conjur-api 5.3.4 → 5.3.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 476ea2f5b5e2a375363e03e6c4659f5a425837b5e3036f41ae5aea208c56f781
-  data.tar.gz: 973be7e50f9a8a86c78770125723e42460e2264ceb7d71823fbd5d4962a31195
+  metadata.gz: a664240f5431ca1fb74de0bd5e32f9ee7e6cf2b8f1097b11fb208632d95854d8
+  data.tar.gz: 1e2c3a22bc9c592bf24c8c66e9912f34fbcc60ada3025d0d4fd35c617d367df0
 SHA512:
-  metadata.gz: 5c1cb2ded26fe6dfd44992ef4a81e5e71a01551f2874c1045a66fb556da05b55268cceef5124323dfbe14c7e032da3382e0d48cf21732a443a3c52e70af53b38
-  data.tar.gz: 58e061632c5c072134f5d2a23dab0103d73790750c054d5f6167ee0fa239598908130fc921aa3f74b9f57a93ced1092ec6165b55ae54728b3e16114baca486f1
+  metadata.gz: 19ad919e8defda0e5ca25c3d68b3837221301764827c9f365f7e69cd81d7e217f89e23f714a66990aa0448362687266d98f5eb870d2a53d7d72fbc4f23f91aca
+  data.tar.gz: a2549d4e49565c8b533385dd71e4c2886acda2d5b1a98c4585ded7461ea0a9e7234c92e3010dc1c1270524d6916fa6ab8e0e641c99d42cd5ee045464a07a9c7c

data/.github/CODEOWNERS

@@ -1,4 +1,4 @@
-* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team
+* @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team
 
 # Changes to .trivyignore require Security Architect approval
 .trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects

data/.gitleaks.toml

@@ -1,4 +1,4 @@
-title = "Secretless Broker gitleaks config"
+title = "Conjur API Ruby gitleaks config"
 
 # This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
 # If GITLEAKS_CONFIG environment variable

data/CHANGELOG.md

@@ -6,11 +6,25 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [5.3.5] - 2021-05-04
+
+### Added
+- Add `rest_client_options` option to `Conjur.configuration`. This allows users to
+  configure the RestClient instance used by Conjur API to communicate with the Conjur 
+  server.
+  [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
+
+### Changed
+- Replace monkey patching `RestClient::Request` with defaults on `Conjur.configuration.rest_client_options`
+  in order to limit the scope of the default `:ssl_cert_store` option only to inside
+  Conjur API. 
+  [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
+
 ## [5.3.4] - 2020-10-29
 
 ### Changed
 - When rotating the currently logged in user's/host's API key, we now explictily
-  prevent use of `resource(<own_id>).rotate_api_key` for that action as the
+  prevent use of `resource({own_id}).rotate_api_key` for that action as the
   `Conjur::API.rotate_api_key` should be used instead for that. This change is a
   downstream enforcement of the stricter key rotation requirements on the server
   covered by [this](https://github.com/cyberark/conjur/security/advisories/GHSA-qhjf-g9gm-64jq)
@@ -332,7 +346,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [2.0.0] - 2013-13-12
 
-[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...HEAD
+[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.5...HEAD
+[5.3.5]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...v5.3.5
 [5.3.4]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.3...v5.3.4
 [5.3.3]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.1...v5.3.3
 [5.3.1]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.0...v5.3.1

data/README.md

@@ -128,6 +128,28 @@ Conjur::API.new_from_key login, api_key
 Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be
 prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.example.com`.
 
+## Configuring RestClient
+
+[Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb)
+allows optional configuration of the [RestClient](https://github.com/rest-client/rest-client)
+instance used by Conjur API to communicate with the Conjur server, via the options hash
+`Conjur.configuration.rest_client_options`.
+
+The default value for the options hash is:
+```ruby
+{
+  ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+}
+```
+
+For example, here's how you would configure the client to use a proxy and `ssl_ca_file` (instead of the default `ssl_cert_store`).
+```ruby
+Conjur.configuration.rest_client_options = {
+    ssl_ca_file: "ca_certificate.pem",
+    proxy: "http://proxy.example.com/"
+}
+```
+
 ## Contributing
 
