conjur-api 5.3.7 → 5.3.8.pre.319
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- metadata +23 -193
- data/.codeclimate.yml +0 -10
- data/.dockerignore +0 -1
- data/.github/CODEOWNERS +0 -10
- data/.gitignore +0 -32
- data/.gitleaks.toml +0 -219
- data/.overcommit.yml +0 -16
- data/.project +0 -18
- data/.rubocop.yml +0 -3
- data/.rubocop_settings.yml +0 -86
- data/.rubocop_todo.yml +0 -709
- data/.yardopts +0 -1
- data/CHANGELOG.md +0 -433
- data/CONTRIBUTING.md +0 -141
- data/Dockerfile +0 -16
- data/Gemfile +0 -7
- data/Jenkinsfile +0 -168
- data/LICENSE +0 -202
- data/README.md +0 -162
- data/Rakefile +0 -47
- data/SECURITY.md +0 -42
- data/bin/parse-changelog.sh +0 -12
- data/ci/configure_v4.sh +0 -12
- data/ci/configure_v5.sh +0 -14
- data/ci/submit-coverage +0 -36
- data/conjur-api.gemspec +0 -40
- data/dev/Dockerfile.dev +0 -12
- data/dev/docker-compose.yml +0 -56
- data/dev/start +0 -22
- data/dev/stop +0 -5
- data/docker-compose.yml +0 -76
- data/example/demo_v4.rb +0 -49
- data/example/demo_v5.rb +0 -57
- data/features/authenticators.feature +0 -33
- data/features/authn_local.feature +0 -32
- data/features/exists.feature +0 -37
- data/features/group.feature +0 -11
- data/features/host.feature +0 -50
- data/features/host_factory_create_host.feature +0 -28
- data/features/host_factory_token.feature +0 -63
- data/features/load_policy.feature +0 -61
- data/features/members.feature +0 -51
- data/features/new_api.feature +0 -36
- data/features/permitted.feature +0 -70
- data/features/permitted_roles.feature +0 -30
- data/features/public_keys.feature +0 -11
- data/features/resource_fields.feature +0 -53
- data/features/role_fields.feature +0 -15
- data/features/rotate_api_key.feature +0 -13
- data/features/step_definitions/api_steps.rb +0 -18
- data/features/step_definitions/policy_steps.rb +0 -75
- data/features/step_definitions/result_steps.rb +0 -7
- data/features/support/env.rb +0 -18
- data/features/support/hooks.rb +0 -3
- data/features/support/world.rb +0 -12
- data/features/update_password.feature +0 -14
- data/features/user.feature +0 -58
- data/features/variable_fields.feature +0 -20
- data/features/variable_value.feature +0 -60
- data/features_v4/authn_local.feature +0 -27
- data/features_v4/exists.feature +0 -29
- data/features_v4/host.feature +0 -18
- data/features_v4/host_factory_token.feature +0 -49
- data/features_v4/members.feature +0 -39
- data/features_v4/permitted.feature +0 -15
- data/features_v4/permitted_roles.feature +0 -8
- data/features_v4/resource_fields.feature +0 -47
- data/features_v4/rotate_api_key.feature +0 -13
- data/features_v4/step_definitions/api_steps.rb +0 -17
- data/features_v4/step_definitions/result_steps.rb +0 -3
- data/features_v4/support/env.rb +0 -23
- data/features_v4/support/policy.yml +0 -34
- data/features_v4/support/world.rb +0 -12
- data/features_v4/variable_fields.feature +0 -11
- data/features_v4/variable_value.feature +0 -54
