conjur-api 5.3.8.pre.194 → 5.3.8.pre.319
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- metadata +21 -191
- data/.codeclimate.yml +0 -10
- data/.dockerignore +0 -1
- data/.github/CODEOWNERS +0 -10
- data/.gitignore +0 -32
- data/.gitleaks.toml +0 -219
- data/.overcommit.yml +0 -16
- data/.project +0 -18
- data/.rubocop.yml +0 -3
- data/.rubocop_settings.yml +0 -86
- data/.rubocop_todo.yml +0 -709
- data/.yardopts +0 -1
- data/CHANGELOG.md +0 -435
- data/CONTRIBUTING.md +0 -141
- data/Dockerfile +0 -16
- data/Gemfile +0 -7
- data/Jenkinsfile +0 -168
- data/LICENSE +0 -202
- data/README.md +0 -162
- data/Rakefile +0 -47
- data/SECURITY.md +0 -42
- data/bin/parse-changelog.sh +0 -12
- data/ci/configure_v4.sh +0 -12
- data/ci/configure_v5.sh +0 -14
- data/ci/submit-coverage +0 -36
- data/conjur-api.gemspec +0 -40
- data/dev/Dockerfile.dev +0 -12
- data/dev/docker-compose.yml +0 -56
- data/dev/start +0 -22
- data/dev/stop +0 -5
- data/docker-compose.yml +0 -76
- data/example/demo_v4.rb +0 -49
- data/example/demo_v5.rb +0 -57
- data/features/authenticators.feature +0 -33
- data/features/authn_local.feature +0 -32
- data/features/exists.feature +0 -37
- data/features/group.feature +0 -11
- data/features/host.feature +0 -50
- data/features/host_factory_create_host.feature +0 -28
- data/features/host_factory_token.feature +0 -63
- data/features/load_policy.feature +0 -61
- data/features/members.feature +0 -51
- data/features/new_api.feature +0 -36
- data/features/permitted.feature +0 -70
- data/features/permitted_roles.feature +0 -30
- data/features/public_keys.feature +0 -11
- data/features/resource_fields.feature +0 -53
- data/features/role_fields.feature +0 -15
- data/features/rotate_api_key.feature +0 -13
- data/features/step_definitions/api_steps.rb +0 -18
- data/features/step_definitions/policy_steps.rb +0 -75
- data/features/step_definitions/result_steps.rb +0 -7
- data/features/support/env.rb +0 -18
- data/features/support/hooks.rb +0 -3
- data/features/support/world.rb +0 -12
- data/features/update_password.feature +0 -14
- data/features/user.feature +0 -58
- data/features/variable_fields.feature +0 -20
- data/features/variable_value.feature +0 -60
- data/features_v4/authn_local.feature +0 -27
- data/features_v4/exists.feature +0 -29
- data/features_v4/host.feature +0 -18
- data/features_v4/host_factory_token.feature +0 -49
- data/features_v4/members.feature +0 -39
- data/features_v4/permitted.feature +0 -15
- data/features_v4/permitted_roles.feature +0 -8
- data/features_v4/resource_fields.feature +0 -47
- data/features_v4/rotate_api_key.feature +0 -13
- data/features_v4/step_definitions/api_steps.rb +0 -17
- data/features_v4/step_definitions/result_steps.rb +0 -3
- data/features_v4/support/env.rb +0 -23
- data/features_v4/support/policy.yml +0 -34
- data/features_v4/support/world.rb +0 -12
- data/features_v4/variable_fields.feature +0 -11
- data/features_v4/variable_value.feature +0 -54
- data/lib/conjur/acts_as_resource.rb +0 -123
- data/lib/conjur/acts_as_role.rb +0 -142
- data/lib/conjur/acts_as_rolsource.rb +0 -32
- data/lib/conjur/acts_as_user.rb +0 -68
- data/lib/conjur/api/authenticators.rb +0 -35
