conjur-api 5.3.8.pre.3 → 5.3.8.pre.8

Sign up to get free protection for your applications and to get access to all the features.
Files changed (150) hide show
  1. checksums.yaml +4 -4
  2. data/VERSION +1 -1
  3. metadata +2 -193
  4. data/.codeclimate.yml +0 -10
  5. data/.dockerignore +0 -1
  6. data/.github/CODEOWNERS +0 -10
  7. data/.gitignore +0 -32
  8. data/.gitleaks.toml +0 -219
  9. data/.overcommit.yml +0 -16
  10. data/.project +0 -18
  11. data/.rubocop.yml +0 -3
  12. data/.rubocop_settings.yml +0 -86
  13. data/.rubocop_todo.yml +0 -709
  14. data/.yardopts +0 -1
  15. data/CHANGELOG.md +0 -448
  16. data/CONTRIBUTING.md +0 -138
  17. data/Dockerfile +0 -16
  18. data/Gemfile +0 -7
  19. data/Jenkinsfile +0 -137
  20. data/LICENSE +0 -202
  21. data/README.md +0 -162
  22. data/Rakefile +0 -47
  23. data/SECURITY.md +0 -42
  24. data/bin/parse-changelog.sh +0 -12
  25. data/ci/configure_v4.sh +0 -12
  26. data/ci/configure_v5.sh +0 -19
  27. data/ci/oauth/keycloak/create_client +0 -18
  28. data/ci/oauth/keycloak/create_user +0 -21
  29. data/ci/oauth/keycloak/fetch_certificate +0 -18
  30. data/ci/oauth/keycloak/keycloak_functions.sh +0 -71
  31. data/ci/oauth/keycloak/standalone.xml +0 -578
  32. data/ci/oauth/keycloak/wait_for_server +0 -56
  33. data/ci/submit-coverage +0 -36
  34. data/conjur-api.gemspec +0 -41
  35. data/dev/Dockerfile.dev +0 -12
  36. data/dev/docker-compose.yml +0 -56
  37. data/dev/start +0 -22
  38. data/dev/stop +0 -5
  39. data/docker-compose.yml +0 -98
  40. data/example/demo_v4.rb +0 -49
  41. data/example/demo_v5.rb +0 -57
  42. data/features/authenticators.feature +0 -41
  43. data/features/authn.feature +0 -14
  44. data/features/authn_local.feature +0 -32
  45. data/features/exists.feature +0 -37
  46. data/features/group.feature +0 -11
  47. data/features/host.feature +0 -50
  48. data/features/host_factory_create_host.feature +0 -28
  49. data/features/host_factory_token.feature +0 -63
  50. data/features/load_policy.feature +0 -61
  51. data/features/members.feature +0 -51
  52. data/features/new_api.feature +0 -36
  53. data/features/permitted.feature +0 -70
  54. data/features/permitted_roles.feature +0 -30
  55. data/features/public_keys.feature +0 -11
  56. data/features/resource_fields.feature +0 -53
  57. data/features/role_fields.feature +0 -15
  58. data/features/rotate_api_key.feature +0 -13
  59. data/features/step_definitions/api_steps.rb +0 -52
  60. data/features/step_definitions/policy_steps.rb +0 -134
  61. data/features/step_definitions/result_steps.rb +0 -11
  62. data/features/support/env.rb +0 -19
  63. data/features/support/hooks.rb +0 -3
  64. data/features/support/world.rb +0 -12
  65. data/features/update_password.feature +0 -14
  66. data/features/user.feature +0 -58
  67. data/features/variable_fields.feature +0 -20
  68. data/features/variable_value.feature +0 -60
  69. data/features_v4/authn_local.feature +0 -27
  70. data/features_v4/exists.feature +0 -29
  71. data/features_v4/host.feature +0 -18
  72. data/features_v4/host_factory_token.feature +0 -49
  73. data/features_v4/members.feature +0 -39
  74. data/features_v4/permitted.feature +0 -15
  75. data/features_v4/permitted_roles.feature +0 -8
  76. data/features_v4/resource_fields.feature +0 -47
