conjur-api 5.3.8.pre.3 → 5.3.8.pre.8

data/features/load_policy.feature

@@ -1,61 +0,0 @@
-Feature: Load a policy.
-
-  Scenario: Policy can be loaded into a policy id.
-    Then I can run the code:
-    """
-    policy = <<-POLICY
-    - !group security_admin
-
-    - !policy
-      id: myapp
-      body:
-      - !layer
-
-      - !host-factory
-        layers: [ !layer ]
-
-    - !host app-01
-
-    - !grant
-      role: !layer myapp
-      member: !host app-01
-    POLICY
-
-    $conjur.load_policy 'root', policy
-    """
-
-  Scenario: The policy load reports the API keys of created roles.
-    Then I can run the code:
-    """
-    $conjur.load_policy 'root', <<-POLICY
-    - !host app-#{random_hex}
-    POLICY
-    """
-    Then the JSON should have "version"
-    And the JSON should have "created_roles"
-    And the JSON at "created_roles" should have 1 item
-
-  Scenario: Policy contents can be replaced using POLICY_METHOD_PUT.
-    Given I run the code:
-    """
-    $conjur.load_policy 'root', <<-POLICY
-    - !group developers
-    - !group operations
-    POLICY
-    """
-    And I run the code:
-    """
-    $conjur.load_policy 'root', <<-POLICY, method: Conjur::API::POLICY_METHOD_PUT
-    --- []
-    POLICY
-    """
-    And I run the code:
-    """
-    $conjur.resources.map(&:id)
-    """
-    Then the JSON should be:
-    """
-    [
-      "cucumber:policy:root"
-    ]
-    """

data/features/members.feature

@@ -1,51 +0,0 @@
-Feature: Display role members and memberships.
-
-  Background:
-    Given I run the code:
-    """
-    $conjur.load_policy 'root', <<-POLICY
-    - !group everyone
-    - !group developers
-    - !grant
-      role: !group everyone
-      member: !group developers
-    POLICY
-    """
-
-  Scenario: Show a role's members.
-    When I run the code:
-    """
-    $conjur.role('cucumber:group:everyone').members.map(&:as_json)
-    """
-    Then the JSON should be:
-    """
-    [
-      {
-        "admin_option": false,
-        "member": "cucumber:group:developers",
-        "role": "cucumber:group:everyone"
-      },
-      {
-        "admin_option": true,
-        "member": "cucumber:user:admin",
-        "role": "cucumber:group:everyone"
-      }
-    ]
-    """
-
-  Scenario: Show a role's memberships.
-    When I run the code:
-    """
-    $conjur.role('cucumber:group:developers').memberships.map(&:as_json)
-    """
-    Then the JSON should be:
-    """
-    [
-      {
-        "id": "cucumber:group:developers"
-      },
-      {
-        "id": "cucumber:group:everyone"
-      }
-    ]
-    """

data/features/new_api.feature

@@ -1,36 +0,0 @@
-Feature: Constructing a new API object.
-  Background:
-    Given a new host
-
-  Scenario: From API key.
-    Then I run the code:
-    """
-    api = Conjur::API.new_from_key "host/#{@host_id}", @host_api_key
-    expect(api.token).to be_instance_of(Hash)
-    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
-    """
-
-  Scenario: From access token.
-    Given I run the code:
-    """
-    @token = Conjur::API.new_from_key("host/#{@host_id}", @host_api_key).token
-    """
-    Then I run the code:
-    """
-    api = Conjur::API.new_from_token @token
-    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
-    """
-
-  Scenario: From access token file.
-    Given I run the code:
-    """
-    token = Conjur::API.new_from_key("host/#{@host_id}", @host_api_key).token
-    @temp_file = Tempfile.new("token.json")
-    @temp_file.write(token.to_json)
-    @temp_file.flush
-    """
-    Then I run the code:
-    """
-    api = Conjur::API.new_from_token_file @temp_file.path
-    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
-    """

