conjur-asset-key-pair 0.2.1
- checksums.yaml +7 -0
- data/.gitignore +8 -0
- data/.project +18 -0
- data/.rvmrc +1 -0
- data/Gemfile +16 -0
- data/Gemfile.lock +214 -0
- data/MIT-LICENSE +20 -0
- data/README.rdoc +3 -0
- data/Rakefile +27 -0
- data/app/controllers/key_pairs_controller.rb +30 -0
- data/app/models/key_pair.rb +55 -0
- data/config/routes.rb +8 -0
- data/conjur-asset-key-pair.gemspec +48 -0
- data/db/migrate/20121219081344_slosilo_keystore.rb +1 -0
- data/db/migrate/20130206195553_create_random_id_functions.rb +9 -0
- data/db/migrate/20130513145031_create_key_pairs.rb +18 -0
- data/features/key_pair_create.feature +21 -0
- data/features/key_pair_roles.feature +46 -0
- data/features/support/env.rb +87 -0
- data/features/support/hooks.rb +22 -0
- data/lib/conjur-asset-key-pair-version.rb +7 -0
- data/lib/conjur-asset-key-pair.rb +5 -0
- data/lib/conjur/api/key_pairs.rb +13 -0
- data/lib/conjur/asset/key-pair/cucumber/key_pair_steps.rb +24 -0
- data/lib/conjur/asset/key-pair/cucumber/steps.rb +1 -0
- data/lib/conjur/asset/key-pair/engine.rb +8 -0
- data/lib/conjur/command/key_pairs.rb +28 -0
- data/lib/conjur/key-pair-api.rb +13 -0
- data/lib/conjur/key_pair.rb +15 -0
- data/spec/dummy/README.rdoc +261 -0
- data/spec/dummy/Rakefile +7 -0
- data/spec/dummy/app/controllers/application_controller.rb +2 -0
- data/spec/dummy/config.ru +4 -0
- data/spec/dummy/config/application.rb +64 -0
- data/spec/dummy/config/boot.rb +10 -0
- data/spec/dummy/config/database.yml +19 -0
- data/spec/dummy/config/environment.rb +5 -0
- data/spec/dummy/config/environments/cucumber.rb +40 -0
- data/spec/dummy/config/environments/development.rb +37 -0
- data/spec/dummy/config/environments/test.rb +38 -0
- data/spec/dummy/config/initializers/authenticator.rb +5 -0
- data/spec/dummy/config/initializers/conjur.rb +6 -0
- data/spec/dummy/config/locales/en.yml +5 -0
- data/spec/dummy/config/routes.rb +58 -0
- data/spec/dummy/db/schema.rb +24 -0
- data/spec/dummy/log/.gitkeep +0 -0
- data/spec/dummy/script/rails +6 -0
- data/spec/models/key_pair_spec.rb +117 -0
- data/spec/spec_helper.rb +54 -0
- metadata +273 -0
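--- /dev/null
+++ b/data/spec/dummy/Rakefile
@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks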
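--- /dev/null
+++ b/data/spec/dummy/config/application.rb
@@ -0,0 +1,64 @@
+require File.expand_path('../boot', __FILE__)
+
+ENV['CONJUR_ASSET_SERVICE'] = "true"
+
+# Pick the frameworks you want:
+require "sequel-rails/railtie"
+require "action_controller/railtie"
+
+Bundler.require
+
+require "conjur-asset-key-pair"
+
+module Dummy
+class Application < Rails::Application
+# Settings in config/environments/* take precedence over those specified here.
+# Application configuration should go into files in config/initializers
+# -- all .rb files in that directory are automatically loaded.
+
+# Custom directories with classes and modules you want to be autoloadable.
+# config.autoload_paths += %W(#{config.root}/extras)
+
+# Only load the plugins named here, in the order given (default is alphabetical).
+# :all can be used as a placeholder for all plugins not explicitly named.
+# config.plugins = [ :exception_notification, :ssl_requirement, :all ]
+
+# Activate observers that should always be running.
+# config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+
+# Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+# Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+# config.time_zone = 'Central Time (US & Canada)'
+
+# The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+# config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+# config.i18n.default_locale = :de
+
+# Configure the default encoding used in templates for Ruby 1.9.
+config.encoding = "utf-8"
+
+# Configure sensitive parameters which will be filtered from the log file.
+config.filter_parameters += [:password]
+
+# Enable escaping HTML in JSON.
+config.active_support.escape_html_entities_in_json = true
+
+# Use SQL instead of Active Record's schema dumper when creating the database.
+# This is necessary if your schema can't be completely dumped by the schema dumper,
+# like if you have constraints or database-specific column types
+#config.active_record.schema_format = :sql
+
+# Enforce whitelist mode for mass assignment.
+# This will create an empty whitelist of attributes available for mass-assignment for all models
+# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+# parameters by using an attr_accessible or attr_protected declaration.
+#config.active_record.whitelist_attributes = true
+
+# Enable the asset pipeline
+config.assets.enabled = true
+
+# Version of your assets, change this if you want to expire all your assets
+config.assets.version = '1.0'
+end
+end
+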
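Review bot: `config.filter_parameters += [:password]` on line 41 keeps only the Rails default, yet this dummy app exists to exercise an engine that manages RSA key pairs; if a private-key PEM or other key material is ever accepted as a request parameter, it would be written to the log unredacted. The controller that receives those parameters is not in this view, so this is a presumption; once its parameter names are known, widen the filter accordingly, e.g. `config.filter_parameters += [:password, :key, :private_key]`, and note in the comment above it why the extra names are there.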
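--- /dev/null
+++ b/data/spec/dummy/config/database.yml
@@ -0,0 +1,19 @@
+development:
+adapter: postgresql
+encoding: unicode
+database: conjur-asset-key-pair_dev
+pool: 5
+username: postgres
+password:
+
+test: &test
+adapter: postgresql
+encoding: unicode
+database: conjur-asset-key-pair_test
+pool: 5
+username: postgres
+password:
+
+cucumber:
+<<: *test
+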
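--- /dev/null
+++ b/data/spec/dummy/config/environments/cucumber.rb
@@ -0,0 +1,40 @@
+Dummy::Application.configure do
+# Settings specified here will take precedence over those in config/application.rb
+
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+config.cache_classes = true
+
+# Configure static asset server for tests with Cache-Control for performance
+config.serve_static_assets = true
+
+# Log error messages when you accidentally call methods on nil
+config.whiny_nils = true
+
+# Show full error reports and disable caching
+config.consider_all_requests_local = true
+config.action_controller.perform_caching = true
+
+# Raise exceptions instead of rendering exception templates
+config.action_dispatch.show_exceptions = false
+
+# Disable request forgery protection in test environment
+config.action_controller.allow_forgery_protection = false
+
+# Tell Action Mailer not to deliver emails to the real world.
+# The :test delivery method accumulates sent emails in the
+# ActionMailer::Base.deliveries array.
+# config.action_mailer.delivery_method = :test
+
+# Raise exception on mass assignment protection for Active Record models
+# config.active_record.mass_assignment_sanitizer = :strict
+
+# Print deprecation notices to the stderr
+config.active_support.deprecation = :stderr
+end
+
+ENV['CONJUR_AUTHN_URL'] ||= "https://authn-ci-conjur.herokuapp.com"
+ENV['CONJUR_AUTHZ_URL'] ||= "https://authz-ci-conjur.herokuapp.com"
+ENV['CONJUR_CORE_URL'] ||= "https://core-ci-conjur.herokuapp.com"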
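Review bot: Line 18 sets `config.action_controller.perform_caching = true` directly under the comment "Show full error reports and disable caching", so either the comment or the value is wrong; the test.rb added in the same commit uses `false` under the identical comment. If caching is deliberately on for cucumber runs, change the comment to say so rather than leaving it contradicting the code. Separately, lines 38–40 default the Conjur authn/authz/core URLs to hosted CI endpoints, which means a cucumber run with those variables unset talks to remote services; a comment such as `# Cucumber runs against the hosted CI Conjur services unless these are overridden` would make that expectation explicit.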
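--- /dev/null
+++ b/data/spec/dummy/config/environments/development.rb
@@ -0,0 +1,37 @@
+Dummy::Application.configure do
+# Settings specified here will take precedence over those in config/application.rb
+
+# In the development environment your application's code is reloaded on
+# every request. This slows down response time but is perfect for development
+# since you don't have to restart the web server when you make code changes.
+config.cache_classes = false
+
+# Log error messages when you accidentally call methods on nil.
+config.whiny_nils = true
+
+# Show full error reports and disable caching
+config.consider_all_requests_local = true
+config.action_controller.perform_caching = false
+
+# Don't care if the mailer can't send
+# config.action_mailer.raise_delivery_errors = false
+
+# Print deprecation notices to the Rails logger
+config.active_support.deprecation = :log
+
+# Only use best-standards-support built into browsers
+config.action_dispatch.best_standards_support = :builtin
+
+# Raise exception on mass assignment protection for Active Record models
+#config.active_record.mass_assignment_sanitizer = :strict
+
+# Log the query plan for queries taking more than this (works
+# with SQLite, MySQL, and PostgreSQL)
+#config.active_record.auto_explain_threshold_in_seconds = 0.5
+
+# Do not compress assets
+config.assets.compress = false
+
+# Expands the lines which load the assets
+config.assets.debug = true
+end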
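--- /dev/null
+++ b/data/spec/dummy/config/environments/test.rb
@@ -0,0 +1,38 @@
+Dummy::Application.configure do
+# Settings specified here will take precedence over those in config/application.rb
+
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+config.cache_classes = true
+
+# Configure static asset server for tests with Cache-Control for performance
+config.serve_static_assets = true
+config.static_cache_control = "public, max-age=3600"
+
+# Log error messages when you accidentally call methods on nil
+config.whiny_nils = true
+
+# Show full error reports and disable caching
+config.consider_all_requests_local = true
+config.action_controller.perform_caching = false
+
+# Raise exceptions instead of rendering exception templates
+config.action_dispatch.show_exceptions = false
+
+# Disable request forgery protection in test environment
+config.action_controller.allow_forgery_protection = false
+
+# Tell Action Mailer not to deliver emails to the real world.
+# The :test delivery method accumulates sent emails in the
+# ActionMailer::Base.deliveries array.
+#config.action_mailer.delivery_method = :test
+
+# Raise exception on mass assignment protection for Active Record models
+#config.active_record.mass_assignment_sanitizer = :strict
+
+# Print deprecation notices to the stderr
+config.active_support.deprecation = :stderr
+end
+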
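--- /dev/null
+++ b/data/spec/dummy/config/routes.rb
@@ -0,0 +1,58 @@
+Dummy::Application.routes.draw do
+# The priority is based upon order of creation:
+# first created -> highest priority.
+
+# Sample of regular route:
+# match 'products/:id' => 'catalog#view'
+# Keep in mind you can assign values other than :controller and :action
+
+# Sample of named route:
+# match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
+# This route can be invoked with purchase_url(:id => product.id)
+
+# Sample resource route (maps HTTP verbs to controller actions automatically):
+# resources :products
+
+# Sample resource route with options:
+# resources :products do
+# member do
+# get 'short'
+# post 'toggle'
+# end
+#
+# collection do
+# get 'sold'
+# end
+# end
+
+# Sample resource route with sub-resources:
+# resources :products do
+# resources :comments, :sales
+# resource :seller
+# end
+
+# Sample resource route with more complex sub-resources
+# resources :products do
+# resources :comments
+# resources :sales do
+# get 'recent', :on => :collection
+# end
+# end
+
+# Sample resource route within a namespace:
+# namespace :admin do
+# # Directs /admin/products/* to Admin::ProductsController
+# # (app/controllers/admin/products_controller.rb)
+# resources :products
+# end
+
+# You can have the root of your site routed with "root"
+# just remember to delete public/index.html.
+# root :to => 'welcome#index'
+
+# See how all your routes lay out with "rake routes"
+
+# This is a legacy wild controller route that's not recommended for RESTful applications.
+# Note: This route will make all actions in every controller accessible via GET requests.
+# match ':controller(/:action(/:id))(.:format)'
+end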
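--- /dev/null
+++ b/data/spec/dummy/db/schema.rb
@@ -0,0 +1,24 @@
+Sequel.migration do
+change do
+create_table(:schema_migrations) do
+column :filename, "text", :null=>false
+
+primary_key [:filename]
+end
+
+create_table(:secrets) do
+primary_key :id
+column :userid, "text", :null=>false
+column :ownerid, "text", :null=>false
+column :key, "bytea", :null=>false
+column :created_at, "timestamp without time zone", :default=>Sequel::CURRENT_TIMESTAMP, :null=>false
+end
+
+create_table(:slosilo_keystore) do
+column :id, "text", :null=>false
+column :key, "bytea", :null=>false
+
+primary_key [:id]
+end
+end
+end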
File without changes
|
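--- /dev/null
+++ b/data/spec/dummy/script/rails
@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application', __FILE__)
+require File.expand_path('../../config/boot', __FILE__)
+require 'rails/commands'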
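--- /dev/null
+++ b/data/spec/models/key_pair_spec.rb
@@ -0,0 +1,117 @@
+require 'spec_helper'
+
+KEY_PAIR_KEY = Slosilo::Key.new
+
+describe KeyPair do
+include_context "mock authz"
+include_context "current user"
+
+before {
+KeyPair.unrestrict_primary_key
+}
+
+let(:id) { KeyPair.model.db["SELECT crockford(pri_nextval('key_pairs_id_seq'::regclass))"].first.values[0] }
+let(:ownerid) { nil }
+let(:key_pair) {
+params = { id: id, userid: userid }
+params[:ownerid] = ownerid if ownerid
+KeyPair.new(params)
+}
+let(:private_key_variable) { mock(:private_key_variable, id: 'private-key-variable-id', value: KEY_PAIR_KEY.key.to_pem) }
+let(:public_key_variable) { mock(:public_key_variable, id: 'public-key-variable-id', value: KEY_PAIR_KEY.key.public_key.to_pem) }
+let(:variable_options) { {} }
+
+before {
+Slosilo::Key.stub(:new).and_return KEY_PAIR_KEY
+
+authz_api.should_receive(:create_variable).with('application/x-pem-file', 'rsa-private-key', variable_options).and_return private_key_variable
+private_key_variable.should_receive(:add_value).with(KEY_PAIR_KEY.key.to_pem)
+authz_api.should_receive(:create_variable).with('application/x-pem-file', 'rsa-public-key', variable_options).and_return public_key_variable
+public_key_variable.should_receive(:add_value).with(KEY_PAIR_KEY.key.public_key.to_pem)
+
+authz_api.stub(:variable).with(private_key_variable.id).and_return private_key_variable
+authz_api.stub(:variable).with(public_key_variable.id).and_return public_key_variable
+}
+
+context "#new" do
+before { key_pair.valid? }
+context "fields" do
+subject { key_pair }
+its(:public_key) {
+authz_api.should_receive(:variable).with('public-key-variable-id').and_return public_key_variable
+should be_instance_of(Slosilo::Key)
+}
+its(:private_key) { should be_instance_of(Slosilo::Key) }
+its(:public_keyid) { should == public_key_variable.id }
+its(:private_keyid) { should == private_key_variable.id }
+end
+context "validation errors" do
+subject { key_pair.errors }
+its(:full_messages) { should == [] }
+end
+end
+
+def key_pair_role(role)
+"ci:@:key_pair/#{key_pair.id}/#{role}"
+end
+
+shared_context "saved service key_pair" do
+before {
+key_pair.stub(:create_authz_resources)
+key_pair.stub(:create_authz_roles)
+
+authz_api.should_receive(:variable).with('public-key-variable-id').and_return public_key_variable = mock(:public_key_variable)
+public_key_variable.should_receive(:resource).and_return public_key_resource = mock(:public_key_resource)
+public_key_resource.should_receive(:permit).with(:execute, key_pair_role('encrypt'))
+
+authz_api.should_receive(:variable).with('private-key-variable-id').and_return private_key_variable = mock(:private_key_variable)
+private_key_variable.should_receive(:resource).and_return private_key_resource = mock(:private_key_resource)
+private_key_resource.should_receive(:permit).with(:execute, key_pair_role('decrypt'))
+
+key_pair.save
+}
+end
+
+context "#saved" do
+include_context "saved service key_pair"
+
+subject { key_pair }
+
+let(:decrypt_role) { double(:"decrypt-role") }
+before {
+authz_api.stub(:role).with("ci:@:key_pair/#{id}/decrypt").and_return decrypt_role
+}
+let(:encrypt_role) { double(:"encrypt-role") }
+before {
+authz_api.stub(:role).with("ci:@:key_pair/#{id}/encrypt").and_return encrypt_role
+}
+
+context "group owner" do
+let(:ownerid) { "a:group:owner" }
+let(:variable_options) { { acting_as: ownerid } }
+it "should create the variable with options" do
+key_pair.should be
+end
+end
+
+context "encryption" do
+let(:message) { "the-message" }
+let(:encrypted_message) { key_pair.encrypt(message) }
+it "encrypted message should match the expected format" do
+encrypted_message.length.should == 288
+end
+context "and decryption" do
+it "round-trips successfully" do
+key_pair.decrypt(encrypted_message) == message
+end
+end
+end
+
+context "#public_json" do
+context ".keys" do
+subject { key_pair.public_json.keys }
+specify { should == [ :id, :userid, :ownerid, :resource_identifier ] }
+end
+end
+end
+end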
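Review bot: The round-trip example at line 105, `key_pair.decrypt(encrypted_message) == message`, evaluates a comparison and discards the result, so the example passes no matter what `decrypt` returns; it should read `key_pair.decrypt(encrypted_message).should == message`, matching the `should ==` style used elsewhere in the file. The only assertion the encryption context really makes is the length check at line 101, `encrypted_message.length.should == 288`, which pins an absolute ciphertext size rather than a format; the size presumably follows from the key generated by `Slosilo::Key.new` at line 3, so the example name or a comment should state which key size that number assumes, otherwise a key-size change will fail this test for an unrelated reason.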