conjur-api 5.3.2 → 5.3.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 184486b0770526d9426247e1d6add16572cc73791a160bc828265ea39f01e288
-  data.tar.gz: 35f3aae54507b549c5c43e7b66034eff28ab4ed331574c4f80301c32c6c42070
+  metadata.gz: 7ff5a377ccb9f8a1e9bf489c3c4e8a403adf795ce73f2eb88d204ff9963f9e15
+  data.tar.gz: ce065cc5820c6deaabd504f8cc3893da57ed0043ef621327134e53df4ce689b9
 SHA512:
-  metadata.gz: b289c3c2e41af4e7847d08b0a7229df9d9a96a2ef1c981ad6ac69bc1db588f99e4f63467152678d34f55c37eeb2ae30daf7ed55f39eb8e3ec9630b1749af6509
-  data.tar.gz: 0a3aba01a8046572a9a1dfea88a71c250727731e2df836f2a262c70a08514dde2b8281c544feb55243fd081f9da0dabf13ecaa7a99bf5d7adf86c0ed1fc7d370
+  metadata.gz: 888764fb96ae3122eb82a9ed9d652548a46c33109d5c85ab09ece0ce0cd65982f429376b559ebdd47d77c76ed911d2de0cec36b92bf6eeff1e92051d7ce36892
+  data.tar.gz: 4ecd8d2df762195c14167e513e4379a985076f8dec2fc7f62d09d013ad472c24a3e44c068c733859a2b9051a852be709521251ce46d049fd54b56db7b2a9d8ed

data/.github/CODEOWNERS

@@ -0,0 +1,10 @@
+* @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team
+
+# Changes to .trivyignore require Security Architect approval
+.trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
+
+# Changes to .codeclimate.yml require Quality Architect approval
+.codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects
+
+# Changes to SECURITY.md require Security Architect approval
+SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects

data/.gitleaks.toml

@@ -1,4 +1,4 @@
-title = "Secretless Broker gitleaks config"
+title = "Conjur API Ruby gitleaks config"
 
 # This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
 # If GITLEAKS_CONFIG environment variable

data/CHANGELOG.md

@@ -6,6 +6,42 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [5.3.6] - 2021-12-09
+### Changed
+- Support ruby-3.0.2.
+  [cyberark/conjur-api-ruby#197](https://github.com/cyberark/conjur-api-ruby/pull/197)
+
+## [5.3.5] - 2021-05-04
+
+### Added
+- Add `rest_client_options` option to `Conjur.configuration`. This allows users to
+  configure the RestClient instance used by Conjur API to communicate with the Conjur 
+  server.
+  [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
+
+### Changed
+- Replace monkey patching `RestClient::Request` with defaults on `Conjur.configuration.rest_client_options`
+  in order to limit the scope of the default `:ssl_cert_store` option only to inside
+  Conjur API. 
+  [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
+
+## [5.3.4] - 2020-10-29
+
+### Changed
+- When rotating the currently logged in user's/host's API key, we now explictily
+  prevent use of `resource({own_id}).rotate_api_key` for that action as the
+  `Conjur::API.rotate_api_key` should be used instead for that. This change is a
+  downstream enforcement of the stricter key rotation requirements on the server
+  covered by [this](https://github.com/cyberark/conjur/security/advisories/GHSA-qhjf-g9gm-64jq)
+  security bulletin.
+  [cyberark/conjur-api-ruby#181](https://github.com/cyberark/conjur-api-ruby/issues/181)
+
+## [5.3.3] - 2020-08-18
+### Changed
+- Release process is updated to ensure that the published Ruby Gem matches a tag in this repository,
+  so that consumers of this gem can always reference the correct source code included in any given version.
+  [cyberark/conjur-api-ruby#173](https://github.com/cyberark/conjur-api-ruby/issues/173)
+
 ## 5.3.2 - 2018-09-24
 ### Added
 - Add `Conjur::API.authenticator_list`, `Conjur::API.authenticator_enable`, and
@@ -315,7 +351,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [2.0.0] - 2013-13-12
 
