conjur-cli 4.26.0 → 4.27.0

data/acceptance-features/conjurenv/check.feature

@@ -0,0 +1,28 @@
+Feature: Check an environment
+
+  Background: 
+    Given I run `conjur variable create $ns/access_key ABCDEF`
+    And I run `conjur variable create $ns/secret_key XYZQWER`
+    And I run `conjur variable create $ns/ssh_private_key PRIVATE_KEY_BODY`
+    And I run `conjur user create -p alice@$ns` interactively
+    And I type "foobar"
+    And I type "foobar"
+    And the exit status should be 0
+    And I run `conjur resource permit variable:$ns/access_key user:alice@$ns execute`
+    And I run `conjur resource permit variable:$ns/secret_key user:alice@$ns execute`
+    And I run `conjur authn login -u alice@$ns` interactively
+    And I type "foobar"
+    And the exit status should be 0
+
+
+  Scenario: Check against permitted variables
+
+    When I run `conjur env check --yaml '{ aws_access_key: !var $ns/access_key , aws_secret_key: !var $ns/secret_key }'`
+    Then the exit status should be 0
+    And the stdout should contain "aws_access_key: available\naws_secret_key: available\n"
+
+  Scenario: Check against restricted variables
+    When I run `conjur env check --yaml '{ aws_access_key: !var $ns/access_key , ssh_private_key: !var $ns/ssh_private_key }'`
+    Then the exit status should be 1
+    And the stdout should contain "aws_access_key: available\nssh_private_key: unavailable\n"
+                                                 

data/acceptance-features/conjurenv/run.feature

@@ -0,0 +1,10 @@
+Feature: Run command in an environment populated from Conjur variables
+
+  Background: 
+    Given I run `conjur variable create $ns/access_key ABCDEF`
+    And I run `conjur variable create $ns/secret_key XYZQWER`
+
+  Scenario:
+    When I run `conjur env run --yaml '{ cloud_access_key: !var $ns/access_key , cloud_secret_key: !var $ns/secret_key }' -- printenv CLOUD_ACCESS_KEY CLOUD_SECRET_KEY`
+    Then the stdout should contain "ABCDEF\nXYZQWER"
+

data/acceptance-features/conjurenv/template.feature

@@ -0,0 +1,11 @@
+Feature: Embed values of Conjur variables into ERB template
+
+  Background: 
+    Given a file named "template.erb" with: 'aws credentials: [<%= conjurenv["aws_access_key"] %>, <%= conjurenv["aws_secret_key"] %>]'
+    And I run `conjur variable create $ns/access_key ABCDEF`
+    And I run `conjur variable create $ns/secret_key XYZQWER`
+
+  Scenario:
+    When I run `conjur env template --yaml '{ aws_access_key: !var $ns/access_key , aws_secret_key: !var $ns/secret_key }' template.erb `
+    Then it prints the path to temporary file which contains: 'aws credentials: [ABCDEF, XYZQWER]'
+

data/acceptance-features/directory/group/create.feature

@@ -0,0 +1,20 @@
+Feature: Create a group
+  
+  Scenario: Create a new group
+    When I successfully run `conjur group create $ns/ops`
+    Then the JSON response should have the following:
+      | id         |
+      | ownerid    |
+      | resource_identifier |
+      | roleid     |
+    And the JSON response at "id" should include "/ops"
+    
+  Scenario: Add a user to the group and show the list of members
+    Given I successfully run `conjur user create bob@$ns`
+    And I successfully run `conjur group create $ns/ops`
+    And I successfully run `conjur group members add $ns/ops user:bob@$ns`
+    When I successfully run `conjur group members list $ns/ops`
+    Then the JSON response should have 2 entries
+    And the JSON response at "0" should include "admin@"
+    And the JSON response at "1" should include "bob@"
+      

