conjur-api 5.3.7.pre.168 → 5.3.8.pre.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- metadata +21 -190
- data/.codeclimate.yml +0 -10
- data/.dockerignore +0 -1
- data/.github/CODEOWNERS +0 -10
- data/.gitignore +0 -32
- data/.gitleaks.toml +0 -219
- data/.overcommit.yml +0 -16
- data/.project +0 -18
- data/.rubocop.yml +0 -3
- data/.rubocop_settings.yml +0 -86
- data/.rubocop_todo.yml +0 -709
- data/.yardopts +0 -1
- data/CHANGELOG.md +0 -433
- data/CONTRIBUTING.md +0 -141
- data/Dockerfile +0 -16
- data/Gemfile +0 -7
- data/Jenkinsfile +0 -167
- data/LICENSE +0 -202
- data/README.md +0 -162
- data/Rakefile +0 -47
- data/SECURITY.md +0 -42
- data/bin/parse-changelog.sh +0 -12
- data/ci/configure_v4.sh +0 -12
- data/ci/configure_v5.sh +0 -14
- data/ci/submit-coverage +0 -36
- data/conjur-api.gemspec +0 -40
- data/dev/Dockerfile.dev +0 -12
- data/dev/docker-compose.yml +0 -56
- data/dev/start +0 -17
- data/dev/stop +0 -5
- data/docker-compose.yml +0 -76
- data/example/demo_v4.rb +0 -49
- data/example/demo_v5.rb +0 -57
- data/features/authenticators.feature +0 -33
- data/features/authn_local.feature +0 -32
- data/features/exists.feature +0 -37
- data/features/group.feature +0 -11
- data/features/host.feature +0 -50
- data/features/host_factory_create_host.feature +0 -28
- data/features/host_factory_token.feature +0 -63
- data/features/load_policy.feature +0 -61
- data/features/members.feature +0 -51
- data/features/new_api.feature +0 -36
- data/features/permitted.feature +0 -70
- data/features/permitted_roles.feature +0 -30
- data/features/public_keys.feature +0 -11
- data/features/resource_fields.feature +0 -53
- data/features/role_fields.feature +0 -15
- data/features/rotate_api_key.feature +0 -13
- data/features/step_definitions/api_steps.rb +0 -18
- data/features/step_definitions/policy_steps.rb +0 -75
- data/features/step_definitions/result_steps.rb +0 -7
- data/features/support/env.rb +0 -18
- data/features/support/hooks.rb +0 -3
- data/features/support/world.rb +0 -12
- data/features/update_password.feature +0 -14
- data/features/user.feature +0 -58
- data/features/variable_fields.feature +0 -20
- data/features/variable_value.feature +0 -60
- data/features_v4/authn_local.feature +0 -27
- data/features_v4/exists.feature +0 -29
- data/features_v4/host.feature +0 -18
- data/features_v4/host_factory_token.feature +0 -49
- data/features_v4/members.feature +0 -39
- data/features_v4/permitted.feature +0 -15
- data/features_v4/permitted_roles.feature +0 -8
- data/features_v4/resource_fields.feature +0 -47
- data/features_v4/rotate_api_key.feature +0 -13
- data/features_v4/step_definitions/api_steps.rb +0 -17
- data/features_v4/step_definitions/result_steps.rb +0 -3
- data/features_v4/support/env.rb +0 -23
- data/features_v4/support/policy.yml +0 -34
- data/features_v4/support/world.rb +0 -12
- data/features_v4/variable_fields.feature +0 -11
- data/features_v4/variable_value.feature +0 -54
- data/lib/conjur/acts_as_resource.rb +0 -123
- data/lib/conjur/acts_as_role.rb +0 -142
- data/lib/conjur/acts_as_rolsource.rb +0 -32
- data/lib/conjur/acts_as_user.rb +0 -68
- data/lib/conjur/api/authenticators.rb +0 -35