-[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.1...HEAD
+[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...HEAD
+[5.3.6]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.5...v5.3.6
+[5.3.5]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...v5.3.5
+[5.3.4]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.3...v5.3.4
+[5.3.3]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.1...v5.3.3
 [5.3.1]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.0...v5.3.1
 [5.3.0]: https://github.com/cyberark/conjur-api-ruby/compare/v5.1.0...v5.3.0
 [5.1.0]: https://github.com/cyberark/conjur-api-ruby/compare/v5.0.0...v5.1.0

data/CONTRIBUTING.md

@@ -120,30 +120,22 @@ $ docker-compose down
 
 ## Releasing
 
-Releasing a new version of this Gem involves a two step process:
-1. Tag and Release (using `bin/release`)
-2. Approving the push to RubyGems in Jenkins
+### Update the version and changelog
 
-### Step 1: Tag and Release
+1. Create a new branch for the version bump.
+1. Based on the unreleased content, determine the new version number and update
+    the [version.rb](lib/conjur-api/version.rb) file.
+1. Commit these changes - `Bump version to x.y.z` is an acceptable commit message - and open a PR
+   for review. Your PR should include updates to `lib/conjur-api/version.rb`, and
+    `CHANGELOG.md`.
 
-First, update the following files:
+### Add a git tag
 
-- The version file (`lib/conjur-api/version.rb`) has been updated with an appropriate Semantic version number.
-- The `CHANGELOG.md` file has been updated to reflect the release version and appropriate release notes.
+1. Once your changes have been **reviewed and merged into main**, tag the version
+   using `git tag -a "vx.y.z" -m "vx.y.z release"`. Note this requires you to be able to sign releases.
+   Consult the [github documentation on signing commits](https://help.github.com/articles/signing-commits-with-gpg/)
+   on how to set this up. `vx.y.z release` is an acceptable tag message.
+1. Push the tag: `git push vx.y.z` (or `git push origin vx.y.z` if you are working
+   from your local machine).
 
-Next, save -- but do not commit -- the changes above.
-
-Finally, when you're ready to release, run the following:
-
-```sh
-$ bin/release
-```
-
-### Step 2: Approve the push to RubyGems in Jenkins
-
-- Navigate to Jenkins: https://jenkins.conjur.net/job/cyberark--conjur-api-ruby/job/master/.
-- Once the pipeline reaches the `Publish to RubyGems?` stage, click the blue box, and then click `Logs`.
-- Open the confirmation step (`Wait for interactive input -- Publish to RubyGems?`), and click `Proceed`. Nothing appears to happen, but the "Publish" stage will be run.
-- Finally, verify that the new library is present in RubyGems: https://rubygems.org/gems/conjur-api
-
-The release is now complete.
+After pushing the tag, a matching version will be published to [RubyGems](https://rubygems.org/gems/conjur-api/versions)!

data/Dockerfile

@@ -1,4 +1,5 @@
-FROM ruby:2.3
+ARG RUBY_VERSION
+FROM ruby:$RUBY_VERSION
 
 RUN apt-get update && apt-get install -y vim curl
 

data/Gemfile

@@ -1,11 +1,7 @@
 source 'https://rubygems.org'
 
-#ruby=ruby-2.3
+#ruby=ruby-3.0
 #ruby-gemset=conjur-api
 
 # Specify your gem's dependencies in conjur-api.gemspec
 gemspec
-
-group :test do
-  gem 'simplecov-cobertura', require: false
-end

data/Jenkinsfile

@@ -13,20 +13,41 @@ pipeline {
   }
 
   stages {
-    stage('Validate') {
-      parallel {
-        stage('Changelog') {
-          steps { sh './bin/parse-changelog.sh' }
+    stage('Validate Changelog') {
+      steps { sh './bin/parse-changelog.sh' }
+    }
+
+    stage('Prepare CC Report Dir'){
+      steps {
+        script {
+          ccCoverage.dockerPrep()
+          sh 'mkdir -p coverage'
         }
       }
     }
 
-    stage('Test') {
+    stage('Test Ruby 2.5') {
+      environment {
+        RUBY_VERSION = '2.5'
+      }
       steps {
-        script {
-          ccCoverage.setGitEnvVars();
+        sh './test.sh'
+      }
+
+      post {
+        always {
+          junit 'spec/reports/*.xml'
+          junit 'features/reports/*.xml'
+          junit 'features_v4/reports/*.xml'
         }
-        milestone(1)
+      }
+    }
+
+    stage('Test Ruby 2.6') {
+      environment {
+        RUBY_VERSION = '2.6'
+      }
+      steps {
         sh './test.sh'
       }
 
