conjur-api 5.3.8.pre.194 → 5.4.0.pre.341

data/docker-compose.yml

@@ -4,15 +4,36 @@ services:
     image: postgres:9.3
 
   conjur_5:
-    image: cyberark/conjur
+    image: cyberark/conjur:edge
     command: server -a cucumber
     environment:
       DATABASE_URL: postgres://postgres@pg/postgres
       CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs='
     volumes:
       - authn_local_5:/run/authn-local
+      - ./ci/oauth/keycloak:/scripts
     depends_on:
       - pg
+      - keycloak
+
+  keycloak:
+    image: jboss/keycloak:4.3.0.Final
+    environment:
+      - KEYCLOAK_USER=admin
+      - KEYCLOAK_PASSWORD=admin
+      - KEYCLOAK_APP_USER=alice
+      - KEYCLOAK_APP_USER_PASSWORD=alice
+      - KEYCLOAK_APP_USER_EMAIL=alice@conjur.net
+      - DB_VENDOR=H2
+      - KEYCLOAK_CLIENT_ID=conjurClient
+      - KEYCLOAK_REDIRECT_URI=http://conjur_5/authn-oidc/keycloak/cucumber/authenticate
+      - KEYCLOAK_CLIENT_SECRET=1234
+      - KEYCLOAK_SCOPE=openid
+    ports:
+      - "7777:8080"
+    volumes:
+      - ./ci/oauth/keycloak/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone.xml
+      - ./ci/oauth/keycloak:/scripts
 
   conjur_4:
     image: registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
@@ -33,6 +54,7 @@ services:
       - ./features/reports:/src/conjur-api/features/reports
       - ./coverage:/src/conjur-api/coverage
       - authn_local_5:/run/authn-local-5
+      - ./ci/oauth/keycloak:/scripts
     environment:
       CONJUR_APPLIANCE_URL: http://conjur_5
       CONJUR_VERSION: 5

data/features/authenticators.feature

@@ -7,6 +7,7 @@ Feature: List and manage authenticators
     - !webservice conjur/authn-k8s/my-auth
     POLICY
     """
+    And I setup a keycloak authenticator
 
   Scenario: Authenticator list includes the authenticator status
     When I run the code:
@@ -31,3 +32,10 @@ Feature: List and manage authenticators
     $conjur.authenticator_list
     """
     Then the JSON at "enabled" should be ["authn"]
+
+  Scenario: Get a list of OIDC providers
+    When I run the code:
+    """
+    $conjur.authentication_providers("authn-oidc")
+    """
+    Then the providers list contains service id "keycloak"

data/features/authn.feature

@@ -0,0 +1,14 @@
+Feature: Authenticate with Conjur
+
+  Background:
+    Given I setup a keycloak authenticator
+
+  Scenario: Authenticate with OIDC state and code
+    When I retrieve the login url for OIDC authenticator "keycloak"
+    And I retrieve auth info for the OIDC provider with username: "alice" and password: "alice"
+    And I run the code:
+    """
+    $conjur.authenticator_enable "authn-oidc", "keycloak"
+    Conjur::API.authenticator_authenticate("authn-oidc", "keycloak", options: @auth_body)
+    """
+    Then the JSON should have "payload"

data/features/step_definitions/api_steps.rb

@@ -16,3 +16,37 @@ Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
     fail "The provided block did not raise an error"
   end
 end
+
+Given(/^I retrieve the login url for OIDC authenticator "([^"]+)"$/) do |service_id|
+  provider = $conjur.authentication_providers("authn-oidc").select {|provider_details| provider_details["service_id"] == service_id}
+  @login_url = provider[0]["redirect_uri"]
+  puts @login_url
+end
+
+Given(/^I retrieve auth info for the OIDC provider with username: "([^"]+)" and password: "([^"]+)"$/) do |username, password|
+  res = Net::HTTP.get_response(URI(@login_url))
+  raise res if res.is_a?(Net::HTTPError) || res.is_a?(Net::HTTPClientError)
+
+  all_cookies = res.get_fields('set-cookie')
+  puts all_cookies
+  cookies_arrays = Array.new
+  all_cookies.each do |cookie|
+    cookies_arrays.push(cookie.split('; ')[0])
+  end
+
+  html = Nokogiri::HTML(res.body)
+  post_uri = URI(html.xpath('//form').first.attributes['action'].value)
+
+  http = Net::HTTP.new(post_uri.host, post_uri.port)
+  http.use_ssl = true
+  request = Net::HTTP::Post.new(post_uri.request_uri)
+  request['Cookie'] = cookies_arrays.join('; ')
+  request.set_form_data({'username' => username, 'password' => password})
+
+  response = http.request(request)
+
+  if response.is_a?(Net::HTTPRedirection)
+    response_details = URI.decode_www_form(URI(response['location']).query)
+    @auth_body = {state: response_details.assoc('state')[1], code: response_details.assoc('code')[1]}
+  end
+end

