conjur-api 4.31.0 → 5.0.0.rc1

data/features/host_factory_create_host.feature

@@ -0,0 +1,28 @@
+Feature: Create a host using a host factory token.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !policy
+      id: myapp
+      body:
+      - !layer
+
+      - !host-factory
+        layers: [ !layer ]
+    POLICY
+    @expiration = (DateTime.now + 1.hour).change(sec: 0)
+    @host_factory = $conjur.resource('cucumber:host_factory:myapp')
+    @token = @host_factory.create_token @expiration
+    """
+
+  Scenario: I can create a host from the token
+    When I run the code:
+    """
+    Conjur::API.host_factory_create_host(@token.token, "app-01")
+    """
+    Then the JSON should have "id"
+    And the JSON should have "permissions"
+    And the JSON should have "owner"
+    And the JSON should have "api_key"

data/features/host_factory_token.feature

@@ -0,0 +1,63 @@
+Feature: Working with host factory tokens.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !policy
+      id: myapp
+      body:
+      - !layer
+
+      - !host-factory
+        layers: [ !layer ]
+    POLICY
+    @expiration = (DateTime.now + 1.hour).change(sec: 0)
+    @host_factory = $conjur.resource('cucumber:host_factory:myapp')
+    """
+
+  @wip
+  Scenario: Create a new host factory token.
+    When I run the code:
+    """
+    @token = @host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    expect(@token).to be_instance_of(Conjur::HostFactoryToken)
+    expect(@token.token).to be_instance_of(String)
+    expiration = @token.expiration
+    expiration = expiration.change(sec: 0)
+    expect(expiration).to eq(@expiration)
+    """
+    And I can run the code:
+    """
+    expect(@host_factory.tokens).to eq([@token])
+    """
+
+  Scenario: Create multiple new host factory tokens.
+    When I run the code:
+    """
+    @host_factory.create_tokens @expiration, count: 2
+    """
+    Then the JSON should have 2 items
+
+  Scenario: Revoke a host factory token using the token object.
+    When I run the code:
+    """
+    @token = @host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    @token.revoke
+    """
+
+  Scenario: Revoke a host factory token using the API.
+    When I run the code:
+    """
+    @token = @host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    $conjur.revoke_host_factory_token @token.token
+    """

data/features/load_policy.feature

@@ -0,0 +1,61 @@
+Feature: Load a policy.
+
+  Scenario: Policy can be loaded into a policy id.
+    Then I can run the code:
+    """
+    policy = <<-POLICY
+    - !group security_admin
+
+    - !policy
+      id: myapp
+      body:
+      - !layer
+
+      - !host-factory
+        layers: [ !layer ]
+
+    - !host app-01
+
+    - !grant
+      role: !layer myapp
+      member: !host app-01
+    POLICY
+
+    $conjur.load_policy 'root', policy
+    """
+
+  Scenario: The policy load reports the API keys of created roles.
+    Then I can run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !host app-#{random_hex}
+    POLICY
+    """
+    Then the JSON should have "version"
+    And the JSON should have "created_roles"
+    And the JSON at "created_roles" should have 1 item
+
+  Scenario: Policy contents can be replaced using POLICY_METHOD_PUT.
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !group developers
+    - !group operations
+    POLICY
+    """
+    And I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY, method: Conjur::API::POLICY_METHOD_PUT
+    --- []
+    POLICY
+    """
+    And I run the code:
+    """
+    $conjur.resources.map(&:id)
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:policy:root"
+    ]
+    """

data/features/members.feature

@@ -0,0 +1,51 @@
+Feature: Display role members and memberships.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !group everyone
+    - !group developers
+    - !grant
+      role: !group everyone
+      member: !group developers
+    POLICY
+    """
+
+  Scenario: Show a role's members.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:everyone').members.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "admin_option": true,
+        "member": "cucumber:user:admin",
+        "role": "cucumber:group:everyone"
+      },
+      {
+        "admin_option": false,
+        "member": "cucumber:group:developers",
+        "role": "cucumber:group:everyone"
+      }
+    ]
+    """
+
+  Scenario: Show a role's memberships.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').memberships.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "id": "cucumber:group:developers"
+      },
+      {
+        "id": "cucumber:group:everyone"
+      }
+    ]
+    """

