conjur-api 5.3.8.pre.319 → 5.4.0

Files changed (150)
  1. checksums.yaml +4 -4
  2. data/.codeclimate.yml +10 -0
  3. data/.dockerignore +1 -0
  4. data/.github/CODEOWNERS +10 -0
  5. data/.gitignore +32 -0
  6. data/.gitleaks.toml +219 -0
  7. data/.overcommit.yml +16 -0
  8. data/.project +18 -0
  9. data/.rubocop.yml +3 -0
  10. data/.rubocop_settings.yml +86 -0
  11. data/.rubocop_todo.yml +709 -0
  12. data/.yardopts +1 -0
  13. data/CHANGELOG.md +448 -0
  14. data/CONTRIBUTING.md +138 -0
  15. data/Dockerfile +16 -0
  16. data/Gemfile +7 -0
  17. data/Jenkinsfile +136 -0
  18. data/LICENSE +202 -0
  19. data/README.md +162 -0
  20. data/Rakefile +47 -0
  21. data/SECURITY.md +42 -0
  22. data/VERSION +1 -1
  23. data/bin/parse-changelog.sh +12 -0
  24. data/ci/configure_v4.sh +12 -0
  25. data/ci/configure_v5.sh +19 -0
  26. data/ci/oauth/keycloak/create_client +18 -0
  27. data/ci/oauth/keycloak/create_user +21 -0
  28. data/ci/oauth/keycloak/fetch_certificate +18 -0
  29. data/ci/oauth/keycloak/keycloak_functions.sh +71 -0
  30. data/ci/oauth/keycloak/standalone.xml +578 -0
  31. data/ci/oauth/keycloak/wait_for_server +56 -0
  32. data/ci/submit-coverage +36 -0
  33. data/conjur-api.gemspec +41 -0
  34. data/dev/Dockerfile.dev +12 -0
  35. data/dev/docker-compose.yml +56 -0
  36. data/dev/start +22 -0
  37. data/dev/stop +5 -0
  38. data/docker-compose.yml +98 -0
  39. data/example/demo_v4.rb +49 -0
  40. data/example/demo_v5.rb +57 -0
  41. data/features/authenticators.feature +41 -0
  42. data/features/authn.feature +14 -0
  43. data/features/authn_local.feature +32 -0
  44. data/features/exists.feature +37 -0
  45. data/features/group.feature +11 -0
  46. data/features/host.feature +50 -0
  47. data/features/host_factory_create_host.feature +28 -0
  48. data/features/host_factory_token.feature +63 -0
  49. data/features/load_policy.feature +61 -0
  50. data/features/members.feature +51 -0
  51. data/features/new_api.feature +36 -0
  52. data/features/permitted.feature +70 -0
  53. data/features/permitted_roles.feature +30 -0
  54. data/features/public_keys.feature +11 -0
  55. data/features/resource_fields.feature +53 -0
  56. data/features/role_fields.feature +15 -0
  57. data/features/rotate_api_key.feature +13 -0
  58. data/features/step_definitions/api_steps.rb +52 -0
  59. data/features/step_definitions/policy_steps.rb +134 -0
  60. data/features/step_definitions/result_steps.rb +11 -0
  61. data/features/support/env.rb +19 -0
  62. data/features/support/hooks.rb +3 -0
  63. data/features/support/world.rb +12 -0
  64. data/features/update_password.feature +14 -0
  65. data/features/user.feature +58 -0
  66. data/features/variable_fields.feature +20 -0
  67. data/features/variable_value.feature +60 -0
  68. data/features_v4/authn_local.feature +27 -0
  69. data/features_v4/exists.feature +29 -0
  70. data/features_v4/host.feature +18 -0
  71. data/features_v4/host_factory_token.feature +49 -0
  72. data/features_v4/members.feature +39 -0
  73. data/features_v4/permitted.feature +15 -0
  74. data/features_v4/permitted_roles.feature +8 -0
  75. data/features_v4/resource_fields.feature +47 -0
  76. data/features_v4/rotate_api_key.feature +13 -0
  77. data/features_v4/step_definitions/api_steps.rb +17 -0
  78. data/features_v4/step_definitions/result_steps.rb +3 -0
  79. data/features_v4/support/env.rb +23 -0
  80. data/features_v4/support/policy.yml +34 -0
  81. data/features_v4/support/world.rb +12 -0
  82. data/features_v4/variable_fields.feature +11 -0
  83. data/features_v4/variable_value.feature +54 -0
  84. data/lib/conjur/acts_as_resource.rb +123 -0
  85. data/lib/conjur/acts_as_role.rb +142 -0
  86. data/lib/conjur/acts_as_rolsource.rb +32 -0
  87. data/lib/conjur/acts_as_user.rb +68 -0
  88. data/lib/conjur/api/authenticators.rb +43 -0
  89. data/lib/conjur/api/authn.rb +144 -0
  90. data/lib/conjur/api/host_factories.rb +71 -0
  91. data/lib/conjur/api/ldap_sync.rb +38 -0
  92. data/lib/conjur/api/policies.rb +56 -0
  93. data/lib/conjur/api/pubkeys.rb +53 -0
  94. data/lib/conjur/api/resources.rb +109 -0
  95. data/lib/conjur/api/roles.rb +98 -0
  96. data/lib/conjur/api/router/v4.rb +206 -0
  97. data/lib/conjur/api/router/v5.rb +269 -0
  98. data/lib/conjur/api/variables.rb +59 -0
  99. data/lib/conjur/api.rb +105 -0
  100. data/lib/conjur/base.rb +355 -0
  101. data/lib/conjur/base_object.rb +57 -0
  102. data/lib/conjur/build_object.rb +47 -0
  103. data/lib/conjur/cache.rb +26 -0
  104. data/lib/conjur/cert_utils.rb +63 -0
  105. data/lib/conjur/cidr.rb +71 -0
  106. data/lib/conjur/configuration.rb +460 -0
  107. data/lib/conjur/escape.rb +129 -0
  108. data/lib/conjur/exceptions.rb +4 -0
  109. data/lib/conjur/group.rb +41 -0
  110. data/lib/conjur/has_attributes.rb +98 -0
  111. data/lib/conjur/host.rb +27 -0
  112. data/lib/conjur/host_factory.rb +75 -0
  113. data/lib/conjur/host_factory_token.rb +78 -0
  114. data/lib/conjur/id.rb +71 -0
  115. data/lib/conjur/layer.rb +9 -0
  116. data/lib/conjur/log.rb +72 -0
  117. data/lib/conjur/log_source.rb +60 -0
  118. data/lib/conjur/policy.rb +34 -0
  119. data/lib/conjur/policy_load_result.rb +61 -0
  120. data/lib/conjur/query_string.rb +12 -0
  121. data/lib/conjur/resource.rb +29 -0
  122. data/lib/conjur/role.rb +29 -0
  123. data/lib/conjur/role_grant.rb +85 -0
  124. data/lib/conjur/routing.rb +29 -0
  125. data/lib/conjur/user.rb +40 -0
  126. data/lib/conjur/variable.rb +208 -0
  127. data/lib/conjur/webservice.rb +30 -0
  128. data/lib/conjur-api/version.rb +24 -0
  129. data/lib/conjur-api.rb +2 -0
  130. data/publish.sh +5 -0
  131. data/spec/api/host_factories_spec.rb +34 -0
  132. data/spec/api_spec.rb +254 -0
  133. data/spec/base_object_spec.rb +13 -0
  134. data/spec/cert_utils_spec.rb +173 -0
  135. data/spec/cidr_spec.rb +34 -0
  136. data/spec/configuration_spec.rb +330 -0
  137. data/spec/has_attributes_spec.rb +63 -0
  138. data/spec/helpers/errors_matcher.rb +34 -0
  139. data/spec/helpers/request_helpers.rb +10 -0
  140. data/spec/id_spec.rb +29 -0
  141. data/spec/ldap_sync_spec.rb +21 -0
  142. data/spec/log_source_spec.rb +13 -0
  143. data/spec/log_spec.rb +42 -0
  144. data/spec/roles_spec.rb +24 -0
  145. data/spec/spec_helper.rb +113 -0
  146. data/spec/ssl_spec.rb +109 -0
  147. data/spec/uri_escape_spec.rb +21 -0
  148. data/test.sh +76 -0
  149. data/tmp/.keep +0 -0
  150. metadata +196 -5
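--- a/data/Jenkinsfile
+++ b/data/Jenkinsfile
@@ -0,0 +1,136 @@
+#!/usr/bin/env groovy
+
+// Automated release, promotion and dependencies
+properties([
+release.addParams()
+])
+
+if (params.MODE == "PROMOTE") {
+release.promote(params.VERSION_TO_PROMOTE) { sourceVersion, targetVersion, assetDirectory ->
+sh './publish.sh'
+}
+return
+}
+
+pipeline {
+agent { label 'executor-v2' }
+
+options {
+timestamps()
+buildDiscarder(logRotator(numToKeepStr: '30'))
+}
+
+triggers {
+cron(getDailyCronString())
+}
+
+environment {
+MODE = release.canonicalizeMode()
+}
+
+stages {
+stage ("Skip build if triggering job didn't create a release") {
+when {
+expression {
+MODE == "SKIP"
+}
+}
+steps {
+script {
+currentBuild.result = 'ABORTED'
+error("Aborting build because this build was triggered from upstream, but no release was built")
+}
+}
+}
+stage('Validate Changelog and set version') {
+steps {
+sh './bin/parse-changelog.sh'
+updateVersion("CHANGELOG.md", "${BUILD_NUMBER}")
+}
+}
+
+stage('Prepare CC Report Dir'){
+steps {
+script {
+ccCoverage.dockerPrep()
+sh 'mkdir -p coverage'
+}
+}
+}
+
+stage('Test Ruby 2.7') {
+environment {
+RUBY_VERSION = '2.7'
+}
+steps {
+sh './test.sh'
+}
+
+post {
+always {
+junit 'spec/reports/*.xml'
+junit 'features/reports/*.xml'
+junit 'features_v4/reports/*.xml'
+}
+}
+}
+
+stage('Test Ruby 3.0') {
+environment {
+RUBY_VERSION = '3.0'
+}
+steps {
+sh("./test.sh")
+}
+post {
+always {
+junit 'spec/reports/*.xml'
+junit 'features/reports/*.xml'
+junit 'features_v4/reports/*.xml'
+}
+}
+}
+
+stage('Submit Coverage Report'){
+steps{
+sh 'ci/submit-coverage'
+publishHTML([reportDir: 'coverage', reportFiles: 'index.html', reportName: 'Coverage Report', reportTitles: '',
+allowMissing: false, alwaysLinkToLastBuild: true, keepAll: true])
+}
+
+post {
+always {
+archiveArtifacts artifacts: "coverage/.resultset.json", fingerprint: false
+}
+}
+}
+
+stage('Release') {
+when {
+expression {
+MODE == "RELEASE"
+}
+}
+
+steps {
+release {
+// Clean up all but the calculated VERSION
+sh '''docker run -i --rm -v $(pwd):/src -w /src --entrypoint /bin/sh alpine/git \
+-c "git config --global --add safe.directory /src && \
+git clean -fdx \
+-e VERSION \
+-e bom-assets/ \
+-e release-assets" '''
+sh './publish.sh'
+sh 'cp conjur-api-*.gem release-assets/.'
+}
+}
+}
+}
+
+post {
+always {
+cleanupAndNotify(currentBuild.currentResult)
+}
+}
+}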
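Review bot: Lines 66 and 83 run the same script in two different styles (`sh './test.sh'` versus `sh("./test.sh")`), and the `post { always { junit ... } }` blocks on lines 69–75 and 85–91 are copy-pasted between the two test stages. Using one call form in both stages lets the Ruby 2.7 and 3.0 stages diff cleanly, and the three junit calls per stage can be folded into one pattern list, `junit 'spec/reports/*.xml,features/reports/*.xml,features_v4/reports/*.xml'`, so a future report directory only has to be added in one place per stage.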
data/LICENSE ADDED
@@ -0,0 +1,202 @@
1
+
2
+ Apache License
3
+ Version 2.0, January 2004
4
+ http://www.apache.org/licenses/
5
+
6
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7
+
8
+ 1. Definitions.
9
+
10
+ "License" shall mean the terms and conditions for use, reproduction,
11
+ and distribution as defined by Sections 1 through 9 of this document.
12
+
13
+ "Licensor" shall mean the copyright owner or entity authorized by
14
+ the copyright owner that is granting the License.
15
+
16
+ "Legal Entity" shall mean the union of the acting entity and all
17
+ other entities that control, are controlled by, or are under common
18
+ control with that entity. For the purposes of this definition,
19
+ "control" means (i) the power, direct or indirect, to cause the
20
+ direction or management of such entity, whether by contract or
21
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
22
+ outstanding shares, or (iii) beneficial ownership of such entity.
23
+
24
+ "You" (or "Your") shall mean an individual or Legal Entity
25
+ exercising permissions granted by this License.
26
+
27
+ "Source" form shall mean the preferred form for making modifications,
28
+ including but not limited to software source code, documentation
29
+ source, and configuration files.
30
+
31
+ "Object" form shall mean any form resulting from mechanical
32
+ transformation or translation of a Source form, including but
33
+ not limited to compiled object code, generated documentation,
34
+ and conversions to other media types.
35
+
36
+ "Work" shall mean the work of authorship, whether in Source or
37
+ Object form, made available under the License, as indicated by a
38
+ copyright notice that is included in or attached to the work
39
+ (an example is provided in the Appendix below).
40
+
41
+ "Derivative Works" shall mean any work, whether in Source or Object
42
+ form, that is based on (or derived from) the Work and for which the
43
+ editorial revisions, annotations, elaborations, or other modifications
44
+ represent, as a whole, an original work of authorship. For the purposes
45
+ of this License, Derivative Works shall not include works that remain
46
+ separable from, or merely link (or bind by name) to the interfaces of,
47
+ the Work and Derivative Works thereof.
48
+
49
+ "Contribution" shall mean any work of authorship, including
50
+ the original version of the Work and any modifications or additions
51
+ to that Work or Derivative Works thereof, that is intentionally
52
+ submitted to Licensor for inclusion in the Work by the copyright owner
53
+ or by an individual or Legal Entity authorized to submit on behalf of
54
+ the copyright owner. For the purposes of this definition, "submitted"
55
+ means any form of electronic, verbal, or written communication sent
56
+ to the Licensor or its representatives, including but not limited to
57
+ communication on electronic mailing lists, source code control systems,
58
+ and issue tracking systems that are managed by, or on behalf of, the
59
+ Licensor for the purpose of discussing and improving the Work, but
60
+ excluding communication that is conspicuously marked or otherwise
61
+ designated in writing by the copyright owner as "Not a Contribution."
62
+
63
+ "Contributor" shall mean Licensor and any individual or Legal Entity
64
+ on behalf of whom a Contribution has been received by Licensor and
65
+ subsequently incorporated within the Work.
66
+
67
+ 2. Grant of Copyright License. Subject to the terms and conditions of
68
+ this License, each Contributor hereby grants to You a perpetual,
69
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70
+ copyright license to reproduce, prepare Derivative Works of,
71
+ publicly display, publicly perform, sublicense, and distribute the
72
+ Work and such Derivative Works in Source or Object form.
73
+
74
+ 3. Grant of Patent License. Subject to the terms and conditions of
75
+ this License, each Contributor hereby grants to You a perpetual,
76
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77
+ (except as stated in this section) patent license to make, have made,
78
+ use, offer to sell, sell, import, and otherwise transfer the Work,
79
+ where such license applies only to those patent claims licensable
80
+ by such Contributor that are necessarily infringed by their
81
+ Contribution(s) alone or by combination of their Contribution(s)
82
+ with the Work to which such Contribution(s) was submitted. If You
83
+ institute patent litigation against any entity (including a
84
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
85
+ or a Contribution incorporated within the Work constitutes direct
86
+ or contributory patent infringement, then any patent licenses
87
+ granted to You under this License for that Work shall terminate
88
+ as of the date such litigation is filed.
89
+
90
+ 4. Redistribution. You may reproduce and distribute copies of the
91
+ Work or Derivative Works thereof in any medium, with or without
92
+ modifications, and in Source or Object form, provided that You
93
+ meet the following conditions:
94
+
95
+ (a) You must give any other recipients of the Work or
96
+ Derivative Works a copy of this License; and
97
+
98
+ (b) You must cause any modified files to carry prominent notices
99
+ stating that You changed the files; and
100
+
101
+ (c) You must retain, in the Source form of any Derivative Works
102
+ that You distribute, all copyright, patent, trademark, and
103
+ attribution notices from the Source form of the Work,
104
+ excluding those notices that do not pertain to any part of
105
+ the Derivative Works; and
106
+
107
+ (d) If the Work includes a "NOTICE" text file as part of its
108
+ distribution, then any Derivative Works that You distribute must
109
+ include a readable copy of the attribution notices contained
110
+ within such NOTICE file, excluding those notices that do not
111
+ pertain to any part of the Derivative Works, in at least one
112
+ of the following places: within a NOTICE text file distributed
113
+ as part of the Derivative Works; within the Source form or
114
+ documentation, if provided along with the Derivative Works; or,
115
+ within a display generated by the Derivative Works, if and
116
+ wherever such third-party notices normally appear. The contents
117
+ of the NOTICE file are for informational purposes only and
118
+ do not modify the License. You may add Your own attribution
119
+ notices within Derivative Works that You distribute, alongside
120
+ or as an addendum to the NOTICE text from the Work, provided
121
+ that such additional attribution notices cannot be construed
122
+ as modifying the License.
123
+
124
+ You may add Your own copyright statement to Your modifications and
125
+ may provide additional or different license terms and conditions
126
+ for use, reproduction, or distribution of Your modifications, or
127
+ for any such Derivative Works as a whole, provided Your use,
128
+ reproduction, and distribution of the Work otherwise complies with
129
+ the conditions stated in this License.
130
+
131
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
132
+ any Contribution intentionally submitted for inclusion in the Work
133
+ by You to the Licensor shall be under the terms and conditions of
134
+ this License, without any additional terms or conditions.
135
+ Notwithstanding the above, nothing herein shall supersede or modify
136
+ the terms of any separate license agreement you may have executed
137
+ with Licensor regarding such Contributions.
138
+
139
+ 6. Trademarks. This License does not grant permission to use the trade
140
+ names, trademarks, service marks, or product names of the Licensor,
141
+ except as required for reasonable and customary use in describing the
142
+ origin of the Work and reproducing the content of the NOTICE file.
143
+
144
+ 7. Disclaimer of Warranty. Unless required by applicable law or
145
+ agreed to in writing, Licensor provides the Work (and each
146
+ Contributor provides its Contributions) on an "AS IS" BASIS,
147
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148
+ implied, including, without limitation, any warranties or conditions
149
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150
+ PARTICULAR PURPOSE. You are solely responsible for determining the
151
+ appropriateness of using or redistributing the Work and assume any
152
+ risks associated with Your exercise of permissions under this License.
153
+
154
+ 8. Limitation of Liability. In no event and under no legal theory,
155
+ whether in tort (including negligence), contract, or otherwise,
156
+ unless required by applicable law (such as deliberate and grossly
157
+ negligent acts) or agreed to in writing, shall any Contributor be
158
+ liable to You for damages, including any direct, indirect, special,
159
+ incidental, or consequential damages of any character arising as a
160
+ result of this License or out of the use or inability to use the
161
+ Work (including but not limited to damages for loss of goodwill,
162
+ work stoppage, computer failure or malfunction, or any and all
163
+ other commercial damages or losses), even if such Contributor
164
+ has been advised of the possibility of such damages.
165
+
166
+ 9. Accepting Warranty or Additional Liability. While redistributing
167
+ the Work or Derivative Works thereof, You may choose to offer,
168
+ and charge a fee for, acceptance of support, warranty, indemnity,
169
+ or other liability obligations and/or rights consistent with this
170
+ License. However, in accepting such obligations, You may act only
171
+ on Your own behalf and on Your sole responsibility, not on behalf
172
+ of any other Contributor, and only if You agree to indemnify,
173
+ defend, and hold each Contributor harmless for any liability
174
+ incurred by, or claims asserted against, such Contributor by reason
175
+ of your accepting any such warranty or additional liability.
176
+
177
+ END OF TERMS AND CONDITIONS
178
+
179
+ APPENDIX: How to apply the Apache License to your work.
180
+
181
+ To apply the Apache License to your work, attach the following
182
+ boilerplate notice, with the fields enclosed by brackets "[]"
183
+ replaced with your own identifying information. (Don't include
184
+ the brackets!) The text should be enclosed in the appropriate
185
+ comment syntax for the file format. We also recommend that a
186
+ file or class name and description of purpose be included on the
187
+ same "printed page" as the copyright notice for easier
188
+ identification within third-party archives.
189
+
190
+ Copyright (c) 2021 CyberArk Software Ltd. All rights reserved.
191
+
192
+ Licensed under the Apache License, Version 2.0 (the "License");
193
+ you may not use this file except in compliance with the License.
194
+ You may obtain a copy of the License at
195
+
196
+ http://www.apache.org/licenses/LICENSE-2.0
197
+
198
+ Unless required by applicable law or agreed to in writing, software
199
+ distributed under the License is distributed on an "AS IS" BASIS,
200
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201
+ See the License for the specific language governing permissions and
202
+ limitations under the License.
data/README.md ADDED
@@ -0,0 +1,162 @@
1
+ # Conjur::API
2
+
3
+ Programmatic Ruby access to the Conjur API.
4
+
5
+ RDocs are available from the through the [Ruby Gem details page](https://rubygems.org/gems/conjur-api)
6
+
7
+ # Server Versions
8
+
9
+ The Conjur server comes in two major versions:
10
+
11
+ * **4.x** Conjur 4 is a commercial, non-open-source product, which is documented at [https://developer.conjur.net/](https://developer.conjur.net/).
12
+ * **5.x** Conjur 5 is open-source software, hosted and documented at [https://www.conjur.org/](https://www.conjur.org/).
13
+
14
+ You can use the `main` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
15
+
16
+ * Authenticate
17
+ * Fetch secrets
18
+ * Check permissions
19
+ * List roles, resources, members, memberships and permitted roles.
20
+ * Create hosts using host factory
21
+ * Rotate API keys
22
+
23
+ Use the configuration setting `Conjur.configuration.version` to select your server version, or set the environment variable `CONJUR_VERSION`. In either case, the valid values are `4` and `5`; the default is `5`.
24
+
25
+ If you are using Conjur server version `4.x`, you can also choose to use the `conjur-api` version `4.x`. In this case, the `Configuration.version` setting is not required (actually, it doesn't exist).
26
+
27
+ ## Using conjur-api-ruby with Conjur Open Source
28
+
29
+ Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we
30
+ **strongly** recommend choosing the version of this project to use from the latest [Conjur OSS
31
+ suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html).
32
+ Conjur maintainers perform additional testing on the suite release versions to ensure
33
+ compatibility. When possible, upgrade your Conjur version to match the
34
+ [latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm);
35
+ when using integrations, choose the latest suite release that matches your Conjur version. For any
36
+ questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5).
37
+
38
+ # Installation
39
+
40
+ Add this line to your application's Gemfile:
41
+
42
+ gem 'conjur-api'
43
+
44
+ And then execute:
45
+
46
+ $ bundle
47
+
48
+ Or install it yourself as:
49
+
50
+ $ gem install conjur-api
51
+
52
+ # Usage
53
+
54
+ Connecting to Conjur is a two-step process:
55
+
56
+ * **Configuration** Instruct the API where to find the Conjur endpoint and how to secure the connection.
57
+ * **Authentication** Provide the API with credentials that it can use to authenticate.
58
+
59
+ ## Configuration
60
+
61
+ The simplest way to configure the Conjur API is to use the configuration file stored on the machine.
62
+ If you have configured the machine with [conjur init](http://developer.conjur.net/reference/tools/init.html),
63
+ its default location is `~/.conjurrc`.
64
+
65
+ The Conjur configuration process also checks `/etc/conjur.conf` for global settings. This is typically used
66
+ in server environments.
67
+
68
+ For custom scenarios, the location of the file can be overridden using the `CONJURRC` environment variable.
69
+
70
+ You can load the Conjur configuration file using the following Ruby code:
71
+
72
+ ```ruby
73
+ require 'conjur/cli'
74
+ Conjur::Config.load
75
+ Conjur::Config.apply
76
+ ```
77
+
78
+ **Note** this code requires the [conjur-cli](https://github.com/conjurinc/cli-ruby) gem, which should also be in your
79
+ gemset or bundle.
80
+
81
+ ## Authentication
82
+
83
+ Once Conjur is configured, the connection can be established like this:
84
+
85
+ ```
86
+ conjur = Conjur::Authn.connect nil, noask: true
87
+ ```
88
+
89
+ To [authenticate](http://developer.conjur.net/reference/services/authentication/authenticate.html), the API client must
90
+ provide a `login` name and `api_key`. The `Conjur::Authn.connect` will attempt the following, in order:
91
+
92
+ 1. Look for `login` in environment variable `CONJUR_AUTHN_LOGIN`, and `api_key` in `CONJUR_AUTHN_API_KEY`
93
+ 2. Look for credentials on disk. The default credentials file is `~/.netrc`. The location of the credentials file
94
+ can be overridden using the configuration file `netrc_path` option.
95
+ 3. Prompt for credentials. This can be disabled using the option `noask: true`.
96
+
97
+ ## Connecting Without Files
98
+
99
+ It's possible to configure and authenticate the Conjur connection without using any files, and without requiring
100
+ the `conjur-cli` gem.
101
+
102
+ To accomplish this, apply the configuration settings directly to the [Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb)
103
+ object.
104
+
105
+ For example, specify the `account` and `appliance_url` (both of which are required) like this:
106
+
107
+ ```
108
+ Conjur.configuration.account = 'my-account'
109
+ Conjur.configuration.appliance_url = 'https://conjur.mydomain.com/api'
110
+ ```
111
+
112
+ You can also specify these values using environment variables, which is often a bit more convenient.
113
+ Environment variables are mapped to configuration variables by prepending `CONJUR_` to the all-caps name of the
114
+ configuration variable. For example, `appliance_url` is `CONJUR_APPLIANCE_URL`, `account` is `CONJUR_ACCOUNT`.
115
+
116
+ In either case, you will also need to configure certificate trust. For example:
117
+
118
+ ```
119
+ OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE.add_file "/etc/conjur-yourorg.pem"
120
+ ```
121
+
122
+ Once Conjur is configured, you can create a new API client by providing a `login` and `api_key`:
123
+
124
+ ```
125
+ Conjur::API.new_from_key login, api_key
126
+ ```
127
+
128
+ Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be
129
+ prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.example.com`.
130
+
131
+ ## Configuring RestClient
132
+
133
+ [Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb)
134
+ allows optional configuration of the [RestClient](https://github.com/rest-client/rest-client)
135
+ instance used by Conjur API to communicate with the Conjur server, via the options hash
136
+ `Conjur.configuration.rest_client_options`.
137
+
138
+ The default value for the options hash is:
139
+ ```ruby
140
+ {
141
+ ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
142
+ }
143
+ ```
144
+
145
+ For example, here's how you would configure the client to use a proxy and `ssl_ca_file` (instead of the default `ssl_cert_store`).
146
+ ```ruby
147
+ Conjur.configuration.rest_client_options = {
148
+ ssl_ca_file: "ca_certificate.pem",
149
+ proxy: "http://proxy.example.com/"
150
+ }
151
+ ```
152
+
153
+ ## Contributing
154
+
155
+ We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing
156
+ guide][contrib].
157
+
158
+ [contrib]: https://github.com/cyberark/conjur-api-ruby/blob/main/CONTRIBUTING.md
159
+
160
+ ## License
161
+
162
+ This repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details.
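--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,47 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+begin
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new :spec
+rescue LoadError
+warn "rspec-core not found, rspec task will be unavailable"
+end
+
+begin
+require "yard"
+YARD::Rake::YardocTask.new(:yard)
+rescue LoadError
+warn "yard not found, yard task will be unavailable"
+end
+
+require 'fileutils'
+task(:init_coverage) { FileUtils.rm_rf 'coverage' }
+task(:cuke_report_cleanup) { FileUtils.rm_rf 'features/reports' }
+
+begin
+require 'cucumber'
+require 'cucumber/rake/task'
+
+Cucumber::Rake::Task.new(:cucumber_4) do |t|
+t.cucumber_opts = "--tags ~@wip --format pretty --format junit --out features_v4/reports -r features_v4/step_definitions/ -r features_v4/support/ features_v4/"
+end
+
+Cucumber::Rake::Task.new(:cucumber_5) do |t|
+t.cucumber_opts = "--tags ~@wip --format pretty --format junit --out features/reports"
+end
+
+begin
+require 'ci/reporter/rake/rspec'
+desc "Run the spec and cucumber suites, compute the test results and coverage statistics, build Yard docs"
+task :jenkins_init => [ :init_coverage, :cuke_report_cleanup ]
+task :jenkins_spec => [ :"ci:setup:rspec", :spec ]
+task :jenkins_cucumber_v4 => [ :cucumber_4 ]
+task :jenkins_cucumber_v5 => [ :cucumber_5 ]
+rescue LoadError
+warn "ci_reporter_rspec not found, jenkins task will be unavailable"
+end
+rescue LoadError
+warn "cucumber not found, cucumber task will be unavailable"
+end
+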
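Review bot: `cuke_report_cleanup` on line 20 removes only `features/reports`, but the v4 cucumber task on line 27 writes its junit output to `features_v4/reports`, so stale v4 results from a previous run survive the Jenkins init step and are picked up by the `junit 'features_v4/reports/*.xml'` collector; `task(:cuke_report_cleanup) { FileUtils.rm_rf %w[features/reports features_v4/reports] }` cleans both. The `desc` on line 36 describes running the spec and cucumber suites and building Yard docs, yet in Rake a `desc` attaches only to the next `task`, which is `:jenkins_init` — a task that merely deletes directories; either move the description to the task it fits or reword it to `desc "Remove stale coverage and cucumber report directories before a CI run"`.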
data/SECURITY.md ADDED
@@ -0,0 +1,42 @@
1
+ # Security Policies and Procedures
2
+
3
+ This document outlines security procedures and general policies for the CyberArk Conjur
4
+ suite of tools and products.
5
+
6
+ * [Reporting a Bug](#reporting-a-bug)
7
+ * [Disclosure Policy](#disclosure-policy)
8
+ * [Comments on this Policy](#comments-on-this-policy)
9
+
10
+ ## Reporting a Bug
11
+
12
+ The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
13
+ Thank you for improving the security of the Conjur suite. We appreciate your efforts and
14
+ responsible disclosure and will make every effort to acknowledge your
15
+ contributions.
16
+
17
+ Report security bugs by emailing the lead maintainers at security@conjur.org.
18
+
19
+ The maintainers will acknowledge your email within 2 business days. Subsequently, we will
20
+ send a more detailed response within 2 business days of our acknowledgement indicating
21
+ the next steps in handling your report. After the initial reply to your report, the security
22
+ team will endeavor to keep you informed of the progress towards a fix and full
23
+ announcement, and may ask for additional information or guidance.
24
+
25
+ Report security bugs in third-party modules to the person or team maintaining
26
+ the module.
27
+
28
+ ## Disclosure Policy
29
+
30
+ When the security team receives a security bug report, they will assign it to a
31
+ primary handler. This person will coordinate the fix and release process,
32
+ involving the following steps:
33
+
34
+ * Confirm the problem and determine the affected versions.
35
+ * Audit code to find any potential similar problems.
36
+ * Prepare fixes for all releases still under maintenance. These fixes will be
37
+ released as fast as possible.
38
+
39
+ ## Comments on this Policy
40
+
41
+ If you have suggestions on how this process could be improved please submit a
42
+ pull request.
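--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-5.3.8-319
+5.4.0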
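--- a/data/bin/parse-changelog.sh
+++ b/data/bin/parse-changelog.sh
@@ -0,0 +1,12 @@
+#!/bin/bash -ex
+
+cd "$(dirname "$0")"
+
+docker run --rm \
+-v "$PWD/..:/work" \
+-w "/work" \
+ruby:2.7 bash -ec "
+gem install -N parse_a_changelog
+parse ./CHANGELOG.md
+"
+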
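Review bot: `gem install -N parse_a_changelog` on line 9 pulls whatever version is current on rubygems.org at build time, so the changelog gate that precedes every release depends on an unpinned external package that can change behaviour or break independently of this repository; pin it, e.g. `gem install -N -v '<pinned version>' parse_a_changelog`, and bump deliberately. The `-ex` in the shebang on line 1 is silently dropped when the script is invoked as `bash bin/parse-changelog.sh`; a `set -ex` line after the shebang keeps strict mode regardless of how it is run. The `ruby:2.7` image tag on line 8 is likewise mutable; if reproducibility of the release check matters, consider pinning it by digest.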
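--- a/data/ci/configure_v4.sh
+++ b/data/ci/configure_v4.sh
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+cat << "CONFIGURE" | docker exec -i $(docker-compose ps -q conjur_4) bash
+set -e
+
+/opt/conjur/evoke/bin/wait_for_conjur
+evoke ca regenerate conjur_4
+/opt/conjur/evoke/bin/wait_for_conjur
+env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY=secret conjur policy load --as-group security_admin /etc/policy.yml
+CONFIGURE
+
+docker cp $(docker-compose ps -q conjur_4):/opt/conjur/etc/ssl/ca.pem ./tmp/conjur.pem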
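Review bot: `$(docker-compose ps -q conjur_4)` on lines 3 and 12 is unquoted and never checked, so if the service is not up the substitution is empty and `docker exec -i bash` / `docker cp :/opt/conjur/...` fail with an unrelated-looking error instead of saying the container is missing; resolve it once with `cid=$(docker-compose ps -q conjur_4)`, guard it with `[[ -n "$cid" ]] || { echo "conjur_4 container is not running" >&2; exit 1; }`, and use `"$cid"` in both places. The same unquoted, unchecked pattern appears in configure_v5.sh on its line 5. `CONJUR_AUTHN_API_KEY=secret` on line 9 is presumably the dev container's fixture key rather than a real credential; a one-line comment saying so would stop it being flagged (or copied) as one.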
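--- a/data/ci/configure_v5.sh
+++ b/data/ci/configure_v5.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+
+source ./ci/oauth/keycloak/keycloak_functions.sh
+
+cat << "CONFIGURE" | docker exec -i $(docker-compose ps -q conjur_5) bash
+set -e
+
+for _ in $(seq 20); do
+curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null && break
+echo .
+sleep 2
+done
+
+# So we fail if the server isn't up yet:
+curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null
+CONFIGURE
+
+fetch_keycloak_certificate
+create_keycloak_users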
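Review bot: The final readiness probe on line 15 uses `-fs`, so when the server never comes up the inner `set -e` aborts the heredoc with no indication of why (connection refused, HTTP 5xx, etc.); `curl -o /dev/null -fsS -X OPTIONS http://localhost > /dev/null` stays quiet on success but prints curl's own error on failure, which is what a CI log needs. The `echo .` progress marker on line 10 emits one line per attempt; `printf .` keeps the dots on a single line. The `source ./ci/oauth/keycloak/keycloak_functions.sh` on line 3 assumes the repository root as the working directory; a `cd "$(dirname "$0")/.."` at the top, as parse-changelog.sh does, would make the script location-independent.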
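--- a/data/ci/oauth/keycloak/create_client
+++ b/data/ci/oauth/keycloak/create_client
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+
+keycloak/bin/kcreg.sh config credentials \
+--server http://localhost:8080/auth \
+--realm master \
+--user "$KEYCLOAK_USER" \
+--password "$KEYCLOAK_PASSWORD"
+
+keycloak/bin/kcreg.sh create \
+-s clientId="$KEYCLOAK_CLIENT_ID" \
+-s "redirectUris=[\"$KEYCLOAK_REDIRECT_URI\"]" \
+-s "secret=$KEYCLOAK_CLIENT_SECRET"
+
+# Enable direct access to get an id token with username & password
+keycloak/bin/kcreg.sh update conjurClient -s directAccessGrantsEnabled=true
+
+keycloak/bin/kcreg.sh get "$KEYCLOAK_CLIENT_ID" | jq '.secret'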
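Review bot: Line 16 hard-codes the client name `conjurClient` while lines 11 and 18 use `$KEYCLOAK_CLIENT_ID`, so if the variable is ever set to another value the direct-access grant is enabled on a different (or non-existent) client and the one just created is left without it; use `keycloak/bin/kcreg.sh update "$KEYCLOAK_CLIENT_ID" -s directAccessGrantsEnabled=true`. The script has no `set -e`, so a failed `config credentials` on line 4 does not stop the subsequent `create` and `update`, and the script's exit status is only that of `jq` on line 18; `set -eu` after the shebang (POSIX, so fine under `#!/bin/sh`) also catches an unset `KEYCLOAK_*` variable before it reaches Keycloak. Line 18 prints the client secret to stdout, which is presumably captured by the caller — if this script is ever run directly in CI the secret lands in the build log.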
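--- a/data/ci/oauth/keycloak/create_user
+++ b/data/ci/oauth/keycloak/create_user
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+echo "login as admin with user $KEYCLOAK_USER"
+
+keycloak/bin/kcadm.sh config credentials \
+--server http://localhost:8080/auth \
+--realm master \
+--user "$KEYCLOAK_USER" \
+--password "$KEYCLOAK_PASSWORD"
+
+echo "creating user $1 with email $3"
+
+keycloak/bin/kcadm.sh create users \
+-s username="$1" \
+-s email="$3" \
+-s enabled=true
+
+echo "setting password of user $1 to $2"
+keycloak/bin/kcadm.sh set-password \
+--username "$1" \
+-p "$2"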
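Review bot: Line 18 echoes the new user's password in clear text (`$2`), which writes the credential into the CI console log for anyone with read access to the job; drop it from the message: `echo "setting password of user $1"`. The script also has no `set -e` and never checks that `$1`, `$2` and `$3` were supplied, so a missing argument either creates a user with an empty username or email, or fails part-way through while still returning the status of the last command; `set -eu` after the shebang (POSIX, so valid under `#!/bin/sh`) covers both, and `: "${3:?email required}"` gives a readable error for the optional-looking third argument. The password is also passed on the command line on lines 9 and 21, where it is visible in process listings for the lifetime of the `kcadm.sh` call; if the tool offers a stdin or file-based alternative, prefer it.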