conjur-api 4.31.0 → 5.0.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.dockerignore +1 -0
- data/.gitignore +1 -0
- data/CHANGELOG.md +22 -3
- data/Dockerfile +12 -3
- data/Gemfile +3 -3
- data/Jenkinsfile +69 -0
- data/LICENSE.md +195 -0
- data/README.md +16 -0
- data/Rakefile +34 -18
- data/ci/wait_for_server.sh +10 -0
- data/conjur-api.gemspec +6 -14
- data/dev/docker-compose.yml +23 -0
- data/dev/empty.yml +2 -0
- data/dev/start.sh +15 -0
- data/dev/stop.sh +6 -0
- data/docker-compose.yml +27 -0
- data/features/exists.feature +37 -0
- data/features/group.feature +11 -0
- data/features/host.feature +20 -0
- data/features/host_factory_create_host.feature +28 -0
- data/features/host_factory_token.feature +63 -0
- data/features/load_policy.feature +61 -0
- data/features/members.feature +51 -0
- data/features/new_api.feature +36 -0
- data/features/permitted.feature +43 -0
- data/features/permitted_roles.feature +30 -0
- data/features/public_keys.feature +11 -0
- data/features/resource_fields.feature +53 -0
- data/features/role_fields.feature +15 -0
- data/features/rotate_api_key.feature +13 -0
- data/features/step_definitions/api_steps.rb +4 -54
- data/features/step_definitions/policy_steps.rb +35 -0
- data/features/step_definitions/result_steps.rb +7 -0
- data/features/support/env.rb +14 -5
- data/features/support/hooks.rb +3 -0
- data/features/support/world.rb +5 -6
- data/features/update_password.feature +14 -0
- data/features/user.feature +17 -0
- data/features/variable_fields.feature +20 -0
- data/features/variable_value.feature +67 -0
- data/lib/conjur/acts_as_resource.rb +95 -65
- data/lib/conjur/acts_as_role.rb +102 -51
- data/lib/conjur/{audit-api.rb → acts_as_rolsource.rb} +10 -14
- data/lib/conjur/acts_as_user.rb +13 -22
- data/lib/conjur/api/authn.rb +37 -72
- data/lib/conjur/api/host_factories.rb +35 -55
- data/lib/conjur/api/policies.rb +56 -0
- data/lib/conjur/api/pubkeys.rb +36 -160
- data/lib/conjur/api/resources.rb +32 -116
- data/lib/conjur/api/roles.rb +28 -105
- data/lib/conjur/api/variables.rb +22 -91
- data/lib/conjur/api.rb +19 -46
- data/lib/conjur/base.rb +21 -132
- data/lib/conjur/base_object.rb +57 -0
- data/lib/conjur/{authn-api.rb → build_object.rb} +23 -11
- data/lib/conjur/cast.rb +12 -17
- data/lib/conjur/cert_utils.rb +1 -1
- data/lib/conjur/cidr.rb +1 -1
- data/lib/conjur/configuration.rb +13 -91
- data/lib/conjur/escape.rb +1 -2
- data/lib/conjur/group.rb +9 -65
- data/lib/conjur/has_attributes.rb +22 -59
- data/lib/conjur/host.rb +5 -35
- data/lib/conjur/host_factory.rb +40 -40
- data/lib/conjur/host_factory_token.rb +38 -23
- data/lib/conjur/id.rb +63 -0
- data/lib/conjur/layer.rb +5 -80
- data/lib/conjur/log.rb +1 -1
- data/lib/conjur/log_source.rb +1 -1
- data/lib/conjur/{secret.rb → policy.rb} +11 -14
- data/lib/conjur/{api/secrets.rb → policy_load_result.rb} +35 -22
- data/lib/conjur/query_string.rb +2 -1
- data/lib/conjur/resource.rb +5 -299
- data/lib/conjur/role.rb +5 -317
- data/lib/conjur/role_grant.rb +20 -28
- data/lib/conjur/user.rb +5 -63
- data/lib/conjur/variable.rb +31 -76
- data/lib/conjur/{authz-api.rb → webservice.rb} +8 -16
- data/lib/conjur-api/version.rb +2 -2
- data/publish.sh +7 -0
- data/spec/api_spec.rb +208 -0
- data/spec/cast_spec.rb +21 -0
- data/spec/{lib/cert_utils_spec.rb → cert_utils_spec.rb} +0 -0
- data/spec/{lib/cidr_spec.rb → cidr_spec.rb} +0 -0
- data/spec/{lib/configuration_spec.rb → configuration_spec.rb} +40 -140
- data/spec/{lib/has_attributes_spec.rb → has_attributes_spec.rb} +6 -2
