conjur-api 4.31.0 → 5.0.0.rc1
- checksums.yaml +4 -4
- data/.dockerignore +1 -0
- data/.gitignore +1 -0
- data/CHANGELOG.md +22 -3
- data/Dockerfile +12 -3
- data/Gemfile +3 -3
- data/Jenkinsfile +69 -0
- data/LICENSE.md +195 -0
- data/README.md +16 -0
- data/Rakefile +34 -18
- data/ci/wait_for_server.sh +10 -0
- data/conjur-api.gemspec +6 -14
- data/dev/docker-compose.yml +23 -0
- data/dev/empty.yml +2 -0
- data/dev/start.sh +15 -0
- data/dev/stop.sh +6 -0
- data/docker-compose.yml +27 -0
- data/features/exists.feature +37 -0
- data/features/group.feature +11 -0
- data/features/host.feature +20 -0
- data/features/host_factory_create_host.feature +28 -0
- data/features/host_factory_token.feature +63 -0
- data/features/load_policy.feature +61 -0
- data/features/members.feature +51 -0
- data/features/new_api.feature +36 -0
- data/features/permitted.feature +43 -0
- data/features/permitted_roles.feature +30 -0
- data/features/public_keys.feature +11 -0
- data/features/resource_fields.feature +53 -0
- data/features/role_fields.feature +15 -0
- data/features/rotate_api_key.feature +13 -0
- data/features/step_definitions/api_steps.rb +4 -54
- data/features/step_definitions/policy_steps.rb +35 -0
- data/features/step_definitions/result_steps.rb +7 -0
- data/features/support/env.rb +14 -5
- data/features/support/hooks.rb +3 -0
- data/features/support/world.rb +5 -6
- data/features/update_password.feature +14 -0
- data/features/user.feature +17 -0
- data/features/variable_fields.feature +20 -0
- data/features/variable_value.feature +67 -0
- data/lib/conjur/acts_as_resource.rb +95 -65
- data/lib/conjur/acts_as_role.rb +102 -51
- data/lib/conjur/{audit-api.rb → acts_as_rolsource.rb} +10 -14
- data/lib/conjur/acts_as_user.rb +13 -22
- data/lib/conjur/api/authn.rb +37 -72
- data/lib/conjur/api/host_factories.rb +35 -55
- data/lib/conjur/api/policies.rb +56 -0
- data/lib/conjur/api/pubkeys.rb +36 -160
- data/lib/conjur/api/resources.rb +32 -116
- data/lib/conjur/api/roles.rb +28 -105
- data/lib/conjur/api/variables.rb +22 -91
- data/lib/conjur/api.rb +19 -46
- data/lib/conjur/base.rb +21 -132
- data/lib/conjur/base_object.rb +57 -0
- data/lib/conjur/{authn-api.rb → build_object.rb} +23 -11
- data/lib/conjur/cast.rb +12 -17
- data/lib/conjur/cert_utils.rb +1 -1
- data/lib/conjur/cidr.rb +1 -1
- data/lib/conjur/configuration.rb +13 -91
- data/lib/conjur/escape.rb +1 -2
- data/lib/conjur/group.rb +9 -65
- data/lib/conjur/has_attributes.rb +22 -59
- data/lib/conjur/host.rb +5 -35
- data/lib/conjur/host_factory.rb +40 -40
- data/lib/conjur/host_factory_token.rb +38 -23
- data/lib/conjur/id.rb +63 -0
- data/lib/conjur/layer.rb +5 -80
- data/lib/conjur/log.rb +1 -1
- data/lib/conjur/log_source.rb +1 -1
- data/lib/conjur/{secret.rb → policy.rb} +11 -14
- data/lib/conjur/{api/secrets.rb → policy_load_result.rb} +35 -22
- data/lib/conjur/query_string.rb +2 -1
- data/lib/conjur/resource.rb +5 -299
- data/lib/conjur/role.rb +5 -317
- data/lib/conjur/role_grant.rb +20 -28
- data/lib/conjur/user.rb +5 -63
- data/lib/conjur/variable.rb +31 -76
- data/lib/conjur/{authz-api.rb → webservice.rb} +8 -16
- data/lib/conjur-api/version.rb +2 -2
- data/publish.sh +7 -0
- data/spec/api_spec.rb +208 -0
- data/spec/cast_spec.rb +21 -0
- data/spec/{lib/cert_utils_spec.rb → cert_utils_spec.rb} +0 -0
- data/spec/{lib/cidr_spec.rb → cidr_spec.rb} +0 -0
- data/spec/{lib/configuration_spec.rb → configuration_spec.rb} +40 -140
- data/spec/{lib/has_attributes_spec.rb → has_attributes_spec.rb} +6 -2
- data/spec/{lib/log_source_spec.rb → log_source_spec.rb} +0 -0
- data/spec/{lib/log_spec.rb → log_spec.rb} +0 -0
- data/spec/roles_spec.rb +24 -0
- data/spec/spec_helper.rb +63 -78
- data/spec/ssl_spec.rb +3 -5
- data/spec/vendor/rest_client_spec.rb +0 -54
- data/test.sh +40 -0
- metadata +122 -281
- data/.kateproject +0 -5
- data/LICENSE +0 -22
- data/ci/test.sh +0 -9
- data/features/audit_resources.feature +0 -15
- data/features/audit_roles.feature +0 -15
- data/features/bootstrap.feature +0 -31
- data/features/step_definitions/cli_steps.rb +0 -5
- data/jenkins.sh +0 -27
- data/lib/conjur/acts_as_asset.rb +0 -88
- data/lib/conjur/annotations.rb +0 -186
- data/lib/conjur/api/audit.rb +0 -138
- data/lib/conjur/api/deputies.rb +0 -57
- data/lib/conjur/api/groups.rb +0 -111
- data/lib/conjur/api/hosts.rb +0 -109
- data/lib/conjur/api/info.rb +0 -126
- data/lib/conjur/api/layers.rb +0 -62
- data/lib/conjur/api/ldapsync.rb +0 -115
- data/lib/conjur/api/users.rb +0 -106
- data/lib/conjur/bootstrap.rb +0 -161
- data/lib/conjur/build_from_response.rb +0 -49
- data/lib/conjur/core-api.rb +0 -74
- data/lib/conjur/deputy.rb +0 -55
- data/lib/conjur/env.rb +0 -54
- data/lib/conjur/event_source.rb +0 -101
- data/lib/conjur/exists.rb +0 -60
- data/lib/conjur/graph.rb +0 -295
- data/lib/conjur/has_id.rb +0 -43
- data/lib/conjur/has_identifier.rb +0 -36
- data/lib/conjur/has_owner.rb +0 -51
- data/lib/conjur/host-factory-api.rb +0 -38
- data/lib/conjur/layer-api.rb +0 -13
- data/lib/conjur/ldap_sync_job.rb +0 -89
- data/lib/conjur/path_based.rb +0 -86
- data/lib/conjur/pubkeys-api.rb +0 -50
- data/lib/conjur/standard_methods.rb +0 -91
- data/reqspeed.rb +0 -20
- data/spec/api/authn_spec.rb +0 -81
- data/spec/api/graph_spec.rb +0 -117
- data/spec/api/groups_spec.rb +0 -40
- data/spec/api/hosts_spec.rb +0 -36
- data/spec/api/info_spec.rb +0 -89
- data/spec/api/layer_spec.rb +0 -18
- data/spec/api/ldapsync_spec.rb +0 -44
- data/spec/api/pubkeys_spec.rb +0 -66
- data/spec/api/resources_spec.rb +0 -92
- data/spec/api/roles_spec.rb +0 -100
- data/spec/api/secrets_spec.rb +0 -16
- data/spec/api/users_spec.rb +0 -71
- data/spec/api/variables_spec.rb +0 -112
- data/spec/cas_rest_client.rb +0 -17
- data/spec/cidr_helper.rb +0 -24
- data/spec/lib/acts_as_user_spec.rb +0 -27
- data/spec/lib/annotations_spec.rb +0 -109
- data/spec/lib/api_spec.rb +0 -480
- data/spec/lib/asset_spec.rb +0 -80
- data/spec/lib/audit_spec.rb +0 -155
- data/spec/lib/build_from_response_spec.rb +0 -49
- data/spec/lib/deputy_spec.rb +0 -25
- data/spec/lib/exists_spec.rb +0 -24
- data/spec/lib/group_spec.rb +0 -18
- data/spec/lib/host_spec.rb +0 -31
- data/spec/lib/resource_spec.rb +0 -240
- data/spec/lib/role_grant_spec.rb +0 -13
- data/spec/lib/role_spec.rb +0 -231
- data/spec/lib/standard_methods_spec.rb +0 -66
- data/spec/lib/user_spec.rb +0 -77
- data/spec/standard_methods_helper.rb +0 -41
- data/spec/variable_spec.rb +0 -101
- data/spec/vcr_cassettes/Conjur_Resource/_create/with_path-like_identifier.yml +0 -87
- data/spec/vcr_cassettes/Conjur_Resource/_create/with_un-encoded_path-like_identifier.yml +0 -87
- data/spec/vcr_cassettes/Conjur_Resource/_create/with_uuid_identifier.yml +0 -87
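--- a/data/lib/conjur/group.rb
+++ b/data/lib/conjur/group.rb
@@ -1,4 +1,4 @@
-# Copyright
+# Copyright 2013-2017 Conjur Inc.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,73 +19,17 @@
 #
 module Conjur
 
-# A Conjur
-# Conjur {http://developer.conjur.net/reference/services/directory/user Users}.
-# This class represents Conjur group assets and operations on them.
+# A Conjur Group represents a collection of Conjur Users, Groups and Layers.
 #
-
-
-#
-class Group < RestClient::Resource
-include ActsAsAsset
-include ActsAsRole
-
-# Add a user to the group or change whether an existing member can manage other members.
-#
-# @example
-# # create an empty group
-# group = api.create_group 'hoommans'
-# # put a user in the group, with the ability to manage members
-# group.add_member 'conjur:user:bob', admin_option: True
-# # Hmm, bob is getting a little suspicious, better lower his privileges.
-# group.add_member 'conjur:user:bob', admin_option: False
-#
-# # Notice that this method is idempotent:
-# group.add_member 'alice'
-# group.add_member 'alice' # Does nothing, alice is already a member
-#
-#
-# @param [String, Conjur::User, Conjur::Role] member the member to add. If a String is given, it must
-# be a *fully qualified* Conjur id.
-# @param [Hash] options
-# @option options [Boolean] :admin_option (False) determines whether the member is able to manage members
-# of this group.
-# @return [void]
-def add_member(member, options = {})
-role.grant_to member, options
-end
-
-# Remove a member from this group.
-#
-# ### Notes
-# * Unlike {#add_member}, this method is *not* idempotent.
-# This means that calling it twice with the same user will raise a `RestClient::ResourceNotFound`
-# exception.
-# * The member may be represented as a *qualified* conjur id or a {Conjur::User} instance. Although
-# it will accept anything that responds to `#roleid`, the behavior when adding or removing a non-user
-# role is **undefined**.
-#
-# @example
-# group = api.group 'admins'
-# group.add_member 'bob'
-# group.remove_member 'bob' # OK, bob is a member
-# group.remove_member 'bob' # raises RestClient::ResourceNotFound
-#
-# @param [String, Conjur::User,Conjur::Role] member
-# @return [void]
-# @raise [RestClient::ResourceNotFound] when you try to remove a user who is not a member of the group.
-def remove_member(member)
-role.revoke_from member
-end
+class Group < BaseObject
+include ActsAsRolsource
 
-#
+# Get the group's gidnumber, which can be used by LDAP and SSH login, among other things.
 #
-# @
-# @
-
-
-# not an alias because doc
-put props
+# @return [Fixnum] the gidnumber
+# @raise [RestClient::Forbidden] if you don't have permission to `show` the group.
+def gidnumber
+annotation_value 'conjur/gidnumber'
 end
 end
 end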
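Review bot: The `@return [Fixnum] the gidnumber` tag on the new `gidnumber` (new lines 29–33) does not describe what the method returns: `annotation_value 'conjur/gidnumber'` hands back the raw annotation `value` from the parsed attributes — a JSON scalar, presumably a String — and nil when the group carries no such annotation, so nothing here yields an Integer, and `Fixnum` is in any case the deprecated alias. Callers that feed this into LDAP or SSH user mapping therefore have to coerce and handle the missing case themselves. Suggest `# @return [String, nil] the value of the conjur/gidnumber annotation, or nil if the group has none`, or, if an integer contract is intended, `value = annotation_value('conjur/gidnumber')` followed by `value && Integer(value)` inside the method so a malformed annotation fails loudly rather than leaking a String into gid handling.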
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
3
|
#
|
4
4
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
5
|
# this software and associated documentation files (the "Software"), to deal in
|
@@ -23,13 +23,16 @@ module Conjur
|
|
23
23
|
# methods on specific asset classes (for example, {Conjur::Resource#owner}), the are available as
|
24
24
|
# a `Hash` on all types supporting attributes.
|
25
25
|
module HasAttributes
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
26
|
+
def as_json options={}
|
27
|
+
result = super(options)
|
28
|
+
if @attributes
|
29
|
+
result.merge!(@attributes.as_json(options))
|
30
|
+
end
|
31
|
+
result
|
32
|
+
end
|
33
|
+
|
34
|
+
def to_s
|
35
|
+
to_json.to_s
|
33
36
|
end
|
34
37
|
|
35
38
|
# @api private
|
@@ -38,15 +41,8 @@ module Conjur
|
|
38
41
|
# @return [Hash] the new attributes
|
39
42
|
def attributes=(attributes); @attributes = attributes; end
|
40
43
|
|
41
|
-
# Get the attributes for this asset.
|
42
|
-
#
|
43
|
-
# Although the `Hash` returned by this method is mutable, you should treat as immutable unless you know
|
44
|
-
# exactly what you're doing. Each asset's attributes are constrained by a server side schema, which means
|
45
|
-
# that you will get an error if you violate the schema. and then try to save the asset.
|
46
|
-
#
|
47
|
-
#
|
48
|
-
# @note this method will use a cached copy of the objects attributes instead of fetching them
|
49
|
-
# with each call. To ensure that the attributes are fresh, you can use the {#refresh} method
|
44
|
+
# Get the attributes for this asset. This is an immutable Hash, unless the attributes
|
45
|
+
# are changed via policy update.
|
50
46
|
#
|
51
47
|
# @return [Hash] the asset's attributes.
|
52
48
|
def attributes
|
@@ -54,45 +50,6 @@ module Conjur
|
|
54
50
|
fetch
|
55
51
|
end
|
56
52
|
|
57
|
-
|
58
|
-
# Update this asset's attributes on the server.
|
59
|
-
#
|
60
|
-
#
|
61
|
-
# @note If the objects attributes haven't been fetched (for example, by calling {#attributes}),
|
62
|
-
# this method is a no-op.
|
63
|
-
#
|
64
|
-
# Although you can manipulate an assets attributes and then call {#save}, the attributes are constrained
|
65
|
-
# by a server side schema, and attempting to set an attribute that doesn't exist will result in
|
66
|
-
# a 422 Unprocessable Entity error.
|
67
|
-
#
|
68
|
-
# If you want to set arbitrary metadata on an asset, you might consider using the {Conjur::Resource#tags}
|
69
|
-
# method instead.
|
70
|
-
#
|
71
|
-
# @return [void]
|
72
|
-
def save
|
73
|
-
if @attributes
|
74
|
-
self.put(attributes.to_json)
|
75
|
-
end
|
76
|
-
end
|
77
|
-
|
78
|
-
# Reload this asset's attributes. This method can be used to guarantee a current view of the entity in the case
|
79
|
-
# that it has been modified by an update method or by an external party.
|
80
|
-
#
|
81
|
-
# @note any changes to {#attributes} without a call to #save will be overwritten by this method.
|
82
|
-
#
|
83
|
-
# @example
|
84
|
-
# res = api.resources.firs
|
85
|
-
# res.attributes # => { ... }
|
86
|
-
# res.attributes['hello'] = 'blah'
|
87
|
-
# res.refresh
|
88
|
-
# res.attributes['hello'] # => nil
|
89
|
-
#
|
90
|
-
#
|
91
|
-
# @return [Hash] the asset's attributes.
|
92
|
-
def refresh
|
93
|
-
fetch
|
94
|
-
end
|
95
|
-
|
96
53
|
# Call a block that will perform actions that might change the asset's attributes.
|
97
54
|
# No matter what happens in the block, this method ensures that the cached attributes
|
98
55
|
# will be invalidated.
|
@@ -106,18 +63,24 @@ module Conjur
|
|
106
63
|
@attributes = nil
|
107
64
|
end
|
108
65
|
|
66
|
+
|
109
67
|
protected
|
110
68
|
|
69
|
+
def annotation_value name
|
70
|
+
(attributes['annotations'].find{|a| a['name'] == name} || {})['value']
|
71
|
+
end
|
72
|
+
|
111
73
|
# @api private
|
112
74
|
# Fetch the attributes, overwriting any current ones.
|
113
75
|
def fetch
|
114
76
|
@attributes ||= fetch_attributes
|
115
77
|
end
|
116
78
|
|
117
|
-
|
118
|
-
|
79
|
+
# @api private
|
80
|
+
def fetch_attributes
|
81
|
+
cache_key = Conjur.cache_key username, rbac_resource_resource.url
|
119
82
|
Conjur.cache.fetch_attributes cache_key do
|
120
|
-
JSON.parse(get.body)
|
83
|
+
JSON.parse(rbac_resource_resource.get.body)
|
121
84
|
end
|
122
85
|
end
|
123
86
|
end
|
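Review bot: `annotation_value` (new lines 69–71) indexes `attributes['annotations']` directly, so a resource whose attribute payload has no `annotations` key raises NoMethodError on `nil.find` instead of returning nil as a merely missing annotation does; `(Array(attributes['annotations']).find { |a| a['name'] == name } || {})['value']` gives the same nil result in both cases. The context comment `# Fetch the attributes, overwriting any current ones.` above `fetch` no longer matches the code: `@attributes ||= fetch_attributes` returns the cached hash and only fetches when nothing is cached, so `# Return the cached attributes, fetching them once if they have not been loaded yet.` is accurate. The enclosing `module HasAttributes` and its `protected` section begin outside this hunk.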
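--- a/data/lib/conjur/host.rb
+++ b/data/lib/conjur/host.rb
@@ -1,5 +1,5 @@
 #
-# Copyright
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,39 +19,9 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-# This class represents a
-#
-
-
-
-# @api private
-# @deprecated
-#
-# This method was used before conjurize came along. It's no longer in use.
-def enrollment_url
-log do |logger|
-logger << "Fetching enrollment_url for #{id}"
-end
-self['enrollment_url'].head{|response, request, result| response }.headers[:location]
-end
-
-# Assign new attributes to the host. Currently, this method only lets you change the
-# `:cidr` attribute.
-#
-# ### Permissions
-# You must have update permission on the hosts's resource or be the host to
-# update CIDR restrictions.
-#
-# @note This feature requires Conjur server version 4.6 or later.
-#
-# @param [Hash] options attributes to change
-# @option options [Array<String, IPAddr>] :cidr the network restrictions for this host
-# @return [void]
-# @raise [ArgumentError] if cidr isn't valid
-def update options
-if cidr = options[:cidr]
-set_cidr_restrictions cidr
-end
-end
+# This class represents a Conjur Host. Hosts are created in Conjur policy, or with
+# {Conjur::HostFactory}.
+class Host < BaseObject
+include ActsAsUser
 end
 end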
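--- a/data/lib/conjur/host_factory.rb
+++ b/data/lib/conjur/host_factory.rb
@@ -1,5 +1,5 @@
 #
-# Copyright
+# Copyright 2013-2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -21,54 +21,54 @@
 require 'conjur/host_factory_token'
 
 module Conjur
-
-
+# A Host Factory is a way to allow clients to create Conjur hosts without giving them
+# any other access to Conjur.
+#
+# Each Host Factory can have 0 or more tokens, each of which is a random string that
+# has an associated expiration and optional CIDR restriction. A user or machine who has
+# a host factory token can use it to create new hosts, or to rotate the API keys of
+# existing hosts.
+#
+# @see API#host_factory_create_host
+# @see HostFactoryToken
+class HostFactory < BaseObject
+include ActsAsRolsource
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-create_tokens(expiration, 1, options)[0]
+# Create one or more host factory tokens. Each token can be used to create
+# hosts, using {API#host_factory_create_host}.
+#
+# @param expiration [Time] the future time at which the token will stop working.
+# @param count [Integer] the number of (identical) tokens to create (default: 1).
+# @param cidr [String] a CIDR restriction on the usage of the token.
+# @return [Array<HostFactoryToken>] the token or tokens.
+def create_tokens expiration, count: 1, cidr: nil
+options = {}
+options[:expiration] = expiration.iso8601
+options[:host_factory] = id
+options[:count] = count
+options[:cidr] = cidr if cidr
+response = JSON.parse core_resource['host_factory_tokens'].post(options)
+response.map do |data|
+HostFactoryToken.new data, credentials
+end
 end
 
-
-
-
-
-
-response = RestClient::Resource.new(Conjur::API.host_factory_asset_host, self.options)[fully_escape id]["tokens"].post(parameters).body
-JSON.parse(response).map do |attrs|
-build_host_factory_token attrs
-end
+# Create a new token.
+#
+# @see #create_tokens
+def create_token expiration, cidr: nil
+create_tokens(expiration, cidr: cidr).first
 end
 
+# Enumerate the tokens on the host factory.
+#
+# @return [Array<HostFactoryToken>] the token or tokens.
 def tokens
 # Tokens list is not returned by +show+ if the caller doesn't have permission
 return nil unless self.attributes['tokens']
 
-self.attributes['tokens'].collect do |
-
-end
-end
-
-protected
-
-def build_host_factory_token attrs
-Conjur::HostFactoryToken.new(Conjur::API.host_factory_asset_host, self.options)["tokens"][attrs['token']].tap do |token|
-token.attributes = attrs
+self.attributes['tokens'].collect do |data|
+HostFactoryToken.new data, credentials
 end
 end
 end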
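Review bot: `tokens` (new lines 66–73) can return nil via the context line `return nil unless self.attributes['tokens']`, yet its newly added tag says `@return [Array<HostFactoryToken>]`, so a caller chaining `.map` or `.each` on it fails precisely when it lacks permission to view tokens; either document it as `# @return [Array<HostFactoryToken>, nil] the tokens, or nil when the caller is not permitted to see them` or return `[]` there. In `create_tokens`, `expiration` is normalised with `iso8601` but `cidr` is forwarded to the server as-is; since a host factory token is a bearer credential whose CIDR restriction is its only scope limit, validating that `cidr` parses before the request (the gem ships a `cidr.rb` helper per the diffstat) surfaces a typo before a token is minted rather than after. The tag `@param count [Integer] the number of (identical) tokens to create` contradicts the class comment that each token is a distinct random string; `the number of tokens to create, all sharing the same expiration and CIDR restriction` says what is meant.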
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
3
|
#
|
4
4
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
5
|
# this software and associated documentation files (the "Software"), to deal in
|
@@ -19,45 +19,60 @@
|
|
19
19
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
20
|
#
|
21
21
|
module Conjur
|
22
|
-
class HostFactoryToken
|
23
|
-
|
22
|
+
class HostFactoryToken
|
23
|
+
def initialize data, credentials
|
24
|
+
@data = data
|
25
|
+
@credentials = credentials
|
26
|
+
end
|
24
27
|
|
28
|
+
# Convert the object to JSON.
|
29
|
+
#
|
30
|
+
# Fields:
|
31
|
+
#
|
32
|
+
# * token
|
33
|
+
# * expiration
|
34
|
+
# * cidr
|
25
35
|
def to_json(options = {})
|
26
36
|
{ token: token, expiration: expiration, cidr: cidr }
|
27
37
|
end
|
28
38
|
|
39
|
+
# Format the token as a string, using JSON format.
|
40
|
+
def to_s
|
41
|
+
to_json.to_s
|
42
|
+
end
|
43
|
+
|
44
|
+
# Gets the token string.
|
45
|
+
#
|
46
|
+
# @return [String]
|
29
47
|
def token
|
30
|
-
|
48
|
+
@data['token']
|
31
49
|
end
|
32
50
|
|
33
|
-
|
34
|
-
|
51
|
+
# Gets the expiration.
|
52
|
+
#
|
53
|
+
# @return [DateTime]
|
35
54
|
def expiration
|
36
|
-
DateTime.iso8601(
|
55
|
+
DateTime.iso8601(@data['expiration'])
|
37
56
|
end
|
38
57
|
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
58
|
+
# Gets the CIDR restriction.
|
59
|
+
#
|
60
|
+
# @return [String]
|
43
61
|
def cidr
|
44
|
-
|
62
|
+
@data['cidr']
|
45
63
|
end
|
46
64
|
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
end
|
65
|
+
# Revokes the token, after which it cannot be used any more.
|
66
|
+
def revoke
|
67
|
+
Conjur::API.revoke_host_factory_token @credentials, token
|
51
68
|
end
|
52
69
|
|
53
|
-
def
|
54
|
-
|
70
|
+
def ==(other)
|
71
|
+
other.class == self.class &&
|
72
|
+
other.token == self.token &&
|
73
|
+
other.expiration == self.expiration &&
|
74
|
+
other.cidr == self.cidr
|
55
75
|
end
|
56
76
|
|
57
|
-
protected
|
58
|
-
|
59
|
-
def fetch
|
60
|
-
raise "HostFactoryToken attributes are not fetchable"
|
61
|
-
end
|
62
77
|
end
|
63
78
|
end
|
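--- a/data/lib/conjur/id.rb
+++ b/data/lib/conjur/id.rb
@@ -0,0 +1,63 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+module Conjur
+# Encapsulates a Conjur id, which consists of account, kind, and identifier.
+class Id
+attr_reader :id
+
+def initialize id
+@id = id
+end
+
+# The organization account, obtained from the first component of the id.
+def account; id.split(':', 3)[0]; end
+# The object kind, obtained from the second component of the id.
+def kind; id.split(':', 3)[1]; end
+# The object identifier, obtained from the third component of the id. The
+# identifier must be unique within the `account` and `kind`.
+def identifier; id.split(':', 3)[2]; end
+
+# Defines id equivalence using the string representation.
+def == other
+if other.is_a?(String)
+to_s == other
+else
+super
+end
+end
+
+# @return [String] the id string.
+def as_json options={}
+@id
+end
+
+# Splits the id into 3 components, and then joins them with a forward-slash `/`.
+def to_url_path
+id.split(':', 3).join('/')
+end
+
+# @return [String] the id string
+def to_s
+id
+end
+end
+end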
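Review bot: `Id#==` (new lines 40–46) is defined without matching `eql?` and `hash`, so two Ids built from the same string are `==` but remain distinct Hash keys and survive `Array#uniq`; `alias eql? ==` together with `def hash; id.hash; end` keeps the three consistent (the String branch also makes `id == str` true while `str == id` stays false, which is worth a line in the comment). `to_url_path` (new lines 54–56) joins the three components with `/` without percent-encoding, so an identifier containing `/`, `?`, `#` or whitespace — policy-scoped ids such as `dev/database` appear in this gem's own examples — yields a path whose segments no longer map one-to-one onto the id components; if callers build request URLs from it, each component should go through the `fully_escape` helper the removed code used, e.g. `id.split(':', 3).map { |c| fully_escape c }.join('/')`. `initialize` accepts any string, so an id with fewer than three `:`-separated parts silently returns nil from `identifier`; a guard raising ArgumentError there would turn a malformed id into an immediate failure instead of a nil that surfaces later.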
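--- a/data/lib/conjur/layer.rb
+++ b/data/lib/conjur/layer.rb
@@ -1,84 +1,9 @@
 module Conjur
 
-# A
-#
-#
-
-
-# @example Allow hosts in the layer `dev/database` to access a `dev/database_uri` secret
-# # Create the layer and add a couple of EC2 hosts
-# layer = api.create_layer 'dev/database'
-# hosts = ['ec2-iac5ed', 'ec2-iadc31'].map{ |hostid| api.create_host id: hostid }
-# hosts.each{ |host| layer.add_host host }
-#
-# # A Variable representing the database uri secret
-# database_uri = api.variable 'dev/database_uri'
-#
-# # Currently none of the hosts can access it:
-# hosts.any?{ |host| host.role.permitted? database_uri, 'execute' } # => false
-#
-# # Grant permission on the layer
-# database_uri.resource.permit 'execute', layer
-#
-# # Now all hosts in the layer have the execute permission on the secret through the layer
-# hosts.all?{ |host| host.role.permitted? database_uri, 'execute' } # => true
-#
-class Layer < RestClient::Resource
-include ActsAsAsset
-include ActsAsRole
-
-# Add a host to this layer. The host's role will become a member of the layer's role, and have
-# all privileges of the layer.
-#
-# @param [String, Conjur::Host] hostid A *qualified* Conjur id for the host, or a {Conjur::Host} instance.
-# @return [void]
-def add_host(hostid)
-hostid = cast(hostid, :roleid)
-log do |logger|
-logger << "Adding host #{hostid} to layer #{id}"
-end
-invalidate do
-RestClient::Resource.new(self['hosts'].url, options).post(hostid: hostid)
-end
-end
-
-# Remove a host from this layer. The host will lose all privileges it had through this
-# layer.
-#
-# @param [String, Conjur::Host] hostid A *qualified* Conjur id for the host, or a {Conjur::Host} instance.
-# @return [void]
-def remove_host(hostid)
-hostid = cast(hostid, :roleid)
-log do |logger|
-logger << "Removing host #{hostid} from layer #{id}"
-end
-invalidate do
-RestClient::Resource.new(self["hosts/#{fully_escape hostid}"].url, options).delete
-end
-end
-
-# Lists the roles that have been granted access to the host's owned roles.
-#
-# `role_name` can be either `admin_host` or `use_host`. This method corresponds
-# to {Conjur::ActsAsAsset#add_member} in that members added with that method
-# will be returned by this method.
-#
-# @param [String] role_name Either `use_host` or `admin_host`
-# @return [Conjur::RoleGrant] the grants associated with this host (the return type
-# is identical to that of {Conjur::Role#members}).
-# @see Conjur::ActsAsAsset#add_member
-def hosts_members(role_name)
-owned_role(role_name).members
-end
-
-
-# Return all hosts in the layer.
-#
-# @return [Array<Conjur::Host>] the hosts in the layer.
-def hosts
-self.attributes['hosts'].collect do |id|
-Conjur::Host.new(Conjur::API.core_asset_host, options)["hosts/#{fully_escape id.split(':', 3)[-1]}"]
-end
-end
+# A Conjur Layer is a type of role whose members are Conjur Hosts. The hosts inherit
+# permissions from the layer. Automatic roles on the layer can also be used to manage
+# SSH permissions to the hosts.
+class Layer < BaseObject
+include ActsAsRolsource
 end
 end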
data/lib/conjur/log.rb
CHANGED
data/lib/conjur/log_source.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
3
|
#
|
4
4
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
5
|
# this software and associated documentation files (the "Software"), to deal in
|
@@ -19,19 +19,16 @@
|
|
19
19
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
20
|
#
|
21
21
|
module Conjur
|
22
|
-
# @api private
|
23
|
-
#
|
24
|
-
# Secrets are primitive encrypted values upon which {Conjur::Variable}s are built.
|
25
|
-
# You probably want to use {Conjur::Variable} instead.
|
26
|
-
class Secret < RestClient::Resource
|
27
|
-
include ActsAsAsset
|
28
22
|
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
23
|
+
# Defines an set of objects, permission grants and role grants. All objects in a policy
|
24
|
+
# share a common naming prefix, which is the id of the policy. (Exception: the root
|
25
|
+
# policy does not add a naming prefix to each of its objects).
|
26
|
+
#
|
27
|
+
# Policies are defined using a YAML syntax, which is extensively documented on the Conjur
|
28
|
+
# web site. To load a policy, define it using YAML and then use {API#load_policy}.
|
29
|
+
#
|
30
|
+
# @see API#load_policy
|
31
|
+
class Policy < BaseObject
|
32
|
+
include ActsAsRolsource
|
36
33
|
end
|
37
34
|
end
|