- data/lib/conjur/api/authn.rb +0 -125
- data/lib/conjur/api/host_factories.rb +0 -71
- data/lib/conjur/api/ldap_sync.rb +0 -38
- data/lib/conjur/api/policies.rb +0 -56
- data/lib/conjur/api/pubkeys.rb +0 -53
- data/lib/conjur/api/resources.rb +0 -109
- data/lib/conjur/api/roles.rb +0 -98
- data/lib/conjur/api/router/v4.rb +0 -206
- data/lib/conjur/api/router/v5.rb +0 -248
- data/lib/conjur/api/variables.rb +0 -59
- data/lib/conjur/api.rb +0 -105
- data/lib/conjur/base.rb +0 -355
- data/lib/conjur/base_object.rb +0 -57
- data/lib/conjur/build_object.rb +0 -47
- data/lib/conjur/cache.rb +0 -26
- data/lib/conjur/cert_utils.rb +0 -63
- data/lib/conjur/cidr.rb +0 -71
- data/lib/conjur/configuration.rb +0 -460
- data/lib/conjur/escape.rb +0 -129
- data/lib/conjur/exceptions.rb +0 -4
- data/lib/conjur/group.rb +0 -41
- data/lib/conjur/has_attributes.rb +0 -98
- data/lib/conjur/host.rb +0 -27
- data/lib/conjur/host_factory.rb +0 -75
- data/lib/conjur/host_factory_token.rb +0 -78
- data/lib/conjur/id.rb +0 -71
- data/lib/conjur/layer.rb +0 -9
- data/lib/conjur/log.rb +0 -72
- data/lib/conjur/log_source.rb +0 -60
- data/lib/conjur/policy.rb +0 -34
- data/lib/conjur/policy_load_result.rb +0 -61
- data/lib/conjur/query_string.rb +0 -12
- data/lib/conjur/resource.rb +0 -29
- data/lib/conjur/role.rb +0 -29
- data/lib/conjur/role_grant.rb +0 -85
- data/lib/conjur/routing.rb +0 -29
- data/lib/conjur/user.rb +0 -40
- data/lib/conjur/variable.rb +0 -208
- data/lib/conjur/webservice.rb +0 -30
- data/lib/conjur-api/version.rb +0 -24
- data/lib/conjur-api.rb +0 -2
- data/publish.sh +0 -5
- data/spec/api/host_factories_spec.rb +0 -34
- data/spec/api_spec.rb +0 -254
- data/spec/base_object_spec.rb +0 -13
- data/spec/cert_utils_spec.rb +0 -173
- data/spec/cidr_spec.rb +0 -34
- data/spec/configuration_spec.rb +0 -330
- data/spec/has_attributes_spec.rb +0 -63
- data/spec/helpers/errors_matcher.rb +0 -34
- data/spec/helpers/request_helpers.rb +0 -10
- data/spec/id_spec.rb +0 -29
- data/spec/ldap_sync_spec.rb +0 -21
- data/spec/log_source_spec.rb +0 -13
- data/spec/log_spec.rb +0 -42
- data/spec/roles_spec.rb +0 -24
- data/spec/spec_helper.rb +0 -113
- data/spec/ssl_spec.rb +0 -109
- data/spec/uri_escape_spec.rb +0 -21
- data/test.sh +0 -73
- data/tmp/.keep +0 -0
data/lib/conjur/acts_as_user.rb
DELETED
@@ -1,68 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
module Conjur
|
22
|
-
# This module provides methods for things that are like users (specifically, those that have
|
23
|
-
# api keys).
|
24
|
-
module ActsAsUser
|
25
|
-
# @api private
|
26
|
-
def self.included(base)
|
27
|
-
base.include ActsAsRolsource
|
28
|
-
end
|
29
|
-
|
30
|
-
# Returns a newly created user's api_key.
|
31
|
-
#
|
32
|
-
# @note The API key is not returned by {API#resource}. It is only available
|
33
|
-
# via {API#login}, when the object is newly created, and when the API key is rotated.
|
34
|
-
#
|
35
|
-
# @return [String] the api key
|
36
|
-
# @raise [Exception] when the object isn't newly created.
|
37
|
-
def api_key
|
38
|
-
attributes['api_key'] or raise "api_key is only available on a newly created #{kind}"