 We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing

data/lib/conjur-api/version.rb

@@ -19,6 +19,6 @@
 
 module Conjur
   class API
-    VERSION = "5.3.4"
+    VERSION = "5.3.5"
   end
 end

data/lib/conjur/api.rb

@@ -50,24 +50,6 @@ require 'conjur/layer'
 require 'conjur/cache'
 require 'conjur-api/version'
 
-# Monkey patch RestClient::Request so it always uses
-# :ssl_cert_store. (RestClient::Resource uses Request to send
-# requests, so it sees :ssl_cert_store, too).
-# @api private
-class RestClient::Request
-  alias_method :initialize_without_defaults, :initialize
-
-  def default_args
-    {
-      ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
-    }
-  end
-
-  def initialize args
-    initialize_without_defaults default_args.merge(args)
-  end
-end
-
 # @api private
 class RestClient::Resource
   include Conjur::Escape

data/lib/conjur/api/authn.rb

@@ -50,7 +50,7 @@ module Conjur
         url_for(:authn_login, account, username, password).get
       end
 
-      # Exchanges Conjur the API key (refresh token) for an access token.  The access token can 
+      # Exchanges Conjur the API key (refresh token) for an access token.  The access token can
       # then be used to authenticate further API calls.
       #
       # @param [String] username The username or host id for which we want a token
@@ -65,7 +65,7 @@ module Conjur
         JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
       end
 
-      # Obtains an access token from the +authn_local+ service. The access token can 
+      # Obtains an access token from the +authn_local+ service. The access token can
       # then be used to authenticate further API calls.
       #
       # @param [String] username The username or host id for which we want a token
@@ -80,7 +80,7 @@ module Conjur
         require 'json'
         require 'socket'
         message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
-        JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })        
+        JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
       end
 
       # Change a user's password.  To do this, you must have the user's current password.  This does not change or rotate

data/lib/conjur/api/router/v4.rb

@@ -8,18 +8,27 @@ module Conjur
 
         def authn_login account, username, password
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users/login']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )['users/login']
         end
 
         def authn_authenticate account, username
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url)['users'][fully_escape username]['authenticate']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )['users'][fully_escape username]['authenticate']
         end
 
         # For v4, the authn-local message is the username.
         def authn_authenticate_local username, account, expiration, cidr, &block
           verify_account(account)
-          
+
           raise "'expiration' is not supported for authn-local v4" if expiration
           raise "'cidr' is not supported for authn-local v4" if cidr
 
@@ -28,36 +37,51 @@ module Conjur
 
         def authn_rotate_api_key credentials, account, id
           verify_account(account)
-          username = if id.kind == "user"
-            id.identifier
-          else
-            [ id.kind, id.identifier ].join('/')
-          end
-          RestClient::Resource.new(Conjur.configuration.authn_url, credentials)['users']["api_key?id=#{username}"]
+          username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['users']["api_key?id=#{username}"]
         end
 
         def authn_rotate_own_api_key account, username, password
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users']["api_key"]
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(user: username, password: password)
+          )['users']["api_key"]
         end
 
         def host_factory_create_host token
           http_options = {
             headers: { authorization: %Q(Token token="#{token}") }
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, http_options)['host_factories']['hosts']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )['host_factories']['hosts']
         end
 
         def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories'][id.identifier]['tokens']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories'][id.identifier]['tokens']
         end
 
         def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories']['tokens'][token]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories']['tokens'][token]
         end
 
         def resources_resource credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['resources'][id.kind][id.identifier]
+
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['resources'][id.kind][id.identifier]
         end
 
         def resources_check credentials, id, privilege, role
@@ -73,47 +97,80 @@ module Conjur
         end
 
         def resources_permitted_roles credentials, id, privilege
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
         end
 
         def roles_role credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles'][id.kind][id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles'][id.kind][id.identifier]
         end
 
         def secrets_add credentials, id
           verify_account(id.account)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['values']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['values']
         end
 
         def variable credentials, id
           verify_account(id.account)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]
         end
 
         def secrets_value credentials, id, options
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['value'][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['value'][options_querystring options]
         end
 
