conjur-rack 1.4.0 → 5.0.0

data/spec/rack/authenticator_spec.rb

@@ -3,107 +3,179 @@ require 'spec_helper'
 require 'conjur/rack/authenticator'
 
 describe Conjur::Rack::Authenticator do
-  let(:app) { double(:app) }
-  let(:options) { {} }
-  let(:authenticator) { Conjur::Rack::Authenticator.new(app, options) }
-  let(:call) { authenticator.call env }
-  
-  context "#call" do
-    context "with Conjur authorization" do
-      before{ stub_const 'Slosilo', Module.new }
-      let(:env) {
-        {
-          'HTTP_AUTHORIZATION' => "Token token=\"#{basic_64}\""
-        }.tap do |e|
-          e['HTTP_X_CONJUR_PRIVILEGE'] = privilege if privilege
-          e['HTTP_X_FORWARDED_FOR'] = remote_ip if remote_ip
-        end
+  include_context "with authenticator"
+
+  describe "#call" do
+    context "to an unprotected path" do
+      let(:except) { [ /^\/foo/ ] }
+      let(:env) { { 'SCRIPT_NAME' => '', 'PATH_INFO' => '/foo/bar' } }
+      before {
+        options[:except] = except
+        expect(app).to receive(:call).with(env).and_return app
       }
-      let(:basic_64) { Base64.strict_encode64(token.to_json) }
-      let(:token) { { "data" => "foobar" } }
-      let(:sample_account) { "someacc" }
-      let(:privilege) { nil }
-      let(:remote_ip) { nil }
-
-      context "of a valid token" do
-          
-        before(:each) {
-          Slosilo.stub token_signer: 'authn:'+sample_account
-        }
-
-        it 'launches app' do
-          app.should_receive(:call).with(env).and_return app
-          call.should == app
+      context "without authorization" do
+        it "proceeds" do
+          expect(call).to eq(app)
+          expect(Conjur::Rack.identity?).to be(false)
+        end
+      end
+      context "with authorization" do
+        include_context "with authorization"
+        it "ignores the authorization" do
+          expect(call).to eq(app)
+          expect(Conjur::Rack.identity?).to be(false)
         end
+      end
+    end
 
-        context 'Authable provides module method conjur_user' do
-          let(:stubuser) { "some value" }
-          before {
-            app.stub(:call) { Conjur::Rack.user }
-          }
-
-          context 'when called in app context' do
-            let(:invoke) {
-              Conjur::Rack::User.should_receive(:new).
-                with(token, sample_account, privilege, remote_ip).
-                and_return(stubuser)
-              Conjur::Rack.should_receive(:user).and_call_original
-              call
-            }
-            
-            shared_examples_for 'returns User built from token' do
-              specify { 
-                invoke.should == stubuser      
-              }
-            end
-            
-            it_should_behave_like 'returns User built from token'
-            
-            context 'with X-Conjur-Privilege' do
-              let(:privilege) { "sudo" }
-              it_should_behave_like 'returns User built from token'
+    context "to a protected path" do
+      let(:env) { { 'SCRIPT_NAME' => '/pathname' } }
+      context "without authorization" do
+        it "returns a 401 error" do
+          expect(call).to return_http 401, "Authorization missing"
+        end
+      end
+      context "with Conjur authorization" do
+        include_context "with authorization"
+
+        context "with CIDR restriction" do
+          let(:claims) { { 'sub' => 'test-user', 'cidr' => %w(192.168.2.0/24 2001:db8::/32) } }
+          let(:token) { Slosilo::JWT.new(claims) }
+          before do
+            allow(subject).to receive_messages \
+                parsed_token: token,
+                http_remote_ip: remote_ip
+          end
+
+          %w(10.0.0.2 fdda:5cc1:23:4::1f).each do |addr|
+            context "with address #{addr} out of range" do
+              let(:remote_ip) { addr }
+              it "returns 403" do
+                expect(call).to return_http 403, "IP address rejected"
+              end
             end
-            
-            context 'with X-Forwarded-For' do
-              let(:remote_ip) { "66.0.0.1" }
-              it_should_behave_like 'returns User built from token'
+          end
+
+          %w(192.168.2.3 2001:db8::22).each do |addr|
+            context "with address #{addr} in range" do
+              let(:remote_ip) { addr }
+              it "passes the request" do
+                expect(call.login).to eq 'test-user'
+              end
             end
           end
+        end
 
