conjur-api 5.3.7.pre.168 → 5.3.8.pre.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- metadata +21 -190
- data/.codeclimate.yml +0 -10
- data/.dockerignore +0 -1
- data/.github/CODEOWNERS +0 -10
- data/.gitignore +0 -32
- data/.gitleaks.toml +0 -219
- data/.overcommit.yml +0 -16
- data/.project +0 -18
- data/.rubocop.yml +0 -3
- data/.rubocop_settings.yml +0 -86
- data/.rubocop_todo.yml +0 -709
- data/.yardopts +0 -1
- data/CHANGELOG.md +0 -433
- data/CONTRIBUTING.md +0 -141
- data/Dockerfile +0 -16
- data/Gemfile +0 -7
- data/Jenkinsfile +0 -167
- data/LICENSE +0 -202
- data/README.md +0 -162
- data/Rakefile +0 -47
- data/SECURITY.md +0 -42
- data/bin/parse-changelog.sh +0 -12
- data/ci/configure_v4.sh +0 -12
- data/ci/configure_v5.sh +0 -14
- data/ci/submit-coverage +0 -36
- data/conjur-api.gemspec +0 -40
- data/dev/Dockerfile.dev +0 -12
- data/dev/docker-compose.yml +0 -56
- data/dev/start +0 -17
- data/dev/stop +0 -5
- data/docker-compose.yml +0 -76
- data/example/demo_v4.rb +0 -49
- data/example/demo_v5.rb +0 -57
- data/features/authenticators.feature +0 -33
- data/features/authn_local.feature +0 -32
- data/features/exists.feature +0 -37
- data/features/group.feature +0 -11
- data/features/host.feature +0 -50
- data/features/host_factory_create_host.feature +0 -28
- data/features/host_factory_token.feature +0 -63
- data/features/load_policy.feature +0 -61
- data/features/members.feature +0 -51
- data/features/new_api.feature +0 -36
- data/features/permitted.feature +0 -70
- data/features/permitted_roles.feature +0 -30
- data/features/public_keys.feature +0 -11
- data/features/resource_fields.feature +0 -53
- data/features/role_fields.feature +0 -15
- data/features/rotate_api_key.feature +0 -13
- data/features/step_definitions/api_steps.rb +0 -18
- data/features/step_definitions/policy_steps.rb +0 -75
- data/features/step_definitions/result_steps.rb +0 -7
- data/features/support/env.rb +0 -18
- data/features/support/hooks.rb +0 -3
- data/features/support/world.rb +0 -12
- data/features/update_password.feature +0 -14
- data/features/user.feature +0 -58
- data/features/variable_fields.feature +0 -20
- data/features/variable_value.feature +0 -60
- data/features_v4/authn_local.feature +0 -27
- data/features_v4/exists.feature +0 -29
- data/features_v4/host.feature +0 -18
- data/features_v4/host_factory_token.feature +0 -49
- data/features_v4/members.feature +0 -39
- data/features_v4/permitted.feature +0 -15
- data/features_v4/permitted_roles.feature +0 -8
- data/features_v4/resource_fields.feature +0 -47
- data/features_v4/rotate_api_key.feature +0 -13
- data/features_v4/step_definitions/api_steps.rb +0 -17
- data/features_v4/step_definitions/result_steps.rb +0 -3
- data/features_v4/support/env.rb +0 -23
- data/features_v4/support/policy.yml +0 -34
- data/features_v4/support/world.rb +0 -12
- data/features_v4/variable_fields.feature +0 -11
- data/features_v4/variable_value.feature +0 -54
- data/lib/conjur/acts_as_resource.rb +0 -123
- data/lib/conjur/acts_as_role.rb +0 -142
- data/lib/conjur/acts_as_rolsource.rb +0 -32
- data/lib/conjur/acts_as_user.rb +0 -68
- data/lib/conjur/api/authenticators.rb +0 -35
- data/lib/conjur/api/authn.rb +0 -125
- data/lib/conjur/api/host_factories.rb +0 -71
- data/lib/conjur/api/ldap_sync.rb +0 -38
- data/lib/conjur/api/policies.rb +0 -56
- data/lib/conjur/api/pubkeys.rb +0 -53
- data/lib/conjur/api/resources.rb +0 -109
- data/lib/conjur/api/roles.rb +0 -98
- data/lib/conjur/api/router/v4.rb +0 -206
- data/lib/conjur/api/router/v5.rb +0 -248
- data/lib/conjur/api/variables.rb +0 -59
- data/lib/conjur/api.rb +0 -105
- data/lib/conjur/base.rb +0 -355
- data/lib/conjur/base_object.rb +0 -57
- data/lib/conjur/build_object.rb +0 -47
- data/lib/conjur/cache.rb +0 -26
- data/lib/conjur/cert_utils.rb +0 -63
- data/lib/conjur/cidr.rb +0 -71
- data/lib/conjur/configuration.rb +0 -460
- data/lib/conjur/escape.rb +0 -129
- data/lib/conjur/exceptions.rb +0 -4
- data/lib/conjur/group.rb +0 -41
- data/lib/conjur/has_attributes.rb +0 -98
- data/lib/conjur/host.rb +0 -27
- data/lib/conjur/host_factory.rb +0 -75
- data/lib/conjur/host_factory_token.rb +0 -78
- data/lib/conjur/id.rb +0 -71
- data/lib/conjur/layer.rb +0 -9
- data/lib/conjur/log.rb +0 -72
- data/lib/conjur/log_source.rb +0 -60
- data/lib/conjur/policy.rb +0 -34
- data/lib/conjur/policy_load_result.rb +0 -61
- data/lib/conjur/query_string.rb +0 -12
- data/lib/conjur/resource.rb +0 -29
- data/lib/conjur/role.rb +0 -29
- data/lib/conjur/role_grant.rb +0 -85
- data/lib/conjur/routing.rb +0 -29
- data/lib/conjur/user.rb +0 -40
- data/lib/conjur/variable.rb +0 -208
- data/lib/conjur/webservice.rb +0 -30
- data/lib/conjur-api/version.rb +0 -24
- data/lib/conjur-api.rb +0 -2
- data/publish.sh +0 -7
- data/spec/api/host_factories_spec.rb +0 -34
- data/spec/api_spec.rb +0 -254
- data/spec/base_object_spec.rb +0 -13
- data/spec/cert_utils_spec.rb +0 -173
- data/spec/cidr_spec.rb +0 -34
- data/spec/configuration_spec.rb +0 -330
- data/spec/has_attributes_spec.rb +0 -63
- data/spec/helpers/errors_matcher.rb +0 -34
- data/spec/helpers/request_helpers.rb +0 -10
- data/spec/id_spec.rb +0 -29
- data/spec/ldap_sync_spec.rb +0 -21
- data/spec/log_source_spec.rb +0 -13
- data/spec/log_spec.rb +0 -42
- data/spec/roles_spec.rb +0 -24
- data/spec/spec_helper.rb +0 -113
- data/spec/ssl_spec.rb +0 -109
- data/spec/uri_escape_spec.rb +0 -21
- data/test.sh +0 -69
- data/tmp/.keep +0 -0
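--- a/data/lib/conjur/acts_as_user.rb
+++ b/data/lib/conjur/acts_as_user.rb
@@ -1,68 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-# This module provides methods for things that are like users (specifically, those that have
-# api keys).
-module ActsAsUser
-# @api private
-def self.included(base)
-base.include ActsAsRolsource
-end
-
-# Returns a newly created user's api_key.
-#
-# @note The API key is not returned by {API#resource}. It is only available
-# via {API#login}, when the object is newly created, and when the API key is rotated.
-#
-# @return [String] the api key
-# @raise [Exception] when the object isn't newly created.
-def api_key
-attributes['api_key'] or raise "api_key is only available on a newly created #{kind}"
-end
-
-# Create an api logged in as this user-like thing.
-#
-# @note As with {#api_key}, this method only works on newly created instances.
-# @see #api_key
-# @return [Conjur::API] an api logged in as this user-like thing.
-def api
-Conjur::API.new_from_key login, api_key, account: account
-end
-
-# Rotate this role's API key. You must have `update` permission on the user to do so.
-#
-# @note You will not be able to access the API key returned by this method later, so you should
-# probably hang onto it it.
-#
-# @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`.
-#
-# @note This feature requires a Conjur appliance running version 4.6 or higher.
-#
-# @return [String] the new API key for this user.
-def rotate_api_key
-if login == username
-raise 'You cannot rotate your own API key via this method. To do so, use `Conjur::API.rotate_api_key`'
-end
-
-url_for(:authn_rotate_api_key, credentials, account, id).put("").body
-end
-end
-end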
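--- a/data/lib/conjur/api/authenticators.rb
+++ b/data/lib/conjur/api/authenticators.rb
@@ -1,35 +0,0 @@
-# frozen_string_literal: true
-
-require 'conjur/webservice'
-
-module Conjur
-# API contains each of the methods for access the Conjur API endpoints
-#-- :reek:DataClump for authenticator identifier fields (name, id, account)
-class API
-# @!group Authenticators
-
-# List all configured authenticators
-def authenticator_list
-JSON.parse(url_for(:authenticators).get)
-end
-
-# Enables an authenticator in Conjur. The authenticator must be defined and
-# loaded in Conjur policy prior to enabling it.
-#
-# @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
-# @param [String] id the service ID of the authenticator to enable
-def authenticator_enable authenticator, id, account: Conjur.configuration.account
-url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
-end
-
-# Disables an authenticator in Conjur.
-#
-# @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
-# @param [String] id the service ID of the authenticator to disable
-def authenticator_disable authenticator, id, account: Conjur.configuration.account
-url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
-end
-
-# @!endgroup
-end
-end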
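--- a/data/lib/conjur/api/authn.rb
+++ b/data/lib/conjur/api/authn.rb
@@ -1,125 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/user'
-
-module Conjur
-class API
-class << self
-#@!group Authentication
-
-# Exchanges a username and a password for an api key. The api key
-# is preferable for storage and use in code, as it can be rotated and has far greater entropy than
-# a user memorizable password.
-#
-# * Note that this method works only for {Conjur::User}s. While
-# {Conjur::Host}s are roles, they do not have passwords.
-# * If you pass an api key to this method instead of a password, it will verify and return the API key.
-# * This method uses HTTP Basic Authentication to send the credentials.
-#
-# @example
-# bob_api_key = Conjur::API.login('bob', 'bob_password')
-# bob_api_key == Conjur::API.login('bob', bob_api_key) # => true
-#
-# @param [String] username The `username` or `login` for the
-# {http://developer.conjur.net/reference/services/directory/user Conjur User}.
-# @param [String] password The `password` or `api key` to authenticate with.
-# @param [String] account The organization account.
-# @return [String] the API key.
-def login username, password, account: Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Logging in #{username} to account #{account} via Basic authentication\n"
-end
-url_for(:authn_login, account, username, password).get
-end
-
-# Exchanges Conjur the API key (refresh token) for an access token. The access token can
-# then be used to authenticate further API calls.
-#
-# @param [String] username The username or host id for which we want a token
-# @param [String] api_key The api key
-# @param [String] account The organization account.
-# @return [String] A JSON formatted authentication token.
-def authenticate username, api_key, account: Conjur.configuration.account
-account ||= Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Authenticating #{username} to account #{account}\n"
-end
-JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
-end
-
-# Obtains an access token from the +authn_local+ service. The access token can
-# then be used to authenticate further API calls.
-#
-# @param [String] username The username or host id for which we want a token
-# @param [String] account The organization account.
-# @return [String] A JSON formatted authentication token.
-def authenticate_local username, account: Conjur.configuration.account, expiration: nil, cidr: nil
-account ||= Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Authenticating #{username} to account #{account} using authn_local\n"
-end
-
-require 'json'
-require 'socket'
-message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
-JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
-end
-
-# Change a user's password. To do this, you must have the user's current password. This does not change or rotate
-# api keys. However, you *can* use the user's api key as the *current* password, if the user was not created
-# with a password.
-#
-# @param [String] username the name of the user whose password we want to change.
-# @param [String] password the user's *current* password *or* api key.
-# @param [String] new_password the new password for the user.
-# @param [String] account The organization account.
-# @return [void]
-def update_password username, password, new_password, account: Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Updating password for #{username} in account #{account}\n"
-end
-url_for(:authn_update_password, account, username, password).put new_password
-end
-
-#@!endgroup
-
-#@!group Password and API key management
-
-# Rotate the currently authenticated user or host API key by generating and returning a new one.
-# The old API key is no longer valid after calling this method. You must have the current
-# API key or password to perform this operation. This method *does not* affect a user's password.
-#
-# @param [String] username the name of the user or host whose API key we want to change
-# @param [String] password the user's current api key
-# @param [String] account The organization account.
-# @return [String] the new API key
-def rotate_api_key username, password, account: Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Rotating API key for self (#{username} in account #{account})\n"
-end
-
-url_for(:authn_rotate_own_api_key, account, username, password).put('').body
-end
-
-#@!endgroup
-end
-end
-end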
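--- a/data/lib/conjur/api/host_factories.rb
+++ b/data/lib/conjur/api/host_factories.rb
@@ -1,71 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2013-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'conjur/host_factory'
-
-module Conjur
-class API
-#@!group Host Factory
-
-class << self
-# Use a host factory token to create a new host. Unlike most other methods, this
-# method does not require a Conjur access token. The host factory token is the
-# authentication and authorization to create the host.
-#
-# The token must be valid. The host id can be a new host, or an existing host.
-# If the host already exists, the server verifies that its layer memberships
-# match the host factory exactly. Then, its API key is rotated and returned with
-# the response.
-#
-# @param [String] token the host factory token.
-# @param [String] id the id of a new or existing host.
-# @param options [Hash] additional host creation options.
-# @return [Host]
-def host_factory_create_host token, id, options = {}
-token = token.token if token.is_a?(HostFactoryToken)
-response = url_for(:host_factory_create_host, token)
-.post(options.merge(id: id)).body
-
-attributes = JSON.parse(response)
-# in v4 'id' is just the identifier
-host_id = attributes['roleid'] || attributes['id']
-
-Host.new(host_id, {}).tap do |host|
-host.attributes = attributes
-end
-end
-
-# Revokes a host factory token. After revocation, the token can no longer be used to
-# create hosts.
-#
-# @param [Hash] credentials authentication credentials of the current user.
-# @param [String] token the host factory token.
-def revoke_host_factory_token credentials, token
-url_for(:host_factory_revoke_token, credentials, token).delete
-end
-end
-
-# Revokes a host factory token. After revocation, the token can no longer be used to
-# create hosts.
-#
-# @param [String] token the host factory token.
-def revoke_host_factory_token token
-self.class.revoke_host_factory_token credentials, token
-end
-
-#@!endgroup
-end
-end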
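--- a/data/lib/conjur/api/ldap_sync.rb
+++ b/data/lib/conjur/api/ldap_sync.rb
@@ -1,38 +0,0 @@
-#
-# Copyright 2013-2018 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-module Conjur
-class API
-
-# Retrieve the policy for the given LDAP sync
-# configuration. Configurations created through the Conjur UI are
-# named +default+, so the default value of +config_name+ can be
-# used.
-#
-# For details on the use of LDAP sync, see
-# https://developer.conjur.net/reference/services/ldap_sync/ .
-#
-# @param [String] config_name the name of the LDAP sync configuration.
-def ldap_sync_policy config_name: 'default'
-JSON.parse(url_for(:ldap_sync_policy, credentials, config_name).get)
-end
-end
-end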
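--- a/data/lib/conjur/api/policies.rb
+++ b/data/lib/conjur/api/policies.rb
@@ -1,56 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/policy_load_result'
-require 'conjur/policy'
-
-module Conjur
-class API
-#@!group Policy management
-
-# Append only.
-POLICY_METHOD_POST = :post
-# Allow explicit deletion statements, but don't delete implicitly delete data.
-POLICY_METHOD_PATCH = :patch
-# Replace the policy entirely, deleting any existing data that is not declared in the new policy.
-POLICY_METHOD_PUT = :put
-
-# Load a policy document into the server.
-#
-# The modes are support for policy loading:
-#
-# * POLICY_METHOD_POST Policy data will be added to the named policy. Deletions are not allowed.
-# * POLICY_METHOD_PATCH Policy data can be added to or deleted from the named policy. Deletions
-# are performed by an explicit `!delete` statement.
-# * POLICY_METHOD_PUT The policy completely replaces the name policy. Policy data which is present
-# in the server, but not present in the new policy definition, is deleted.
-#
-# @param id [String] id of the policy to load.
-# @param policy [String] YAML-formatted policy definition.
-# @param account [String] Conjur organization account
-# @param method [Symbol] Policy load method to use: {POLICY_METHOD_POST} (default), {POLICY_METHOD_PATCH}, or {POLICY_METHOD_PUT}.
-def load_policy id, policy, account: Conjur.configuration.account, method: POLICY_METHOD_POST
-request = url_for(:policies_load_policy, credentials, account, id)
-PolicyLoadResult.new JSON.parse(request.send(method, policy))
-end
-
-#@!endgroup
-end
-end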
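--- a/data/lib/conjur/api/pubkeys.rb
+++ b/data/lib/conjur/api/pubkeys.rb
@@ -1,53 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-module Conjur
-
-class API
-class << self
-# @!group Public Keys
-
-# Fetch *all* public keys for the user. This method returns a newline delimited
-# String for compatibility with the authorized_keys SSH format.
-#
-#
-# If the given user does not exist, an empty String will be returned. This is to prevent attackers from determining whether
-# a user exists.
-#
-# ## Permissions
-# You do not need any special permissions to call this method, since public keys are, well, public.
-#
-#
-# @example
-# puts api.public_keys('jon')
-# # ssh-rsa [big long string] jon@albert
-# # ssh-rsa [big long string] jon@conjurops
-#
-# @param [String] username the *unqualified* Conjur username
-# @return [String] newline delimited public keys
-def public_keys username, account: Conjur.configuration.account
-url_for(:public_keys_for_user, account, username).get
-end
-
-#@!endgroup
-end
-end
-end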
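--- a/data/lib/conjur/api/resources.rb
+++ b/data/lib/conjur/api/resources.rb
@@ -1,109 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2013-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'conjur/resource'
-
-module Conjur
-class API
-include QueryString
-include BuildObject
-
-#@!group Resources
-
-# Find a resource by its id.
-# @note The id given to this method must be fully qualified.
-#
-# ### Permissions
-#
-# The resource **must** be visible to the current role. This is the case if the current role is the owner of
-# the resource, or has any privilege on it.
-#
-# @param id [String] a fully qualified resource identifier
-# @return [Conjur::Resource] the resource, which may or may not exist
-def resource id
-build_object id
-end
-
-# Find all resources visible to the current role that match the given search criteria.
-#
-# ## Full Text Search
-# Conjur supports full text search over the identifiers and annotation *values*
-# of resources. For example, if `opts[:search]` is `"pubkeys"`, any resource with
-# an id containing `"pubkeys"` or an annotation whose value contains `"pubkeys"` will match.
-#
-# **Notes**
-# * Annotation *keys* are *not* indexed for full text search.
-# * Conjur indexes the content of ids and annotation values by word.
-# * Only resources visible to the current role (either owned by that role or
-# having a privilege on it) are returned.
-# * If you do not provide `:offset` or `:limit`, all records will be returned. For systems
-# with a huge number of resources, you may want to paginate as shown in the example below.
-# * If `:offset` is provided and `:limit` is not, 10 records starting at `:offset` will be
-# returned. You may choose an arbitrarily large number for `:limit`, but the same performance
-# considerations apply as when omitting `:offset` and `:limit`.
-#
-# @example Search for resources annotated with the text "WebService Route"
-# webservice_routes = api.resources search: "WebService Route"
-#
-# @example Restrict the search to 'group' resources
-# groups = api.resources kind: 'group'
-#
-# # Correct behavior:
-# expect(groups.all?{|g| g.kind == 'group'}).to be_true
-#
-# @example Get every single resource in a performant way
-# resources = []
-# limit = 25
-# offset = 0
-# until (batch = api.resources limit: limit, offset: offset).empty?
-# offset += batch.length
-# resources.concat results
-# end
-# # do something with your resources
-#
-# @param options [Hash] search criteria
-# @option options [String] :search find resources whose ids or annotations contain this string
-# @option options [String] :kind find resources whose `kind` matches this string
-# @option options [Integer] :limit the maximum number of records to return (Conjur may return fewer)
-# @option options [Integer] :offset offset of the first record to return
-# @option options [Boolean] :count return a count of records instead of the records themselves when set to true
-# @return [Array<Conjur::Resource>] the resources matching the criteria given
-def resources options = {}
-options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
-options[:account] ||= Conjur.configuration.account
-
-host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
-fail ArgumentError, "host and account are required" unless [host, account].all?
-%w(host credentials account kind).each do |name|
-options.delete(name.to_sym)
-end
-
-result = JSON.parse(url_for(:resources, credentials, account, kind, options).get)
-
-result = result['count'] if result.is_a?(Hash)
-
-if result.is_a?(Numeric)
-result
-else
-result.map do |result|
-resource(result['id']).tap do |r|
-r.attributes = result
-end
-end
-end
-end
-end
-end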
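--- a/data/lib/conjur/api/roles.rb
+++ b/data/lib/conjur/api/roles.rb
@@ -1,98 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/role'
-
-module Conjur
-class API
-include BuildObject
-
-#@!group Roles
-
-# Return a {Conjur::Role} representing a role with the given id. Note that the {Conjur::Role} may or
-# may not exist (see {Conjur::Exists#exists?}).
-#
-# ### Permissions
-#
-# Because this method returns roles that may or may not exist, it doesn't require any permissions to call it:
-# in fact, it does not perform an HTTP request (except for authentication if necessary).
-#
-# @example Create and show a role
-# iggy = api.role 'cat:iggy'
-# iggy.exists? # true
-# iggy.members.map(&:member).map(&:id) # => ['conjur:user:admin']
-# api.current_role.id # => 'conjur:user:admin' # creator role is a member of created role.
-#
-# @example No permissions are required to call this method
-# api.current_role # => "user:no-access"
-#
-# # current role is only a member of itself, so it can't see other roles.
-# api.current_role.memberships.count # => 1
-# admin = api.role 'user:admin' # OK
-# admin.exists? # => true
-# admin.members # => RestClient::Forbidden: 403 Forbidden
-#
-# @param id [String] a fully qualified role identifier
-# @return [Conjur::Role] an object representing the role
-def role id
-build_object id, default_class: Role
-end
-
-# Return a {Conjur::Role} object representing the role (typically a user or host) that this API instance is authenticated
-# as. This is derived either from the `login` argument to {Conjur::API.new_from_key} or from the contents of the
-# `token` given to {Conjur::API.new_from_token} or {Conjur::API.new_from_token_file}.
-#
-# @example Current role for a user
-# api = Conjur::API.new_from_key 'jon', 'somepassword'
-# api.current_role.id # => 'conjur:user:jon'
-#
-# @example Current role for a host
-# host = api.create_host id: 'exapmle-host'
-#
-# # Host and User have an `api` method that returns an api with their credentials. Note
-# # that this only works with a newly created host or user, which has an `api_key` attribute.
-# host.api.current_role.id # => 'conjur:host:example-host'
-#
-# @param [String] account the organization account
-# @return [Conjur::Role] the authenticated role for this API instance
-def current_role account
-self.class.role_from_username self, username, account
-end
-
-#@!endgroup
-
-class << self
-# @api private
-def role_from_username api, username, account
-api.role role_name_from_username(username, account)
-end
-
-# @api private
-def role_name_from_username username, account
-tokens = username.split('/')
-if tokens.size == 1
-[ account, 'user', username ].join(':')
-else
-[ account, tokens[0], tokens[1..-1].join('/') ].join(':')
-end
-end
-end
-end
-end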