         def secrets_values credentials, variable_ids
           options = {
             vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables']['values'][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables']['values'][options_querystring options]
         end
 
         def group_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['groups'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['groups'][fully_escape id.identifier].get
+          )
         end
 
         def variable_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['variables'][fully_escape id.identifier].get
+          )
         end
 
         def user_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['users'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['users'][fully_escape id.identifier].get
+          )
         end
 
         def parse_group_gidnumber attributes

data/lib/conjur/api/router/v5.rb

@@ -27,19 +27,34 @@ module Conjur
         extend self
 
         def authn_login account, username, password
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['login']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['login']
         end
 
         def authn_authenticate account, username
-          RestClient::Resource.new(Conjur.configuration.authn_url)[fully_escape account][fully_escape username]['authenticate']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )[fully_escape account][fully_escape username]['authenticate']
         end
 
         def authenticator account, authenticator, service_id, credentials
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)[fully_escape authenticator][fully_escape service_id][fully_escape account]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[fully_escape authenticator][fully_escape service_id][fully_escape account]
         end
 
         def authenticators
-          RestClient::Resource.new(Conjur.configuration.core_url)['authenticators']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['authenticators']
         end
 
         # For v5, the authn-local message is a JSON string with account, sub, and optional fields.
@@ -51,38 +66,68 @@ module Conjur
         end
 
         def authn_update_password account, username, password
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['password']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['password']
         end
 
         def authn_rotate_api_key credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authn'][fully_escape account]["api_key?role=#{id}"]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authn'][fully_escape account]["api_key?role=#{id}"]
         end
 
         def authn_rotate_own_api_key account, username, password
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)[fully_escape account]['api_key']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )[fully_escape account]['api_key']
         end
 
         def host_factory_create_host token
           http_options = {
             headers: { authorization: %Q(Token token="#{token}") }
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, http_options)["host_factories"]["hosts"]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )["host_factories"]["hosts"]
         end
 
         def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factory_tokens']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens']
         end
 
         def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factory_tokens'][token]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factory_tokens'][token]
         end
 
         def policies_load_policy credentials, account, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['policies'][fully_escape account]['policy'][fully_escape id]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['policies'][fully_escape account]['policy'][fully_escape id]
         end
 
         def public_keys_for_user account, username
-          RestClient::Resource.new(Conjur.configuration.core_url)['public_keys'][fully_escape account]['user'][fully_escape username]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.rest_client_options
+          )['public_keys'][fully_escape account]['user'][fully_escape username]
         end
 
         def resources credentials, account, kind, options
@@ -91,11 +136,17 @@ module Conjur
           path = "/resources/#{fully_escape account}"
           path += "/#{fully_escape kind}" if kind
 
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)[path][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )[path][options_querystring options]
         end
 
         def resources_resource credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['resources'][id.to_url_path]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['resources'][id.to_url_path]
         end
 
         def resources_permitted_roles credentials, id, privilege
@@ -114,22 +165,34 @@ module Conjur
         end
 
         def roles_role credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['roles'][id.to_url_path]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['roles'][id.to_url_path]
         end
 
         def secrets_add credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][id.to_url_path]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path]
         end
 
         def secrets_value credentials, id, options
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][id.to_url_path][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][id.to_url_path][options_querystring options]
         end
 
         def secrets_values credentials, variable_ids
           options = {
             variable_ids: Array(variable_ids).join(',')
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['secrets'][options_querystring(options).gsub("%2C", ',')]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['secrets'][options_querystring(options).gsub("%2C", ',')]
         end
 
         def group_attributes credentials, resource, id
@@ -167,13 +230,16 @@ module Conjur
         end
 
         def ldap_sync_policy(credentials, config_name)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['ldap-sync']["policy?config_name=#{fully_escape(config_name)}"]
         end
 
         private
 
         def resource_annotations resource
-          resource.attributes['annotations'] || {}
+          resource.attributes['annotations']
         end
       end
     end

data/lib/conjur/configuration.rb

@@ -24,7 +24,6 @@ require 'set'
 require 'conjur/cert_utils'
 
