conjur-api 5.3.8.pre.319 → 5.4.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (150) hide show
  1. checksums.yaml +4 -4
  2. data/.codeclimate.yml +10 -0
  3. data/.dockerignore +1 -0
  4. data/.github/CODEOWNERS +10 -0
  5. data/.gitignore +32 -0
  6. data/.gitleaks.toml +219 -0
  7. data/.overcommit.yml +16 -0
  8. data/.project +18 -0
  9. data/.rubocop.yml +3 -0
  10. data/.rubocop_settings.yml +86 -0
  11. data/.rubocop_todo.yml +709 -0
  12. data/.yardopts +1 -0
  13. data/CHANGELOG.md +448 -0
  14. data/CONTRIBUTING.md +138 -0
  15. data/Dockerfile +16 -0
  16. data/Gemfile +7 -0
  17. data/Jenkinsfile +136 -0
  18. data/LICENSE +202 -0
  19. data/README.md +162 -0
  20. data/Rakefile +47 -0
  21. data/SECURITY.md +42 -0
  22. data/VERSION +1 -1
  23. data/bin/parse-changelog.sh +12 -0
  24. data/ci/configure_v4.sh +12 -0
  25. data/ci/configure_v5.sh +19 -0
  26. data/ci/oauth/keycloak/create_client +18 -0
  27. data/ci/oauth/keycloak/create_user +21 -0
  28. data/ci/oauth/keycloak/fetch_certificate +18 -0
  29. data/ci/oauth/keycloak/keycloak_functions.sh +71 -0
  30. data/ci/oauth/keycloak/standalone.xml +578 -0
  31. data/ci/oauth/keycloak/wait_for_server +56 -0
  32. data/ci/submit-coverage +36 -0
  33. data/conjur-api.gemspec +41 -0
  34. data/dev/Dockerfile.dev +12 -0
  35. data/dev/docker-compose.yml +56 -0
  36. data/dev/start +22 -0
  37. data/dev/stop +5 -0
  38. data/docker-compose.yml +98 -0
  39. data/example/demo_v4.rb +49 -0
  40. data/example/demo_v5.rb +57 -0
  41. data/features/authenticators.feature +41 -0
  42. data/features/authn.feature +14 -0
  43. data/features/authn_local.feature +32 -0
  44. data/features/exists.feature +37 -0
  45. data/features/group.feature +11 -0
  46. data/features/host.feature +50 -0
  47. data/features/host_factory_create_host.feature +28 -0
  48. data/features/host_factory_token.feature +63 -0
  49. data/features/load_policy.feature +61 -0
  50. data/features/members.feature +51 -0
  51. data/features/new_api.feature +36 -0
  52. data/features/permitted.feature +70 -0
  53. data/features/permitted_roles.feature +30 -0
  54. data/features/public_keys.feature +11 -0
  55. data/features/resource_fields.feature +53 -0
  56. data/features/role_fields.feature +15 -0
  57. data/features/rotate_api_key.feature +13 -0
  58. data/features/step_definitions/api_steps.rb +52 -0
  59. data/features/step_definitions/policy_steps.rb +134 -0
  60. data/features/step_definitions/result_steps.rb +11 -0
  61. data/features/support/env.rb +19 -0
  62. data/features/support/hooks.rb +3 -0
  63. data/features/support/world.rb +12 -0
  64. data/features/update_password.feature +14 -0
  65. data/features/user.feature +58 -0
  66. data/features/variable_fields.feature +20 -0
  67. data/features/variable_value.feature +60 -0
  68. data/features_v4/authn_local.feature +27 -0
  69. data/features_v4/exists.feature +29 -0
  70. data/features_v4/host.feature +18 -0
  71. data/features_v4/host_factory_token.feature +49 -0
  72. data/features_v4/members.feature +39 -0
  73. data/features_v4/permitted.feature +15 -0
  74. data/features_v4/permitted_roles.feature +8 -0
  75. data/features_v4/resource_fields.feature +47 -0
  76. data/features_v4/rotate_api_key.feature +13 -0
  77. data/features_v4/step_definitions/api_steps.rb +17 -0
  78. data/features_v4/step_definitions/result_steps.rb +3 -0
  79. data/features_v4/support/env.rb +23 -0
  80. data/features_v4/support/policy.yml +34 -0
