conjur-rack 1.4.0 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 90340dd3a8dbc2f410a43b66ef10d010e76a9ffd
-  data.tar.gz: 9cc5f13b006ac102df5a28b65da08e7f3a7ef6dd
+SHA256:
+  metadata.gz: bc0ff03755a64c04c14e15a5648c01484872315ac6e04904815ed93a115a569e
+  data.tar.gz: e7fd818c8efff7d6037c632117d8f73e021c185ebf5bebc08feeae75e88d72e7
 SHA512:
-  metadata.gz: 9223bfe5621080f8b9dba63e2de5593e2f6e44d2ad34d3beb60c8447a0ff8340eae3d1530420975052cfcbe6d26a66e2bbc5c8a1737f0019a2ee437c0fe458a3
-  data.tar.gz: 58042ba2ee61e535da72b1395ab7f48e1a873d8fba78fdc0ac1ab1a01a15b3dda63e7ba78fe83a550876c180238fbe5d38917d50f5c0485cf8dba1f42bfdbb67
+  metadata.gz: 55a29ba4ee7e25e26514298c780c77a779252168419b516efc238af619a58a809faea7ba2664130876a43ad3d74929394f473532054c6b83dc16651f7141291b
+  data.tar.gz: e27d9e5cb3e26bbf5bef707dfb51e1509b1957f9a26a54b12467e046160f3097e6a776247f308364a8f5a7a8dd904e02f8a00d112c24c81c7ef2772cc0c3402c

data/CHANGELOG.md

@@ -1,3 +1,47 @@
+# unreleased version
+
+# v5.0.0
+
+* Support Ruby 3.
+* Bump `slosilo` to v3.0 with ruby 3.
+* Remove pinned `bundler` version, use default system bundler.
+
+# v4.2.0
+
+* Bump `slosilo` to v2.2 in order to be FIPS compliant
+
+# v4.0.0
+
+* Bump `rack` to v2, `bundler` to v1.16 in gemspec
+* Add Jenkinsfile to project
+* Ignore headers such as Conjur-Privilege or Conjur-Audit if they're not
+supported by the API (instead of erroring out).
+
+# v3.1.0
+
+* Support for JWT Slosilo tokens.
+
+# v3.0.0.pre
+
+* Initial support for Conjur 5.
+
+# v2.3.0
+
+* Add TRUSTED_PROXIES support
+
+# v2.2.0
+
+* resolve 'own' token to CONJUR_ACCOUNT env var
+* add #optional paths to Conjur::Rack authenticator
+
+# v2.1.0
+
+* Add handling for `Conjur-Audit-Roles` and `Conjur-Audit-Resources`
+
+# v2.0.0
+
+* Change `global_sudo?` to `global_elevate?`
+
 # v1.4.0
 
 * Add `validated_global_privilege` helper function to get the global privilege, if any, which has been submitted with the request and verified by the Conjur server.

data/CONTRIBUTING.md

@@ -0,0 +1,16 @@
+# Contributing
+  
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing Workflow
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!

data/Gemfile

@@ -1,6 +1,12 @@
 source 'https://rubygems.org'
 
+# make sure github uses TLS
+git_source(:github) { |name| "https://github.com/#{name}.git" }
+
+#ruby=ruby-3.0
+#ruby-gemset=conjur-rack
+
 # Specify your gem's dependencies in conjur-rack.gemspec
 gemspec
 