|
39
|
-
end
|
40
|
-
|
41
|
-
# Create an api logged in as this user-like thing.
|
42
|
-
#
|
43
|
-
# @note As with {#api_key}, this method only works on newly created instances.
|
44
|
-
# @see #api_key
|
45
|
-
# @return [Conjur::API] an api logged in as this user-like thing.
|
46
|
-
def api
|
47
|
-
Conjur::API.new_from_key login, api_key, account: account
|
48
|
-
end
|
49
|
-
|
50
|
-
# Rotate this role's API key. You must have `update` permission on the user to do so.
|
51
|
-
#
|
52
|
-
# @note You will not be able to access the API key returned by this method later, so you should
|
53
|
-
# probably hang onto it it.
|
54
|
-
#
|
55
|
-
# @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`.
|
56
|
-
#
|
57
|
-
# @note This feature requires a Conjur appliance running version 4.6 or higher.
|
58
|
-
#
|
59
|
-
# @return [String] the new API key for this user.
|
60
|
-
def rotate_api_key
|
61
|
-
if login == username
|
62
|
-
raise 'You cannot rotate your own API key via this method. To do so, use `Conjur::API.rotate_api_key`'
|
63
|
-
end
|
64
|
-
|
65
|
-
url_for(:authn_rotate_api_key, credentials, account, id).put("").body
|
66
|
-
end
|
67
|
-
end
|
68
|
-
end
|
@@ -1,35 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require 'conjur/webservice'
|
4
|
-
|
5
|
-
module Conjur
|
6
|
-
# API contains each of the methods for access the Conjur API endpoints
|
7
|
-
#-- :reek:DataClump for authenticator identifier fields (name, id, account)
|
8
|
-
class API
|
9
|
-
# @!group Authenticators
|
10
|
-
|
11
|
-
# List all configured authenticators
|
12
|
-
def authenticator_list
|
13
|
-
JSON.parse(url_for(:authenticators).get)
|
14
|
-
end
|
15
|
-
|
16
|
-
# Enables an authenticator in Conjur. The authenticator must be defined and
|
17
|
-
# loaded in Conjur policy prior to enabling it.
|
18
|
-
#
|
19
|
-
# @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
|
20
|
-
# @param [String] id the service ID of the authenticator to enable
|
21
|
-
def authenticator_enable authenticator, id, account: Conjur.configuration.account
|
22
|
-
url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
|
23
|
-
end
|
24
|
-
|
25
|
-
# Disables an authenticator in Conjur.
|
26
|
-
#
|
27
|
-
# @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
|
28
|
-
# @param [String] id the service ID of the authenticator to disable
|
29
|
-
def authenticator_disable authenticator, id, account: Conjur.configuration.account
|
30
|
-
url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
|
31
|
-
end
|
32
|
-
|
33
|
-
# @!endgroup
|
34
|
-
end
|
35
|
-
end
|
data/lib/conjur/api/authn.rb
DELETED
@@ -1,125 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
require 'conjur/user'
|
22
|
-
|
23
|
-
module Conjur
|
24
|
-
class API
|
25
|
-
class << self
|
26
|
-
#@!group Authentication
|
27
|
-
|
28
|
-
# Exchanges a username and a password for an api key. The api key
|
29
|
-
# is preferable for storage and use in code, as it can be rotated and has far greater entropy than
|
30
|
-
# a user memorizable password.
|
31
|
-
#
|
32
|
-
# * Note that this method works only for {Conjur::User}s. While
|
33
|
-
# {Conjur::Host}s are roles, they do not have passwords.
|
34
|
-
# * If you pass an api key to this method instead of a password, it will verify and return the API key.
|
35
|
-
# * This method uses HTTP Basic Authentication to send the credentials.
|
36
|
-
#
|
37
|
-
# @example
|
38
|
-
# bob_api_key = Conjur::API.login('bob', 'bob_password')
|
39
|
-
# bob_api_key == Conjur::API.login('bob', bob_api_key) # => true
|
40
|
-
#
|
41
|
-
# @param [String] username The `username` or `login` for the
|
42
|
-
# {http://developer.conjur.net/reference/services/directory/user Conjur User}.
|
43
|
-
# @param [String] password The `password` or `api key` to authenticate with.
|
44
|
-
# @param [String] account The organization account.
|
45
|
-
# @return [String] the API key.
|
46
|
-
def login username, password, account: Conjur.configuration.account
|
47
|
-
if Conjur.log
|
48
|
-
Conjur.log << "Logging in #{username} to account #{account} via Basic authentication\n"
