conjur-api 5.2.1 → 5.3.4

data/lib/conjur/api/authenticators.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'conjur/webservice'
+
+module Conjur
+  # API contains each of the methods for access the Conjur API endpoints
+  #-- :reek:DataClump for authenticator identifier fields (name, id, account)
+  class API
+    # @!group Authenticators
+
+    # List all configured authenticators
+    def authenticator_list
+      JSON.parse(url_for(:authenticators).get)
+    end
+
+    # Enables an authenticator in Conjur. The authenticator must be defined and
+    # loaded in Conjur policy prior to enabling it.
+    # 
+    # @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
+    # @param [String] id the service ID of the authenticator to enable
+    def authenticator_enable authenticator, id, account: Conjur.configuration.account
+      url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
+    end
+
+    # Disables an authenticator in Conjur.
+    # 
+    # @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
+    # @param [String] id the service ID of the authenticator to disable
+    def authenticator_disable authenticator, id, account: Conjur.configuration.account
+      url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
+    end
+
+    # @!endgroup
+  end
+end

data/lib/conjur/api/host_factories.rb

@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/host_factory'
 
 module Conjur
@@ -40,9 +36,14 @@ module Conjur
       # @return [Host]
       def host_factory_create_host token, id, options = {}
         token = token.token if token.is_a?(HostFactoryToken)
-        response = url_for(:host_factory_create_host, token).post(options.merge(id: id)).body
+        response = url_for(:host_factory_create_host, token)
+          .post(options.merge(id: id)).body
+
         attributes = JSON.parse(response)
-        Host.new(attributes['id'], {}).tap do |host|
+        # in v4 'id' is just the identifier
+        host_id = attributes['roleid'] || attributes['id']
+
+        Host.new(host_id, {}).tap do |host|
           host.attributes = attributes
         end
       end

data/lib/conjur/{cast.rb → api/ldap_sync.rb}

@@ -1,5 +1,5 @@
 #
-# Copyright 2013-2017 Conjur Inc
+# Copyright 2013-2018 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -20,22 +20,19 @@
 #
 
 module Conjur
-  module Cast
-    protected
-
-    # Convert a value to a role or resource identifier.
+  class API
+    
+    # Retrieve the policy for the given LDAP sync
+    # configuration. Configurations created through the Conjur UI are
+    # named +default+, so the default value of +config_name+ can be
+    # used.
+    #
+    # For details on the use of LDAP sync, see
+    # https://developer.conjur.net/reference/services/ldap_sync/ .
     #
-    # @param obj the value to cast
-    def cast_to_id obj
-      result =if obj.is_a?(String) || obj.is_a?(Id)
-        obj
-      elsif obj.is_a?(Array)
-        obj.join(':')
-      else
-        raise "I don't know how to cast a #{obj.class} to an id"
-      end
-      result = Id.new(result) unless result.is_a?(Id)
-      result
+    # @param [String] config_name the name of the LDAP sync configuration.
+    def ldap_sync_policy config_name: 'default'
+      JSON.parse(url_for(:ldap_sync_policy, credentials, config_name).get)
     end
   end
-end
+end

data/lib/conjur/api/resources.rb

@@ -1,34 +1,30 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/resource'
 
 module Conjur
   class API
     include QueryString
     include BuildObject
-    
+
     #@!group Resources
 
-    # Find a resource by it's id.  The id given to this method must be qualified by a kind, but the account is
-    # optional.
+    # Find a resource by its id.
+    # @note The id given to this method must be fully qualified.
     #
     # ### Permissions
     #
@@ -88,7 +84,7 @@ module Conjur
     def resources options = {}
       options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
       options[:account] ||= Conjur.configuration.account
-      
+
       host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
       fail ArgumentError, "host and account are required" unless [host, account].all?
       %w(host credentials account kind).each do |name|

data/lib/conjur/api/router/v5.rb

@@ -1,10 +1,29 @@
+# frozen_string_literal: true
+
+# Copyright 2017-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# rubocop:disable Metrics/ModuleLength
 module Conjur
   class API
     module Router
+      # V5 translates method arguments to rest-ful API request parameters.
+      # because of this, most of the methods suffer from :reek:LongParameterList:
+      # and :reek:UtilityFunction:
       module V5
         extend Conjur::Escape::ClassMethods
         extend Conjur::QueryString
-        extend Conjur::Cast
         extend self
 
         def authn_login account, username, password
@@ -15,6 +34,14 @@ module Conjur
           RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate']
         end
 