data/acceptance-features/directory/group/retire.feature

@@ -0,0 +1,54 @@
+Feature: Retire a group
+  Background:
+    When I successfully run `conjur group create $ns/ops`
+
+  Scenario: Basic retirement
+    Then I successfully run `conjur group retire -d user:attic@$ns $ns/ops`
+
+  Scenario: Retiring a non-existent thing propagates the 404
+    Then I run `conjur group retire -d user:attic@$ns $ns/foobar`
+    Then the exit status should be 1
+    And the stderr should contain "Resource Not Found"
+
+  Scenario: A foreign user can't retire a group
+    Given I login as a new user
+    And I run `conjur group retire -d user:attic@$ns $ns/ops`
+    Then the exit status should be 1
+    And the stderr should contain "You can't administer this record"
+
+  Scenario: Can't retire to a non-existant role
+    And I run `conjur group retire -d user:foobar $ns/ops`
+    Then the exit status should be 1
+    And the output should match /error: Destination role/
+    And the output should match /doesn't exist$/
+
+  Scenario: I can retire a group which I've granted to another group
+    Given I successfully run `conjur group create $ns/admin`
+    And I successfully run `conjur role grant_to group:$ns/ops group:$ns/admin`
+    Then I successfully run `conjur group retire -d user:attic@$ns $ns/ops`
+
+  Scenario: I can retire a group which I've given to a group that I can admin
+    Given I successfully run `conjur group create $ns/admin`
+    And I successfully run `conjur resource give group:$ns/ops group:$ns/admin`
+    Then I successfully run `conjur group retire -d user:attic@$ns $ns/ops`
+
+  Scenario: I can't retire a group if I can't admin the group's role
+    Given I successfully run `conjur group create $ns/admin`
+    And I successfully run `conjur role grant_to group:$ns/ops group:$ns/admin`
+    Given I create a new user named "alice@$ns"
+    And I successfully run `conjur group members add -a $ns/admin alice@$ns`
+    And I login as "alice@$ns"
+    And I run `conjur group retire -d user:attic@$ns $ns/ops`
+    Then the exit status should be 1
+    And the stderr should contain "You can't administer this record"
+
+  Scenario: I can't retire a group if I can't admin the group's record
+    Given I successfully run `conjur group create $ns/admin`
+    And I successfully run `conjur role grant_to -a group:$ns/ops group:$ns/admin`
+    Given I create a new user named "alice@$ns"
+    And I successfully run `conjur group members add -a $ns/admin alice@$ns`
+    And I login as "alice@$ns"
+    And I run `conjur group retire -d user:attic@$ns $ns/ops`
+    Then the exit status should be 1
+    And the stderr should contain "You don't own the record"
+    

data/acceptance-features/directory/host/create.feature

@@ -0,0 +1,23 @@
+Feature: Create a Host
+
+  Scenario: Create a host with automatically generated ID
+    When I successfully run `conjur host create`
+    And the JSON should have "api_key" 
+    And the JSON should have "id"
+
+  Scenario: Create a host with explicit ID
+    When I successfully run `conjur host create $ns.myhost.example.com`
+    And the JSON should have "api_key" 
+    And I keep the JSON response at "id" as "ID" 
+    Then the output should contain "myhost.example.com"
+  
+  Scenario: Create a host owned by the security_admin group
+    When I successfully run `conjur host create --as-group $ns/security_admin`
+    And I keep the JSON response at "ownerid" as "OWNERID"
+    Then the output should contain "/security_admin"
+  
+  Scenario: Host does not belong to any layers by default
+    When I successfully run `conjur host create $ns.myhost.example.com`
+    And I successfully run `conjur host layers $ns.myhost.example.com`
+    And the JSON should be []  
+     

data/acceptance-features/directory/host/retire.feature

@@ -0,0 +1,6 @@
+Feature: Retire a host
+  Background:
+    When I successfully run `conjur host create $ns/host`
+
+  Scenario: Basic retirement
+    Then I successfully run `conjur host retire -d user:attic@$ns $ns/host`

