conjur-api 5.3.3 → 5.3.7.pre.167

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4d068a6fcf42161573c1d317260549dd7e30001e1c53d9edeb36e8c8646f7db7
4
- data.tar.gz: 0ea117aee05921d67c2feef6b863fae286f5556833134f410dbab73a18cc13b9
3
+ metadata.gz: ad1a073ba389391d9ed2e0770f947a0a7e30c982154063c9a488925c05050efa
4
+ data.tar.gz: 7abc458cd851260b3f96aa1ede3abf4dfe338c42197a501bdfe6b37d672d1707
5
5
  SHA512:
6
- metadata.gz: bda454b83559d845aad1a5b13e824937f9574420c9c14d0743fd93c56f79ac6de462648901bc3c9d7612ad6243099a659f1292d9b4fe7628865e6f6ca8dfa562
7
- data.tar.gz: a6e5d7397c882d4d43ee95eead36bf51519fa5d6ea7c754b0c2648388769b9800180df8757c1ac5d3e968738e6e92dd013ba71c08686f2a3e6f85b1700556558
6
+ metadata.gz: 75079d3b4699e33e470643f9c0d75aa095cb937217619cd316c69cb36a80d73addaa6d1c238d1920d712e7483bf6d69d28c1f1f8256bceab5de27f5f3e73752d
7
+ data.tar.gz: 8f73519cf1241e9aae9034ca51727507b3390af92e93ee0008fce2934368f31e581876c66b53e50f58755669ff823ab57ced16d4037e1c0c4dcadda83468986b
data/.github/CODEOWNERS CHANGED
@@ -1,4 +1,4 @@
1
- * @cyberark/conjur-core-team @conjurinc/conjur-core-team @conjurdemos/conjur-core-team
1
+ * @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team
2
2
 
3
3
  # Changes to .trivyignore require Security Architect approval
4
4
  .trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects
data/.gitleaks.toml CHANGED
@@ -1,4 +1,4 @@
1
- title = "Secretless Broker gitleaks config"
1
+ title = "Conjur API Ruby gitleaks config"
2
2
 
3
3
  # This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
4
4
  # If GITLEAKS_CONFIG environment variable
data/CHANGELOG.md CHANGED
@@ -4,13 +4,54 @@ All notable changes to this project will be documented in this file.
4
4
  The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
5
5
  and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
6
6
 
7
- ## [Unreleased]
7
+ ## Unreleased
8
+ ### Changed
9
+ - Nothing should go in this section, please add to the latest unreleased version
10
+ (and update the corresponding date), or add a new version.
11
+
12
+ ## [5.3.7] - 2021-12-28
13
+
14
+ ### Changed
15
+ - Change addressable gem dependency.
16
+ [cyberark/conjur-api-ruby#199](https://github.com/cyberark/conjur-api-ruby/pull/199)
17
+ - Update to use automated release process
18
+
19
+ ## [5.3.6] - 2021-12-09
20
+
21
+ ### Changed
22
+ - Support ruby-3.0.2.
23
+ [cyberark/conjur-api-ruby#197](https://github.com/cyberark/conjur-api-ruby/pull/197)
24
+
25
+ ## [5.3.5] - 2021-05-04
26
+
27
+ ### Added
28
+ - Add `rest_client_options` option to `Conjur.configuration`. This allows users to
29
+ configure the RestClient instance used by Conjur API to communicate with the Conjur
30
+ server.
31
+ [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
32
+
33
+ ### Changed
34
+ - Replace monkey patching `RestClient::Request` with defaults on `Conjur.configuration.rest_client_options`
35
+ in order to limit the scope of the default `:ssl_cert_store` option only to inside
36
+ Conjur API.
37
+ [cyberark/conjur-api-ruby#188](https://github.com/cyberark/conjur-api-ruby/issues/188)
38
+
39
+ ## [5.3.4] - 2020-10-29
40
+
41
+ ### Changed
42
+ - When rotating the currently logged in user's/host's API key, we now explictily
43
+ prevent use of `resource({own_id}).rotate_api_key` for that action as the
44
+ `Conjur::API.rotate_api_key` should be used instead for that. This change is a
45
+ downstream enforcement of the stricter key rotation requirements on the server
46
+ covered by [this](https://github.com/cyberark/conjur/security/advisories/GHSA-qhjf-g9gm-64jq)
47
+ security bulletin.
48
+ [cyberark/conjur-api-ruby#181](https://github.com/cyberark/conjur-api-ruby/issues/181)
8
49
 
