conjur-api 5.3.0 → 5.3.5

data/lib/conjur/api.rb

@@ -34,6 +34,7 @@ require 'conjur/acts_as_rolsource'
 require 'conjur/acts_as_user'
 require 'conjur/log_source'
 require 'conjur/has_attributes'
+require 'conjur/api/authenticators'
 require 'conjur/api/authn'
 require 'conjur/api/roles'
 require 'conjur/api/resources'
@@ -49,24 +50,6 @@ require 'conjur/layer'
 require 'conjur/cache'
 require 'conjur-api/version'
 
-# Monkey patch RestClient::Request so it always uses
-# :ssl_cert_store. (RestClient::Resource uses Request to send
-# requests, so it sees :ssl_cert_store, too).
-# @api private
-class RestClient::Request
-  alias_method :initialize_without_defaults, :initialize
-
-  def default_args
-    {
-      ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
-    }
-  end
-
-  def initialize args
-    initialize_without_defaults default_args.merge(args)
-  end
-end
-
 # @api private
 class RestClient::Resource
   include Conjur::Escape

data/lib/conjur/api/authenticators.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'conjur/webservice'
+
+module Conjur
+  # API contains each of the methods for access the Conjur API endpoints
+  #-- :reek:DataClump for authenticator identifier fields (name, id, account)
+  class API
+    # @!group Authenticators
+
+    # List all configured authenticators
+    def authenticator_list
+      JSON.parse(url_for(:authenticators).get)
+    end
+
+    # Enables an authenticator in Conjur. The authenticator must be defined and
+    # loaded in Conjur policy prior to enabling it.
+    # 
+    # @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
+    # @param [String] id the service ID of the authenticator to enable
+    def authenticator_enable authenticator, id, account: Conjur.configuration.account
+      url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
+    end
+
+    # Disables an authenticator in Conjur.
+    # 
+    # @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
+    # @param [String] id the service ID of the authenticator to disable
+    def authenticator_disable authenticator, id, account: Conjur.configuration.account
+      url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
+    end
+
+    # @!endgroup
+  end
+end

data/lib/conjur/api/authn.rb

@@ -50,7 +50,7 @@ module Conjur
         url_for(:authn_login, account, username, password).get
       end
 
-      # Exchanges Conjur the API key (refresh token) for an access token.  The access token can 
+      # Exchanges Conjur the API key (refresh token) for an access token.  The access token can
       # then be used to authenticate further API calls.
       #
       # @param [String] username The username or host id for which we want a token
@@ -65,7 +65,7 @@ module Conjur
         JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
       end
 
-      # Obtains an access token from the +authn_local+ service. The access token can 
+      # Obtains an access token from the +authn_local+ service. The access token can
       # then be used to authenticate further API calls.
       #
       # @param [String] username The username or host id for which we want a token
@@ -80,7 +80,7 @@ module Conjur
         require 'json'
         require 'socket'
         message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
-        JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })        
+        JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
       end
 
       # Change a user's password.  To do this, you must have the user's current password.  This does not change or rotate

data/lib/conjur/api/host_factories.rb

@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/host_factory'
 
 module Conjur
@@ -40,9 +36,14 @@ module Conjur
       # @return [Host]
       def host_factory_create_host token, id, options = {}
         token = token.token if token.is_a?(HostFactoryToken)
-        response = url_for(:host_factory_create_host, token).post(options.merge(id: id)).body
+        response = url_for(:host_factory_create_host, token)
+          .post(options.merge(id: id)).body
+
         attributes = JSON.parse(response)
-        Host.new(attributes['id'], {}).tap do |host|
+        # in v4 'id' is just the identifier
+        host_id = attributes['roleid'] || attributes['id']
+
+        Host.new(host_id, {}).tap do |host|
           host.attributes = attributes
         end
       end

data/lib/conjur/api/resources.rb

@@ -1,34 +1,30 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#   http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/resource'
 
 module Conjur
   class API
     include QueryString
     include BuildObject
-    
+
     #@!group Resources
 
-    # Find a resource by it's id.  The id given to this method must be qualified by a kind, but the account is
-    # optional.
+    # Find a resource by its id.
+    # @note The id given to this method must be fully qualified.
     #
     # ### Permissions
     #
@@ -88,7 +84,7 @@ module Conjur
     def resources options = {}
       options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
       options[:account] ||= Conjur.configuration.account
-      
+
       host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
       fail ArgumentError, "host and account are required" unless [host, account].all?
       %w(host credentials account kind).each do |name|

data/lib/conjur/api/router/v4.rb

@@ -8,18 +8,27 @@ module Conjur
 
         def authn_login account, username, password
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users/login']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )['users/login']
         end
 
         def authn_authenticate account, username
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url)['users'][fully_escape username]['authenticate']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )['users'][fully_escape username]['authenticate']
         end
 
         # For v4, the authn-local message is the username.
         def authn_authenticate_local username, account, expiration, cidr, &block
           verify_account(account)
-          
+
           raise "'expiration' is not supported for authn-local v4" if expiration
           raise "'cidr' is not supported for authn-local v4" if cidr
 
