conjur-api 5.3.3 → 5.3.7.pre.167

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d068a6fcf42161573c1d317260549dd7e30001e1c53d9edeb36e8c8646f7db7
-  data.tar.gz: 0ea117aee05921d67c2feef6b863fae286f5556833134f410dbab73a18cc13b9
+  metadata.gz: ad1a073ba389391d9ed2e0770f947a0a7e30c982154063c9a488925c05050efa
+  data.tar.gz: 7abc458cd851260b3f96aa1ede3abf4dfe338c42197a501bdfe6b37d672d1707
 SHA512:
-  metadata.gz: bda454b83559d845aad1a5b13e824937f9574420c9c14d0743fd93c56f79ac6de462648901bc3c9d7612ad6243099a659f1292d9b4fe7628865e6f6ca8dfa562
-  data.tar.gz: a6e5d7397c882d4d43ee95eead36bf51519fa5d6ea7c754b0c2648388769b9800180df8757c1ac5d3e968738e6e92dd013ba71c08686f2a3e6f85b1700556558
+  metadata.gz: 75079d3b4699e33e470643f9c0d75aa095cb937217619cd316c69cb36a80d73addaa6d1c238d1920d712e7483bf6d69d28c1f1f8256bceab5de27f5f3e73752d
+  data.tar.gz: 8f73519cf1241e9aae9034ca51727507b3390af92e93ee0008fce2934368f31e581876c66b53e50f58755669ff823ab57ced16d4037e1c0c4dcadda83468986b

data/.github/CODEOWNERS

@@ -1,4 +1,4 @@
-* @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team
+* @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team
 
 # Changes to .trivyignore require Security Architect approval
 .trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects

data/.gitleaks.toml

@@ -1,4 +1,4 @@
-title = "Secretless Broker gitleaks config"
+title = "Conjur API Ruby gitleaks config"
 
 # This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
 # If GITLEAKS_CONFIG environment variable

data/CHANGELOG.md

@@ -4,13 +4,54 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## Unreleased
+### Changed
+- Nothing should go in this section, please add to the latest unreleased version
+  (and update the corresponding date), or add a new version.
+
+## [5.3.7] - 2021-12-28
+
+### Changed
+- Change addressable gem dependency.
+  [cyberark/conjur-api-ruby#199](https://github.com/cyberark/conjur-api-ruby/pull/199)
+- Update to use automated release process
+
+## [5.3.6] - 2021-12-09
+
+### Changed
+- Support ruby-3.0.2.
+  [cyberark/conjur-api-ruby#197](https://github.com/cyberark/conjur-api-ruby/pull/197)
+
+## [5.3.5] - 2021-05-04
+
+### Added
+- Add `rest_client_options` option to `Conjur.configuration`. This allows users to
+  configure the RestClient instance used by Conjur API to communicate with the Conjur 
+  server.
+  [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
+
+### Changed
+- Replace monkey patching `RestClient::Request` with defaults on `Conjur.configuration.rest_client_options`
+  in order to limit the scope of the default `:ssl_cert_store` option only to inside
+  Conjur API. 
+  [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
+
+## [5.3.4] - 2020-10-29
+
+### Changed
+- When rotating the currently logged in user's/host's API key, we now explictily
+  prevent use of `resource({own_id}).rotate_api_key` for that action as the
+  `Conjur::API.rotate_api_key` should be used instead for that. This change is a
+  downstream enforcement of the stricter key rotation requirements on the server
+  covered by [this](https://github.com/cyberark/conjur/security/advisories/GHSA-qhjf-g9gm-64jq)
+  security bulletin.
+  [cyberark/conjur-api-ruby#181](https://github.com/cyberark/conjur-api-ruby/issues/181)
 
 ## [5.3.3] - 2020-08-18
 ### Changed
 - Release process is updated to ensure that the published Ruby Gem matches a tag in this repository,
   so that consumers of this gem can always reference the correct source code included in any given version.
-  [cyberark/conjur-api-ruby](https://github.com/cyberark/conjur-api-ruby/issues/173)
+  [cyberark/conjur-api-ruby#173](https://github.com/cyberark/conjur-api-ruby/issues/173)
 
 ## 5.3.2 - 2018-09-24
 ### Added
@@ -321,7 +362,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [2.0.0] - 2013-13-12
 
