conjur-api 5.3.8.pre.8 → 5.3.8.pre.194

data/features/members.feature

@@ -0,0 +1,51 @@
+Feature: Display role members and memberships.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !group everyone
+    - !group developers
+    - !grant
+      role: !group everyone
+      member: !group developers
+    POLICY
+    """
+
+  Scenario: Show a role's members.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:everyone').members.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "admin_option": false,
+        "member": "cucumber:group:developers",
+        "role": "cucumber:group:everyone"
+      },
+      {
+        "admin_option": true,
+        "member": "cucumber:user:admin",
+        "role": "cucumber:group:everyone"
+      }
+    ]
+    """
+
+  Scenario: Show a role's memberships.
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').memberships.map(&:as_json)
+    """
+    Then the JSON should be:
+    """
+    [
+      {
+        "id": "cucumber:group:developers"
+      },
+      {
+        "id": "cucumber:group:everyone"
+      }
+    ]
+    """

data/features/new_api.feature

@@ -0,0 +1,36 @@
+Feature: Constructing a new API object.
+  Background:
+    Given a new host
+
+  Scenario: From API key.
+    Then I run the code:
+    """
+    api = Conjur::API.new_from_key "host/#{@host_id}", @host_api_key
+    expect(api.token).to be_instance_of(Hash)
+    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
+    """
+
+  Scenario: From access token.
+    Given I run the code:
+    """
+    @token = Conjur::API.new_from_key("host/#{@host_id}", @host_api_key).token
+    """
+    Then I run the code:
+    """
+    api = Conjur::API.new_from_token @token
+    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
+    """
+
+  Scenario: From access token file.
+    Given I run the code:
+    """
+    token = Conjur::API.new_from_key("host/#{@host_id}", @host_api_key).token
+    @temp_file = Tempfile.new("token.json")
+    @temp_file.write(token.to_json)
+    @temp_file.flush
+    """
+    Then I run the code:
+    """
+    api = Conjur::API.new_from_token_file @temp_file.path
+    expect($conjur.resource("cucumber:host:#{@host_id}")).to exist
+    """

data/features/permitted.feature

@@ -0,0 +1,70 @@
+Feature: Check if a role has permission on a resource.
+
+  Background:
+    Given I run the code:
+    """
+    @host_id = "app-#{random_hex}"
+    @test_user = "user$#{random_hex}"
+    @test_host = "host?#{random_hex}"
+    response = $conjur.load_policy 'root', <<-POLICY
+    - !variable db-password
+
+    - !layer myapp
+
+    - !host #{@host_id}
+
+    - !permit
+      role: !layer myapp
+      privilege: execute
+      resource: !variable db-password
+
+    - !policy
+      id: test
+      body:
+        - !user #{@test_user}
+        - !host #{@test_host}
+
+    - !permit
+      role: !user #{@test_user}@test
+      privilege: execute
+      resource: !variable db-password
+    POLICY
+    @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+    expect(@host_api_key).to be
+    """
+
+  Scenario: Check if the current user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute'
+    """
+    Then the result should be "true"
+
+  Scenario: Check if a different user has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:#{@host_id}"
+    """
+    Then the result should be "false"
+
+  Scenario: Check if a different user from subpolicy has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:user:#{@test_user}@test"
+    """
+    Then the result should be "true"
+
+  Scenario: Check if a different host from subpolicy has the privilege.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted? 'execute', role: "cucumber:host:test/#{@test_host}"
+    """
+    Then the result should be "false"
+
+  Scenario: Check if a different user has the privilege, while logged in as that user.
+    When I run the code:
+    """
+    host_api = Conjur::API.new_from_key "host/#{@host_id}", @host_api_key
+    host_api.resource('cucumber:variable:db-password').permitted? 'execute'
+    """
+    Then the result should be "false"

data/features/permitted_roles.feature

@@ -0,0 +1,30 @@
+Feature: Enumerate roles which have a permission on a resource.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !variable db-password
+
+    - !layer myapp
+
+    - !permit
+      role: !layer myapp
+      privilege: execute
+      resource: !variable db-password
+    POLICY
+    """
+
+  @wip
+  Scenario: Permitted roles can be enumerated.
+    When I run the code:
+    """
+    $conjur.resource('cucumber:variable:db-password').permitted_roles 'execute'
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:layer:myapp",
+      "cucumber:user:admin"
+    ]
+    """

data/features/public_keys.feature

@@ -0,0 +1,11 @@
+Feature: Fetch public keys for a user.
+
+  Background:
+    Given a new user
+
+  Scenario: User has a uidnumber.
+    When I run the code:
+    """
+    Conjur::API.public_keys @user.login
+    """
+    Then the result should be the public key

