conjur-api 5.4.1 → 6.0.0.pre.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. checksums.yaml +4 -4
  2. data/.github/CODEOWNERS +4 -4
  3. data/.rubocop_todo.yml +3 -5
  4. data/CHANGELOG.md +7 -1
  5. data/CONTRIBUTING.md +27 -71
  6. data/Jenkinsfile +69 -30
  7. data/README.md +1 -21
  8. data/Rakefile +2 -7
  9. data/VERSION +1 -1
  10. data/ci/{configure_v5.sh → configure.sh} +1 -1
  11. data/ci/oauth/keycloak/fetch_certificate +0 -4
  12. data/ci/oauth/keycloak/keycloak_functions.sh +7 -7
  13. data/conjur-api.gemspec +1 -0
  14. data/dev/docker-compose.yml +12 -21
  15. data/dev/start +9 -9
  16. data/dev/stop +1 -1
  17. data/docker-compose.yml +13 -38
  18. data/example/{demo_v5.rb → demo.rb} +3 -8
  19. data/features/step_definitions/policy_steps.rb +13 -12
  20. data/features/support/env.rb +5 -1
  21. data/lib/conjur/api/router.rb +267 -0
  22. data/lib/conjur/base.rb +2 -2
  23. data/lib/conjur/configuration.rb +0 -20
  24. data/lib/conjur/routing.rb +2 -12
  25. data/lib/conjur/variable.rb +7 -15
  26. data/spec/spec_helper.rb +4 -0
  27. data/spec/uri_escape_spec.rb +3 -3
  28. data/test.sh +16 -29
  29. metadata +27 -30
  30. data/ci/configure_v4.sh +0 -12
  31. data/example/demo_v4.rb +0 -49
  32. data/features_v4/authn_local.feature +0 -27
  33. data/features_v4/exists.feature +0 -29
  34. data/features_v4/host.feature +0 -18
  35. data/features_v4/host_factory_token.feature +0 -49
  36. data/features_v4/members.feature +0 -39
  37. data/features_v4/permitted.feature +0 -15
  38. data/features_v4/permitted_roles.feature +0 -8
  39. data/features_v4/resource_fields.feature +0 -47
  40. data/features_v4/rotate_api_key.feature +0 -13
  41. data/features_v4/step_definitions/api_steps.rb +0 -17
  42. data/features_v4/step_definitions/result_steps.rb +0 -3
  43. data/features_v4/support/env.rb +0 -23
  44. data/features_v4/support/world.rb +0 -12
  45. data/features_v4/variable_fields.feature +0 -11
  46. data/features_v4/variable_value.feature +0 -54
  47. data/lib/conjur/api/router/v4.rb +0 -206
  48. data/lib/conjur/api/router/v5.rb +0 -269
  49. /data/{features_v4 → features}/support/policy.yml +0 -0
data/lib/conjur/api/router/v4.rb DELETED
@@ -1,206 +0,0 @@
1
- module Conjur
2
- class API
3
- module Router
4
- module V4
5
- extend Conjur::Escape::ClassMethods
6
- extend Conjur::QueryString
7
- extend self
8
-
9
- def authn_login account, username, password
10
- verify_account(account)
11
- RestClient::Resource.new(
12
- Conjur.configuration.authn_url,
13
- Conjur.configuration.create_rest_client_options(
14
- user: username,
15
- password: password
16
- )
17
- )['users/login']
18
- end
19
-
20
- def authn_authenticate account, username
21
- verify_account(account)
22
- RestClient::Resource.new(
23
- Conjur.configuration.authn_url,
24
- Conjur.configuration.rest_client_options
25
- )['users'][fully_escape username]['authenticate']
26
- end
27
-
28
- # For v4, the authn-local message is the username.
