conjur-api 5.3.7 → 5.3.8.pre.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1990ae6f69e9c48c4c95548f6fdfa5d015df69a418651a4a6e598733587fbd8e
-  data.tar.gz: a10e6eebfdd2c16fddbe6020ee7b6408c701a22838bab4adc0950d8a3715439b
+  metadata.gz: 6e542258c40773ab19a843a4f736ecc11aaebf6af17845d18ccd7f66ad9984be
+  data.tar.gz: aab3735f0a132de15e9d70d87ad6382fe8678339e2bab0f4d9164985095077c0
 SHA512:
-  metadata.gz: e01cc82e4c59d198065b036ccc085e8a71f600dabc2f42674dd733cce5634a4b190ac88e9b776f7c70dc5da09ae7664a12ba57db71b6d64ce5f7953ac363f8a5
-  data.tar.gz: 2f6e8cce4ef892993e2bffa89acf8e88631f413d98414b50486251caf73b132dccfc5dfb99f8faac069b58b04e1ad9cb184beefd9719ecf33217030b090c9b2c
+  metadata.gz: 0bf6b1653ade8fa65e6a6f63c87303a5112df9c61871a783dcc6bae21a698bf11b214c74fccbf8124182150d086db233bb26bb803e78a85c5fc9afc93e461882
+  data.tar.gz: 9dbf3a5fca29ba9dd88d1e087985956b2fc7414a06fca45d20c6bafda903abbe5dbc5a3df245b084651e6592b97ea980b603cb076cbd72e0e5316a47d6f3de7e

data/.rubocop_settings.yml

@@ -1,5 +1,5 @@
 AllCops:
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 2.7
 
 # These non-default settings best reflect our current code style.
 Style/MethodDefParentheses:

data/CHANGELOG.md

@@ -9,6 +9,20 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
+## [5.3.8] - 2022-07-19
+
+### Added
+- Added support for OIDC V2 authentication endpoint.
+  [cyberark/cojnur-api-ruby#207](https://github.com/cyberark/conjur-api-ruby/pull/207)
+- Added support for OIDC authenticator providers endpoint.
+  [cyberark/cojnur-api-ruby#207](https://github.com/cyberark/conjur-api-ruby/pull/207)
+
+### Changed
+- Remove support for Ruby versions <2.7 which are [end of life](https://endoflife.date/ruby).
+  [cyberark/conjur-api-ruby#206](https://github.com/cyberark/conjur-api-ruby/pull/206)
+- Adding operation call to fetch authentication providers
+  [cyberark/conjur-api-ruby#206](https://github.com/cyberark/conjur-api-ruby/pull/206)
+
 ## [5.3.7] - 2021-12-28
 
 ### Changed
@@ -362,7 +376,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [2.0.0] - 2013-13-12
 
-[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...HEAD
+[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.8...HEAD
+[5.3.8]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.7...v5.3.8
 [5.3.7]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...v5.3.7
 [5.3.6]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.5...v5.3.6
 [5.3.5]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...v5.3.5

data/CONTRIBUTING.md

@@ -123,11 +123,8 @@ $ docker-compose down
 ### Update the version and changelog
 
 1. Create a new branch for the version bump.
-1. Based on the unreleased content, determine the new version number and update
-    the [version.rb](lib/conjur-api/version.rb) file.
 1. Commit these changes - `Bump version to x.y.z` is an acceptable commit message - and open a PR
-   for review. Your PR should include updates to `lib/conjur-api/version.rb`, and
-    `CHANGELOG.md`.
+   for review. Your PR should include updates to `CHANGELOG.md`.
 
 ### Add a git tag
 

data/Jenkinsfile

@@ -1,4 +1,5 @@
 #!/usr/bin/env groovy
+@Library('conjur@test-fix-git-directory-permissions') _
 
 // Automated release, promotion and dependencies
 properties([
@@ -58,40 +59,6 @@ pipeline {
       }
     }
 
-    stage('Test Ruby 2.5') {
-      environment {
-        RUBY_VERSION = '2.5'
-      }
-      steps {
-        sh './test.sh'
-      }
-
-      post {
-        always {
-          junit 'spec/reports/*.xml'
-          junit 'features/reports/*.xml'
-          junit 'features_v4/reports/*.xml'
-        }
-      }
-    }
-
-    stage('Test Ruby 2.6') {
-      environment {
-        RUBY_VERSION = '2.6'
-      }
-      steps {
-        sh './test.sh'
-      }
-
-      post {
-        always {
-          junit 'spec/reports/*.xml'
-          junit 'features/reports/*.xml'
-          junit 'features_v4/reports/*.xml'
-        }
-      }
-    }
-
     stage('Test Ruby 2.7') {
       environment {
         RUBY_VERSION = '2.7'
@@ -149,10 +116,12 @@ pipeline {
       steps {
         release {
           // Clean up all but the calculated VERSION
-          sh '''docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd \
-                -e VERSION \
-                -e bom-assets/ \
-                -e release-assets/ '''
+          sh '''docker run -i --rm -v $(pwd):/src -w /src --entrypoint /bin/sh alpine/git \
+                -c "git config --global --add safe.directory /src && \
+                    git clean -fdx \
+                      -e VERSION \
+                      -e bom-assets/ \
+                      -e release-assets" '''
           sh './publish.sh'
           sh 'cp conjur-api-*.gem release-assets/.'
         }

data/VERSION

@@ -1 +1 @@
-5.3.7
+5.3.8-3

data/bin/parse-changelog.sh

@@ -5,7 +5,7 @@ cd "$(dirname "$0")"
 docker run --rm \
   -v "$PWD/..:/work" \
   -w "/work" \
-  ruby:2.5 bash -ec "
+  ruby:2.7 bash -ec "
     gem install -N parse_a_changelog
     parse ./CHANGELOG.md
   "

data/ci/configure_v5.sh

@@ -1,5 +1,7 @@
 #!/bin/bash -e
 
+source ./ci/oauth/keycloak/keycloak_functions.sh
+
 cat << "CONFIGURE" | docker exec -i $(docker-compose ps -q conjur_5) bash
 set -e
 
