conjur-api 5.3.8.pre.319 → 5.4.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (150) hide show
  1. checksums.yaml +4 -4
  2. data/.codeclimate.yml +10 -0
  3. data/.dockerignore +1 -0
  4. data/.github/CODEOWNERS +10 -0
  5. data/.gitignore +32 -0
  6. data/.gitleaks.toml +219 -0
  7. data/.overcommit.yml +16 -0
  8. data/.project +18 -0
  9. data/.rubocop.yml +3 -0
  10. data/.rubocop_settings.yml +86 -0
  11. data/.rubocop_todo.yml +709 -0
  12. data/.yardopts +1 -0
  13. data/CHANGELOG.md +448 -0
  14. data/CONTRIBUTING.md +138 -0
  15. data/Dockerfile +16 -0
  16. data/Gemfile +7 -0
  17. data/Jenkinsfile +136 -0
  18. data/LICENSE +202 -0
  19. data/README.md +162 -0
  20. data/Rakefile +47 -0
  21. data/SECURITY.md +42 -0
  22. data/VERSION +1 -1
  23. data/bin/parse-changelog.sh +12 -0
  24. data/ci/configure_v4.sh +12 -0
  25. data/ci/configure_v5.sh +19 -0
  26. data/ci/oauth/keycloak/create_client +18 -0
  27. data/ci/oauth/keycloak/create_user +21 -0
  28. data/ci/oauth/keycloak/fetch_certificate +18 -0
  29. data/ci/oauth/keycloak/keycloak_functions.sh +71 -0
  30. data/ci/oauth/keycloak/standalone.xml +578 -0
  31. data/ci/oauth/keycloak/wait_for_server +56 -0
  32. data/ci/submit-coverage +36 -0
  33. data/conjur-api.gemspec +41 -0
  34. data/dev/Dockerfile.dev +12 -0
  35. data/dev/docker-compose.yml +56 -0
  36. data/dev/start +22 -0
  37. data/dev/stop +5 -0
  38. data/docker-compose.yml +98 -0
  39. data/example/demo_v4.rb +49 -0
  40. data/example/demo_v5.rb +57 -0
  41. data/features/authenticators.feature +41 -0
  42. data/features/authn.feature +14 -0
  43. data/features/authn_local.feature +32 -0
  44. data/features/exists.feature +37 -0
  45. data/features/group.feature +11 -0
  46. data/features/host.feature +50 -0
  47. data/features/host_factory_create_host.feature +28 -0
  48. data/features/host_factory_token.feature +63 -0
  49. data/features/load_policy.feature +61 -0
  50. data/features/members.feature +51 -0
  51. data/features/new_api.feature +36 -0
  52. data/features/permitted.feature +70 -0
  53. data/features/permitted_roles.feature +30 -0
  54. data/features/public_keys.feature +11 -0
  55. data/features/resource_fields.feature +53 -0
  56. data/features/role_fields.feature +15 -0
  57. data/features/rotate_api_key.feature +13 -0
  58. data/features/step_definitions/api_steps.rb +52 -0
  59. data/features/step_definitions/policy_steps.rb +134 -0
  60. data/features/step_definitions/result_steps.rb +11 -0
  61. data/features/support/env.rb +19 -0
  62. data/features/support/hooks.rb +3 -0
  63. data/features/support/world.rb +12 -0
  64. data/features/update_password.feature +14 -0
  65. data/features/user.feature +58 -0
  66. data/features/variable_fields.feature +20 -0
  67. data/features/variable_value.feature +60 -0
  68. data/features_v4/authn_local.feature +27 -0
  69. data/features_v4/exists.feature +29 -0
  70. data/features_v4/host.feature +18 -0
  71. data/features_v4/host_factory_token.feature +49 -0
  72. data/features_v4/members.feature +39 -0
  73. data/features_v4/permitted.feature +15 -0
  74. data/features_v4/permitted_roles.feature +8 -0
  75. data/features_v4/resource_fields.feature +47 -0
  76. data/features_v4/rotate_api_key.feature +13 -0
  77. data/features_v4/step_definitions/api_steps.rb +17 -0
