conjur-api 5.2.0 → 5.3.3
- checksums.yaml +4 -4
- data/.codeclimate.yml +10 -0
- data/.github/CODEOWNERS +10 -0
- data/.github/ISSUE_TEMPLATE/bug.md +42 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +27 -0
- data/.github/PULL_REQUEST_TEMPLATE.md +21 -0
- data/.gitignore +1 -0
- data/.gitleaks.toml +219 -0
- data/.overcommit.yml +16 -0
- data/.rubocop.yml +3 -0
- data/.rubocop_settings.yml +86 -0
- data/.rubocop_todo.yml +709 -0
- data/CHANGELOG.md +348 -173
- data/CONTRIBUTING.md +141 -0
- data/Gemfile +1 -1
- data/Jenkinsfile +27 -29
- data/LICENSE +202 -0
- data/README.md +19 -126
- data/SECURITY.md +42 -0
- data/bin/parse-changelog.sh +12 -0
- data/ci/codeclimate.dockerfile +6 -0
- data/conjur-api.gemspec +4 -1
- data/docker-compose.yml +2 -0
- data/features/authenticators.feature +33 -0
- data/features/support/env.rb +2 -0
- data/features/update_password.feature +2 -2
- data/features_v4/support/env.rb +2 -0
- data/lib/conjur-api/version.rb +1 -1
- data/lib/conjur/acts_as_role.rb +15 -19
- data/lib/conjur/api.rb +2 -0
- data/lib/conjur/api/authenticators.rb +35 -0
- data/lib/conjur/api/host_factories.rb +20 -19
- data/lib/conjur/{cast.rb → api/ldap_sync.rb} +14 -17
- data/lib/conjur/api/resources.rb +15 -19
- data/lib/conjur/api/router/v5.rb +39 -7
- data/lib/conjur/base_object.rb +18 -20
- data/lib/conjur/build_object.rb +19 -21
- data/lib/conjur/cert_utils.rb +16 -0
- data/lib/conjur/configuration.rb +2 -8
- data/lib/conjur/has_attributes.rb +6 -3
- data/lib/conjur/id.rb +22 -19
- data/lib/conjur/role_grant.rb +13 -18
- data/spec/api/host_factories_spec.rb +34 -0
- data/spec/base_object_spec.rb +14 -0
- data/spec/cert_utils_spec.rb +92 -0
- data/spec/id_spec.rb +29 -0
- data/spec/ldap_sync_spec.rb +21 -0
- data/spec/spec_helper.rb +3 -0
- data/spec/uri_escape_spec.rb +14 -2
- data/test.sh +23 -1
- metadata +34 -12
- data/LICENSE.md +0 -195
- data/spec/cast_spec.rb +0 -21
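--- /dev/null
+++ b/data/SECURITY.md
@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+* [Reporting a Bug](#reporting-a-bug)
+* [Disclosure Policy](#disclosure-policy)
+* [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+* Confirm the problem and determine the affected versions.
+* Audit code to find any potential similar problems.
+* Prepare fixes for all releases still under maintenance. These fixes will be
+released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.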
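--- a/data/conjur-api.gemspec
+++ b/data/conjur-api.gemspec
@@ -18,10 +18,13 @@ Gem::Specification.new do |gem|
 
 gem.required_ruby_version = '>= 1.9'
 
+# Filter out development only executables
+gem.executables -= %w{parse-changelog.sh}
+
 gem.add_dependency 'rest-client'
 gem.add_dependency 'activesupport'
 
-gem.add_development_dependency 'rake', '
+gem.add_development_dependency 'rake', '>= 12.3.3'
 gem.add_development_dependency 'rspec', '~> 3'
 gem.add_development_dependency 'rspec-expectations', '~> 3.4'
 gem.add_development_dependency 'json_spec'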
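Review bot: The unchanged context line `gem.required_ruby_version = '>= 1.9'` is now inconsistent with the code this release adds: `authenticator_enable authenticator, id, account: Conjur.configuration.account` and `ldap_sync_policy config_name: 'default'` use keyword arguments with defaults, which need Ruby 2.0 or later, and the new `rake >= 12.3.3` floor is itself a 2.x-era release. As written the gem installs on a 1.9 interpreter that then fails to load the new API files. Either raise the floor, `gem.required_ruby_version = '>= 2.0'`, or drop the keyword arguments from the new methods. The `Gem::Specification.new do |gem|` block begins before this hunk.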
data/docker-compose.yml
CHANGED
@@ -27,6 +27,7 @@ services:
|
|
27
27
|
volumes:
|
28
28
|
- ./spec/reports:/src/conjur-api/spec/reports
|
29
29
|
- ./features/reports:/src/conjur-api/features/reports
|
30
|
+
- ./coverage:/src/conjur-api/coverage
|
30
31
|
- authn_local_5:/run/authn-local-5
|
31
32
|
environment:
|
32
33
|
CONJUR_APPLIANCE_URL: http://conjur_5
|
@@ -38,6 +39,7 @@ services:
|
|
38
39
|
volumes:
|
39
40
|
- ./features_v4/reports:/src/conjur-api/features_v4/reports
|
40
41
|
- ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
|
42
|
+
- ./coverage_v4:/src/conjur-api/coverage
|
41
43
|
- authn_local_4:/run/authn-local-4
|
42
44
|
environment:
|
43
45
|
CONJUR_APPLIANCE_URL: https://conjur_4/api
|
@@ -0,0 +1,33 @@
|
|
1
|
+
Feature: List and manage authenticators
|
2
|
+
|
3
|
+
Background:
|
4
|
+
Given I run the code:
|
5
|
+
"""
|
6
|
+
$conjur.load_policy 'root', <<-POLICY
|
7
|
+
- !webservice conjur/authn-k8s/my-auth
|
8
|
+
POLICY
|
9
|
+
"""
|
10
|
+
|
11
|
+
Scenario: Authenticator list includes the authenticator status
|
12
|
+
When I run the code:
|
13
|
+
"""
|
14
|
+
$conjur.authenticator_list
|
15
|
+
"""
|
16
|
+
Then the JSON should have "installed"
|
17
|
+
And the JSON should have "configured"
|
18
|
+
And the JSON should have "enabled"
|
19
|
+
And the JSON at "enabled" should be ["authn"]
|
20
|
+
|
21
|
+
Scenario: Enable and disable authenticator
|
22
|
+
When I run the code:
|
23
|
+
"""
|
24
|
+
$conjur.authenticator_enable("authn-k8s", "my-auth")
|
25
|
+
$conjur.authenticator_list
|
26
|
+
"""
|
27
|
+
Then the JSON at "enabled" should be ["authn", "authn-k8s/my-auth"]
|
28
|
+
When I run the code:
|
29
|
+
"""
|
30
|
+
$conjur.authenticator_disable("authn-k8s", "my-auth")
|
31
|
+
$conjur.authenticator_list
|
32
|
+
"""
|
33
|
+
Then the JSON at "enabled" should be ["authn"]
|
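Review bot: Both scenarios exercise only the success path: the Background loads `conjur/authn-k8s/my-auth` and the second scenario enables and disables exactly that service, so nothing checks what `authenticator_enable` does for a service id that is not in policy or for a caller without permission. Since enabling an authenticator widens who can log in, a third scenario that calls `$conjur.authenticator_enable("authn-k8s", "not-in-policy")` and asserts the call fails and that `$conjur.authenticator_list` still reports `["authn"]` under `enabled` would pin that behaviour. The scenarios also rely on the disable step restoring state for later scenarios; if the enable step fails midway the enabled set leaks into them.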
data/features/support/env.rb
CHANGED
@@ -5,8 +5,8 @@ Feature: Change a user's password.
|
|
5
5
|
Scenario: A user can set/change her password using the current API key.
|
6
6
|
When I run the code:
|
7
7
|
"""
|
8
|
-
Conjur::API.update_password @user_id, @user_api_key, '
|
9
|
-
@new_api_key = Conjur::API.login @user_id, '
|
8
|
+
Conjur::API.update_password @user_id, @user_api_key, 'SEcret12!!!!'
|
9
|
+
@new_api_key = Conjur::API.login @user_id, 'SEcret12!!!!'
|
10
10
|
"""
|
11
11
|
Then I can run the code:
|
12
12
|
"""
|
data/features_v4/support/env.rb
CHANGED
data/lib/conjur-api/version.rb
CHANGED
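--- a/data/lib/conjur/acts_as_role.rb
+++ b/data/lib/conjur/acts_as_role.rb
@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-#
-#
-#
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-#
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+# http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 module Conjur
 
 # This module provides methods for things that have an associated {Conjur::Role}.
@@ -100,7 +96,7 @@ module Conjur
 end
 if filter = options.delete(:filter)
 filter = [filter] unless filter.is_a?(Array)
-options["filter"] = filter.map
+options["filter"] = filter.map(&Id.method(:new))
 end
 
 result = JSON.parse(rbac_role_resource[options_querystring options].get)
@@ -143,4 +139,4 @@ module Conjur
 url_for(:roles_role, credentials, id)
 end
 end
-end
+end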
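Review bot: `options["filter"] = filter.map(&Id.method(:new))` at new line 99 calls `Id.new` on every filter element unconditionally, whereas the `Conjur::Cast` helper removed elsewhere in this diff passed an existing `Id` through untouched, joined an `Array` element with `':'` and raised for anything else. Whether a caller that passes `Id` instances or `[account, kind, identifier]` arrays still gets the same query string therefore depends on the `Id.new` changes in id.rb, which are not in view here. A spec that feeds one `Id` and one array element through this filter and asserts the resulting `options["filter"]` would pin the contract either way. The enclosing method starts before this hunk, so its name and documented `filter` type are not visible.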
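--- a/data/lib/conjur/api.rb
+++ b/data/lib/conjur/api.rb
@@ -34,6 +34,7 @@ require 'conjur/acts_as_rolsource'
 require 'conjur/acts_as_user'
 require 'conjur/log_source'
 require 'conjur/has_attributes'
+require 'conjur/api/authenticators'
 require 'conjur/api/authn'
 require 'conjur/api/roles'
 require 'conjur/api/resources'
@@ -41,6 +42,7 @@ require 'conjur/api/pubkeys'
 require 'conjur/api/variables'
 require 'conjur/api/policies'
 require 'conjur/api/host_factories'
+require 'conjur/api/ldap_sync'
 require 'conjur/host'
 require 'conjur/group'
 require 'conjur/variable'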
@@ -0,0 +1,35 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'conjur/webservice'
|
4
|
+
|
5
|
+
module Conjur
|
6
|
+
# API contains each of the methods for access the Conjur API endpoints
|
7
|
+
#-- :reek:DataClump for authenticator identifier fields (name, id, account)
|
8
|
+
class API
|
9
|
+
# @!group Authenticators
|
10
|
+
|
11
|
+
# List all configured authenticators
|
12
|
+
def authenticator_list
|
13
|
+
JSON.parse(url_for(:authenticators).get)
|
14
|
+
end
|
15
|
+
|
16
|
+
# Enables an authenticator in Conjur. The authenticator must be defined and
|
17
|
+
# loaded in Conjur policy prior to enabling it.
|
18
|
+
#
|
19
|
+
# @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
|
20
|
+
# @param [String] id the service ID of the authenticator to enable
|
21
|
+
def authenticator_enable authenticator, id, account: Conjur.configuration.account
|
22
|
+
url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
|
23
|
+
end
|
24
|
+
|
25
|
+
# Disables an authenticator in Conjur.
|
26
|
+
#
|
27
|
+
# @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
|
28
|
+
# @param [String] id the service ID of the authenticator to disable
|
29
|
+
def authenticator_disable authenticator, id, account: Conjur.configuration.account
|
30
|
+
url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
|
31
|
+
end
|
32
|
+
|
33
|
+
# @!endgroup
|
34
|
+
end
|
35
|
+
end
|
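Review bot: `require 'conjur/webservice'` at new line 3 is unused — nothing in this file references a `Webservice` — so it should be removed or the intended use added. The docstring `# List all configured authenticators` undersells `authenticator_list`: the feature scenario in this same diff asserts the response carries `installed`, `configured` and `enabled` keys, so `# Returns the parsed JSON of installed, configured and enabled authenticators` with `# @return [Hash]` would state the contract, and `authenticator_enable`/`authenticator_disable` are missing `@param [String] account` and `@return` tags. Note also that the router builds `url_for(:authenticators)` without credentials while `url_for(:authenticator, ...)` carries them, so the list call appears to be deliberately unauthenticated; a one-line comment saying so would stop a reader from "fixing" it by adding `credentials`.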
@@ -1,23 +1,19 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2013-2018 CyberArk Ltd.
|
1
4
|
#
|
2
|
-
#
|
3
|
-
#
|
4
|
-
#
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
13
8
|
#
|
14
|
-
#
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
9
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
20
10
|
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
21
17
|
require 'conjur/host_factory'
|
22
18
|
|
23
19
|
module Conjur
|
@@ -40,9 +36,14 @@ module Conjur
|
|
40
36
|
# @return [Host]
|
41
37
|
def host_factory_create_host token, id, options = {}
|
42
38
|
token = token.token if token.is_a?(HostFactoryToken)
|
43
|
-
response = url_for(:host_factory_create_host, token)
|
39
|
+
response = url_for(:host_factory_create_host, token)
|
40
|
+
.post(options.merge(id: id)).body
|
41
|
+
|
44
42
|
attributes = JSON.parse(response)
|
45
|
-
|
43
|
+
# in v4 'id' is just the identifier
|
44
|
+
host_id = attributes['roleid'] || attributes['id']
|
45
|
+
|
46
|
+
Host.new(host_id, {}).tap do |host|
|
46
47
|
host.attributes = attributes
|
47
48
|
end
|
48
49
|
end
|
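Review bot: `host_id = attributes['roleid'] || attributes['id']` at new line 44 falls through to `nil` when the response carries neither key, and `Host.new(host_id, {})` is then built silently, so a server contract mismatch surfaces later and far from the HTTP call. Failing here, `host_id = attributes['roleid'] || attributes['id'] || raise("host factory response has neither 'roleid' nor 'id'")`, keeps the cause next to the request. The comment `# in v4 'id' is just the identifier` explains the fallback but not the first choice; if `roleid` is the fully qualified v5 form, the comment should say that, since the precedence only makes sense with it. `host_factory_create_host` opens at new line 37 inside the hunk, but its enclosing class is outside it.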
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright 2013-
|
2
|
+
# Copyright 2013-2018 Conjur Inc
|
3
3
|
#
|
4
4
|
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
5
|
# this software and associated documentation files (the "Software"), to deal in
|
@@ -20,22 +20,19 @@
|
|
20
20
|
#
|
21
21
|
|
22
22
|
module Conjur
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
#
|
23
|
+
class API
|
24
|
+
|
25
|
+
# Retrieve the policy for the given LDAP sync
|
26
|
+
# configuration. Configurations created through the Conjur UI are
|
27
|
+
# named +default+, so the default value of +config_name+ can be
|
28
|
+
# used.
|
29
|
+
#
|
30
|
+
# For details on the use of LDAP sync, see
|
31
|
+
# https://developer.conjur.net/reference/services/ldap_sync/ .
|
27
32
|
#
|
28
|
-
# @param
|
29
|
-
def
|
30
|
-
|
31
|
-
obj
|
32
|
-
elsif obj.is_a?(Array)
|
33
|
-
obj.join(':')
|
34
|
-
else
|
35
|
-
raise "I don't know how to cast a #{obj.class} to an id"
|
36
|
-
end
|
37
|
-
result = Id.new(result) unless result.is_a?(Id)
|
38
|
-
result
|
33
|
+
# @param [String] config_name the name of the LDAP sync configuration.
|
34
|
+
def ldap_sync_policy config_name: 'default'
|
35
|
+
JSON.parse(url_for(:ldap_sync_policy, credentials, config_name).get)
|
39
36
|
end
|
40
37
|
end
|
41
|
-
end
|
38
|
+
end
|
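Review bot: The header kept in this file (`# Copyright 2013-2018 Conjur Inc` followed by the MIT permission text) does not match the other Ruby files in this release, which moved to the Apache 2.0 header and gained `# frozen_string_literal: true`; given the file was renamed from `cast.rb` and its body fully replaced, it presumably should follow the same convention. `ldap_sync_policy` documents `config_name` but not its result; `# @return [Hash] the parsed LDAP sync policy` would complete the YARD block. The `class API` opened at new line 23 closes inside the hunk, so this is the whole new body.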
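--- a/data/lib/conjur/api/resources.rb
+++ b/data/lib/conjur/api/resources.rb
@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-#
-#
-#
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-#
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+# http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/resource'
 
 module Conjur
@@ -27,8 +23,8 @@ module Conjur
 
 #@!group Resources
 
-# Find a resource by
-#
+# Find a resource by its id.
+# @note The id given to this method must be fully qualified.
 #
 # ### Permissions
 #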
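--- a/data/lib/conjur/api/router/v5.rb
+++ b/data/lib/conjur/api/router/v5.rb
@@ -1,10 +1,29 @@
+# frozen_string_literal: true
+
+# Copyright 2017-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# rubocop:disable Metrics/ModuleLength
 module Conjur
 class API
 module Router
+# V5 translates method arguments to rest-ful API request parameters.
+# because of this, most of the methods suffer from :reek:LongParameterList:
+# and :reek:UtilityFunction:
 module V5
 extend Conjur::Escape::ClassMethods
 extend Conjur::QueryString
-extend Conjur::Cast
 extend self
 
 def authn_login account, username, password
@@ -15,6 +34,14 @@ module Conjur
 RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate']
 end
 
+def authenticator account, authenticator, service_id, credentials
+RestClient::Resource.new(Conjur.configuration.core_url, credentials)[fully_escape authenticator][fully_escape service_id][fully_escape account]
+end
+
+def authenticators
+RestClient::Resource.new(Conjur.configuration.core_url)['authenticators']
+end
+
 # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
 def authn_authenticate_local username, account, expiration, cidr, &block
 { account: account, sub: username }.tap do |params|
@@ -28,7 +55,7 @@ module Conjur
 end
 
 def authn_rotate_api_key credentials, account, id
-RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][
+RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][fully_escape account]["api_key?role=#{id}"]
 end
 
 def authn_rotate_own_api_key account, username, password
@@ -51,18 +78,18 @@ module Conjur
 end
 
 def policies_load_policy credentials, account, id
-RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][
+RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][fully_escape account]['policy'][fully_escape id]
 end
 
 def public_keys_for_user account, username
-RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][
+RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][fully_escape username]
 end
 
 def resources credentials, account, kind, options
 credentials ||= {}
 
-path = "/resources/#{
-path += "/#{
+path = "/resources/#{fully_escape account}"
+path += "/#{fully_escape kind}" if kind
 
 RestClient::Resource.new(Conjur.configuration.core_url, credentials)[path][options_querystring options]
 end
@@ -82,7 +109,7 @@ module Conjur
 options = {}
 options[:check] = true
 options[:privilege] = privilege
-options[:role] =
+options[:role] = query_escape(Id.new(role)) if role
 resources_resource(credentials, id)[options_querystring options].get
 end
 
@@ -139,6 +166,10 @@ module Conjur
 end
 end
 
+def ldap_sync_policy(credentials, config_name)
+RestClient::Resource.new(Conjur.configuration.core_url, credentials)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
+end
+
 private
 
 def resource_annotations resource
@@ -148,3 +179,4 @@ module Conjur
 end
 end
 end
+# rubocop:enable Metrics/ModuleLength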
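Review bot: `"api_key?role=#{id}"` in `authn_rotate_api_key` (new line 58) and `"policy?config_name=#{fully_escape(config_name)}"` in `ldap_sync_policy` (new line 170) escape query-string values inconsistently with the rest of the module: the first interpolates `id` raw while escaping `account` on the same line, and the second uses `fully_escape`, the path-segment escaper this module applies to `account`, `kind` and `username`, whereas the `options[:role] = query_escape(Id.new(role)) if role` line at new line 112 uses `query_escape` for a query value. A value containing `&`, `#` or `+` would then change the request instead of being carried as data; `"api_key?role=#{query_escape id}"` and `"policy?config_name=#{query_escape config_name}"` would make all three agree, unless `fully_escape` and `query_escape` are equivalent for these inputs. `ldap_sync_policy(credentials, config_name)` is also the only method in the module defined with parentheses; `def ldap_sync_policy credentials, config_name` matches its neighbours.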