conjur-api 5.4.2.pre.638 → 6.0.0.pre.94
- checksums.yaml +4 -4
- data/.github/CODEOWNERS +4 -4
- data/.rubocop_todo.yml +3 -5
- data/CHANGELOG.md +6 -3
- data/CONTRIBUTING.md +27 -71
- data/Jenkinsfile +69 -30
- data/README.md +1 -21
- data/Rakefile +2 -7
- data/VERSION +1 -1
- data/ci/{configure_v5.sh → configure.sh} +1 -1
- data/ci/oauth/keycloak/keycloak_functions.sh +7 -7
- data/conjur-api.gemspec +1 -0
- data/dev/docker-compose.yml +12 -21
- data/dev/start +9 -9
- data/dev/stop +1 -1
- data/docker-compose.yml +13 -38
- data/example/{demo_v5.rb → demo.rb} +3 -8
- data/features/step_definitions/policy_steps.rb +1 -1
- data/features/support/env.rb +5 -1
- data/lib/conjur/api/router.rb +267 -0
- data/lib/conjur/base.rb +2 -2
- data/lib/conjur/configuration.rb +0 -20
- data/lib/conjur/routing.rb +2 -12
- data/lib/conjur/variable.rb +7 -15
- data/spec/spec_helper.rb +4 -0
- data/spec/uri_escape_spec.rb +3 -3
- data/test.sh +16 -29
- metadata +21 -24
- data/ci/configure_v4.sh +0 -12
- data/example/demo_v4.rb +0 -49
- data/features_v4/authn_local.feature +0 -27
- data/features_v4/exists.feature +0 -29
- data/features_v4/host.feature +0 -18
- data/features_v4/host_factory_token.feature +0 -49
- data/features_v4/members.feature +0 -39
- data/features_v4/permitted.feature +0 -15
- data/features_v4/permitted_roles.feature +0 -8
- data/features_v4/resource_fields.feature +0 -47
- data/features_v4/rotate_api_key.feature +0 -13
- data/features_v4/step_definitions/api_steps.rb +0 -17
- data/features_v4/step_definitions/result_steps.rb +0 -3
- data/features_v4/support/env.rb +0 -23
- data/features_v4/support/world.rb +0 -12
- data/features_v4/variable_fields.feature +0 -11
- data/features_v4/variable_value.feature +0 -54
- data/lib/conjur/api/router/v4.rb +0 -206
- data/lib/conjur/api/router/v5.rb +0 -269
- /data/{features_v4 → features}/support/policy.yml +0 -0
data/dev/stop
CHANGED
data/docker-compose.yml
CHANGED
@@ -1,16 +1,19 @@
|
|
1
1
|
version: '2.1'
|
2
2
|
services:
|
3
3
|
pg:
|
4
|
-
image: postgres:
|
4
|
+
image: postgres:15
|
5
|
+
environment:
|
6
|
+
POSTGRES_HOST_AUTH_METHOD: trust
|
5
7
|
|
6
|
-
|
8
|
+
conjur:
|
7
9
|
image: cyberark/conjur:edge
|
10
|
+
# TODO: Test with a version that supports authn-sut
|
8
11
|
command: server -a cucumber
|
9
12
|
environment:
|
10
13
|
DATABASE_URL: postgres://postgres@pg/postgres
|
11
14
|
CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs='
|
12
15
|
volumes:
|
13
|
-
-
|
16
|
+
- authn_local:/run/authn-local
|
14
17
|
- ./ci/oauth/keycloak:/scripts
|
15
18
|
depends_on:
|
16
19
|
- pg
|
@@ -26,7 +29,7 @@ services:
|
|
26
29
|
- KEYCLOAK_APP_USER_EMAIL=alice@conjur.net
|
27
30
|
- DB_VENDOR=H2
|
28
31
|
- KEYCLOAK_CLIENT_ID=conjurClient
|
29
|
-
- KEYCLOAK_REDIRECT_URI=http://
|
32
|
+
- KEYCLOAK_REDIRECT_URI=http://conjur/authn-oidc/keycloak/cucumber/authenticate
|
30
33
|
- KEYCLOAK_CLIENT_SECRET=1234
|
31
34
|
- KEYCLOAK_SCOPE=openid
|
32
35
|
ports:
|
@@ -35,15 +38,7 @@ services:
|
|
35
38
|
- ./ci/oauth/keycloak/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone.xml
|
36
39
|
- ./ci/oauth/keycloak:/scripts
|
37
40
|
|
38
|
-
|
39
|
-
image: registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
|
40
|
-
security_opt:
|
41
|
-
- seccomp:unconfined
|
42
|
-
volumes:
|
43
|
-
- ./features_v4/support/policy.yml:/etc/policy.yml
|
44
|
-
- authn_local_4:/run/authn-local
|
45
|
-
|
46
|
-
tester_5:
|
41
|
+
tester:
|
47
42
|
build:
|
48
43
|
context: .
|
49
44
|
dockerfile: Dockerfile
|
@@ -53,27 +48,10 @@ services:
|
|
53
48
|
- ./spec/reports:/src/conjur-api/spec/reports
|
54
49
|
- ./features/reports:/src/conjur-api/features/reports
|
55
50
|
- ./coverage:/src/conjur-api/coverage
|
56
|
-
-
|
51
|
+
- authn_local:/run/authn-local
|
57
52
|
- ./ci/oauth/keycloak:/scripts
|
58
53
|
environment:
|
59
|
-
CONJUR_APPLIANCE_URL: http://
|
60
|
-
CONJUR_VERSION: 5
|
61
|
-
CONJUR_ACCOUNT: cucumber
|
62
|
-
|
63
|
-
tester_4:
|
64
|
-
build:
|
65
|
-
context: .
|
66
|
-
dockerfile: Dockerfile
|
67
|
-
args:
|
68
|
-
RUBY_VERSION: ${RUBY_VERSION}
|
69
|
-
volumes:
|
70
|
-
- ./features_v4/reports:/src/conjur-api/features_v4/reports
|
71
|
-
- ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
|
72
|
-
- ./coverage_v4:/src/conjur-api/coverage
|
73
|
-
- authn_local_4:/run/authn-local-4
|
74
|
-
environment:
|
75
|
-
CONJUR_APPLIANCE_URL: https://conjur_4/api
|
76
|
-
CONJUR_VERSION: 4
|
54
|
+
CONJUR_APPLIANCE_URL: http://conjur
|
77
55
|
CONJUR_ACCOUNT: cucumber
|
78
56
|
|
79
57
|
dev:
|
@@ -85,14 +63,11 @@ services:
|
|
85
63
|
entrypoint: bash
|
86
64
|
volumes:
|
87
65
|
- .:/src/conjur-api
|
88
|
-
-
|
89
|
-
- authn_local_5:/run/authn-local-5
|
66
|
+
- authn_local:/run/authn-local
|
90
67
|
environment:
|
91
68
|
CONJUR_ACCOUNT: cucumber
|
92
69
|
depends_on:
|
93
|
-
-
|
94
|
-
- conjur_5
|
70
|
+
- conjur
|
95
71
|
|
96
72
|
volumes:
|
97
|
-
|
98
|
-
authn_local_5:
|
73
|
+
authn_local:
|
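Review bot: `POSTGRES_HOST_AUTH_METHOD: trust` on the `pg` service switches off password authentication, so anything that can reach the database connects as `postgres` with no credential (the `DATABASE_URL` in the same hunk already carries none). That is tolerable only because this stack is a throwaway test environment, and the file does not say so. I would add a comment above the setting, for example `# test-only: passwordless Postgres; never publish this service's port or reuse this file outside CI`. No `ports:` entry for `pg` is visible in this hunk and it should stay that way; indentation is lost in this rendering, so the nesting is inferred from key order.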
@@ -7,19 +7,14 @@ username = "admin"
|
|
7
7
|
|
8
8
|
arguments = ARGV.dup
|
9
9
|
|
10
|
-
api_key = arguments.shift or raise "Usage: ./
|
10
|
+
api_key = arguments.shift or raise "Usage: ./demo <admin-api-key>"
|
11
11
|
|
12
|
-
Conjur.configuration.appliance_url = "http://
|
12
|
+
Conjur.configuration.appliance_url = "http://conjur"
|
13
13
|
Conjur.configuration.account = "cucumber"
|
14
|
-
# This is the default
|
15
|
-
# Conjur.configuration.version = 5
|
16
|
-
|
17
|
-
puts "Configured with Conjur version: #{Conjur.configuration.version}"
|
18
|
-
puts
|
19
14
|
|
20
15
|
api = Conjur::API.new_from_key username, api_key
|
21
16
|
|
22
|
-
policy = File.read("
|
17
|
+
policy = File.read("features/support/policy.yml")
|
23
18
|
|
24
19
|
puts "Loading policy 'root'"
|
25
20
|
policy_result = api.load_policy "root", policy
|
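Review bot: The demo now sets `appliance_url` to `http://conjur`, so the admin API key read from the command line is used over an unencrypted connection. That works on the docker-compose network this example targets, but example code gets copied and nothing in the file marks the URL as local-only. I would add a comment above the assignment such as `# Plain HTTP is for the local docker-compose stack only; use an https URL and configure the server certificate for any real Conjur server.` The script continues beyond this hunk.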
@@ -130,6 +130,6 @@ Given(/^I setup a keycloak authenticator$/) do
|
|
130
130
|
@nonce.add_value SecureRandom.uuid
|
131
131
|
@state.add_value SecureRandom.uuid
|
132
132
|
@name.add_value "keycloak"
|
133
|
-
@redirect_uri.add_value "http://
|
133
|
+
@redirect_uri.add_value "http://conjur/authn-oidc/keycloak/cucumber/authenticate"
|
134
134
|
@ca_cert.add_value File.read("/etc/ssl/certs/keycloak.pem")
|
135
135
|
end
|
data/features/support/env.rb
CHANGED
@@ -1,5 +1,9 @@
|
|
1
1
|
require 'simplecov'
|
2
2
|
require 'nokogiri'
|
3
|
+
require 'simplecov-cobertura'
|
4
|
+
|
5
|
+
SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
|
6
|
+
|
3
7
|
|
4
8
|
SimpleCov.start do
|
5
9
|
command_name "#{ENV['RUBY_VERSION']}"
|
@@ -10,7 +14,7 @@ require 'conjur/api'
|
|
10
14
|
|
11
15
|
Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'http://localhost/api/v6'
|
12
16
|
Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
|
13
|
-
Conjur.configuration.authn_local_socket = "/run/authn-local
|
17
|
+
Conjur.configuration.authn_local_socket = "/run/authn-local/.socket"
|
14
18
|
|
15
19
|
$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
|
16
20
|
$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
|
@@ -0,0 +1,267 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# Copyright 2017-2018 CyberArk Ltd.
|
4
|
+
#
|
5
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
+
# you may not use this file except in compliance with the License.
|
7
|
+
# You may obtain a copy of the License at
|
8
|
+
#
|
9
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
+
#
|
11
|
+
# Unless required by applicable law or agreed to in writing, software
|
12
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
+
# See the License for the specific language governing permissions and
|
15
|
+
# limitations under the License.
|
16
|
+
|
17
|
+
# rubocop:disable Metrics/ModuleLength
|
18
|
+
module Conjur
|
19
|
+
class API
|
20
|
+
# Router translates method arguments to rest-ful API request parameters.
|
21
|
+
# because of this, most of the methods suffer from :reek:LongParameterList:
|
22
|
+
# and :reek:UtilityFunction:
|
23
|
+
module Router
|
24
|
+
extend Conjur::Escape::ClassMethods
|
25
|
+
extend Conjur::QueryString
|
26
|
+
extend self
|
27
|
+
|
28
|
+
def authn_login account, username, password
|
29
|
+
RestClient::Resource.new(
|
30
|
+
Conjur.configuration.authn_url,
|
31
|
+
Conjur.configuration.create_rest_client_options(
|
32
|
+
user: username,
|
33
|
+
password: password
|
34
|
+
)
|
35
|
+
)[fully_escape account]['login']
|
36
|
+
end
|
37
|
+
|
38
|
+
def authn_authenticate account, username
|
39
|
+
RestClient::Resource.new(
|
40
|
+
Conjur.configuration.authn_url,
|
41
|
+
Conjur.configuration.rest_client_options
|
42
|
+
)[fully_escape account][fully_escape username]['authenticate']
|
43
|
+
end
|
44
|
+
|
45
|
+
def authenticator_authenticate(account, service_id, authenticator, options)
|
46
|
+
RestClient::Resource.new(
|
47
|
+
Conjur.configuration.core_url,
|
48
|
+
Conjur.configuration.rest_client_options
|
49
|
+
)[fully_escape authenticator][fully_escape service_id][fully_escape account]['authenticate'][options_querystring options]
|
50
|
+
end
|
51
|
+
|
52
|
+
def authenticator account, authenticator, service_id, credentials
|
53
|
+
RestClient::Resource.new(
|
54
|
+
Conjur.configuration.core_url,
|
55
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
56
|
+
)[fully_escape authenticator][fully_escape service_id][fully_escape account]
|
57
|
+
end
|
58
|
+
|
59
|
+
def authenticators
|
60
|
+
RestClient::Resource.new(
|
61
|
+
Conjur.configuration.core_url,
|
62
|
+
Conjur.configuration.rest_client_options
|
63
|
+
)['authenticators']
|
64
|
+
end
|
65
|
+
|
66
|
+
def authentication_providers(account, authenticator, credentials)
|
67
|
+
RestClient::Resource.new(
|
68
|
+
Conjur.configuration.core_url,
|
69
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
70
|
+
)[fully_escape authenticator][fully_escape account]['providers']
|
71
|
+
end
|
72
|
+
|
73
|
+
# The authn-local message is a JSON string with account, sub, and optional fields.
|
74
|
+
def authn_authenticate_local username, account, expiration, cidr, &block
|
75
|
+
{ account: account, sub: username }.tap do |params|
|
76
|
+
params[:exp] = expiration if expiration
|
77
|
+
params[:cidr] = cidr if cidr
|
78
|
+
end.to_json
|
79
|
+
end
|
80
|
+
|
81
|
+
def authn_update_password account, username, password
|
82
|
+
RestClient::Resource.new(
|
83
|
+
Conjur.configuration.authn_url,
|
84
|
+
Conjur.configuration.create_rest_client_options(
|
85
|
+
user: username,
|
86
|
+
password: password
|
87
|
+
)
|
88
|
+
)[fully_escape account]['password']
|
89
|
+
end
|
90
|
+
|
91
|
+
def authn_rotate_api_key credentials, account, id
|
92
|
+
RestClient::Resource.new(
|
93
|
+
Conjur.configuration.core_url,
|
94
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
95
|
+
)['authn'][fully_escape account]["api_key?role=#{id}"]
|
96
|
+
end
|
97
|
+
|
98
|
+
def authn_rotate_own_api_key account, username, password
|
99
|
+
RestClient::Resource.new(
|
100
|
+
Conjur.configuration.authn_url,
|
101
|
+
Conjur.configuration.create_rest_client_options(
|
102
|
+
user: username,
|
103
|
+
password: password
|
104
|
+
)
|
105
|
+
)[fully_escape account]['api_key']
|
106
|
+
end
|
107
|
+
|
108
|
+
def host_factory_create_host token
|
109
|
+
http_options = {
|
110
|
+
headers: { authorization: %Q(Token token="#{token}") }
|
111
|
+
}
|
112
|
+
RestClient::Resource.new(
|
113
|
+
Conjur.configuration.core_url,
|
114
|
+
Conjur.configuration.create_rest_client_options(http_options)
|
115
|
+
)["host_factories"]["hosts"]
|
116
|
+
end
|
117
|
+
|
118
|
+
def host_factory_create_tokens credentials, id
|
119
|
+
RestClient::Resource.new(
|
120
|
+
Conjur.configuration.core_url,
|
121
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
122
|
+
)['host_factory_tokens']
|
123
|
+
end
|
124
|
+
|
125
|
+
def host_factory_revoke_token credentials, token
|
126
|
+
RestClient::Resource.new(
|
127
|
+
Conjur.configuration.core_url,
|
128
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
129
|
+
)['host_factory_tokens'][token]
|
130
|
+
end
|
131
|
+
|
132
|
+
def policies_load_policy credentials, account, id
|
133
|
+
RestClient::Resource.new(
|
134
|
+
Conjur.configuration.core_url,
|
135
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
136
|
+
)['policies'][fully_escape account]['policy'][fully_escape id]
|
137
|
+
end
|
138
|
+
|
139
|
+
def public_keys_for_user account, username
|
140
|
+
RestClient::Resource.new(
|
141
|
+
Conjur.configuration.core_url,
|
142
|
+
Conjur.configuration.rest_client_options
|
143
|
+
)['public_keys'][fully_escape account]['user'][fully_escape username]
|
144
|
+
end
|
145
|
+
|
146
|
+
def resources credentials, account, kind, options
|
147
|
+
credentials ||= {}
|
148
|
+
|
149
|
+
path = "/resources/#{fully_escape account}"
|
150
|
+
path += "/#{fully_escape kind}" if kind
|
151
|
+
|
152
|
+
RestClient::Resource.new(
|
153
|
+
Conjur.configuration.core_url,
|
154
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
155
|
+
)[path][options_querystring options]
|
156
|
+
end
|
157
|
+
|
158
|
+
def resources_resource credentials, id
|
159
|
+
RestClient::Resource.new(
|
160
|
+
Conjur.configuration.core_url,
|
161
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
162
|
+
)['resources'][id.to_url_path]
|
163
|
+
end
|
164
|
+
|
165
|
+
def resources_permitted_roles credentials, id, privilege
|
166
|
+
options = {}
|
167
|
+
options[:permitted_roles] = true
|
168
|
+
options[:privilege] = privilege
|
169
|
+
resources_resource(credentials, id)[options_querystring options]
|
170
|
+
end
|
171
|
+
|
172
|
+
def resources_check credentials, id, privilege, role
|
173
|
+
options = {}
|
174
|
+
options[:check] = true
|
175
|
+
options[:privilege] = privilege
|
176
|
+
options[:role] = query_escape(Id.new(role)) if role
|
177
|
+
resources_resource(credentials, id)[options_querystring options].get
|
178
|
+
end
|
179
|
+
|
180
|
+
def roles_role credentials, id
|
181
|
+
RestClient::Resource.new(
|
182
|
+
Conjur.configuration.core_url,
|
183
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
184
|
+
)['roles'][id.to_url_path]
|
185
|
+
end
|
186
|
+
|
187
|
+
def secrets_add credentials, id
|
188
|
+
RestClient::Resource.new(
|
189
|
+
Conjur.configuration.core_url,
|
190
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
191
|
+
)['secrets'][id.to_url_path]
|
192
|
+
end
|
193
|
+
|
194
|
+
def secrets_value credentials, id, options
|
195
|
+
RestClient::Resource.new(
|
196
|
+
Conjur.configuration.core_url,
|
197
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
198
|
+
)['secrets'][id.to_url_path][options_querystring options]
|
199
|
+
end
|
200
|
+
|
201
|
+
def secrets_values credentials, variable_ids
|
202
|
+
options = {
|
203
|
+
variable_ids: Array(variable_ids).join(',')
|
204
|
+
}
|
205
|
+
RestClient::Resource.new(
|
206
|
+
Conjur.configuration.core_url,
|
207
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
208
|
+
)['secrets'][options_querystring(options).gsub("%2C", ',')]
|
209
|
+
end
|
210
|
+
|
211
|
+
def group_attributes credentials, resource, id
|
212
|
+
resource_annotations resource
|
213
|
+
end
|
214
|
+
|
215
|
+
def variable_attributes credentials, resource, id
|
216
|
+
resource_annotations resource
|
217
|
+
end
|
218
|
+
|
219
|
+
def user_attributes credentials, resource, id
|
220
|
+
resource_annotations resource
|
221
|
+
end
|
222
|
+
|
223
|
+
def parse_group_gidnumber attributes
|
224
|
+
HasAttributes.annotation_value attributes, 'conjur/gidnumber'
|
225
|
+
end
|
226
|
+
|
227
|
+
def parse_user_uidnumber attributes
|
228
|
+
HasAttributes.annotation_value attributes, 'conjur/uidnumber'
|
229
|
+
end
|
230
|
+
|
231
|
+
def parse_variable_kind attributes
|
232
|
+
HasAttributes.annotation_value attributes, 'conjur/kind'
|
233
|
+
end
|
234
|
+
|
235
|
+
def parse_variable_mime_type attributes
|
236
|
+
HasAttributes.annotation_value attributes, 'conjur/mime_type'
|
237
|
+
end
|
238
|
+
|
239
|
+
def parse_members credentials, result
|
240
|
+
result.map do |json|
|
241
|
+
RoleGrant.parse_from_json(json, credentials)
|
242
|
+
end
|
243
|
+
end
|
244
|
+
|
245
|
+
def ldap_sync_policy(credentials, config_name)
|
246
|
+
RestClient::Resource.new(
|
247
|
+
Conjur.configuration.core_url,
|
248
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
249
|
+
)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
|
250
|
+
end
|
251
|
+
|
252
|
+
def whoami(credentials)
|
253
|
+
RestClient::Resource.new(
|
254
|
+
Conjur.configuration.core_url,
|
255
|
+
Conjur.configuration.create_rest_client_options(credentials)
|
256
|
+
)['whoami']
|
257
|
+
end
|
258
|
+
|
259
|
+
private
|
260
|
+
|
261
|
+
def resource_annotations resource
|
262
|
+
resource.attributes['annotations']
|
263
|
+
end
|
264
|
+
end
|
265
|
+
end
|
266
|
+
end
|
267
|
+
# rubocop:enable Metrics/ModuleLength
|
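Review bot: `authn_rotate_api_key` interpolates `id` into the query string unescaped (`"api_key?role=#{id}"`), while `ldap_sync_policy` wraps its value in `fully_escape` and `resources_check` uses `query_escape`; a role id containing `&`, `#` or a space would change the request that is actually sent. Unless every caller pre-escapes, I would write `)['authn'][fully_escape account]["api_key?role=#{query_escape id}"]`. `host_factory_revoke_token` has the same gap for a path segment: `['host_factory_tokens'][token]` should be `['host_factory_tokens'][fully_escape token]`. The file list suggests this module was carried over from `router/v5.rb`, so the behaviour is probably inherited, but the updated spec only covers `resources` and `resources_resource`, and one case for each of these two builders would pin the fix.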
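--- a/data/lib/conjur/base.rb
+++ b/data/lib/conjur/base.rb
@@ -110,8 +110,8 @@ module Conjur
 # @param [String] username the username to use when making authenticated requests.
 # @param [String] account The organization account.
 # @param [String] remote_ip the optional IP address to be recorded in the audit record.
-# @param [String] expiration the optional expiration time of the token
-# @param [String] cidr the optional CIDR restriction on the token
+# @param [String] expiration the optional expiration time of the token.
+# @param [String] cidr the optional CIDR restriction on the token.
 # @return [Conjur::API] an api that will authenticate with the given username.
 def new_from_authn_local username, account: Conjur.configuration.account, remote_ip: nil, expiration: nil, cidr: nil
 self.new.init_from_authn_local username, account: account, remote_ip: remote_ip, expiration: expiration, cidr: cidr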
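--- a/data/lib/conjur/configuration.rb
+++ b/data/lib/conjur/configuration.rb
@@ -388,14 +388,6 @@ module Conjur
 }
 end
 
-# @!attribute version
-#
-# Selects the major API version of the Conjur server. With this setting, the API
-# will use the routing scheme for API version `4` or `5`.
-#
-# Methods which are not available in the selected version will raise NoMethodError.
-add_option :version, default: 5
-
 # @!attribute authn_local_socket
 #
 # File path to the Unix socket used for local authentication.
@@ -408,18 +400,6 @@ module Conjur
 rest_client_options.merge(options || {})
 end
 
-# Calls a major-version-specific function.
-def version_logic v4_logic, v5_logic
-case version.to_s
-when "4"
-v4_logic.call
-when "5"
-v5_logic.call
-else
-raise "Unsupported major version #{version}"
-end
-end
-
 # Add the certificate configured by the {#ssl_certificate} and {#cert_file} options to the certificate
 # store used by Conjur clients.
 #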
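--- a/data/lib/conjur/routing.rb
+++ b/data/lib/conjur/routing.rb
@@ -11,19 +11,9 @@ module Conjur
 protected
 
 def router
-require 'conjur/api/router
-require 'conjur/api/router/v5'
+require 'conjur/api/router'
 
-
-router = instance_variable_get variable_id
-if router.nil?
-router = instance_variable_set variable_id, router_for_version
-end
-router
-end
-
-def router_for_version
-Conjur::API::Router.const_get("V#{Conjur.configuration.version}")
+Conjur::API::Router
 end
 end
 end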
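--- a/data/lib/conjur/variable.rb
+++ b/data/lib/conjur/variable.rb
@@ -131,11 +131,7 @@ module Conjur
 end
 invalidate do
 route = url_for(:secrets_add, credentials, id)
-
-route.post value: value
-}, lambda {
-route.post value
-}
+route.post value
 end
 end
 
@@ -150,16 +146,12 @@ module Conjur
 #
 # @return [Integer] the number of versions
 def version_count
-
-
-
-
-
-
-else
-secrets.last['version']
-end
-}
+secrets = attributes['secrets']
+if secrets.empty?
+0
+else
+secrets.last['version']
+end
 end
 
 # Return the version of a variable.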
data/spec/spec_helper.rb
CHANGED
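--- a/data/spec/uri_escape_spec.rb
+++ b/data/spec/uri_escape_spec.rb
@@ -1,6 +1,6 @@
 require 'spec_helper'
 require 'conjur/id'
-require 'conjur/api/router
+require 'conjur/api/router'
 
 describe 'url escaping' do
 it 'Id to path is escaped' do
@@ -9,13 +9,13 @@ describe 'url escaping' do
 end
 
 it 'Resources path is escaped' do
-request = Conjur::API::Router
+request = Conjur::API::Router.resources(nil, 'cucumber/two', 'extended variable', {})
 expect(request.url).to eq('http://localhost:5000/resources/cucumber%2Ftwo/extended%20variable/')
 end
 
 it 'Resource path is escaped' do
 resource = Conjur::Id.new('cucumber:variable:one two/three')
-request = Conjur::API::Router
+request = Conjur::API::Router.resources_resource(nil, resource)
 expect(request.url).to eq('http://localhost:5000/resources/cucumber/variable/one%20two%2Fthree')
 end
 end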
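--- a/data/test.sh
+++ b/data/test.sh
@@ -5,18 +5,19 @@
 RUBY_VERSION="$(cut -d '-' -f 2 <<< "$RUBY_VERSION")"
 
 source ./ci/oauth/keycloak/keycloak_functions.sh
+TOP_LEVEL=$(git rev-parse --show-toplevel)
 
 function finish {
 echo 'Removing test environment'
 echo '---'
-docker
+docker compose down --rmi 'local' --volumes
 }
 
 trap finish EXIT
 
 # Set up VERSION file for local development
-if [ ! -f "
-echo -n "0.0.dev" >
+if [ ! -f "${TOP_LEVEL}/VERSION" ]; then
+echo -n "0.0.dev" > "${TOP_LEVEL}/VERSION"
 fi
 
 function main() {
@@ -25,11 +26,10 @@ function main() {
 exit 1
 fi
 # Generate reports folders locally
-mkdir -p spec/reports features/reports
+mkdir -p spec/reports features/reports
 
 startConjur
-
-runTests_4
+runTests
 }
 
 function startConjur() {
@@ -40,37 +40,24 @@ function startConjur() {
 # failing to ensure that has caused many mysterious failures in CI.
 # However, unconditionally pulling prevents working offline even
 # with a warm cache. So try to pull, but ignore failures.
-docker
-docker
-docker
+docker compose pull --ignore-pull-failures
+docker compose build --build-arg RUBY_VERSION="$RUBY_VERSION"
+docker compose up -d pg conjur
 }
 
-function
-echo 'Waiting for Conjur
-./ci/
+function runTests() {
+echo 'Waiting for Conjur to come up, and configuring it...'
+./ci/configure.sh
 
-local api_key=$(docker
+local api_key=$(docker compose exec -T conjur rake 'role:retrieve-key[cucumber:user:admin]')
 
 echo 'Running tests'
 echo '-----'
-docker
+docker compose run --rm \
 -e CONJUR_AUTHN_API_KEY="$api_key" \
 -e SSL_CERT_FILE=/etc/ssl/certs/keycloak.pem \
-
-"/scripts/fetch_certificate && rake jenkins_init jenkins_spec
-}
-
-function runTests_4() {
-echo 'Waiting for Conjur v4 to come up, and configuring it...'
-./ci/configure_v4.sh
-
-local api_key=$(docker-compose exec -T conjur_4 su conjur -c "conjur-plugin-service authn env RAILS_ENV=appliance rails r \"puts User['admin'].api_key\" 2>/dev/null")
-
-echo 'Running tests'
-echo '-----'
-docker-compose run --rm \
--e CONJUR_AUTHN_API_KEY="$api_key" \
-tester_4 rake jenkins_cucumber_v4
+tester \
+"/scripts/fetch_certificate && rake jenkins_init jenkins_spec jenkins_cucumber"
 }
 
 main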
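Review bot: `TOP_LEVEL=$(git rev-parse --show-toplevel)` is used unchecked, so when the script runs outside a git checkout (an unpacked gem or tarball, for instance) the variable is empty and the VERSION block tests and writes `/VERSION` at the filesystem root. Failing early avoids that: `TOP_LEVEL="$(git rev-parse --show-toplevel)" || { echo 'test.sh must run inside a git checkout' >&2; exit 1; }`. Lines 1-4 of the script are outside the hunk, so a `set -e` there may already cover this; if it does, a short comment next to the assignment would make that dependency explicit. A related gap is `local api_key=$(docker compose exec …)` in `runTests`: `local` discards the command's exit status, so a failed key retrieval lets the tests start with an empty `CONJUR_AUTHN_API_KEY`, and declaring `local api_key` first and assigning on the next line keeps the status.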