 module Conjur
-  
   class << self
     # Saves the current thread local {Conjur::Configuration},
     # sets the thread local {Conjur::Configuration} to `config`, yields to the block, and ensures that
@@ -68,7 +67,7 @@ module Conjur
     ensure
       Thread.current[:conjur_configuration] = oldvalue
     end
-    
+
     # Gets the current thread-local or global configuration.
     #
     # The thread-local Conjur configuration can only be set using the {Conjur.with_configuration}
@@ -79,7 +78,7 @@ module Conjur
     def configuration
       Thread.current[:conjur_configuration] || (@config ||= Configuration.new)
     end
-    
+
     # Sets the global configuration.
     #
     # This method *has no effect* on the thread local configuration.  Use {Conjur.with_configuration} instead if
@@ -191,25 +190,25 @@ module Conjur
       @supplied = options.dup
       @computed = Hash.new
     end
-    
+
     class << self
       # @api private
       def accepted_options
         require 'set'
         @options ||= Set.new
       end
-      
+
       # @param [Symbol] name
       # @param [Hash] options
-      # @option options [Boolean] :boolean (false) whether this option should have a '?' accessor 
+      # @option options [Boolean] :boolean (false) whether this option should have a '?' accessor
       # @option options [Boolean, String] :env Environment variable for this option.  Set to false
       #   to disallow environment based configuration.  Default is CONJUR_<OPTION_NAME>.
       # @option options [Proc, *] :default Default value or proc to provide it
       # @option options [Boolean] :required (false) when true, raise an exception if the option is
       #   not set
-      # @option options [Proc, #to_proc] :convert proc-ish to convert environment 
+      # @option options [Proc, #to_proc] :convert proc-ish to convert environment
       #   values to appropriate types
-      # @param [Proc] def_proc block to provide default values 
+      # @param [Proc] def_proc block to provide default values
       # @api private
       def add_option name, options = {}, &def_proc
         accepted_options << name
@@ -217,7 +216,7 @@ module Conjur
         env_var = options[:env] || "CONJUR_#{name.to_s.upcase}"
         def_val = options[:default]
         opt_name = name
-        
+
         def_proc ||= if def_val.respond_to?(:call)
           def_val
         elsif options[:required]
@@ -225,10 +224,10 @@ module Conjur
         else
           proc { def_val }
         end
-        
+
         convert = options[:convert] || ->(x){ x }
         # Allow a Symbol, for example
-        convert = convert.to_proc if convert.respond_to?(:to_proc) 
+        convert = convert.to_proc if convert.respond_to?(:to_proc)
 
         define_method("#{name}=") do |value|
           set name, value
@@ -237,7 +236,7 @@ module Conjur
         define_method("#{name}_env_var") do
           allow_env ? env_var : nil
         end
-        
+
         define_method(name) do
           value = computed[name]
           return value unless value.nil?
@@ -246,7 +245,7 @@ module Conjur
             supplied[name]
           elsif allow_env && ENV.member?(env_var)
             instance_exec(ENV[env_var], &convert)
-          else 
+          else
             instance_eval(&def_proc)
           end.tap do |value|
             computed[name] = value
@@ -256,7 +255,7 @@ module Conjur
         alias_method("#{name}?", name) if options[:boolean]
       end
     end
-    
+
     # Return a copy of this {Conjur::Configuration} instance, optionally
     # updating the copy with options from the `override_options` hash.
     #
@@ -290,8 +289,8 @@ module Conjur
     #
     # The url for the {http://developer.conjur.net/reference/services/authentication Conjur authentication service}.
     #
-    # By default, this will be built from the +appliance_url+. To use a custom authenticator, 
-    # set this option in code or set `CONJUR_AUTHN_URL`. 
+    # By default, this will be built from the +appliance_url+. To use a custom authenticator,
+    # set this option in code or set `CONJUR_AUTHN_URL`.
     #
     #
     # @return [String] the authentication service url
@@ -369,10 +368,30 @@ module Conjur
     # @see cert_file
     add_option :ssl_certificate
 