  77. data/features_v4/rotate_api_key.feature +0 -13
  78. data/features_v4/step_definitions/api_steps.rb +0 -17
  79. data/features_v4/step_definitions/result_steps.rb +0 -3
  80. data/features_v4/support/env.rb +0 -23
  81. data/features_v4/support/policy.yml +0 -34
  82. data/features_v4/support/world.rb +0 -12
  83. data/features_v4/variable_fields.feature +0 -11
  84. data/features_v4/variable_value.feature +0 -54
  85. data/lib/conjur/acts_as_resource.rb +0 -123
  86. data/lib/conjur/acts_as_role.rb +0 -142
  87. data/lib/conjur/acts_as_rolsource.rb +0 -32
  88. data/lib/conjur/acts_as_user.rb +0 -68
  89. data/lib/conjur/api/authenticators.rb +0 -43
  90. data/lib/conjur/api/authn.rb +0 -144
  91. data/lib/conjur/api/host_factories.rb +0 -71
  92. data/lib/conjur/api/ldap_sync.rb +0 -38
  93. data/lib/conjur/api/policies.rb +0 -56
  94. data/lib/conjur/api/pubkeys.rb +0 -53
  95. data/lib/conjur/api/resources.rb +0 -109
  96. data/lib/conjur/api/roles.rb +0 -98
  97. data/lib/conjur/api/router/v4.rb +0 -206
  98. data/lib/conjur/api/router/v5.rb +0 -269
  99. data/lib/conjur/api/variables.rb +0 -59
  100. data/lib/conjur/api.rb +0 -105
  101. data/lib/conjur/base.rb +0 -355
  102. data/lib/conjur/base_object.rb +0 -57
  103. data/lib/conjur/build_object.rb +0 -47
  104. data/lib/conjur/cache.rb +0 -26
  105. data/lib/conjur/cert_utils.rb +0 -63
  106. data/lib/conjur/cidr.rb +0 -71
  107. data/lib/conjur/configuration.rb +0 -460
  108. data/lib/conjur/escape.rb +0 -129
  109. data/lib/conjur/exceptions.rb +0 -4
  110. data/lib/conjur/group.rb +0 -41
  111. data/lib/conjur/has_attributes.rb +0 -98
  112. data/lib/conjur/host.rb +0 -27
  113. data/lib/conjur/host_factory.rb +0 -75
  114. data/lib/conjur/host_factory_token.rb +0 -78
  115. data/lib/conjur/id.rb +0 -71
  116. data/lib/conjur/layer.rb +0 -9
  117. data/lib/conjur/log.rb +0 -72
  118. data/lib/conjur/log_source.rb +0 -60
  119. data/lib/conjur/policy.rb +0 -34
  120. data/lib/conjur/policy_load_result.rb +0 -61
  121. data/lib/conjur/query_string.rb +0 -12
  122. data/lib/conjur/resource.rb +0 -29
  123. data/lib/conjur/role.rb +0 -29
  124. data/lib/conjur/role_grant.rb +0 -85
  125. data/lib/conjur/routing.rb +0 -29
  126. data/lib/conjur/user.rb +0 -40
  127. data/lib/conjur/variable.rb +0 -208
  128. data/lib/conjur/webservice.rb +0 -30
  129. data/lib/conjur-api/version.rb +0 -24
  130. data/lib/conjur-api.rb +0 -2
  131. data/publish.sh +0 -5
  132. data/spec/api/host_factories_spec.rb +0 -34
  133. data/spec/api_spec.rb +0 -254
  134. data/spec/base_object_spec.rb +0 -13
  135. data/spec/cert_utils_spec.rb +0 -173
  136. data/spec/cidr_spec.rb +0 -34
  137. data/spec/configuration_spec.rb +0 -330
  138. data/spec/has_attributes_spec.rb +0 -63
  139. data/spec/helpers/errors_matcher.rb +0 -34
  140. data/spec/helpers/request_helpers.rb +0 -10
  141. data/spec/id_spec.rb +0 -29
  142. data/spec/ldap_sync_spec.rb +0 -21
  143. data/spec/log_source_spec.rb +0 -13
  144. data/spec/log_spec.rb +0 -42
  145. data/spec/roles_spec.rb +0 -24
  146. data/spec/spec_helper.rb +0 -113
  147. data/spec/ssl_spec.rb +0 -109
  148. data/spec/uri_escape_spec.rb +0 -21
  149. data/test.sh +0 -76
  150. data/tmp/.keep +0 -0
@@ -1,142 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- # Copyright 2013-2018 CyberArk Ltd.
