conjur-api 5.3.3 → 5.3.7.pre.167
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/CODEOWNERS +1 -1
- data/.gitleaks.toml +1 -1
- data/CHANGELOG.md +48 -3
- data/CONTRIBUTING.md +1 -1
- data/Dockerfile +3 -2
- data/Gemfile +1 -5
- data/Jenkinsfile +115 -18
- data/LICENSE +1 -1
- data/README.md +26 -4
- data/VERSION +1 -0
- data/ci/submit-coverage +36 -0
- data/conjur-api.gemspec +6 -5
- data/docker-compose.yml +15 -3
- data/features/host.feature +39 -9
- data/features/permitted.feature +27 -0
- data/features/step_definitions/api_steps.rb +14 -3
- data/features/step_definitions/policy_steps.rb +40 -0
- data/features/support/env.rb +3 -3
- data/features/user.feature +47 -6
- data/features_v4/support/env.rb +0 -2
- data/lib/conjur/acts_as_user.rb +5 -1
- data/lib/conjur/api/authn.rb +3 -3
- data/lib/conjur/api/resources.rb +2 -2
- data/lib/conjur/api/router/v4.rb +80 -23
- data/lib/conjur/api/router/v5.rb +87 -21
- data/lib/conjur/api.rb +0 -18
- data/lib/conjur/base.rb +19 -5
- data/lib/conjur/base_object.rb +14 -7
- data/lib/conjur/configuration.rb +45 -17
- data/lib/conjur/escape.rb +2 -3
- data/lib/conjur-api/version.rb +2 -2
- data/spec/api_spec.rb +59 -13
- data/spec/base_object_spec.rb +0 -1
- data/spec/configuration_spec.rb +25 -3
- data/spec/spec_helper.rb +4 -4
- data/spec/ssl_spec.rb +50 -26
- data/test.sh +10 -17
- metadata +35 -21
- data/.github/ISSUE_TEMPLATE/bug.md +0 -42
- data/.github/ISSUE_TEMPLATE/feature_request.md +0 -27
- data/.github/PULL_REQUEST_TEMPLATE.md +0 -21
- data/ci/codeclimate.dockerfile +0 -6
- data/spec/vendor/rest_client_spec.rb +0 -41
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ad1a073ba389391d9ed2e0770f947a0a7e30c982154063c9a488925c05050efa
|
4
|
+
data.tar.gz: 7abc458cd851260b3f96aa1ede3abf4dfe338c42197a501bdfe6b37d672d1707
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 75079d3b4699e33e470643f9c0d75aa095cb937217619cd316c69cb36a80d73addaa6d1c238d1920d712e7483bf6d69d28c1f1f8256bceab5de27f5f3e73752d
|
7
|
+
data.tar.gz: 8f73519cf1241e9aae9034ca51727507b3390af92e93ee0008fce2934368f31e581876c66b53e50f58755669ff823ab57ced16d4037e1c0c4dcadda83468986b
|
data/.github/CODEOWNERS
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
* @cyberark/
|
1
|
+
* @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team
|
2
2
|
|
3
3
|
# Changes to .trivyignore require Security Architect approval
|
4
4
|
.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
|
data/.gitleaks.toml
CHANGED
data/CHANGELOG.md
CHANGED
@@ -4,13 +4,54 @@ All notable changes to this project will be documented in this file.
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
5
5
|
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
6
6
|
|
7
|
-
##
|
7
|
+
## Unreleased
|
8
|
+
### Changed
|
9
|
+
- Nothing should go in this section, please add to the latest unreleased version
|
10
|
+
(and update the corresponding date), or add a new version.
|
11
|
+
|
12
|
+
## [5.3.7] - 2021-12-28
|
13
|
+
|
14
|
+
### Changed
|
15
|
+
- Change addressable gem dependency.
|
16
|
+
[cyberark/conjur-api-ruby#199](https://github.com/cyberark/conjur-api-ruby/pull/199)
|
17
|
+
- Update to use automated release process
|
18
|
+
|
19
|
+
## [5.3.6] - 2021-12-09
|
20
|
+
|
21
|
+
### Changed
|
22
|
+
- Support ruby-3.0.2.