-[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.3...HEAD
+[Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...HEAD
+[5.3.7]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...v5.3.7
+[5.3.6]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.5...v5.3.6
+[5.3.5]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...v5.3.5
+[5.3.4]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.3...v5.3.4
 [5.3.3]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.1...v5.3.3
 [5.3.1]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.0...v5.3.1
 [5.3.0]: https://github.com/cyberark/conjur-api-ruby/compare/v5.1.0...v5.3.0

data/CONTRIBUTING.md

@@ -131,7 +131,7 @@ $ docker-compose down
 
 ### Add a git tag
 
-1. Once your changes have been **reviewed and merged into master**, tag the version
+1. Once your changes have been **reviewed and merged into main**, tag the version
    using `git tag -a "vx.y.z" -m "vx.y.z release"`. Note this requires you to be able to sign releases.
    Consult the [github documentation on signing commits](https://help.github.com/articles/signing-commits-with-gpg/)
    on how to set this up. `vx.y.z release` is an acceptable tag message.

data/Dockerfile

@@ -1,10 +1,11 @@
-FROM ruby:2.3
+ARG RUBY_VERSION
+FROM ruby:$RUBY_VERSION
 
 RUN apt-get update && apt-get install -y vim curl
 
 WORKDIR /src/conjur-api
 
-COPY Gemfile conjur-api.gemspec ./
+COPY Gemfile conjur-api.gemspec VERSION ./
 COPY lib/conjur-api/version.rb ./lib/conjur-api/
 
 RUN bundle

data/Gemfile

@@ -1,11 +1,7 @@
 source 'https://rubygems.org'
 
-#ruby=ruby-2.3
+#ruby=ruby-3.0
 #ruby-gemset=conjur-api
 
 # Specify your gem's dependencies in conjur-api.gemspec
 gemspec
-
-group :test do
-  gem 'simplecov-cobertura', require: false
-end

data/Jenkinsfile

@@ -1,5 +1,17 @@
 #!/usr/bin/env groovy
 
+// Automated release, promotion and dependencies
+properties([
+  release.addParams()
+])
+
+if (params.MODE == "PROMOTE") {
+  release.promote(params.VERSION_TO_PROMOTE) { sourceVersion, targetVersion, assetDirectory ->
+    sh './publish.sh'
+  }
+  return
+}
+
 pipeline {
   agent { label 'executor-v2' }
 
@@ -12,21 +24,62 @@ pipeline {
     cron(getDailyCronString())
   }
 
+  environment {
+    MODE = release.canonicalizeMode()
+  }
+
   stages {
-    stage('Validate') {
-      parallel {
-        stage('Changelog') {
-          steps { sh './bin/parse-changelog.sh' }
+    stage ("Skip build if triggering job didn't create a release") {
+      when {
+        expression {
+          MODE == "SKIP"
         }
       }
+      steps {
+        script {
+          currentBuild.result = 'ABORTED'
+          error("Aborting build because this build was triggered from upstream, but no release was built")
+        }
+      }
+    }
+    stage('Validate Changelog and set version') {
+      steps {
+        sh './bin/parse-changelog.sh'
+        updateVersion("CHANGELOG.md", "${BUILD_NUMBER}")
+      }
     }
 
-    stage('Test') {
+    stage('Prepare CC Report Dir'){
       steps {
         script {
-          ccCoverage.setGitEnvVars();
+          ccCoverage.dockerPrep()
+          sh 'mkdir -p coverage'
         }
-        milestone(1)
+      }
+    }
+
+    stage('Test Ruby 2.5') {
+      environment {
+        RUBY_VERSION = '2.5'
+      }
+      steps {
+        sh './test.sh'
+      }
+
+      post {
+        always {
+          junit 'spec/reports/*.xml'
+          junit 'features/reports/*.xml'
+          junit 'features_v4/reports/*.xml'
+        }
+      }
+    }
+
+    stage('Test Ruby 2.6') {
+      environment {
+        RUBY_VERSION = '2.6'
+      }
+      steps {
         sh './test.sh'
       }
 
@@ -35,28 +88,72 @@ pipeline {
           junit 'spec/reports/*.xml'
           junit 'features/reports/*.xml'
           junit 'features_v4/reports/*.xml'
-          cobertura autoUpdateHealth: true, autoUpdateStability: true, coberturaReportFile: 'coverage/coverage.xml', conditionalCoverageTargets: '100, 0, 0', failUnhealthy: true, failUnstable: false, lineCoverageTargets: '99, 0, 0', maxNumberOfBuilds: 0, methodCoverageTargets: '100, 0, 0', onlyStable: false, sourceEncoding: 'ASCII', zoomCoverageChart: false
         }
       }
     }
 