- data/lib/conjur/acts_as_resource.rb +0 -123
- data/lib/conjur/acts_as_role.rb +0 -142
- data/lib/conjur/acts_as_rolsource.rb +0 -32
- data/lib/conjur/acts_as_user.rb +0 -68
- data/lib/conjur/api/authenticators.rb +0 -35
- data/lib/conjur/api/authn.rb +0 -125
- data/lib/conjur/api/host_factories.rb +0 -71
- data/lib/conjur/api/ldap_sync.rb +0 -38
- data/lib/conjur/api/policies.rb +0 -56
- data/lib/conjur/api/pubkeys.rb +0 -53
- data/lib/conjur/api/resources.rb +0 -109
- data/lib/conjur/api/roles.rb +0 -98
- data/lib/conjur/api/router/v4.rb +0 -206
- data/lib/conjur/api/router/v5.rb +0 -248
- data/lib/conjur/api/variables.rb +0 -59
- data/lib/conjur/api.rb +0 -105
- data/lib/conjur/base.rb +0 -355
- data/lib/conjur/base_object.rb +0 -57
- data/lib/conjur/build_object.rb +0 -47
- data/lib/conjur/cache.rb +0 -26
- data/lib/conjur/cert_utils.rb +0 -63
- data/lib/conjur/cidr.rb +0 -71
- data/lib/conjur/configuration.rb +0 -460
- data/lib/conjur/escape.rb +0 -129
- data/lib/conjur/exceptions.rb +0 -4
- data/lib/conjur/group.rb +0 -41
- data/lib/conjur/has_attributes.rb +0 -98
- data/lib/conjur/host.rb +0 -27
- data/lib/conjur/host_factory.rb +0 -75
- data/lib/conjur/host_factory_token.rb +0 -78
- data/lib/conjur/id.rb +0 -71
- data/lib/conjur/layer.rb +0 -9
- data/lib/conjur/log.rb +0 -72
- data/lib/conjur/log_source.rb +0 -60
- data/lib/conjur/policy.rb +0 -34
- data/lib/conjur/policy_load_result.rb +0 -61
- data/lib/conjur/query_string.rb +0 -12
- data/lib/conjur/resource.rb +0 -29
- data/lib/conjur/role.rb +0 -29
- data/lib/conjur/role_grant.rb +0 -85
- data/lib/conjur/routing.rb +0 -29
- data/lib/conjur/user.rb +0 -40
- data/lib/conjur/variable.rb +0 -208
- data/lib/conjur/webservice.rb +0 -30
- data/lib/conjur-api/version.rb +0 -24
- data/lib/conjur-api.rb +0 -2
- data/publish.sh +0 -5
- data/spec/api/host_factories_spec.rb +0 -34
- data/spec/api_spec.rb +0 -254
- data/spec/base_object_spec.rb +0 -13
- data/spec/cert_utils_spec.rb +0 -173
- data/spec/cidr_spec.rb +0 -34
- data/spec/configuration_spec.rb +0 -330
- data/spec/has_attributes_spec.rb +0 -63
- data/spec/helpers/errors_matcher.rb +0 -34
- data/spec/helpers/request_helpers.rb +0 -10
- data/spec/id_spec.rb +0 -29
- data/spec/ldap_sync_spec.rb +0 -21
- data/spec/log_source_spec.rb +0 -13
- data/spec/log_spec.rb +0 -42
- data/spec/roles_spec.rb +0 -24
- data/spec/spec_helper.rb +0 -113
- data/spec/ssl_spec.rb +0 -109
- data/spec/uri_escape_spec.rb +0 -21
- data/test.sh +0 -73
- data/tmp/.keep +0 -0
data/lib/conjur/base.rb
DELETED
@@ -1,355 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
require 'rest-client'
|
22
|
-
require 'active_support'
|
23
|
-
require 'active_support/core_ext'
|
24
|
-
require 'json'
|
25
|
-
require 'base64'
|
26
|
-
|
27
|
-
require 'conjur/query_string'
|
28
|
-
require 'conjur/has_attributes'
|
29
|
-
require 'conjur/escape'
|
30
|
-
require 'conjur/log'
|
31
|
-
require 'conjur/log_source'
