conjur-api 5.4.1 → 6.0.0.pre.94

data/dev/start

@@ -1,14 +1,14 @@
 #!/bin/bash -ex
 
-function v5_development() {
-  docker-compose up -d --no-deps conjur_5 pg gem client
+function development() {
+  docker compose up -d --no-deps conjur pg gem client
 
-  docker-compose exec -T conjur_5 conjurctl wait
+  docker compose exec -T conjur conjurctl wait
 
-  local api_key=$(docker-compose exec -T conjur_5 rake 'role:retrieve-key[cucumber:user:admin]')
-  api_key=$(docker-compose exec -T conjur_5 conjurctl role retrieve-key cucumber:user:admin | tr -d '\r')
+  local api_key=$(docker compose exec -T conjur rake 'role:retrieve-key[cucumber:user:admin]')
+  api_key=$(docker compose exec -T conjur conjurctl role retrieve-key cucumber:user:admin | tr -d '\r')
 
-  docker exec -e CONJUR_AUTHN_API_KEY="$api_key" -it --detach-keys 'ctrl-\' $(docker-compose ps -q gem) bash
+  docker exec -e CONJUR_AUTHN_API_KEY="$api_key" -it --detach-keys 'ctrl-\' $(docker compose ps -q gem) bash
 }
 
 # Set up VERSION file for local development
@@ -16,7 +16,7 @@ if [ ! -f "../VERSION" ]; then
   echo -n "0.0.dev" > ../VERSION
 fi
 
-docker-compose pull
-docker-compose build
+docker compose pull
+docker compose build
 
-v5_development
+development

data/dev/stop

@@ -2,4 +2,4 @@
 
 echo 'Removing test environment'
 echo '---'
-docker-compose down --rmi 'local' --volumes
+docker compose down --rmi 'local' --volumes

data/docker-compose.yml

@@ -1,16 +1,19 @@
 version: '2.1'
 services:
   pg:
-    image: postgres:9.3
+    image: postgres:15
+    environment:
+      POSTGRES_HOST_AUTH_METHOD: trust
 
-  conjur_5:
+  conjur:
     image: cyberark/conjur:edge
+    # TODO: Test with a version that supports authn-sut
     command: server -a cucumber
     environment:
       DATABASE_URL: postgres://postgres@pg/postgres
       CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs='
     volumes:
-      - authn_local_5:/run/authn-local
+      - authn_local:/run/authn-local
       - ./ci/oauth/keycloak:/scripts
     depends_on:
       - pg
@@ -26,7 +29,7 @@ services:
       - KEYCLOAK_APP_USER_EMAIL=alice@conjur.net
       - DB_VENDOR=H2
       - KEYCLOAK_CLIENT_ID=conjurClient
-      - KEYCLOAK_REDIRECT_URI=http://conjur_5/authn-oidc/keycloak/cucumber/authenticate
+      - KEYCLOAK_REDIRECT_URI=http://conjur/authn-oidc/keycloak/cucumber/authenticate
       - KEYCLOAK_CLIENT_SECRET=1234
       - KEYCLOAK_SCOPE=openid
     ports:
@@ -35,15 +38,7 @@ services:
       - ./ci/oauth/keycloak/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone.xml
       - ./ci/oauth/keycloak:/scripts
 
-  conjur_4:
-    image: registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
-    security_opt:
-      - seccomp:unconfined
-    volumes:
-      - ./features_v4/support/policy.yml:/etc/policy.yml
-      - authn_local_4:/run/authn-local
-
-  tester_5:
+  tester:
     build:
         context: .
         dockerfile: Dockerfile
@@ -53,27 +48,10 @@ services:
       - ./spec/reports:/src/conjur-api/spec/reports
       - ./features/reports:/src/conjur-api/features/reports
       - ./coverage:/src/conjur-api/coverage
-      - authn_local_5:/run/authn-local-5
+      - authn_local:/run/authn-local
       - ./ci/oauth/keycloak:/scripts
     environment:
-      CONJUR_APPLIANCE_URL: http://conjur_5
-      CONJUR_VERSION: 5
-      CONJUR_ACCOUNT: cucumber
-
-  tester_4:
-    build:
-      context: .
-      dockerfile: Dockerfile
-      args:
-        RUBY_VERSION: ${RUBY_VERSION}
-    volumes:
-      - ./features_v4/reports:/src/conjur-api/features_v4/reports
-      - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
-      - ./coverage_v4:/src/conjur-api/coverage
-      - authn_local_4:/run/authn-local-4
-    environment:
-      CONJUR_APPLIANCE_URL: https://conjur_4/api
-      CONJUR_VERSION: 4
+      CONJUR_APPLIANCE_URL: http://conjur
       CONJUR_ACCOUNT: cucumber
 