data/acceptance-features/directory/layer/create.feature

@@ -0,0 +1,10 @@
+Feature: Create a layer
+  
+  Scenario: Create a layer
+    When I successfully run `conjur layer create $ns/test_layer`
+    Then the JSON response at "id" should include "test_layer"
+    And the JSON response at "hosts" should be []
+  
+  Scenario: Create a layer owned by the security_admin group
+    When I successfully run `conjur layer create --as-group $ns/security_admin $ns/test_layer`
+    Then the JSON response at "ownerid" should include "security_admin"

data/acceptance-features/directory/layer/hosts-add.feature

@@ -0,0 +1,9 @@
+Feature: Add hosts to layer
+
+  Background:
+    Given I run `conjur layer create $ns/testlayer`
+    And I run `conjur host create $ns.example.com`
+    
+  Scenario: Add host to layer
+    When I successfully run `conjur layer hosts add $ns/testlayer $ns.example.com`
+    Then the output should contain "Host added"

data/acceptance-features/directory/layer/hosts-remove.feature

@@ -0,0 +1,10 @@
+Feature: Remove hosts from layer
+
+  Background:
+    Given I run `conjur layer create $ns/testlayer`
+    And I run `conjur host create $ns.example.com`
+    And I run `conjur layer hosts add $ns/testlayer $ns.example.com`
+    
+  Scenario: Remove host from layer
+    When I successfully run `conjur layer hosts remove $ns/testlayer $ns.example.com`
+    Then the output should contain "Host removed"

data/acceptance-features/directory/user/create.feature

@@ -0,0 +1,23 @@
+Feature: Create a User
+
+  Scenario: Create a passwordless user
+    When I successfully run `conjur user create alice-without-password@$ns`
+    And the JSON should have "api_key"
+ 
+  Scenario: Create a user with a password
+    When I run `conjur user create -p alice-with-password@$ns` interactively
+    And I type "foobar"
+    And I type "foobar"
+    Then the exit status should be 0
+    And the JSON should have "api_key"
+
+  Scenario: Create a user owned by the security_admin group
+    When I successfully run `conjur user create --as-group $ns/security_admin alice-without-password@$ns`
+    And I keep the JSON response at "ownerid" as "OWNERID"
+    Then the output should contain "/security_admin"
+ 
+  Scenario: Some characters are disallowed in user ids, such as /
+    When I run `conjur user create alice/$ns`
+    Then the exit status should be 1
+    And the stderr should contain "error: 403 Forbidden"
+    And the stdout should not contain anything

data/acceptance-features/directory/user/retire.feature

@@ -0,0 +1,6 @@
+Feature: Retire a user
+  Background:
+    When I successfully run `conjur user create --as-role user:admin@$ns alice@$ns`
+
+  Scenario: Basic retirement
+    Then I successfully run `conjur user retire -d user:attic@$ns alice@$ns`

data/acceptance-features/directory/user/update_password.feature

@@ -0,0 +1,16 @@
+Feature: Update the password of the logged-in user
+
+  Background:
+    Given I login as a new user
+
+  Scenario: A user can update her own password
+    And I run `conjur user update_password` interactively
+    Then I can type and confirm a new password
+
+  @announce
+  Scenario: The new password can be used to login
+    And I run `conjur user update_password` interactively
+    And I type and confirm a new password
+    And I run `conjur authn login alice@$ns` interactively
+    And I enter the password
+    Then the exit status should be 0

data/acceptance-features/directory/variable/create.feature

@@ -0,0 +1,14 @@
+Feature: create an empty variable
+
+  Background:
+    Given I successfully run `conjur variable create $ns/secret` 
+
+  Scenario: Variable is created and responds to metadata
+    When I run `conjur variable show $ns/secret`
+    Then the JSON should have "id"
+    And the JSON should have "ownerid"
+    And the JSON at "version_count" should be 0
+  
+  Scenario: Variable keeps no value
+    When I run `conjur variable value $ns/secret`
+    Then the exit status should be 1