-          context 'called out of app context' do
-            it { lambda { Conjur::Rack.user }.should raise_error }
+        context "of a valid token" do
+          it 'launches app' do
+            expect(app).to receive(:call).with(env).and_return app
+            expect(call).to eq(app)
+          end
+        end
+        context "of an invalid token" do
+          it "returns a 401 error" do
+            allow(Slosilo).to receive(:token_signer).and_return(nil)
+            expect(call).to return_http 401, "Unauthorized: Invalid token"
+          end
+        end
+        context "of a token invalid for authn" do
+          it "returns a 401 error" do
+            allow(Slosilo).to receive(:token_signer).and_return('a-totally-different-key')
+            expect(call).to return_http 401, "Unauthorized: Invalid token"
+          end
+        end
+        context "of 'own' token" do
+          it "returns ENV['CONJUR_ACCOUNT']" do
+            expect(ENV).to receive(:[]).with("CONJUR_ACCOUNT").and_return("test-account")
+            expect(app).to receive(:call) do |*args|
+              expect(Conjur::Rack.identity?).to be(true)
+              expect(Conjur::Rack.user.account).to eq('test-account')
+              :done
+            end
+            allow(Slosilo).to receive(:token_signer).and_return('own')
+            expect(call).to eq(:done)
+          end
+          it "requires ENV['CONJUR_ACCOUNT']" do
+            expect(ENV).to receive(:[]).with("CONJUR_ACCOUNT").and_return(nil)
+            allow(Slosilo).to receive(:token_signer).and_return('own')
+            expect(call).to return_http 401, "Unauthorized: Invalid token"
           end
         end
       end
-      context "of an invalid token" do
-        it "returns a 401 error" do
-          Slosilo.stub token_signer: nil
-          call.should == [401, {"Content-Type"=>"text/plain", "Content-Length"=>"26"}, ["Unathorized: Invalid token"]]
+
+      context "with junk in token" do
+        let(:env) { { 'HTTP_AUTHORIZATION' => 'Token token="open sesame"' } }
+        it "returns 401" do
+          expect(call).to return_http 401, "Malformed authorization token"
         end
       end
-      context "of a token invalid for authn" do
-        it "returns a 401 error" do
-          Slosilo.stub token_signer: 'a-totally-different-key'
-          call.should == [401, {"Content-Type"=>"text/plain", "Content-Length"=>"26"}, ["Unathorized: Invalid token"]]
+
+      context "with JSON junk in token" do
+        let(:env) { { 'HTTP_AUTHORIZATION' => 'Token token="eyJmb28iOiAiYmFyIn0="' } }
+        before do
+          allow(Slosilo).to receive(:token_signer).and_return(nil)
+        end
+
+        it "returns 401" do
+            expect(call).to return_http 401, "Unauthorized: Invalid token"
         end
       end
     end
-  end
-  context "without authorization" do
-    context "to a protected path" do
-      let(:env) { { 'SCRIPT_NAME' => '/pathname' } }
-      it "returns a 401 error" do
-        call.should == [401, {"Content-Type"=>"text/plain", "Content-Length"=>"21"}, ["Authorization missing"]]
+    context "to an optional path" do
+      let(:optional) { [ /^\/foo/ ] }
+      let(:env) { { 'SCRIPT_NAME' => '', 'PATH_INFO' => '/foo/bar' } }
+      before {
+        options[:optional] = optional
+      }
+      context "without authorization" do
+        it "proceeds" do
+          expect(app).to receive(:call) do |*args|
+            expect(Conjur::Rack.identity?).to be(false)
+            :done
+          end
+          expect(call).to eq(:done)
+        end
+      end
+      context "with authorization" do
+        include_context "with authorization"
+        it "processes the authorization" do
+          expect(app).to receive(:call) do |*args|
+            expect(Conjur::Rack.identity?).to be(true)
+            :done
+          end
+          expect(call).to eq(:done)
+        end
       end
     end
-    context "to an unprotected path" do
-      let(:except) { [ /^\/foo/ ] }
-      let(:env) { { 'SCRIPT_NAME' => '', 'PATH_INFO' => '/foo/bar' } }
-      it "proceeds" do
-        options[:except] = except
-        app.should_receive(:call).with(env).and_return app
-        call.should == app
+
+    RSpec::Matchers.define :return_http do |status, message|
+      match do |actual|
+        status, headers, body = actual
+        expect(status).to eq status
+        expect(headers).to eq "Content-Type" => "text/plain", "Content-Length" => message.length.to_s
+        expect(body.join).to eq message
       end
     end
   end
+
+  # protected internal methods
+
+  describe '#verify_authorization_and_get_identity' do
+    it "accepts JWT tokens without CIDR restrictions" do
+      mock_jwt sub: 'user'
+      expect { subject.send :verify_authorization_and_get_identity }.to_not raise_error
+    end
+
+    it "rejects JWT tokens with unrecognized claims" do
+      mock_jwt extra: 'field'
+      expect { subject.send :verify_authorization_and_get_identity }.to raise_error \
+          Conjur::Rack::Authenticator::AuthorizationError
+    end
+
+    def mock_jwt claims
+      token = Slosilo::JWT.new(claims).add_signature(alg: 'none') {}
+      allow(subject).to receive(:parsed_token) { token }
+      allow(Slosilo).to receive(:token_signer).with(token).and_return 'authn:test'
+    end
+  end
 end