9
50
  ## [5.3.3] - 2020-08-18
10
51
  ### Changed
11
52
  - Release process is updated to ensure that the published Ruby Gem matches a tag in this repository,
12
53
  so that consumers of this gem can always reference the correct source code included in any given version.
13
- [cyberark/conjur-api-ruby](https://github.com/cyberark/conjur-api-ruby/issues/173)
54
+ [cyberark/conjur-api-ruby#173](https://github.com/cyberark/conjur-api-ruby/issues/173)
14
55
 
15
56
  ## 5.3.2 - 2018-09-24
16
57
  ### Added
@@ -321,7 +362,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
321
362
 
322
363
  ## [2.0.0] - 2013-13-12
323
364
 
324
- [Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.3...HEAD
365
+ [Unreleased]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...HEAD
366
+ [5.3.7]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.6...v5.3.7
367
+ [5.3.6]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.5...v5.3.6
368
+ [5.3.5]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.4...v5.3.5
369
+ [5.3.4]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.3...v5.3.4
325
370
  [5.3.3]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.1...v5.3.3
326
371
  [5.3.1]: https://github.com/cyberark/conjur-api-ruby/compare/v5.3.0...v5.3.1
327
372
  [5.3.0]: https://github.com/cyberark/conjur-api-ruby/compare/v5.1.0...v5.3.0
data/CONTRIBUTING.md CHANGED
@@ -131,7 +131,7 @@ $ docker-compose down
131
131
 
132
132
  ### Add a git tag
133
133
 
134
- 1. Once your changes have been **reviewed and merged into master**, tag the version
134
+ 1. Once your changes have been **reviewed and merged into main**, tag the version
135
135
  using `git tag -a "vx.y.z" -m "vx.y.z release"`. Note this requires you to be able to sign releases.
136
136
  Consult the [github documentation on signing commits](https://help.github.com/articles/signing-commits-with-gpg/)
137
137
  on how to set this up. `vx.y.z release` is an acceptable tag message.
data/Dockerfile CHANGED
@@ -1,10 +1,11 @@
1
- FROM ruby:2.3
1
+ ARG RUBY_VERSION
2
+ FROM ruby:$RUBY_VERSION
2
3
 
3
4
  RUN apt-get update && apt-get install -y vim curl
4
5
 
5
6
  WORKDIR /src/conjur-api
6
7
 
7
- COPY Gemfile conjur-api.gemspec ./
8
+ COPY Gemfile conjur-api.gemspec VERSION ./
8
9
  COPY lib/conjur-api/version.rb ./lib/conjur-api/
9
10
 
10
11
  RUN bundle
data/Gemfile CHANGED
@@ -1,11 +1,7 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
- #ruby=ruby-2.3
3
+ #ruby=ruby-3.0
4
4
  #ruby-gemset=conjur-api
5
5
 
6
6
  # Specify your gem's dependencies in conjur-api.gemspec
7
7
  gemspec
8
-
9
- group :test do
10
- gem 'simplecov-cobertura', require: false
11
- end
data/Jenkinsfile CHANGED
@@ -1,5 +1,17 @@
1
1
  #!/usr/bin/env groovy
2
2
 
3
+ // Automated release, promotion and dependencies
4
+ properties([
5
+ release.addParams()
6
+ ])
7
+
8
+ if (params.MODE == "PROMOTE") {
9
+ release.promote(params.VERSION_TO_PROMOTE) { sourceVersion, targetVersion, assetDirectory ->
10
+ sh './publish.sh'
11
+ }
12
+ return
13
+ }
14
+
3
15
  pipeline {
4
16
  agent { label 'executor-v2' }
5
17
 