data/features/resource_fields.feature

@@ -0,0 +1,53 @@
+Feature: Display basic resource fields.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !group
+      id: developers
+      annotations:
+        gidnumber: 2000
+    POLICY
+    """
+
+  Scenario: Resource exposes id, kind, identifier, and attributes.
+    When I run the code:
+    """
+    resource = $conjur.resource('cucumber:group:developers')
+    [ resource.id, resource.account, resource.kind, resource.identifier, resource.attributes ]
+    """
+    Then the JSON should be:
+    """
+    [
+      "cucumber:group:developers",
+      "cucumber",
+      "group",
+      "developers",
+      {
+        "annotations": [
+          {
+            "name": "gidnumber",
+            "policy": "cucumber:policy:root",
+            "value": "2000"
+          }
+        ],
+        "owner": "cucumber:user:admin",
+        "permissions": [
+        ],
+        "policy": "cucumber:policy:root"
+      }
+    ]
+    """
+
+  Scenario: Resource#owner is the owner object
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').owner.id
+    """
+    Then the result should be "cucumber:user:admin"
+    And I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').class
+    """
+    Then the result should be "Conjur::Group"

data/features/role_fields.feature

@@ -0,0 +1,15 @@
+Feature: Display basic role fields.
+
+  Scenario: Login of a user is the login name.
+    When I run the code:
+    """
+    $conjur.role('cucumber:user:alice').login
+    """
+    Then the result should be "alice"
+
+  Scenario: Login of a non-user is prefixed with the role kind.
+    When I run the code:
+    """
+    $conjur.role('cucumber:host:myapp').login
+    """
+    Then the result should be "host/myapp"

data/features/rotate_api_key.feature

@@ -0,0 +1,13 @@
+Feature: Rotate the API key.
+
+  Scenario: Logged-in user can rotate the API key.
+    When I run the code:
+    """
+    Conjur::API.rotate_api_key 'admin', $api_key
+    """
+    Then I can run the code:
+    """
+    $api_key = @result.strip
+    $conjur = Conjur::API.new_from_key $username, @result
+    $conjur.token
+    """

data/features/step_definitions/api_steps.rb

@@ -0,0 +1,18 @@
+Then(/^I(?: can)? run the code:$/) do |code|
+  @result = eval(code).tap do |result|
+    puts result if ENV['DEBUG']
+  end
+end
+
+Then(/^this code should fail with "([^"]*)"$/) do |error_msg, code|
+  begin
+    @result = eval(code)
+  rescue Exception => exc
+    if not exc.message =~ %r{#{error_msg}}
+      fail "'#{error_msg}' was not found in '#{exc.message}'"
+    end
+  else
+    puts @result if ENV['DEBUG']
+    fail "The provided block did not raise an error"
+  end
+end

data/features/step_definitions/policy_steps.rb

@@ -0,0 +1,75 @@
+Given(/^a new user$/) do
+  @user_id = "user-#{random_hex}"
+  @public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd/PAcCL9rW/zAS7DRns/KYiAvRAEKxBu/0IF32z7x6YiMFcA2hmH4DMYaIY45Xlj7L9uTZamUlRZNjSS9Xm6Lhh7XGceIX2067/MDnH+or9xh5LZs6gb3x7QVtNz26Au5h5kP0xoJ+wpVxvY707BeSax/WQZI8akqd0fD1IqOoafWkcX0ucu5iIgDh08R7zq3vrDHEK7+SoYo9ncHfmOUJ5lmImGiU/WMqM0OzN3RsgxJi/aaHjW1IASTY8TmAtTtjEsxbQXxRVUCAP9vWUZg7p3aqIB6sEP8skgncCUtHBQxUtE1XN8Q8NeFOzau6+9sQTXlPl8c/L4Jc4K96C75 #{@user_id}@example.com"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user
+    id: #{@user_id}
+    uidnumber: 1000
+    public_keys:
+    - #{@public_key}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{@user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
+Given(/^a new delegated user$/) do
+  # Create a new host that is owned by that user
+  step 'a new user'
+  @user_owner = @user
+  @user_owner_id = @user_id
+  @user_owner_api_key = @user_api_key
+
+  # Create a new user that is owned by the user created earlier
+  @user_id = "user-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !user
+    id: #{@user_id}
+    owner: !user #{@user_owner_id}
+  POLICY
+  @user = $conjur.resource("cucumber:user:#{@user_id}")
+  @user_api_key = response.created_roles["cucumber:user:#{@user_id}"]['api_key']
+  expect(@user_api_key).to be
+end
+
+Given(/^a new group$/) do
+  @group_id = "group-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !group
+    id: #{@group_id}
+    gidnumber: 1000
+  POLICY
+  @group = $conjur.resource("cucumber:group:#{@group_id}")
+end
+
+Given(/^a new host$/) do
+  @host_id = "app-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !host #{@host_id}
+  POLICY
+  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+  expect(@host_api_key).to be
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end
+
+Given(/^a new delegated host$/) do
+  # Create an owner user
+  step 'a new user'
+  @host_owner = @user
+  @host_owner_id = @user_id
+  @host_owner_api_key = @user_api_key
+
+  # Create a new host that is owned by that user
+  @host_id = "app-#{random_hex}"
+  response = $conjur.load_policy 'root', <<-POLICY
+  - !host
+    id: #{@host_id}
+    owner: !user #{@host_owner_id}
+  POLICY
+
+  @host_api_key = response.created_roles["cucumber:host:#{@host_id}"]['api_key']
+  expect(@host_api_key).to be
+  @host = $conjur.resource("cucumber:host:#{@host_id}")
+  @host.attributes['api_key'] = @host_api_key
+end

