conjur-api 5.3.8.pre.8 → 5.3.8.pre.194

data/lib/conjur/has_attributes.rb

@@ -0,0 +1,98 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+  # Many Conjur assets have key-value attributes.  Although these should generally be accessed via
+  # methods on specific asset classes (for example, {Conjur::Resource#owner}), the are available as
+  # a `Hash` on all types supporting attributes.
+  module HasAttributes
+    class << self
+
+      # @api private
+      def annotation_value annotations, name
+        (annotations.find{|a| a['name'] == name} || {})['value']
+      end
+    end
+
+    def as_json options={}
+      result = super(options)
+      if @attributes
+        result.merge!(@attributes.as_json(options))
+      end
+      result
+    end
+    
+    def to_s
+      to_json.to_s
+    end
+
+    # @api private
+    # Set the attributes for this Resource.
+    # @param [Hash] attributes new attributes for the object.
+    # @return [Hash] the new attributes
+    def attributes=(attributes); @attributes = attributes; end
+
+    # Get the attributes for this asset. This is an immutable Hash, unless the attributes
+    # are changed via policy update.
+    #
+    # @return [Hash] the asset's attributes.
+    def attributes
+      return @attributes if @attributes
+      fetch
+    end
+
+    # Call a block that will perform actions that might change the asset's attributes.
+    # No matter what happens in the block, this method ensures that the cached attributes
+    # will be invalidated.
+    #
+    # @note this is mainly used internally, but included in the public api for completeness.
+    #
+    # @return [void]
+    def invalidate(&block)
+      yield
+    ensure
+      @attributes = nil
+    end
+
+    def annotations
+      Hash[(attributes['annotations']||{}).collect {|e| [e['name'],e['value']]}]
+    end
+    
+    protected
+
+    def annotation_value name
+      annotations[name]
+    end
+
+    # @api private
+    # Fetch the attributes, overwriting any current ones.
+    def fetch
+      @attributes ||= fetch_attributes
+    end
+
+    # @api private
+    def fetch_attributes
+      cache_key = Conjur.cache_key username, url_for(:resources_resource, credentials, id).url
+      Conjur.cache.fetch_attributes cache_key do
+        JSON.parse(url_for(:resources_resource, credentials, id).get.body)
+      end
+    end
+  end
+end

data/lib/conjur/host.rb

@@ -0,0 +1,27 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+  # This class represents a Conjur Host. Hosts are created in Conjur policy, or with
+  # {Conjur::HostFactory}.
+  class Host < BaseObject
+    include ActsAsUser
+  end
+end

data/lib/conjur/host_factory.rb

@@ -0,0 +1,75 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/host_factory_token'
+
+module Conjur
+  # A Host Factory is a way to allow clients to create Conjur hosts without giving them
+  # any other access to Conjur.
+  #
+  # Each Host Factory can have 0 or more tokens, each of which is a random string that
+  # has an associated expiration and optional CIDR restriction. A user or machine who has
+  # a host factory token can use it to create new hosts, or to rotate the API keys of 
+  # existing hosts.
+  #
+  # @see API#host_factory_create_host
+  # @see HostFactoryToken
+  class HostFactory < BaseObject
+    include ActsAsRolsource
+    
+    # Create one or more host factory tokens. Each token can be used to create
+    # hosts, using {API#host_factory_create_host}. 
+    #
+    # @param expiration [Time] the future time at which the token will stop working.
+    # @param count [Integer] the number of (identical) tokens to create (default: 1).
+    # @param cidr [String] a CIDR restriction on the usage of the token.
+    # @return [Array<HostFactoryToken>] the token or tokens.
+    def create_tokens expiration, count: 1, cidr: nil
+      options = {}
+      options[:expiration] = expiration.iso8601
+      options[:host_factory] = id
+      options[:count] = count
+      options[:cidr] = cidr if cidr
+      response = JSON.parse url_for(:host_factory_create_tokens, credentials, id).post(options)
+      response.map do |data|
+        HostFactoryToken.new data, credentials
+      end
+    end
+    
+    # Create a new token.
+    #
+    # @see #create_tokens
+    def create_token expiration, cidr: nil
+      create_tokens(expiration, cidr: cidr).first
+    end
+
+    # Enumerate the tokens on the host factory.
+    #
+    # @return [Array<HostFactoryToken>] the token or tokens.
+    def tokens
+      # Tokens list is not returned by +show+ if the caller doesn't have permission
+      return nil unless self.attributes['tokens']
+
+      self.attributes['tokens'].collect do |data|
+        HostFactoryToken.new data, credentials
+      end
+    end
+  end
+end

