conjur-cli 4.22.0 → 4.23.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3327a3212d116f7989090b9a1aed6de2f202b698
-  data.tar.gz: 37954aa133694126b93021e5d57d7d90f8f15927
+  metadata.gz: cf3b61260f8129d53e15aaca659af65769bdd729
+  data.tar.gz: b40c45ae844b63e70d1975b2fc2934806562a8b3
 SHA512:
-  metadata.gz: e0855d2122e2af07cf868cb1da21f6e6426c2fa5e7c6f05d9a23528f6d7abcd73458b3d831377153275d0bdd39b65b566f2c8cde8d3a301b938ef20daa989676
-  data.tar.gz: bc1675b9fca3d60bf3ac5dfcb007649a872e370b441a41c4ede7294f5ab5fad1cf92a2adf605c92664d1164b634ba645da0d35c3bc2bebc2919f5d0253bedfbc
+  metadata.gz: 0105965b5726d5449fe576a034f7b4f90627d0277d44d9f7c5f95744052fe9a012a037d28ca70f1ba1deef793a5aa0c71bcf9546e221769348aaca60faf37a29
+  data.tar.gz: d0b1bd9f7f6b094bc846439914d4fbcb852b6b3d6a20a195dd24bc7f2bc6e69b781c4494d3def7d51d188620aabf7432d668fd6c1bd5c51bcdf9ad16d1df8fbb

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+# Unreleased
+
+# 4.23.0
+
+* Don't check if netrc is world-readable on Windows, since the answer is not reliable
+* Use new [conjur](https://supermarket.chef.io/cookbooks/conjur) cookbook for conjurize
+* Fix faulty initialization of plugins list, if it's nil, in the .conjurrc
+* Log DSL commands to stderr, even if CONJURAPI_LOG is not explicitly configured
+* In policy DSL, allow creation of records without an explicit `id`. In this case, the current scope is used as the `id`.
+
 # 4.22.0
 
 * New 'plugin' subcommand to manage CLI plugins

data/features/conjurize.feature

@@ -112,7 +112,7 @@ curl -L https://www.opscode.com/chef/install.sh | bash
 """
     And the output should match:
     """
-    chef-solo -r https:\/\/github.com\/conjur-cookbooks\/conjur-ssh\/releases\/download/v\d\.\d\.\d/conjur-ssh-v\d\.\d\.\d.tar.gz -o conjur-ssh
+    chef-solo -r https:\/\/github.com\/conjur-cookbooks\/conjur\/releases\/download/v\d\.\d\.\d/conjur-v\d\.\d\.\d.tar.gz -o conjur
     """
 
   Scenario: conjurize with arbitrary cookbook

data/lib/conjur/authn.rb

@@ -66,7 +66,7 @@ module Conjur::Authn
       else
         path = Netrc.default_path
       end
-      fail "netrc (#{path}) shouldn't be world-readable" if File.world_readable?(path)
+      fail_if_world_readable path
       Netrc.read(*args)
     end
     
@@ -126,5 +126,18 @@ module Conjur::Authn
       end
       cls.new_from_key(*get_credentials(options))
     end
+    
+    protected
+    
+    def fail_if_world_readable path
+      if !windows? && File.world_readable?(path)
+        fail "netrc (#{path}) shouldn't be world-readable" 
+      end
+    end
+    
+    # see http://stackoverflow.com/questions/4871309/what-is-the-correct-way-to-detect-if-ruby-is-running-on-windows
+    def windows?
+      RbConfig::CONFIG["host_os"] =~ /mswin|mingw|cygwin/
+    end
   end
 end

data/lib/conjur/command/dsl_command.rb

@@ -21,10 +21,9 @@
 
 class Conjur::DSLCommand < Conjur::Command
   class << self
-    def file_or_stdin_arg(args)
-    end
-
     def run_script(args, options, &block)
+      Conjur.log = "stderr"
+
       filename = nil
       script = if script = args.pop
         filename = script

data/lib/conjur/command/plugin.rb

@@ -126,7 +126,7 @@ def modify_plugin_list(op, plugin_name)
       config_exists = true
       config = YAML.load(IO.read(f)).stringify_keys rescue {}
 
