conjur-api 5.3.8.pre.319 → 5.4.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (150) hide show
  1. checksums.yaml +4 -4
  2. data/.codeclimate.yml +10 -0
  3. data/.dockerignore +1 -0
  4. data/.github/CODEOWNERS +10 -0
  5. data/.gitignore +32 -0
  6. data/.gitleaks.toml +219 -0
  7. data/.overcommit.yml +16 -0
  8. data/.project +18 -0
  9. data/.rubocop.yml +3 -0
  10. data/.rubocop_settings.yml +86 -0
  11. data/.rubocop_todo.yml +709 -0
  12. data/.yardopts +1 -0
  13. data/CHANGELOG.md +448 -0
  14. data/CONTRIBUTING.md +138 -0
  15. data/Dockerfile +16 -0
  16. data/Gemfile +7 -0
  17. data/Jenkinsfile +136 -0
  18. data/LICENSE +202 -0
  19. data/README.md +162 -0
  20. data/Rakefile +47 -0
  21. data/SECURITY.md +42 -0
  22. data/VERSION +1 -1
  23. data/bin/parse-changelog.sh +12 -0
  24. data/ci/configure_v4.sh +12 -0
  25. data/ci/configure_v5.sh +19 -0
  26. data/ci/oauth/keycloak/create_client +18 -0
  27. data/ci/oauth/keycloak/create_user +21 -0
  28. data/ci/oauth/keycloak/fetch_certificate +18 -0
  29. data/ci/oauth/keycloak/keycloak_functions.sh +71 -0
  30. data/ci/oauth/keycloak/standalone.xml +578 -0
  31. data/ci/oauth/keycloak/wait_for_server +56 -0
  32. data/ci/submit-coverage +36 -0
  33. data/conjur-api.gemspec +41 -0
  34. data/dev/Dockerfile.dev +12 -0
  35. data/dev/docker-compose.yml +56 -0
  36. data/dev/start +22 -0
  37. data/dev/stop +5 -0
  38. data/docker-compose.yml +98 -0
  39. data/example/demo_v4.rb +49 -0
  40. data/example/demo_v5.rb +57 -0
  41. data/features/authenticators.feature +41 -0
  42. data/features/authn.feature +14 -0
  43. data/features/authn_local.feature +32 -0
  44. data/features/exists.feature +37 -0
  45. data/features/group.feature +11 -0
  46. data/features/host.feature +50 -0
  47. data/features/host_factory_create_host.feature +28 -0
  48. data/features/host_factory_token.feature +63 -0
  49. data/features/load_policy.feature +61 -0
  50. data/features/members.feature +51 -0
  51. data/features/new_api.feature +36 -0
  52. data/features/permitted.feature +70 -0
  53. data/features/permitted_roles.feature +30 -0
  54. data/features/public_keys.feature +11 -0
  55. data/features/resource_fields.feature +53 -0
  56. data/features/role_fields.feature +15 -0
  57. data/features/rotate_api_key.feature +13 -0
  58. data/features/step_definitions/api_steps.rb +52 -0
  59. data/features/step_definitions/policy_steps.rb +134 -0
  60. data/features/step_definitions/result_steps.rb +11 -0
  61. data/features/support/env.rb +19 -0
  62. data/features/support/hooks.rb +3 -0
  63. data/features/support/world.rb +12 -0
  64. data/features/update_password.feature +14 -0
  65. data/features/user.feature +58 -0
  66. data/features/variable_fields.feature +20 -0
  67. data/features/variable_value.feature +60 -0
  68. data/features_v4/authn_local.feature +27 -0
  69. data/features_v4/exists.feature +29 -0
  70. data/features_v4/host.feature +18 -0
  71. data/features_v4/host_factory_token.feature +49 -0
  72. data/features_v4/members.feature +39 -0
  73. data/features_v4/permitted.feature +15 -0
  74. data/features_v4/permitted_roles.feature +8 -0
  75. data/features_v4/resource_fields.feature +47 -0
  76. data/features_v4/rotate_api_key.feature +13 -0
  77. data/features_v4/step_definitions/api_steps.rb +17 -0
  78. data/features_v4/step_definitions/result_steps.rb +3 -0
  79. data/features_v4/support/env.rb +23 -0
  80. data/features_v4/support/policy.yml +34 -0
  81. data/features_v4/support/world.rb +12 -0