data/features/new_api.feature

@@ -0,0 +1,36 @@
+Feature: Constructing a new API object.
+  Background:
+    Given a new host
+
+  Scenario: From API key.
+    Then I run the code:
+    """
+    api = Conjur::API.new_from_key "host/#{@host_id}", @host_api_key
+    expect(api.token).to be_instance_of(Hash)
+    expect(api.resource("cucumber:host:#{@host_id}")).to exist
+    """
+
+  Scenario: From access token.
+    Given I run the code:
+    """
+    @token = Conjur::API.new_from_key("host/#{@host_id}", @host_api_key).token
+    """
+    Then I run the code:
+    """
+    api = Conjur::API.new_from_token @token
+    expect(api.resource("cucumber:host:#{@host_id}")).to exist
+    """
+
+  Scenario: From access token file.
+    Given I run the code:
+    """
+    token = Conjur::API.new_from_key("host/#{@host_id}", @host_api_key).token
+    @temp_file = Tempfile.new("token.json")
+    @temp_file.write(token.to_json)
+    @temp_file.flush
+    """
+    Then I run the code:
+    """
+    api = Conjur::API.new_from_token_file @temp_file.path
+    expect(api.resource("cucumber:host:#{@host_id}")).to exist
+    """

data/features/permitted.feature

@@ -0,0 +1,43 @@
+Feature: Check if a role has permission on a resource.
+
+  Background:
+    Given I run the code:
+    """
+    @host_id = "app-#{random_hex}"
+    response = $conjur.load_policy 'root', <<-POLICY
+    - !variable db-password
+
+    - !layer myapp
+
+    - !host #{@host_id}
+
+    - !permit
+      role: !layer myapp
+      privilege: execute
+      resource: !variable db-password
+    POLICY
+    @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+    expect(@host_api_key).to be
+    """
+
+  Scenario: Check if the current user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute'
+    """
+    Then the result should be "true"
+
+  Scenario: Check if a different user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:#{@host_id}"
+    """
+    Then the result should be "false"
+
+  Scenario: Check if a different user has the privilege, while logged in as that user.
+    When I run the code:
+    """
+    host_api = Conjur::API.new_from_key "host/#{@host_id}", @host_api_key
+    host_api.resource('cucumber:variable:db-password').permitted? 'execute'
+    """
+    Then the result should be "false"

data/features/permitted_roles.feature

@@ -0,0 +1,30 @@
+Feature: Enumerate roles which have a permission on a resource.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !variable db-password
+
+    - !layer myapp
+
+    - !permit
+      role: !layer myapp
+      privilege: execute
+      resource: !variable db-password
+    POLICY
+    """
+
+  @wip
+  Scenario: Permitted roles can be enumerated.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted_roles 'execute'
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:layer:myapp",
+      "cucumber:user:admin"
+    ]
+    """

data/features/public_keys.feature

@@ -0,0 +1,11 @@
+Feature: Fetch public keys for a user.
+
+  Background:
+    Given a new user
+
+  Scenario: User has a uidnumber.
+    When I run the code:
+    """
+    Conjur::API.public_keys @user.login
+    """
+    Then the result should be the public key

data/features/resource_fields.feature

@@ -0,0 +1,53 @@
+Feature: Display basic resource fields.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !group
+      id: developers
+      annotations:
+        gidnumber: 2000
+    POLICY
+    """
+
+  Scenario: Resource exposes id, kind, identifier, and attributes.
+    When I run the code:
+    """
+    resource = $conjur.resource('cucumber:group:developers')
+    [ resource.id, resource.account, resource.kind, resource.identifier, resource.attributes ]
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:group:developers",
+      "cucumber",
+      "group",
+      "developers",
+      {
+        "annotations": [
+          {
+            "name": "gidnumber",
+            "policy": "cucumber:policy:root",
+            "value": "2000"
+          }
+        ],
+        "owner": "cucumber:user:admin",
+        "permissions": [
+        ],
+        "policy": "cucumber:policy:root"
+      }
+    ]
+    """
+
+  Scenario: Resource#owner is the owner object
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').owner.id
+    """
+    Then the result should be "cucumber:user:admin"
+    And I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').class
+    """
+    Then the result should be "Conjur::Group"