   dev:
@@ -85,14 +63,11 @@ services:
     entrypoint: bash
     volumes:
       - .:/src/conjur-api
-      - authn_local_4:/run/authn-local-4
-      - authn_local_5:/run/authn-local-5
+      - authn_local:/run/authn-local
     environment:
       CONJUR_ACCOUNT: cucumber
     depends_on:
-      - conjur_4
-      - conjur_5
+      - conjur
 
 volumes:
-  authn_local_4:
-  authn_local_5:
+  authn_local:

data/example/{demo_v5.rb → demo.rb}

@@ -7,19 +7,14 @@ username = "admin"
 
 arguments = ARGV.dup
 
-api_key = arguments.shift or raise "Usage: ./demo_v5 <admin-api-key>"
+api_key = arguments.shift or raise "Usage: ./demo <admin-api-key>"
 
-Conjur.configuration.appliance_url = "http://conjur_5"
+Conjur.configuration.appliance_url = "http://conjur"
 Conjur.configuration.account = "cucumber"
-# This is the default
-# Conjur.configuration.version = 5
-
-puts "Configured with Conjur version: #{Conjur.configuration.version}"
-puts
 
 api = Conjur::API.new_from_key username, api_key
 
-policy = File.read("features_v4/support/policy.yml")
+policy = File.read("features/support/policy.yml")
 
 puts "Loading policy 'root'"
 policy_result = api.load_policy "root", policy

data/features/step_definitions/policy_steps.rb

@@ -85,20 +85,19 @@ end
 
 Given(/^I setup a keycloak authenticator$/) do
     $conjur.load_policy 'root', <<-POLICY
-    - !policy 
+    - !policy
       id: conjur/authn-oidc/keycloak
-      body: 
-      - !webservice  
-     
-      - !variable provider-uri 
-      - !variable client-id 
-      - !variable client-secret 
+      body:
+      - !webservice
+
+      - !variable provider-uri
+      - !variable client-id
+      - !variable client-secret
       - !variable name
-     
-      - !variable claim-mapping 
-       
-      - !variable nonce 
+      - !variable claim-mapping
+      - !variable nonce
       - !variable state
+      - !variable ca-cert
 
       - !variable redirect-uri
 
@@ -122,6 +121,7 @@ Given(/^I setup a keycloak authenticator$/) do
     @nonce = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/nonce")
     @state = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/state")
     @redirect_uri = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/redirect-uri")
+    @ca_cert = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/ca-cert")
 
     @provider_uri.add_value "https://keycloak:8443/auth/realms/master"
     @client_id.add_value "conjurClient"
@@ -130,5 +130,6 @@ Given(/^I setup a keycloak authenticator$/) do
     @nonce.add_value SecureRandom.uuid
     @state.add_value SecureRandom.uuid
     @name.add_value "keycloak"
-    @redirect_uri.add_value "http://conjur_5/authn-oidc/keycloak/cucumber/authenticate"
+    @redirect_uri.add_value "http://conjur/authn-oidc/keycloak/cucumber/authenticate"
+    @ca_cert.add_value File.read("/etc/ssl/certs/keycloak.pem")
 end

data/features/support/env.rb

@@ -1,5 +1,9 @@
 require 'simplecov'
 require 'nokogiri'
+require 'simplecov-cobertura'
+
+SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
+
 
 SimpleCov.start do
   command_name "#{ENV['RUBY_VERSION']}"
@@ -10,7 +14,7 @@ require 'conjur/api'
 
 Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'http://localhost/api/v6'
 Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
-Conjur.configuration.authn_local_socket = "/run/authn-local-5/.socket"
+Conjur.configuration.authn_local_socket = "/run/authn-local/.socket"
 
 $username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
 $password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'