@@ -35,39 +56,62 @@ pipeline {
           junit 'spec/reports/*.xml'
           junit 'features/reports/*.xml'
           junit 'features_v4/reports/*.xml'
-          cobertura autoUpdateHealth: true, autoUpdateStability: true, coberturaReportFile: 'coverage/coverage.xml', conditionalCoverageTargets: '100, 0, 0', failUnhealthy: true, failUnstable: false, lineCoverageTargets: '99, 0, 0', maxNumberOfBuilds: 0, methodCoverageTargets: '100, 0, 0', onlyStable: false, sourceEncoding: 'ASCII', zoomCoverageChart: false
         }
       }
     }
 
-    // Only publish to RubyGems if branch is 'master'
-    // AND someone confirms this stage within 5 minutes
-    stage('Publish to RubyGems?') {
-      agent { label 'releaser-v2' }
-
-      when {
-        allOf {
-          branch 'master'
-          expression {
-            boolean publish = false
-
-            if (env.PUBLISH_GEM == "true") {
-                return true
-            }
-
-            try {
-              timeout(time: 5, unit: 'MINUTES') {
-                input(message: 'Publish to RubyGems?')
-                publish = true
-              }
-            } catch (final ignore) {
-              publish = false
-            }
-
-            return publish
-          }
+    stage('Test Ruby 2.7') {
+      environment {
+        RUBY_VERSION = '2.7'
+      }
+      steps {
+        sh './test.sh'
+      }
+
+      post {
+        always {
+          junit 'spec/reports/*.xml'
+          junit 'features/reports/*.xml'
+          junit 'features_v4/reports/*.xml'
         }
       }
+    }
+
+    stage('Test Ruby 3.0') {
+      environment {
+        RUBY_VERSION = '3.0'
+      }
+      steps {
+        sh("./test.sh")
+      }
+      post {
+        always {
+          junit 'spec/reports/*.xml'
+          junit 'features/reports/*.xml'
+          junit 'features_v4/reports/*.xml'
+        }
+      }
+    }
+
+    stage('Submit Coverage Report'){
+      steps{
+        sh 'ci/submit-coverage'
+        publishHTML([reportDir: 'coverage', reportFiles: 'index.html', reportName: 'Coverage Report', reportTitles: '',
+          allowMissing: false, alwaysLinkToLastBuild: true, keepAll: true])
+      }
+
+      post {
+        always {
+          archiveArtifacts artifacts: "coverage/.resultset.json", fingerprint: false
+        }
+      }
+    }
+
+    // Only publish to RubyGems if the tag begins with 'v' ex) v5.3.2
+    stage('Publish to RubyGems?') {
+      agent { label 'executor-v2' }
+
+      when { tag "v*" }
       steps {
         // Clean up first
         sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd'

data/LICENSE

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
+   Copyright (c) 2021 CyberArk Software Ltd. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

data/README.md

@@ -11,7 +11,7 @@ The Conjur server comes in two major versions:
 * **4.x** Conjur 4 is a commercial, non-open-source product, which is documented at [https://developer.conjur.net/](https://developer.conjur.net/).
 * **5.x** Conjur 5 is open-source software, hosted and documented at [https://www.conjur.org/](https://www.conjur.org/).
 
-You can use the `master` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
+You can use the `main` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
 
 * Authenticate
 * Fetch secrets
@@ -24,6 +24,17 @@ Use the configuration setting `Conjur.configuration.version` to select your serv
 
 If you are using Conjur server version `4.x`, you can also choose to use the `conjur-api` version `4.x`. In this case, the `Configuration.version` setting is not required (actually, it doesn't exist).
 
+## Using conjur-api-ruby with Conjur Open Source 
+
+Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we 
+**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS 
+suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html). 
+Conjur maintainers perform additional testing on the suite release versions to ensure 
+compatibility. When possible, upgrade your Conjur version to match the 
+[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm); 
+when using integrations, choose the latest suite release that matches your Conjur version. For any 
+questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5).
+
 # Installation
 
 Add this line to your application's Gemfile:
@@ -117,12 +128,34 @@ Conjur::API.new_from_key login, api_key
 Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be
 prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.example.com`.
 