data/lib/conjur/host_factory_token.rb

@@ -0,0 +1,78 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+  class HostFactoryToken
+    def initialize data, credentials
+      @data = data
+      @credentials = credentials
+    end
+    
+    # Convert the object to JSON.
+    #
+    # Fields:
+    #
+    # * token
+    # * expiration
+    # * cidr
+    def to_json(options = {})
+      { token: token, expiration: expiration, cidr: cidr }
+    end
+  
+    # Format the token as a string, using JSON format.
+    def to_s
+      to_json.to_s
+    end
+  
+    # Gets the token string.
+    #
+    # @return [String]
+    def token
+      @data['token']
+    end    
+    
+    # Gets the expiration.
+    #
+    # @return [DateTime]
+    def expiration
+      DateTime.iso8601(@data['expiration'])
+    end
+    
+    # Gets the CIDR restriction.
+    #
+    # @return [String]
+    def cidr
+      @data['cidr']
+    end
+
+    # Revokes the token, after which it cannot be used any more.
+    def revoke
+      Conjur::API.revoke_host_factory_token @credentials, token
+    end
+
+    def ==(other)
+      other.class == self.class &&
+        other.token == self.token &&
+        other.expiration == self.expiration &&
+        other.cidr == self.cidr
+    end
+
+  end
+end

data/lib/conjur/id.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+# Copyright 2013-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'conjur/escape'
+
+module Conjur
+  # Encapsulates a Conjur id, which consists of account, kind, and identifier.
+  class Id
+    include Conjur::Escape
+
+    attr_reader :id
+
+    def initialize id
+      @id = Id.normalize id
+    end
+
+    # The organization account, obtained from the first component of the id.
+    def account; id.split(':', 3)[0]; end
+    # The object kind, obtained from the second component of the id.
+    def kind; id.split(':', 3)[1]; end
+    # The object identifier, obtained from the third component of the id. The
+    # identifier must be unique within the `account` and `kind`.
+    def identifier; id.split(':', 3)[2]; end
+    
+    # Defines id equivalence using the string representation.
+    def == other
+      if other.is_a?(String)
+        to_s == other
+      else
+        super
+      end
+    end
+
+    # @return [String] the id string.
+    def as_json options={}
+      @id
+    end
+
+    # Splits the id into 3 components, and then joins them with a forward-slash `/`.
+    def to_url_path
+      id.split(':', 3)
+        .map(&method(:fully_escape))
+        .join('/')
+    end
+    
+    # @return [String] the id string
+    def to_s
+      id
+    end
+
+    def self.normalize id
+      Array(id).join(':').tap do |id|
+        raise ArgumentError, "id must be fully qualified: #{id}" \
+          unless id =~ /.*:.*:.*/
+      end
+    end
+  end
+end

data/lib/conjur/layer.rb

@@ -0,0 +1,9 @@
+module Conjur
+
+  # A Conjur Layer is a type of role whose members are Conjur Hosts. The hosts inherit
+  # permissions from the layer. Automatic roles on the layer can also be used to manage
+  # SSH permissions to the hosts.
+  class Layer < BaseObject
+    include ActsAsRolsource
+  end
+end

data/lib/conjur/log.rb

@@ -0,0 +1,72 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'logger'
+
+module Conjur
+  # Assign a Logger for use by Conjur API methods.  This method accepts
+  # several argument forms:
+  # * The strings 'stdout' and 'stderr' cause log messages to be sent to the corresponding stream.
+  # * Other stings are treated as paths and will cause log messages to be sent to those files.
+  # * A `Logger` instance will be used as is.
+  #
+  # Note that the logger specified by the `CONJURAPI_LOG` environment variable will override
+  # the value set here.
+  #
+  # @param [String, Logger,nil] log the new logger to use
+  # @return [void]
+  def self.log= log
+    @@log = create_log log
+  end
+
+  # @api private
+  # Create a log from a String or Logger param
+  #
+  # @param [String, Logger, nil] param the value to create the logger from
+  # @return Logger
+  def self.create_log param
+    if param
+      if param.is_a? String
+        if param == 'stdout'
+          Logger.new $stdout
+        elsif param == 'stderr'
+          Logger.new $stderr
+        else
+          Logger.new param
+        end
+      else
+        param
+      end
+    end
+  end
+
+  @@env_log = create_log ENV['CONJURAPI_LOG']
+
+  @@log = nil
+
+  # @api private
+  # @note this method may return nil if no log has been set, so you **must** check the value
+  # before attempting to use the logger.
+  #
+  # You should consider using {Conjur::LogSource} instead.
+  def self.log
+    @@env_log || @@log
+  end
+end