- data/lib/conjur/api/authn.rb +0 -125
- data/lib/conjur/api/host_factories.rb +0 -71
- data/lib/conjur/api/ldap_sync.rb +0 -38
- data/lib/conjur/api/policies.rb +0 -56
- data/lib/conjur/api/pubkeys.rb +0 -53
- data/lib/conjur/api/resources.rb +0 -109
- data/lib/conjur/api/roles.rb +0 -98
- data/lib/conjur/api/router/v4.rb +0 -206
- data/lib/conjur/api/router/v5.rb +0 -248
- data/lib/conjur/api/variables.rb +0 -59
- data/lib/conjur/api.rb +0 -105
- data/lib/conjur/base.rb +0 -355
- data/lib/conjur/base_object.rb +0 -57
- data/lib/conjur/build_object.rb +0 -47
- data/lib/conjur/cache.rb +0 -26
- data/lib/conjur/cert_utils.rb +0 -63
- data/lib/conjur/cidr.rb +0 -71
- data/lib/conjur/configuration.rb +0 -460
- data/lib/conjur/escape.rb +0 -129
- data/lib/conjur/exceptions.rb +0 -4
- data/lib/conjur/group.rb +0 -41
- data/lib/conjur/has_attributes.rb +0 -98
- data/lib/conjur/host.rb +0 -27
- data/lib/conjur/host_factory.rb +0 -75
- data/lib/conjur/host_factory_token.rb +0 -78
- data/lib/conjur/id.rb +0 -71
- data/lib/conjur/layer.rb +0 -9
- data/lib/conjur/log.rb +0 -72
- data/lib/conjur/log_source.rb +0 -60
- data/lib/conjur/policy.rb +0 -34
- data/lib/conjur/policy_load_result.rb +0 -61
- data/lib/conjur/query_string.rb +0 -12
- data/lib/conjur/resource.rb +0 -29
- data/lib/conjur/role.rb +0 -29
- data/lib/conjur/role_grant.rb +0 -85
- data/lib/conjur/routing.rb +0 -29
- data/lib/conjur/user.rb +0 -40
- data/lib/conjur/variable.rb +0 -208
- data/lib/conjur/webservice.rb +0 -30
- data/lib/conjur-api/version.rb +0 -24
- data/lib/conjur-api.rb +0 -2
- data/publish.sh +0 -7
- data/spec/api/host_factories_spec.rb +0 -34
- data/spec/api_spec.rb +0 -254
- data/spec/base_object_spec.rb +0 -13
- data/spec/cert_utils_spec.rb +0 -173
- data/spec/cidr_spec.rb +0 -34
- data/spec/configuration_spec.rb +0 -330
- data/spec/has_attributes_spec.rb +0 -63
- data/spec/helpers/errors_matcher.rb +0 -34
- data/spec/helpers/request_helpers.rb +0 -10
- data/spec/id_spec.rb +0 -29
- data/spec/ldap_sync_spec.rb +0 -21
- data/spec/log_source_spec.rb +0 -13
- data/spec/log_spec.rb +0 -42
- data/spec/roles_spec.rb +0 -24
- data/spec/spec_helper.rb +0 -113
- data/spec/ssl_spec.rb +0 -109
- data/spec/uri_escape_spec.rb +0 -21
- data/test.sh +0 -69
- data/tmp/.keep +0 -0
data/lib/conjur/api/router/v4.rb
DELETED
@@ -1,206 +0,0 @@
|
|
1
|
-
module Conjur
|
2
|
-
class API
|
3
|
-
module Router
|
4
|
-
module V4
|
5
|
-
extend Conjur::Escape::ClassMethods
|
6
|
-
extend Conjur::QueryString
|
7
|
-
extend self
|
8
|
-
|
9
|
-
def authn_login account, username, password
|
10
|
-
verify_account(account)
|
11
|
-
RestClient::Resource.new(
|
12
|
-
Conjur.configuration.authn_url,
|
13
|
-
Conjur.configuration.create_rest_client_options(
|
14
|
-
user: username,
|
15
|
-
password: password
|
16
|
-
)
|
17
|
-
)['users/login']
|
18
|
-
end
|
19
|
-
|
20
|
-
def authn_authenticate account, username
|
21
|
-
verify_account(account)
|
22
|
-
RestClient::Resource.new(
|
23
|
-
Conjur.configuration.authn_url,
|
24
|
-
Conjur.configuration.rest_client_options
|
25
|
-
)['users'][fully_escape username]['authenticate']
