conjur-api 4.31.0 → 5.0.0.rc1

data/lib/conjur/bootstrap.rb

@@ -1,161 +0,0 @@
-module Conjur
-  module Bootstrap
-    module Command
-      Base = Struct.new(:api, :listener) do
-        def echo msg
-          listener.echo msg
-        end
-        
-        def security_admin
-          api.group("security_admin")
-        end
-        
-        def auditors
-          api.group("auditors")
-        end
-        
-        def find_or_create_record record, owner = nil, &block
-          if record.exists?
-            echo "#{record.resource_kind.capitalize} '#{record.id}' already exists"
-            record
-          else
-            echo "Creating #{record.resource_kind} '#{record.id}'"
-            options = {}
-            options[:ownerid] = owner.roleid if owner
-            result = if block_given?
-              yield record, options
-            else
-              api.send "create_#{record.resource_kind}", record.id, options
-            end
-            store_api_key result if result.attributes['api_key']
-            result
-          end
-        end
-
-        def find_or_create_resource resource, owner = nil
-          if resource.exists?
-            echo "#{resource.resource_kind.capitalize} '#{resource.identifier}' already exists"
-            # v4.21.0 incorrectly assigned these resources to the admin user
-            if resource.ownerid == "#{Conjur.configuration.account}:user:admin"
-              echo "Giving '#{resource.identifier}' to the security_admin group"
-              resource.give_to 'group:security_admin'
-            end
-          else
-            echo "Creating #{resource.resource_kind} '#{resource.identifier}'"
-            options = {}
-            options[:acting_as] = owner.roleid if owner
-            api.create_resource resource.resourceid, options
-          end
-        end
-        
-        def store_api_key user
-          api.create_variable "text/plain", 
-            "conjur-api-key", 
-            id: "conjur/#{user.resource_kind.pluralize}/#{user.id}/api-key", 
-            value: user.api_key,
-            ownerid: security_admin.role.roleid
-          echo "The API of #{user.resource_kind} #{user.id} is stored in variable 'conjur/#{user.resource_kind.pluralize}/#{user.id}/api-key'. " +
-            "You can retire the variable if you don't want to keep it there."
-        end
-        
-        def permit resource, privilege, role
-          if resource.permitted_roles(privilege).member?(role.roleid)
-            echo "#{role.roleid} already has '#{privilege}' privilege on #{resource.resourceid}"
-          else
-            resource.permit privilege, role
-          end
-        end
-      end
-      
-      class SecurityAdminGroup < Base
-        def perform
-          find_or_create_record security_admin
-
-          security_admin.resource.give_to(security_admin) unless security_admin.resource.ownerid == security_admin.role.roleid
-        end
-      end
-
-      class AuditorsGroup < Base
-        def perform
-          find_or_create_record auditors, security_admin
-        end
-      end
-      
-      class Pubkeys < Base
-        def perform
-          find_or_create_record key_managers, security_admin
-
-          find_or_create_record pubkeys_layer, security_admin
-          find_or_create_record pubkeys_host, security_admin do |record, options|
-            api.create_host(id: record.id, ownerid: security_admin.roleid)
-          end
-          pubkeys_layer.add_host pubkeys_host unless pubkeys_layer.hosts.map(&:roleid).member?(pubkeys_host.roleid)
-          
-          find_or_create_resource pubkeys_service, security_admin
-
-          permit pubkeys_service, 'update', key_managers
-
-          # also permit security_admin to update public keys
-          permit pubkeys_service, 'update', security_admin
-        end
-        
-        def pubkeys_layer
-          api.layer("pubkeys-1.0/public-keys")
-        end
-        
-        def pubkeys_host
-          api.host("conjur/pubkeys")
-        end
-        
-        def pubkeys_service
-          api.resource("service:pubkeys-1.0/public-keys")
-        end
-        
-        def key_managers
-          api.group("pubkeys-1.0/key-managers")
-        end
-      end
-      
-      class Attic < Base
-        def perform
-          find_or_create_record attic
-        end
-        
-        def attic_user_name
-          "attic"
-        end
-        
-        def attic
-          api.user(attic_user_name)
-        end
-      end
-      
-      # Create a set of hosts that have security_admin privilege.
-      class SystemAccounts < Base
-        def perform
-          for hostname in %w(conjur/authn-tv conjur/expiration conjur/secrets-rotator conjur/policy-loader conjur/ldap-sync)
-            find_or_create_resource api.resource("webservice:#{hostname}"), security_admin
-            find_or_create_record api.host(hostname), security_admin do |record, options|
-              api.create_host(id: record.id, ownerid: security_admin.roleid).tap do |host|
-                host.role.revoke_from security_admin
-                security_admin.add_member host
-              end
-            end
-          end
-        end
-      end
-      
-      class GlobalPrivileges < Base
-        def perform
-          permit conjur_resource, 'elevate', security_admin
-          permit conjur_resource, 'reveal', security_admin
-          permit conjur_resource, 'reveal', auditors
-        end
-        
-        def conjur_resource
-          api.resource("!:!:conjur")
-        end
-      end
-    end
-  end
-end

