conjur-api 5.2.0 → 5.3.3

data/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will 
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

data/bin/parse-changelog.sh

@@ -0,0 +1,12 @@
+#!/bin/bash -ex
+
+cd "$(dirname "$0")"
+
+docker run --rm \
+  -v "$PWD/..:/work" \
+  -w "/work" \
+  ruby:2.5 bash -ec "
+    gem install -N parse_a_changelog
+    parse ./CHANGELOG.md
+  "
+

data/ci/codeclimate.dockerfile

@@ -0,0 +1,6 @@
+FROM alpine:3.11
+RUN wget https://codeclimate.com/downloads/test-reporter/test-reporter-0.6.3-linux-amd64 -O /opt/cc-test-reporter
+RUN chmod +x /opt/cc-test-reporter
+RUN apk update && apk upgrade && apk add --no-cache git
+
+ENTRYPOINT ["/opt/cc-test-reporter"]

data/conjur-api.gemspec

@@ -18,10 +18,13 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 1.9'
 
+  # Filter out development only executables
+  gem.executables -= %w{parse-changelog.sh}
+
   gem.add_dependency 'rest-client'
   gem.add_dependency 'activesupport'
 
-  gem.add_development_dependency 'rake', '~> 10.0'
+  gem.add_development_dependency 'rake', '>= 12.3.3'
   gem.add_development_dependency 'rspec', '~> 3'
   gem.add_development_dependency 'rspec-expectations', '~> 3.4'
   gem.add_development_dependency 'json_spec'

data/docker-compose.yml

@@ -27,6 +27,7 @@ services:
     volumes:
       - ./spec/reports:/src/conjur-api/spec/reports
       - ./features/reports:/src/conjur-api/features/reports
+      - ./coverage:/src/conjur-api/coverage
       - authn_local_5:/run/authn-local-5
     environment:
       CONJUR_APPLIANCE_URL: http://conjur_5
@@ -38,6 +39,7 @@ services:
     volumes:
       - ./features_v4/reports:/src/conjur-api/features_v4/reports
       - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
+      - ./coverage_v4:/src/conjur-api/coverage
       - authn_local_4:/run/authn-local-4
     environment:
       CONJUR_APPLIANCE_URL: https://conjur_4/api

data/features/authenticators.feature

@@ -0,0 +1,33 @@
+Feature: List and manage authenticators
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !webservice conjur/authn-k8s/my-auth
+    POLICY
+    """
+
+  Scenario: Authenticator list includes the authenticator status
+    When I run the code:
+    """
+    $conjur.authenticator_list
+    """
+    Then the JSON should have "installed"
+    And the JSON should have "configured"
+    And the JSON should have "enabled"
+    And the JSON at "enabled" should be ["authn"]
+
+  Scenario: Enable and disable authenticator
+    When I run the code:
+    """
+    $conjur.authenticator_enable("authn-k8s", "my-auth")
+    $conjur.authenticator_list
+    """
+    Then the JSON at "enabled" should be ["authn", "authn-k8s/my-auth"]
+    When I run the code:
+    """
+    $conjur.authenticator_disable("authn-k8s", "my-auth")
+    $conjur.authenticator_list
+    """
+    Then the JSON at "enabled" should be ["authn"]

data/features/support/env.rb

@@ -1,5 +1,7 @@
 require 'simplecov'
+require 'simplecov-cobertura'
 
+SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
 SimpleCov.start
 
 require 'json_spec/cucumber'

data/features/update_password.feature

@@ -5,8 +5,8 @@ Feature: Change a user's password.
   Scenario: A user can set/change her password using the current API key.
     When I run the code:
     """
-    Conjur::API.update_password @user_id, @user_api_key, 'secret'
-    @new_api_key = Conjur::API.login @user_id, 'secret'
+    Conjur::API.update_password @user_id, @user_api_key, 'SEcret12!!!!'
+    @new_api_key = Conjur::API.login @user_id, 'SEcret12!!!!'
     """
     Then I can run the code:
     """

data/features_v4/support/env.rb

@@ -1,5 +1,7 @@
 require 'simplecov'
+require 'simplecov-cobertura'
 
+SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
 SimpleCov.start
 
 require 'json_spec/cucumber'

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "5.2.0"
+    VERSION = "5.3.3"
   end
 end

data/lib/conjur/acts_as_role.rb

@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 module Conjur
 
   # This module provides methods for things that have an associated {Conjur::Role}.
@@ -100,7 +96,7 @@ module Conjur
       end
       if filter = options.delete(:filter)
         filter = [filter] unless filter.is_a?(Array)
-        options["filter"] = filter.map{ |obj| cast_to_id(obj) }
+        options["filter"] = filter.map(&Id.method(:new))
       end
 
       result = JSON.parse(rbac_role_resource[options_querystring options].get)
@@ -143,4 +139,4 @@ module Conjur
       url_for(:roles_role, credentials, id)    
     end
   end
-end
+end

data/lib/conjur/api.rb

@@ -34,6 +34,7 @@ require 'conjur/acts_as_rolsource'
 require 'conjur/acts_as_user'
 require 'conjur/log_source'
 require 'conjur/has_attributes'
+require 'conjur/api/authenticators'
 require 'conjur/api/authn'
 require 'conjur/api/roles'
 require 'conjur/api/resources'
@@ -41,6 +42,7 @@ require 'conjur/api/pubkeys'
 require 'conjur/api/variables'
 require 'conjur/api/policies'
 require 'conjur/api/host_factories'
+require 'conjur/api/ldap_sync'
 require 'conjur/host'
 require 'conjur/group'
 require 'conjur/variable'

data/lib/conjur/api/authenticators.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'conjur/webservice'
+
+module Conjur
+  # API contains each of the methods for access the Conjur API endpoints
+  #-- :reek:DataClump for authenticator identifier fields (name, id, account)
+  class API
+    # @!group Authenticators
+
+    # List all configured authenticators
+    def authenticator_list
+      JSON.parse(url_for(:authenticators).get)
+    end
+
+    # Enables an authenticator in Conjur. The authenticator must be defined and
+    # loaded in Conjur policy prior to enabling it.
+    # 
+    # @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
+    # @param [String] id the service ID of the authenticator to enable
+    def authenticator_enable authenticator, id, account: Conjur.configuration.account
+      url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
+    end
+
+    # Disables an authenticator in Conjur.
+    # 
+    # @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
+    # @param [String] id the service ID of the authenticator to disable
+    def authenticator_disable authenticator, id, account: Conjur.configuration.account
+      url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
+    end
+
+    # @!endgroup
+  end
+end

data/lib/conjur/api/host_factories.rb

@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/host_factory'
 
 module Conjur
@@ -40,9 +36,14 @@ module Conjur
       # @return [Host]
       def host_factory_create_host token, id, options = {}
         token = token.token if token.is_a?(HostFactoryToken)
-        response = url_for(:host_factory_create_host, token).post(options.merge(id: id)).body
+        response = url_for(:host_factory_create_host, token)
+          .post(options.merge(id: id)).body
+
         attributes = JSON.parse(response)
-        Host.new(attributes['id'], {}).tap do |host|
+        # in v4 'id' is just the identifier
+        host_id = attributes['roleid'] || attributes['id']
+
+        Host.new(host_id, {}).tap do |host|
           host.attributes = attributes
         end
       end

data/lib/conjur/{cast.rb → api/ldap_sync.rb}

@@ -1,5 +1,5 @@
 #
-# Copyright 2013-2017 Conjur Inc
+# Copyright 2013-2018 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -20,22 +20,19 @@
 #
 