  81. data/features_v4/support/world.rb +12 -0
  82. data/features_v4/variable_fields.feature +11 -0
  83. data/features_v4/variable_value.feature +54 -0
  84. data/lib/conjur/acts_as_resource.rb +123 -0
  85. data/lib/conjur/acts_as_role.rb +142 -0
  86. data/lib/conjur/acts_as_rolsource.rb +32 -0
  87. data/lib/conjur/acts_as_user.rb +68 -0
  88. data/lib/conjur/api/authenticators.rb +43 -0
  89. data/lib/conjur/api/authn.rb +144 -0
  90. data/lib/conjur/api/host_factories.rb +71 -0
  91. data/lib/conjur/api/ldap_sync.rb +38 -0
  92. data/lib/conjur/api/policies.rb +56 -0
  93. data/lib/conjur/api/pubkeys.rb +53 -0
  94. data/lib/conjur/api/resources.rb +109 -0
  95. data/lib/conjur/api/roles.rb +98 -0
  96. data/lib/conjur/api/router/v4.rb +206 -0
  97. data/lib/conjur/api/router/v5.rb +269 -0
  98. data/lib/conjur/api/variables.rb +59 -0
  99. data/lib/conjur/api.rb +105 -0
  100. data/lib/conjur/base.rb +355 -0
  101. data/lib/conjur/base_object.rb +57 -0
  102. data/lib/conjur/build_object.rb +47 -0
  103. data/lib/conjur/cache.rb +26 -0
  104. data/lib/conjur/cert_utils.rb +63 -0
  105. data/lib/conjur/cidr.rb +71 -0
  106. data/lib/conjur/configuration.rb +460 -0
  107. data/lib/conjur/escape.rb +129 -0
  108. data/lib/conjur/exceptions.rb +4 -0
  109. data/lib/conjur/group.rb +41 -0
  110. data/lib/conjur/has_attributes.rb +98 -0
  111. data/lib/conjur/host.rb +27 -0
  112. data/lib/conjur/host_factory.rb +75 -0
  113. data/lib/conjur/host_factory_token.rb +78 -0
  114. data/lib/conjur/id.rb +71 -0
  115. data/lib/conjur/layer.rb +9 -0
  116. data/lib/conjur/log.rb +72 -0
  117. data/lib/conjur/log_source.rb +60 -0
  118. data/lib/conjur/policy.rb +34 -0
  119. data/lib/conjur/policy_load_result.rb +61 -0
  120. data/lib/conjur/query_string.rb +12 -0
  121. data/lib/conjur/resource.rb +29 -0
  122. data/lib/conjur/role.rb +29 -0
  123. data/lib/conjur/role_grant.rb +85 -0
  124. data/lib/conjur/routing.rb +29 -0
  125. data/lib/conjur/user.rb +40 -0
  126. data/lib/conjur/variable.rb +208 -0
  127. data/lib/conjur/webservice.rb +30 -0
  128. data/lib/conjur-api/version.rb +24 -0
  129. data/lib/conjur-api.rb +2 -0
  130. data/publish.sh +5 -0
  131. data/spec/api/host_factories_spec.rb +34 -0
  132. data/spec/api_spec.rb +254 -0
  133. data/spec/base_object_spec.rb +13 -0
  134. data/spec/cert_utils_spec.rb +173 -0
  135. data/spec/cidr_spec.rb +34 -0
  136. data/spec/configuration_spec.rb +330 -0
  137. data/spec/has_attributes_spec.rb +63 -0
  138. data/spec/helpers/errors_matcher.rb +34 -0
  139. data/spec/helpers/request_helpers.rb +10 -0
  140. data/spec/id_spec.rb +29 -0
  141. data/spec/ldap_sync_spec.rb +21 -0
  142. data/spec/log_source_spec.rb +13 -0
  143. data/spec/log_spec.rb +42 -0
  144. data/spec/roles_spec.rb +24 -0
  145. data/spec/spec_helper.rb +113 -0
  146. data/spec/ssl_spec.rb +109 -0
  147. data/spec/uri_escape_spec.rb +21 -0
  148. data/test.sh +76 -0
  149. data/tmp/.keep +0 -0
  150. metadata +196 -5
@@ -0,0 +1,36 @@
1
+ #!/bin/bash
2
+
3
+ set -eux
4
+
5
+ DIR="coverage"
6
+ BIN="cc-test-reporter"
7
+ REPORT="${DIR}/.resultset.json"
8
+
9
+ if [[ ! -e ${REPORT} ]]; then
10
+ echo "SimpleCov report (${REPORT}) not found"
11
+ ls -laR ${DIR}
12
+ exit 1
13
+ fi
14
+
15
+ if [[ ! -x ${BIN} ]]; then
16
+ echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
17
+ ls -laR ${DIR}
18
+ # report is present but reporter binary is not, definitely a bug, exit error.