|
23
|
+
[cyberark/conjur-api-ruby#197](https://github.com/cyberark/conjur-api-ruby/pull/197)
|
24
|
+
|
25
|
+
## [5.3.5] - 2021-05-04
|
26
|
+
|
27
|
+
### Added
|
28
|
+
- Add `rest_client_options` option to `Conjur.configuration`. This allows users to
|
29
|
+
configure the RestClient instance used by Conjur API to communicate with the Conjur
|
30
|
+
server.
|
31
|
+
[cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
|
32
|
+
|
33
|
+
### Changed
|
34
|
+
- Replace monkey patching `RestClient::Request` with defaults on `Conjur.configuration.rest_client_options`
|
35
|
+
in order to limit the scope of the default `:ssl_cert_store` option only to inside
|
36
|
+
Conjur API.
|
37
|
+
[cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
|
38
|
+
|
39
|
+
## [5.3.4] - 2020-10-29
|
40
|
+
|
41
|
+
### Changed
|
42
|
+
- When rotating the currently logged in user's/host's API key, we now explictily
|
43
|
+
prevent use of `resource({own_id}).rotate_api_key` for that action as the
|
44
|
+
`Conjur::API.rotate_api_key` should be used instead for that. This change is a
|
45
|
+
downstream enforcement of the stricter key rotation requirements on the server
|
46
|
+
covered by [this](https://github.com/cyberark/conjur/security/advisories/GHSA-qhjf-g9gm-64jq)
|
47
|
+
security bulletin.
|
48
|
+
[cyberark/conjur-api-ruby#181](https://github.com/cyberark/conjur-api-ruby/issues/181)
|
8
49
|
|
9
50
|
## [5.3.3] - 2020-08-18
|
10
51
|
### Changed
|
11
52
|
- Release process is updated to ensure that the published Ruby Gem matches a tag in this repository,
|
12
53
|
so that consumers of this gem can always reference the correct source code included in any given version.
|
13
|
-
[cyberark/conjur-api-ruby](https://github.com/cyberark/conjur-api-ruby/issues/173)
|
54
|
+
[cyberark/conjur-api-ruby#173](https://github.com/cyberark/conjur-api-ruby/issues/173)
|
14
55
|
|
15
56
|
## 5.3.2 - 2018-09-24
|
16
57
|
### Added
|
@@ -321,7 +362,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
|
|
321
362
|
|
322
363
|
## [2.0.0] - 2013-13-12
|
323
364
|
|
324
|
-
[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.
|
365
|
+
[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...HEAD
|
366
|
+
[5.3.7]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...v5.3.7
|
367
|
+
[5.3.6]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.5...v5.3.6
|
368
|
+
[5.3.5]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...v5.3.5
|
369
|
+
[5.3.4]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.3...v5.3.4
|
325
370
|
[5.3.3]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.1...v5.3.3
|
326
371
|
[5.3.1]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.0...v5.3.1
|
327
372
|
[5.3.0]: https://github.com/cyberark/conjur-api-ruby/compare/v5.1.0...v5.3.0
|
data/CONTRIBUTING.md
CHANGED
@@ -131,7 +131,7 @@ $ docker-compose down
|
|
131
131
|
|
132
132
|
### Add a git tag
|
133
133
|
|
134
|
-
1. Once your changes have been **reviewed and merged into
|
134
|
+
1. Once your changes have been **reviewed and merged into main**, tag the version
|
135
135
|
using `git tag -a "vx.y.z" -m "vx.y.z release"`. Note this requires you to be able to sign releases.
|
136
136
|
Consult the [github documentation on signing commits](https://help.github.com/articles/signing-commits-with-gpg/)
|
137
137
|
on how to set this up. `vx.y.z release` is an acceptable tag message.
