conjur-api 5.3.1 → 5.3.2

data/bin/parse-changelog.sh

@@ -0,0 +1,12 @@
+#!/bin/bash -ex
+
+cd "$(dirname "$0")"
+
+docker run --rm \
+  -v "$PWD/..:/work" \
+  -w "/work" \
+  ruby:2.5 bash -ec "
+    gem install -N parse_a_changelog
+    parse ./CHANGELOG.md
+  "
+

data/bin/release

@@ -0,0 +1,43 @@
+#!/bin/bash -e
+
+git fetch --tags
+
+if [ "$(git rev-parse --abbrev-ref HEAD)" != "master" ]; then
+  echo "Must be on the master branch to releases.  Please switch with 'git checkout master'."
+  exit 1
+fi
+
+version_file="$(cat lib/conjur-api/version.rb)"
+re='VERSION = "([0-9]{1,}\.[0-9]{1,}\.[0-9]{1,})"'
+if [[ "$version_file" =~ $re ]]; then
+  version="v${BASH_REMATCH[1]}"
+else
+  echo "Failed to find a version in 'lib/conjur-api/version.rb'"
+  exit 1
+fi
+
+last_release=$(git describe --abbrev=0 --tags)
+
+echo "The last release was: $last_release"
+echo "The next release will be: $version"
+
+if [ "$version" = "$last_release" ]; then
+  echo 'To release, the VERSION file must be incremented to the latest release number.'
+  exit 1
+fi
+
+if [[ ! $(git status --porcelain) ]]; then
+  echo 'Your Git is clean. Please update the lib/conjur-api/version.rb, and CHANGELOG.md before releasing.  The script will handle commits and pushing.'
+  exit 1
+fi
+
+# Make sure we have the most recent changes, without destroying local changes.
+git stash
+git pull --rebase origin master
+git stash pop
+
+# Perform a commit, tag, and push. The tag needs to be present before the commit
+# to insure Jenkins has what it needs to make a decision about a release.
+git commit -am "$version"
+git tag -a "$version" -m "$version release"
+git push --follow-tags

data/ci/codeclimate.dockerfile

@@ -0,0 +1,6 @@
+FROM alpine:3.11
+RUN wget https://codeclimate.com/downloads/test-reporter/test-reporter-0.6.3-linux-amd64 -O /opt/cc-test-reporter
+RUN chmod +x /opt/cc-test-reporter
+RUN apk update && apk upgrade && apk add --no-cache git
+
+ENTRYPOINT ["/opt/cc-test-reporter"]

data/conjur-api.gemspec

@@ -18,10 +18,13 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 1.9'
 
+  # Filter out development only executables
+  gem.executables -= %w{parse-changelog.sh}
+
   gem.add_dependency 'rest-client'
   gem.add_dependency 'activesupport'
 
-  gem.add_development_dependency 'rake', '~> 10.0'
+  gem.add_development_dependency 'rake', '>= 12.3.3'
   gem.add_development_dependency 'rspec', '~> 3'
   gem.add_development_dependency 'rspec-expectations', '~> 3.4'
   gem.add_development_dependency 'json_spec'

data/docker-compose.yml

@@ -27,6 +27,7 @@ services:
     volumes:
       - ./spec/reports:/src/conjur-api/spec/reports
       - ./features/reports:/src/conjur-api/features/reports
+      - ./coverage:/src/conjur-api/coverage
       - authn_local_5:/run/authn-local-5
     environment:
       CONJUR_APPLIANCE_URL: http://conjur_5
@@ -38,6 +39,7 @@ services:
     volumes:
       - ./features_v4/reports:/src/conjur-api/features_v4/reports
       - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
+      - ./coverage_v4:/src/conjur-api/coverage
       - authn_local_4:/run/authn-local-4
     environment:
       CONJUR_APPLIANCE_URL: https://conjur_4/api