@@ -12,3 +14,6 @@ done
 # So we fail if the server isn't up yet:
 curl -o /dev/null -fs -X OPTIONS http://localhost > /dev/null
 CONFIGURE
+
+fetch_keycloak_certificate
+create_keycloak_users

data/ci/oauth/keycloak/create_client

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+
+keycloak/bin/kcreg.sh config credentials \
+  --server http://localhost:8080/auth \
+  --realm master \
+  --user "$KEYCLOAK_USER" \
+  --password "$KEYCLOAK_PASSWORD"
+
+keycloak/bin/kcreg.sh create \
+  -s clientId="$KEYCLOAK_CLIENT_ID" \
+  -s "redirectUris=[\"$KEYCLOAK_REDIRECT_URI\"]" \
+  -s "secret=$KEYCLOAK_CLIENT_SECRET"
+
+# Enable direct access to get an id token with username & password
+keycloak/bin/kcreg.sh update conjurClient -s directAccessGrantsEnabled=true
+
+keycloak/bin/kcreg.sh get "$KEYCLOAK_CLIENT_ID" | jq '.secret'

data/ci/oauth/keycloak/create_user

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+echo "login as admin with user $KEYCLOAK_USER"
+
+keycloak/bin/kcadm.sh config credentials \
+  --server http://localhost:8080/auth \
+  --realm master \
+  --user "$KEYCLOAK_USER" \
+  --password "$KEYCLOAK_PASSWORD"
+
+echo "creating user $1 with email $3"
+
+keycloak/bin/kcadm.sh create users \
+  -s username="$1" \
+  -s email="$3" \
+  -s enabled=true
+
+echo "setting password of user $1 to $2"
+keycloak/bin/kcadm.sh set-password \
+  --username "$1" \
+  -p "$2"

data/ci/oauth/keycloak/fetch_certificate

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# This script retrieves a certificate from the keycloak OIDC provider
+# and puts it to a trusted operating system store.
+# It is needed to communicate with the provider via SSL for validating ID tokens
+
+openssl s_client \
+  -showcerts \
+  -connect keycloak:8443 \
+  -servername keycloak \
+  </dev/null | \
+  openssl x509 \
+    -outform PEM \
+    >/etc/ssl/certs/keycloak.pem
+
+hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
+
+ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0"

data/ci/oauth/keycloak/keycloak_functions.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+KEYCLOAK_SERVICE_NAME="keycloak"
+
+# Note: the single arg is a nameref, which this function sets to an array
+# containing items of the form "KEY=VAL".
+function _hydrate_keycloak_env_args() {
+  local -n arr=$1
+  local keycloak_items
+
+  readarray -t keycloak_items < <(
+    set -o pipefail
+    # Note: This prints all lines that look like:
+    # KEYCLOAK_XXX=someval
+    docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} printenv | awk '/KEYCLOAK/'
+  )
+
+  # shellcheck disable=SC2034
+  arr=(
+    "${keycloak_items[@]}"
+    "PROVIDER_URI=https://keycloak:8443/auth/realms/master"
+    "PROVIDER_INTERNAL_URI=http://keycloak:8080/auth/realms/master/protocol/openid-connect"
+    "PROVIDER_ISSUER=http://keycloak:8080/auth/realms/master"
+    "ID_TOKEN_USER_PROPERTY=preferred_username"
+  )
+}
+
+# The arguments must be unexpanded variable names.  Eg:
+#
+# _create_keycloak_user '$APP_USER' '$APP_PW' '$APP_EMAIL'
+#
+# This is because those variables are not available to this script. They are
+# available to bash commands run via "docker-compose exec keycloak bash
+# -c...", since they're defined in the docker-compose.yml.
+function _create_keycloak_user() {
+  local user_var=$1
+  local pw_var=$2
+  local email_var=$3
+
+  docker-compose exec -T \
+    ${KEYCLOAK_SERVICE_NAME} \
+    bash -c "/scripts/create_user \"$user_var\" \"$pw_var\" \"$email_var\""
+}
+
+function create_keycloak_users() {
+  echo "Defining keycloak client"
+
+  docker-compose exec -T ${KEYCLOAK_SERVICE_NAME} /scripts/create_client
+
+  echo "Creating user 'alice' in Keycloak"
+
+  # Note: We want to pass the bash command thru without expansion here.
+  # shellcheck disable=SC2016
+  _create_keycloak_user \
+    '$KEYCLOAK_APP_USER' \
+    '$KEYCLOAK_APP_USER_PASSWORD' \
+    '$KEYCLOAK_APP_USER_EMAIL'
+}
+
+function wait_for_keycloak_server() {
+  docker-compose exec -T \
+    ${KEYCLOAK_SERVICE_NAME} /scripts/wait_for_server
+}
+
+function fetch_keycloak_certificate() {
+  # there's a dep on the docker-compose.yml volumes.
+  # Fetch SSL cert to communicate with keycloak (OIDC provider).
+  echo "Initialize keycloak certificate in conjur server"
+  docker-compose exec -T \
+    conjur_5 /scripts/fetch_certificate
+}