- data/spec/{lib/log_source_spec.rb → log_source_spec.rb} +0 -0
- data/spec/{lib/log_spec.rb → log_spec.rb} +0 -0
- data/spec/roles_spec.rb +24 -0
- data/spec/spec_helper.rb +63 -78
- data/spec/ssl_spec.rb +3 -5
- data/spec/vendor/rest_client_spec.rb +0 -54
- data/test.sh +40 -0
- metadata +122 -281
- data/.kateproject +0 -5
- data/LICENSE +0 -22
- data/ci/test.sh +0 -9
- data/features/audit_resources.feature +0 -15
- data/features/audit_roles.feature +0 -15
- data/features/bootstrap.feature +0 -31
- data/features/step_definitions/cli_steps.rb +0 -5
- data/jenkins.sh +0 -27
- data/lib/conjur/acts_as_asset.rb +0 -88
- data/lib/conjur/annotations.rb +0 -186
- data/lib/conjur/api/audit.rb +0 -138
- data/lib/conjur/api/deputies.rb +0 -57
- data/lib/conjur/api/groups.rb +0 -111
- data/lib/conjur/api/hosts.rb +0 -109
- data/lib/conjur/api/info.rb +0 -126
- data/lib/conjur/api/layers.rb +0 -62
- data/lib/conjur/api/ldapsync.rb +0 -115
- data/lib/conjur/api/users.rb +0 -106
- data/lib/conjur/bootstrap.rb +0 -161
- data/lib/conjur/build_from_response.rb +0 -49
- data/lib/conjur/core-api.rb +0 -74
- data/lib/conjur/deputy.rb +0 -55
- data/lib/conjur/env.rb +0 -54
- data/lib/conjur/event_source.rb +0 -101
- data/lib/conjur/exists.rb +0 -60
- data/lib/conjur/graph.rb +0 -295
- data/lib/conjur/has_id.rb +0 -43
- data/lib/conjur/has_identifier.rb +0 -36
- data/lib/conjur/has_owner.rb +0 -51
- data/lib/conjur/host-factory-api.rb +0 -38
- data/lib/conjur/layer-api.rb +0 -13
- data/lib/conjur/ldap_sync_job.rb +0 -89
- data/lib/conjur/path_based.rb +0 -86
- data/lib/conjur/pubkeys-api.rb +0 -50
- data/lib/conjur/standard_methods.rb +0 -91
- data/reqspeed.rb +0 -20
- data/spec/api/authn_spec.rb +0 -81
- data/spec/api/graph_spec.rb +0 -117
- data/spec/api/groups_spec.rb +0 -40
- data/spec/api/hosts_spec.rb +0 -36
- data/spec/api/info_spec.rb +0 -89
- data/spec/api/layer_spec.rb +0 -18
- data/spec/api/ldapsync_spec.rb +0 -44
- data/spec/api/pubkeys_spec.rb +0 -66
- data/spec/api/resources_spec.rb +0 -92
- data/spec/api/roles_spec.rb +0 -100
- data/spec/api/secrets_spec.rb +0 -16
- data/spec/api/users_spec.rb +0 -71
- data/spec/api/variables_spec.rb +0 -112
- data/spec/cas_rest_client.rb +0 -17
- data/spec/cidr_helper.rb +0 -24
- data/spec/lib/acts_as_user_spec.rb +0 -27
- data/spec/lib/annotations_spec.rb +0 -109
- data/spec/lib/api_spec.rb +0 -480
- data/spec/lib/asset_spec.rb +0 -80
- data/spec/lib/audit_spec.rb +0 -155
- data/spec/lib/build_from_response_spec.rb +0 -49
- data/spec/lib/deputy_spec.rb +0 -25
- data/spec/lib/exists_spec.rb +0 -24
- data/spec/lib/group_spec.rb +0 -18
- data/spec/lib/host_spec.rb +0 -31
- data/spec/lib/resource_spec.rb +0 -240
- data/spec/lib/role_grant_spec.rb +0 -13
- data/spec/lib/role_spec.rb +0 -231
- data/spec/lib/standard_methods_spec.rb +0 -66
- data/spec/lib/user_spec.rb +0 -77
- data/spec/standard_methods_helper.rb +0 -41
- data/spec/variable_spec.rb +0 -101
- data/spec/vcr_cassettes/Conjur_Resource/_create/with_path-like_identifier.yml +0 -87
- data/spec/vcr_cassettes/Conjur_Resource/_create/with_un-encoded_path-like_identifier.yml +0 -87
- data/spec/vcr_cassettes/Conjur_Resource/_create/with_uuid_identifier.yml +0 -87
data/lib/conjur/role.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
3
|
#
|
4
4
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
5
|
# this software and associated documentation files (the "Software"), to deal in
|
@@ -21,321 +21,9 @@
|
|
21
21
|
require 'conjur/role_grant'
