conjur-api 5.3.7 → 5.3.8.pre.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (143)
  1. checksums.yaml +4 -4
  2. data/VERSION +1 -1
  3. metadata +23 -193
  4. data/.codeclimate.yml +0 -10
  5. data/.dockerignore +0 -1
  6. data/.github/CODEOWNERS +0 -10
  7. data/.gitignore +0 -32
  8. data/.gitleaks.toml +0 -219
  9. data/.overcommit.yml +0 -16
  10. data/.project +0 -18
  11. data/.rubocop.yml +0 -3
  12. data/.rubocop_settings.yml +0 -86
  13. data/.rubocop_todo.yml +0 -709
  14. data/.yardopts +0 -1
  15. data/CHANGELOG.md +0 -433
  16. data/CONTRIBUTING.md +0 -141
  17. data/Dockerfile +0 -16
  18. data/Gemfile +0 -7
  19. data/Jenkinsfile +0 -168
  20. data/LICENSE +0 -202
  21. data/README.md +0 -162
  22. data/Rakefile +0 -47
  23. data/SECURITY.md +0 -42
  24. data/bin/parse-changelog.sh +0 -12
  25. data/ci/configure_v4.sh +0 -12
  26. data/ci/configure_v5.sh +0 -14
  27. data/ci/submit-coverage +0 -36
  28. data/conjur-api.gemspec +0 -40
  29. data/dev/Dockerfile.dev +0 -12
  30. data/dev/docker-compose.yml +0 -56
  31. data/dev/start +0 -22
  32. data/dev/stop +0 -5
  33. data/docker-compose.yml +0 -76
  34. data/example/demo_v4.rb +0 -49
  35. data/example/demo_v5.rb +0 -57
  36. data/features/authenticators.feature +0 -33
  37. data/features/authn_local.feature +0 -32
  38. data/features/exists.feature +0 -37
  39. data/features/group.feature +0 -11
  40. data/features/host.feature +0 -50
  41. data/features/host_factory_create_host.feature +0 -28
  42. data/features/host_factory_token.feature +0 -63
  43. data/features/load_policy.feature +0 -61
  44. data/features/members.feature +0 -51
  45. data/features/new_api.feature +0 -36
  46. data/features/permitted.feature +0 -70
  47. data/features/permitted_roles.feature +0 -30
  48. data/features/public_keys.feature +0 -11
  49. data/features/resource_fields.feature +0 -53
  50. data/features/role_fields.feature +0 -15
  51. data/features/rotate_api_key.feature +0 -13
  52. data/features/step_definitions/api_steps.rb +0 -18
  53. data/features/step_definitions/policy_steps.rb +0 -75
  54. data/features/step_definitions/result_steps.rb +0 -7
  55. data/features/support/env.rb +0 -18
  56. data/features/support/hooks.rb +0 -3
  57. data/features/support/world.rb +0 -12
  58. data/features/update_password.feature +0 -14
  59. data/features/user.feature +0 -58
  60. data/features/variable_fields.feature +0 -20
  61. data/features/variable_value.feature +0 -60
  62. data/features_v4/authn_local.feature +0 -27
  63. data/features_v4/exists.feature +0 -29
  64. data/features_v4/host.feature +0 -18
  65. data/features_v4/host_factory_token.feature +0 -49
  66. data/features_v4/members.feature +0 -39
  67. data/features_v4/permitted.feature +0 -15
  68. data/features_v4/permitted_roles.feature +0 -8
  69. data/features_v4/resource_fields.feature +0 -47
  70. data/features_v4/rotate_api_key.feature +0 -13
  71. data/features_v4/step_definitions/api_steps.rb +0 -17
  72. data/features_v4/step_definitions/result_steps.rb +0 -3
  73. data/features_v4/support/env.rb +0 -23
  74. data/features_v4/support/policy.yml +0 -34
  75. data/features_v4/support/world.rb +0 -12
  76. data/features_v4/variable_fields.feature +0 -11
  77. data/features_v4/variable_value.feature +0 -54
  78. data/lib/conjur/acts_as_resource.rb +0 -123
  79. data/lib/conjur/acts_as_role.rb +0 -142
  80. data/lib/conjur/acts_as_rolsource.rb +0 -32
  81. data/lib/conjur/acts_as_user.rb +0 -68
  82. data/lib/conjur/api/authenticators.rb +0 -35
  83. data/lib/conjur/api/authn.rb +0 -125
  84. data/lib/conjur/api/host_factories.rb +0 -71
  85. data/lib/conjur/api/ldap_sync.rb +0 -38
  86. data/lib/conjur/api/policies.rb +0 -56
  87. data/lib/conjur/api/pubkeys.rb +0 -53
  88. data/lib/conjur/api/resources.rb +0 -109
  89. data/lib/conjur/api/roles.rb +0 -98
  90. data/lib/conjur/api/router/v4.rb +0 -206
  91. data/lib/conjur/api/router/v5.rb +0 -248
  92. data/lib/conjur/api/variables.rb +0 -59
  93. data/lib/conjur/api.rb +0 -105
  94. data/lib/conjur/base.rb +0 -355
  95. data/lib/conjur/base_object.rb +0 -57
  96. data/lib/conjur/build_object.rb +0 -47
  97. data/lib/conjur/cache.rb +0 -26
  98. data/lib/conjur/cert_utils.rb +0 -63
  99. data/lib/conjur/cidr.rb +0 -71
  100. data/lib/conjur/configuration.rb +0 -460
  101. data/lib/conjur/escape.rb +0 -129
  102. data/lib/conjur/exceptions.rb +0 -4
  103. data/lib/conjur/group.rb +0 -41
  104. data/lib/conjur/has_attributes.rb +0 -98
  105. data/lib/conjur/host.rb +0 -27
  106. data/lib/conjur/host_factory.rb +0 -75
  107. data/lib/conjur/host_factory_token.rb +0 -78
  108. data/lib/conjur/id.rb +0 -71
  109. data/lib/conjur/layer.rb +0 -9
  110. data/lib/conjur/log.rb +0 -72
  111. data/lib/conjur/log_source.rb +0 -60
  112. data/lib/conjur/policy.rb +0 -34
  113. data/lib/conjur/policy_load_result.rb +0 -61
  114. data/lib/conjur/query_string.rb +0 -12
  115. data/lib/conjur/resource.rb +0 -29
  116. data/lib/conjur/role.rb +0 -29
  117. data/lib/conjur/role_grant.rb +0 -85
  118. data/lib/conjur/routing.rb +0 -29
  119. data/lib/conjur/user.rb +0 -40
  120. data/lib/conjur/variable.rb +0 -208
  121. data/lib/conjur/webservice.rb +0 -30
  122. data/lib/conjur-api/version.rb +0 -24
  123. data/lib/conjur-api.rb +0 -2
  124. data/publish.sh +0 -5
  125. data/spec/api/host_factories_spec.rb +0 -34
  126. data/spec/api_spec.rb +0 -254
  127. data/spec/base_object_spec.rb +0 -13
  128. data/spec/cert_utils_spec.rb +0 -173
  129. data/spec/cidr_spec.rb +0 -34
  130. data/spec/configuration_spec.rb +0 -330
  131. data/spec/has_attributes_spec.rb +0 -63
  132. data/spec/helpers/errors_matcher.rb +0 -34
  133. data/spec/helpers/request_helpers.rb +0 -10
  134. data/spec/id_spec.rb +0 -29
  135. data/spec/ldap_sync_spec.rb +0 -21
  136. data/spec/log_source_spec.rb +0 -13
  137. data/spec/log_spec.rb +0 -42
  138. data/spec/roles_spec.rb +0 -24
  139. data/spec/spec_helper.rb +0 -113
  140. data/spec/ssl_spec.rb +0 -109
  141. data/spec/uri_escape_spec.rb +0 -21
  142. data/test.sh +0 -73
  143. data/tmp/.keep +0 -0
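--- a/data/lib/conjur/acts_as_user.rb
+++ b/data/lib/conjur/acts_as_user.rb
@@ -1,68 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-module Conjur
-# This module provides methods for things that are like users (specifically, those that have
-# api keys).
-module ActsAsUser
-# @api private
-def self.included(base)
-base.include ActsAsRolsource
-end
-
-# Returns a newly created user's api_key.
-#
-# @note The API key is not returned by {API#resource}. It is only available
-# via {API#login}, when the object is newly created, and when the API key is rotated.
-#
-# @return [String] the api key
-# @raise [Exception] when the object isn't newly created.
-def api_key
-attributes['api_key'] or raise "api_key is only available on a newly created #{kind}"
-end
-
-# Create an api logged in as this user-like thing.
-#
-# @note As with {#api_key}, this method only works on newly created instances.
-# @see #api_key
-# @return [Conjur::API] an api logged in as this user-like thing.
-def api
-Conjur::API.new_from_key login, api_key, account: account
-end
-
-# Rotate this role's API key. You must have `update` permission on the user to do so.
-#
-# @note You will not be able to access the API key returned by this method later, so you should
-# probably hang onto it it.
-#
-# @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`.
-#
-# @note This feature requires a Conjur appliance running version 4.6 or higher.
-#
-# @return [String] the new API key for this user.
-def rotate_api_key
-if login == username
-raise 'You cannot rotate your own API key via this method. To do so, use `Conjur::API.rotate_api_key`'
-end
-
-url_for(:authn_rotate_api_key, credentials, account, id).put("").body
-end
-end
-end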
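--- a/data/lib/conjur/api/authenticators.rb
+++ b/data/lib/conjur/api/authenticators.rb
@@ -1,35 +0,0 @@
-# frozen_string_literal: true
-
-require 'conjur/webservice'
-
-module Conjur
-# API contains each of the methods for access the Conjur API endpoints
-#-- :reek:DataClump for authenticator identifier fields (name, id, account)
-class API
-# @!group Authenticators
-
-# List all configured authenticators
-def authenticator_list
-JSON.parse(url_for(:authenticators).get)
-end
-
-# Enables an authenticator in Conjur. The authenticator must be defined and
-# loaded in Conjur policy prior to enabling it.
-#
-# @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
-# @param [String] id the service ID of the authenticator to enable
-def authenticator_enable authenticator, id, account: Conjur.configuration.account
-url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
-end
-
-# Disables an authenticator in Conjur.
-#
-# @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
-# @param [String] id the service ID of the authenticator to disable
-def authenticator_disable authenticator, id, account: Conjur.configuration.account
-url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
-end
-
-# @!endgroup
-end
-end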
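--- a/data/lib/conjur/api/authn.rb
+++ b/data/lib/conjur/api/authn.rb
@@ -1,125 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/user'
-
-module Conjur
-class API
-class << self
-#@!group Authentication
-
-# Exchanges a username and a password for an api key. The api key
-# is preferable for storage and use in code, as it can be rotated and has far greater entropy than
-# a user memorizable password.
-#
-# * Note that this method works only for {Conjur::User}s. While
-# {Conjur::Host}s are roles, they do not have passwords.
-# * If you pass an api key to this method instead of a password, it will verify and return the API key.
-# * This method uses HTTP Basic Authentication to send the credentials.
-#
-# @example
-# bob_api_key = Conjur::API.login('bob', 'bob_password')
-# bob_api_key == Conjur::API.login('bob', bob_api_key) # => true
-#
-# @param [String] username The `username` or `login` for the
-# {http://developer.conjur.net/reference/services/directory/user Conjur User}.
-# @param [String] password The `password` or `api key` to authenticate with.
-# @param [String] account The organization account.
-# @return [String] the API key.
-def login username, password, account: Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Logging in #{username} to account #{account} via Basic authentication\n"
-end
-url_for(:authn_login, account, username, password).get
-end
-
-# Exchanges Conjur the API key (refresh token) for an access token. The access token can
-# then be used to authenticate further API calls.
-#
-# @param [String] username The username or host id for which we want a token
-# @param [String] api_key The api key
-# @param [String] account The organization account.
-# @return [String] A JSON formatted authentication token.
-def authenticate username, api_key, account: Conjur.configuration.account
-account ||= Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Authenticating #{username} to account #{account}\n"
-end
-JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
-end
-
-# Obtains an access token from the +authn_local+ service. The access token can
-# then be used to authenticate further API calls.
-#
-# @param [String] username The username or host id for which we want a token
-# @param [String] account The organization account.
-# @return [String] A JSON formatted authentication token.
-def authenticate_local username, account: Conjur.configuration.account, expiration: nil, cidr: nil
-account ||= Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Authenticating #{username} to account #{account} using authn_local\n"
-end
-
-require 'json'
-require 'socket'
-message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
-JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
-end
-
-# Change a user's password. To do this, you must have the user's current password. This does not change or rotate
-# api keys. However, you *can* use the user's api key as the *current* password, if the user was not created
-# with a password.
-#
-# @param [String] username the name of the user whose password we want to change.
-# @param [String] password the user's *current* password *or* api key.
-# @param [String] new_password the new password for the user.
-# @param [String] account The organization account.
-# @return [void]
-def update_password username, password, new_password, account: Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Updating password for #{username} in account #{account}\n"
-end
-url_for(:authn_update_password, account, username, password).put new_password
-end
-
-#@!endgroup
-
-#@!group Password and API key management
-
-# Rotate the currently authenticated user or host API key by generating and returning a new one.
-# The old API key is no longer valid after calling this method. You must have the current
-# API key or password to perform this operation. This method *does not* affect a user's password.
-#
-# @param [String] username the name of the user or host whose API key we want to change
-# @param [String] password the user's current api key
-# @param [String] account The organization account.
-# @return [String] the new API key
-def rotate_api_key username, password, account: Conjur.configuration.account
-if Conjur.log
-Conjur.log << "Rotating API key for self (#{username} in account #{account})\n"
-end
-
-url_for(:authn_rotate_own_api_key, account, username, password).put('').body
-end
-
-#@!endgroup
-end
-end
-end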
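--- a/data/lib/conjur/api/host_factories.rb
+++ b/data/lib/conjur/api/host_factories.rb
@@ -1,71 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2013-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'conjur/host_factory'
-
-module Conjur
-class API
-#@!group Host Factory
-
-class << self
-# Use a host factory token to create a new host. Unlike most other methods, this
-# method does not require a Conjur access token. The host factory token is the
-# authentication and authorization to create the host.
-#
-# The token must be valid. The host id can be a new host, or an existing host.
-# If the host already exists, the server verifies that its layer memberships
-# match the host factory exactly. Then, its API key is rotated and returned with
-# the response.
-#
-# @param [String] token the host factory token.
-# @param [String] id the id of a new or existing host.
-# @param options [Hash] additional host creation options.
-# @return [Host]
-def host_factory_create_host token, id, options = {}
-token = token.token if token.is_a?(HostFactoryToken)
-response = url_for(:host_factory_create_host, token)
-.post(options.merge(id: id)).body
-
-attributes = JSON.parse(response)
-# in v4 'id' is just the identifier
-host_id = attributes['roleid'] || attributes['id']
-
-Host.new(host_id, {}).tap do |host|
-host.attributes = attributes
-end
-end
-
-# Revokes a host factory token. After revocation, the token can no longer be used to
-# create hosts.
-#
-# @param [Hash] credentials authentication credentials of the current user.
-# @param [String] token the host factory token.
-def revoke_host_factory_token credentials, token
-url_for(:host_factory_revoke_token, credentials, token).delete
-end
-end
-
-# Revokes a host factory token. After revocation, the token can no longer be used to
-# create hosts.
-#
-# @param [String] token the host factory token.
-def revoke_host_factory_token token
-self.class.revoke_host_factory_token credentials, token
-end
-
-#@!endgroup
-end
-end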
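--- a/data/lib/conjur/api/ldap_sync.rb
+++ b/data/lib/conjur/api/ldap_sync.rb
@@ -1,38 +0,0 @@
-#
-# Copyright 2013-2018 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-module Conjur
-class API
-
-# Retrieve the policy for the given LDAP sync
-# configuration. Configurations created through the Conjur UI are
-# named +default+, so the default value of +config_name+ can be
-# used.
-#
-# For details on the use of LDAP sync, see
-# https://developer.conjur.net/reference/services/ldap_sync/ .
-#
-# @param [String] config_name the name of the LDAP sync configuration.
-def ldap_sync_policy config_name: 'default'
-JSON.parse(url_for(:ldap_sync_policy, credentials, config_name).get)
-end
-end
-end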
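--- a/data/lib/conjur/api/policies.rb
+++ b/data/lib/conjur/api/policies.rb
@@ -1,56 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/policy_load_result'
-require 'conjur/policy'
-
-module Conjur
-class API
-#@!group Policy management
-
-# Append only.
-POLICY_METHOD_POST = :post
-# Allow explicit deletion statements, but don't delete implicitly delete data.
-POLICY_METHOD_PATCH = :patch
-# Replace the policy entirely, deleting any existing data that is not declared in the new policy.
-POLICY_METHOD_PUT = :put
-
-# Load a policy document into the server.
-#
-# The modes are support for policy loading:
-#
-# * POLICY_METHOD_POST Policy data will be added to the named policy. Deletions are not allowed.
-# * POLICY_METHOD_PATCH Policy data can be added to or deleted from the named policy. Deletions
-# are performed by an explicit `!delete` statement.
-# * POLICY_METHOD_PUT The policy completely replaces the name policy. Policy data which is present
-# in the server, but not present in the new policy definition, is deleted.
-#
-# @param id [String] id of the policy to load.
-# @param policy [String] YAML-formatted policy definition.
-# @param account [String] Conjur organization account
-# @param method [Symbol] Policy load method to use: {POLICY_METHOD_POST} (default), {POLICY_METHOD_PATCH}, or {POLICY_METHOD_PUT}.
-def load_policy id, policy, account: Conjur.configuration.account, method: POLICY_METHOD_POST
-request = url_for(:policies_load_policy, credentials, account, id)
-PolicyLoadResult.new JSON.parse(request.send(method, policy))
-end
-
-#@!endgroup
-end
-end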
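--- a/data/lib/conjur/api/pubkeys.rb
+++ b/data/lib/conjur/api/pubkeys.rb
@@ -1,53 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-module Conjur
-
-class API
-class << self
-# @!group Public Keys
-
-# Fetch *all* public keys for the user. This method returns a newline delimited
-# String for compatibility with the authorized_keys SSH format.
-#
-#
-# If the given user does not exist, an empty String will be returned. This is to prevent attackers from determining whether
-# a user exists.
-#
-# ## Permissions
-# You do not need any special permissions to call this method, since public keys are, well, public.
-#
-#
-# @example
-# puts api.public_keys('jon')
-# # ssh-rsa [big long string] jon@albert
-# # ssh-rsa [big long string] jon@conjurops
-#
-# @param [String] username the *unqualified* Conjur username
-# @return [String] newline delimited public keys
-def public_keys username, account: Conjur.configuration.account
-url_for(:public_keys_for_user, account, username).get
-end
-
-#@!endgroup
-end
-end
-end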
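--- a/data/lib/conjur/api/resources.rb
+++ b/data/lib/conjur/api/resources.rb
@@ -1,109 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2013-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'conjur/resource'
-
-module Conjur
-class API
-include QueryString
-include BuildObject
-
-#@!group Resources
-
-# Find a resource by its id.
-# @note The id given to this method must be fully qualified.
-#
-# ### Permissions
-#
-# The resource **must** be visible to the current role. This is the case if the current role is the owner of
-# the resource, or has any privilege on it.
-#
-# @param id [String] a fully qualified resource identifier
-# @return [Conjur::Resource] the resource, which may or may not exist
-def resource id
-build_object id
-end
-
-# Find all resources visible to the current role that match the given search criteria.
-#
-# ## Full Text Search
-# Conjur supports full text search over the identifiers and annotation *values*
-# of resources. For example, if `opts[:search]` is `"pubkeys"`, any resource with
-# an id containing `"pubkeys"` or an annotation whose value contains `"pubkeys"` will match.
-#
-# **Notes**
-# * Annotation *keys* are *not* indexed for full text search.
-# * Conjur indexes the content of ids and annotation values by word.
-# * Only resources visible to the current role (either owned by that role or
-# having a privilege on it) are returned.
-# * If you do not provide `:offset` or `:limit`, all records will be returned. For systems
-# with a huge number of resources, you may want to paginate as shown in the example below.
-# * If `:offset` is provided and `:limit` is not, 10 records starting at `:offset` will be
-# returned. You may choose an arbitrarily large number for `:limit`, but the same performance
-# considerations apply as when omitting `:offset` and `:limit`.
-#
-# @example Search for resources annotated with the text "WebService Route"
-# webservice_routes = api.resources search: "WebService Route"
-#
-# @example Restrict the search to 'group' resources
-# groups = api.resources kind: 'group'
-#
-# # Correct behavior:
-# expect(groups.all?{|g| g.kind == 'group'}).to be_true
-#
-# @example Get every single resource in a performant way
-# resources = []
-# limit = 25
-# offset = 0
-# until (batch = api.resources limit: limit, offset: offset).empty?
-# offset += batch.length
-# resources.concat results
-# end
-# # do something with your resources
-#
-# @param options [Hash] search criteria
-# @option options [String] :search find resources whose ids or annotations contain this string
-# @option options [String] :kind find resources whose `kind` matches this string
-# @option options [Integer] :limit the maximum number of records to return (Conjur may return fewer)
-# @option options [Integer] :offset offset of the first record to return
-# @option options [Boolean] :count return a count of records instead of the records themselves when set to true
-# @return [Array<Conjur::Resource>] the resources matching the criteria given
-def resources options = {}
-options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
-options[:account] ||= Conjur.configuration.account
-
-host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
-fail ArgumentError, "host and account are required" unless [host, account].all?
-%w(host credentials account kind).each do |name|
-options.delete(name.to_sym)
-end
-
-result = JSON.parse(url_for(:resources, credentials, account, kind, options).get)
-
-result = result['count'] if result.is_a?(Hash)
-
-if result.is_a?(Numeric)
-result
-else
-result.map do |result|
-resource(result['id']).tap do |r|
-r.attributes = result
-end
-end
-end
-end
-end
-end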
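--- a/data/lib/conjur/api/roles.rb
+++ b/data/lib/conjur/api/roles.rb
@@ -1,98 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/role'
-
-module Conjur
-class API
-include BuildObject
-
-#@!group Roles
-
-# Return a {Conjur::Role} representing a role with the given id. Note that the {Conjur::Role} may or
-# may not exist (see {Conjur::Exists#exists?}).
-#
-# ### Permissions
-#
-# Because this method returns roles that may or may not exist, it doesn't require any permissions to call it:
-# in fact, it does not perform an HTTP request (except for authentication if necessary).
-#
-# @example Create and show a role
-# iggy = api.role 'cat:iggy'
-# iggy.exists? # true
-# iggy.members.map(&:member).map(&:id) # => ['conjur:user:admin']
-# api.current_role.id # => 'conjur:user:admin' # creator role is a member of created role.
-#
-# @example No permissions are required to call this method
-# api.current_role # => "user:no-access"
-#
-# # current role is only a member of itself, so it can't see other roles.
-# api.current_role.memberships.count # => 1
-# admin = api.role 'user:admin' # OK
-# admin.exists? # => true
-# admin.members # => RestClient::Forbidden: 403 Forbidden
-#
-# @param id [String] a fully qualified role identifier
-# @return [Conjur::Role] an object representing the role
-def role id
-build_object id, default_class: Role
-end
-
-# Return a {Conjur::Role} object representing the role (typically a user or host) that this API instance is authenticated
-# as. This is derived either from the `login` argument to {Conjur::API.new_from_key} or from the contents of the
-# `token` given to {Conjur::API.new_from_token} or {Conjur::API.new_from_token_file}.
-#
-# @example Current role for a user
-# api = Conjur::API.new_from_key 'jon', 'somepassword'
-# api.current_role.id # => 'conjur:user:jon'
-#
-# @example Current role for a host
-# host = api.create_host id: 'exapmle-host'
-#
-# # Host and User have an `api` method that returns an api with their credentials. Note
-# # that this only works with a newly created host or user, which has an `api_key` attribute.
-# host.api.current_role.id # => 'conjur:host:example-host'
-#
-# @param [String] account the organization account
-# @return [Conjur::Role] the authenticated role for this API instance
-def current_role account
-self.class.role_from_username self, username, account
-end
-
-#@!endgroup
-
-class << self
-# @api private
-def role_from_username api, username, account
-api.role role_name_from_username(username, account)
-end
-
-# @api private
-def role_name_from_username username, account
-tokens = username.split('/')
-if tokens.size == 1
-[ account, 'user', username ].join(':')
-else
-[ account, tokens[0], tokens[1..-1].join('/') ].join(':')
-end
-end
-end
-end
-end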