4
- #
5
- # Licensed under the Apache License, Version 2.0 (the "License");
6
- # you may not use this file except in compliance with the License.
7
- # You may obtain a copy of the License at
8
- #
9
- # http://www.apache.org/licenses/LICENSE-2.0
10
- #
11
- # Unless required by applicable law or agreed to in writing, software
12
- # distributed under the License is distributed on an "AS IS" BASIS,
13
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
- # See the License for the specific language governing permissions and
15
- # limitations under the License.
16
-
17
- module Conjur
18
-
19
- # This module provides methods for things that have an associated {Conjur::Role}.
20
- #
21
- # All high level Conjur assets (groups and users, for example) are composed of both a role and a resource. This allows
22
- # these assets to have permissions on other assets, and for other assets to have permission
23
- # on them.
24
- #
25
- # The {Conjur::ActsAsRole} module itself should be considered private, but it's methods are
26
- # public when added to a Conjur asset class.
27
- module ActsAsRole
28
-
29
- # Login name of the role. This is formed from the role kind and role id.
30
- # For users, the role kind can be omitted.
31
- def login
32
- [ kind, identifier ].delete_if{|t| t == "user"}.join('/')
33
- end
34
-
35
- # Check whether this object exists by performing a HEAD request to its URL.
36
- #
37
- # This method will return false if the object doesn't exist.
38
- #
39
- # @example
40
- # does_not_exist = api.user 'does-not-exist' # This returns without error.
41
- #
42
- # # this is wrong!
43
- # owner = does_not_exist.members # raises RestClient::ResourceNotFound
44
- #
45
- # # this is right!
46
- # owner = if does_not_exist.exists?
47
- # does_not_exist.members
48
- # else
49
- # nil # or some sensible default
50
- # end
51
- #
52
- # @return [Boolean] does it exist?
53
- def exists?
54
- begin
55
- rbac_role_resource.head
56
- true
57
- rescue RestClient::Forbidden
58
- true
59
- rescue RestClient::ResourceNotFound
60
- false
61
- end
62
- end
63
-
64
- # Find all roles of which this role is a member. By default, role relationships are recursively expanded,
65
- # so if `a` is a member of `b`, and `b` is a member of `c`, `a.all` will include `c`.
66
- #
67
- # ### Permissions
68
- # You must be a member of the role to call this method.
69
- #
70
- # You can restrict the roles returned to one or more role ids. This feature is mainly useful
71
- # for checking whether this role is a member of any of a set of roles.
72
- #
73
- # ### Options
74
- #
75
- # * **recursive** Defaults to +true+, performs recursive expansion of the memberships.
76
- #
77
- # @example Show all roles of which `"conjur:group:pubkeys-1.0/key-managers"` is a member
78
- # # Add alice to the group, so we see something interesting
79
- # key_managers = api.group('pubkeys-1.0/key-managers')
80
- # key_managers.add_member api.user('alice')
81
- #
82
- # # Show the memberships, mapped to the member ids.
83
- # key_managers.role.all.map(&:id)
84
- # # => ["conjur:group:pubkeys-1.0/admin", "conjur:user:alice"]
85
- #
86
- # @example See if role `"conjur:user:alice"` is a member of either `"conjur:groups:developers"` or `"conjur:group:ops"`
87
- # is_member = api.role('conjur:user:alice').all(filter: ['conjur:group:developers', 'conjur:group:ops']).any?