  82. data/features_v4/variable_fields.feature +11 -0
  83. data/features_v4/variable_value.feature +54 -0
  84. data/lib/conjur/acts_as_resource.rb +123 -0
  85. data/lib/conjur/acts_as_role.rb +142 -0
  86. data/lib/conjur/acts_as_rolsource.rb +32 -0
  87. data/lib/conjur/acts_as_user.rb +68 -0
  88. data/lib/conjur/api/authenticators.rb +43 -0
  89. data/lib/conjur/api/authn.rb +144 -0
  90. data/lib/conjur/api/host_factories.rb +71 -0
  91. data/lib/conjur/api/ldap_sync.rb +38 -0
  92. data/lib/conjur/api/policies.rb +56 -0
  93. data/lib/conjur/api/pubkeys.rb +53 -0
  94. data/lib/conjur/api/resources.rb +109 -0
  95. data/lib/conjur/api/roles.rb +98 -0
  96. data/lib/conjur/api/router/v4.rb +206 -0
  97. data/lib/conjur/api/router/v5.rb +269 -0
  98. data/lib/conjur/api/variables.rb +59 -0
  99. data/lib/conjur/api.rb +105 -0
  100. data/lib/conjur/base.rb +355 -0
  101. data/lib/conjur/base_object.rb +57 -0
  102. data/lib/conjur/build_object.rb +47 -0
  103. data/lib/conjur/cache.rb +26 -0
  104. data/lib/conjur/cert_utils.rb +63 -0
  105. data/lib/conjur/cidr.rb +71 -0
  106. data/lib/conjur/configuration.rb +460 -0
  107. data/lib/conjur/escape.rb +129 -0
  108. data/lib/conjur/exceptions.rb +4 -0
  109. data/lib/conjur/group.rb +41 -0
  110. data/lib/conjur/has_attributes.rb +98 -0
  111. data/lib/conjur/host.rb +27 -0
  112. data/lib/conjur/host_factory.rb +75 -0
  113. data/lib/conjur/host_factory_token.rb +78 -0
  114. data/lib/conjur/id.rb +71 -0
  115. data/lib/conjur/layer.rb +9 -0
  116. data/lib/conjur/log.rb +72 -0
  117. data/lib/conjur/log_source.rb +60 -0
  118. data/lib/conjur/policy.rb +34 -0
  119. data/lib/conjur/policy_load_result.rb +61 -0
  120. data/lib/conjur/query_string.rb +12 -0
  121. data/lib/conjur/resource.rb +29 -0
  122. data/lib/conjur/role.rb +29 -0
  123. data/lib/conjur/role_grant.rb +85 -0
  124. data/lib/conjur/routing.rb +29 -0
  125. data/lib/conjur/user.rb +40 -0
  126. data/lib/conjur/variable.rb +208 -0
  127. data/lib/conjur/webservice.rb +30 -0
  128. data/lib/conjur-api/version.rb +24 -0
  129. data/lib/conjur-api.rb +2 -0
  130. data/publish.sh +5 -0
  131. data/spec/api/host_factories_spec.rb +34 -0
  132. data/spec/api_spec.rb +254 -0
  133. data/spec/base_object_spec.rb +13 -0
  134. data/spec/cert_utils_spec.rb +173 -0
  135. data/spec/cidr_spec.rb +34 -0
  136. data/spec/configuration_spec.rb +330 -0
  137. data/spec/has_attributes_spec.rb +63 -0
  138. data/spec/helpers/errors_matcher.rb +34 -0
  139. data/spec/helpers/request_helpers.rb +10 -0
  140. data/spec/id_spec.rb +29 -0
  141. data/spec/ldap_sync_spec.rb +21 -0
  142. data/spec/log_source_spec.rb +13 -0
  143. data/spec/log_spec.rb +42 -0
  144. data/spec/roles_spec.rb +24 -0
  145. data/spec/spec_helper.rb +113 -0
  146. data/spec/ssl_spec.rb +109 -0
  147. data/spec/uri_escape_spec.rb +21 -0
  148. data/test.sh +76 -0
  149. data/tmp/.keep +0 -0
  150. metadata +196 -5
@@ -0,0 +1,34 @@
1
+ #
2
+ # Copyright 2013-2017 Conjur Inc
3
+ #
4
+ # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
+ # this software and associated documentation files (the "Software"), to deal in
6
+ # the Software without restriction, including without limitation the rights to
7
+ # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
+ # the Software, and to permit persons to whom the Software is furnished to do so,
9
+ # subject to the following conditions:
10
+ #
11
+ # The above copyright notice and this permission notice shall be included in all
12
+ # copies or substantial portions of the Software.