+    # @!attribute rest_client_options
+    #
+    # Custom options for the underlying RestClient Requests. This defaults to:
+    # ```
+    # {
+    #   ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+    # }
+    # ``
+    #
+    # The `ssl_cert_store` value aligns with the default certificate store used by
+    # {#apply_cert_config!}.
+    #
+    # NOTE: When setting the value of rest_client_options the defaults are not retained,
+    # you must manually set them on the value you provide.
+    add_option :rest_client_options do
+      {
+        ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+      }
+    end
+
     # @!attribute version
     #
     # Selects the major API version of the Conjur server. With this setting, the API
-    # will use the routing scheme for API version `4` or `5`. 
+    # will use the routing scheme for API version `4` or `5`.
     #
     # Methods which are not available in the selected version will raise NoMethodError.
     add_option :version, default: 5
@@ -383,6 +402,12 @@ module Conjur
     # This is only available when the API client is running on the Conjur server.
     add_option :authn_local_socket, default: "/run/authn-local/.socket"
 
+    # Create rest_client_options by merging the input with the
+    # rest_client_options present on the configuration object.
+    def create_rest_client_options options
+      rest_client_options.merge(options || {})
+    end
+
     # Calls a major-version-specific function.
     def version_logic v4_logic, v5_logic
       case version.to_s
@@ -398,6 +423,9 @@ module Conjur
     # Add the certificate configured by the {#ssl_certificate} and {#cert_file} options to the certificate
     # store used by Conjur clients.
     #
+    # NOTE: If you specify a non-default `store` value, you must manually set the
+    # `ssl_cert_store` value on {#rest_client_options} to the same value.
+    #
     # @param [OpenSSL::X509::Store] store the certificate store that the certificate will be installed in.
     # @return [Boolean]  whether a certificate was added to the store.
     def apply_cert_config! store=OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE

data/spec/configuration_spec.rb

@@ -29,6 +29,28 @@ describe Conjur::Configuration do
       configuration.account = "the-account"
       configuration.appliance_url = "https://conjur/api"
     }
+
+    it "rest_client_options defaults" do
+      expected = {
+        ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+      }
+      expect(configuration.rest_client_options).to eq(expected)
+    end
+
+    it "rest_client_options propagate to RestClient::Resource" do
+      expected = {
+        ssl_ca_file: "ca_certificate.pem",
+        proxy: "http://proxy.example.com/"
+      }
+      configuration.rest_client_options = {
+        ssl_ca_file: "ca_certificate.pem",
+        proxy: "http://proxy.example.com/"
+      }
+
+      resource = Conjur::API.url_for(:authn_login, *["account", "username", "password"])
+      expect(resource.options).to include(expected)
+    end
+
     it "can still be changed by changing the appliance_url" do
       configuration.appliance_url = "https://other/api"
       expect(configuration.core_url).to eq "https://other/api"
@@ -40,7 +62,7 @@ describe Conjur::Configuration do
       expect(configuration.authn_url).to eq "http://authn-docker"
     end
 
-    context "and duplicated" do 
+    context "and duplicated" do
       subject { configuration.clone override_options }
       let(:override_options) { Hash.new }
 
@@ -72,7 +94,7 @@ describe Conjur::Configuration do
       end
     end
   end
-    
+
   describe "url generation" do
     describe 'authn_url' do
       before {
@@ -281,7 +303,7 @@ RjvSxre4Xg2qlI9Laybb4oZ4g6DI8hRbL0VdFAsveg6SXg2RxgJcXeJUFw==
           expect(subject).to be_truthy
         end
       end
-      
+
     end
 
     context 'when cert file is not readable' do

data/spec/spec_helper.rb

@@ -84,7 +84,7 @@ end
 require 'conjur/api'
 
 KIND="asset_kind"
-ID="unique_id" 
+ID="unique_id"
 ROLE='<role>'
 MEMBER='<member>'
 PRIVILEGE='<privilege>'

data/spec/ssl_spec.rb

@@ -16,16 +16,14 @@ describe 'SSL connection' do
 
   context 'with certificate added to the default OpenSSL cert store' do
     before do
-      store = OpenSSL::X509::Store.new
-      store.add_cert cert
-      stub_const 'OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE', store
+      cert_store.add_cert(cert)
     end
 
