conjur-api 5.3.8.pre.3 → 5.3.8.pre.8

data/lib/conjur/api/resources.rb

@@ -1,109 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2013-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-require 'conjur/resource'
-
-module Conjur
-  class API
-    include QueryString
-    include BuildObject
-
-    #@!group Resources
-
-    # Find a resource by its id.
-    # @note The id given to this method must be fully qualified.
-    #
-    # ### Permissions
-    #
-    # The resource **must** be visible to the current role.  This is the case if the current role is the owner of
-    # the resource, or has any privilege on it.
-    #
-    # @param id [String] a fully qualified resource identifier
-    # @return [Conjur::Resource] the resource, which may or may not exist
-    def resource id
-      build_object id
-    end
-
-    # Find all resources visible to the current role that match the given search criteria.
-    #
-    # ## Full Text Search
-    # Conjur supports full text search over the identifiers and annotation *values*
-    # of resources.  For example, if `opts[:search]` is `"pubkeys"`, any resource with
-    # an id containing `"pubkeys"` or an annotation whose value contains `"pubkeys"` will match.
-    #
-    # **Notes**
-    #   * Annotation *keys* are *not* indexed for full text search.
-    #   * Conjur indexes the content of ids and annotation values by word.
-    #   * Only resources visible to the current role (either owned by that role or
-    #       having a privilege on it) are returned.
-    #   * If you do not provide `:offset` or `:limit`, all records will be returned. For systems
-    #       with a huge number of resources, you may want to paginate as shown in the example below.
-    #   * If `:offset` is provided and `:limit` is not, 10 records starting at `:offset` will be
-    #       returned.  You may choose an arbitrarily large number for `:limit`, but the same performance
-    #       considerations apply as when omitting `:offset` and `:limit`.
-    #
-    # @example Search for resources annotated with the text "WebService Route"
-    #    webservice_routes = api.resources search: "WebService Route"
-    #
-    # @example Restrict the search to 'group' resources
-    #   groups = api.resources kind: 'group'
-    #
-    #   # Correct behavior:
-    #   expect(groups.all?{|g| g.kind == 'group'}).to be_true
-    #
-    # @example Get every single resource in a performant way
-    #   resources = []
-    #   limit = 25
-    #   offset = 0
-    #   until (batch = api.resources limit: limit, offset: offset).empty?
-    #     offset += batch.length
-    #     resources.concat results
-    #   end
-    #   # do something with your resources
-    #
-    # @param options [Hash] search criteria
-    # @option options [String]   :search find resources whose ids or annotations contain this string
-    # @option options [String]   :kind find resources whose `kind` matches this string
-    # @option options [Integer]  :limit the maximum number of records to return (Conjur may return fewer)
-    # @option options [Integer]  :offset offset of the first record to return
-    # @option options [Boolean]  :count return a count of records instead of the records themselves when set to true
-    # @return [Array<Conjur::Resource>] the resources matching the criteria given
-    def resources options = {}
-      options = { host: Conjur.configuration.core_url, credentials: credentials }.merge options
-      options[:account] ||= Conjur.configuration.account
-
-      host, credentials, account, kind = options.values_at(*[:host, :credentials, :account, :kind])
-      fail ArgumentError, "host and account are required" unless [host, account].all?
-      %w(host credentials account kind).each do |name|
-        options.delete(name.to_sym)
-      end
-
-      result = JSON.parse(url_for(:resources, credentials, account, kind, options).get)
-
-      result = result['count'] if result.is_a?(Hash)
-
-      if result.is_a?(Numeric)
-        result
-      else
-        result.map do |result|
-          resource(result['id']).tap do |r|
-            r.attributes = result
-          end
-        end
-      end
-    end
-  end
-end