13
+ #
14
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
+ # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
+ # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
+ # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
+ # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
+ # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
+ #
21
+ module Conjur
22
+
23
+ # Defines an set of objects, permission grants and role grants. All objects in a policy
24
+ # share a common naming prefix, which is the id of the policy. (Exception: the root
25
+ # policy does not add a naming prefix to each of its objects).
26
+ #
27
+ # Policies are defined using a YAML syntax, which is extensively documented on the Conjur
28
+ # web site. To load a policy, define it using YAML and then use {API#load_policy}.
29
+ #
30
+ # @see API#load_policy
31
+ class Policy < BaseObject
32
+ include ActsAsRolsource
33
+ end
34
+ end
@@ -0,0 +1,61 @@
1
+ #
2
+ # Copyright 2013-2017 Conjur Inc
3
+ #
4
+ # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
+ # this software and associated documentation files (the "Software"), to deal in
6
+ # the Software without restriction, including without limitation the rights to
7
+ # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
+ # the Software, and to permit persons to whom the Software is furnished to do so,
9
+ # subject to the following conditions:
10
+ #
11
+ # The above copyright notice and this permission notice shall be included in all
12
+ # copies or substantial portions of the Software.
13
+ #
14
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
+ # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
+ # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
+ # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
+ # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
+ # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
+ #
21
+ module Conjur
22
+ # The result of loading a policy. When a policy is loaded, two types of data
23
+ # are always provided:
24
+ #
25
+ # * {#created_roles} the API keys of any new roles which were created
26
+ # * {#version} the new version of the policy.
27
+ class PolicyLoadResult
28
+ def initialize data
29
+ @data = data
30
+ end
31
+
32
+ # @api private
33
+ def to_h
34
+ @data
35
+ end
36
+
37
+ # @api private
38
+ def to_json options = {}
39
+ @data.to_json(options)
40
+ end
41
+
42
+ # @api private
43
+ def to_s
44
+ @data.to_s
45
+ end
46
+
47
+ # API keys for roles which were created when loading the policy.
48
+ #
49
+ # @return [Hash] Hash keys are the role ids, and hash values are the API keys.
50
+ def created_roles
51
+ @data['created_roles']
52
+ end
53
+
54
+ # The new version of the policy. When a policy is updated, a new version is appended
55
+ # to that policy. The YAML of previous versions of the policy can be obtained
56
+ # by fetching the policy resource using {API#resource}.
57
+ def version
58
+ @data['version']
59
+ end
60
+ end
61
+ end
@@ -0,0 +1,12 @@
1
+ # @api private
2
+ module Conjur::QueryString
3
+ protected
4
+
5
+ def options_querystring options
6
+ if options.empty?
7
+ ""
8
+ else
9
+ "?#{options.to_query}"
10
+ end
11
+ end
12
+ end
@@ -0,0 +1,29 @@
1
+ #
2
+ # Copyright 2013-2017 Conjur Inc
3
+ #
4
+ # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
+ # this software and associated documentation files (the "Software"), to deal in
6
+ # the Software without restriction, including without limitation the rights to
7
+ # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
+ # the Software, and to permit persons to whom the Software is furnished to do so,
9
+ # subject to the following conditions:
10
+ #
11
+ # The above copyright notice and this permission notice shall be included in all
12
+ # copies or substantial portions of the Software.
13
+ #
14
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
+ # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
+ # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
+ # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
+ # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
+ # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
+ #
21
+
22
+ module Conjur
23
+
24
+ # A Conjur custom Resource. This object is used for resources whose `kind` is not
25
+ # any of the pre-defined common types such as {Group}, {Host}, {Variable}, etc.
26
+ class Resource < BaseObject
27
+ include ActsAsResource
28
+ end
29
+ end
@@ -0,0 +1,29 @@
1
+ #
2
+ # Copyright 2013-2017 Conjur Inc
3
+ #
4
+ # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
+ # this software and associated documentation files (the "Software"), to deal in
6
+ # the Software without restriction, including without limitation the rights to
7
+ # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
+ # the Software, and to permit persons to whom the Software is furnished to do so,
9
+ # subject to the following conditions:
10
+ #
11
+ # The above copyright notice and this permission notice shall be included in all
12
+ # copies or substantial portions of the Software.
