conjur-api 5.2.1 → 5.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e48184760d9c40ab8a43ffeb451c3f733ba23cbe0cdb364efd13ac6183b68055
-  data.tar.gz: e31f3fee9f4f75038da1b3ad3ffcad72e5005c758b2fc1fc52cf00e0bc9deff1
+  metadata.gz: 476ea2f5b5e2a375363e03e6c4659f5a425837b5e3036f41ae5aea208c56f781
+  data.tar.gz: 973be7e50f9a8a86c78770125723e42460e2264ceb7d71823fbd5d4962a31195
 SHA512:
-  metadata.gz: 7a215e37eda9fb96db4c2554d02fd88a862b7a34865fad86c080314b217bca494b88a0a3b431f49f6b06476c3bd17ab0ed6c678db7ab42c7c5310936fde75361
-  data.tar.gz: 2b381514ef1d02855e6ce96b635738b7ee0bcfc7b12367eca924d8e1cade02d45ebc8f8911cdd7d98b030d772d16b217859badc5885cc37d370829288b52f843
+  metadata.gz: 5c1cb2ded26fe6dfd44992ef4a81e5e71a01551f2874c1045a66fb556da05b55268cceef5124323dfbe14c7e032da3382e0d48cf21732a443a3c52e70af53b38
+  data.tar.gz: 58e061632c5c072134f5d2a23dab0103d73790750c054d5f6167ee0fa239598908130fc921aa3f74b9f57a93ced1092ec6165b55ae54728b3e16114baca486f1

data/.codeclimate.yml

@@ -0,0 +1,10 @@
+plugins:
+  rubocop:
+    enabled: true
+    channel: rubocop-0-76
+  reek:
+    enabled: true
+  brakeman:
+    enabled: false
+  shellcheck:
+    enabled: true

data/.github/CODEOWNERS

@@ -0,0 +1,10 @@
+* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team
+
+# Changes to .trivyignore require Security Architect approval
+.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+
+# Changes to .codeclimate.yml require Quality Architect approval
+.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
+
+# Changes to SECURITY.md require Security Architect approval
+SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects

data/.github/ISSUE_TEMPLATE/bug.md

@@ -0,0 +1,42 @@
+---
+name: Bug
+about: Create a bug report to help us improve
+title: ''
+labels: component/api/ruby, kind/bug
+assignees: ''
+
+---
+
+## Summary
+A clear and concise description of what the bug is.
+
+## Steps to Reproduce
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+## Expected Results
+A clear and concise description of what you expected to happen.
+
+## Actual Results (including error logs, if applicable)
+A clear and concise description of what actually did happen.
+
+## Reproducible
+   * [ ] Always 
+   * [ ] Sometimes
+   * [ ] Non-Reproducible
+   
+## Version/Tag number
+What version of the product are you running? Any version info that you can share is helpful. 
+For example, you might give the version from Docker logs, the Docker tag, a specific download URL, 
+the output of the `/info` route, etc.
+
+## Environment setup
+Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud? 
+Which cloud provider? Which container orchestrator (including version)? 
+The more info you can share about your runtime environment, the better we may be able to reproduce the issue.
+
+## Additional Information
+Add any other context about the problem here.

data/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,27 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: kind/enhancement, component/api/ruby
+assignees: ''
+
+---
+
+## Is your feature request related to a problem? Please describe.
+
+A clear and concise description of what the problem is. Ex. `I would like to see [...] because [...]`.
+Please include the intended use case and what the feature would improve on so that we can prioritize
+the feature accordingly.
+
+## Describe the solution you would like
+
+A clear and concise description of what the desired end result(s) would be.
+
+## Describe alternatives you have considered
+
+A clear and concise description of any alternative solutions or features that may be related to this that
+you have considered.
+
+## Additional context
+
+Add any other context information about the feature request here.

