Class: Conjur::API
- Inherits:
-
Object
- Object
- Conjur::API
- Defined in:
- lib/conjur/base.rb,
lib/conjur/core-api.rb,
lib/conjur/api/audit.rb,
lib/conjur/api/authn.rb,
lib/conjur/api/hosts.rb,
lib/conjur/api/roles.rb,
lib/conjur/api/users.rb,
lib/conjur/layer-api.rb,
lib/conjur/api/groups.rb,
lib/conjur/api/layers.rb,
lib/conjur-api/version.rb,
lib/conjur/api/pubkeys.rb,
lib/conjur/api/secrets.rb,
lib/conjur/pubkeys-api.rb,
lib/conjur/api/deputies.rb,
lib/conjur/api/resources.rb,
lib/conjur/api/variables.rb
Overview
This class provides access to the Conjur services.
Direct Known Subclasses
Conjur::Audit::API, Conjur::Authn::API, Conjur::Authz::API, Core::API
Constant Summary collapse
- VERSION =
"4.16.0"
Instance Attribute Summary collapse
-
#api_key ⇒ String
readonly
The api key used to create this instance.
Audit Service collapse
-
#audit(options = {}, &block) ⇒ Array<Hash>
Return up to 100 audit events visible to the current authorized role.
-
#audit_resource(resource, options = {}, &block) ⇒ Array<Hash>
Return up to 100 audit events visible to the current role and related to the given resource.
-
#audit_role(role, options = {}, &block) ⇒ Array<Hash>
Return up to 100 audit events visible to the current role and related to the given role.
Authentication Methods collapse
-
.authenticate(username, password) ⇒ String
The Conjur authenticate operation exchanges Conjur credentials for a token.
-
.login(username, password) ⇒ String
The Conjur login operation exchanges a username and a password for an api key.
-
.login_cas(username, password, cas_api_url) ⇒ String
This method logs in via CAS.
-
.update_password(username, password, new_password)
Change a user's password.
Directory: Hosts collapse
-
#create_host(options = nil) ⇒ Conjur::Host
Create a new
host
asset. -
#host(id) ⇒ Conjur::Host
Get a host by its unqualified id.
Authorization: Roles collapse
-
#create_role(role, options = {}) ⇒ Conjur::Role
Create a Role with the given id.
-
#current_role ⇒ Conjur::Role
Return a Role object representing the role (typically a user or host) that this api is authenticated as.
-
#role(role) ⇒ Conjur::Role
Return a Role representing a role with the given id.
-
#role_graph(roles, options = {}) ⇒ Conjur::Graph
Fetch a Graph representing the relationships of a given role or roles.
Directory: Users collapse
-
#create_user(login, options = {}) ⇒ Conjur::User
Create a Conjur User.
-
#user(login) ⇒ Conjur::User
Return an object representing a user with the given login.
Directory: Groups collapse
-
#create_group(id, options = {}) ⇒ Conjur::Group
Create a new group with the given identifier.
-
#find_groups(options) ⇒ Array<String>
Find groups by GID.
-
#group(id) ⇒ Conjur::Group
Fetch a group with the given id.
-
#groups(options = {}) ⇒ Array<Conjur::Group>
List all Conjur groups visible to the current role.
Directory: Layers collapse
-
#create_layer(id, options = {}) ⇒ Conjur::Layer
Create a new layer with the given id.
-
#layer(id) ⇒ Conjur::Layer
Get a layer by its unqualified id.
-
#layers(options = {}) ⇒ Array<Conjur::Layer>
Get all layers visible to the current role.
Public Keys Service collapse
-
#add_public_key(username, key) ⇒ Object
Add an SSH public key for
username
. -
#delete_public_key(username, keyname)
Delete a specific public key for a user.
-
#public_key(username, keyname) ⇒ String
Fetch a specific key by name.
-
#public_key_names(username) ⇒ Array<String>
List the public key names for the given user.
-
#public_keys(username) ⇒ String
Fetch all public keys for the user.
Directory: Deputies collapse
-
#create_deputy(options = {}) ⇒ Conjur::Deputy
Create a Conjur deputy.
-
#deputy(id) ⇒ Conjur::Deputy
Find a Conjur deputy by id.
Authorization: Resources collapse
-
#create_resource(identifier, options = {}) ⇒ Conjur::Role
Create a Conjur Resource.
-
#resource(identifier) ⇒ Conjur::Resource
Find a resource by it's id.