 module Conjur
-  module Cast
-    protected
-
-    # Convert a value to a role or resource identifier.
+  class API
+    
+    # Retrieve the policy for the given LDAP sync
+    # configuration. Configurations created through the Conjur UI are
+    # named +default+, so the default value of +config_name+ can be
+    # used.
+    #
+    # For details on the use of LDAP sync, see
+    # https://developer.conjur.net/reference/services/ldap_sync/ .
     #
-    # @param obj the value to cast
-    def cast_to_id obj
-      result =if obj.is_a?(String) || obj.is_a?(Id)
-        obj
-      elsif obj.is_a?(Array)
-        obj.join(':')
-      else
-        raise "I don't know how to cast a #{obj.class} to an id"
-      end
-      result = Id.new(result) unless result.is_a?(Id)
-      result
+    # @param [String] config_name the name of the LDAP sync configuration.
+    def ldap_sync_policy config_name: 'default'
+      JSON.parse(url_for(:ldap_sync_policy, credentials, config_name).get)
     end
   end
-end
+end

data/lib/conjur/api/resources.rb

@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/resource'
 
 module Conjur
@@ -27,8 +23,8 @@ module Conjur
     
     #@!group Resources
 
-    # Find a resource by it's id.  The id given to this method must be qualified by a kind, but the account is
-    # optional.
+    # Find a resource by its id.
+    # @note The id given to this method must be fully qualified.
     #
     # ### Permissions
     #

data/lib/conjur/api/router/v5.rb

@@ -1,10 +1,29 @@
+# frozen_string_literal: true
+
+# Copyright 2017-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# rubocop:disable Metrics/ModuleLength
 module Conjur
   class API
     module Router
+      # V5 translates method arguments to rest-ful API request parameters.
+      # because of this, most of the methods suffer from :reek:LongParameterList:
+      # and :reek:UtilityFunction:
       module V5
         extend Conjur::Escape::ClassMethods
         extend Conjur::QueryString
-        extend Conjur::Cast
         extend self
 
         def authn_login account, username, password
@@ -15,6 +34,14 @@ module Conjur
           RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate']
         end
 
+        def authenticator account, authenticator, service_id, credentials
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)[fully_escape authenticator][fully_escape service_id][fully_escape account]
+        end
+
+        def authenticators
+          RestClient::Resource.new(Conjur.configuration.core_url)['authenticators']
+        end
+
         # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
         def authn_authenticate_local username, account, expiration, cidr, &block
           { account: account, sub: username }.tap do |params|
@@ -28,7 +55,7 @@ module Conjur
         end
 
         def authn_rotate_api_key credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][path_escape account]["api_key?role=#{id}"]
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][fully_escape account]["api_key?role=#{id}"]
         end
 
         def authn_rotate_own_api_key account, username, password
@@ -51,18 +78,18 @@ module Conjur
         end
 
         def policies_load_policy credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][path_escape account]['policy'][path_escape id]
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][fully_escape account]['policy'][fully_escape id]
         end
 
         def public_keys_for_user account, username
-          RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][path_escape username]
+          RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][fully_escape username]
         end
 
         def resources credentials, account, kind, options
           credentials ||= {}
 
-          path = "/resources/#{path_escape account}" 
-          path += "/#{path_escape kind}" if kind
+          path = "/resources/#{fully_escape account}"
+          path += "/#{fully_escape kind}" if kind
 
           RestClient::Resource.new(Conjur.configuration.core_url, credentials)[path][options_querystring options]
         end
@@ -82,7 +109,7 @@ module Conjur
           options = {}
           options[:check] = true
           options[:privilege] = privilege
-          options[:role] = path_escape(cast_to_id(role)) if role
+          options[:role] = query_escape(Id.new(role)) if role
           resources_resource(credentials, id)[options_querystring options].get
         end
 
@@ -139,6 +166,10 @@ module Conjur
           end
         end
 
+        def ldap_sync_policy(credentials, config_name)
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
+        end
+        
         private
 
         def resource_annotations resource
@@ -148,3 +179,4 @@ module Conjur
     end
   end
 end
+# rubocop:enable Metrics/ModuleLength