conjur-api 4.31.0 → 5.0.0.rc1
- checksums.yaml +4 -4
- data/.dockerignore +1 -0
- data/.gitignore +1 -0
- data/CHANGELOG.md +22 -3
- data/Dockerfile +12 -3
- data/Gemfile +3 -3
- data/Jenkinsfile +69 -0
- data/LICENSE.md +195 -0
- data/README.md +16 -0
- data/Rakefile +34 -18
- data/ci/wait_for_server.sh +10 -0
- data/conjur-api.gemspec +6 -14
- data/dev/docker-compose.yml +23 -0
- data/dev/empty.yml +2 -0
- data/dev/start.sh +15 -0
- data/dev/stop.sh +6 -0
- data/docker-compose.yml +27 -0
- data/features/exists.feature +37 -0
- data/features/group.feature +11 -0
- data/features/host.feature +20 -0
- data/features/host_factory_create_host.feature +28 -0
- data/features/host_factory_token.feature +63 -0
- data/features/load_policy.feature +61 -0
- data/features/members.feature +51 -0
- data/features/new_api.feature +36 -0
- data/features/permitted.feature +43 -0
- data/features/permitted_roles.feature +30 -0
- data/features/public_keys.feature +11 -0
- data/features/resource_fields.feature +53 -0
- data/features/role_fields.feature +15 -0
- data/features/rotate_api_key.feature +13 -0
- data/features/step_definitions/api_steps.rb +4 -54
- data/features/step_definitions/policy_steps.rb +35 -0
- data/features/step_definitions/result_steps.rb +7 -0
- data/features/support/env.rb +14 -5
- data/features/support/hooks.rb +3 -0
- data/features/support/world.rb +5 -6
- data/features/update_password.feature +14 -0
- data/features/user.feature +17 -0
- data/features/variable_fields.feature +20 -0
- data/features/variable_value.feature +67 -0
- data/lib/conjur/acts_as_resource.rb +95 -65
- data/lib/conjur/acts_as_role.rb +102 -51
- data/lib/conjur/{audit-api.rb → acts_as_rolsource.rb} +10 -14
- data/lib/conjur/acts_as_user.rb +13 -22
- data/lib/conjur/api/authn.rb +37 -72
- data/lib/conjur/api/host_factories.rb +35 -55
- data/lib/conjur/api/policies.rb +56 -0
- data/lib/conjur/api/pubkeys.rb +36 -160
- data/lib/conjur/api/resources.rb +32 -116
- data/lib/conjur/api/roles.rb +28 -105
- data/lib/conjur/api/variables.rb +22 -91
- data/lib/conjur/api.rb +19 -46
- data/lib/conjur/base.rb +21 -132
- data/lib/conjur/base_object.rb +57 -0
- data/lib/conjur/{authn-api.rb → build_object.rb} +23 -11
- data/lib/conjur/cast.rb +12 -17
- data/lib/conjur/cert_utils.rb +1 -1
- data/lib/conjur/cidr.rb +1 -1
- data/lib/conjur/configuration.rb +13 -91
- data/lib/conjur/escape.rb +1 -2
- data/lib/conjur/group.rb +9 -65
- data/lib/conjur/has_attributes.rb +22 -59
- data/lib/conjur/host.rb +5 -35
- data/lib/conjur/host_factory.rb +40 -40
- data/lib/conjur/host_factory_token.rb +38 -23
- data/lib/conjur/id.rb +63 -0
- data/lib/conjur/layer.rb +5 -80
- data/lib/conjur/log.rb +1 -1
- data/lib/conjur/log_source.rb +1 -1
- data/lib/conjur/{secret.rb → policy.rb} +11 -14
- data/lib/conjur/{api/secrets.rb → policy_load_result.rb} +35 -22
- data/lib/conjur/query_string.rb +2 -1
- data/lib/conjur/resource.rb +5 -299
- data/lib/conjur/role.rb +5 -317
- data/lib/conjur/role_grant.rb +20 -28
- data/lib/conjur/user.rb +5 -63
- data/lib/conjur/variable.rb +31 -76
- data/lib/conjur/{authz-api.rb → webservice.rb} +8 -16
- data/lib/conjur-api/version.rb +2 -2
- data/publish.sh +7 -0
- data/spec/api_spec.rb +208 -0
- data/spec/cast_spec.rb +21 -0
- data/spec/{lib/cert_utils_spec.rb → cert_utils_spec.rb} +0 -0
- data/spec/{lib/cidr_spec.rb → cidr_spec.rb} +0 -0
- data/spec/{lib/configuration_spec.rb → configuration_spec.rb} +40 -140
- data/spec/{lib/has_attributes_spec.rb → has_attributes_spec.rb} +6 -2
- data/spec/{lib/log_source_spec.rb → log_source_spec.rb} +0 -0
- data/spec/{lib/log_spec.rb → log_spec.rb} +0 -0
- data/spec/roles_spec.rb +24 -0
- data/spec/spec_helper.rb +63 -78
- data/spec/ssl_spec.rb +3 -5
- data/spec/vendor/rest_client_spec.rb +0 -54
- data/test.sh +40 -0
- metadata +122 -281
- data/.kateproject +0 -5
- data/LICENSE +0 -22
- data/ci/test.sh +0 -9
- data/features/audit_resources.feature +0 -15
- data/features/audit_roles.feature +0 -15
- data/features/bootstrap.feature +0 -31
- data/features/step_definitions/cli_steps.rb +0 -5
- data/jenkins.sh +0 -27
- data/lib/conjur/acts_as_asset.rb +0 -88
- data/lib/conjur/annotations.rb +0 -186
- data/lib/conjur/api/audit.rb +0 -138
- data/lib/conjur/api/deputies.rb +0 -57
- data/lib/conjur/api/groups.rb +0 -111
- data/lib/conjur/api/hosts.rb +0 -109
- data/lib/conjur/api/info.rb +0 -126
- data/lib/conjur/api/layers.rb +0 -62
- data/lib/conjur/api/ldapsync.rb +0 -115
- data/lib/conjur/api/users.rb +0 -106
- data/lib/conjur/bootstrap.rb +0 -161
- data/lib/conjur/build_from_response.rb +0 -49
- data/lib/conjur/core-api.rb +0 -74
- data/lib/conjur/deputy.rb +0 -55
- data/lib/conjur/env.rb +0 -54
- data/lib/conjur/event_source.rb +0 -101
- data/lib/conjur/exists.rb +0 -60
- data/lib/conjur/graph.rb +0 -295
- data/lib/conjur/has_id.rb +0 -43
- data/lib/conjur/has_identifier.rb +0 -36
- data/lib/conjur/has_owner.rb +0 -51
- data/lib/conjur/host-factory-api.rb +0 -38
- data/lib/conjur/layer-api.rb +0 -13
- data/lib/conjur/ldap_sync_job.rb +0 -89
- data/lib/conjur/path_based.rb +0 -86
- data/lib/conjur/pubkeys-api.rb +0 -50
- data/lib/conjur/standard_methods.rb +0 -91
- data/reqspeed.rb +0 -20
- data/spec/api/authn_spec.rb +0 -81
- data/spec/api/graph_spec.rb +0 -117
- data/spec/api/groups_spec.rb +0 -40
- data/spec/api/hosts_spec.rb +0 -36
- data/spec/api/info_spec.rb +0 -89
- data/spec/api/layer_spec.rb +0 -18
- data/spec/api/ldapsync_spec.rb +0 -44
- data/spec/api/pubkeys_spec.rb +0 -66
- data/spec/api/resources_spec.rb +0 -92
- data/spec/api/roles_spec.rb +0 -100
- data/spec/api/secrets_spec.rb +0 -16
- data/spec/api/users_spec.rb +0 -71
- data/spec/api/variables_spec.rb +0 -112
- data/spec/cas_rest_client.rb +0 -17
- data/spec/cidr_helper.rb +0 -24
- data/spec/lib/acts_as_user_spec.rb +0 -27
- data/spec/lib/annotations_spec.rb +0 -109
- data/spec/lib/api_spec.rb +0 -480
- data/spec/lib/asset_spec.rb +0 -80
- data/spec/lib/audit_spec.rb +0 -155
- data/spec/lib/build_from_response_spec.rb +0 -49
- data/spec/lib/deputy_spec.rb +0 -25
- data/spec/lib/exists_spec.rb +0 -24
- data/spec/lib/group_spec.rb +0 -18
- data/spec/lib/host_spec.rb +0 -31
- data/spec/lib/resource_spec.rb +0 -240
- data/spec/lib/role_grant_spec.rb +0 -13
- data/spec/lib/role_spec.rb +0 -231
- data/spec/lib/standard_methods_spec.rb +0 -66
- data/spec/lib/user_spec.rb +0 -77
- data/spec/standard_methods_helper.rb +0 -41
- data/spec/variable_spec.rb +0 -101
- data/spec/vcr_cassettes/Conjur_Resource/_create/with_path-like_identifier.yml +0 -87
- data/spec/vcr_cassettes/Conjur_Resource/_create/with_un-encoded_path-like_identifier.yml +0 -87
- data/spec/vcr_cassettes/Conjur_Resource/_create/with_uuid_identifier.yml +0 -87
data/ci/test.sh
DELETED
@@ -1,15 +0,0 @@
|
|
1
|
-
Feature: audit with additional resources
|
2
|
-
|
3
|
-
Background:
|
4
|
-
Given I create the variable "$ns_foo"
|
5
|
-
|
6
|
-
Scenario: with one additional resource
|
7
|
-
When I create an api with the additional audit resource "webservice:ws1"
|
8
|
-
And I check to see if I'm permitted to "read" variable "$ns_foo"
|
9
|
-
Then an audit event for variable "$ns_foo" with action "check" and resource "webservice:ws1" is generated
|
10
|
-
|
11
|
-
Scenario: with more than one additional resource
|
12
|
-
When I create an api with the additional audit resources "webservice:ws1, webservice:ws2"
|
13
|
-
And I check to see if I'm permitted to "read" variable "$ns_foo"
|
14
|
-
Then an audit event for variable "$ns_foo" with action "check" and resources "webservice:ws1, webservice:ws2" is generated
|
15
|
-
|
@@ -1,15 +0,0 @@
|
|
1
|
-
Feature: audit with additional resources
|
2
|
-
|
3
|
-
Background:
|
4
|
-
Given I create the variable "$ns_foo"
|
5
|
-
|
6
|
-
Scenario: with one additional resource
|
7
|
-
When I create an api with the additional audit role "user:auditor1"
|
8
|
-
And I check to see if I'm permitted to "read" variable "$ns_foo"
|
9
|
-
Then an audit event for variable "$ns_foo" with action "check" and role "user:auditor1" is generated
|
10
|
-
|
11
|
-
Scenario: with more than one additional resource
|
12
|
-
When I create an api with the additional audit roles "user:auditor2,group:auditors"
|
13
|
-
And I check to see if I'm permitted to "read" variable "$ns_foo"
|
14
|
-
Then an audit event for variable "$ns_foo" with action "check" and roles "user:auditor2,group:auditors" is generated
|
15
|
-
|
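--- a/data/features/bootstrap.feature
+++ b/data/features/bootstrap.feature
@@ -1,31 +0,0 @@
-Feature: conjur bootstrap
-
-Background: Bootstrap
-Given I bootstrap
-
-Scenario: Expected resources exist
-Then expressions "$conjur.group('security_admin').exists?" and "true" are equal
-Then expressions "$conjur.group('auditors').exists?" and "true" are equal
-Then expressions "$conjur.group('pubkeys-1.0/key-managers').exists?" and "true" are equal
-Then expressions "$conjur.resource('webservice:conjur/authn-tv').exists?" and "true" are equal
-Then expressions "$conjur.resource('webservice:conjur/policy-loader').exists?" and "true" are equal
-Then expressions "$conjur.resource('webservice:conjur/policy-loader').ownerid" and "'cucumber:group:security_admin'" are equal
-Then expressions "$conjur.host('conjur/policy-loader').exists?" and "true" are equal
-Then expressions "$conjur.host('conjur/secrets-rotator').exists?" and "true" are equal
-Then expressions "$conjur.host('conjur/ldap-sync').exists?" and "true" are equal
-
-Scenario: security_admin group has the expected members
-Then expressions "$conjur.role('group:security_admin').members.map(&:member).map(&:roleid).sort.join(',')" and "'cucumber:host:conjur/authn-tv,cucumber:host:conjur/expiration,cucumber:host:conjur/ldap-sync,cucumber:host:conjur/policy-loader,cucumber:host:conjur/secrets-rotator,cucumber:user:admin'" are equal
-
-Scenario: security_admin group can update public keys
-Then expression "$conjur.resource('service:pubkeys-1.0/public-keys').permitted_roles('update')" includes "$conjur.group('security_admin').roleid"
-
-Scenario: security_admin can 'elevate' and 'reveal'
-Then expression "$conjur.resource('!:!:conjur').permitted_roles('elevate')" includes "$conjur.group('security_admin').roleid"
-Then expression "$conjur.resource('!:!:conjur').permitted_roles('reveal')" includes "$conjur.group('security_admin').roleid"
-
-Scenario: auditors can 'reveal'
-Then expression "$conjur.resource('!:!:conjur').permitted_roles('reveal')" includes "$conjur.group('auditors').roleid"
-
-Scenario: API keys are saved in variables
-Then expression "$conjur.resources(kind: 'variable').map(&:resourceid)" includes "'cucumber:variable:conjur/hosts/conjur/secrets-rotator/api-key'"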
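--- a/data/jenkins.sh
+++ b/data/jenkins.sh
@@ -1,27 +0,0 @@
-#!/bin/bash -ex
-
-CONJUR_VERSION=${CONJUR_VERSION:-"4.9"}
-DOCKER_IMAGE=${DOCKER_IMAGE:-"registry.tld/conjur-appliance-cuke-master:$CONJUR_VERSION-stable"}
-NOKILL=${NOKILL:-"0"}
-PULL=${PULL:-"1"}
-
-if [ -z "$CONJUR_CONTAINER" ]; then
-if [ "$PULL" == "1" ]; then
-docker pull $DOCKER_IMAGE
-fi
-
-cid=$(docker run --privileged -d -v ${PWD}:/src/conjur-api $DOCKER_IMAGE)
-function finish {
-if [ "$NOKILL" != "1" ]; then
-docker rm -f ${cid}
-fi
-}
-trap finish EXIT
-
->&2 echo "Container id:"
->&2 echo $cid
-else
-cid=${CONJUR_CONTAINER}
-fi
-
-docker exec -i ${cid} /src/conjur-api/ci/test.sh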
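--- a/data/lib/conjur/acts_as_asset.rb
+++ b/data/lib/conjur/acts_as_asset.rb
@@ -1,88 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-# A mixin used by Conjur asset classes such as {Conjur::User} and {Conjur::Group}.
-module ActsAsAsset
-include HasId
-include Exists
-include HasOwner
-include ActsAsResource
-include HasAttributes
-
-# Add an internal grant on this asset's resource. This method allows you to grant permissions on all members of
-# a container asset (for example, all hosts in a layer) to the given role. Currently this method
-# is only useful for `layer` assets, and corresponds to the
-# {http://developer.conjur.net/reference/services/directory/layer/hosts-permit.html `hosts permit`} CLI
-# command. In particular, to permit `'update'` on all hosts in a layer, `role_name` should be
-# `'admin_host'`, and to permit `'execute'` it should be `'use_host'`.
-#
-# @example Allow group 'ops' to admin hosts in the 'dev/database' layer
-# ops = api.create_group 'ops'
-# dev_database = api.create_layer 'dev/database'
-#
-# # Create and add a host to the databasees layer
-# host = api.create_host 'ec2/i-123ab23f'
-# dev_databases.add_host host
-#
-# # Ops can't update the hosts
-# host.resource.permitted? 'update', acting_as: 'conjur:group:ops'
-# # => false
-#
-# # Allow 'group:ops' to admin all hosts in the layer
-# layer.add_member 'admin_host', ops
-#
-# # Now 'group:ops' is allowed to `'update'` the role.`
-# host.resource.permitted? 'update', acting_as: 'group:ops'
-# # => true
-#
-# @param [String] role_name name of the internal role to grant (for layers, it must be `'use_host'` or `'admin_host'`)
-# @param [String, #roleid] member the role to receive the grant
-# @param [Hash] options Unused, included for backwards compatibility
-# @return [void]
-def add_member(role_name, member, options = {})
-owned_role(role_name).grant_to member, options
-end
-
-# Remove a grant created with {#add_member}. When an internal grant has been created on this asset's resource
-# with {#add_member}, you can remove it with this method.
-#
-# @see #add_member
-# @param [String] role_name name of the internal grant role (for layers, it must be `'use_host'` or `'admin_host'`).
-# @param [String, #roleid] member the role to remove
-# @return [void]
-def remove_member(role_name, member)
-owned_role(role_name).revoke_from member
-end
-
-protected
-
-# Return the internal role for an add/remove member grant.
-#
-# @param [String] role_name the name of the internal role
-# @return [Conjur::Role] the internal role
-def owned_role(role_name)
-tokens = [ resource_kind, resource_id, role_name ]
-grant_role = [ core_conjur_account, '@', tokens.join('/') ].join(':')
-require 'conjur/role'
-Conjur::Role.new(Conjur::Authz::API.host, self.options)[Conjur::API.parse_role_id(grant_role).join('/')]
-end
-end
-end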
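--- a/data/lib/conjur/annotations.rb
+++ b/data/lib/conjur/annotations.rb
@@ -1,186 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-require 'forwardable'
-
-module Conjur
-# Conjur allows {http://developer.conjur.net/reference/services/authorization/resource Resource}
-# instances to be {http://developer.conjur.net/reference/services/authorization/resource/annotate.html annotated}
-# with arbitrary key-value data. This data is generally for "user consumption", and it *is not* governed
-# by any particular schema or constraints. Your applications can define their own schema for annotations they
-# use. If you do so, we recommend prefixing your annotations, for example, `'myapp:Name'`, in order to avoid
-# conflict with annotations used, for example, by the Conjur UI.
-#
-# An Annotations instance acts like a Hash: you can fetch an annotation
-# with {#[]} and update with {#[]=}, {#each} it, and {#merge!} to do bulk updates.
-#
-class Annotations
-include Enumerable
-include Conjur::Escape
-# Create an `Annotations` instance for the given {Conjur::Resource}.
-#
-# Note that you will generally use the {Conjur::Resource#annotations} method to get
-# the `Annotations` for a {Conjur::Resource}.
-#
-# @param resource [Conjur::Resource]
-#
-def initialize resource
-@resource = resource
-end
-
-# Get the value of the annotation with the given name
-# @param [String,Symbol] name the annotation name, indifferent to whether it's
-# a String or Symbol.
-def [] name
-annotations_hash[name.to_sym]
-end
-
-# Set an annotation value. This will perform an api call to set the annotation
-# on the server.
-#
-# @param [String, Symbol] name the annotation name
-# @param [String] value the annotation value
-#
-# @return [String] the new annotation value
-def []= name, value
-update_annotation name.to_sym, value
-value
-end
-
-# Enumerate all annotations, yielding key,value pairs.
-# @return [Conjur::Annotations] self
-def each &blk
-annotations_hash.each &blk
-self
-end
-
-# Return a *copy* of the annotation values
-#
-# @example Changing values has no effectannotations_hash
-# resource.annotations.values ["Some Value"]
-# resource.annotations.values.each do |v|
-# v << "HI"
-# end
-# resource.annotations.values # => ["Some Value"]
-#
-# # Notice that this is different from ordinary Hash behavior
-# h = {"Some Key" => "Some Value"}
-# h.values.each do |v|
-# v << "HI"
-# end
-# h.values # "Some ValueHI"
-#
-# @example Show the values of a resources annotations
-# resource.annotations # => {'Name' => 'The Best Resource EVAR',
-# # 'Story' => 'The Coolest!' }
-# resource.annotations.values # => ['The Best Resource EVAR', 'The Coolest!']
-#
-# @return [Array<String>] the annotation values
-def values
-annotations_hash.values.map(&:dup)
-end
-
-# Return the annotation names.
-#
-# This has exactly the same behavior as {Hash#keys}, in that the
-# returned keys are immutable, and modifications to the array have no
-# effect.
-#
-# @return [Array<String, Symbol>] the annotation names
-def keys
-annotations_hash.keys
-end
-alias names keys
-
-def to_a
-to_h.to_a
-end
-
-
-# Set annotations from key,value pairs in `hash`.
-#
-# @note this is currently no more efficient than setting each
-# annotation with {#[]=}.
-#
-# @param [Hash, #each] hash
-# @return [Conjur::Annotations] self
-def merge! hash
-hash.each do |k, v|
-self[k] = v unless self[k] == v
-end
-self
-end
-
-# Return a proper hash containing a **copy** of the annotations. Note that
-# updates to this hash have no effect on the actual annotations.
-#
-# @return [Hash]
-def to_h
-annotations_hash.dup
-end
-
-# Return the annotations hash as a string. This method simply delegates to
-# `Hash#to_s`.
-#
-# @return [String]
-def to_s
-annotations_hash.to_s
-end
-
-# Return an informative representation of the annotations, including
-# the resource to which they're attached. Suitable for debugging.
-#
-# @return [String]
-def inspect
-"<Annotations for #{@resource.resourceid}: #{to_s}>"
-end
-
-protected
-#@api private
-# Update an annotation on the server.
-# @param name [String]
-# @param value [String, #to_s]
-# @return [void]
-def update_annotation name, value
-@resource.invalidate do
-@annotations_hash = nil
-path = [@resource.account,'annotations', @resource.kind, @resource.identifier].map do |seg|
-fully_escape(seg)
-end.join('/')
-RestClient::Resource.new(Conjur::Authz::API.host, @resource.options)[path].put name: name, value: value
-end
-end
-# @api private
-# Our internal {Hash} of annotations. Lazily loaded.
-def annotations_hash
-@annotations_hash ||= fetch_annotations
-end
-
-# @api private
-# Fetch the annotations from the server.
-def fetch_annotations
-{}.tap do |hash|
-@resource.attributes['annotations'].each do |annotation|
-hash[annotation['name'].to_sym] = annotation['value']
-end
-end
-end
-end
-end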
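--- a/data/lib/conjur/api/audit.rb
+++ b/data/lib/conjur/api/audit.rb
@@ -1,138 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-require 'conjur/event_source'
-module Conjur
-
-
-class API
-#@!group Audit Service
-
-# Return up to 100 audit events visible to the current authorized role.
-#
-# An audit event is visible to a role if that role or one of it's ancestors is in the
-# event's `:roles` field, or the role has a privilege any of the event's `:resources` field.
-#
-# @param options [Hash]
-# @option options [Time, nil] :till only show events before this time
-# @option options [Time, nil] :since only show events after this time
-# @option options [String, nil] :has_annotation only show events for resources with an annotation with this name
-# @option options [Boolean] :follow block the current thread and call `block` with `Array` of
-# audit events as the occur.
-#
-# @see #audit_role
-#
-# @return [Array<Hash>] the audit events
-def audit options={}, &block
-audit_event_feed "", options, &block
-end
-
-# Return up to 100 audit events visible to the current role and related to the given role.
-#
-# See {#audit} for the conditions under which an event is visible to a role.
-#
-# An event is said to be "related to" a role iff the role is a member of the event's
-# `:roles` field.
-#
-# @param role [Conjur::Role, String, #roleid] the role to audit (if a string is given, it must
-# be of the form `'account:kind:id'`).
-# @param options [Hash]
-# @option options [Time, nil] :till only show events before this time
-# @option options [Time, nil] :since only show events after this time
-# @option options [Boolean] :follow block the current thread and call `block` with `Array` of
-# audit events as the occur.
-#
-# @return [Array<Hash>] the audit events
-def audit_role role, options={}, &block
-audit_event_feed "roles/#{CGI.escape cast(role, :roleid)}", options, &block
-end
-
-# Return up to 100 audit events visible to the current role and related to the given resource.
-#
-# See {#audit} for the conditions under which an event is visible to a role.
-#
-# An event is said to be "related to" a role iff the role is a member of the event's
-# `:roles` field.
-# @param resource [Conjur::Resource, String, #resourceid] the resource to audit (when a string is given, it must be
-# of the form `'account:kind:id'`).
-# @param options [Hash]
-# @option options [Time, nil] :till only show events before this time
-# @option options [Time, nil] :since only show events after this time
-# @option options [String, nil] :has_annotation only show events for resources with an annotation with this name
-# @option options [Boolean] :follow block the current thread and call `block` with `Array` of
-# audit events as the occur.
-#
-# @return [Array<Hash>] the audit events
-def audit_resource resource, options={}, &block
-audit_event_feed "resources/#{CGI.escape cast(resource, :resourceid)}", options, &block
-end
-
-# Send custom audit event
-# @param input [String|Hash|Array] event or array of events (optionally serialized to JSON)
-def audit_send input
-json = if input.kind_of? String
-input
-elsif input.kind_of? Array or input.kind_of? Hash
-input.to_json
-else
-raise ArgumentError, "Parameter should be either String, Hash or Array"
-end
-rest_api = RestClient::Resource.new(Conjur::Authz::API.host, credentials)["audit"]
-rest_api.post json, content_type: "text/plain"
-end
-#@!endgroup
-
-private
-def audit_event_feed path, options={}, &block
-query = options.slice(:since, :till, :has_annotation)
-path << "?#{query.to_param}" unless query.empty?
-if options[:follow]
-follow_events path, &block
-else
-parse_response(RestClient::Resource.new(Conjur::Audit::API.host, credentials)[path].get).tap do |events|
-block.call(events) if block
-end
-end
-end
-
-def follow_events path, &block
-opts = credentials.dup.tap{|h| h[:headers][:accept] = "text/event-stream"}
-block_response = lambda do |response|
-response.error! unless response.code == "200"
-es = EventSource.new
-es.message{ |e| block[e.data] }
-response.read_body do |chunk|
-es.feed chunk
-end
-end
-url = "#{Conjur::Audit::API.host}/#{path}"
-RestClient::Request.execute(
-url: url,
-headers: opts[:headers],
-method: :get,
-block_response: block_response
-)
-end
-
-def parse_response response
-JSON.parse response
-end
-end
-end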
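--- a/data/lib/conjur/api/deputies.rb
+++ b/data/lib/conjur/api/deputies.rb
@@ -1,57 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/deputy'
-
-module Conjur
-class API
-#@!group Directory: Deputies
-
-# @api internal
-#
-# Create a Conjur deputy.
-#
-# Deputies are used internally by Conjur services that need to perform
-# actions as a particular role. While the deputies API is stable,
-# it isn't intended for use by end users.
-#
-# @param [Hash] options options for deputy creation
-# @option options [String] :id the *unqualified* id for the new deputy. If not present,
-# the deputy will be given a randomly generated id.
-# @return [Conjur::Deputy] the new deputy
-# @raise [RestClient::Conflict] if a deputy already exists with the given id.
-def create_deputy options = {}
-standard_create Conjur::Core::API.host, :deputy, nil, options
-end
-
-# @api internal
-#
-# Find a Conjur deputy by id.
-# Deputies are used internally by Conjur services that need to perform
-# actions as a particular role. While the deputies API is stable,
-# it isn't intended for use by end users.
-#
-# @param [String] id the deputy's *unqualified* id
-# @return [Conjur::Deputy] the deputy, which may or may not exist.
-def deputy id
-standard_show Conjur::Core::API.host, :deputy, id
-end
-end
-end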