conjur-api 5.3.7.pre.168 → 5.3.8.pre.8

data/lib/conjur/api/router/v4.rb

@@ -1,206 +0,0 @@
-module Conjur
-  class API
-    module Router
-      module V4
-        extend Conjur::Escape::ClassMethods
-        extend Conjur::QueryString
-        extend self
-
-        def authn_login account, username, password
-          verify_account(account)
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(
-              user: username,
-              password: password
-            )
-          )['users/login']
-        end
-
-        def authn_authenticate account, username
-          verify_account(account)
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.rest_client_options
-          )['users'][fully_escape username]['authenticate']
-        end
-
-        # For v4, the authn-local message is the username.
-        def authn_authenticate_local username, account, expiration, cidr, &block
-          verify_account(account)
-
-          raise "'expiration' is not supported for authn-local v4" if expiration
-          raise "'cidr' is not supported for authn-local v4" if cidr
-
-          username
-        end
-
-        def authn_rotate_api_key credentials, account, id
-          verify_account(account)
-          username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['users']["api_key?id=#{username}"]
-        end
-
-        def authn_rotate_own_api_key account, username, password
-          verify_account(account)
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(user: username, password: password)
-          )['users']["api_key"]
-        end
-
-        def host_factory_create_host token
-          http_options = {
-            headers: { authorization: %Q(Token token="#{token}") }
-          }
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(http_options)
-          )['host_factories']['hosts']
-        end
-
-        def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['host_factories'][id.identifier]['tokens']
-        end
-
-        def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['host_factories']['tokens'][token]
-        end
-
-        def resources_resource credentials, id
-
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['authz'][id.account]['resources'][id.kind][id.identifier]
-        end
-
-        def resources_check credentials, id, privilege, role
-          options = {}
-          options[:check] = true
-          options[:privilege] = privilege
-          if role
-            options[:resource_id] = id
-            roles_role(credentials, Id.new(role))[options_querystring options].get
-          else
-            resources_resource(credentials, id)[options_querystring options].get
-          end
-        end
-
-        def resources_permitted_roles credentials, id, privilege
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
-        end
-
-        def roles_role credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['authz'][id.account]['roles'][id.kind][id.identifier]
-        end
-
-        def secrets_add credentials, id
-          verify_account(id.account)
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['variables'][fully_escape id.identifier]['values']
-        end
-
-        def variable credentials, id
-          verify_account(id.account)
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['variables'][fully_escape id.identifier]
-        end
-
-        def secrets_value credentials, id, options
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['variables'][fully_escape id.identifier]['value'][options_querystring options]
-        end
-
-        def secrets_values credentials, variable_ids
-          options = {
-            vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
-          }
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['variables']['values'][options_querystring options]
-        end
-
-        def group_attributes credentials, resource, id
-          verify_account(id.account)
-          JSON.parse(
-            RestClient::Resource.new(
-              Conjur.configuration.core_url,
-              Conjur.configuration.create_rest_client_options(credentials)
-            )['groups'][fully_escape id.identifier].get
-          )
-        end
-
-        def variable_attributes credentials, resource, id
-          verify_account(id.account)
-          JSON.parse(
-            RestClient::Resource.new(
-              Conjur.configuration.core_url,
-              Conjur.configuration.create_rest_client_options(credentials)
-            )['variables'][fully_escape id.identifier].get
-          )
-        end
-
-        def user_attributes credentials, resource, id
-          verify_account(id.account)
-          JSON.parse(
-            RestClient::Resource.new(
-              Conjur.configuration.core_url,
-              Conjur.configuration.create_rest_client_options(credentials)
-            )['users'][fully_escape id.identifier].get
-          )
-        end
-
-        def parse_group_gidnumber attributes
-          attributes['gidnumber']
-        end
-
-        def parse_user_uidnumber attributes
-          attributes['uidnumber']
-        end
-
-        def parse_variable_kind attributes
-          attributes['kind']
-        end
-
-        def parse_variable_mime_type attributes
-          attributes['mime_type']
-        end
-
-        def parse_members credentials, result
-          result.collect do |json|
-            RoleGrant.parse_from_json(json, credentials)
-          end
-        end
-
-        protected
-
-        def verify_account account
-          raise "Expecting account to be #{Conjur.configuration.account.inspect}, got #{account.inspect}" unless Conjur.configuration.account == account
-        end
-      end
-    end
-  end
-end