-    // Only publish to RubyGems if the tag begins with 'v' ex) v5.3.2
-    stage('Publish to RubyGems?') {
-      agent { label 'executor-v2' }
+    stage('Test Ruby 2.7') {
+      environment {
+        RUBY_VERSION = '2.7'
+      }
+      steps {
+        sh './test.sh'
+      }
+
+      post {
+        always {
+          junit 'spec/reports/*.xml'
+          junit 'features/reports/*.xml'
+          junit 'features_v4/reports/*.xml'
+        }
+      }
+    }
 
-      when { tag "v*" }
+    stage('Test Ruby 3.0') {
+      environment {
+        RUBY_VERSION = '3.0'
+      }
       steps {
-        // Clean up first
-        sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd'
+        sh("./test.sh")
+      }
+      post {
+        always {
+          junit 'spec/reports/*.xml'
+          junit 'features/reports/*.xml'
+          junit 'features_v4/reports/*.xml'
+        }
+      }
+    }
 
-        sh './publish.sh'
+    stage('Submit Coverage Report'){
+      steps{
+        sh 'ci/submit-coverage'
+        publishHTML([reportDir: 'coverage', reportFiles: 'index.html', reportName: 'Coverage Report', reportTitles: '',
+          allowMissing: false, alwaysLinkToLastBuild: true, keepAll: true])
+      }
 
-        // Clean up again...
-        sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd'
-        deleteDir()
+      post {
+        always {
+          archiveArtifacts artifacts: "coverage/.resultset.json", fingerprint: false
+        }
       }
     }
 
+    stage('Release') {
+      when {
+        expression {
+          MODE == "RELEASE"
+        }
+      }
+
+      steps {
+        release {
+          // Clean up all but the calculated VERSION
+          sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd -e VERSION'
+          sh './publish.sh'
+        }
+      }
+    }
   }
 
   post {

data/LICENSE

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
+   Copyright (c) 2021 CyberArk Software Ltd. All rights reserved.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

data/README.md

@@ -11,7 +11,7 @@ The Conjur server comes in two major versions:
 * **4.x** Conjur 4 is a commercial, non-open-source product, which is documented at [https://developer.conjur.net/](https://developer.conjur.net/).
 * **5.x** Conjur 5 is open-source software, hosted and documented at [https://www.conjur.org/](https://www.conjur.org/).
 
-You can use the `master` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
+You can use the `main` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
 
 * Authenticate
 * Fetch secrets
@@ -24,9 +24,9 @@ Use the configuration setting `Conjur.configuration.version` to select your serv
 
 If you are using Conjur server version `4.x`, you can also choose to use the `conjur-api` version `4.x`. In this case, the `Configuration.version` setting is not required (actually, it doesn't exist).
 
-## Using conjur-api-ruby with Conjur OSS 
+## Using conjur-api-ruby with Conjur Open Source 
 
-Are you using this project with [Conjur OSS](https://github.com/cyberark/conjur)? Then we 
+Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we 
 **strongly** recommend choosing the version of this project to use from the latest [Conjur OSS 
 suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html). 
 Conjur maintainers perform additional testing on the suite release versions to ensure 
@@ -128,12 +128,34 @@ Conjur::API.new_from_key login, api_key
 Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be
 prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.example.com`.
 
+## Configuring RestClient
+
+[Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb)
+allows optional configuration of the [RestClient](https://github.com/rest-client/rest-client)
+instance used by Conjur API to communicate with the Conjur server, via the options hash
+`Conjur.configuration.rest_client_options`.
+
+The default value for the options hash is:
+```ruby
+{
+  ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+}
+```
+
+For example, here's how you would configure the client to use a proxy and `ssl_ca_file` (instead of the default `ssl_cert_store`).
+```ruby
+Conjur.configuration.rest_client_options = {
+    ssl_ca_file: "ca_certificate.pem",
+    proxy: "http://proxy.example.com/"
+}
+```
+
 ## Contributing
 
 We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing
 guide][contrib].
 
