conjur-asset-ui-api 1.1.0

data/lib/conjur/webserver/api_proxy.rb

@@ -0,0 +1,94 @@
+module Conjur
+  module WebServer
+    require 'rack/streaming_proxy'
+    
+    class APIProxy < Rack::StreamingProxy::Proxy
+
+      class Request < Rack::StreamingProxy::Request
+        def initialize env
+          path = env["PATH_INFO"]
+
+          path =~ /^\/([^\/]+)(.*)/
+          app = $1
+          path_remainder = $2
+
+          new_url = case app
+          when 'authn', 'authz', 'audit', 'pubkeys'
+            [ Conjur.configuration.send("#{app}_url"), path_remainder ].join
+          else
+            [ Conjur.configuration.send("core_url"), path ].join
+          end
+          if query = env["QUERY_STRING"]
+            new_url = [ new_url, query ].join('?')
+          end
+
+          super new_url.to_s, Rack::Request.new(env)
+        end
+      end
+
+      Rack::StreamingProxy::Proxy.set_default_configuration
+
+      def initialize
+        super nil
+      end
+
+      def call env
+        request = Request.new(env)
+        request.http_request['Authorization'] = authorization_header
+        response = Rack::StreamingProxy::Session.new(request).start
+        rewrite_response(env, response.status, response.headers, response)
+      end
+
+      def rewrite_response(*args)
+        env, status, headers, body = args
+        
+        source_request = Rack::Request.new(env)
+
+        headers = Hash[*headers.flat_map { |k, v| [capitalize_header(k), v] }]
+        headers.delete 'Transfer-Encoding' # let Puma handle chunking
+    
+        # Rewrite location
+        if location = headers["Location"]
+          headers["Location"] = location.gsub(Conjur.configuration.service_url, "http://#{source_request.host}:#{source_request.port}")
+        end
+        
+        [ status, headers, body ]
+      end
+      
+      protected
+      
+      def authorization_header
+        require 'conjur/authn'
+        require 'base64'
+        token = Conjur::Authn.authenticate
+        "Token token=\"#{Base64.strict_encode64(token.to_json)}\""
+      end
+      
+      def perform_request(env)
+        triplet = super(env)
+        [ env ] + triplet
+      end
+
+      private
+
+      def capitalize_header hdr
+        hdr.split('-').map(&:capitalize).join('-')
+      end
+    end
+  end
+end
+
+# Rack::StreamingProxy by default doesn't handle closing, which leads to stale
+# (but still running) connections. Handle the close by quitting the child
+# (it will close connection with upstream automatically).
+class Rack::StreamingProxy::Response
+  def initialize piper
+    @piper = piper
+    @client_http_version = '1.0'
+    receive
+  end
+
+  def close
+    @piper.signal :QUIT
+  end
+end