data/lib/conjur/api/roles.rb

@@ -1,98 +0,0 @@
-#
-# Copyright 2013-2017 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/role'
-
-module Conjur
-  class API
-    include BuildObject
-
-    #@!group Roles
-
-    # Return a {Conjur::Role} representing a role with the given id.  Note that the {Conjur::Role} may or
-    # may not exist (see {Conjur::Exists#exists?}).
-    #
-    # ### Permissions
-    #
-    # Because this method returns roles that may or may not exist, it doesn't require any permissions to call it:
-    # in fact, it does not perform an HTTP request (except for authentication if necessary).
-    #
-    # @example Create and show a role
-    #   iggy = api.role 'cat:iggy'
-    #   iggy.exists? # true
-    #   iggy.members.map(&:member).map(&:id) # => ['conjur:user:admin']
-    #   api.current_role.id # => 'conjur:user:admin' # creator role is a member of created role.
-    #
-    # @example No permissions are required to call this method
-    #   api.current_role # => "user:no-access"
-    #
-    #   # current role is only a member of itself, so it can't see other roles.
-    #   api.current_role.memberships.count # => 1
-    #   admin = api.role 'user:admin' # OK
-    #   admin.exists? # => true
-    #   admin.members # => RestClient::Forbidden: 403 Forbidden
-    #
-    # @param id [String] a fully qualified role identifier
-    # @return [Conjur::Role] an object representing the role
-    def role id
-      build_object id, default_class: Role
-    end
-
-    # Return a {Conjur::Role} object representing the role (typically a user or host) that this API instance is authenticated
-    # as.  This is derived either from the `login` argument to {Conjur::API.new_from_key} or from the contents of the
-    # `token` given to {Conjur::API.new_from_token} or {Conjur::API.new_from_token_file}.
-    #
-    # @example Current role for a user
-    #   api = Conjur::API.new_from_key 'jon', 'somepassword'
-    #   api.current_role.id # => 'conjur:user:jon'
-    #
-    # @example Current role for a host
-    #   host = api.create_host id: 'exapmle-host'
-    #
-    #   # Host and User have an `api` method that returns an api with their credentials.  Note
-    #   # that this only works with a newly created host or user, which has an `api_key` attribute.
-    #   host.api.current_role.id # => 'conjur:host:example-host'
-    #
-    # @param [String] account the organization account 
-    # @return [Conjur::Role] the authenticated role for this API instance
-    def current_role account
-      self.class.role_from_username self, username, account
-    end
-
-    #@!endgroup
-
-    class << self
-      # @api private
-      def role_from_username api, username, account
-        api.role role_name_from_username(username, account)
-      end
-
-      # @api private
-      def role_name_from_username username, account
-        tokens = username.split('/')
-        if tokens.size == 1
-          [ account, 'user', username ].join(':')
-        else
-          [ account, tokens[0], tokens[1..-1].join('/') ].join(':')
-        end
-      end
-    end
-  end
-end