data/lib/conjur/build_from_response.rb

@@ -1,49 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-  # @api private
-  # This module is included by classes that can be built from JSON responses.
-  module BuildFromResponse
-    # @api private
-    #
-    # Build a Conjur asset from a REST response.
-    #
-    # @param [RestCliet::Response] response the response to build the object from
-    # @param [Hash] credentials options as {Conjur::API#credentials} used to perform requests in methods on
-    #   the created asset.
-    #
-    # @return [Object] an object of this type
-    def build_from_response(response, credentials)
-      new(response.headers[:location], credentials).tap do |obj|
-        obj.attributes = JSON.parse(response.body)
-        if obj.respond_to?(:resource_kind)
-          obj.log do |logger|
-            logger << "Created #{obj.resource_kind} #{obj.resource_id}"
-          end
-        elsif obj.respond_to?(:id)
-          obj.log do |logger|
-            logger << "Created #{self.name} #{obj.id}"
-          end
-        end
-      end
-    end
-  end
-end

data/lib/conjur/core-api.rb

@@ -1,74 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-  class API
-    class << self
-      # @api private
-      #
-      # Host for the core service.  We don't really use this anymore.
-      #
-      # @return [String] the core asset host
-      def core_asset_host
-        ::Conjur::Core::API.host
-      end
-    end
-  end
-  
-  module Core
-    class API < Conjur::API
-      class << self
-        # @api private
-        # @deprecated
-        # The host for the Conjur directory service
-        # @return [String] the host.
-        def host
-          Conjur.configuration.core_url
-        end
-
-        # Returns the account as determined by the conjur server.
-        #
-        # You should generally provide the account with {Conjur::Configuration#account}, but this method
-        # can determine it by asking the server.
-        #
-        # You do not need any credentials to call this method.
-        def conjur_account
-          info['account'] or raise "No account field in #{info.inspect}"
-        end
-
-        # @api private
-        #
-        # Used to fetch an `info` hash from the server.
-        #
-        # @return [Hash] a hash containing an `'account'` field that specifies the current Conjur account.
-        def info
-          @info ||= JSON.parse RestClient::Resource.new(Conjur::Core::API.host)['info'].get
-        end
-      end
-    end
-  end
-end
-
-require 'conjur/api/deputies'
-require 'conjur/api/hosts'
-require 'conjur/api/secrets'
-require 'conjur/api/users'
-require 'conjur/api/groups'
-require 'conjur/api/variables'

data/lib/conjur/deputy.rb

@@ -1,55 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-  # A Deputy is an actor, typically representing a service.  It is given a login and
-  # an api key, just like {Conjur::Host}s and {Conjur::User}s, and can perform various
-  # actions.
-  #
-  # You should not create instances of this class directly.  Instead, you can get a {Conjur::Deputy}
-  # instance with {Conjur::API#deputy} or {Conjur::API#create_deputy}.
-  #
-  # The deputies api is stable, but is primarily used internally.
-  class Deputy < RestClient::Resource
-    include Exists
-    include HasId
-    include HasIdentifier
-    include HasAttributes
-    include ActsAsUser
-    include ActsAsResource
-
-    # Login for the deputy.  Of the form "deputy/<deputy-id>".
-    #
-    # @return [String] the login.
-    def login
-      [ self.class.name.split('::')[-1].downcase, id ].join('/')
-    end
-
-    # API Key that can be used to login as the deputy.
-    #
-    # This is only available if the {Conjur::Deputy} was returned
-    # by {Conjur::API#create_deputy}.
-    #
-    # @return [String] the api key.
-    def api_key
-      self.attributes['api_key']
-    end
-  end
-end

data/lib/conjur/env.rb

@@ -1,54 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-  extend self
-
-  # @deprecated
-  # @api private
-  # This method delegates to {Conjur::Configuration#service_base_port}
-  #
-  # @return [Integer] the service base port
-  def service_base_port
-    Conjur.configuration.service_base_port
-  end
-
-  # This method delegates to {Conjur::Configuration#account}
-  #
-  # @return [String] the value of `Conjur.configuration.account`
-  def account
-    Conjur.configuration.account
-  end
-
-  # This method delegates to {Conjur::Configuration#env}
-  # @return [String] the value of `Conjur.configuration.env`
-  def env
-    Conjur.configuration.env
-  end
-
-  # @api private
-  # @deprecated
-  # This method delegates to {Conjur::Configuration#stack}
-  #
-  # @return [String] the value of `Conjur.configuration.stack`
-  def stack
-    Conjur.configuration.stack
-  end
-end

