conjur-api 5.3.8.pre.319 → 5.3.8.pre.321

data/features/load_policy.feature

@@ -0,0 +1,61 @@
+Feature: Load a policy.
+
+  Scenario: Policy can be loaded into a policy id.
+    Then I can run the code:
+    """
+    policy = <<-POLICY
+    - !group security_admin
+
+    - !policy
+      id: myapp
+      body:
+      - !layer
+
+      - !host-factory
+        layers: [ !layer ]
+
+    - !host app-01
+
+    - !grant
+      role: !layer myapp
+      member: !host app-01
+    POLICY
+
+    $conjur.load_policy 'root', policy
+    """
+
+  Scenario: The policy load reports the API keys of created roles.
+    Then I can run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !host app-#{random_hex}
+    POLICY
+    """
+    Then the JSON should have "version"
+    And the JSON should have "created_roles"
+    And the JSON at "created_roles" should have 1 item
+
+  Scenario: Policy contents can be replaced using POLICY_METHOD_PUT.
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !group developers
+    - !group operations
+    POLICY
+    """
+    And I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY, method: Conjur::API::POLICY_METHOD_PUT
+    --- []
+    POLICY
+    """
+    And I run the code:
+    """
+    $conjur.resources.map(&:id)
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:policy:root"
+    ]
+    """

data/features/members.feature

@@ -0,0 +1,51 @@
+Feature: Display role members and memberships.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !group everyone
+    - !group developers
+    - !grant
+      role: !group everyone
+      member: !group developers
+    POLICY
+    """
+
+  Scenario: Show a role's members.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:everyone').members.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "admin_option": false,
+        "member": "cucumber:group:developers",
+        "role": "cucumber:group:everyone"
+      },
+      {
+        "admin_option": true,
+        "member": "cucumber:user:admin",
+        "role": "cucumber:group:everyone"
+      }
+    ]
+    """
+
+  Scenario: Show a role's memberships.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').memberships.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "id": "cucumber:group:developers"
+      },
+      {
+        "id": "cucumber:group:everyone"
+      }
+    ]
+    """

data/features/new_api.feature

@@ -0,0 +1,36 @@
+Feature: Constructing a new API object.
+  Background:
+    Given a new host
+
+  Scenario: From API key.
+    Then I run the code:
+    """
+    api = Conjur::API.new_from_key "host/#{@host_id}", @host_api_key
+    expect(api.token).to be_instance_of(Hash)
+    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
+    """
+
+  Scenario: From access token.
+    Given I run the code:
+    """
+    @token = Conjur::API.new_from_key("host/#{@host_id}", @host_api_key).token
+    """
+    Then I run the code:
+    """
+    api = Conjur::API.new_from_token @token
+    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
+    """
+
+  Scenario: From access token file.
+    Given I run the code:
+    """
+    token = Conjur::API.new_from_key("host/#{@host_id}", @host_api_key).token
+    @temp_file = Tempfile.new("token.json")
+    @temp_file.write(token.to_json)
+    @temp_file.flush
+    """
+    Then I run the code:
+    """
+    api = Conjur::API.new_from_token_file @temp_file.path
+    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
+    """

data/features/permitted.feature

@@ -0,0 +1,70 @@
+Feature: Check if a role has permission on a resource.
+
+  Background:
+    Given I run the code:
+    """
+    @host_id = "app-#{random_hex}"
+    @test_user = "user$#{random_hex}"
+    @test_host = "host?#{random_hex}"
+    response = $conjur.load_policy 'root', <<-POLICY
+    - !variable db-password
+
+    - !layer myapp
+
+    - !host #{@host_id}
+
+    - !permit
+      role: !layer myapp
+      privilege: execute
+      resource: !variable db-password
+
+    - !policy
+      id: test
+      body:
+        - !user #{@test_user}
+        - !host #{@test_host}
+
+    - !permit
+      role: !user #{@test_user}@test
+      privilege: execute
+      resource: !variable db-password
+    POLICY
+    @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+    expect(@host_api_key).to be
+    """
+
+  Scenario: Check if the current user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute'
+    """
+    Then the result should be "true"
+
+  Scenario: Check if a different user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:#{@host_id}"
+    """
+    Then the result should be "false"
+
+  Scenario: Check if a different user from subpolicy has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:#{@test_user}@test"
+    """
+    Then the result should be "true"
+
+  Scenario: Check if a different host from subpolicy has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:test/#{@test_host}"
+    """
+    Then the result should be "false"
+
+  Scenario: Check if a different user has the privilege, while logged in as that user.
+    When I run the code:
+    """
+    host_api = Conjur::API.new_from_key "host/#{@host_id}", @host_api_key
+    host_api.resource('cucumber:variable:db-password').permitted? 'execute'
+    """
+    Then the result should be "false"

