FILE__)
+
+#  require 'cucumber/formatter/unicode' # Remove this line if you don't want Cucumber Unicode support
+#  require 'cucumber/rails/rspec'
+#  require 'cucumber/rails/world'
+#  require 'cucumber/rails/active_record'
+#  require 'cucumber/web/tableish'
+
+  require 'cucumber/rails'
+  require 'capybara/rails'
+  require 'capybara/cucumber'
+  require 'capybara/session'
+  require 'json_spec/cucumber'
+  require 'authable/cucumber/steps'
+  require 'conjur/asset/key-pair/cucumber/steps'
+
+  # Display exception reports in HTTP response
+  ActionController::Base.allow_rescue = true
+
+  # Lets you click links with onclick javascript handlers without using @culerity or @javascript
+  # Capybara defaults to XPath selectors rather than Webrat's default of CSS3. In
+  # order to ease the transition to Capybara we set the default here. If you'd
+  # prefer to use XPath just remove this line and adjust any selectors in your
+  # steps to use the XPath syntax.
+  Capybara.default_selector = :css
+
+  Capybara.default_driver = :selenium
+  
+  # If you set this to false, any error raised from within your app will bubble 
+  # up to your step definition and out to cucumber unless you catch it somewhere
+  # on the way. You can make Rails rescue errors and render error pages on a
+  # per-scenario basis by tagging a scenario or feature with the @allow-rescue tag.
+  #
+  # If you set this to true, Rails will rescue all errors and render error
+  # pages, more or less in the same way your application would behave in the
+  # default production environment. It's not recommended to do this for all
+  # of your scenarios, as this makes it hard to discover errors in your application.
+  # ActionController::Base.allow_rescue = false
+
+  # If you set this to true, each scenario will run in a database transaction.
+  # You can still turn off transactions on a per-scenario basis, simply tagging 
+  # a feature or scenario with the @no-txn tag. If you are using Capybara,
+  # tagging with @culerity or @javascript will also turn transactions off.
+  #
+  # If you set this to false, transactions will be off for all scenarios,
+  # regardless of whether you use @no-txn or not.
+  #
+  # Beware that turning transactions off will leave data in your database 
+  # after each scenario, which can lead to hard-to-debug failures in 
+  # subsequent scenarios. If you do this, we recommend you create a Before
+  # block that will explicitly put your database in a known state.
+  # Cucumber::Rails::World.use_transactional_fixtures = true
+  
+  WebMock.allow_net_connect!
+end
+
+Spork.each_run do
+end

data/features/support/hooks.rb

@@ -0,0 +1,22 @@
+Before do
+  ENV['CONJUR_KEY_PAIR_URL'] ||= "http://#{Capybara.current_session.server.host}:#{Capybara.current_session.server.port}"
+end
+
+Before do
+  unless Slosilo[:"authn:#{ENV['CONJUR_ACCOUNT']}"]
+    default_key = <<-KEY
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvqNru+LycLSew3FTa+To
+QQCVTui+Ccyj8X5vtFhCB1i4KLg2ShGlyt8Yh1dX2Gl2ckugv4JfRSntmRFXCyCw
+stXe5U0p+4/WpzyjZ9t38emlRU3s9e6N2f4U+xSpR1CvemA5hZq11yNMTSKw2FCi
+MSqxzpvXc7uae+6kEMgxoQ7njATCPyeZW6QV920jInuvlWQDdSKZA7QQ0q7HcKSD
+PntKxuUBzioyurgr+HWznK1oCltYJlGMOca9CiQqvtUxAFiz0OppV+21Qeu/1ZwB
+CCxk2aZ3vy7kQ2gDKRsNXEkH4krQsBNoc7U+Tj4F24qx32DfWCiwaIk/M+Vfsx8n
+hwIDAQAB
+-----END PUBLIC KEY-----
+KEY
+    key_str = ENV['CONJUR_AUTHN_PRIVATE_KEY'] || default_key
+    key = Slosilo::Key.new key_str
+    Slosilo[:"authn:#{ENV['CONJUR_ACCOUNT']}"] = key
+  end
+end