+## Configuring RestClient
+
+[Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb)
+allows optional configuration of the [RestClient](https://github.com/rest-client/rest-client)
+instance used by Conjur API to communicate with the Conjur server, via the options hash
+`Conjur.configuration.rest_client_options`.
+
+The default value for the options hash is:
+```ruby
+{
+  ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+}
+```
+
+For example, here's how you would configure the client to use a proxy and `ssl_ca_file` (instead of the default `ssl_cert_store`).
+```ruby
+Conjur.configuration.rest_client_options = {
+    ssl_ca_file: "ca_certificate.pem",
+    proxy: "http://proxy.example.com/"
+}
+```
+
 ## Contributing
 
 We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing
 guide][contrib].
 
-[contrib]: https://github.com/cyberark/conjur-api-ruby/blob/master/CONTRIBUTING.md
+[contrib]: https://github.com/cyberark/conjur-api-ruby/blob/main/CONTRIBUTING.md
 
 ## License
 

data/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will 
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

data/ci/submit-coverage

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eux
+
+DIR="coverage"
+BIN="cc-test-reporter"
+REPORT="${DIR}/.resultset.json"
+
+if [[ ! -e ${REPORT} ]]; then
+    echo "SimpleCov report (${REPORT}) not found"
+    ls -laR ${DIR}
+    exit 1
+fi
+
+if [[ ! -x ${BIN} ]]; then
+    echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
+    ls -laR ${DIR}
+    # report is present but reporter binary is not, definitely a bug, exit error.
+    exit 1
+fi
+
+# Simplecov excludes files not within the current repo, it also needs to
+# be able to read all the files referenced within the report. As the reports
+# are generated in containers, the absolute paths contained in the report
+# are not valid outside that container. This sed fixes the paths
+# So they are correct relative to the Jenkins workspace.
+sed -i -E "s+/src/conjur-api+${WORKSPACE}+g" "${REPORT}"
+
+echo "Coverage reports prepared, submitting to CodeClimate."
+# vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
+
+./${BIN} after-build \
+    --coverage-input-type "simplecov"\
+    --id "${TRID}"
+
+echo "Successfully Reported Coverage Data"

data/conjur-api.gemspec

@@ -2,8 +2,8 @@
 require File.expand_path('../lib/conjur-api/version', __FILE__)
 
 Gem::Specification.new do |gem|
-  gem.authors       = ["Rafal Rzepecki","Kevin Gilpin"]
-  gem.email         = ["rafal@conjur.net","kgilpin@conjur.net"]
+  gem.authors       = ["CyberArk Maintainers"]
+  gem.email         = ["conj_maintainers@cyberark.com"]
   gem.description   = %q{Conjur API}
   gem.summary       = %q{Conjur API}
   gem.homepage      = "https://github.com/cyberark/conjur-api-ruby/"
@@ -22,7 +22,8 @@ Gem::Specification.new do |gem|
   gem.executables -= %w{parse-changelog.sh}
 
   gem.add_dependency 'rest-client'
-  gem.add_dependency 'activesupport'
+  gem.add_dependency 'activesupport', '>= 4.2'
+  gem.add_dependency 'addressable', '~> 2.8.0'
 
   gem.add_development_dependency 'rake', '>= 12.3.3'
   gem.add_development_dependency 'rspec', '~> 3'
@@ -30,7 +31,7 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'json_spec'
   gem.add_development_dependency 'cucumber', '~> 2.99'
   gem.add_development_dependency 'ci_reporter_rspec'
-  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
   gem.add_development_dependency 'io-grab'
   gem.add_development_dependency 'rdoc'
   gem.add_development_dependency 'yard'

data/docker-compose.yml

@@ -23,7 +23,11 @@ services:
       - authn_local_4:/run/authn-local
 
   tester_5:
-    build: .
+    build:
+        context: .
+        dockerfile: Dockerfile
+        args:
+          RUBY_VERSION: ${RUBY_VERSION}
     volumes:
       - ./spec/reports:/src/conjur-api/spec/reports
       - ./features/reports:/src/conjur-api/features/reports
@@ -35,7 +39,11 @@ services:
       CONJUR_ACCOUNT: cucumber
 
