WIP Work/possum

.gitignore

@@ -1,3 +1,5 @@
+generated-policy.yml
+data_key
 artifacts
 pytest.xml
 htmlcov

Dockerfile

@@ -6,6 +6,7 @@ WORKDIR /app
 COPY requirements* /app/
 RUN pip install -r requirements.txt -r requirements_dev.txt
 
-COPY . /app
+ENV PYTHONPATH /app
 
+VOLUME /app
 VOLUME /artifacts

README.md

@@ -32,8 +32,8 @@ of all classes and methods.
 from conjur.config import config
 
 # Set the conjur appliance url.  This can also be provided
-# by the CONJUR_APPLIANCE_URL environment variable.
-config.appliance_url = 'https://conjur.example.com/api'
+# by the POSSUM_URL environment variable.
+config.url = 'https://possum.example'
 
 # Set the (PEM) certificate file. This is also configurable with the
 # CONJUR_CERT_FILE environment variable.

conjur/__init__.py

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2014 Conjur Inc
+# Copyright (C) 2014-2016 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -17,17 +17,15 @@
 # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+import base64
 import os
+import re
+import requests
 
 from config import Config
 from api import API
-from group import Group
-from user import User
-from host import Host
-from layer import Layer
 from resource import Resource
 from role import Role
-from variable import Variable
 from exceptions import ConjurException
 
 from config import config
@@ -57,47 +55,42 @@ def configure(**kwargs):
     config.update(**kwargs)
     return config
 
-
-def new_from_netrc(netrc_file=None, configuration=None):
-    """
-    Create a `conjur.API` instance using an identity loaded from netrc.  This method
-    uses the identity stored for the host `config.authn_url`.
-
-    `netrc_file` is an alternative path to the netrc formatted file.  Defaults
-    to ~/.netrc on unixy systems.
-
-    `configuration` is a `conjur.Config` instance used to determine the host
-    in the netrc file, and also passed to the `conjur.new_from_key` method to
-    create the API instance using the identity.
-    """
-    import netrc
-
-    configuration = _config(configuration)
-    auth = netrc.netrc(netrc_file).authenticators(configuration.authn_url)
-    if auth is None:
-        raise ValueError("No authenticators found for authn_url '%s' in %s" % (
-            configuration.authn_url,
-            (netrc_file or '~/.netrc')
-        ))
-    login, _, api_key = auth
-    return new_from_key(login, api_key, configuration)
-
-
 def new_from_key(login, api_key, configuration=None):
     """
     Create a `conjur.API` instance that will authenticate on demand as the identity given
     by `login` and `api_key`.
 
     `login` is the identity of the Conjur user or host to authenticate as.
 
-    `api_key` is the api key *or* password to use when authenticating.
+    `api_key` is the api key to use when authenticating.
 
     `configuration` is a `conjur.Config` instance for the api.  If not given the global
         `Config` instance (`conjur.config`) will be used.
     """
 
     return API(credentials=(login, api_key), config=_config(configuration))
 
+def new_from_password(login, password, configuration=None):
+    """
+    Create a `conjur.API` instance that will authenticate immediately (to
+    exchange the password for the API key) as the identity given by `login`
+    and `api_key`.
+
+    `login` is the identity of the Conjur user or host to authenticate as.
+
+    `password` is the password to use when authenticating.
+
+    `configuration` is a `conjur.Config` instance for the api.  If not given the global
+        `Config` instance (`conjur.config`) will be used. Note it needs to be
+        set up correctly before using this function.
+    """
+    configuration = _config(configuration)
+    url = "%s/authn/%s/login" % (configuration.url, configuration.account)
+    response = requests.get(url, auth=(login, password), verify=configuration.verify)
+    if response.status_code != 200:
+        raise ConjurException("Authentication error: {} {}".format(response.status_code, response.reason))
+    api_key = response.text
+    return new_from_key(login, api_key, configuration)
 
 def new_from_token(token, configuration=None):
     """
@@ -114,7 +107,22 @@ def new_from_token(token, configuration=None):
     """
     return API(token=token, config=_config(configuration))
 
+def new_from_header(authorization_header, configuration=None):
+    """
+    Create a `conjur.API` instance based on an Authorization header.
+
+    This is mostly useful for proxies, authenticators and wrappers which
+    forward Authorization header supplied by the client.
+
+    `authorization_header` is the Authorization header contents,
+    eg. `Token token="<base64d token>"`.
+
+    `configuration` is a conjur.Config instance for the api.  If not given, the global Config
+    instance (`conjur.config`) will be used.
+    """
+    return API(header=authorization_header, config=_config(configuration))
+
 __all__ = (
     'config', 'Config', 'Group', 'API', 'User', 'Host', 'Layer', 'Resource', 'Role', 'Variable',
     'new_from_key', 'new_from_netrc', 'new_from_token', 'configure', 'ConjurException'
-)
+)