data/lib/conjur/log_source.rb

@@ -0,0 +1,60 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+  # This module provides logging support for actions taken by the Conjur API.
+  #
+  # @example
+  #     class Example
+  #       include LogSource
+  #
+  #       def something_interesting param
+  #         log{|l| l << "doing something interesting with #{param}"}
+  #
+  #         # Do something interesting...
+  #       end
+  #
+  #     end
+  #     # ...
+  #
+  #     Example.new.something_interesting 'foo'
+  #     # will log:
+  #     # [admin] doing something interesting with foo
+  #
+  module LogSource
+    # Yield a logger to the block.  You should use the `<<` method to write to the
+    # logger so that you don't send newlines or formatting.  The block will only be called
+    # if {Conjur.log} is not nil.
+    #
+    # The log format is `"[<username>]<messages logged in block>\n"`.
+    #
+    # @yieldparam [#<<] logger a logger to write messages
+    # @return [void]
+    def log(&block)
+      if Conjur.log
+        Conjur.log << "["
+        Conjur.log << username
+        Conjur.log << "] "
+        yield Conjur.log
+        Conjur.log << "\n"
+      end
+    end
+  end
+end

data/lib/conjur/policy.rb

@@ -0,0 +1,34 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+
+  # Defines an set of objects, permission grants and role grants. All objects in a policy
+  # share a common naming prefix, which is the id of the policy. (Exception: the root
+  # policy does not add a naming prefix to each of its objects).
+  #
+  # Policies are defined using a YAML syntax, which is extensively documented on the Conjur 
+  # web site. To load a policy, define it using YAML and then use {API#load_policy}.
+  #
+  # @see API#load_policy
+  class Policy < BaseObject
+    include ActsAsRolsource
+  end
+end

data/lib/conjur/policy_load_result.rb

@@ -0,0 +1,61 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+  # The result of loading a policy. When a policy is loaded, two types of data
+  # are always provided:
+  #
+  # * {#created_roles} the API keys of any new roles which were created
+  # * {#version} the new version of the policy.
+  class PolicyLoadResult
+    def initialize data
+      @data = data
+    end
+    
+    # @api private
+    def to_h
+      @data
+    end
+    
+    # @api private
+    def to_json options = {}
+      @data.to_json(options)
+    end
+    
+    # @api private
+    def to_s
+      @data.to_s
+    end
+
+    # API keys for roles which were created when loading the policy.
+    #
+    # @return [Hash] Hash keys are the role ids, and hash values are the API keys.    
+    def created_roles
+      @data['created_roles']
+    end
+    
+    # The new version of the policy. When a policy is updated, a new version is appended
+    # to that policy. The YAML of previous versions of the policy can be obtained 
+    # by fetching the policy resource using {API#resource}.
+    def version
+      @data['version']
+    end
+  end
+end

data/lib/conjur/query_string.rb

@@ -0,0 +1,12 @@
+# @api private
+module Conjur::QueryString
+  protected
+
+  def options_querystring options
+    if options.empty?
+      ""
+    else
+      "?#{options.to_query}"
+    end
+  end
+end

data/lib/conjur/resource.rb

@@ -0,0 +1,29 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+module Conjur
+
+  # A Conjur custom Resource. This object is used for resources whose `kind` is not
+  # any of the pre-defined common types such as {Group}, {Host}, {Variable}, etc.
+  class Resource < BaseObject
+    include ActsAsResource
+  end
+end

data/lib/conjur/role.rb

@@ -0,0 +1,29 @@
+#
+# Copyright 2013-2017 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/role_grant'
+
+module Conjur
+  # A Conjur custom Role. This object is used for roles whose `kind` is not
+  # any of the pre-defined common types such as {Group}, {Host}, {Layer}, etc.
+  class Role < BaseObject
+    include ActsAsRole
+  end
+end