|
22
22
|
|
23
23
|
module Conjur
|
24
|
-
# A
|
25
|
-
#
|
26
|
-
|
27
|
-
|
28
|
-
# to do. This relationship is transitive, so if a is a member of b, b is a member of c,
|
29
|
-
# and c is a member of d, a has all of d's permissions.
|
30
|
-
#
|
31
|
-
# This class represents a Role with a particular identifier. The actual Conjur role *may or may not
|
32
|
-
# exist!*
|
33
|
-
class Role < RestClient::Resource
|
34
|
-
include Exists
|
35
|
-
include PathBased
|
36
|
-
include QueryString
|
37
|
-
|
38
|
-
# The *unqualified* identifier for this role.
|
39
|
-
#
|
40
|
-
# @example
|
41
|
-
# api.role('conjur:foo:bar').identifier # => "bar"
|
42
|
-
#
|
43
|
-
# @return [String] the unqualified identifier
|
44
|
-
def identifier
|
45
|
-
match_path(3..-1)
|
46
|
-
end
|
47
|
-
|
48
|
-
alias id identifier
|
49
|
-
|
50
|
-
# The *qualified* identifier for this role.
|
51
|
-
#
|
52
|
-
# @example
|
53
|
-
# api.user('bob').role_id # => "conjur:user:bob"
|
54
|
-
#
|
55
|
-
# @return [String] the *qualified* identifier
|
56
|
-
def roleid
|
57
|
-
[ account, kind, identifier ].join(':')
|
58
|
-
end
|
59
|
-
|
60
|
-
alias role_id roleid
|
61
|
-
|
62
|
-
# @api private
|
63
|
-
# Create this role.
|
64
|
-
#
|
65
|
-
# You probably want to use {Conjur::API#create_role} instead.
|
66
|
-
def create(options = {})
|
67
|
-
log do |logger|
|
68
|
-
logger << "Creating role #{kind}:#{identifier}"
|
69
|
-
unless options.empty?
|
70
|
-
logger << " with options #{options.to_json}"
|
71
|
-
end
|
72
|
-
end
|
73
|
-
self.put(options)
|
74
|
-
end
|
75
|
-
|
76
|
-
# Find all roles of which this role is a member. By default, role relationships are recursively expanded,
|
77
|
-
# so if `a` is a member of `b`, and `b` is a member of `c`, `a.all` will include `c`.
|
78
|
-
#
|
79
|
-
# ### Permissions
|
80
|
-
# You must be a member of the role to call this method.
|
81
|
-
#
|
82
|
-
# You can restrict the roles returned to one or more role ids. This feature is mainly useful
|
83
|
-
# for checking whether this role is a member of any of a set of roles.
|
84
|
-
#
|
85
|
-
# ### Options
|
86
|
-
#
|
87
|
-
# * **recursive** Defaults to +true+, performs recursive expansion of the memberships.
|
88
|
-
#
|
89
|
-
# @example Show all roles of which `"conjur:group:pubkeys-1.0/key-managers"` is a member
|
90
|
-
# # Add alice to the group, so we see something interesting
|
91
|
-
# key_managers = api.group('pubkeys-1.0/key-managers')
|
92
|
-
# key_managers.add_member api.user('alice')
|
93
|
-
#
|
94
|
-
# # Show the memberships, mapped to the member ids.
|
95
|
-
# key_managers.role.all.map(&:roleid)
|
96
|
-
# # => ["conjur:group:pubkeys-1.0/admin", "conjur:user:alice"]
|
97
|
-
#
|
98
|
-
# @example See if role `"conjur:user:alice"` is a member of either `"conjur:groups:developers"` or `"conjur:group:ops"`
|
99
|
-
# is_member = api.role('conjur:user:alice').all(filter: ['conjur:group:developers', 'conjur:group:ops']).any?
|
100
|
-
#
|
101
|
-
# @param [Hash] options options for the request
|
102
|
-
# @param options [Hash, nil] :filter only return roles in this list. Also, extra parameters to pass to the webservice method.
