Class: Conjur::API
- Inherits:
-
Object
show all
- Includes:
- Cast, Escape, LogSource, StandardMethods, Wrong
- Defined in:
- lib/conjur/base.rb,
lib/conjur/core-api.rb,
lib/conjur/api/audit.rb,
lib/conjur/api/authn.rb,
lib/conjur/api/hosts.rb,
lib/conjur/api/roles.rb,
lib/conjur/api/users.rb,
lib/conjur/layer-api.rb,
lib/conjur/api/groups.rb,
lib/conjur/api/layers.rb,
lib/conjur-api/version.rb,
lib/conjur/api/pubkeys.rb,
lib/conjur/api/secrets.rb,
lib/conjur/pubkeys-api.rb,
lib/conjur/api/deputies.rb,
lib/conjur/api/resources.rb,
lib/conjur/api/variables.rb
Constant Summary
collapse
- VERSION =
"4.10.2"
Instance Attribute Summary collapse
Class Method Summary
collapse
-
.authenticate(username, password) ⇒ Object
-
.core_asset_host ⇒ Object
-
.enroll_host(url) ⇒ Object
-
.layer_asset_host ⇒ Object
-
.login(username, password) ⇒ Object
Perform login by Basic authentication.
-
.login_cas(username, password, cas_api_url) ⇒ Object
Perform login by CAS authentication.
-
.new_from_key(username, api_key) ⇒ Object
-
.new_from_token(token) ⇒ Object
-
.parse_id(id, kind) ⇒ Object
Converts flat id into path components, with mixed-in “super-kind” (not that kind which is part of id) NOTE: name is a bit confusing, as result of ‘parse’ is just recombined representation of parts, not an object of higher abstraction level.
-
.parse_resource_id(id) ⇒ Object
Parse a resource id into [ account, ‘resources’, kind, id ].
-
.parse_role_id(id) ⇒ Object
Parse a role id into [ account, ‘roles’, kind, id ].
-
.pubkeys_asset_host ⇒ Object
-
.update_password(username, password, new_password) ⇒ Object
Instance Method Summary
collapse
-
#add_public_key(username, key) ⇒ Object
Add a public key for the given user.
-
#audit(options = {}, &block) ⇒ Object
Return all events visible to the current authorized role.
-
#audit_resource(resource, options = {}, &block) ⇒ Object
Return audit events related to the given resource.
-
#audit_role(role, options = {}, &block) ⇒ Object
Return audit events related to the given role_id.
-
#create_authn_user(login, options = {}) ⇒ Object
-
#create_deputy(options = {}) ⇒ Object
-
#create_group(id, options = {}) ⇒ Object
-
#create_host(options = {}) ⇒ Object
-
#create_layer(id, options = {}) ⇒ Object
-
#create_resource(identifier, options = {}) ⇒ Object
-
#create_role(role, options = {}) ⇒ Object
-
#create_secret(value, options = {}) ⇒ Object
-
#create_user(login, options = {}) ⇒ Object
-
#create_variable(mime_type, kind, options = {}) ⇒ Object
-
#credentials ⇒ Object
Authenticate the username and api_key to obtain a request token.
-
#current_role ⇒ Object
-
#delete_public_key(username, keyname) ⇒ Object
Delete a public key for the given user and key name.
-
#deputy(id) ⇒ Object
-
#find_users(options) ⇒ Object
-
#group(id) ⇒ Object
-
#groups(options = {}) ⇒ Object
-
#host(id) ⇒ Object
-
#initialize(username, api_key, token) ⇒ API
constructor
-
#layer(id) ⇒ Object
-
#layers(options = {}) ⇒ Object
-
#public_key(username, keyname) ⇒ Object
Return a specific public key for a given user and key name.
-
#public_keys(username) ⇒ Object
Return all of a user’s public keys, as a newline delimited string (the format expected by authorized-keys).
-
#resource(resource) ⇒ Object
-
#resources(opts = {}) ⇒ Object
Return all visible resources.
-
#role(role) ⇒ Object
-
#role_from_username(username) ⇒ Object
-
#role_name_from_username(username = self.username) ⇒ Object
-
#secret(id) ⇒ Object
-
#token ⇒ Object
-
#user(login) ⇒ Object
-
#variable(id) ⇒ Object
-
#variable_values(varlist) ⇒ Object
Methods included from LogSource
#log
Methods included from Escape
#fully_escape, included, #path_escape, #query_escape
Constructor Details
#initialize(username, api_key, token) ⇒ API
Returns a new instance of API.
95
96
97
98
99
100
101
|
# File 'lib/conjur/base.rb', line 95
def initialize username, api_key, token
@username = username
@api_key = api_key
@token = token
raise "Expecting ( username and api_key ) or token" unless ( username && api_key ) || token
end
|
Instance Attribute Details
#api_key ⇒ Object
Returns the value of attribute api_key.
