conjur-api 5.3.7 → 5.3.8.pre.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- metadata +23 -193
- data/.codeclimate.yml +0 -10
- data/.dockerignore +0 -1
- data/.github/CODEOWNERS +0 -10
- data/.gitignore +0 -32
- data/.gitleaks.toml +0 -219
- data/.overcommit.yml +0 -16
- data/.project +0 -18
- data/.rubocop.yml +0 -3
- data/.rubocop_settings.yml +0 -86
- data/.rubocop_todo.yml +0 -709
- data/.yardopts +0 -1
- data/CHANGELOG.md +0 -433
- data/CONTRIBUTING.md +0 -141
- data/Dockerfile +0 -16
- data/Gemfile +0 -7
- data/Jenkinsfile +0 -168
- data/LICENSE +0 -202
- data/README.md +0 -162
- data/Rakefile +0 -47
- data/SECURITY.md +0 -42
- data/bin/parse-changelog.sh +0 -12
- data/ci/configure_v4.sh +0 -12
- data/ci/configure_v5.sh +0 -14
- data/ci/submit-coverage +0 -36
- data/conjur-api.gemspec +0 -40
- data/dev/Dockerfile.dev +0 -12
- data/dev/docker-compose.yml +0 -56
- data/dev/start +0 -22
- data/dev/stop +0 -5
- data/docker-compose.yml +0 -76
- data/example/demo_v4.rb +0 -49
- data/example/demo_v5.rb +0 -57
- data/features/authenticators.feature +0 -33
- data/features/authn_local.feature +0 -32
- data/features/exists.feature +0 -37
- data/features/group.feature +0 -11
- data/features/host.feature +0 -50
- data/features/host_factory_create_host.feature +0 -28
- data/features/host_factory_token.feature +0 -63
- data/features/load_policy.feature +0 -61
- data/features/members.feature +0 -51
- data/features/new_api.feature +0 -36
- data/features/permitted.feature +0 -70
- data/features/permitted_roles.feature +0 -30
- data/features/public_keys.feature +0 -11
- data/features/resource_fields.feature +0 -53
- data/features/role_fields.feature +0 -15
- data/features/rotate_api_key.feature +0 -13
- data/features/step_definitions/api_steps.rb +0 -18
- data/features/step_definitions/policy_steps.rb +0 -75
- data/features/step_definitions/result_steps.rb +0 -7
- data/features/support/env.rb +0 -18
- data/features/support/hooks.rb +0 -3
- data/features/support/world.rb +0 -12
- data/features/update_password.feature +0 -14
- data/features/user.feature +0 -58
- data/features/variable_fields.feature +0 -20
- data/features/variable_value.feature +0 -60
- data/features_v4/authn_local.feature +0 -27
- data/features_v4/exists.feature +0 -29
- data/features_v4/host.feature +0 -18
- data/features_v4/host_factory_token.feature +0 -49
- data/features_v4/members.feature +0 -39
- data/features_v4/permitted.feature +0 -15
- data/features_v4/permitted_roles.feature +0 -8
- data/features_v4/resource_fields.feature +0 -47
- data/features_v4/rotate_api_key.feature +0 -13
- data/features_v4/step_definitions/api_steps.rb +0 -17
- data/features_v4/step_definitions/result_steps.rb +0 -3
- data/features_v4/support/env.rb +0 -23
- data/features_v4/support/policy.yml +0 -34
- data/features_v4/support/world.rb +0 -12
- data/features_v4/variable_fields.feature +0 -11
- data/features_v4/variable_value.feature +0 -54
- data/lib/conjur/acts_as_resource.rb +0 -123
- data/lib/conjur/acts_as_role.rb +0 -142
- data/lib/conjur/acts_as_rolsource.rb +0 -32
- data/lib/conjur/acts_as_user.rb +0 -68
- data/lib/conjur/api/authenticators.rb +0 -35
- data/lib/conjur/api/authn.rb +0 -125
- data/lib/conjur/api/host_factories.rb +0 -71
- data/lib/conjur/api/ldap_sync.rb +0 -38
- data/lib/conjur/api/policies.rb +0 -56
- data/lib/conjur/api/pubkeys.rb +0 -53
- data/lib/conjur/api/resources.rb +0 -109
- data/lib/conjur/api/roles.rb +0 -98
- data/lib/conjur/api/router/v4.rb +0 -206
- data/lib/conjur/api/router/v5.rb +0 -248
- data/lib/conjur/api/variables.rb +0 -59
- data/lib/conjur/api.rb +0 -105
- data/lib/conjur/base.rb +0 -355
- data/lib/conjur/base_object.rb +0 -57
- data/lib/conjur/build_object.rb +0 -47
- data/lib/conjur/cache.rb +0 -26
- data/lib/conjur/cert_utils.rb +0 -63
- data/lib/conjur/cidr.rb +0 -71
- data/lib/conjur/configuration.rb +0 -460
- data/lib/conjur/escape.rb +0 -129
- data/lib/conjur/exceptions.rb +0 -4
- data/lib/conjur/group.rb +0 -41
- data/lib/conjur/has_attributes.rb +0 -98
- data/lib/conjur/host.rb +0 -27
- data/lib/conjur/host_factory.rb +0 -75
- data/lib/conjur/host_factory_token.rb +0 -78
- data/lib/conjur/id.rb +0 -71
- data/lib/conjur/layer.rb +0 -9
- data/lib/conjur/log.rb +0 -72
- data/lib/conjur/log_source.rb +0 -60
- data/lib/conjur/policy.rb +0 -34
- data/lib/conjur/policy_load_result.rb +0 -61
- data/lib/conjur/query_string.rb +0 -12
- data/lib/conjur/resource.rb +0 -29
- data/lib/conjur/role.rb +0 -29
- data/lib/conjur/role_grant.rb +0 -85
- data/lib/conjur/routing.rb +0 -29
- data/lib/conjur/user.rb +0 -40
- data/lib/conjur/variable.rb +0 -208
- data/lib/conjur/webservice.rb +0 -30
- data/lib/conjur-api/version.rb +0 -24
- data/lib/conjur-api.rb +0 -2
- data/publish.sh +0 -5
- data/spec/api/host_factories_spec.rb +0 -34
- data/spec/api_spec.rb +0 -254
- data/spec/base_object_spec.rb +0 -13
- data/spec/cert_utils_spec.rb +0 -173
- data/spec/cidr_spec.rb +0 -34
- data/spec/configuration_spec.rb +0 -330
- data/spec/has_attributes_spec.rb +0 -63
- data/spec/helpers/errors_matcher.rb +0 -34
- data/spec/helpers/request_helpers.rb +0 -10
- data/spec/id_spec.rb +0 -29
- data/spec/ldap_sync_spec.rb +0 -21
- data/spec/log_source_spec.rb +0 -13
- data/spec/log_spec.rb +0 -42
- data/spec/roles_spec.rb +0 -24
- data/spec/spec_helper.rb +0 -113
- data/spec/ssl_spec.rb +0 -109
- data/spec/uri_escape_spec.rb +0 -21
- data/test.sh +0 -73
- data/tmp/.keep +0 -0
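--- a/data/lib/conjur/configuration.rb
+++ /dev/null
@@ -1,460 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-require 'openssl'
-require 'set'
-require 'conjur/cert_utils'
-
-module Conjur
-class << self
-# Saves the current thread local {Conjur::Configuration},
-# sets the thread local {Conjur::Configuration} to `config`, yields to the block, and ensures that
-# the original thread local configuration is restored.
-#
-# Because Conjur configuration is accessed from the 'global' {Conjur.configuration} method by all Conjur
-# API methods, this method provides the ability to set a thread local value for use within the current,
-# or within a block in a single threaded application.
-#
-# Note that the {Conjur.configuration=} method sets the *global* {Conjur::Configuration}, not the thread-local
-# value.
-#
-# @example Override Configuration in a Thread
-# # in this rather contrived example, we'll override the {Conjur::Configuration#appliance_url} parameter
-# # used by calls within a thread.
-#
-# # Set up the configuration in the main thread
-# Conjur.configure do |c|
-# # ...
-# c.appliance_url = 'https://conjur.main-url.com/api'
-# end
-#
-# # Start a new thread that will perform requests to another server. In practice, you might
-# # have a web server that uses a Conjur endpoint specified by a request header.
-# Thread.new do
-# Conjur.with_configuration Conjur.config.clone(appliance_url: 'https://conjur.local-url.com/api') do
-# sleep 2
-# puts "Thread local url is #{Conjur.config.appliance_url}"
-# end
-# end
-# puts "Global url is #{Conjur.config.appliance_url}"
-# # Outputs:
-# Global url is https://conjur.main-url.com/api
-# Thread local url is https://conjur.local-url.com/api
-#
-# @return [void]
-def with_configuration(config)
-oldvalue = Thread.current[:conjur_configuration]
-Thread.current[:conjur_configuration] = config
-yield
-ensure
-Thread.current[:conjur_configuration] = oldvalue
-end
-
-# Gets the current thread-local or global configuration.
-#
-# The thread-local Conjur configuration can only be set using the {Conjur.with_configuration}
-# method. This method will try to return that value first, then the global configuration as
-# set with {Conjur.configuration=} (which is lazily initialized if not set).
-#
-# @return [Conjur::Configuration] the thread-local or global Conjur configuration.
-def configuration
-Thread.current[:conjur_configuration] || (@config ||= Configuration.new)
-end
-
-# Sets the global configuration.
-#
-# This method *has no effect* on the thread local configuration. Use {Conjur.with_configuration} instead if
-# that's what you want.
-#
-# @param [Conjur::Configuration] config the new configuration
-# @return [Conjur::Configuration] the new value of the configuration
-def configuration=(config)
-@config = config
-end
-
-alias config configuration
-alias config= configuration=
-
-# Configure Conjur with a block.
-#
-# @example
-# Conjur.configure do |c|
-# c.account = 'some-account'
-# c.appliance_url = 'https://conjur.companyname.com/api'
-# end
-#
-# @yieldparam [Conjur::Configuration] c the configuration instance to modify.
-def configure
-yield configuration
-end
-end
-
-# Stores a configuration for the Conjur API client. This class provides *global* and *thread local* storage
-# for common options used by the Conjur API. Most importantly, it specifies the
-#
-# * REST endpoints, derived from the {Conjur::Configuration#appliance_url} and {Conjur::Configuration#account} options
-# * The certificate used for secure connections to the Conjur appliance ({Conjur::Configuration#cert_file})
-#
-# ### Environment Variables
-#
-# Option values used by Conjur can be given by environment variables, using a standard naming scheme. Specifically,
-# an environment variable named `CONJUR_ACCOUNT` will be used to provide a default value for the {Conjur::Configuration#account}
-# option.
-#
-#
-# ### Required Options
-#
-# The {Conjur::Configuration#account} and {Conjur::Configuration#appliance_url} are always required. Except in
-# special cases, the {Conjur::Configuration#cert_file} is also required, but you may omit it if your Conjur root
-# certificate is in the OpenSSl default certificate store.
-#
-# ### Thread Local Configuration
-#
-# While using a globally available configuration is convenient for most applications, sometimes you will need to
-# use different configurations in different threads. This is supported by returning a thread local version from {Conjur.configuration}
-# if one has been set by {Conjur.with_configuration}.
-#
-# @see Conjur.configuration
-# @see Conjur.configure
-# @see Conjur.with_configuration
-#
-# @example Basic Configuration
-# Conjur.configure do |c|
-# c.account = 'the-account'
-# c.cert_file = find_conjur_cert_file
-# end
-#
-# @example Setting the appliance_url from an environment variable
-# ENV['CONJUR_APPLIANCE_URL'] = 'https://some-host.com/api'
-# Conjur::Configuration.new.appliance_url # => 'https://some-host.com/api'
-#
-# @example Using thread local configuration in a web application request handler
-# # Assume that we're in a request handler thread in a multithreaded web server.
-#
-# requested_appliance_url = request.header 'X-Conjur-Appliance-Url'
-#
-# with_configuration Conjur.config.clone(appliance_url: requested_appliance_url) do
-# # `api` is an instance attribute. Note that we can use an api that was created
-# # before we modified the thread local configuration.
-#
-#
-# # 404 if the user doesn't exist
-#
-# user = api.user request.header('X-Conjur-Login')
-# raise HttpError, 404, "User #{user.login} does not exist" unless user.exists?
-# # ... finish the request
-# end
-#
-#
-class Configuration
-# @api private
-attr_reader :explicit
-
-# @api private
-attr_reader :supplied
-
-# @api private
-attr_reader :computed
-
-# Create a new {Conjur::Configuration}, setting initial values from
-# `options`.
-#
-# @note `options` must use symbols for keys.
-#
-# @example
-# Conjur.config = Conjur::Configuration.new account: 'companyname'
-# Conjur.config.account # => 'companyname'
-#
-# @param [Hash] options hash of options to set on the new instance.
-#
-def initialize options = {}
-@explicit = options.dup
-@supplied = options.dup
-@computed = Hash.new
-end
-
-class << self
-# @api private
-def accepted_options
-require 'set'
-@options ||= Set.new
-end
-
-# @param [Symbol] name
-# @param [Hash] options
-# @option options [Boolean] :boolean (false) whether this option should have a '?' accessor
-# @option options [Boolean, String] :env Environment variable for this option. Set to false
-# to disallow environment based configuration. Default is CONJUR_<OPTION_NAME>.
-# @option options [Proc, *] :default Default value or proc to provide it
-# @option options [Boolean] :required (false) when true, raise an exception if the option is
-# not set
-# @option options [Proc, #to_proc] :convert proc-ish to convert environment
-# values to appropriate types
-# @param [Proc] def_proc block to provide default values
-# @api private
-def add_option name, options = {}, &def_proc
-accepted_options << name
-allow_env = options[:env].nil? || options[:env]
-env_var = options[:env] || "CONJUR_#{name.to_s.upcase}"
-def_val = options[:default]
-opt_name = name
-
-def_proc ||= if def_val.respond_to?(:call)
-def_val
-elsif options[:required]
-proc { raise "Missing required option #{opt_name}" }
-else
-proc { def_val }
-end
-
-convert = options[:convert] || ->(x){ x }
-# Allow a Symbol, for example
-convert = convert.to_proc if convert.respond_to?(:to_proc)
-
-define_method("#{name}=") do |value|
-set name, value
-end
-
-define_method("#{name}_env_var") do
-allow_env ? env_var : nil
-end
-
-define_method(name) do
-value = computed[name]
-return value unless value.nil?
-
-if supplied.member?(name)
-supplied[name]
-elsif allow_env && ENV.member?(env_var)
-instance_exec(ENV[env_var], &convert)
-else
-instance_eval(&def_proc)
-end.tap do |value|
-computed[name] = value
-end
-end
-
-alias_method("#{name}?", name) if options[:boolean]
-end
-end
-
-# Return a copy of this {Conjur::Configuration} instance, optionally
-# updating the copy with options from the `override_options` hash.
-#
-# @example
-# original = Conjur.configuration
-# original.account # => 'conjur'
-# copy = original.clone account: 'some-other-account'
-# copy.account # => 'some-other-account'
-# original.account # => 'conjur'
-#
-# @param [Hash] override_options options to set on the new instance
-# @return [Conjur::Configuration] a copy of this configuration
-def clone override_options = {}
-self.class.new self.explicit.dup.merge(override_options)
-end
-
-# Manually set an option. Note that setting an option not present in
-# {Conjur::Configuration.accepted_options} is a no op.
-# @api private
-# @param [Symbol, String] key the name of the option to set
-# @param [Object] value the option value.
-def set(key, value)
-if self.class.accepted_options.include?(key.to_sym)
-explicit[key.to_sym] = value
-supplied[key.to_sym] = value
-computed.clear
-end
-end
-
-# @!attribute authn_url
-#
-# The url for the {http://developer.conjur.net/reference/services/authentication Conjur authentication service}.
-#
-# By default, this will be built from the +appliance_url+. To use a custom authenticator,
-# set this option in code or set `CONJUR_AUTHN_URL`.
-#
-#
-# @return [String] the authentication service url
-add_option :authn_url do
-global_service_url 0, service_name: 'authn'
-end
-
-# @!attribute core_url
-#
-# The url for the core Conjur services.
-#
-# @note You should not generally set this value. Instead, Conjur will derive it from the
-# {Conjur::Configuration#account} and {Conjur::Configuration#appliance_url}
-# properties.
-#
-# @return [String] the base service url
-add_option :core_url do
-global_service_url 0
-end
-
-# @!attribute appliance_url
-# The url for your Conjur appliance.
-#
-# If your appliance's hostname is `'conjur.companyname.com'`, then your `appliance_url` will
-# be `'https://conjur.companyname.com/api'`.
-#
-# @note If you are using an appliance (if you're not sure, you probably are), this option is *required*.
-#
-# @return [String] the appliance URL
-add_option :appliance_url
-
-# NOTE DO NOT DOCUMENT THIS AS AN ATTRIBUTE, IT IS PRIVATE AND YARD DOESN'T SUPPORT @api private ON ATTRIBUTES.
-#
-# The port used to derive ports for conjur services running locally. You will only use this if you are
-# running the Conjur services locally, in which case you are probably a Conjur developer, and should ask
-# someone in chat ;-)
-#
-add_option :service_base_port, default: 5000
-
-# @!attribute account
-# The organizational account used by Conjur.
-#
-# On Conjur appliances, this option will be set once when the appliance is first configured. You can get the
-# value for the acccount option from your conjur administrator, or if you have installed
-# the {http://developer.conjur.net/client_setup/cli.html Conjur command line tools} by running
-# {http://developer.conjur.net/reference/services/authentication/whoami.html conjur authn whoami},
-# or examining your {http://developer.conjur.net/client_setup/cli.html#Configure .conjurrc file}.
-#
-# @note this option is **required**, and attempting to make any api calls prior to setting it (either
-# explicitly or with the `"CONJUR_ACCOUNT"` environment variable) will raise an exception.
-#
-# @return [String]
-add_option :account, required: true
-
-# @!attribute cert_file
-#
-# Path to the certificate file to use when making secure connections to your Conjur appliance.
-#
-# This should be the path to the root Conjur SSL certificate in PEM format. You will normally get the
-# certificate file using the {http://developer.conjur.net/reference/tools/utilities/init.html conjur init} command.
-# This option is not required if the certificate or its root is in the OpenSSL default cert store.
-# If your program throws an error indicating that SSL verification has failed, you probably need
-# to set or fix this option.
-#
-# @return [String, nil] path to the certificate file, or nil if you aren't using one.
-add_option :cert_file
-
-# @!attribute ssl_certificate
-#
-# Contents of a certificate file. This can be used instead of :cert_file in environments like Heroku where you
-# can't use a certificate file.
-#
-# This option overrides the value of {#cert_file} if both are given, and issues a warning.
-#
-# @see cert_file
-add_option :ssl_certificate
-
-# @!attribute rest_client_options
-#
-# Custom options for the underlying RestClient Requests. This defaults to:
-# ```
-# {
-# ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
-# }
-# ``
-#
-# The `ssl_cert_store` value aligns with the default certificate store used by
-# {#apply_cert_config!}.
-#
-# NOTE: When setting the value of rest_client_options the defaults are not retained,
-# you must manually set them on the value you provide.
-add_option :rest_client_options do
-{
-ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
-}
-end
-
-# @!attribute version
-#
-# Selects the major API version of the Conjur server. With this setting, the API
-# will use the routing scheme for API version `4` or `5`.
-#
-# Methods which are not available in the selected version will raise NoMethodError.
-add_option :version, default: 5
-
-# @!attribute authn_local_socket
-#
-# File path to the Unix socket used for local authentication.
-# This is only available when the API client is running on the Conjur server.
-add_option :authn_local_socket, default: "/run/authn-local/.socket"
-
-# Create rest_client_options by merging the input with the
-# rest_client_options present on the configuration object.
-def create_rest_client_options options
-rest_client_options.merge(options || {})
-end
-
-# Calls a major-version-specific function.
-def version_logic v4_logic, v5_logic
-case version.to_s
-when "4"
-v4_logic.call
-when "5"
-v5_logic.call
-else
-raise "Unsupported major version #{version}"
-end
-end
-
-# Add the certificate configured by the {#ssl_certificate} and {#cert_file} options to the certificate
-# store used by Conjur clients.
-#
-# NOTE: If you specify a non-default `store` value, you must manually set the
-# `ssl_cert_store` value on {#rest_client_options} to the same value.
-#
-# @param [OpenSSL::X509::Store] store the certificate store that the certificate will be installed in.
-# @return [Boolean] whether a certificate was added to the store.
-def apply_cert_config! store=OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
-if ssl_certificate
-CertUtils.add_chained_cert(store, ssl_certificate)
-elsif cert_file
-ensure_cert_readable!(cert_file)
-store.add_file cert_file
-else
-return false
-end
-true
-end
-
-private
-
-def global_service_url service_port_offset, service_name: nil
-if appliance_url
-URI.join([appliance_url, service_name].compact.join('/')).to_s
-else
-"http://localhost:#{service_base_port + service_port_offset}"
-end
-end
-
-def ensure_cert_readable!(path)
-# Try to open the file to make sure it exists and that it's
-# readable. Don't rescue exceptions from it, just let them
-# propagate.
-File.open(path) {}
-end
-end
-end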
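--- a/data/lib/conjur/escape.rb
+++ /dev/null
@@ -1,129 +0,0 @@
-#
-# Copyright (C) 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-
-# Provides helpers for escaping url components.
-#
-# The helpers are added as both class and isntance methods.
-module Escape
-module ClassMethods
-# URL escape the entire string. This is essentially the same as calling `CGI.escape str`,
-# and then substituting `%20` for `+`.
-#
-# @example
-# fully_escape 'foo/bar@baz'
-# # => "foo%2Fbar%40baz"
-#
-# @example
-# fully_escape 'test/Domain Controllers'
-# # => "test%2FDomain%20Controllers"
-#
-# @param [String] str the string to escape
-# @return [String] the escaped string
-def fully_escape(str)
-# CGI escape uses + for spaces, which our services don't support :-(
-# We just gsub it.
-CGI.escape(str.to_s).gsub('+', '%20')
-end
-
-
-# Escape a URI path component.
-#
-# This method simply calls {Conjur::Escape::ClassMethods#path_or_query_escape}.
-#
-# @param [String] str the string to escape
-# @return [String] the escaped string
-# @see Conjur::Escape::ClassMethods#path_or_query_escape
-def path_escape(str)
-path_or_query_escape str
-end
-
-# Escape a URI query value.
-#
-# This method simply calls {Conjur::Escape::ClassMethods#path_or_query_escape}.
-#
-# @param [String] str the string to escape
-# @return [String] the escaped string
-# @see Conjur::Escape::ClassMethods#path_or_query_escape
-def query_escape(str)
-path_or_query_escape str
-end
-
-# Escape a path or query value.
-#
-# This method is *similar* to `URI.escape`, but it has several important differences:
-# * If a falsey value is given, the string `"false"` is returned.
-# * If the value given responds to `#id`, the value returned by `str.id` is escaped instead.
-# * The value is escaped without modifying `':'` or `'/'`.
-#
-# @param [String, FalseClass, NilClass, #id] str the value to escape
-# @return [String] the value escaped as described
-def path_or_query_escape(str)
-return "false" unless str
-str = str.id if str.respond_to?(:id)
-# Leave colons and forward slashes alone
-require 'addressable/uri'
-Addressable::URI.encode(str.to_s)
-end
-end
-
-# @api private
-def self.included(base)
-base.extend ClassMethods
-end
-
-# URL escape the entire string. This is essentially the same as calling `CGI.escape str`.
-#
-# @example
-# fully_escape 'foo/bar@baz'
-# # => "foo%2Fbar%40baz"
-#
-# @param [String] str the string to escape
-# @return [String] the escaped string
-# @see Conjur::Escape::ClassMethods#fully_escape
-def fully_escape(str)
-self.class.fully_escape str
-end
-
-# Escape a URI path component.
-#
-# This method simply calls {Conjur::Escape::ClassMethods#path_or_query_escape}.
-#
-# @param [String] str the string to escape
-# @return [String] the escaped string
-# @see Conjur::Escape::ClassMethods#path_or_query_escape
-def path_escape(str)
-self.class.path_escape str
-end
-
-
-# Escape a URI query value.
-#
-# This method simply calls {Conjur::Escape::ClassMethods#path_or_query_escape}.
-#
-# @param [String] str the string to escape
-# @return [String] the escaped string
-# @see Conjur::Escape::ClassMethods#path_or_query_escape
-def query_escape(str)
-self.class.query_escape str
-end
-end
-end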
data/lib/conjur/exceptions.rb
DELETED
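--- a/data/lib/conjur/group.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright 2013-2017 Conjur Inc.
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-
-# A Conjur Group represents a collection of Conjur Users, Groups and Layers.
-#
-class Group < BaseObject
-include ActsAsRolsource
-
-# Get the group's gidnumber, which can be used by LDAP and SSH login, among other things.
-#
-# @return [Fixnum] the gidnumber
-# @raise [RestClient::Forbidden] if you don't have permission to `show` the group.
-def gidnumber
-parser_for(:group_gidnumber, group_attributes)
-end
-
-private
-
-def group_attributes
-@group_attributes ||= url_for(:group_attributes, credentials, self, id)
-end
-end
-end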