|
49
|
-
end
|
50
|
-
url_for(:authn_login, account, username, password).get
|
51
|
-
end
|
52
|
-
|
53
|
-
# Exchanges Conjur the API key (refresh token) for an access token. The access token can
|
54
|
-
# then be used to authenticate further API calls.
|
55
|
-
#
|
56
|
-
# @param [String] username The username or host id for which we want a token
|
57
|
-
# @param [String] api_key The api key
|
58
|
-
# @param [String] account The organization account.
|
59
|
-
# @return [String] A JSON formatted authentication token.
|
60
|
-
def authenticate username, api_key, account: Conjur.configuration.account
|
61
|
-
account ||= Conjur.configuration.account
|
62
|
-
if Conjur.log
|
63
|
-
Conjur.log << "Authenticating #{username} to account #{account}\n"
|
64
|
-
end
|
65
|
-
JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
|
66
|
-
end
|
67
|
-
|
68
|
-
# Obtains an access token from the +authn_local+ service. The access token can
|
69
|
-
# then be used to authenticate further API calls.
|
70
|
-
#
|
71
|
-
# @param [String] username The username or host id for which we want a token
|
72
|
-
# @param [String] account The organization account.
|
73
|
-
# @return [String] A JSON formatted authentication token.
|
74
|
-
def authenticate_local username, account: Conjur.configuration.account, expiration: nil, cidr: nil
|
75
|
-
account ||= Conjur.configuration.account
|
76
|
-
if Conjur.log
|
77
|
-
Conjur.log << "Authenticating #{username} to account #{account} using authn_local\n"
|
78
|
-
end
|
79
|
-
|
80
|
-
require 'json'
|
81
|
-
require 'socket'
|
82
|
-
message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
|
83
|
-
JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
|
84
|
-
end
|
85
|
-
|
86
|
-
# Change a user's password. To do this, you must have the user's current password. This does not change or rotate
|
87
|
-
# api keys. However, you *can* use the user's api key as the *current* password, if the user was not created
|
88
|
-
# with a password.
|
89
|
-
#
|
90
|
-
# @param [String] username the name of the user whose password we want to change.
|
91
|
-
# @param [String] password the user's *current* password *or* api key.
|
92
|
-
# @param [String] new_password the new password for the user.
|
93
|
-
# @param [String] account The organization account.
|
94
|
-
# @return [void]
|
95
|
-
def update_password username, password, new_password, account: Conjur.configuration.account
|
96
|
-
if Conjur.log
|
97
|
-
Conjur.log << "Updating password for #{username} in account #{account}\n"
|
98
|
-
end
|
99
|
-
url_for(:authn_update_password, account, username, password).put new_password
|
100
|
-
end
|
101
|
-
|
102
|
-
#@!endgroup
|
103
|
-
|
104
|
-
#@!group Password and API key management
|
105
|
-
|
106
|
-
# Rotate the currently authenticated user or host API key by generating and returning a new one.
|
107
|
-
# The old API key is no longer valid after calling this method. You must have the current
|
108
|
-
# API key or password to perform this operation. This method *does not* affect a user's password.
|
109
|
-
#
|
110
|
-
# @param [String] username the name of the user or host whose API key we want to change
|
111
|
-
# @param [String] password the user's current api key
|
112
|
-
# @param [String] account The organization account.
|
113
|
-
# @return [String] the new API key
|
114
|
-
def rotate_api_key username, password, account: Conjur.configuration.account
|
115
|
-
if Conjur.log
|
116
|
-
Conjur.log << "Rotating API key for self (#{username} in account #{account})\n"
