Class: Conjur::API
- Inherits:
-
Object
show all
- Includes:
- Escape, LogSource, StandardMethods
- Defined in:
- lib/conjur/base.rb,
lib/conjur/core-api.rb,
lib/conjur/api/audit.rb,
lib/conjur/api/authn.rb,
lib/conjur/api/hosts.rb,
lib/conjur/api/roles.rb,
lib/conjur/api/users.rb,
lib/conjur/api/groups.rb,
lib/conjur-api/version.rb,
lib/conjur/api/secrets.rb,
lib/conjur/api/deputies.rb,
lib/conjur/api/resources.rb,
lib/conjur/api/variables.rb
Constant Summary
collapse
- VERSION =
"4.4.1"
Instance Attribute Summary collapse
Class Method Summary
collapse
-
.authenticate(username, password) ⇒ Object
-
.core_asset_host ⇒ Object
-
.enroll_host(url) ⇒ Object
-
.login(username, password) ⇒ Object
Perform login by Basic authentication.
-
.login_cas(username, password, cas_api_url) ⇒ Object
Perform login by CAS authentication.
-
.new_from_key(username, api_key) ⇒ Object
-
.new_from_token(token) ⇒ Object
-
.parse_id(id, kind) ⇒ Object
Converts flat id into path components, with mixed-in “super-kind” (not that kind which is part of id) NOTE: name is a bit confusing, as result of ‘parse’ is just recombined representation of parts, not an object of higher abstraction level.
-
.parse_resource_id(id) ⇒ Object
Parse a resource id into [ account, ‘resources’, kind, id ].
-
.parse_role_id(id) ⇒ Object
Parse a role id into [ account, ‘roles’, kind, id ].
-
.update_password(username, password, new_password) ⇒ Object
Instance Method Summary
collapse
-
#audit_current_role(options = {}) ⇒ Object
Return audit events related to the current authenticated role.
-
#audit_resource(resource, options = {}) ⇒ Object
Return audit events related to the given resource.
-
#audit_role(role, options = {}) ⇒ Object
Return audit events related to the given role_id.
-
#create_authn_user(login, options = {}) ⇒ Object
-
#create_deputy(options) ⇒ Object
-
#create_group(id, options = {}) ⇒ Object
-
#create_host(options) ⇒ Object
-
#create_resource(identifier, options = {}) ⇒ Object
-
#create_role(role, options = {}) ⇒ Object
-
#create_secret(value, options = {}) ⇒ Object
-
#create_user(login, options = {}) ⇒ Object
-
#create_variable(mime_type, kind, options = {}) ⇒ Object
-
#credentials ⇒ Object
Authenticate the username and api_key to obtain a request token.
-
#current_role ⇒ Object
-
#deputy(id) ⇒ Object
-
#group(id) ⇒ Object
-
#groups(options = {}) ⇒ Object
-
#host(id) ⇒ Object
-
#initialize(username, api_key, token) ⇒ API
constructor
-
#resource(identifier) ⇒ Object
-
#resources(opts = {}) ⇒ Object
Return all visible resources.
-
#role(role) ⇒ Object
-
#role_from_username(username) ⇒ Object
-
#role_name_from_username(username = self.username) ⇒ Object
-
#secret(id) ⇒ Object
-
#token ⇒ Object
-
#user(login) ⇒ Object
-
#variable(id) ⇒ Object
Methods included from LogSource
#log
Methods included from Escape
#fully_escape, included, #path_escape, #query_escape
Constructor Details
#initialize(username, api_key, token) ⇒ API
Returns a new instance of API.
91
92
93
94
95
96
97
|
# File 'lib/conjur/base.rb', line 91
def initialize username, api_key, token
@username = username
@api_key = api_key
@token = token
raise "Expecting ( username and api_key ) or token" unless ( username && api_key ) || token
end
|
Instance Attribute Details
#api_key ⇒ Object
Returns the value of attribute api_key.
99
100
101
|
# File 'lib/conjur/base.rb', line 99
def api_key
@api_key
end
|
#username ⇒ Object
Returns the value of attribute username.
99
100
101
|
# File 'lib/conjur/base.rb', line 99
def username
@username
end
|
Class Method Details
.authenticate(username, password) ⇒ Object
44
45
46
47
48
49
|
# File 'lib/conjur/api/authn.rb', line 44
def authenticate username, password
if Conjur.log
Conjur.log << "Authenticating #{username}\n"
end
JSON::parse(RestClient::Resource.new(Conjur::Authn::API.host)["users/#{fully_escape username}/authenticate"].post password, content_type: 'text/plain')
end
|
.core_asset_host ⇒ Object
24
25
26
|
# File 'lib/conjur/core-api.rb', line 24
def core_asset_host
::Conjur::Core::API.host
end
|
.enroll_host(url) ⇒ Object
26
27
28
29
30
31
32
33
34
35
36
37
|
# File 'lib/conjur/api/hosts.rb', line 26
def enroll_host(url)
if Conjur.log
Conjur.log << "Enrolling host with URL #{url}\n"
end
require 'uri'
url = URI.parse(url) if url.is_a?(String)
response = Net::HTTP.get_response url
raise "Host enrollment failed with status #{response.code} : #{response.body}" unless response.code.to_i == 200
mime_type = response['Content-Type']
body = response.body
[ mime_type, body ]
end
|
.login(username, password) ⇒ Object
Perform login by Basic authentication.
