conjur-api 5.3.0 → 5.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (63) hide show
  1. checksums.yaml +4 -4
  2. data/.codeclimate.yml +10 -0
  3. data/.github/CODEOWNERS +10 -0
  4. data/.github/ISSUE_TEMPLATE/bug.md +42 -0
  5. data/.github/ISSUE_TEMPLATE/feature_request.md +27 -0
  6. data/.github/PULL_REQUEST_TEMPLATE.md +21 -0
  7. data/.gitignore +1 -0
  8. data/.gitleaks.toml +219 -0
  9. data/.overcommit.yml +16 -0
  10. data/.rubocop.yml +3 -0
  11. data/.rubocop_settings.yml +86 -0
  12. data/.rubocop_todo.yml +709 -0
  13. data/CHANGELOG.md +373 -181
  14. data/CONTRIBUTING.md +141 -0
  15. data/Gemfile +1 -1
  16. data/Jenkinsfile +27 -29
  17. data/LICENSE +202 -0
  18. data/README.md +34 -117
  19. data/SECURITY.md +42 -0
  20. data/bin/parse-changelog.sh +12 -0
  21. data/ci/codeclimate.dockerfile +6 -0
  22. data/conjur-api.gemspec +4 -1
  23. data/docker-compose.yml +2 -0
  24. data/features/authenticators.feature +33 -0
  25. data/features/host.feature +39 -9
  26. data/features/step_definitions/api_steps.rb +14 -3
  27. data/features/step_definitions/policy_steps.rb +40 -0
  28. data/features/support/env.rb +2 -0
  29. data/features/update_password.feature +2 -2
  30. data/features/user.feature +47 -6
  31. data/features_v4/support/env.rb +2 -0
  32. data/lib/conjur-api/version.rb +2 -2
  33. data/lib/conjur/acts_as_role.rb +15 -19
  34. data/lib/conjur/acts_as_user.rb +5 -1
  35. data/lib/conjur/api.rb +1 -18
  36. data/lib/conjur/api/authenticators.rb +35 -0
  37. data/lib/conjur/api/authn.rb +3 -3
  38. data/lib/conjur/api/host_factories.rb +20 -19
  39. data/lib/conjur/api/resources.rb +17 -21
  40. data/lib/conjur/api/router/v4.rb +80 -23
  41. data/lib/conjur/api/router/v5.rb +117 -23
  42. data/lib/conjur/base.rb +19 -5
  43. data/lib/conjur/base_object.rb +31 -26
  44. data/lib/conjur/build_object.rb +13 -20
  45. data/lib/conjur/cert_utils.rb +14 -0
  46. data/lib/conjur/configuration.rb +46 -24
  47. data/lib/conjur/id.rb +22 -19
  48. data/lib/conjur/role_grant.rb +13 -18
  49. data/spec/api/host_factories_spec.rb +34 -0
  50. data/spec/api_spec.rb +55 -6
  51. data/spec/base_object_spec.rb +13 -0
  52. data/spec/cert_utils_spec.rb +92 -0
  53. data/spec/configuration_spec.rb +25 -3
  54. data/spec/id_spec.rb +29 -0
  55. data/spec/spec_helper.rb +4 -1
  56. data/spec/ssl_spec.rb +50 -26
  57. data/spec/uri_escape_spec.rb +14 -2
  58. data/test.sh +23 -1
  59. metadata +31 -14
  60. data/LICENSE.md +0 -195
  61. data/lib/conjur/cast.rb +0 -41
  62. data/spec/cast_spec.rb +0 -21
  63. data/spec/vendor/rest_client_spec.rb +0 -41
data/SECURITY.md ADDED
@@ -0,0 +1,42 @@
1
+ # Security Policies and Procedures
2
+
3
+ This document outlines security procedures and general policies for the CyberArk Conjur
4
+ suite of tools and products.
5
+
6
+ * [Reporting a Bug](#reporting-a-bug)
7
+ * [Disclosure Policy](#disclosure-policy)
8
+ * [Comments on this Policy](#comments-on-this-policy)
9
+
10
+ ## Reporting a Bug
11
+
12
+ The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
13
+ Thank you for improving the security of the Conjur suite. We appreciate your efforts and
14
+ responsible disclosure and will make every effort to acknowledge your
15
+ contributions.
16
+
17
+ Report security bugs by emailing the lead maintainers at security@conjur.org.
18
+
19
+ The maintainers will acknowledge your email within 2 business days. Subsequently, we will
20
+ send a more detailed response within 2 business days of our acknowledgement indicating
21
+ the next steps in handling your report. After the initial reply to your report, the security
22
+ team will endeavor to keep you informed of the progress towards a fix and full
23
+ announcement, and may ask for additional information or guidance.
24
+
25
+ Report security bugs in third-party modules to the person or team maintaining
26
+ the module.
27
+
28
+ ## Disclosure Policy
29
+
30
+ When the security team receives a security bug report, they will assign it to a
31
+ primary handler. This person will coordinate the fix and release process,
32
+ involving the following steps:
33
+
34
+ * Confirm the problem and determine the affected versions.
35
+ * Audit code to find any potential similar problems.
36
+ * Prepare fixes for all releases still under maintenance. These fixes will be
37
+ released as fast as possible.
38
+
39
+ ## Comments on this Policy
40
+
41
+ If you have suggestions on how this process could be improved please submit a
42
+ pull request.
@@ -0,0 +1,12 @@
1
+ #!/bin/bash -ex
2
+
3
+ cd "$(dirname "$0")"
4
+
5
+ docker run --rm \
6
+ -v "$PWD/..:/work" \
7
+ -w "/work" \
8
+ ruby:2.5 bash -ec "
9
+ gem install -N parse_a_changelog
10
+ parse ./CHANGELOG.md
11
+ "
12
+
@@ -0,0 +1,6 @@
1
+ FROM alpine:3.11
2
+ RUN wget https://codeclimate.com/downloads/test-reporter/test-reporter-0.6.3-linux-amd64 -O /opt/cc-test-reporter
3
+ RUN chmod +x /opt/cc-test-reporter
4
+ RUN apk update && apk upgrade && apk add --no-cache git
5
+
6
+ ENTRYPOINT ["/opt/cc-test-reporter"]
data/conjur-api.gemspec CHANGED
@@ -18,10 +18,13 @@ Gem::Specification.new do |gem|
18
18
 