data/features/permitted_roles.feature

@@ -0,0 +1,30 @@
+Feature: Enumerate roles which have a permission on a resource.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !variable db-password
+
+    - !layer myapp
+
+    - !permit
+      role: !layer myapp
+      privilege: execute
+      resource: !variable db-password
+    POLICY
+    """
+
+  @wip
+  Scenario: Permitted roles can be enumerated.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted_roles 'execute'
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:layer:myapp",
+      "cucumber:user:admin"
+    ]
+    """

data/features/public_keys.feature

@@ -0,0 +1,11 @@
+Feature: Fetch public keys for a user.
+
+  Background:
+    Given a new user
+
+  Scenario: User has a uidnumber.
+    When I run the code:
+    """
+    Conjur::API.public_keys @user.login
+    """
+    Then the result should be the public key

data/features/resource_fields.feature

@@ -0,0 +1,53 @@
+Feature: Display basic resource fields.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !group
+      id: developers
+      annotations:
+        gidnumber: 2000
+    POLICY
+    """
+
+  Scenario: Resource exposes id, kind, identifier, and attributes.
+    When I run the code:
+    """
+    resource = $conjur.resource('cucumber:group:developers')
+    [ resource.id, resource.account, resource.kind, resource.identifier, resource.attributes ]
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:group:developers",
+      "cucumber",
+      "group",
+      "developers",
+      {
+        "annotations": [
+          {
+            "name": "gidnumber",
+            "policy": "cucumber:policy:root",
+            "value": "2000"
+          }
+        ],
+        "owner": "cucumber:user:admin",
+        "permissions": [
+        ],
+        "policy": "cucumber:policy:root"
+      }
+    ]
+    """
+
+  Scenario: Resource#owner is the owner object
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').owner.id
+    """
+    Then the result should be "cucumber:user:admin"
+    And I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').class
+    """
+    Then the result should be "Conjur::Group"

data/features/role_fields.feature

@@ -0,0 +1,15 @@
+Feature: Display basic role fields.
+
+  Scenario: Login of a user is the login name.
+    When I run the code:
+    """
+    $conjur.role('cucumber:user:alice').login
+    """
+    Then the result should be "alice"
+
+  Scenario: Login of a non-user is prefixed with the role kind.
+    When I run the code:
+    """
+    $conjur.role('cucumber:host:myapp').login
+    """
+    Then the result should be "host/myapp"

data/features/rotate_api_key.feature

@@ -0,0 +1,13 @@
+Feature: Rotate the API key.
+
+  Scenario: Logged-in user can rotate the API key.
+    When I run the code:
+    """
+    Conjur::API.rotate_api_key 'admin', $api_key
+    """
+    Then I can run the code:
+    """
+    $api_key = @result.strip
+    $conjur = Conjur::API.new_from_key $username, @result
+    $conjur.token
+    """

data/features/step_definitions/api_steps.rb

@@ -0,0 +1,52 @@
+Then(/^I(?: can)? run the code:$/) do |code|
+  @result = eval(code).tap do |result|
+    puts result if ENV['DEBUG']
+  end
+end
+
+Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
+  begin
+    @result = eval(code)
+  rescue Exception => exc
+    if not exc.message =~ %r{#{error_msg}}
+      fail "'#{error_msg}' was not found in '#{exc.message}'"
+    end
+  else
+    puts @result if ENV['DEBUG']
+    fail "The provided block did not raise an error"
+  end
+end
+
+Given(/^I retrieve the login url for OIDC authenticator "([^"]+)"$/) do |service_id|
+  provider = $conjur.authentication_providers("authn-oidc").select {|provider_details| provider_details["service_id"] == service_id}
+  @login_url = provider[0]["redirect_uri"]
+  puts @login_url
+end
+
+Given(/^I retrieve auth info for the OIDC provider with username: "([^"]+)" and password: "([^"]+)"$/) do |username, password|
+  res = Net::HTTP.get_response(URI(@login_url))
+  raise res if res.is_a?(Net::HTTPError) || res.is_a?(Net::HTTPClientError)
+
+  all_cookies = res.get_fields('set-cookie')
+  puts all_cookies
+  cookies_arrays = Array.new
+  all_cookies.each do |cookie|
+    cookies_arrays.push(cookie.split('; ')[0])
+  end
+
+  html = Nokogiri::HTML(res.body)
+  post_uri = URI(html.xpath('//form').first.attributes['action'].value)
+
+  http = Net::HTTP.new(post_uri.host, post_uri.port)
+  http.use_ssl = true
+  request = Net::HTTP::Post.new(post_uri.request_uri)
+  request['Cookie'] = cookies_arrays.join('; ')
+  request.set_form_data({'username' => username, 'password' => password})
+
+  response = http.request(request)
+
+  if response.is_a?(Net::HTTPRedirection)
+    response_details = URI.decode_www_form(URI(response['location']).query)
+    @auth_body = {state: response_details.assoc('state')[1], code: response_details.assoc('code')[1]}
+  end
+end