19
+ exit 1
20
+ fi
21
+
22
+ # Simplecov excludes files not within the current repo, it also needs to
23
+ # be able to read all the files referenced within the report. As the reports
24
+ # are generated in containers, the absolute paths contained in the report
25
+ # are not valid outside that container. This sed fixes the paths
26
+ # So they are correct relative to the Jenkins workspace.
27
+ sed -i -E "s+/src/conjur-api+${WORKSPACE}+g" "${REPORT}"
28
+
29
+ echo "Coverage reports prepared, submitting to CodeClimate."
30
+ # vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
31
+
32
+ ./${BIN} after-build \
33
+ --coverage-input-type "simplecov"\
34
+ --id "${TRID}"
35
+
36
+ echo "Successfully Reported Coverage Data"
@@ -0,0 +1,41 @@
1
+ # -*- encoding: utf-8 -*-
2
+ require File.expand_path('../lib/conjur-api/version', __FILE__)
3
+
4
+ Gem::Specification.new do |gem|
5
+ gem.authors = ["CyberArk Maintainers"]
6
+ gem.email = ["conj_maintainers@cyberark.com"]
7
+ gem.description = %q{Conjur API}
8
+ gem.summary = %q{Conjur API}
9
+ gem.homepage = "https://github.com/cyberark/conjur-api-ruby/"
10
+ gem.license = "Apache-2.0"
11
+
12
+ gem.files = `git ls-files`.split($\).append("VERSION") + Dir['build_number']
13
+ gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
14
+ gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
15
+ gem.name = "conjur-api"
16
+ gem.require_paths = ["lib"]
17
+ gem.version = Conjur::API::VERSION
18
+
19
+ gem.required_ruby_version = '>= 1.9'
20
+
21
+ # Filter out development only executables
22
+ gem.executables -= %w{parse-changelog.sh}
23
+
24
+ gem.add_dependency 'rest-client'
25
+ gem.add_dependency 'activesupport', '>= 4.2'
26
+ gem.add_dependency 'addressable', '~> 2.0'
27
+
28
+ gem.add_development_dependency 'rake', '>= 12.3.3'
29
+ gem.add_development_dependency 'rspec', '~> 3'
30
+ gem.add_development_dependency 'rspec-expectations', '~> 3.4'
31
+ gem.add_development_dependency 'json_spec'
32
+ gem.add_development_dependency 'cucumber', '~> 2.99'
33
+ gem.add_development_dependency 'ci_reporter_rspec'
34
+ gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
35
+ gem.add_development_dependency 'io-grab'
36
+ gem.add_development_dependency 'rdoc'
37
+ gem.add_development_dependency 'yard'
38
+ gem.add_development_dependency 'fakefs'
39
+ gem.add_development_dependency 'pry-byebug'
40
+ gem.add_development_dependency 'nokogiri'
41
+ end
@@ -0,0 +1,12 @@
1
+ FROM ruby:2.7
2
+
3
+ RUN apt-get update && apt-get install -y vim curl
4
+
5
+ WORKDIR /src/conjur-api
6
+
7
+ COPY Gemfile conjur-api.gemspec ./
8
+ COPY lib/conjur-api/version.rb ./lib/conjur-api/
9
+
10
+ RUN bundle
11
+
12
+ COPY . ./
@@ -0,0 +1,56 @@
1
+ version: '3'
2
+ services:
3
+ pg:
4
+ image: postgres:9.3
5
+
6
+ conjur_5:
7
+ image: cyberark/conjur
8
+ command: server -a cucumber
9
+ environment:
10
+ DATABASE_URL: postgres://postgres@pg/postgres
11
+ CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs='
12
+ volumes:
13
+ - authn_local_5:/run/authn-local
14
+ depends_on:
15
+ - pg
16
+
17
+ conjur_4:
18
+ image: registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
19