88
- #
89
- # @param [Hash] options options for the request
90
- # @return [Array<Conjur::Role>] Roles of which this role is a member
91
- def memberships options = {}
92
- request = if options.delete(:recursive) == false
93
- options["memberships"] = true
94
- else
95
- options["all"] = true
96
- end
97
- if filter = options.delete(:filter)
98
- filter = [filter] unless filter.is_a?(Array)
99
- options["filter"] = filter.map(&Id.method(:new))
100
- end
101
-
102
- result = JSON.parse(rbac_role_resource[options_querystring options].get)
103
- if result.is_a?(Hash) && ( count = result['count'] )
104
- count
105
- else
106
- host = Conjur.configuration.core_url
107
- result.collect do |item|
108
- if item.is_a?(String)
109
- build_object(item, default_class: Role)
110
- else
111
- RoleGrant.parse_from_json(item, self.options)
112
- end
113
- end
114
- end
115
- end
116
-
117
- # Fetch the direct members of this role. The results are *not* recursively expanded).
118
- #
119
- # ### Permissions
120
- # You must be a member of the role to call this method.
121
- #
122
- # @param options [Hash, nil] extra parameters to pass to the webservice method.
123
- # @return [Array<Conjur::RoleGrant>] the role memberships
124
- # @raise [RestClient::Forbidden] if you don't have permission to perform this operation
125
- def members options = {}
126
- options["members"] = true
127
- result = JSON.parse(rbac_role_resource[options_querystring options].get)
128
- if result.is_a?(Hash) && ( count = result['count'] )
129
- count
130
- else
131
- parser_for(:members, credentials, result)
132
- end
133
- end
134
-
135
- private
136
-
137
- # RestClient::Resource for RBAC role operations.
138
- def rbac_role_resource
139
- url_for(:roles_role, credentials, id)
140
- end
141
- end
142
- end
@@ -1,32 +0,0 @@
1
- #
2
- # Copyright (C) 2013-2017 Conjur Inc
3
- #
4
- # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
- # this software and associated documentation files (the "Software"), to deal in
6
- # the Software without restriction, including without limitation the rights to
7
- # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
- # the Software, and to permit persons to whom the Software is furnished to do so,
9
- # subject to the following conditions:
10
- #
11
- # The above copyright notice and this permission notice shall be included in all
12
- # copies or substantial portions of the Software.
13
- #
14
- # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
- # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
- # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
- # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
- # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
- # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
- #
21
- module Conjur
22
-
23
- # This module provides methods for things that have an associated {Conjur::Role} and
24
- # {Conjur::Resource}.
25
- module ActsAsRolsource
26
- # @api private
27
- def self.included(base)
28
- base.include ActsAsRole
29
- base.include ActsAsResource
30
- end
31
- end
32
- end
@@ -1,68 +0,0 @@
1
- #
2
- # Copyright 2013-2017 Conjur Inc
3
- #
4
- # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
- # this software and associated documentation files (the "Software"), to deal in
6
- # the Software without restriction, including without limitation the rights to
7
- # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
- # the Software, and to permit persons to whom the Software is furnished to do so,
9
- # subject to the following conditions:
10
- #
11
- # The above copyright notice and this permission notice shall be included in all
12
- # copies or substantial portions of the Software.
13
- #
14
- # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
- # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
- # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
- # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
- # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
- # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
- #
21
- module Conjur
22
- # This module provides methods for things that are like users (specifically, those that have
23
- # api keys).
24
- module ActsAsUser
25
- # @api private
26
- def self.included(base)
27
- base.include ActsAsRolsource
28
- end
29
-
30
- # Returns a newly created user's api_key.
31
- #
32
- # @note The API key is not returned by {API#resource}. It is only available
33
- # via {API#login}, when the object is newly created, and when the API key is rotated.
34
- #
35
- # @return [String] the api key
36
- # @raise [Exception] when the object isn't newly created.
37
- def api_key
38
- attributes['api_key'] or raise "api_key is only available on a newly created #{kind}"
39
- end
40
-
41
- # Create an api logged in as this user-like thing.