data/features/step_definitions/policy_steps.rb

@@ -0,0 +1,134 @@
+Given(/^a new user$/) do
+  @user_id = "user-#{random_hex}"
+  @public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd/PAcCL9rW/zAS7DRns/KYiAvRAEKxBu/0IF32z7x6YiMFcA2hmH4DMYaIY45Xlj7L9uTZamUlRZNjSS9Xm6Lhh7XGceIX2067/MDnH+or9xh5LZs6gb3x7QVtNz26Au5h5kP0xoJ+wpVxvY707BeSax/WQZI8akqd0fD1IqOoafWkcX0ucu5iIgDh08R7zq3vrDHEK7+SoYo9ncHfmOUJ5lmImGiU/WMqM0OzN3RsgxJi/aaHjW1IASTY8TmAtTtjEsxbQXxRVUCAP9vWUZg7p3aqIB6sEP8skgncCUtHBQxUtE1XN8Q8NeFOzau6+9sQTXlPl8c/L4Jc4K96C75 #{@user_id}@example.com"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user
+    id: #{@user_id}
+    uidnumber: 1000
+    public_keys:
+    - #{@public_key}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{@user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
+Given(/^a user "([^"]+)"$/) do |user_id|
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user #{user_id}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
+Given(/^a new delegated user$/) do
+  # Create a new host that is owned by that user
+  step 'a new user'
+  @user_owner = @user
+  @user_owner_id = @user_id
+  @user_owner_api_key = @user_api_key
+
+  # Create a new user that is owned by the user created earlier
+  @user_id = "user-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user
+    id: #{@user_id}
+    owner: !user #{@user_owner_id}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{@user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
+Given(/^a new group$/) do
+  @group_id = "group-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !group
+    id: #{@group_id}
+    gidnumber: 1000
+  POLICY
+  @group = $conjur.resource("cucumber:group:#{@group_id}")
+end
+
+Given(/^a new host$/) do
+  @host_id = "app-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !host #{@host_id}
+  POLICY
+  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+  expect(@host_api_key).to be
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end
+
+Given(/^a new delegated host$/) do
+  # Create an owner user
+  step 'a new user'
+  @host_owner = @user
+  @host_owner_id = @user_id
+  @host_owner_api_key = @user_api_key
+
+  # Create a new host that is owned by that user
+  @host_id = "app-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !host
+    id: #{@host_id}
+    owner: !user #{@host_owner_id}
+  POLICY
+
+  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+  expect(@host_api_key).to be
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end
+
+Given(/^I setup a keycloak authenticator$/) do
+    $conjur.load_policy 'root', <<-POLICY
+    - !policy 
+      id: conjur/authn-oidc/keycloak
+      body: 
+      - !webservice  
+     
+      - !variable provider-uri 
+      - !variable client-id 
+      - !variable client-secret 
+      - !variable name
+     
+      - !variable claim-mapping 
+       
+      - !variable nonce 
+      - !variable state
+
+      - !variable redirect-uri
+
+      - !group users
+
+      - !permit
+        role: !group users
+        privilege: [ read, authenticate ]
+        resource: !webservice
+
+    - !user alice
+    - !grant
+      role: !group conjur/authn-oidc/keycloak/users
+      member: !user alice
+    POLICY
+    @provider_uri = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/provider-uri")
+    @client_id = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/client-id")
+    @client_secret = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/client-secret")
+    @name = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/name")
+    @claim_mapping = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/claim-mapping")
+    @nonce = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/nonce")
+    @state = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/state")
+    @redirect_uri = $conjur.resource("cucumber:variable:conjur/authn-oidc/keycloak/redirect-uri")
+
+    @provider_uri.add_value "https://keycloak:8443/auth/realms/master"
+    @client_id.add_value "conjurClient"
+    @client_secret.add_value "1234"
+    @claim_mapping.add_value "preferred_username"
+    @nonce.add_value SecureRandom.uuid
+    @state.add_value SecureRandom.uuid
+    @name.add_value "keycloak"
+    @redirect_uri.add_value "http://conjur_5/authn-oidc/keycloak/cucumber/authenticate"
+end