+ security_opt:
20
+ - seccomp:unconfined
21
+ volumes:
22
+ - ../features_v4/support/policy.yml:/etc/policy.yml
23
+ - authn_local_4:/run/authn-local
24
+
25
+ gem:
26
+ build:
27
+ context: ../
28
+ dockerfile: dev/Dockerfile.dev
29
+ entrypoint: sleep
30
+ command: infinity
31
+ environment:
32
+ CONJUR_APPLIANCE_URL: http://conjur_5
33
+ CONJUR_VERSION: 5
34
+ CONJUR_ACCOUNT: cucumber
35
+ links:
36
+ - conjur_5:conjur_5
37
+ - conjur_4:conjur_4
38
+ volumes:
39
+ - ..:/src/conjur-api
40
+ - authn_local_4:/run/authn-local-4
41
+ - authn_local_5:/run/authn-local-5
42
+
43
+ client:
44
+ image: conjurinc/cli5
45
+ entrypoint: sleep
46
+ command: infinity
47
+ environment:
48
+ CONJUR_APPLIANCE_URL: http://conjur_5
49
+ CONJUR_ACCOUNT: cucumber
50
+ CONJUR_AUTHN_LOGIN: admin
51
+ links:
52
+ - conjur_5:conjur_5
53
+
54
+ volumes:
55
+ authn_local_5:
56
+ authn_local_4:
data/dev/start ADDED
@@ -0,0 +1,22 @@
1
+ #!/bin/bash -ex
2
+
3
+ function v5_development() {
4
+ docker-compose up -d --no-deps conjur_5 pg gem client
5
+
6
+ docker-compose exec -T conjur_5 conjurctl wait
7
+
8
+ local api_key=$(docker-compose exec -T conjur_5 rake 'role:retrieve-key[cucumber:user:admin]')
9
+ api_key=$(docker-compose exec -T conjur_5 conjurctl role retrieve-key cucumber:user:admin | tr -d '\r')
10
+
11
+ docker exec -e CONJUR_AUTHN_API_KEY="$api_key" -it --detach-keys 'ctrl-\' $(docker-compose ps -q gem) bash
12
+ }
13
+
14
+ # Set up VERSION file for local development
15
+ if [ ! -f "../VERSION" ]; then
16
+ echo -n "0.0.dev" > ../VERSION
17
+ fi
18
+
19
+ docker-compose pull
20
+ docker-compose build
21
+
22
+ v5_development
data/dev/stop ADDED
@@ -0,0 +1,5 @@
1
+ #!/bin/bash -ex
2
+
3
+ echo 'Removing test environment'
4
+ echo '---'
5
+ docker-compose down --rmi 'local' --volumes
@@ -0,0 +1,98 @@
1
+ version: '2.1'
2
+ services:
3
+ pg:
4
+ image: postgres:9.3
5
+
6
+ conjur_5:
7
+ image: cyberark/conjur:edge
8
+ command: server -a cucumber
9
+ environment:
10
+ DATABASE_URL: postgres://postgres@pg/postgres
11
+ CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs='
12
+ volumes:
13
+ - authn_local_5:/run/authn-local
14
+ - ./ci/oauth/keycloak:/scripts
15
+ depends_on:
16
+ - pg
17
+ - keycloak
18
+
19
+ keycloak:
20
+ image: jboss/keycloak:4.3.0.Final
21
+ environment:
22
+ - KEYCLOAK_USER=admin
23
+ - KEYCLOAK_PASSWORD=admin
24
+ - KEYCLOAK_APP_USER=alice
25
+ - KEYCLOAK_APP_USER_PASSWORD=alice
26
+ - KEYCLOAK_APP_USER_EMAIL=alice@conjur.net
27
+ - DB_VENDOR=H2
28
+ - KEYCLOAK_CLIENT_ID=conjurClient
29
+ - KEYCLOAK_REDIRECT_URI=http://conjur_5/authn-oidc/keycloak/cucumber/authenticate
30
+ - KEYCLOAK_CLIENT_SECRET=1234
31
+ - KEYCLOAK_SCOPE=openid
32
+ ports:
33
+ - "7777:8080"
34
+ volumes:
35
+ - ./ci/oauth/keycloak/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone.xml
36
+ - ./ci/oauth/keycloak:/scripts
37
+
38
+ conjur_4:
39
+ image: registry2.itci.conjur.net/conjur-appliance-cuke-master:4.9-stable
40
+ security_opt:
41
+ - seccomp:unconfined
42
+ volumes:
43
+ - ./features_v4/support/policy.yml:/etc/policy.yml
44
+ - authn_local_4:/run/authn-local
45
+
46
+ tester_5:
47
+ build:
48
+ context: .