+        def authenticator account, authenticator, service_id, credentials
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)[fully_escape authenticator][fully_escape service_id][fully_escape account]
+        end
+
+        def authenticators
+          RestClient::Resource.new(Conjur.configuration.core_url)['authenticators']
+        end
+
         # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
         def authn_authenticate_local username, account, expiration, cidr, &block
           { account: account, sub: username }.tap do |params|
@@ -28,7 +55,7 @@ module Conjur
         end
 
         def authn_rotate_api_key credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][path_escape account]["api_key?role=#{id}"]
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][fully_escape account]["api_key?role=#{id}"]
         end
 
         def authn_rotate_own_api_key account, username, password
@@ -51,18 +78,18 @@ module Conjur
         end
 
         def policies_load_policy credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][path_escape account]['policy'][path_escape id]
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][fully_escape account]['policy'][fully_escape id]
         end
 
         def public_keys_for_user account, username
-          RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][path_escape username]
+          RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][fully_escape username]
         end
 
         def resources credentials, account, kind, options
           credentials ||= {}
 
-          path = "/resources/#{path_escape account}" 
-          path += "/#{path_escape kind}" if kind
+          path = "/resources/#{fully_escape account}"
+          path += "/#{fully_escape kind}" if kind
 
           RestClient::Resource.new(Conjur.configuration.core_url, credentials)[path][options_querystring options]
         end
@@ -82,7 +109,7 @@ module Conjur
           options = {}
           options[:check] = true
           options[:privilege] = privilege
-          options[:role] = path_escape(cast_to_id(role)) if role
+          options[:role] = query_escape(Id.new(role)) if role
           resources_resource(credentials, id)[options_querystring options].get
         end
 
@@ -139,6 +166,10 @@ module Conjur
           end
         end
 
+        def ldap_sync_policy(credentials, config_name)
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
+        end
+
         private
 
         def resource_annotations resource
@@ -148,3 +179,4 @@ module Conjur
     end
   end
 end
+# rubocop:enable Metrics/ModuleLength

data/lib/conjur/base.rb

@@ -123,19 +123,21 @@ module Conjur
     #
     # @return [String] the api key, or nil if this instance was created from a token.
     attr_reader :api_key
-    
+
     #@!attribute [r] remote_ip
     # An optional IP address to be recorded in the audit record for any actions performed by this API instance.
     attr_reader :remote_ip
 
     # The name of the user as which this api instance is authenticated.  This is available whether the api
-    # instance was created from credentials or an authentication token.
+    # instance was created from credentials or an authentication token. If the instance was created from
+    # credentials, we will use that value directly otherwise we will attempt to extract the username from
+    # the token (either the old-style data field or the new-style JWT `sub` field).
     #
     # @return [String] the login of the current user.
     def username
-      @username || token['data']
+      @username || token['data'] || jwt_username(token)
     end
-    
+
     # @api private
     # used to delegate to host providing subclasses.
     # @return [String] the host
@@ -213,7 +215,7 @@ module Conjur
         @account = account
         @username = username
         @api_key = api_key
-        
+
         update_token_born
       end
 
@@ -323,6 +325,18 @@ module Conjur
 
     private
 
+    # Tries to get the username (subject) from a JWT API token by examining
+    # its content.
+    #
+    # @return [String] of the 'sub' payload field from the JWT if present,
+    # otherwise return nil
+    def jwt_username raw_token
+      return nil unless raw_token
+      return nil unless raw_token.include? 'payload'
+
+      JSON.parse(Base64.strict_decode64(raw_token["payload"]))["sub"]
+    end
+
     # Tries to refresh the token if possible.
     #
     # @return [Hash, false] false if the token couldn't be refreshed due to

data/lib/conjur/base_object.rb

@@ -1,37 +1,30 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
-require 'conjur/cast'
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 module Conjur
   class BaseObject
-    include Cast
     include QueryString
     include LogSource
     include BuildObject
     include Routing
-    
+
     attr_reader :id, :credentials
-    
+
     def initialize id, credentials
-      @id = cast_to_id(id)
+      @id = Id.new id
       @credentials = credentials
     end
 
@@ -41,12 +34,24 @@ module Conjur
       }
     end
 
-    def account; id.account; end
-    def kind; id.kind; end
-    def identifier; id.identifier; end
-    
+    def account
+      id.account
+    end
+
+    def kind
+      id.kind
+    end
+
+    def identifier
+      id.identifier
+    end
+
     def username
       credentials[:username] or raise "No username found in credentials"
     end
+
+    def inspect
+      "<#{self.class.name} id='#{id.to_s}'>"
+    end
   end
 end

data/lib/conjur/build_object.rb

@@ -1,37 +1,30 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
-require 'conjur/cast'
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 module Conjur
   module BuildObject
     def self.included base
       base.module_eval do
-        extend Cast
         extend ClassMethods
       end
     end
 
     module ClassMethods
       def build_object id, credentials, default_class:
-        id = cast_to_id(id)
+        id = Id.new id
         class_name = id.kind.classify.to_sym
         find_class(class_name, default_class)
           .new(id, credentials)