conjur-api 5.3.1 → 5.3.2

@@ -0,0 +1,12 @@
1
+ #!/bin/bash -ex
2
+
3
+ cd "$(dirname "$0")"
4
+
5
+ docker run --rm \
6
+ -v "$PWD/..:/work" \
7
+ -w "/work" \
8
+ ruby:2.5 bash -ec "
9
+ gem install -N parse_a_changelog
10
+ parse ./CHANGELOG.md
11
+ "
12
+
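Review bot: `gem install -N parse_a_changelog` installs whatever version of the gem is current at run time, and it runs in a container that has the repository bind-mounted read-write at `/work`. As far as this script shows, the parser only needs to read `CHANGELOG.md`, so the mount can be read-only: `-v "$PWD/..:/work:ro" \`. Pinning the gem as well (`gem install -N parse_a_changelog -v <PINNED_VERSION>`) keeps an unexpected release of that gem from running against the tree unreviewed.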
@@ -0,0 +1,43 @@
1
+ #!/bin/bash -e
2
+
3
+ git fetch --tags
4
+
5
+ if [ "$(git rev-parse --abbrev-ref HEAD)" != "master" ]; then
6
+ echo "Must be on the master branch to releases. Please switch with 'git checkout master'."
7
+ exit 1
8
+ fi
9
+
10
+ version_file="$(cat lib/conjur-api/version.rb)"
11
+ re='VERSION = "([0-9]{1,}\.[0-9]{1,}\.[0-9]{1,})"'
12
+ if [[ "$version_file" =~ $re ]]; then
13
+ version="v${BASH_REMATCH[1]}"
14
+ else
15
+ echo "Failed to find a version in 'lib/conjur-api/version.rb'"
16
+ exit 1
17
+ fi
18
+
19
+ last_release=$(git describe --abbrev=0 --tags)
20
+
21
+ echo "The last release was: $last_release"
22
+ echo "The next release will be: $version"
23
+
24
+ if [ "$version" = "$last_release" ]; then
25
+ echo 'To release, the VERSION file must be incremented to the latest release number.'
26
+ exit 1
27
+ fi
28
+
29
+ if [[ ! $(git status --porcelain) ]]; then
30
+ echo 'Your Git is clean. Please update the lib/conjur-api/version.rb, and CHANGELOG.md before releasing. The script will handle commits and pushing.'
31
+ exit 1
32
+ fi
33
+
34
+ # Make sure we have the most recent changes, without destroying local changes.
35
+ git stash
36
+ git pull --rebase origin master
37
+ git stash pop
38
+
39
+ # Perform a commit, tag, and push. The tag needs to be present before the commit
40
+ # to insure Jenkins has what it needs to make a decision about a release.
41
+ git commit -am "$version"
42
+ git tag -a "$version" -m "$version release"
43
+ git push --follow-tags
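Review bot: `git commit -am "$version"` stages every modified tracked file, so anything left in the working tree is swept into the release commit, tagged and pushed to master in one step. The earlier `git status --porcelain` check only requires that the tree is dirty, not that the changes are limited to the two files its message names. Staging explicitly keeps the release commit reviewable: `git add lib/conjur-api/version.rb CHANGELOG.md` followed by `git commit -m "$version"`. The comment above the commit says the tag must be present "before the commit", while the commands create it after the commit; "before the push" looks like what is meant.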
@@ -0,0 +1,6 @@
1
+ FROM alpine:3.11
2
+ RUN wget https://codeclimate.com/downloads/test-reporter/test-reporter-0.6.3-linux-amd64 -O /opt/cc-test-reporter
3
+ RUN chmod +x /opt/cc-test-reporter
4
+ RUN apk update && apk upgrade && apk add --no-cache git
5
+
6
+ ENTRYPOINT ["/opt/cc-test-reporter"]
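Review bot: The first `RUN` line downloads an executable with `wget` and the image then uses it as its entrypoint, with no integrity check on what was fetched. test.sh later mounts the whole repository into this container and passes it the reporter ID, so a tampered or replaced binary would see both. Add a digest check directly after the download, with the value recorded from a trusted copy of the 0.6.3 release: `RUN echo "<EXPECTED_SHA256>  /opt/cc-test-reporter" | sha256sum -c -`. `apk upgrade` and the unpinned `git` package also make the image differ from build to build.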
@@ -18,10 +18,13 @@ Gem::Specification.new do |gem|
18
18
 
19
19
  gem.required_ruby_version = '>= 1.9'
20
20
 
21
+ # Filter out development only executables
22
+ gem.executables -= %w{parse-changelog.sh}
23
+
21
24
  gem.add_dependency 'rest-client'
22
25
  gem.add_dependency 'activesupport'
23
26
 
24
- gem.add_development_dependency 'rake', '~> 10.0'
27
+ gem.add_development_dependency 'rake', '>= 12.3.3'
25
28
  gem.add_development_dependency 'rspec', '~> 3'
26
29
  gem.add_development_dependency 'rspec-expectations', '~> 3.4'
27
30
  gem.add_development_dependency 'json_spec'
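Review bot: `gem.executables -= %w{parse-changelog.sh}` excludes development scripts by name, so any other helper that later lands in the same directory is packaged and installed onto users' PATH unless someone remembers to extend this list. The assignment that builds `gem.executables` is outside the hunk, so this is inferred from the subtraction alone. An allow-list of the executables that are meant to ship, set where the list is first built, fails safe. If the deny-list stays, the comment could say so: `# Deny-list: add every new development-only script here or it will be published`.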
@@ -27,6 +27,7 @@ services:
27
27
  volumes:
28
28
  - ./spec/reports:/src/conjur-api/spec/reports
29
29
  - ./features/reports:/src/conjur-api/features/reports
30
+ - ./coverage:/src/conjur-api/coverage
30
31
  - authn_local_5:/run/authn-local-5
31
32
  environment:
32
33
  CONJUR_APPLIANCE_URL: http://conjur_5
@@ -38,6 +39,7 @@ services:
38
39
  volumes:
39
40
  - ./features_v4/reports:/src/conjur-api/features_v4/reports
40
41
  - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
42
+ - ./coverage_v4:/src/conjur-api/coverage
41
43
  - authn_local_4:/run/authn-local-4
42
44
  environment:
43
45
  CONJUR_APPLIANCE_URL: https://conjur_4/api
@@ -0,0 +1,33 @@
1
+ Feature: List and manage authenticators
2
+
3
+ Background:
4
+ Given I run the code:
5
+ """
6
+ $conjur.load_policy 'root', <<-POLICY
7
+ - !webservice conjur/authn-k8s/my-auth
8
+ POLICY
9
+ """
10
+
11
+ Scenario: Authenticator list includes the authenticator status
12
+ When I run the code:
13
+ """
14
+ $conjur.authenticator_list
15
+ """
16
+ Then the JSON should have "installed"
17
+ And the JSON should have "configured"
18
+ And the JSON should have "enabled"
19
+ And the JSON at "enabled" should be ["authn"]
20
+
21
+ Scenario: Enable and disable authenticator
22
+ When I run the code:
23
+ """
24
+ $conjur.authenticator_enable("authn-k8s", "my-auth")
25
+ $conjur.authenticator_list
26
+ """
27
+ Then the JSON at "enabled" should be ["authn", "authn-k8s/my-auth"]
28
+ When I run the code:
29
+ """
30
+ $conjur.authenticator_disable("authn-k8s", "my-auth")
31
+ $conjur.authenticator_list
32
+ """
33
+ Then the JSON at "enabled" should be ["authn"]
@@ -1,5 +1,7 @@
1
1
  require 'simplecov'
2
+ require 'simplecov-cobertura'
2
3
 
4
+ SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
3
5
  SimpleCov.start
4
6
 
5
7
  require 'json_spec/cucumber'
@@ -5,8 +5,8 @@ Feature: Change a user's password.
5
5
  Scenario: A user can set/change her password using the current API key.
6
6
  When I run the code:
7
7
  """
8
- Conjur::API.update_password @user_id, @user_api_key, 'secret'
9
- @new_api_key = Conjur::API.login @user_id, 'secret'
8
+ Conjur::API.update_password @user_id, @user_api_key, 'SEcret12!!!!'
9
+ @new_api_key = Conjur::API.login @user_id, 'SEcret12!!!!'
10
10
  """
11
11
  Then I can run the code:
12
12
  """
@@ -1,5 +1,7 @@
1
1
  require 'simplecov'
2
+ require 'simplecov-cobertura'
2
3
 
4
+ SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
3
5
  SimpleCov.start
4
6
 
5
7
  require 'json_spec/cucumber'
@@ -19,6 +19,6 @@
19
19
 
20
20
  module Conjur
21
21
  class API
22
- VERSION = "5.3.1"
22
+ VERSION = "5.3.2"
23
23
  end
24
24
  end
@@ -34,6 +34,7 @@ require 'conjur/acts_as_rolsource'
34
34
  require 'conjur/acts_as_user'
35
35
  require 'conjur/log_source'
36
36
  require 'conjur/has_attributes'
37
+ require 'conjur/api/authenticators'
37
38
  require 'conjur/api/authn'
38
39
  require 'conjur/api/roles'
39
40
  require 'conjur/api/resources'
@@ -0,0 +1,35 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'conjur/webservice'
4
+
5
+ module Conjur
6
+ # API contains each of the methods for access the Conjur API endpoints
7
+ #-- :reek:DataClump for authenticator identifier fields (name, id, account)
8
+ class API
9
+ # @!group Authenticators
10
+
11
+ # List all configured authenticators
12
+ def authenticator_list
13
+ JSON.parse(url_for(:authenticators).get)
14
+ end
15
+
16
+ # Enables an authenticator in Conjur. The authenticator must be defined and
17
+ # loaded in Conjur policy prior to enabling it.
18
+ #
19
+ # @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
20
+ # @param [String] id the service ID of the authenticator to enable
21
+ def authenticator_enable authenticator, id, account: Conjur.configuration.account
22
+ url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
23
+ end
24
+
25
+ # Disables an authenticator in Conjur.
26
+ #
27
+ # @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
28
+ # @param [String] id the service ID of the authenticator to disable
29
+ def authenticator_disable authenticator, id, account: Conjur.configuration.account
30
+ url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
31
+ end
32
+
33
+ # @!endgroup
34
+ end
35
+ end
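Review bot: The YARD comments on `authenticator_enable` and `authenticator_disable` document `authenticator` and `id` but leave out the `account:` keyword and the return value, and `authenticator_list` has no `@return`. These methods change which authenticators a server accepts, so callers should be able to see the default account without reading the signature: `# @param [String] account the account to act on (defaults to Conjur.configuration.account)`. For the list method, `# @return [Hash] the parsed JSON body of the authenticators endpoint` matches what `JSON.parse` is given here. The class comment also reads "for access the Conjur API endpoints", where "for accessing" is meant.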
@@ -14,9 +14,13 @@
14
14
  # See the License for the specific language governing permissions and
15
15
  # limitations under the License.
16
16
 
17
+ # rubocop:disable Metrics/ModuleLength
17
18
  module Conjur
18
19
  class API
19
20
  module Router
21
+ # V5 translates method arguments to rest-ful API request parameters.
22
+ # because of this, most of the methods suffer from :reek:LongParameterList:
23
+ # and :reek:UtilityFunction:
20
24
  module V5
21
25
  extend Conjur::Escape::ClassMethods
22
26
  extend Conjur::QueryString
@@ -30,6 +34,14 @@ module Conjur
30
34
  RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate']
31
35
  end
32
36
 
37
+ def authenticator account, authenticator, service_id, credentials
38
+ RestClient::Resource.new(Conjur.configuration.core_url, credentials)[fully_escape authenticator][fully_escape service_id][fully_escape account]
39
+ end
40
+
41
+ def authenticators
42
+ RestClient::Resource.new(Conjur.configuration.core_url)['authenticators']
43
+ end
44
+
33
45
  # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
34
46
  def authn_authenticate_local username, account, expiration, cidr, &block
35
47
  { account: account, sub: username }.tap do |params|
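Review bot: `authenticator` takes `account` as its first argument but places it last in the path (`[authenticator][service_id][account]`), whereas the resource built just above puts the account first, and nothing in the hunk says the difference is intentional. A one-line comment such as `# Path is /<authenticator>/<service_id>/<account>; the account segment comes last for this endpoint.` would stop a later "correction" of the order. `authenticators` also builds its resource without `credentials`, unlike `authenticator`, so a comment noting that the listing is sent unauthenticated on purpose would help the next reader. The body of `authn_authenticate_local` continues outside the hunk.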
@@ -167,3 +179,4 @@ module Conjur
167
179
  end
168
180
  end
169
181
  end
182
+ # rubocop:enable Metrics/ModuleLength
@@ -41,5 +41,10 @@ module Conjur
41
41
  def username
42
42
  credentials[:username] or raise "No username found in credentials"
43
43
  end
44
+
45
+ def inspect
46
+ "<#{self.class.name} id='#{id.to_s}'>"
47
+ end
48
+
44
49
  end
45
50
  end
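Review bot: The new `inspect` has no comment saying why it is overridden. The default `Object#inspect` prints an object's instance variables, which for this class presumably include the credentials that `username` reads just above, so the override looks like it is there to keep secrets out of logs and console output. Stating that protects it from being removed as noise: `# Show only the class and id so credentials never appear in logs or console output.` The `id.to_s` inside the interpolation is redundant, so `"<#{self.class.name} id='#{id}'>"` is equivalent. The class body starts outside the hunk.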
@@ -44,6 +44,20 @@ module Conjur
44
44
  end
45
45
  end
46
46
  end
47
+
48
+ # Add a certificate to a given store. If the certificate has more than
49
+ # one certificate in its chain, it will be parsed and added to the store
50
+ # one by one. This is done because `OpenSSL::X509::Store.new.add_cert`
51
+ # adds only the intermediate certificate to the store.
52
+ def add_chained_cert store, chained_cert
53
+ parse_certs(chained_cert).each do |cert|
54
+ begin
55
+ store.add_cert cert
56
+ rescue OpenSSL::X509::StoreError => ex
57
+ raise unless ex.message == 'cert already in hash table'
58
+ end
59
+ end
60
+ end
47
61
  end
48
62
  end
49
63
  end
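Review bot: The `rescue` in `add_chained_cert` decides whether to swallow the error with `ex.message == 'cert already in hash table'`, an exact match on text that originates in the OpenSSL library. If another OpenSSL or openssl-gem build prefixes or rewords that message, loading an already-trusted certificate starts raising. A substring test is more tolerant: `raise unless ex.message.include?('cert already in hash table')`. The doc comment should also say that every certificate in the bundle is added to `store` as trusted, so callers are expected to pass CA certificates they intend to trust rather than arbitrary server chains.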
@@ -402,13 +402,7 @@ module Conjur
402
402
  # @return [Boolean] whether a certificate was added to the store.
403
403
  def apply_cert_config! store=OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
404
404
  if ssl_certificate
405
- CertUtils.parse_certs(ssl_certificate).each do |cert|
406
- begin
407
- store.add_cert cert
408
- rescue OpenSSL::X509::StoreError => ex
409
- raise unless ex.message == 'cert already in hash table'
410
- end
411
- end
405
+ CertUtils.add_chained_cert(store, ssl_certificate)
412
406
  elsif cert_file
413
407
  ensure_cert_readable!(cert_file)
414
408
  store.add_file cert_file
@@ -0,0 +1,14 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'spec_helper'
4
+
5
+ describe Conjur::BaseObject do
6
+
7
+ it "returns custom string for #inspect" do
8
+ id_str = 'foo:bar:baz'
9
+ base_obj = Conjur::BaseObject.new(Conjur::Id.new(id_str), { username: 'foo' })
10
+ expect(base_obj.inspect).to include("id='#{id_str}'")
11
+ expect(base_obj.inspect).to include(Conjur::BaseObject.name)
12
+ end
13
+
14
+ end
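Review bot: The example asserts that `inspect` contains the id and the class name, but not that the credentials are left out, which is the property that matters once these objects reach logs. The credential value `'foo'` is also the first segment of the id, so a negative assertion cannot be written against it as it stands. Giving the credentials a distinct, constructed value such as `{ username: 'alice', api_key: 'not-a-real-key' }` allows `expect(base_obj.inspect).not_to include('not-a-real-key')`.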
@@ -78,4 +78,96 @@ RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
78
78
  end
79
79
  end
80
80
  end
81
+
82
+ describe '.add_chained_cert' do
83
+ let(:one_certificate_chain) do
84
+ """-----BEGIN CERTIFICATE-----
85
+ MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
86
+ CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
87
+ BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
88
+ NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
89
+ DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
90
+ uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
91
+ FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
92
+ PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
93
+ CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
94
+ wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
95
+ AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
96
+ Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
97
+ AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
98
+ 3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
99
+ dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
100
+ RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
101
+ +SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
102
+ bGenr4vsPuSFsycM03/EcQDT
103
+ -----END CERTIFICATE-----
104
+ """
105
+ end
106
+
107
+ let(:two_certificates_chain) do
108
+ """-----BEGIN CERTIFICATE-----
109
+ MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
110
+ CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
111
+ BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
112
+ NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
113
+ DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
114
+ uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
115
+ FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
116
+ PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
117
+ CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
118
+ wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
119
+ AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
120
+ Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
121
+ AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
122
+ 3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
123
+ dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
124
+ RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
125
+ +SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
126
+ bGenr4vsPuSFsycM03/EcQDT
127
+ -----END CERTIFICATE-----
128
+ -----BEGIN CERTIFICATE-----
129
+ MIIDhzCCAm+gAwIBAgIJAJnsrJ1+j9MhMA0GCSqGSIb3DQEBCwUAMD0xETAPBgNV
130
+ BAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDASBgNVBAMTC2N1a2Ut
131
+ bWFzdGVyMB4XDTE1MTAwNzE2MzAwM1oXDTI1MTAwNDE2MzAwM1owPTERMA8GA1UE
132
+ ChMIY3VjdW1iZXIxEjAQBgNVBAsTCUNvbmp1ciBDQTEUMBIGA1UEAxMLY3VrZS1t
133
+ YXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsuZ06Ld4JDhxZ
134
+ FcxKVxu7MTjXVv6W8pI7qFKmgr39aNqmDpKYJ1H9aM+r9zaTAeithpM4wJpVswkJ
135
+ d0RSuKdm1LOx11yHLyZ1OvlPHFhsVWdZIQZ6R9srhPYBUCMem4sHR5IAcBBX+HkR
136
+ 35gaPYUl1uFV/9zCniekt92Kdta+it1WL7XinXTBURlhDawiD/kv1C9x6dICEJVe
137
+ IT/jRohmqHAoM/JSOQTthaDli3Qvu5K8XAx8UXvWVmv3eStZFVDbC4ZEueRd9KAe
138
+ 4IZ5FxdpFYkPBgt2lBYeydYKRShyYrDKye1uJBDkeplNaYW4cS4mOhYuRkdKn7MH
139
+ uY/xb1lFAgMBAAGjgYkwgYYwKQYDVR0RBCIwIIILY3VrZS1tYXN0ZXKCCWxvY2Fs
140
+ aG9zdIIGY29uanVyMB0GA1UdDgQWBBRHpGF7aQbHdORYgQKDC2hV6NzEKzAfBgNV
141
+ HSMEGDAWgBRHpGF7aQbHdORYgQKDC2hV6NzEKzAMBgNVHRMEBTADAQH/MAsGA1Ud
142
+ DwQEAwIB5jANBgkqhkiG9w0BAQsFAAOCAQEAGZT9Wek1hYluIVaxu03wSKCKIJ4p
143
+ KxTHw+mLDapg1y9t3Fa/5IQQK0Bx0xGU2qWiQKjda3vdFPJWO6l6XJvsUY5Nwtm5
144
+ Gcsk8l3L/zWCrjrFTH3TdVad5E+DTwVhThelmEjw68AyM+WuOL61j0MItd9mLW74
145
+ Lv2zouj9nQBdnUBHWQ0EL/9d5cfaCVu/bFlDfYt7Yj0IzXCuaWZfJeHodU1hmqVX
146
+ BvYRjnTB2LSxfmSnkrCeFPmhE11bWVtsLIdrGIgtEMX0/s9xg58QuNnva1U3pJsW
147
+ RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
148
+ -----END CERTIFICATE-----
149
+ """
150
+ end
151
+
152
+ let(:store){ double('default store') }
153
+
154
+ context 'with one certificate in the chain' do
155
+ subject{ Conjur::CertUtils.add_chained_cert(store, one_certificate_chain) }
156
+
157
+ it 'adds one certificate to the store' do
158
+ expect(store).to receive(:add_cert).once
159
+ expect(subject).to be_truthy
160
+ end
161
+ end
162
+
163
+ context 'with two certificate in the chain' do
164
+ subject{ Conjur::CertUtils.add_chained_cert(store, two_certificates_chain) }
165
+
166
+ it 'adds both certificate to the store' do
167
+ expect(store).to receive(:add_cert).twice
168
+ expect(subject).to be_truthy
169
+ end
170
+ end
171
+
172
+ end
81
173
  end
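Review bot: Both contexts under `.add_chained_cert` stub `add_cert` to succeed, so the `rescue OpenSSL::X509::StoreError` branch is never exercised. That branch decides whether a certificate-store failure is ignored or surfaced, so it is worth pinning both directions: a duplicate is tolerated and any other store error propagates. The error messages in the sketch below are the one the method matches on and a constructed one.

```ruby
context 'when the store reports a duplicate certificate' do
  it 'ignores the error' do
    allow(store).to receive(:add_cert)
      .and_raise(OpenSSL::X509::StoreError, 'cert already in hash table')
    expect { Conjur::CertUtils.add_chained_cert(store, one_certificate_chain) }
      .not_to raise_error
  end
end

context 'when the store rejects a certificate for another reason' do
  it 're-raises the error' do
    allow(store).to receive(:add_cert)
      .and_raise(OpenSSL::X509::StoreError, 'constructed failure message')
    expect { Conjur::CertUtils.add_chained_cert(store, one_certificate_chain) }
      .to raise_error(OpenSSL::X509::StoreError)
  end
end
```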
@@ -1,4 +1,7 @@
1
1
  require 'simplecov'
2
+ require 'simplecov-cobertura'
3
+
4
+ SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
2
5
  SimpleCov.start
3
6
 
4
7
  require 'rubygems'
data/test.sh CHANGED
@@ -8,6 +8,18 @@ function finish {
8
8
 
9
9
  trap finish EXIT
10
10
 
11
+ function publishToCodeClimate() {
12
+ docker build -f ci/codeclimate.dockerfile -t cyberark/code-climate:latest .
13
+ docker run \
14
+ --rm \
15
+ --volume "$PWD:/src/conjur-api" \
16
+ -w "/src/conjur-api" \
17
+ cyberark/code-climate:latest \
18
+ after-build \
19
+ -r "$(<TRID)" \
20
+ -t "simplecov"
21
+ }
22
+
11
23
  function main() {
12
24
  # Generate reports folders locally
13
25
  mkdir -p spec/reports features/reports features_v4/reports
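Review bot: In `publishToCodeClimate`, `-r "$(<TRID)"` expands the reporter ID onto the `docker run` argument list, where it is visible in process listings and would be echoed into the build log if this script is ever run with `-x`, as parse-changelog.sh is. The test reporter also reads the ID from the `CC_TEST_REPORTER_ID` environment variable, so the CI job can set that variable and the call can pass it by name only with `--env CC_TEST_REPORTER_ID \`, dropping the `-r` line. The function also mounts the whole working tree read-write into an image that is rebuilt and tagged `:latest` on every run. The body of `main` continues outside this hunk.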
@@ -15,6 +27,7 @@ function main() {
15
27
  startConjur
16
28
  runTests_5
17
29
  runTests_4
30
+ publishToCodeClimate
18
31
  }
19
32
 
20
33
  function startConjur() {