@@ -12,21 +24,62 @@ pipeline {
12
24
  cron(getDailyCronString())
13
25
  }
14
26
 
27
+ environment {
28
+ MODE = release.canonicalizeMode()
29
+ }
30
+
15
31
  stages {
16
- stage('Validate') {
17
- parallel {
18
- stage('Changelog') {
19
- steps { sh './bin/parse-changelog.sh' }
32
+ stage ("Skip build if triggering job didn't create a release") {
33
+ when {
34
+ expression {
35
+ MODE == "SKIP"
20
36
  }
21
37
  }
38
+ steps {
39
+ script {
40
+ currentBuild.result = 'ABORTED'
41
+ error("Aborting build because this build was triggered from upstream, but no release was built")
42
+ }
43
+ }
44
+ }
45
+ stage('Validate Changelog and set version') {
46
+ steps {
47
+ sh './bin/parse-changelog.sh'
48
+ updateVersion("CHANGELOG.md", "${BUILD_NUMBER}")
49
+ }
22
50
  }
23
51
 
24
- stage('Test') {
52
+ stage('Prepare CC Report Dir'){
25
53
  steps {
26
54
  script {
27
- ccCoverage.setGitEnvVars();
55
+ ccCoverage.dockerPrep()
56
+ sh 'mkdir -p coverage'
28
57
  }
29
- milestone(1)
58
+ }
59
+ }
60
+
61
+ stage('Test Ruby 2.5') {
62
+ environment {
63
+ RUBY_VERSION = '2.5'
64
+ }
65
+ steps {
66
+ sh './test.sh'
67
+ }
68
+
69
+ post {
70
+ always {
71
+ junit 'spec/reports/*.xml'
72
+ junit 'features/reports/*.xml'
73
+ junit 'features_v4/reports/*.xml'
74
+ }
75
+ }
76
+ }
77
+
78
+ stage('Test Ruby 2.6') {
79
+ environment {
80
+ RUBY_VERSION = '2.6'
81
+ }
82
+ steps {
30
83
  sh './test.sh'
31
84
  }
32
85
 
@@ -35,28 +88,72 @@ pipeline {
35
88
  junit 'spec/reports/*.xml'
36
89
  junit 'features/reports/*.xml'
37
90
  junit 'features_v4/reports/*.xml'
38
- cobertura autoUpdateHealth: true, autoUpdateStability: true, coberturaReportFile: 'coverage/coverage.xml', conditionalCoverageTargets: '100, 0, 0', failUnhealthy: true, failUnstable: false, lineCoverageTargets: '99, 0, 0', maxNumberOfBuilds: 0, methodCoverageTargets: '100, 0, 0', onlyStable: false, sourceEncoding: 'ASCII', zoomCoverageChart: false
39
91
  }
40
92
  }
41
93
  }
42
94
 
43
- // Only publish to RubyGems if the tag begins with 'v' ex) v5.3.2
44
- stage('Publish to RubyGems?') {
45
- agent { label 'executor-v2' }
95
+ stage('Test Ruby 2.7') {
96
+ environment {
97
+ RUBY_VERSION = '2.7'
98
+ }
99
+ steps {
100
+ sh './test.sh'
101
+ }
102
+
103
+ post {
104
+ always {
105
+ junit 'spec/reports/*.xml'
106
+ junit 'features/reports/*.xml'
107
+ junit 'features_v4/reports/*.xml'
108
+ }
109
+ }
110
+ }
46
111
 
47
- when { tag "v*" }
112
+ stage('Test Ruby 3.0') {
113
+ environment {
114
+ RUBY_VERSION = '3.0'
115
+ }
48
116
  steps {
49
- // Clean up first
50
- sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd'
117
+ sh("./test.sh")
118
+ }
119
+ post {
120
+ always {
121
+ junit 'spec/reports/*.xml'
122
+ junit 'features/reports/*.xml'
123
+ junit 'features_v4/reports/*.xml'
124
+ }
125
+ }
126
+ }
51
127
 