data/spec/rack/path_prefix_spec.rb

@@ -17,21 +17,21 @@ describe Conjur::Rack::PathPrefix do
     context "/api/hosts" do
       let(:path) { "/api/hosts" }
       it "matches" do
-        app.should_receive(:call).with({ 'PATH_INFO' => '/hosts' }).and_return app
+        expect(app).to receive(:call).with({ 'PATH_INFO' => '/hosts' }).and_return app
         call
       end
     end
     context "/api" do
       let(:path) { "/api" }
       it "doesn't erase the path completely" do
-        app.should_receive(:call).with({ 'PATH_INFO' => '/' }).and_return app
+        expect(app).to receive(:call).with({ 'PATH_INFO' => '/' }).and_return app
         call
       end
     end
     context "with non-matching prefix" do
       let(:path) { "/hosts" }
       it "doesn't match" do
-        app.should_receive(:call).with({ 'PATH_INFO' => '/hosts' }).and_return app
+        expect(app).to receive(:call).with({ 'PATH_INFO' => '/hosts' }).and_return app
         call
       end
     end

data/spec/rack/user_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'conjur/rack/user'
 
 describe Conjur::Rack::User do
   let(:login){ 'admin' }
@@ -6,41 +7,50 @@ describe Conjur::Rack::User do
   let(:account){ 'acct' }
   let(:privilege) { nil }
   let(:remote_ip) { nil }
+  let(:audit_roles) { nil }
+  let(:audit_resources) { nil }
   
-  subject{ described_class.new token, account, privilege, remote_ip }
+  subject(:user) { 
+    described_class.new(token, account, 
+      :privilege => privilege, 
+      :remote_ip => remote_ip, 
+      :audit_roles => audit_roles, 
+      :audit_resources => audit_resources 
+    )
+  }
   
