cyberark / conjur-api-dotnet

.NET client for the CyberArk Conjur API

License: Apache License 2.0

C# 96.51% Makefile 0.63% Shell 2.70% Dockerfile 0.17%
api-client conjbot-notify conjur conjur-core conjur-sdk core dotnet

conjur-api-dotnet's People

Contributors

andrewcopeland, andytinkham, bradleyboutcher, dividedmind, doodlesbykumbi, egvili, garymoon, hughsaunders, jakequilty, john-odonnell, jtuttle, juniortaeza, jvanderhoof, kgilpin, khamugit, neil-k-zero, orenbm, ryanprior, sashacher, sgnn7, szh, ucatu

conjur-api-dotnet's Issues

Update test/build automation to be in line with other projects

Current build automation is obscure at best and rusty and we should ensure that it is optimal for the current needs.

Describe the solution you would like

  • Project build automation is updated (e.g. Jenkinsfile)
  • (Optional) Project automation is in some part done w/ GitHub Actions (TBD)

Dotnet client library tests are run against the EE

The Dotnet client for the CyberArk Conjur API has tests today that are run only against the OSS.

As part of the configurable TLS change and because the client libraries are run and used by our customers we should add additional tests that run against the EE to reduce the manual testing around these.

Conjur .Net API for v5

GIVEN I'm a .Net developer
WHEN I develop an app
THEN I should be able to retrieve secrets I have permission for using the Conjur .Net library

Conjur v4 has a .Net API that wraps the REST API of Conjur.

In V5 the API has been changed in an incompatible way.

Your task, if you wish to accept it, is to create a new .Net API compatible with v5 giving out the same functionality.

Please pay attention to the following:

  1. Update the README file and mention there:

A. Where one can find a usage example

B. What version this API supports

  2. Test coverage - should be the same as before

  3. Understand if this can be part of the CE Github projects

API wrapper library is available through NuGet

To ensure the broadest access possible, we want this library to be available through NuGet. This will allow people to install it directly into their projects. As part of the delivery of this feature, we'll need to understand the steps necessary to submit a project to NuGet.

Review technical debt in repo and make plan for near-term enhancements

REVIEWING ca-conjur-api-dotnet-v5-master BRANCH

Review this repo and document items in the following categories with links to filed issues.

In addition, document succinctly whether this integration works with Conjur OSS / DAP and what methods are supported.

Supported flows

Note which flows are supported, and next to each that is supported note the method name. We can use this to improve the README documentation.

  • Conjur OSS
  • DAP
  • Instantiate with API key
  • Instantiate with access token
  • Configure from environment
  • Configure from .netrc
  • Configure from .conjurrc
  • Policy
    • Notes on what's possible: (PUT / PATCH / DELETE?)
    • Load Policy
  • Get a secret value
  • Set a secret value
  • Batch secret value retrieval
  • Get list of resources visible to authenticating user (eg as in conjur list)

Methods

Client

Client Client(uri, account)

  • Create new Conjur instance

LogIn(string userName, string password)

  • Login to a Conjur user
    • userName - Username of Conjur user to login as
    • password - Password of user

TrustedCertificates.ImportPem (string certPath)

  • Add Conjur root certificate to system trust store
    • certPath = Path to cert

<Client>.Credential = new NetworkCredential(string userName, string apiKey)

  • To login with an API key, use it directly
    • userName - Username of user to login as
    • apiKey - API key of user

IEnumerable<Variable> ListVariables(string query = null)

  • Returns a list of variable objects
    • name="query" - Additional Query parameters, not required

uint CountVariables(string query = null)

  • Count Conjur resource of kind variable
    • name="query" - Additional Query parameters, not required

Host CreateHost(string name, string hostFactoryToken)

  • Creates a host using a host factory token
    • name - Name of the host to create
    • hostFactoryToken - Host factory token

Policy

Policy <Client>.Policy(string policyName)

  • Create a Conjur policy object
    • policyName - Name of policy

policy.LoadPolicy(Stream policyContent)

  • Load policy into Conjur
    • policyContent - The policy

Variable

Variable <Client>.Variable(string name)

  • Instantiate a Variable object
    • name - Name of the variable

Boolean Check(string privilege)

  • Check if the current user has specified privilege on this variable
    • privilege - string name of the privilege to check for
      • Privileges: read, create, update, delete, execute

AddSecret(string val)

  • Change current Variable to val
    • val - Value to update current Variable to

String GetValue()

  • Return the value of the current Variable

Improvements to release process

  • Tagging of images is weird (to say the least) (#50)
  • Jenkinsfile outdated (#51)
  • Could move more process to GitHub actions (#51)
  • Release of this project to NuGet (#17)
  • Release dll artifact (#52)

Repo documentation improvements

  • The documentation is solid for IDE use but not for CLI use. Was buildable with VS2019, so maybe that could be updated in the README. (#53)
  • The step in USAGE says to use -h in the conjur init command, this did not work in Conjur OSS and I needed to use -u (Conjur v4 leftover?) (#53)
  • Example very limited (#53)
  • Needs a bit more prod-like usage example (#53)
  • Needs a bit better full-spectrum usage (similar to the demo given) (#53)

Test suite improvements (in particular, tests to add to alert us early to breakages)

  • Address the list of failing tests that are currently failing. This is probably from the branch being updated to work with the REST API v5 routes, but not updating the tests along with them. (#46, #45)
  • Tests use mono - I'm guessing this can be made better by .NET Core move (#24)
  • Signing of the code for test artifact is pretty gnarly and uses specific certs from Rafal (#54)
  • Tests coverage low (even with the above-mentioned ones fixed) (#35, #55)
  • No integration tests as far as I can tell (#34, #56)

Repo standard maintenance tasks

  • This branch needs to be merged into master, because master is not current with the v5 Conjur API

Enhancement requests to consider

  • Although you can manually get the environment variables and assign them to the needed variables to instantiate a Client, it would be nice if there was a built-in way to do this like the Java API. In general configuration from outside of code is practically non-existent and it's not centralized. (#47)
  • Adding batch secret retrieval as a feature of the API, so it doesn't need to be done manually by the user. (#49)
  • .NET Framework base should be ideally moved to .NET Core. (#24)
  • Overlapping lock objects are misused - can cause unnecessary waits (code not merged yet - no issue)
  • Policy loading from file is not supported (#57)
  • Much of the string interpolations in code are extremely fragile and sprinkled everywhere. (code not merged yet - no issue)
  • Variables use "string" type instead of a binary format (code not merged yet - no issue)
  • Policy replace/delete is missing. (#58)
  • Certificate management is lackluster (#59)

  • Updates to codebase/docs from Conjur -> CyberArk (#23)



Bugs

  • Fix error handling for policy loading for users/hosts w/ api_key_enabled (unconfirmed) - (#38)

Visual Studio 2019

  • When running tests without making changes: 8 Fails, 9 Passed
    • api-dotnet.test.Conjur.Test.AuthenticatorTest.TestTokenCaching
    • api-dotnet.test.Conjur.Test.AuthenticatorTest.TestTokenThreadSafe
    • api-dotnet.test.Conjur.Test.ClientTest.ActingAsTest
    • api-dotnet.test.Conjur.Test.ClientTest.TestLogin
    • api-dotnet.test.Conjur.Test.HostFactoryTest.TestCreateHost
    • api-dotnet.test.Conjur.Test.ResourceTest.TestCheck
    • api-dotnet.test.Conjur.Test.UserTest.ListUserTest
    • api-dotnet.test.Conjur.Test.VariablesTest.GetVariableTest
    • api-dotnet.test.Conjur.Test.VariablesTest.ListVariableTest

Investigate releasing `.dll` as a project artifact

In theory our artifact could be a droppable .dll file instead of needing to deal with the whole project import.

Describe the solution you would like

  • Investigate and implement releasing .dlls as an additional project artifact

Add integration tests

There are currently no integration tests in this repo

Describe the solution you would like

  • This repo contains integration tests that at minimum cover Conjur OSS

Investigate and improve API certificate management

Certificate management in the API is obscure and opaque. Expose certificate management better to the user.

Describe the solution you would like

  • Certificate management in this API is easy to use and intuitive

Fix Failing Tests "System.TypeLoadException"

  • api-dotnet.test.Conjur.Test.HostFactoryTest.TestCreateHost
  • api-dotnet.test.Conjur.Test.ResourceTest.TestCheck

These two tests are commented out, but fail when run. They give a "System.TypeLoadException" exception when run.

Master branch supports Conjur OSS and DAP

Update the master branch to add functionality to support Conjur OSS and DAP

AC:

  • Update functionality
  • Update README to be clear about functionality, and to list supported versions of Conjur OSS and DAP

Tagging of artifacts needs to be investigated and improved

We don't have a good release strategy for this project and the versioning "tag" seems arbitrary.

Describe the solution you would like

  • Release process is documented in CONTRIBUTING.md
  • Appropriate tagging/release strategy is chosen (TBD)
  • Appropriate tags are used for all artifacts (TBD)

Retrieving Environment Variables for Authentication

Is your feature request related to a problem? Please describe.

Although you can manually get the environment variables and assign them to the needed variables to instantiate a Client, it would be nice if there was a built-in way to do this like the Java API

Describe alternatives you have considered

Manually grabbing environment variables in the code, but this is an extra step that will have to be replicated for every application made.
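The manual step described in this request, as an added example that is not part of the issue or of the project's code: a loader that reads the connection settings from the environment and fails closed on a missing value or a non-HTTPS URL. `ConjurEnvSettings` is a hypothetical helper, and the `CONJUR_*` variable names are assumed to match the ones other Conjur clients use.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical helper for this example; not a type from conjur-api-dotnet.
public sealed class ConjurEnvSettings
{
    public Uri ApplianceUri { get; private set; }
    public string Account { get; private set; }
    public NetworkCredential Credential { get; private set; }

    // The lookup is injectable so tests can pass a dictionary instead of the real environment.
    public static ConjurEnvSettings Load(Func<string, string> getEnv = null)
    {
        if (getEnv == null) getEnv = Environment.GetEnvironmentVariable;
        // Assumed variable names: the ones used by other Conjur clients.
        string rawUrl = Require(getEnv, "CONJUR_APPLIANCE_URL");
        if (!Uri.TryCreate(rawUrl, UriKind.Absolute, out Uri uri) || uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("CONJUR_APPLIANCE_URL must be an absolute https:// URL.");
        return new ConjurEnvSettings
        {
            ApplianceUri = uri,
            Account = Require(getEnv, "CONJUR_ACCOUNT"),
            Credential = new NetworkCredential(
                Require(getEnv, "CONJUR_AUTHN_LOGIN"), Require(getEnv, "CONJUR_AUTHN_API_KEY")),
        };
    }

    private static string Require(Func<string, string> getEnv, string name)
    {
        string value = getEnv(name);
        // Report only the variable name; one of these values is an API key.
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException("Required environment variable " + name + " is not set.");
        return value;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values standing in for the process environment.
        var sample = new Dictionary<string, string>
        {
            { "CONJUR_APPLIANCE_URL", "https://conjur.example.test" },
            { "CONJUR_ACCOUNT", "demo" },
            { "CONJUR_AUTHN_LOGIN", "host/demo-app" },
            { "CONJUR_AUTHN_API_KEY", "constructed-placeholder-key" },
        };
        var s = ConjurEnvSettings.Load(name => sample.TryGetValue(name, out var v) ? v : null);
        Console.WriteLine(s.ApplianceUri + " account=" + s.Account + " login=" + s.Credential.UserName);
        // With the library referenced, per the method list on this page (argument types assumed):
        //   var client = new Client(s.ApplianceUri.ToString(), s.Account); client.Credential = s.Credential;
    }
}
```

Calling `ConjurEnvSettings.Load()` with no argument reads the real process environment.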

Increase unit test coverage

There are a lot of unit tests in the repository but increasing coverage to cover all main usages is needed

Describe the solution you would like

  • We have unit test code coverage over all logic used in most common scenarios

Connected to #35

Improve usage documentation

There are various issues with the documentation that should be addressed.

Describe the solution you would like

  • The documentation is solid for IDE use but not for CLI use. Was buildable with VS2019, so maybe that could be updated in the README.
  • The step in USAGE says to use -h in the conjur init command, this did not work in Conjur OSS and I needed to use -u (Conjur v4 leftover?)
  • Example very limited
    • Needs a bit more prod-like usage example
    • Needs a bit better full-spectrum usage (similar to the demo given)

Fix Failing Tests Using GetToken()

  • api-dotnet.test.Conjur.Test.AuthenticatorTest.TestTokenCaching
  • api-dotnet.test.Conjur.Test.AuthenticatorTest.TestTokenThreadSafe
  • api-dotnet.test.Conjur.Test.ClientTest.TestLogin

These 3 tests are commented out, but fail when run. They use the GetToken() method in the ApiKeyAuthenticator class. This method uses:
HttpWebRequest request = WebRequest.CreateHttp(this.uri);
which causes an error, because the test uri is "test:///". The method expects an http uri, so it throws an error.

Notes:

  • I looked into using WebMocker, but I am unfamiliar with it. When I tried to override the WebRequest.CreateHttp() in WebMocker it told me that the method was not overridable.
  • There is a MockAuthenticator class that just returns "token" when you call GetToken(), but these tests are to make sure the authenticator is working and that would circumvent a good portion of the test.

Make httpClient field protected or public

Is your feature request related to a problem? Please describe.

Since httpClient is currently an internal field it makes unit testing and expanding the Client class significantly harder and involves vague techniques (e.g. to make possible HttpClient substitution with a mocked one I've changed RootNamespace property of my test project to Conjur).

Describe the solution you would like

Make httpClient field either protected, public or assignable from outside in some other way (e.g. parameter of constructor).

Additional context

Mocking HttpClient is essential in unit testing since we need predictable responses. In expanding the Client class, access to an HttpClient instance also plays a major role.

Add code coverage to conjur-api-dotnet

Add code coverage to this project.

Acceptance Criteria:

  • Code coverage should be measured across all tests defined in this repository every time a build is run in any branch.
  • Coverage report should include:
    • Line Coverage (including highlighting which lines are covered and which are not - not just giving a percentage)
    • Conditional Coverage
    • Optionally, other kinds of coverage such as Package, Class, File, or Method coverage
  • Coverage report should be created in or converted to Cobertura format as part of build to allow for ingestion into coverage aggregation tools
  • Coverage report should be archived in the Jenkins build using the cobertura command as shown at https://github.com/cyberark/conjur-api-ruby/blob/072d21e01e46382ee4d577e180c1269f8ff9f36e/Jenkinsfile#L27
  • Coverage report should be uploaded to Code Climate with each build

standardised CHANGELOG exists, and is validated via pipeline

If the repo has a changelog that doesn't meet the standard, do try to change earlier entries to match the standard.
If the repo doesn't have a changelog use this as a starter:

# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [Unreleased]

Acceptance criteria

Policy loading from file isn't supported

Policy loading from file should be part of base functionality and it isn't

Describe the solution you would like

  • You can use the API to load a policy from file into Conjur

Investigate code signing usage

Signing of the code for test artifact is pretty gnarly and uses specific certs that are outdated. We may also need a real cert for distributing the dll (#52).

Describe the solution you would like

  • Investigate and improve code/artifact signing

Add Batch Secret Retrieval

Is your feature request related to a problem? Please describe.

Adding batch secret retrieval similar to the REST API

Describe alternatives you have considered

This can be done manually, by using ListVariables() to grab the list and looping through to retrieve each secret, but will have to be done separately for each application.

Use Windows credentials or Service credentials for client

Is there a way to access secrets from a dotnet client using the identity of the service under which code is running e.g. Windows Service or an API running in Kestrel/IIS under a service account?

Alternatively, can a machine be authenticated for access to secrets?

.NET SDK correctly handles Users/Hosts with `api_key_enabled`

Validate and fix any errors with the following workflows:

  • Loading Policy with users and hosts with API keys disabled shows policy load success/failure, but not API keys
  • Loading Policy updating users and hosts with previously enabled API keys shows policy load success/failure
  • Loading Policy updating users and hosts with previously disabled API keys shows policy load success/failure and generated API keys
  • Attempt to rotate disabled API results in a helpful error message
  • Attempt to authenticate as a user/host with a disabled API key results in an authentication failure

Related to: cyberark/conjur/issues/1359

Repo Meets Community Baseline Requirements

  • remove old docs links
  • add supported versions for DAP and Conjur OSS
  • remove “draft” language
  • check against the cyberark/conjur-template README and CONTRIBUTING to make sure this repo meets our baseline requirements
    • link to CONTRIBUTING in README? etc
    • does not need a certification level yet
  • does the license have an up-to-date copyright?
  • does the repo have bug / issue templates?
  • Add Table of Contents to README
  • Update CHANGELOG from #48