data/features/step_definitions/result_steps.rb

@@ -0,0 +1,11 @@
+Then(/^the result should be "([^"]+)"$/) do |expected|
+  expect(@result.to_s).to eq(expected.to_s)
+end
+
+Then(/^the result should be the public key$/) do
+  expect(@result).to eq(@public_key + "\n")
+end
+
+Then(/^the providers list contains service id "([^"]+)"$/) do |service_id|
+  expect(@result.map{ |x| x["service_id"]}).to include(service_id)
+end

data/features/support/env.rb

@@ -0,0 +1,19 @@
+require 'simplecov'
+require 'nokogiri'
+
+SimpleCov.start do
+  command_name "#{ENV['RUBY_VERSION']}"
+end
+
+require 'json_spec/cucumber'
+require 'conjur/api'
+
+Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'http://localhost/api/v6'
+Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
+Conjur.configuration.authn_local_socket = "/run/authn-local-5/.socket"
+
+$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
+$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
+
+$api_key = Conjur::API.login $username, $password
+$conjur = Conjur::API.new_from_key $username, $api_key

data/features/support/hooks.rb

@@ -0,0 +1,3 @@
+Before do
+  $conjur.load_policy 'root', "--- []"
+end

data/features/support/world.rb

@@ -0,0 +1,12 @@
+module ApiWorld
+  def last_json
+    @result.to_json
+  end
+
+  def random_hex nbytes = 12
+    @random ||= Random.new
+    @random.bytes(nbytes).unpack('h*').first
+  end
+end
+
+World ApiWorld

data/features/update_password.feature

@@ -0,0 +1,14 @@
+Feature: Change a user's password.
+  Background:
+    Given a new user
+
+  Scenario: A user can set/change her password using the current API key.
+    When I run the code:
+    """
+    Conjur::API.update_password @user_id, @user_api_key, 'SEcret12!!!!'
+    @new_api_key = Conjur::API.login @user_id, 'SEcret12!!!!'
+    """
+    Then I can run the code:
+    """
+    Conjur::API.new_from_key(@user_id, @new_api_key).token
+    """

data/features/user.feature

@@ -0,0 +1,58 @@
+Feature: User object
+
+  Background:
+
+  Scenario: User has a uidnumber
+    Given a new user
+    Then I can run the code:
+    """
+    @user.uidnumber
+    """
+    Then the result should be "1000"
+
+  Scenario: Logged-in user is the current_role
+    Given a new user
+    Then I can run the code:
+    """
+    expect($conjur.current_role(Conjur.configuration.account).id.to_s).to eq("cucumber:user:admin")
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with an API key
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    user = Conjur::API.new_from_key(@user.login, @user_api_key).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with a token
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@user.login, @user_api_key).token
+
+    user = Conjur::API.new_from_token(token).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  Scenario: Delegated user's API key can be rotated with an API key
+    Given a new delegated user
+    Then I can run the code:
+    """
+    delegated_user_resource = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """
+
+  Scenario: Delegated user's API key can be rotated with a token
+    Given a new delegated user
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).token
+
+    delegated_user_resource = Conjur::API.new_from_token(token).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """

data/features/variable_fields.feature

@@ -0,0 +1,20 @@
+Feature: Display Variable fields.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !variable
+      id: ssl-certificate
+      kind: SSL certificate
+      mime_type: application/x-pem-file
+    POLICY
+    """
+    And I run the code:
+    """
+    $conjur.resource('cucumber:variable:ssl-certificate')
+    """
+
+  Scenario: Display MIME type and kind
+    Then the JSON at "mime_type" should be "application/x-pem-file"
+    And the JSON at "kind" should be "SSL certificate"