|
26
|
-
end
|
27
|
-
|
28
|
-
# For v4, the authn-local message is the username.
|
29
|
-
def authn_authenticate_local username, account, expiration, cidr, &block
|
30
|
-
verify_account(account)
|
31
|
-
|
32
|
-
raise "'expiration' is not supported for authn-local v4" if expiration
|
33
|
-
raise "'cidr' is not supported for authn-local v4" if cidr
|
34
|
-
|
35
|
-
username
|
36
|
-
end
|
37
|
-
|
38
|
-
def authn_rotate_api_key credentials, account, id
|
39
|
-
verify_account(account)
|
40
|
-
username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
|
41
|
-
RestClient::Resource.new(
|
42
|
-
Conjur.configuration.authn_url,
|
43
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
44
|
-
)['users']["api_key?id=#{username}"]
|
45
|
-
end
|
46
|
-
|
47
|
-
def authn_rotate_own_api_key account, username, password
|
48
|
-
verify_account(account)
|
49
|
-
RestClient::Resource.new(
|
50
|
-
Conjur.configuration.authn_url,
|
51
|
-
Conjur.configuration.create_rest_client_options(user: username, password: password)
|
52
|
-
)['users']["api_key"]
|
53
|
-
end
|
54
|
-
|
55
|
-
def host_factory_create_host token
|
56
|
-
http_options = {
|
57
|
-
headers: { authorization: %Q(Token token="#{token}") }
|
58
|
-
}
|
59
|
-
RestClient::Resource.new(
|
60
|
-
Conjur.configuration.core_url,
|
61
|
-
Conjur.configuration.create_rest_client_options(http_options)
|
62
|
-
)['host_factories']['hosts']
|
63
|
-
end
|
64
|
-
|
65
|
-
def host_factory_create_tokens credentials, id
|
66
|
-
RestClient::Resource.new(
|
67
|
-
Conjur.configuration.core_url,
|
68
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
69
|
-
)['host_factories'][id.identifier]['tokens']
|
70
|
-
end
|
71
|
-
|
72
|
-
def host_factory_revoke_token credentials, token
|
73
|
-
RestClient::Resource.new(
|
74
|
-
Conjur.configuration.core_url,
|
75
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
76
|
-
)['host_factories']['tokens'][token]
|
77
|
-
end
|
78
|
-
|
79
|
-
def resources_resource credentials, id
|
80
|
-
|
81
|
-
RestClient::Resource.new(
|
82
|
-
Conjur.configuration.core_url,
|
83
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
84
|
-
)['authz'][id.account]['resources'][id.kind][id.identifier]
|
85
|
-
end
|
86
|
-
|
87
|
-
def resources_check credentials, id, privilege, role
|
88
|
-
options = {}
|
89
|
-
options[:check] = true
|
90
|
-
options[:privilege] = privilege
|
91
|
-
if role
|
92
|
-
options[:resource_id] = id
|
93
|
-
roles_role(credentials, Id.new(role))[options_querystring options].get
|
94
|
-
else
|
95
|
-
resources_resource(credentials, id)[options_querystring options].get
|
96
|
-
end
|
97
|
-
end
|
98
|
-
|
99
|
-
def resources_permitted_roles credentials, id, privilege
|
100
|
-
RestClient::Resource.new(
|
101
|
-
Conjur.configuration.core_url,
|
102
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
103
|
-
)['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
|
104
|
-
end
|
105
|
-
|
106
|
-
def roles_role credentials, id
|
107
|
-
RestClient::Resource.new(
|
108
|
-
Conjur.configuration.core_url,
|
109
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
110
|
-