-gem 'conjur-api', github: 'conjurinc/api-ruby', branch: 'master'
+# gem 'conjur-api', github: 'cyberark/conjur-api-ruby', branch: 'master'

data/Jenkinsfile

@@ -0,0 +1,63 @@
+pipeline {
+  agent { label 'executor-v2' }
+
+  options {
+    timestamps()
+    buildDiscarder(logRotator(daysToKeepStr: '30'))
+  }
+
+  stages {
+    stage('Run tests') {
+      steps {
+        sh './test.sh'
+
+        junit 'spec/reports/*.xml'
+      }
+    }
+
+    // Only publish to RubyGems if the HEAD is
+    // tagged with the same version as in version.rb
+    stage('Publish to RubyGems') {
+      agent { label 'executor-v2' }
+
+      when {
+        expression { currentBuild.resultIsBetterOrEqualTo('SUCCESS') }
+        branch "master"
+        expression {
+          def exitCode = sh returnStatus: true, script: ''' set +x
+            echo "Determining if publishing is requested..."
+            
+            VERSION=`cat lib/conjur/rack/version.rb | grep VERSION | sed 's/.* "//;s/"//'`
+            echo Declared version: $VERSION
+            
+            # Jenkins git plugin is broken and always fetches with `--no-tags`
+            # (or `--tags`, neither of which is what you want), so tags end up
+            # not being fetched. Try to fix that.
+            # (Unfortunately this fetches all remote heads, so we may have to find          
+            # another solution for bigger repos.)
+            git fetch -q
+            
+            # note when tag not found git rev-parse will just print its name
+            TAG=`git rev-list -n 1 "v$VERSION" 2>/dev/null || :`
+            echo Tag v$VERSION: $TAG
+            
+            HEAD=`git rev-parse HEAD`
+            echo HEAD: $HEAD
+            
+            test "$HEAD" = "$TAG"
+          '''
+          return exitCode == 0
+        }
+      }
+      steps {
+        sh './publish.sh'
+      }
+    }
+  }
+
+  post {
+    always {
+      cleanupAndNotify(currentBuild.currentResult)
+    }
+  }
+}

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2013 Kevin Gilpin
+Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
 
 MIT License
 

data/README.md

@@ -22,8 +22,6 @@ TODO: Write usage instructions here
 
 ## Contributing
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+We welcome contributions of all kinds to this repository. For instructions on
+how to get started and descriptions of our development workflows, please see our
+[contributing guide](CONTRIBUTING.md).

data/conjur-rack.gemspec

@@ -18,12 +18,15 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "slosilo"
-  spec.add_dependency "conjur-api", ">= 4.17"
-  spec.add_dependency "rack"
-
-  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_dependency "slosilo", "~> 3.0"
+  spec.add_dependency "conjur-api", "< 6"
+  spec.add_dependency "rack", "~> 2"
+  
   spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec", ">=2.9", "<3.0"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "activesupport", "< 7"
   spec.add_development_dependency 'ci_reporter_rspec'
+  spec.add_development_dependency 'pry-byebug'
+  spec.add_development_dependency 'rspec-its'
+
 end

data/lib/conjur/rack/authenticator.rb

@@ -2,36 +2,51 @@ require "conjur/rack/user"
 
 module Conjur
   module Rack
-    def self.identity?
-      !Thread.current[:conjur_rack_identity].nil?
-    end
-    
-    def self.user
-      User.new(identity[0], identity[1], privilege, remote_ip)
-    end
-    
-    def self.identity
-      Thread.current[:conjur_rack_identity] or raise "No Conjur identity for current request"
-    end
-    
-    def self.privilege
-      Thread.current[:conjur_rack_privilege]
-    end
-    
-    def self.remote_ip
-      Thread.current[:conjur_rack_remote_ip]
+
+    class << self
+      def conjur_rack
+        Thread.current[:conjur_rack] ||= {}
+      end
+
+      def identity?
+        !conjur_rack[:identity].nil?
+      end
+      
+      def user
+        User.new(identity[0], identity[1], 
+          :privilege => privilege, 
+          :remote_ip => remote_ip, 
+          :audit_roles => audit_roles, 
+          :audit_resources => audit_resources
+          )
+      end
+      
+      def identity
+        conjur_rack[:identity] or raise "No Conjur identity for current request"
+      end
+
+      # class attributes
+      [:privilege, :remote_ip, :audit_roles, :audit_resources].each do |a|
+        define_method(a) do
+          conjur_rack[a]
+        end
+      end
     end
+
   
     class Authenticator
       class AuthorizationError < SecurityError
       end
       class SignatureError < SecurityError
       end
+      class Forbidden < SecurityError
+      end
       
       attr_reader :app, :options
       
       # +options+:
-      # :except :: a list of request path patterns for which to skip authentication
+      # :except :: a list of request path patterns for which to skip authentication.
+      # :optional :: request path patterns for which authentication is optional.
       def initialize app, options = {}
         @app = app
         @options = options
@@ -39,10 +54,13 @@ module Conjur
 
