conjur-asset-key-pair 0.2.1

Files changed (50) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +8 -0
  3. data/.project +18 -0
  4. data/.rvmrc +1 -0
  5. data/Gemfile +16 -0
  6. data/Gemfile.lock +214 -0
  7. data/MIT-LICENSE +20 -0
  8. data/README.rdoc +3 -0
  9. data/Rakefile +27 -0
  10. data/app/controllers/key_pairs_controller.rb +30 -0
  11. data/app/models/key_pair.rb +55 -0
  12. data/config/routes.rb +8 -0
  13. data/conjur-asset-key-pair.gemspec +48 -0
  14. data/db/migrate/20121219081344_slosilo_keystore.rb +1 -0
  15. data/db/migrate/20130206195553_create_random_id_functions.rb +9 -0
  16. data/db/migrate/20130513145031_create_key_pairs.rb +18 -0
  17. data/features/key_pair_create.feature +21 -0
  18. data/features/key_pair_roles.feature +46 -0
  19. data/features/support/env.rb +87 -0
  20. data/features/support/hooks.rb +22 -0
  21. data/lib/conjur-asset-key-pair-version.rb +7 -0
  22. data/lib/conjur-asset-key-pair.rb +5 -0
  23. data/lib/conjur/api/key_pairs.rb +13 -0
  24. data/lib/conjur/asset/key-pair/cucumber/key_pair_steps.rb +24 -0
  25. data/lib/conjur/asset/key-pair/cucumber/steps.rb +1 -0
  26. data/lib/conjur/asset/key-pair/engine.rb +8 -0
  27. data/lib/conjur/command/key_pairs.rb +28 -0
  28. data/lib/conjur/key-pair-api.rb +13 -0
  29. data/lib/conjur/key_pair.rb +15 -0
  30. data/spec/dummy/README.rdoc +261 -0
  31. data/spec/dummy/Rakefile +7 -0
  32. data/spec/dummy/app/controllers/application_controller.rb +2 -0
  33. data/spec/dummy/config.ru +4 -0
  34. data/spec/dummy/config/application.rb +64 -0
  35. data/spec/dummy/config/boot.rb +10 -0
  36. data/spec/dummy/config/database.yml +19 -0
  37. data/spec/dummy/config/environment.rb +5 -0
  38. data/spec/dummy/config/environments/cucumber.rb +40 -0
  39. data/spec/dummy/config/environments/development.rb +37 -0
  40. data/spec/dummy/config/environments/test.rb +38 -0
  41. data/spec/dummy/config/initializers/authenticator.rb +5 -0
  42. data/spec/dummy/config/initializers/conjur.rb +6 -0
  43. data/spec/dummy/config/locales/en.yml +5 -0
  44. data/spec/dummy/config/routes.rb +58 -0
  45. data/spec/dummy/db/schema.rb +24 -0
  46. data/spec/dummy/log/.gitkeep +0 -0
  47. data/spec/dummy/script/rails +6 -0
  48. data/spec/models/key_pair_spec.rb +117 -0
  49. data/spec/spec_helper.rb +54 -0
  50. metadata +273 -0
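--- /dev/null
+++ b/data/spec/dummy/Rakefile
@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks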
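--- /dev/null
+++ b/data/spec/dummy/app/controllers/application_controller.rb
@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::API
+end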
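--- /dev/null
+++ b/data/spec/dummy/config.ru
@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment', __FILE__)
+run Dummy::Application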
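--- /dev/null
+++ b/data/spec/dummy/config/application.rb
@@ -0,0 +1,64 @@
+require File.expand_path('../boot', __FILE__)
+
+ENV['CONJUR_ASSET_SERVICE'] = "true"
+
+# Pick the frameworks you want:
+require "sequel-rails/railtie"
+require "action_controller/railtie"
+
+Bundler.require
+
+require "conjur-asset-key-pair"
+
+module Dummy
+class Application < Rails::Application
+# Settings in config/environments/* take precedence over those specified here.
+# Application configuration should go into files in config/initializers
+# -- all .rb files in that directory are automatically loaded.
+
+# Custom directories with classes and modules you want to be autoloadable.
+# config.autoload_paths += %W(#{config.root}/extras)
+
+# Only load the plugins named here, in the order given (default is alphabetical).
+# :all can be used as a placeholder for all plugins not explicitly named.
+# config.plugins = [ :exception_notification, :ssl_requirement, :all ]
+
+# Activate observers that should always be running.
+# config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+
+# Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+# Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+# config.time_zone = 'Central Time (US & Canada)'
+
+# The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+# config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+# config.i18n.default_locale = :de
+
+# Configure the default encoding used in templates for Ruby 1.9.
+config.encoding = "utf-8"
+
+# Configure sensitive parameters which will be filtered from the log file.
+config.filter_parameters += [:password]
+
+# Enable escaping HTML in JSON.
+config.active_support.escape_html_entities_in_json = true
+
+# Use SQL instead of Active Record's schema dumper when creating the database.
+# This is necessary if your schema can't be completely dumped by the schema dumper,
+# like if you have constraints or database-specific column types
+#config.active_record.schema_format = :sql
+
+# Enforce whitelist mode for mass assignment.
+# This will create an empty whitelist of attributes available for mass-assignment for all models
+# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+# parameters by using an attr_accessible or attr_protected declaration.
+#config.active_record.whitelist_attributes = true
+
+# Enable the asset pipeline
+config.assets.enabled = true
+
+# Version of your assets, change this if you want to expire all your assets
+config.assets.version = '1.0'
+end
+end
+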
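Review bot: `config.filter_parameters += [:password]` at line 41 of this hunk is the only log filter in the dummy app, yet the engine it hosts handles RSA key material (the spec in this commit creates 'rsa-private-key' variables), so any request parameter that carries a key or PEM would reach the log unredacted. KeyPairsController is not in view, so whether such parameters exist cannot be confirmed from here; if it accepts them, add their names, e.g. `config.filter_parameters += [:password, :private_key, :key]`, taking the exact names from the controller. A comment such as `# Key material must never reach the log; keep this list in sync with KeyPairsController params` would record the intent.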
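--- /dev/null
+++ b/data/spec/dummy/config/boot.rb
@@ -0,0 +1,10 @@
+require 'rubygems'
+gemfile = File.expand_path('../../../../Gemfile', __FILE__)
+
+if File.exist?(gemfile)
+ENV['BUNDLE_GEMFILE'] = gemfile
+require 'bundler'
+Bundler.setup
+end
+
+$:.unshift File.expand_path('../../../../lib', __FILE__)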
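--- /dev/null
+++ b/data/spec/dummy/config/database.yml
@@ -0,0 +1,19 @@
+development:
+adapter: postgresql
+encoding: unicode
+database: conjur-asset-key-pair_dev
+pool: 5
+username: postgres
+password:
+
+test: &test
+adapter: postgresql
+encoding: unicode
+database: conjur-asset-key-pair_test
+pool: 5
+username: postgres
+password:
+
+cucumber:
+<<: *test
+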
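--- /dev/null
+++ b/data/spec/dummy/config/environment.rb
@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+Dummy::Application.initialize!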
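--- /dev/null
+++ b/data/spec/dummy/config/environments/cucumber.rb
@@ -0,0 +1,40 @@
+Dummy::Application.configure do
+# Settings specified here will take precedence over those in config/application.rb
+
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+config.cache_classes = true
+
+# Configure static asset server for tests with Cache-Control for performance
+config.serve_static_assets = true
+
+# Log error messages when you accidentally call methods on nil
+config.whiny_nils = true
+
+# Show full error reports and disable caching
+config.consider_all_requests_local = true
+config.action_controller.perform_caching = true
+
+# Raise exceptions instead of rendering exception templates
+config.action_dispatch.show_exceptions = false
+
+# Disable request forgery protection in test environment
+config.action_controller.allow_forgery_protection = false
+
+# Tell Action Mailer not to deliver emails to the real world.
+# The :test delivery method accumulates sent emails in the
+# ActionMailer::Base.deliveries array.
+# config.action_mailer.delivery_method = :test
+
+# Raise exception on mass assignment protection for Active Record models
+# config.active_record.mass_assignment_sanitizer = :strict
+
+# Print deprecation notices to the stderr
+config.active_support.deprecation = :stderr
+end
+
+ENV['CONJUR_AUTHN_URL'] ||= "https://authn-ci-conjur.herokuapp.com"
+ENV['CONJUR_AUTHZ_URL'] ||= "https://authz-ci-conjur.herokuapp.com"
+ENV['CONJUR_CORE_URL'] ||= "https://core-ci-conjur.herokuapp.com"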
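Review bot: `config.action_controller.perform_caching = true` at line 18 of this hunk contradicts the comment directly above it ("Show full error reports and disable caching") and differs from the otherwise identical test.rb in this commit, which sets it to false; with controller caching on, a cucumber run can report a stale response as a pass. Either change the line to `config.action_controller.perform_caching = false` or rewrite the comment to say caching is deliberately left on for this environment. The three `||=` fallbacks at the end silently send the suite to hosted CI endpoints whenever the CONJUR_*_URL variables are unset; a comment such as `# Fallback CI endpoints; export CONJUR_AUTHN_URL/CONJUR_AUTHZ_URL/CONJUR_CORE_URL to target another deployment` would make that visible to whoever runs the features locally.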
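--- /dev/null
+++ b/data/spec/dummy/config/environments/development.rb
@@ -0,0 +1,37 @@
+Dummy::Application.configure do
+# Settings specified here will take precedence over those in config/application.rb
+
+# In the development environment your application's code is reloaded on
+# every request. This slows down response time but is perfect for development
+# since you don't have to restart the web server when you make code changes.
+config.cache_classes = false
+
+# Log error messages when you accidentally call methods on nil.
+config.whiny_nils = true
+
+# Show full error reports and disable caching
+config.consider_all_requests_local = true
+config.action_controller.perform_caching = false
+
+# Don't care if the mailer can't send
+# config.action_mailer.raise_delivery_errors = false
+
+# Print deprecation notices to the Rails logger
+config.active_support.deprecation = :log
+
+# Only use best-standards-support built into browsers
+config.action_dispatch.best_standards_support = :builtin
+
+# Raise exception on mass assignment protection for Active Record models
+#config.active_record.mass_assignment_sanitizer = :strict
+
+# Log the query plan for queries taking more than this (works
+# with SQLite, MySQL, and PostgreSQL)
+#config.active_record.auto_explain_threshold_in_seconds = 0.5
+
+# Do not compress assets
+config.assets.compress = false
+
+# Expands the lines which load the assets
+config.assets.debug = true
+end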
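--- /dev/null
+++ b/data/spec/dummy/config/environments/test.rb
@@ -0,0 +1,38 @@
+Dummy::Application.configure do
+# Settings specified here will take precedence over those in config/application.rb
+
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+config.cache_classes = true
+
+# Configure static asset server for tests with Cache-Control for performance
+config.serve_static_assets = true
+config.static_cache_control = "public, max-age=3600"
+
+# Log error messages when you accidentally call methods on nil
+config.whiny_nils = true
+
+# Show full error reports and disable caching
+config.consider_all_requests_local = true
+config.action_controller.perform_caching = false
+
+# Raise exceptions instead of rendering exception templates
+config.action_dispatch.show_exceptions = false
+
+# Disable request forgery protection in test environment
+config.action_controller.allow_forgery_protection = false
+
+# Tell Action Mailer not to deliver emails to the real world.
+# The :test delivery method accumulates sent emails in the
+# ActionMailer::Base.deliveries array.
+#config.action_mailer.delivery_method = :test
+
+# Raise exception on mass assignment protection for Active Record models
+#config.active_record.mass_assignment_sanitizer = :strict
+
+# Print deprecation notices to the stderr
+config.active_support.deprecation = :stderr
+end
+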
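--- /dev/null
+++ b/data/spec/dummy/config/initializers/authenticator.rb
@@ -0,0 +1,5 @@
+require 'authable/rack/authenticator'
+
+Dummy::Application.config.middleware.use Authable::Rack::Authenticator
+
+ENV['DUMMY_SLOSILO_KEY'] = "FuMJAe21j/JPQFjm+9WxQTsjwR/WB6Az3GIqC8dYRnw="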
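Review bot: The last line of this hunk hard-codes Slosilo key material into an initializer that ships inside the published gem, and it uses plain assignment, so a key supplied through the environment is silently overwritten at boot. Since the literal is now public it has to be treated as a throwaway fixture, which the file does not say; precede the line with `# Test-only fixture key for the dummy app; never reuse it outside these specs` and let the environment take precedence with `ENV['DUMMY_SLOSILO_KEY'] ||= "<existing test fixture key>"`, keeping the existing literal as the fallback. Whether Authable::Rack::Authenticator reads this variable cannot be confirmed from the hunk; if it does, the comment should name it as the consumer.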
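--- /dev/null
+++ b/data/spec/dummy/config/initializers/conjur.rb
@@ -0,0 +1,6 @@
+ENV['CONJUR_ACCOUNT'] ||= 'ci'
+
+def conjur_account
+ENV['CONJUR_ACCOUNT']
+end
+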
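Review bot: `def conjur_account` at line 3 of this hunk is defined at the top level of an initializer, which installs it as a private method on Object and so on every object in the dummy app, with nothing documenting who is meant to call it. Its callers are outside this hunk, so the name may be a contract the engine relies on; if it is, a comment such as `# Top-level helper expected by the key-pair engine; returns the Conjur account the dummy app runs under` would say so, and if it is not, a scoped module function would be the cleaner home.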
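--- /dev/null
+++ b/data/spec/dummy/config/locales/en.yml
@@ -0,0 +1,5 @@
+# Sample localization file for English. Add more files in this directory for other locales.
+# See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points.
+
+en:
+hello: "Hello world"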
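--- /dev/null
+++ b/data/spec/dummy/config/routes.rb
@@ -0,0 +1,58 @@
+Dummy::Application.routes.draw do
+# The priority is based upon order of creation:
+# first created -> highest priority.
+
+# Sample of regular route:
+# match 'products/:id' => 'catalog#view'
+# Keep in mind you can assign values other than :controller and :action
+
+# Sample of named route:
+# match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
+# This route can be invoked with purchase_url(:id => product.id)
+
+# Sample resource route (maps HTTP verbs to controller actions automatically):
+# resources :products
+
+# Sample resource route with options:
+# resources :products do
+# member do
+# get 'short'
+# post 'toggle'
+# end
+#
+# collection do
+# get 'sold'
+# end
+# end
+
+# Sample resource route with sub-resources:
+# resources :products do
+# resources :comments, :sales
+# resource :seller
+# end
+
+# Sample resource route with more complex sub-resources
+# resources :products do
+# resources :comments
+# resources :sales do
+# get 'recent', :on => :collection
+# end
+# end
+
+# Sample resource route within a namespace:
+# namespace :admin do
+# # Directs /admin/products/* to Admin::ProductsController
+# # (app/controllers/admin/products_controller.rb)
+# resources :products
+# end
+
+# You can have the root of your site routed with "root"
+# just remember to delete public/index.html.
+# root :to => 'welcome#index'
+
+# See how all your routes lay out with "rake routes"
+
+# This is a legacy wild controller route that's not recommended for RESTful applications.
+# Note: This route will make all actions in every controller accessible via GET requests.
+# match ':controller(/:action(/:id))(.:format)'
+end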
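--- /dev/null
+++ b/data/spec/dummy/db/schema.rb
@@ -0,0 +1,24 @@
+Sequel.migration do
+change do
+create_table(:schema_migrations) do
+column :filename, "text", :null=>false
+
+primary_key [:filename]
+end
+
+create_table(:secrets) do
+primary_key :id
+column :userid, "text", :null=>false
+column :ownerid, "text", :null=>false
+column :key, "bytea", :null=>false
+column :created_at, "timestamp without time zone", :default=>Sequel::CURRENT_TIMESTAMP, :null=>false
+end
+
+create_table(:slosilo_keystore) do
+column :id, "text", :null=>false
+column :key, "bytea", :null=>false
+
+primary_key [:id]
+end
+end
+end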
File without changes
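--- /dev/null
+++ b/data/spec/dummy/script/rails
@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application', __FILE__)
+require File.expand_path('../../config/boot', __FILE__)
+require 'rails/commands'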
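--- /dev/null
+++ b/data/spec/models/key_pair_spec.rb
@@ -0,0 +1,117 @@
+require 'spec_helper'
+
+KEY_PAIR_KEY = Slosilo::Key.new
+
+describe KeyPair do
+include_context "mock authz"
+include_context "current user"
+
+before {
+KeyPair.unrestrict_primary_key
+}
+
+let(:id) { KeyPair.model.db["SELECT crockford(pri_nextval('key_pairs_id_seq'::regclass))"].first.values[0] }
+let(:ownerid) { nil }
+let(:key_pair) {
+params = { id: id, userid: userid }
+params[:ownerid] = ownerid if ownerid
+KeyPair.new(params)
+}
+let(:private_key_variable) { mock(:private_key_variable, id: 'private-key-variable-id', value: KEY_PAIR_KEY.key.to_pem) }
+let(:public_key_variable) { mock(:public_key_variable, id: 'public-key-variable-id', value: KEY_PAIR_KEY.key.public_key.to_pem) }
+let(:variable_options) { {} }
+
+before {
+Slosilo::Key.stub(:new).and_return KEY_PAIR_KEY
+
+authz_api.should_receive(:create_variable).with('application/x-pem-file', 'rsa-private-key', variable_options).and_return private_key_variable
+private_key_variable.should_receive(:add_value).with(KEY_PAIR_KEY.key.to_pem)
+authz_api.should_receive(:create_variable).with('application/x-pem-file', 'rsa-public-key', variable_options).and_return public_key_variable
+public_key_variable.should_receive(:add_value).with(KEY_PAIR_KEY.key.public_key.to_pem)
+
+authz_api.stub(:variable).with(private_key_variable.id).and_return private_key_variable
+authz_api.stub(:variable).with(public_key_variable.id).and_return public_key_variable
+}
+
+context "#new" do
+before { key_pair.valid? }
+context "fields" do
+subject { key_pair }
+its(:public_key) {
+authz_api.should_receive(:variable).with('public-key-variable-id').and_return public_key_variable
+should be_instance_of(Slosilo::Key)
+}
+its(:private_key) { should be_instance_of(Slosilo::Key) }
+its(:public_keyid) { should == public_key_variable.id }
+its(:private_keyid) { should == private_key_variable.id }
+end
+context "validation errors" do
+subject { key_pair.errors }
+its(:full_messages) { should == [] }
+end
+end
+
+def key_pair_role(role)
+"ci:@:key_pair/#{key_pair.id}/#{role}"
+end
+
+shared_context "saved service key_pair" do
+before {
+key_pair.stub(:create_authz_resources)
+key_pair.stub(:create_authz_roles)
+
+authz_api.should_receive(:variable).with('public-key-variable-id').and_return public_key_variable = mock(:public_key_variable)
+public_key_variable.should_receive(:resource).and_return public_key_resource = mock(:public_key_resource)
+public_key_resource.should_receive(:permit).with(:execute, key_pair_role('encrypt'))
+
+authz_api.should_receive(:variable).with('private-key-variable-id').and_return private_key_variable = mock(:private_key_variable)
+private_key_variable.should_receive(:resource).and_return private_key_resource = mock(:private_key_resource)
+private_key_resource.should_receive(:permit).with(:execute, key_pair_role('decrypt'))
+
+key_pair.save
+}
+end
+
+context "#saved" do
+include_context "saved service key_pair"
+
+subject { key_pair }
+
+let(:decrypt_role) { double(:"decrypt-role") }
+before {
+authz_api.stub(:role).with("ci:@:key_pair/#{id}/decrypt").and_return decrypt_role
+}
+let(:encrypt_role) { double(:"encrypt-role") }
+before {
+authz_api.stub(:role).with("ci:@:key_pair/#{id}/encrypt").and_return encrypt_role
+}
+
+context "group owner" do
+let(:ownerid) { "a:group:owner" }
+let(:variable_options) { { acting_as: ownerid } }
+it "should create the variable with options" do
+key_pair.should be
+end
+end
+
+context "encryption" do
+let(:message) { "the-message" }
+let(:encrypted_message) { key_pair.encrypt(message) }
+it "encrypted message should match the expected format" do
+encrypted_message.length.should == 288
+end
+context "and decryption" do
+it "round-trips successfully" do
+key_pair.decrypt(encrypted_message) == message
+end
+end
+end
+
+context "#public_json" do
+context ".keys" do
+subject { key_pair.public_json.keys }
+specify { should == [ :id, :userid, :ownerid, :resource_identifier ] }
+end
+end
+end
+end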
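Review bot: The "round-trips successfully" example at lines 104-106 of this hunk never asserts anything: `key_pair.decrypt(encrypted_message) == message` evaluates to a boolean that is discarded, so the example passes even if decryption returns the wrong plaintext, which is the one property this spec exists to check. Change it to `key_pair.decrypt(encrypted_message).should == message`, matching the `should` style used throughout the file. The sibling example `encrypted_message.length.should == 288` pins the ciphertext length to a value that depends on whatever key size Slosilo::Key.new picks at line 3, which this file does not fix; a comment stating which key size and envelope layout yield 288 bytes would make that expectation checkable rather than magic.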