49
+ dockerfile: Dockerfile
50
+ args:
51
+ RUBY_VERSION: ${RUBY_VERSION}
52
+ volumes:
53
+ - ./spec/reports:/src/conjur-api/spec/reports
54
+ - ./features/reports:/src/conjur-api/features/reports
55
+ - ./coverage:/src/conjur-api/coverage
56
+ - authn_local_5:/run/authn-local-5
57
+ - ./ci/oauth/keycloak:/scripts
58
+ environment:
59
+ CONJUR_APPLIANCE_URL: http://conjur_5
60
+ CONJUR_VERSION: 5
61
+ CONJUR_ACCOUNT: cucumber
62
+
63
+ tester_4:
64
+ build:
65
+ context: .
66
+ dockerfile: Dockerfile
67
+ args:
68
+ RUBY_VERSION: ${RUBY_VERSION}
69
+ volumes:
70
+ - ./features_v4/reports:/src/conjur-api/features_v4/reports
71
+ - ./tmp/conjur.pem:/src/conjur-api/tmp/conjur.pem
72
+ - ./coverage_v4:/src/conjur-api/coverage
73
+ - authn_local_4:/run/authn-local-4
74
+ environment:
75
+ CONJUR_APPLIANCE_URL: https://conjur_4/api
76
+ CONJUR_VERSION: 4
77
+ CONJUR_ACCOUNT: cucumber
78
+
79
+ dev:
80
+ build:
81
+ context: .
82
+ dockerfile: Dockerfile
83
+ args:
84
+ RUBY_VERSION: ${RUBY_VERSION}
85
+ entrypoint: bash
86
+ volumes:
87
+ - .:/src/conjur-api
88
+ - authn_local_4:/run/authn-local-4
89
+ - authn_local_5:/run/authn-local-5
90
+ environment:
91
+ CONJUR_ACCOUNT: cucumber
92
+ depends_on:
93
+ - conjur_4
94
+ - conjur_5
95
+
96
+ volumes:
97
+ authn_local_4:
98
+ authn_local_5:
@@ -0,0 +1,49 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require 'conjur-api'
4
+ require 'securerandom'
5
+
6
+ username = "admin"
7
+ password = "secret"
8
+
9
+ Conjur.configuration.appliance_url = "https://conjur_4/api"
10
+ Conjur.configuration.account = "cucumber"
11
+ Conjur.configuration.cert_file = "./tmp/conjur.pem"
12
+ Conjur.configuration.version = 4
13
+ Conjur.configuration.apply_cert_config!
14
+
15
+ puts "Configured with Conjur version: #{Conjur.configuration.version}"
16
+ puts
17
+
18
+ api_key = Conjur::API.login username, password
19
+ api = Conjur::API.new_from_key username, api_key
20
+
21
+ db_password = SecureRandom.hex(12)
22
+ puts "Populating variable 'db-password' = #{db_password.inspect}"
23
+ api.resource("cucumber:variable:db-password").add_value db_password
24
+ puts "Value added"
25
+ puts
26
+
27
+ puts "Creating host factory token for 'myapp'"
28
+ expiration = Time.now + 1.day
29
+ hf_token = api.resource("cucumber:host_factory:myapp").create_token expiration
30
+ puts "Created: #{hf_token.token}"
31
+ puts
32
+
33
+ puts "Creating new host 'host-01' with host factory"
34
+ host = Conjur::API.host_factory_create_host(hf_token, "host-01")
35
+ puts "Created: #{host}"
36
+ puts
37
+
38
+ puts "Logging in as #{host.id}"
39
+ host_api = Conjur::API.new_from_key "host/host-01", host.api_key
40
+ puts "Logged in"
41
+ puts
42
+
43
+
44
+ puts "Fetching db-password as #{host.id}"
45
+ value = host_api.resource("cucumber:variable:db-password").value
46
+ puts value
47
+ puts
48
+
49
+ puts "Done!"