19
19
  gem.required_ruby_version = '>= 1.9'
20
20
 
21
+ # Filter out development only executables
22
+ gem.executables -= %w{parse-changelog.sh}
23
+
21
24
  gem.add_dependency 'rest-client'
22
25
  gem.add_dependency 'activesupport'
23
26
 
24
- gem.add_development_dependency 'rake', '~> 10.0'
27
+ gem.add_development_dependency 'rake', '>= 12.3.3'
25
28
  gem.add_development_dependency 'rspec', '~> 3'
26
29
  gem.add_development_dependency 'rspec-expectations', '~> 3.4'
27
30
  gem.add_development_dependency 'json_spec'
data/docker-compose.yml CHANGED
@@ -27,6 +27,7 @@ services:
27
27
  volumes:
28
28
  - ./spec/reports:/src/conjur-api/spec/reports
29
29
  - ./features/reports:/src/conjur-api/features/reports
30
+ - ./coverage:/src/conjur-api/coverage
30
31
  - authn_local_5:/run/authn-local-5
31
32
  environment:
32
33
  CONJUR_APPLIANCE_URL: http://conjur_5
@@ -38,6 +39,7 @@ services:
38
39
  volumes:
39
40
  - ./features_v4/reports:/src/conjur-api/features_v4/reports
40
41
  - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
42
+ - ./coverage_v4:/src/conjur-api/coverage
41
43
  - authn_local_4:/run/authn-local-4
42
44
  environment:
43
45
  CONJUR_APPLIANCE_URL: https://conjur_4/api
@@ -0,0 +1,33 @@
1
+ Feature: List and manage authenticators
2
+
3
+ Background:
4
+ Given I run the code:
5
+ """
6
+ $conjur.load_policy 'root', <<-POLICY
7
+ - !webservice conjur/authn-k8s/my-auth
8
+ POLICY
9
+ """
10
+
11
+ Scenario: Authenticator list includes the authenticator status
12
+ When I run the code:
13
+ """
14
+ $conjur.authenticator_list
15
+ """
16
+ Then the JSON should have "installed"
17
+ And the JSON should have "configured"
18
+ And the JSON should have "enabled"
19
+ And the JSON at "enabled" should be ["authn"]
20
+
21
+ Scenario: Enable and disable authenticator
22
+ When I run the code:
23
+ """
24
+ $conjur.authenticator_enable("authn-k8s", "my-auth")
25
+ $conjur.authenticator_list
26
+ """
27
+ Then the JSON at "enabled" should be ["authn", "authn-k8s/my-auth"]
28
+ When I run the code:
29
+ """
30
+ $conjur.authenticator_disable("authn-k8s", "my-auth")
31
+ $conjur.authenticator_list
32
+ """
33
+ Then the JSON at "enabled" should be ["authn"]
@@ -1,20 +1,50 @@
1
- Feature: Display Host object fields.
1
+ Feature: Host object
2
2
 