|
32
|
-
|
33
|
-
module Conjur
|
34
|
-
# NOTE: You have to put all 'class level' api docs here, because YARD is stoopid :-(
|
35
|
-
|
36
|
-
# This class provides access to the Conjur services.
|
37
|
-
class API
|
38
|
-
include Escape
|
39
|
-
include LogSource
|
40
|
-
include Routing
|
41
|
-
extend Routing
|
42
|
-
|
43
|
-
class << self
|
44
|
-
# Create a new {Conjur::API} instance from a username and a password or api key.
|
45
|
-
#
|
46
|
-
# @example Create an API with valid credentials
|
47
|
-
# api = Conjur::API.new_from_key 'admin', '<admin password>'
|
48
|
-
# api.current_role # => 'conjur:user:admin'
|
49
|
-
# api.token['data'] # => 'admin'
|
50
|
-
#
|
51
|
-
# @example Authentication is lazy
|
52
|
-
# api = Conjur::API.new_from_key 'admin', 'wrongpassword' # succeeds
|
53
|
-
# api.user 'foo' # raises a 401 error
|
54
|
-
#
|
55
|
-
# @param [String] username the username to use when making authenticated requests.
|
56
|
-
# @param [String] api_key the api key or password for `username`
|
57
|
-
# @param [String] remote_ip the optional IP address to be recorded in the audit record.
|
58
|
-
# @param [String] account The organization account.
|
59
|
-
# @return [Conjur::API] an api that will authenticate with the given username and api key.
|
60
|
-
def new_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
|
61
|
-
self.new.init_from_key username, api_key, remote_ip: remote_ip, account: account
|
62
|
-
end
|
63
|
-
|
64
|
-
# Create a new {Conjur::API} instance from an access token.
|
65
|
-
#
|
66
|
-
# Generally, you will have a Conjur identitiy (username and API key), and create an {Conjur::API} instance
|
67
|
-
# for the identity using {.new_from_key}. This method is useful when you are performing authorization checks
|
68
|
-
# given a token. For example, a Conjur gateway that requires you to prove that you can 'read' a resource named
|
69
|
-
# 'super-secret' might get the token from a request header, create an {Conjur::API} instance with this method,
|
70
|
-
# and use {Conjur::Resource#permitted?} to decide whether to accept and forward the request.
|
71
|
-
#
|
72
|
-
# @example A simple gatekeeper
|
73
|
-
# RESOURCE_NAME = 'protected-service'
|
74
|
-
#
|
75
|
-
# def handle_request request
|
76
|
-
# token_header = request.header 'X-Conjur-Token'
|
77
|
-
# token = JSON.parse Base64.b64decode(token_header)
|
78
|
-
#
|
79
|
-
# api = Conjur::API.new_from_token token
|
80
|
-
# raise Forbidden unless api.resource(RESOURCE_NAME).permitted? 'read'
|
81
|
-
#
|
82
|
-
# proxy_to_service request
|
83
|
-
# end
|
84
|
-
#
|
85
|
-
# @param [Hash] token the authentication token as parsed JSON to use when making authenticated requests
|
86
|
-
# @param [String] remote_ip the optional IP address to be recorded in the audit record.
|
87
|
-
# @return [Conjur::API] an api that will authenticate with the token
|
88
|
-
def new_from_token token, remote_ip: nil
|
89
|
-
self.new.init_from_token token, remote_ip: remote_ip
|
90
|
-
end
|
91
|
-
|
92
|
-
# Create a new {Conjur::API} instance from a file containing a token issued by the
|
93
|
-
# {http://developer.conjur.net/reference/services/authentication Conjur authentication service}.
|
94
|
-
# The file is read the first time that a token is required. It is also re-read
|
95
|
-
# whenever the API decides that the token it already has is getting close to expiration.
|
96
|
-
#
|
97
|
-
# This method is useful when an external process, such as a sidecar container, is continuously
|
98
|
-
# obtaining fresh tokens and writing them to a known file.
|
99
|
-
#
|
100
|
-
# @param [String] token_file the file path containing an authentication token as parsed JSON.
|
101
|
-
# @param [String] remote_ip the optional IP address to be recorded in the audit record.
|
102
|
-
# @return [Conjur::API] an api that will authenticate with the tokens provided in the file.
|
103
|
-
def new_from_token_file token_file, remote_ip: nil
|
104
|
-
self.new.init_from_token_file token_file, remote_ip: remote_ip