42
- #
43
- # @note As with {#api_key}, this method only works on newly created instances.
44
- # @see #api_key
45
- # @return [Conjur::API] an api logged in as this user-like thing.
46
- def api
47
- Conjur::API.new_from_key login, api_key, account: account
48
- end
49
-
50
- # Rotate this role's API key. You must have `update` permission on the user to do so.
51
- #
52
- # @note You will not be able to access the API key returned by this method later, so you should
53
- # probably hang onto it it.
54
- #
55
- # @note You cannot rotate your own API key with this method. To do so, use `Conjur::API.rotate_api_key`.
56
- #
57
- # @note This feature requires a Conjur appliance running version 4.6 or higher.
58
- #
59
- # @return [String] the new API key for this user.
60
- def rotate_api_key
61
- if login == username
62
- raise 'You cannot rotate your own API key via this method. To do so, use `Conjur::API.rotate_api_key`'
63
- end
64
-
65
- url_for(:authn_rotate_api_key, credentials, account, id).put("").body
66
- end
67
- end
68
- end
@@ -1,43 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require 'conjur/webservice'
4
-
5
- module Conjur
6
- # API contains each of the methods for access the Conjur API endpoints
7
- #-- :reek:DataClump for authenticator identifier fields (name, id, account)
8
- class API
9
- # @!group Authenticators
10
-
11
- # List all configured authenticators
12
- def authenticator_list
13
- JSON.parse(url_for(:authenticators).get)
14
- end
15
-
16
- # Fetches the available authentication providers for the authenticator and account.
17
- # The authenticators must be loaded in Conjur policy prior to fetching.
18
- #
19
- # @param [String] authenticator the authenticator type to retrieve providers for
20
- def authentication_providers authenticator, account: Conjur.configuration.account
21
- JSON.parse(url_for(:authentication_providers, account, authenticator, credentials).get)
22
- end
23
-
24
- # Enables an authenticator in Conjur. The authenticator must be defined and
25
- # loaded in Conjur policy prior to enabling it.
26
- #
27
- # @param [String] authenticator the authenticator type to enable (e.g. authn-k8s)
28
- # @param [String] id the service ID of the authenticator to enable
29
- def authenticator_enable authenticator, id, account: Conjur.configuration.account
30
- url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: true)
31
- end
32
-
33
- # Disables an authenticator in Conjur.
34
- #
35
- # @param [String] authenticator the authenticator type to disable (e.g. authn-k8s)
36
- # @param [String] id the service ID of the authenticator to disable
37
- def authenticator_disable authenticator, id, account: Conjur.configuration.account
38
- url_for(:authenticator, account, authenticator, id, credentials).patch(enabled: false)
39
- end
40
-
41
- # @!endgroup
42
- end
43
- end
@@ -1,144 +0,0 @@
1
- #
2
- # Copyright 2013-2017 Conjur Inc
3
- #
4
- # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
- # this software and associated documentation files (the "Software"), to deal in
6
- # the Software without restriction, including without limitation the rights to
7
- # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
- # the Software, and to permit persons to whom the Software is furnished to do so,
9
- # subject to the following conditions:
10
- #
11
- # The above copyright notice and this permission notice shall be included in all
12
- # copies or substantial portions of the Software.
13
- #
14
- # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
- # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
- # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
- # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
- # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
- # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
- #
21
- require 'conjur/user'
22
-
23
- module Conjur
24
- class API
25
- def whoami
26
- JSON.parse(url_for(:whoami, credentials).get)
27
- end
28
-
29
- class << self
30
- #@!group Authentication
31
-
32
- # Exchanges a username and a password for an api key. The api key
33
- # is preferable for storage and use in code, as it can be rotated and has far greater entropy than
34
- # a user memorizable password.
35
- #
36
- # * Note that this method works only for {Conjur::User}s. While
37
- # {Conjur::Host}s are roles, they do not have passwords.
38
- # * If you pass an api key to this method instead of a password, it will verify and return the API key.