-      config['plugins'] ||= {}
+      config['plugins'] ||= []
       config['plugins'] += [plugin_name] if op == 'add'
       config['plugins'] -= [plugin_name] if op == 'remove'
       config['plugins'].uniq!

data/lib/conjur/config.rb

@@ -87,14 +87,14 @@ module Conjur
         end
 
         if Conjur.log
-          begin
-            require 'conjur/api'
-            Conjur.log << "Using authn host #{Conjur::Authn::API.host}\n"
+          require 'conjur/api'
+          host = begin
+            Conjur::Authn::API.host
           rescue RuntimeError
-            if $!.message == "Missing required option account"
-              $stderr.puts "Your config is invalid, did you run 'conjur init'?"
-            end
-            raise $!
+            nil
+          end
+          if host
+            Conjur.log << "Using authn host #{Conjur::Authn::API.host}\n"
           end
         end
 

data/lib/conjur/conjurize.rb

@@ -3,11 +3,11 @@ require 'json'
 require 'open-uri'
 require 'conjur/version.rb'
 
-def latest_conjur_ssh_release
-  url = 'https://api.github.com/repos/conjur-cookbooks/conjur-ssh/releases'
+def latest_conjur_release
+  url = 'https://api.github.com/repos/conjur-cookbooks/conjur/releases'
   resp = open(url)
   json = JSON.parse(resp.read)
-  latest = json[0]['assets'].select {|asset| asset['name'] =~ /conjur-ssh-v\d.\d.\d.tar.gz/}[0]
+  latest = json[0]['assets'].select {|asset| asset['name'] =~ /conjur-v\d.\d.\d.tar.gz/}[0]
   latest['browser_download_url']
 end
 
@@ -51,8 +51,8 @@ DESC
       chef_executable = options[:"chef-executable"]
 
       if options[:ssh]
-        conjur_run_list ||= "conjur-ssh"
-        conjur_cookbook_url ||= latest_conjur_ssh_release()
+        conjur_run_list ||= "conjur"
+        conjur_cookbook_url ||= latest_conjur_release()
       end
 
       sudo = lambda{|str|

data/lib/conjur/dsl/runner.rb

@@ -112,12 +112,12 @@ module Conjur
         instance_eval(*args)
       end
       
-      def resource kind, id, options = {}, &block
+      def resource kind, id = nil, options = {}, &block
         id = full_resource_id([kind, qualify_id(id, kind) ].join(':'))
         find_or_create :resource, id, options, &block
       end
       
-      def role kind, id, options = {}, &block
+      def role kind, id = nil, options = {}, &block
         id = full_resource_id([ kind, qualify_id(id, kind) ].join(':'))
         find_or_create :role, id, options, &block
       end
@@ -146,11 +146,12 @@ module Conjur
       protected
       
       def qualify_id id, kind
-        if id[0] == "/"
+        if id && id[0] == "/"
           id[1..-1]
         else
           case kind.to_sym
           when :user
+            raise "User id is required" unless id
             [ id, current_user_scope ].compact.join('@')
           else
             [ current_scope, id ].compact.join('/')
@@ -175,6 +176,11 @@ module Conjur
           lambda { args.length == 1 },
           lambda { args.length == 2 && args[1].is_a?(Hash) }
         ]
+        if current_scope
+          # If there is a scope, it's valid to create a record without an id, because the
+          # scope name will be used as the id.
+          valid_prototypes << lambda { args.length == 0 }
+        end
         !valid_prototypes.find{|p| p.call}.nil?      
       end
       
@@ -213,7 +219,7 @@ module Conjur
       
       def do_object obj, &block
         begin
-          api_keys[obj.roleid] = obj.api_key if obj.api_key 
+          api_keys[obj.roleid] = obj.api_key if obj.respond_to?(:api_key) && obj.api_key 
         rescue
         end
         