29
- def authn_authenticate_local username, account, expiration, cidr, &block
30
- verify_account(account)
31
-
32
- raise "'expiration' is not supported for authn-local v4" if expiration
33
- raise "'cidr' is not supported for authn-local v4" if cidr
34
-
35
- username
36
- end
37
-
38
- def authn_rotate_api_key credentials, account, id
39
- verify_account(account)
40
- username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
41
- RestClient::Resource.new(
42
- Conjur.configuration.authn_url,
43
- Conjur.configuration.create_rest_client_options(credentials)
44
- )['users']["api_key?id=#{username}"]
45
- end
46
-
47
- def authn_rotate_own_api_key account, username, password
48
- verify_account(account)
49
- RestClient::Resource.new(
50
- Conjur.configuration.authn_url,
51
- Conjur.configuration.create_rest_client_options(user: username, password: password)
52
- )['users']["api_key"]
53
- end
54
-
55
- def host_factory_create_host token
56
- http_options = {
57
- headers: { authorization: %Q(Token token="#{token}") }
58
- }
59
- RestClient::Resource.new(
60
- Conjur.configuration.core_url,
61
- Conjur.configuration.create_rest_client_options(http_options)
62
- )['host_factories']['hosts']
63
- end
64
-
65
- def host_factory_create_tokens credentials, id
66
- RestClient::Resource.new(
67
- Conjur.configuration.core_url,
68
- Conjur.configuration.create_rest_client_options(credentials)
69
- )['host_factories'][id.identifier]['tokens']
70
- end
71
-
72
- def host_factory_revoke_token credentials, token
73
- RestClient::Resource.new(
74
- Conjur.configuration.core_url,
75
- Conjur.configuration.create_rest_client_options(credentials)
76
- )['host_factories']['tokens'][token]
77
- end
78
-
79
- def resources_resource credentials, id
80
-
81
- RestClient::Resource.new(
82
- Conjur.configuration.core_url,
83
- Conjur.configuration.create_rest_client_options(credentials)
84
- )['authz'][id.account]['resources'][id.kind][id.identifier]
85
- end
86
-
87
- def resources_check credentials, id, privilege, role
88
- options = {}
89
- options[:check] = true
90
- options[:privilege] = privilege
91
- if role
92
- options[:resource_id] = id
93
- roles_role(credentials, Id.new(role))[options_querystring options].get
94
- else
95
- resources_resource(credentials, id)[options_querystring options].get
96
- end
97
- end
98
-
99
- def resources_permitted_roles credentials, id, privilege
100
- RestClient::Resource.new(
101
- Conjur.configuration.core_url,
102
- Conjur.configuration.create_rest_client_options(credentials)
103
- )['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
104
- end
105
-
106
- def roles_role credentials, id
107
- RestClient::Resource.new(
108
- Conjur.configuration.core_url,
109
- Conjur.configuration.create_rest_client_options(credentials)
110
- )['authz'][id.account]['roles'][id.kind][id.identifier]
111
- end
112
-
113
- def secrets_add credentials, id
114
- verify_account(id.account)
115
- RestClient::Resource.new(
116
- Conjur.configuration.core_url,
117
- Conjur.configuration.create_rest_client_options(credentials)
118
- )['variables'][fully_escape id.identifier]['values']
119
- end
120
-
121
- def variable credentials, id
122
- verify_account(id.account)
123
- RestClient::Resource.new(
124
- Conjur.configuration.core_url,
125
- Conjur.configuration.create_rest_client_options(credentials)
126
- )['variables'][fully_escape id.identifier]
127
- end
128
-
129
- def secrets_value credentials, id, options
130
- RestClient::Resource.new(
131
- Conjur.configuration.core_url,
132
- Conjur.configuration.create_rest_client_options(credentials)
133
- )['variables'][fully_escape id.identifier]['value'][options_querystring options]
134
- end
135
-
136
- def secrets_values credentials, variable_ids
137
- options = {
138
- vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
139
- }
140
- RestClient::Resource.new(
141
- Conjur.configuration.core_url,
142
- Conjur.configuration.create_rest_client_options(credentials)
143
- )['variables']['values'][options_querystring options]
144
- end
145
-
146
- def group_attributes credentials, resource, id
147
- verify_account(id.account)
148
- JSON.parse(
149
- RestClient::Resource.new(
150
- Conjur.configuration.core_url,
151
- Conjur.configuration.create_rest_client_options(credentials)
152
- )['groups'][fully_escape id.identifier].get
153
- )
154
- end
155
-
156
- def variable_attributes credentials, resource, id
157
- verify_account(id.account)
158
- JSON.parse(
159
- RestClient::Resource.new(
160
- Conjur.configuration.core_url,
161
- Conjur.configuration.create_rest_client_options(credentials)
162
- )['variables'][fully_escape id.identifier].get
163
- )
164
- end
165
-
166
- def user_attributes credentials, resource, id
167
- verify_account(id.account)
168
- JSON.parse(
169
- RestClient::Resource.new(
170
- Conjur.configuration.core_url,
171
- Conjur.configuration.create_rest_client_options(credentials)
172
- )['users'][fully_escape id.identifier].get
173
- )
174
- end
175
-
176
- def parse_group_gidnumber attributes
177
- attributes['gidnumber']
178
- end
179
-
180
- def parse_user_uidnumber attributes
181
- attributes['uidnumber']
182
- end
183
-
184
- def parse_variable_kind attributes
185
- attributes['kind']
186
- end
187
-
188
- def parse_variable_mime_type attributes
189
- attributes['mime_type']
190
- end
191
-
192
- def parse_members credentials, result
193
- result.collect do |json|
194
- RoleGrant.parse_from_json(json, credentials)
195
- end
196
- end
197
-
198
- protected
199
-
200
- def verify_account account
201
- raise "Expecting account to be #{Conjur.configuration.account.inspect}, got #{account.inspect}" unless Conjur.configuration.account == account
202
- end
203
- end
204
- end
205
- end
206
- end
data/lib/conjur/api/router/v5.rb DELETED
@@ -1,269 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- # Copyright 2017-2018 CyberArk Ltd.