data/acceptance-features/directory/variable/retire.feature

@@ -0,0 +1,17 @@
+Feature: Retire a variable
+  Background:
+    Given I successfully run `conjur variable create $ns/secret the-value` 
+
+  Scenario: Basic retirement
+    Then I successfully run `conjur variable retire -d user:attic@$ns $ns/secret`
+
+  Scenario: A foreign user can't retire a secret
+    Given I login as a new user
+    And I run `conjur variable retire -d user:attic@$ns $ns/secret`
+    Then the exit status should be 1
+    And the stderr should contain "You don't own the record"
+
+  Scenario: I can retire a variable which I've given to a group that I can admin
+    Given I successfully run `conjur group create $ns/admin`
+    And I successfully run `conjur resource give variable:$ns/secret group:$ns/admin`
+    Then I successfully run `conjur variable retire -d user:attic@$ns $ns/secret`

data/acceptance-features/directory/variable/value.feature

@@ -0,0 +1,13 @@
+Feature: Obtain value from variable
+
+  Background:
+    Given I successfully run `conjur variable create $ns/secret secretvalue` 
+    And I successfully run `conjur variable values add $ns/secret updatedvalue`
+
+  Scenario: Recent value is obtained by default
+    When I run `conjur variable value $ns/secret`
+    Then the output should match /updatedvalue$/
+  
+  Scenario: Previous values can be obtained by version
+    When I run `conjur variable value -v 1 $ns/secret`
+    Then the output should match /secretvalue$/

data/acceptance-features/directory/variable/values-add.feature

@@ -0,0 +1,12 @@
+Feature: Populate variable with values
+
+  Background:
+    Given I successfully run `conjur variable create $ns/secret initialvalue` 
+
+  Scenario: Value provided via command-line parameter
+    When I run `conjur variable values add $ns/secret secretvalue`
+    Then the output should contain "Value added"
+   
+  Scenario: Value provided via stdin
+    When I run `bash -c 'echo "secretvalue" | conjur variable values add $ns/secret'`
+    Then the output should contain "Value added"

data/acceptance-features/global-privilege/elevate.feature

@@ -0,0 +1,20 @@
+Feature: 'elevate' can be used to activate root-like privileges
+
+  Background:
+    Given I successfully run `conjur variable create $ns/secret secretvalue`
+    And I create a new user named "alice@$ns"
+    
+  Scenario: The secret value is not accessible without 'elevate' privilege
+    Given I login as "alice@$ns"
+    When I run `conjur variable value $ns/secret`
+    Then the exit status should be 1
+  
+  Scenario: 'elevate' can't be used without permission
+    Given I login as "alice@$ns"
+    When I run `conjur elevate variable show $ns/secret`
+    Then the exit status should be 1
+  
+  Scenario: The secret value is accessible with 'elevate' privilege
+    Given I successfully run `conjur resource permit '!:!:conjur' user:alice@$ns elevate`
+    And I login as "alice@$ns"
+    Then I successfully run `conjur elevate variable value $ns/secret`

data/acceptance-features/global-privilege/reveal.privilege

@@ -0,0 +1,20 @@
+Feature: 'reveal' can be used to see all records
+
+  Background:
+    Given I successfully run `conjur variable create $ns/secret secretvalue`
+    And I create a new user named "alice@$ns"
+    
+  Scenario: The secret value is not accessible without 'reveal' privilege
+    Given I login as "alice@$ns"
+    When I run `conjur variable show $ns/secret`
+    Then the exit status should be 1
+
+  Scenario: 'reveal' can't be used without permission
+    Given I login as "alice@$ns"
+    When I run `conjur reveal variable show $ns/secret`
+    Then the exit status should be 1
+  
+  Scenario: The secret value is accessible with 'reveal' privilege
+    Given I successfully run `conjur resource permit '!:!:conjur' user:alice@$ns reveal`
+    And I login as "alice@$ns"
+    Then I successfully run `conjur reveal variable show $ns/secret`

