conjur-api 5.3.7 → 5.3.8.pre.3

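--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 1990ae6f69e9c48c4c95548f6fdfa5d015df69a418651a4a6e598733587fbd8e
- data.tar.gz: a10e6eebfdd2c16fddbe6020ee7b6408c701a22838bab4adc0950d8a3715439b
+ metadata.gz: 6e542258c40773ab19a843a4f736ecc11aaebf6af17845d18ccd7f66ad9984be
+ data.tar.gz: aab3735f0a132de15e9d70d87ad6382fe8678339e2bab0f4d9164985095077c0
  SHA512:
- metadata.gz: e01cc82e4c59d198065b036ccc085e8a71f600dabc2f42674dd733cce5634a4b190ac88e9b776f7c70dc5da09ae7664a12ba57db71b6d64ce5f7953ac363f8a5
- data.tar.gz: 2f6e8cce4ef892993e2bffa89acf8e88631f413d98414b50486251caf73b132dccfc5dfb99f8faac069b58b04e1ad9cb184beefd9719ecf33217030b090c9b2c
+ metadata.gz: 0bf6b1653ade8fa65e6a6f63c87303a5112df9c61871a783dcc6bae21a698bf11b214c74fccbf8124182150d086db233bb26bb803e78a85c5fc9afc93e461882
+ data.tar.gz: 9dbf3a5fca29ba9dd88d1e087985956b2fc7414a06fca45d20c6bafda903abbe5dbc5a3df245b084651e6592b97ea980b603cb076cbd72e0e5316a47d6f3de7e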
@@ -1,5 +1,5 @@
1
1
  AllCops:
2
- TargetRubyVersion: 2.5
2
+ TargetRubyVersion: 2.7
3
3
 
4
4
  # These non-default settings best reflect our current code style.
5
5
  Style/MethodDefParentheses:
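--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -9,6 +9,20 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
  - Nothing should go in this section, please add to the latest unreleased version
  (and update the corresponding date), or add a new version.
 
+ ## [5.3.8] - 2022-07-19
+
+ ### Added
+ - Added support for OIDC V2 authentication endpoint.
+ [cyberark/cojnur-api-ruby#207](https://github.com/cyberark/conjur-api-ruby/pull/207)
+ - Added support for OIDC authenticator providers endpoint.
+ [cyberark/cojnur-api-ruby#207](https://github.com/cyberark/conjur-api-ruby/pull/207)
+
+ ### Changed
+ - Remove support for Ruby versions <2.7 which are [end of life](https://endoflife.date/ruby).
+ [cyberark/conjur-api-ruby#206](https://github.com/cyberark/conjur-api-ruby/pull/206)
+ - Adding operation call to fetch authentication providers
+ [cyberark/conjur-api-ruby#206](https://github.com/cyberark/conjur-api-ruby/pull/206)
+
  ## [5.3.7] - 2021-12-28
 
  ### Changed
@@ -362,7 +376,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
  ## [2.0.0] - 2013-13-12
 
- [Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...HEAD
+ [Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.8...HEAD
+ [5.3.8]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.7...v5.3.8
  [5.3.7]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...v5.3.7
  [5.3.6]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.5...v5.3.6
  [5.3.5]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...v5.3.5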
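--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -123,11 +123,8 @@ $ docker-compose down
  ### Update the version and changelog
 
  1. Create a new branch for the version bump.
- 1. Based on the unreleased content, determine the new version number and update
- the [version.rb](lib/conjur-api/version.rb) file.
  1. Commit these changes - `Bump version to x.y.z` is an acceptable commit message - and open a PR
- for review. Your PR should include updates to `lib/conjur-api/version.rb`, and
- `CHANGELOG.md`.
+ for review. Your PR should include updates to `CHANGELOG.md`.
 
  ### Add a git tag
 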
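--- a/data/Jenkinsfile
+++ b/data/Jenkinsfile
@@ -1,4 +1,5 @@
  #!/usr/bin/env groovy
+ @Library('conjur@test-fix-git-directory-permissions') _
 
  // Automated release, promotion and dependencies
  properties([
@@ -58,40 +59,6 @@ pipeline {
  }
  }
 
- stage('Test Ruby 2.5') {
- environment {
- RUBY_VERSION = '2.5'
- }
- steps {
- sh './test.sh'
- }
-
- post {
- always {
- junit 'spec/reports/*.xml'
- junit 'features/reports/*.xml'
- junit 'features_v4/reports/*.xml'
- }
- }
- }
-
- stage('Test Ruby 2.6') {
- environment {
- RUBY_VERSION = '2.6'
- }
- steps {
- sh './test.sh'
- }
-
- post {
- always {
- junit 'spec/reports/*.xml'
- junit 'features/reports/*.xml'
- junit 'features_v4/reports/*.xml'
- }
- }
- }
-
  stage('Test Ruby 2.7') {
  environment {
  RUBY_VERSION = '2.7'
@@ -149,10 +116,12 @@ pipeline {
  steps {
  release {
  // Clean up all but the calculated VERSION
- sh '''docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd \
- -e VERSION \
- -e bom-assets/ \
- -e release-assets/ '''
+ sh '''docker run -i --rm -v $(pwd):/src -w /src --entrypoint /bin/sh alpine/git \
+ -c "git config --global --add safe.directory /src && \
+ git clean -fdx \
+ -e VERSION \
+ -e bom-assets/ \
+ -e release-assets" '''
  sh './publish.sh'
  sh 'cp conjur-api-*.gem release-assets/.'
  }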
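Review bot: The added `@Library('conjur@test-fix-git-directory-permissions') _` line at the top of the Jenkinsfile makes the release pipeline load its shared library from what the name suggests is a work-in-progress branch. A branch reference is mutable, so anyone able to push to that branch changes what the test, release and publish stages execute without a change to this repository. Before this ships in a release, the reference should return to the library's default version or be pinned to a reviewed tag or commit, for example `@Library('conjur@<reviewed-tag-or-commit>') _`. If the branch pin is meant to be temporary, a comment next to it saying when it is to be removed would keep it from becoming permanent.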
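--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 5.3.7
+ 5.3.8-3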
@@ -5,7 +5,7 @@ cd "$(dirname "$0")"
5
5
  docker run --rm \
6
6
  -v "$PWD/..:/work" \
7
7
  -w "/work" \
8
- ruby:2.5 bash -ec "
8
+ ruby:2.7 bash -ec "
9
9
  gem install -N parse_a_changelog
10
10
  parse ./CHANGELOG.md
11
11
  "
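--- a/data/ci/configure_v5.sh
+++ b/data/ci/configure_v5.sh
@@ -1,5 +1,7 @@
  #!/bin/bash -e
 
+ source ./ci/oauth/keycloak/keycloak_functions.sh
+
  cat << "CONFIGURE" | docker exec -i $(docker-compose ps -q conjur_5) bash
  set -e
 
@@ -12,3 +14,6 @@ done
  # So we fail if the server isn't up yet:
  curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null
  CONFIGURE
+
+ fetch_keycloak_certificate
+ create_keycloak_users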
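Review bot: The two calls added at the end run `fetch_keycloak_certificate` and `create_keycloak_users` without first calling `wait_for_keycloak_server`, which the sourced functions file also defines. Unless the wait happens in a caller that is not shown here, a slow Keycloak start means the certificate fetch and the client registration run against a server that is not listening yet. Consider adding `wait_for_keycloak_server` as the first of the three calls. The `source ./ci/oauth/keycloak/keycloak_functions.sh` path is relative to the working directory rather than to the script, so a one-line comment stating that the script must be started from the repository root would help.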
@@ -0,0 +1,18 @@
1
+ #!/bin/sh
2
+
3
+
4
+ keycloak/bin/kcreg.sh config credentials \
5
+ --server http://localhost:8080/auth \
6
+ --realm master \
7
+ --user "$KEYCLOAK_USER" \
8
+ --password "$KEYCLOAK_PASSWORD"
9
+
10
+ keycloak/bin/kcreg.sh create \
11
+ -s clientId="$KEYCLOAK_CLIENT_ID" \
12
+ -s "redirectUris=[\"$KEYCLOAK_REDIRECT_URI\"]" \
13
+ -s "secret=$KEYCLOAK_CLIENT_SECRET"
14
+
15
+ # Enable direct access to get an id token with username & password
16
+ keycloak/bin/kcreg.sh update conjurClient -s directAccessGrantsEnabled=true
17
+
18
+ keycloak/bin/kcreg.sh get "$KEYCLOAK_CLIENT_ID" | jq '.secret'
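Review bot: The `update` call names the client `conjurClient` literally while `create` and `get` use `"$KEYCLOAK_CLIENT_ID"`, so the direct-access grant is enabled only when the variable happens to hold that value; use `keycloak/bin/kcreg.sh update "$KEYCLOAK_CLIENT_ID" -s directAccessGrantsEnabled=true`. The last line prints the client secret to stdout, which lands in the CI job log when the script is run through `docker-compose exec`; drop it or redirect it if nothing consumes the value. There is no `set -e`, so a failed `config credentials` login does not stop the later calls. A header comment stating that the password grant and the plain-HTTP admin login are meant for the disposable test realm only would help anyone who copies this setup.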
@@ -0,0 +1,21 @@
1
+ #!/bin/sh
2
+
3
+ echo "login as admin with user $KEYCLOAK_USER"
4
+
5
+ keycloak/bin/kcadm.sh config credentials \
6
+ --server http://localhost:8080/auth \
7
+ --realm master \
8
+ --user "$KEYCLOAK_USER" \
9
+ --password "$KEYCLOAK_PASSWORD"
10
+
11
+ echo "creating user $1 with email $3"
12
+
13
+ keycloak/bin/kcadm.sh create users \
14
+ -s username="$1" \
15
+ -s email="$3" \
16
+ -s enabled=true
17
+
18
+ echo "setting password of user $1 to $2"
19
+ keycloak/bin/kcadm.sh set-password \
20
+ --username "$1" \
21
+ -p "$2"
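Review bot: The last `echo` writes the new user's password in clear text to the job output (`echo "setting password of user $1 to $2"`); log only the username, `echo "setting password of user $1"`. The password is also passed as a `-p` argument, so it is visible in the container's process list while the command runs, which is tolerable for a disposable test realm but deserves a comment saying so. The script has no `set -e`, so a failed login or a failed `create users` call still falls through to `set-password`.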
@@ -0,0 +1,18 @@
1
+ #!/bin/sh
2
+
3
+ # This script retrieves a certificate from the keycloak OIDC provider
4
+ # and puts it to a trusted operating system store.
5
+ # It is needed to communicate with the provider via SSL for validating ID tokens
6
+
7
+ openssl s_client \
8
+ -showcerts \
9
+ -connect keycloak:8443 \
10
+ -servername keycloak \
11
+ </dev/null | \
12
+ openssl x509 \
13
+ -outform PEM \
14
+ >/etc/ssl/certs/keycloak.pem
15
+
16
+ hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
17
+
18
+ ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0"
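Review bot: The script accepts whatever certificate the peer at `keycloak:8443` presents on first contact and installs it into the system trust store, so nothing authenticates the provider. That is acceptable only on the isolated compose network, and the header comment should say so, e.g. `# Trust-on-first-use: only safe on the private CI network.` If `openssl s_client` fails (for instance because Keycloak is not up yet), `keycloak.pem` is left empty, `hash` comes back empty and the link would be created as `/etc/ssl/certs/.0`; add `set -e` and check `[ -s /etc/ssl/certs/keycloak.pem ]` before linking. `ln -s` also fails on a second run because the link already exists, so `ln -sf` would make the script re-runnable.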
@@ -0,0 +1,71 @@
1
+ #!/usr/bin/env bash
2
+
3
+ KEYCLOAK_SERVICE_NAME="keycloak"
4
+
5
+ # Note: the single arg is a nameref, which this function sets to an array
6
+ # containing items of the form "KEY=VAL".
7
+ function _hydrate_keycloak_env_args() {
8
+ local -n arr=$1
9
+ local keycloak_items
10
+
11
+ readarray -t keycloak_items < <(
12
+ set -o pipefail
13
+ # Note: This prints all lines that look like:
14
+ # KEYCLOAK_XXX=someval
15
+ docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} printenv | awk '/KEYCLOAK/'
16
+ )
17
+
18
+ # shellcheck disable=SC2034
19
+ arr=(
20
+ "${keycloak_items[@]}"
21
+ "PROVIDER_URI=https://keycloak:8443/auth/realms/master"
22
+ "PROVIDER_INTERNAL_URI=http://keycloak:8080/auth/realms/master/protocol/openid-connect"
23
+ "PROVIDER_ISSUER=http://keycloak:8080/auth/realms/master"
24
+ "ID_TOKEN_USER_PROPERTY=preferred_username"
25
+ )
26
+ }
27
+
28
+ # The arguments must be unexpanded variable names. Eg:
29
+ #
30
+ # _create_keycloak_user '$APP_USER' '$APP_PW' '$APP_EMAIL'
31
+ #
32
+ # This is because those variables are not available to this script. They are
33
+ # available to bash commands run via "docker-compose exec keycloak bash
34
+ # -c...", since they're defined in the docker-compose.yml.
35
+ function _create_keycloak_user() {
36
+ local user_var=$1
37
+ local pw_var=$2
38
+ local email_var=$3
39
+
40
+ docker-compose exec -T \
41
+ ${KEYCLOAK_SERVICE_NAME} \
42
+ bash -c "/scripts/create_user \"$user_var\" \"$pw_var\" \"$email_var\""
43
+ }
44
+
45
+ function create_keycloak_users() {
46
+ echo "Defining keycloak client"
47
+
48
+ docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} /scripts/create_client
49
+
50
+ echo "Creating user 'alice' in Keycloak"
51
+
52
+ # Note: We want to pass the bash command thru without expansion here.
53
+ # shellcheck disable=SC2016
54
+ _create_keycloak_user \
55
+ '$KEYCLOAK_APP_USER' \
56
+ '$KEYCLOAK_APP_USER_PASSWORD' \
57
+ '$KEYCLOAK_APP_USER_EMAIL'
58
+ }
59
+
60
+ function wait_for_keycloak_server() {
61
+ docker-compose exec -T \
62
+ ${KEYCLOAK_SERVICE_NAME} /scripts/wait_for_server
63
+ }
64
+
65
+ function fetch_keycloak_certificate() {
66
+ # there's a dep on the docker-compose.yml volumes.
67
+ # Fetch SSL cert to communicate with keycloak (OIDC provider).
68
+ echo "Initialize keycloak certificate in conjur server"
69
+ docker-compose exec -T \
70
+ conjur_5 /scripts/fetch_certificate
71
+ }
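Review bot: `_hydrate_keycloak_env_args` copies every container variable whose line contains `KEYCLOAK` into the caller's array, which, judging by the other scripts on this page, includes `KEYCLOAK_PASSWORD` and `KEYCLOAK_CLIENT_SECRET`. Anchor the filter with `awk '/^KEYCLOAK_/'` and, if callers need only a few names, list them explicitly so admin credentials are not forwarded by default. The `set -o pipefail` inside `<( … )` affects only that subshell and `readarray` never sees its exit status, so a failed `docker-compose exec` yields an empty array without an error; test `${#keycloak_items[@]}` after the read. `_create_keycloak_user` splices its arguments into a `bash -c` string, which is fine for the single-quoted variable references used in `create_keycloak_users` but would be parsed as shell code for any literal value, so the comment above it should state that callers must pass variable references only.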