data/lib/conjur/api/router/v4.rb

@@ -1,206 +0,0 @@
-module Conjur
-  class API
-    module Router
-      module V4
-        extend Conjur::Escape::ClassMethods
-        extend Conjur::QueryString
-        extend self
-
-        def authn_login account, username, password
-          verify_account(account)
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(
-              user: username,
-              password: password
-            )
-          )['users/login']
-        end
-
-        def authn_authenticate account, username
-          verify_account(account)
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.rest_client_options
-          )['users'][fully_escape username]['authenticate']
-        end
-
-        # For v4, the authn-local message is the username.
-        def authn_authenticate_local username, account, expiration, cidr, &block
-          verify_account(account)
-
-          raise "'expiration' is not supported for authn-local v4" if expiration
-          raise "'cidr' is not supported for authn-local v4" if cidr
-
-          username
-        end
-
-        def authn_rotate_api_key credentials, account, id
-          verify_account(account)
-          username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['users']["api_key?id=#{username}"]
-        end
-
-        def authn_rotate_own_api_key account, username, password
-          verify_account(account)
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(user: username, password: password)
-          )['users']["api_key"]
-        end
-
-        def host_factory_create_host token
-          http_options = {
-            headers: { authorization: %Q(Token token="#{token}") }
-          }
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(http_options)
-          )['host_factories']['hosts']
-        end
-
-        def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['host_factories'][id.identifier]['tokens']
-        end
-
-        def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['host_factories']['tokens'][token]
-        end
-
-        def resources_resource credentials, id
-
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['authz'][id.account]['resources'][id.kind][id.identifier]
-        end
-
-        def resources_check credentials, id, privilege, role
-          options = {}
-          options[:check] = true
-          options[:privilege] = privilege
-          if role
-            options[:resource_id] = id
-            roles_role(credentials, Id.new(role))[options_querystring options].get
-          else
-            resources_resource(credentials, id)[options_querystring options].get
-          end
-        end
-
-        def resources_permitted_roles credentials, id, privilege
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
-        end
-
-        def roles_role credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['authz'][id.account]['roles'][id.kind][id.identifier]
-        end
-
-        def secrets_add credentials, id
-          verify_account(id.account)
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['variables'][fully_escape id.identifier]['values']
-        end
-
-        def variable credentials, id
-          verify_account(id.account)
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['variables'][fully_escape id.identifier]
-        end
-
-        def secrets_value credentials, id, options
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['variables'][fully_escape id.identifier]['value'][options_querystring options]
-        end
-
-        def secrets_values credentials, variable_ids
-          options = {
-            vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
-          }
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['variables']['values'][options_querystring options]
-        end
-
-        def group_attributes credentials, resource, id
-          verify_account(id.account)
-          JSON.parse(
-            RestClient::Resource.new(
-              Conjur.configuration.core_url,
-              Conjur.configuration.create_rest_client_options(credentials)
-            )['groups'][fully_escape id.identifier].get
-          )
-        end
-
-        def variable_attributes credentials, resource, id
-          verify_account(id.account)
-          JSON.parse(
-            RestClient::Resource.new(
-              Conjur.configuration.core_url,
-              Conjur.configuration.create_rest_client_options(credentials)
-            )['variables'][fully_escape id.identifier].get
-          )
-        end
-
-        def user_attributes credentials, resource, id
-          verify_account(id.account)
-          JSON.parse(
-            RestClient::Resource.new(
-              Conjur.configuration.core_url,
-              Conjur.configuration.create_rest_client_options(credentials)
-            )['users'][fully_escape id.identifier].get
-          )
-        end
-
-        def parse_group_gidnumber attributes
-          attributes['gidnumber']
-        end
-
-        def parse_user_uidnumber attributes
-          attributes['uidnumber']
-        end
-
-        def parse_variable_kind attributes
-          attributes['kind']
-        end
-
-        def parse_variable_mime_type attributes
-          attributes['mime_type']
-        end
-
-        def parse_members credentials, result
-          result.collect do |json|
-            RoleGrant.parse_from_json(json, credentials)
-          end
-        end
-
-        protected
-
-        def verify_account account
-          raise "Expecting account to be #{Conjur.configuration.account.inspect}, got #{account.inspect}" unless Conjur.configuration.account == account
-        end
-      end
-    end
-  end
-end