|
data/Dockerfile
CHANGED
@@ -1,10 +1,11 @@
|
|
1
|
-
|
1
|
+
ARG RUBY_VERSION
|
2
|
+
FROM ruby:$RUBY_VERSION
|
2
3
|
|
3
4
|
RUN apt-get update && apt-get install -y vim curl
|
4
5
|
|
5
6
|
WORKDIR /src/conjur-api
|
6
7
|
|
7
|
-
COPY Gemfile conjur-api.gemspec ./
|
8
|
+
COPY Gemfile conjur-api.gemspec VERSION ./
|
8
9
|
COPY lib/conjur-api/version.rb ./lib/conjur-api/
|
9
10
|
|
10
11
|
RUN bundle
|
data/Gemfile
CHANGED
data/Jenkinsfile
CHANGED
@@ -1,5 +1,17 @@
|
|
1
1
|
#!/usr/bin/env groovy
|
2
2
|
|
3
|
+
// Automated release, promotion and dependencies
|
4
|
+
properties([
|
5
|
+
release.addParams()
|
6
|
+
])
|
7
|
+
|
8
|
+
if (params.MODE == "PROMOTE") {
|
9
|
+
release.promote(params.VERSION_TO_PROMOTE) { sourceVersion, targetVersion, assetDirectory ->
|
10
|
+
sh './publish.sh'
|
11
|
+
}
|
12
|
+
return
|
13
|
+
}
|
14
|
+
|
3
15
|
pipeline {
|
4
16
|
agent { label 'executor-v2' }
|
5
17
|
|
@@ -12,21 +24,62 @@ pipeline {
|
|
12
24
|
cron(getDailyCronString())
|
13
25
|
}
|
14
26
|
|
27
|
+
environment {
|
28
|
+
MODE = release.canonicalizeMode()
|
29
|
+
}
|
30
|
+
|
15
31
|
stages {
|
16
|
-
stage('
|
17
|
-
|
18
|
-
|
19
|
-
|
32
|
+
stage ("Skip build if triggering job didn't create a release") {
|
33
|
+
when {
|
34
|
+
expression {
|
35
|
+
MODE == "SKIP"
|
20
36
|
}
|
21
37
|
}
|
38
|
+
steps {
|
39
|
+
script {
|
40
|
+
currentBuild.result = 'ABORTED'
|
41
|
+
error("Aborting build because this build was triggered from upstream, but no release was built")
|
42
|
+
}
|
43
|
+
}
|
44
|
+
}
|
45
|
+
stage('Validate Changelog and set version') {
|
46
|
+
steps {
|
47
|
+
sh './bin/parse-changelog.sh'
|
48
|
+
updateVersion("CHANGELOG.md", "${BUILD_NUMBER}")
|
49
|
+
}
|
22
50
|
}
|
23
51
|
|
24
|
-
stage('
|
52
|
+
stage('Prepare CC Report Dir'){
|
25
53
|
steps {
|
26
54
|
script {
|
27
|
-
ccCoverage.
|
55
|
+
ccCoverage.dockerPrep()
|
56
|
+
sh 'mkdir -p coverage'
|
28
57
|
}
|
29
|
-
|
58
|
+
}
|
59
|
+
}
|
60
|
+
|
61
|
+
stage('Test Ruby 2.5') {
|
62
|
+
environment {
|
63
|
+
RUBY_VERSION = '2.5'
|
64
|
+
}
|
65
|
+
steps {
|
66
|
+
sh './test.sh'
|
67
|
+
}
|
68
|
+
|
69
|
+
post {
|
70
|
+
always {
|
71
|
+
junit 'spec/reports/*.xml'
|
72
|
+
junit 'features/reports/*.xml'
|
73
|
+
junit 'features_v4/reports/*.xml'
|
74
|
+
}
|
75
|
+
}
|
76
|
+
}
|
77
|
+
|
78
|
+
stage('Test Ruby 2.6') {
|
79
|
+
environment {
|
80
|
+
RUBY_VERSION = '2.6'
|
81
|
+
}
|
82
|
+
steps {
|
30
83
|
sh './test.sh'
|
31
84
|
}
|
32
85
|
|
@@ -35,28 +88,72 @@ pipeline {
|
|
35
88
|
junit 'spec/reports/*.xml'
|
36
89
|
junit 'features/reports/*.xml'
|
37
90
|
junit 'features_v4/reports/*.xml'
|
38
|
-