data/lib/conjur/api/router/v5.rb

@@ -1,248 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2017-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# rubocop:disable Metrics/ModuleLength
-module Conjur
-  class API
-    module Router
-      # V5 translates method arguments to rest-ful API request parameters.
-      # because of this, most of the methods suffer from :reek:LongParameterList:
-      # and :reek:UtilityFunction:
-      module V5
-        extend Conjur::Escape::ClassMethods
-        extend Conjur::QueryString
-        extend self
-
-        def authn_login account, username, password
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(
-              user: username,
-              password: password
-            )
-          )[fully_escape account]['login']
-        end
-
-        def authn_authenticate account, username
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.rest_client_options
-          )[fully_escape account][fully_escape username]['authenticate']
-        end
-
-        def authenticator account, authenticator, service_id, credentials
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )[fully_escape authenticator][fully_escape service_id][fully_escape account]
-        end
-
-        def authenticators
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.rest_client_options
-          )['authenticators']
-        end
-
-        # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
-        def authn_authenticate_local username, account, expiration, cidr, &block
-          { account: account, sub: username }.tap do |params|
-            params[:exp] = expiration if expiration
-            params[:cidr] = cidr if cidr
-          end.to_json
-        end
-
-        def authn_update_password account, username, password
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(
-              user: username,
-              password: password
-            )
-          )[fully_escape account]['password']
-        end
-
-        def authn_rotate_api_key credentials, account, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['authn'][fully_escape account]["api_key?role=#{id}"]
-        end
-
-        def authn_rotate_own_api_key account, username, password
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(
-              user: username,
-              password: password
-            )
-          )[fully_escape account]['api_key']
-        end
-
-        def host_factory_create_host token
-          http_options = {
-            headers: { authorization: %Q(Token token="#{token}") }
-          }
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(http_options)
-          )["host_factories"]["hosts"]
-        end
-
-        def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['host_factory_tokens']
-        end
-
-        def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['host_factory_tokens'][token]
-        end
-
-        def policies_load_policy credentials, account, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['policies'][fully_escape account]['policy'][fully_escape id]
-        end
-
-        def public_keys_for_user account, username
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.rest_client_options
-          )['public_keys'][fully_escape account]['user'][fully_escape username]
-        end
-
-        def resources credentials, account, kind, options
-          credentials ||= {}
-
-          path = "/resources/#{fully_escape account}"
-          path += "/#{fully_escape kind}" if kind
-
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )[path][options_querystring options]
-        end
-
-        def resources_resource credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['resources'][id.to_url_path]
-        end
-
-        def resources_permitted_roles credentials, id, privilege
-          options = {}
-          options[:permitted_roles] = true
-          options[:privilege] = privilege
-          resources_resource(credentials, id)[options_querystring options]
-        end
-
-        def resources_check credentials, id, privilege, role
-          options = {}
-          options[:check] = true
-          options[:privilege] = privilege
-          options[:role] = query_escape(Id.new(role)) if role
-          resources_resource(credentials, id)[options_querystring options].get
-        end
-
-        def roles_role credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['roles'][id.to_url_path]
-        end
-
-        def secrets_add credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['secrets'][id.to_url_path]
-        end
-
-        def secrets_value credentials, id, options
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['secrets'][id.to_url_path][options_querystring options]
-        end
-
-        def secrets_values credentials, variable_ids
-          options = {
-            variable_ids: Array(variable_ids).join(',')
-          }
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['secrets'][options_querystring(options).gsub("%2C", ',')]
-        end
-
-        def group_attributes credentials, resource, id
-          resource_annotations resource
-        end
-
-        def variable_attributes credentials, resource, id
-          resource_annotations resource
-        end
-
-        def user_attributes credentials, resource, id
-          resource_annotations resource
-        end
-
-        def parse_group_gidnumber attributes
-          HasAttributes.annotation_value attributes, 'conjur/gidnumber'
-        end
-
-        def parse_user_uidnumber attributes
-          HasAttributes.annotation_value attributes, 'conjur/uidnumber'
-        end
-
-        def parse_variable_kind attributes
-          HasAttributes.annotation_value attributes, 'conjur/kind'
-        end
-
-        def parse_variable_mime_type attributes
-          HasAttributes.annotation_value attributes, 'conjur/mime_type'
-        end
-
-        def parse_members credentials, result
-          result.map do |json|
-            RoleGrant.parse_from_json(json, credentials)
-          end
-        end
-
-        def ldap_sync_policy(credentials, config_name)
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
-        end
-
-        private
-
-        def resource_annotations resource
-          resource.attributes['annotations']
-        end
-      end
-    end
-  end
-end
-# rubocop:enable Metrics/ModuleLength

