conjur-api 5.3.8.pre.319 → 5.4.0

data/ci/submit-coverage

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eux
+
+DIR="coverage"
+BIN="cc-test-reporter"
+REPORT="${DIR}/.resultset.json"
+
+if [[ ! -e ${REPORT} ]]; then
+    echo "SimpleCov report (${REPORT}) not found"
+    ls -laR ${DIR}
+    exit 1
+fi
+
+if [[ ! -x ${BIN} ]]; then
+    echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
+    ls -laR ${DIR}
+    # report is present but reporter binary is not, definitely a bug, exit error.
+    exit 1
+fi
+
+# Simplecov excludes files not within the current repo, it also needs to
+# be able to read all the files referenced within the report. As the reports
+# are generated in containers, the absolute paths contained in the report
+# are not valid outside that container. This sed fixes the paths
+# So they are correct relative to the Jenkins workspace.
+sed -i -E "s+/src/conjur-api+${WORKSPACE}+g" "${REPORT}"
+
+echo "Coverage reports prepared, submitting to CodeClimate."
+# vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
+
+./${BIN} after-build \
+    --coverage-input-type "simplecov"\
+    --id "${TRID}"
+
+echo "Successfully Reported Coverage Data"

data/conjur-api.gemspec

@@ -0,0 +1,41 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/conjur-api/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["CyberArk Maintainers"]
+  gem.email         = ["conj_maintainers@cyberark.com"]
+  gem.description   = %q{Conjur API}
+  gem.summary       = %q{Conjur API}
+  gem.homepage      = "https://github.com/cyberark/conjur-api-ruby/"
+  gem.license       = "Apache-2.0"
+
+  gem.files         = `git ls-files`.split($\).append("VERSION") + Dir['build_number']
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "conjur-api"
+  gem.require_paths = ["lib"]
+  gem.version       = Conjur::API::VERSION
+
+  gem.required_ruby_version = '>= 1.9'
+
+  # Filter out development only executables
+  gem.executables -= %w{parse-changelog.sh}
+
+  gem.add_dependency 'rest-client'
+  gem.add_dependency 'activesupport', '>= 4.2'
+  gem.add_dependency 'addressable', '~> 2.0'
+
+  gem.add_development_dependency 'rake', '>= 12.3.3'
+  gem.add_development_dependency 'rspec', '~> 3'
+  gem.add_development_dependency 'rspec-expectations', '~> 3.4'
+  gem.add_development_dependency 'json_spec'
+  gem.add_development_dependency 'cucumber', '~> 2.99'
+  gem.add_development_dependency 'ci_reporter_rspec'
+  gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
+  gem.add_development_dependency 'io-grab'
+  gem.add_development_dependency 'rdoc'
+  gem.add_development_dependency 'yard'
+  gem.add_development_dependency 'fakefs'
+  gem.add_development_dependency 'pry-byebug'
+  gem.add_development_dependency 'nokogiri'
+end

data/dev/Dockerfile.dev

@@ -0,0 +1,12 @@
+FROM ruby:2.7
+
+RUN apt-get update && apt-get install -y vim curl
+
+WORKDIR /src/conjur-api
+
+COPY Gemfile conjur-api.gemspec ./
+COPY lib/conjur-api/version.rb ./lib/conjur-api/
+
+RUN bundle
+
+COPY . ./