|
105
|
-
end
|
106
|
-
|
107
|
-
# Create a new {Conjur::API} instance which authenticates using +authn-local+
|
108
|
-
# using the specified username.
|
109
|
-
#
|
110
|
-
# @param [String] username the username to use when making authenticated requests.
|
111
|
-
# @param [String] account The organization account.
|
112
|
-
# @param [String] remote_ip the optional IP address to be recorded in the audit record.
|
113
|
-
# @param [String] expiration the optional expiration time of the token (supported in V5 only).
|
114
|
-
# @param [String] cidr the optional CIDR restriction on the token (supported in V5 only).
|
115
|
-
# @return [Conjur::API] an api that will authenticate with the given username.
|
116
|
-
def new_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
|
117
|
-
self.new.init_from_authn_local username, account: account, remote_ip: remote_ip, expiration: expiration, cidr: cidr
|
118
|
-
end
|
119
|
-
end
|
120
|
-
|
121
|
-
#@!attribute [r] api_key
|
122
|
-
# The api key used to create this instance. This is only present when you created the api with {Conjur::API.new_from_key}.#
|
123
|
-
#
|
124
|
-
# @return [String] the api key, or nil if this instance was created from a token.
|
125
|
-
attr_reader :api_key
|
126
|
-
|
127
|
-
#@!attribute [r] remote_ip
|
128
|
-
# An optional IP address to be recorded in the audit record for any actions performed by this API instance.
|
129
|
-
attr_reader :remote_ip
|
130
|
-
|
131
|
-
# The name of the user as which this api instance is authenticated. This is available whether the api
|
132
|
-
# instance was created from credentials or an authentication token. If the instance was created from
|
133
|
-
# credentials, we will use that value directly otherwise we will attempt to extract the username from
|
134
|
-
# the token (either the old-style data field or the new-style JWT `sub` field).
|
135
|
-
#
|
136
|
-
# @return [String] the login of the current user.
|
137
|
-
def username
|
138
|
-
@username || token['data'] || jwt_username(token)
|
139
|
-
end
|
140
|
-
|
141
|
-
# @api private
|
142
|
-
# used to delegate to host providing subclasses.
|
143
|
-
# @return [String] the host
|
144
|
-
def host
|
145
|
-
self.class.host
|
146
|
-
end
|
147
|
-
|
148
|
-
# The token used to authenticate requests made with the api. The token will be fetched,
|
149
|
-
# if possible, when not present or about to expire. Accordingly, this
|
150
|
-
# method may raise a RestClient::Unauthorized exception if the credentials are invalid.
|
151
|
-
#
|
152
|
-
# @return [Hash] the authentication token as a Hash
|
153
|
-
# @raise [RestClient::Unauthorized] if the username and api key are invalid.
|
154
|
-
def token
|
155
|
-
refresh_token if needs_token_refresh?
|
156
|
-
return @token
|
157
|
-
end
|
158
|
-
|
159
|
-
# @api private
|
160
|
-
# Force the API to obtain a new access token on the next invocation.
|
161
|
-
def force_token_refresh
|
162
|
-
@token = nil
|
163
|
-
end
|
164
|
-
|
165
|
-
# Credentials that can be merged with options to be passed to `RestClient::Resource` HTTP request methods.
|
166
|
-
# These include a username and an Authorization header containing the authentication token.
|
167
|
-
#
|
168
|
-
# @return [Hash] the options.
|
169
|
-
# @raise [RestClient::Unauthorized] if fetching the token fails.
|
170
|
-
def credentials
|
171
|
-
headers = {}.tap do |h|
|
172
|
-
h[:authorization] = "Token token=\"#{Base64.strict_encode64 token.to_json}\""
|
173
|
-
h[:x_forwarded_for] = @remote_ip if @remote_ip
|
174
|
-
end
|
175
|
-
{ headers: headers, username: username }
|
176
|
-
end
|
177
|
-
|
178
|
-
module TokenExpiration
|
179
|
-
|
180
|
-
# The four minutes is to work around a bug in Conjur < 4.7 causing a 404 on
|
181
|
-
# long-running operations (when the token is used right around the 5 minute mark).
|
182
|
-
TOKEN_STALE = 4.minutes
|
183
|
-
|
184
|
-
attr_accessor :token_born
|
185
|
-
|
186
|
-
def needs_token_refresh?
