conjur-api 5.3.8.pre.194 → 5.4.0.pre.341

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 55410ede74a66c16a7fec901e52d6b934ff385317c6563610e3143a331a2c379
-  data.tar.gz: bda62f61a578d58845a0f78ede6141aea1c074a02ba5fa74b02ebc95f154aae1
+  metadata.gz: ebf83cd8d162a64929094a300fa96a7d1a3bac22ef728826d0bb4dd2addf3ad9
+  data.tar.gz: b10ff6b557c5cc16879950f638b0cacf7149a4fa68c752125d54f94bea78b298
 SHA512:
-  metadata.gz: e17d66e8b4cddcf0ad19c9c8c4acad960a4392718a03d284fc97be650fd5b4bad590f7fd80cc448a3587c8f1485c3fd23fa7504b2e2ce1e649e65ad540762db3
-  data.tar.gz: 6d46d1442222981f6b36899a6f8cd247dd55dea420c6c621677af2780c750f5d72ebed1d283701be1514a43b646c8ca22ba4998b43c5221e05b25722113b3962
+  metadata.gz: 8e72a11c756d9bbf6517f5a6298a73ede7ef4087d74f021808471fe831d06db86bf23c9cf8f7e5efe78da248d032ec577c51813d5f0bbc12a345701f3d89eb61
+  data.tar.gz: 4614348f7e47a4eb1643740e5015512d9b66413331ab8a7e777047811fdf7370fa40e4e4ae455919cf0fa4398dad754718c0ca44fa3e16f80eb55b0a16d44648

data/.rubocop_settings.yml

@@ -1,5 +1,5 @@
 AllCops:
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 2.7
 
 # These non-default settings best reflect our current code style.
 Style/MethodDefParentheses:

data/CHANGELOG.md

@@ -9,7 +9,19 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
-## [5.3.8] - 2022-01-31
+## [5.4.0] - 2022-08-16
+
+### Added
+- Added support for OIDC V2 authentication endpoint.
+  [cyberark/cojnur-api-ruby#207](https://github.com/cyberark/conjur-api-ruby/pull/207)
+- Added support for OIDC authenticator providers endpoint.
+  [cyberark/cojnur-api-ruby#207](https://github.com/cyberark/conjur-api-ruby/pull/207)
+
+### Changed
+- Remove support for Ruby versions <2.7 which are [end of life](https://endoflife.date/ruby).
+  [cyberark/conjur-api-ruby#206](https://github.com/cyberark/conjur-api-ruby/pull/206)
+- Adding operation call to fetch authentication providers
+  [cyberark/conjur-api-ruby#206](https://github.com/cyberark/conjur-api-ruby/pull/206)
 
 ## [5.3.7] - 2021-12-28
 
@@ -364,7 +376,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [2.0.0] - 2013-13-12
 
-[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...HEAD
+[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.4.0...HEAD
+[5.4.0]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.7...v5.4.0
 [5.3.7]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...v5.3.7
 [5.3.6]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.5...v5.3.6
 [5.3.5]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...v5.3.5

data/CONTRIBUTING.md

@@ -123,11 +123,8 @@ $ docker-compose down
 ### Update the version and changelog
 
 1. Create a new branch for the version bump.
-1. Based on the unreleased content, determine the new version number and update
-    the [version.rb](lib/conjur-api/version.rb) file.
 1. Commit these changes - `Bump version to x.y.z` is an acceptable commit message - and open a PR
-   for review. Your PR should include updates to `lib/conjur-api/version.rb`, and
-    `CHANGELOG.md`.
+   for review. Your PR should include updates to `CHANGELOG.md`.
 
 ### Add a git tag
 

data/Jenkinsfile

@@ -58,40 +58,6 @@ pipeline {
       }
     }
 
-    stage('Test Ruby 2.5') {
-      environment {
-        RUBY_VERSION = '2.5'
-      }
-      steps {
-        sh './test.sh'
-      }
-
-      post {
-        always {
-          junit 'spec/reports/*.xml'
-          junit 'features/reports/*.xml'
-          junit 'features_v4/reports/*.xml'
-        }
-      }
-    }
-
-    stage('Test Ruby 2.6') {
-      environment {
-        RUBY_VERSION = '2.6'
-      }
-      steps {
-        sh './test.sh'
-      }
-
-      post {
-        always {
-          junit 'spec/reports/*.xml'
-          junit 'features/reports/*.xml'
-          junit 'features_v4/reports/*.xml'
-        }
-      }
-    }
-
     stage('Test Ruby 2.7') {
       environment {
         RUBY_VERSION = '2.7'
@@ -149,10 +115,12 @@ pipeline {
       steps {
         release {
           // Clean up all but the calculated VERSION
-          sh '''docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd \
-                -e VERSION \
-                -e bom-assets/ \
-                -e release-assets/ '''
+          sh '''docker run -i --rm -v $(pwd):/src -w /src --entrypoint /bin/sh alpine/git \
+                -c "git config --global --add safe.directory /src && \
+                    git clean -fdx \
+                      -e VERSION \
+                      -e bom-assets/ \
+                      -e release-assets" '''
           sh './publish.sh'
           sh 'cp conjur-api-*.gem release-assets/.'
         }

data/VERSION

@@ -1 +1 @@
-5.3.8-194
+5.4.0-341

data/bin/parse-changelog.sh

@@ -5,7 +5,7 @@ cd "$(dirname "$0")"
 docker run --rm \
   -v "$PWD/..:/work" \
   -w "/work" \
-  ruby:2.5 bash -ec "
+  ruby:2.7 bash -ec "
     gem install -N parse_a_changelog
     parse ./CHANGELOG.md
   "

data/ci/configure_v5.sh

@@ -1,5 +1,7 @@
 #!/bin/bash -e
 
+source ./ci/oauth/keycloak/keycloak_functions.sh
+
 cat << "CONFIGURE" | docker exec -i $(docker-compose ps -q conjur_5) bash
 set -e
 