data/features/step_definitions/result_steps.rb

@@ -0,0 +1,7 @@
+Then(/^the result should be "([^"]+)"$/) do |expected|
+  expect(@result.to_s).to eq(expected.to_s)
+end
+
+Then(/^the result should be the public key$/) do
+  expect(@result).to eq(@public_key + "\n")
+end

data/features/support/env.rb

@@ -0,0 +1,18 @@
+require 'simplecov'
+
+SimpleCov.start do
+  command_name "#{ENV['RUBY_VERSION']}"
+end
+
+require 'json_spec/cucumber'
+require 'conjur/api'
+
+Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'http://localhost/api/v6'
+Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
+Conjur.configuration.authn_local_socket = "/run/authn-local-5/.socket"
+
+$username = ENV['CONJUR_AUTHN_LOGIN'] || 'admin'
+$password = ENV['CONJUR_AUTHN_API_KEY'] || 'secret'
+
+$api_key = Conjur::API.login $username, $password
+$conjur = Conjur::API.new_from_key $username, $api_key

data/features/support/hooks.rb

@@ -0,0 +1,3 @@
+Before do
+  $conjur.load_policy 'root', "--- []"
+end

data/features/support/world.rb

@@ -0,0 +1,12 @@
+module ApiWorld
+  def last_json
+    @result.to_json
+  end
+
+  def random_hex nbytes = 12
+    @random ||= Random.new
+    @random.bytes(nbytes).unpack('h*').first
+  end
+end
+
+World ApiWorld

data/features/update_password.feature

@@ -0,0 +1,14 @@
+Feature: Change a user's password.
+  Background:
+    Given a new user
+
+  Scenario: A user can set/change her password using the current API key.
+    When I run the code:
+    """
+    Conjur::API.update_password @user_id, @user_api_key, 'SEcret12!!!!'
+    @new_api_key = Conjur::API.login @user_id, 'SEcret12!!!!'
+    """
+    Then I can run the code:
+    """
+    Conjur::API.new_from_key(@user_id, @new_api_key).token
+    """

data/features/user.feature

@@ -0,0 +1,58 @@
+Feature: User object
+
+  Background:
+
+  Scenario: User has a uidnumber
+    Given a new user
+    Then I can run the code:
+    """
+    @user.uidnumber
+    """
+    Then the result should be "1000"
+
+  Scenario: Logged-in user is the current_role
+    Given a new user
+    Then I can run the code:
+    """
+    expect($conjur.current_role(Conjur.configuration.account).id.to_s).to eq("cucumber:user:admin")
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with an API key
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    user = Conjur::API.new_from_key(@user.login, @user_api_key).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  # Rotation of own API key should be done via `Conjur::API.rotate_api_key()`
+  Scenario: User's own API key cannot be rotated with a token
+    Given a new user
+    Then this code should fail with "You cannot rotate your own API key via this method"
+    """
+    token = Conjur::API.new_from_key(@user.login, @user_api_key).token
+
+    user = Conjur::API.new_from_token(token).resource(@user.id)
+    user.rotate_api_key
+    """
+
+  Scenario: Delegated user's API key can be rotated with an API key
+    Given a new delegated user
+    Then I can run the code:
+    """
+    delegated_user_resource = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """
+
+  Scenario: Delegated user's API key can be rotated with a token
+    Given a new delegated user
+    Then I can run the code:
+    """
+    token = Conjur::API.new_from_key(@user_owner.login, @user_owner_api_key).token
+
+    delegated_user_resource = Conjur::API.new_from_token(token).resource(@user.id)
+    api_key = delegated_user_resource.rotate_api_key
+    Conjur::API.new_from_key(delegated_user_resource.login, api_key).token
+    """