   tester_4:
-    build: .
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        RUBY_VERSION: ${RUBY_VERSION}
     volumes:
       - ./features_v4/reports:/src/conjur-api/features_v4/reports
       - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
@@ -47,7 +55,11 @@ services:
       CONJUR_ACCOUNT: cucumber
 
   dev:
-    build: .
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        RUBY_VERSION: ${RUBY_VERSION}
     entrypoint: bash
     volumes:
       - .:/src/conjur-api

data/features/host.feature

@@ -1,20 +1,50 @@
-Feature: Display Host object fields.
+Feature: Host object
 
-  Background:
+  Scenario: API key of a newly created host is available and valid
     Given a new host
-
-  Scenario: API key of a newly created host is available and valid.
-    Then I run the code:
+    Then I can run the code:
     """
     expect(@host.exists?).to be(true)
     expect(@host.api_key).to be
     Conjur::API.new_from_key(@host.login, @host.api_key).token
     """
 
-  Scenario: API key of a a host can be rotated.
-    Then I run the code:
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with an API key
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
     """
     host = Conjur::API.new_from_key(@host.login, @host.api_key).resource(@host.id)
-    api_key = host.rotate_api_key
-    Conjur::API.new_from_key(@host.login, api_key).token
+    host.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with a token
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@host.login, @host.api_key).token
+
+    host = Conjur::API.new_from_token(token).resource(@host.id)
+    host.rotate_api_key
+    """
+
+  Scenario: Delegated host's API key can be rotated with an API key
+    Given a new delegated host
+    Then I can run the code:
+    """
+    delegated_host_resource = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
+    """
+
+  Scenario: Delegated host's API key can be rotated with a token
+    Given a new delegated host
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).token
+
+    delegated_host_resource = Conjur::API.new_from_token(token).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
     """

data/features/step_definitions/api_steps.rb

@@ -1,7 +1,18 @@
-When(/^I(?: can)? run the code:$/) do |code|
+Then(/^I(?: can)? run the code:$/) do |code|
   @result = eval(code).tap do |result|
-    if ENV['DEBUG']
-      puts result
+    puts result if ENV['DEBUG']
+  end
+end
+
+Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
+  begin
+    @result = eval(code)
+  rescue Exception => exc
+    if not exc.message =~ %r{#{error_msg}}
+      fail "'#{error_msg}' was not found in '#{exc.message}'"
     end
+  else
+    puts @result if ENV['DEBUG']
+    fail "The provided block did not raise an error"
   end
 end

data/features/step_definitions/policy_steps.rb

@@ -13,6 +13,25 @@ Given(/^a new user$/) do
   expect(@user_api_key).to be
 end
 
+Given(/^a new delegated user$/) do
+  # Create a new host that is owned by that user
+  step 'a new user'
+  @user_owner = @user
+  @user_owner_id = @user_id
+  @user_owner_api_key = @user_api_key
+
+  # Create a new user that is owned by the user created earlier
+  @user_id = "user-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user
+    id: #{@user_id}
+    owner: !user #{@user_owner_id}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{@user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
 Given(/^a new group$/) do
   @group_id = "group-#{random_hex}"
   response = $conjur.load_policy 'root', <<-POLICY
@@ -33,3 +52,24 @@ Given(/^a new host$/) do
   @host = $conjur.resource("cucumber:host:#{@host_id}")
   @host.attributes['api_key'] = @host_api_key
 end
+
+Given(/^a new delegated host$/) do
+  # Create an owner user
+  step 'a new user'
+  @host_owner = @user
+  @host_owner_id = @user_id
+  @host_owner_api_key = @user_api_key
+
+  # Create a new host that is owned by that user
+  @host_id = "app-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !host
+    id: #{@host_id}
+    owner: !user #{@host_owner_id}
+  POLICY
+
+  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+  expect(@host_api_key).to be
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end

data/features/support/env.rb

@@ -1,8 +1,8 @@
 require 'simplecov'
-require 'simplecov-cobertura'
 
-SimpleCov.formatter = SimpleCov::Formatter::CoberturaFormatter
-SimpleCov.start
+SimpleCov.start do
+  command_name "#{ENV['RUBY_VERSION']}"
+end
 
 require 'json_spec/cucumber'
 require 'conjur/api'