4
- #
5
- # Licensed under the Apache License, Version 2.0 (the "License");
6
- # you may not use this file except in compliance with the License.
7
- # You may obtain a copy of the License at
8
- #
9
- # http://www.apache.org/licenses/LICENSE-2.0
10
- #
11
- # Unless required by applicable law or agreed to in writing, software
12
- # distributed under the License is distributed on an "AS IS" BASIS,
13
- # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
- # See the License for the specific language governing permissions and
15
- # limitations under the License.
16
-
17
- # rubocop:disable Metrics/ModuleLength
18
- module Conjur
19
- class API
20
- module Router
21
- # V5 translates method arguments to rest-ful API request parameters.
22
- # because of this, most of the methods suffer from :reek:LongParameterList:
23
- # and :reek:UtilityFunction:
24
- module V5
25
- extend Conjur::Escape::ClassMethods
26
- extend Conjur::QueryString
27
- extend self
28
-
29
- def authn_login account, username, password
30
- RestClient::Resource.new(
31
- Conjur.configuration.authn_url,
32
- Conjur.configuration.create_rest_client_options(
33
- user: username,
34
- password: password
35
- )
36
- )[fully_escape account]['login']
37
- end
38
-
39
- def authn_authenticate account, username
40
- RestClient::Resource.new(
41
- Conjur.configuration.authn_url,
42
- Conjur.configuration.rest_client_options
43
- )[fully_escape account][fully_escape username]['authenticate']
44
- end
45
-
46
- def authenticator_authenticate(account, service_id, authenticator, options)
47
- RestClient::Resource.new(
48
- Conjur.configuration.core_url,
49
- Conjur.configuration.rest_client_options
50
- )[fully_escape authenticator][fully_escape service_id][fully_escape account]['authenticate'][options_querystring options]
51
- end
52
-
53
- def authenticator account, authenticator, service_id, credentials
54
- RestClient::Resource.new(
55
- Conjur.configuration.core_url,
56
- Conjur.configuration.create_rest_client_options(credentials)
57
- )[fully_escape authenticator][fully_escape service_id][fully_escape account]
58
- end
59
-
60
- def authenticators
61
- RestClient::Resource.new(
62
- Conjur.configuration.core_url,
63
- Conjur.configuration.rest_client_options
64
- )['authenticators']
65
- end
66
-
67
- def authentication_providers(account, authenticator, credentials)
68
- RestClient::Resource.new(
69
- Conjur.configuration.core_url,
70
- Conjur.configuration.create_rest_client_options(credentials)
71
- )[fully_escape authenticator][fully_escape account]['providers']
72
- end
73
-
74
- # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
75
- def authn_authenticate_local username, account, expiration, cidr, &block
76
- { account: account, sub: username }.tap do |params|
77
- params[:exp] = expiration if expiration
78
- params[:cidr] = cidr if cidr
79
- end.to_json
80
- end
81
-
82
- def authn_update_password account, username, password
83
- RestClient::Resource.new(
84
- Conjur.configuration.authn_url,
85
- Conjur.configuration.create_rest_client_options(
86
- user: username,
87
- password: password
88
- )
89
- )[fully_escape account]['password']
90
- end
91
-
92
- def authn_rotate_api_key credentials, account, id
93
- RestClient::Resource.new(
94
- Conjur.configuration.core_url,
95
- Conjur.configuration.create_rest_client_options(credentials)
96
- )['authn'][fully_escape account]["api_key?role=#{id}"]
97
- end
98
-
99
- def authn_rotate_own_api_key account, username, password
100
- RestClient::Resource.new(
101
- Conjur.configuration.authn_url,
102
- Conjur.configuration.create_rest_client_options(
103
- user: username,
104
- password: password
105
- )
106
- )[fully_escape account]['api_key']
107
- end
108
-
109
- def host_factory_create_host token
110
- http_options = {
111
- headers: { authorization: %Q(Token token="#{token}") }
112
- }
113
- RestClient::Resource.new(
114
- Conjur.configuration.core_url,
115
- Conjur.configuration.create_rest_client_options(http_options)
116
- )["host_factories"]["hosts"]
117
- end
118
-
119
- def host_factory_create_tokens credentials, id
120
- RestClient::Resource.new(
121
- Conjur.configuration.core_url,
122
- Conjur.configuration.create_rest_client_options(credentials)
123
- )['host_factory_tokens']
124
- end
125
-
126
- def host_factory_revoke_token credentials, token
127
- RestClient::Resource.new(
128
- Conjur.configuration.core_url,
129
- Conjur.configuration.create_rest_client_options(credentials)
130