data/features/step_definitions/policy_steps.rb

@@ -13,6 +13,15 @@ Given(/^a new user$/) do
   expect(@user_api_key).to be
 end
 
+Given(/^a user "([^"]+)"$/) do |user_id|
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user #{user_id}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
 Given(/^a new delegated user$/) do
   # Create a new host that is owned by that user
   step 'a new user'
@@ -73,3 +82,53 @@ Given(/^a new delegated host$/) do
   @host = $conjur.resource("cucumber:host:#{@host_id}")
   @host.attributes['api_key'] = @host_api_key
 end
+
+Given(/^I setup a keycloak authenticator$/) do
+    $conjur.load_policy 'root', <<-POLICY
+    - !policy 
+      id: conjur/authn-oidc/keycloak
+      body: 
+      - !webservice  
+     
+      - !variable provider-uri 
+      - !variable client-id 
+      - !variable client-secret 
+      - !variable name
+     
+      - !variable claim-mapping 
+       
+      - !variable nonce 
+      - !variable state
+
+      - !variable redirect-uri
+
+      - !group users
+
+      - !permit
+        role: !group users
+        privilege: [ read, authenticate ]
+        resource: !webservice
+
+    - !user alice
+    - !grant
+      role: !group conjur/authn-oidc/keycloak/users
+      member: !user alice
+    POLICY
+    @provider_uri = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/provider-uri")
+    @client_id = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/client-id")
+    @client_secret = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/client-secret")
+    @name = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/name")
+    @claim_mapping = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/claim-mapping")
+    @nonce = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/nonce")
+    @state = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/state")
+    @redirect_uri = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/redirect-uri")
+
+    @provider_uri.add_value "https://keycloak:8443/auth/realms/master"
+    @client_id.add_value "conjurClient"
+    @client_secret.add_value "1234"
+    @claim_mapping.add_value "preferred_username"
+    @nonce.add_value SecureRandom.uuid
+    @state.add_value SecureRandom.uuid
+    @name.add_value "keycloak"
+    @redirect_uri.add_value "http://conjur_5/authn-oidc/keycloak/cucumber/authenticate"
+end

data/features/step_definitions/result_steps.rb

@@ -5,3 +5,7 @@ end
 Then(/^the result should be the public key$/) do
   expect(@result).to eq(@public_key + "\n")
 end
+
+Then(/^the providers list contains service id "([^"]+)"$/) do |service_id|
+  expect(@result.map{ |x| x["service_id"]}).to include(service_id)
+end

data/features/support/env.rb

@@ -1,4 +1,5 @@
 require 'simplecov'
+require 'nokogiri'
 
 SimpleCov.start do
   command_name "#{ENV['RUBY_VERSION']}"

data/lib/conjur/api/authenticators.rb

@@ -13,6 +13,14 @@ module Conjur
       JSON.parse(url_for(:authenticators).get)
     end
 
+    # Fetches the available authentication providers for the authenticator and account.
+    # The authenticators must be loaded in Conjur policy prior to fetching.
+    #
+    # @param [String] authenticator the authenticator type to retrieve providers for
+    def authentication_providers authenticator, account: Conjur.configuration.account
+      JSON.parse(url_for(:authentication_providers, account, authenticator, credentials).get)
+    end
+
     # Enables an authenticator in Conjur. The authenticator must be defined and
     # loaded in Conjur policy prior to enabling it.
     # 

data/lib/conjur/api/authn.rb

@@ -22,6 +22,10 @@ require 'conjur/user'
 
 module Conjur
   class API
+    def whoami
+      JSON.parse(url_for(:whoami, credentials).get)
+    end
+
     class << self
       #@!group Authentication
 