-  its(:token){ should == token }
-  its(:account){ should == account }
-  its(:conjur_account){ should == account }
-  its(:login){ should == token['data'] }
-  
-  it "aliases setter for account to conjur_account" do
-    subject.conjur_account = "changed!"
-    subject.account.should == "changed!"
-  end
-  
-  describe '#new_assocation' do
-    let(:associate){ Class.new }
-    let(:params){{foo: 'bar'}}
-    it "calls cls.new with params including userid: login" do
-      associate.should_receive(:new).with(params.merge(userid: subject.login))
-      subject.new_association(associate, params)
-    end
+  it 'provides field accessors' do
+    expect(user.token).to eq token
+    expect(user.account).to eq account
+    expect(user.conjur_account).to eq account
+    expect(user.login).to eq login
   end
   
   describe '#roleid' do
     let(:login){ tokens.join('/') }
-    context "when login contains one token 'foobar'" do
-      let(:tokens){ ['foobar'] }
-      its(:roleid){ should == "#{account}:user:#{login}" } 
+
+    context "when login contains one token" do
+      let(:tokens) { %w(foobar) }
+
+      it "is expanded to account:user:token" do
+        expect(subject.roleid).to eq "#{account}:user:foobar"
+      end
     end
-    context "when login contains tokens ['foo', 'bar']" do
-      let(:tokens){ ["foos", "bar"] }
-      its(:roleid){ should == "#{account}:#{tokens[0]}:#{tokens[1]}"}
+
+    context "when login contains two tokens" do
+      let(:tokens) { %w(foo bar) }
+
+      it "is expanded to account:first:second" do
+        expect(subject.roleid).to eq "#{account}:foo:bar"
+      end
     end
-    context "when login contains tokens ['foo','bar','baz']" do
-      let(:tokens){ ['foo', 'bar', 'baz'] }
-      its(:roleid){ should == "#{account}:#{tokens[0]}:#{tokens[1]}/#{tokens[2]}" }
+
+    context "when login contains three tokens" do
+      let(:tokens) { %w(foo bar baz) }
+
+      it "is expanded to account:first:second/third" do
+        expect(subject.roleid).to eq "#{account}:foo:bar/baz"
+      end
     end
   end
   
@@ -48,34 +58,46 @@ describe Conjur::Rack::User do
     let(:roleid){ 'the role id' }
     let(:api){ double('conjur api') }
     before do
-      subject.stub(:roleid).and_return roleid
-      subject.stub(:api).and_return api
+      allow(subject).to receive(:roleid).and_return roleid
+      allow(subject).to receive(:api).and_return api
     end
     
     it 'passes roleid to api.role' do
-      api.should_receive(:role).with(roleid).and_return 'the role'
-      subject.role.should == 'the role'
+      expect(api).to receive(:role).with(roleid).and_return 'the role'
+      expect(subject.role).to eq('the role')
     end
   end
   