data/lib/conjur-asset-key-pair-version.rb

@@ -0,0 +1,7 @@
+module Conjur
+  module Asset
+    module KeyPair
+      VERSION = "0.2.1"
+    end
+  end
+end

data/lib/conjur-asset-key-pair.rb

@@ -0,0 +1,5 @@
+require "conjur-asset-key-pair-version"
+require "conjur/api"
+require "conjur/key-pair-api"
+
+require "conjur/asset/key-pair/engine" if defined?(Rails) && ENV['CONJUR_ASSET_SERVICE']

data/lib/conjur/api/key_pairs.rb

@@ -0,0 +1,13 @@
+require 'conjur/key_pair'
+
+module Conjur
+  class API
+    def create_key_pair(options = {})
+      standard_create Conjur::KeyPairs::API.host, :key_pair, nil, options
+    end
+    
+    def key_pair id
+      standard_show Conjur::KeyPairs::API.host, :key_pair, id
+    end
+  end
+end

data/lib/conjur/asset/key-pair/cucumber/key_pair_steps.rb

@@ -0,0 +1,24 @@
+When /^I create a key pair(?: owned by "(.*?)")?$/ do |owner|
+  options = {}
+  if owner
+    options[:ownerid] = interpret_value(owner)
+  end
+  create_variable :key_pair, options
+end
+
+When /^I(?: can)? decrypt with the key pair$/ do
+  attempt do
+    @plaintext_output = variable(:key_pair).decrypt @encrypted_data
+  end
+end
+
+When /^I(?: can)? encrypt with the key pair$/ do
+  attempt do
+    @plaintext_input = SecureRandom.uuid
+    @encrypted_data = variable(:key_pair).encrypt(@plaintext_input)
+  end
+end
+
+Then /^the decrypted data is round-tripped$/ do
+  @plaintext_input.should == @plaintext_output
+end

data/lib/conjur/asset/key-pair/cucumber/steps.rb

@@ -0,0 +1 @@
+require 'conjur/asset/key-pair/cucumber/key_pair_steps.rb'

data/lib/conjur/asset/key-pair/engine.rb

@@ -0,0 +1,8 @@
+module Conjur
+  module Asset
+    module KeyPair
+      class Engine < ::Rails::Engine
+      end
+    end
+  end
+end

data/lib/conjur/command/key_pairs.rb

@@ -0,0 +1,28 @@
+require 'conjur/authn'
+require 'conjur/command'
+
+class Conjur::Command::KeyPairs < Conjur::Command
+  self.prefix = :"key-pair"
+  
+  desc "Encrypt with a key pair"
+  arg_name "key-pair (value | STDIN)"
+  command :"encrypt" do |c|
+    c.action do |global_options, options, args|
+      id = require_arg(args, 'key-pair')
+      value = args.shift || STDIN.read
+      
+      $stdout.write api.key_pair(id).encrypt value
+    end
+  end
+
+  desc "Decrypt with a key pair"
+  arg_name "key-pair (value | STDIN)"
+  command :"decrypt" do |c|
+    c.action do |global_options, options, args|
+      id = require_arg(args, 'key-pair')
+      value = args.shift || STDIN.read
+      
+      $stdout.write api.key_pair(id).decrypt value
+    end
+  end
+end

data/lib/conjur/key-pair-api.rb

@@ -0,0 +1,13 @@
+module Conjur
+  module KeyPairs
+    class API < Conjur::API
+      class << self
+        def host
+          ENV['CONJUR_KEY_PAIR_URL'] || Conjur::Core::API.host
+        end
+      end
+    end
+  end
+end
+
+require 'conjur/api/key_pairs'

data/lib/conjur/key_pair.rb

@@ -0,0 +1,15 @@
+module Conjur
+  class KeyPair < RestClient::Resource
+    include ActsAsAsset
+    
+    def encrypt(data)
+      raise ArgumentError.new("data must not be nil") unless data
+      self["encrypt"].post(data, content_type: 'application/octet-stream').body
+    end
+    
+    def decrypt(data)
+      raise ArgumentError.new("data must not be nil") unless data
+      self["decrypt"].post(data, content_type: 'application/octet-stream').body
+    end
+  end
+end