data/lib/conjur/api/variables.rb

@@ -1,59 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/variable'
-
-module Conjur
-  class API
-  
-    #@!group Variables
-
-    # Fetch the values of a list of variables.  This operation is more efficient than fetching the
-    # values one by one.
-    #
-    # This method will fail unless:
-    #   * All of the variables exist
-    #   * You have permission to `'execute'` all of the variables
-    #
-    # @example Fetch multiple variable values
-    #   values = variable_values ['myorg:variable:postgres_uri', 'myorg:variable:aws_secret_access_key', 'myorg:variable:aws_access_key_id']
-    #   values # =>
-    #   {
-    #      "postgres://...",
-    #      "the-secret-key",
-    #      "the-access-key-id"
-    #   }
-    # 
-    # This method is used to implement the {http://developer.conjur.net/reference/tools/utilities/conjurenv `conjur env`}
-    # commands.  You may consider using that instead to run your program in an environment with the necessary secrets.
-    #
-    # @param [Array<String>] variable_ids list of variable ids to fetch
-    # @return [Array<String>] a list of variable values corresponding to the variable ids.
-    # @raise [RestClient::Forbidden, RestClient::ResourceNotFound] if any of the variables don't exist or aren't accessible.
-    def variable_values variable_ids
-      raise ArgumentError, "Variables list must be an array" unless variable_ids.kind_of? Array 
-      raise ArgumentError, "Variables list is empty" if variable_ids.empty?
-
-      JSON.parse(url_for(:secrets_values, credentials, variable_ids).get.body)
-    end
-    
-    #@!endgroup
-  end
-end

data/lib/conjur/api.rb

@@ -1,105 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'active_support'
-require 'active_support/deprecation'
-
-require 'conjur/configuration'
-require 'conjur/routing'
-require 'conjur/id'
-require 'conjur/base'
-require 'conjur/exceptions'
-require 'conjur/build_object'
-require 'conjur/base_object'
-require 'conjur/acts_as_resource'
-require 'conjur/acts_as_role'
-require 'conjur/acts_as_rolsource'
-require 'conjur/acts_as_user'
-require 'conjur/log_source'
-require 'conjur/has_attributes'
-require 'conjur/api/authenticators'
-require 'conjur/api/authn'
-require 'conjur/api/roles'
-require 'conjur/api/resources'
-require 'conjur/api/pubkeys'
-require 'conjur/api/variables'
-require 'conjur/api/policies'
-require 'conjur/api/host_factories'
-require 'conjur/api/ldap_sync'
-require 'conjur/host'
-require 'conjur/group'
-require 'conjur/variable'
-require 'conjur/layer'
-require 'conjur/cache'
-require 'conjur-api/version'
-
-# @api private
-class RestClient::Resource
-  include Conjur::Escape
-  include Conjur::LogSource
-
-  # @api private
-  # This method exists so that all {RestClient::Resource}s support JSON serialization.  It returns an
-  # empty hash.
-  # @return [Hash] the empty hash
-  def to_json(options = {})
-    {}
-  end
-
-  # Creates a Conjur API from this resource's authorization header.
-  #
-  # The new API is created using the token, so it will not be able to refresh
-  # when the token expires (after about 8 minutes).  This is equivalent to creating
-  # an {Conjur::API} instance with {Conjur::API.new_from_token}.
-  #
-  # @return {Conjur::API} the new api
-  def conjur_api
-    api = Conjur::API.new_from_token token, remote_ip: remote_ip
-    api
-  end
-
-  # Get an authentication token from the clients Authorization header.
-  #
-  # Useful fields in the token include `"data"`, which holds the username for which the
-  # token was issued, and `"timestamp"`, which contains the time at which the token was issued.
-  # The token will expire 8 minutes after timestamp, but we recommend you treat the lifespan as
-  # about 5  minutes to account for time differences.
-  #
-  # @return [Hash] the parsed authentication token
-  def token
-    authorization = options[:headers][:authorization]
-    if authorization && authorization.to_s[/^Token token="(.*)"/]
-      JSON.parse(Base64.decode64($1))
-    else
-      raise AuthorizationError.new("Authorization missing")
-    end
-  end
-
-  def remote_ip
-    options[:headers][:x_forwarded_for]
-  end
-
-  # The username this resource authenticates as.
-  #
-  # @return [String] the username
-  def username
-    options[:user] || options[:username]
-  end
-end