Class: Conjur::Configuration

Inherits:

Object

• Object
• Conjur::Configuration

Defined in:

lib/conjur/configuration.rb,
lib/conjur/pubkeys-api.rb,
lib/conjur/host-factory-api.rb

Overview

Stores a configuration for the Conjur API client. This class provides global and thread local storage for common options used by the Conjur API. Most importantly, it specifies the

• REST endpoints, derived from the #appliance_url and #account options
• The certificate used for secure connections to the Conjur appliance (#cert_file)

Environment Variables

Option values used by Conjur can be given by environment variables, using a standard naming scheme. Specifically, an environment variable named CONJUR_ACCOUNT will be used to provide a default value for the #account option.

Required Options

The #account and #appliance_url are always required. Except in special cases, the #cert_file is also required, but you may omit it if your Conjur root certificate is in the OpenSSl default certificate store.

Thread Local Configuration

While using a globally available configuration is convenient for most applications, sometimes you will need to use different configurations in different threads. This is supported by returning a thread local version from configuration if one has been set by with_configuration.

Examples:

Basic Configuration

Conjur.configure do |c|
  c.account = 'the-account'
  c.cert_file = find_conjur_cert_file
end

Setting the appliance_url from an environment variable

ENV['CONJUR_APPLIANCE_URL'] = 'https://some-host.com/api'
Conjur::Configuration.new.appliance_url # => 'https://some-host.com/api'

Using thread local configuration in a web application request handler

# Assume that we're in a request handler thread in a multithreaded web server.

requested_appliance_url = request.header 'X-Conjur-Appliance-Url'

with_configuration Conjur.config.clone(appliance_url: requested_appliance_url) do
  # `api` is an instance attribute.  Note that we can use an api that was created
  # before we modified the thread local configuration.

  # 404 if the user doesn't exist

  user = api.user request.header('X-Conjur-Login')
  raise HttpError, 404, "User #{user.login} does not exist" unless user.exists?
  # ... finish the request
end

See Also:

• configuration
• configure
• with_configuration

Instance Attribute Summary

• #account ⇒ String

  The organizational account used by Conjur.

• #appliance_url ⇒ String

  The url for your Conjur appliance.

• #audit_url ⇒ String

  The url for the Conjur audit service.

• #authn_url ⇒ String

  The url for the Conjur authentication service.

• #authz_url ⇒ String

  The url for the Conjur authorization service.

• #cert_file ⇒ String^?

  Path to the certificate file to use when making secure connections to your Conjur appliance.

• #core_url ⇒ String

  The url for the Conjur core/directory service.

• #env ⇒ String deprecated Deprecated.
• #pubkeys_url ⇒ String

  The url for the Conjur public keys service.

• #ssl_certificate ⇒ Object

  Contents of a certificate file.

Instance Method Summary

• #apply_cert_config!(store = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE) ⇒ Boolean

  Add the certificate configured by the #ssl_certificate and #cert_file options to the certificate store used by Conjur clients.

• #clone(override_options = {}) ⇒ Conjur::Configuration

  Return a copy of this Configuration instance, optionally updating the copy with options from the override_options hash.

• #initialize(options = {}) ⇒ Configuration constructor

  Create a new Configuration, setting initial values from options.

Constructor Details

#initialize(options = {}) ⇒ Configuration

Note:

options must use symbols for keys.

Create a new Conjur::Configuration, setting initial values from options.

Examples:

Conjur.config = Conjur::Configuration.new account: 'companyname'
Conjur.config.account # => 'companyname'

Parameters:

• options (Hash) (defaults to: {}) —

  hash of options to set on the new instance.

# File 'lib/conjur/configuration.rb', line 187

def initialize options = {}
  @explicit = options.dup
  @supplied = options.dup
end

Instance Attribute Details

#account ⇒ String

Note:

this option is required, and attempting to make any api calls prior to setting it (either explicitly or with the "CONJUR_ACCOUNT" environment variable) will raise an exception.

The organizational account used by Conjur.

On Conjur appliances, this option will be set once when the appliance is first configured. You can get the value for the acccount option from your conjur administrator, or if you have installed the Conjur command line tools by running conjur authn whoami, or examining your .conjurrc file.

Returns:

• (String)

# File 'lib/conjur/configuration.rb', line 359

add_option :account, required: true

#appliance_url ⇒ String

Note:

If you are using an appliance (if you're not sure, you probably are), this option is required.

The url for your Conjur appliance.

If your appliance's hostname is 'conjur.companyname.com', then your appliance_url will be 'https://conjur.companyname.com/api'.

