conjur-api 5.3.8.pre.319 → 5.3.8.pre.321
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.codeclimate.yml +10 -0
- data/.dockerignore +1 -0
- data/.github/CODEOWNERS +10 -0
- data/.gitignore +32 -0
- data/.gitleaks.toml +219 -0
- data/.overcommit.yml +16 -0
- data/.project +18 -0
- data/.rubocop.yml +3 -0
- data/.rubocop_settings.yml +86 -0
- data/.rubocop_todo.yml +709 -0
- data/.yardopts +1 -0
- data/CHANGELOG.md +448 -0
- data/CONTRIBUTING.md +138 -0
- data/Dockerfile +16 -0
- data/Gemfile +7 -0
- data/Jenkinsfile +136 -0
- data/LICENSE +202 -0
- data/README.md +162 -0
- data/Rakefile +47 -0
- data/SECURITY.md +42 -0
- data/VERSION +1 -1
- data/bin/parse-changelog.sh +12 -0
- data/ci/configure_v4.sh +12 -0
- data/ci/configure_v5.sh +19 -0
- data/ci/oauth/keycloak/create_client +18 -0
- data/ci/oauth/keycloak/create_user +21 -0
- data/ci/oauth/keycloak/fetch_certificate +18 -0
- data/ci/oauth/keycloak/keycloak_functions.sh +71 -0
- data/ci/oauth/keycloak/standalone.xml +578 -0
- data/ci/oauth/keycloak/wait_for_server +56 -0
- data/ci/submit-coverage +36 -0
- data/conjur-api.gemspec +41 -0
- data/dev/Dockerfile.dev +12 -0
- data/dev/docker-compose.yml +56 -0
- data/dev/start +22 -0
- data/dev/stop +5 -0
- data/docker-compose.yml +98 -0
- data/example/demo_v4.rb +49 -0
- data/example/demo_v5.rb +57 -0
- data/features/authenticators.feature +41 -0
- data/features/authn.feature +14 -0
- data/features/authn_local.feature +32 -0
- data/features/exists.feature +37 -0
- data/features/group.feature +11 -0
- data/features/host.feature +50 -0
- data/features/host_factory_create_host.feature +28 -0
- data/features/host_factory_token.feature +63 -0
- data/features/load_policy.feature +61 -0
- data/features/members.feature +51 -0
- data/features/new_api.feature +36 -0
- data/features/permitted.feature +70 -0
- data/features/permitted_roles.feature +30 -0
- data/features/public_keys.feature +11 -0
- data/features/resource_fields.feature +53 -0
- data/features/role_fields.feature +15 -0
- data/features/rotate_api_key.feature +13 -0
- data/features/step_definitions/api_steps.rb +52 -0
- data/features/step_definitions/policy_steps.rb +134 -0
- data/features/step_definitions/result_steps.rb +11 -0
- data/features/support/env.rb +19 -0
- data/features/support/hooks.rb +3 -0
- data/features/support/world.rb +12 -0
- data/features/update_password.feature +14 -0
- data/features/user.feature +58 -0
- data/features/variable_fields.feature +20 -0
- data/features/variable_value.feature +60 -0
- data/features_v4/authn_local.feature +27 -0
- data/features_v4/exists.feature +29 -0
- data/features_v4/host.feature +18 -0
- data/features_v4/host_factory_token.feature +49 -0
- data/features_v4/members.feature +39 -0
- data/features_v4/permitted.feature +15 -0
- data/features_v4/permitted_roles.feature +8 -0
- data/features_v4/resource_fields.feature +47 -0
- data/features_v4/rotate_api_key.feature +13 -0
- data/features_v4/step_definitions/api_steps.rb +17 -0
- data/features_v4/step_definitions/result_steps.rb +3 -0
- data/features_v4/support/env.rb +23 -0
- data/features_v4/support/policy.yml +34 -0
- data/features_v4/support/world.rb +12 -0
- data/features_v4/variable_fields.feature +11 -0
- data/features_v4/variable_value.feature +54 -0
- data/lib/conjur/acts_as_resource.rb +123 -0
- data/lib/conjur/acts_as_role.rb +142 -0
- data/lib/conjur/acts_as_rolsource.rb +32 -0
- data/lib/conjur/acts_as_user.rb +68 -0
- data/lib/conjur/api/authenticators.rb +43 -0
- data/lib/conjur/api/authn.rb +144 -0
- data/lib/conjur/api/host_factories.rb +71 -0
- data/lib/conjur/api/ldap_sync.rb +38 -0
- data/lib/conjur/api/policies.rb +56 -0
- data/lib/conjur/api/pubkeys.rb +53 -0
- data/lib/conjur/api/resources.rb +109 -0
- data/lib/conjur/api/roles.rb +98 -0
- data/lib/conjur/api/router/v4.rb +206 -0
- data/lib/conjur/api/router/v5.rb +269 -0
- data/lib/conjur/api/variables.rb +59 -0
- data/lib/conjur/api.rb +105 -0
- data/lib/conjur/base.rb +355 -0
- data/lib/conjur/base_object.rb +57 -0
- data/lib/conjur/build_object.rb +47 -0
- data/lib/conjur/cache.rb +26 -0
- data/lib/conjur/cert_utils.rb +63 -0
- data/lib/conjur/cidr.rb +71 -0
- data/lib/conjur/configuration.rb +460 -0
- data/lib/conjur/escape.rb +129 -0
- data/lib/conjur/exceptions.rb +4 -0
- data/lib/conjur/group.rb +41 -0
- data/lib/conjur/has_attributes.rb +98 -0
- data/lib/conjur/host.rb +27 -0
- data/lib/conjur/host_factory.rb +75 -0
- data/lib/conjur/host_factory_token.rb +78 -0
- data/lib/conjur/id.rb +71 -0
- data/lib/conjur/layer.rb +9 -0
- data/lib/conjur/log.rb +72 -0
- data/lib/conjur/log_source.rb +60 -0
- data/lib/conjur/policy.rb +34 -0
- data/lib/conjur/policy_load_result.rb +61 -0
- data/lib/conjur/query_string.rb +12 -0
- data/lib/conjur/resource.rb +29 -0
- data/lib/conjur/role.rb +29 -0
- data/lib/conjur/role_grant.rb +85 -0
- data/lib/conjur/routing.rb +29 -0
- data/lib/conjur/user.rb +40 -0
- data/lib/conjur/variable.rb +208 -0
- data/lib/conjur/webservice.rb +30 -0
- data/lib/conjur-api/version.rb +24 -0
- data/lib/conjur-api.rb +2 -0
- data/publish.sh +5 -0
- data/spec/api/host_factories_spec.rb +34 -0
- data/spec/api_spec.rb +254 -0
- data/spec/base_object_spec.rb +13 -0
- data/spec/cert_utils_spec.rb +173 -0
- data/spec/cidr_spec.rb +34 -0
- data/spec/configuration_spec.rb +330 -0
- data/spec/has_attributes_spec.rb +63 -0
- data/spec/helpers/errors_matcher.rb +34 -0
- data/spec/helpers/request_helpers.rb +10 -0
- data/spec/id_spec.rb +29 -0
- data/spec/ldap_sync_spec.rb +21 -0
- data/spec/log_source_spec.rb +13 -0
- data/spec/log_spec.rb +42 -0
- data/spec/roles_spec.rb +24 -0
- data/spec/spec_helper.rb +113 -0
- data/spec/ssl_spec.rb +109 -0
- data/spec/uri_escape_spec.rb +21 -0
- data/test.sh +76 -0
- data/tmp/.keep +0 -0
- metadata +194 -3
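--- a/data/ci/oauth/keycloak/fetch_certificate
+++ b/data/ci/oauth/keycloak/fetch_certificate
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# This script retrieves a certificate from the keycloak OIDC provider
+# and puts it to a trusted operating system store.
+# It is needed to communicate with the provider via SSL for validating ID tokens
+
+openssl s_client \
+-showcerts \
+-connect keycloak:8443 \
+-servername keycloak \
+</dev/null | \
+openssl x509 \
+-outform PEM \
+>/etc/ssl/certs/keycloak.pem
+
+hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
+
+ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0"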
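Review bot: Nothing verifies that the `openssl s_client | openssl x509` pipeline on lines 7–14 actually produced a certificate; under `#!/bin/sh` with no `set -e`, an unreachable Keycloak leaves `/etc/ssl/certs/keycloak.pem` empty, `hash` empty, and the `ln -s` on line 18 still creates `/etc/ssl/certs/.0` and exits 0, so the caller believes the provider's certificate has been trusted. Add `set -eu` after the shebang and guard the link with `[ -s /etc/ssl/certs/keycloak.pem ] || exit 1` and `: "${hash:?no certificate hash}"` so a failed fetch is reported instead of silently installing an empty trust entry. `ln -s` also fails on a second run once the link exists; `ln -sf` keeps the script idempotent.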
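--- a/data/ci/oauth/keycloak/keycloak_functions.sh
+++ b/data/ci/oauth/keycloak/keycloak_functions.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+KEYCLOAK_SERVICE_NAME="keycloak"
+
+# Note: the single arg is a nameref, which this function sets to an array
+# containing items of the form "KEY=VAL".
+function _hydrate_keycloak_env_args() {
+local -n arr=$1
+local keycloak_items
+
+readarray -t keycloak_items < <(
+set -o pipefail
+# Note: This prints all lines that look like:
+# KEYCLOAK_XXX=someval
+docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} printenv | awk '/KEYCLOAK/'
+)
+
+# shellcheck disable=SC2034
+arr=(
+"${keycloak_items[@]}"
+"PROVIDER_URI=https://keycloak:8443/auth/realms/master"
+"PROVIDER_INTERNAL_URI=http://keycloak:8080/auth/realms/master/protocol/openid-connect"
+"PROVIDER_ISSUER=http://keycloak:8080/auth/realms/master"
+"ID_TOKEN_USER_PROPERTY=preferred_username"
+)
+}
+
+# The arguments must be unexpanded variable names. Eg:
+#
+# _create_keycloak_user '$APP_USER' '$APP_PW' '$APP_EMAIL'
+#
+# This is because those variables are not available to this script. They are
+# available to bash commands run via "docker-compose exec keycloak bash
+# -c...", since they're defined in the docker-compose.yml.
+function _create_keycloak_user() {
+local user_var=$1
+local pw_var=$2
+local email_var=$3
+
+docker-compose exec -T \
+${KEYCLOAK_SERVICE_NAME} \
+bash -c "/scripts/create_user \"$user_var\" \"$pw_var\" \"$email_var\""
+}
+
+function create_keycloak_users() {
+echo "Defining keycloak client"
+
+docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} /scripts/create_client
+
+echo "Creating user 'alice' in Keycloak"
+
+# Note: We want to pass the bash command thru without expansion here.
+# shellcheck disable=SC2016
+_create_keycloak_user \
+'$KEYCLOAK_APP_USER' \
+'$KEYCLOAK_APP_USER_PASSWORD' \
+'$KEYCLOAK_APP_USER_EMAIL'
+}
+
+function wait_for_keycloak_server() {
+docker-compose exec -T \
+${KEYCLOAK_SERVICE_NAME} /scripts/wait_for_server
+}
+
+function fetch_keycloak_certificate() {
+# there's a dep on the docker-compose.yml volumes.
+# Fetch SSL cert to communicate with keycloak (OIDC provider).
+echo "Initialize keycloak certificate in conjur server"
+docker-compose exec -T \
+conjur_5 /scripts/fetch_certificate
+}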
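Review bot: The `set -o pipefail` inside the process substitution on line 12 never reaches the caller, because the exit status of a `< <(...)` substitution is discarded; when `docker-compose exec ... printenv` fails, `readarray` just yields an empty `keycloak_items` and `_hydrate_keycloak_env_args` returns success with an environment missing every `KEYCLOAK_*` entry. Add `(( ${#keycloak_items[@]} > 0 )) || return 1` after the `)` on line 16 so a failed exec is reported rather than masked. The `bash -c` string on line 42 has the container shell evaluate whatever text is passed in, so `_create_keycloak_user` must only ever receive the literal `$NAME` arguments its header comment describes; a one-line check that each argument matches that shape would enforce the contract instead of relying on the comment. `fetch_keycloak_certificate` on line 70 hard-codes `conjur_5` while the other functions go through `${KEYCLOAK_SERVICE_NAME}`; a named constant for the conjur service would make that compose dependency as visible as the keycloak one.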