)['authz'][id.account]['roles'][id.kind][id.identifier]
|
111
|
-
end
|
112
|
-
|
113
|
-
def secrets_add credentials, id
|
114
|
-
verify_account(id.account)
|
115
|
-
RestClient::Resource.new(
|
116
|
-
Conjur.configuration.core_url,
|
117
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
118
|
-
)['variables'][fully_escape id.identifier]['values']
|
119
|
-
end
|
120
|
-
|
121
|
-
def variable credentials, id
|
122
|
-
verify_account(id.account)
|
123
|
-
RestClient::Resource.new(
|
124
|
-
Conjur.configuration.core_url,
|
125
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
126
|
-
)['variables'][fully_escape id.identifier]
|
127
|
-
end
|
128
|
-
|
129
|
-
def secrets_value credentials, id, options
|
130
|
-
RestClient::Resource.new(
|
131
|
-
Conjur.configuration.core_url,
|
132
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
133
|
-
)['variables'][fully_escape id.identifier]['value'][options_querystring options]
|
134
|
-
end
|
135
|
-
|
136
|
-
def secrets_values credentials, variable_ids
|
137
|
-
options = {
|
138
|
-
vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
|
139
|
-
}
|
140
|
-
RestClient::Resource.new(
|
141
|
-
Conjur.configuration.core_url,
|
142
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
143
|
-
)['variables']['values'][options_querystring options]
|
144
|
-
end
|
145
|
-
|
146
|
-
def group_attributes credentials, resource, id
|
147
|
-
verify_account(id.account)
|
148
|
-
JSON.parse(
|
149
|
-
RestClient::Resource.new(
|
150
|
-
Conjur.configuration.core_url,
|
151
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
152
|
-
)['groups'][fully_escape id.identifier].get
|
153
|
-
)
|
154
|
-
end
|
155
|
-
|
156
|
-
def variable_attributes credentials, resource, id
|
157
|
-
verify_account(id.account)
|
158
|
-
JSON.parse(
|
159
|
-
RestClient::Resource.new(
|
160
|
-
Conjur.configuration.core_url,
|
161
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
162
|
-
)['variables'][fully_escape id.identifier].get
|
163
|
-
)
|
164
|
-
end
|
165
|
-
|
166
|
-
def user_attributes credentials, resource, id
|
167
|
-
verify_account(id.account)
|
168
|
-
JSON.parse(
|
169
|
-
RestClient::Resource.new(
|
170
|
-
Conjur.configuration.core_url,
|
171
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
172
|
-
)['users'][fully_escape id.identifier].get
|
173
|
-
)
|
174
|
-
end
|
175
|
-
|
176
|
-
def parse_group_gidnumber attributes
|
177
|
-
attributes['gidnumber']
|
178
|
-
end
|
179
|
-
|
180
|
-
def parse_user_uidnumber attributes
|
181
|
-
attributes['uidnumber']
|
182
|
-
end
|
183
|
-
|
184
|
-
def parse_variable_kind attributes
|
185
|
-
attributes['kind']
|
186
|
-
end
|
187
|
-
|
188
|
-
def parse_variable_mime_type attributes
|
189
|
-
attributes['mime_type']
|
190
|
-
end
|
191
|
-
|
192
|
-
def parse_members credentials, result
|
193
|
-
result.collect do |json|
|
194
|
-
RoleGrant.parse_from_json(json, credentials)
|
195
|
-
end
|
196
|
-
end
|
197
|
-
|
198
|
-
protected
|
199
|
-
|
200
|
-
def verify_account account
|
201
|
-
raise "Expecting account to be #{Conjur.configuration.account.inspect}, got #{account.inspect}" unless Conjur.configuration.account == account