|
187
|
-
token_age > TOKEN_STALE
|
188
|
-
end
|
189
|
-
|
190
|
-
def update_token_born
|
191
|
-
self.token_born = gettime
|
192
|
-
end
|
193
|
-
|
194
|
-
def token_age
|
195
|
-
gettime - token_born
|
196
|
-
end
|
197
|
-
|
198
|
-
def gettime
|
199
|
-
Process.clock_gettime Process::CLOCK_MONOTONIC
|
200
|
-
rescue
|
201
|
-
# fall back to normal clock if there's no CLOCK_MONOTONIC
|
202
|
-
Time.now.to_f
|
203
|
-
end
|
204
|
-
end
|
205
|
-
|
206
|
-
# When the API is constructed with an API key, the token can be refreshed using
|
207
|
-
# the username and API key. This authenticator assumes that the token was
|
208
|
-
# minted immediately before the API instance was created.
|
209
|
-
class APIKeyAuthenticator
|
210
|
-
include TokenExpiration
|
211
|
-
|
212
|
-
attr_reader :account, :username, :api_key
|
213
|
-
|
214
|
-
def initialize account, username, api_key
|
215
|
-
@account = account
|
216
|
-
@username = username
|
217
|
-
@api_key = api_key
|
218
|
-
|
219
|
-
update_token_born
|
220
|
-
end
|
221
|
-
|
222
|
-
def refresh_token
|
223
|
-
Conjur::API.authenticate(username, api_key, account: account).tap do
|
224
|
-
update_token_born
|
225
|
-
end
|
226
|
-
end
|
227
|
-
end
|
228
|
-
|
229
|
-
# Obtains access tokens from the +authn-local+ service.
|
230
|
-
class LocalAuthenticator
|
231
|
-
include TokenExpiration
|
232
|
-
|
233
|
-
attr_reader :account, :username, :expiration, :cidr
|
234
|
-
|
235
|
-
def initialize account, username, expiration, cidr
|
236
|
-
@account = account
|
237
|
-
@username = username
|
238
|
-
@expiration = expiration
|
239
|
-
@cidr = cidr
|
240
|
-
|
241
|
-
update_token_born
|
242
|
-
end
|
243
|
-
|
244
|
-
def refresh_token
|
245
|
-
Conjur::API.authenticate_local(username, account: account, expiration: expiration, cidr: cidr).tap do
|
246
|
-
update_token_born
|
247
|
-
end
|
248
|
-
end
|
249
|
-
end
|
250
|
-
|
251
|
-
# When the API is constructed with a token, the token cannot be refreshed.
|
252
|
-
class UnableAuthenticator
|
253
|
-
def refresh_token
|
254
|
-
raise "Unable to re-authenticate using an access token"
|
255
|
-
end
|
256
|
-
|
257
|
-
def needs_token_refresh?
|
258
|
-
false
|
259
|
-
end
|
260
|
-
end
|
261
|
-
|
262
|
-
# Obtains fresh tokens by reading them from a file. Some other process is assumed
|
263
|
-
# to be acquiring tokens and storing them to the file on a regular basis.
|
264
|
-
#
|
265
|
-
# This authenticator assumes that the token was created immediately before
|
266
|
-
# it was written to the file.
|
267
|
-
class TokenFileAuthenticator
|
268
|
-
attr_reader :token_file
|
269
|
-
|
270
|
-
def initialize token_file
|
271
|
-
@token_file = token_file
|
272
|
-
end
|
273
|
-
|
274
|
-
attr_reader :last_mtime
|
275
|
-
|
276
|
-
def mtime
|
277
|
-
File.mtime token_file
|
278
|
-
end
|
279
|
-
|
280
|
-
def refresh_token
|
281
|
-
# There's a race condition here in which the file could be updated
|
282
|
-
# after we read the mtime but before we read the file contents. So to be
|
283
|
-
# conservative, use the oldest possible mtime.
|
284
|
-
mtime = self.mtime
|
285
|
-
File.open token_file, 'r' do |f|
|
286
|
-
JSON.load(f.read).tap { @last_mtime = mtime }
|
287
|
-
end
|
288
|
-
end
|
289
|
-
|
290
|
-
def needs_token_refresh?