data/lib/conjur/api/router.rb

@@ -0,0 +1,267 @@
+# frozen_string_literal: true
+
+# Copyright 2017-2018 CyberArk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# rubocop:disable Metrics/ModuleLength
+module Conjur
+  class API
+    # Router translates method arguments to rest-ful API request parameters.
+    # because of this, most of the methods suffer from :reek:LongParameterList:
+    # and :reek:UtilityFunction:
+    module Router
+      extend Conjur::Escape::ClassMethods
+      extend Conjur::QueryString
+      extend self
+
+      def authn_login account, username, password
+        RestClient::Resource.new(
+          Conjur.configuration.authn_url,
+          Conjur.configuration.create_rest_client_options(
+            user: username,
+            password: password
+          )
+        )[fully_escape account]['login']
+      end
+
+      def authn_authenticate account, username
+        RestClient::Resource.new(
+          Conjur.configuration.authn_url,
+          Conjur.configuration.rest_client_options
+        )[fully_escape account][fully_escape username]['authenticate']
+      end
+
+      def authenticator_authenticate(account, service_id, authenticator, options)
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.rest_client_options
+        )[fully_escape authenticator][fully_escape service_id][fully_escape account]['authenticate'][options_querystring options]
+      end
+
+      def authenticator account, authenticator, service_id, credentials
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )[fully_escape authenticator][fully_escape service_id][fully_escape account]
+      end
+
+      def authenticators
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.rest_client_options
+        )['authenticators']
+      end
+
+      def authentication_providers(account, authenticator, credentials)
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )[fully_escape authenticator][fully_escape account]['providers']
+      end
+
+      # The authn-local message is a JSON string with account, sub, and optional fields.
+      def authn_authenticate_local username, account, expiration, cidr, &block
+        { account: account, sub: username }.tap do |params|
+          params[:exp] = expiration if expiration
+          params[:cidr] = cidr if cidr
+        end.to_json
+      end
+
+      def authn_update_password account, username, password
+        RestClient::Resource.new(
+          Conjur.configuration.authn_url,
+          Conjur.configuration.create_rest_client_options(
+            user: username,
+            password: password
+          )
+        )[fully_escape account]['password']
+      end
+
+      def authn_rotate_api_key credentials, account, id
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['authn'][fully_escape account]["api_key?role=#{id}"]
+      end
+
+      def authn_rotate_own_api_key account, username, password
+        RestClient::Resource.new(
+          Conjur.configuration.authn_url,
+          Conjur.configuration.create_rest_client_options(
+            user: username,
+            password: password
+          )
+        )[fully_escape account]['api_key']
+      end
+
+      def host_factory_create_host token
+        http_options = {
+          headers: { authorization: %Q(Token token="#{token}") }
+        }
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(http_options)
+        )["host_factories"]["hosts"]
+      end
+
+      def host_factory_create_tokens credentials, id
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['host_factory_tokens']
+      end
+
+      def host_factory_revoke_token credentials, token
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['host_factory_tokens'][token]
+      end
+
+      def policies_load_policy credentials, account, id
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['policies'][fully_escape account]['policy'][fully_escape id]
+      end
+
+      def public_keys_for_user account, username
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.rest_client_options
+        )['public_keys'][fully_escape account]['user'][fully_escape username]
+      end
+
+      def resources credentials, account, kind, options
+        credentials ||= {}
+
+        path = "/resources/#{fully_escape account}"
+        path += "/#{fully_escape kind}" if kind
+
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )[path][options_querystring options]
+      end
+
+      def resources_resource credentials, id
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['resources'][id.to_url_path]
+      end
+
+      def resources_permitted_roles credentials, id, privilege
+        options = {}
+        options[:permitted_roles] = true
+        options[:privilege] = privilege
+        resources_resource(credentials, id)[options_querystring options]
+      end
+
+      def resources_check credentials, id, privilege, role
+        options = {}
+        options[:check] = true
+        options[:privilege] = privilege
+        options[:role] = query_escape(Id.new(role)) if role
+        resources_resource(credentials, id)[options_querystring options].get
+      end
+
+      def roles_role credentials, id
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['roles'][id.to_url_path]
+      end
+
+      def secrets_add credentials, id
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['secrets'][id.to_url_path]
+      end
+
+      def secrets_value credentials, id, options
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['secrets'][id.to_url_path][options_querystring options]
+      end
+
+      def secrets_values credentials, variable_ids
+        options = {
+          variable_ids: Array(variable_ids).join(',')
+        }
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['secrets'][options_querystring(options).gsub("%2C", ',')]
+      end
+
+      def group_attributes credentials, resource, id
+        resource_annotations resource
+      end
+
+      def variable_attributes credentials, resource, id
+        resource_annotations resource
+      end
+
+      def user_attributes credentials, resource, id
+        resource_annotations resource
+      end
+
+      def parse_group_gidnumber attributes
+        HasAttributes.annotation_value attributes, 'conjur/gidnumber'
+      end
+
+      def parse_user_uidnumber attributes
+        HasAttributes.annotation_value attributes, 'conjur/uidnumber'
+      end
+
+      def parse_variable_kind attributes
+        HasAttributes.annotation_value attributes, 'conjur/kind'
+      end
+
+      def parse_variable_mime_type attributes
+        HasAttributes.annotation_value attributes, 'conjur/mime_type'
+      end
+
+      def parse_members credentials, result
+        result.map do |json|
+          RoleGrant.parse_from_json(json, credentials)
+        end
+      end
+
+      def ldap_sync_policy(credentials, config_name)
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
+      end
+
+      def whoami(credentials)
+        RestClient::Resource.new(
+          Conjur.configuration.core_url,
+          Conjur.configuration.create_rest_client_options(credentials)
+        )['whoami']
+      end
+
+      private
+
+      def resource_annotations resource
+        resource.attributes['annotations']
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/ModuleLength