|
117
|
-
end
|
118
|
-
|
119
|
-
url_for(:authn_rotate_own_api_key, account, username, password).put('').body
|
120
|
-
end
|
121
|
-
|
122
|
-
#@!endgroup
|
123
|
-
end
|
124
|
-
end
|
125
|
-
end
|
@@ -1,71 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
# Copyright 2013-2018 CyberArk Ltd.
|
4
|
-
#
|
5
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
-
# you may not use this file except in compliance with the License.
|
7
|
-
# You may obtain a copy of the License at
|
8
|
-
#
|
9
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
-
#
|
11
|
-
# Unless required by applicable law or agreed to in writing, software
|
12
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
-
# See the License for the specific language governing permissions and
|
15
|
-
# limitations under the License.
|
16
|
-
|
17
|
-
require 'conjur/host_factory'
|
18
|
-
|
19
|
-
module Conjur
|
20
|
-
class API
|
21
|
-
#@!group Host Factory
|
22
|
-
|
23
|
-
class << self
|
24
|
-
# Use a host factory token to create a new host. Unlike most other methods, this
|
25
|
-
# method does not require a Conjur access token. The host factory token is the
|
26
|
-
# authentication and authorization to create the host.
|
27
|
-
#
|
28
|
-
# The token must be valid. The host id can be a new host, or an existing host.
|
29
|
-
# If the host already exists, the server verifies that its layer memberships
|
30
|
-
# match the host factory exactly. Then, its API key is rotated and returned with
|
31
|
-
# the response.
|
32
|
-
#
|
33
|
-
# @param [String] token the host factory token.
|
34
|
-
# @param [String] id the id of a new or existing host.
|
35
|
-
# @param options [Hash] additional host creation options.
|
36
|
-
# @return [Host]
|
37
|
-
def host_factory_create_host token, id, options = {}
|
38
|
-
token = token.token if token.is_a?(HostFactoryToken)
|
39
|
-
response = url_for(:host_factory_create_host, token)
|
40
|
-
.post(options.merge(id: id)).body
|
41
|
-
|
42
|
-
attributes = JSON.parse(response)
|
43
|
-
# in v4 'id' is just the identifier
|
44
|
-
host_id = attributes['roleid'] || attributes['id']
|
45
|
-
|
46
|
-
Host.new(host_id, {}).tap do |host|
|
47
|
-
host.attributes = attributes
|
48
|
-
end
|
49
|
-
end
|
50
|
-
|
51
|
-
# Revokes a host factory token. After revocation, the token can no longer be used to
|
52
|
-
# create hosts.
|
53
|
-
#
|
54
|
-
# @param [Hash] credentials authentication credentials of the current user.
|
55
|
-
# @param [String] token the host factory token.
|
56
|
-
def revoke_host_factory_token credentials, token
|
57
|
-
url_for(:host_factory_revoke_token, credentials, token).delete
|
58
|
-
end
|
59
|
-
end
|
60
|
-
|
61
|
-
# Revokes a host factory token. After revocation, the token can no longer be used to
|
62
|
-
# create hosts.
|
63
|
-
#
|
64
|
-
# @param [String] token the host factory token.
|
65
|
-
def revoke_host_factory_token token
|
66
|
-
self.class.revoke_host_factory_token credentials, token
|
67
|
-
end
|
68
|
-
|
69
|
-
#@!endgroup
|
70
|
-
end
|
71
|
-
end
|
data/lib/conjur/api/ldap_sync.rb
DELETED
@@ -1,38 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2018 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
|
22
|
-
module Conjur
|
23
|
-
class API
|
24
|
-
|
25
|
-
# Retrieve the policy for the given LDAP sync
|
26
|
-
# configuration. Configurations created through the Conjur UI are
|
27
|
-
# named +default+, so the default value of +config_name+ can be
|
28
|
-
# used.
|
29
|
-
#
|
30
|
-
# For details on the use of LDAP sync, see
|
31
|
-
# https://developer.conjur.net/reference/services/ldap_sync/ .
|
32
|
-
#
|
33
|
-
# @param [String] config_name the name of the LDAP sync configuration.
|
34
|
-
def ldap_sync_policy config_name: 'default'
|
35
|
-
JSON.parse(url_for(:ldap_sync_policy, credentials, config_name).get)
|
36
|
-
end
|
37
|
-
end
|
38
|
-
end
|
data/lib/conjur/api/policies.rb
DELETED
@@ -1,56 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
require 'conjur/policy_load_result'
|
22
|
-
require 'conjur/policy'