27
28
29
30
31
32
|
# File 'lib/conjur/api/authn.rb', line 27
def login username, password
if Conjur.log
Conjur.log << "Logging in #{username} via Basic authentication\n"
end
RestClient::Resource.new(Conjur::Authn::API.host, user: username, password: password)['users/login'].get
end
|
.login_cas(username, password, cas_api_url) ⇒ Object
Perform login by CAS authentication.
35
36
37
38
39
40
41
42
|
# File 'lib/conjur/api/authn.rb', line 35
def login_cas username, password, cas_api_url
if Conjur.log
Conjur.log << "Logging in #{username} via CAS authentication\n"
end
require 'cas_rest_client'
client = CasRestClient.new(:username => username, :password => password, :uri => [ cas_api_url, 'v1', 'tickets' ].join('/'), :use_cookies => false)
client.get("#{Conjur::Authn::API.host}/users/login").body
end
|
.new_from_key(username, api_key) ⇒ Object
82
83
84
|
# File 'lib/conjur/base.rb', line 82
def new_from_key(username, api_key)
self.new username, api_key, nil
end
|
.new_from_token(token) ⇒ Object
86
87
88
|
# File 'lib/conjur/base.rb', line 86
def new_from_token(token)
self.new nil, nil, token
end
|
.parse_id(id, kind) ⇒ Object
Converts flat id into path components, with mixed-in “super-kind”
(not that kind which is part of id)
NOTE: name is a bit confusing, as result of ‘parse’ is just recombined
representation of parts, not an object of higher abstraction level
69
70
71
72
73
74
75
76
77
78
79
80
|
# File 'lib/conjur/base.rb', line 69
def parse_id(id, kind)
raise "Unexpected class #{id.class} for #{id}" unless id.is_a?(String)
paths = path_escape(id).split(':')
if paths.size < 2
raise "Expecting at least two tokens in #{id}"
elsif paths.size == 2
paths.unshift Conjur::Core::API.conjur_account
end
[ paths[0], kind, paths[1], paths[2..-1].join(':') ]
end
|
.parse_resource_id(id) ⇒ Object
Parse a resource id into [ account, ‘resources’, kind, id ]
54
55
56
57
58
59
60
61
62
63
|
# File 'lib/conjur/base.rb', line 54
def parse_resource_id(id)
id = id.resource if id.respond_to?(:resource)
if id.is_a?(Resource)
[ id.account, 'resources', id.kind, id.identifier ]
elsif id.respond_to?(:resource_kind)
[ Conjur::Core::API.conjur_account, 'resources', id.resource_kind, id.resource_id ]
else
parse_id id, 'resources'
end
end
|
.parse_role_id(id) ⇒ Object
Parse a role id into [ account, ‘roles’, kind, id ]
42
43
44
45
46
47
48
49
50
51
|
# File 'lib/conjur/base.rb', line 42
def parse_role_id(id)
id = id.role if id.respond_to?(:role)
if id.is_a?(Role)
[ id.account, 'roles', id.kind, id.identifier ]
elsif id.respond_to?(:role_kind)
[ Conjur::Core::API.conjur_account, 'roles', id.role_kind, id.identifier ]
else
parse_id id, 'roles'
end
end
|
.update_password(username, password, new_password) ⇒ Object
51
52
53
54
55
56
|
# File 'lib/conjur/api/authn.rb', line 51
def update_password username, password, new_password
if Conjur.log
Conjur.log << "Updating password for #{username}\n"
end
RestClient::Resource.new(Conjur::Authn::API.host, user: username, password: password)['users/password'].put new_password
end
|
Instance Method Details
#audit_current_role(options = {}) ⇒ Object
Return audit events related to the current authenticated role.
31
32
33
|
# File 'lib/conjur/api/audit.rb', line 31
def audit_current_role options={}
audit_event_feed 'role', nil, options
end
|
#audit_resource(resource, options = {}) ⇒ Object
Return audit events related to the given resource
36
37
38
|
# File 'lib/conjur/api/audit.rb', line 36
def audit_resource resource, options={}
audit_event_feed 'resource', (resource.resourceid rescue resource), options
end
|
#audit_role(role, options = {}) ⇒ Object
Return audit events related to the given role_id. Identitical to audit_events except that a String may be given instead of a Role object.