data/lib/conjur/base.rb

@@ -110,8 +110,8 @@ module Conjur
       # @param [String] username the username to use when making authenticated requests.
       # @param [String] account The organization account.
       # @param [String] remote_ip the optional IP address to be recorded in the audit record.
-      # @param [String] expiration the optional expiration time of the token (supported in V5 only).
-      # @param [String] cidr the optional CIDR restriction on the token (supported in V5 only).
+      # @param [String] expiration the optional expiration time of the token.
+      # @param [String] cidr the optional CIDR restriction on the token.
       # @return [Conjur::API] an api that will authenticate with the given username.
       def new_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
         self.new.init_from_authn_local username, account: account, remote_ip: remote_ip, expiration: expiration, cidr: cidr

data/lib/conjur/configuration.rb

@@ -388,14 +388,6 @@ module Conjur
       }
     end
 
-    # @!attribute version
-    #
-    # Selects the major API version of the Conjur server. With this setting, the API
-    # will use the routing scheme for API version `4` or `5`.
-    #
-    # Methods which are not available in the selected version will raise NoMethodError.
-    add_option :version, default: 5
-
     # @!attribute authn_local_socket
     #
     # File path to the Unix socket used for local authentication.
@@ -408,18 +400,6 @@ module Conjur
       rest_client_options.merge(options || {})
     end
 
-    # Calls a major-version-specific function.
-    def version_logic v4_logic, v5_logic
-      case version.to_s
-      when "4"
-        v4_logic.call
-      when "5"
-        v5_logic.call
-      else
-        raise "Unsupported major version #{version}"
-      end
-    end
-
     # Add the certificate configured by the {#ssl_certificate} and {#cert_file} options to the certificate
     # store used by Conjur clients.
     #

data/lib/conjur/routing.rb

@@ -11,19 +11,9 @@ module Conjur
     protected
 
     def router
-      require 'conjur/api/router/v4'
-      require 'conjur/api/router/v5'
+      require 'conjur/api/router'
 
-      variable_id = "@v#{Conjur.configuration.version}_router"
-      router = instance_variable_get variable_id
-      if router.nil?
-        router = instance_variable_set variable_id, router_for_version
-      end
-      router
-    end
-
-    def router_for_version
-      Conjur::API::Router.const_get("V#{Conjur.configuration.version}")
+      Conjur::API::Router
     end
   end
 end

data/lib/conjur/variable.rb

@@ -131,11 +131,7 @@ module Conjur
       end
       invalidate do
         route = url_for(:secrets_add, credentials, id)
-        Conjur.configuration.version_logic lambda {
-            route.post value: value
-          }, lambda {
-            route.post value
-          }
+        route.post value
       end
     end
 
@@ -150,16 +146,12 @@ module Conjur
     #
     # @return [Integer] the number of versions
     def version_count
-      Conjur.configuration.version_logic lambda {
-          JSON.parse(url_for(:variable, credentials, id).get)['version_count']
-        }, lambda {
-          secrets = attributes['secrets']
-          if secrets.empty?
-            0
-          else
-            secrets.last['version']
-          end
-        }
+      secrets = attributes['secrets']
+      if secrets.empty?
+        0
+      else
+        secrets.last['version']
+      end
     end
 
     # Return the version of a variable.

data/spec/spec_helper.rb

@@ -1,4 +1,8 @@
 require 'simplecov'
+require 'simplecov-cobertura'
+
+SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
+
 
 SimpleCov.start do
   command_name "#{ENV['RUBY_VERSION']}"

data/spec/uri_escape_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 require 'conjur/id'
-require 'conjur/api/router/v5'
+require 'conjur/api/router'
 
 describe 'url escaping' do
   it 'Id to path is escaped' do
@@ -9,13 +9,13 @@ describe 'url escaping' do
   end
 
   it 'Resources path is escaped' do
-    request = Conjur::API::Router::V5.resources(nil, 'cucumber/two', 'extended variable', {})
+    request = Conjur::API::Router.resources(nil, 'cucumber/two', 'extended variable', {})
     expect(request.url).to eq('http://localhost:5000/resources/cucumber%2Ftwo/extended%20variable/')
   end
 
   it 'Resource path is escaped' do
     resource = Conjur::Id.new('cucumber:variable:one two/three')
-    request = Conjur::API::Router::V5.resources_resource(nil, resource)
+    request = Conjur::API::Router.resources_resource(nil, resource)
     expect(request.url).to eq('http://localhost:5000/resources/cucumber/variable/one%20two%2Fthree')
   end
 end