data/features/role_fields.feature

@@ -0,0 +1,15 @@
+Feature: Display basic role fields.
+
+  Scenario: Login of a user is the login name.
+    When I run the code:
+    """
+    $conjur.role('cucumber:user:alice').login
+    """
+    Then the result should be "alice"
+
+  Scenario: Login of a non-user is prefixed with the role kind.
+    When I run the code:
+    """
+    $conjur.role('cucumber:host:myapp').login
+    """
+    Then the result should be "host/myapp"

data/features/rotate_api_key.feature

@@ -0,0 +1,13 @@
+Feature: Rotate the API key.
+
+  Scenario: Logged-in user can rotate the API key.
+    When I run the code:
+    """
+    Conjur::API.rotate_api_key 'admin', $api_key
+    """
+    Then I can run the code:
+    """
+    $api_key = @result.strip
+    $conjur = Conjur::API.new_from_key $username, @result
+    $conjur.token
+    """

data/features/step_definitions/api_steps.rb

@@ -1,57 +1,7 @@
-Then(/^I bootstrap$/) do
-  class Listener
-    attr_accessor :messages
-    
-    def initialize
-      @messages = []
+When(/^I(?: can)? run the code:$/) do |code|
+  @result = eval(code).tap do |result|
+    if ENV['DEBUG']
+      puts result
     end
-    
-    def echo msg
-      @messages.push msg
-    end
-  end
-  @listener = Listener.new
-  
-  $conjur.bootstrap @listener
-end
-
-Then(/^expressions "([^"]*)" and "([^"]*)" are equal$/) do |code, test|
-  expect(eval(code)).to eq(eval(test))
-end
-
-Then(/^expression "(.*?)" is equal to$/) do |code, test| 
-  step %Q{expressions "#{code}" and "#{test}" are equal}
-end
-    
-Then(/^expression "([^"]*)" includes "([^"]*)"$/) do |code, test|
-  expect(eval(code)).to include(eval(test))
-end
-
-Then(/^I evaluate the expression "([^"]*)"$/) do |code|
-  eval(code)
-end
-
-Then(/^I evaluate the expression$/) do |code|
-  step %Q{I evaluate the expression "#{code}"}
-end
-
-Then(/^I create the variable "(.*?)"$/) do |var|
-  api.create_variable('text/plain', 'secret', :id => var)
-end
-
-Then(/^I create an api with the additional audit (role|resource)[s]* "(.*?)"$/) do |type, things|
-  @api = api.send("with_audit_#{type}s", things.split(','))
-end
-
-Then(/^I check to see if I'm permitted to "(.*?)" variable "(.*?)"$/) do |priv, var|
-  api.variable(var).resource.permitted?(priv)
-end
-
-Then(/^an audit event for variable "(.*?)" with action "(.*?)" and (role|resource)[s]* "(.*?)" is generated$/) do |var, action, type, things|
-  resource_ids = things.split(',').collect {|id| api.resource(id).resourceid }
-  event_found = api.audit_resource(api.resource("variable:#{var}")).any? do |e|
-    e['action'] == action &&
-      Set.new(e["#{type}s"]).superset?(Set.new(resource_ids))
   end
-  expect(event_found).to be true
 end

