Merge pull request #108 from cyberark/udpate-api

Update API to enable OIDC, Keychain, etc
cyberark · Mar 23, 2023 · ef2507f · ef2507f
2 parents 9ec4164 + d701e41
commit ef2507f
Show file tree

Hide file tree

Showing 18 changed files with 115 additions and 283 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,10 +5,24 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
+## [0.7.0] - 2023-03-10
+### Added
+- Added support for Conjur's OIDC and LDAP authenticators
+  [cyberark/summon-conjur#108](https://github.com/cyberark/summon-conjur/pull/108)
+
+### Changed
+- Updated Golang to 1.19
+  [cyberark/summon-conjur#108](https://github.com/cyberark/summon-conjur/pull/108)
+
 ### Security
 - Update golang.org/x/sys to v0.1.0 for CVE-2022-29526 (not vulnerable)
   [cyberark/summon-conjur#110](https://github.com/cyberark/summon-conjur/pull/110)
 
+### Removed
+- Removed support for Conjur v4
+  [cyberark/summon-conjur#108](https://github.com/cyberark/summon-conjur/pull/108)
+
 ## [0.6.4] - 2022-07-06
 ### Changed
 - Updated direct dependencies (github.com/cyberark/conjur-api-go -> v0.10.1,
@@ -116,7 +130,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - Initial release
 
-[Unreleased]: https://github.com/cyberark/summon-conjur/compare/v0.6.4...HEAD
+[Unreleased]: https://github.com/cyberark/summon-conjur/compare/v0.7.0...HEAD
+[0.7.0]: https://github.com/cyberark/summon-conjur/compare/v0.6.4...v0.7.0
 [0.6.4]: https://github.com/cyberark/summon-conjur/compare/v0.6.3...v0.6.4
 [0.6.3]: https://github.com/cyberark/summon-conjur/compare/v0.6.2...v0.6.3
 [0.6.2]: https://github.com/cyberark/summon-conjur/compare/v0.6.1...v0.6.2

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -26,11 +26,9 @@ $ ./dev.sh
 ### Running tests
 
 Automated CI pipelines:
-- [.gitlab.ci.yml](.gitlab.ci.yml)
 - [Jenkinsfile](Jenkinsfile)
 
-Run `./bin/test.sh oss` for OSS tests, `./bin/test.sh enterprise` for Enterprise tests.
-This defaults to both.
+Run `./bin/test.sh`
 
 ## Releasing
 

diff --git a/Dockerfile.test b/Dockerfile.test
@@ -1,17 +1,16 @@
-FROM golang:1.17-alpine
+FROM golang:1.19-alpine
 
 MAINTAINER Conjur Inc
 
-
 RUN apk add --no-cache bash \
                        build-base \
                        curl \
                        git \
                        jq \
                        less && \
-    go get -u github.com/jstemmer/go-junit-report && \
-    go get -u github.com/axw/gocov/gocov && \
-    go get -u github.com/AlekSi/gocov-xml && \
+    go install github.com/jstemmer/go-junit-report@latest && \
+    go install github.com/axw/gocov/gocov@latest && \
+    go install github.com/AlekSi/gocov-xml@latest && \
     mkdir -p /summon-conjur/output
 
 WORKDIR /summon-conjur

diff --git a/NOTICES.txt b/NOTICES.txt
@@ -7,7 +7,7 @@ of the license associated with each component.
 
 
 Section 1: Apache License 2.0
->>> https://github.com/cyberark/conjur-api-go/tree/v0.10.1
+>>> https://github.com/cyberark/conjur-api-go/tree/v0.11.0
 
 Section 2: MIT License
 >>> https://github.com/sirupsen/logrus/tree/v1.8.1
@@ -27,7 +27,7 @@ APPENDIX: Standard License Files and Templates
 
 Apache License 2.0 is applicable to the following component(s).
 
->>> https://github.com/cyberark/conjur-api-go/tree/v0.10.1
+>>> https://github.com/cyberark/conjur-api-go/tree/v0.11.0
 
 Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
 

diff --git a/README.md b/README.md
@@ -8,29 +8,25 @@ Conjur provider for [Summon](https://github.com/cyberark/summon).
 
 ---
 
-**Note** Use the [summon-conjurcli](https://github.com/conjurinc/summon-conjurcli) provider if you are on Conjur v4.4.0 or earlier.
-
-**Note** You **must** set environment variable `CONJUR_MAJOR_VERSION=4` for this provider to work with Conjur v4.9.
-
 ## Install
 
 Pre-built binaries and packages are available from GitHub releases
 [here](https://github.com/cyberark/summon-conjur/releases).
 
-### Using summon-conjur with Conjur Open Source 
+### Using summon-conjur with Conjur Open Source
 
-Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we 
-**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS 
-suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html). 
-Conjur maintainers perform additional testing on the suite release versions to ensure 
-compatibility. When possible, upgrade your Conjur version to match the 
-[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm); 
-when using integrations, choose the latest suite release that matches your Conjur version. For any 
+Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we
+**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS
+suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html).
+Conjur maintainers perform additional testing on the suite release versions to ensure
+compatibility. When possible, upgrade your Conjur version to match the
+[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm);
+when using integrations, choose the latest suite release that matches your Conjur version. For any
 questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5).
 