data/lib/conjur/webserver/audit_stream.rb

@@ -0,0 +1,92 @@
+require 'eventmachine'
+require 'conjur/audit/humanizer'
+require 'conjur/audit/tableizer'
+
+module Conjur
+  module WebServer
+    class AuditStream
+      include Conjur::Audit::Humanizer
+      include Conjur::Audit::Tableizer
+      
+      class Body
+        include EM::Deferrable
+        def write chunk
+          @callable.call chunk
+        end
+        def each &block
+          @callable = block
+        end
+      end
+      
+      HEADERS = {
+        "Content-Type"  => "text/event-stream",
+        "Connection"    => "keepalive",
+        "Cache-Control" => "no-cache, no-store"
+      }
+      
+      def call env
+        body = Body.new
+        stream_events(env) do |events|
+          write_events body, events
+        end
+        [200, HEADERS, body]
+      end
+      
+      def stream_events env, &block
+        # This could be a lot more "EventMachineish" by using for example
+        # EM::HttpRequest, but putting it in the thread pool should be
+        # good enough for our purposes.
+        EM.defer do
+          follower = Conjur::Audit::Follower.new{|opts| fetch_events(env, opts)}
+          follower.filter{|e| self_event?(env, e)} unless show_self_events?(env)
+          follower.follow &block
+        end
+      end
+      
+      # Returns true if this looks like a permission check performed by the
+      # audit service
+      def self_event? env, e
+        e['action'] == 'check' && e['asset'] == 'resource' && e['conjur_role'] == e['role'] && e['role'] == env['conjur.roleid']
+      end
+      
+      def show_self_events? env
+        !!Rack::Request.new(env).params['self']
+      end
+      
+      # Returns [kind, id]
+      def parse_path env
+        path = env["SCRIPT_NAME"] + env["PATH_INFO"]
+        %r{^/api/audit/stream/(.*?)(?:/(.*))?$} =~ path
+        [$1, $2]
+      end
+
+      def fetch_events env, options
+        kind, id = parse_path env
+        args = if kind == 'role' && id.nil?
+          [:audit_current_role, options] 
+        else
+          [:"audit_#{kind}", id, options]
+        end
+        format = Rack::Request.new(env).params['format'] || 'string'
+        format_method = case format
+        when 'table'
+          :tableize
+        else
+          :humanize
+        end
+        api.send(*args).each {|e| send(format_method, e)}
+      end
+      
+      def write_events body, events
+        events.each do |e|
+          body.write "id: #{e['event_id']}\n"
+          body.write "data: #{JSON.generate e}\n\n"
+        end
+      end
+      
+      def api
+        Conjur::API.new_from_token Conjur::Authn.authenticate
+      end
+    end
+  end
+end

data/lib/conjur/webserver/authorize.rb

@@ -0,0 +1,28 @@
+module Conjur
+  module WebServer
+    # Verifies that the request contains the authorization token, and then strips it.
+    class Authorize
+      attr_reader :app, :sessionid
+      
+      def initialize(app, sessionid)
+        @app = app
+        @sessionid = sessionid
+      end
+      
+      def call(env)
+        if token_valid?(env)
+          @app.call env
+        else
+          [403, {}, ["Authorization is missing or invalid"]]
+        end
+      end
+      
+      protected
+      
+      def token_valid?(env)
+        request = Rack::Request.new(env)
+        request.session[:sessionid] == sessionid
+      end
+    end
+  end
+end

data/lib/conjur/webserver/conjur_info.rb

@@ -0,0 +1,33 @@
+module Conjur
+  module WebServer
+    # Middleware that adds some conjur info to the rack environment
+    class ConjurInfo
+      def initialize app
+        @app = app
+      end
+      
+      def call env
+        update_env env
+        @app.call env
+      end
+      
+      def update_env env
+        PROPERTIES.each{|name| env["conjur.#{name}"] = send(name)}
+      end
+      
+      PROPERTIES = %w(roleid account stack)
+      
+      def roleid
+        "#{account}:user:#{Conjur::Authn.get_credentials[0]}"
+      end
+      
+      def account
+        Conjur.account
+      end
+      
+      def stack
+        Conjur.stack
+      end
+    end
+  end
+end

data/lib/conjur/webserver/home.rb

@@ -0,0 +1,36 @@
+require 'time'
+require 'rack/utils'
+require 'rack/mime'
+
+module Conjur
+  module WebServer
+    class Home
+      F = ::File
+      
+      def initialize(root)
+        @root = root
+      end
+      
+      # From Rack::File
+      def call(env)
+        path = File.expand_path("index.html", @root)
+
+        if env["REQUEST_METHOD"] == "OPTIONS"
+                return [200, {'Allow' => ALLOW_HEADER, 'Content-Length' => '0'}, []]
+        end
+        last_modified = F.mtime(path).httpdate
+        return [304, {}, []] if env['HTTP_IF_MODIFIED_SINCE'] == last_modified
+
+        size = F.size?(path) || Rack::Utils.bytesize(F.read(path))
+  
+        headers = { 
+          "Last-Modified"  => last_modified,
+          "Content-Type"   => "text/html",
+          "Content-Length" => size.to_s
+        }
+  
+        [ 200, headers, env["REQUEST_METHOD"] == "HEAD" ? [] : [ F.read(path) ] ]
+      end
+    end
+  end
+end