cobertura autoUpdateHealth: true, autoUpdateStability: true, coberturaReportFile: 'coverage/coverage.xml', conditionalCoverageTargets: '100, 0, 0', failUnhealthy: true, failUnstable: false, lineCoverageTargets: '99, 0, 0', maxNumberOfBuilds: 0, methodCoverageTargets: '100, 0, 0', onlyStable: false, sourceEncoding: 'ASCII', zoomCoverageChart: false
|
39
91
|
}
|
40
92
|
}
|
41
93
|
}
|
42
94
|
|
43
|
-
|
44
|
-
|
45
|
-
|
95
|
+
stage('Test Ruby 2.7') {
|
96
|
+
environment {
|
97
|
+
RUBY_VERSION = '2.7'
|
98
|
+
}
|
99
|
+
steps {
|
100
|
+
sh './test.sh'
|
101
|
+
}
|
102
|
+
|
103
|
+
post {
|
104
|
+
always {
|
105
|
+
junit 'spec/reports/*.xml'
|
106
|
+
junit 'features/reports/*.xml'
|
107
|
+
junit 'features_v4/reports/*.xml'
|
108
|
+
}
|
109
|
+
}
|
110
|
+
}
|
46
111
|
|
47
|
-
|
112
|
+
stage('Test Ruby 3.0') {
|
113
|
+
environment {
|
114
|
+
RUBY_VERSION = '3.0'
|
115
|
+
}
|
48
116
|
steps {
|
49
|
-
|
50
|
-
|
117
|
+
sh("./test.sh")
|
118
|
+
}
|
119
|
+
post {
|
120
|
+
always {
|
121
|
+
junit 'spec/reports/*.xml'
|
122
|
+
junit 'features/reports/*.xml'
|
123
|
+
junit 'features_v4/reports/*.xml'
|
124
|
+
}
|
125
|
+
}
|
126
|
+
}
|
51
127
|
|
52
|
-
|
128
|
+
stage('Submit Coverage Report'){
|
129
|
+
steps{
|
130
|
+
sh 'ci/submit-coverage'
|
131
|
+
publishHTML([reportDir: 'coverage', reportFiles: 'index.html', reportName: 'Coverage Report', reportTitles: '',
|
132
|
+
allowMissing: false, alwaysLinkToLastBuild: true, keepAll: true])
|
133
|
+
}
|
53
134
|
|
54
|
-
|
55
|
-
|
56
|
-
|
135
|
+
post {
|
136
|
+
always {
|
137
|
+
archiveArtifacts artifacts: "coverage/.resultset.json", fingerprint: false
|
138
|
+
}
|
57
139
|
}
|
58
140
|
}
|
59
141
|
|
142
|
+
stage('Release') {
|
143
|
+
when {
|
144
|
+
expression {
|
145
|
+
MODE == "RELEASE"
|
146
|
+
}
|
147
|
+
}
|
148
|
+
|
149
|
+
steps {
|
150
|
+
release {
|
151
|
+
// Clean up all but the calculated VERSION
|
152
|
+
sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd -e VERSION'
|
153
|
+
sh './publish.sh'
|
154
|
+
}
|
155
|
+
}
|
156
|
+
}
|
60
157
|
}
|
61
158
|
|
62
159
|
post {
|
data/LICENSE
CHANGED
@@ -187,7 +187,7 @@
|
|
187
187
|
same "printed page" as the copyright notice for easier
|
188
188
|
identification within third-party archives.
|
189
189
|
|
190
|
-
Copyright (c)
|
190
|
+
Copyright (c) 2021 CyberArk Software Ltd. All rights reserved.
|
191
191
|
|
192
192
|
Licensed under the Apache License, Version 2.0 (the "License");
|
193
193
|
you may not use this file except in compliance with the License.
|
data/README.md
CHANGED
@@ -11,7 +11,7 @@ The Conjur server comes in two major versions:
|
|
11
11
|
* **4.x** Conjur 4 is a commercial, non-open-source product, which is documented at [https://developer.conjur.net/](https://developer.conjur.net/).
|
12
12
|
* **5.x** Conjur 5 is open-source software, hosted and documented at [https://www.conjur.org/](https://www.conjur.org/).