data/features/permitted.feature

@@ -1,70 +0,0 @@
-Feature: Check if a role has permission on a resource.
-
-  Background:
-    Given I run the code:
-    """
-    @host_id = "app-#{random_hex}"
-    @test_user = "user$#{random_hex}"
-    @test_host = "host?#{random_hex}"
-    response = $conjur.load_policy 'root', <<-POLICY
-    - !variable db-password
-
-    - !layer myapp
-
-    - !host #{@host_id}
-
-    - !permit
-      role: !layer myapp
-      privilege: execute
-      resource: !variable db-password
-
-    - !policy
-      id: test
-      body:
-        - !user #{@test_user}
-        - !host #{@test_host}
-
-    - !permit
-      role: !user #{@test_user}@test
-      privilege: execute
-      resource: !variable db-password
-    POLICY
-    @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
-    expect(@host_api_key).to be
-    """
-
-  Scenario: Check if the current user has the privilege.
-    When I run the code:
-    """
-    $conjur.resource('cucumber:variable:db-password').permitted? 'execute'
-    """
-    Then the result should be "true"
-
-  Scenario: Check if a different user has the privilege.
-    When I run the code:
-    """
-    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:#{@host_id}"
-    """
-    Then the result should be "false"
-
-  Scenario: Check if a different user from subpolicy has the privilege.
-    When I run the code:
-    """
-    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:#{@test_user}@test"
-    """
-    Then the result should be "true"
-
-  Scenario: Check if a different host from subpolicy has the privilege.
-    When I run the code:
-    """
-    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:test/#{@test_host}"
-    """
-    Then the result should be "false"
-
-  Scenario: Check if a different user has the privilege, while logged in as that user.
-    When I run the code:
-    """
-    host_api = Conjur::API.new_from_key "host/#{@host_id}", @host_api_key
-    host_api.resource('cucumber:variable:db-password').permitted? 'execute'
-    """
-    Then the result should be "false"

data/features/permitted_roles.feature

@@ -1,30 +0,0 @@
-Feature: Enumerate roles which have a permission on a resource.
-
-  Background:
-    Given I run the code:
-    """
-    $conjur.load_policy 'root', <<-POLICY
-    - !variable db-password
-
-    - !layer myapp
-
-    - !permit
-      role: !layer myapp
-      privilege: execute
-      resource: !variable db-password
-    POLICY
-    """
-
-  @wip
-  Scenario: Permitted roles can be enumerated.
-    When I run the code:
-    """
-    $conjur.resource('cucumber:variable:db-password').permitted_roles 'execute'
-    """
-    Then the JSON should be:
-    """
-    [
-      "cucumber:layer:myapp",
-      "cucumber:user:admin"
-    ]
-    """

data/features/public_keys.feature

@@ -1,11 +0,0 @@
-Feature: Fetch public keys for a user.
-
-  Background:
-    Given a new user
-
-  Scenario: User has a uidnumber.
-    When I run the code:
-    """
-    Conjur::API.public_keys @user.login
-    """
-    Then the result should be the public key

data/features/resource_fields.feature

@@ -1,53 +0,0 @@
-Feature: Display basic resource fields.
-
-  Background:
-    Given I run the code:
-    """
-    $conjur.load_policy 'root', <<-POLICY
-    - !group
-      id: developers
-      annotations:
-        gidnumber: 2000
-    POLICY
-    """
-
-  Scenario: Resource exposes id, kind, identifier, and attributes.
-    When I run the code:
-    """
-    resource = $conjur.resource('cucumber:group:developers')
-    [ resource.id, resource.account, resource.kind, resource.identifier, resource.attributes ]
-    """
-    Then the JSON should be:
-    """
-    [
-      "cucumber:group:developers",
-      "cucumber",
-      "group",
-      "developers",
-      {
-        "annotations": [
-          {
-            "name": "gidnumber",
-            "policy": "cucumber:policy:root",
-            "value": "2000"
-          }
-        ],
-        "owner": "cucumber:user:admin",
-        "permissions": [
-        ],
-        "policy": "cucumber:policy:root"
-      }
-    ]
-    """
-
-  Scenario: Resource#owner is the owner object
-    When I run the code:
-    """
-    $conjur.resource('cucumber:group:developers').owner.id
-    """
-    Then the result should be "cucumber:user:admin"
-    And I run the code:
-    """
-    $conjur.resource('cucumber:group:developers').class
-    """
-    Then the result should be "Conjur::Group"