     it 'works' do
       expect { Conjur::API.login 'foo', 'bar', account: "the-account" }.to raise_error RestClient::ResourceNotFound
     end
   end
-  
+
   let(:server) do
     server = WEBrick::HTTPServer.new \
         Port: 0, SSLEnable: true,
@@ -33,8 +31,14 @@ describe 'SSL connection' do
         SSLCertificate: cert, SSLPrivateKey: key
   end
   let(:port) { server.config[:Port] }
+  let(:cert_store) { OpenSSL::X509::Store.new }
 
   before do
+    # Reset configuration to allow each test to use its own stub
+    # of OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE.
+    Conjur.configuration = nil
+    stub_const 'OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE', cert_store
+
     allow(Conjur.configuration).to receive(:authn_url).and_return "https://localhost:#{port}"
   end
 
@@ -50,15 +54,23 @@ describe 'SSL connection' do
   let(:cert) do
     OpenSSL::X509::Certificate.new """
       -----BEGIN CERTIFICATE-----
-      MIIBpDCCAQ2gAwIBAgIJALVPXQuF0w39MA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
-      BAMMCWxvY2FsaG9zdDAeFw0xNTAyMTQxNTE0MDFaFw0yNTAyMTExNTE0MDFaMBQx
-      EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
-      n+IqEsmbuZk7E2GdPZpBxETjXC+dGze5XlZHPyKviekQ9sachAsBWApVrjM2QDtf
-      KOwa6GuBqGQ0bdl4Ui7I0CIGB4a0UJHU/EvuDhI1cTzAVVWemW1QaqKxI/2xDgs9
-      bqY471iVirRiSYD+6lm2pFYqOnnR/d+QKIMXhPOi0DMCAwEAATANBgkqhkiG9w0B
-      AQsFAAOBgQCSPchDKAiVPNJlRkaY9KPIXfPbFX6h/+ilJRl1xtHqY+y4SxURbnU0
-      fbYVnapKiuMnrnxTWXwl1z1iMbuuzjUC0RDz8F9pZkQ9IJpBSOaSfyUmk1JrrBRU
-      INyaxnJjtc7YIzW1Yz7+aKtzZAQuFXNhiQa+CIIGeWrpzbExo2ce3Q==
+      MIIDCzCCAfOgAwIBAgIUaApjB95cJZlMTwDg4EBk4Mf1y4swDQYJKoZIhvcNAQEL
+      BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTIxMDQyODIxNTA1OFoYDzQ3NTkw
+      MzI1MjE1MDU4WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
+      AQUAA4IBDwAwggEKAoIBAQC+MIx1LCzBeAl7kHfI21wYmA6W8luyq14+DecaQPMd
+      bW7fMlHSMJC/nlFDQyqmfYfKlVCiJRV/QTdUtA9hCytPlEKjlVmm4WIYLKfjj8Sp
+      A+X9VURk75Fz+Z7UsF8u2J3pF9wFfhBzznwePlFdcWYyQMIRtghoHk/WSsbJVXVQ
+      so7+0BLFyMYB3otfCyK+H/iyoXWLZll2irYZJedVm/lyTlnc9dT1XDAWWI8kSeUV
+      lCkEulqOf8qZyU7wNUafRkzBuYkR7ddp1Qdkq+QYw7blmfZXyJbAYSt4gEMyDMk8
+      ArScP8j+Efz5D54wS7fZFwmQp41+iP5WTxGsSU3dh44fAgMBAAGjUzBRMB0GA1Ud
+      DgQWBBS4ZJDxXOs8rK3+SyfLopDFqK0IWDAfBgNVHSMEGDAWgBS4ZJDxXOs8rK3+
+      SyfLopDFqK0IWDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAE
+      WuzjqQ/gyho/pluX31hq7EMAFgqqz7ECN6DqmvpqabMD6s1kQ662KTo7gCBEcNtA