       # threadsafe accessors, values are established explicitly below
       def env; Thread.current[:rack_env] ; end
-      def token; Thread.current[:conjur_rack_token] ; end
-      def account; Thread.current[:conjur_rack_account]; end
-      def privilege; Thread.current[:conjur_rack_privilege]; end
-      def remote_ip; Thread.current[:conjur_rack_remote_ip]; end
+
+      # instance attributes
+      [:token, :account, :privilege, :remote_ip, :audit_roles, :audit_resources].each do |a|
+        define_method(a) do
+          conjur_rack[a]
+        end
+      end
  
       def call rackenv
         # never store request-specific variables as application attributes 
@@ -50,13 +68,19 @@ module Conjur
         if authenticate?
           begin
             identity = verify_authorization_and_get_identity # [token, account]
-             
-            Thread.current[:conjur_rack_token] = identity[0]
-            Thread.current[:conjur_rack_account] = identity[1]
-            Thread.current[:conjur_rack_identity] = identity
-            Thread.current[:conjur_rack_privilege] = conjur_privilege
-            Thread.current[:conjur_rack_remote_ip] = remote_ip
+            
+            if identity
+              conjur_rack[:token] = identity[0]
+              conjur_rack[:account] = identity[1]
+              conjur_rack[:identity] = identity
+              conjur_rack[:privilege] = http_privilege
+              conjur_rack[:remote_ip] = http_remote_ip
+              conjur_rack[:audit_roles] = http_audit_roles
+              conjur_rack[:audit_resources] = http_audit_resources
+            end
 
+          rescue Forbidden
+            return error 403, $!.message
           rescue SecurityError, RestClient::Exception
             return error 401, $!.message
           end
@@ -65,61 +89,108 @@ module Conjur
           @app.call rackenv
         ensure
           Thread.current[:rack_env] = nil
-          Thread.current[:conjur_rack_identity] = nil
-          Thread.current[:conjur_rack_token] = nil
-          Thread.current[:conjur_rack_account] = nil
-          Thread.current[:conjur_rack_privilege] = nil
-          Thread.current[:conjur_rack_remote_ip] = nil
+          Thread.current[:conjur_rack] = {}
         end
       end
       
       protected
       
+      def conjur_rack
+        Conjur::Rack.conjur_rack
+      end
+
       def validate_token_and_get_account token
-        failure = SignatureError.new("Unathorized: Invalid token")
+        failure = SignatureError.new("Unauthorized: Invalid token")
         raise failure unless (signer = Slosilo.token_signer token)
-        raise failure unless signer =~ /\Aauthn:(.+)\z/
-        return $1
+        if signer == 'own'
+          ENV['CONJUR_ACCOUNT'] or raise failure
+        else
+          raise failure unless signer =~ /\Aauthn:(.+)\z/
+          $1
+        end
       end
       
       def error status, message
         [status, { 'Content-Type' => 'text/plain', 'Content-Length' => message.length.to_s }, [message] ]
       end
+
+      def parsed_token
+        token = http_authorization.to_s[/^Token token="(.*)"/, 1]
+        token = token && JSON.parse(Base64.decode64(token))
+        token = Slosilo::JWT token rescue token
+      rescue JSON::ParserError
+        raise AuthorizationError.new("Malformed authorization token")
+      end
       