103
104
105
|
# File 'lib/conjur/base.rb', line 103
def api_key
@api_key
end
|
#username ⇒ Object
Returns the value of attribute username.
103
104
105
|
# File 'lib/conjur/base.rb', line 103
def username
@username
end
|
Class Method Details
.authenticate(username, password) ⇒ Object
44
45
46
47
48
49
|
# File 'lib/conjur/api/authn.rb', line 44
def authenticate username, password
if Conjur.log
Conjur.log << "Authenticating #{username}\n"
end
JSON::parse(RestClient::Resource.new(Conjur::Authn::API.host)["users/#{fully_escape username}/authenticate"].post password, content_type: 'text/plain')
end
|
.core_asset_host ⇒ Object
24
25
26
|
# File 'lib/conjur/core-api.rb', line 24
def core_asset_host
::Conjur::Core::API.host
end
|
.enroll_host(url) ⇒ Object
26
27
28
29
30
31
32
33
34
35
36
37
|
# File 'lib/conjur/api/hosts.rb', line 26
def enroll_host(url)
if Conjur.log
Conjur.log << "Enrolling host with URL #{url}\n"
end
require 'uri'
url = URI.parse(url) if url.is_a?(String)
response = Net::HTTP.get_response url
raise "Host enrollment failed with status #{response.code} : #{response.body}" unless response.code.to_i == 200
mime_type = response['Content-Type']
body = response.body
[ mime_type, body ]
end
|
.layer_asset_host ⇒ Object
3
4
5
|
# File 'lib/conjur/layer-api.rb', line 3
def layer_asset_host
ENV["CONJUR_LAYER_ASSET_URL"] || Conjur::Core::API.host
end
|
.login(username, password) ⇒ Object
Perform login by Basic authentication.
27
28
29
30
31
32
|
# File 'lib/conjur/api/authn.rb', line 27
def login username, password
if Conjur.log
Conjur.log << "Logging in #{username} via Basic authentication\n"
end
RestClient::Resource.new(Conjur::Authn::API.host, user: username, password: password)['users/login'].get
end
|
.login_cas(username, password, cas_api_url) ⇒ Object
Perform login by CAS authentication.
35
36
37
38
39
40
41
42
|
# File 'lib/conjur/api/authn.rb', line 35
def login_cas username, password, cas_api_url
if Conjur.log
Conjur.log << "Logging in #{username} via CAS authentication\n"
end
require 'cas_rest_client'
client = CasRestClient.new(:username => username, :password => password, :uri => [ cas_api_url, 'v1', 'tickets' ].join('/'), :use_cookies => false)
client.get("#{Conjur::Authn::API.host}/users/login").body
end
|
.new_from_key(username, api_key) ⇒ Object
86
87
88
|
# File 'lib/conjur/base.rb', line 86
def new_from_key(username, api_key)
self.new username, api_key, nil
end
|
.new_from_token(token) ⇒ Object
90
91
92
|
# File 'lib/conjur/base.rb', line 90
def new_from_token(token)
self.new nil, nil, token
end
|
.parse_id(id, kind) ⇒ Object
Converts flat id into path components, with mixed-in “super-kind”
(not that kind which is part of id)
NOTE: name is a bit confusing, as result of ‘parse’ is just recombined
representation of parts, not an object of higher abstraction level
73
74
75
76
77
78
79
80
81
82
83
84
|
# File 'lib/conjur/base.rb', line 73
def parse_id(id, kind)
raise "Unexpected class #{id.class} for #{id}" unless id.is_a?(String)
paths = path_escape(id).split(':')
if paths.size < 2
raise "Expecting at least two tokens in #{id}"
elsif paths.size == 2
paths.unshift Conjur::Core::API.conjur_account
end
[ paths[0], kind, paths[1], paths[2..-1].join(':') ]
end
|
.parse_resource_id(id) ⇒ Object
Parse a resource id into [ account, ‘resources’, kind, id ]
58
59
60
61
62
63
64
65
66
67
|
# File 'lib/conjur/base.rb', line 58
def parse_resource_id(id)
id = id.resource if id.respond_to?(:resource)
if id.is_a?(Resource)
[ id.account, 'resources', id.kind, id.identifier ]
elsif id.respond_to?(:resource_kind)
[ Conjur::Core::API.conjur_account, 'resources', id.resource_kind, id.resource_id ]
else
parse_id id, 'resources'
end
end
|
.parse_role_id(id) ⇒ Object
Parse a role id into [ account, ‘roles’, kind, id ]
46
47
48
49
50
51
52
53
54
55
|
# File 'lib/conjur/base.rb', line 46
def parse_role_id(id)
id = id.role if id.respond_to?(:role)
if id.is_a?(Role)
[ id.account, 'roles', id.kind, id.identifier ]
elsif id.respond_to?(:role_kind)
[ Conjur::Core::API.conjur_account, 'roles', id.role_kind, id.identifier ]
else
parse_id id, 'roles'
end