39
- # * This method uses HTTP Basic Authentication to send the credentials.
40
- #
41
- # @example
42
- # bob_api_key = Conjur::API.login('bob', 'bob_password')
43
- # bob_api_key == Conjur::API.login('bob', bob_api_key) # => true
44
- #
45
- # @param [String] username The `username` or `login` for the
46
- # {http://developer.conjur.net/reference/services/directory/user Conjur User}.
47
- # @param [String] password The `password` or `api key` to authenticate with.
48
- # @param [String] account The organization account.
49
- # @return [String] the API key.
50
- def login username, password, account: Conjur.configuration.account
51
- if Conjur.log
52
- Conjur.log << "Logging in #{username} to account #{account} via Basic authentication\n"
53
- end
54
- url_for(:authn_login, account, username, password).get
55
- end
56
-
57
- # Authenticates using a third party authenticator like authn-oidc. It will return an
58
- # access token to be used to authenticate further API calls.
59
- #
60
- # @param [String] authenticator
61
- # @param [String] service_id
62
- # @param [String] account The organization account.
63
- # @param [Hash] params Additional params to send to authenticator
64
- # @return [String] A JSON formatted authentication token.
65
- def authenticator_authenticate authenticator, service_id, account: Conjur.configuration.account, options: {}
66
- if Conjur.log
67
- Conjur.log << "Authenticating to account #{account} using #{authenticator}/#{service_id}\n"
68
- end
69
- JSON.parse url_for(:authenticator_authenticate, account, service_id, authenticator, options).get
70
- end
71
-
72
- # Exchanges Conjur the API key (refresh token) for an access token. The access token can
73
- # then be used to authenticate further API calls.
74
- #
75
- # @param [String] username The username or host id for which we want a token
76
- # @param [String] api_key The api key
77
- # @param [String] account The organization account.
78
- # @return [String] A JSON formatted authentication token.
79
- def authenticate username, api_key, account: Conjur.configuration.account
80
- account ||= Conjur.configuration.account
81
- if Conjur.log
82
- Conjur.log << "Authenticating #{username} to account #{account}\n"
83
- end
84
- JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
85
- end
86
-
87
- # Obtains an access token from the +authn_local+ service. The access token can
88
- # then be used to authenticate further API calls.
89
- #
90
- # @param [String] username The username or host id for which we want a token
91
- # @param [String] account The organization account.
92
- # @return [String] A JSON formatted authentication token.
93
- def authenticate_local username, account: Conjur.configuration.account, expiration: nil, cidr: nil
94
- account ||= Conjur.configuration.account
95
- if Conjur.log
96
- Conjur.log << "Authenticating #{username} to account #{account} using authn_local\n"
97
- end
98
-
99
- require 'json'
100
- require 'socket'
101
- message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
102
- JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
103
- end
104
-
105
- # Change a user's password. To do this, you must have the user's current password. This does not change or rotate
106
- # api keys. However, you *can* use the user's api key as the *current* password, if the user was not created
107
- # with a password.
108
- #
109
- # @param [String] username the name of the user whose password we want to change.
110
- # @param [String] password the user's *current* password *or* api key.
111
- # @param [String] new_password the new password for the user.
112
- # @param [String] account The organization account.
113
- # @return [void]
114
- def update_password username, password, new_password, account: Conjur.configuration.account
115
- if Conjur.log
116
- Conjur.log << "Updating password for #{username} in account #{account}\n"
117
- end
118
- url_for(:authn_update_password, account, username, password).put new_password
119
- end
120
-
121
- #@!endgroup
122
-
123
- #@!group Password and API key management
124
-
125
- # Rotate the currently authenticated user or host API key by generating and returning a new one.
126
- # The old API key is no longer valid after calling this method. You must have the current
127
- # API key or password to perform this operation. This method *does not* affect a user's password.
128
- #
129
- # @param [String] username the name of the user or host whose API key we want to change
130
- # @param [String] password the user's current api key
131
- # @param [String] account The organization account.