3
- Background:
3
+ Scenario: API key of a newly created host is available and valid
4
4
  Given a new host
5
-
6
- Scenario: API key of a newly created host is available and valid.
7
- Then I run the code:
5
+ Then I can run the code:
8
6
  """
9
7
  expect(@host.exists?).to be(true)
10
8
  expect(@host.api_key).to be
11
9
  Conjur::API.new_from_key(@host.login, @host.api_key).token
12
10
  """
13
11
 
14
- Scenario: API key of a a host can be rotated.
15
- Then I run the code:
12
+ # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
13
+ Scenario: Host's own API key cannot be rotated with an API key
14
+ Given a new host
15
+ Then this code should fail with "You cannot rotate your own API key via this method"
16
16
  """
17
17
  host = Conjur::API.new_from_key(@host.login, @host.api_key).resource(@host.id)
18
- api_key = host.rotate_api_key
19
- Conjur::API.new_from_key(@host.login, api_key).token
18
+ host.rotate_api_key
19
+ """
20
+
21
+ # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
22
+ Scenario: Host's own API key cannot be rotated with a token
23
+ Given a new host
24
+ Then this code should fail with "You cannot rotate your own API key via this method"
25
+ """
26
+ token = Conjur::API.new_from_key(@host.login, @host.api_key).token
27
+
28
+ host = Conjur::API.new_from_token(token).resource(@host.id)
29
+ host.rotate_api_key
30
+ """
31
+
32
+ Scenario: Delegated host's API key can be rotated with an API key
33
+ Given a new delegated host
34
+ Then I can run the code:
35
+ """
36
+ delegated_host_resource = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).resource(@host.id)
37
+ api_key = delegated_host_resource.rotate_api_key
38
+ Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
39
+ """
40
+
41
+ Scenario: Delegated host's API key can be rotated with a token
42
+ Given a new delegated host
43
+ Then I can run the code:
44
+ """
45
+ token = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).token
46
+
47
+ delegated_host_resource = Conjur::API.new_from_token(token).resource(@host.id)
48
+ api_key = delegated_host_resource.rotate_api_key
49
+ Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
20
50
  """
@@ -1,7 +1,18 @@
1
- When(/^I(?: can)? run the code:$/) do |code|
1
+ Then(/^I(?: can)? run the code:$/) do |code|
2
2
  @result = eval(code).tap do |result|
3
- if ENV['DEBUG']
4
- puts result
3
+ puts result if ENV['DEBUG']
4
+ end
5
+ end
6
+
7
+ Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
8
+ begin
9
+ @result = eval(code)
10
+ rescue Exception => exc
11
+ if not exc.message =~ %r{#{error_msg}}
12
+ fail "'#{error_msg}' was not found in '#{exc.message}'"
5
13
  end
14
+ else
15
+ puts @result if ENV['DEBUG']
16
+ fail "The provided block did not raise an error"
6
17
  end
7
18
  end
@@ -13,6 +13,25 @@ Given(/^a new user$/) do
13
13
  expect(@user_api_key).to be
14
14
  end
15
15
 