|
202
|
-
end
|
203
|
-
end
|
204
|
-
end
|
205
|
-
end
|
206
|
-
end
|
data/lib/conjur/api/router/v5.rb
DELETED
@@ -1,248 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
# Copyright 2017-2018 CyberArk Ltd.
|
4
|
-
#
|
5
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
-
# you may not use this file except in compliance with the License.
|
7
|
-
# You may obtain a copy of the License at
|
8
|
-
#
|
9
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
-
#
|
11
|
-
# Unless required by applicable law or agreed to in writing, software
|
12
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
-
# See the License for the specific language governing permissions and
|
15
|
-
# limitations under the License.
|
16
|
-
|
17
|
-
# rubocop:disable Metrics/ModuleLength
|
18
|
-
module Conjur
|
19
|
-
class API
|
20
|
-
module Router
|
21
|
-
# V5 translates method arguments to rest-ful API request parameters.
|
22
|
-
# because of this, most of the methods suffer from :reek:LongParameterList:
|
23
|
-
# and :reek:UtilityFunction:
|
24
|
-
module V5
|
25
|
-
extend Conjur::Escape::ClassMethods
|
26
|
-
extend Conjur::QueryString
|
27
|
-
extend self
|
28
|
-
|
29
|
-
def authn_login account, username, password
|
30
|
-
RestClient::Resource.new(
|
31
|
-
Conjur.configuration.authn_url,
|
32
|
-
Conjur.configuration.create_rest_client_options(
|
33
|
-
user: username,
|
34
|
-
password: password
|
35
|
-
)
|
36
|
-
)[fully_escape account]['login']
|
37
|
-
end
|
38
|
-
|
39
|
-
def authn_authenticate account, username
|
40
|
-
RestClient::Resource.new(
|
41
|
-
Conjur.configuration.authn_url,
|
42
|
-
Conjur.configuration.rest_client_options
|
43
|
-
)[fully_escape account][fully_escape username]['authenticate']
|
44
|
-
end
|
45
|
-
|
46
|
-
def authenticator account, authenticator, service_id, credentials
|
47
|
-
RestClient::Resource.new(
|
48
|
-
Conjur.configuration.core_url,
|
49
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
50
|
-
)[fully_escape authenticator][fully_escape service_id][fully_escape account]
|
51
|
-
end
|
52
|
-
|
53
|
-
def authenticators
|
54
|
-
RestClient::Resource.new(
|
55
|
-
Conjur.configuration.core_url,
|
56
|
-
Conjur.configuration.rest_client_options
|
57
|
-
)['authenticators']
|
58
|
-
end
|
59
|
-
|
60
|
-
# For v5, the authn-local message is a JSON string with account, sub, and optional fields.
|
61
|
-
def authn_authenticate_local username, account, expiration, cidr, &block
|
62
|
-
{ account: account, sub: username }.tap do |params|
|
63
|
-
params[:exp] = expiration if expiration
|
64
|
-
params[:cidr] = cidr if cidr
|
65
|
-
end.to_json
|
66
|
-
end
|
67
|
-
|
68
|
-
def authn_update_password account, username, password
|
69
|
-
RestClient::Resource.new(
|
70
|
-
Conjur.configuration.authn_url,
|
71
|
-
Conjur.configuration.create_rest_client_options(
|
72
|
-
user: username,
|
73
|
-
password: password
|
74
|
-
)
|
75
|
-
)[fully_escape account]['password']
|
76
|
-
end
|
77
|
-
|
78
|
-
def authn_rotate_api_key credentials, account, id
|
79
|
-
RestClient::Resource.new(
|
80
|
-
Conjur.configuration.core_url,
|
81
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
82
|
-
)['authn'][fully_escape account]["api_key?role=#{id}"]
|
83
|
-
end
|
84
|
-
|
85
|
-
def authn_rotate_own_api_key account, username, password
|
86
|
-
RestClient::Resource.new(
|
87
|
-
Conjur.configuration.authn_url,
|
88
|
-
Conjur.configuration.create_rest_client_options(
|
89
|
-
user: username,
|
90
|
-
password: password
|
91
|
-
)
|
92
|
-
)[fully_escape account]['api_key']
|
93
|
