conjur-api 4.14.0 → 4.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +3 -0
- data/CHANGELOG.md +4 -0
- data/lib/conjur-api/version.rb +1 -1
- data/lib/conjur/acts_as_asset.rb +44 -3
- data/lib/conjur/acts_as_resource.rb +53 -4
- data/lib/conjur/acts_as_user.rb +17 -7
- data/lib/conjur/annotations.rb +49 -3
- data/lib/conjur/api.rb +30 -3
- data/lib/conjur/api/deputies.rb +25 -1
- data/lib/conjur/api/resources.rb +109 -5
- data/lib/conjur/api/roles.rb +103 -11
- data/lib/conjur/api/secrets.rb +16 -1
- data/lib/conjur/api/users.rb +65 -1
- data/lib/conjur/api/variables.rb +65 -1
- data/lib/conjur/audit-api.rb +3 -0
- data/lib/conjur/authn-api.rb +4 -0
- data/lib/conjur/authz-api.rb +4 -0
- data/lib/conjur/base.rb +31 -30
- data/lib/conjur/build_from_response.rb +11 -0
- data/lib/conjur/cast.rb +5 -1
- data/lib/conjur/core-api.rb +22 -2
- data/lib/conjur/deputy.rb +19 -2
- data/lib/conjur/env.rb +18 -3
- data/lib/conjur/escape.rb +65 -4
- data/lib/conjur/event_source.rb +15 -2
- data/lib/conjur/graph.rb +103 -12
- data/lib/conjur/has_id.rb +13 -1
- data/lib/conjur/has_identifier.rb +9 -6
- data/lib/conjur/has_owner.rb +21 -7
- data/lib/conjur/host.rb +8 -0
- data/lib/conjur/layer-api.rb +4 -0
- data/lib/conjur/layer.rb +50 -3
- data/lib/conjur/log.rb +22 -2
- data/lib/conjur/log_source.rb +27 -0
- data/lib/conjur/path_based.rb +47 -2
- data/lib/conjur/pubkeys-api.rb +12 -0
- data/lib/conjur/role.rb +220 -9
- data/lib/conjur/role_grant.rb +50 -2
- data/lib/conjur/secret.rb +9 -1
- data/lib/conjur/standard_methods.rb +31 -3
- data/lib/conjur/user.rb +55 -3
- data/spec/lib/role_spec.rb +1 -2
- metadata +2 -2
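--- a/data/lib/conjur/role_grant.rb
+++ b/data/lib/conjur/role_grant.rb
@@ -19,8 +19,56 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-RoleGrant
+# A `RoleGrant` instance represents the membership of a role in some unspecified role. `RoleGrant`s are returned
+# by {Conjur::Role#members} and represent members of the role on which the method was invoked.
+#
+# @example
+# alice.members.map{|grant| grant.member}.include? admin_role # => true
+# admin_role.members.map{|grant| grant.member}.include? alice # => true
+#
+class RoleGrant
+
+
+# The member role in the relationship
+# @return [Conjur::Role] the member
+attr_reader :member
+
+# The role that created this grant.
+#
+# @return [Conjur::Role] the role that created the grant
+attr_reader :grantor
+
+# When true, the role {#member} is allowed to give this grant to other roles
+#
+# @return [Boolean] whether the role can grant the role to others
+attr_reader :admin_option
+
+
+# @api private
+#
+# Create a new RoleGrant instance.
+#
+# @param [Conjur::Role] member the member to which the role was granted
+# @param [Conjur::Role] grantor the role that created this grant
+# @param [Boolean] admin_option whether `member` can give the grant to other roles
+def initialize member, grantor, admin_option
+@member = member
+@grantor = grantor
+@admin_option = admin_option
+end
+
+#@!attribute member
+# The member thing
+# @return [Conjur::Role] a ret?
+
 class << self
+# @api private
+#
+# Create a `RoleGrant` from a JSON respnose
+#
+# @param [Hash] json the parsed JSON response
+# @param [Hash] credentials the credentials used to create APIs for the member and grantor role objects
+# @return [Conjur::RoleGrant]
 def parse_from_json(json, credentials)
 member = Role.new(Conjur::Authz::API.host, credentials)[Conjur::API.parse_role_id(json['member']).join('/')]
 grantor = Role.new(Conjur::Authz::API.host, credentials)[Conjur::API.parse_role_id(json['grantor']).join('/')]
@@ -28,4 +76,4 @@ module Conjur
 end
 end
 end
-end
+end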
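Review bot: The three comment lines `#@!attribute member`, `# The member thing` and `# @return [Conjur::Role] a ret?` added just above `class << self` (new lines 60-62) are leftover scaffolding: `member` is already documented on its `attr_reader`, and `@!attribute` is a YARD directive that, with no method beneath it, may register a second, nonsense `member` attribute in the generated docs; delete the three lines. `respnose` in the `parse_from_json` doc should be `response`. The truncated removed line suggests `RoleGrant` was previously `Struct`-based; if so, the new plain class loses value equality (`==`/`eql?`/`hash`) and `include?`-style comparisons of grants now fall back to identity, which is worth stating in the class doc or restoring explicitly — I cannot confirm the old definition from what is shown.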
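--- a/data/lib/conjur/secret.rb
+++ b/data/lib/conjur/secret.rb
@@ -19,9 +19,17 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
+# @api private
+#
+# Secrets are primitive encrypted values upon which {Conjur::Variable}s are built.
+# You probably want to use {Conjur::Variable} instead.
 class Secret < RestClient::Resource
 include ActsAsAsset
-
+
+# @api private
+# Return the value of the secret
+#
+# @return [String] the value stored by this secret
 def value
 self['value'].get.body
 end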
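Review bot: The new `@return [String]` on `value` only says "the value stored by this secret", while the class comment in the same hunk calls secrets "encrypted values", so a reader could take `value` to return ciphertext. `self['value'].get.body` hands back the raw response body, which is the usable secret as far as this client is concerned (any decryption presumably happens server-side), so the doc should say so and add the handling caveat: `# @return [String] the secret's plaintext as returned by the server; treat it as sensitive and keep it out of logs.`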
@@ -29,7 +29,17 @@ module Conjur
|
|
29
29
|
module StandardMethods
|
30
30
|
|
31
31
|
protected
|
32
|
-
|
32
|
+
|
33
|
+
# @api private
|
34
|
+
#
|
35
|
+
# Create this resource by sending a POST request to its URL.
|
36
|
+
#
|
37
|
+
# @param [String] host the url of the service (for example, https://conjur.host.com/api)
|
38
|
+
# @param [String] type the asset `kind` (for example, 'user', 'group')
|
39
|
+
# @param [String, nil] id the id of the new asset
|
40
|
+
# @param [Hash] options options to pass through to `RestClient::Resource`'s `post` method.
|
41
|
+
# @return [Object] an instance of a class determined by `type`. For example, if `type` is
|
42
|
+
# `'user'`, the class will be `Conjur::User`.
|
33
43
|
def standard_create(host, type, id = nil, options = nil)
|
34
44
|
log do |logger|
|
35
45
|
logger << "Creating #{type}"
|
@@ -43,7 +53,16 @@ module Conjur
|
|
43
53
|
resp = RestClient::Resource.new(host, credentials)[type.to_s.pluralize].post(options)
|
44
54
|
"Conjur::#{type.to_s.classify}".constantize.build_from_response(resp, credentials)
|
45
55
|
end
|
46
|
-
|
56
|
+
|
57
|
+
# @api private
|
58
|
+
#
|
59
|
+
# Fetch a list of assets by sending a GET request to the URL for resources of the given `type`.
|
60
|
+
#
|
61
|
+
# @param [String] host the url of the service (for example, https://conjur.host.com/api)
|
62
|
+
# @param [String] type the asset `kind` (for example, 'user', 'group')
|
63
|
+
# @param [Hash] options options to pass through to `RestClient::Resource`'s `post` method.
|
64
|
+
# @return [Array<Object>] an array of instances of the asset class determined by `type`. For example, if
|
65
|
+
# `type` is `'group'`, and array of `Conjur::Group` instances will be returned.
|
47
66
|
def standard_list(host, type, options)
|
48
67
|
JSON.parse(RestClient::Resource.new(host, credentials)[type.to_s.pluralize].get(options)).collect do |item|
|
49
68
|
# Note that we don't want to fully_escape the ids below -- methods like #layer, #host, etc don't expect
|
@@ -55,7 +74,16 @@ module Conjur
|
|
55
74
|
end
|
56
75
|
end
|
57
76
|
end
|
58
|
-
|
77
|
+
|
78
|
+
# @api private
|
79
|
+
#
|
80
|
+
# Fetch details of an asset by sending a GET request to its URL.
|
81
|
+
#
|
82
|
+
# @param [String] host the url of the service (for example, https://conjur.host.com/api)
|
83
|
+
# @param [String] type the asset `kind` (for example, 'user', 'group')
|
84
|
+
# @param [String, nil] id the id of the asset to show
|
85
|
+
# @return [Object] an instance of a class determined by `type`. For example, if `type` is
|
86
|
+
# `'user'`, the class will be `Conjur::User`.
|
59
87
|
def standard_show(host, type, id)
|
60
88
|
"Conjur::#{type.to_s.classify}".constantize.new(host, credentials)[ [type.to_s.pluralize, fully_escape(id)].join('/') ]
|
61
89
|
end
|
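Review bot: The `@param options` doc added above `standard_list` (new line 63) says the options are passed to `RestClient::Resource`'s `post` method, but `standard_list` hands them to `get` on the very next line; it should read `# @param [Hash] options options to pass through to `RestClient::Resource`'s `get` method.`, and "and array of `Conjur::Group`" in the `@return` sentence should be "an array". Since these new docs describe `type` as an asset kind, they should also say it must be a trusted literal: the existing bodies interpolate it into a constant name via `"Conjur::#{type.to_s.classify}".constantize` and into the request path via `type.to_s.pluralize` without escaping, so a caller must never pass externally supplied input as `type`. The file header for this section is not visible, and the body of `standard_create` continues between the first two hunks.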
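--- a/data/lib/conjur/user.rb
+++ b/data/lib/conjur/user.rb
@@ -21,15 +21,67 @@
 module Conjur
 class InvalidToken < Exception
 end
-
+
+# This class represents a {http://developer.conjur.net/reference/services/directory/user Conjur User}.
 class User < RestClient::Resource
 include ActsAsAsset
 include ActsAsUser
-
-alias login id
 
+# Using a method instead of an alias here to make the docs look nicer :-/ - jjm
+
+# This method is simply an alias for {#id}. It returns the user's *unqualified* id, which is referred to as
+# `login` here because it can be used to login to Conjur.
+# @return [String] the login for this user
+def login; id end
+
+# Assign new attributes to the user. Currently, this method only lets you change the
+# `:uidnumber` attribute.
+#
+# If a user with the given `:uidnumber` already exists, this method will raise `RestClient::Forbidden`, with
+# the response body providing additional details if possible.
+#
+# ### Permissions
+# You must be a member of the user's role to call this method.
+#
+# @note This feature requires Conjur server version 4.3 or later.
+#
+# @param [Hash] options attributes to change
+# @option options [FixNum] :uidnumber the new uidnumber for this user. This option *must* be present.
+# @return [void]
+# @raise [RestClient::Conflict] if the uidnumber is already in use
+# @raise [ArgumentError] if uidnumber isn't a `Fixnum` or isn't present in `options`
 def update options
+# Currently the server raises a 400 Bad Request if uidnumber is missing, require it here
+raise ArgumentError "options[:uidnumber] is required" unless uidnumber = options[:uidnumber]
+raise ArgumentError, "options[:uidnumber] must be a Fixnum" unless uidnumber.kind_of?(Fixnum)
 self.put(options)
 end
+
+# Get the user's uidnumber, which is used by LDAP and SSH login, among other things.
+#
+# ### Permissions
+# You must have the `'show'` permission on the user's resource to call this method
+#
+# @note This feature requires Conjur server version 4.3 or later.
+#
+# @return [Fixnum] the uidnumber
+# @raise [RestClient::Forbidden] if you don't have permission to `show` the user.
+def uidnumber
+attributes['uidnumber']
+end
+
+# Set the user's uidnumber, which is used by LDAP and SSH login.
+#
+# ### Permissions
+# You must be a member of the user's role to call this method.
+#
+# @note This feature requires Conjur server version 4.3 or later.
+#
+# @param [Fixnum] uidnumber the new uidnumber
+# @return [void]
+# @raise [RestClient::Conflict] if the uidnumber is already in use.
+def uidnumber= uidnumber
+update uidnumber: uidnumber
+end
 end
 end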
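Review bot: The first guard added to `update` (new line 55) is missing the comma after `ArgumentError`, so `raise ArgumentError "options[:uidnumber] is required"` parses as a call to an undefined method `ArgumentError(...)` and a caller that omits `:uidnumber` gets a `NoMethodError` instead of the documented `ArgumentError`; it should read `raise ArgumentError, "options[:uidnumber] is required" unless (uidnumber = options[:uidnumber])`, matching the second guard. The new doc block above `update` also contradicts itself: the prose says a duplicate uidnumber raises `RestClient::Forbidden` while the `@raise` tag says `RestClient::Conflict`; use whichever status the server actually returns in both places, and `[FixNum]` in the `@option` tag should be `[Fixnum]` to match the check and the other tags.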
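--- a/data/spec/lib/role_spec.rb
+++ b/data/spec/lib/role_spec.rb
@@ -190,8 +190,7 @@ describe Conjur::Role, api: :dummy do
 grants = %w(foo bar)
 expect_request(
 method: :get,
-url: role.url + "/?members"
-headers: {}
+url: role.url + "/?members"
 ).and_return grants.to_json
 grants.each do |g|
 expect(Conjur::RoleGrant).to receive(:parse_from_json).with(g, anything).and_return g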
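--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-version: 4.
+version: 4.15.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-
+date: 2015-04-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rest-client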