spec/lib/api_spec.rb in conjur-api-4.16.0 vs spec/lib/api_spec.rb in conjur-api-4.19.0
- old
+ new
@@ -224,11 +224,13 @@
shared_context logged_in: true do
let(:login) { "bob" }
let(:token) { { 'data' => login, 'timestamp' => Time.now.to_s } }
subject { api }
- let(:api) { Conjur::API.new_from_token(token) }
+ let(:remote_ip) { nil }
+ let(:api_args) { [ token, remote_ip ].compact }
+ let(:api) { Conjur::API.new_from_token(*api_args) }
let(:account) { 'some-account' }
before { allow(Conjur::Core::API).to receive_messages conjur_account: account }
end
context "credential handling", logged_in: true do
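Review bot: Because `api_args` is built with `.compact`, the default case only ever calls `Conjur::API.new_from_token(token)` with one argument, so an explicit `new_from_token(token, nil)` is never exercised. A caller that forwards an optional client address would take that path, and these specs would not notice if a nil `remote_ip` added an `x_forwarded_for` key to the credentials. Consider one example that passes nil explicitly, e.g. `expect(Conjur::API.new_from_token(token, nil).credentials[:headers]).not_to have_key(:x_forwarded_for)`. The same applies to the `new_from_key` arguments in the next hunk.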
@@ -240,25 +242,50 @@
describe '#credentials' do
subject { super().credentials }
it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login }) }
end
+
+ describe "privileged" do
+ describe '#credentials' do
+ subject { super().with_privilege('elevate').credentials }
+ it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"", :x_conjur_privilege=>"elevate" }, username: login }) }
+ end
+ end
+
+ context "with remote_ip" do
+ let(:remote_ip) { "66.0.0.1" }
+ describe '#credentials' do
+ subject { super().credentials }
+ it { is_expected.to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"", :x_forwarded_for=>"66.0.0.1" }, username: login }) }
+ end
+ end
end
context "from api key", logged_in: true do
let(:api_key) { "theapikey" }
- let(:api) { Conjur::API.new_from_key(login, api_key) }
+ let(:api_args) { [ login, api_key, remote_ip ].compact }
+ let(:api) { Conjur::API.new_from_key(*api_args) }
+ let(:remote_ip) { nil }
subject { api }
it("should authenticate to get a token") do
expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token
expect(api.instance_variable_get("@token")).to eq(nil)
expect(api.token).to eq(token)
expect(api.credentials).to eq({ headers: { authorization: "Token token=\"#{Base64.strict_encode64(token.to_json)}\"" }, username: login })
end
+ it("checks if the token is fresh") do
+ expired_token = token.merge 'timestamp' => 10.minutes.ago.to_s
+ expect(Conjur::API).to receive(:authenticate).with(login, api_key).and_return expired_token
+
+ expect(api.instance_variable_get("@token")).to eq(nil)
+ expect { api.token }.to raise_error /obtained token is invalid/
+ end
+
context "with an expired token" do
it "fetches a new one" do
allow(Conjur::API).to receive(:authenticate).with(login, api_key).and_return token
expect(Time.parse(api.token['timestamp'])).to be_within(5.seconds).of(Time.now)
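Review bot: The `x_forwarded_for` header is asserted only for `new_from_token`; the "from api key" context threads `remote_ip` into `api_args`, but no example visible here sets it to a non-nil value, so forwarding through `new_from_key` is untested. Nothing here checks that `with_privilege('elevate')` keeps the forwarded address either, which matters if the header feeds audit records (inferred, not shown on this page). A context along the lines below would cover both; the `authenticate` stub omits `.with` because its arguments when `remote_ip` is set are not visible in this diff. Separately, `raise_error /obtained token is invalid/` should take parentheses, `raise_error(/obtained token is invalid/)`, to avoid Ruby's ambiguous-first-argument warning. The enclosing "with an expired token" context continues past the hunk.

```ruby
# … unchanged: "checks if the token is fresh" example …
context "with remote_ip" do
  let(:remote_ip) { "66.0.0.1" }
  before { allow(Conjur::API).to receive(:authenticate).and_return token }

  it "forwards the client address" do
    expect(api.credentials[:headers][:x_forwarded_for]).to eq("66.0.0.1")
  end

  it "keeps the client address when privilege is elevated" do
    headers = api.with_privilege('elevate').credentials[:headers]
    expect(headers[:x_conjur_privilege]).to eq("elevate")
    expect(headers[:x_forwarded_for]).to eq("66.0.0.1")
  end
end
```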
@@ -271,14 +298,39 @@
end
end
context "from logged-in RestClient::Resource" do
let(:token_encoded) { Base64.strict_encode64(token.to_json) }
- let(:resource) { RestClient::Resource.new("http://example.com", { headers: { authorization: "Token token=\"#{token_encoded}\"" } })}
+ let(:headers) { { authorization: "Token token=\"#{token_encoded}\"" } }
+ let(:resource) { RestClient::Resource.new("http://example.com", { headers: headers })}
it "can construct a new API instance" do
api = resource.conjur_api
expect(api.credentials[:headers][:authorization]).to eq("Token token=\"#{token_encoded}\"")
+ expect(api.credentials[:headers][:x_conjur_privilege]).to be_nil
+ expect(api.credentials[:headers][:x_forwarded_for]).to be_nil
expect(api.credentials[:username]).to eq("bob")
+ end
+
+ context "privileged" do
+ let(:headers) { { authorization: "Token token=\"#{token_encoded}\"", x_conjur_privilege: "elevate" } }
+ it "can clone itself" do
+ api = resource.conjur_api
+ expect(api.credentials[:headers][:authorization]).to eq("Token token=\"#{token_encoded}\"")
+ expect(api.credentials[:headers][:x_conjur_privilege]).to eq("elevate")
+ expect(api.credentials[:headers][:x_forwarded_for]).to be_nil
+ expect(api.credentials[:username]).to eq("bob")
+ end
+ end
+
+ context "privileged" do
+ let(:headers) { { authorization: "Token token=\"#{token_encoded}\"", x_forwarded_for: "66.0.0.1" } }
+ it "can clone itself" do
+ api = resource.conjur_api
+ expect(api.credentials[:headers][:authorization]).to eq("Token token=\"#{token_encoded}\"")
+ expect(api.credentials[:headers][:x_conjur_privilege]).to be_nil
+ expect(api.credentials[:headers][:x_forwarded_for]).to eq("66.0.0.1")
+ expect(api.credentials[:username]).to eq("bob")
+ end
end
end
end
describe "#role_from_username", logged_in: true do
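Review bot: The second `context "privileged"` block sets `x_forwarded_for`, not `x_conjur_privilege`, yet it reuses the description and the "can clone itself" example name of the block before it, so a failure report cannot tell the two apart. Rename it, e.g. `context "with remote_ip" do`. A resource carrying both headers at once is not covered here; one more example asserting that both survive `conjur_api` would close that gap. The enclosing describe starts outside this hunk.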