  78. data/features_v4/step_definitions/result_steps.rb +3 -0
  79. data/features_v4/support/env.rb +23 -0
  80. data/features_v4/support/policy.yml +34 -0
  81. data/features_v4/support/world.rb +12 -0
  82. data/features_v4/variable_fields.feature +11 -0
  83. data/features_v4/variable_value.feature +54 -0
  84. data/lib/conjur/acts_as_resource.rb +123 -0
  85. data/lib/conjur/acts_as_role.rb +142 -0
  86. data/lib/conjur/acts_as_rolsource.rb +32 -0
  87. data/lib/conjur/acts_as_user.rb +68 -0
  88. data/lib/conjur/api/authenticators.rb +43 -0
  89. data/lib/conjur/api/authn.rb +144 -0
  90. data/lib/conjur/api/host_factories.rb +71 -0
  91. data/lib/conjur/api/ldap_sync.rb +38 -0
  92. data/lib/conjur/api/policies.rb +56 -0
  93. data/lib/conjur/api/pubkeys.rb +53 -0
  94. data/lib/conjur/api/resources.rb +109 -0
  95. data/lib/conjur/api/roles.rb +98 -0
  96. data/lib/conjur/api/router/v4.rb +206 -0
  97. data/lib/conjur/api/router/v5.rb +269 -0
  98. data/lib/conjur/api/variables.rb +59 -0
  99. data/lib/conjur/api.rb +105 -0
  100. data/lib/conjur/base.rb +355 -0
  101. data/lib/conjur/base_object.rb +57 -0
  102. data/lib/conjur/build_object.rb +47 -0
  103. data/lib/conjur/cache.rb +26 -0
  104. data/lib/conjur/cert_utils.rb +63 -0
  105. data/lib/conjur/cidr.rb +71 -0
  106. data/lib/conjur/configuration.rb +460 -0
  107. data/lib/conjur/escape.rb +129 -0
  108. data/lib/conjur/exceptions.rb +4 -0
  109. data/lib/conjur/group.rb +41 -0
  110. data/lib/conjur/has_attributes.rb +98 -0
  111. data/lib/conjur/host.rb +27 -0
  112. data/lib/conjur/host_factory.rb +75 -0
  113. data/lib/conjur/host_factory_token.rb +78 -0
  114. data/lib/conjur/id.rb +71 -0
  115. data/lib/conjur/layer.rb +9 -0
  116. data/lib/conjur/log.rb +72 -0
  117. data/lib/conjur/log_source.rb +60 -0
  118. data/lib/conjur/policy.rb +34 -0
  119. data/lib/conjur/policy_load_result.rb +61 -0
  120. data/lib/conjur/query_string.rb +12 -0
  121. data/lib/conjur/resource.rb +29 -0
  122. data/lib/conjur/role.rb +29 -0
  123. data/lib/conjur/role_grant.rb +85 -0
  124. data/lib/conjur/routing.rb +29 -0
  125. data/lib/conjur/user.rb +40 -0
  126. data/lib/conjur/variable.rb +208 -0
  127. data/lib/conjur/webservice.rb +30 -0
  128. data/lib/conjur-api/version.rb +24 -0
  129. data/lib/conjur-api.rb +2 -0
  130. data/publish.sh +5 -0
  131. data/spec/api/host_factories_spec.rb +34 -0
  132. data/spec/api_spec.rb +254 -0
  133. data/spec/base_object_spec.rb +13 -0
  134. data/spec/cert_utils_spec.rb +173 -0
  135. data/spec/cidr_spec.rb +34 -0
  136. data/spec/configuration_spec.rb +330 -0
  137. data/spec/has_attributes_spec.rb +63 -0
  138. data/spec/helpers/errors_matcher.rb +34 -0
  139. data/spec/helpers/request_helpers.rb +10 -0
  140. data/spec/id_spec.rb +29 -0
  141. data/spec/ldap_sync_spec.rb +21 -0
  142. data/spec/log_source_spec.rb +13 -0
  143. data/spec/log_spec.rb +42 -0
  144. data/spec/roles_spec.rb +24 -0
  145. data/spec/spec_helper.rb +113 -0
  146. data/spec/ssl_spec.rb +109 -0
  147. data/spec/uri_escape_spec.rb +21 -0
  148. data/test.sh +76 -0
  149. data/tmp/.keep +0 -0
  150. metadata +196 -5
data/ci/oauth/keycloak/fetch_certificate ADDED
@@ -0,0 +1,18 @@
1
+ #!/bin/sh
2
+
3
+ # This script retrieves a certificate from the keycloak OIDC provider
4
+ # and puts it to a trusted operating system store.