16
+ Given(/^a new delegated user$/) do
17
+ # Create a new host that is owned by that user
18
+ step 'a new user'
19
+ @user_owner = @user
20
+ @user_owner_id = @user_id
21
+ @user_owner_api_key = @user_api_key
22
+
23
+ # Create a new user that is owned by the user created earlier
24
+ @user_id = "user-#{random_hex}"
25
+ response = $conjur.load_policy 'root', <<-POLICY
26
+ - !user
27
+ id: #{@user_id}
28
+ owner: !user #{@user_owner_id}
29
+ POLICY
30
+ @user = $conjur.resource("cucumber:user:#{@user_id}")
31
+ @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
32
+ expect(@user_api_key).to be
33
+ end
34
+
16
35
  Given(/^a new group$/) do
17
36
  @group_id = "group-#{random_hex}"
18
37
  response = $conjur.load_policy 'root', <<-POLICY
@@ -33,3 +52,24 @@ Given(/^a new host$/) do
33
52
  @host = $conjur.resource("cucumber:host:#{@host_id}")
34
53
  @host.attributes['api_key'] = @host_api_key
35
54
  end
55
+
56
+ Given(/^a new delegated host$/) do
57
+ # Create an owner user
58
+ step 'a new user'
59
+ @host_owner = @user
60
+ @host_owner_id = @user_id
61
+ @host_owner_api_key = @user_api_key
62
+
63
+ # Create a new host that is owned by that user
64
+ @host_id = "app-#{random_hex}"
65
+ response = $conjur.load_policy 'root', <<-POLICY
66
+ - !host
67
+ id: #{@host_id}
68
+ owner: !user #{@host_owner_id}
69
+ POLICY
70
+
71
+ @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
72
+ expect(@host_api_key).to be
73
+ @host = $conjur.resource("cucumber:host:#{@host_id}")
74
+ @host.attributes['api_key'] = @host_api_key
75
+ end
@@ -1,5 +1,7 @@
1
1
  require 'simplecov'
2
+ require 'simplecov-cobertura'
2
3
 
4
+ SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
3
5
  SimpleCov.start
4
6
 
5
7
  require 'json_spec/cucumber'
@@ -5,8 +5,8 @@ Feature: Change a user's password.
5
5
  Scenario: A user can set/change her password using the current API key.
6
6
  When I run the code:
7
7
  """
8
- Conjur::API.update_password @user_id, @user_api_key, 'secret'
9
- @new_api_key = Conjur::API.login @user_id, 'secret'
8
+ Conjur::API.update_password @user_id, @user_api_key, 'SEcret12!!!!'
9
+ @new_api_key = Conjur::API.login @user_id, 'SEcret12!!!!'
10
10
  """
11
11
  Then I can run the code:
12
12
  """
@@ -1,17 +1,58 @@
1
- Feature: Display User object fields.
1
+ Feature: User object
2
2
 
3
3
  Background:
4
- Given a new user
5
4
 
6
- Scenario: User has a uidnumber.
7
- Then I run the code:
5
+ Scenario: User has a uidnumber
6
+ Given a new user
7
+ Then I can run the code:
8
8
  """
9
9
  @user.uidnumber
10
10
  """
11
11
  Then the result should be "1000"
12
12
 