data/features/role_fields.feature

@@ -1,15 +0,0 @@
-Feature: Display basic role fields.
-
-  Scenario: Login of a user is the login name.
-    When I run the code:
-    """
-    $conjur.role('cucumber:user:alice').login
-    """
-    Then the result should be "alice"
-
-  Scenario: Login of a non-user is prefixed with the role kind.
-    When I run the code:
-    """
-    $conjur.role('cucumber:host:myapp').login
-    """
-    Then the result should be "host/myapp"

data/features/rotate_api_key.feature

@@ -1,13 +0,0 @@
-Feature: Rotate the API key.
-
-  Scenario: Logged-in user can rotate the API key.
-    When I run the code:
-    """
-    Conjur::API.rotate_api_key 'admin', $api_key
-    """
-    Then I can run the code:
-    """
-    $api_key = @result.strip
-    $conjur = Conjur::API.new_from_key $username, @result
-    $conjur.token
-    """

data/features/step_definitions/api_steps.rb

@@ -1,52 +0,0 @@
-Then(/^I(?: can)? run the code:$/) do |code|
-  @result = eval(code).tap do |result|
-    puts result if ENV['DEBUG']
-  end
-end
-
-Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
-  begin
-    @result = eval(code)
-  rescue Exception => exc
-    if not exc.message =~ %r{#{error_msg}}
-      fail "'#{error_msg}' was not found in '#{exc.message}'"
-    end
-  else
-    puts @result if ENV['DEBUG']
-    fail "The provided block did not raise an error"
-  end
-end
-
-Given(/^I retrieve the login url for OIDC authenticator "([^"]+)"$/) do |service_id|
-  provider = $conjur.authentication_providers("authn-oidc").select {|provider_details| provider_details["service_id"] == service_id}
-  @login_url = provider[0]["redirect_uri"]
-  puts @login_url
-end
-
-Given(/^I retrieve auth info for the OIDC provider with username: "([^"]+)" and password: "([^"]+)"$/) do |username, password|
-  res = Net::HTTP.get_response(URI(@login_url))
-  raise res if res.is_a?(Net::HTTPError) || res.is_a?(Net::HTTPClientError)
-
-  all_cookies = res.get_fields('set-cookie')
-  puts all_cookies
-  cookies_arrays = Array.new
-  all_cookies.each do |cookie|
-    cookies_arrays.push(cookie.split('; ')[0])
-  end
-
-  html = Nokogiri::HTML(res.body)
-  post_uri = URI(html.xpath('//form').first.attributes['action'].value)
-
-  http = Net::HTTP.new(post_uri.host, post_uri.port)
-  http.use_ssl = true
-  request = Net::HTTP::Post.new(post_uri.request_uri)
-  request['Cookie'] = cookies_arrays.join('; ')
-  request.set_form_data({'username' => username, 'password' => password})
-
-  response = http.request(request)
-
-  if response.is_a?(Net::HTTPRedirection)
-    response_details = URI.decode_www_form(URI(response['location']).query)
-    @auth_body = {state: response_details.assoc('state')[1], code: response_details.assoc('code')[1]}
-  end
-end