data/acceptance-features/pubkeys/add.feature

@@ -0,0 +1,20 @@
+Feature: Register a public key
+
+  Background:
+    Given I successfully run `conjur user create alice@$ns`
+    And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
+
+  Scenario: Register a public key file for a user
+    When I run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
+    Then the exit status should be 0
+
+  Scenario: You can't accidentally register the private key
+    When I run `conjur pubkeys add alice@$ns @id_alice_$ns`
+    Then the exit status should be 1
+    And the stderr from "conjur pubkeys add alice@$ns @id_alice_$ns" should contain "Unprocessable Entity"
+
+  Scenario: Unauthorized users cannot modify public keys
+    Given I login as new user "bob@$ns"
+    And I run `conjur pubkeys add alice@$ns @id_alice_$ns.pub` 
+    Then the exit status should be 1
+    And the stderr from "conjur pubkeys add alice@$ns @id_alice_$ns.pub" should contain "Forbidden"

data/acceptance-features/pubkeys/delete.feature

@@ -0,0 +1,9 @@
+Feature: Remove a public key
+
+  Background:
+    Given I successfully run `conjur user create alice@$ns`
+    And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
+
+  Scenario: To remove a public key, use the user's login name and the key name (-C option to ssh-keygen)
+    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
+    Then I successfully run `conjur pubkeys delete alice@$ns laptop`

data/acceptance-features/pubkeys/names.feature

@@ -0,0 +1,23 @@
+Feature: List known public key names for a user
+
+  Background:
+    Given I successfully run `conjur user create alice@$ns`
+    And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
+
+  Scenario: Initial key names list is empty
+    When I run `conjur pubkeys names alice@$ns`
+    Then the stdout from "conjur pubkeys names alice@$ns" should contain exactly ""
+
+  Scenario: After adding a key, the key name is shown
+    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
+    And I run `conjur pubkeys names alice@$ns`
+    Then the stdout from "conjur pubkeys names alice@$ns" should contain exactly:
+    """
+    laptop\n
+    """
+
+  Scenario: After deleting the key, the key names list is empty again
+    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
+    And I successfully run `conjur pubkeys delete alice@$ns laptop`
+    And I run `conjur pubkeys names alice@$ns`
+    Then the stdout from "conjur pubkeys names alice@$ns" should contain exactly ""

data/acceptance-features/pubkeys/show.feature

@@ -0,0 +1,25 @@
+Feature: Show public keys for a user
+
+  Background:
+    Given I successfully run `conjur user create alice@$ns`
+    And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
+
+  Scenario: Initial key list is empty
+    When I run `conjur pubkeys show alice@$ns`
+    Then the stdout from "conjur pubkeys show alice@$ns" should contain exactly "\n"
+
+  Scenario: After adding a key, the key is shown
+    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
+    And I run `conjur pubkeys show alice@$ns`
+    And the output should match /^ssh-rsa .* laptop$/
+
+  Scenario: After deleting the key, the key list is empty again
+    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
+    And I successfully run `conjur pubkeys delete alice@$ns laptop`
+    And I run `conjur pubkeys show alice@$ns`
+    Then the stdout from "conjur pubkeys show alice@$ns" should contain exactly "\n"
+
+  Scenario: Public keys can be listed using cURL, without authentication
+    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
+    When I successfully run `curl -k $pubkeys_url/alice@$ns`
+    Then the output should match /^ssh-rsa .* laptop$/