   describe "#global_reveal?" do
+    let(:api){ double "conjur-api" }
+    before { allow(subject).to receive(:api).and_return(api) }
+
     context "with global privilege" do
       let(:privilege) { "reveal" }
-      let(:api){ Conjur::API.new_from_token "the-token" }
-      before do
-        subject.stub(:api).and_return api
+
+      context "when not supported" do
+        before { expect(api).not_to respond_to :global_privilege_permitted? }
+        it "simply returns false" do
+          expect(subject.global_reveal?).to be false
+        end
       end
-      it "checks the API function global_privilege_permitted?" do
-        api.should_receive(:resource).with("!:!:conjur").and_return resource = double(:resource)
-        resource.should_receive(:permitted?).with("reveal").and_return true
-        expect(subject.global_reveal?).to be_true
-        # The result is cached
-        subject.global_reveal?
+
+      context "when supported" do
+        before do
+          allow(api).to receive(:global_privilege_permitted?).with('reveal') { true }
+        end
+        it "checks the API function global_privilege_permitted?" do
+          expect(subject.global_reveal?).to be true
+          # The result is cached
+          expect(api).not_to receive :global_privilege_permitted?
+          subject.global_reveal?
+        end
       end
     end
+
     context "without a global privilege" do
-      it "simply returns nil" do
-        expect(subject.global_reveal?).to be_false
+      it "simply returns false" do
+        expect(subject.global_reveal?).to be false
       end
     end
   end
@@ -84,38 +106,116 @@ describe Conjur::Rack::User do
     context "when given a class" do
       let(:cls){ double('API class') }
       it "calls cls.new_from_token with its token" do
-        cls.should_receive(:new_from_token).with(token).and_return 'the api'
-        subject.api(cls).should == 'the api'
+        expect(cls).to receive(:new_from_token).with(token).and_return 'the api'
+        expect(subject.api(cls)).to eq('the api')
       end
     end
+
     context 'when not given args' do
-      shared_examples_for "builds the api" do
-        specify {
-          subject.api.should == 'the api'
-        }
+      let(:api) { double :api }
+      before do
+        allow(Conjur::API).to receive(:new_from_token).with(token).and_return(api)
       end
-      
-      context "with no extra args" do
-        before {
-          Conjur::API.should_receive(:new_from_token).with(token).and_return 'the api'
-        }
-        it_should_behave_like "builds the api"
+
+      it "builds the api from token" do
+        expect(subject.api).to eq api
       end
+
       context "with remote_ip" do
         let(:remote_ip) { "the-ip" }
-        before {
-          Conjur::API.should_receive(:new_from_token).with(token, 'the-ip').and_return 'the api'
-        }
-        it_should_behave_like "builds the api"
+        it "passes the IP to the API constructor" do
+          expect(Conjur::API).to receive(:new_from_token).with(token, 'the-ip').and_return(api)
+          expect(subject.api).to eq api
+        end
       end
+
       context "with privilege" do
-        let(:privilege) { "sudo" }
-        before {
-          Conjur::API.should_receive(:new_from_token).with(token).and_return api = double(:api)
-          expect(api).to receive(:with_privilege).with("sudo").and_return('the api')
-        }
-        it_should_behave_like "builds the api"
+        let(:privilege) { "elevate" }
+        it "applies the privilege on the API object" do
+          expect(api).to receive(:with_privilege).with("elevate").and_return "privileged api"
+          expect(subject.api).to eq "privileged api"
+        end
       end
+
+      context "when audit supported" do
+        before do
+          # If we're testing on an API version that doesn't
+          # support audit this method will be missing, so stub.
+          unless Conjur::API.respond_to? :decode_audit_ids
+            # not exactly a faithful reimplementation, but good enough for here
+            allow(Conjur::API).to receive(:decode_audit_ids) {|x|[x]}
+          end
+        end
+
+        context "with audit resource" do
+          let (:audit_resources) { 'food:bacon' }
+          it "applies the audit resource on the API object" do
+            expect(api).to receive(:with_audit_resources).with(['food:bacon']).and_return('the api')
+            expect(subject.api).to eq 'the api'
+          end
+        end
+
+        context "with audit roles" do
+          let (:audit_roles) { 'user:cook' }
+          it "applies the audit role on the API object" do
+            expect(api).to receive(:with_audit_roles).with(['user:cook']).and_return('the api')
+            expect(subject.api).to eq 'the api'
+          end
+        end
+      end
+
+      context "when audit not supported" do
+        before do
+          expect(api).not_to respond_to :with_audit_resources
+          expect(api).not_to respond_to :with_audit_roles
+        end
+        let (:audit_resources) { 'food:bacon' }
+        let (:audit_roles) { 'user:cook' }
+        it "ignores audit roles and resources" do
+          expect(subject.api).to eq api
+        end
+      end
+    end
+  end
+
+  context "with invalid type payload" do
+    let(:token){ { "data" => :alice } }
+    it "raises an error on trying to access the content" do
+      expect{ subject.login }.to raise_error("Expecting String or Hash token data, got Symbol")
+    end
+  end
+
+  context "with hash payload" do
+    let(:token){ { "data" => { "login" => "alice", "capabilities" => { "fry" => "bacon" } } } }
+
+    it "processes the login and attributes" do
+      original_token = token.deep_dup
+
+      expect(subject.login).to eq('alice')
+      expect(subject.attributes).to eq({"capabilities" => { "fry" => "bacon" }})
+
+      expect(token).to eq original_token
+    end
+  end
+
+  context "with JWT token" do
+    let(:token) { {"protected"=>"eyJhbGciOiJ0ZXN0IiwidHlwIjoiSldUIn0=",
+ "payload"=>"eyJzdWIiOiJhbGljZSIsImlhdCI6MTUwNDU1NDI2NX0=",
+ "signature"=>"dGVzdHNpZw=="} }
+
+    it "processes the login and attributes" do
+      original_token = token.deep_dup
+
+      expect(subject.login).to eq('alice')
+
+      # TODO: should we only pass unrecognized attrs here?
+      expect(subject.attributes).to eq \
+          'alg' => 'test',
+          'iat' => 1504554265,
+          'sub' => 'alice',
+          'typ' => 'JWT'
+
+      expect(token).to eq original_token
     end
   end
-end
+end