- )['host_factory_tokens'][token]
131
- end
132
-
133
- def policies_load_policy credentials, account, id
134
- RestClient::Resource.new(
135
- Conjur.configuration.core_url,
136
- Conjur.configuration.create_rest_client_options(credentials)
137
- )['policies'][fully_escape account]['policy'][fully_escape id]
138
- end
139
-
140
- def public_keys_for_user account, username
141
- RestClient::Resource.new(
142
- Conjur.configuration.core_url,
143
- Conjur.configuration.rest_client_options
144
- )['public_keys'][fully_escape account]['user'][fully_escape username]
145
- end
146
-
147
- def resources credentials, account, kind, options
148
- credentials ||= {}
149
-
150
- path = "/resources/#{fully_escape account}"
151
- path += "/#{fully_escape kind}" if kind
152
-
153
- RestClient::Resource.new(
154
- Conjur.configuration.core_url,
155
- Conjur.configuration.create_rest_client_options(credentials)
156
- )[path][options_querystring options]
157
- end
158
-
159
- def resources_resource credentials, id
160
- RestClient::Resource.new(
161
- Conjur.configuration.core_url,
162
- Conjur.configuration.create_rest_client_options(credentials)
163
- )['resources'][id.to_url_path]
164
- end
165
-
166
- def resources_permitted_roles credentials, id, privilege
167
- options = {}
168
- options[:permitted_roles] = true
169
- options[:privilege] = privilege
170
- resources_resource(credentials, id)[options_querystring options]
171
- end
172
-
173
- def resources_check credentials, id, privilege, role
174
- options = {}
175
- options[:check] = true
176
- options[:privilege] = privilege
177
- options[:role] = query_escape(Id.new(role)) if role
178
- resources_resource(credentials, id)[options_querystring options].get
179
- end
180
-
181
- def roles_role credentials, id
182
- RestClient::Resource.new(
183
- Conjur.configuration.core_url,
184
- Conjur.configuration.create_rest_client_options(credentials)
185
- )['roles'][id.to_url_path]
186
- end
187
-
188
- def secrets_add credentials, id
189
- RestClient::Resource.new(
190
- Conjur.configuration.core_url,
191
- Conjur.configuration.create_rest_client_options(credentials)
192
- )['secrets'][id.to_url_path]
193
- end
194
-
195
- def secrets_value credentials, id, options
196
- RestClient::Resource.new(
197
- Conjur.configuration.core_url,
198
- Conjur.configuration.create_rest_client_options(credentials)
199
- )['secrets'][id.to_url_path][options_querystring options]
200
- end
201
-
202
- def secrets_values credentials, variable_ids
203
- options = {
204
- variable_ids: Array(variable_ids).join(',')
205
- }
206
- RestClient::Resource.new(
207
- Conjur.configuration.core_url,
208
- Conjur.configuration.create_rest_client_options(credentials)
209
- )['secrets'][options_querystring(options).gsub("%2C", ',')]
210
- end
211
-
212
- def group_attributes credentials, resource, id
213
- resource_annotations resource
214
- end
215
-
216
- def variable_attributes credentials, resource, id
217
- resource_annotations resource
218
- end
219
-
220
- def user_attributes credentials, resource, id
221
- resource_annotations resource
222
- end
223
-
224
- def parse_group_gidnumber attributes
225
- HasAttributes.annotation_value attributes, 'conjur/gidnumber'
226
- end
227
-
228
- def parse_user_uidnumber attributes
229
- HasAttributes.annotation_value attributes, 'conjur/uidnumber'
230
- end
231
-
232
- def parse_variable_kind attributes
233
- HasAttributes.annotation_value attributes, 'conjur/kind'
234
- end
235
-
236
- def parse_variable_mime_type attributes
237
- HasAttributes.annotation_value attributes, 'conjur/mime_type'
238
- end
239
-
240
- def parse_members credentials, result
241
- result.map do |json|
242
- RoleGrant.parse_from_json(json, credentials)
243
- end
244
- end
245
-
246
- def ldap_sync_policy(credentials, config_name)
247
- RestClient::Resource.new(
248
- Conjur.configuration.core_url,
249
- Conjur.configuration.create_rest_client_options(credentials)
250
- )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
251
- end
252
-
253
- def whoami(credentials)
254
- RestClient::Resource.new(
255
- Conjur.configuration.core_url,
256
- Conjur.configuration.create_rest_client_options(credentials)
257
- )['whoami']
258
- end
259
-
260
- private
261
-
262
- def resource_annotations resource
263
- resource.attributes['annotations']
264
- end
265
- end
266
- end
267
- end
268
- end
269
- # rubocop:enable Metrics/ModuleLength
/data/{features_v4 → features}/support/policy.yml RENAMED
File without changes