|
291
|
-
mtime != last_mtime
|
292
|
-
end
|
293
|
-
end
|
294
|
-
|
295
|
-
def init_from_key username, api_key, account: Conjur.configuration.account, remote_ip: nil
|
296
|
-
@username = username
|
297
|
-
@api_key = api_key
|
298
|
-
@remote_ip = remote_ip
|
299
|
-
@authenticator = APIKeyAuthenticator.new(account, username, api_key)
|
300
|
-
self
|
301
|
-
end
|
302
|
-
|
303
|
-
def init_from_token token, remote_ip: nil
|
304
|
-
@token = token
|
305
|
-
@remote_ip = remote_ip
|
306
|
-
@authenticator = UnableAuthenticator.new
|
307
|
-
self
|
308
|
-
end
|
309
|
-
|
310
|
-
def init_from_token_file token_file, remote_ip: nil
|
311
|
-
@remote_ip = remote_ip
|
312
|
-
@authenticator = TokenFileAuthenticator.new(token_file)
|
313
|
-
self
|
314
|
-
end
|
315
|
-
|
316
|
-
def init_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
|
317
|
-
@username = username
|
318
|
-
@api_key = api_key
|
319
|
-
@remote_ip = remote_ip
|
320
|
-
@authenticator = LocalAuthenticator.new(account, username, expiration, cidr)
|
321
|
-
self
|
322
|
-
end
|
323
|
-
|
324
|
-
attr_reader :authenticator
|
325
|
-
|
326
|
-
private
|
327
|
-
|
328
|
-
# Tries to get the username (subject) from a JWT API token by examining
|
329
|
-
# its content.
|
330
|
-
#
|
331
|
-
# @return [String] of the 'sub' payload field from the JWT if present,
|
332
|
-
# otherwise return nil
|
333
|
-
def jwt_username raw_token
|
334
|
-
return nil unless raw_token
|
335
|
-
return nil unless raw_token.include? 'payload'
|
336
|
-
|
337
|
-
JSON.parse(Base64.strict_decode64(raw_token["payload"]))["sub"]
|
338
|
-
end
|
339
|
-
|
340
|
-
# Tries to refresh the token if possible.
|
341
|
-
#
|
342
|
-
# @return [Hash, false] false if the token couldn't be refreshed due to
|
343
|
-
# unavailable API key; otherwise, the new token.
|
344
|
-
def refresh_token
|
345
|
-
@token = @authenticator.refresh_token
|
346
|
-
end
|
347
|
-
|
348
|
-
# Checks if the token is old (or not present).
|
349
|
-
#
|
350
|
-
# @return [Boolean]
|
351
|
-
def needs_token_refresh?
|
352
|
-
!@token || @authenticator.needs_token_refresh?