 ### Homebrew
 
-```
+```bash
 brew tap cyberark/tools
 brew install summon-conjur
 ```
@@ -48,40 +44,40 @@ These can be installed with `dpkg -i summon-conjur_*.deb` and
 Use the auto-install script. This will install the latest version of summon-conjur.
 The script requires sudo to place summon-conjur in dir `/usr/local/lib/summon`.
 
-```
+```bash
 curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/main/install.sh | bash
 ```
 
 ### Manual Install
+
 Otherwise, download the [latest release](https://github.com/cyberark/summon-conjur/releases) and extract it to the directory `/usr/local/lib/summon`.
 
 ## Usage in isolation
 
 Give summon-conjur a variable name and it will fetch it for you and print the value to stdout.
 
 ```sh-session
-$ # export CONJUR_MAJOR_VERSION=4 for Conjur v4.9
 $ summon-conjur prod/aws/iam/user/robot/access_key_id
 8h9psadf89sdahfp98
 ```
 
 ### Flags
 
-```
+```txt
 Usage of summon-conjur:
   -h, --help
-	show help (default: false)
+ show help (default: false)
   -V, --version
-	show version (default: false)
+ show version (default: false)
   -v, --verbose
-	be verbose (default: false)
+ be verbose (default: false)
 ```
 
 ## Usage as a provider for Summon
 
 [Summon](https://github.com/cyberark/summon/) is a command-line tool that reads a file in secrets.yml format and injects secrets as environment variables into any process. Once the process exits, the secrets are gone.
 
-*Example*
+### Example
 
 As an example let's use the `env` command:
 
@@ -97,7 +93,6 @@ By default, summon will look for `secrets.yml` in the directory it is called fro
 Wrap the `env` in summon:
 
 ```sh
-$ # export CONJUR_MAJOR_VERSION=4 for Conjur v4.9
 $ summon --provider summon-conjur env
 ...
 AWS_ACCESS_KEY_ID=AKIAJS34242K1123J3K43
@@ -113,52 +108,46 @@ This provider uses the same configuration pattern as the [Conjur CLI
 Client](https://github.com/conjurinc/api-ruby#configuration) to connect to Conjur.
 Specifically, it loads configuration from:
 
- * `.conjurrc` files, located in the home and current directories, or at the
+* `.conjurrc` files, located in the home and current directories, or at the
     path specified by the `CONJURRC` environment variable.
- * Reads the `.conjurrc` file from `/etc/conjur.conf` on Linux/macOS and `C:\Windows\conjur.conf` on Windows.
- * Environment variables:
-   * Version
-     * `CONJUR_MAJOR_VERSION` - must be set to `4` in order for summon-conjur to work with Conjur v4.9.
-   * Appliance URLs
-     * `CONJUR_APPLIANCE_URL`
-     * `CONJUR_CORE_URL`
-     * `CONJUR_AUTHN_URL`
-   * SSL certificate
-     * `CONJUR_CERT_FILE`
-     * `CONJUR_SSL_CERTIFICATE`
-   * Authentication
-     * Account
-       * `CONJUR_ACCOUNT`
-     * Login
-       * `CONJUR_AUTHN_LOGIN`
-       * `CONJUR_AUTHN_API_KEY`
-     * Token
-       * `CONJUR_AUTHN_TOKEN`
-       * `CONJUR_AUTHN_TOKEN_FILE`
-     * JWT Token
-       * `CONJUR_AUTHN_JWT_SERVICE_ID`  (e.g. `kubernetes`) **NEW!**
-       * `JWT_TOKEN_PATH` (optional)  (default: `/var/run/secrets/kubernetes.io/serviceaccount/token`) **NEW!**
-
-If `CONJUR_AUTHN_LOGIN` and `CONJUR_AUTHN_API_KEY` or `CONJUR_AUTHN_TOKEN` or `CONJUR_AUTHN_TOKEN_FILE` or `CONJUR_AUTHN_JWT_SERVICE_ID` are not provided, the username and API key are read from `~/.netrc`, stored there by `conjur authn login`.
-
-`$HOME/.netrc` is used as the default `.netrc` location but you can also specify its location
-in `.conjurrc`'s field `netrc_path`:
+* Reads the `.conjurrc` file from `/etc/conjur.conf` on Linux/macOS and `C:\Windows\conjur.conf` on Windows.
+* Environment variables:
+  * Appliance URLs
+    * `CONJUR_APPLIANCE_URL`
+  * SSL certificate
+    * `CONJUR_CERT_FILE`
+    * `CONJUR_SSL_CERTIFICATE`
+  * Authentication
+    * Account
+      * `CONJUR_ACCOUNT`
+    * Login
+      * `CONJUR_AUTHN_LOGIN`
+      * `CONJUR_AUTHN_API_KEY`
+    * Token
+      * `CONJUR_AUTHN_TOKEN`
+      * `CONJUR_AUTHN_TOKEN_FILE`
+    * JWT Token
+      * `CONJUR_AUTHN_JWT_SERVICE_ID`  (e.g. `kubernetes`)
+      * `JWT_TOKEN_PATH` (optional)  (default: `/var/run/secrets/kubernetes.io/serviceaccount/token`)
+
+If `CONJUR_AUTHN_LOGIN` and `CONJUR_AUTHN_API_KEY` or `CONJUR_AUTHN_TOKEN` or `CONJUR_AUTHN_TOKEN_FILE` or `CONJUR_AUTHN_JWT_SERVICE_ID` are not provided, the username and API key are read from system keychain or `~/.netrc`, stored there by `conjur login`.
+
+On systems that support keychain storage, that will be used by default, and if that fails the `~/.netrc` file will be used,
+though this behavior can be modified in the `.conjurrc` file:
+
 ```yaml
 ...
+credential_storage: "netrc"
 netrc_path: "/etc/conjur.identity"
 ...
 ```
 