-
#resources(opts = {}) ⇒ Array<Conjur::Resource>
Find all resources visible to the current role that match the given search criteria.
Directory: Variables collapse
-
#create_variable(mime_type, kind, options = {}) ⇒ Conjur::Variable
Create a Conjur Variable.
-
#variable(id) ⇒ Conjur::Variable
Retrieve an object representing a Conjur Variable.
-
#variable_values(varlist) ⇒ Hash
Fetch the values of a list of variables.
Class Method Summary collapse
-
.new_from_key(username, api_key) ⇒ Conjur::API
Create a new API instance from a username and a password or api key.
-
.new_from_token(token) ⇒ Conjur::API
Create a new API instance from a token issued by the Conjur authentication service.
Instance Method Summary collapse
-
#credentials ⇒ Hash
Credentials that can be merged with options to be passed to
RestClient::Resource
HTTP request methods. -
#initialize(username, api_key, token) ⇒ API
constructor
Create a new instance from a username and api key or a token.
-
#token ⇒ Hash
The token used to authenticate requests made with the api.
-
#username ⇒ String
The name of the user as which this api instance is authenticated.
Methods included from LogSource
Methods included from Escape
#fully_escape, #path_escape, #query_escape
Constructor Details
#initialize(username, api_key, token) ⇒ API
You should use new_from_token or new_from_key instead of calling this method directly.
Create a new instance from a username and api key or a token.
This method requires that you pass either a username and api_key or a token Hash.
156 157 158 159 160 161 162 |
# File 'lib/conjur/base.rb', line 156 def initialize username, api_key, token @username = username @api_key = api_key @token = token raise "Expecting ( username and api_key ) or token" unless ( username && api_key ) || token end |
Instance Attribute Details
#api_key ⇒ String (readonly)
The api key used to create this instance. This is only present when you created the api with new_from_key.#
168 169 170 |
# File 'lib/conjur/base.rb', line 168 def api_key @api_key end |
Class Method Details
.authenticate(username, password) ⇒ String
The Conjur authenticate operation exchanges Conjur credentials for a token. The token can then be used to authenticate further API calls.
You will generally not need to use this method, as the API manages tokens automatically for you.
82 83 84 85 86 87 |
# File 'lib/conjur/api/authn.rb', line 82 def authenticate username, password if Conjur.log Conjur.log << "Authenticating #{username}\n" end JSON::parse(RestClient::Resource.new(Conjur::Authn::API.host)["users/#{fully_escape username}/authenticate"].post password, content_type: 'text/plain') end |
.login(username, password) ⇒ String
The Conjur login operation exchanges a username and a password for an api key. The api key is preferable for storage and use in code, as it can be rotated and has far greater entropy than a user memorizable password.
48 49 50 51 52 53 |
# File 'lib/conjur/api/authn.rb', line 48 def login username, password if Conjur.log Conjur.log << "Logging in #{username} via Basic authentication\n" end RestClient::Resource.new(Conjur::Authn::API.host, user: username, password: password)['users/login'].get end |
.login_cas(username, password, cas_api_url) ⇒ String
This method logs in via CAS. It is similar to the login method, the only difference being that
you need a cas_api_url
, provided by the administrator of your CAS
service.
65 66 67 68 69 70 71 72 |
# File 'lib/conjur/api/authn.rb', line 65 def login_cas username, password, cas_api_url if Conjur.log Conjur.log << "Logging in #{username} via CAS authentication\n" end require 'cas_rest_client' client = CasRestClient.new(:username => username, :password => password, :uri => [ cas_api_url, 'v1', 'tickets' ].join('/'), :use_cookies => false) client.get("#{Conjur::Authn::API.host}/users/login").body end |
.new_from_key(username, api_key) ⇒ Conjur::API
Create a new Conjur::API instance from a username and a password or api key.
105 106 107 |
# File 'lib/conjur/base.rb', line 105 def new_from_key(username, api_key) self.new username, api_key, nil end |
.new_from_token(token) ⇒ Conjur::API
Create a new Conjur::API instance from a token issued by the Conjur authentication service
Generally, you will have a Conjur identitiy (username and api key), and create an Conjur::API instance for the identity using new_from_key. This method is useful when you are performing authorization checks given a token. For example, a Conjur gateway that requires you to prove that you can 'read' a resource named 'super-secret' might get the token from a request header, create an Conjur::API instance with this method, and use Resource#permitted? to decide whether to accept and forward the request.