|
13
13
|
|
14
|
-
You can use the `
|
14
|
+
You can use the `main` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
|
15
15
|
|
16
16
|
* Authenticate
|
17
17
|
* Fetch secrets
|
@@ -24,9 +24,9 @@ Use the configuration setting `Conjur.configuration.version` to select your serv
|
|
24
24
|
|
25
25
|
If you are using Conjur server version `4.x`, you can also choose to use the `conjur-api` version `4.x`. In this case, the `Configuration.version` setting is not required (actually, it doesn't exist).
|
26
26
|
|
27
|
-
## Using conjur-api-ruby with Conjur
|
27
|
+
## Using conjur-api-ruby with Conjur Open Source
|
28
28
|
|
29
|
-
Are you using this project with [Conjur
|
29
|
+
Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we
|
30
30
|
**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS
|
31
31
|
suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html).
|
32
32
|
Conjur maintainers perform additional testing on the suite release versions to ensure
|
@@ -128,12 +128,34 @@ Conjur::API.new_from_key login, api_key
|
|
128
128
|
Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be
|
129
129
|
prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.example.com`.
|
130
130
|
|
131
|
+
## Configuring RestClient
|
132
|
+
|
133
|
+
[Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb)
|
134
|
+
allows optional configuration of the [RestClient](https://github.com/rest-client/rest-client)
|
135
|
+
instance used by Conjur API to communicate with the Conjur server, via the options hash
|
136
|
+
`Conjur.configuration.rest_client_options`.
|
137
|
+
|
138
|
+
The default value for the options hash is:
|
139
|
+
```ruby
|
140
|
+
{
|
141
|
+
ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
|
142
|
+
}
|
143
|
+
```
|
144
|
+
|
145
|
+
For example, here's how you would configure the client to use a proxy and `ssl_ca_file` (instead of the default `ssl_cert_store`).
|
146
|
+
```ruby
|
147
|
+
Conjur.configuration.rest_client_options = {
|
148
|
+
ssl_ca_file: "ca_certificate.pem",
|
149
|
+
proxy: "http://proxy.example.com/"
|
150
|
+
}
|
151
|
+
```
|
152
|
+
|
131
153
|
## Contributing
|
132
154
|
|
133
155
|
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing
|
134
156
|
guide][contrib].
|
135
157
|
|
136
|
-
[contrib]: https://github.com/cyberark/conjur-api-ruby/blob/
|
158
|
+
[contrib]: https://github.com/cyberark/conjur-api-ruby/blob/main/CONTRIBUTING.md
|
137
159
|
|
138
160
|
## License
|
139
161
|
|
data/VERSION
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
5.3.7-167
|
data/ci/submit-coverage
ADDED
@@ -0,0 +1,36 @@
|
|
1
|
+
#!/bin/bash
|
2
|
+
|
3
|
+
set -eux
|
4
|
+
|
5
|
+
DIR="coverage"
|
6
|
+
BIN="cc-test-reporter"
|
7
|
+
REPORT="${DIR}/.resultset.json"
|
8
|
+
|
9
|
+
if [[ ! -e ${REPORT} ]]; then
|
10
|
+
echo "SimpleCov report (${REPORT}) not found"
|
11
|
+
ls -laR ${DIR}
|
12
|
+
exit 1
|
13
|
+
fi
|
14
|
+
|
15
|
+
if [[ ! -x ${BIN} ]]; then
|
16
|
+
echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
|
17
|
+
ls -laR ${DIR}
|
18
|
+
# report is present but reporter binary is not, definitely a bug, exit error.
|
19
|
+
exit 1
|
20
|
+
fi
|
21
|
+
|
22
|
+
# Simplecov excludes files not within the current repo, it also needs to
|
23
|
+
# be able to read all the files referenced within the report. As the reports
|
24
|
+
# are generated in containers, the absolute paths contained in the report
|
25
|
+
# are not valid outside that container. This sed fixes the paths
|
26
|
+
# So they are correct relative to the Jenkins workspace.
|
27
|
+
sed -i -E "s+/src/conjur-api+${WORKSPACE}+g" "${REPORT}"
|
28
|
+
|
29
|
+
echo "Coverage reports prepared, submitting to CodeClimate."