-[contrib]: https://github.com/cyberark/conjur-api-ruby/blob/master/CONTRIBUTING.md
+[contrib]: https://github.com/cyberark/conjur-api-ruby/blob/main/CONTRIBUTING.md
 
 ## License
 

data/VERSION

@@ -0,0 +1 @@
+5.3.7-167

data/ci/submit-coverage

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eux
+
+DIR="coverage"
+BIN="cc-test-reporter"
+REPORT="${DIR}/.resultset.json"
+
+if [[ ! -e ${REPORT} ]]; then
+    echo "SimpleCov report (${REPORT}) not found"
+    ls -laR ${DIR}
+    exit 1
+fi
+
+if [[ ! -x ${BIN} ]]; then
+    echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
+    ls -laR ${DIR}
+    # report is present but reporter binary is not, definitely a bug, exit error.
+    exit 1
+fi
+
+# Simplecov excludes files not within the current repo, it also needs to
+# be able to read all the files referenced within the report. As the reports
+# are generated in containers, the absolute paths contained in the report
+# are not valid outside that container. This sed fixes the paths
+# So they are correct relative to the Jenkins workspace.
+sed -i -E "s+/src/conjur-api+${WORKSPACE}+g" "${REPORT}"
+
+echo "Coverage reports prepared, submitting to CodeClimate."
+# vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
+
+./${BIN} after-build \
+    --coverage-input-type "simplecov"\
+    --id "${TRID}"
+
+echo "Successfully Reported Coverage Data"

data/conjur-api.gemspec

@@ -2,14 +2,14 @@
 require File.expand_path('../lib/conjur-api/version', __FILE__)
 
 Gem::Specification.new do |gem|
-  gem.authors       = ["Rafal Rzepecki","Kevin Gilpin"]
-  gem.email         = ["rafal@conjur.net","kgilpin@conjur.net"]
+  gem.authors       = ["CyberArk Maintainers"]
+  gem.email         = ["conj_maintainers@cyberark.com"]
   gem.description   = %q{Conjur API}
   gem.summary       = %q{Conjur API}
   gem.homepage      = "https://github.com/cyberark/conjur-api-ruby/"
   gem.license       = "Apache-2.0"
 
-  gem.files         = `git ls-files`.split($\) + Dir['build_number']
+  gem.files         = `git ls-files`.split($\).append("VERSION") + Dir['build_number']
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.name          = "conjur-api"
@@ -22,7 +22,8 @@ Gem::Specification.new do |gem|
   gem.executables -= %w{parse-changelog.sh}
 
   gem.add_dependency 'rest-client'
-  gem.add_dependency 'activesupport'
+  gem.add_dependency 'activesupport', '>= 4.2'
+  gem.add_dependency 'addressable', '~> 2.0'
 
   gem.add_development_dependency 'rake', '>= 12.3.3'
   gem.add_development_dependency 'rspec', '~> 3'
@@ -30,7 +31,7 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'json_spec'
   gem.add_development_dependency 'cucumber', '~> 2.99'
   gem.add_development_dependency 'ci_reporter_rspec'
-  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
   gem.add_development_dependency 'io-grab'
   gem.add_development_dependency 'rdoc'
   gem.add_development_dependency 'yard'

data/docker-compose.yml

@@ -23,7 +23,11 @@ services:
       - authn_local_4:/run/authn-local
 
   tester_5:
-    build: .
+    build:
+        context: .
+        dockerfile: Dockerfile
+        args:
+          RUBY_VERSION: ${RUBY_VERSION}
     volumes:
       - ./spec/reports:/src/conjur-api/spec/reports
       - ./features/reports:/src/conjur-api/features/reports
@@ -35,7 +39,11 @@ services:
       CONJUR_ACCOUNT: cucumber
 
   tester_4:
-    build: .
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        RUBY_VERSION: ${RUBY_VERSION}
     volumes:
       - ./features_v4/reports:/src/conjur-api/features_v4/reports
       - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
@@ -47,7 +55,11 @@ services:
       CONJUR_ACCOUNT: cucumber
 
   dev:
-    build: .
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        RUBY_VERSION: ${RUBY_VERSION}
     entrypoint: bash
     volumes:
       - .:/src/conjur-api

data/features/host.feature

@@ -1,20 +1,50 @@
-Feature: Display Host object fields.
+Feature: Host object
 
-  Background:
+  Scenario: API key of a newly created host is available and valid
     Given a new host
-
-  Scenario: API key of a newly created host is available and valid.
-    Then I run the code:
+    Then I can run the code:
     """
     expect(@host.exists?).to be(true)
     expect(@host.api_key).to be
     Conjur::API.new_from_key(@host.login, @host.api_key).token
     """
 