data/acceptance-features/step_definitions/cli.rb

@@ -0,0 +1,21 @@
+Then /^I show the output$/ do
+  puts all_output
+end
+
+# this is step copypasted from https://github.com/cucumber/aruba/blob/master/lib/aruba/cucumber.rb#L24 
+# original has typo in regexp, which is fixed here
+Given(/^a file named "([^"]*?)" with: '(.*?)'$/) do |file_name, file_content|
+  file_content.gsub!('$ns',@namespace)
+  write_file(file_name, file_content)
+end
+
+Given(/^a file named "([^"]*?)" with namespace substitution:$/) do |file_name, file_content|
+  step "a file named \"#{file_name}\" with:", file_content.gsub('$ns',@namespace)
+end
+
+Then /^it prints the path to temporary file which contains: '(.*)'$/ do |content|
+  filename = all_output.split("\n").last
+  tempfiles << filename
+  actual_content=File.read(filename) rescue ""
+  expect(actual_content).to match(content)
+end

data/acceptance-features/step_definitions/graph_steps.rb

@@ -0,0 +1,22 @@
+
+Given /^a graph with edges$/ do |table|
+  graph table.raw
+end
+
+Then %r{^the graph JSON should be:$} do |json|
+  json = expand_roles json
+  last_graph = extract_filtered_graph json
+  expect(last_graph.to_json).to be_json_eql(json)
+end
+
+When(/^I( successfully)? run with role expansion "(.*)"$/) do |successfully, cmd|
+  role_id_map.each do |role, expanded_role|
+    cmd.gsub! role, expanded_role
+  end
+  self.last_cmd = cmd
+  if successfully
+    step "I successfully run `#{cmd}`"
+  else
+    step "I run `#{cmd}`"
+  end
+end

data/acceptance-features/step_definitions/user_steps.rb

@@ -0,0 +1,54 @@
+Given(/^I login as a new user$/) do
+  @username_index ||= 0
+  username = %w(alice bob charles dave edward)[@username_index]
+  raise "I'm out of usernames!" unless username
+  @username_index += 1
+  @username = "#{username}@$ns"
+  step %Q(I login as new user "#{@username}")
+end
+
+Given(/^I create a new user named "(.*?)"$/) do |username|
+  username_ns = username.gsub('$ns',@namespace)
+  password = find_or_create_password(username_ns)
+ 
+  step "I run `conjur user create --as-role user:admin@#{@namespace} -p #{username_ns}` interactively"
+  step %Q(I type "#{password}")
+  step %Q(I type "#{password}")
+  step "the exit status should be 0"
+end
+
+Given(/^I create a new host with id "(.*?)"$/) do |hostid|
+  step "I successfully run `conjur host create #{@namespace}/monitoring/server`"
+  step 'I keep the JSON response at "api_key" as "API_KEY"'
+  step 'I keep the JSON response at "id" as "HOST_ID"'
+end
+
+Given(/^I login as a new host/) do
+  step "I run `conjur authn login -u host/%{HOST_ID} -p %{API_KEY}` interactively"
+  step "the exit status should be 0"
+end
+
+Given(/^I login as new user "(.*?)"$/) do |username|
+  username_ns = username.gsub('$ns',@namespace)
+  step %Q(I create a new user named "#{username_ns}")
+  step %Q(I login as "#{username_ns}")
+end
+
+Given(/^I login as "(.*?)"$/) do |username|
+  username_ns = username.gsub('$ns',@namespace)
+  password = find_or_create_password(username_ns)
+  
+  Conjur::Authn.save_credentials username: username_ns, password: password
+end
+
+Then(/^I(?: can)? type and confirm a new password/) do
+  @password = SecureRandom.hex(12)
+  step %Q(I type "#{@password}")
+  step %Q(I type "#{@password}")
+  step "the exit status should be 0"
+end
+
+When(/^I enter the password/) do
+  raise "No current password" unless @password
+  step %Q(I type "#{@password}")
+end

data/acceptance-features/support/env.rb

@@ -0,0 +1,5 @@
+require "aruba/cucumber"
+require "json_spec/cucumber"
+require "conjur-asset-audit-send"
+
+$LOAD_PATH.unshift File.expand_path('../..', File.dirname(__FILE__))