132
- # @return [String] the new API key
133
- def rotate_api_key username, password, account: Conjur.configuration.account
134
- if Conjur.log
135
- Conjur.log << "Rotating API key for self (#{username} in account #{account})\n"
136
- end
137
-
138
- url_for(:authn_rotate_own_api_key, account, username, password).put('').body
139
- end
140
-
141
- #@!endgroup
142
- end
143
- end
144
- end
@@ -1,71 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- # Copyright 2013-2018 CyberArk Ltd.
4
- #
5
- # Licensed under the Apache License, Version 2.0 (the "License");
6
- # you may not use this file except in compliance with the License.
7
- # You may obtain a copy of the License at
8
- #
9
- # http://www.apache.org/licenses/LICENSE-2.0
10
- #
11
- # Unless required by applicable law or agreed to in writing, software
12
- # distributed under the License is distributed on an "AS IS" BASIS,
13
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
- # See the License for the specific language governing permissions and
15
- # limitations under the License.
16
-
17
- require 'conjur/host_factory'
18
-
19
- module Conjur
20
- class API
21
- #@!group Host Factory
22
-
23
- class << self
24
- # Use a host factory token to create a new host. Unlike most other methods, this
25
- # method does not require a Conjur access token. The host factory token is the
26
- # authentication and authorization to create the host.
27
- #
28
- # The token must be valid. The host id can be a new host, or an existing host.
29
- # If the host already exists, the server verifies that its layer memberships
30
- # match the host factory exactly. Then, its API key is rotated and returned with
31
- # the response.
32
- #
33
- # @param [String] token the host factory token.
34
- # @param [String] id the id of a new or existing host.
35
- # @param options [Hash] additional host creation options.
36
- # @return [Host]
37
- def host_factory_create_host token, id, options = {}
38
- token = token.token if token.is_a?(HostFactoryToken)
39
- response = url_for(:host_factory_create_host, token)
40
- .post(options.merge(id: id)).body
41
-
42
- attributes = JSON.parse(response)
43
- # in v4 'id' is just the identifier
44
- host_id = attributes['roleid'] || attributes['id']
45
-
46
- Host.new(host_id, {}).tap do |host|
47
- host.attributes = attributes
48
- end
49
- end
50
-
51
- # Revokes a host factory token. After revocation, the token can no longer be used to
52
- # create hosts.
53
- #
54
- # @param [Hash] credentials authentication credentials of the current user.
55
- # @param [String] token the host factory token.
56
- def revoke_host_factory_token credentials, token
57
- url_for(:host_factory_revoke_token, credentials, token).delete
58
- end
59
- end
60
-
61
- # Revokes a host factory token. After revocation, the token can no longer be used to
62
- # create hosts.
63
- #
64
- # @param [String] token the host factory token.
65
- def revoke_host_factory_token token
66
- self.class.revoke_host_factory_token credentials, token
67
- end
68
-
69
- #@!endgroup
70
- end
71
- end
@@ -1,38 +0,0 @@
1
- #
2
- # Copyright 2013-2018 Conjur Inc
3
- #
4
- # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
- # this software and associated documentation files (the "Software"), to deal in
6
- # the Software without restriction, including without limitation the rights to
7
- # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
- # the Software, and to permit persons to whom the Software is furnished to do so,
9
- # subject to the following conditions:
10
- #
11
- # The above copyright notice and this permission notice shall be included in all
12
- # copies or substantial portions of the Software.
13
- #
14
- # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
- # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
- # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
- # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
- # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
- # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
- #
21
-
22
- module Conjur
23
- class API
24
-
25
- # Retrieve the policy for the given LDAP sync
26
- # configuration. Configurations created through the Conjur UI are
27
- # named +default+, so the default value of +config_name+ can be
28
- # used.
29
- #
30
- # For details on the use of LDAP sync, see
31
- # https://developer.conjur.net/reference/services/ldap_sync/ .
32
- #
33
- # @param [String] config_name the name of the LDAP sync configuration.