+      nC7QycFp4v/Cr8+aUEa1W3+q2MqbmshORonUrLE/vxejK+NUvhSCWnmrM8v60zhR
+      pn9lSSgQCBKWDgaU0VQVn0I9MuexeAj64Qv2uUHnZK3QUx+Gk3uurTmhKEN5FI+D
+      sC7xO0qquTZ1Vv1EkLEso4dnFVW84EjdfmfeiW6JmHO7z1p1ebGsRwoQead/qTKw
+      ze+Y1A1w3GzuhDo55aHlWE/Wvnou0aM3O9gUd++a2j+XJ2P7qaTB/L7SJk4qZ9RA
+      t2PbKVP+tyZjXKtXmgzp
       -----END CERTIFICATE-----
     """.lines.map(&:strip).join("\n")
   end
@@ -66,19 +78,31 @@ describe 'SSL connection' do
   let(:key) do
     OpenSSL::PKey.read """
       -----BEGIN RSA PRIVATE KEY-----
-      MIICXAIBAAKBgQCf4ioSyZu5mTsTYZ09mkHERONcL50bN7leVkc/Iq+J6RD2xpyE
-      CwFYClWuMzZAO18o7Broa4GoZDRt2XhSLsjQIgYHhrRQkdT8S+4OEjVxPMBVVZ6Z
-      bVBqorEj/bEOCz1upjjvWJWKtGJJgP7qWbakVio6edH935AogxeE86LQMwIDAQAB
-      AoGAUCDb7zCFUB4gglUgpfgCT+gqflAKj9J8n2/kIxsyGI7rBpKBbJfLY6FCUZyu
-      6sAWr/6seaEviQI3WHpuF9oEn6gzb1XWpKH7h9ZAu5O2sscdrc5MrpFmBvGjMBnd
-      80u/TcsDHX453QbPgqOJTi+Qt15Y+Ot/iE8ccQjW6pMPiCECQQDLQvNekVF7YJ9e
-      iJNZSJMcx2c9hjAuywm/jPX+57k0xRlxGKCQxyujmxDfztDYU9kHMRHknbxz0sFr
-      0Vkaxo1DAkEAyV3z6vvTtUx7R5IYOUkZqIfeQ6k6ZItQoZdZPKoBW0s7QhqvJyZN
-      qeYJMaFR87A6273LwhpXZTvQwSYUUw6KUQJAQAIfXaJphG7TARQFQtKF8UQiEM/X
-      EIVD1pxvQwx52FJRRro4ph7ycRz93Vzli5or+AXN2q6Jj/fIjUlpw/LOvQJAfyPO
-      FUjpM+hVUiwhFVJdW/ZlVK0tzDvWLiDkXBQvBRhsEuHMQ1jA4ov2tBpaJxXXI9Uj
-      KKv/EFEDDmDfpk1g8QJBAIJhDsxKWgUy1lk+lGYdWRQi/D/BnkNbySklCypmZghu
-      Q6oXJNYB9NWLRWDJaGHlHrAn40Wq6MUx95Aomvj+uHA=
+      MIIEowIBAAKCAQEAvjCMdSwswXgJe5B3yNtcGJgOlvJbsqtePg3nGkDzHW1u3zJR
+      0jCQv55RQ0Mqpn2HypVQoiUVf0E3VLQPYQsrT5RCo5VZpuFiGCyn44/EqQPl/VVE
+      ZO+Rc/me1LBfLtid6RfcBX4Qc858Hj5RXXFmMkDCEbYIaB5P1krGyVV1ULKO/tAS
+      xcjGAd6LXwsivh/4sqF1i2ZZdoq2GSXnVZv5ck5Z3PXU9VwwFliPJEnlFZQpBLpa
+      jn/KmclO8DVGn0ZMwbmJEe3XadUHZKvkGMO25Zn2V8iWwGEreIBDMgzJPAK0nD/I
+      /hH8+Q+eMEu32RcJkKeNfoj+Vk8RrElN3YeOHwIDAQABAoIBAQCnW0ctkDqt3/fQ
+      MHcHWue2iI9GCmvgU+WxC0DSHFcSDQrkAn53S98DjseJPaBZMtr7y9pRY/p/qR6M
+      PYnO5iotc5QUKEbkjy1nglwV5Zuy8kg+XPq7Kwg+GmjGVZDcQybpRuKIPr8xeIBF
+      iKbGaBP6ontjZGAPZqTwN4qm/bkm0QRQkMEVQLpBaOlXjl0BCknhCMgyNA1F0jGc
+      HLqJpFO46qvWDkDaKriMY/ezrkGYxlvV8xGJ2lzoaNWBsQeMXtcDJXuFMJO3lZl4
+      VUjeNbyPprUzL6/kLZGMVFdRWhzKAluJEy3B6zybY4xxmgmifqn8/OxIaT172IXN
+      KACuEorpAoGBAOYZEfuON+73dcstpjq3062+XUOxAAc77aFcGFQ2pqDTUtvoR05R
+      o0uXrSuQqt0/FJVdZqdDx1and6idI7j/LfkOwvmPPg2dJIwKV73T2HdR7BpJaYlI
+      KS6Bgl0AiW2ibjZJbBFJMiINb2tRGeYcOPfWlis309D2DXxl1f1TJTKTAoGBANOZ