Note that Conjur tokens are issued as JSON. This method expects to get the token as a parsed JSON Hash.
When sending tokens as headers, you will normally use base64 encoded strings. Authorization headers
used by Conjur have the form 'Token token="#{b64encode token.to_json}"'
, but this format is in no way
required.
139 140 141 |
# File 'lib/conjur/base.rb', line 139 def new_from_token(token) self.new nil, nil, token end |
.update_password(username, password, new_password)
This method returns an undefined value.
Change a user's password. To do this, you must have the user's current password. This does not change or rotate api keys. However, you can use the user's api key as the current password, if the user was not created with a password.
97 98 99 100 101 102 |
# File 'lib/conjur/api/authn.rb', line 97 def update_password username, password, new_password if Conjur.log Conjur.log << "Updating password for #{username}\n" end RestClient::Resource.new(Conjur::Authn::API.host, user: username, password: password)['users/password'].put new_password end |
Instance Method Details
#add_public_key(username, key) ⇒ Object
Add an SSH public key for username
.
Key Format
This method will raise an exception if key
is not of the format
"<algorithm> <data> <name>"
(that is, key.split(\s+)).length must be 3). The <name>
field is used by the service
to identify individual keys for a user.
Permissions
You must have permission to 'update'
the pubkeys service resource. When the Conjur appliance
is configured, it creates the pubkeys service resource with this identifier
'<organizational account>:service:pubkeys-1.0/public-keys'
.
Rather than granting permissions to this resource directly to user roles, we recommend that you add them to the 'key-managers' group, whose unqualified identifier is 'pubkeys-1.0/key-managers', which has permission to add public keys.
Hiding Existence
Because attackers could use this method to determine the existence of Conjur users, it will not raise an error if the user does not exist.
134 135 136 |
# File 'lib/conjur/api/pubkeys.rb', line 134 def add_public_key username, key public_keys_resource(username).post key end |
#audit(options = {}, &block) ⇒ Array<Hash>
Return up to 100 audit events visible to the current authorized role.
An audit event is visible to a role if that role or one of it's ancestors is in the
event's :roles
field, or the role has a privilege any of the event's :resources
field.
42 43 44 |
# File 'lib/conjur/api/audit.rb', line 42 def audit ={}, &block audit_event_feed "", , &block end |
#audit_resource(resource, options = {}, &block) ⇒ Array<Hash>
Return up to 100 audit events visible to the current role and related to the given resource.
See #audit for the conditions under which an event is visible to a role.
An event is said to be "related to" a role iff the role is a member of the event's
:roles
field.
81 82 83 |
# File 'lib/conjur/api/audit.rb', line 81 def audit_resource resource, ={}, &block audit_event_feed "resources/#{CGI.escape cast(resource, :resourceid)}", , &block end |
#audit_role(role, options = {}, &block) ⇒ Array<Hash>
Return up to 100 audit events visible to the current role and related to the given role.
See #audit for the conditions under which an event is visible to a role.
An event is said to be "related to" a role iff the role is a member of the event's
:roles
field.
62 63 64 |
# File 'lib/conjur/api/audit.rb', line 62 def audit_role role, ={}, &block audit_event_feed "roles/#{CGI.escape cast(role, :roleid)}", , &block end |
#create_deputy(options = {}) ⇒ Conjur::Deputy
Create a Conjur deputy.
Deputies are used internally by Conjur services that need to perform actions as a particular role. While the deputies API is stable, it isn't intended for use by end users.
40 41 42 |
# File 'lib/conjur/api/deputies.rb', line 40 def create_deputy = {} standard_create Conjur::Core::API.host, :deputy, nil, end |
#create_group(id, options = {}) ⇒ Conjur::Group
Create a new group with the given identifier.
Groups can be created with a gidnumber attribute, which is used when mapping LDAP/ActiveDirectory groups to Conjur groups, and when performing PAM authentication to assign a unix GID.
69 70 71 |
# File 'lib/conjur/api/groups.rb', line 69 def create_group(id, = {}) standard_create Conjur::Core::API.host, :group, id, end |
#create_host(options = nil) ⇒ Conjur::Host
Create a new host
asset.
By default this method will create a host with a random id. However, you may create a host with a
specific name by passing an :id
option.
Permissions
- Any Conjur role may perform this method without an
:ownerid
option. The new hosts owner will be the current role. - If you pass an `
:ownerid
option, you must be a member of the given role.
