conjur-api 5.3.7.pre.168 → 5.3.8.pre.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop_settings.yml +1 -1
- data/CHANGELOG.md +16 -1
- data/CONTRIBUTING.md +1 -4
- data/Jenkinsfile +8 -38
- data/VERSION +1 -1
- data/bin/parse-changelog.sh +1 -1
- data/ci/configure_v5.sh +5 -0
- data/ci/oauth/keycloak/create_client +18 -0
- data/ci/oauth/keycloak/create_user +21 -0
- data/ci/oauth/keycloak/fetch_certificate +18 -0
- data/ci/oauth/keycloak/keycloak_functions.sh +71 -0
- data/ci/oauth/keycloak/standalone.xml +578 -0
- data/ci/oauth/keycloak/wait_for_server +56 -0
- data/conjur-api.gemspec +1 -0
- data/dev/Dockerfile.dev +1 -1
- data/dev/start +5 -0
- data/docker-compose.yml +23 -1
- data/features/authenticators.feature +8 -0
- data/features/authn.feature +14 -0
- data/features/step_definitions/api_steps.rb +34 -0
- data/features/step_definitions/policy_steps.rb +59 -0
- data/features/step_definitions/result_steps.rb +4 -0
- data/features/support/env.rb +1 -0
- data/lib/conjur/api/authenticators.rb +8 -0
- data/lib/conjur/api/authn.rb +19 -0
- data/lib/conjur/api/router/v5.rb +21 -0
- data/publish.sh +3 -5
- data/test.sh +8 -1
- metadata +28 -6
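--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6e542258c40773ab19a843a4f736ecc11aaebf6af17845d18ccd7f66ad9984be
+data.tar.gz: aab3735f0a132de15e9d70d87ad6382fe8678339e2bab0f4d9164985095077c0
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0bf6b1653ade8fa65e6a6f63c87303a5112df9c61871a783dcc6bae21a698bf11b214c74fccbf8124182150d086db233bb26bb803e78a85c5fc9afc93e461882
+data.tar.gz: 9dbf3a5fca29ba9dd88d1e087985956b2fc7414a06fca45d20c6bafda903abbe5dbc5a3df245b084651e6592b97ea980b603cb076cbd72e0e5316a47d6f3de7e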
data/.rubocop_settings.yml
CHANGED
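--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -9,6 +9,20 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
 (and update the corresponding date), or add a new version.
 
+## [5.3.8] - 2022-07-19
+
+### Added
+- Added support for OIDC V2 authentication endpoint.
+[cyberark/cojnur-api-ruby#207](https://github.com/cyberark/conjur-api-ruby/pull/207)
+- Added support for OIDC authenticator providers endpoint.
+[cyberark/cojnur-api-ruby#207](https://github.com/cyberark/conjur-api-ruby/pull/207)
+
+### Changed
+- Remove support for Ruby versions <2.7 which are [end of life](https://endoflife.date/ruby).
+[cyberark/conjur-api-ruby#206](https://github.com/cyberark/conjur-api-ruby/pull/206)
+- Adding operation call to fetch authentication providers
+[cyberark/conjur-api-ruby#206](https://github.com/cyberark/conjur-api-ruby/pull/206)
+
 ## [5.3.7] - 2021-12-28
 
 ### Changed
@@ -362,7 +376,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [2.0.0] - 2013-13-12
 
-[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.
+[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.8...HEAD
+[5.3.8]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.7...v5.3.8
 [5.3.7]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...v5.3.7
 [5.3.6]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.5...v5.3.6
 [5.3.5]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...v5.3.5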
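--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -123,11 +123,8 @@ $ docker-compose down
 ### Update the version and changelog
 
 1. Create a new branch for the version bump.
-1. Based on the unreleased content, determine the new version number and update
-the [version.rb](lib/conjur-api/version.rb) file.
 1. Commit these changes - `Bump version to x.y.z` is an acceptable commit message - and open a PR
-for review. Your PR should include updates to `
-`CHANGELOG.md`.
+for review. Your PR should include updates to `CHANGELOG.md`.
 
 ### Add a git tag
 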
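--- a/data/Jenkinsfile
+++ b/data/Jenkinsfile
@@ -1,4 +1,5 @@
 #!/usr/bin/env groovy
+@Library('conjur@test-fix-git-directory-permissions') _
 
 // Automated release, promotion and dependencies
 properties([
@@ -58,40 +59,6 @@ pipeline {
 }
 }
 
-stage('Test Ruby 2.5') {
-environment {
-RUBY_VERSION = '2.5'
-}
-steps {
-sh './test.sh'
-}
-
-post {
-always {
-junit 'spec/reports/*.xml'
-junit 'features/reports/*.xml'
-junit 'features_v4/reports/*.xml'
-}
-}
-}
-
-stage('Test Ruby 2.6') {
-environment {
-RUBY_VERSION = '2.6'
-}
-steps {
-sh './test.sh'
-}
-
-post {
-always {
-junit 'spec/reports/*.xml'
-junit 'features/reports/*.xml'
-junit 'features_v4/reports/*.xml'
-}
-}
-}
-
 stage('Test Ruby 2.7') {
 environment {
 RUBY_VERSION = '2.7'
@@ -149,11 +116,14 @@ pipeline {
 steps {
 release {
 // Clean up all but the calculated VERSION
-sh '''docker run -i --rm -v $
--
-
-
+sh '''docker run -i --rm -v $(pwd):/src -w /src --entrypoint /bin/sh alpine/git \
+-c "git config --global --add safe.directory /src && \
+git clean -fdx \
+-e VERSION \
+-e bom-assets/ \
+-e release-assets" '''
 sh './publish.sh'
+sh 'cp conjur-api-*.gem release-assets/.'
 }
 }
 }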
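Review bot: The new `@Library('conjur@test-fix-git-directory-permissions') _` in the first hunk pins the shared pipeline library to what looks like a test branch rather than a released ref, so every build of this gem now runs whatever that branch currently contains. If the branch was only needed to validate the `safe.directory` fix, point the annotation back at the library's stable ref or a tagged version before merging, and if the override has to stay, add a comment above it saying why and when it can be dropped. The `git config --global --add safe.directory /src` in the last hunk is scoped to the throwaway alpine/git container, so that part needs no change.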
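--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-5.3.
+5.3.8-3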
data/bin/parse-changelog.sh
CHANGED
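--- a/data/ci/configure_v5.sh
+++ b/data/ci/configure_v5.sh
@@ -1,5 +1,7 @@
 #!/bin/bash -e
 
+source ./ci/oauth/keycloak/keycloak_functions.sh
+
 cat << "CONFIGURE" | docker exec -i $(docker-compose ps -q conjur_5) bash
 set -e
 
@@ -12,3 +14,6 @@ done
 # So we fail if the server isn't up yet:
 curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null
 CONFIGURE
+
+fetch_keycloak_certificate
+create_keycloak_users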
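--- a/data/ci/oauth/keycloak/create_client
+++ b/data/ci/oauth/keycloak/create_client
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+
+keycloak/bin/kcreg.sh config credentials \
+--server http://localhost:8080/auth \
+--realm master \
+--user "$KEYCLOAK_USER" \
+--password "$KEYCLOAK_PASSWORD"
+
+keycloak/bin/kcreg.sh create \
+-s clientId="$KEYCLOAK_CLIENT_ID" \
+-s "redirectUris=[\"$KEYCLOAK_REDIRECT_URI\"]" \
+-s "secret=$KEYCLOAK_CLIENT_SECRET"
+
+# Enable direct access to get an id token with username & password
+keycloak/bin/kcreg.sh update conjurClient -s directAccessGrantsEnabled=true
+
+keycloak/bin/kcreg.sh get "$KEYCLOAK_CLIENT_ID" | jq '.secret'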
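Review bot: `keycloak/bin/kcreg.sh update conjurClient -s directAccessGrantsEnabled=true` hard-codes the client id while the `create` and `get` calls use `$KEYCLOAK_CLIENT_ID`, so the update silently targets a different client whenever that variable is not `conjurClient`; use `keycloak/bin/kcreg.sh update "$KEYCLOAK_CLIENT_ID" -s directAccessGrantsEnabled=true`. The final `jq '.secret'` writes the client secret to stdout, which the `docker-compose exec` caller in `keycloak_functions.sh` leaves in the CI log; the value is already known from `$KEYCLOAK_CLIENT_SECRET`, so a presence check such as `jq -e '.secret != null' >/dev/null` confirms registration without echoing it. There is also no `set -e`, so a failed `config credentials` does not stop the later calls; add `set -e` after the shebang.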
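--- a/data/ci/oauth/keycloak/create_user
+++ b/data/ci/oauth/keycloak/create_user
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+echo "login as admin with user $KEYCLOAK_USER"
+
+keycloak/bin/kcadm.sh config credentials \
+--server http://localhost:8080/auth \
+--realm master \
+--user "$KEYCLOAK_USER" \
+--password "$KEYCLOAK_PASSWORD"
+
+echo "creating user $1 with email $3"
+
+keycloak/bin/kcadm.sh create users \
+-s username="$1" \
+-s email="$3" \
+-s enabled=true
+
+echo "setting password of user $1 to $2"
+keycloak/bin/kcadm.sh set-password \
+--username "$1" \
+-p "$2"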
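Review bot: `echo "setting password of user $1 to $2"` prints the user's password into the container output, which the `docker-compose exec` caller forwards to the CI log; drop the value, `echo "setting password of user $1"`. As in `create_client`, the script has no `set -e`, so a failed `config credentials` or `create users` is followed by a `set-password` attempt whose error is harder to read than the original one; add `set -e` after the shebang. The positional parameters are otherwise quoted correctly.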
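--- a/data/ci/oauth/keycloak/fetch_certificate
+++ b/data/ci/oauth/keycloak/fetch_certificate
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# This script retrieves a certificate from the keycloak OIDC provider
+# and puts it to a trusted operating system store.
+# It is needed to communicate with the provider via SSL for validating ID tokens
+
+openssl s_client \
+-showcerts \
+-connect keycloak:8443 \
+-servername keycloak \
+</dev/null | \
+openssl x509 \
+-outform PEM \
+>/etc/ssl/certs/keycloak.pem
+
+hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
+
+ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0"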
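Review bot: Nothing guards against a failed `openssl s_client`: under `#!/bin/sh` there is no `set -e` or `pipefail`, so an unreachable `keycloak:8443` leaves an empty `/etc/ssl/certs/keycloak.pem`, an empty `hash`, and a dangling `/etc/ssl/certs/.0` link while the script still exits 0 and the later TLS validation fails far from the cause. Add `set -e`, check the output before linking with `[ -s /etc/ssl/certs/keycloak.pem ] || exit 1`, and use `ln -sf` so a rerun does not fail on the existing link. The header comment could also state that the store is seeded with whatever certificate the endpoint presents at fetch time, i.e. trust on first use for this CI fixture.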
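--- a/data/ci/oauth/keycloak/keycloak_functions.sh
+++ b/data/ci/oauth/keycloak/keycloak_functions.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+KEYCLOAK_SERVICE_NAME="keycloak"
+
+# Note: the single arg is a nameref, which this function sets to an array
+# containing items of the form "KEY=VAL".
+function _hydrate_keycloak_env_args() {
+local -n arr=$1
+local keycloak_items
+
+readarray -t keycloak_items < <(
+set -o pipefail
+# Note: This prints all lines that look like:
+# KEYCLOAK_XXX=someval
+docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} printenv | awk '/KEYCLOAK/'
+)
+
+# shellcheck disable=SC2034
+arr=(
+"${keycloak_items[@]}"
+"PROVIDER_URI=https://keycloak:8443/auth/realms/master"
+"PROVIDER_INTERNAL_URI=http://keycloak:8080/auth/realms/master/protocol/openid-connect"
+"PROVIDER_ISSUER=http://keycloak:8080/auth/realms/master"
+"ID_TOKEN_USER_PROPERTY=preferred_username"
+)
+}
+
+# The arguments must be unexpanded variable names. Eg:
+#
+# _create_keycloak_user '$APP_USER' '$APP_PW' '$APP_EMAIL'
+#
+# This is because those variables are not available to this script. They are
+# available to bash commands run via "docker-compose exec keycloak bash
+# -c...", since they're defined in the docker-compose.yml.
+function _create_keycloak_user() {
+local user_var=$1
+local pw_var=$2
+local email_var=$3
+
+docker-compose exec -T \
+${KEYCLOAK_SERVICE_NAME} \
+bash -c "/scripts/create_user \"$user_var\" \"$pw_var\" \"$email_var\""
+}
+
+function create_keycloak_users() {
+echo "Defining keycloak client"
+
+docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} /scripts/create_client
+
+echo "Creating user 'alice' in Keycloak"
+
+# Note: We want to pass the bash command thru without expansion here.
+# shellcheck disable=SC2016
+_create_keycloak_user \
+'$KEYCLOAK_APP_USER' \
+'$KEYCLOAK_APP_USER_PASSWORD' \
+'$KEYCLOAK_APP_USER_EMAIL'
+}
+
+function wait_for_keycloak_server() {
+docker-compose exec -T \
+${KEYCLOAK_SERVICE_NAME} /scripts/wait_for_server
+}
+
+function fetch_keycloak_certificate() {
+# there's a dep on the docker-compose.yml volumes.
+# Fetch SSL cert to communicate with keycloak (OIDC provider).
+echo "Initialize keycloak certificate in conjur server"
+docker-compose exec -T \
+conjur_5 /scripts/fetch_certificate
+}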
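Review bot: `_hydrate_keycloak_env_args` copies every container variable matching `/KEYCLOAK/` into the caller's array, which, going by the sibling scripts in this diff, includes `KEYCLOAK_PASSWORD` and `KEYCLOAK_CLIENT_SECRET`; the consumer of that array is not in the diff, so the comment above the `awk` should say that the list carries credentials and must not be echoed or placed where `ps` can read it. `${KEYCLOAK_SERVICE_NAME}` is expanded unquoted in four `docker-compose exec` calls; `"${KEYCLOAK_SERVICE_NAME}"` is the safe form, and `readonly KEYCLOAK_SERVICE_NAME="keycloak"` documents that it is a constant. The `bash -c "..."` string in `_create_keycloak_user` depends on callers passing unexpanded `'$VAR'` names as the header comment says, and a value containing a double quote would break the command, so the comment could add that the names are substituted by the container's shell and must never carry user-supplied text.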