13
- Scenario: Logged-in user is the current_role.
14
- Then I run the code:
13
+ Scenario: Logged-in user is the current_role
14
+ Given a new user
15
+ Then I can run the code:
15
16
  """
16
17
  expect($conjur.current_role(Conjur.configuration.account).id.to_s).to eq("cucumber:user:admin")
17
18
  """
19
+
20
+ # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
21
+ Scenario: User's own API key cannot be rotated with an API key
22
+ Given a new user
23
+ Then this code should fail with "You cannot rotate your own API key via this method"
24
+ """
25
+ user = Conjur::API.new_from_key(@user.login, @user_api_key).resource(@user.id)
26
+ user.rotate_api_key
27
+ """
28
+
29
+ # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
30
+ Scenario: User's own API key cannot be rotated with a token
31
+ Given a new user
32
+ Then this code should fail with "You cannot rotate your own API key via this method"
33
+ """
34
+ token = Conjur::API.new_from_key(@user.login, @user_api_key).token
35
+
36
+ user = Conjur::API.new_from_token(token).resource(@user.id)
37
+ user.rotate_api_key
38
+ """
39
+
40
+ Scenario: Delegated user's API key can be rotated with an API key
41
+ Given a new delegated user
42
+ Then I can run the code:
43
+ """
44
+ delegated_user_resource = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).resource(@user.id)
45
+ api_key = delegated_user_resource.rotate_api_key
46
+ Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
47
+ """
48
+
49
+ Scenario: Delegated user's API key can be rotated with a token
50
+ Given a new delegated user
51
+ Then I can run the code:
52
+ """
53
+ token = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).token
54
+
55
+ delegated_user_resource = Conjur::API.new_from_token(token).resource(@user.id)
56
+ api_key = delegated_user_resource.rotate_api_key
57
+ Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
58
+ """
@@ -1,5 +1,7 @@
1
1
  require 'simplecov'
2
+ require 'simplecov-cobertura'
2
3
 
4
+ SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
3
5
  SimpleCov.start
4
6
 
5
7
  require 'json_spec/cucumber'
@@ -1,4 +1,4 @@
1
- # Copyright 2013-2017 Conjur Inc.
1
+ # Copyright 2013-2020 Conjur Inc.
2
2
  #
3
3
  # Permission is hereby granted, free of charge, to any person obtaining a copy of
4
4
  # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,6 @@
19
19
 
20
20
  module Conjur
21
21
  class API
22
- VERSION = "5.3.0"
22
+ VERSION = "5.3.5"
23
23
  end
24
24
  end
@@ -1,23 +1,19 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2013-2018 CyberArk Ltd.
1
4
  #
2
- # Copyright 2013-2017 Conjur Inc
3
- #
4
- # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
- # this software and associated documentation files (the "Software"), to deal in
6
- # the Software without restriction, including without limitation the rights to
7
- # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
- # the Software, and to permit persons to whom the Software is furnished to do so,
9
- # subject to the following conditions:
10
- #
11
- # The above copyright notice and this permission notice shall be included in all
12
- # copies or substantial portions of the Software.
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
13
8
  #
14
- # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
- # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
- # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
- # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
- # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
- # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
9
+ # http://www.apache.org/licenses/LICENSE-2.0
20
10
  #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+
21
17
  module Conjur
22
18
 
23
19
  # This module provides methods for things that have an associated {Conjur::Role}.
@@ -100,7 +96,7 @@ module Conjur
100
96
  end
101
97
  if filter = options.delete(:filter)
102
98
  filter = [filter] unless filter.is_a?(Array)
103
- options["filter"] = filter.map{ |obj| cast_to_id(obj) }
99
+ options["filter"] = filter.map(&Id.method(:new))
104
100
  end
105
101
 
106
102
  result = JSON.parse(rbac_role_resource[options_querystring options].get)
@@ -143,4 +139,4 @@ module Conjur
143
139
  url_for(:roles_role, credentials, id)
144
140
  end
145
141
  end
146
- end
142
+ end
@@ -52,12 +52,16 @@ module Conjur
52
52
  # @note You will not be able to access the API key returned by this method later, so you should
53
53
  # probably hang onto it it.
54
54
  #
55
- # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`
55
+ # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`.
56
56
  #
57
57
  # @note This feature requires a Conjur appliance running version 4.6 or higher.
58
58
  #
59
59
  # @return [String] the new API key for this user.
60
60
  def rotate_api_key
61
+ if login == username
62
+ raise 'You cannot rotate your own API key via this method. To do so, use `Conjur::API.rotate_api_key`'
63
+ end
64
+
61
65
  url_for(:authn_rotate_api_key, credentials, account, id).put("").body
62
66
  end
63
67
  end