13
+ #
14
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
+ # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
+ # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
+ # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
+ # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
+ # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
+ #
21
+ require 'conjur/role_grant'
22
+
23
+ module Conjur
24
+ # A Conjur custom Role. This object is used for roles whose `kind` is not
25
+ # any of the pre-defined common types such as {Group}, {Host}, {Layer}, etc.
26
+ class Role < BaseObject
27
+ include ActsAsRole
28
+ end
29
+ end
@@ -0,0 +1,85 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Copyright 2013-2018 CyberArk Ltd.
4
+ #
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
8
+ #
9
+ # http://www.apache.org/licenses/LICENSE-2.0
10
+ #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+
17
+ module Conjur
18
+ # Represents the membership of a role. `RoleGrant`s are returned
19
+ # by {ActsAsRole#members} and represent members of the role on which the method was invoked.
20
+ #
21
+ # @example
22
+ # alice.members.map{|grant| grant.member}.include? admin_role # => true
23
+ # admin_role.members.map{|grant| grant.member}.include? alice # => true
24
+ #
25
+ class RoleGrant
26
+ extend BuildObject::ClassMethods
27
+
28
+ # The role which was granted.
29
+ # @return [Conjur::Role]
30
+ attr_reader :role
31
+
32
+ # The member role in the relationship
33
+ # @return [Conjur::Role]
34
+ attr_reader :member
35
+
36
+ # When true, the role {#member} is allowed to give this grant to other roles
37
+ #
38
+ # @return [Boolean]
39
+ attr_reader :admin_option
40
+
41
+ # @api private
42
+ #
43
+ # Create a new RoleGrant instance.
44
+ #
45
+ # @param [Conjur::Role] member the member to which the role was granted
46
+ # @param [Boolean] admin_option whether `member` can give the grant to other roles
47
+ def initialize role, member, admin_option
48
+ @role = role
49
+ @member = member
50
+ @admin_option = admin_option
51
+ end
52
+
53
+ # Representation of the role grant as a hash.
54
+ def to_h
55
+ {
56
+ role: role.id,
57
+ member: member.id,
58
+ admin_option: admin_option
59
+ }
60
+ end
61
+
62
+ def to_s
63
+ to_h.to_s
64
+ end
65
+
66
+ def as_json options = {}
67
+ to_h.as_json(options)
68
+ end
69
+
70
+ class << self
71
+ # @api private
72
+ #
73
+ # Create a `RoleGrant` from a JSON respnose
74
+ #
75
+ # @param [Hash] json the parsed JSON response
76
+ # @param [Hash] credentials the credentials used to create APIs for the member and grantor role objects
77
+ # @return [Conjur::RoleGrant]
78
+ def parse_from_json(json, credentials)
79
+ role = build_object(json['role'], credentials, default_class: Role)
80
+ member = build_object(json['member'], credentials, default_class: Role)
81
+ RoleGrant.new(role, member, json['admin_option'])
82
+ end
83
+ end
84
+ end
85
+ end
@@ -0,0 +1,29 @@
1
+ module Conjur
2
+ module Routing
3
+ def url_for method, *args
4
+ router.send method, *args
5
+ end
6
+
7
+ def parser_for method, *args
8
+ router.send "parse_#{method}", *args
9
+ end
10
+
11
+ protected
12
+
13
+ def router
14
+ require 'conjur/api/router/v4'
15
+ require 'conjur/api/router/v5'
16
+
17
+ variable_id = "@v#{Conjur.configuration.version}_router"
18
+ router = instance_variable_get variable_id
19
+ if router.nil?
20
+ router = instance_variable_set variable_id, router_for_version
21
+ end
22
+ router
23
+ end
24
+
25
+ def router_for_version
26
+ Conjur::API::Router.const_get("V#{Conjur.configuration.version}")
27
+ end
28
+ end
29
+ end
@@ -0,0 +1,40 @@
1
+ #
2
+ # Copyright 2013-2017 Conjur Inc
3
+ #
4
+ # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
+ # this software and associated documentation files (the "Software"), to deal in
6
+ # the Software without restriction, including without limitation the rights to
7
+ # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
+ # the Software, and to permit persons to whom the Software is furnished to do so,
9
+ # subject to the following conditions:
10
+ #
11
+ # The above copyright notice and this permission notice shall be included in all
12
+ # copies or substantial portions of the Software.