|
30
|
+
# vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
|
31
|
+
|
32
|
+
./${BIN} after-build \
|
33
|
+
--coverage-input-type "simplecov"\
|
34
|
+
--id "${TRID}"
|
35
|
+
|
36
|
+
echo "Successfully Reported Coverage Data"
|
data/conjur-api.gemspec
CHANGED
@@ -2,14 +2,14 @@
|
|
2
2
|
require File.expand_path('../lib/conjur-api/version', __FILE__)
|
3
3
|
|
4
4
|
Gem::Specification.new do |gem|
|
5
|
-
gem.authors = ["
|
6
|
-
gem.email = ["
|
5
|
+
gem.authors = ["CyberArk Maintainers"]
|
6
|
+
gem.email = ["conj_maintainers@cyberark.com"]
|
7
7
|
gem.description = %q{Conjur API}
|
8
8
|
gem.summary = %q{Conjur API}
|
9
9
|
gem.homepage = "https://github.com/cyberark/conjur-api-ruby/"
|
10
10
|
gem.license = "Apache-2.0"
|
11
11
|
|
12
|
-
gem.files = `git ls-files`.split($\) + Dir['build_number']
|
12
|
+
gem.files = `git ls-files`.split($\).append("VERSION") + Dir['build_number']
|
13
13
|
gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
14
14
|
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
15
15
|
gem.name = "conjur-api"
|
@@ -22,7 +22,8 @@ Gem::Specification.new do |gem|
|
|
22
22
|
gem.executables -= %w{parse-changelog.sh}
|
23
23
|
|
24
24
|
gem.add_dependency 'rest-client'
|
25
|
-
gem.add_dependency 'activesupport'
|
25
|
+
gem.add_dependency 'activesupport', '>= 4.2'
|
26
|
+
gem.add_dependency 'addressable', '~> 2.0'
|
26
27
|
|
27
28
|
gem.add_development_dependency 'rake', '>= 12.3.3'
|
28
29
|
gem.add_development_dependency 'rspec', '~> 3'
|
@@ -30,7 +31,7 @@ Gem::Specification.new do |gem|
|
|
30
31
|
gem.add_development_dependency 'json_spec'
|
31
32
|
gem.add_development_dependency 'cucumber', '~> 2.99'
|
32
33
|
gem.add_development_dependency 'ci_reporter_rspec'
|
33
|
-
gem.add_development_dependency 'simplecov'
|
34
|
+
gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
|
34
35
|
gem.add_development_dependency 'io-grab'
|
35
36
|
gem.add_development_dependency 'rdoc'
|
36
37
|
gem.add_development_dependency 'yard'
|
data/docker-compose.yml
CHANGED
@@ -23,7 +23,11 @@ services:
|
|
23
23
|
- authn_local_4:/run/authn-local
|
24
24
|
|
25
25
|
tester_5:
|
26
|
-
build:
|
26
|
+
build:
|
27
|
+
context: .
|
28
|
+
dockerfile: Dockerfile
|
29
|
+
args:
|
30
|
+
RUBY_VERSION: ${RUBY_VERSION}
|
27
31
|
volumes:
|
28
32
|
- ./spec/reports:/src/conjur-api/spec/reports
|
29
33
|
- ./features/reports:/src/conjur-api/features/reports
|
@@ -35,7 +39,11 @@ services:
|
|
35
39
|
CONJUR_ACCOUNT: cucumber
|
36
40
|
|
37
41
|
tester_4:
|
38
|
-
build:
|
42
|
+
build:
|
43
|
+
context: .
|
44
|
+
dockerfile: Dockerfile
|
45
|
+
args:
|
46
|
+
RUBY_VERSION: ${RUBY_VERSION}
|
39
47
|
volumes:
|
40
48
|
- ./features_v4/reports:/src/conjur-api/features_v4/reports
|
41
49
|
- ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
|
@@ -47,7 +55,11 @@ services:
|
|
47
55
|
CONJUR_ACCOUNT: cucumber
|
48
56
|
|
49
57
|
dev:
|
50
|
-
build:
|
58
|
+
build:
|
59
|
+
context: .