-  Scenario: API key of a a host can be rotated.
-    Then I run the code:
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with an API key
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
     """
     host = Conjur::API.new_from_key(@host.login, @host.api_key).resource(@host.id)
-    api_key = host.rotate_api_key
-    Conjur::API.new_from_key(@host.login, api_key).token
+    host.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: Host's own API key cannot be rotated with a token
+    Given a new host
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@host.login, @host.api_key).token
+
+    host = Conjur::API.new_from_token(token).resource(@host.id)
+    host.rotate_api_key
+    """
+
+  Scenario: Delegated host's API key can be rotated with an API key
+    Given a new delegated host
+    Then I can run the code:
+    """
+    delegated_host_resource = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
+    """
+
+  Scenario: Delegated host's API key can be rotated with a token
+    Given a new delegated host
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).token
+
+    delegated_host_resource = Conjur::API.new_from_token(token).resource(@host.id)
+    api_key = delegated_host_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
     """

data/features/permitted.feature

@@ -4,6 +4,8 @@ Feature: Check if a role has permission on a resource.
     Given I run the code:
     """
     @host_id = "app-#{random_hex}"
+    @test_user = "user$#{random_hex}"
+    @test_host = "host?#{random_hex}"
     response = $conjur.load_policy 'root', <<-POLICY
     - !variable db-password
 
@@ -15,6 +17,17 @@ Feature: Check if a role has permission on a resource.
       role: !layer myapp
       privilege: execute
       resource: !variable db-password
+
+    - !policy
+      id: test
+      body:
+        - !user #{@test_user}
+        - !host #{@test_host}
+
+    - !permit
+      role: !user #{@test_user}@test
+      privilege: execute
+      resource: !variable db-password
     POLICY
     @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
     expect(@host_api_key).to be
@@ -34,6 +47,20 @@ Feature: Check if a role has permission on a resource.
     """
     Then the result should be "false"
 
+  Scenario: Check if a different user from subpolicy has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:#{@test_user}@test"
+    """
+    Then the result should be "true"
+
+  Scenario: Check if a different host from subpolicy has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:test/#{@test_host}"
+    """
+    Then the result should be "false"
+
   Scenario: Check if a different user has the privilege, while logged in as that user.
     When I run the code:
     """

data/features/step_definitions/api_steps.rb

@@ -1,7 +1,18 @@
-When(/^I(?: can)? run the code:$/) do |code|
+Then(/^I(?: can)? run the code:$/) do |code|
   @result = eval(code).tap do |result|
-    if ENV['DEBUG']
-      puts result
+    puts result if ENV['DEBUG']
+  end
+end
+
+Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
+  begin
+    @result = eval(code)
+  rescue Exception => exc
+    if not exc.message =~ %r{#{error_msg}}
+      fail "'#{error_msg}' was not found in '#{exc.message}'"
     end
+  else
+    puts @result if ENV['DEBUG']
+    fail "The provided block did not raise an error"
   end
 end

data/features/step_definitions/policy_steps.rb

@@ -13,6 +13,25 @@ Given(/^a new user$/) do
   expect(@user_api_key).to be
 end
 
+Given(/^a new delegated user$/) do
+  # Create a new host that is owned by that user
+  step 'a new user'
+  @user_owner = @user
+  @user_owner_id = @user_id
+  @user_owner_api_key = @user_api_key
+
+  # Create a new user that is owned by the user created earlier
+  @user_id = "user-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user
+    id: #{@user_id}
+    owner: !user #{@user_owner_id}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{@user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
 Given(/^a new group$/) do
   @group_id = "group-#{random_hex}"
   response = $conjur.load_policy 'root', <<-POLICY
@@ -33,3 +52,24 @@ Given(/^a new host$/) do
   @host = $conjur.resource("cucumber:host:#{@host_id}")
   @host.attributes['api_key'] = @host_api_key
 end
+
+Given(/^a new delegated host$/) do
+  # Create an owner user
+  step 'a new user'
+  @host_owner = @user
+  @host_owner_id = @user_id
+  @host_owner_api_key = @user_api_key
+
+  # Create a new host that is owned by that user
+  @host_id = "app-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !host
+    id: #{@host_id}
+    owner: !user #{@host_owner_id}
+  POLICY
+
+  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+  expect(@host_api_key).to be
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end