|
23
|
-
|
24
|
-
module Conjur
|
25
|
-
class API
|
26
|
-
#@!group Policy management
|
27
|
-
|
28
|
-
# Append only.
|
29
|
-
POLICY_METHOD_POST = :post
|
30
|
-
# Allow explicit deletion statements, but don't delete implicitly delete data.
|
31
|
-
POLICY_METHOD_PATCH = :patch
|
32
|
-
# Replace the policy entirely, deleting any existing data that is not declared in the new policy.
|
33
|
-
POLICY_METHOD_PUT = :put
|
34
|
-
|
35
|
-
# Load a policy document into the server.
|
36
|
-
#
|
37
|
-
# The modes are support for policy loading:
|
38
|
-
#
|
39
|
-
# * POLICY_METHOD_POST Policy data will be added to the named policy. Deletions are not allowed.
|
40
|
-
# * POLICY_METHOD_PATCH Policy data can be added to or deleted from the named policy. Deletions
|
41
|
-
# are performed by an explicit `!delete` statement.
|
42
|
-
# * POLICY_METHOD_PUT The policy completely replaces the name policy. Policy data which is present
|
43
|
-
# in the server, but not present in the new policy definition, is deleted.
|
44
|
-
#
|
45
|
-
# @param id [String] id of the policy to load.
|
46
|
-
# @param policy [String] YAML-formatted policy definition.
|
47
|
-
# @param account [String] Conjur organization account
|
48
|
-
# @param method [Symbol] Policy load method to use: {POLICY_METHOD_POST} (default), {POLICY_METHOD_PATCH}, or {POLICY_METHOD_PUT}.
|
49
|
-
def load_policy id, policy, account: Conjur.configuration.account, method: POLICY_METHOD_POST
|
50
|
-
request = url_for(:policies_load_policy, credentials, account, id)
|
51
|
-
PolicyLoadResult.new JSON.parse(request.send(method, policy))
|
52
|
-
end
|
53
|
-
|
54
|
-
#@!endgroup
|
55
|
-
end
|
56
|
-
end
|
data/lib/conjur/api/pubkeys.rb
DELETED
@@ -1,53 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
|
22
|
-
module Conjur
|
23
|
-
|
24
|
-
class API
|
25
|
-
class << self
|
26
|
-
# @!group Public Keys
|
27
|
-
|
28
|
-
# Fetch *all* public keys for the user. This method returns a newline delimited
|
29
|
-
# String for compatibility with the authorized_keys SSH format.
|
30
|
-
#
|
31
|
-
#
|
32
|
-
# If the given user does not exist, an empty String will be returned. This is to prevent attackers from determining whether
|
33
|
-
# a user exists.
|
34
|
-
#
|
35
|
-
# ## Permissions
|
36
|
-
# You do not need any special permissions to call this method, since public keys are, well, public.
|
37
|
-
#
|
38
|
-
#
|
39
|
-
# @example
|
40
|
-
# puts api.public_keys('jon')
|
41
|
-
# # ssh-rsa [big long string] jon@albert
|
42
|
-
# # ssh-rsa [big long string] jon@conjurops
|
43
|
-
#
|
44
|
-
# @param [String] username the *unqualified* Conjur username
|
45
|
-
# @return [String] newline delimited public keys
|
46
|
-
def public_keys username, account: Conjur.configuration.account
|
47
|
-
url_for(:public_keys_for_user, account, username).get
|
48
|
-
end
|
49
|
-
|
50
|
-
#@!endgroup
|
51
|
-
end
|
52
|
-
end
|
53
|
-
end
|
data/lib/conjur/api/resources.rb
DELETED
@@ -1,109 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
# Copyright 2013-2018 CyberArk Ltd.
|
4
|
-
#
|
5
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
-
# you may not use this file except in compliance with the License.
|
7
|
-
# You may obtain a copy of the License at
|
8
|
-
#
|
9
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
-
#
|
11
|
-
# Unless required by applicable law or agreed to in writing, software
|
12
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
-
# See the License for the specific language governing permissions and
|
15
|
-
# limitations under the License.
|
16
|
-
|
17
|
-
require 'conjur/resource'