data/features/step_definitions/policy_steps.rb

@@ -1,134 +0,0 @@
-Given(/^a new user$/) do
-  @user_id = "user-#{random_hex}"
-  @public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd/PAcCL9rW/zAS7DRns/KYiAvRAEKxBu/0IF32z7x6YiMFcA2hmH4DMYaIY45Xlj7L9uTZamUlRZNjSS9Xm6Lhh7XGceIX2067/MDnH+or9xh5LZs6gb3x7QVtNz26Au5h5kP0xoJ+wpVxvY707BeSax/WQZI8akqd0fD1IqOoafWkcX0ucu5iIgDh08R7zq3vrDHEK7+SoYo9ncHfmOUJ5lmImGiU/WMqM0OzN3RsgxJi/aaHjW1IASTY8TmAtTtjEsxbQXxRVUCAP9vWUZg7p3aqIB6sEP8skgncCUtHBQxUtE1XN8Q8NeFOzau6+9sQTXlPl8c/L4Jc4K96C75 #{@user_id}@example.com"
-  response = $conjur.load_policy 'root', <<-POLICY
-  - !user
-    id: #{@user_id}
-    uidnumber: 1000
-    public_keys:
-    - #{@public_key}
-  POLICY
-  @user = $conjur.resource("cucumber:user:#{@user_id}")
-  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
-  expect(@user_api_key).to be
-end
-
-Given(/^a user "([^"]+)"$/) do |user_id|
-  response = $conjur.load_policy 'root', <<-POLICY
-  - !user #{user_id}
-  POLICY
-  @user = $conjur.resource("cucumber:user:#{user_id}")
-  @user_api_key = response.created_roles["cucumber:user:#{user_id}"]['api_key']
-  expect(@user_api_key).to be
-end
-
-Given(/^a new delegated user$/) do
-  # Create a new host that is owned by that user
-  step 'a new user'
-  @user_owner = @user
-  @user_owner_id = @user_id
-  @user_owner_api_key = @user_api_key
-
-  # Create a new user that is owned by the user created earlier
-  @user_id = "user-#{random_hex}"
-  response = $conjur.load_policy 'root', <<-POLICY
-  - !user
-    id: #{@user_id}
-    owner: !user #{@user_owner_id}
-  POLICY
-  @user = $conjur.resource("cucumber:user:#{@user_id}")
-  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
-  expect(@user_api_key).to be
-end
-
-Given(/^a new group$/) do
-  @group_id = "group-#{random_hex}"
-  response = $conjur.load_policy 'root', <<-POLICY
-  - !group
-    id: #{@group_id}
-    gidnumber: 1000
-  POLICY
-  @group = $conjur.resource("cucumber:group:#{@group_id}")
-end
-
-Given(/^a new host$/) do
-  @host_id = "app-#{random_hex}"
-  response = $conjur.load_policy 'root', <<-POLICY
-  - !host #{@host_id}
-  POLICY
-  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
-  expect(@host_api_key).to be
-  @host = $conjur.resource("cucumber:host:#{@host_id}")
-  @host.attributes['api_key'] = @host_api_key
-end
-
-Given(/^a new delegated host$/) do
-  # Create an owner user
-  step 'a new user'
-  @host_owner = @user
-  @host_owner_id = @user_id
-  @host_owner_api_key = @user_api_key
-
-  # Create a new host that is owned by that user
-  @host_id = "app-#{random_hex}"
-  response = $conjur.load_policy 'root', <<-POLICY
-  - !host
-    id: #{@host_id}
-    owner: !user #{@host_owner_id}
-  POLICY
-
-  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
-  expect(@host_api_key).to be
-  @host = $conjur.resource("cucumber:host:#{@host_id}")
-  @host.attributes['api_key'] = @host_api_key
-end
-
-Given(/^I setup a keycloak authenticator$/) do
-    $conjur.load_policy 'root', <<-POLICY
-    - !policy 
-      id: conjur/authn-oidc/keycloak
-      body: 
-      - !webservice  
-     
-      - !variable provider-uri 
-      - !variable client-id 
-      - !variable client-secret 
-      - !variable name
-     
-      - !variable claim-mapping 
-       
-      - !variable nonce 
-      - !variable state
-
-      - !variable redirect-uri
-
-      - !group users
-
-      - !permit
-        role: !group users
-        privilege: [ read, authenticate ]
-        resource: !webservice
-
-    - !user alice
-    - !grant
-      role: !group conjur/authn-oidc/keycloak/users
-      member: !user alice
-    POLICY
-    @provider_uri = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/provider-uri")
-    @client_id = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/client-id")
-    @client_secret = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/client-secret")
-    @name = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/name")
-    @claim_mapping = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/claim-mapping")
-    @nonce = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/nonce")
-    @state = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/state")
-    @redirect_uri = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/redirect-uri")
-
-    @provider_uri.add_value "https://keycloak:8443/auth/realms/master"
-    @client_id.add_value "conjurClient"
-    @client_secret.add_value "1234"
-    @claim_mapping.add_value "preferred_username"
-    @nonce.add_value SecureRandom.uuid
-    @state.add_value SecureRandom.uuid
-    @name.add_value "keycloak"
-    @redirect_uri.add_value "http://conjur_5/authn-oidc/keycloak/cucumber/authenticate"
-end