|
353
|
-
end
|
354
|
-
end
|
355
|
-
end
|
data/lib/conjur/base_object.rb
DELETED
@@ -1,57 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
# Copyright 2013-2018 CyberArk Ltd.
|
4
|
-
#
|
5
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
-
# you may not use this file except in compliance with the License.
|
7
|
-
# You may obtain a copy of the License at
|
8
|
-
#
|
9
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
-
#
|
11
|
-
# Unless required by applicable law or agreed to in writing, software
|
12
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
-
# See the License for the specific language governing permissions and
|
15
|
-
# limitations under the License.
|
16
|
-
|
17
|
-
module Conjur
|
18
|
-
class BaseObject
|
19
|
-
include QueryString
|
20
|
-
include LogSource
|
21
|
-
include BuildObject
|
22
|
-
include Routing
|
23
|
-
|
24
|
-
attr_reader :id, :credentials
|
25
|
-
|
26
|
-
def initialize id, credentials
|
27
|
-
@id = Id.new id
|
28
|
-
@credentials = credentials
|
29
|
-
end
|
30
|
-
|
31
|
-
def as_json options={}
|
32
|
-
{
|
33
|
-
id: id.to_s
|
34
|
-
}
|
35
|
-
end
|
36
|
-
|
37
|
-
def account
|
38
|
-
id.account
|
39
|
-
end
|
40
|
-
|
41
|
-
def kind
|
42
|
-
id.kind
|
43
|
-
end
|
44
|
-
|
45
|
-
def identifier
|
46
|
-
id.identifier
|
47
|
-
end
|
48
|
-
|
49
|
-
def username
|
50
|
-
credentials[:username] or raise "No username found in credentials"
|
51
|
-
end
|
52
|
-
|
53
|
-
def inspect
|
54
|
-
"<#{self.class.name} id='#{id.to_s}'>"
|
55
|
-
end
|
56
|
-
end
|
57
|
-
end
|
data/lib/conjur/build_object.rb
DELETED
@@ -1,47 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
# Copyright 2013-2018 CyberArk Ltd.
|
4
|
-
#
|
5
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
-
# you may not use this file except in compliance with the License.
|
7
|
-
# You may obtain a copy of the License at
|
8
|
-
#
|
9
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
-
#
|
11
|
-
# Unless required by applicable law or agreed to in writing, software
|
12
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
-
# See the License for the specific language governing permissions and
|
15
|
-
# limitations under the License.
|
16
|
-
|
17
|
-
module Conjur
|
18
|
-
module BuildObject
|
19
|
-
def self.included base
|
20
|
-
base.module_eval do
|
21
|
-
extend ClassMethods
|
22
|
-
end
|
23
|
-
end
|
24
|
-
|
25
|
-
module ClassMethods
|
26
|
-
def build_object id, credentials, default_class:
|
27
|
-
id = Id.new id
|
28
|
-
class_name = id.kind.classify.to_sym
|
29
|
-
find_class(class_name, default_class)
|
30
|
-
.new(id, credentials)
|
31
|
-
end
|
32
|
-
|
33
|
-
def find_class class_name, default_class
|
34
|
-
cls = if Conjur.constants.member?(class_name)
|
35
|
-
Conjur.const_get(class_name)
|
36
|
-
else
|
37
|
-
default_class
|
38
|
-
end
|
39
|
-
cls < BaseObject ? cls : default_class
|
40
|
-
end
|
41
|
-
end
|
42
|
-
|
43
|
-
def build_object id, default_class: Resource
|
44
|
-
self.class.build_object id, credentials, default_class: default_class
|
45
|
-
end
|
46
|
-
end
|
47
|
-
end
|
data/lib/conjur/cache.rb
DELETED
@@ -1,26 +0,0 @@
|
|
1
|
-
module Conjur
|
2
|
-
# A cache which performs no caching.
|
3
|
-
class BaseCache
|
4
|
-
def fetch_attributes cache_key, &block
|
5
|
-
yield
|
6
|
-
end
|
7
|
-
end
|
8
|
-
|
9
|
-
class << self
|
10
|
-
@@cache = BaseCache.new
|
11
|
-
|
12
|
-
# Sets the global cache. It should implement +fetch_:method+ methods.
|
13
|
-
# The easy way to accomplish this is to extend BaseCache.
|
14
|
-
def cache= cache
|
15
|
-
@@cache = cache
|
16
|
-
end
|
17
|
-
|
18
|
-
# Gets the global cache.
|
19
|
-
def cache; @@cache; end
|
20
|
-
|
21
|
-
# Builds a cache key from a +username+, +url+ and optional +path+.
|
22
|
-
def cache_key username, url, path = nil
|
23
|
-
[ username, [ url, path ].compact.join ].join(".")