|
18
|
-
|
19
|
-
module Conjur
|
20
|
-
class API
|
21
|
-
include QueryString
|
22
|
-
include BuildObject
|
23
|
-
|
24
|
-
#@!group Resources
|
25
|
-
|
26
|
-
# Find a resource by its id.
|
27
|
-
# @note The id given to this method must be fully qualified.
|
28
|
-
#
|
29
|
-
# ### Permissions
|
30
|
-
#
|
31
|
-
# The resource **must** be visible to the current role. This is the case if the current role is the owner of
|
32
|
-
# the resource, or has any privilege on it.
|
33
|
-
#
|
34
|
-
# @param id [String] a fully qualified resource identifier
|
35
|
-
# @return [Conjur::Resource] the resource, which may or may not exist
|
36
|
-
def resource id
|
37
|
-
build_object id
|
38
|
-
end
|
39
|
-
|
40
|
-
# Find all resources visible to the current role that match the given search criteria.
|
41
|
-
#
|
42
|
-
# ## Full Text Search
|
43
|
-
# Conjur supports full text search over the identifiers and annotation *values*
|
44
|
-
# of resources. For example, if `opts[:search]` is `"pubkeys"`, any resource with
|
45
|
-
# an id containing `"pubkeys"` or an annotation whose value contains `"pubkeys"` will match.
|
46
|
-
#
|
47
|
-
# **Notes**
|
48
|
-
# * Annotation *keys* are *not* indexed for full text search.
|
49
|
-
# * Conjur indexes the content of ids and annotation values by word.
|
50
|
-
# * Only resources visible to the current role (either owned by that role or
|
51
|
-
# having a privilege on it) are returned.
|
52
|
-
# * If you do not provide `:offset` or `:limit`, all records will be returned. For systems
|
53
|
-
# with a huge number of resources, you may want to paginate as shown in the example below.
|
54
|
-
# * If `:offset` is provided and `:limit` is not, 10 records starting at `:offset` will be
|
55
|
-
# returned. You may choose an arbitrarily large number for `:limit`, but the same performance
|
56
|
-
# considerations apply as when omitting `:offset` and `:limit`.
|
57
|
-
#
|
58
|
-
# @example Search for resources annotated with the text "WebService Route"
|
59
|
-
# webservice_routes = api.resources search: "WebService Route"
|
60
|
-
#
|
61
|
-
# @example Restrict the search to 'group' resources
|
62
|
-
# groups = api.resources kind: 'group'
|
63
|
-
#
|
64
|
-
# # Correct behavior:
|
65
|
-
# expect(groups.all?{|g| g.kind == 'group'}).to be_true
|
66
|
-
#
|
67
|
-
# @example Get every single resource in a performant way
|
68
|
-
# resources = []
|
69
|
-
# limit = 25
|
70
|
-
# offset = 0
|
71
|
-
# until (batch = api.resources limit: limit, offset: offset).empty?
|
72
|
-
# offset += batch.length
|
73
|
-
# resources.concat results
|
74
|
-
# end
|
75
|
-
# # do something with your resources
|
76
|
-
#
|
77
|
-
# @param options [Hash] search criteria
|
78
|
-
# @option options [String] :search find resources whose ids or annotations contain this string
|
79
|
-
# @option options [String] :kind find resources whose `kind` matches this string
|
80
|
-
# @option options [Integer] :limit the maximum number of records to return (Conjur may return fewer)
|
81
|
-
# @option options [Integer] :offset offset of the first record to return
|
82
|
-
# @option options [Boolean] :count return a count of records instead of the records themselves when set to true
|
83
|
-
# @return [Array<Conjur::Resource>] the resources matching the criteria given
|
84
|
-
def resources options = {}
|
85
|
-
options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
|
86
|
-
options[:account] ||= Conjur.configuration.account
|
87
|
-
|
88
|
-
host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
|
89
|
-
fail ArgumentError, "host and account are required" unless [host, account].all?
|
90
|
-
%w(host credentials account kind).each do |name|
|
91
|
-
options.delete(name.to_sym)
|
92
|
-
end
|
93
|
-
|
94
|
-
result = JSON.parse(url_for(:resources, credentials, account, kind, options).get)
|
95
|
-
|
96
|
-
result = result['count'] if result.is_a?(Hash)
|
97
|
-
|
98
|
-
if result.is_a?(Numeric)