@@ -28,36 +37,51 @@ module Conjur
 
         def authn_rotate_api_key credentials, account, id
           verify_account(account)
-          username = if id.kind == "user"
-            id.identifier
-          else
-            [ id.kind, id.identifier ].join('/')
-          end
-          RestClient::Resource.new(Conjur.configuration.authn_url, credentials)['users']["api_key?id=#{username}"]
+          username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['users']["api_key?id=#{username}"]
         end
 
         def authn_rotate_own_api_key account, username, password
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users']["api_key"]
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(user: username, password: password)
+          )['users']["api_key"]
         end
 
         def host_factory_create_host token
           http_options = {
             headers: { authorization: %Q(Token token="#{token}") }
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, http_options)['host_factories']['hosts']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )['host_factories']['hosts']
         end
 
         def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories'][id.identifier]['tokens']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories'][id.identifier]['tokens']
         end
 
         def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories']['tokens'][token]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories']['tokens'][token]
         end
 
         def resources_resource credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['resources'][id.kind][id.identifier]
+
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['resources'][id.kind][id.identifier]
         end
 
         def resources_check credentials, id, privilege, role
@@ -73,47 +97,80 @@ module Conjur
         end
 
         def resources_permitted_roles credentials, id, privilege
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
         end
 
         def roles_role credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles'][id.kind][id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles'][id.kind][id.identifier]
         end
 
         def secrets_add credentials, id
           verify_account(id.account)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['values']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['values']
         end
 
         def variable credentials, id
           verify_account(id.account)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]
         end
 
         def secrets_value credentials, id, options
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['value'][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['value'][options_querystring options]
         end
 
         def secrets_values credentials, variable_ids
           options = {
             vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables']['values'][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables']['values'][options_querystring options]
         end
 
         def group_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['groups'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['groups'][fully_escape id.identifier].get
+          )
         end
 
         def variable_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['variables'][fully_escape id.identifier].get
+          )
         end
 
         def user_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['users'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['users'][fully_escape id.identifier].get
+          )
         end
 
         def parse_group_gidnumber attributes

data/lib/conjur/api/router/v5.rb

@@ -1,18 +1,60 @@
+# frozen_string_literal: true
+
+# Copyright 2017-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# rubocop:disable Metrics/ModuleLength
 module Conjur
   class API
     module Router
+      # V5 translates method arguments to rest-ful API request parameters.
+      # because of this, most of the methods suffer from :reek:LongParameterList:
+      # and :reek:UtilityFunction:
       module V5
         extend Conjur::Escape::ClassMethods
         extend Conjur::QueryString
-        extend Conjur::Cast
         extend self
 
         def authn_login account, username, password
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['login']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['login']
         end
 
         def authn_authenticate account, username
-          RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )[fully_escape account][fully_escape username]['authenticate']
+        end
+
+        def authenticator account, authenticator, service_id, credentials
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[fully_escape authenticator][fully_escape service_id][fully_escape account]
+        end
+
+        def authenticators
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['authenticators']
         end
 
         # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
@@ -24,51 +66,87 @@ module Conjur
         end
 
         def authn_update_password account, username, password
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['password']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['password']
         end
 
         def authn_rotate_api_key credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][path_escape account]["api_key?role=#{id}"]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authn'][fully_escape account]["api_key?role=#{id}"]
         end
 
         def authn_rotate_own_api_key account, username, password
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['api_key']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['api_key']
         end
 
         def host_factory_create_host token
           http_options = {
             headers: { authorization: %Q(Token token="#{token}") }
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, http_options)["host_factories"]["hosts"]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )["host_factories"]["hosts"]
         end
 
         def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factory_tokens']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens']
         end
 
         def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factory_tokens'][token]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens'][token]
         end
 
         def policies_load_policy credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][path_escape account]['policy'][path_escape id]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['policies'][fully_escape account]['policy'][fully_escape id]
         end
 
         def public_keys_for_user account, username
-          RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][path_escape username]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['public_keys'][fully_escape account]['user'][fully_escape username]
         end
 
         def resources credentials, account, kind, options
           credentials ||= {}
 
-          path = "/resources/#{path_escape account}" 
-          path += "/#{path_escape kind}" if kind
+          path = "/resources/#{fully_escape account}"
+          path += "/#{fully_escape kind}" if kind
 
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)[path][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[path][options_querystring options]
         end
 
         def resources_resource credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['resources'][id.to_url_path]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['resources'][id.to_url_path]
         end
 
         def resources_permitted_roles credentials, id, privilege
@@ -82,27 +160,39 @@ module Conjur
           options = {}
           options[:check] = true
           options[:privilege] = privilege
-          options[:role] = path_escape(cast_to_id(role)) if role
+          options[:role] = query_escape(Id.new(role)) if role
           resources_resource(credentials, id)[options_querystring options].get
         end
 
         def roles_role credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['roles'][id.to_url_path]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['roles'][id.to_url_path]
         end
 
         def secrets_add credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][id.to_url_path]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path]
         end
 
         def secrets_value credentials, id, options
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][id.to_url_path][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path][options_querystring options]
         end
 
         def secrets_values credentials, variable_ids
           options = {
             variable_ids: Array(variable_ids).join(',')
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][options_querystring(options).gsub("%2C", ',')]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][options_querystring(options).gsub("%2C", ',')]
         end
 
         def group_attributes credentials, resource, id
@@ -140,15 +230,19 @@ module Conjur
         end
 
         def ldap_sync_policy(credentials, config_name)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
         end
-        
+
         private
 
         def resource_annotations resource
-          resource.attributes['annotations'] || {}
+          resource.attributes['annotations']
         end
       end
     end
   end
 end
+# rubocop:enable Metrics/ModuleLength