52
- sh './publish.sh'
128
+ stage('Submit Coverage Report'){
129
+ steps{
130
+ sh 'ci/submit-coverage'
131
+ publishHTML([reportDir: 'coverage', reportFiles: 'index.html', reportName: 'Coverage Report', reportTitles: '',
132
+ allowMissing: false, alwaysLinkToLastBuild: true, keepAll: true])
133
+ }
53
134
 
54
- // Clean up again...
55
- sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd'
56
- deleteDir()
135
+ post {
136
+ always {
137
+ archiveArtifacts artifacts: "coverage/.resultset.json", fingerprint: false
138
+ }
57
139
  }
58
140
  }
59
141
 
142
+ stage('Release') {
143
+ when {
144
+ expression {
145
+ MODE == "RELEASE"
146
+ }
147
+ }
148
+
149
+ steps {
150
+ release {
151
+ // Clean up all but the calculated VERSION
152
+ sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd -e VERSION'
153
+ sh './publish.sh'
154
+ }
155
+ }
156
+ }
60
157
  }
61
158
 
62
159
  post {
data/LICENSE CHANGED
@@ -187,7 +187,7 @@
187
187
  same "printed page" as the copyright notice for easier
188
188
  identification within third-party archives.
189
189
 
190
- Copyright (c) 2020 CyberArk Software Ltd. All rights reserved.
190
+ Copyright (c) 2021 CyberArk Software Ltd. All rights reserved.
191
191
 
192
192
  Licensed under the Apache License, Version 2.0 (the "License");
193
193
  you may not use this file except in compliance with the License.
data/README.md CHANGED
@@ -11,7 +11,7 @@ The Conjur server comes in two major versions:
11
11
  * **4.x** Conjur 4 is a commercial, non-open-source product, which is documented at [https://developer.conjur.net/](https://developer.conjur.net/).
12
12
  * **5.x** Conjur 5 is open-source software, hosted and documented at [https://www.conjur.org/](https://www.conjur.org/).
13
13
 
14
- You can use the `master` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
14
+ You can use the `main` branch of this project, which is `conjur-api` version `5.x`, to do all of the following things against either type of Conjur server:
15
15
 
16
16
  * Authenticate
17
17
  * Fetch secrets
@@ -24,9 +24,9 @@ Use the configuration setting `Conjur.configuration.version` to select your serv
24
24
 
25
25
  If you are using Conjur server version `4.x`, you can also choose to use the `conjur-api` version `4.x`. In this case, the `Configuration.version` setting is not required (actually, it doesn't exist).
26
26
 
27
- ## Using conjur-api-ruby with Conjur OSS
27
+ ## Using conjur-api-ruby with Conjur Open Source
28
28
 
29
- Are you using this project with [Conjur OSS](https://github.com/cyberark/conjur)? Then we
29
+ Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we
30
30
  **strongly** recommend choosing the version of this project to use from the latest [Conjur OSS
31
31
  suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html).
32
32
  Conjur maintainers perform additional testing on the suite release versions to ensure
@@ -128,12 +128,34 @@ Conjur::API.new_from_key login, api_key
128
128
  Note that if you are connecting as a [Host](http://developer.conjur.net/reference/services/directory/host), the login should be
129
129
  prefixed with `host/`. For example: `host/myhost.example.com`, not just `myhost.example.com`.
130
130
 
131
+ ## Configuring RestClient
132
+
133
+ [Conjur::Configuration](https://github.com/conjurinc/api-ruby/blob/master/lib/conjur/configuration.rb)
134
+ allows optional configuration of the [RestClient](https://github.com/rest-client/rest-client)
135
+ instance used by Conjur API to communicate with the Conjur server, via the options hash
136
+ `Conjur.configuration.rest_client_options`.
137
+
138
+ The default value for the options hash is:
139
+ ```ruby
140
+ {
141
+ ssl_cert_store: OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
142
+ }
143
+ ```
144
+
145
+ For example, here's how you would configure the client to use a proxy and `ssl_ca_file` (instead of the default `ssl_cert_store`).
146
+ ```ruby
147
+ Conjur.configuration.rest_client_options = {
148
+ ssl_ca_file: "ca_certificate.pem",
149
+ proxy: "http://proxy.example.com/"
150
+ }
151
+ ```
152
+
131
153
  ## Contributing
132
154
 