data/spec/dummy/README.rdoc

@@ -0,0 +1,261 @@
+== Welcome to Rails
+
+Rails is a web-application framework that includes everything needed to create
+database-backed web applications according to the Model-View-Control pattern.
+
+This pattern splits the view (also called the presentation) into "dumb"
+templates that are primarily responsible for inserting pre-built data in between
+HTML tags. The model contains the "smart" domain objects (such as Account,
+Product, Person, Post) that holds all the business logic and knows how to
+persist themselves to a database. The controller handles the incoming requests
+(such as Save New Account, Update Product, Show Post) by manipulating the model
+and directing data to the view.
+
+In Rails, the model is handled by what's called an object-relational mapping
+layer entitled Active Record. This layer allows you to present the data from
+database rows as objects and embellish these data objects with business logic
+methods. You can read more about Active Record in
+link:files/vendor/rails/activerecord/README.html.
+
+The controller and view are handled by the Action Pack, which handles both
+layers by its two parts: Action View and Action Controller. These two layers
+are bundled in a single package due to their heavy interdependence. This is
+unlike the relationship between the Active Record and Action Pack that is much
+more separate. Each of these packages can be used independently outside of
+Rails. You can read more about Action Pack in
+link:files/vendor/rails/actionpack/README.html.
+
+
+== Getting Started
+
+1. At the command prompt, create a new Rails application:
+       <tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
+
+2. Change directory to <tt>myapp</tt> and start the web server:
+       <tt>cd myapp; rails server</tt> (run with --help for options)
+
+3. Go to http://localhost:3000/ and you'll see:
+       "Welcome aboard: You're riding Ruby on Rails!"
+
+4. Follow the guidelines to start developing your application. You can find
+the following resources handy:
+
+* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
+* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
+
+
+== Debugging Rails
+
+Sometimes your application goes wrong. Fortunately there are a lot of tools that
+will help you debug it and get it back on the rails.
+
+First area to check is the application log files. Have "tail -f" commands
+running on the server.log and development.log. Rails will automatically display
+debugging and runtime information to these files. Debugging info will also be
+shown in the browser on requests from 127.0.0.1.
+
+You can also log your own messages directly into the log file from your code
+using the Ruby logger class from inside your controllers. Example:
+
+  class WeblogController < ActionController::Base
+    def destroy
+      @weblog = Weblog.find(params[:id])
+      @weblog.destroy
+      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
+    end
+  end
+
+The result will be a message in your log file along the lines of:
+
+  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
+
+More information on how to use the logger is at http://www.ruby-doc.org/core/
+
+Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
+several books available online as well:
+
+* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
+* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
+
+These two books will bring you up to speed on the Ruby language and also on
+programming in general.
+
+
+== Debugger
+
+Debugger support is available through the debugger command when you start your
+Mongrel or WEBrick server with --debugger. This means that you can break out of
+execution at any point in the code, investigate and change the model, and then,
+resume execution! You need to install ruby-debug to run the server in debugging
+mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
+
+  class WeblogController < ActionController::Base
+    def index
+      @posts = Post.all
+      debugger
+    end
+  end
+
+So the controller will accept the action, run the first line, then present you
+with a IRB prompt in the server window. Here you can do things like:
+
+  >> @posts.inspect
+  => "[#<Post:0x14a6be8
+          @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
+       #<Post:0x14a6620
+          @attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
+  >> @posts.first.title = "hello from a debugger"
+  => "hello from a debugger"
+
+...and even better, you can examine how your runtime objects actually work:
+
+  >> f = @posts.first
+  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
+  >> f.