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,21 @@
+### What does this PR do?
+- _What's changed? Why were these changes made?_
+- _How should the reviewer approach this PR, especially if manual tests are required?_
+- _Are there relevant screenshots you can add to the PR description?_
+
+### What ticket does this PR close?
+Connected to #[relevant GitHub issues, eg 76]
+
+### Checklists
+
+#### Change log
+- [ ] The CHANGELOG has been updated, or
+- [ ] This PR does not include user-facing changes and doesn't require a CHANGELOG update
+
+#### Test coverage
+- [ ] This PR includes new unit and integration tests to go with the code changes, or
+- [ ] The changes in this PR do not require tests
+
+#### Documentation
+- [ ] Docs (e.g. `README`s) were updated in this PR, and/or there is a follow-on issue to update docs, or
+- [ ] This PR does not require updating any documentation

data/.gitignore

@@ -12,6 +12,7 @@ Gemfile.lock
 InstalledFiles
 _yardoc
 coverage
+coverage_v4
 doc/
 lib/bundler/man
 pkg

data/.gitleaks.toml

@@ -0,0 +1,219 @@
+title = "Secretless Broker gitleaks config"
+
+# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
+# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+[[rules]]
+description = "AWS Client ID"
+regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS MWS key"
+regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+description = "PKCS8"
+regex = '''-----BEGIN PRIVATE KEY-----'''
+tags = ["key", "PKCS8"]
+
+[[rules]]
+description = "RSA"
+regex = '''-----BEGIN RSA PRIVATE KEY-----'''
+tags = ["key", "RSA"]
+
+[[rules]]
+description = "SSH"
+regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
+tags = ["key", "SSH"]
+
+[[rules]]
+description = "PGP"
+regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
+tags = ["key", "PGP"]
+
+[[rules]]
+description = "Facebook Secret Key"
+regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook Client ID"
+regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook access token"
+regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Twitter Secret Key"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+tags = ["key", "Twitter"]
+
+[[rules]]
+description = "Twitter Client ID"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "Github"
+regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+tags = ["key", "Github"]
+
+[[rules]]
+description = "LinkedIn Client ID"
+regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "LinkedIn Secret Key"
+regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+tags = ["secret", "Twitter"]
+
+[[rules]]
+description = "Slack"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
+
+[[rules]]
+description = "EC"
+regex = '''-----BEGIN EC PRIVATE KEY-----'''
+tags = ["key", "EC"]
+
+[[rules]]
+description = "Generic API key"
+regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "API", "generic"]
+
+[[rules]]
+description = "Generic Secret"
+regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "Secret", "generic"]
+
+[[rules]]
+description = "Google API key"
+regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+tags = ["key", "Google"]
+
+[[rules]]
+description = "Google Cloud Platform API key"
+regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
+tags = ["key", "Google", "GCP"]
+
+[[rules]]
+description = "Google OAuth"
+regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Google OAuth access token"
+regex = '''ya29\.[0-9A-Za-z\-_]+'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Heroku API key"
+regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+tags = ["key", "Heroku"]
+
+[[rules]]
+description = "MailChimp API key"
+regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+tags = ["key", "Mailchimp"]
+
+[[rules]]
+description = "Mailgun API key"
+regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+tags = ["key", "Mailgun"]
+
+[[rules]]
+description = "Password in URL"
+regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
+tags = ["key", "URL", "generic"]
+
+[[rules]]
+description = "PayPal Braintree access token"
+regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+tags = ["key", "Paypal"]
+
+[[rules]]
+description = "Picatic API key"
+regex = '''sk_live_[0-9a-z]{32}'''
+tags = ["key", "Picatic"]
+
+[[rules]]
+description = "Slack Webhook"
+regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+tags = ["key", "slack"]
+
+[[rules]]
+description = "Stripe API key"
+regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+tags = ["key", "Stripe"]
+
+[[rules]]
+description = "Square access token"
+regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Square OAuth secret"
+regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Twilio API key"
+regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "twilio"]
+
+[whitelist]
+files = [
+#  "(.*?)(jpg|gif|doc|pdf|bin)$",
+  ".gitleaks.toml",
+  "spec/ssl_spec.rb" # unit test file that has sample RSA key
+]
+regexes = [
+  "mysql://username:password@mysql.somehost.com/mydb", # sample mysql connection string from code comment
+  "http://master:master@localhost", # sample URI in unit test data
+  "http://admin:%5E6feWZpr@localhost" # sample URI in unit test data
+]
+
+# Additional Examples
+
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = [
+#     "4.1-4.3",
+#     "5.5-6.3",
+# ]
+# entropyROI = "line"
+# filetypes = [".go", ".py", ".c"]
+# tags = ["key"]
+# severity = "8"
+#
+#
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = ["4.1-4.3"]
+# filetypes = [".gee"]
+# entropyROI = "line"
+# tags = ["key"]
+# severity = "medium"
+
+# [[rules]]
+# description = "Any pem file"
+# filetypes = [".key"]
+# tags = ["pem"]
+# severity = "high"