end
|
.pubkeys_asset_host ⇒ Object
32
33
34
|
# File 'lib/conjur/pubkeys-api.rb', line 32
def pubkeys_asset_host
Conjur.configuration.pubkeys_url
end
|
.update_password(username, password, new_password) ⇒ Object
51
52
53
54
55
56
|
# File 'lib/conjur/api/authn.rb', line 51
def update_password username, password, new_password
if Conjur.log
Conjur.log << "Updating password for #{username}\n"
end
RestClient::Resource.new(Conjur::Authn::API.host, user: username, password: password)['users/password'].put new_password
end
|
Instance Method Details
#add_public_key(username, key) ⇒ Object
Add a public key for the given user
36
37
38
|
# File 'lib/conjur/api/pubkeys.rb', line 36
def add_public_key username, key
public_keys_resource(username).post key
end
|
#audit(options = {}, &block) ⇒ Object
Return all events visible to the current authorized role
25
26
27
|
# File 'lib/conjur/api/audit.rb', line 25
def audit options={}, &block
audit_event_feed "", options, &block
end
|
#audit_resource(resource, options = {}, &block) ⇒ Object
Return audit events related to the given resource
37
38
39
|
# File 'lib/conjur/api/audit.rb', line 37
def audit_resource resource, options={}, &block
audit_event_feed "resources/#{CGI.escape cast(resource, :resourceid)}", options, &block
end
|
#audit_role(role, options = {}, &block) ⇒ Object
Return audit events related to the given role_id. Identitical to audit_events except that a String may be given instead of a Role object.
32
33
34
|
# File 'lib/conjur/api/audit.rb', line 32
def audit_role role, options={}, &block
audit_event_feed "roles/#{CGI.escape cast(role, :roleid)}", options, &block
end
|
#create_authn_user(login, options = {}) ⇒ Object
Options: password
Response: login
api_key
65
66
67
68
69
70
|
# File 'lib/conjur/api/authn.rb', line 65
def create_authn_user login, options = {}
log do |logger|
logger << "Creating authn user #{login}"
end
JSON.parse RestClient::Resource.new(Conjur::Authn::API.host, credentials)['users'].post(options.merge(login: login))
end
|
#create_deputy(options = {}) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/deputies.rb', line 25
def create_deputy options = {}
standard_create Conjur::Core::API.host, :deputy, nil, options
end
|
#create_group(id, options = {}) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/groups.rb', line 29
def create_group(id, options = {})
standard_create Conjur::Core::API.host, :group, id, options
end
|
#create_host(options = {}) ⇒ Object
40
41
42
|
# File 'lib/conjur/api/hosts.rb', line 40
def create_host options = {}
standard_create Conjur::Core::API.host, :host, nil, options
end
|
#create_layer(id, options = {}) ⇒ Object
5
6
7
|
# File 'lib/conjur/api/layers.rb', line 5
def create_layer(id, options = {})
standard_create Conjur::API.layer_asset_host, :layer, id, options
end
|
#create_resource(identifier, options = {}) ⇒ Object
25
26
27
28
29
|
# File 'lib/conjur/api/resources.rb', line 25
def create_resource(identifier, options = {})
resource(identifier).tap do |r|
r.create(options)
end
end
|
#create_role(role, options = {}) ⇒ Object
25
26
27
28
29
|
# File 'lib/conjur/api/roles.rb', line 25
def create_role(role, options = {})
role(role).tap do |r|
r.create(options)
end
end
|
#create_secret(value, options = {}) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/secrets.rb', line 25
def create_secret(value, options = {})
standard_create Conjur::Core::API.host, :secret, nil, options.merge(value: value)
end
|
#create_user(login, options = {}) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/users.rb', line 25
def create_user(login, options = {})
standard_create Conjur::Core::API.host, :user, nil, options.merge(login: login)
end
|
#create_variable(mime_type, kind, options = {}) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/variables.rb', line 25
def create_variable(mime_type, kind, options = {})
standard_create Conjur::Core::API.host, :variable, nil, options.merge(mime_type: mime_type, kind: kind)
end
|
#credentials ⇒ Object
Authenticate the username and api_key to obtain a request token. Tokens are cached by username for a short period of time.