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.22.0"
+  VERSION = "4.23.0"
   ::Version=VERSION
 end

data/spec/authn_spec.rb

@@ -27,26 +27,54 @@ describe Conjur::Authn do
       Conjur::Authn.get_credentials
     end
   end
-
+  
   describe "netrc" do
-    let(:netrc) { nil }
-    before do
-      allow(Conjur::Config).to receive(:[]).with(:netrc_path).and_return path
-    end
-
-    context "with specified netrc_path" do
-      let(:path) { "/a/dummy/netrc/path" }
-      it "consults Conjur::Config for netrc_path" do
-        expect(Netrc).to receive(:read).with(path).and_return netrc = double("netrc")
-        expect(Conjur::Authn.netrc).to eq(netrc)
+    describe "fail_if_world_readable" do
+      let(:path) { "the-path" }
+      around { |example|
+        host_os = RbConfig::CONFIG["host_os"]
+        RbConfig::CONFIG["host_os"] = os
+        begin
+          example.run
+        ensure 
+          RbConfig::CONFIG["host_os"] = host_os
+        end
+      }
+      context "on Windows" do
+        let(:os) { "mswin" }
+        it "bypasses the readability check" do
+          Conjur::Authn.send :fail_if_world_readable, path
+        end
+      end
+      context "on Linux" do
+        let(:os) { "linux" }
+        it "raises an error if the file is world readable" do
+          expect(File).to receive(:world_readable?).with(path).and_return(true)
+          expect { Conjur::Authn.send :fail_if_world_readable, path }.to raise_error("netrc (the-path) shouldn't be world-readable")
+        end
       end
     end
 
-    context "without specified netrc_path" do
-      let(:path) { nil }
-      it "uses default netrc path" do
-        expect(Netrc).to receive(:read).with(no_args).and_return netrc = double("netrc")
-        expect(Conjur::Authn.netrc).to eq(netrc)
+    context "loading" do
+      let(:netrc) { nil }
+      before do
+        allow(Conjur::Config).to receive(:[]).with(:netrc_path).and_return path
+      end
+      
+      context "with specified netrc_path" do
+        let(:path) { "/a/dummy/netrc/path" }
+        it "consults Conjur::Config for netrc_path" do
+          expect(Netrc).to receive(:read).with(path).and_return netrc = double("netrc")
+          expect(Conjur::Authn.netrc).to eq(netrc)
+        end
+      end
+  
+      context "without specified netrc_path" do
+        let(:path) { nil }
+        it "uses default netrc path" do
+          expect(Netrc).to receive(:read).with(no_args).and_return netrc = double("netrc")
+          expect(Conjur::Authn.netrc).to eq(netrc)
+        end
       end
     end
   end

data/spec/config_spec.rb

@@ -114,7 +114,7 @@ describe Conjur::Config do
     }
 
     context "ssl_certificate string" do
-      let(:ssl_certificate){ 'the certificate' }
+      let(:ssl_certificate){ 'the-certificate' }
       let(:certificate){ double('Certificate') }
       before{
           Conjur::Config.class_variable_set('@@attributes', {'ssl_certificate' => ssl_certificate})