data/.overcommit.yml

@@ -0,0 +1,16 @@
+PreCommit:
+  ALL:
+    problem_on_unmodified_line: warn
+
+  RuboCop:
+    enabled: true
+    flags: [
+      '--format=emacs', '--force-exclusion', '--display-cop-names',
+      '-c', '.rubocop_settings.yml']
+
+  Reek:
+    enabled: true
+    flags: [
+      '--single-line', '--no-color',
+      '-c', '/dev/null']
+

data/.rubocop.yml

@@ -0,0 +1,3 @@
+inherit_from:
+  - .rubocop_settings.yml
+  - .rubocop_todo.yml

data/.rubocop_settings.yml

@@ -0,0 +1,86 @@
+AllCops:
+  TargetRubyVersion: 2.5
+
+# These non-default settings best reflect our current code style.
+Style/MethodDefParentheses:
+  EnforcedStyle: require_no_parentheses_except_multiline
+Style/PercentLiteralDelimiters:
+  PreferredDelimiters:
+    "%i": ()
+    "%w": ()
+Style/RescueStandardError:
+  EnforcedStyle: implicit
+Style/AndOr:
+  EnforcedStyle: conditionals
+Layout/IndentHeredoc:
+  EnforcedStyle: squiggly
+Layout/MultilineMethodCallBraceLayout:
+  EnforcedStyle: symmetrical
+Layout/SpaceAroundBlockParameters:
+  EnforcedStyleInsidePipes: no_space
+Layout/SpaceAroundEqualsInParameterDefault:
+  EnforcedStyle: space
+Layout/SpaceBeforeBlockBraces:
+  EnforcedStyle: space
+  EnforcedStyleForEmptyBraces: space
+Layout/SpaceInsideBlockBraces:
+  EnforcedStyle: space
+  EnforcedStyleForEmptyBraces: no_space
+  SpaceBeforeBlockParameters: true
+Layout/SpaceInsideHashLiteralBraces:
+  EnforcedStyle: space
+  EnforcedStyleForEmptyBraces: no_space
+Layout/SpaceInsideParens:
+  EnforcedStyle: no_space
+Layout/SpaceInsideReferenceBrackets:
+  EnforcedStyle: no_space
+  EnforcedStyleForEmptyBrackets: no_space
+Layout/TrailingBlankLines:
+  EnforcedStyle: final_newline
+Style/BarePercentLiterals:
+  EnforcedStyle: percent_q
+
+# Either style of these arguably has its place depending on the context.
+Style/FormatStringToken:
+  Enabled: false
+Style/LambdaCall:
+  Enabled: false
+Style/StringLiterals:
+  Enabled: false
+Layout/SpaceInsideArrayLiteralBrackets:
+  Enabled: false
+  # However, these score at comparatively fewer offences, so I'll 
+  # leave it here in case we want to enforce a style after all.
+  EnforcedStyle: no_space
+  EnforcedStyleForEmptyBrackets: no_space
+
+# The default configuration of these makes it hard to use proportional fonts.
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+Layout/AlignParameters:
+  EnforcedStyle: with_fixed_indentation
+Layout/EndAlignment:
+  EnforcedStyleAlignWith: start_of_line
+Layout/ExtraSpacing:
+  AllowForAlignment: false
+Layout/IndentFirstArgument:
+  EnforcedStyle: consistent
+Layout/IndentFirstHashElement:
+  EnforcedStyle: consistent
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+Layout/MultilineOperationIndentation:
+  EnforcedStyle: indented
+Layout/SpaceAroundOperators:
+  AllowForAlignment: false
+Layout/SpaceBeforeFirstArg:
+  AllowForAlignment: false
+
+Metrics/BlockLength:
+  CountComments: false
+  Max: 25
+  Exclude:
+    - 'Rakefile'
+    - '**/*.rake'
+    - 'spec/**/*.rb'
+    - 'conjur-api.gemspec'