data/lib/conjur/event_source.rb

@@ -1,101 +0,0 @@
-module Conjur
-  # @api private
-  # An EventSource instance is used to parse a stream in the format given by
-  # the Server Sent Events standard: http://www.whatwg.org/specs/web-apps/current-work/#server-sent-events
-  #
-  # This class is used internally by the audit methods in follow mode.
-  #
-  class EventSource
-    # @api private
-    # Representation of a SSE event
-    class Event < Struct.new(:data, :name, :id);
-    end
-
-    # @!attribute retry [r]
-    #   @return [Fixnum] the last retry field received, or nil if no retry fields 
-    #   have been received.
-    attr_reader :retry
-
-    # @!attribute last_event_id [r]
-    #   @return [String] the id of the last fully received event, or nil if no 
-    #   events have been received containing an id field.
-    attr_reader :last_event_id
-
-    # @!attribute json [rw]
-    #   @return [Boolean] (true) Whether to parse event's data field as JSON.
-    attr_accessor :json
-    alias json? json
-
-    # @api private
-    # Create an EventSource
-    def initialize
-      @json   = true
-      @on     = {}
-      @all    = []
-      @buffer = ""
-    end
-
-    # @api private
-    # Feed a chunk of data to the EventSource and dispatch any fully received
-    # events.  
-    # @param [String] chunk the data to parse
-    # @return [void]
-    def feed chunk
-      @buffer << chunk
-
-      while i = @buffer.index("\n\n")
-        process_event @buffer.slice!(0..i)
-      end
-    end
-
-    # Add a block to be called when events with an `'event'` field of `name` are received.
-    #
-    # @param [String, Symbol] name the name to listen for
-    # @yieldparam [Conjur::EventSource::Event] the event
-    def on name, &block
-      (@on[name.to_sym] ||= []) << block
-    end
-
-    # Listens to all messages
-    def message &block
-      @all << block
-    end
-
-    protected
-    def process_event s
-      data, id, name = [], nil, nil
-      s.lines.map(&:chomp).each do |line|
-        field, value = case line
-          when /^:/ then
-            next # comment, do nothing
-          when /^(.*?):(.*)$/ then
-            [$1, $2]
-          else
-            [line, ''] # this is what the spec says, I swear!
-        end
-        # spec allows one optional space after the colon
-        value = value[1..-1] if value.start_with? ' '
-        case field
-          when 'data' then
-            data << value
-          when 'id' then
-            id = value
-          when 'event' then
-            name = value.to_sym
-          when 'retry' then
-            @retry = value.to_i
-        end
-      end
-      @last_event_id = id
-      dispatch_event(data.join("\n"), id, name) unless data.empty?
-    end
-
-    def dispatch_event data, id, name
-      data  = JSON.parse(data) if json?
-      name  = (name || :message).to_sym
-      event = Event.new(data, name, id)
-      ((@on[name] || []) + @all).each { |p| p.call event }
-    end
-
-  end
-end

data/lib/conjur/exists.rb

@@ -1,60 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-  # Provides an `exists?` method for things that may or may not exist.
-  #
-  #
-  # Most conjur assets returned by `api.asset_name` methods (e.g., {Conjur::API#group}, {Conjur::API#user})
-  # may or may not exist.  The {Conjur::Exists#exists?} method lets you determine whether or not such assets
-  # do in fact exist.
-  module Exists
-
-    # Check whether this asset exists by performing a HEAD request to its URL.
-    #
-    # This method will return false if the asset doesn't exist.
-    #
-    # @example
-    #   does_not_exist = api.user 'does-not-exist' # This returns without error.
-    #
-    #   # this is wrong!
-    #   owner = does_not_exist.ownerid # raises RestClient::ResourceNotFound
-    #
-    #   # this is right!
-    #   owner = if does_not_exist.exists?
-    #     does_not_exist.ownerid
-    #    else
-    #       nil # or some sensible default
-    #    end
-    #
-    # @param [Hash] options included for compatibility: **don't use this argument**!
-    # @return [Boolean] does it exist?
-    def exists?(options = {})
-      begin
-        self.head(options)
-        true
-      rescue RestClient::Forbidden
-        true
-      rescue RestClient::ResourceNotFound
-        false
-      end
-    end
-  end
-end