|
103
|
-
# @return [Array<Conjur::Role>] Roles of which this role is a member
|
104
|
-
def all(options = {})
|
105
|
-
request = if options.delete(:recursive) == false
|
106
|
-
options["memberships"] = true
|
107
|
-
else
|
108
|
-
options["all"] = true
|
109
|
-
end
|
110
|
-
if filter = options.delete(:filter)
|
111
|
-
filter = [filter] unless filter.is_a?(Array)
|
112
|
-
options["filter"] = filter.map{ |obj| cast(obj, :roleid) }
|
113
|
-
end
|
114
|
-
|
115
|
-
result = JSON.parse(self[options_querystring options].get)
|
116
|
-
if result.is_a?(Hash) && ( count = result['count'] )
|
117
|
-
count
|
118
|
-
else
|
119
|
-
host = Conjur::Authz::API.host
|
120
|
-
result.collect do |item|
|
121
|
-
if item.is_a?(String)
|
122
|
-
Role.new(host, self.options)[Conjur::API.parse_role_id(item).join('/')]
|
123
|
-
else
|
124
|
-
RoleGrant.parse_from_json(item, self.options)
|
125
|
-
end
|
126
|
-
end
|
127
|
-
end
|
128
|
-
end
|
129
|
-
|
130
|
-
alias memberships all
|
131
|
-
|
132
|
-
# Check to see if this role is a member of another role. Membership is transitive.
|
133
|
-
#
|
134
|
-
# ### Permissions
|
135
|
-
# You must be logged in as a member of this role in order to call this method. Note that if you
|
136
|
-
# pass a role of which you aren't a member to this method, it will return false rather than raising an
|
137
|
-
# exception.
|
138
|
-
#
|
139
|
-
# @example Permissions
|
140
|
-
# alice_api = Conjur::API.new_from_key "alice", "alice-password"
|
141
|
-
# admin_api = Conjur::API.new_from_key "admin", "admin-password"
|
142
|
-
#
|
143
|
-
# # admin_view is the role as seen by the admin user
|
144
|
-
# admin_view = admin_api.role('conjur:group:pubkeys-1.0/key-managers')
|
145
|
-
# admin_view.member_of? alice_api.current_role # => false
|
146
|
-
# alice_api.current_role.member_of? admin_view # => false
|
147
|
-
#
|
148
|
-
# # alice_view is the role as seen by alice (who isn't a member of the key-managers group)
|
149
|
-
# alice_view = alice_api.role('conjur:group:pubkeys-1.0/key-managers')
|
150
|
-
# alice_view.member_of? alice_api.current_role # raises RestClient::Forbidden
|
151
|
-
# alice_api.current_role.member_of? alice_view # false
|
152
|
-
#
|
153
|
-
# @param [String, #roleid] other_role the role or role id of which we might be a member
|
154
|
-
# @return [Boolean] whether this role is a member of `other_role`
|
155
|
-
# @raise [RestClient::Forbidden] if you don't have permission to perform this operation
|
156
|
-
def member_of?(other_role)
|
157
|
-
other_role = cast(other_role, :roleid)
|
158
|
-
not all(filter: other_role).empty?