data/spec/dsl/runner_spec.rb

@@ -6,63 +6,88 @@ describe Conjur::DSL::Runner, logged_in: true do
 
   let(:filename) { nil }
   let(:runner) { Conjur::DSL::Runner.new script, filename }
-  let(:script) { "user 'alice'" }
-  let(:alice) {
-    Conjur::User.new("alice").tap do |user|
-      user.attributes = { "api_key" => "the-api-key" }    
-    end
-  }
   before {
     allow(Conjur).to receive(:account).and_return "the-account"
     allow(runner).to receive(:api).and_return api
   }
-  it "should populate the root ownerid" do
-    expect(api).to receive(:user).with("alice").and_return double("alice-exists", exists?: false)
-    expect(api).to receive(:create_user).with(id: "alice", ownerid: "user:bob").and_return alice
-    
-    runner.owner = "user:bob"
-    runner.execute
-  end
-  it "should store the api_key in the context keyed by roleid" do
-    expect(api).to receive(:user).with("alice").and_return double("alice-exists", exists?: false)
-    expect(api).to receive(:create_user).with(id: "alice").and_return alice
-    
-    runner.execute
-    
-    expect(runner.context['api_keys']).to eq({
-      "the-account:user:alice" => "the-api-key"
-    })
-  end
-
-  it "doesn't store default env and stack in context" do
-    expect(runner.context).to_not have_key 'env'
-    expect(runner.context).to_not have_key 'stack'
-  end
-
-  context "with non-default stack and env" do
-    let(:runner) do
-      Conjur::Config.merge env: 'baz', stack: 'bar'
-      Conjur::Config.apply
-      Conjur::DSL::Runner.new '', nil
+  context "nil record ids" do
+    subject { runner.execute }
+    context "creating a user" do
+      let(:script) { "user" }
+      it "isn't allowed" do
+        expect{ subject }.to raise_error
+      end
     end
-
-    it "stores them in context" do
-      expect(runner.context['env']).to eq 'baz'
-      expect(runner.context['stack']).to eq 'bar'
+    context "creating a resource" do
+      let(:script) { "scope 'kitchen' do; resource 'food'; end" }
+      it "creates resource with id matching the scope" do
+        expect(api).to receive(:resource).with("the-account:food:kitchen").and_return double("kitchen-exists", :exists? => true)
+        subject
+      end
+    end
+    context "creating a layer" do
+      let(:script) { "scope 'kitchen' do; layer; end" }
+      it "creates layer with id matching the scope" do
+        expect(api).to receive(:layer).with("kitchen").and_return double("kitchen-exists", :exists? => true)
+        subject
+      end
     end
   end
-
-  context "with appliance url" do
-    let(:appliance_url) { "https://conjur.example.com/api" }
-    let(:runner) do
-      Conjur::Config.merge appliance_url: appliance_url
-      Conjur::Config.apply
+  context "creating user:alice" do
+    let(:script) { "user 'alice'" }
+    let(:alice) {
+      Conjur::User.new("alice").tap do |user|
+        user.attributes = { "api_key" => "the-api-key" }    
+      end
+    }
+    it "should populate the root ownerid" do
+      expect(api).to receive(:user).with("alice").and_return double("alice-exists", exists?: false)
+      expect(api).to receive(:create_user).with(id: "alice", ownerid: "user:bob").and_return alice
       
-      Conjur::DSL::Runner.new '', nil
+      runner.owner = "user:bob"
+      runner.execute
     end
-
-    it "stores appliance url in the context" do
-      expect(runner.context['appliance_url']).to eq appliance_url
+    it "should store the api_key in the context keyed by roleid" do
+      expect(api).to receive(:user).with("alice").and_return double("alice-exists", exists?: false)
+      expect(api).to receive(:create_user).with(id: "alice").and_return alice
+      
+      runner.execute
+      
+      expect(runner.context['api_keys']).to eq({
+        "the-account:user:alice" => "the-api-key"
+      })
+    end
+  
+    it "doesn't store default env and stack in context" do
+      expect(runner.context).to_not have_key 'env'
+      expect(runner.context).to_not have_key 'stack'
+    end
+  
+    context "with non-default stack and env" do
+      let(:runner) do
+        Conjur::Config.merge env: 'baz', stack: 'bar'
+        Conjur::Config.apply
+        Conjur::DSL::Runner.new '', nil
+      end
+  
+      it "stores them in context" do
+        expect(runner.context['env']).to eq 'baz'
+        expect(runner.context['stack']).to eq 'bar'
+      end
+    end
+  
+    context "with appliance url" do
+      let(:appliance_url) { "https://conjur.example.com/api" }
+      let(:runner) do
+        Conjur::Config.merge appliance_url: appliance_url
+        Conjur::Config.apply
+        
+        Conjur::DSL::Runner.new '', nil
+      end
+  
+      it "stores appliance url in the context" do
+        expect(runner.context['appliance_url']).to eq appliance_url
+      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 4.22.0
+  version: 4.23.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-28 00:00:00.000000000 Z
+date: 2015-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport