conjur-rack 3.1.0 → 4.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (10) hide show
  1. checksums.yaml +5 -5
  2. data/CHANGELOG.md +9 -0
  3. data/Jenkinsfile +63 -0
  4. data/conjur-rack.gemspec +2 -2
  5. data/lib/conjur/rack/user.rb +12 -4
  6. data/lib/conjur/rack/version.rb +1 -1
  7. data/publish.sh +7 -0
  8. data/spec/rack/user_spec.rb +74 -42
  9. data/{jenkins.sh → test.sh} +1 -1
  10. metadata +10 -8
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 0ee85c177c59da73e229825170b3b8c34230e4e1
4
- data.tar.gz: 7758e75373c0ccdfcb61539a33325795d5394600
2
+ SHA256:
3
+ metadata.gz: e7a94d29090dcdb5515723b50f1f0217be932a96574e9d46c9f7e84abd3a3cb3
4
+ data.tar.gz: 3a011098248a61fa80a92e3085f07f71e18b8748867e3c44cc6c174dc922e69f
5
5
  SHA512:
6
- metadata.gz: ccec8cadd0827fbf5b298f57fa78aa32a7792a58d985c0ff54ee05b80c256e55c0a9c868a1432be4908d7314c9becefdcf812ed95aad28ec756e989ad250def2
7
- data.tar.gz: 36e507e1714480f2c5e4f5ff9d3af63cca883f855fc2259e272c3ce45420dadc36e0cd64cbe926f6396d0d3793968f802df147950ac0db86c7b69bba3abd0b8d
6
+ metadata.gz: a11e49c31d758257c79b508dc3f30c500310962e2420d4c31adf7b83a706f44618ea11350a53e5fdda8dc0a1173082cbf84dea8616493e3733730e42c31714cc
7
+ data.tar.gz: ce37831b5f5eb108a1637db47bfd73b823eec4bde8e55a3ceafcedccd98dba7f53a8007578931fec18021fd36e174fffd991cc8caf0327622fcdfe3638ba44a5
data/CHANGELOG.md CHANGED
@@ -1,3 +1,12 @@
1
+ # unreleased version
2
+
3
+ # v4.0.0
4
+
5
+ * Bump `rack` to v2, `bundler` to v1.16 in gemspec
6
+ * Add Jenkinsfile to project
7
+ * Ignore headers such as Conjur-Privilege or Conjur-Audit if they're not
8
+ supported by the API (instead of erroring out).
9
+
1
10
  # v3.1.0
2
11
 
3
12
  * Support for JWT Slosilo tokens.
data/Jenkinsfile ADDED
@@ -0,0 +1,63 @@
1
+ pipeline {
2
+ agent { label 'executor-v2' }
3
+
4
+ options {
5
+ timestamps()
6
+ buildDiscarder(logRotator(daysToKeepStr: '30'))
7
+ }
8
+
9
+ stages {
10
+ stage('Run tests') {
11
+ steps {
12
+ sh './test.sh'
13
+
14
+ junit 'spec/reports/*.xml'
15
+ }
16
+ }
17
+
18
+ // Only publish to RubyGems if the HEAD is
19
+ // tagged with the same version as in version.rb
20
+ stage('Publish to RubyGems') {
21
+ agent { label 'releaser-v2' }
22
+
23
+ when {
24
+ expression { currentBuild.resultIsBetterOrEqualTo('SUCCESS') }
25
+ branch "master"
26
+ expression {
27
+ def exitCode = sh returnStatus: true, script: ''' set +x
28
+ echo "Determining if publishing is requested..."
29
+
30
+ VERSION=`cat lib/conjur/rack/version.rb | grep VERSION | sed 's/.* "//;s/"//'`
31
+ echo Declared version: $VERSION
32
+
33
+ # Jenkins git plugin is broken and always fetches with `--no-tags`
34
+ # (or `--tags`, neither of which is what you want), so tags end up
35
+ # not being fetched. Try to fix that.
36
+ # (Unfortunately this fetches all remote heads, so we may have to find
37
+ # another solution for bigger repos.)
38
+ git fetch -q
39
+
40
+ # note when tag not found git rev-parse will just print its name
41
+ TAG=`git rev-list -n 1 "v$VERSION" 2>/dev/null || :`
42
+ echo Tag v$VERSION: $TAG
43
+
44
+ HEAD=`git rev-parse HEAD`
45
+ echo HEAD: $HEAD
46
+
47
+ test "$HEAD" = "$TAG"
48
+ '''
49
+ return exitCode == 0
50
+ }
51
+ }
52
+ steps {
53
+ sh './publish.sh'
54
+ }
55
+ }
56
+ }
57
+
58
+ post {
59
+ always {
60
+ cleanupAndNotify(currentBuild.currentResult)
61
+ }
62
+ }
63
+ }
data/conjur-rack.gemspec CHANGED
@@ -20,9 +20,9 @@ Gem::Specification.new do |spec|
20
20
 
21
21
  spec.add_dependency "slosilo", "~> 2.1"
22
22
  spec.add_dependency "conjur-api", "< 6"
23
- spec.add_dependency "rack", '~> 1'
23
+ spec.add_dependency "rack", '~> 2'
24
24
 
25
- spec.add_development_dependency "bundler", "~> 1.3"
25
+ spec.add_development_dependency "bundler", "~> 1.16"
26
26
  spec.add_development_dependency "rake"
27
27
  spec.add_development_dependency "rspec"
28
28
  spec.add_development_dependency 'ci_reporter_rspec'
data/lib/conjur/rack/user.rb CHANGED
@@ -37,7 +37,9 @@ module Conjur
37
37
  # actually have that privilege according to the Conjur server.
38
38
  def validated_global_privilege
39
39
  unless @validated_global_privilege
40
- @privilege = nil if @privilege && !api.global_privilege_permitted?(@privilege)
40
+ @privilege = nil unless @privilege &&
41
+ api.respond_to?(:global_privilege_permitted?) &&
42
+ api.global_privilege_permitted?(@privilege)
41
43
  @validated_global_privilege = true
42
44
  end
43
45
  @privilege
@@ -91,9 +93,15 @@ module Conjur
91
93
  args = [ token ]
92
94
  args.push remote_ip if remote_ip
93
95
  api = cls.new_from_token(*args)
94
- api = api.with_privilege(privilege) if privilege
95
- api = api.with_audit_resources(audit_resources) if audit_resources
96
- api = api.with_audit_roles(audit_roles) if audit_roles
96
+
97
+ # These are features not present in some API versions.
98
+ # Test for them and only apply if it makes sense. Ignore otherwise.
99
+ %i(privilege audit_resources audit_roles).each do |feature|
100
+ meth = "with_#{feature}".intern
101
+ if api.respond_to?(meth) && (value = send(feature))
102
+ api = api.send meth, value
103
+ end
104
+ end
97
105
 
98
106
  api
99
107
  end
data/lib/conjur/rack/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module Conjur
2
2
  module Rack
3
- VERSION = "3.1.0"
3
+ VERSION = "4.0.0"
4
4
  end
5
5
  end
data/publish.sh ADDED
@@ -0,0 +1,7 @@
1
+ #!/bin/bash -ex
2
+
3
+ docker pull registry.tld/conjurinc/publish-rubygem
4
+
5
+ summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
6
+ docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
7
+ registry.tld/conjurinc/publish-rubygem conjur-rack
data/spec/rack/user_spec.rb CHANGED
@@ -69,22 +69,34 @@ describe Conjur::Rack::User do
69
69
  end
70
70
 
71
71
  describe "#global_reveal?" do
72
+ let(:api){ double "conjur-api" }
73
+ before { allow(subject).to receive(:api).and_return(api) }
74
+
72
75
  context "with global privilege" do
73
76
  let(:privilege) { "reveal" }
74
- let(:api){ Conjur::API.new_from_token "the-token" }
75
- before do
76
- allow(subject).to receive(:api).and_return(api)
77
+
78
+ context "when not supported" do
79
+ before { expect(api).not_to respond_to :global_privilege_permitted? }
80
+ it "simply returns false" do
81
+ expect(subject.global_reveal?).to be false
82
+ end
77
83
  end
78
- it "checks the API function global_privilege_permitted?" do
79
- expect(api).to receive(:resource).with("!:!:conjur").and_return(resource = double(:resource))
80
- expect(resource).to receive(:permitted?).with("reveal").and_return(true)
81
- expect(subject.global_reveal?).to be true
82
- # The result is cached
83
- subject.global_reveal?
84
+
85
+ context "when supported" do
86
+ before do
87
+ allow(api).to receive(:global_privilege_permitted?).with('reveal') { true }
88
+ end
89
+ it "checks the API function global_privilege_permitted?" do
90
+ expect(subject.global_reveal?).to be true
91
+ # The result is cached
92
+ expect(api).not_to receive :global_privilege_permitted?
93
+ subject.global_reveal?
94
+ end
84
95
  end
85
96
  end
97
+
86
98
  context "without a global privilege" do
87
- it "simply returns nil" do
99
+ it "simply returns false" do
88
100
  expect(subject.global_reveal?).to be false
89
101
  end
90
102
  end
@@ -98,51 +110,71 @@ describe Conjur::Rack::User do
98
110
  expect(subject.api(cls)).to eq('the api')
99
111
  end
100
112
  end
113
+
101
114
  context 'when not given args' do
102
- shared_examples_for "builds the api" do
103
- its(:api) { should == 'the api' }
115
+ let(:api) { double :api }
116
+ before do
117
+ allow(Conjur::API).to receive(:new_from_token).with(token).and_return(api)
104
118
  end
105
-
106
- context "with no extra args" do
107
- before {
108
- expect(Conjur::API).to receive(:new_from_token).with(token).and_return('the api')
109
- }
110
- it_should_behave_like "builds the api"
119
+
120
+ it "builds the api from token" do
121
+ expect(subject.api).to eq api
111
122
  end
123
+
112
124
  context "with remote_ip" do
113
125
  let(:remote_ip) { "the-ip" }
114
- before {
115
- expect(Conjur::API).to receive(:new_from_token).with(token, 'the-ip').and_return('the api')
116
- }
117
- it_should_behave_like "builds the api"
126
+ it "passes the IP to the API constructor" do
127
+ expect(Conjur::API).to receive(:new_from_token).with(token, 'the-ip').and_return(api)
128
+ expect(subject.api).to eq api
129
+ end
118
130
  end
131
+
119
132
  context "with privilege" do
120
133
  let(:privilege) { "elevate" }
121
- before {
122
- expect(Conjur::API).to receive(:new_from_token).with(token).and_return(api = double(:api))
123
- expect(api).to receive(:with_privilege).with("elevate").and_return('the api')
124
- }
125
- it_should_behave_like "builds the api"
134
+ it "applies the privilege on the API object" do
135
+ expect(api).to receive(:with_privilege).with("elevate").and_return "privileged api"
136
+ expect(subject.api).to eq "privileged api"
137
+ end
126
138
  end
127
139
 
128
- context "with audit resource" do
129
- let (:audit_resources) { 'food:bacon' }
130
- before {
131
- expect(Conjur::API).to receive(:new_from_token).with(token).and_return(api = double(:api))
132
- expect(api).to receive(:with_audit_resources).with(['food:bacon']).and_return('the api')
133
- }
134
- it_should_behave_like "builds the api"
140
+ context "when audit supported" do
141
+ before do
142
+ # If we're testing on an API version that doesn't
143
+ # support audit this method will be missing, so stub.
144
+ unless Conjur::API.respond_to? :decode_audit_ids
145
+ # not exactly a faithful reimplementation, but good enough for here
146
+ allow(Conjur::API).to receive(:decode_audit_ids) {|x|[x]}
147
+ end
148
+ end
149
+
150
+ context "with audit resource" do
151
+ let (:audit_resources) { 'food:bacon' }
152
+ it "applies the audit resource on the API object" do
153
+ expect(api).to receive(:with_audit_resources).with(['food:bacon']).and_return('the api')
154
+ expect(subject.api).to eq 'the api'
155
+ end
156
+ end
157
+
158
+ context "with audit roles" do
159
+ let (:audit_roles) { 'user:cook' }
160
+ it "applies the audit role on the API object" do
161
+ expect(api).to receive(:with_audit_roles).with(['user:cook']).and_return('the api')
162
+ expect(subject.api).to eq 'the api'
163
+ end
164
+ end
135
165
  end
136
166
 