|
159
|
-
end
|
160
|
-
|
161
|
-
# Grant this role to another one. The role given by the `member` argument will become
|
162
|
-
# a member of this role, and have all of its permissions.
|
163
|
-
#
|
164
|
-
# ### Permissions
|
165
|
-
# You must have admin permissions on this role.
|
166
|
-
#
|
167
|
-
# @example Allow `'alice'` to do everything that `'bob'` can do (perhaps better!).
|
168
|
-
# bob = api.role 'cook:bob'
|
169
|
-
# alice = api.role 'cook:alice'
|
170
|
-
#
|
171
|
-
# # bob is allowed to 'fry' a resource called 'food:bacon'
|
172
|
-
# bob.permitted? "food:bacon", "fry" # => true
|
173
|
-
#
|
174
|
-
# # alice isn't
|
175
|
-
# alice.permitted? "food:bacon", "fry" # => false
|
176
|
-
#
|
177
|
-
# # grant the role 'cook:bob' to alice, so that she can participate in our culture's
|
178
|
-
# # bizarre bacon obsession!
|
179
|
-
# bob.grant_to alice
|
180
|
-
#
|
181
|
-
# # Now she can fry some bacon!
|
182
|
-
# alice.permitted? 'food:bacon', 'fry' # => true
|
183
|
-
#
|
184
|
-
# @example Make `alice` a member of `job:cook`, and let her grant that role to others
|
185
|
-
# # Create an api logged in as 'alice'. We assume that `api` is an admin.
|
186
|
-
# alice_api = Conjur::API.new_from_key 'alice', 'alice-password'
|
187
|
-
#
|
188
|
-
# # First do it without the `admin_option`
|
189
|
-
# api.role('job:cook').grant_to alice_api.current_role
|
190
|
-
#
|
191
|
-
# # Alice can't grant the role to bob
|
192
|
-
# alice_api.role('job:cook').grant_to 'user:bob' # => raises RestClient::Forbidden
|
193
|
-
#
|
194
|
-
# # Make alice an admin of the role
|
195
|
-
# api.role('job:cook').grant_to alice_api.current_role, admin_option: true
|
196
|
-
#
|
197
|
-
# # Now she can grant the role to bob
|
198
|
-
# alice_api.role('job:cook').grant_to 'user:bob' # Works!
|
199
|
-
#
|
200
|
-
# @example Take away a member's admin privilege
|
201
|
-
# # alice_api is an api logged in as user "alice", who has admin rights on the role 'job:cooks'.
|
202
|
-
# # Notice that she can grant the role to 'eve'
|
203
|
-
# alice_api.role('job:cook').grant_to 'eve'
|
204
|
-
#
|
205
|
-
# # We don't want her to do this any more
|
206
|
-
# admin_api.role('job:cook').grant_to 'user:alice', admin_option: false
|
207
|
-
#
|
208
|
-
# # She's still a member
|
209
|
-
# alice_api.member_of?('job:cook') # => true
|
210
|
-
#
|
211
|
-
# # But she can't grant the role to 'bob'
|
212
|
-
# alice_api.role('job:cook').grant_to 'user:bob' # raises RestClient:Forbidden
|
213
|
-
#
|
214
|
-
# @param [String, #roleid] member the role that will become a member of this role
|
215
|
-
# @param [Hash] options options for the grant
|
216
|
-
# @option options [Boolean] :admin_option when given, the admin flag on the role grant will be set to
|
217
|
-
# this value.
|
218
|
-
# @return [void]
|
219
|
-
# @raise [RestClient::Forbidden] if you don't have permission to perform the operation
|
220
|
-
def grant_to(member, options={})
|
221
|
-
member = cast(member, :roleid)
|
222
|
-
log do |logger|
|
223
|
-
logger << "Granting role #{identifier} to #{member}"
|
224
|
-
unless options.blank?
|
225
|
-
logger << " with options #{options.to_json}"
|
226
|
-
end
|
227
|
-
end
|
228
|
-
self["?members&member=#{query_escape member}"].put(options)
|
229
|
-
end
|
230
|
-
|
231
|
-
# Remove (revoke) a member from this role. This operation is the inverse of {#grant_to}
|
232
|
-
#
|
233
|
-
# ### Permissions
|
234
|
-
# You must have admin permissions on this role
|
235
|
-
#
|
236
|
-
#
|
237
|
-
# @example Bob has been fired from his job as a cook.
|
238
|
-
# # currently, he's a member, and therefore is allowed to 'fry' the 'bacon' resource
|
239
|
-
# bob = api.role('user:bob')
|
240
|
-
# bob.member_of? 'job:cook' # true
|
241
|
-
# bob.permitted? 'food:bacon', 'fry' # true
|
242
|
-
#
|
243
|
-
# # Revoke 'job:cook'
|
244
|
-
# api.role('job:cook').revoke_from 'user:bob'
|
245
|
-
#
|
246
|
-
# # Now he's not a member, and he can't fry bacon any more
|
247
|
-
# bob.member_of? 'job:cook' # false
|
248
|
-
# bob.permitted? 'food:bacon', 'fry' # false
|
249
|
-
#
|
250
|
-
# # Note that if alice had her bacon frying permissions through her membership in the role 'user:bob',
|
251
|
-
# # she'll lose them too:
|
252
|
-
# api.role('user:alice').member_of? 'user:bob' # true
|
253
|
-
# api.role('user:alice').permitted? 'food:bacon', 'fry' # => false
|
254
|
-
#
|
255
|
-
#
|
256
|
-
# @param [String, #roleid] member the member to revoke this role from
|
257
|
-
# @param [Hash] options included for backwards compatibility. Don't use it.
|
258
|
-
# @return [void]
|
259
|
-
# @raise [RestClient::Forbidden] If you don't have permission to perform this operation
|
260
|
-
def revoke_from(member, options = {})
|
261
|
-
member = cast(member, :roleid)
|
262
|
-
log do |logger|
|
263
|
-
logger << "Revoking role #{identifier} from #{member}"
|
264
|
-
unless options.empty?