80 81 82 |
# File 'lib/conjur/api/hosts.rb', line 80 def create_host = nil standard_create Conjur::Core::API.host, :host, nil, end |
#create_layer(id, options = {}) ⇒ Conjur::Layer
Create a new layer with the given id
22 23 24 |
# File 'lib/conjur/api/layers.rb', line 22 def create_layer(id, = {}) standard_create Conjur::API.layer_asset_host, :layer, id, end |
#create_resource(identifier, options = {}) ⇒ Conjur::Role
Create a Conjur Resource. Resources are entities on which roles have permissions. A resource might represent a secret, a web service route, or be part of a higher level construct such as a user or group.
If :acting_as
is not present in options
, you will be the owner of the new role. If it is present,
your role must be a member of the given role (see Role#member_of?).
58 59 60 61 62 |
# File 'lib/conjur/api/resources.rb', line 58 def create_resource(identifier, = {}) resource(identifier).tap do |r| r.create() end end |
#create_role(role, options = {}) ⇒ Conjur::Role
Create a Role with the given id.
Permissions
- All Conjur roles can create new roles.
- The creator role (either the current role or the role given by the
:acting_as
option) is made a member of the new role. The new role is also made a member of itself. - If you give an
:acting_as
option, you must be a (transitive) member of the:acting_as
role. - The new role is granted to the creator role with admin option: that is, the creator role is able to grant the created role to other roles.
79 80 81 82 83 |
# File 'lib/conjur/api/roles.rb', line 79 def create_role(role, = {}) role(role).tap do |r| r.create() end end |
#create_user(login, options = {}) ⇒ Conjur::User
Create a Conjur User. Conjur users are identities for humans.
When you create a user for the first time, the returned object will have an api_key
field. You can then
use this to set a password for the user if you want to. Note that when the user is fetched later with the #user
method, it will not have an api_key. Use it or lose it.
Permissions
Any authenticated role may call this method.
56 57 58 |
# File 'lib/conjur/api/users.rb', line 56 def create_user(login, = {}) standard_create Conjur::Core::API.host, :user, nil, .merge(login: login) end |
#create_variable(mime_type, kind, options = {}) ⇒ Conjur::Variable
Create a Conjur Variable. See Variable for operations on Conjur variables.
Permissions
Any authenticated role may call this method
57 58 59 |
# File 'lib/conjur/api/variables.rb', line 57 def create_variable(mime_type, kind, = {}) standard_create Conjur::Core::API.host, :variable, nil, .merge(mime_type: mime_type, kind: kind) end |
#credentials ⇒ Hash
Credentials that can be merged with options to be passed to RestClient::Resource
HTTP request methods.
These include a username and an Authorization header containing the authentication token.
210 211 212 |
# File 'lib/conjur/base.rb', line 210 def credentials { headers: { authorization: "Token token=\"#{Base64.strict_encode64 token.to_json}\"" }, username: username } end |
#current_role ⇒ Conjur::Role
Return a Role object representing the role (typically a user or host) that this api is authenticated
as. This is derived either from the login
argument to new_from_key or from the contents of the
token
given to new_from_token.
130 131 132 |
# File 'lib/conjur/api/roles.rb', line 130 def current_role role_from_username username end |
#delete_public_key(username, keyname)
This method returns an undefined value.
Delete a specific public key for a user.
Permissions
You must have permission to 'update'
the pubkeys service resource. When the Conjur appliance
is configured, it creates the pubkeys service resource with this identifier
'<organizational account>:service:pubkeys-1.0/public-keys'
.
Rather than granting permissions to this resource directly to user roles, we recommend that you add them to the 'key-managers' group, whose unqualified identifier is 'pubkeys-1.0/key-managers', which has permission to add public keys.
Hiding Existence
Because attackers could use this method to determine the existence of Conjur users, it will not raise an error if the user does not exist.
166 167 168 |
# File 'lib/conjur/api/pubkeys.rb', line 166 def delete_public_key username, keyname public_keys_resource(username, keyname).delete end |
#deputy(id) ⇒ Conjur::Deputy
Find a Conjur deputy by id. Deputies are used internally by Conjur services that need to perform actions as a particular role. While the deputies API is stable, it isn't intended for use by end users.
53 54 55 |
# File 'lib/conjur/api/deputies.rb', line 53 def deputy id standard_show Conjur::Core::API.host, :deputy, id end |
#find_groups(options) ⇒ Array<String>
Find groups by GID. Note that gidnumbers are not unique for groups.