137
- context "with audit roles" do
138
- let (:audit_roles) { 'user:cook' }
139
- before {
140
- expect(Conjur::API).to receive(:new_from_token).with(token).and_return(api = double(:api))
141
- expect(api).to receive(:with_audit_roles).with(['user:cook']).and_return('the api')
142
- }
143
- it_should_behave_like "builds the api"
167
+ context "when audit not supported" do
168
+ before do
169
+ expect(api).not_to respond_to :with_audit_resources
170
+ expect(api).not_to respond_to :with_audit_roles
171
+ end
172
+ let (:audit_resources) { 'food:bacon' }
173
+ let (:audit_roles) { 'user:cook' }
174
+ it "ignores audit roles and resources" do
175
+ expect(subject.api).to eq api
176
+ end
144
177
  end
145
-
146
178
  end
147
179
  end
148
180
 
data/{jenkins.sh → test.sh} RENAMED
@@ -9,4 +9,4 @@ docker run --rm \
9
9
  -w /usr/src/app \
10
10
  -e CONJUR_ENV=ci \
11
11
  $TEST_IMAGE \
12
- bash -c "bundle update && bundle exec rake spec"
12
+ bash -c "gem install bundler && bundle update && bundle exec rake spec"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: conjur-rack
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.0
4
+ version: 4.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Kevin Gilpin
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-10-18 00:00:00.000000000 Z
11
+ date: 2018-04-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: slosilo
@@ -44,28 +44,28 @@ dependencies:
44
44
  requirements:
45
45
  - - "~>"
46
46
  - !ruby/object:Gem::Version
47
- version: '1'
47
+ version: '2'
48
48
  type: :runtime
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
- version: '1'
54
+ version: '2'
55
55
  - !ruby/object:Gem::Dependency
56
56
  name: bundler
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
59
  - - "~>"
60
60
  - !ruby/object:Gem::Version
61
- version: '1.3'
61
+ version: '1.16'
62
62
  type: :development
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
66
  - - "~>"
67
67
  - !ruby/object:Gem::Version
68
- version: '1.3'
68
+ version: '1.16'
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: rake
71
71
  requirement: !ruby/object:Gem::Requirement
@@ -147,21 +147,23 @@ files:
147
147
  - ".project"
148
148
  - CHANGELOG.md
149
149
  - Gemfile
150
+ - Jenkinsfile
150
151
  - LICENSE.txt
151
152
  - README.md
152
153
  - Rakefile
153
154
  - conjur-rack.gemspec
154
- - jenkins.sh
155
155
  - lib/conjur/rack.rb
156
156
  - lib/conjur/rack/authenticator.rb
157
157
  - lib/conjur/rack/path_prefix.rb
158
158
  - lib/conjur/rack/user.rb
159
159
  - lib/conjur/rack/version.rb
160
+ - publish.sh
160
161
  - spec/rack/authenticator_spec.rb
161
162
  - spec/rack/path_prefix_spec.rb
162
163
  - spec/rack/user_spec.rb
163
164
  - spec/rack_spec.rb
164
165
  - spec/spec_helper.rb
166
+ - test.sh
165
167
  homepage: http://github.com/conjurinc/conjur-rack
166
168
  licenses:
167
169
  - Private
@@ -182,7 +184,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
182
184
  version: '0'
183
185
  requirements: []
184
186
  rubyforge_project:
185
- rubygems_version: 2.6.13
187
+ rubygems_version: 2.7.6
186
188
  signing_key:
187
189
  specification_version: 4
188
190
  summary: Rack authenticator and basic User struct