|
265
|
-
logger << " with options #{options.to_json}"
|
266
|
-
end
|
267
|
-
end
|
268
|
-
self["?members&member=#{query_escape member}"].delete(options)
|
269
|
-
end
|
270
|
-
|
271
|
-
# Check to see if this role is allowed to perform `privilege` on `resource`.
|
272
|
-
#
|
273
|
-
# ### Permissions
|
274
|
-
# Any authenticated role may call this method. However, instead of raising a 404 if a resource
|
275
|
-
# or role doesn't exist, it will return false. This is to prevent bad guys from finding out which roles
|
276
|
-
# and resources exist.
|
277
|
-
#
|
278
|
-
# @example
|
279
|
-
# bacon = api.create_resource 'food:bacon'
|
280
|
-
# eggs = api.create_resoure 'food:eggs'
|
281
|
-
# bob = api.create_role 'cook:bob'
|
282
|
-
#
|
283
|
-
# # Bob can't do anything initially
|
284
|
-
# bob.permitted? bacon, 'fry' # => false
|
285
|
-
# bob.permitted? eggs, 'poach' # => false
|
286
|
-
#
|
287
|
-
# # Let him poach eggs
|
288
|
-
# eggs.permit 'poach', bob
|
289
|
-
#
|
290
|
-
# # Now it's permitted
|
291
|
-
# bob.permitted? eggs, 'poach' # => true
|
292
|
-
#
|
293
|
-
# @example Somethign a bit more realistic
|
294
|
-
# # Say we have a service layer that needs access to a database connection string.
|
295
|
-
# # The layer is called 'web', and the connection string is stored in a variable 'mysql-uri'
|
296
|
-
# web_layer = api.layer 'web'
|
297
|
-
# mysql_uri = api.variable 'mysql-uri'
|
298
|
-
#
|
299
|
-
# # The web layer can't see the value of the variable right now:
|
300
|
-
# web_layer.role.permitted? mysql_uri, 'execute' # => false
|
301
|
-
#
|
302
|
-
# # Let's permit that
|
303
|
-
# mysql_uri.permit 'execute', web_layer
|
304
|
-
#
|
305
|
-
# # Now it's allowed to fetch the connection string
|
306
|
-
# web_layer.role.permitted? mysql_uri, 'execute' # => true
|
307
|
-
#
|
308
|
-
# @param [#resourceid, String] resource the resource to check the permission against
|
309
|
-
# @param [String] privilege the privilege to check
|
310
|
-
# @return [Boolean] true if this role has the privilege on the resource
|
311
|
-
def permitted?(resource, privilege, options = {})
|
312
|
-
resource = cast(resource, :resourceid)
|
313
|
-
# NOTE: in previous versions there was 'kind' passed separately. Now it is part of id
|
314
|
-
self["?check&resource_id=#{query_escape resource}&privilege=#{query_escape privilege}"].get(options)
|
315
|
-
true
|
316
|
-
rescue RestClient::ResourceNotFound
|
317
|
-
false
|
318
|
-
end
|
319
|
-
|
320
|
-
|
321
|
-
# Fetch the direct members of this role. The results are *not* recursively expanded).
|
322
|
-
#
|
323
|
-
# ### Permissions
|
324
|
-
# You must be a member of the role to call this method.
|
325
|
-
#
|
326
|
-
# @param options [Hash, nil] extra parameters to pass to the webservice method.
|
327
|
-
# @return [Array<Conjur::RoleGrant>] the role memberships
|
328
|
-
# @raise [RestClient::Forbidden] if you don't have permission to perform this operation
|
329
|
-
def members options = {}
|
330
|
-
options["members"] = true
|
331
|
-
result = JSON.parse(self[options_querystring options].get)
|
332
|
-
if result.is_a?(Hash) && ( count = result['count'] )
|
333
|
-
count
|
334
|
-
else
|
335
|
-
result.collect do |json|
|
336
|
-
RoleGrant.parse_from_json(json, self.options)