13
+ #
14
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
+ # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
+ # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
+ # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
+ # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
+ # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
+ #
21
+ module Conjur
22
+ # A Conjur User.
23
+ class User < BaseObject
24
+ include ActsAsUser
25
+
26
+ # Get the user's uidnumber, which can be used by LDAP and SSH login, among other things.
27
+ #
28
+ # @return [Fixnum] the uidnumber
29
+ # @raise [RestClient::Forbidden] if you don't have permission to `show` the user.
30
+ def uidnumber
31
+ parser_for(:user_uidnumber, user_attributes)
32
+ end
33
+
34
+ private
35
+
36
+ def user_attributes
37
+ @user_attributes ||= url_for(:user_attributes, credentials, self, id)
38
+ end
39
+ end
40
+ end
@@ -0,0 +1,208 @@
1
+ #
2
+ # Copyright 2013-2017 Conjur Inc
3
+ #
4
+ # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
+ # this software and associated documentation files (the "Software"), to deal in
6
+ # the Software without restriction, including without limitation the rights to
7
+ # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
+ # the Software, and to permit persons to whom the Software is furnished to do so,
9
+ # subject to the following conditions:
10
+ #
11
+ # The above copyright notice and this permission notice shall be included in all
12
+ # copies or substantial portions of the Software.
13
+ #
14
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
+ # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
+ # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
+ # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
+ # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
+ # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
+ #
21
+ module Conjur
22
+
23
+ # Protected (secret) data stored in Conjur.
24
+ #
25
+ # The code responsible for the actual encryption of variables is open source as part of the
26
+ # {https://github.com/conjurinc/slosilo Slosilo} library.
27
+ #
28
+ # Each variables has some standard metadata (`mime-type` and secret `kind`).
29
+ #
30
+ # Variables are *versioned*. Storing secrets in multiple places is a bad security practice, but
31
+ # overwriting a secret accidentally can create a major problem for development and ops teams. Conjur
32
+ # discourages bad security practices while avoiding ops disasters by storing previous versions of
33
+ # a secret (up to a fixed limit, to avoid unbounded database growth).
34
+ #
35
+ # ### Important
36
+ # A common pitfall when trying to access older versions of a variable is to assume that `0` is the oldest
37
+ # version. Variable versions are `1`-based, with `1` being the oldest.
38
+ #
39
+ # ### Permissions
40
+ #
41
+ # * To *fetch* the value of a `variable`, you must have permission to `'execute'` the variable.
42
+ # * To *add* a value to a `variable`, you must have permission to `'update'` the variable.
43
+ # * To *show* metadata associated with a variable, but *not* the value of the secret, you must have `'read'`
44
+ # permission on the variable.
45
+ #
46
+ # @example Get a variable and access its metadata and the latest value
47
+ # variable = api.resource 'myorg:variable:example'
48
+ # puts variable.kind # "example-secret"
49
+ # puts variable.mime_type # "text/plain"
50
+ # puts variable.value # "supahsecret"
51
+
52
+ # @example Variables are versioned
53
+ # variable = api.resource 'myorg:variable:example'
54
+ # # Unless you set a variables value when you create it, the variable starts out without a value and version_count
55
+ # # is 0.
56
+ # var.version_count # => 0
57
+ # var.value # raises RestClient::ResourceNotFound (404)
58
+ #
59
+ # # Add a value
60
+ # var.add_value 'value 1'
61
+ # var.version_count # => 1
62
+ # var.value # => 'value 1'
63
+ #
64
+ # # Add another value
65
+ # var.add_value 'value 2'
66
+ # var.version_count # => 2
67
+ #
68
+ # # 'value' with no argument returns the most recent value
69
+ # var.value # => 'value 2'
70
+ #
71
+ # # We can access older versions by their 1 based index:
72
+ # var.value 1 # => 'value 1'
73
+ # var.value 2 # => 'value 2'
74
+ # # Notice that version 0 of a variable is always the most recent:
75
+ # var.value 0 # => 'value 2'
76
+ #
77
+ class Variable < BaseObject
78
+ include ActsAsResource
79
+
80
+ def as_json options={}
81
+ result = super(options)
82
+ result["mime_type"] = mime_type
83
+ result["kind"] = kind
84
+ result
85
+ end
86
+
87
+ # The kind of secret represented by this variable, for example, `'postgres-url'` or
88
+ # `'aws-secret-access-key'`.