@@ -50,6 +54,21 @@ module Conjur
         url_for(:authn_login, account, username, password).get
       end
 
+      # Authenticates using a third party authenticator like authn-oidc.  It will return an
+      # access token to be used to authenticate further API calls.
+      #
+      # @param [String] authenticator
+      # @param [String] service_id
+      # @param [String] account The organization account.
+      # @param [Hash] params Additional params to send to authenticator
+      # @return [String] A JSON formatted authentication token.
+      def authenticator_authenticate authenticator, service_id, account: Conjur.configuration.account, options: {}
+        if Conjur.log
+          Conjur.log << "Authenticating to account #{account} using #{authenticator}/#{service_id}\n"
+        end
+        JSON.parse url_for(:authenticator_authenticate, account, service_id, authenticator, options).get
+      end
+
       # Exchanges Conjur the API key (refresh token) for an access token.  The access token can
       # then be used to authenticate further API calls.
       #

data/lib/conjur/api/router/v5.rb

@@ -43,6 +43,13 @@ module Conjur
           )[fully_escape account][fully_escape username]['authenticate']
         end
 
+        def authenticator_authenticate(account, service_id, authenticator, options)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )[fully_escape authenticator][fully_escape service_id][fully_escape account]['authenticate'][options_querystring options]
+        end
+
         def authenticator account, authenticator, service_id, credentials
           RestClient::Resource.new(
             Conjur.configuration.core_url,
@@ -57,6 +64,13 @@ module Conjur
           )['authenticators']
         end
 
+        def authentication_providers(account, authenticator, credentials)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[fully_escape authenticator][fully_escape account]['providers']
+        end
+
         # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
         def authn_authenticate_local username, account, expiration, cidr, &block
           { account: account, sub: username }.tap do |params|
@@ -236,6 +250,13 @@ module Conjur
           )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
         end
 
+        def whoami(credentials)
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['whoami']
+        end
+
         private
 
         def resource_annotations resource

data/test.sh

@@ -4,6 +4,7 @@
 # My local RUBY_VERSION is set to ruby-#.#.# so this allows running locally.
 RUBY_VERSION="$(cut -d '-' -f 2 <<< "$RUBY_VERSION")"
 
+source ./ci/oauth/keycloak/keycloak_functions.sh
 
 function finish {
   echo 'Removing test environment'
@@ -54,7 +55,9 @@ function runTests_5() {
   echo '-----'
   docker-compose run --rm \
     -e CONJUR_AUTHN_API_KEY="$api_key" \
-    tester_5 rake jenkins_init jenkins_spec jenkins_cucumber_v5
+    -e SSL_CERT_FILE=/etc/ssl/certs/keycloak.pem \
+    tester_5 \
+    "/scripts/fetch_certificate && rake jenkins_init jenkins_spec jenkins_cucumber_v5"
 }
 
 function runTests_4() {

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 5.3.8.pre.194
+  version: 5.4.0.pre.341
 platform: ruby
 authors:
 - CyberArk Maintainers
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01-31 00:00:00.000000000 Z
+date: 2022-08-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -226,6 +226,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Conjur API
 email:
 - conj_maintainers@cyberark.com
@@ -257,6 +271,12 @@ files:
 - bin/parse-changelog.sh
 - ci/configure_v4.sh
 - ci/configure_v5.sh
+- ci/oauth/keycloak/create_client
+- ci/oauth/keycloak/create_user
+- ci/oauth/keycloak/fetch_certificate
+- ci/oauth/keycloak/keycloak_functions.sh
+- ci/oauth/keycloak/standalone.xml
+- ci/oauth/keycloak/wait_for_server
 - ci/submit-coverage
 - conjur-api.gemspec
 - dev/Dockerfile.dev
@@ -267,6 +287,7 @@ files:
 - example/demo_v4.rb
 - example/demo_v5.rb
 - features/authenticators.feature
+- features/authn.feature
 - features/authn_local.feature
 - features/exists.feature
 - features/group.feature
@@ -378,7 +399,7 @@ homepage: https://github.com/cyberark/conjur-api-ruby/
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -393,13 +414,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
-signing_key: 
+rubygems_version: 3.2.33
+signing_key:
 specification_version: 4
 summary: Conjur API
 test_files:
 - features/authenticators.feature
+- features/authn.feature
 - features/authn_local.feature
 - features/exists.feature
 - features/group.feature