|
337
|
-
end
|
338
|
-
end
|
339
|
-
end
|
24
|
+
# A Conjur custom Role. This object is used for roles whose `kind` is not
|
25
|
+
# any of the pre-defined common types such as {Group}, {Host}, {Layer}, etc.
|
26
|
+
class Role < BaseObject
|
27
|
+
include ActsAsRole
|
340
28
|
end
|
341
29
|
end
|
data/lib/conjur/role_grant.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
3
|
#
|
4
4
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
5
|
# this software and associated documentation files (the "Software"), to deal in
|
@@ -19,14 +19,17 @@
|
|
19
19
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
20
|
#
|
21
21
|
module Conjur
|
22
|
-
#
|
23
|
-
# by {
|
22
|
+
# Represents the membership of a role. `RoleGrant`s are returned
|
23
|
+
# by {ActsAsRole#members} and represent members of the role on which the method was invoked.
|
24
24
|
#
|
25
25
|
# @example
|
26
26
|
# alice.members.map{|grant| grant.member}.include? admin_role # => true
|
27
27
|
# admin_role.members.map{|grant| grant.member}.include? alice # => true
|
28
28
|
#
|
29
29
|
class RoleGrant
|
30
|
+
extend BuildObject::ClassMethods
|
31
|
+
extend Cast
|
32
|
+
|
30
33
|
# The role which was granted.
|
31
34
|
# @return [Conjur::Role]
|
32
35
|
attr_reader :role
|
@@ -35,11 +38,6 @@ module Conjur
|
|
35
38
|
# @return [Conjur::Role]
|
36
39
|
attr_reader :member
|
37
40
|
|
38
|
-
# The role that created this grant.
|
39
|
-
#
|
40
|
-
# @return [Conjur::Role]
|
41
|
-
attr_reader :grantor
|
42
|
-
|
43
41
|
# When true, the role {#member} is allowed to give this grant to other roles
|
44
42
|
#
|
45
43
|
# @return [Boolean]
|
@@ -50,29 +48,29 @@ module Conjur
|
|
50
48
|
# Create a new RoleGrant instance.
|
51
49
|
#
|
52
50
|
# @param [Conjur::Role] member the member to which the role was granted
|
53
|
-
# @param [Conjur::Role] grantor the role that created this grant
|
54
51
|
# @param [Boolean] admin_option whether `member` can give the grant to other roles
|
55
|
-
def initialize role, member,
|
52
|
+
def initialize role, member, admin_option
|
56
53
|
@role = role
|
57
54
|
@member = member
|
58
|
-
@grantor = grantor
|
59
55
|
@admin_option = admin_option
|
60
56
|
end
|
61
57
|
|
62
58
|
# Representation of the role grant as a hash.
|
63
59
|
def to_h
|
64
60
|
{
|
65
|
-
|
66
|
-
|
61
|
+
role: role.id,
|
62
|
+
member: member.id,
|
67
63
|
admin_option: admin_option
|
68
|
-
}
|
69
|
-
|
70
|
-
|
64
|
+
}
|
65
|
+
end
|
66
|
+
|
67
|
+
def to_s
|
68
|
+
to_h.to_s
|
71
69
|
end
|
72
70
|
|
73
|
-
|
74
|
-
|
75
|
-
|
71
|
+
def as_json options = {}
|
72
|
+
to_h.as_json(options)
|
73
|
+
end
|
76
74
|
|
77
75
|
class << self
|
78
76
|
# @api private
|
@@ -83,15 +81,9 @@ module Conjur
|
|
83
81
|
# @param [Hash] credentials the credentials used to create APIs for the member and grantor role objects
|
84
82
|
# @return [Conjur::RoleGrant]
|
85
83
|
def parse_from_json(json, credentials)
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
else
|
90
|
-
nil
|
91
|
-
end
|
92
|
-
member = Role.new(Conjur::Authz::API.host, credentials)[Conjur::API.parse_role_id(json['member']).join('/')]
|
93
|
-
grantor = Role.new(Conjur::Authz::API.host, credentials)[Conjur::API.parse_role_id(json['grantor']).join('/')]
|
94
|
-
RoleGrant.new(role, member, grantor, json['admin_option'])
|
84
|
+
role = build_object(json['role'], credentials, default_class: Role)
|
85
|
+
member = build_object(json['member'], credentials, default_class: Role)
|
86
|
+
RoleGrant.new(role, member, json['admin_option'])
