conjur-api 5.3.0 → 5.3.5
- checksums.yaml +4 -4
- data/.codeclimate.yml +10 -0
- data/.github/CODEOWNERS +10 -0
- data/.github/ISSUE_TEMPLATE/bug.md +42 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +27 -0
- data/.github/PULL_REQUEST_TEMPLATE.md +21 -0
- data/.gitignore +1 -0
- data/.gitleaks.toml +219 -0
- data/.overcommit.yml +16 -0
- data/.rubocop.yml +3 -0
- data/.rubocop_settings.yml +86 -0
- data/.rubocop_todo.yml +709 -0
- data/CHANGELOG.md +373 -181
- data/CONTRIBUTING.md +141 -0
- data/Gemfile +1 -1
- data/Jenkinsfile +27 -29
- data/LICENSE +202 -0
- data/README.md +34 -117
- data/SECURITY.md +42 -0
- data/bin/parse-changelog.sh +12 -0
- data/ci/codeclimate.dockerfile +6 -0
- data/conjur-api.gemspec +4 -1
- data/docker-compose.yml +2 -0
- data/features/authenticators.feature +33 -0
- data/features/host.feature +39 -9
- data/features/step_definitions/api_steps.rb +14 -3
- data/features/step_definitions/policy_steps.rb +40 -0
- data/features/support/env.rb +2 -0
- data/features/update_password.feature +2 -2
- data/features/user.feature +47 -6
- data/features_v4/support/env.rb +2 -0
- data/lib/conjur-api/version.rb +2 -2
- data/lib/conjur/acts_as_role.rb +15 -19
- data/lib/conjur/acts_as_user.rb +5 -1
- data/lib/conjur/api.rb +1 -18
- data/lib/conjur/api/authenticators.rb +35 -0
- data/lib/conjur/api/authn.rb +3 -3
- data/lib/conjur/api/host_factories.rb +20 -19
- data/lib/conjur/api/resources.rb +17 -21
- data/lib/conjur/api/router/v4.rb +80 -23
- data/lib/conjur/api/router/v5.rb +117 -23
- data/lib/conjur/base.rb +19 -5
- data/lib/conjur/base_object.rb +31 -26
- data/lib/conjur/build_object.rb +13 -20
- data/lib/conjur/cert_utils.rb +14 -0
- data/lib/conjur/configuration.rb +46 -24
- data/lib/conjur/id.rb +22 -19
- data/lib/conjur/role_grant.rb +13 -18
- data/spec/api/host_factories_spec.rb +34 -0
- data/spec/api_spec.rb +55 -6
- data/spec/base_object_spec.rb +13 -0
- data/spec/cert_utils_spec.rb +92 -0
- data/spec/configuration_spec.rb +25 -3
- data/spec/id_spec.rb +29 -0
- data/spec/spec_helper.rb +4 -1
- data/spec/ssl_spec.rb +50 -26
- data/spec/uri_escape_spec.rb +14 -2
- data/test.sh +23 -1
- metadata +31 -14
- data/LICENSE.md +0 -195
- data/lib/conjur/cast.rb +0 -41
- data/spec/cast_spec.rb +0 -21
- data/spec/vendor/rest_client_spec.rb +0 -41
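--- a/data/lib/conjur/api.rb
+++ b/data/lib/conjur/api.rb
@@ -34,6 +34,7 @@ require 'conjur/acts_as_rolsource'
 require 'conjur/acts_as_user'
 require 'conjur/log_source'
 require 'conjur/has_attributes'
+require 'conjur/api/authenticators'
 require 'conjur/api/authn'
 require 'conjur/api/roles'
 require 'conjur/api/resources'
@@ -49,24 +50,6 @@ require 'conjur/layer'
 require 'conjur/cache'
 require 'conjur-api/version'
 
-# Monkey patch RestClient::Request so it always uses
-# :ssl_cert_store. (RestClient::Resource uses Request to send
-# requests, so it sees :ssl_cert_store, too).
-# @api private
-class RestClient::Request
-alias_method :initialize_without_defaults, :initialize
-
-def default_args
-{
-ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
-}
-end
-
-def initialize args
-initialize_without_defaults default_args.merge(args)
-end
-end
-
 # @api private
 class RestClient::Resource
 include Conjur::Escape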
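Review bot: Dropping the `RestClient::Request` monkey patch (hunk `@@ -49,24 +50,6 @@`) means `OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE` is no longer forced onto every request process-wide; the router hunks in this commit compensate by passing `Conjur.configuration.create_rest_client_options(...)` or `rest_client_options` at each call, so any `RestClient::Resource.new` left without those options anywhere in the gem — or a caller that relied on the global default — silently reverts to rest-client's own SSL settings instead of failing loudly. Nothing in this file records that new contract. I would leave a comment where the patch was removed, e.g. `# SSL options are no longer patched into RestClient::Request globally; every RestClient::Resource.new must pass Conjur.configuration.create_rest_client_options(...) or rest_client_options explicitly.` The diffstat shows `spec/ssl_spec.rb` was reworked; it is worth confirming it drives a request through the routers rather than a hand-built `RestClient::Request`, since that is the path the change leaves unguarded.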
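--- /dev/null
+++ b/data/lib/conjur/api/authenticators.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'conjur/webservice'
+
+module Conjur
+# API contains each of the methods for access the Conjur API endpoints
+#-- :reek:DataClump for authenticator identifier fields (name, id, account)
+class API
+# @!group Authenticators
+
+# List all configured authenticators
+def authenticator_list
+JSON.parse(url_for(:authenticators).get)
+end
+
+# Enables an authenticator in Conjur. The authenticator must be defined and
+# loaded in Conjur policy prior to enabling it.
+#
+# @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
+# @param [String] id the service ID of the authenticator to enable
+def authenticator_enable authenticator, id, account: Conjur.configuration.account
+url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
+end
+
+# Disables an authenticator in Conjur.
+#
+# @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
+# @param [String] id the service ID of the authenticator to disable
+def authenticator_disable authenticator, id, account: Conjur.configuration.account
+url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
+end
+
+# @!endgroup
+end
+end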
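Review bot: `authenticator_enable` and `authenticator_disable` document `authenticator` and `id` but not the `account:` keyword they also accept, and none of the three new methods documents what it returns (`authenticator_list` returns the parsed JSON body, the other two return whatever `.patch` yields). Enabling an authenticator changes which login paths can mint tokens for the account, so the YARD should also state that the request is sent with the API's `credentials` and presumably requires the matching permission on the authenticator webservice — confirm against the server before asserting which one. I would add `# @param [String] account the Conjur account; defaults to Conjur.configuration.account` to both methods, `# @return [Object] the parsed JSON body of GET /authenticators` to `authenticator_list`, and `# @return [RestClient::Response] the raw PATCH response` to the other two. The class comment `# API contains each of the methods for access the Conjur API endpoints` should read `for accessing`. Since the two PATCH methods differ only in the boolean, a private helper taking `enabled:` would keep their documentation in one place.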
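--- a/data/lib/conjur/api/authn.rb
+++ b/data/lib/conjur/api/authn.rb
@@ -50,7 +50,7 @@ module Conjur
 url_for(:authn_login, account, username, password).get
 end
 
-# Exchanges Conjur the API key (refresh token) for an access token. The access token can
+# Exchanges Conjur the API key (refresh token) for an access token. The access token can
 # then be used to authenticate further API calls.
 #
 # @param [String] username The username or host id for which we want a token
@@ -65,7 +65,7 @@ module Conjur
 JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
 end
 
-# Obtains an access token from the +authn_local+ service. The access token can
+# Obtains an access token from the +authn_local+ service. The access token can
 # then be used to authenticate further API calls.
 #
 # @param [String] username The username or host id for which we want a token
@@ -80,7 +80,7 @@ module Conjur
 require 'json'
 require 'socket'
 message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
-JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
+JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
 end
 
 # Change a user's password. To do this, you must have the user's current password. This does not change or rotate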
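--- a/data/lib/conjur/api/host_factories.rb
+++ b/data/lib/conjur/api/host_factories.rb
@@ -1,23 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-#
-#
-#
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-#
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+# http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/host_factory'
 
 module Conjur
@@ -40,9 +36,14 @@ module Conjur
 # @return [Host]
 def host_factory_create_host token, id, options = {}
 token = token.token if token.is_a?(HostFactoryToken)
-response = url_for(:host_factory_create_host, token)
+response = url_for(:host_factory_create_host, token)
+.post(options.merge(id: id)).body
+
 attributes = JSON.parse(response)
-
+# in v4 'id' is just the identifier
+host_id = attributes['roleid'] || attributes['id']
+
+Host.new(host_id, {}).tap do |host|
 host.attributes = attributes
 end
 end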
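Review bot: `host_id = attributes['roleid'] || attributes['id']` (hunk `@@ -40,9 +36,14 @@`) yields `Host.new(nil, {})` without complaint when the create-host response carries neither key, so a malformed or unexpected body surfaces later as a puzzling `nil` id instead of at the call that received it. I would fail fast on the next line: `raise "host factory response contains neither 'roleid' nor 'id'" unless host_id`. The comment `# in v4 'id' is just the identifier` would also help more if it spelled out the v5 side, something like `# v5 responses presumably carry the fully qualified role id in 'roleid'; v4 only returns the bare identifier in 'id'`, once that is confirmed against both servers. The enclosing `class API` opens outside this hunk.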
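--- a/data/lib/conjur/api/resources.rb
+++ b/data/lib/conjur/api/resources.rb
@@ -1,34 +1,30 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
 #
-#
-#
-#
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
 #
-#
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+# http://www.apache.org/licenses/LICENSE-2.0
 #
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 require 'conjur/resource'
 
 module Conjur
 class API
 include QueryString
 include BuildObject
-
+
 #@!group Resources
 
-# Find a resource by
-#
+# Find a resource by its id.
+# @note The id given to this method must be fully qualified.
 #
 # ### Permissions
 #
@@ -88,7 +84,7 @@ module Conjur
 def resources options = {}
 options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
 options[:account] ||= Conjur.configuration.account
-
+
 host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
 fail ArgumentError, "host and account are required" unless [host, account].all?
 %w(host credentials account kind).each do |name|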
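--- a/data/lib/conjur/api/router/v4.rb
+++ b/data/lib/conjur/api/router/v4.rb
@@ -8,18 +8,27 @@ module Conjur
 
 def authn_login account, username, password
 verify_account(account)
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.authn_url,
+Conjur.configuration.create_rest_client_options(
+user: username,
+password: password
+)
+)['users/login']
 end
 
 def authn_authenticate account, username
 verify_account(account)
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.authn_url,
+Conjur.configuration.rest_client_options
+)['users'][fully_escape username]['authenticate']
 end
 
 # For v4, the authn-local message is the username.
 def authn_authenticate_local username, account, expiration, cidr, &block
 verify_account(account)
-
+
 raise "'expiration' is not supported for authn-local v4" if expiration
 raise "'cidr' is not supported for authn-local v4" if cidr
 
@@ -28,36 +37,51 @@ module Conjur
 
 def authn_rotate_api_key credentials, account, id
 verify_account(account)
-username =
-
-
-
-
-RestClient::Resource.new(Conjur.configuration.authn_url, credentials)['users']["api_key?id=#{username}"]
+username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
+RestClient::Resource.new(
+Conjur.configuration.authn_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['users']["api_key?id=#{username}"]
 end
 
 def authn_rotate_own_api_key account, username, password
 verify_account(account)
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.authn_url,
+Conjur.configuration.create_rest_client_options(user: username, password: password)
+)['users']["api_key"]
 end
 
 def host_factory_create_host token
 http_options = {
 headers: { authorization: %Q(Token token="#{token}") }
 }
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(http_options)
+)['host_factories']['hosts']
 end
 
 def host_factory_create_tokens credentials, id
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['host_factories'][id.identifier]['tokens']
 end
 
 def host_factory_revoke_token credentials, token
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['host_factories']['tokens'][token]
 end
 
 def resources_resource credentials, id
-
+
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['authz'][id.account]['resources'][id.kind][id.identifier]
 end
 
 def resources_check credentials, id, privilege, role
@@ -73,47 +97,80 @@ module Conjur
 end
 
 def resources_permitted_roles credentials, id, privilege
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
 end
 
 def roles_role credentials, id
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['authz'][id.account]['roles'][id.kind][id.identifier]
 end
 
 def secrets_add credentials, id
 verify_account(id.account)
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['variables'][fully_escape id.identifier]['values']
 end
 
 def variable credentials, id
 verify_account(id.account)
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['variables'][fully_escape id.identifier]
 end
 
 def secrets_value credentials, id, options
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['variables'][fully_escape id.identifier]['value'][options_querystring options]
 end
 
 def secrets_values credentials, variable_ids
 options = {
 vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
 }
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['variables']['values'][options_querystring options]
 end
 
 def group_attributes credentials, resource, id
 verify_account(id.account)
-JSON.parse(
+JSON.parse(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['groups'][fully_escape id.identifier].get
+)
 end
 
 def variable_attributes credentials, resource, id
 verify_account(id.account)
-JSON.parse(
+JSON.parse(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['variables'][fully_escape id.identifier].get
+)
 end
 
 def user_attributes credentials, resource, id
 verify_account(id.account)
-JSON.parse(
+JSON.parse(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['users'][fully_escape id.identifier].get
+)
 end
 
 def parse_group_gidnumber attributes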
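Review bot: In `authn_rotate_api_key` (hunk `@@ -28,36 +37,51 @@`) the rebuilt `username` — `id.identifier`, or `kind/identifier` joined with a slash — is interpolated raw into `"api_key?id=#{username}"`, while the neighbouring routes in this file pass identifiers through `fully_escape`; an identifier containing `&`, `#`, `?` or a space would alter or truncate the query instead of being sent as the id. The same hunk's `host_factory_create_tokens` likewise inserts `id.identifier` as an unescaped path segment where `secrets_add` escapes it. I would write `)['users']["api_key?id=#{fully_escape username}"]` (or the `query_escape` helper the v5 router uses for query values, if it is in scope here) and `)['host_factories'][fully_escape id.identifier]['tokens']`, provided the v4 host-factory route decodes percent-encoded ids the way the variables route evidently does. The `module V4` header and `verify_account` live outside these hunks.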
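--- a/data/lib/conjur/api/router/v5.rb
+++ b/data/lib/conjur/api/router/v5.rb
@@ -1,18 +1,60 @@
+# frozen_string_literal: true
+
+# Copyright 2017-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# rubocop:disable Metrics/ModuleLength
 module Conjur
 class API
 module Router
+# V5 translates method arguments to rest-ful API request parameters.
+# because of this, most of the methods suffer from :reek:LongParameterList:
+# and :reek:UtilityFunction:
 module V5
 extend Conjur::Escape::ClassMethods
 extend Conjur::QueryString
-extend Conjur::Cast
 extend self
 
 def authn_login account, username, password
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.authn_url,
+Conjur.configuration.create_rest_client_options(
+user: username,
+password: password
+)
+)[fully_escape account]['login']
 end
 
 def authn_authenticate account, username
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.authn_url,
+Conjur.configuration.rest_client_options
+)[fully_escape account][fully_escape username]['authenticate']
+end
+
+def authenticator account, authenticator, service_id, credentials
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)[fully_escape authenticator][fully_escape service_id][fully_escape account]
+end
+
+def authenticators
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.rest_client_options
+)['authenticators']
 end
 
 # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
@@ -24,51 +66,87 @@ module Conjur
 end
 
 def authn_update_password account, username, password
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.authn_url,
+Conjur.configuration.create_rest_client_options(
+user: username,
+password: password
+)
+)[fully_escape account]['password']
 end
 
 def authn_rotate_api_key credentials, account, id
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['authn'][fully_escape account]["api_key?role=#{id}"]
 end
 
 def authn_rotate_own_api_key account, username, password
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.authn_url,
+Conjur.configuration.create_rest_client_options(
+user: username,
+password: password
+)
+)[fully_escape account]['api_key']
 end
 
 def host_factory_create_host token
 http_options = {
 headers: { authorization: %Q(Token token="#{token}") }
 }
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(http_options)
+)["host_factories"]["hosts"]
 end
 
 def host_factory_create_tokens credentials, id
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['host_factory_tokens']
 end
 
 def host_factory_revoke_token credentials, token
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['host_factory_tokens'][token]
 end
 
 def policies_load_policy credentials, account, id
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['policies'][fully_escape account]['policy'][fully_escape id]
 end
 
 def public_keys_for_user account, username
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.rest_client_options
+)['public_keys'][fully_escape account]['user'][fully_escape username]
 end
 
 def resources credentials, account, kind, options
 credentials ||= {}
 
-path = "/resources/#{
-path += "/#{
+path = "/resources/#{fully_escape account}"
+path += "/#{fully_escape kind}" if kind
 
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)[path][options_querystring options]
 end
 
 def resources_resource credentials, id
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['resources'][id.to_url_path]
 end
 
 def resources_permitted_roles credentials, id, privilege
@@ -82,27 +160,39 @@ module Conjur
 options = {}
 options[:check] = true
 options[:privilege] = privilege
-options[:role] =
+options[:role] = query_escape(Id.new(role)) if role
 resources_resource(credentials, id)[options_querystring options].get
 end
 
 def roles_role credentials, id
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['roles'][id.to_url_path]
 end
 
 def secrets_add credentials, id
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['secrets'][id.to_url_path]
 end
 
 def secrets_value credentials, id, options
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['secrets'][id.to_url_path][options_querystring options]
 end
 
 def secrets_values credentials, variable_ids
 options = {
 variable_ids: Array(variable_ids).join(',')
 }
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['secrets'][options_querystring(options).gsub("%2C", ',')]
 end
 
 def group_attributes credentials, resource, id
@@ -140,15 +230,19 @@ module Conjur
 end
 
 def ldap_sync_policy(credentials, config_name)
-RestClient::Resource.new(
+RestClient::Resource.new(
+Conjur.configuration.core_url,
+Conjur.configuration.create_rest_client_options(credentials)
+)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
 end
-
+
 private
 
 def resource_annotations resource
-resource.attributes['annotations']
+resource.attributes['annotations']
 end
 end
 end
 end
 end
+# rubocop:enable Metrics/ModuleLength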
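Review bot: `authn_rotate_api_key` (hunk `@@ -24,51 +66,87 @@`) interpolates the role id raw into `["api_key?role=#{id}"]`, whereas `ldap_sync_policy` escapes its query value with `fully_escape` and the `resources_check` hunk builds its `role` parameter with `query_escape(Id.new(role))`; a role id containing `&`, `#` or `?` would be cut or reinterpreted by the query parser instead of reaching the server intact. I would change that line to `)['authn'][fully_escape account]["api_key?role=#{query_escape id}"]`, matching the `query_escape` usage already in this module. Separately, the module comment added in the first hunk starts a sentence in lower case (`# because of this, most of the methods suffer from …`) and should read `# Because of this, …`. `module V5` opens in the first hunk and closes in the last; the methods between the hunks are not shown here.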