106 107 108 |
# File 'lib/conjur/api/groups.rb', line 106 def find_groups JSON.parse(RestClient::Resource.new(Conjur::Core::API.host, credentials)["groups/search?#{.to_query}"].get) end |
#group(id) ⇒ Conjur::Group
Fetch a group with the given id. Note that the id is unqualified -- it must not contain
account
or id
parts. For example,
87 88 89 |
# File 'lib/conjur/api/groups.rb', line 87 def group id standard_show Conjur::Core::API.host, :group, id end |
#groups(options = {}) ⇒ Array<Conjur::Group>
List all Conjur groups visible to the current role. This method does not
support advanced query options. If you want those, use #resources
with
the :kind
option set to 'group'
.
37 38 39 |
# File 'lib/conjur/api/groups.rb', line 37 def groups(={}) standard_list Conjur::Core::API.host, :group, end |
#host(id) ⇒ Conjur::Host
Get a host by its unqualified id.
Like other Conjur methods, this will return a Host whether or not the record is found, and you must use the Exists#exists? method to check this.
181 182 183 |
# File 'lib/conjur/base.rb', line 181 def host self.class.host end |
#layer(id) ⇒ Conjur::Layer
Get a layer by its unqualified id.
Like other Conjur methods, this will return a Layer whether or not the record is found, and you must use the Exists#exists? method to check this.
56 57 58 |
# File 'lib/conjur/api/layers.rb', line 56 def layer id standard_show Conjur::API.layer_asset_host, :layer, id end |
#layers(options = {}) ⇒ Array<Conjur::Layer>
Get all layers visible to the current role.
The options
parameter is only included for backwards
compatibility and has no effect. You should call this method
without arguments.
34 35 36 |
# File 'lib/conjur/api/layers.rb', line 34 def layers ={} standard_list Conjur::API.layer_asset_host, :layer, end |
#public_key(username, keyname) ⇒ String
Fetch a specific key by name. The key name is the last token in the public key itself,
typically formatted as '<login>@<hostname>'
.
Permissions
You do not need any special permissions to call this method, since public keys are, well, public.
69 70 71 |
# File 'lib/conjur/api/pubkeys.rb', line 69 def public_key username, keyname public_keys_resource(username, keyname).get end |
#public_key_names(username) ⇒ Array<String>
List the public key names for the given user.
If the given user does not exist, an empty Array will be returned. This is to prevent attackers from determining whether a user exists.
Permissions
You do not need any special permissions to call this method, since public keys are, well, public.
94 95 96 |
# File 'lib/conjur/api/pubkeys.rb', line 94 def public_key_names username public_keys(username).lines.map{|s| s.split(' ')[-1]} end |
#public_keys(username) ⇒ String
Fetch all public keys for the user. This method returns a newline delimited String for compatibility with the authorized_keys SSH format.
If the given user does not exist, an empty String will be returned. This is to prevent attackers from determining whether a user exists.
Permissions
You do not need any special permissions to call this method, since public keys are, well, public.
45 46 47 |
# File 'lib/conjur/api/pubkeys.rb', line 45 def public_keys username public_keys_resource(username).get end |
#resource(identifier) ⇒ Conjur::Resource
Find a resource by it's id. The id given to this method must be qualified by a kind, but the account is optional.
Permissions
The resource must be visible to the current role. This is the case if the current role is the owner of the resource, or has any privilege on it.
87 88 89 |
# File 'lib/conjur/api/resources.rb', line 87 def resource identifier Resource.new(Conjur::Authz::API.host, credentials)[self.class.parse_resource_id(identifier).join('/')] end |
#resources(opts = {}) ⇒ Array<Conjur::Resource>
Find all resources visible to the current role that match the given search criteria.
Full Text Search
Conjur supports full text search over the identifiers and annotation values
of resources. For example, if opts[:search]
is "pubkeys"
, any resource with
an id containing "pubkeys"
or an annotation whose value contains "pubkeys"
will match.
Notes
- Annotation keys are not indexed for full text search.
- Conjur indexes the content of ids and annotation values by word.
- Only resources visible to the current role (either owned by that role or having a privilege on it) are returned.
- If you do not provide
:offset
or:limit
, all records will be returned. For systems with a huge number of resources, you may want to paginate as shown in the example below. - If
:offset
is provided and:limit
is not, 10 records starting at:offset
will be returned. You may choose an arbitrarily large number for:limit
, but the same performance considerations apply as when omitting:offset
and:limit
.