@@ -0,0 +1,57 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require 'conjur-api'
4
+ require 'securerandom'
5
+
6
+ username = "admin"
7
+
8
+ arguments = ARGV.dup
9
+
10
+ api_key = arguments.shift or raise "Usage: ./demo_v5 <admin-api-key>"
11
+
12
+ Conjur.configuration.appliance_url = "http://conjur_5"
13
+ Conjur.configuration.account = "cucumber"
14
+ # This is the default
15
+ # Conjur.configuration.version = 5
16
+
17
+ puts "Configured with Conjur version: #{Conjur.configuration.version}"
18
+ puts
19
+
20
+ api = Conjur::API.new_from_key username, api_key
21
+
22
+ policy = File.read("features_v4/support/policy.yml")
23
+
24
+ puts "Loading policy 'root'"
25
+ policy_result = api.load_policy "root", policy
26
+ puts "Loaded: #{policy_result}"
27
+ puts
28
+
29
+ db_password = SecureRandom.hex(12)
30
+ puts "Populating variable 'db-password' = #{db_password.inspect}"
31
+ api.resource("cucumber:variable:db-password").add_value db_password
32
+ puts "Value added"
33
+ puts
34
+
35
+ puts "Creating host factory token for 'myapp'"
36
+ expiration = Time.now + 1.day
37
+ hf_token = api.resource("cucumber:host_factory:myapp").create_token expiration
38
+ puts "Created: #{hf_token.token}"
39
+ puts
40
+
41
+ puts "Creating new host 'host-01' with host factory"
42
+ host = Conjur::API.host_factory_create_host(hf_token, "host-01")
43
+ puts "Created: #{host}"
44
+ puts
45
+
46
+ puts "Logging in as #{host.id}"
47
+ host_api = Conjur::API.new_from_key "host/host-01", host.api_key
48
+ puts "Logged in"
49
+ puts
50
+
51
+
52
+ puts "Fetching db-password as #{host.id}"
53
+ value = host_api.resource("cucumber:variable:db-password").value
54
+ puts value
55
+ puts
56
+
57
+ puts "Done!"
@@ -0,0 +1,41 @@
1
+ Feature: List and manage authenticators
2
+
3
+ Background:
4
+ Given I run the code:
5
+ """
6
+ $conjur.load_policy 'root', <<-POLICY
7
+ - !webservice conjur/authn-k8s/my-auth
8
+ POLICY
9
+ """
10
+ And I setup a keycloak authenticator
11
+
12
+ Scenario: Authenticator list includes the authenticator status
13
+ When I run the code:
14
+ """
15
+ $conjur.authenticator_list
16
+ """
17
+ Then the JSON should have "installed"
18
+ And the JSON should have "configured"
19
+ And the JSON should have "enabled"
20
+ And the JSON at "enabled" should be ["authn"]
21
+
22
+ Scenario: Enable and disable authenticator
23
+ When I run the code:
24
+ """
25
+ $conjur.authenticator_enable("authn-k8s", "my-auth")
26
+ $conjur.authenticator_list
27
+ """
28
+ Then the JSON at "enabled" should be ["authn", "authn-k8s/my-auth"]
29
+ When I run the code:
30
+ """
31
+ $conjur.authenticator_disable("authn-k8s", "my-auth")
32
+ $conjur.authenticator_list
33
+ """
34
+ Then the JSON at "enabled" should be ["authn"]
35
+
36
+ Scenario: Get a list of OIDC providers
37
+ When I run the code:
38
+ """
39
+ $conjur.authentication_providers("authn-oidc")
40
+ """
41
+ Then the providers list contains service id "keycloak"
@@ -0,0 +1,14 @@
1
+ Feature: Authenticate with Conjur
2
+
3
+ Background:
4
+ Given I setup a keycloak authenticator
5
+
6
+ Scenario: Authenticate with OIDC state and code
7
+ When I retrieve the login url for OIDC authenticator "keycloak"
8
+ And I retrieve auth info for the OIDC provider with username: "alice" and password: "alice"
9
+ And I run the code:
10
+ """
11
+ $conjur.authenticator_enable "authn-oidc", "keycloak"
12
+ Conjur::API.authenticator_authenticate("authn-oidc", "keycloak", options: @auth_body)
13
+ """
14
+ Then the JSON should have "payload"
@@ -0,0 +1,32 @@
1
+ Feature: When co-located with the Conjur server, the API can use the authn-local service to authenticate.