data/lib/conjur/api/router/v5.rb

@@ -1,269 +0,0 @@
-# frozen_string_literal: true
-
-# Copyright 2017-2018 CyberArk Ltd.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# rubocop:disable Metrics/ModuleLength
-module Conjur
-  class API
-    module Router
-      # V5 translates method arguments to rest-ful API request parameters.
-      # because of this, most of the methods suffer from :reek:LongParameterList:
-      # and :reek:UtilityFunction:
-      module V5
-        extend Conjur::Escape::ClassMethods
-        extend Conjur::QueryString
-        extend self
-
-        def authn_login account, username, password
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(
-              user: username,
-              password: password
-            )
-          )[fully_escape account]['login']
-        end
-
-        def authn_authenticate account, username
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.rest_client_options
-          )[fully_escape account][fully_escape username]['authenticate']
-        end
-
-        def authenticator_authenticate(account, service_id, authenticator, options)
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.rest_client_options
-          )[fully_escape authenticator][fully_escape service_id][fully_escape account]['authenticate'][options_querystring options]
-        end
-
-        def authenticator account, authenticator, service_id, credentials
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )[fully_escape authenticator][fully_escape service_id][fully_escape account]
-        end
-
-        def authenticators
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.rest_client_options
-          )['authenticators']
-        end
-
-        def authentication_providers(account, authenticator, credentials)
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )[fully_escape authenticator][fully_escape account]['providers']
-        end
-
-        # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
-        def authn_authenticate_local username, account, expiration, cidr, &block
-          { account: account, sub: username }.tap do |params|
-            params[:exp] = expiration if expiration
-            params[:cidr] = cidr if cidr
-          end.to_json
-        end
-
-        def authn_update_password account, username, password
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(
-              user: username,
-              password: password
-            )
-          )[fully_escape account]['password']
-        end
-
-        def authn_rotate_api_key credentials, account, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['authn'][fully_escape account]["api_key?role=#{id}"]
-        end
-
-        def authn_rotate_own_api_key account, username, password
-          RestClient::Resource.new(
-            Conjur.configuration.authn_url,
-            Conjur.configuration.create_rest_client_options(
-              user: username,
-              password: password
-            )
-          )[fully_escape account]['api_key']
-        end
-
-        def host_factory_create_host token
-          http_options = {
-            headers: { authorization: %Q(Token token="#{token}") }
-          }
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(http_options)
-          )["host_factories"]["hosts"]
-        end
-
-        def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['host_factory_tokens']
-        end
-
-        def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['host_factory_tokens'][token]
-        end
-
-        def policies_load_policy credentials, account, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['policies'][fully_escape account]['policy'][fully_escape id]
-        end
-
-        def public_keys_for_user account, username
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.rest_client_options
-          )['public_keys'][fully_escape account]['user'][fully_escape username]
-        end
-
-        def resources credentials, account, kind, options
-          credentials ||= {}
-
-          path = "/resources/#{fully_escape account}"
-          path += "/#{fully_escape kind}" if kind
-
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )[path][options_querystring options]
-        end
-
-        def resources_resource credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['resources'][id.to_url_path]
-        end
-
-        def resources_permitted_roles credentials, id, privilege
-          options = {}
-          options[:permitted_roles] = true
-          options[:privilege] = privilege
-          resources_resource(credentials, id)[options_querystring options]
-        end
-
-        def resources_check credentials, id, privilege, role
-          options = {}
-          options[:check] = true
-          options[:privilege] = privilege
-          options[:role] = query_escape(Id.new(role)) if role
-          resources_resource(credentials, id)[options_querystring options].get
-        end
-
-        def roles_role credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['roles'][id.to_url_path]
-        end
-
-        def secrets_add credentials, id
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['secrets'][id.to_url_path]
-        end
-
-        def secrets_value credentials, id, options
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['secrets'][id.to_url_path][options_querystring options]
-        end
-
-        def secrets_values credentials, variable_ids
-          options = {
-            variable_ids: Array(variable_ids).join(',')
-          }
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['secrets'][options_querystring(options).gsub("%2C", ',')]
-        end
-
-        def group_attributes credentials, resource, id
-          resource_annotations resource
-        end
-
-        def variable_attributes credentials, resource, id
-          resource_annotations resource
-        end
-
-        def user_attributes credentials, resource, id
-          resource_annotations resource
-        end
-
-        def parse_group_gidnumber attributes
-          HasAttributes.annotation_value attributes, 'conjur/gidnumber'
-        end
-
-        def parse_user_uidnumber attributes
-          HasAttributes.annotation_value attributes, 'conjur/uidnumber'
-        end
-
-        def parse_variable_kind attributes
-          HasAttributes.annotation_value attributes, 'conjur/kind'
-        end
-
-        def parse_variable_mime_type attributes
-          HasAttributes.annotation_value attributes, 'conjur/mime_type'
-        end
-
-        def parse_members credentials, result
-          result.map do |json|
-            RoleGrant.parse_from_json(json, credentials)
-          end
-        end
-
-        def ldap_sync_policy(credentials, config_name)
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
-        end
-
-        def whoami(credentials)
-          RestClient::Resource.new(
-            Conjur.configuration.core_url,
-            Conjur.configuration.create_rest_client_options(credentials)
-          )['whoami']
-        end
-
-        private
-
-        def resource_annotations resource
-          resource.attributes['annotations']
-        end
-      end
-    end
-  end
-end
-# rubocop:enable Metrics/ModuleLength