+      aDH1VJXh7rdAHrwNonTjoCeYKG7oAh0WTfqmCqcBjAkXsVc7dBd/98XKGS5LPRtl
+      dIaJdYngeYyH5Ey5O2l/63tk0d4sqE8l+GVy+OHFn2AZMuaVXS0JXIQspn4s/U7F
+      CuawmFszE8fv41WgVNhF00ijheoRz/X19yu0ULHFAoGAYmJZ1AutUtowXZ25M+Yh
+      9motCqKF9pHjO1lbdbagbKevCCQ7SPuTLOE/xB7pUAyGyo7TM7XBaAXXHhuCiLlj
+      eNic+YQL7lpApDhP5/TK28oFf//fxjk6ko4Bpa5zFJOdOE0QjhuT+gdwmpxkzIVI
+      vn/cWcJXKUPr5ELOyrBgeU0CgYBWqIUbsLWrjJQPSJtNuOfHp1F35cDpausyrmfR
+      Nx81tlR7hNCEQT0SQr5eqp4Vb4rfJXXLg5A3n08oVp8RLOtAEbuHFYs9ylxDzfEk
+      2ylCjYTv/mHyPUmjoCnbl8237wTutZP5VmmPMCPxxjT8ZGVbDX2ySgYWDqV0vf80
+      TuydYQKBgG24Wpes1CJmKiuWGnPi5I/+iIKZRfpEGidpjnsktkr3O+VZSZNQtDfC
+      uWp/NgMxzxXxYdmmaQTwektB5axrsPUnxxiHmb8KkVU1IcMpYvUulFYiKVvFx+JJ
+      bx/fkItCZ4AP3CG2Onz8xZdosg+c+MEdIlCrg94dA1EmHewCt2Hv
       -----END RSA PRIVATE KEY-----
     """.lines.map(&:strip).join("\n")
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-api
 version: !ruby/object:Gem::Version
-  version: 5.3.4
+  version: 5.3.5
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-29 00:00:00.000000000 Z
+date: 2021-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -356,7 +356,6 @@ files:
 - spec/spec_helper.rb
 - spec/ssl_spec.rb
 - spec/uri_escape_spec.rb
-- spec/vendor/rest_client_spec.rb
 - test.sh
 - tmp/.keep
 homepage: https://github.com/cyberark/conjur-api-ruby/
@@ -378,7 +377,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Conjur API
@@ -426,4 +425,3 @@ test_files:
 - spec/spec_helper.rb
 - spec/ssl_spec.rb
 - spec/uri_escape_spec.rb
-- spec/vendor/rest_client_spec.rb

data/spec/vendor/rest_client_spec.rb

@@ -1,41 +0,0 @@
-# Copyright (C) 2014 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-require 'spec_helper'
-require 'tempfile'
-
-# RestClient monkey patches MIME::Types, breaking it in certain situations.
-# Let's make sure we monkey patch the monkey patch if necessary.
-
-describe RestClient::Request do
-  shared_examples :restclient do
-    it "can be initialized" do
-      expect { RestClient::Request.new method: 'GET', url: 'http://example.com' }.to_not raise_error
-    end
-  end
-
-  context 'default arguments' do
-    let(:cache) { nil }
-    let(:lazy) { false }
-    it "sets cert_store to OpenSSL's default cert store" do
-      request = RestClient::Request.new(method: 'GET', url: 'http://example.com')
-      expect(request.ssl_opts[:cert_store]).to eq(OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE)
-    end
-  end
-end