data/dev/docker-compose.yml

@@ -0,0 +1,56 @@
+version: '3'
+services:
+  pg:
+    image: postgres:9.3
+
+  conjur_5:
+    image: cyberark/conjur
+    command: server -a cucumber
+    environment:
+      DATABASE_URL: postgres://postgres@pg/postgres
+      CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs='
+    volumes:
+      - authn_local_5:/run/authn-local
+    depends_on:
+      - pg
+
+  conjur_4:
+    image: registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
+    security_opt:
+      - seccomp:unconfined
+    volumes:
+      - ../features_v4/support/policy.yml:/etc/policy.yml
+      - authn_local_4:/run/authn-local
+
+  gem:
+    build:
+      context: ../
+      dockerfile: dev/Dockerfile.dev
+    entrypoint: sleep
+    command: infinity
+    environment:
+      CONJUR_APPLIANCE_URL: http://conjur_5
+      CONJUR_VERSION: 5
+      CONJUR_ACCOUNT: cucumber
+    links:
+      - conjur_5:conjur_5
+      - conjur_4:conjur_4
+    volumes:
+      - ..:/src/conjur-api
+      - authn_local_4:/run/authn-local-4
+      - authn_local_5:/run/authn-local-5
+
+  client:
+    image: conjurinc/cli5
+    entrypoint: sleep
+    command: infinity
+    environment:
+      CONJUR_APPLIANCE_URL: http://conjur_5
+      CONJUR_ACCOUNT: cucumber
+      CONJUR_AUTHN_LOGIN: admin
+    links:
+    - conjur_5:conjur_5
+
+volumes:
+  authn_local_5:
+  authn_local_4:

data/dev/start

@@ -0,0 +1,22 @@
+#!/bin/bash -ex
+
+function v5_development() {
+  docker-compose up -d --no-deps conjur_5 pg gem client
+
+  docker-compose exec -T conjur_5 conjurctl wait
+
+  local api_key=$(docker-compose exec -T conjur_5 rake 'role:retrieve-key[cucumber:user:admin]')
+  api_key=$(docker-compose exec -T conjur_5 conjurctl role retrieve-key cucumber:user:admin | tr -d '\r')
+
+  docker exec -e CONJUR_AUTHN_API_KEY="$api_key" -it --detach-keys 'ctrl-\' $(docker-compose ps -q gem) bash
+}
+
+# Set up VERSION file for local development
+if [ ! -f "../VERSION" ]; then
+  echo -n "0.0.dev" > ../VERSION
+fi
+
+docker-compose pull
+docker-compose build
+
+v5_development

data/dev/stop

@@ -0,0 +1,5 @@
+#!/bin/bash -ex
+
+echo 'Removing test environment'
+echo '---'
+docker-compose down --rmi 'local' --volumes

data/docker-compose.yml

@@ -0,0 +1,98 @@
+version: '2.1'
+services:
+  pg:
+    image: postgres:9.3
+
+  conjur_5:
+    image: cyberark/conjur:edge
+    command: server -a cucumber
+    environment:
+      DATABASE_URL: postgres://postgres@pg/postgres
+      CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs='
+    volumes:
+      - authn_local_5:/run/authn-local
+      - ./ci/oauth/keycloak:/scripts
+    depends_on:
+      - pg
+      - keycloak
+
+  keycloak:
+    image: jboss/keycloak:4.3.0.Final
+    environment:
+      - KEYCLOAK_USER=admin
+      - KEYCLOAK_PASSWORD=admin
+      - KEYCLOAK_APP_USER=alice
+      - KEYCLOAK_APP_USER_PASSWORD=alice
+      - KEYCLOAK_APP_USER_EMAIL=alice@conjur.net
+      - DB_VENDOR=H2
+      - KEYCLOAK_CLIENT_ID=conjurClient
+      - KEYCLOAK_REDIRECT_URI=http://conjur_5/authn-oidc/keycloak/cucumber/authenticate
+      - KEYCLOAK_CLIENT_SECRET=1234
+      - KEYCLOAK_SCOPE=openid
+    ports:
+      - "7777:8080"
+    volumes:
+      - ./ci/oauth/keycloak/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone.xml
+      - ./ci/oauth/keycloak:/scripts
+
+  conjur_4:
+    image: registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
+    security_opt:
+      - seccomp:unconfined
+    volumes:
+      - ./features_v4/support/policy.yml:/etc/policy.yml
+      - authn_local_4:/run/authn-local
+
+  tester_5:
+    build:
+        context: .
+        dockerfile: Dockerfile
+        args:
+          RUBY_VERSION: ${RUBY_VERSION}
+    volumes:
+      - ./spec/reports:/src/conjur-api/spec/reports
+      - ./features/reports:/src/conjur-api/features/reports
+      - ./coverage:/src/conjur-api/coverage
+      - authn_local_5:/run/authn-local-5
+      - ./ci/oauth/keycloak:/scripts
+    environment:
+      CONJUR_APPLIANCE_URL: http://conjur_5
+      CONJUR_VERSION: 5
+      CONJUR_ACCOUNT: cucumber
+
+  tester_4:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        RUBY_VERSION: ${RUBY_VERSION}
+    volumes:
+      - ./features_v4/reports:/src/conjur-api/features_v4/reports
+      - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
+      - ./coverage_v4:/src/conjur-api/coverage
+      - authn_local_4:/run/authn-local-4
+    environment:
+      CONJUR_APPLIANCE_URL: https://conjur_4/api
+      CONJUR_VERSION: 4
+      CONJUR_ACCOUNT: cucumber
+
+  dev:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        RUBY_VERSION: ${RUBY_VERSION}
+    entrypoint: bash
+    volumes:
+      - .:/src/conjur-api
+      - authn_local_4:/run/authn-local-4
+      - authn_local_5:/run/authn-local-5
+    environment:
+      CONJUR_ACCOUNT: cucumber
+    depends_on:
+      - conjur_4
+      - conjur_5
+
+volumes:
+  authn_local_4:
+  authn_local_5:

data/example/demo_v4.rb

@@ -0,0 +1,49 @@
+#!/usr/bin/env ruby
+
+require 'conjur-api'
+require 'securerandom'
+
+username = "admin"
+password = "secret"
+
+Conjur.configuration.appliance_url = "https://conjur_4/api"
+Conjur.configuration.account = "cucumber"
+Conjur.configuration.cert_file = "./tmp/conjur.pem"
+Conjur.configuration.version = 4
+Conjur.configuration.apply_cert_config!
+
+puts "Configured with Conjur version: #{Conjur.configuration.version}"
+puts
+
+api_key = Conjur::API.login username, password
+api = Conjur::API.new_from_key username, api_key
+
+db_password = SecureRandom.hex(12)
+puts "Populating variable 'db-password' = #{db_password.inspect}"
+api.resource("cucumber:variable:db-password").add_value db_password
+puts "Value added"
+puts
+
+puts "Creating host factory token for 'myapp'"
+expiration = Time.now + 1.day
+hf_token = api.resource("cucumber:host_factory:myapp").create_token expiration
+puts "Created: #{hf_token.token}"
+puts
+
+puts "Creating new host 'host-01' with host factory"
+host = Conjur::API.host_factory_create_host(hf_token, "host-01")
+puts "Created: #{host}"
+puts
+
+puts "Logging in as #{host.id}"
+host_api = Conjur::API.new_from_key "host/host-01", host.api_key
+puts "Logged in"
+puts
+
+
+puts "Fetching db-password as #{host.id}"
+value = host_api.resource("cucumber:variable:db-password").value
+puts value
+puts
+
+puts "Done!"

