conjur-api 5.3.8.pre.319 → 5.3.8.pre.321
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.codeclimate.yml +10 -0
- data/.dockerignore +1 -0
- data/.github/CODEOWNERS +10 -0
- data/.gitignore +32 -0
- data/.gitleaks.toml +219 -0
- data/.overcommit.yml +16 -0
- data/.project +18 -0
- data/.rubocop.yml +3 -0
- data/.rubocop_settings.yml +86 -0
- data/.rubocop_todo.yml +709 -0
- data/.yardopts +1 -0
- data/CHANGELOG.md +448 -0
- data/CONTRIBUTING.md +138 -0
- data/Dockerfile +16 -0
- data/Gemfile +7 -0
- data/Jenkinsfile +136 -0
- data/LICENSE +202 -0
- data/README.md +162 -0
- data/Rakefile +47 -0
- data/SECURITY.md +42 -0
- data/VERSION +1 -1
- data/bin/parse-changelog.sh +12 -0
- data/ci/configure_v4.sh +12 -0
- data/ci/configure_v5.sh +19 -0
- data/ci/oauth/keycloak/create_client +18 -0
- data/ci/oauth/keycloak/create_user +21 -0
- data/ci/oauth/keycloak/fetch_certificate +18 -0
- data/ci/oauth/keycloak/keycloak_functions.sh +71 -0
- data/ci/oauth/keycloak/standalone.xml +578 -0
- data/ci/oauth/keycloak/wait_for_server +56 -0
- data/ci/submit-coverage +36 -0
- data/conjur-api.gemspec +41 -0
- data/dev/Dockerfile.dev +12 -0
- data/dev/docker-compose.yml +56 -0
- data/dev/start +22 -0
- data/dev/stop +5 -0
- data/docker-compose.yml +98 -0
- data/example/demo_v4.rb +49 -0
- data/example/demo_v5.rb +57 -0
- data/features/authenticators.feature +41 -0
- data/features/authn.feature +14 -0
- data/features/authn_local.feature +32 -0
- data/features/exists.feature +37 -0
- data/features/group.feature +11 -0
- data/features/host.feature +50 -0
- data/features/host_factory_create_host.feature +28 -0
- data/features/host_factory_token.feature +63 -0
- data/features/load_policy.feature +61 -0
- data/features/members.feature +51 -0
- data/features/new_api.feature +36 -0
- data/features/permitted.feature +70 -0
- data/features/permitted_roles.feature +30 -0
- data/features/public_keys.feature +11 -0
- data/features/resource_fields.feature +53 -0
- data/features/role_fields.feature +15 -0
- data/features/rotate_api_key.feature +13 -0
- data/features/step_definitions/api_steps.rb +52 -0
- data/features/step_definitions/policy_steps.rb +134 -0
- data/features/step_definitions/result_steps.rb +11 -0
- data/features/support/env.rb +19 -0
- data/features/support/hooks.rb +3 -0
- data/features/support/world.rb +12 -0
- data/features/update_password.feature +14 -0
- data/features/user.feature +58 -0
- data/features/variable_fields.feature +20 -0
- data/features/variable_value.feature +60 -0
- data/features_v4/authn_local.feature +27 -0
- data/features_v4/exists.feature +29 -0
- data/features_v4/host.feature +18 -0
- data/features_v4/host_factory_token.feature +49 -0
- data/features_v4/members.feature +39 -0
- data/features_v4/permitted.feature +15 -0
- data/features_v4/permitted_roles.feature +8 -0
- data/features_v4/resource_fields.feature +47 -0
- data/features_v4/rotate_api_key.feature +13 -0
- data/features_v4/step_definitions/api_steps.rb +17 -0
- data/features_v4/step_definitions/result_steps.rb +3 -0
- data/features_v4/support/env.rb +23 -0
- data/features_v4/support/policy.yml +34 -0
- data/features_v4/support/world.rb +12 -0
- data/features_v4/variable_fields.feature +11 -0
- data/features_v4/variable_value.feature +54 -0
- data/lib/conjur/acts_as_resource.rb +123 -0
- data/lib/conjur/acts_as_role.rb +142 -0
- data/lib/conjur/acts_as_rolsource.rb +32 -0
- data/lib/conjur/acts_as_user.rb +68 -0
- data/lib/conjur/api/authenticators.rb +43 -0
- data/lib/conjur/api/authn.rb +144 -0
- data/lib/conjur/api/host_factories.rb +71 -0
- data/lib/conjur/api/ldap_sync.rb +38 -0
- data/lib/conjur/api/policies.rb +56 -0
- data/lib/conjur/api/pubkeys.rb +53 -0
- data/lib/conjur/api/resources.rb +109 -0
- data/lib/conjur/api/roles.rb +98 -0
- data/lib/conjur/api/router/v4.rb +206 -0
- data/lib/conjur/api/router/v5.rb +269 -0
- data/lib/conjur/api/variables.rb +59 -0
- data/lib/conjur/api.rb +105 -0
- data/lib/conjur/base.rb +355 -0
- data/lib/conjur/base_object.rb +57 -0
- data/lib/conjur/build_object.rb +47 -0
- data/lib/conjur/cache.rb +26 -0
- data/lib/conjur/cert_utils.rb +63 -0
- data/lib/conjur/cidr.rb +71 -0
- data/lib/conjur/configuration.rb +460 -0
- data/lib/conjur/escape.rb +129 -0
- data/lib/conjur/exceptions.rb +4 -0
- data/lib/conjur/group.rb +41 -0
- data/lib/conjur/has_attributes.rb +98 -0
- data/lib/conjur/host.rb +27 -0
- data/lib/conjur/host_factory.rb +75 -0
- data/lib/conjur/host_factory_token.rb +78 -0
- data/lib/conjur/id.rb +71 -0
- data/lib/conjur/layer.rb +9 -0
- data/lib/conjur/log.rb +72 -0
- data/lib/conjur/log_source.rb +60 -0
- data/lib/conjur/policy.rb +34 -0
- data/lib/conjur/policy_load_result.rb +61 -0
- data/lib/conjur/query_string.rb +12 -0
- data/lib/conjur/resource.rb +29 -0
- data/lib/conjur/role.rb +29 -0
- data/lib/conjur/role_grant.rb +85 -0
- data/lib/conjur/routing.rb +29 -0
- data/lib/conjur/user.rb +40 -0
- data/lib/conjur/variable.rb +208 -0
- data/lib/conjur/webservice.rb +30 -0
- data/lib/conjur-api/version.rb +24 -0
- data/lib/conjur-api.rb +2 -0
- data/publish.sh +5 -0
- data/spec/api/host_factories_spec.rb +34 -0
- data/spec/api_spec.rb +254 -0
- data/spec/base_object_spec.rb +13 -0
- data/spec/cert_utils_spec.rb +173 -0
- data/spec/cidr_spec.rb +34 -0
- data/spec/configuration_spec.rb +330 -0
- data/spec/has_attributes_spec.rb +63 -0
- data/spec/helpers/errors_matcher.rb +34 -0
- data/spec/helpers/request_helpers.rb +10 -0
- data/spec/id_spec.rb +29 -0
- data/spec/ldap_sync_spec.rb +21 -0
- data/spec/log_source_spec.rb +13 -0
- data/spec/log_spec.rb +42 -0
- data/spec/roles_spec.rb +24 -0
- data/spec/spec_helper.rb +113 -0
- data/spec/ssl_spec.rb +109 -0
- data/spec/uri_escape_spec.rb +21 -0
- data/test.sh +76 -0
- data/tmp/.keep +0 -0
- metadata +194 -3
@@ -0,0 +1,129 @@
|
|
1
|
+
#
|
2
|
+
# Copyright (C) 2013-2017 Conjur Inc
|
3
|
+
#
|
4
|
+
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
+
# this software and associated documentation files (the "Software"), to deal in
|
6
|
+
# the Software without restriction, including without limitation the rights to
|
7
|
+
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
+
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
+
# subject to the following conditions:
|
10
|
+
#
|
11
|
+
# The above copyright notice and this permission notice shall be included in all
|
12
|
+
# copies or substantial portions of the Software.
|
13
|
+
#
|
14
|
+
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
+
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
+
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
+
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
+
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
+
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
+
#
|
21
|
+
module Conjur
|
22
|
+
|
23
|
+
# Provides helpers for escaping url components.
|
24
|
+
#
|
25
|
+
# The helpers are added as both class and isntance methods.
|
26
|
+
module Escape
|
27
|
+
module ClassMethods
|
28
|
+
# URL escape the entire string. This is essentially the same as calling `CGI.escape str`,
|
29
|
+
# and then substituting `%20` for `+`.
|
30
|
+
#
|
31
|
+
# @example
|
32
|
+
# fully_escape 'foo/bar@baz'
|
33
|
+
# # => "foo%2Fbar%40baz"
|
34
|
+
#
|
35
|
+
# @example
|
36
|
+
# fully_escape 'test/Domain Controllers'
|
37
|
+
# # => "test%2FDomain%20Controllers"
|
38
|
+
#
|
39
|
+
# @param [String] str the string to escape
|
40
|
+
# @return [String] the escaped string
|
41
|
+
def fully_escape(str)
|
42
|
+
# CGI escape uses + for spaces, which our services don't support :-(
|
43
|
+
# We just gsub it.
|
44
|
+
CGI.escape(str.to_s).gsub('+', '%20')
|
45
|
+
end
|
46
|
+
|
47
|
+
|
48
|
+
# Escape a URI path component.
|
49
|
+
#
|
50
|
+
# This method simply calls {Conjur::Escape::ClassMethods#path_or_query_escape}.
|
51
|
+
#
|
52
|
+
# @param [String] str the string to escape
|
53
|
+
# @return [String] the escaped string
|
54
|
+
# @see Conjur::Escape::ClassMethods#path_or_query_escape
|
55
|
+
def path_escape(str)
|
56
|
+
path_or_query_escape str
|
57
|
+
end
|
58
|
+
|
59
|
+
# Escape a URI query value.
|
60
|
+
#
|
61
|
+
# This method simply calls {Conjur::Escape::ClassMethods#path_or_query_escape}.
|
62
|
+
#
|
63
|
+
# @param [String] str the string to escape
|
64
|
+
# @return [String] the escaped string
|
65
|
+
# @see Conjur::Escape::ClassMethods#path_or_query_escape
|
66
|
+
def query_escape(str)
|
67
|
+
path_or_query_escape str
|
68
|
+
end
|
69
|
+
|
70
|
+
# Escape a path or query value.
|
71
|
+
#
|
72
|
+
# This method is *similar* to `URI.escape`, but it has several important differences:
|
73
|
+
# * If a falsey value is given, the string `"false"` is returned.
|
74
|
+
# * If the value given responds to `#id`, the value returned by `str.id` is escaped instead.
|
75
|
+
# * The value is escaped without modifying `':'` or `'/'`.
|
76
|
+
#
|
77
|
+
# @param [String, FalseClass, NilClass, #id] str the value to escape
|
78
|
+
# @return [String] the value escaped as described
|
79
|
+
def path_or_query_escape(str)
|
80
|
+
return "false" unless str
|
81
|
+
str = str.id if str.respond_to?(:id)
|
82
|
+
# Leave colons and forward slashes alone
|
83
|
+
require 'addressable/uri'
|
84
|
+
Addressable::URI.encode(str.to_s)
|
85
|
+
end
|
86
|
+
end
|
87
|
+
|
88
|
+
# @api private
|
89
|
+
def self.included(base)
|
90
|
+
base.extend ClassMethods
|
91
|
+
end
|
92
|
+
|
93
|
+
# URL escape the entire string. This is essentially the same as calling `CGI.escape str`.
|
94
|
+
#
|
95
|
+
# @example
|
96
|
+
# fully_escape 'foo/bar@baz'
|
97
|
+
# # => "foo%2Fbar%40baz"
|
98
|
+
#
|
99
|
+
# @param [String] str the string to escape
|
100
|
+
# @return [String] the escaped string
|
101
|
+
# @see Conjur::Escape::ClassMethods#fully_escape
|
102
|
+
def fully_escape(str)
|
103
|
+
self.class.fully_escape str
|
104
|
+
end
|
105
|
+
|
106
|
+
# Escape a URI path component.
|
107
|
+
#
|
108
|
+
# This method simply calls {Conjur::Escape::ClassMethods#path_or_query_escape}.
|
109
|
+
#
|
110
|
+
# @param [String] str the string to escape
|
111
|
+
# @return [String] the escaped string
|
112
|
+
# @see Conjur::Escape::ClassMethods#path_or_query_escape
|
113
|
+
def path_escape(str)
|
114
|
+
self.class.path_escape str
|
115
|
+
end
|
116
|
+
|
117
|
+
|
118
|
+
# Escape a URI query value.
|
119
|
+
#
|
120
|
+
# This method simply calls {Conjur::Escape::ClassMethods#path_or_query_escape}.
|
121
|
+
#
|
122
|
+
# @param [String] str the string to escape
|
123
|
+
# @return [String] the escaped string
|
124
|
+
# @see Conjur::Escape::ClassMethods#path_or_query_escape
|
125
|
+
def query_escape(str)
|
126
|
+
self.class.query_escape str
|
127
|
+
end
|
128
|
+
end
|
129
|
+
end
|
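Review bot: `path_or_query_escape` (line 79 of this hunk) passes the value through `Addressable::URI.encode`, which leaves reserved characters such as `&`, `=`, `?` and `#` untouched, so a query value containing them reaches the request unescaped and can change or truncate the query; `query_escape` delegates here and inherits that. If query values are meant to be opaque, giving the query case its own encoding (for example `CGI.escape` as `fully_escape` already does, or `Addressable::URI.encode_component` with the unreserved character class) is safer than sharing the path rule, and the `@return` doc on `query_escape` should say which characters survive. The `require 'addressable/uri'` just before the call is re-evaluated on every invocation; hoisting it to the top of the file matches how the other files in this change load their dependencies. This section's file header is not shown on the page; by its line count it corresponds to `data/lib/conjur/escape.rb` in the diffstat.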
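--- /dev/null
+++ b/data/lib/conjur/group.rb
@@ -0,0 +1,41 @@
+# Copyright 2013-2017 Conjur Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+
+# A Conjur Group represents a collection of Conjur Users, Groups and Layers.
+#
+class Group < BaseObject
+include ActsAsRolsource
+
+# Get the group's gidnumber, which can be used by LDAP and SSH login, among other things.
+#
+# @return [Fixnum] the gidnumber
+# @raise [RestClient::Forbidden] if you don't have permission to `show` the group.
+def gidnumber
+parser_for(:group_gidnumber, group_attributes)
+end
+
+private
+
+def group_attributes
+@group_attributes ||= url_for(:group_attributes, credentials, self, id)
+end
+end
+end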
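Review bot: The `@return [Fixnum]` tag on `gidnumber` (line 29 of this file) names a constant that current Ruby no longer defines, so the doc should read `# @return [Integer] the gidnumber`. `group_attributes` memoizes whatever `url_for(:group_attributes, credentials, self, id)` returns for the lifetime of the object and nothing in this file clears `@group_attributes`; if that value is a fetched result rather than a request builder, a later change to the group's attributes is never observed by `gidnumber`, so a comment stating which it is (or resetting it alongside the cached attributes) is worth adding. The `@raise [RestClient::Forbidden]` tag is only accurate if the request is issued inside `parser_for`, which is not visible here.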
@@ -0,0 +1,98 @@
|
|
1
|
+
#
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
|
+
#
|
4
|
+
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
+
# this software and associated documentation files (the "Software"), to deal in
|
6
|
+
# the Software without restriction, including without limitation the rights to
|
7
|
+
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
+
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
+
# subject to the following conditions:
|
10
|
+
#
|
11
|
+
# The above copyright notice and this permission notice shall be included in all
|
12
|
+
# copies or substantial portions of the Software.
|
13
|
+
#
|
14
|
+
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
+
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
+
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
+
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
+
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
+
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
+
#
|
21
|
+
module Conjur
|
22
|
+
# Many Conjur assets have key-value attributes. Although these should generally be accessed via
|
23
|
+
# methods on specific asset classes (for example, {Conjur::Resource#owner}), the are available as
|
24
|
+
# a `Hash` on all types supporting attributes.
|
25
|
+
module HasAttributes
|
26
|
+
class << self
|
27
|
+
|
28
|
+
# @api private
|
29
|
+
def annotation_value annotations, name
|
30
|
+
(annotations.find{|a| a['name'] == name} || {})['value']
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
def as_json options={}
|
35
|
+
result = super(options)
|
36
|
+
if @attributes
|
37
|
+
result.merge!(@attributes.as_json(options))
|
38
|
+
end
|
39
|
+
result
|
40
|
+
end
|
41
|
+
|
42
|
+
def to_s
|
43
|
+
to_json.to_s
|
44
|
+
end
|
45
|
+
|
46
|
+
# @api private
|
47
|
+
# Set the attributes for this Resource.
|
48
|
+
# @param [Hash] attributes new attributes for the object.
|
49
|
+
# @return [Hash] the new attributes
|
50
|
+
def attributes=(attributes); @attributes = attributes; end
|
51
|
+
|
52
|
+
# Get the attributes for this asset. This is an immutable Hash, unless the attributes
|
53
|
+
# are changed via policy update.
|
54
|
+
#
|
55
|
+
# @return [Hash] the asset's attributes.
|
56
|
+
def attributes
|
57
|
+
return @attributes if @attributes
|
58
|
+
fetch
|
59
|
+
end
|
60
|
+
|
61
|
+
# Call a block that will perform actions that might change the asset's attributes.
|
62
|
+
# No matter what happens in the block, this method ensures that the cached attributes
|
63
|
+
# will be invalidated.
|
64
|
+
#
|
65
|
+
# @note this is mainly used internally, but included in the public api for completeness.
|
66
|
+
#
|
67
|
+
# @return [void]
|
68
|
+
def invalidate(&block)
|
69
|
+
yield
|
70
|
+
ensure
|
71
|
+
@attributes = nil
|
72
|
+
end
|
73
|
+
|
74
|
+
def annotations
|
75
|
+
Hash[(attributes['annotations']||{}).collect {|e| [e['name'],e['value']]}]
|
76
|
+
end
|
77
|
+
|
78
|
+
protected
|
79
|
+
|
80
|
+
def annotation_value name
|
81
|
+
annotations[name]
|
82
|
+
end
|
83
|
+
|
84
|
+
# @api private
|
85
|
+
# Fetch the attributes, overwriting any current ones.
|
86
|
+
def fetch
|
87
|
+
@attributes ||= fetch_attributes
|
88
|
+
end
|
89
|
+
|
90
|
+
# @api private
|
91
|
+
def fetch_attributes
|
92
|
+
cache_key = Conjur.cache_key username, url_for(:resources_resource, credentials, id).url
|
93
|
+
Conjur.cache.fetch_attributes cache_key do
|
94
|
+
JSON.parse(url_for(:resources_resource, credentials, id).get.body)
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
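Review bot: The comment on `fetch` (lines 84-88 of this hunk) says it fetches the attributes "overwriting any current ones", but the body is `@attributes ||= fetch_attributes`, which keeps existing attributes and only fetches when they are nil; either the body becomes `@attributes = fetch_attributes` if overwriting is intended, or the comment becomes `# Return the cached attributes, fetching them on first use.` `fetch_attributes` builds `url_for(:resources_resource, credentials, id)` twice, once for the cache key and once for the GET; binding it once as `resource = url_for(:resources_resource, credentials, id)` removes the duplicate call. `annotations` and `HasAttributes.annotation_value` both assume each annotation entry is a Hash with `'name'` and `'value'` keys, a server contract stated nowhere in the hunk that belongs in the `attributes` docstring. This section's file header is not shown on the page; by its line count it corresponds to `data/lib/conjur/has_attributes.rb` in the diffstat.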
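--- /dev/null
+++ b/data/lib/conjur/host.rb
@@ -0,0 +1,27 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+# This class represents a Conjur Host. Hosts are created in Conjur policy, or with
+# {Conjur::HostFactory}.
+class Host < BaseObject
+include ActsAsUser
+end
+end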
@@ -0,0 +1,75 @@
|
|
1
|
+
#
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
|
+
#
|
4
|
+
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
+
# this software and associated documentation files (the "Software"), to deal in
|
6
|
+
# the Software without restriction, including without limitation the rights to
|
7
|
+
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
+
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
+
# subject to the following conditions:
|
10
|
+
#
|
11
|
+
# The above copyright notice and this permission notice shall be included in all
|
12
|
+
# copies or substantial portions of the Software.
|
13
|
+
#
|
14
|
+
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
+
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
+
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
+
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
+
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
+
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
+
#
|
21
|
+
require 'conjur/host_factory_token'
|
22
|
+
|
23
|
+
module Conjur
|
24
|
+
# A Host Factory is a way to allow clients to create Conjur hosts without giving them
|
25
|
+
# any other access to Conjur.
|
26
|
+
#
|
27
|
+
# Each Host Factory can have 0 or more tokens, each of which is a random string that
|
28
|
+
# has an associated expiration and optional CIDR restriction. A user or machine who has
|
29
|
+
# a host factory token can use it to create new hosts, or to rotate the API keys of
|
30
|
+
# existing hosts.
|
31
|
+
#
|
32
|
+
# @see API#host_factory_create_host
|
33
|
+
# @see HostFactoryToken
|
34
|
+
class HostFactory < BaseObject
|
35
|
+
include ActsAsRolsource
|
36
|
+
|
37
|
+
# Create one or more host factory tokens. Each token can be used to create
|
38
|
+
# hosts, using {API#host_factory_create_host}.
|
39
|
+
#
|
40
|
+
# @param expiration [Time] the future time at which the token will stop working.
|
41
|
+
# @param count [Integer] the number of (identical) tokens to create (default: 1).
|
42
|
+
# @param cidr [String] a CIDR restriction on the usage of the token.
|
43
|
+
# @return [Array<HostFactoryToken>] the token or tokens.
|
44
|
+
def create_tokens expiration, count: 1, cidr: nil
|
45
|
+
options = {}
|
46
|
+
options[:expiration] = expiration.iso8601
|
47
|
+
options[:host_factory] = id
|
48
|
+
options[:count] = count
|
49
|
+
options[:cidr] = cidr if cidr
|
50
|
+
response = JSON.parse url_for(:host_factory_create_tokens, credentials, id).post(options)
|
51
|
+
response.map do |data|
|
52
|
+
HostFactoryToken.new data, credentials
|
53
|
+
end
|
54
|
+
end
|
55
|
+
|
56
|
+
# Create a new token.
|
57
|
+
#
|
58
|
+
# @see #create_tokens
|
59
|
+
def create_token expiration, cidr: nil
|
60
|
+
create_tokens(expiration, cidr: cidr).first
|
61
|
+
end
|
62
|
+
|
63
|
+
# Enumerate the tokens on the host factory.
|
64
|
+
#
|
65
|
+
# @return [Array<HostFactoryToken>] the token or tokens.
|
66
|
+
def tokens
|
67
|
+
# Tokens list is not returned by +show+ if the caller doesn't have permission
|
68
|
+
return nil unless self.attributes['tokens']
|
69
|
+
|
70
|
+
self.attributes['tokens'].collect do |data|
|
71
|
+
HostFactoryToken.new data, credentials
|
72
|
+
end
|
73
|
+
end
|
74
|
+
end
|
75
|
+
end
|
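Review bot: `tokens` (lines 63-73 of this hunk) is documented as `@return [Array<HostFactoryToken>]` but returns `nil` when the server omitted `tokens` because the caller lacks permission, so the tag should read `# @return [Array<HostFactoryToken>, nil] the tokens, or nil if the caller may not list them.` `create_tokens` calls `expiration.iso8601`, so the `@param expiration [Time]` tag holds only for objects that respond to `iso8601`; a String expiration fails with `NoMethodError` instead of a clear message, which `raise ArgumentError, 'expiration must respond to #iso8601' unless expiration.respond_to?(:iso8601)` would make explicit. The tokens returned by both methods are bearer credentials for host creation, and the class comment should say that callers are responsible for not logging or persisting them in clear. This section's file header is not shown on the page; by its line count it corresponds to `data/lib/conjur/host_factory.rb` in the diffstat.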
@@ -0,0 +1,78 @@
|
|
1
|
+
#
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
|
+
#
|
4
|
+
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
+
# this software and associated documentation files (the "Software"), to deal in
|
6
|
+
# the Software without restriction, including without limitation the rights to
|
7
|
+
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
+
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
+
# subject to the following conditions:
|
10
|
+
#
|
11
|
+
# The above copyright notice and this permission notice shall be included in all
|
12
|
+
# copies or substantial portions of the Software.
|
13
|
+
#
|
14
|
+
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
+
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
+
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
+
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
+
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
+
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
+
#
|
21
|
+
module Conjur
|
22
|
+
class HostFactoryToken
|
23
|
+
def initialize data, credentials
|
24
|
+
@data = data
|
25
|
+
@credentials = credentials
|
26
|
+
end
|
27
|
+
|
28
|
+
# Convert the object to JSON.
|
29
|
+
#
|
30
|
+
# Fields:
|
31
|
+
#
|
32
|
+
# * token
|
33
|
+
# * expiration
|
34
|
+
# * cidr
|
35
|
+
def to_json(options = {})
|
36
|
+
{ token: token, expiration: expiration, cidr: cidr }
|
37
|
+
end
|
38
|
+
|
39
|
+
# Format the token as a string, using JSON format.
|
40
|
+
def to_s
|
41
|
+
to_json.to_s
|
42
|
+
end
|
43
|
+
|
44
|
+
# Gets the token string.
|
45
|
+
#
|
46
|
+
# @return [String]
|
47
|
+
def token
|
48
|
+
@data['token']
|
49
|
+
end
|
50
|
+
|
51
|
+
# Gets the expiration.
|
52
|
+
#
|
53
|
+
# @return [DateTime]
|
54
|
+
def expiration
|
55
|
+
DateTime.iso8601(@data['expiration'])
|
56
|
+
end
|
57
|
+
|
58
|
+
# Gets the CIDR restriction.
|
59
|
+
#
|
60
|
+
# @return [String]
|
61
|
+
def cidr
|
62
|
+
@data['cidr']
|
63
|
+
end
|
64
|
+
|
65
|
+
# Revokes the token, after which it cannot be used any more.
|
66
|
+
def revoke
|
67
|
+
Conjur::API.revoke_host_factory_token @credentials, token
|
68
|
+
end
|
69
|
+
|
70
|
+
def ==(other)
|
71
|
+
other.class == self.class &&
|
72
|
+
other.token == self.token &&
|
73
|
+
other.expiration == self.expiration &&
|
74
|
+
other.cidr == self.cidr
|
75
|
+
end
|
76
|
+
|
77
|
+
end
|
78
|
+
end
|
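Review bot: `to_json` (line 35 of this hunk) returns a Hash rather than a JSON string, so `to_s`, documented as "using JSON format", actually emits `Hash#inspect` output; returning `{ token: token, expiration: expiration, cidr: cidr }.to_json(options)`, or renaming the hash-returning method `as_json` and building `to_json` on it, would make both comments true. Either way the serialized form embeds the raw token, which is a bearer credential, so any string interpolation or `inspect` of a `HostFactoryToken` in an error message writes it to logs; a comment on `to_s` saying it exposes the secret, or an `inspect` override that omits `token`, is warranted. `==` is defined without `eql?`/`hash`, so two equal tokens remain distinct as Hash keys and in `uniq`; the class comment should note that if it is intended. `expiration` relies on `DateTime`, which needs `require 'date'` before this file is loaded and that require is not visible in the hunk. This section's file header is not shown on the page; by its line count it corresponds to `data/lib/conjur/host_factory_token.rb` in the diffstat.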
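--- /dev/null
+++ b/data/lib/conjur/id.rb
@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'conjur/escape'
+
+module Conjur
+# Encapsulates a Conjur id, which consists of account, kind, and identifier.
+class Id
+include Conjur::Escape
+
+attr_reader :id
+
+def initialize id
+@id = Id.normalize id
+end
+
+# The organization account, obtained from the first component of the id.
+def account; id.split(':', 3)[0]; end
+# The object kind, obtained from the second component of the id.
+def kind; id.split(':', 3)[1]; end
+# The object identifier, obtained from the third component of the id. The
+# identifier must be unique within the `account` and `kind`.
+def identifier; id.split(':', 3)[2]; end
+
+# Defines id equivalence using the string representation.
+def == other
+if other.is_a?(String)
+to_s == other
+else
+super
+end
+end
+
+# @return [String] the id string.
+def as_json options={}
+@id
+end
+
+# Splits the id into 3 components, and then joins them with a forward-slash `/`.
+def to_url_path
+id.split(':', 3)
+.map(&method(:fully_escape))
+.join('/')
+end
+
+# @return [String] the id string
+def to_s
+id
+end
+
+def self.normalize id
+Array(id).join(':').tap do |id|
+raise ArgumentError, "id must be fully qualified: #{id}" \
+unless id =~ /.*:.*:.*/
+end
+end
+end
+end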
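Review bot: `Id.normalize` (lines 64-69 of this file) validates with `id =~ /.*:.*:.*/`, which is unanchored and only requires two colons somewhere, so `"::x"` and `":a:"` pass with an empty account or kind, and because `.` does not match a newline a multi-line value is accepted when any one line contains two colons. If every component must be non-empty, `unless id.split(':', 3).size == 3 && id.split(':', 3).none?(&:empty?)` states the rule directly (an anchored `String#match?` pattern works as well once the allowed characters are decided). The `tap do |id|` block shadows the method's `id` parameter, and `account`/`kind`/`identifier` re-split the string on every call; splitting once in `initialize` and keeping the three parts removes both. `==` accepts a String on the right, but `"a:b:c" == Id.new("a:b:c")` is false and without `eql?`/`hash` equal ids are distinct Hash keys; the class comment should say so.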
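--- /dev/null
+++ b/data/lib/conjur/layer.rb
@@ -0,0 +1,9 @@
+module Conjur
+
+# A Conjur Layer is a type of role whose members are Conjur Hosts. The hosts inherit
+# permissions from the layer. Automatic roles on the layer can also be used to manage
+# SSH permissions to the hosts.
+class Layer < BaseObject
+include ActsAsRolsource
+end
+end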
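--- /dev/null
+++ b/data/lib/conjur/log.rb
@@ -0,0 +1,72 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'logger'
+
+module Conjur
+# Assign a Logger for use by Conjur API methods. This method accepts
+# several argument forms:
+# * The strings 'stdout' and 'stderr' cause log messages to be sent to the corresponding stream.
+# * Other stings are treated as paths and will cause log messages to be sent to those files.
+# * A `Logger` instance will be used as is.
+#
+# Note that the logger specified by the `CONJURAPI_LOG` environment variable will override
+# the value set here.
+#
+# @param [String, Logger,nil] log the new logger to use
+# @return [void]
+def self.log= log
+@@log = create_log log
+end
+
+# @api private
+# Create a log from a String or Logger param
+#
+# @param [String, Logger, nil] param the value to create the logger from
+# @return Logger
+def self.create_log param
+if param
+if param.is_a? String
+if param == 'stdout'
+Logger.new $stdout
+elsif param == 'stderr'
+Logger.new $stderr
+else
+Logger.new param
+end
+else
+param
+end
+end
+end
+
+@@env_log = create_log ENV['CONJURAPI_LOG']
+
+@@log = nil
+
+# @api private
+# @note this method may return nil if no log has been set, so you **must** check the value
+# before attempting to use the logger.
+#
+# You should consider using {Conjur::LogSource} instead.
+def self.log
+@@env_log || @@log
+end
+end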
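Review bot: `@@env_log = create_log ENV['CONJURAPI_LOG']` (line 60 of this file) runs at `require` time and, for any value other than `'stdout'` or `'stderr'`, passes the string to `Logger.new` as a file path, which opens the file immediately; an unwritable or mistyped path therefore raises while loading `conjur/log` rather than on first use, and the comment on `log=` should say that the environment value both wins and is opened at load. `create_log` nests three `if`s; `case param when 'stdout' then Logger.new($stdout) when 'stderr' then Logger.new($stderr) when String then Logger.new(param) else param end` is the same dispatch written flat, with `nil` still falling through to `else`. `@@log` and `@@env_log` are class variables on a module, so they are shared with any class that includes `Conjur`; module-level instance variables read through `self.log` avoid that sharing. The doc line `Other stings are treated as paths` has a typo (`strings`).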
@@ -0,0 +1,60 @@
|
|
1
|
+
#
|
2
|
+
# Copyright 2013-2017 Conjur Inc
|
3
|
+
#
|
4
|
+
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
+
# this software and associated documentation files (the "Software"), to deal in
|
6
|
+
# the Software without restriction, including without limitation the rights to
|
7
|
+
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
+
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
+
# subject to the following conditions:
|
10
|
+
#
|
11
|
+
# The above copyright notice and this permission notice shall be included in all
|
12
|
+
# copies or substantial portions of the Software.
|
13
|
+
#
|
14
|
+
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
+
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
+
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
+
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
+
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
+
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
+
#
|
21
|
+
module Conjur
|
22
|
+
# This module provides logging support for actions taken by the Conjur API.
|
23
|
+
#
|
24
|
+
# @example
|
25
|
+
# class Example
|
26
|
+
# include LogSource
|
27
|
+
#
|
28
|
+
# def something_interesting param
|
29
|
+
# log{|l| l << "doing something interesting with #{param}"}
|
30
|
+
#
|
31
|
+
# # Do something interesting...
|
32
|
+
# end
|
33
|
+
#
|
34
|
+
# end
|
35
|
+
# # ...
|
36
|
+
#
|
37
|
+
# Example.new.something_interesting 'foo'
|
38
|
+
# # will log:
|
39
|
+
# # [admin] doing something interesting with foo
|
40
|
+
#
|
41
|
+
module LogSource
|
42
|
+
# Yield a logger to the block. You should use the `<<` method to write to the
|
43
|
+
# logger so that you don't send newlines or formatting. The block will only be called
|
44
|
+
# if {Conjur.log} is not nil.
|
45
|
+
#
|
46
|
+
# The log format is `"[<username>]<messages logged in block>\n"`.
|
47
|
+
#
|
48
|
+
# @yieldparam [#<<] logger a logger to write messages
|
49
|
+
# @return [void]
|
50
|
+
def log(&block)
|
51
|
+
if Conjur.log
|
52
|
+
Conjur.log << "["
|
53
|
+
Conjur.log << username
|
54
|
+
Conjur.log << "] "
|
55
|
+
yield Conjur.log
|
56
|
+
Conjur.log << "\n"
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
60
|
+
end
|
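Review bot: `log` (lines 50-58 of this hunk) writes with `Logger#<<`, which appends straight to the log device and bypasses the logger's level and formatter, so these lines cannot be silenced by raising the level and carry no timestamp; the method comment should state that, because callers put request details in the block. `Conjur.log` is also read five separate times, so a `Conjur.log=` from another thread can split one line across two loggers or hit `nil` part-way; reading the logger once and writing the prefix, the block output and the newline to that same object avoids it. `username` is not defined in this module, and the `LogSource` docstring should state that the including class must provide it, as the `Example` class in the example relies on. This section's file header is not shown on the page; by its line count it corresponds to `data/lib/conjur/log_source.rb` in the diffstat.
```ruby
def log(&block)
  logger = Conjur.log
  return unless logger

  logger << "[#{username}] "
  yield logger
  logger << "\n"
end
```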