2
+
3
+ Scenario: authn-local can be used to obtain an access token.
4
+ When I run the code:
5
+ """
6
+ Conjur::API.authenticate_local "alice"
7
+ """
8
+ Then the JSON should have "payload"
9
+ And I run the code:
10
+ """
11
+ JSON.parse(Base64.decode64(@result['payload']))
12
+ """
13
+ Then the JSON should have "sub"
14
+ And the JSON should have "iat"
15
+
16
+ Scenario: Conjur API supports construction from authn-local.
17
+ When I run the code:
18
+ """
19
+ @api = Conjur::API.new_from_authn_local "alice"
20
+ @api.token
21
+ """
22
+ Then the JSON should have "payload"
23
+
24
+ Scenario: Conjur API will automatically refresh the token.
25
+ When I run the code:
26
+ """
27
+ @api = Conjur::API.new_from_authn_local "alice"
28
+ @api.token
29
+ @api.force_token_refresh
30
+ @api.token
31
+ """
32
+ Then the JSON should have "payload"
@@ -0,0 +1,37 @@
1
+ Feature: Check if an object exists.
2
+
3
+ Background:
4
+ Given I run the code:
5
+ """
6
+ $conjur.load_policy 'root', <<-POLICY
7
+ - !group developers
8
+ POLICY
9
+ """
10
+
11
+ Scenario: A created group resource exists
12
+ When I run the code:
13
+ """
14
+ $conjur.resource('cucumber:group:developers').exists?
15
+ """
16
+ Then the result should be "true"
17
+
18
+ Scenario: An un-created resource doesn't exist
19
+ When I run the code:
20
+ """
21
+ $conjur.resource('cucumber:food:bacon').exists?
22
+ """
23
+ Then the result should be "false"
24
+
25
+ Scenario: A created group role exists
26
+ When I run the code:
27
+ """
28
+ $conjur.role('cucumber:group:developers').exists?
29
+ """
30
+ Then the result should be "true"
31
+
32
+ Scenario: An un-created role doesn't exist
33
+ When I run the code:
34
+ """
35
+ $conjur.role('cucumber:food:bacon').exists?
36
+ """
37
+ Then the result should be "false"
@@ -0,0 +1,11 @@
1
+ Feature: Display Group object fields.
2
+
3
+ Background:
4
+ Given a new group
5
+
6
+ Scenario: Group has a gidnumber.