data/example/demo_v5.rb

@@ -0,0 +1,57 @@
+#!/usr/bin/env ruby
+
+require 'conjur-api'
+require 'securerandom'
+
+username = "admin"
+
+arguments = ARGV.dup
+
+api_key = arguments.shift or raise "Usage: ./demo_v5 <admin-api-key>"
+
+Conjur.configuration.appliance_url = "http://conjur_5"
+Conjur.configuration.account = "cucumber"
+# This is the default
+# Conjur.configuration.version = 5
+
+puts "Configured with Conjur version: #{Conjur.configuration.version}"
+puts
+
+api = Conjur::API.new_from_key username, api_key
+
+policy = File.read("features_v4/support/policy.yml")
+
+puts "Loading policy 'root'"
+policy_result = api.load_policy "root", policy
+puts "Loaded: #{policy_result}"
+puts
+
+db_password = SecureRandom.hex(12)
+puts "Populating variable 'db-password' = #{db_password.inspect}"
+api.resource("cucumber:variable:db-password").add_value db_password
+puts "Value added"
+puts
+
+puts "Creating host factory token for 'myapp'"
+expiration = Time.now + 1.day
+hf_token = api.resource("cucumber:host_factory:myapp").create_token expiration
+puts "Created: #{hf_token.token}"
+puts
+
+puts "Creating new host 'host-01' with host factory"
+host = Conjur::API.host_factory_create_host(hf_token, "host-01")
+puts "Created: #{host}"
+puts
+
+puts "Logging in as #{host.id}"
+host_api = Conjur::API.new_from_key "host/host-01", host.api_key
+puts "Logged in"
+puts
+
+
+puts "Fetching db-password as #{host.id}"
+value = host_api.resource("cucumber:variable:db-password").value
+puts value
+puts
+
+puts "Done!"

data/features/authenticators.feature

@@ -0,0 +1,41 @@
+Feature: List and manage authenticators
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !webservice conjur/authn-k8s/my-auth
+    POLICY
+    """
+    And I setup a keycloak authenticator
+
+  Scenario: Authenticator list includes the authenticator status
+    When I run the code:
+    """
+    $conjur.authenticator_list
+    """
+    Then the JSON should have "installed"
+    And the JSON should have "configured"
+    And the JSON should have "enabled"
+    And the JSON at "enabled" should be ["authn"]
+
+  Scenario: Enable and disable authenticator
+    When I run the code:
+    """
+    $conjur.authenticator_enable("authn-k8s", "my-auth")
+    $conjur.authenticator_list
+    """
+    Then the JSON at "enabled" should be ["authn", "authn-k8s/my-auth"]
+    When I run the code:
+    """
+    $conjur.authenticator_disable("authn-k8s", "my-auth")
+    $conjur.authenticator_list
+    """
+    Then the JSON at "enabled" should be ["authn"]
+
+  Scenario: Get a list of OIDC providers
+    When I run the code:
+    """
+    $conjur.authentication_providers("authn-oidc")
+    """
+    Then the providers list contains service id "keycloak"

data/features/authn.feature

@@ -0,0 +1,14 @@
+Feature: Authenticate with Conjur
+
+  Background:
+    Given I setup a keycloak authenticator
+
+  Scenario: Authenticate with OIDC state and code
+    When I retrieve the login url for OIDC authenticator "keycloak"
+    And I retrieve auth info for the OIDC provider with username: "alice" and password: "alice"
+    And I run the code:
+    """
+    $conjur.authenticator_enable "authn-oidc", "keycloak"
+    Conjur::API.authenticator_authenticate("authn-oidc", "keycloak", options: @auth_body)
+    """
+    Then the JSON should have "payload"

data/features/authn_local.feature

@@ -0,0 +1,32 @@
+Feature: When co-located with the Conjur server, the API can use the authn-local service to authenticate.
+
+  Scenario: authn-local can be used to obtain an access token.
+    When I run the code:
+    """
+    Conjur::API.authenticate_local "alice"
+    """
+    Then the JSON should have "payload"
+    And I run the code:
+    """
+    JSON.parse(Base64.decode64(@result['payload']))
+    """
+    Then the JSON should have "sub"
+    And the JSON should have "iat"
+
+  Scenario: Conjur API supports construction from authn-local.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    """
+    Then the JSON should have "payload"
+
+  Scenario: Conjur API will automatically refresh the token.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    @api.force_token_refresh
+    @api.token
+    """
+    Then the JSON should have "payload"