-
end
|
94
|
-
|
95
|
-
def host_factory_create_host token
|
96
|
-
http_options = {
|
97
|
-
headers: { authorization: %Q(Token token="#{token}") }
|
98
|
-
}
|
99
|
-
RestClient::Resource.new(
|
100
|
-
Conjur.configuration.core_url,
|
101
|
-
Conjur.configuration.create_rest_client_options(http_options)
|
102
|
-
)["host_factories"]["hosts"]
|
103
|
-
end
|
104
|
-
|
105
|
-
def host_factory_create_tokens credentials, id
|
106
|
-
RestClient::Resource.new(
|
107
|
-
Conjur.configuration.core_url,
|
108
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
109
|
-
)['host_factory_tokens']
|
110
|
-
end
|
111
|
-
|
112
|
-
def host_factory_revoke_token credentials, token
|
113
|
-
RestClient::Resource.new(
|
114
|
-
Conjur.configuration.core_url,
|
115
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
116
|
-
)['host_factory_tokens'][token]
|
117
|
-
end
|
118
|
-
|
119
|
-
def policies_load_policy credentials, account, id
|
120
|
-
RestClient::Resource.new(
|
121
|
-
Conjur.configuration.core_url,
|
122
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
123
|
-
)['policies'][fully_escape account]['policy'][fully_escape id]
|
124
|
-
end
|
125
|
-
|
126
|
-
def public_keys_for_user account, username
|
127
|
-
RestClient::Resource.new(
|
128
|
-
Conjur.configuration.core_url,
|
129
|
-
Conjur.configuration.rest_client_options
|
130
|
-
)['public_keys'][fully_escape account]['user'][fully_escape username]
|
131
|
-
end
|
132
|
-
|
133
|
-
def resources credentials, account, kind, options
|
134
|
-
credentials ||= {}
|
135
|
-
|
136
|
-
path = "/resources/#{fully_escape account}"
|
137
|
-
path += "/#{fully_escape kind}" if kind
|
138
|
-
|
139
|
-
RestClient::Resource.new(
|
140
|
-
Conjur.configuration.core_url,
|
141
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
142
|
-
)[path][options_querystring options]
|
143
|
-
end
|
144
|
-
|
145
|
-
def resources_resource credentials, id
|
146
|
-
RestClient::Resource.new(
|
147
|
-
Conjur.configuration.core_url,
|
148
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
149
|
-
)['resources'][id.to_url_path]
|
150
|
-
end
|
151
|
-
|
152
|
-
def resources_permitted_roles credentials, id, privilege
|
153
|
-
options = {}
|
154
|
-
options[:permitted_roles] = true
|
155
|
-
options[:privilege] = privilege
|
156
|
-
resources_resource(credentials, id)[options_querystring options]
|
157
|
-
end
|
158
|
-
|
159
|
-
def resources_check credentials, id, privilege, role
|
160
|
-
options = {}
|
161
|
-
options[:check] = true
|
162
|
-
options[:privilege] = privilege
|
163
|
-
options[:role] = query_escape(Id.new(role)) if role
|
164
|
-
resources_resource(credentials, id)[options_querystring options].get
|
165
|
-
end
|
166
|
-
|
167
|
-
def roles_role credentials, id
|
168
|
-
RestClient::Resource.new(
|
169
|
-
Conjur.configuration.core_url,
|
170
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
171
|
-
)['roles'][id.to_url_path]
|
172
|
-
end
|
173
|
-
|
174
|
-
def secrets_add credentials, id
|
175
|
-
RestClient::Resource.new(
|
176
|
-
Conjur.configuration.core_url,
|
177
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
178
|
-
)['secrets'][id.to_url_path]
|
179
|
-
end
|
180
|
-
|
181
|
-
def secrets_value credentials, id, options
|
182
|
-
RestClient::Resource.new(
|
183
|
-
Conjur.configuration.core_url,
|
184
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
185
|
-
)['secrets'][id.to_url_path][options_querystring options]
|
186
|
-
end
|
187
|
-
|
188
|
-
def secrets_values credentials, variable_ids
|
189
|
-
options = {
|
190
|
-