Returns:

• (String) —

  the appliance URL

# File 'lib/conjur/configuration.rb', line 336

add_option :appliance_url

#audit_url ⇒ String

Note:

You should not generally set this value. Instead, Conjur will derive it from the #account and #appliance_url properties.

The url for the Conjur audit service.

Returns:

• (String) —

  the audit service url

# File 'lib/conjur/configuration.rb', line 323

add_option :audit_url do
  global_service_url  'audit', 300
end

#authn_url ⇒ String

Note:

You should not generally set this value. Instead, Conjur will derive it from the #account and #appliance_url properties.

The url for the Conjur authentication service.

Returns:

• (String) —

  the authentication service url

# File 'lib/conjur/configuration.rb', line 287

add_option :authn_url do
  account_service_url 'authn', 0
end

#authz_url ⇒ String

Note:

You should not generally set this value. Instead, Conjur will derive it from the #account and #appliance_url properties.

The url for the Conjur authorization service.

Returns:

• (String) —

  the authorization service url

# File 'lib/conjur/configuration.rb', line 299

add_option :authz_url do
  global_service_url  'authz', 100
end

#cert_file ⇒ String^?

Path to the certificate file to use when making secure connections to your Conjur appliance.

This should be the path to the root Conjur SSL certificate in PEM format. You will normally get the certificate file using the conjur init command. This option is not required if the certificate or its root is in the OpenSSL default cert store. If your program throws an error indicating that SSL verification has failed, you probably need to set or fix this option.

Returns:

• (String, nil) —

  path to the certificate file, or nil if you aren't using one.

# File 'lib/conjur/configuration.rb', line 394

add_option :cert_file

#core_url ⇒ String

Note:

You should not generally set this value. Instead, Conjur will derive it from the #account and #appliance_url properties.

The url for the Conjur core/directory service.

Returns:

• (String) —

  the core/directory service url

# File 'lib/conjur/configuration.rb', line 311

add_option :core_url do
  default_service_url 'core', 200
end

#env ⇒ String

Deprecated.

The type of environment your program is running in (e.g., development, production, test).

Returns:

• (String) —

  the environment name

# File 'lib/conjur/configuration.rb', line 369

add_option :env do
  ENV['CONJUR_ENV'] || ENV['RAILS_ENV'] || ENV['RACK_ENV'] || "production"
end

#pubkeys_url ⇒ String

Note:

You should not generally set this value. Instead, Conjur will derive it from the #account and #appliance_url properties.

The url for the Conjur public keys service.

Returns:

• (String) —

  the pubkeys service url

# File 'lib/conjur/pubkeys-api.rb', line 33

add_option :pubkeys_url do
  account_service_url 'pubkeys', 400
end

#ssl_certificate ⇒ Object

Contents of a certificate file. This can be used instead of :cert_file in environments like Heroku where you can't use a certificate file.

This option overrides the value of #cert_file if both are given, and issues a warning.

See Also:

• #cert_file

# File 'lib/conjur/configuration.rb', line 404

add_option :ssl_certificate

Instance Method Details

#apply_cert_config!(store = OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE) ⇒ Boolean

Add the certificate configured by the #ssl_certificate and #cert_file options to the certificate store used by Conjur clients.

Parameters:

• store (OpenSSL::X509::Store) (defaults to: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE) —

  the certificate store that the certificate will be installed in.

Returns:

• (Boolean) —

  whether a certificate was added to the store.

# File 'lib/conjur/configuration.rb', line 413

def apply_cert_config! store=OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
  if ssl_certificate
    CertUtils.parse_certs(ssl_certificate).each do |cert|
      begin
        store.add_cert cert
      rescue OpenSSL::X509::StoreError => ex
        raise unless ex.message == 'cert already in hash table'
      end
    end
  elsif cert_file
    ensure_cert_readable!(cert_file)
    store.add_file cert_file
  else
    return false
  end
  true
end

#clone(override_options = {}) ⇒ Conjur::Configuration

Return a copy of this Conjur::Configuration instance, optionally updating the copy with options from the override_options hash.

Examples:

original = Conjur.configuration
original.account  # => 'conjur'
copy = original.clone account: 'some-other-account'
copy.account    # => 'some-other-account'
original.account # => 'conjur'

Parameters:

• override_options (Hash) (defaults to: {}) —

  options to set on the new instance

Returns:

• (Conjur::Configuration) —

  a copy of this configuration

# File 'lib/conjur/configuration.rb', line 263

def clone override_options = {}
  self.class.new self.explicit.dup.merge(override_options)
end