Merge pull request #189 from cyberark/rest_client_options

Custom rest_client_options via Conjur configuration

Author: ismarc

.gitleaks.toml

@@ -1,4 +1,4 @@
-title = "Secretless Broker gitleaks config"
+title = "Conjur API Ruby gitleaks config"
 
 # This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
 # If GITLEAKS_CONFIG environment variable

CHANGELOG.md

@@ -6,6 +6,18 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Added
+- Add `rest_client_options` option to `Conjur.configuration`. This allows users to
+  configure the RestClient instance used by Conjur API to communicate with the Conjur 
+  server.
+  [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
+
+### Changed
+- Replace monkey patching `RestClient::Request` with defaults on `Conjur.configuration.rest_client_options`
+  in order to limit the scope of the default `:ssl_cert_store` option only to inside
+  Conjur API. 
+  [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
+
 ## [5.3.4] - 2020-10-29
 
 ### Changed

README.md

@@ -128,6 +128,28 @@ Conjur::API.new_from_key login, api_key
 Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be
 prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.example.com`.
 
+## Configuring RestClient
+
+[Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb)
+allows optional configuration of the [RestClient](https://github.com/rest-client/rest-client)
+instance used by Conjur API to communicate with the Conjur server, via the options hash
+`Conjur.configuration.rest_client_options`.
+
+The default value for the options hash is:
+```ruby
+{
+  ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+}
+```
+
+For example, here's how you would configure the client to use a proxy and `ssl_ca_file` (instead of the default `ssl_cert_store`).
+```ruby
+Conjur.configuration.rest_client_options = {
+    ssl_ca_file: "ca_certificate.pem",
+    proxy: "http://proxy.example.com/"
+}
+```
+
 ## Contributing
 
 We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing

lib/conjur/api.rb

@@ -50,24 +50,6 @@
 require 'conjur/cache'
 require 'conjur-api/version'
 
-# Monkey patch RestClient::Request so it always uses
-# :ssl_cert_store. (RestClient::Resource uses Request to send
-# requests, so it sees :ssl_cert_store, too).
-# @api private
-class RestClient::Request
-  alias_method :initialize_without_defaults, :initialize
-
-  def default_args
-    {
-      ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
-    }
-  end
-
-  def initialize args
-    initialize_without_defaults default_args.merge(args)
-  end
-end
-
 # @api private
 class RestClient::Resource
   include Conjur::Escape

lib/conjur/api/authn.rb

@@ -50,7 +50,7 @@ def login username, password, account: Conjur.configuration.account
         url_for(:authn_login, account, username, password).get
       end
 
-      # Exchanges Conjur the API key (refresh token) for an access token.  The access token can 
+      # Exchanges Conjur the API key (refresh token) for an access token.  The access token can
       # then be used to authenticate further API calls.
       #
       # @param [String] username The username or host id for which we want a token
@@ -65,7 +65,7 @@ def authenticate username, api_key, account: Conjur.configuration.account
         JSON.parse url_for(:authn_authenticate, account, username).post(api_key, content_type: 'text/plain')
       end
 
-      # Obtains an access token from the +authn_local+ service. The access token can 
+      # Obtains an access token from the +authn_local+ service. The access token can
       # then be used to authenticate further API calls.
       #
       # @param [String] username The username or host id for which we want a token
@@ -80,7 +80,7 @@ def authenticate_local username, account: Conjur.configuration.account, expirati
         require 'json'
         require 'socket'
         message = url_for(:authn_authenticate_local, username, account, expiration, cidr)
-        JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })        
+        JSON.parse(UNIXSocket.open(Conjur.configuration.authn_local_socket) {|s| s.puts message; s.gets })
       end
 
       # Change a user's password.  To do this, you must have the user's current password.  This does not change or rotate

lib/conjur/api/router/v4.rb

@@ -8,18 +8,27 @@ module V4
 
         def authn_login account, username, password
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users/login']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(
+              user: username,
+              password: password
+            )
+          )['users/login']
         end
 
         def authn_authenticate account, username
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url)['users'][fully_escape username]['authenticate']
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.rest_client_options
+          )['users'][fully_escape username]['authenticate']
         end
 