133
155
  We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing
134
156
  guide][contrib].
135
157
 
136
- [contrib]: https://github.com/cyberark/conjur-api-ruby/blob/master/CONTRIBUTING.md
158
+ [contrib]: https://github.com/cyberark/conjur-api-ruby/blob/main/CONTRIBUTING.md
137
159
 
138
160
  ## License
139
161
 
data/VERSION ADDED
@@ -0,0 +1 @@
1
+ 5.3.7-167
@@ -0,0 +1,36 @@
1
+ #!/bin/bash
2
+
3
+ set -eux
4
+
5
+ DIR="coverage"
6
+ BIN="cc-test-reporter"
7
+ REPORT="${DIR}/.resultset.json"
8
+
9
+ if [[ ! -e ${REPORT} ]]; then
10
+ echo "SimpleCov report (${REPORT}) not found"
11
+ ls -laR ${DIR}
12
+ exit 1
13
+ fi
14
+
15
+ if [[ ! -x ${BIN} ]]; then
16
+ echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
17
+ ls -laR ${DIR}
18
+ # report is present but reporter binary is not, definitely a bug, exit error.
19
+ exit 1
20
+ fi
21
+
22
+ # Simplecov excludes files not within the current repo, it also needs to
23
+ # be able to read all the files referenced within the report. As the reports
24
+ # are generated in containers, the absolute paths contained in the report
25
+ # are not valid outside that container. This sed fixes the paths
26
+ # So they are correct relative to the Jenkins workspace.
27
+ sed -i -E "s+/src/conjur-api+${WORKSPACE}+g" "${REPORT}"
28
+
29
+ echo "Coverage reports prepared, submitting to CodeClimate."
30
+ # vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
31
+
32
+ ./${BIN} after-build \
33
+ --coverage-input-type "simplecov"\
34
+ --id "${TRID}"
35
+
36
+ echo "Successfully Reported Coverage Data"
data/conjur-api.gemspec CHANGED
@@ -2,14 +2,14 @@
2
2
  require File.expand_path('../lib/conjur-api/version', __FILE__)
3
3
 
4
4
  Gem::Specification.new do |gem|
5
- gem.authors = ["Rafal Rzepecki","Kevin Gilpin"]
6
- gem.email = ["rafal@conjur.net","kgilpin@conjur.net"]
5
+ gem.authors = ["CyberArk Maintainers"]
6
+ gem.email = ["conj_maintainers@cyberark.com"]
7
7
  gem.description = %q{Conjur API}
8
8
  gem.summary = %q{Conjur API}
9
9
  gem.homepage = "https://github.com/cyberark/conjur-api-ruby/"
10
10
  gem.license = "Apache-2.0"
11
11
 
12
- gem.files = `git ls-files`.split($\) + Dir['build_number']
12
+ gem.files = `git ls-files`.split($\).append("VERSION") + Dir['build_number']
13
13
  gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
14
14
  gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
15
15
  gem.name = "conjur-api"
@@ -22,7 +22,8 @@ Gem::Specification.new do |gem|
22
22
  gem.executables -= %w{parse-changelog.sh}
23
23
 
24
24
  gem.add_dependency 'rest-client'
25
- gem.add_dependency 'activesupport'
25
+ gem.add_dependency 'activesupport', '>= 4.2'
26
+ gem.add_dependency 'addressable', '~> 2.0'
26
27
 
27
28
  gem.add_development_dependency 'rake', '>= 12.3.3'
28
29
  gem.add_development_dependency 'rspec', '~> 3'
@@ -30,7 +31,7 @@ Gem::Specification.new do |gem|
30
31
  gem.add_development_dependency 'json_spec'
31
32
  gem.add_development_dependency 'cucumber', '~> 2.99'
32
33
  gem.add_development_dependency 'ci_reporter_rspec'
33
- gem.add_development_dependency 'simplecov'
34
+ gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
34
35
  gem.add_development_dependency 'io-grab'
35
36
  gem.add_development_dependency 'rdoc'
36
37
  gem.add_development_dependency 'yard'
data/docker-compose.yml CHANGED
@@ -23,7 +23,11 @@ services:
23
23
  - authn_local_4:/run/authn-local
24
24
 