data/features/authenticators.feature

@@ -0,0 +1,33 @@
+Feature: List and manage authenticators
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !webservice conjur/authn-k8s/my-auth
+    POLICY
+    """
+
+  Scenario: Authenticator list includes the authenticator status
+    When I run the code:
+    """
+    $conjur.authenticator_list
+    """
+    Then the JSON should have "installed"
+    And the JSON should have "configured"
+    And the JSON should have "enabled"
+    And the JSON at "enabled" should be ["authn"]
+
+  Scenario: Enable and disable authenticator
+    When I run the code:
+    """
+    $conjur.authenticator_enable("authn-k8s", "my-auth")
+    $conjur.authenticator_list
+    """
+    Then the JSON at "enabled" should be ["authn", "authn-k8s/my-auth"]
+    When I run the code:
+    """
+    $conjur.authenticator_disable("authn-k8s", "my-auth")
+    $conjur.authenticator_list
+    """
+    Then the JSON at "enabled" should be ["authn"]

data/features/support/env.rb

@@ -1,5 +1,7 @@
 require 'simplecov'
+require 'simplecov-cobertura'
 
+SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
 SimpleCov.start
 
 require 'json_spec/cucumber'

data/features/update_password.feature

@@ -5,8 +5,8 @@ Feature: Change a user's password.
   Scenario: A user can set/change her password using the current API key.
     When I run the code:
     """
-    Conjur::API.update_password @user_id, @user_api_key, 'secret'
-    @new_api_key = Conjur::API.login @user_id, 'secret'
+    Conjur::API.update_password @user_id, @user_api_key, 'SEcret12!!!!'
+    @new_api_key = Conjur::API.login @user_id, 'SEcret12!!!!'
     """
     Then I can run the code:
     """

data/features_v4/support/env.rb

@@ -1,5 +1,7 @@
 require 'simplecov'
+require 'simplecov-cobertura'
 
+SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
 SimpleCov.start
 
 require 'json_spec/cucumber'

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "5.3.1"
+    VERSION = "5.3.2"
   end
 end

data/lib/conjur/api.rb

@@ -34,6 +34,7 @@ require 'conjur/acts_as_rolsource'
 require 'conjur/acts_as_user'
 require 'conjur/log_source'
 require 'conjur/has_attributes'
+require 'conjur/api/authenticators'
 require 'conjur/api/authn'
 require 'conjur/api/roles'
 require 'conjur/api/resources'

data/lib/conjur/api/authenticators.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'conjur/webservice'
+
+module Conjur
+  # API contains each of the methods for access the Conjur API endpoints
+  #-- :reek:DataClump for authenticator identifier fields (name, id, account)
+  class API
+    # @!group Authenticators
+
+    # List all configured authenticators
+    def authenticator_list
+      JSON.parse(url_for(:authenticators).get)
+    end
+
+    # Enables an authenticator in Conjur. The authenticator must be defined and
+    # loaded in Conjur policy prior to enabling it.
+    # 
+    # @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
+    # @param [String] id the service ID of the authenticator to enable
+    def authenticator_enable authenticator, id, account: Conjur.configuration.account
+      url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
+    end
+
+    # Disables an authenticator in Conjur.
+    # 
+    # @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
+    # @param [String] id the service ID of the authenticator to disable
+    def authenticator_disable authenticator, id, account: Conjur.configuration.account
+      url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
+    end
+
+    # @!endgroup
+  end
+end

data/lib/conjur/api/router/v5.rb

@@ -14,9 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# rubocop:disable Metrics/ModuleLength
 module Conjur
   class API
     module Router
+      # V5 translates method arguments to rest-ful API request parameters.
+      # because of this, most of the methods suffer from :reek:LongParameterList:
+      # and :reek:UtilityFunction:
       module V5
         extend Conjur::Escape::ClassMethods
         extend Conjur::QueryString
@@ -30,6 +34,14 @@ module Conjur
           RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate']
         end
 