89
+ #
90
+ # You must have the **`'read'`** permission on a variable to call this method.
91
+ #
92
+ # This attribute is only for human consumption, and does not take part in the Conjur permissions
93
+ # model.
94
+ #
95
+ # @note this is **not** the same as the `kind` part of a qualified Conjur id.
96
+ # @return [String] a string representing the kind of secret.
97
+ def kind
98
+ parser_for(:variable_kind, variable_attributes) || "secret"
99
+ end
100
+
101
+ # The MIME Type of the variable's value.
102
+ #
103
+ # You must have the **`'read'`** permission on a variable to call this method.
104
+ #
105
+ # This attribute is used by the Conjur services to set a response `Content-Type` header when
106
+ # returning the value of a variable. Conjur applies the same MIME Type to all versions of a variable,
107
+ # so if you plan on accessing the variable in a way that depends on a correct `Content-Type` header
108
+ # you should make sure to store appropriate data for the mime type in all versions.
109
+ #
110
+ # @return [String] a MIME type, such as `'text/plain'` or `'application/octet-stream'`.
111
+ def mime_type
112
+ parser_for(:variable_mime_type, variable_attributes) || "text/plain"
113
+ end
114
+
115
+ # Add a new value to the variable.
116
+ #
117
+ # You must have the **`'update'`** permission on a variable to call this method.
118
+ #
119
+ # @example Add a value to a variable
120
+ # var = api.variable 'my-secret'
121
+ # puts var.version_count # 1
122
+ # puts var.value # 'supersecret'
123
+ # var.add_value "new_secret"
124
+ # puts var.version_count # 2
125
+ # puts var.value # 'new_secret'
126
+ # @param [String] value the new value to add
127
+ # @return [void]
128
+ def add_value value
129
+ log do |logger|
130
+ logger << "Adding a value to variable #{id}"
131
+ end
132
+ invalidate do
133
+ route = url_for(:secrets_add, credentials, id)
134
+ Conjur.configuration.version_logic lambda {
135
+ route.post value: value
136
+ }, lambda {
137
+ route.post value
138
+ }
139
+ end
140
+ end
141
+
142
+ # Return the number of versions of the variable.
143
+ #
144
+ # You must have the **`'read'`** permission on a variable to call this method.
145
+ #
146
+ # @example
147
+ # var.version_count # => 4
148
+ # var.add_value "something new"
149
+ # var.version_count # => 5
150
+ #
151
+ # @return [Integer] the number of versions
152
+ def version_count
153
+ Conjur.configuration.version_logic lambda {
154
+ JSON.parse(url_for(:variable, credentials, id).get)['version_count']
155
+ }, lambda {
156
+ secrets = attributes['secrets']
157
+ if secrets.empty?
158
+ 0
159
+ else
160
+ secrets.last['version']
161
+ end
162
+ }
163
+ end
164
+
165
+ # Return the version of a variable.
166
+ #
167
+ # You must have the **`'execute'`** permission on a variable to call this method.
168
+ #
169
+ # When no argument is given, the most recent version is returned.
170
+ #
171
+ # When a `version` argument is given, the method returns a version according to the following rules:
172
+ # * If `version` is 0, the *most recent* version is returned.
173
+ # * If `version` is less than 0 or greater than {#version_count}, a `RestClient::ResourceNotFound` exception
174
+ # will be raised.
175
+ # * If {#version_count} is 0, a `RestClient::ResourceNotFound` exception will be raised.
176
+ # * If `version` is >= 1 and `version` <= {#version_count}, the version at the **1 based** index given by `version`
177
+ # will be returned.
178
+ #
179
+ # @example Fetch all versions of a variable
180
+ # versions = (1..var.version_count).map do |version|
181
+ # var.value version
182
+ # end
183
+ #
184
+ # @example Get the current version of a variable
185
+ # # All of these return the same thing:
186
+ # var.value
187
+ # var.value 0
188
+ # var.value var.version_count
189
+ #
190
+ # @example Get the value of an expired variable
191
+ # var.value nil, show_expired: true
192
+ #
193
+ # @param [Integer] version the **1 based** version.
