conjur-api 5.3.7 → 5.3.8.pre.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- metadata +23 -193
- data/.codeclimate.yml +0 -10
- data/.dockerignore +0 -1
- data/.github/CODEOWNERS +0 -10
- data/.gitignore +0 -32
- data/.gitleaks.toml +0 -219
- data/.overcommit.yml +0 -16
- data/.project +0 -18
- data/.rubocop.yml +0 -3
- data/.rubocop_settings.yml +0 -86
- data/.rubocop_todo.yml +0 -709
- data/.yardopts +0 -1
- data/CHANGELOG.md +0 -433
- data/CONTRIBUTING.md +0 -141
- data/Dockerfile +0 -16
- data/Gemfile +0 -7
- data/Jenkinsfile +0 -168
- data/LICENSE +0 -202
- data/README.md +0 -162
- data/Rakefile +0 -47
- data/SECURITY.md +0 -42
- data/bin/parse-changelog.sh +0 -12
- data/ci/configure_v4.sh +0 -12
- data/ci/configure_v5.sh +0 -14
- data/ci/submit-coverage +0 -36
- data/conjur-api.gemspec +0 -40
- data/dev/Dockerfile.dev +0 -12
- data/dev/docker-compose.yml +0 -56
- data/dev/start +0 -22
- data/dev/stop +0 -5
- data/docker-compose.yml +0 -76
- data/example/demo_v4.rb +0 -49
- data/example/demo_v5.rb +0 -57
- data/features/authenticators.feature +0 -33
- data/features/authn_local.feature +0 -32
- data/features/exists.feature +0 -37
- data/features/group.feature +0 -11
- data/features/host.feature +0 -50
- data/features/host_factory_create_host.feature +0 -28
- data/features/host_factory_token.feature +0 -63
- data/features/load_policy.feature +0 -61
- data/features/members.feature +0 -51
- data/features/new_api.feature +0 -36
- data/features/permitted.feature +0 -70
- data/features/permitted_roles.feature +0 -30
- data/features/public_keys.feature +0 -11
- data/features/resource_fields.feature +0 -53
- data/features/role_fields.feature +0 -15
- data/features/rotate_api_key.feature +0 -13
- data/features/step_definitions/api_steps.rb +0 -18
- data/features/step_definitions/policy_steps.rb +0 -75
- data/features/step_definitions/result_steps.rb +0 -7
- data/features/support/env.rb +0 -18
- data/features/support/hooks.rb +0 -3
- data/features/support/world.rb +0 -12
- data/features/update_password.feature +0 -14
- data/features/user.feature +0 -58
- data/features/variable_fields.feature +0 -20
- data/features/variable_value.feature +0 -60
- data/features_v4/authn_local.feature +0 -27
- data/features_v4/exists.feature +0 -29
- data/features_v4/host.feature +0 -18
- data/features_v4/host_factory_token.feature +0 -49
- data/features_v4/members.feature +0 -39
- data/features_v4/permitted.feature +0 -15
- data/features_v4/permitted_roles.feature +0 -8
- data/features_v4/resource_fields.feature +0 -47
- data/features_v4/rotate_api_key.feature +0 -13
- data/features_v4/step_definitions/api_steps.rb +0 -17
- data/features_v4/step_definitions/result_steps.rb +0 -3
- data/features_v4/support/env.rb +0 -23
- data/features_v4/support/policy.yml +0 -34
- data/features_v4/support/world.rb +0 -12
- data/features_v4/variable_fields.feature +0 -11
- data/features_v4/variable_value.feature +0 -54
- data/lib/conjur/acts_as_resource.rb +0 -123
- data/lib/conjur/acts_as_role.rb +0 -142
- data/lib/conjur/acts_as_rolsource.rb +0 -32
- data/lib/conjur/acts_as_user.rb +0 -68
- data/lib/conjur/api/authenticators.rb +0 -35
- data/lib/conjur/api/authn.rb +0 -125
- data/lib/conjur/api/host_factories.rb +0 -71
- data/lib/conjur/api/ldap_sync.rb +0 -38
- data/lib/conjur/api/policies.rb +0 -56
- data/lib/conjur/api/pubkeys.rb +0 -53
- data/lib/conjur/api/resources.rb +0 -109
- data/lib/conjur/api/roles.rb +0 -98
- data/lib/conjur/api/router/v4.rb +0 -206
- data/lib/conjur/api/router/v5.rb +0 -248
- data/lib/conjur/api/variables.rb +0 -59
- data/lib/conjur/api.rb +0 -105
- data/lib/conjur/base.rb +0 -355
- data/lib/conjur/base_object.rb +0 -57
- data/lib/conjur/build_object.rb +0 -47
- data/lib/conjur/cache.rb +0 -26
- data/lib/conjur/cert_utils.rb +0 -63
- data/lib/conjur/cidr.rb +0 -71
- data/lib/conjur/configuration.rb +0 -460
- data/lib/conjur/escape.rb +0 -129
- data/lib/conjur/exceptions.rb +0 -4
- data/lib/conjur/group.rb +0 -41
- data/lib/conjur/has_attributes.rb +0 -98
- data/lib/conjur/host.rb +0 -27
- data/lib/conjur/host_factory.rb +0 -75
- data/lib/conjur/host_factory_token.rb +0 -78
- data/lib/conjur/id.rb +0 -71
- data/lib/conjur/layer.rb +0 -9
- data/lib/conjur/log.rb +0 -72
- data/lib/conjur/log_source.rb +0 -60
- data/lib/conjur/policy.rb +0 -34
- data/lib/conjur/policy_load_result.rb +0 -61
- data/lib/conjur/query_string.rb +0 -12
- data/lib/conjur/resource.rb +0 -29
- data/lib/conjur/role.rb +0 -29
- data/lib/conjur/role_grant.rb +0 -85
- data/lib/conjur/routing.rb +0 -29
- data/lib/conjur/user.rb +0 -40
- data/lib/conjur/variable.rb +0 -208
- data/lib/conjur/webservice.rb +0 -30
- data/lib/conjur-api/version.rb +0 -24
- data/lib/conjur-api.rb +0 -2
- data/publish.sh +0 -5
- data/spec/api/host_factories_spec.rb +0 -34
- data/spec/api_spec.rb +0 -254
- data/spec/base_object_spec.rb +0 -13
- data/spec/cert_utils_spec.rb +0 -173
- data/spec/cidr_spec.rb +0 -34
- data/spec/configuration_spec.rb +0 -330
- data/spec/has_attributes_spec.rb +0 -63
- data/spec/helpers/errors_matcher.rb +0 -34
- data/spec/helpers/request_helpers.rb +0 -10
- data/spec/id_spec.rb +0 -29
- data/spec/ldap_sync_spec.rb +0 -21
- data/spec/log_source_spec.rb +0 -13
- data/spec/log_spec.rb +0 -42
- data/spec/roles_spec.rb +0 -24
- data/spec/spec_helper.rb +0 -113
- data/spec/ssl_spec.rb +0 -109
- data/spec/uri_escape_spec.rb +0 -21
- data/test.sh +0 -73
- data/tmp/.keep +0 -0
@@ -1,49 +0,0 @@
|
|
1
|
-
Feature: Working with host factory tokens.
|
2
|
-
|
3
|
-
Background:
|
4
|
-
Given I run the code:
|
5
|
-
"""
|
6
|
-
@expiration = (DateTime.now + 1.hour).change(sec: 0)
|
7
|
-
"""
|
8
|
-
|
9
|
-
|
10
|
-
Scenario: Create a new host factory token.
|
11
|
-
When I run the code:
|
12
|
-
"""
|
13
|
-
@token = $host_factory.create_token(@expiration)
|
14
|
-
"""
|
15
|
-
Then I can run the code:
|
16
|
-
"""
|
17
|
-
expect(@token).to be_instance_of(Conjur::HostFactoryToken)
|
18
|
-
expect(@token.token).to be_instance_of(String)
|
19
|
-
expiration = @token.expiration
|
20
|
-
expiration = expiration.change(sec: 0)
|
21
|
-
expect(expiration).to eq(@expiration)
|
22
|
-
"""
|
23
|
-
|
24
|
-
Scenario: Create multiple new host factory tokens.
|
25
|
-
When I run the code:
|
26
|
-
"""
|
27
|
-
$host_factory.create_tokens @expiration, count: 2
|
28
|
-
"""
|
29
|
-
Then the JSON should have 2 items
|
30
|
-
|
31
|
-
Scenario: Revoke a host factory token using the token object.
|
32
|
-
When I run the code:
|
33
|
-
"""
|
34
|
-
@token = $host_factory.create_token @expiration
|
35
|
-
"""
|
36
|
-
Then I can run the code:
|
37
|
-
"""
|
38
|
-
@token.revoke
|
39
|
-
"""
|
40
|
-
|
41
|
-
Scenario: Revoke a host factory token using the API.
|
42
|
-
When I run the code:
|
43
|
-
"""
|
44
|
-
@token = $host_factory.create_token @expiration
|
45
|
-
"""
|
46
|
-
Then I can run the code:
|
47
|
-
"""
|
48
|
-
$conjur.revoke_host_factory_token @token.token
|
49
|
-
"""
|
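--- a/data/features_v4/members.feature
+++ b/data/features_v4/members.feature
@@ -1,39 +0,0 @@
-Feature: Display role members and memberships.
-
-Scenario: Show a role's members.
-When I run the code:
-"""
-$conjur.role('cucumber:group:everyone').members.map(&:as_json)
-"""
-Then the JSON should be:
-"""
-[
-{
-"admin_option": false,
-"member": "cucumber:group:developers",
-"role": "cucumber:group:everyone"
-},
-{
-"admin_option": true,
-"member": "cucumber:group:security_admin",
-"role": "cucumber:group:everyone"
-}
-]
-"""
-
-Scenario: Show a role's memberships.
-When I run the code:
-"""
-$conjur.role('cucumber:group:developers').memberships.map(&:as_json)
-"""
-Then the JSON should be:
-"""
-[
-{
-"id": "cucumber:group:developers"
-},
-{
-"id": "cucumber:group:everyone"
-}
-]
-"""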
@@ -1,15 +0,0 @@
|
|
1
|
-
Feature: Check if a role has permission on a resource.
|
2
|
-
|
3
|
-
Scenario: Check if the current user has the privilege.
|
4
|
-
When I run the code:
|
5
|
-
"""
|
6
|
-
$conjur.resource('cucumber:variable:db-password').permitted? 'execute'
|
7
|
-
"""
|
8
|
-
Then the result should be "true"
|
9
|
-
|
10
|
-
Scenario: Check if a different user has the privilege.
|
11
|
-
When I run the code:
|
12
|
-
"""
|
13
|
-
$conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:bob"
|
14
|
-
"""
|
15
|
-
Then the result should be "false"
|
@@ -1,8 +0,0 @@
|
|
1
|
-
Feature: Enumerate roles which have a permission on a resource.
|
2
|
-
|
3
|
-
Scenario: Permitted roles can be enumerated.
|
4
|
-
When I run the code:
|
5
|
-
"""
|
6
|
-
$conjur.resource('cucumber:variable:db-password').permitted_roles 'execute'
|
7
|
-
"""
|
8
|
-
Then the JSON should include "cucumber:layer:myapp"
|
@@ -1,47 +0,0 @@
|
|
1
|
-
Feature: Display basic resource fields.
|
2
|
-
|
3
|
-
Scenario: Group exposes id, kind, identifier, and gidnumber.
|
4
|
-
When I run the code:
|
5
|
-
"""
|
6
|
-
resource = $conjur.resource('cucumber:group:developers')
|
7
|
-
[ resource.id, resource.account, resource.kind, resource.identifier, resource.gidnumber ]
|
8
|
-
"""
|
9
|
-
Then the JSON should be:
|
10
|
-
"""
|
11
|
-
[
|
12
|
-
"cucumber:group:developers",
|
13
|
-
"cucumber",
|
14
|
-
"group",
|
15
|
-
"developers",
|
16
|
-
2000
|
17
|
-
]
|
18
|
-
"""
|
19
|
-
|
20
|
-
Scenario: User exposes id, kind, identifier, and uidnumber.
|
21
|
-
When I run the code:
|
22
|
-
"""
|
23
|
-
resource = $conjur.resource('cucumber:user:alice')
|
24
|
-
[ resource.id, resource.account, resource.kind, resource.identifier, resource.uidnumber ]
|
25
|
-
"""
|
26
|
-
Then the JSON should be:
|
27
|
-
"""
|
28
|
-
[
|
29
|
-
"cucumber:user:alice",
|
30
|
-
"cucumber",
|
31
|
-
"user",
|
32
|
-
"alice",
|
33
|
-
2000
|
34
|
-
]
|
35
|
-
"""
|
36
|
-
|
37
|
-
Scenario: Resource#owner is the owner object
|
38
|
-
When I run the code:
|
39
|
-
"""
|
40
|
-
$conjur.resource('cucumber:group:developers').owner.id
|
41
|
-
"""
|
42
|
-
Then the result should be "cucumber:group:security_admin"
|
43
|
-
And I run the code:
|
44
|
-
"""
|
45
|
-
$conjur.resource('cucumber:group:developers').class
|
46
|
-
"""
|
47
|
-
Then the result should be "Conjur::Group"
|
@@ -1,13 +0,0 @@
|
|
1
|
-
Feature: Rotate the API key.
|
2
|
-
|
3
|
-
Scenario: Logged-in user can rotate the API key.
|
4
|
-
When I run the code:
|
5
|
-
"""
|
6
|
-
$conjur.role('cucumber:user:alice').rotate_api_key
|
7
|
-
"""
|
8
|
-
Then I can run the code:
|
9
|
-
"""
|
10
|
-
@api_key = @result.strip
|
11
|
-
@conjur = Conjur::API.new_from_key 'alice', @api_key
|
12
|
-
@conjur.token
|
13
|
-
"""
|
@@ -1,17 +0,0 @@
|
|
1
|
-
Given(/^a new host$/) do
|
2
|
-
@host_id = "app-#{random_hex}"
|
3
|
-
host = Conjur::API.host_factory_create_host($token, @host_id)
|
4
|
-
@host_api_key = host.api_key
|
5
|
-
expect(@host_api_key).to be
|
6
|
-
|
7
|
-
@host = $conjur.resource("cucumber:host:#{@host_id}")
|
8
|
-
@host.attributes['api_key'] = @host_api_key
|
9
|
-
end
|
10
|
-
|
11
|
-
When(/^I(?: can)? run the code:$/) do |code|
|
12
|
-
@result = eval(code).tap do |result|
|
13
|
-
if ENV['DEBUG']
|
14
|
-
puts result
|
15
|
-
end
|
16
|
-
end
|
17
|
-
end
|
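--- a/data/features_v4/support/env.rb
+++ b/data/features_v4/support/env.rb
@@ -1,23 +0,0 @@
-require 'simplecov'
-
-SimpleCov.start
-
-require 'json_spec/cucumber'
-require 'conjur/api'
-
-Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'https://conjur_4/api'
-Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
-Conjur.configuration.cert_file = "./tmp/conjur.pem"
-Conjur.configuration.authn_local_socket = "/run/authn-local-4/.socket"
-Conjur.configuration.version = 4
-
-Conjur.configuration.apply_cert_config!
-
-$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
-$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
-
-$api_key = Conjur::API.login $username, $password
-$conjur = Conjur::API.new_from_key $username, $api_key
-
-$host_factory = $conjur.resource('cucumber:host_factory:myapp')
-$token = $host_factory.create_token(Time.now + 1.hour)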
@@ -1,34 +0,0 @@
|
|
1
|
-
- !user
|
2
|
-
id: alice
|
3
|
-
uidnumber: 2000
|
4
|
-
|
5
|
-
- !group
|
6
|
-
id: developers
|
7
|
-
gidnumber: 2000
|
8
|
-
|
9
|
-
- !group everyone
|
10
|
-
|
11
|
-
- !grant
|
12
|
-
role: !group everyone
|
13
|
-
member: !group developers
|
14
|
-
|
15
|
-
- !variable db-password
|
16
|
-
|
17
|
-
- !variable ssh-key
|
18
|
-
|
19
|
-
- !variable
|
20
|
-
id: ssl-certificate
|
21
|
-
kind: SSL certificate
|
22
|
-
mime_type: application/x-pem-file
|
23
|
-
|
24
|
-
- !layer myapp
|
25
|
-
|
26
|
-
- !host-factory
|
27
|
-
id: myapp
|
28
|
-
layers: [ !layer myapp ]
|
29
|
-
|
30
|
-
- !permit
|
31
|
-
role: !layer myapp
|
32
|
-
privileges: [ read, execute ]
|
33
|
-
resources:
|
34
|
-
- !variable db-password
|
@@ -1,11 +0,0 @@
|
|
1
|
-
Feature: Display Variable fields.
|
2
|
-
|
3
|
-
Background:
|
4
|
-
When I run the code:
|
5
|
-
"""
|
6
|
-
$conjur.resource('cucumber:variable:ssl-certificate')
|
7
|
-
"""
|
8
|
-
|
9
|
-
Scenario: Display MIME type and kind
|
10
|
-
Then the JSON at "mime_type" should be "application/x-pem-file"
|
11
|
-
And the JSON at "kind" should be "SSL certificate"
|
@@ -1,54 +0,0 @@
|
|
1
|
-
Feature: Work with Variable values.
|
2
|
-
Background:
|
3
|
-
Given I run the code:
|
4
|
-
"""
|
5
|
-
@variable = $conjur.resource("cucumber:variable:db-password")
|
6
|
-
@variable_2 = $conjur.resource("cucumber:variable:ssh-key")
|
7
|
-
"""
|
8
|
-
|
9
|
-
Scenario: Add a value, retrieve the variable metadata and the value.
|
10
|
-
Given I run the code:
|
11
|
-
"""
|
12
|
-
@initial_count = @variable.version_count
|
13
|
-
@variable.add_value 'value-0'
|
14
|
-
"""
|
15
|
-
When I run the code:
|
16
|
-
"""
|
17
|
-
expect(@variable.version_count).to eq(@initial_count + 1)
|
18
|
-
"""
|
19
|
-
And I run the code:
|
20
|
-
"""
|
21
|
-
@variable.value
|
22
|
-
"""
|
23
|
-
Then the result should be "value-0"
|
24
|
-
|
25
|
-
Scenario: Retrieve a historical value.
|
26
|
-
Given I run the code:
|
27
|
-
"""
|
28
|
-
@variable.add_value 'value-0'
|
29
|
-
@variable.add_value 'value-1'
|
30
|
-
@variable.add_value 'value-2'
|
31
|
-
"""
|
32
|
-
When I run the code:
|
33
|
-
"""
|
34
|
-
@variable.value(@variable.version_count - 2)
|
35
|
-
"""
|
36
|
-
Then the result should be "value-0"
|
37
|
-
|
38
|
-
Scenario: Retrieve multiple values in a batch
|
39
|
-
Given I run the code:
|
40
|
-
"""
|
41
|
-
@variable.add_value 'value-0'
|
42
|
-
@variable_2.add_value 'value-2'
|
43
|
-
"""
|
44
|
-
When I run the code:
|
45
|
-
"""
|
46
|
-
$conjur.variable_values([ @variable, @variable_2 ].map(&:id))
|
47
|
-
"""
|
48
|
-
Then the JSON should be:
|
49
|
-
"""
|
50
|
-
{
|
51
|
-
"db-password": "value-0",
|
52
|
-
"ssh-key": "value-2"
|
53
|
-
}
|
54
|
-
"""
|
@@ -1,123 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
|
22
|
-
module Conjur
|
23
|
-
# This module is included in object classes that have resource behavior.
|
24
|
-
module ActsAsResource
|
25
|
-
# @api private
|
26
|
-
def self.included(base)
|
27
|
-
base.include HasAttributes
|
28
|
-
base.include Escape
|
29
|
-
base.extend QueryString
|
30
|
-
end
|
31
|
-
|
32
|
-
# The full role id of the role that owns this resource.
|
33
|
-
#
|
34
|
-
# @example
|
35
|
-
# api.current_role # => 'conjur:user:jon'
|
36
|
-
# resource = api.create_resource 'conjur:example:resource-owner'
|
37
|
-
# resource.owner # => 'conjur:user:jon'
|
38
|
-
#
|
39
|
-
# @return [String] the full role id of this resource's owner.
|
40
|
-
def owner
|
41
|
-
build_object attributes['owner'], default_class: Role
|
42
|
-
end
|
43
|
-
|
44
|
-
# Check whether this object exists by performing a HEAD request to its URL.
|
45
|
-
#
|
46
|
-
# This method will return false if the object doesn't exist.
|
47
|
-
#
|
48
|
-
# @example
|
49
|
-
# does_not_exist = api.user 'does-not-exist' # This returns without error.
|
50
|
-
#
|
51
|
-
# # this is wrong!
|
52
|
-
# owner = does_not_exist.owner # raises RestClient::ResourceNotFound
|
53
|
-
#
|
54
|
-
# # this is right!
|
55
|
-
# owner = if does_not_exist.exists?
|
56
|
-
# does_not_exist.owner
|
57
|
-
# else
|
58
|
-
# nil # or some sensible default
|
59
|
-
# end
|
60
|
-
#
|
61
|
-
# @return [Boolean] does it exist?
|
62
|
-
def exists?
|
63
|
-
begin
|
64
|
-
url_for(:resources_resource, credentials, id).head
|
65
|
-
true
|
66
|
-
rescue RestClient::Forbidden
|
67
|
-
true
|
68
|
-
rescue RestClient::ResourceNotFound
|
69
|
-
false
|
70
|
-
end
|
71
|
-
end
|
72
|
-
|
73
|
-
# Lists roles that have a specified privilege on the resource.
|
74
|
-
#
|
75
|
-
# This will return only roles of which api.current_user is a member.
|
76
|
-
#
|
77
|
-
# Options:
|
78
|
-
#
|
79
|
-
# * **offset** Zero-based offset into the result set.
|
80
|
-
# * **limit** Total number of records returned.
|
81
|
-
#
|
82
|
-
# @example
|
83
|
-
# resource = api.resource 'conjur:variable:example'
|
84
|
-
# resource.permitted_roles 'execute' # => ['conjur:user:admin']
|
85
|
-
# # After permitting 'execute' to user 'jon'
|
86
|
-
# resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:user:jon']
|
87
|
-
#
|
88
|
-
# @param privilege [String] the privilege
|
89
|
-
# @return [Array<String>] the ids of roles that have `privilege` on this resource.
|
90
|
-
def permitted_roles privilege
|
91
|
-
result = JSON.parse url_for(:resources_permitted_roles, credentials, id, privilege).get
|
92
|
-
if result.is_a?(Hash) && ( count = result['count'] )
|
93
|
-
count
|
94
|
-
else
|
95
|
-
result
|
96
|
-
end
|
97
|
-
end
|
98
|
-
|
99
|
-
# True if the logged-in role, or a role specified using the :role option, has the
|
100
|
-
# specified +privilege+ on this resource.
|
101
|
-
#
|
102
|
-
# @example
|
103
|
-
# api.current_role # => 'conjur:cat:mouse'
|
104
|
-
# resource.permitted_roles 'execute' # => ['conjur:user:admin', 'conjur:cat:mouse']
|
105
|
-
# resource.permitted_roles 'update', # => ['conjur:user:admin', 'conjur:cat:gino']
|
106
|
-
#
|
107
|
-
# resource.permitted? 'update' # => false, `mouse` can't update this resource
|
108
|
-
# resource.permitted? 'execute' # => true, `mouse` can execute it.
|
109
|
-
# resource.permitted? 'update', role: 'conjur:cat:gino' # => true, `gino` can update it.
|
110
|
-
# @param privilege [String] the privilege to check
|
111
|
-
# @param role [String,nil] :role check whether the role given by this full role id is permitted
|
112
|
-
# instead of checking +api.current_role+.
|
113
|
-
# @return [Boolean]
|
114
|
-
def permitted? privilege, role: nil
|
115
|
-
url_for(:resources_check, credentials, id, privilege, role)
|
116
|
-
true
|
117
|
-
rescue RestClient::Forbidden
|
118
|
-
false
|
119
|
-
rescue RestClient::ResourceNotFound
|
120
|
-
false
|
121
|
-
end
|
122
|
-
end
|
123
|
-
end
|
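--- a/data/lib/conjur/acts_as_role.rb
+++ b/data/lib/conjur/acts_as_role.rb
@@ -1,142 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2013-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-module Conjur
-
-# This module provides methods for things that have an associated {Conjur::Role}.
-#
-# All high level Conjur assets (groups and users, for example) are composed of both a role and a resource. This allows
-# these assets to have permissions on other assets, and for other assets to have permission
-# on them.
-#
-# The {Conjur::ActsAsRole} module itself should be considered private, but it's methods are
-# public when added to a Conjur asset class.
-module ActsAsRole
-
-# Login name of the role. This is formed from the role kind and role id.
-# For users, the role kind can be omitted.
-def login
-[ kind, identifier ].delete_if{|t| t == "user"}.join('/')
-end
-
-# Check whether this object exists by performing a HEAD request to its URL.
-#
-# This method will return false if the object doesn't exist.
-#
-# @example
-# does_not_exist = api.user 'does-not-exist' # This returns without error.
-#
-# # this is wrong!
-# owner = does_not_exist.members # raises RestClient::ResourceNotFound
-#
-# # this is right!
-# owner = if does_not_exist.exists?
-# does_not_exist.members
-# else
-# nil # or some sensible default
-# end
-#
-# @return [Boolean] does it exist?
-def exists?
-begin
-rbac_role_resource.head
-true
-rescue RestClient::Forbidden
-true
-rescue RestClient::ResourceNotFound
-false
-end
-end
-
-# Find all roles of which this role is a member. By default, role relationships are recursively expanded,
-# so if `a` is a member of `b`, and `b` is a member of `c`, `a.all` will include `c`.
-#
-# ### Permissions
-# You must be a member of the role to call this method.
-#
-# You can restrict the roles returned to one or more role ids. This feature is mainly useful
-# for checking whether this role is a member of any of a set of roles.
-#
-# ### Options
-#
-# * **recursive** Defaults to +true+, performs recursive expansion of the memberships.
-#
-# @example Show all roles of which `"conjur:group:pubkeys-1.0/key-managers"` is a member
-# # Add alice to the group, so we see something interesting
-# key_managers = api.group('pubkeys-1.0/key-managers')
-# key_managers.add_member api.user('alice')
-#
-# # Show the memberships, mapped to the member ids.
-# key_managers.role.all.map(&:id)
-# # => ["conjur:group:pubkeys-1.0/admin", "conjur:user:alice"]
-#
-# @example See if role `"conjur:user:alice"` is a member of either `"conjur:groups:developers"` or `"conjur:group:ops"`
-# is_member = api.role('conjur:user:alice').all(filter: ['conjur:group:developers', 'conjur:group:ops']).any?
-#
-# @param [Hash] options options for the request
-# @return [Array<Conjur::Role>] Roles of which this role is a member
-def memberships options = {}
-request = if options.delete(:recursive) == false
-options["memberships"] = true
-else
-options["all"] = true
-end
-if filter = options.delete(:filter)
-filter = [filter] unless filter.is_a?(Array)
-options["filter"] = filter.map(&Id.method(:new))
-end
-
-result = JSON.parse(rbac_role_resource[options_querystring options].get)
-if result.is_a?(Hash) && ( count = result['count'] )
-count
-else
-host = Conjur.configuration.core_url
-result.collect do |item|
-if item.is_a?(String)
-build_object(item, default_class: Role)
-else
-RoleGrant.parse_from_json(item, self.options)
-end
-end
-end
-end
-
-# Fetch the direct members of this role. The results are *not* recursively expanded).
-#
-# ### Permissions
-# You must be a member of the role to call this method.
-#
-# @param options [Hash, nil] extra parameters to pass to the webservice method.
-# @return [Array<Conjur::RoleGrant>] the role memberships
-# @raise [RestClient::Forbidden] if you don't have permission to perform this operation
-def members options = {}
-options["members"] = true
-result = JSON.parse(rbac_role_resource[options_querystring options].get)
-if result.is_a?(Hash) && ( count = result['count'] )
-count
-else
-parser_for(:members, credentials, result)
-end
-end
-
-private
-
-# RestClient::Resource for RBAC role operations.
-def rbac_role_resource
-url_for(:roles_role, credentials, id)
-end
-end
-end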
@@ -1,32 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright (C) 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
module Conjur
|
22
|
-
|
23
|
-
# This module provides methods for things that have an associated {Conjur::Role} and
|
24
|
-
# {Conjur::Resource}.
|
25
|
-
module ActsAsRolsource
|
26
|
-
# @api private
|
27
|
-
def self.included(base)
|
28
|
-
base.include ActsAsRole
|
29
|
-
base.include ActsAsResource
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|