25
26
27
|
# File 'lib/conjur/api/audit.rb', line 25
def audit_role role, options={}
audit_event_feed 'role', (role.roleid rescue role), options
end
|
#create_authn_user(login, options = {}) ⇒ Object
Options: password
Response: login
api_key
65
66
67
68
69
70
|
# File 'lib/conjur/api/authn.rb', line 65
def create_authn_user login, options = {}
log do |logger|
logger << "Creating authn user #{login}"
end
JSON.parse RestClient::Resource.new(Conjur::Authn::API.host, credentials)['users'].post(options.merge(login: login))
end
|
#create_deputy(options) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/deputies.rb', line 25
def create_deputy options
standard_create Conjur::Core::API.host, :deputy, nil, options
end
|
#create_group(id, options = {}) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/groups.rb', line 29
def create_group(id, options = {})
standard_create Conjur::Core::API.host, :group, id, options
end
|
#create_host(options) ⇒ Object
40
41
42
|
# File 'lib/conjur/api/hosts.rb', line 40
def create_host options
standard_create Conjur::Core::API.host, :host, nil, options
end
|
#create_resource(identifier, options = {}) ⇒ Object
25
26
27
28
29
|
# File 'lib/conjur/api/resources.rb', line 25
def create_resource(identifier, options = {})
resource(identifier).tap do |r|
r.create(options)
end
end
|
#create_role(role, options = {}) ⇒ Object
25
26
27
28
29
|
# File 'lib/conjur/api/roles.rb', line 25
def create_role(role, options = {})
role(role).tap do |r|
r.create(options)
end
end
|
#create_secret(value, options = {}) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/secrets.rb', line 25
def create_secret(value, options = {})
standard_create Conjur::Core::API.host, :secret, nil, options.merge(value: value)
end
|
#create_user(login, options = {}) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/users.rb', line 25
def create_user(login, options = {})
standard_create Conjur::Core::API.host, :user, nil, options.merge(login: login)
end
|
#create_variable(mime_type, kind, options = {}) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/variables.rb', line 25
def create_variable(mime_type, kind, options = {})
standard_create Conjur::Core::API.host, :variable, nil, options.merge(mime_type: mime_type, kind: kind)
end
|
#credentials ⇒ Object
Authenticate the username and api_key to obtain a request token. Tokens are cached by username for a short period of time.
115
116
117
|
# File 'lib/conjur/base.rb', line 115
def credentials
{ headers: { authorization: "Token token=\"#{Base64.strict_encode64 token.to_json}\"" }, username: username }
end
|
#current_role ⇒ Object
35
36
37
|
# File 'lib/conjur/api/roles.rb', line 35
def current_role
role_from_username username
end
|
#deputy(id) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/deputies.rb', line 29
def deputy id
standard_show Conjur::Core::API.host, :deputy, id
end
|
#group(id) ⇒ Object
33
34
35
|
# File 'lib/conjur/api/groups.rb', line 33
def group id
standard_show Conjur::Core::API.host, :group, id
end
|
#groups(options = {}) ⇒ Object
25
26
27
|
# File 'lib/conjur/api/groups.rb', line 25
def groups(options={})
standard_list Conjur::Core::API.host, :group, options
end
|
#host(id) ⇒ Object
105
106
107
|
# File 'lib/conjur/base.rb', line 105
def host
self.class.host
end
|
#resource(identifier) ⇒ Object
31
32
33
34
35
36
|
# File 'lib/conjur/api/resources.rb', line 31
def resource identifier
paths = path_escape(identifier).split(':')
raise ArgumentError, "Expected at least 3 tokens in resource identifier '#{identifier}'" if paths.length < 3
path = [ paths[0], 'resources', paths[1], paths[2..-1].join(':') ].flatten.join('/')
Resource.new(Conjur::Authz::API.host, credentials)[path]
end
|
#resources(opts = {}) ⇒ Object
Return all visible resources. In opts you should pass an account to filter by, and optionally a kind.
40
41
42
43
44
45
46
|
# File 'lib/conjur/api/resources.rb', line 40
def resources opts = {}
Resource.all({ host: Conjur::Authz::API.host, credentials: credentials }.merge opts).map do |result|
resource(result['id']).tap do |r|
r.attributes = result
end
end
end
|
#role(role) ⇒ Object
31
32
33
|
# File 'lib/conjur/api/roles.rb', line 31
def role role
Role.new(Conjur::Authz::API.host, credentials)[self.class.parse_role_id(role).join('/')]
end
|
#role_from_username(username) ⇒ Object
39
40
41
|
# File 'lib/conjur/api/roles.rb', line 39
def role_from_username username
role(role_name_from_username username)
end
|
#role_name_from_username(username = self.username) ⇒ Object
43
44
45
46
47
48
49
50
|
# File 'lib/conjur/api/roles.rb', line 43
def role_name_from_username username = self.username
tokens = username.split('/')
if tokens.size == 1
[ 'user', username ].join(':')
else
[ tokens[0], tokens[1..-1].join('/') ].join(':')
end
end
|
#secret(id) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/secrets.rb', line 29
def secret id
standard_show Conjur::Core::API.host, :secret, id
end
|
#token ⇒ Object
109
110
111
|
# File 'lib/conjur/base.rb', line 109
def token
@token ||= Conjur::API.authenticate(@username, @api_key)
end
|
#user(login) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/users.rb', line 29
def user login
standard_show Conjur::Core::API.host, :user, login
end
|
#variable(id) ⇒ Object
29
30
31
|
# File 'lib/conjur/api/variables.rb', line 29
def variable id
standard_show Conjur::Core::API.host, :variable, id
end
|