25
25
  tester_5:
26
- build: .
26
+ build:
27
+ context: .
28
+ dockerfile: Dockerfile
29
+ args:
30
+ RUBY_VERSION: ${RUBY_VERSION}
27
31
  volumes:
28
32
  - ./spec/reports:/src/conjur-api/spec/reports
29
33
  - ./features/reports:/src/conjur-api/features/reports
@@ -35,7 +39,11 @@ services:
35
39
  CONJUR_ACCOUNT: cucumber
36
40
 
37
41
  tester_4:
38
- build: .
42
+ build:
43
+ context: .
44
+ dockerfile: Dockerfile
45
+ args:
46
+ RUBY_VERSION: ${RUBY_VERSION}
39
47
  volumes:
40
48
  - ./features_v4/reports:/src/conjur-api/features_v4/reports
41
49
  - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
@@ -47,7 +55,11 @@ services:
47
55
  CONJUR_ACCOUNT: cucumber
48
56
 
49
57
  dev:
50
- build: .
58
+ build:
59
+ context: .
60
+ dockerfile: Dockerfile
61
+ args:
62
+ RUBY_VERSION: ${RUBY_VERSION}
51
63
  entrypoint: bash
52
64
  volumes:
53
65
  - .:/src/conjur-api
@@ -1,20 +1,50 @@
1
- Feature: Display Host object fields.
1
+ Feature: Host object
2
2
 
3
- Background:
3
+ Scenario: API key of a newly created host is available and valid
4
4
  Given a new host
5
-
6
- Scenario: API key of a newly created host is available and valid.
7
- Then I run the code:
5
+ Then I can run the code:
8
6
  """
9
7
  expect(@host.exists?).to be(true)
10
8
  expect(@host.api_key).to be
11
9
  Conjur::API.new_from_key(@host.login, @host.api_key).token
12
10
  """
13
11
 
14
- Scenario: API key of a a host can be rotated.
15
- Then I run the code:
12
+ # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
13
+ Scenario: Host's own API key cannot be rotated with an API key
14
+ Given a new host
15
+ Then this code should fail with "You cannot rotate your own API key via this method"
16
16
  """
17
17
  host = Conjur::API.new_from_key(@host.login, @host.api_key).resource(@host.id)
18
- api_key = host.rotate_api_key
19
- Conjur::API.new_from_key(@host.login, api_key).token
18
+ host.rotate_api_key
19
+ """
20
+
21
+ # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
22
+ Scenario: Host's own API key cannot be rotated with a token
23
+ Given a new host
24
+ Then this code should fail with "You cannot rotate your own API key via this method"
25
+ """
26
+ token = Conjur::API.new_from_key(@host.login, @host.api_key).token
27
+
28
+ host = Conjur::API.new_from_token(token).resource(@host.id)
29
+ host.rotate_api_key
30
+ """
31
+
32
+ Scenario: Delegated host's API key can be rotated with an API key
33
+ Given a new delegated host
34
+ Then I can run the code:
35
+ """
36
+ delegated_host_resource = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).resource(@host.id)
37
+ api_key = delegated_host_resource.rotate_api_key
38
+ Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
39
+ """
40
+
41
+ Scenario: Delegated host's API key can be rotated with a token
42
+ Given a new delegated host
43
+ Then I can run the code:
44
+ """
45
+ token = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).token
46
+
47
+ delegated_host_resource = Conjur::API.new_from_token(token).resource(@host.id)
48
+ api_key = delegated_host_resource.rotate_api_key
49
+ Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
20
50
  """
@@ -4,6 +4,8 @@ Feature: Check if a role has permission on a resource.
4
4
  Given I run the code:
5
5
  """
6
6
  @host_id = "app-#{random_hex}"
7
+ @test_user = "user$#{random_hex}"
8
+ @test_host = "host?#{random_hex}"
7
9
  response = $conjur.load_policy 'root', <<-POLICY
8
10
  - !variable db-password
9
11
 