|
99
|
-
result
|
100
|
-
else
|
101
|
-
result.map do |result|
|
102
|
-
resource(result['id']).tap do |r|
|
103
|
-
r.attributes = result
|
104
|
-
end
|
105
|
-
end
|
106
|
-
end
|
107
|
-
end
|
108
|
-
end
|
109
|
-
end
|
data/lib/conjur/api/roles.rb
DELETED
@@ -1,98 +0,0 @@
|
|
1
|
-
#
|
2
|
-
# Copyright 2013-2017 Conjur Inc
|
3
|
-
#
|
4
|
-
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
-
# this software and associated documentation files (the "Software"), to deal in
|
6
|
-
# the Software without restriction, including without limitation the rights to
|
7
|
-
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
-
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
-
# subject to the following conditions:
|
10
|
-
#
|
11
|
-
# The above copyright notice and this permission notice shall be included in all
|
12
|
-
# copies or substantial portions of the Software.
|
13
|
-
#
|
14
|
-
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
-
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
-
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
-
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
-
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
-
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
-
#
|
21
|
-
require 'conjur/role'
|
22
|
-
|
23
|
-
module Conjur
|
24
|
-
class API
|
25
|
-
include BuildObject
|
26
|
-
|
27
|
-
#@!group Roles
|
28
|
-
|
29
|
-
# Return a {Conjur::Role} representing a role with the given id. Note that the {Conjur::Role} may or
|
30
|
-
# may not exist (see {Conjur::Exists#exists?}).
|
31
|
-
#
|
32
|
-
# ### Permissions
|
33
|
-
#
|
34
|
-
# Because this method returns roles that may or may not exist, it doesn't require any permissions to call it:
|
35
|
-
# in fact, it does not perform an HTTP request (except for authentication if necessary).
|
36
|
-
#
|
37
|
-
# @example Create and show a role
|
38
|
-
# iggy = api.role 'cat:iggy'
|
39
|
-
# iggy.exists? # true
|
40
|
-
# iggy.members.map(&:member).map(&:id) # => ['conjur:user:admin']
|
41
|
-
# api.current_role.id # => 'conjur:user:admin' # creator role is a member of created role.
|
42
|
-
#
|
43
|
-
# @example No permissions are required to call this method
|
44
|
-
# api.current_role # => "user:no-access"
|
45
|
-
#
|
46
|
-
# # current role is only a member of itself, so it can't see other roles.
|
47
|
-
# api.current_role.memberships.count # => 1
|
48
|
-
# admin = api.role 'user:admin' # OK
|
49
|
-
# admin.exists? # => true
|
50
|
-
# admin.members # => RestClient::Forbidden: 403 Forbidden
|
51
|
-
#
|
52
|
-
# @param id [String] a fully qualified role identifier
|
53
|
-
# @return [Conjur::Role] an object representing the role
|
54
|
-
def role id
|
55
|
-
build_object id, default_class: Role
|
56
|
-
end
|
57
|
-
|
58
|
-
# Return a {Conjur::Role} object representing the role (typically a user or host) that this API instance is authenticated
|
59
|
-
# as. This is derived either from the `login` argument to {Conjur::API.new_from_key} or from the contents of the
|
60
|
-
# `token` given to {Conjur::API.new_from_token} or {Conjur::API.new_from_token_file}.
|
61
|
-
#
|
62
|
-
# @example Current role for a user
|
63
|
-
# api = Conjur::API.new_from_key 'jon', 'somepassword'
|
64
|
-
# api.current_role.id # => 'conjur:user:jon'
|
65
|
-
#
|
66
|
-
# @example Current role for a host
|
67
|
-
# host = api.create_host id: 'exapmle-host'
|
68
|
-
#
|
69
|
-
# # Host and User have an `api` method that returns an api with their credentials. Note
|
70
|
-
# # that this only works with a newly created host or user, which has an `api_key` attribute.
|
71
|
-
# host.api.current_role.id # => 'conjur:host:example-host'
|
72
|
-
#
|
73
|
-
# @param [String] account the organization account
|
74
|
-
# @return [Conjur::Role] the authenticated role for this API instance
|
75
|
-
def current_role account
|
76
|
-
self.class.role_from_username self, username, account
|
77
|
-
end
|
78
|
-
|
79
|
-
#@!endgroup
|
80
|
-
|
81
|
-
class << self
|
82
|
-
# @api private
|
83
|
-
def role_from_username api, username, account
|
84
|
-
api.role role_name_from_username(username, account)
|
85
|
-
end
|
86
|
-
|
87
|
-
# @api private
|
88
|
-
def role_name_from_username username, account
|
89
|
-
tokens = username.split('/')
|
90
|
-
if tokens.size == 1
|
91
|
-
[ account, 'user', username ].join(':')
|
92
|
-
else
|
93
|
-
[ account, tokens[0], tokens[1..-1].join('/') ].join(':')
|
94
|
-
end
|
95
|
-
end
|
96
|
-
end
|
97
|
-
end
|
98
|
-
end
|