         # For v4, the authn-local message is the username.
         def authn_authenticate_local username, account, expiration, cidr, &block
           verify_account(account)
-          
+
           raise "'expiration' is not supported for authn-local v4" if expiration
           raise "'cidr' is not supported for authn-local v4" if cidr
 
@@ -28,36 +37,51 @@ def authn_authenticate_local username, account, expiration, cidr, &block
 
         def authn_rotate_api_key credentials, account, id
           verify_account(account)
-          username = if id.kind == "user"
-            id.identifier
-          else
-            [ id.kind, id.identifier ].join('/')
-          end
-          RestClient::Resource.new(Conjur.configuration.authn_url, credentials)['users']["api_key?id=#{username}"]
+          username = id.kind == "user" ? id.identifier : [id.kind, id.identifier].join('/')
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['users']["api_key?id=#{username}"]
         end
 
         def authn_rotate_own_api_key account, username, password
           verify_account(account)
-          RestClient::Resource.new(Conjur.configuration.authn_url, user: username, password: password)['users']["api_key"]
+          RestClient::Resource.new(
+            Conjur.configuration.authn_url,
+            Conjur.configuration.create_rest_client_options(user: username, password: password)
+          )['users']["api_key"]
         end
 
         def host_factory_create_host token
           http_options = {
             headers: { authorization: %Q(Token token="#{token}") }
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, http_options)['host_factories']['hosts']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(http_options)
+          )['host_factories']['hosts']
         end
 
         def host_factory_create_tokens credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories'][id.identifier]['tokens']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories'][id.identifier]['tokens']
         end
 
         def host_factory_revoke_token credentials, token
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['host_factories']['tokens'][token]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['host_factories']['tokens'][token]
         end
 
         def resources_resource credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['resources'][id.kind][id.identifier]
+
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['resources'][id.kind][id.identifier]
         end
 
         def resources_check credentials, id, privilege, role
@@ -73,47 +97,80 @@ def resources_check credentials, id, privilege, role
         end
 
         def resources_permitted_roles credentials, id, privilege
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles']['allowed_to'][privilege][id.kind][id.identifier]
         end
 
         def roles_role credentials, id
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['authz'][id.account]['roles'][id.kind][id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['authz'][id.account]['roles'][id.kind][id.identifier]
         end
 
         def secrets_add credentials, id
           verify_account(id.account)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['values']
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['values']
         end
 
         def variable credentials, id
           verify_account(id.account)
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]
         end
 
         def secrets_value credentials, id, options
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier]['value'][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables'][fully_escape id.identifier]['value'][options_querystring options]
         end
 
         def secrets_values credentials, variable_ids
           options = {
             vars: Array(variable_ids).map { |v| fully_escape(v.identifier) }.join(',')
           }
-          RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables']['values'][options_querystring options]
+          RestClient::Resource.new(
+            Conjur.configuration.core_url,
+            Conjur.configuration.create_rest_client_options(credentials)
+          )['variables']['values'][options_querystring options]
         end
 
         def group_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['groups'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['groups'][fully_escape id.identifier].get
+          )
         end
 
         def variable_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['variables'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['variables'][fully_escape id.identifier].get
+          )
         end
 
         def user_attributes credentials, resource, id
           verify_account(id.account)
-          JSON.parse(RestClient::Resource.new(Conjur.configuration.core_url, credentials)['users'][fully_escape id.identifier].get)
+          JSON.parse(
+            RestClient::Resource.new(
+              Conjur.configuration.core_url,
+              Conjur.configuration.create_rest_client_options(credentials)
+            )['users'][fully_escape id.identifier].get
+          )
         end
 
         def parse_group_gidnumber attributes