-In general, you can ignore the `CONJUR_CORE_URL` and `CONJUR_AUTHN_URL` unless
-you need to specify, for example, an authn proxy.
-
 The provider will fail unless all of the following values are provided:
 
-- `CONJUR_MAJOR_VERSION=4` for Conjur v4.9
-- An appliance url (`CONJUR_APPLIANCE_URL`)
-- An organization account (`CONJUR_ACCOUNT`)
-- A username and api key, or Conjur authn token, or a path to `CONJUR_AUTHN_TOKEN_FILE` a dynamic Conjur authn token
-- A path to (`CONJUR_CERT_FILE`) **or** content of (`CONJUR_SSL_CERTIFICATE`) the appliance's public SSL certificate
+* An appliance url (`CONJUR_APPLIANCE_URL`)
+* An organization account (`CONJUR_ACCOUNT`)
+* A username and api key, or Conjur authn token, or a path to `CONJUR_AUTHN_TOKEN_FILE` a dynamic Conjur authn token
+* A path to (`CONJUR_CERT_FILE`) **or** content of (`CONJUR_SSL_CERTIFICATE`) the appliance's public SSL certificate
 
 ---
 

diff --git a/bin/functions.sh b/bin/functions.sh
@@ -1,12 +1,5 @@
 function startConjur() {
-  local conjurType="$1"
-  local services='conjur cuke-master'
-
-  if [[ "$conjurType" == "oss" ]]; then
-    services='conjur'
-  elif [[ "$conjurType" == "enterprise" ]]; then
-    services='cuke-master'
-  fi
+  local services='conjur'
 
   docker-compose $COMPOSE_ARGS pull $services
   docker-compose $COMPOSE_ARGS up -d $services
@@ -18,32 +11,9 @@ exec_on() {
 }
 
 function initEnvironment() {
-  local conjurType="$1"
-
-  if [[ "$conjurType" == "all" || "$conjurType" == "oss" ]]; then
-    exec_on conjur conjurctl wait
-  fi
-
-  if [[ "$conjurType" == "all" || "$conjurType" == "enterprise" ]]; then
-    exec_on cuke-master /opt/conjur/evoke/bin/wait_for_conjur
-
-    exec_on cuke-master conjur authn login -u admin -p secret
-    exec_on cuke-master conjur variable create existent-variable-with-undefined-value
-    exec_on cuke-master conjur variable create existent-variable-with-defined-value
-    exec_on cuke-master conjur variable values add existent-variable-with-defined-value existent-variable-defined-value
-  fi
+  exec_on conjur conjurctl wait
 }
 
 getKeys() {
-  local conjurType="$1"
-
-  if [[ "$conjurType" == "enterprise" ]]; then
-    exec_on cuke-master conjur user rotate_api_key
-  elif [[ "$conjurType" == "oss" ]]; then
-    exec_on conjur conjurctl role retrieve-key cucumber:user:${CONJUR_AUTHN_LOGIN:-admin}
-  fi
-}
-
-getCert() {
-  exec_on cuke-master cat /opt/conjur/etc/ssl/ca.pem
+  exec_on conjur conjurctl role retrieve-key cucumber:user:${CONJUR_AUTHN_LOGIN:-admin}
 }
diff --git a/bin/test-entrypoint.sh b/bin/test-entrypoint.sh
@@ -5,20 +5,8 @@ echo "Path: $PATH"
 
 echo "Running tests..."
 
-# Type of Conjur to test against, 'all', 'oss' or 'enterprise'
-CONJUR_TYPE="${CONJUR_TYPE:-all}"
-echo "Test coverage: $CONJUR_TYPE"
-
 TEST_PARAMS="-run TestPackage*"
 
-if [[ "${CONJUR_TYPE}" == "enterprise" ]]; then
-  TEST_PARAMS="-run TestPackageEnterprise"
-fi
-
-if [[ "${CONJUR_TYPE}" == "oss" ]]; then
-  TEST_PARAMS="-run TestPackageOSS"
-fi
-
 echo "Running go tests: $TEST_PARAMS"
 echo "Current dir: $(pwd)"