data/features/variable_fields.feature

@@ -0,0 +1,20 @@
+Feature: Display Variable fields.
+
+  Background:
+    Given I run the code:
+    """
+    $conjur.load_policy 'root', <<-POLICY
+    - !variable
+      id: ssl-certificate
+      kind: SSL certificate
+      mime_type: application/x-pem-file
+    POLICY
+    """
+    And I run the code:
+    """
+    $conjur.resource('cucumber:variable:ssl-certificate')
+    """
+
+  Scenario: Display MIME type and kind
+    Then the JSON at "mime_type" should be "application/x-pem-file"
+    And the JSON at "kind" should be "SSL certificate"

data/features/variable_value.feature

@@ -0,0 +1,60 @@
+Feature: Work with Variable values.
+
+  Background:
+    Given I run the code:
+    """
+    @variable_id = "password"
+    $conjur.load_policy 'root', <<-POLICY
+    - !variable #{@variable_id}
+    - !variable #{@variable_id}-2
+    POLICY
+    @variable = $conjur.resource("cucumber:variable:#{@variable_id}")
+    @variable_2 = $conjur.resource("cucumber:variable:#{@variable_id}-2")
+    """
+
+  Scenario: Add a value, retrieve the variable metadata and the value.
+    When I run the code:
+    """
+    @initial_count = @variable.version_count
+    @variable.add_value 'value-0'
+    """
+    And I run the code:
+    """
+    expect(@variable.version_count).to eq(@initial_count + 1)
+    """
+    And I run the code:
+    """
+    @variable.value(@variable.version_count)
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve a historical value.
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable.add_value 'value-1'
+    @variable.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    @variable.value(@variable.version_count - 2)
+    """
+    Then the result should be "value-0"
+
+  Scenario: Retrieve multiple values in a batch
+    Given I run the code:
+    """
+    @variable.add_value 'value-0'
+    @variable_2.add_value 'value-2'
+    """
+    When I run the code:
+    """
+    $conjur.variable_values([ @variable, @variable_2 ].map(&:id))
+    """
+    Then the JSON should be:
+    """
+    {
+      "cucumber:variable:password": "value-0",
+      "cucumber:variable:password-2": "value-2"
+    }
+    """

data/features_v4/authn_local.feature

@@ -0,0 +1,27 @@
+Feature: When co-located with the Conjur server, the API can use the authn-local service to authenticate.
+
+  Scenario: authn-local can be used to obtain an access token.
+    When I run the code:
+    """
+    Conjur::API.authenticate_local "alice"
+    """
+    Then the JSON should have "data"
+
+  Scenario: Conjur API supports construction from authn-local.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    """
+    Then the JSON should have "data"
+
+  Scenario: Conjur API will automatically refresh the token.
+    When I run the code:
+    """
+    @api = Conjur::API.new_from_authn_local "alice"
+    @api.token
+    @api.force_token_refresh
+    @api.token
+    """
+    Then the JSON should have "data"
+    And the JSON at "data" should be "alice"

data/features_v4/exists.feature

@@ -0,0 +1,29 @@
+Feature: Check if an object exists.
+
+  Scenario: A created group resource exists
+    When I run the code:
+    """
+    $conjur.resource('cucumber:group:developers').exists?
+    """
+    Then the result should be "true"
+
+  Scenario: An un-created resource doesn't exist
+    When I run the code:
+    """
+    $conjur.resource('cucumber:food:bacon').exists?
+    """
+    Then the result should be "false"
+
+  Scenario: A created group role exists
+    When I run the code:
+    """
+    $conjur.role('cucumber:group:developers').exists?
+    """
+    Then the result should be "true"
+
+  Scenario: An un-created role doesn't exist
+    When I run the code:
+    """
+    $conjur.role('cucumber:food:bacon').exists?
+    """
+    Then the result should be "false"

data/features_v4/host.feature

@@ -0,0 +1,18 @@
+Feature: Display Host object fields.
+
+  Background:
+    Given a new host
+
+  Scenario: API key of a newly created host is available and valid.
+    Then I run the code:
+    """
+    expect(@host.exists?).to be(true)
+    expect(@host.api_key).to be
+    """
+
+  Scenario: API key of a a host can be rotated.
+    Then I run the code:
+    """
+    api_key = @host.rotate_api_key
+    Conjur::API.new_from_key("host/#{@host.id.identifier}", api_key).token
+    """