@@ -12,3 +14,6 @@ done
 # So we fail if the server isn't up yet:
 curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null
 CONFIGURE
+
+fetch_keycloak_certificate
+create_keycloak_users

data/ci/oauth/keycloak/create_client

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+
+keycloak/bin/kcreg.sh config credentials \
+  --server http://localhost:8080/auth \
+  --realm master \
+  --user "$KEYCLOAK_USER" \
+  --password "$KEYCLOAK_PASSWORD"
+
+keycloak/bin/kcreg.sh create \
+  -s clientId="$KEYCLOAK_CLIENT_ID" \
+  -s "redirectUris=[\"$KEYCLOAK_REDIRECT_URI\"]" \
+  -s "secret=$KEYCLOAK_CLIENT_SECRET"
+
+# Enable direct access to get an id token with username & password
+keycloak/bin/kcreg.sh update conjurClient -s directAccessGrantsEnabled=true
+
+keycloak/bin/kcreg.sh get "$KEYCLOAK_CLIENT_ID" | jq '.secret'

data/ci/oauth/keycloak/create_user

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+echo "login as admin with user $KEYCLOAK_USER"
+
+keycloak/bin/kcadm.sh config credentials \
+  --server http://localhost:8080/auth \
+  --realm master \
+  --user "$KEYCLOAK_USER" \
+  --password "$KEYCLOAK_PASSWORD"
+
+echo "creating user $1 with email $3"
+
+keycloak/bin/kcadm.sh create users \
+  -s username="$1" \
+  -s email="$3" \
+  -s enabled=true
+
+echo "setting password of user $1 to $2"
+keycloak/bin/kcadm.sh set-password \
+  --username "$1" \
+  -p "$2"

data/ci/oauth/keycloak/fetch_certificate

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# This script retrieves a certificate from the keycloak OIDC provider
+# and puts it to a trusted operating system store.
+# It is needed to communicate with the provider via SSL for validating ID tokens
+
+openssl s_client \
+  -showcerts \
+  -connect keycloak:8443 \
+  -servername keycloak \
+  </dev/null | \
+  openssl x509 \
+    -outform PEM \
+    >/etc/ssl/certs/keycloak.pem
+
+hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
+
+ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0"

data/ci/oauth/keycloak/keycloak_functions.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+KEYCLOAK_SERVICE_NAME="keycloak"
+
+# Note: the single arg is a nameref, which this function sets to an array
+# containing items of the form "KEY=VAL".
+function _hydrate_keycloak_env_args() {
+  local -n arr=$1
+  local keycloak_items
+
+  readarray -t keycloak_items < <(
+    set -o pipefail
+    # Note: This prints all lines that look like:
+    # KEYCLOAK_XXX=someval
+    docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} printenv | awk '/KEYCLOAK/'
+  )
+
+  # shellcheck disable=SC2034
+  arr=(
+    "${keycloak_items[@]}"
+    "PROVIDER_URI=https://keycloak:8443/auth/realms/master"
+    "PROVIDER_INTERNAL_URI=http://keycloak:8080/auth/realms/master/protocol/openid-connect"
+    "PROVIDER_ISSUER=http://keycloak:8080/auth/realms/master"
+    "ID_TOKEN_USER_PROPERTY=preferred_username"
+  )
+}
+
+# The arguments must be unexpanded variable names.  Eg:
+#
+# _create_keycloak_user '$APP_USER' '$APP_PW' '$APP_EMAIL'
+#
+# This is because those variables are not available to this script. They are
+# available to bash commands run via "docker-compose exec keycloak bash
+# -c...", since they're defined in the docker-compose.yml.
+function _create_keycloak_user() {
+  local user_var=$1
+  local pw_var=$2
+  local email_var=$3
+
+  docker-compose exec -T \
+    ${KEYCLOAK_SERVICE_NAME} \
+    bash -c "/scripts/create_user \"$user_var\" \"$pw_var\" \"$email_var\""
+}
+
+function create_keycloak_users() {
+  echo "Defining keycloak client"
+
+  docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} /scripts/create_client
+
+  echo "Creating user 'alice' in Keycloak"
+
+  # Note: We want to pass the bash command thru without expansion here.
+  # shellcheck disable=SC2016
+  _create_keycloak_user \
+    '$KEYCLOAK_APP_USER' \
+    '$KEYCLOAK_APP_USER_PASSWORD' \
+    '$KEYCLOAK_APP_USER_EMAIL'
+}
+
+function wait_for_keycloak_server() {
+  docker-compose exec -T \
+    ${KEYCLOAK_SERVICE_NAME} /scripts/wait_for_server
+}
+
+function fetch_keycloak_certificate() {
+  # there's a dep on the docker-compose.yml volumes.
+  # Fetch SSL cert to communicate with keycloak (OIDC provider).
+  echo "Initialize keycloak certificate in conjur server"
+  docker-compose exec -T \
+    conjur_5 /scripts/fetch_certificate
+}