conjur-asset-proxy-basic-demo 0.5.3
- checksums.yaml +15 -0
- data/.gitignore +22 -0
- data/.project +18 -0
- data/Gemfile +6 -0
- data/LICENSE.txt +22 -0
- data/Makefile +22 -0
- data/README.md +42 -0
- data/Rakefile +25 -0
- data/conjur-asset-proxy-basic-demo.gemspec +32 -0
- data/lib/conjur-asset-proxy.rb +22 -0
- data/lib/conjur/asset/proxy/version.rb +27 -0
- data/lib/conjur/command/proxy.rb +124 -0
- data/lib/conjur/proxy.rb +121 -0
- data/policy.rb +6 -0
- data/test-basic/Makefile +18 -0
- data/test-basic/test-data.rb +2 -0
- data/test-basic/test-policy.rb +6 -0
- metadata +216 -0
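--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+metadata.gz: !binary |-
+ZmY4OGVmY2YxMjNjNjZiMzRlNDM0MThkZWNlYWVmNzg3NzBjNjMyOA==
+data.tar.gz: !binary |-
+Yjg1NzA0OGZmYThmMzAyZjFiMmY2ZDk0Nzk2MjdmOWFiNWI3MDZlNg==
+SHA512:
+metadata.gz: !binary |-
+ZDMzY2M5NGFjN2ZiOTE5OGI4MjFkOWRiYjI0YTM3ZDI5Y2Y2Njg1MjFjZjdh
+Y2ZkYzY0ZTdiNGVmMGJjMjIxMjU0ZGFlZjIwZDkxNWY4NjU3MGI0OTE5ODg4
+NTk1YjEzNWYzZTY2NTNjMzhkZjE4MjI5YzAzNDExZmVhMzI1MTE=
+data.tar.gz: !binary |-
+MGY1YTViYjYzYmJkZTBmYzcxZTQ0NTUxZTJmYTJhODczMTAyZWRlYjI4OTQ1
+Njc4YmM5ZGU2NDgyMmYyY2ViMDRjYjhmZGJjMWFhZWQ4MDU4MzEyNDllNmQ5
+NmFmOTA3YTU4MmJmOWJjNmRjMDhiOWY0YzVjMzM4M2Y1NjM1MDU=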
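--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log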
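--- a/data/.project
+++ b/data/.project
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+<name>conjur-asset-proxy-basic-demo</name>
+<comment></comment>
+<projects>
+</projects>
+<buildSpec>
+<buildCommand>
+<name>com.aptana.ide.core.unifiedBuilder</name>
+<arguments>
+</arguments>
+</buildCommand>
+</buildSpec>
+<natures>
+<nature>com.aptana.ruby.core.rubynature</nature>
+<nature>com.aptana.projects.webnature</nature>
+</natures>
+</projectDescription>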
data/Gemfile
ADDED
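--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -0,0 +1,22 @@
+Copyright (c) 2014 Conjur Inc.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.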
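--- a/data/Makefile
+++ b/data/Makefile
@@ -0,0 +1,22 @@
+name=proxy-basic-demo
+old_version=0.5.3
+version=0.6.0
+
+build: clean
+gem build conjur-asset-$(name).gemspec
+
+install: build
+gem install conjur-asset-$(name)-$(version).gem
+conjur plugin install -v $(version) $(name)
+
+clean:
+#conjur plugin uninstall fails when there is
+#a bug in the plugin, so we need to manuall remove the plugin
+cat ~/.conjurrc | grep -v $(name) > /tmp/.conjurrc-$(name)
+mv /tmp/.conjurrc-$(name) ~/.conjurrc
+touch conjur-asset-$(name)-$(old_version).gem
+rm conjur-asset-$(name)-$(old_version).gem
+
+test-conjur:
+conjur proxy http://httpbin.org
+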
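Review bot: `version=0.6.0` on line 3 disagrees with `VERSION = "0.5.3"` in lib/conjur/asset/proxy/version.rb added by this same change, so `gem build` writes `conjur-asset-proxy-basic-demo-0.5.3.gem` and the `install` recipe then looks for a `-0.6.0.gem` that does not exist; derive it from the one source of truth, e.g. `version := $(shell ruby -Ilib -rconjur/asset/proxy/version -e 'puts Conjur::Asset::Proxy::VERSION')`. The `clean` recipe also rewrites `~/.conjurrc` through the fixed, predictable path `/tmp/.conjurrc-$(name)`, which any other local user can pre-create or symlink before the `mv` runs; create the scratch file with `mktemp` next to the target instead: `tmp=$$(mktemp "$$HOME/.conjurrc.XXXXXX") && grep -v '$(name)' ~/.conjurrc > "$$tmp" && mv "$$tmp" ~/.conjurrc`. None of the four targets is a file, so add `.PHONY: build install clean test-conjur`. The recipe lines appear here without their leading tabs, presumably lost in rendering.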
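--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,42 @@
+# Conjur::Asset::Proxy
+
+Simple HTTP proxy which adds Conjur authentication headers.
+
+## Installation
+
+$ conjur plugin install proxy
+
+## Usage
+
+$ conjur proxy http://protected-service.example.com
+
+Conjur proxy to http://protected-service.example.com started on http://localhost:32123
+Press Ctrl-C to stop.
+## Working with Plugins
+To change the version of the plugin - you modify the lib/conjur/asset/proxy/version.rb file
+```
+module Conjur
+module Asset
+module Proxy
+VERSION = "0.5.3"
+end
+end
+end
+```
+To change the description when you run conjur plugin show, modify the conjur-asset-proxy.gemspec
+```
+spec.name = "conjur-asset-proxy-basic-demo"
+spec.version = Conjur::Asset::Proxy::VERSION
+spec.authors = ["Rafa Rzepecki", "Mikalai Sevastsyana","Josh Bregman"]
+spec.email = ["rafal@conjur.net", "mikalai@conjur.net","josh.bregman@conjur.net"]
+spec.summary = %q{Simple HTTP proxy which adds authentication headers from Conjur"}
+spec.homepage = "https://github.com/conjurinc/conjur-asset-proxy-basic-demo"
+spec.license = "MIT"
+```
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/conjur-asset-proxy/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request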
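--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,25 @@
+require "bundler/gem_tasks"
+
+desc "Update copyright headers"
+task :headers do
+require 'rubygems'
+require 'copyright_header'
+
+args = {
+:license => 'MIT',
+:copyright_software => 'Conjur CLI proxy plugin',
+:copyright_software_description => "Simple HTTP proxy which adds authentication headers from Conjurs",
+:copyright_holders => ['Conjur Inc.'],
+:copyright_years => ['2016'],
+:add_path => 'lib',
+:output_dir => './'
+}
+
+command_line = CopyrightHeader::CommandLine.new( args )
+command_line.execute
+end
+
+task :jenkins do
+# TODO
+puts "No tests, maybe add some specs?"
+end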
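Review bot: `:copyright_software_description` on line 11 reads "from Conjurs", a typo that `rake headers` would stamp into every file under lib/; it should say `from Conjur`. `:copyright_years => ['2016']` on line 13 also differs from the `Copyright (C) 2014` lines already in the lib/ headers added in this change, so running the task would presumably rewrite them — worth confirming that is intended. The `jenkins` task always succeeds while only printing that there are no tests, so CI cannot fail on this gem; a comment such as `# placeholder: CI entry point, no specs exist yet` above it would at least make that explicit.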
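--- a/data/conjur-asset-proxy-basic-demo.gemspec
+++ b/data/conjur-asset-proxy-basic-demo.gemspec
@@ -0,0 +1,32 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'conjur/asset/proxy/version'
+
+Gem::Specification.new do |spec|
+spec.name = "conjur-asset-proxy-basic-demo"
+spec.version = Conjur::Asset::Proxy::VERSION
+spec.authors = ["Rafał Rzepecki", "Mikalai Sevastsyana","Josh Bregman"]
+spec.email = ["rafal@conjur.net", "mikalai@conjur.net","josh.bregman@conjur.net"]
+spec.summary = %q{Simple HTTP proxy which adds authentication headers from Conjur"}
+spec.homepage = "https://github.com/conjurinc/conjur-asset-proxy-basic-demo"
+spec.license = "MIT"
+
+spec.files = `git ls-files -z`.split("\x0")
+spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
+spec.require_paths = ["lib"]
+
+spec.add_dependency "gli", "~> 2.12"
+
+spec.add_runtime_dependency "conjur-cli", "~> 4.12"
+spec.add_runtime_dependency "rack", "~> 1.5"
+spec.add_runtime_dependency "rack-streaming-proxy", "~> 2.0"
+spec.add_runtime_dependency "unicorn", ">= 4.8.3", "~> 4.8"
+spec.add_runtime_dependency "unicorn-rails", ">= 2.2.0", "~> 2.2"
+spec.add_runtime_dependency "escape_utils", "~> 1.0"
+
+spec.add_development_dependency "bundler", "~> 1.6"
+spec.add_development_dependency "rake"
+spec.add_development_dependency "copyright-header"
+end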
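Review bot: `spec.summary` on line 11 ends with a stray double quote inside the `%q{…}` literal, so the published summary is `…from Conjur"` — it is visible that way in the generated `metadata` file of this same change; change it to `spec.summary = %q{Simple HTTP proxy which adds authentication headers from Conjur}`. The same string is reproduced in README.md and should be fixed together with it.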
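--- a/data/lib/conjur-asset-proxy.rb
+++ b/data/lib/conjur-asset-proxy.rb
@@ -0,0 +1,22 @@
+#
+# Copyright (C) 2014 Conjur Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+require 'conjur/asset/proxy/version'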
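--- a/data/lib/conjur/asset/proxy/version.rb
+++ b/data/lib/conjur/asset/proxy/version.rb
@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2014 Conjur Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+module Conjur
+module Asset
+module Proxy
+VERSION = "0.5.3"
+end
+end
+end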
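--- a/data/lib/conjur/command/proxy.rb
+++ b/data/lib/conjur/command/proxy.rb
@@ -0,0 +1,124 @@
+#
+# Copyright (C) 2014 Conjur Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+class Conjur::Command::Proxy < Conjur::Command
+desc "Proxy to a protected HTTP service"
+long_desc <<-DESC
+Launch an HTTP proxy to a protected service.
+
+If the service is protected by Conjur, then the proxy adds a Conjur authorization header to every request. This allows eg. using browser to access
+a UI of a Conjur-protected web application.
+
+If the service is protected by basic authentication, then the proxy retrives the username and password from Conjur, and adds them to the authorization header of every request.
+
+The proxy will keep running until terminated.
+DESC
+
+arg :url
+command :proxy do |c|
+c.flag :p, :port,
+desc: "port to bind to",
+default_value: 8080,
+type: Integer
+
+c.flag :a, :address,
+desc: "address to bind to",
+default_value: "127.0.0.1"
+
+c.switch :k,
+desc: "Don't verificate HTTPS certificate"
+
+c.flag :cacert,
+desc: "Verify SSL using the provided cert file"
+
+c.flag :u, :basic_username,
+desc: "Conjur variable for the username added to the basic authorization header"
+
+c.flag :w, :basic_password,
+desc: "Conjur variable for the password added to the basic authorzation header"
+
+c.flag :t, :auth_type,
+desc: "The authentication type for the proxy - conjur or basic",
+default_value: "conjur"
+
+c.action do |global_options, options, args|
+url = args.shift or help_now!("missing URL")
+
+#check the auth_type
+if options[:t] == "basic"
+
+
+username = options[:u]
+if username.blank?
+help_now!("--u is required for --t basic")
+else
+#check if the proxy has execute permission on the variable
+username_resource = api.variable(username).resource
+
+unless username_resource.permitted? 'execute'
+help_now!("proxy does not have execute permission on #{username}")
+end
+end
+
+
+password = options[:w]
+if password.blank?
+help_now!("--w is required for --t basic")
+else
+#check if the proxy has execute permission on the variable
+password_resource = api.variable(password).resource
+
+unless password_resource.permitted? 'execute'
+help_now!("proxy does not have execute permission on #{password}")
+end
+end
+elsif options[:t] == "conjur"
+## NOOP
+else
+help_now!("Invalid auth_type: #{options[:t]}")
+end
+
+if options[:k]
+options[:insecure] = true
+end
+
+unless url.start_with?('http://') || url.start_with?('https://')
+url = url.gsub(/^(.+?\:(\/)?(\/)?)?/, 'https://')
+end
+
+require 'uri'
+
+uri = URI.parse(url)
+uri.path = ''
+uri.query = nil
+
+url = uri.to_s
+
+options.slice! :port, :address, :insecure, :cacert, :t, :u, :w
+options.delete :port unless options[:port].respond_to? :to_i
+
+require 'conjur/proxy'
+print options
+print "-------"
+Conjur::Proxy.new(url, api).start options
+end
+end
+end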
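Review bot: `print options` and `print "-------"` on lines 119–120 look like leftover debugging: they dump the whole options hash (port, address, cacert path, variable ids) to stdout on every start and should be removed before release. The error strings on lines 71 and 84 name the flags as `--u`/`--t`, but they are declared as single-dash short options with long forms `--basic_username`/`--auth_type`; quote them as `help_now!("-u/--basic_username is required for -t basic")` and likewise for `-w`. User-facing text carries typos (`verificate` on line 47, `authorzation` on line 56, `retrives` on line 30), and the `-k` description should say that it turns off certificate verification for all HTTPS connections, since that is what the `insecure` option does in Conjur::Proxy#configure. `username.blank?` and `options.slice!` are ActiveSupport core extensions that nothing in this file requires — presumably conjur-cli loads them; a one-line comment saying so would save the next reader a search. The README added in the same change shows the proxy starting on port 32123, which disagrees with the `8080` default on line 39.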
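--- a/data/lib/conjur/proxy.rb
+++ b/data/lib/conjur/proxy.rb
@@ -0,0 +1,121 @@
+#
+# Copyright (C) 2014 Conjur Inc.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+require 'rack'
+require 'rack/streaming_proxy'
+require 'unicorn-rails'
+
+module Conjur
+class Proxy
+def initialize url, conjur
+@conjur = conjur
+@proxy = Rack::StreamingProxy::Proxy.new nil do |request|
+ret = "#{url}#{request.path}"
+
+unless request.query_string.empty?
+ret = "#{ret}?#{request.query_string}"
+end
+
+ret
+end
+
+#Added support for multiple authorization headers
+@auth_method = "conjur"
+@basic_username = ""
+@basic_password = ""
+end
+
+attr_reader :proxy, :conjur, :auth_method, :basic_username, :basic_password
+
+def call env
+
+if @auth_method == "basic"
+header = Base64.strict_encode64(@basic_username+':'+@basic_password)
+authorization_header = 'Basic '+header
+env['HTTP_AUTHORIZATION'] = authorization_header
+else
+env['HTTP_AUTHORIZATION'] = conjur.credentials[:headers][:authorization]
+end
+
+if (env['REQUEST_METHOD'] == 'POST' || env['REQUEST_METHOD'] == 'PUT')
+if !env.include?('CONTENT_LENGTH') && (!env.include?('TRANSFER_ENCODING') ||
+env['TRANSFER_ENCODING'] != 'chunked')
+env['CONTENT_LENGTH'] = '0'
+end
+end
+
+ret = proxy.call env
+
+# hack for Docker Hub & Registry API
+if ret[1].include?('x-docker-endpoints')
+ret[1]['x-docker-endpoints'] = env['HTTP_HOST']
+end
+
+ret
+end
+
+def configure options = {}
+if options[:insecure]
+Net::HTTP.class_eval do
+def use_ssl=(flag)
+flag = flag ? true : false
+if started? and @use_ssl != flag
+raise IOError, "use_ssl value changed, but session already started"
+end
+@use_ssl = flag
+
+self.verify_mode = OpenSSL::SSL::VERIFY_NONE
+end
+end
+end
+
+if options[:cacert]
+OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE.add_file options[:cacert]
+end
+
+Rack::StreamingProxy::Session.class_eval do
+# set timeout to 30 min, 30 seconds is not enought for uploading
+def start
+@piper = Servolux::Piper.new 'r', timeout: 1600
+@piper.child { child }
+@piper.parent { parent }
+end
+end
+
+#check if the auth method is basic
+if options[:t] == "basic"
+
+@auth_method = "basic"
+@basic_username = @conjur.variable(options[:u]).value
+@basic_password = @conjur.variable(options[:w]).value
+
+
+end
+
+end
+
+def start options = {}
+configure options
+
+Rack::Server.start app: self, Port: options[:port] || 8080, Host: options[:address] || '127.0.0.1'
+end
+end
+end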
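Review bot: With `options[:insecure]` (the `-k` switch) `configure` reopens `Net::HTTP#use_ssl=` process-wide and forces `verify_mode = VERIFY_NONE`, so certificate verification is disabled for every HTTPS connection in the process — including the Conjur API calls made through `@conjur` (`credentials`, `variable(...).value`) that fetch the secrets — not only for the upstream service being proxied; either scope the override to the Net::HTTP instance rack-streaming-proxy creates, or at least state in the class comment and the `-k` flag description that it also affects the Conjur connection. `call` uses `Base64.strict_encode64` but this file does not `require 'base64'`; it presumably works only because a dependency loads it, so add `require 'base64'` next to the other requires on lines 22–24. `call` overwrites the `Authorization` header of every request that reaches the listener without authenticating the client, so the `127.0.0.1` default in `start` is what keeps the credential-injecting proxy off the network — worth a sentence in the class comment so nobody passes `-a 0.0.0.0` casually. Minor: the comment on line 95 says 30 minutes but `timeout: 1600` is about 27.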
data/policy.rb
ADDED
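--- a/data/test-basic/Makefile
+++ b/data/test-basic/Makefile
@@ -0,0 +1,18 @@
+name=proxy
+old_version=0.5.3
+version=0.6
+
+default: test
+
+test:
+conjur plugin show $(name)
+conjur policy load --collection $(name)/$(version) test-policy.rb
+#conjur script execute --collection $(name)/$(version) test-data.rb
+conjur variable values add $(name)/$(version)/test/password test
+conjur variable values add $(name)/$(version)/test/username test
+conjur proxy -t basic \
+-u $(name)/$(version)/test/username \
+-w $(name)/$(version)/test/password \
+http://browserspy.dk &
+sleep 10
+curl http://localhost:8080/password-ok.php | grep Success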
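Review bot: The proxy started with `&` on lines 13–16 is never stopped: each recipe line runs in its own shell, so nothing holds its PID, and after `make test` returns it keeps listening on port 8080 with the test credentials loaded, and the next run fails to bind. Run the proxy, the wait and the curl in one shell with an EXIT trap so the child is killed whether or not the check passes (rewrite below); `curl -f` additionally makes an HTTP error fail the test instead of feeding grep an error page. `sleep 10` is a fixed race against startup; polling the port would be more reliable, but I cannot tell from here how long `conjur proxy` takes to come up. `default` and `test` are not files, so add `.PHONY: default test`; the leading tabs of the recipe lines appear to have been stripped by the page rendering.
```make
test:
	# … unchanged: plugin show, policy load, variable values add …
	conjur proxy -t basic \
	  -u $(name)/$(version)/test/username \
	  -w $(name)/$(version)/test/password \
	  http://browserspy.dk & pid=$$!; trap 'kill $$pid' EXIT; \
	sleep 10; \
	curl -fsS http://localhost:8080/password-ok.php | grep Success
```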
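--- a/metadata
+++ b/metadata
@@ -0,0 +1,216 @@
+--- !ruby/object:Gem::Specification
+name: conjur-asset-proxy-basic-demo
+version: !ruby/object:Gem::Version
+version: 0.5.3
+platform: ruby
+authors:
+- Rafał Rzepecki
+- Mikalai Sevastsyana
+- Josh Bregman
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-02-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: gli
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '2.12'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '2.12'
+- !ruby/object:Gem::Dependency
+name: conjur-cli
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '4.12'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '4.12'
+- !ruby/object:Gem::Dependency
+name: rack
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.5'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.5'
+- !ruby/object:Gem::Dependency
+name: rack-streaming-proxy
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '2.0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '2.0'
+- !ruby/object:Gem::Dependency
+name: unicorn
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: 4.8.3
+- - ~>
+- !ruby/object:Gem::Version
+version: '4.8'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: 4.8.3
+- - ~>
+- !ruby/object:Gem::Version
+version: '4.8'
+- !ruby/object:Gem::Dependency
+name: unicorn-rails
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: 2.2.0
+- - ~>
+- !ruby/object:Gem::Version
+version: '2.2'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: 2.2.0
+- - ~>
+- !ruby/object:Gem::Version
+version: '2.2'
+- !ruby/object:Gem::Dependency
+name: escape_utils
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.0'
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.6'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.6'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: copyright-header
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+description:
+email:
+- rafal@conjur.net
+- mikalai@conjur.net
+- josh.bregman@conjur.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .project
+- Gemfile
+- LICENSE.txt
+- Makefile
+- README.md
+- Rakefile
+- conjur-asset-proxy-basic-demo.gemspec
+- lib/conjur-asset-proxy.rb
+- lib/conjur/asset/proxy/version.rb
+- lib/conjur/command/proxy.rb
+- lib/conjur/proxy.rb
+- policy.rb
+- test-basic/Makefile
+- test-basic/test-data.rb
+- test-basic/test-policy.rb
+homepage: https://github.com/conjurinc/conjur-asset-proxy-basic-demo
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: Simple HTTP proxy which adds authentication headers from Conjur"
+test_files: []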