data/spec/rack_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+require 'conjur/rack'
+
+describe Conjur::Rack do
+  describe '.user' do
+    include_context "with authorization"
+    let(:stubuser) { double :stubuser }
+    before do
+      allow(Conjur::Rack::User).to receive(:new)
+        .with(token, 'someacc', {:privilege => privilege, :remote_ip => remote_ip, :audit_roles => audit_roles, :audit_resources => audit_resources})
+        .and_return(stubuser)
+    end
+
+    context 'when called in app context' do
+      shared_examples_for :returns_user do
+        it "returns user built from token" do
+          expect(call).to eq stubuser
+        end
+      end
+
+      include_examples :returns_user
+
+      context 'with X-Conjur-Privilege' do
+        let(:privilege) { "elevate" }
+        include_examples :returns_user
+      end
+
+      context 'with X-Forwarded-For' do
+        let(:remote_ip) { "66.0.0.1" }
+        include_examples :returns_user
+      end
+
+      context 'with Conjur-Audit-Roles' do
+        let (:audit_roles) { 'user%3Acook' }
+        include_examples :returns_user
+      end
+
+      context 'with Conjur-Audit-Resources' do
+        let (:audit_resources) { 'food%3Abacon' }
+        include_examples :returns_user
+      end
+
+    end
+
+    it "raises error if called out of app context" do
+      expect { Conjur::Rack.user }.to raise_error('No Conjur identity for current request')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -4,8 +4,44 @@ $:.unshift File.join(File.dirname(__FILE__), "lib")
 
 # Allows loading of an environment config based on the environment
 require 'rspec'
+require 'rspec/its'
 require 'securerandom'
+require 'slosilo'
 
 RSpec.configure do |config|
 end
 
+RSpec.shared_context "with authenticator" do
+  let(:options) { {} }
+  let(:app) { double(:app) }
+  subject(:authenticator) { Conjur::Rack::Authenticator.new(app, options) }
+  let(:call) { authenticator.call env }
+end
+
+RSpec.shared_context "with authorization" do
+  include_context "with authenticator"
+  let(:token_signer) { "authn:someacc" }
+  let(:audit_resources) { nil }
+  let(:privilege) { nil }
+  let(:remote_ip) { nil }
+  let(:audit_roles) { nil }
+
+  before do
+    allow(app).to receive(:call) { Conjur::Rack.user }
+    allow(Slosilo).to receive(:token_signer).and_return(token_signer)
+  end
+
+  let(:env) do
+    {
+      'HTTP_AUTHORIZATION' => "Token token=\"#{basic_64}\""
+    }.tap do |e|
+      e['HTTP_X_CONJUR_PRIVILEGE'] = privilege if privilege
+      e['HTTP_X_FORWARDED_FOR'] = remote_ip if remote_ip
+      e['HTTP_CONJUR_AUDIT_ROLES'] = audit_roles if audit_roles
+      e['HTTP_CONJUR_AUDIT_RESOURCES'] = audit_resources if audit_resources
+    end
+  end
+
+  let(:basic_64) { Base64.strict_encode64(token.to_json) }
+  let(:token) { { "data" => "foobar" } }
+end