conjur-api 5.2.1 → 5.3.4

Files changed (60) hide show
  1. checksums.yaml +4 -4
  2. data/.codeclimate.yml +10 -0
  3. data/.github/CODEOWNERS +10 -0
  4. data/.github/ISSUE_TEMPLATE/bug.md +42 -0
  5. data/.github/ISSUE_TEMPLATE/feature_request.md +27 -0
  6. data/.github/PULL_REQUEST_TEMPLATE.md +21 -0
  7. data/.gitignore +1 -0
  8. data/.gitleaks.toml +219 -0
  9. data/.overcommit.yml +16 -0
  10. data/.rubocop.yml +3 -0
  11. data/.rubocop_settings.yml +86 -0
  12. data/.rubocop_todo.yml +709 -0
  13. data/CHANGELOG.md +358 -177
  14. data/CONTRIBUTING.md +141 -0
  15. data/Gemfile +1 -1
  16. data/Jenkinsfile +27 -29
  17. data/LICENSE +202 -0
  18. data/README.md +19 -126
  19. data/SECURITY.md +42 -0
  20. data/bin/parse-changelog.sh +12 -0
  21. data/ci/codeclimate.dockerfile +6 -0
  22. data/conjur-api.gemspec +4 -1
  23. data/docker-compose.yml +2 -0
  24. data/features/authenticators.feature +33 -0
  25. data/features/host.feature +39 -9
  26. data/features/step_definitions/api_steps.rb +14 -3
  27. data/features/step_definitions/policy_steps.rb +40 -0
  28. data/features/support/env.rb +2 -0
  29. data/features/update_password.feature +2 -2
  30. data/features/user.feature +47 -6
  31. data/features_v4/support/env.rb +2 -0
  32. data/lib/conjur-api/version.rb +2 -2
  33. data/lib/conjur/acts_as_role.rb +15 -19
  34. data/lib/conjur/acts_as_user.rb +5 -1
  35. data/lib/conjur/api.rb +2 -0
  36. data/lib/conjur/api/authenticators.rb +35 -0
  37. data/lib/conjur/api/host_factories.rb +20 -19
  38. data/lib/conjur/{cast.rb → api/ldap_sync.rb} +14 -17
  39. data/lib/conjur/api/resources.rb +17 -21
  40. data/lib/conjur/api/router/v5.rb +39 -7
  41. data/lib/conjur/base.rb +19 -5
  42. data/lib/conjur/base_object.rb +31 -26
  43. data/lib/conjur/build_object.rb +13 -20
  44. data/lib/conjur/cert_utils.rb +14 -0
  45. data/lib/conjur/configuration.rb +1 -7
  46. data/lib/conjur/has_attributes.rb +6 -3
  47. data/lib/conjur/id.rb +22 -19
  48. data/lib/conjur/role_grant.rb +13 -18
  49. data/spec/api/host_factories_spec.rb +34 -0
  50. data/spec/api_spec.rb +55 -6
  51. data/spec/base_object_spec.rb +13 -0
  52. data/spec/cert_utils_spec.rb +92 -0
  53. data/spec/id_spec.rb +29 -0
  54. data/spec/ldap_sync_spec.rb +21 -0
  55. data/spec/spec_helper.rb +3 -0
  56. data/spec/uri_escape_spec.rb +14 -2
  57. data/test.sh +23 -1
  58. metadata +34 -12
  59. data/LICENSE.md +0 -195
  60. data/spec/cast_spec.rb +0 -21
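--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: e48184760d9c40ab8a43ffeb451c3f733ba23cbe0cdb364efd13ac6183b68055
-data.tar.gz: e31f3fee9f4f75038da1b3ad3ffcad72e5005c758b2fc1fc52cf00e0bc9deff1
+metadata.gz: 476ea2f5b5e2a375363e03e6c4659f5a425837b5e3036f41ae5aea208c56f781
+data.tar.gz: 973be7e50f9a8a86c78770125723e42460e2264ceb7d71823fbd5d4962a31195
 SHA512:
-metadata.gz: 7a215e37eda9fb96db4c2554d02fd88a862b7a34865fad86c080314b217bca494b88a0a3b431f49f6b06476c3bd17ab0ed6c678db7ab42c7c5310936fde75361
-data.tar.gz: 2b381514ef1d02855e6ce96b635738b7ee0bcfc7b12367eca924d8e1cade02d45ebc8f8911cdd7d98b030d772d16b217859badc5885cc37d370829288b52f843
+metadata.gz: 5c1cb2ded26fe6dfd44992ef4a81e5e71a01551f2874c1045a66fb556da05b55268cceef5124323dfbe14c7e032da3382e0d48cf21732a443a3c52e70af53b38
+data.tar.gz: 58e061632c5c072134f5d2a23dab0103d73790750c054d5f6167ee0fa239598908130fc921aa3f74b9f57a93ced1092ec6165b55ae54728b3e16114baca486f1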
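--- a/data/.codeclimate.yml
+++ b/data/.codeclimate.yml
@@ -0,0 +1,10 @@
+plugins:
+rubocop:
+enabled: true
+channel: rubocop-0-76
+reek:
+enabled: true
+brakeman:
+enabled: false
+shellcheck:
+enabled: true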
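--- a/data/.github/CODEOWNERS
+++ b/data/.github/CODEOWNERS
@@ -0,0 +1,10 @@
+* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team
+
+# Changes to .trivyignore require Security Architect approval
+.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+
+# Changes to .codeclimate.yml require Quality Architect approval
+.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
+
+# Changes to SECURITY.md require Security Architect approval
+SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects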
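Review bot: `.gitleaks.toml`, added in this same release, gets no security-architect owner while `.trivyignore` and `SECURITY.md` do; its `[whitelist]` section can silently exempt files and strings from secret scanning, so it deserves the same gate: `# Changes to .gitleaks.toml require Security Architect approval` followed by `.gitleaks.toml @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects`. The `.trivyignore` entry refers to a file the diffstat does not show being added, so it may be a forward reference; harmless, but a short comment saying the file is expected later would stop a reader from treating the rule as dead.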
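--- a/data/.github/ISSUE_TEMPLATE/bug.md
+++ b/data/.github/ISSUE_TEMPLATE/bug.md
@@ -0,0 +1,42 @@
+---
+name: Bug
+about: Create a bug report to help us improve
+title: ''
+labels: component/api/ruby, kind/bug
+assignees: ''
+
+---
+
+## Summary
+A clear and concise description of what the bug is.
+
+## Steps to Reproduce
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+## Expected Results
+A clear and concise description of what you expected to happen.
+
+## Actual Results (including error logs, if applicable)
+A clear and concise description of what actually did happen.
+
+## Reproducible
+* [ ] Always
+* [ ] Sometimes
+* [ ] Non-Reproducible
+
+## Version/Tag number
+What version of the product are you running? Any version info that you can share is helpful.
+For example, you might give the version from Docker logs, the Docker tag, a specific download URL,
+the output of the `/info` route, etc.
+
+## Environment setup
+Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud?
+Which cloud provider? Which container orchestrator (including version)?
+The more info you can share about your runtime environment, the better we may be able to reproduce the issue.
+
+## Additional Information
+Add any other context about the problem here.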
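--- a/data/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/data/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,27 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: kind/enhancement, component/api/ruby
+assignees: ''
+
+---
+
+## Is your feature request related to a problem? Please describe.
+
+A clear and concise description of what the problem is. Ex. `I would like to see [...] because [...]`.
+Please include the intended use case and what the feature would improve on so that we can prioritize
+the feature accordingly.
+
+## Describe the solution you would like
+
+A clear and concise description of what the desired end result(s) would be.
+
+## Describe alternatives you have considered
+
+A clear and concise description of any alternative solutions or features that may be related to this that
+you have considered.
+
+## Additional context
+
+Add any other context information about the feature request here.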
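--- a/data/.github/PULL_REQUEST_TEMPLATE.md
+++ b/data/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,21 @@
+### What does this PR do?
+- _What's changed? Why were these changes made?_
+- _How should the reviewer approach this PR, especially if manual tests are required?_
+- _Are there relevant screenshots you can add to the PR description?_
+
+### What ticket does this PR close?
+Connected to #[relevant GitHub issues, eg 76]
+
+### Checklists
+
+#### Change log
+- [ ] The CHANGELOG has been updated, or
+- [ ] This PR does not include user-facing changes and doesn't require a CHANGELOG update
+
+#### Test coverage
+- [ ] This PR includes new unit and integration tests to go with the code changes, or
+- [ ] The changes in this PR do not require tests
+
+#### Documentation
+- [ ] Docs (e.g. `README`s) were updated in this PR, and/or there is a follow-on issue to update docs, or
+- [ ] This PR does not require updating any documentation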
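--- a/data/.gitignore
+++ b/data/.gitignore
@@ -12,6 +12,7 @@ Gemfile.lock
 InstalledFiles
 _yardoc
 coverage
+coverage_v4
 doc/
 lib/bundler/man
 pkg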
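--- a/data/.gitleaks.toml
+++ b/data/.gitleaks.toml
@@ -0,0 +1,219 @@
+title = "Secretless Broker gitleaks config"
+
+# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
+# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+[[rules]]
+description = "AWS Client ID"
+regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS MWS key"
+regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+description = "PKCS8"
+regex = '''-----BEGIN PRIVATE KEY-----'''
+tags = ["key", "PKCS8"]
+
+[[rules]]
+description = "RSA"
+regex = '''-----BEGIN RSA PRIVATE KEY-----'''
+tags = ["key", "RSA"]
+
+[[rules]]
+description = "SSH"
+regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
+tags = ["key", "SSH"]
+
+[[rules]]
+description = "PGP"
+regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
+tags = ["key", "PGP"]
+
+[[rules]]
+description = "Facebook Secret Key"
+regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook Client ID"
+regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook access token"
+regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Twitter Secret Key"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+tags = ["key", "Twitter"]
+
+[[rules]]
+description = "Twitter Client ID"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "Github"
+regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+tags = ["key", "Github"]
+
+[[rules]]
+description = "LinkedIn Client ID"
+regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "LinkedIn Secret Key"
+regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+tags = ["secret", "Twitter"]
+
+[[rules]]
+description = "Slack"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
+
+[[rules]]
+description = "EC"
+regex = '''-----BEGIN EC PRIVATE KEY-----'''
+tags = ["key", "EC"]
+
+[[rules]]
+description = "Generic API key"
+regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "API", "generic"]
+
+[[rules]]
+description = "Generic Secret"
+regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "Secret", "generic"]
+
+[[rules]]
+description = "Google API key"
+regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+tags = ["key", "Google"]
+
+[[rules]]
+description = "Google Cloud Platform API key"
+regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
+tags = ["key", "Google", "GCP"]
+
+[[rules]]
+description = "Google OAuth"
+regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Google OAuth access token"
+regex = '''ya29\.[0-9A-Za-z\-_]+'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Heroku API key"
+regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+tags = ["key", "Heroku"]
+
+[[rules]]
+description = "MailChimp API key"
+regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+tags = ["key", "Mailchimp"]
+
+[[rules]]
+description = "Mailgun API key"
+regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+tags = ["key", "Mailgun"]
+
+[[rules]]
+description = "Password in URL"
+regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
+tags = ["key", "URL", "generic"]
+
+[[rules]]
+description = "PayPal Braintree access token"
+regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+tags = ["key", "Paypal"]
+
+[[rules]]
+description = "Picatic API key"
+regex = '''sk_live_[0-9a-z]{32}'''
+tags = ["key", "Picatic"]
+
+[[rules]]
+description = "Slack Webhook"
+regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+tags = ["key", "slack"]
+
+[[rules]]
+description = "Stripe API key"
+regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+tags = ["key", "Stripe"]
+
+[[rules]]
+description = "Square access token"
+regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Square OAuth secret"
+regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Twilio API key"
+regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "twilio"]
+
+[whitelist]
+files = [
+# "(.*?)(jpg|gif|doc|pdf|bin)$",
+".gitleaks.toml",
+"spec/ssl_spec.rb" # unit test file that has sample RSA key
+]
+regexes = [
+"mysql://username:password@mysql.somehost.com/mydb", # sample mysql connection string from code comment
+"http://master:master@localhost", # sample URI in unit test data
+"http://admin:%5E6feWZpr@localhost" # sample URI in unit test data
+]
+
+# Additional Examples
+
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = [
+# "4.1-4.3",
+# "5.5-6.3",
+# ]
+# entropyROI = "line"
+# filetypes = [".go", ".py", ".c"]
+# tags = ["key"]
+# severity = "8"
+#
+#
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = ["4.1-4.3"]
+# filetypes = [".gee"]
+# entropyROI = "line"
+# tags = ["key"]
+# severity = "medium"
+
+# [[rules]]
+# description = "Any pem file"
+# filetypes = [".key"]
+# tags = ["pem"]
+# severity = "high"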
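Review bot: Two rules cannot match the tokens they describe: `Google Cloud Platform API key` wraps its key pattern in square brackets (`['\"][AIza[0-9a-z\\-_]{35}]['\"]`), which RE2 reads as a 35-fold character class followed by a literal `]`, and `Stripe API key` uses `[sk|rk]_live_`, a one-character class that rejects a quoted `sk_live_…` at its second character; the intended forms are `['\"]AIza[0-9a-z\-_]{35}['\"]` and `['\"](sk|rk)_live_[0-9a-zA-Z]{24}`. In the `Google API key` and `Square OAuth secret` rules the class ends in `\\-_` inside a TOML literal string, so the engine sees an escaped backslash followed by a `\`–`_` range rather than a literal dash, and keys containing `-` are missed; `[0-9A-Za-z\-_]`, as the `Google OAuth access token` rule already spells it, is the form to use. `LinkedIn Client ID` and `LinkedIn Secret Key` carry `"Twitter"` tags and the title still reads `"Secretless Broker gitleaks config"`, which look like copy-paste leftovers from the repository this file was taken from. The `[whitelist]` exempts `spec/ssl_spec.rb`, which the diffstat does not list while `spec/cert_utils_spec.rb` is added with 92 lines; if the sample key now lives there the exemption is dead and that spec will be flagged, so confirm the path. The `['|"]` quote classes in the two generic rules include a literal `|` that does nothing but mislead; `['"]` is what the later rules use.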
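--- a/data/.overcommit.yml
+++ b/data/.overcommit.yml
@@ -0,0 +1,16 @@
+PreCommit:
+ALL:
+problem_on_unmodified_line: warn
+
+RuboCop:
+enabled: true
+flags: [
+'--format=emacs', '--force-exclusion', '--display-cop-names',
+'-c', '.rubocop_settings.yml']
+
+Reek:
+enabled: true
+flags: [
+'--single-line', '--no-color',
+'-c', '/dev/null']
+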
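--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -0,0 +1,3 @@
+inherit_from:
+- .rubocop_settings.yml
+- .rubocop_todo.yml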
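--- a/data/.rubocop_settings.yml
+++ b/data/.rubocop_settings.yml
@@ -0,0 +1,86 @@
+AllCops:
+TargetRubyVersion: 2.5
+
+# These non-default settings best reflect our current code style.
+Style/MethodDefParentheses:
+EnforcedStyle: require_no_parentheses_except_multiline
+Style/PercentLiteralDelimiters:
+PreferredDelimiters:
+"%i": ()
+"%w": ()
+Style/RescueStandardError:
+EnforcedStyle: implicit
+Style/AndOr:
+EnforcedStyle: conditionals
+Layout/IndentHeredoc:
+EnforcedStyle: squiggly
+Layout/MultilineMethodCallBraceLayout:
+EnforcedStyle: symmetrical
+Layout/SpaceAroundBlockParameters:
+EnforcedStyleInsidePipes: no_space
+Layout/SpaceAroundEqualsInParameterDefault:
+EnforcedStyle: space
+Layout/SpaceBeforeBlockBraces:
+EnforcedStyle: space
+EnforcedStyleForEmptyBraces: space
+Layout/SpaceInsideBlockBraces:
+EnforcedStyle: space
+EnforcedStyleForEmptyBraces: no_space
+SpaceBeforeBlockParameters: true
+Layout/SpaceInsideHashLiteralBraces:
+EnforcedStyle: space
+EnforcedStyleForEmptyBraces: no_space
+Layout/SpaceInsideParens:
+EnforcedStyle: no_space
+Layout/SpaceInsideReferenceBrackets:
+EnforcedStyle: no_space
+EnforcedStyleForEmptyBrackets: no_space
+Layout/TrailingBlankLines:
+EnforcedStyle: final_newline
+Style/BarePercentLiterals:
+EnforcedStyle: percent_q
+
+# Either style of these arguably has its place depending on the context.
+Style/FormatStringToken:
+Enabled: false
+Style/LambdaCall:
+Enabled: false
+Style/StringLiterals:
+Enabled: false
+Layout/SpaceInsideArrayLiteralBrackets:
+Enabled: false
+# However, these score at comparatively fewer offences, so I'll
+# leave it here in case we want to enforce a style after all.
+EnforcedStyle: no_space
+EnforcedStyleForEmptyBrackets: no_space
+
+# The default configuration of these makes it hard to use proportional fonts.
+Layout/MultilineMethodCallIndentation:
+EnforcedStyle: indented
+Layout/AlignParameters:
+EnforcedStyle: with_fixed_indentation
+Layout/EndAlignment:
+EnforcedStyleAlignWith: start_of_line
+Layout/ExtraSpacing:
+AllowForAlignment: false
+Layout/IndentFirstArgument:
+EnforcedStyle: consistent
+Layout/IndentFirstHashElement:
+EnforcedStyle: consistent
+Layout/MultilineMethodCallIndentation:
+EnforcedStyle: indented
+Layout/MultilineOperationIndentation:
+EnforcedStyle: indented
+Layout/SpaceAroundOperators:
+AllowForAlignment: false
+Layout/SpaceBeforeFirstArg:
+AllowForAlignment: false
+
+Metrics/BlockLength:
+CountComments: false
+Max: 25
+Exclude:
+- 'Rakefile'
+- '**/*.rake'
+- 'spec/**/*.rb'
+- 'conjur-api.gemspec'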
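Review bot: `Layout/MultilineMethodCallIndentation` is declared twice in this file — once in the "current code style" group and again in the proportional-fonts group, both with `EnforcedStyle: indented`; YAML keeps the last mapping key, so it is harmless today but the two copies will diverge silently if only one is edited, and the first one should be dropped. Several cop names here (`Layout/IndentHeredoc`, `Layout/AlignParameters`, `Layout/IndentFirstArgument`, `Layout/IndentFirstHashElement`, `Layout/TrailingBlankLines`) are the spellings that RuboCop renamed in 0.77, which is consistent with the `rubocop-0-76` channel pinned in `.codeclimate.yml` but not recorded anywhere; a header comment such as `# Cop names follow RuboCop 0.76 (the Code Climate channel); several were renamed in 0.77+` would save the next upgrader a round of warnings. `Metrics/BlockLength` is the only group without a leading comment explaining why it departs from the default, unlike the three groups above it.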