data/lib/conjur/webserver/login.rb

@@ -0,0 +1,50 @@
+
+module Conjur
+  module WebServer
+    class Login
+      attr_reader :sessionid
+      
+      def initialize(sessionid)
+        @sessionid = sessionid
+      end
+      
+      def call(env)
+        if sessionid = token_valid?(env)
+          env["rack.session"][:sessionid] = sessionid
+          response = Rack::Response.new(env)
+          configuration = {
+            account: Conjur.configuration.account,
+            stack: Conjur.configuration.stack,
+            appliance_url: Conjur.configuration.appliance_url,
+            login: Conjur::Authn.get_credentials[0]
+          }
+          response.status = 302
+          response.set_cookie('conjur_configuration', value: JSON.pretty_generate(configuration), path: '/')
+          response['Location'] = "/ui"
+          response.finish
+        else
+          [ 403, {}, ["Authorization is missing or invalid"] ]
+        end
+      end
+      
+      protected
+      
+      def token_valid?(env)
+        token = extract_token(env)
+        if token == sessionid
+          sessionid
+        else
+          nil
+        end
+      end
+      
+      def extract_token(env)
+        require 'cgi'
+        require 'uri'
+        query = URI.parse(env['REQUEST_URI']).query
+        query && ( sessionid = CGI.parse(query)['sessionid'] ) && sessionid[0]
+      end
+    end
+  end
+end
+

data/lib/conjur/webserver/server.rb

@@ -0,0 +1,111 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+module Conjur
+  module WebServer
+    # Launch a web server which serves local files and proxies to the remote Conjur API.
+    class Server
+      def start(root)
+        require 'rack'
+        require 'conjur/webserver/login'
+        require 'conjur/webserver/authorize'
+        require 'conjur/webserver/api_proxy'
+        require 'conjur/webserver/home'
+        require 'conjur/webserver/conjur_info'
+        require 'pry'
+
+        sessionid = self.sessionid
+        cookie_options = {
+          secret: SecureRandom.hex(32),
+          expire_after: 24*60*60
+        }
+
+        api_stack = [
+          [Rack::Session::Cookie, cookie_options],
+          #[Conjur::WebServer::Authorize, sessionid],
+          [Conjur::WebServer::ConjurInfo]
+        ]
+
+        app = Rack::Builder.app do
+          map "/login" do
+            use Rack::Session::Cookie, cookie_options
+            run Conjur::WebServer::Login.new sessionid
+          end
+          map "/api" do
+            api_stack.each{|args| use *args}
+            run Conjur::WebServer::APIProxy.new
+          end
+          %w(js css fonts images).each do |path|
+            map "/#{path}" do
+              run Rack::File.new(File.join(root, path), 'Cache-Control' => 'max-age=0')
+            end
+          end
+          map "/ui" do
+            run Conjur::WebServer::Home.new(root)
+          end
+        end
+        options = {
+          app:  app,
+          Port: port,
+          Threads: '0:64',
+          Verbose: true
+        }
+
+        # this vivifies the env for correct url settings
+        # otherwise puma sets it to development and
+        # confusion ensues
+        Conjur.configuration.env
+
+        Rack::Server.start(options)
+      end
+      
+      def open
+        require 'launchy'
+        url = "http://localhost:#{port}/login?sessionid=#{sessionid}"
+        # as launchy sometimes silently fails, we need human-friendly failover
+        $stderr.puts "UI should be available now at #{url}" 
+        Launchy.open(url)
+      end
+      
+      protected
+      
+      def port
+        @port ||= find_available_port
+      end
+
+      DEFAULT_PORT = 42_289
+      
+      def find_available_port
+        begin
+          server = TCPServer.new('127.0.0.1', 0)
+          server.addr[1]
+        ensure
+          server.close if server
+        end
+      end
+      
+      def sessionid
+        require 'securerandom'
+        @sessionid ||= SecureRandom.hex(32)
+      end
+    end
+  end
+end