+        def authenticator account, authenticator, service_id, credentials
+          RestClient::Resource.new(Conjur.configuration.core_url, credentials)[fully_escape authenticator][fully_escape service_id][fully_escape account]
+        end
+
+        def authenticators
+          RestClient::Resource.new(Conjur.configuration.core_url)['authenticators']
+        end
+
         # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
         def authn_authenticate_local username, account, expiration, cidr, &block
           { account: account, sub: username }.tap do |params|
@@ -167,3 +179,4 @@ module Conjur
     end
   end
 end
+# rubocop:enable Metrics/ModuleLength

data/lib/conjur/base_object.rb

@@ -41,5 +41,10 @@ module Conjur
     def username
       credentials[:username] or raise "No username found in credentials"
     end
+
+    def inspect
+      "<#{self.class.name} id='#{id.to_s}'>"
+    end
+
   end
 end

data/lib/conjur/cert_utils.rb

@@ -44,6 +44,20 @@ module Conjur
           end
         end
       end
+
+      # Add a certificate to a given store. If the certificate has more than
+      # one certificate in its chain, it will be parsed and added to the store
+      # one by one. This is done because `OpenSSL::X509::Store.new.add_cert`
+      # adds only the intermediate certificate to the store.
+      def add_chained_cert store, chained_cert
+        parse_certs(chained_cert).each do |cert|
+          begin
+            store.add_cert cert
+          rescue OpenSSL::X509::StoreError => ex
+            raise unless ex.message == 'cert already in hash table'
+          end
+        end
+      end
     end
   end
 end

data/lib/conjur/configuration.rb

@@ -402,13 +402,7 @@ module Conjur
     # @return [Boolean]  whether a certificate was added to the store.
     def apply_cert_config! store=OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
       if ssl_certificate
-        CertUtils.parse_certs(ssl_certificate).each do |cert|
-          begin
-            store.add_cert cert
-          rescue OpenSSL::X509::StoreError => ex
-            raise unless ex.message == 'cert already in hash table'
-          end
-        end
+        CertUtils.add_chained_cert(store, ssl_certificate)
       elsif cert_file
         ensure_cert_readable!(cert_file)
         store.add_file cert_file

data/spec/base_object_spec.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Conjur::BaseObject do
+
+  it "returns custom string for #inspect" do
+    id_str = 'foo:bar:baz'
+    base_obj = Conjur::BaseObject.new(Conjur::Id.new(id_str), { username: 'foo' })
+    expect(base_obj.inspect).to include("id='#{id_str}'")
+    expect(base_obj.inspect).to include(Conjur::BaseObject.name)
+  end
+
+end