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
data/lib/conjur/cert_utils.rb
DELETED
@@ -1,63 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
|
22
|
-
require 'openssl'
|
23
|
-
|
24
|
-
module Conjur
|
25
|
-
module CertUtils
|
26
|
-
CERT_RE = /-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----\n/m
|
27
|
-
|
28
|
-
class << self
|
29
|
-
# Parse X509 DER-encoded certificates from a string
|
30
|
-
# @param certs [String] certificate(s) to parse in DER form
|
31
|
-
# @return [Array<OpenSSL::X509::Certificate>] certificates contained in the string
|
32
|
-
def parse_certs certs
|
33
|
-
# fix any mangled namespace
|
34
|
-
certs = certs.gsub /\s+/, "\n"
|
35
|
-
certs.gsub! "-----BEGIN\nCERTIFICATE-----", '-----BEGIN CERTIFICATE-----'
|
36
|
-
certs.gsub! "-----END\nCERTIFICATE-----", '-----END CERTIFICATE-----'
|
37
|
-
certs += "\n" unless certs[-1] == "\n"
|
38
|
-
|
39
|
-
certs.scan(CERT_RE).map do |cert|
|
40
|
-
begin
|
41
|
-
OpenSSL::X509::Certificate.new cert
|
42
|
-
rescue OpenSSL::X509::CertificateError => exn
|
43
|
-
raise exn, "Invalid certificate:\n#{cert} (#{exn.message})"
|
44
|
-
end
|
45
|
-
end
|
46
|
-
end
|
47
|
-
|
48
|
-
# Add a certificate to a given store. If the certificate has more than
|
49
|
-
# one certificate in its chain, it will be parsed and added to the store
|
50
|
-
# one by one. This is done because `OpenSSL::X509::Store.new.add_cert`
|
51
|
-
# adds only the intermediate certificate to the store.
|
52
|
-
def add_chained_cert store, chained_cert
|
53
|
-
parse_certs(chained_cert).each do |cert|
|
54
|
-
begin
|
55
|
-
store.add_cert cert
|
56
|
-
rescue OpenSSL::X509::StoreError => ex
|
57
|
-
raise unless ex.message == 'cert already in hash table'
|
58
|
-
end
|
59
|
-
end
|
60
|
-
end
|
61
|
-
end
|
62
|
-
end
|
63
|
-
end
|
data/lib/conjur/cidr.rb
DELETED
@@ -1,71 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
##
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
|
22
|
-
require 'ipaddr'
|
23
|
-
|
24
|
-
module Conjur
|
25
|
-
# Utility methods for CIDR network addresses
|
26
|
-
module CIDR
|
27
|
-
# Parse addr into an IPAddr if it's not one already, then extend it with CIDR
|
28
|
-
# module. This will force validation and will raise ArgumentError if invalid.
|
29
|
-
# @return [IPAddr] the address (extended with CIDR module)
|
30
|
-
def self.validate addr
|
31
|
-
addr = IPAddr.new addr unless addr.kind_of? IPAddr
|
32
|
-
addr.extend self
|
33
|
-
end
|
34
|
-
|
35
|
-
def self.extended addr
|
36
|
-
addr.prefixlen # validates
|
37
|
-
end
|
38
|
-
|
39
|
-
# Error raised when an address is not a valid CIDR network address
|
40
|
-
class InvalidCIDR < ArgumentError
|
41
|
-
end
|
42
|
-
|
43
|
-
attr_reader :mask_addr
|
44
|
-
|
45
|
-
# @return [String] the address as an "address/mask length" string
|
46
|
-
# @example
|
47
|
-
# IPAddr.new("192.0.2.0/255.255.255.0").extend(CIDR).to_s == "192.0.2.0/24"
|
48
|
-
def to_s
|
49
|
-
[super, prefixlen].join '/'
|
50
|
-
end
|
51
|
-
|
52
|
-
# @return [Fixnum] the length of the network mask prefix
|
53
|
-
def prefixlen
|
54
|
-
unless @prefixlen
|
55
|
-
return @prefixlen = 0 if (mask = mask_addr) == 0
|
56
|
-
|
57
|
-
@prefixlen = ipv4? ? 32 : 128
|
58
|
-
|
59
|
-
while (mask & 1) == 0
|
60
|
-
mask >>= 1
|
61
|
-
@prefixlen -= 1
|
62
|
-
end
|
63
|
-
|
64
|
-
if mask != ((1 << @prefixlen) - 1)
|
65
|
-
fail InvalidCIDR, "#{inspect} is not a valid CIDR network address"
|
66
|
-
end
|
67
|
-
end
|
68
|
-
return @prefixlen
|
69
|
-
end
|
70
|
-
end
|
71
|
-
end
|