|
60
|
+
dockerfile: Dockerfile
|
61
|
+
args:
|
62
|
+
RUBY_VERSION: ${RUBY_VERSION}
|
51
63
|
entrypoint: bash
|
52
64
|
volumes:
|
53
65
|
- .:/src/conjur-api
|
data/features/host.feature
CHANGED
@@ -1,20 +1,50 @@
|
|
1
|
-
Feature:
|
1
|
+
Feature: Host object
|
2
2
|
|
3
|
-
|
3
|
+
Scenario: API key of a newly created host is available and valid
|
4
4
|
Given a new host
|
5
|
-
|
6
|
-
Scenario: API key of a newly created host is available and valid.
|
7
|
-
Then I run the code:
|
5
|
+
Then I can run the code:
|
8
6
|
"""
|
9
7
|
expect(@host.exists?).to be(true)
|
10
8
|
expect(@host.api_key).to be
|
11
9
|
Conjur::API.new_from_key(@host.login, @host.api_key).token
|
12
10
|
"""
|
13
11
|
|
14
|
-
|
15
|
-
|
12
|
+
# Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
|
13
|
+
Scenario: Host's own API key cannot be rotated with an API key
|
14
|
+
Given a new host
|
15
|
+
Then this code should fail with "You cannot rotate your own API key via this method"
|
16
16
|
"""
|
17
17
|
host = Conjur::API.new_from_key(@host.login, @host.api_key).resource(@host.id)
|
18
|
-
|
19
|
-
|
18
|
+
host.rotate_api_key
|
19
|
+
"""
|
20
|
+
|
21
|
+
# Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
|
22
|
+
Scenario: Host's own API key cannot be rotated with a token
|
23
|
+
Given a new host
|
24
|
+
Then this code should fail with "You cannot rotate your own API key via this method"
|
25
|
+
"""
|
26
|
+
token = Conjur::API.new_from_key(@host.login, @host.api_key).token
|
27
|
+
|
28
|
+
host = Conjur::API.new_from_token(token).resource(@host.id)
|
29
|
+
host.rotate_api_key
|
30
|
+
"""
|
31
|
+
|
32
|
+
Scenario: Delegated host's API key can be rotated with an API key
|
33
|
+
Given a new delegated host
|
34
|
+
Then I can run the code:
|
35
|
+
"""
|
36
|
+
delegated_host_resource = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).resource(@host.id)
|
37
|
+
api_key = delegated_host_resource.rotate_api_key
|
38
|
+
Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
|
39
|
+
"""
|
40
|
+
|
41
|
+
Scenario: Delegated host's API key can be rotated with a token
|
42
|
+
Given a new delegated host
|
43
|
+
Then I can run the code:
|
44
|
+
"""
|
45
|
+
token = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).token
|
46
|
+
|
47
|
+
delegated_host_resource = Conjur::API.new_from_token(token).resource(@host.id)
|
48
|
+
api_key = delegated_host_resource.rotate_api_key
|
49
|
+
Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
|
20
50
|
"""
|
data/features/permitted.feature
CHANGED
@@ -4,6 +4,8 @@ Feature: Check if a role has permission on a resource.
|
|
4
4
|
Given I run the code:
|
5
5
|
"""
|
6
6
|
@host_id = "app-#{random_hex}"
|
7
|
+
@test_user = "user$#{random_hex}"
|
8
|
+
@test_host = "host?#{random_hex}"
|
7
9
|
response = $conjur.load_policy 'root', <<-POLICY
|
8
10
|
- !variable db-password
|
9
11
|
|
@@ -15,6 +17,17 @@ Feature: Check if a role has permission on a resource.
|
|
15
17
|
role: !layer myapp
|
16
18
|
privilege: execute
|
17
19
|
resource: !variable db-password
|
20
|
+
|
21
|
+
- !policy
|
22
|
+
id: test
|
23
|
+
body:
|
24
|
+
- !user #{@test_user}
|
25
|
+
- !host #{@test_host}
|
26
|
+
|
27
|
+
- !permit
|
28
|
+
role: !user #{@test_user}@test
|
29
|
+
privilege: execute
|
30
|
+
resource: !variable db-password
|
18
31
|
POLICY
|
19
32
|
@host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
|
20
33
|
expect(@host_api_key).to be
|
@@ -34,6 +47,20 @@ Feature: Check if a role has permission on a resource.
|
|
34
47
|
"""
|
35
48
|
Then the result should be "false"
|
36
49
|
|
50
|
+
Scenario: Check if a different user from subpolicy has the privilege.