7
+ Then I run the code:
8
+ """
9
+ @group.gidnumber
10
+ """
11
+ Then the result should be "1000"
@@ -0,0 +1,50 @@
1
+ Feature: Host object
2
+
3
+ Scenario: API key of a newly created host is available and valid
4
+ Given a new host
5
+ Then I can run the code:
6
+ """
7
+ expect(@host.exists?).to be(true)
8
+ expect(@host.api_key).to be
9
+ Conjur::API.new_from_key(@host.login, @host.api_key).token
10
+ """
11
+
12
+ # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
13
+ Scenario: Host's own API key cannot be rotated with an API key
14
+ Given a new host
15
+ Then this code should fail with "You cannot rotate your own API key via this method"
16
+ """
17
+ host = Conjur::API.new_from_key(@host.login, @host.api_key).resource(@host.id)
18
+ host.rotate_api_key
19
+ """
20
+
21
+ # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
22
+ Scenario: Host's own API key cannot be rotated with a token
23
+ Given a new host
24
+ Then this code should fail with "You cannot rotate your own API key via this method"
25
+ """
26
+ token = Conjur::API.new_from_key(@host.login, @host.api_key).token
27
+
28
+ host = Conjur::API.new_from_token(token).resource(@host.id)
29
+ host.rotate_api_key
30
+ """
31
+
32
+ Scenario: Delegated host's API key can be rotated with an API key
33
+ Given a new delegated host
34
+ Then I can run the code:
35
+ """
36
+ delegated_host_resource = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).resource(@host.id)
37
+ api_key = delegated_host_resource.rotate_api_key
38
+ Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
39
+ """
40
+
41
+ Scenario: Delegated host's API key can be rotated with a token
42
+ Given a new delegated host
43
+ Then I can run the code:
44
+ """
45
+ token = Conjur::API.new_from_key(@host_owner.login, @host_owner_api_key).token
46
+
47
+ delegated_host_resource = Conjur::API.new_from_token(token).resource(@host.id)
48
+ api_key = delegated_host_resource.rotate_api_key
49
+ Conjur::API.new_from_key(delegated_host_resource.login, api_key).token
50
+ """
@@ -0,0 +1,28 @@
1
+ Feature: Create a host using a host factory token.
2
+
3
+ Background:
4
+ Given I run the code:
5
+ """
6
+ $conjur.load_policy 'root', <<-POLICY
7
+ - !policy
8
+ id: myapp
9
+ body:
10
+ - !layer
11
+
12
+ - !host-factory
13
+ layers: [ !layer ]
14
+ POLICY
15
+ @expiration = (DateTime.now + 1.hour).change(sec: 0)
16
+ @host_factory = $conjur.resource('cucumber:host_factory:myapp')
17
+ @token = @host_factory.create_token @expiration
18
+ """
19
+
20
+ Scenario: I can create a host from the token
21
+ When I run the code:
22
+ """
23
+ Conjur::API.host_factory_create_host(@token.token, "app-01")
24
+ """
25
+ Then the JSON should have "id"
26
+ And the JSON should have "permissions"
27
+ And the JSON should have "owner"
28
+ And the JSON should have "api_key"
@@ -0,0 +1,63 @@
1
+ Feature: Working with host factory tokens.
2
+
3
+ Background:
4
+ Given I run the code:
5
+ """
6
+ $conjur.load_policy 'root', <<-POLICY
7
+ - !policy
8
+ id: myapp
9
+ body:
10
+ - !layer
11
+
12
+ - !host-factory
13
+ layers: [ !layer ]
14
+ POLICY
15
+ @expiration = (DateTime.now + 1.hour).change(sec: 0)
16
+ @host_factory = $conjur.resource('cucumber:host_factory:myapp')
17
+ """
18
+
19
+ @wip
20
+ Scenario: Create a new host factory token.
21
+ When I run the code:
22
+ """
23
+ @token = @host_factory.create_token @expiration
24
+ """
25
+ Then I can run the code:
26
+ """
27
+ expect(@token).to be_instance_of(Conjur::HostFactoryToken)
28
+ expect(@token.token).to be_instance_of(String)
29
+ expiration = @token.expiration
30
+ expiration = expiration.change(sec: 0)
31
+ expect(expiration).to eq(@expiration)
32
+ """
33
+ And I can run the code:
34
+ """
35
+ expect(@host_factory.tokens).to eq([@token])
36
+ """
37
+
38
+ Scenario: Create multiple new host factory tokens.
39
+ When I run the code:
40
+ """
41
+ @host_factory.create_tokens @expiration, count: 2
42
+ """
43
+ Then the JSON should have 2 items
44
+
45
+ Scenario: Revoke a host factory token using the token object.
46
+ When I run the code:
47
+ """
48
+ @token = @host_factory.create_token @expiration
49
+ """
50
+ Then I can run the code:
51
+ """
52
+ @token.revoke
53
+ """
54
+
55
+ Scenario: Revoke a host factory token using the API.
56
+ When I run the code:
57
+ """
58
+ @token = @host_factory.create_token @expiration
59
+ """
60
+ Then I can run the code:
61
+ """
62
+ $conjur.revoke_host_factory_token @token.token
63
+ """