+      RECOGNIZED_CLAIMS = [
+        'iat', 'exp', # recognized by Slosilo
+        'cidr', 'sub',
+        'iss', 'aud', 'jti' # RFC 7519, not handled but recognized
+      ].freeze
+
       def verify_authorization_and_get_identity
-        if authorization.to_s[/^Token token="(.*)"/]
-          token = JSON.parse(Base64.decode64($1))
-          account = validate_token_and_get_account(token)
-          return [token, account]
+        if token = parsed_token
+          begin
+            account = validate_token_and_get_account token
+            if token.respond_to?(:claims)
+              claims = token.claims
+              raise AuthorizationError, "token contains unrecognized claims" unless \
+                  (claims.keys.map(&:to_s) - RECOGNIZED_CLAIMS).empty?
+              if (cidr = claims['cidr'])
+                raise Forbidden, "IP address rejected" unless \
+                    cidr.map(&IPAddr.method(:new)).any? { |c| c.include? http_remote_ip }
+              end
+            end
+            return [token, account]
+          end
         else
-          raise AuthorizationError.new("Authorization missing")
+          path = http_path
+          if optional_paths.find{|p| p.match(path)}.nil?
+            raise AuthorizationError.new("Authorization missing")
+          else
+            nil
+          end
         end
       end
       
       def authenticate?
+        path = http_path
         if options[:except]
           options[:except].find{|p| p.match(path)}.nil?
         else
           true
         end
       end
-
-      def conjur_privilege
-        env['HTTP_X_CONJUR_PRIVILEGE']
-      end
       
-      def authorization
+      def optional_paths
+        options[:optional] || []
+      end
+
+      def http_authorization
         env['HTTP_AUTHORIZATION']
       end
-      
-      def remote_ip
+
+      def http_privilege
+        env['HTTP_X_CONJUR_PRIVILEGE']
+      end
+
+      def http_remote_ip
         require 'rack/request'
         ::Rack::Request.new(env).ip
       end
-      
-      def path
+
+      def http_audit_roles
+        env['HTTP_CONJUR_AUDIT_ROLES']
+      end
+
+      def http_audit_resources
+        env['HTTP_CONJUR_AUDIT_RESOURCES']
+      end
+
+      def http_path
         [ env['SCRIPT_NAME'], env['PATH_INFO'] ].join
       end
+
     end
   end
 end

data/lib/conjur/rack/user.rb

@@ -2,25 +2,32 @@ require 'conjur/api'
 
 module Conjur
   module Rack
+    # Token data can be a string (which is the user login), or a Hash.
+    # If it's a hash, it should contain the user login keyed by the string 'login'.
+    # The rest of the payload is available as +attributes+.
     class User
-      attr_accessor :token, :account, :privilege, :remote_ip
+      attr_reader :token, :account, :privilege, :remote_ip, :audit_roles, :audit_resources
       
-      def initialize(token, account, privilege = nil, remote_ip = nil)
+      def initialize(token, account, options = {})
         @token = token
         @account = account
-        @privilege = privilege
-        @remote_ip = remote_ip
+        # Third argument used to be the name of privilege, be
+        # backwards compatible:
+        if options.respond_to?(:to_str)
+          @privilege = options
+        else
+          @privilege = options[:privilege]
+          @remote_ip = options[:remote_ip]
+          @audit_roles = options[:audit_roles]
+          @audit_resources = options[:audit_resources]
+        end
       end
       
       # This file was accidently calling account conjur_account,
       # I'm adding an alias in case that's going on anywhere else.
       # -- Jon
       alias :conjur_account :account
-      alias :conjur_account= :account=
-      
-      def new_association(cls, params = {})
-        cls.new params.merge({userid: login})
-      end
+      # alias :conjur_account= :account=
       