variable_ids: Array(variable_ids).join(',')
|
191
|
-
}
|
192
|
-
RestClient::Resource.new(
|
193
|
-
Conjur.configuration.core_url,
|
194
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
195
|
-
)['secrets'][options_querystring(options).gsub("%2C", ',')]
|
196
|
-
end
|
197
|
-
|
198
|
-
def group_attributes credentials, resource, id
|
199
|
-
resource_annotations resource
|
200
|
-
end
|
201
|
-
|
202
|
-
def variable_attributes credentials, resource, id
|
203
|
-
resource_annotations resource
|
204
|
-
end
|
205
|
-
|
206
|
-
def user_attributes credentials, resource, id
|
207
|
-
resource_annotations resource
|
208
|
-
end
|
209
|
-
|
210
|
-
def parse_group_gidnumber attributes
|
211
|
-
HasAttributes.annotation_value attributes, 'conjur/gidnumber'
|
212
|
-
end
|
213
|
-
|
214
|
-
def parse_user_uidnumber attributes
|
215
|
-
HasAttributes.annotation_value attributes, 'conjur/uidnumber'
|
216
|
-
end
|
217
|
-
|
218
|
-
def parse_variable_kind attributes
|
219
|
-
HasAttributes.annotation_value attributes, 'conjur/kind'
|
220
|
-
end
|
221
|
-
|
222
|
-
def parse_variable_mime_type attributes
|
223
|
-
HasAttributes.annotation_value attributes, 'conjur/mime_type'
|
224
|
-
end
|
225
|
-
|
226
|
-
def parse_members credentials, result
|
227
|
-
result.map do |json|
|
228
|
-
RoleGrant.parse_from_json(json, credentials)
|
229
|
-
end
|
230
|
-
end
|
231
|
-
|
232
|
-
def ldap_sync_policy(credentials, config_name)
|
233
|
-
RestClient::Resource.new(
|
234
|
-
Conjur.configuration.core_url,
|
235
|
-
Conjur.configuration.create_rest_client_options(credentials)
|
236
|
-
)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
|
237
|
-
end
|
238
|
-
|
239
|
-
private
|
240
|
-
|
241
|
-
def resource_annotations resource
|
242
|
-
resource.attributes['annotations']
|
243
|
-
end
|
244
|
-
end
|
245
|
-
end
|
246
|
-
end
|
247
|
-
end
|
248
|
-
# rubocop:enable Metrics/ModuleLength
|
data/lib/conjur/api/variables.rb
DELETED
@@ -1,59 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
require 'conjur/variable'
|
22
|
-
|
23
|
-
module Conjur
|
24
|
-
class API
|
25
|
-
|
26
|
-
#@!group Variables
|
27
|
-
|
28
|
-
# Fetch the values of a list of variables. This operation is more efficient than fetching the
|
29
|
-
# values one by one.
|
30
|
-
#
|
31
|
-
# This method will fail unless:
|
32
|
-
# * All of the variables exist
|
33
|
-
# * You have permission to `'execute'` all of the variables
|
34
|
-
#
|
35
|
-
# @example Fetch multiple variable values
|
36
|
-
# values = variable_values ['myorg:variable:postgres_uri', 'myorg:variable:aws_secret_access_key', 'myorg:variable:aws_access_key_id']
|
37
|
-
# values # =>
|
38
|
-
# {
|
39
|
-
# "postgres://...",
|
40
|
-
# "the-secret-key",
|
41
|
-
# "the-access-key-id"
|
42
|
-
# }
|
43
|
-
#
|
44
|
-
# This method is used to implement the {http://developer.conjur.net/reference/tools/utilities/conjurenv `conjur env`}
|
45
|
-
# commands. You may consider using that instead to run your program in an environment with the necessary secrets.
|
46
|
-
#
|
47
|
-
# @param [Array<String>] variable_ids list of variable ids to fetch
|
48
|
-
# @return [Array<String>] a list of variable values corresponding to the variable ids.
|
49
|
-
# @raise [RestClient::Forbidden, RestClient::ResourceNotFound] if any of the variables don't exist or aren't accessible.
|
50
|
-
def variable_values variable_ids
|
51
|
-
raise ArgumentError, "Variables list must be an array" unless variable_ids.kind_of? Array
|
52
|
-
raise ArgumentError, "Variables list is empty" if variable_ids.empty?