data/features/step_definitions/policy_steps.rb

@@ -0,0 +1,35 @@
+Given(/^a new user$/) do
+  @user_id = "user-#{random_hex}"
+  @public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd/PAcCL9rW/zAS7DRns/KYiAvRAEKxBu/0IF32z7x6YiMFcA2hmH4DMYaIY45Xlj7L9uTZamUlRZNjSS9Xm6Lhh7XGceIX2067/MDnH+or9xh5LZs6gb3x7QVtNz26Au5h5kP0xoJ+wpVxvY707BeSax/WQZI8akqd0fD1IqOoafWkcX0ucu5iIgDh08R7zq3vrDHEK7+SoYo9ncHfmOUJ5lmImGiU/WMqM0OzN3RsgxJi/aaHjW1IASTY8TmAtTtjEsxbQXxRVUCAP9vWUZg7p3aqIB6sEP8skgncCUtHBQxUtE1XN8Q8NeFOzau6+9sQTXlPl8c/L4Jc4K96C75 #{@user_id}@example.com"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user
+    id: #{@user_id}
+    uidnumber: 1000
+    public_keys:
+    - #{@public_key}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{@user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
+Given(/^a new group$/) do
+  @group_id = "group-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !group
+    id: #{@group_id}
+    gidnumber: 1000
+  POLICY
+  @group = $conjur.resource("cucumber:group:#{@group_id}")
+end
+
+Given(/^a new host$/) do
+  @host_id = "app-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !host #{@host_id}
+  POLICY
+  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+  expect(@host_api_key).to be
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end

data/features/step_definitions/result_steps.rb

@@ -0,0 +1,7 @@
+Then(/^the result should be "([^"]+)"$/) do |expected|
+  expect(@result.to_s).to eq(expected.to_s)
+end
+
+Then(/^the result should be the public key$/) do
+  expect(@result).to eq(@public_key + "\n")
+end

data/features/support/env.rb

@@ -1,6 +1,15 @@
-require 'aruba/cucumber'
-require 'conjur/cli'
+require 'simplecov'
 
-Conjur::Config.load
-Conjur::Config.apply
-$conjur = Conjur::Authn.connect nil, noask: true
+SimpleCov.start
+
+require 'json_spec/cucumber'
+require 'conjur/api'
+
+Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'http://localhost/api/v6'
+Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
+
+$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
+$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
+
+$api_key = Conjur::API.login $username, $password
+$conjur = Conjur::API.new_from_key $username, $api_key

data/features/support/hooks.rb

@@ -0,0 +1,3 @@
+Before do
+  $conjur.load_policy 'root', "--- []"
+end

data/features/support/world.rb

@@ -1,13 +1,12 @@
 module ApiWorld
-
-  def api
-    @api ||= Conjur::Authn.connect(nil, :noask => true)
+  def last_json
+    @result.to_json
   end
 
-  def namespace
-    @namespace ||= api.create_variable('text/plain', 'id').id.tap {|ns| puts "namespace: #{ns}"}
+  def random_hex nbytes = 12
+    @random ||= Random.new
+    @random.bytes(nbytes).unpack('h*').first
   end
-
 end
 
 World ApiWorld

data/features/update_password.feature

@@ -0,0 +1,14 @@
+Feature: Change a user's password.
+  Background:
+    Given a new user
+
+  Scenario: A user can set/change her password using the current API key.
+    When I run the code:
+    """
+    Conjur::API.update_password @user_id, @user_api_key, 'secret'
+    @new_api_key = Conjur::API.login @user_id, 'secret'
+    """
+    Then I can run the code:
+    """
+    Conjur::API.new_from_key(@user_id, @new_api_key).token
+    """

data/features/user.feature

@@ -0,0 +1,17 @@
+Feature: Display User object fields.
+
+  Background:
+    Given a new user
+
+  Scenario: User has a uidnumber.
+    Then I run the code:
+    """
+    @user.uidnumber
+    """
+    Then the result should be "1000"
+
+  Scenario: Logged-in user is the current_role.
+    Then I run the code:
+    """
+    expect($conjur.current_role(Conjur.configuration.account).id.to_s).to eq("cucumber:user:admin")
+    """

data/features/variable_fields.feature

@@ -0,0 +1,20 @@
+Feature: Display Variable fields.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !variable
+      id: ssl-certificate
+      kind: SSL certificate
+      mime_type: application/x-pem-file
+    POLICY
+    """
+    And I run the code:
+    """
+    $conjur.resource('cucumber:variable:ssl-certificate')
+    """
+
+  Scenario: Display MIME type and kind
+    Then the JSON at "mime_type" should be "application/x-pem-file"
+    And the JSON at "kind" should be "SSL certificate"