       # Returns the global privilege which was present on the request, if and only
       # if the user actually has that privilege.
@@ -30,7 +37,9 @@ module Conjur
       # actually have that privilege according to the Conjur server.
       def validated_global_privilege
         unless @validated_global_privilege
-          @privilege = nil if @privilege && !api.global_privilege_permitted?(@privilege)
+          @privilege = nil unless @privilege &&
+                  api.respond_to?(:global_privilege_permitted?) &&
+                  api.global_privilege_permitted?(@privilege)
           @validated_global_privilege = true
         end
         @privilege
@@ -41,13 +50,21 @@ module Conjur
         validated_global_privilege == "reveal"
       end
       
-      # True if and only if the user has valid global 'sudo' privilege.
-      def global_sudo?
-        validated_global_privilege == "sudo"
+      # True if and only if the user has valid global 'elevate' privilege.
+      def global_elevate?
+        validated_global_privilege == "elevate"
       end
       
       def login
-        token["data"] or raise "No data field in token"
+        parse_token
+
+        @login
+      end
+
+      def attributes
+        parse_token
+
+        @attributes || {}
       end
       
       def roleid
@@ -63,17 +80,62 @@ module Conjur
       def role
         api.role(roleid)
       end
-      
+
+      def audit_resources
+        Conjur::API.decode_audit_ids(@audit_resources) if @audit_resources
+      end
+
+      def audit_roles
+        Conjur::API.decode_audit_ids(@audit_roles) if @audit_roles
+      end
+
       def api(cls = Conjur::API)
         args = [ token ]
         args.push remote_ip if remote_ip
         api = cls.new_from_token(*args)
-        if privilege
-          api.with_privilege(privilege)
+
+        # These are features not present in some API versions.
+        # Test for them and only apply if it makes sense. Ignore otherwise.
+        %i(privilege audit_resources audit_roles).each do |feature|
+          meth = "with_#{feature}".intern
+          if api.respond_to?(meth) && (value = send(feature))
+            api = api.send meth, value
+          end
+        end
+
+        api
+      end
+
+      protected
+
+      def parse_token
+        return if @login
+
+        @token = Slosilo::JWT token
+        load_jwt token
+      rescue ArgumentError
+        if data = token['data']
+          return load_legacy data
         else
-          api
+          raise "malformed token"
         end
       end
+
+      def load_legacy data
+        if data.is_a?(String)
+          @login = token['data']
+        elsif data.is_a?(Hash)
+          @attributes = token['data'].clone
+          @login = @attributes.delete('login') or raise "No 'login' field in token data"
+        else
+          raise "Expecting String or Hash token data, got #{data.class.name}"
+        end
+      end
+
+      def load_jwt jwt
+        @attributes = jwt.claims.merge (jwt.header || {}) # just pass all the info
+        @login = jwt.claims['sub'] or raise "No 'sub' field in claims"
+      end
     end
   end
 end

data/lib/conjur/rack/version.rb

@@ -1,5 +1,5 @@
 module Conjur
   module Rack
-    VERSION = "1.4.0"
+    VERSION = "5.0.0"
   end
 end

data/lib/conjur/rack.rb

@@ -1,3 +1,26 @@
 require "conjur/rack/version"
 require "conjur/rack/authenticator"
 require "conjur/rack/path_prefix"
+require 'ipaddr'
+require 'set'
+
+module TrustedProxies
+  
+  def trusted_proxy?(ip)
+    trusted_proxies ? trusted_proxies.any? { |cidr| cidr.include?(ip) } : super
+  end
+  
+  def trusted_proxies
+    @trusted_proxies || ENV['TRUSTED_PROXIES'].try do |proxies|
+      cidrs = Set.new(proxies.split(',') + ['127.0.0.1'])
+      @trusted_proxies = cidrs.collect {|cidr| IPAddr.new(cidr) }
+    end
+  end
+  
+end
+
+module Rack
+  class Request
+    prepend TrustedProxies
+  end
+end

data/publish.sh

@@ -0,0 +1,7 @@
+#!/bin/bash -ex
+
+docker pull registry.tld/conjurinc/publish-rubygem
+
+summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
+  docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
+  registry.tld/conjurinc/publish-rubygem conjur-rack