data/features/step_definitions/result_steps.rb

@@ -1,11 +0,0 @@
-Then(/^the result should be "([^"]+)"$/) do |expected|
-  expect(@result.to_s).to eq(expected.to_s)
-end
-
-Then(/^the result should be the public key$/) do
-  expect(@result).to eq(@public_key + "\n")
-end
-
-Then(/^the providers list contains service id "([^"]+)"$/) do |service_id|
-  expect(@result.map{ |x| x["service_id"]}).to include(service_id)
-end

data/features/support/env.rb

@@ -1,19 +0,0 @@
-require 'simplecov'
-require 'nokogiri'
-
-SimpleCov.start do
-  command_name "#{ENV['RUBY_VERSION']}"
-end
-
-require 'json_spec/cucumber'
-require 'conjur/api'
-
-Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'http://localhost/api/v6'
-Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
-Conjur.configuration.authn_local_socket = "/run/authn-local-5/.socket"
-
-$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
-$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
-
-$api_key = Conjur::API.login $username, $password
-$conjur = Conjur::API.new_from_key $username, $api_key

data/features/support/hooks.rb

@@ -1,3 +0,0 @@
-Before do
-  $conjur.load_policy 'root', "--- []"
-end

data/features/support/world.rb

@@ -1,12 +0,0 @@
-module ApiWorld
-  def last_json
-    @result.to_json
-  end
-
-  def random_hex nbytes = 12
-    @random ||= Random.new
-    @random.bytes(nbytes).unpack('h*').first
-  end
-end
-
-World ApiWorld

data/features/update_password.feature

@@ -1,14 +0,0 @@
-Feature: Change a user's password.
-  Background:
-    Given a new user
-
-  Scenario: A user can set/change her password using the current API key.
-    When I run the code:
-    """
-    Conjur::API.update_password @user_id, @user_api_key, 'SEcret12!!!!'
-    @new_api_key = Conjur::API.login @user_id, 'SEcret12!!!!'
-    """
-    Then I can run the code:
-    """
-    Conjur::API.new_from_key(@user_id, @new_api_key).token
-    """

data/features/user.feature

@@ -1,58 +0,0 @@
-Feature: User object
-
-  Background:
-
-  Scenario: User has a uidnumber
-    Given a new user
-    Then I can run the code:
-    """
-    @user.uidnumber
-    """
-    Then the result should be "1000"
-
-  Scenario: Logged-in user is the current_role
-    Given a new user
-    Then I can run the code:
-    """
-    expect($conjur.current_role(Conjur.configuration.account).id.to_s).to eq("cucumber:user:admin")
-    """
-
-  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
-  Scenario: User's own API key cannot be rotated with an API key
-    Given a new user
-    Then this code should fail with "You cannot rotate your own API key via this method"
-    """
-    user = Conjur::API.new_from_key(@user.login, @user_api_key).resource(@user.id)
-    user.rotate_api_key
-    """
-
-  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
-  Scenario: User's own API key cannot be rotated with a token
-    Given a new user
-    Then this code should fail with "You cannot rotate your own API key via this method"
-    """
-    token = Conjur::API.new_from_key(@user.login, @user_api_key).token
-
-    user = Conjur::API.new_from_token(token).resource(@user.id)
-    user.rotate_api_key
-    """
-
-  Scenario: Delegated user's API key can be rotated with an API key
-    Given a new delegated user
-    Then I can run the code:
-    """
-    delegated_user_resource = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).resource(@user.id)
-    api_key = delegated_user_resource.rotate_api_key
-    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
-    """
-
-  Scenario: Delegated user's API key can be rotated with a token
-    Given a new delegated user
-    Then I can run the code:
-    """
-    token = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).token
-
-    delegated_user_resource = Conjur::API.new_from_token(token).resource(@user.id)
-    api_key = delegated_user_resource.rotate_api_key
-    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
-    """

data/features/variable_fields.feature

@@ -1,20 +0,0 @@
-Feature: Display Variable fields.
-
-  Background:
-    Given I run the code:
-    """
-    $conjur.load_policy 'root', <<-POLICY
-    - !variable
-      id: ssl-certificate
-      kind: SSL certificate
-      mime_type: application/x-pem-file
-    POLICY
-    """
-    And I run the code:
-    """
-    $conjur.resource('cucumber:variable:ssl-certificate')
-    """
-
-  Scenario: Display MIME type and kind
-    Then the JSON at "mime_type" should be "application/x-pem-file"
-    And the JSON at "kind" should be "SSL certificate"