@@ -15,6 +17,17 @@ Feature: Check if a role has permission on a resource.
15
17
  role: !layer myapp
16
18
  privilege: execute
17
19
  resource: !variable db-password
20
+
21
+ - !policy
22
+ id: test
23
+ body:
24
+ - !user #{@test_user}
25
+ - !host #{@test_host}
26
+
27
+ - !permit
28
+ role: !user #{@test_user}@test
29
+ privilege: execute
30
+ resource: !variable db-password
18
31
  POLICY
19
32
  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
20
33
  expect(@host_api_key).to be
@@ -34,6 +47,20 @@ Feature: Check if a role has permission on a resource.
34
47
  """
35
48
  Then the result should be "false"
36
49
 
50
+ Scenario: Check if a different user from subpolicy has the privilege.
51
+ When I run the code:
52
+ """
53
+ $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:#{@test_user}@test"
54
+ """
55
+ Then the result should be "true"
56
+
57
+ Scenario: Check if a different host from subpolicy has the privilege.
58
+ When I run the code:
59
+ """
60
+ $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:test/#{@test_host}"
61
+ """
62
+ Then the result should be "false"
63
+
37
64
  Scenario: Check if a different user has the privilege, while logged in as that user.
38
65
  When I run the code:
39
66
  """
@@ -1,7 +1,18 @@
1
- When(/^I(?: can)? run the code:$/) do |code|
1
+ Then(/^I(?: can)? run the code:$/) do |code|
2
2
  @result = eval(code).tap do |result|
3
- if ENV['DEBUG']
4
- puts result
3
+ puts result if ENV['DEBUG']
4
+ end
5
+ end
6
+
7
+ Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
8
+ begin
9
+ @result = eval(code)
10
+ rescue Exception => exc
11
+ if not exc.message =~ %r{#{error_msg}}
12
+ fail "'#{error_msg}' was not found in '#{exc.message}'"
5
13
  end
14
+ else
15
+ puts @result if ENV['DEBUG']
16
+ fail "The provided block did not raise an error"
6
17
  end
7
18
  end
@@ -13,6 +13,25 @@ Given(/^a new user$/) do
13
13
  expect(@user_api_key).to be
14
14
  end
15
15
 
16
+ Given(/^a new delegated user$/) do
17
+ # Create a new host that is owned by that user
18
+ step 'a new user'
19
+ @user_owner = @user
20
+ @user_owner_id = @user_id
21
+ @user_owner_api_key = @user_api_key
22
+
23
+ # Create a new user that is owned by the user created earlier
24
+ @user_id = "user-#{random_hex}"
25
+ response = $conjur.load_policy 'root', <<-POLICY
26
+ - !user
27
+ id: #{@user_id}
28
+ owner: !user #{@user_owner_id}
29
+ POLICY
30
+ @user = $conjur.resource("cucumber:user:#{@user_id}")
31
+ @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
32
+ expect(@user_api_key).to be
33
+ end
34
+
16
35
  Given(/^a new group$/) do
17
36
  @group_id = "group-#{random_hex}"
18
37
  response = $conjur.load_policy 'root', <<-POLICY
@@ -33,3 +52,24 @@ Given(/^a new host$/) do
33
52
  @host = $conjur.resource("cucumber:host:#{@host_id}")
34
53
  @host.attributes['api_key'] = @host_api_key
35
54
  end
55
+
56
+ Given(/^a new delegated host$/) do
57
+ # Create an owner user
58
+ step 'a new user'
59
+ @host_owner = @user
60
+ @host_owner_id = @user_id
61
+ @host_owner_api_key = @user_api_key
62
+
63
+ # Create a new host that is owned by that user
64
+ @host_id = "app-#{random_hex}"
65
+ response = $conjur.load_policy 'root', <<-POLICY
66
+ - !host
67
+ id: #{@host_id}
68
+ owner: !user #{@host_owner_id}
69
+ POLICY
70
+
71
+ @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
72
+ expect(@host_api_key).to be
73
+ @host = $conjur.resource("cucumber:host:#{@host_id}")
74
+ @host.attributes['api_key'] = @host_api_key
75
+ end