+  Display all 152 possibilities? (y or n)
+
+Finally, when you're ready to resume execution, you can enter "cont".
+
+
+== Console
+
+The console is a Ruby shell, which allows you to interact with your
+application's domain model. Here you'll have all parts of the application
+configured, just like it is when the application is running. You can inspect
+domain models, change values, and save to the database. Starting the script
+without arguments will launch it in the development environment.
+
+To start the console, run <tt>rails console</tt> from the application
+directory.
+
+Options:
+
+* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
+  made to the database.
+* Passing an environment name as an argument will load the corresponding
+  environment. Example: <tt>rails console production</tt>.
+
+To reload your controllers and models after launching the console run
+<tt>reload!</tt>
+
+More information about irb can be found at:
+link:http://www.rubycentral.org/pickaxe/irb.html
+
+
+== dbconsole
+
+You can go to the command line of your database directly through <tt>rails
+dbconsole</tt>. You would be connected to the database with the credentials
+defined in database.yml. Starting the script without arguments will connect you
+to the development database. Passing an argument will connect you to a different
+database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
+PostgreSQL and SQLite 3.
+
+== Description of Contents
+
+The default directory structure of a generated Ruby on Rails application:
+
+  |-- app
+  |   |-- assets
+  |       |-- images
+  |       |-- javascripts
+  |       `-- stylesheets
+  |   |-- controllers
+  |   |-- helpers
+  |   |-- mailers
+  |   |-- models
+  |   `-- views
+  |       `-- layouts
+  |-- config
+  |   |-- environments
+  |   |-- initializers
+  |   `-- locales
+  |-- db
+  |-- doc
+  |-- lib
+  |   `-- tasks
+  |-- log
+  |-- public
+  |-- script
+  |-- test
+  |   |-- fixtures
+  |   |-- functional
+  |   |-- integration
+  |   |-- performance
+  |   `-- unit
+  |-- tmp
+  |   |-- cache
+  |   |-- pids
+  |   |-- sessions
+  |   `-- sockets
+  `-- vendor
+      |-- assets
+          `-- stylesheets
+      `-- plugins
+
+app
+  Holds all the code that's specific to this particular application.
+
+app/assets
+  Contains subdirectories for images, stylesheets, and JavaScript files.
+
+app/controllers
+  Holds controllers that should be named like weblogs_controller.rb for
+  automated URL mapping. All controllers should descend from
+  ApplicationController which itself descends from ActionController::Base.
+
+app/models
+  Holds models that should be named like post.rb. Models descend from
+  ActiveRecord::Base by default.
+
+app/views
+  Holds the template files for the view that should be named like
+  weblogs/index.html.erb for the WeblogsController#index action. All views use
+  eRuby syntax by default.
+
+app/views/layouts
+  Holds the template files for layouts to be used with views. This models the
+  common header/footer method of wrapping views. In your views, define a layout
+  using the <tt>layout :default</tt> and create a file named default.html.erb.
+  Inside default.html.erb, call <% yield %> to render the view using this
+  layout.
+
+app/helpers
+  Holds view helpers that should be named like weblogs_helper.rb. These are
+  generated for you automatically when using generators for controllers.
+  Helpers can be used to wrap functionality for your views into methods.
+
+config
+  Configuration files for the Rails environment, the routing map, the database,
+  and other dependencies.
+
+db
+  Contains the database schema in schema.rb. db/migrate contains all the
+  sequence of Migrations for your schema.
+
+doc
+  This directory is where your application documentation will be stored when
+  generated using <tt>rake doc:app</tt>
+
+lib
+  Application specific libraries. Basically, any kind of custom code that
+  doesn't belong under controllers, models, or helpers. This directory is in
+  the load path.
+
+public
+  The directory available for the web server. Also contains the dispatchers and the
+  default HTML files. This should be set as the DOCUMENT_ROOT of your web
+  server.
+
+script
+  Helper scripts for automation and generation.
+
+test
+  Unit and functional tests along with fixtures. When using the rails generate
+  command, template test files will be generated for you and placed in this
+  directory.
+
+vendor
+  External libraries that the application depends on. Also includes the plugins
+  subdirectory. If the app has frozen rails, those gems also go here, under
+  vendor/rails/. This directory is in the load path.