|
53
|
-
|
54
|
-
JSON.parse(url_for(:secrets_values, credentials, variable_ids).get.body)
|
55
|
-
end
|
56
|
-
|
57
|
-
#@!endgroup
|
58
|
-
end
|
59
|
-
end
|
data/lib/conjur/api.rb
DELETED
@@ -1,105 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
require 'active_support'
|
22
|
-
require 'active_support/deprecation'
|
23
|
-
|
24
|
-
require 'conjur/configuration'
|
25
|
-
require 'conjur/routing'
|
26
|
-
require 'conjur/id'
|
27
|
-
require 'conjur/base'
|
28
|
-
require 'conjur/exceptions'
|
29
|
-
require 'conjur/build_object'
|
30
|
-
require 'conjur/base_object'
|
31
|
-
require 'conjur/acts_as_resource'
|
32
|
-
require 'conjur/acts_as_role'
|
33
|
-
require 'conjur/acts_as_rolsource'
|
34
|
-
require 'conjur/acts_as_user'
|
35
|
-
require 'conjur/log_source'
|
36
|
-
require 'conjur/has_attributes'
|
37
|
-
require 'conjur/api/authenticators'
|
38
|
-
require 'conjur/api/authn'
|
39
|
-
require 'conjur/api/roles'
|
40
|
-
require 'conjur/api/resources'
|
41
|
-
require 'conjur/api/pubkeys'
|
42
|
-
require 'conjur/api/variables'
|
43
|
-
require 'conjur/api/policies'
|
44
|
-
require 'conjur/api/host_factories'
|
45
|
-
require 'conjur/api/ldap_sync'
|
46
|
-
require 'conjur/host'
|
47
|
-
require 'conjur/group'
|
48
|
-
require 'conjur/variable'
|
49
|
-
require 'conjur/layer'
|
50
|
-
require 'conjur/cache'
|
51
|
-
require 'conjur-api/version'
|
52
|
-
|
53
|
-
# @api private
|
54
|
-
class RestClient::Resource
|
55
|
-
include Conjur::Escape
|
56
|
-
include Conjur::LogSource
|
57
|
-
|
58
|
-
# @api private
|
59
|
-
# This method exists so that all {RestClient::Resource}s support JSON serialization. It returns an
|
60
|
-
# empty hash.
|
61
|
-
# @return [Hash] the empty hash
|
62
|
-
def to_json(options = {})
|
63
|
-
{}
|
64
|
-
end
|
65
|
-
|
66
|
-
# Creates a Conjur API from this resource's authorization header.
|
67
|
-
#
|
68
|
-
# The new API is created using the token, so it will not be able to refresh
|
69
|
-
# when the token expires (after about 8 minutes). This is equivalent to creating
|
70
|
-
# an {Conjur::API} instance with {Conjur::API.new_from_token}.
|
71
|
-
#
|
72
|
-
# @return {Conjur::API} the new api
|
73
|
-
def conjur_api
|
74
|
-
api = Conjur::API.new_from_token token, remote_ip: remote_ip
|
75
|
-
api
|
76
|
-
end
|
77
|
-
|
78
|
-
# Get an authentication token from the clients Authorization header.
|
79
|
-
#
|
80
|
-
# Useful fields in the token include `"data"`, which holds the username for which the
|
81
|
-
# token was issued, and `"timestamp"`, which contains the time at which the token was issued.
|
82
|
-
# The token will expire 8 minutes after timestamp, but we recommend you treat the lifespan as
|
83
|
-
# about 5 minutes to account for time differences.
|
84
|
-
#
|
85
|
-
# @return [Hash] the parsed authentication token
|
86
|
-
def token
|
87
|
-
authorization = options[:headers][:authorization]
|
88
|
-
if authorization && authorization.to_s[/^Token token="(.*)"/]
|
89
|
-
JSON.parse(Base64.decode64($1))
|
90
|
-
else
|
91
|
-
raise AuthorizationError.new("Authorization missing")
|
92
|
-
end
|
93
|
-
end
|
94
|
-
|
95
|
-
def remote_ip
|
96
|
-
options[:headers][:x_forwarded_for]
|
97
|
-
end
|
98
|
-
|
99
|
-
# The username this resource authenticates as.
|
100
|
-
#
|
101
|
-
# @return [String] the username
|
102
|
-
def username
|
103
|
-
options[:user] || options[:username]
|
104
|
-
end
|
105
|
-
end
|