|
51
|
+
When I run the code:
|
52
|
+
"""
|
53
|
+
$conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:#{@test_user}@test"
|
54
|
+
"""
|
55
|
+
Then the result should be "true"
|
56
|
+
|
57
|
+
Scenario: Check if a different host from subpolicy has the privilege.
|
58
|
+
When I run the code:
|
59
|
+
"""
|
60
|
+
$conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:test/#{@test_host}"
|
61
|
+
"""
|
62
|
+
Then the result should be "false"
|
63
|
+
|
37
64
|
Scenario: Check if a different user has the privilege, while logged in as that user.
|
38
65
|
When I run the code:
|
39
66
|
"""
|
@@ -1,7 +1,18 @@
|
|
1
|
-
|
1
|
+
Then(/^I(?: can)? run the code:$/) do |code|
|
2
2
|
@result = eval(code).tap do |result|
|
3
|
-
if ENV['DEBUG']
|
4
|
-
|
3
|
+
puts result if ENV['DEBUG']
|
4
|
+
end
|
5
|
+
end
|
6
|
+
|
7
|
+
Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
|
8
|
+
begin
|
9
|
+
@result = eval(code)
|
10
|
+
rescue Exception => exc
|
11
|
+
if not exc.message =~ %r{#{error_msg}}
|
12
|
+
fail "'#{error_msg}' was not found in '#{exc.message}'"
|
5
13
|
end
|
14
|
+
else
|
15
|
+
puts @result if ENV['DEBUG']
|
16
|
+
fail "The provided block did not raise an error"
|
6
17
|
end
|
7
18
|
end
|
@@ -13,6 +13,25 @@ Given(/^a new user$/) do
|
|
13
13
|
expect(@user_api_key).to be
|
14
14
|
end
|
15
15
|
|
16
|
+
Given(/^a new delegated user$/) do
|
17
|
+
# Create a new host that is owned by that user
|
18
|
+
step 'a new user'
|
19
|
+
@user_owner = @user
|
20
|
+
@user_owner_id = @user_id
|
21
|
+
@user_owner_api_key = @user_api_key
|
22
|
+
|
23
|
+
# Create a new user that is owned by the user created earlier
|
24
|
+
@user_id = "user-#{random_hex}"
|
25
|
+
response = $conjur.load_policy 'root', <<-POLICY
|
26
|
+
- !user
|
27
|
+
id: #{@user_id}
|
28
|
+
owner: !user #{@user_owner_id}
|
29
|
+
POLICY
|
30
|
+
@user = $conjur.resource("cucumber:user:#{@user_id}")
|
31
|
+
@user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
|
32
|
+
expect(@user_api_key).to be
|
33
|
+
end
|
34
|
+
|
16
35
|
Given(/^a new group$/) do
|
17
36
|
@group_id = "group-#{random_hex}"
|
18
37
|
response = $conjur.load_policy 'root', <<-POLICY
|
@@ -33,3 +52,24 @@ Given(/^a new host$/) do
|
|
33
52
|
@host = $conjur.resource("cucumber:host:#{@host_id}")
|
34
53
|
@host.attributes['api_key'] = @host_api_key
|
35
54
|
end
|
55
|
+
|
56
|
+
Given(/^a new delegated host$/) do
|
57
|
+
# Create an owner user
|
58
|
+
step 'a new user'
|
59
|
+
@host_owner = @user
|
60
|
+
@host_owner_id = @user_id
|
61
|
+
@host_owner_api_key = @user_api_key
|
62
|
+
|
63
|
+
# Create a new host that is owned by that user
|
64
|
+
@host_id = "app-#{random_hex}"
|
65
|
+
response = $conjur.load_policy 'root', <<-POLICY
|
66
|
+
- !host
|
67
|
+
id: #{@host_id}
|
68
|
+
owner: !user #{@host_owner_id}
|
69
|
+
POLICY
|
70
|
+
|
71
|
+
@host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
|
72
|
+
expect(@host_api_key).to be
|
73
|
+
@host = $conjur.resource("cucumber:host:#{@host_id}")
|
74
|
+
@host.attributes['api_key'] = @host_api_key
|
75
|
+
end
|