data/spec/cert_utils_spec.rb

@@ -78,4 +78,96 @@ RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
       end
     end
   end
+
+  describe '.add_chained_cert' do
+    let(:one_certificate_chain) do
+        """-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
+CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
+BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
+NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
+uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
+FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
+PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
+CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
+wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
+Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
+AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
+3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
+dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
+RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
++SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
+bGenr4vsPuSFsycM03/EcQDT
+-----END CERTIFICATE-----
+"""
+    end
+
+    let(:two_certificates_chain) do
+      """-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
+CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
+BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
+NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
+uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
+FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
+PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
+CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
+wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
+Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
+AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
+3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
+dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
+RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
++SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
+bGenr4vsPuSFsycM03/EcQDT
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIJAJnsrJ1+j9MhMA0GCSqGSIb3DQEBCwUAMD0xETAPBgNV
+BAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDASBgNVBAMTC2N1a2Ut
+bWFzdGVyMB4XDTE1MTAwNzE2MzAwM1oXDTI1MTAwNDE2MzAwM1owPTERMA8GA1UE
+ChMIY3VjdW1iZXIxEjAQBgNVBAsTCUNvbmp1ciBDQTEUMBIGA1UEAxMLY3VrZS1t
+YXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsuZ06Ld4JDhxZ
+FcxKVxu7MTjXVv6W8pI7qFKmgr39aNqmDpKYJ1H9aM+r9zaTAeithpM4wJpVswkJ
+d0RSuKdm1LOx11yHLyZ1OvlPHFhsVWdZIQZ6R9srhPYBUCMem4sHR5IAcBBX+HkR
+35gaPYUl1uFV/9zCniekt92Kdta+it1WL7XinXTBURlhDawiD/kv1C9x6dICEJVe
+IT/jRohmqHAoM/JSOQTthaDli3Qvu5K8XAx8UXvWVmv3eStZFVDbC4ZEueRd9KAe
+4IZ5FxdpFYkPBgt2lBYeydYKRShyYrDKye1uJBDkeplNaYW4cS4mOhYuRkdKn7MH
+uY/xb1lFAgMBAAGjgYkwgYYwKQYDVR0RBCIwIIILY3VrZS1tYXN0ZXKCCWxvY2Fs
+aG9zdIIGY29uanVyMB0GA1UdDgQWBBRHpGF7aQbHdORYgQKDC2hV6NzEKzAfBgNV
+HSMEGDAWgBRHpGF7aQbHdORYgQKDC2hV6NzEKzAMBgNVHRMEBTADAQH/MAsGA1Ud
+DwQEAwIB5jANBgkqhkiG9w0BAQsFAAOCAQEAGZT9Wek1hYluIVaxu03wSKCKIJ4p
+KxTHw+mLDapg1y9t3Fa/5IQQK0Bx0xGU2qWiQKjda3vdFPJWO6l6XJvsUY5Nwtm5
+Gcsk8l3L/zWCrjrFTH3TdVad5E+DTwVhThelmEjw68AyM+WuOL61j0MItd9mLW74
+Lv2zouj9nQBdnUBHWQ0EL/9d5cfaCVu/bFlDfYt7Yj0IzXCuaWZfJeHodU1hmqVX
+BvYRjnTB2LSxfmSnkrCeFPmhE11bWVtsLIdrGIgtEMX0/s9xg58QuNnva1U3pJsW
+RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
+-----END CERTIFICATE-----
+"""
+    end
+
+    let(:store){ double('default store') }
+
+    context 'with one certificate in the chain' do
+      subject{ Conjur::CertUtils.add_chained_cert(store, one_certificate_chain) }
+
+      it 'adds one certificate to the store' do
+        expect(store).to receive(:add_cert).once
+        expect(subject).to be_truthy
+      end
+    end
+
+    context 'with two certificate in the chain' do
+      subject{ Conjur::CertUtils.add_chained_cert(store, two_certificates_chain) }
+
+      it 'adds both certificate to the store' do
+        expect(store).to receive(:add_cert).twice
+        expect(subject).to be_truthy
+      end
+    end
+
+  end
 end

data/spec/spec_helper.rb

@@ -1,4 +1,7 @@
 require 'simplecov'
+require 'simplecov-cobertura'
+
+SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
 SimpleCov.start
 
 require 'rubygems'

data/test.sh

@@ -8,6 +8,18 @@ function finish {
 
 trap finish EXIT
 
+function publishToCodeClimate() {
+  docker build -f ci/codeclimate.dockerfile -t cyberark/code-climate:latest .
+  docker run \
+    --rm \
+    --volume "$PWD:/src/conjur-api" \
+    -w "/src/conjur-api" \
+    cyberark/code-climate:latest \
+      after-build \
+        -r "$(<TRID)" \
+        -t "simplecov"
+}
+
 function main() {
   # Generate reports folders locally
   mkdir -p spec/reports features/reports features_v4/reports
@@ -15,6 +27,7 @@ function main() {
   startConjur
   runTests_5
   runTests_4
+  publishToCodeClimate
 }
 
 function startConjur() {