34
- def ldap_sync_policy config_name: 'default'
35
- JSON.parse(url_for(:ldap_sync_policy, credentials, config_name).get)
36
- end
37
- end
38
- end
@@ -1,56 +0,0 @@
1
- #
2
- # Copyright 2013-2017 Conjur Inc
3
- #
4
- # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
- # this software and associated documentation files (the "Software"), to deal in
6
- # the Software without restriction, including without limitation the rights to
7
- # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
- # the Software, and to permit persons to whom the Software is furnished to do so,
9
- # subject to the following conditions:
10
- #
11
- # The above copyright notice and this permission notice shall be included in all
12
- # copies or substantial portions of the Software.
13
- #
14
- # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
- # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
- # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
- # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
- # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
- # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
- #
21
- require 'conjur/policy_load_result'
22
- require 'conjur/policy'
23
-
24
- module Conjur
25
- class API
26
- #@!group Policy management
27
-
28
- # Append only.
29
- POLICY_METHOD_POST = :post
30
- # Allow explicit deletion statements, but don't delete implicitly delete data.
31
- POLICY_METHOD_PATCH = :patch
32
- # Replace the policy entirely, deleting any existing data that is not declared in the new policy.
33
- POLICY_METHOD_PUT = :put
34
-
35
- # Load a policy document into the server.
36
- #
37
- # The modes are support for policy loading:
38
- #
39
- # * POLICY_METHOD_POST Policy data will be added to the named policy. Deletions are not allowed.
40
- # * POLICY_METHOD_PATCH Policy data can be added to or deleted from the named policy. Deletions
41
- # are performed by an explicit `!delete` statement.
42
- # * POLICY_METHOD_PUT The policy completely replaces the name policy. Policy data which is present
43
- # in the server, but not present in the new policy definition, is deleted.
44
- #
45
- # @param id [String] id of the policy to load.
46
- # @param policy [String] YAML-formatted policy definition.
47
- # @param account [String] Conjur organization account
48
- # @param method [Symbol] Policy load method to use: {POLICY_METHOD_POST} (default), {POLICY_METHOD_PATCH}, or {POLICY_METHOD_PUT}.
49
- def load_policy id, policy, account: Conjur.configuration.account, method: POLICY_METHOD_POST
50
- request = url_for(:policies_load_policy, credentials, account, id)
51
- PolicyLoadResult.new JSON.parse(request.send(method, policy))
52
- end
53
-
54
- #@!endgroup
55
- end
56
- end
@@ -1,53 +0,0 @@
1
- #
2
- # Copyright 2013-2017 Conjur Inc
3
- #
4
- # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
- # this software and associated documentation files (the "Software"), to deal in
6
- # the Software without restriction, including without limitation the rights to
7
- # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
- # the Software, and to permit persons to whom the Software is furnished to do so,
9
- # subject to the following conditions:
10
- #
11
- # The above copyright notice and this permission notice shall be included in all
12
- # copies or substantial portions of the Software.
13
- #
14
- # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
- # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
- # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
- # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
- # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
- # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
- #
21
-
22
- module Conjur
23
-
24
- class API
25
- class << self
26
- # @!group Public Keys
27
-
28
- # Fetch *all* public keys for the user. This method returns a newline delimited
29
- # String for compatibility with the authorized_keys SSH format.
30
- #
31
- #
32
- # If the given user does not exist, an empty String will be returned. This is to prevent attackers from determining whether
33
- # a user exists.
34
- #
35
- # ## Permissions
36
- # You do not need any special permissions to call this method, since public keys are, well, public.
37
- #
38
- #
39
- # @example
40
- # puts api.public_keys('jon')
41
- # # ssh-rsa [big long string] jon@albert
42
- # # ssh-rsa [big long string] jon@conjurops
43
- #
44
- # @param [String] username the *unqualified* Conjur username
45
- # @return [String] newline delimited public keys
46
- def public_keys username, account: Conjur.configuration.account
47
- url_for(:public_keys_for_user, account, username).get
48
- end
49
-
50
- #@!endgroup
51
- end
52
- end
53
- end