124
125
126
|
# File 'lib/conjur/base.rb', line 124
def credentials
{ headers: { authorization: "Token token=\"#{Base64.strict_encode64 token.to_json}\"" }, username: username }
end
|
#current_role ⇒ Object
35
36
37
|
# File 'lib/conjur/api/roles.rb', line 35
def current_role
role_from_username username
end
|
#delete_public_key(username, keyname) ⇒ Object
Delete a public key for the given user and key name
41
42
43
|
# File 'lib/conjur/api/pubkeys.rb', line 41
def delete_public_key username, keyname
public_keys_resource(username, keyname).delete
end
|
#deputy(id) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/deputies.rb', line 29
def deputy id
standard_show Conjur::Core::API.host, :deputy, id
end
|
#find_users(options) ⇒ Object
33
34
35
|
# File 'lib/conjur/api/users.rb', line 33
def find_users options
JSON.parse( RestClient::Resource.new(Conjur::Core::API.host, credentials)["users/search?#{options.to_query}"].get )
end
|
#group(id) ⇒ Object
33
34
35
|
# File 'lib/conjur/api/groups.rb', line 33
def group id
standard_show Conjur::Core::API.host, :group, id
end
|
#groups(options = {}) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/groups.rb', line 25
def groups(options={})
standard_list Conjur::Core::API.host, :group, options
end
|
#host(id) ⇒ Object
109
110
111
|
# File 'lib/conjur/base.rb', line 109
def host
self.class.host
end
|
#layers(options = {}) ⇒ Object
9
10
11
|
# File 'lib/conjur/api/layers.rb', line 9
def layers(options = {})
standard_list Conjur::API.layer_asset_host, :layer, options
end
|
#public_key(username, keyname) ⇒ Object
Return a specific public key for a given user and key name
31
32
33
|
# File 'lib/conjur/api/pubkeys.rb', line 31
def public_key username, keyname
public_keys_resource(username, keyname).get
end
|
#public_keys(username) ⇒ Object
Return all of a user’s public keys, as a newline delimited string (the format expected by authorized-keys)
26
27
28
|
# File 'lib/conjur/api/pubkeys.rb', line 26
def public_keys username
public_keys_resource(username).get
end
|
#resource(resource) ⇒ Object
31
32
33
|
# File 'lib/conjur/api/resources.rb', line 31
def resource resource
Resource.new(Conjur::Authz::API.host, credentials)[self.class.parse_resource_id(resource).join('/')]
end
|
#resources(opts = {}) ⇒ Object
Return all visible resources. In opts you should pass an account to filter by, and optionally a kind.
37
38
39
40
41
42
43
44
45
46
|
# File 'lib/conjur/api/resources.rb', line 37
def resources opts = {}
opts = { host: Conjur::Authz::API.host, credentials: credentials }.merge opts
opts[:account] ||= Conjur.account
Resource.all(opts).map do |result|
resource(result['id']).tap do |r|
r.attributes = result
end
end
end
|
#role(role) ⇒ Object
31
32
33
|
# File 'lib/conjur/api/roles.rb', line 31
def role role
Role.new(Conjur::Authz::API.host, credentials)[self.class.parse_role_id(role).join('/')]
end
|
#role_from_username(username) ⇒ Object
39
40
41
|
# File 'lib/conjur/api/roles.rb', line 39
def role_from_username username
role(role_name_from_username username)
end
|
#role_name_from_username(username = self.username) ⇒ Object
43
44
45
46
47
48
49
50
|
# File 'lib/conjur/api/roles.rb', line 43
def role_name_from_username username = self.username
tokens = username.split('/')
if tokens.size == 1
[ 'user', username ].join(':')
else
[ tokens[0], tokens[1..-1].join('/') ].join(':')
end
end
|
#secret(id) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/secrets.rb', line 29
def secret id
standard_show Conjur::Core::API.host, :secret, id
end
|
#token ⇒ Object
113
114
115
116
117
118
119
120
|
# File 'lib/conjur/base.rb', line 113
def token
@token = nil unless token_valid?
@token ||= Conjur::API.authenticate(@username, @api_key)
assert { token_valid? }
return @token
end
|
#user(login) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/users.rb', line 29
def user login
standard_show Conjur::Core::API.host, :user, login
end
|
#variable(id) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/variables.rb', line 29
def variable id
standard_show Conjur::Core::API.host, :variable, id
end
|
#variable_values(varlist) ⇒ Object
33
34
35
36
37
38
39
40
41
42
43
|
# File 'lib/conjur/api/variables.rb', line 33
def variable_values(varlist)
raise ArgumentError, "Variables list must be an array" unless varlist.kind_of? Array
raise ArgumentError, "Variables list is empty" if varlist.empty?
opts = "?vars=#{varlist.map { |v| fully_escape(v) }.join(',')}"
begin
resp = RestClient::Resource.new(Conjur::Core::API.host, self.credentials)['variables/values'+opts].get
return JSON.parse( resp.body )
rescue RestClient::ResourceNotFound
return Hash[ *varlist.map { |v| [ v, variable(v).value ] }.flatten ]
end
end
|