|
95
87
|
end
|
96
88
|
end
|
97
89
|
end
|
data/lib/conjur/user.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
3
|
#
|
4
4
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
5
|
# this software and associated documentation files (the "Software"), to deal in
|
@@ -19,74 +19,16 @@
|
|
19
19
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
20
|
#
|
21
21
|
module Conjur
|
22
|
-
#
|
23
|
-
class User <
|
24
|
-
include ActsAsAsset
|
22
|
+
# A Conjur User.
|
23
|
+
class User < BaseObject
|
25
24
|
include ActsAsUser
|
26
25
|
|
27
|
-
#
|
28
|
-
|
29
|
-
# This method is simply an alias for {#id}. It returns the user's *unqualified* id, which is referred to as
|
30
|
-
# `login` here because it can be used to login to Conjur.
|
31
|
-
# @return [String] the login for this user
|
32
|
-
def login; id end
|
33
|
-
|
34
|
-
# Assign new attributes to the user.
|
35
|
-
#
|
36
|
-
# If a user with the given `:uidnumber` already exists, this method will raise `RestClient::Forbidden`, with
|
37
|
-
# the response body providing additional details if possible.
|
38
|
-
#
|
39
|
-
# ### Permissions
|
40
|
-
# You must be a member of the user's role to update the uidnumber.
|
41
|
-
# You must have update permission on the user's resource or be the user to
|
42
|
-
# update CIDR restrictions.
|
43
|
-
#
|
44
|
-
# @note Updating `uidnumber` requires Conjur server version 4.3 or later.
|
45
|
-
# @note Updating `cidr` requires Conjur server version 4.6 or later.
|
46
|
-
#
|
47
|
-
# @param [Hash] options attributes to change
|
48
|
-
# @option options [FixNum] :uidnumber the new uidnumber for this user.
|
49
|
-
# @option options [Array<String, IPAddr>] :cidr the network restrictions for this user. Requires Conjur server version 4.6 or later
|
50
|
-
# @return [void]
|
51
|
-
# @raise [RestClient::Conflict] if the uidnumber is already in use
|
52
|
-
# @raise [ArgumentError] if uidnumber or cidr aren't valid
|
53
|
-
def update options
|
54
|
-
if uidnumber = options[:uidnumber]
|
55
|
-
# Currently the server raises a 400 Bad Request if uidnumber is missing, require it here
|
56
|
-
raise ArgumentError, "options[:uidnumber] must be a Fixnum" unless uidnumber.kind_of?(Fixnum)
|
57
|
-
self.put(options)
|
58
|
-
end
|
59
|
-
|
60
|
-
if cidr = options[:cidr]
|
61
|
-
set_cidr_restrictions cidr
|
62
|
-
end
|
63
|
-
end
|
64
|
-
|
65
|
-
# Get the user's uidnumber, which is used by LDAP and SSH login, among other things.
|
66
|
-
#
|
67
|
-
# ### Permissions
|
68
|
-
# You must have the `'show'` permission on the user's resource to call this method
|
69
|
-
#
|
70
|
-
# @note This feature requires Conjur server version 4.3 or later.
|
26
|
+
# Get the user's uidnumber, which can be used by LDAP and SSH login, among other things.
|
71
27
|
#
|
72
28
|
# @return [Fixnum] the uidnumber
|
73
29
|
# @raise [RestClient::Forbidden] if you don't have permission to `show` the user.
|
74
30
|
def uidnumber
|
75
|
-
|
76
|
-
end
|
77
|
-
|
78
|
-
# Set the user's uidnumber, which is used by LDAP and SSH login.
|
79
|
-
#
|
80
|
-
# ### Permissions
|
81
|
-
# You must be a member of the user's role to call this method.
|
82
|
-
#
|
83
|
-
# @note This feature requires Conjur server version 4.3 or later.
|
84
|
-
#
|
85
|
-
# @param [Fixnum] uidnumber the new uidnumber
|
86
|
-
# @return [void]
|
87
|
-
# @raise [RestClient::Conflict] if the uidnumber is already in use.
|
88
|
-
def uidnumber= uidnumber
|
89
|
-
update uidnumber: uidnumber
|
31
|
+
annotation_value 'conjur/uidnumber'
|
90
32
|
end
|
91
33
|
end
|
92
34
|
end
|