conjur-api 5.0.0 → 5.1.0

data/features/support/env.rb

@@ -7,6 +7,7 @@ require 'conjur/api'
 
 Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'http://localhost/api/v6'
 Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
+Conjur.configuration.authn_local_socket = "/run/authn-local-5/.socket"
 
 $username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
 $password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'

data/features/variable_value.feature

@@ -12,26 +12,19 @@ Feature: Work with Variable values.
     @variable_2 = $conjur.resource("cucumber:variable:#{@variable_id}-2")
     """
 
-  Scenario: Initially the variable has no values
-    When I run the code:
-    """
-    @variable.version_count
-    """
-    Then the result should be "0"
-
   Scenario: Add a value, retrieve the variable metadata and the value.
-    Given I run the code:
+    When I run the code:
     """
+    @initial_count = @variable.version_count
     @variable.add_value 'value-0'
     """
-    When I run the code:
+    And I run the code:
     """
-    @variable.version_count
+    expect(@variable.version_count).to eq(@initial_count + 1)
     """
-    Then the result should be "1"
     And I run the code:
     """
-    @variable.value
+    @variable.value(@variable.version_count)
     """
     Then the result should be "value-0"
 
@@ -44,7 +37,7 @@ Feature: Work with Variable values.
     """
     When I run the code:
     """
-    @variable.value(1)
+    @variable.value(@variable.version_count - 2)
     """
     Then the result should be "value-0"
 

data/features_v4/authn_local.feature

@@ -0,0 +1,27 @@
+Feature: When co-located with the Conjur server, the API can use the authn-local service to authenticate.
+
+  Scenario: authn-local can be used to obtain an access token.
+    When I run the code:
+    """
+    Conjur::API.authenticate_local "alice"
+    """
+    Then the JSON should have "data"
+
+  Scenario: Conjur API supports construction from authn-local.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    """
+    Then the JSON should have "data"
+
+  Scenario: Conjur API will automatically refresh the token.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    @api.force_token_refresh
+    @api.token
+    """
+    Then the JSON should have "data"
+    And the JSON at "data" should be "alice"

data/features_v4/exists.feature

@@ -0,0 +1,29 @@
+Feature: Check if an object exists.
+
+  Scenario: A created group resource exists
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').exists?
+    """
+    Then the result should be "true"
+
+  Scenario: An un-created resource doesn't exist
+    When I run the code:
+    """
+    $conjur.resource('cucumber:food:bacon').exists?
+    """
+    Then the result should be "false"
+
+  Scenario: A created group role exists
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').exists?
+    """
+    Then the result should be "true"
+
+  Scenario: An un-created role doesn't exist
+    When I run the code:
+    """
+    $conjur.role('cucumber:food:bacon').exists?
+    """
+    Then the result should be "false"

data/features_v4/host.feature

@@ -0,0 +1,18 @@
+Feature: Display Host object fields.
+
+  Background:
+    Given a new host
+
+  Scenario: API key of a newly created host is available and valid.
+    Then I run the code:
+    """
+    expect(@host.exists?).to be(true)
+    expect(@host.api_key).to be
+    """
+
+  Scenario: API key of a a host can be rotated.
+    Then I run the code:
+    """
+    api_key = @host.rotate_api_key
+    Conjur::API.new_from_key("host/#{@host.id.identifier}", api_key).token
+    """

data/features_v4/host_factory_token.feature

@@ -0,0 +1,49 @@
+Feature: Working with host factory tokens.
+
+  Background:
+    Given I run the code:
+    """
+    @expiration = (DateTime.now + 1.hour).change(sec: 0)
+    """
+
+
+  Scenario: Create a new host factory token.
+    When I run the code:
+    """
+    @token = $host_factory.create_token(@expiration)
+    """
+    Then I can run the code:
+    """
+    expect(@token).to be_instance_of(Conjur::HostFactoryToken)
+    expect(@token.token).to be_instance_of(String)
+    expiration = @token.expiration
+    expiration = expiration.change(sec: 0)
+    expect(expiration).to eq(@expiration)
+    """
+
+  Scenario: Create multiple new host factory tokens.
+    When I run the code:
+    """
+    $host_factory.create_tokens @expiration, count: 2
+    """
+    Then the JSON should have 2 items
+
+  Scenario: Revoke a host factory token using the token object.
+    When I run the code:
+    """
+    @token = $host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    @token.revoke
+    """
+
+  Scenario: Revoke a host factory token using the API.
+    When I run the code:
+    """
+    @token = $host_factory.create_token @expiration
+    """
+    Then I can run the code:
+    """
+    $conjur.revoke_host_factory_token @token.token
+    """

data/features_v4/members.feature

@@ -0,0 +1,39 @@
+Feature: Display role members and memberships.
+
+  Scenario: Show a role's members.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:everyone').members.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "admin_option": false,
+        "member": "cucumber:group:developers",
+        "role": "cucumber:group:everyone"
+      },
+      {
+        "admin_option": true,
+        "member": "cucumber:group:security_admin",
+        "role": "cucumber:group:everyone"
+      }
+    ]
+    """
+
+  Scenario: Show a role's memberships.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').memberships.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "id": "cucumber:group:developers"
+      },
+      {
+        "id": "cucumber:group:everyone"
+      }
+    ]
+    """

data/features_v4/permitted.feature

@@ -0,0 +1,15 @@
+Feature: Check if a role has permission on a resource.
+
+  Scenario: Check if the current user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute'
+    """
+    Then the result should be "true"
+
+  Scenario: Check if a different user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:bob"
+    """
+    Then the result should be "false"