data/features/exists.feature

@@ -0,0 +1,37 @@
+Feature: Check if an object exists.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !group developers
+    POLICY
+    """
+
+  Scenario: A created group resource exists
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').exists?
+    """
+    Then the result should be "true"
+
+  Scenario: An un-created resource doesn't exist
+    When I run the code:
+    """
+    $conjur.resource('cucumber:food:bacon').exists?
+    """
+    Then the result should be "false"
+
+  Scenario: A created group role exists
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').exists?
+    """
+    Then the result should be "true"
+
+  Scenario: An un-created role doesn't exist
+    When I run the code:
+    """
+    $conjur.role('cucumber:food:bacon').exists?
+    """
+    Then the result should be "false"

data/features/group.feature

@@ -0,0 +1,11 @@
+Feature: Display Group object fields.
+
+  Background:
+    Given a new group
+
+  Scenario: Group has a gidnumber.
+    Then I run the code:
+    """
+    @group.gidnumber
+    """
+    Then the result should be "1000"

data/features/host.feature

@@ -0,0 +1,50 @@
+Feature: Host object
+
+  Scenario: API key of a newly created host is available and valid
+    Given a new host
+    Then I can run the code:
+    """
+    expect(@host.exists?).to be(true)
+    expect(@host.api_key).to be
+    Conjur::API.new_from_key(@host.login, @host.api_key).token
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with an API key
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    host = Conjur::API.new_from_key(@host.login, @host.api_key).resource(@host.id)
+    host.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with a token
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@host.login, @host.api_key).token
+
+    host = Conjur::API.new_from_token(token).resource(@host.id)
+    host.rotate_api_key
+    """
+
+  Scenario: Delegated host's API key can be rotated with an API key
+    Given a new delegated host
+    Then I can run the code:
+    """
+    delegated_host_resource = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
+    """
+
+  Scenario: Delegated host's API key can be rotated with a token
+    Given a new delegated host
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).token
+
+    delegated_host_resource = Conjur::API.new_from_token(token).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
+    """

data/features/host_factory_create_host.feature

@@ -0,0 +1,28 @@
+Feature: Create a host using a host factory token.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !policy
+      id: myapp
+      body:
+      - !layer
+
+      - !host-factory
+        layers: [ !layer ]
+    POLICY
+    @expiration = (DateTime.now + 1.hour).change(sec: 0)
+    @host_factory = $conjur.resource('cucumber:host_factory:myapp')
+    @token = @host_factory.create_token @expiration
+    """
+
+  Scenario: I can create a host from the token
+    When I run the code:
+    """
+    Conjur::API.host_factory_create_host(@token.token, "app-01")
+    """
+    Then the JSON should have "id"
+    And the JSON should have "permissions"
+    And the JSON should have "owner"
+    And the JSON should have "api_key"

data/features/host_factory_token.feature

@@ -0,0 +1,63 @@
+Feature: Working with host factory tokens.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !policy
+      id: myapp
+      body:
+      - !layer
+
+      - !host-factory
+        layers: [ !layer ]
+    POLICY
+    @expiration = (DateTime.now + 1.hour).change(sec: 0)
+    @host_factory = $conjur.resource('cucumber:host_factory:myapp')
+    """
+
+  @wip
+  Scenario: Create a new host factory token.
+    When I run the code:
+    """
+    @token = @host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    expect(@token).to be_instance_of(Conjur::HostFactoryToken)
+    expect(@token.token).to be_instance_of(String)
+    expiration = @token.expiration
+    expiration = expiration.change(sec: 0)
+    expect(expiration).to eq(@expiration)
+    """
+    And I can run the code:
+    """
+    expect(@host_factory.tokens).to eq([@token])
+    """
+
+  Scenario: Create multiple new host factory tokens.
+    When I run the code:
+    """
+    @host_factory.create_tokens @expiration, count: 2
+    """
+    Then the JSON should have 2 items
+
+  Scenario: Revoke a host factory token using the token object.
+    When I run the code:
+    """
+    @token = @host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    @token.revoke
+    """
+
+  Scenario: Revoke a host factory token using the API.
+    When I run the code:
+    """
+    @token = @host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    $conjur.revoke_host_factory_token @token.token
+    """