194
+ # @param options [Hash]
195
+ # @option options [Boolean, false] :show_expired show value even if variable has expired
196
+ # @return [String] the value of the variable
197
+ def value version = nil, options = {}
198
+ options['version'] = version if version
199
+ url_for(:secrets_value, credentials, id, options).get.body
200
+ end
201
+
202
+ private
203
+
204
+ def variable_attributes
205
+ @variable_attributes ||= url_for(:variable_attributes, credentials, self, id)
206
+ end
207
+ end
208
+ end
@@ -0,0 +1,30 @@
1
+ #
2
+ # Copyright 2013-2017 Conjur Inc
3
+ #
4
+ # Permission is hereby granted, free of charge, to any person obtaining a copy of
5
+ # this software and associated documentation files (the "Software"), to deal in
6
+ # the Software without restriction, including without limitation the rights to
7
+ # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
8
+ # the Software, and to permit persons to whom the Software is furnished to do so,
9
+ # subject to the following conditions:
10
+ #
11
+ # The above copyright notice and this permission notice shall be included in all
12
+ # copies or substantial portions of the Software.
13
+ #
14
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15
+ # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
16
+ # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
17
+ # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
18
+ # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19
+ # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
+ #
21
+ module Conjur
22
+ # A Conjur Webservice, which protects access to service code.
23
+ #
24
+ # Permissions on webservices can be granted and interpreted in a free-form way
25
+ # which is appropriate to the domain. For example, for a Docker registry
26
+ # which is guarded by a Webservice, the likely privileges would be `pull` and `push`.
27
+ class Webservice < BaseObject
28
+ include ActsAsResource
29
+ end
30
+ end
@@ -0,0 +1,24 @@
1
+ # Copyright 2013-2021 Conjur Inc.
2
+ #
3
+ # Permission is hereby granted, free of charge, to any person obtaining a copy of
4
+ # this software and associated documentation files (the "Software"), to deal in
5
+ # the Software without restriction, including without limitation the rights to
6
+ # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
7
+ # the Software, and to permit persons to whom the Software is furnished to do so,
8
+ # subject to the following conditions:
9
+ #
10
+ # The above copyright notice and this permission notice shall be included in all
11
+ # copies or substantial portions of the Software.
12
+ #
13
+ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14
+ # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
15
+ # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
16
+ # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
17
+ # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
18
+ # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
19
+
20
+ module Conjur
21
+ class API
22
+ VERSION = File.read(File.expand_path('../../VERSION', __dir__))
23
+ end
24
+ end
data/lib/conjur-api.rb ADDED
@@ -0,0 +1,2 @@
1
+ # Just a stub so that require 'conjur-api' works
2
+ require 'conjur/api'
data/publish.sh ADDED
@@ -0,0 +1,5 @@
1
+ #!/usr/bin/env bash
2
+ set -e
3
+
4
+ summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
5
+ publish-rubygem conjur-api
@@ -0,0 +1,34 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'spec_helper'
4
+ require 'conjur/api/host_factories'
5
+
6
+ describe "Conjur::API.host_factory_create_host", api: :dummy do
7
+ it "returns a Host instance correctly on v4" do
8
+ token = "host factory token"
9
+ id = "test-host"
10
+
11
+ allow(Conjur::API).to receive(:url_for)
12
+ .with(:host_factory_create_host, token).and_return(
13
+ resource = instance_double(RestClient::Resource, "hosts")
14
+ )
15
+
16
+ allow(resource).to receive(:post).with(id: id).and_return(
17
+ instance_double(RestClient::Response, "host response", body: '
18
+ {
19
+ "id": "test-host",
20
+ "userid": "hosts",
21
+ "created_at": "2015-11-13T22:57:14Z",
22
+ "ownerid": "cucumber:group:ops",
23
+ "roleid": "cucumber:host:test-host",
24
+ "resource_identifier": "cucumber:host:test-host",
25
+ "api_key": "14x82x72syhnnd1h8jj24zj1kqd2j09sjy3tddwxc35cmy5nx33ph7"
26
+ }
27
+ ')
28
+ )
29
+
30
+ host = Conjur::API.host_factory_create_host token, id
31
+
32
+ expect(host).to be_a Conjur::Host
33
+ end
34
+ end