5
+ # It is needed to communicate with the provider via SSL for validating ID tokens
6
+
7
+ openssl s_client \
8
+ -showcerts \
9
+ -connect keycloak:8443 \
10
+ -servername keycloak \
11
+ </dev/null | \
12
+ openssl x509 \
13
+ -outform PEM \
14
+ >/etc/ssl/certs/keycloak.pem
15
+
16
+ hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
17
+
18
+ ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0"
data/ci/oauth/keycloak/keycloak_functions.sh ADDED
@@ -0,0 +1,71 @@
1
+ #!/usr/bin/env bash
2
+
3
+ KEYCLOAK_SERVICE_NAME="keycloak"
4
+
5
+ # Note: the single arg is a nameref, which this function sets to an array
6
+ # containing items of the form "KEY=VAL".
7
+ function _hydrate_keycloak_env_args() {
8
+ local -n arr=$1
9
+ local keycloak_items
10
+
11
+ readarray -t keycloak_items < <(
12
+ set -o pipefail
13
+ # Note: This prints all lines that look like:
14
+ # KEYCLOAK_XXX=someval
15
+ docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} printenv | awk '/KEYCLOAK/'
16
+ )
17
+
18
+ # shellcheck disable=SC2034
19
+ arr=(
20
+ "${keycloak_items[@]}"
21
+ "PROVIDER_URI=https://keycloak:8443/auth/realms/master"
22
+ "PROVIDER_INTERNAL_URI=http://keycloak:8080/auth/realms/master/protocol/openid-connect"
23
+ "PROVIDER_ISSUER=http://keycloak:8080/auth/realms/master"
24
+ "ID_TOKEN_USER_PROPERTY=preferred_username"
25
+ )
26
+ }
27
+
28
+ # The arguments must be unexpanded variable names. Eg:
29
+ #
30
+ # _create_keycloak_user '$APP_USER' '$APP_PW' '$APP_EMAIL'
31
+ #
32
+ # This is because those variables are not available to this script. They are
33
+ # available to bash commands run via "docker-compose exec keycloak bash
34
+ # -c...", since they're defined in the docker-compose.yml.
35
+ function _create_keycloak_user() {
36
+ local user_var=$1
37
+ local pw_var=$2
38
+ local email_var=$3
39
+
40
+ docker-compose exec -T \
41
+ ${KEYCLOAK_SERVICE_NAME} \
42
+ bash -c "/scripts/create_user \"$user_var\" \"$pw_var\" \"$email_var\""
43
+ }
44
+
45
+ function create_keycloak_users() {
46
+ echo "Defining keycloak client"
47
+
48
+ docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} /scripts/create_client
49
+
50
+ echo "Creating user 'alice' in Keycloak"
51
+
52
+ # Note: We want to pass the bash command thru without expansion here.
53
+ # shellcheck disable=SC2016
54
+ _create_keycloak_user \
55
+ '$KEYCLOAK_APP_USER' \
56
+ '$KEYCLOAK_APP_USER_PASSWORD' \
57
+ '$KEYCLOAK_APP_USER_EMAIL'
58
+ }
59
+
60
+ function wait_for_keycloak_server() {
61
+ docker-compose exec -T \
62
+ ${KEYCLOAK_SERVICE_NAME} /scripts/wait_for_server
63
+ }
64
+
65
+ function fetch_keycloak_certificate() {
66
+ # there's a dep on the docker-compose.yml volumes.
67
+ # Fetch SSL cert to communicate with keycloak (OIDC provider).
68
+ echo "Initialize keycloak certificate in conjur server"
69
+ docker-compose exec -T \
70
+ conjur_5 /scripts/fetch_certificate
71
+ }