141 142 143 144 145 146 147 148 149 150 |
# File 'lib/conjur/api/resources.rb', line 141 def resources opts = {} opts = { host: Conjur::Authz::API.host, credentials: credentials }.merge opts opts[:account] ||= Conjur.account Resource.all(opts).map do |result| resource(result['id']).tap do |r| r.attributes = result end end end |
#role(role) ⇒ Conjur::Role
Return a Role representing a role with the given id. Note that the Role may or may not exist (see Exists#exists?).
Permissions
Because this method returns roles that may or may not exist, it doesn't require any permissions to call it: in fact, it does not perform an HTTP request (except for authentication if necessary).
110 111 112 |
# File 'lib/conjur/api/roles.rb', line 110 def role role Role.new(Conjur::Authz::API.host, credentials)[self.class.parse_role_id(role).join('/')] end |
#role_graph(roles, options = {}) ⇒ Conjur::Graph
Fetch a Graph representing the relationships of a given role or roles. Such graphs are transitive, and follow the normal permissions for role visibility.
38 39 40 41 42 43 44 45 46 47 48 |
# File 'lib/conjur/api/roles.rb', line 38 def role_graph roles, = {} roles = [roles] unless roles.kind_of? Array roles.map!{|r| normalize_roleid(r) } [:as_role] = normalize_roleid([:as_role]) if .include?(:as_role) .reverse_merge! as_role: normalize_roleid(current_role), descendants: true, ancestors: true query = {from_role: .delete(:as_role)} .merge(.slice(:ancestors, :descendants)) .merge(roles: roles).to_query Conjur::Graph.new RestClient::Resource.new(Conjur::Authz::API.host, credentials)["#{Conjur.account}/roles?#{query}"].get end |
#token ⇒ Hash
calling this method on an Conjur::API instance created with new_from_token will have
The token used to authenticate requests made with the api. The token will be fetched if it hasn't already, or if it has expired. Accordingly, this method may raise a RestClient::Unauthorized exception if the credentials are invalid.
undefined behavior if the token is expired.
194 195 196 197 198 199 200 201 202 |
# File 'lib/conjur/base.rb', line 194 def token @token = nil unless token_valid? @token ||= Conjur::API.authenticate(@username, @api_key) fail "obtained token is invalid" unless token_valid? # sanity check return @token end |
#user(login) ⇒ Conjur::User
Return an object representing a user with the given login. The User object returned may or may not exist. You can check whether it exists with the Exists#exists? method.
The returned User will not have an api_key.
Permissions
Any authenticated role may call this method.
70 71 72 |
# File 'lib/conjur/api/users.rb', line 70 def user login standard_show Conjur::Core::API.host, :user, login end |
#username ⇒ String
The name of the user as which this api instance is authenticated. This is available whether the api instance was created from credentials or an authentication token.
174 175 176 |
# File 'lib/conjur/base.rb', line 174 def username @username || @token['data'] end |
#variable(id) ⇒ Conjur::Variable
Retrieve an object representing a Conjur Variable. The Variable returned may or may not exist, and your permissions on the corresponding resource determine the operations you can perform on it.
Permissions
Any authenticated role can call this method.
70 71 72 |
# File 'lib/conjur/api/variables.rb', line 70 def variable id standard_show Conjur::Core::API.host, :variable, id end |
#variable_values(varlist) ⇒ Hash
Fetch the values of a list of variables. This operation is more efficient than fetching the values one by one.
This method will fail unless:
- All of the variables exist
- You have permission to
'execute'
all of the variables
This method is used to implement the conjur env
commands. You may consider using that instead to run your program in an environment with the necessary secrets.
96 97 98 99 100 101 102 103 104 105 106 |
# File 'lib/conjur/api/variables.rb', line 96 def variable_values(varlist) raise ArgumentError, "Variables list must be an array" unless varlist.kind_of? Array raise ArgumentError, "Variables list is empty" if varlist.empty? opts = "?vars=#{varlist.map { |v| fully_escape(v) }.join(',')}" begin resp = RestClient::Resource.new(Conjur::Core::API.host, self.credentials)['variables/values'+opts].get return JSON.parse( resp.body ) rescue RestClient::ResourceNotFound return Hash[ *varlist.map { |v| [ v, variable(v).value ] }.flatten ] end end |