data/features_v4/permitted_roles.feature

@@ -0,0 +1,8 @@
+Feature: Enumerate roles which have a permission on a resource.
+
+  Scenario: Permitted roles can be enumerated.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted_roles 'execute'
+    """
+    Then the JSON should include "cucumber:layer:myapp"

data/features_v4/resource_fields.feature

@@ -0,0 +1,47 @@
+Feature: Display basic resource fields.
+
+  Scenario: Group exposes id, kind, identifier, and gidnumber.
+    When I run the code:
+    """
+    resource = $conjur.resource('cucumber:group:developers')
+    [ resource.id, resource.account, resource.kind, resource.identifier, resource.gidnumber ]
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:group:developers",
+      "cucumber",
+      "group",
+      "developers",
+      2000
+    ]
+    """
+
+  Scenario: User exposes id, kind, identifier, and uidnumber.
+    When I run the code:
+    """
+    resource = $conjur.resource('cucumber:user:alice')
+    [ resource.id, resource.account, resource.kind, resource.identifier, resource.uidnumber ]
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:user:alice",
+      "cucumber",
+      "user",
+      "alice",
+      2000
+    ]
+    """
+
+  Scenario: Resource#owner is the owner object
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').owner.id
+    """
+    Then the result should be "cucumber:group:security_admin"
+    And I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').class
+    """
+    Then the result should be "Conjur::Group"

data/features_v4/rotate_api_key.feature

@@ -0,0 +1,13 @@
+Feature: Rotate the API key.
+
+  Scenario: Logged-in user can rotate the API key.
+    When I run the code:
+    """
+    $conjur.role('cucumber:user:alice').rotate_api_key
+    """
+    Then I can run the code:
+    """
+    @api_key = @result.strip
+    @conjur = Conjur::API.new_from_key 'alice', @api_key
+    @conjur.token
+    """

data/features_v4/step_definitions/api_steps.rb

@@ -0,0 +1,17 @@
+Given(/^a new host$/) do
+  @host_id = "app-#{random_hex}"
+  host = Conjur::API.host_factory_create_host($token, @host_id)
+  @host_api_key = host.api_key
+  expect(@host_api_key).to be
+
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end
+
+When(/^I(?: can)? run the code:$/) do |code|
+  @result = eval(code).tap do |result|
+    if ENV['DEBUG']
+      puts result
+    end
+  end
+end

data/features_v4/step_definitions/result_steps.rb

@@ -0,0 +1,3 @@
+Then(/^the result should be "([^"]+)"$/) do |expected|
+  expect(@result.to_s).to eq(expected.to_s)
+end

data/features_v4/support/env.rb

@@ -0,0 +1,23 @@
+require 'simplecov'
+
+SimpleCov.start
+
+require 'json_spec/cucumber'
+require 'conjur/api'
+
+Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'https://conjur_4/api'
+Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
+Conjur.configuration.cert_file = "./tmp/conjur.pem"
+Conjur.configuration.authn_local_socket = "/run/authn-local-4/.socket"
+Conjur.configuration.version = 4
+
+Conjur.configuration.apply_cert_config!
+
+$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
+$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
+
+$api_key = Conjur::API.login $username, $password
+$conjur = Conjur::API.new_from_key $username, $api_key
+
+$host_factory = $conjur.resource('cucumber:host_factory:myapp')
+$token = $host_factory.create_token(Time.now + 1.hour)

data/features_v4/support/policy.yml

@@ -0,0 +1,34 @@
+- !user
+  id: alice
+  uidnumber: 2000
+  
+- !group
+  id: developers
+  gidnumber: 2000
+
+- !group everyone
+
+- !grant
+  role: !group everyone
+  member: !group developers
+
+- !variable db-password
+
+- !variable ssh-key
+
+- !variable
+  id: ssl-certificate
+  kind: SSL certificate
+  mime_type: application/x-pem-file
+
+- !layer myapp
+
+- !host-factory
+  id: myapp
+  layers: [ !layer myapp ]
+
+- !permit
+  role: !layer myapp
+  privileges: [ read, execute ]
+  resources:
+    - !variable db-password

data/features_v4/support/world.rb

@@ -0,0 +1,12 @@
+module ApiWorld
+  def last_json
+    @result.to_json
+  end
+
+  def random_hex nbytes = 12
+    @random ||= Random.new
+    @random.bytes(nbytes).unpack('h*').first
+  end
+end
+
+World ApiWorld

data/features_v4/variable_fields.feature

@@ -0,0 +1,11 @@
+Feature: Display Variable fields.
+
+  Background:
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:ssl-certificate')
+    """
+
+  Scenario: Display MIME type and kind
+    Then the JSON at "mime_type" should be "application/x-pem-file"
+    And the JSON at "kind" should be "SSL certificate"

data/features_v4/variable_value.feature

@@ -0,0 +1,54 @@
+Feature: Work with Variable values.
+  Background:
+    Given I run the code:
+    """
+    @variable = $conjur.resource("cucumber:variable:db-password")
+    @variable_2 = $conjur.resource("cucumber:variable:ssh-key")
+    """
+
+  Scenario: Add a value, retrieve the variable metadata and the value.
+    Given I run the code:
+    """
+    @initial_count = @variable.version_count
+    @variable.add_value 'value-0'
+    """
+    When I run the code:
+    """
+    expect(@variable.version_count).to eq(@initial_count + 1)
+    """
+    And I run the code:
+    """
+    @variable.value
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve a historical value.
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable.add_value 'value-1'
+    @variable.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    @variable.value(@variable.version_count - 2)
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve multiple values in a batch
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable_2.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    $conjur.variable_values([ @variable, @variable_2 ].map(&:id))
+    """
+    Then the JSON should be:
+    """
+    {
+      "db-password": "value-0",
+      "ssh-key": "value-2"
+    }
+    """