conjur-cli 4.26.0 → 4.27.0

data/acceptance-features/support/hooks.rb

@@ -0,0 +1,179 @@
+
+require 'conjur/api'
+require 'conjur/cli'
+require 'conjur/authn'
+
+netrc = Conjur::Authn.netrc
+username, password = Conjur::Authn.get_credentials
+raise "Not logged in to Conjur" unless username && password
+puts "Logging in as #{username}"
+
+# Future Aruba
+#Aruba.configure do |config|
+#  config.exit_timeout = 15
+#end
+
+Before('@conjurapi-log') do
+  set_env 'CONJURAPI_LOG', 'stderr'
+end
+
+Before do
+  Conjur::Authn.save_credentials username: username, password: password
+  
+  @admin_api = conjur_api = Conjur::Authn.connect
+  
+  @namespace = conjur_api.create_variable("text/plain", "id").id
+  user = conjur_api.create_user "admin@#{@namespace}", ownerid: "#{Conjur.configuration.account}:user:#{username}"
+
+  netrc[Conjur::Authn.host] = [ "admin@#{@namespace}", user.api_key ]
+  netrc.save
+
+  conjur_api = Conjur::Authn.connect
+  @security_admin = conjur_api.create_group [ @namespace, "security_admin" ].join('/')
+  @security_admin.add_member user, admin_option: true
+  
+  JsonSpec.memorize "MY_ROLEID", %Q("#{user.roleid}")
+  
+  @admin_api.group("pubkeys-1.0/key-managers").add_member @security_admin
+  @admin_api.resource('!:!:conjur').permit 'elevate', user, grant_option: true
+  @admin_api.resource('!:!:conjur').permit 'reveal',  user, grant_option: true
+  
+  conjur_api.create_user "attic@#{@namespace}"
+  
+  @aruba_timeout_seconds = 30
+end
+
+After do
+  if @admin_api
+    @admin_api.group("pubkeys-1.0/key-managers").remove_member @security_admin
+  end
+  tempfiles.each { |tempfile| File.unlink(tempfile) unless tempfile.nil? }
+end
+
+at_exit do
+  Conjur::Authn.save_credentials username: username, password: password
+end
+
+require 'ostruct'
+
+class MockAPI
+  attr_reader :things
+
+  def initialize
+    @things = {}
+  end
+
+  def thing(kind, id)
+    (@things[kind.to_sym] || []).find{|r| r.id == id}
+  end
+
+  def thing_like(kind, id_pattern)
+    (@things[kind.to_sym] || []).find{|r| id_pattern.match(r.id)}
+  end
+
+  def create_host(options = {})
+    id = options.delete(:id)
+    if id
+      host = thing(:host, id)
+    else
+      id = SecureRandom.uuid
+    end
+    host ||= create_thing(:host, id, options, role: true, api_key: true)
+  end
+
+  def create_user(id, options = {})
+    thing(:user, id) || create_thing(:user, id, options, role: true, api_key: true)
+  end
+
+  def create_variable(mime_type, kind)
+    create_thing(:user, SecureRandom.uuid, mime_type: mime_type, kind: kind)
+  end
+
+  def create_resource(id, options = {})
+    resource(id).tap do |resource|
+      resource.send(:"exists?=", true)
+      populate_options resource, options
+    end
+  end
+
+  def create_role(id, options = {})
+    role(id).tap do |role|
+      role.send(:"exists?=", true)
+      populate_options role, options
+    end
+  end
+
+  [ :user, :host ].each do |kind|
+    define_method kind do |id|
+      thing(kind, id)
+    end
+  end
+
+  def role(id)
+    raise "Role id must be a string" unless id.is_a?(String)
+    thing(:role, id) || create_thing(:role, id, { exists?: false }, role: true)
+  end
+
+  def resource(id)
+    raise "Resource id must be a string" unless id.is_a?(String)
+    thing(:resource, id) || create_thing(:resource, id, exists?: false)
+  end
+
+  protected
+
+  def create_thing(kind, id, options, kind_options = {})
+    thing = OpenStruct.new(kind: kind, id: id, exists?: true)
+
+    class << thing
+      def permit(privilege, role, options = {})
+        (self.permissions ||= []) << OpenStruct.new(privilege: privilege, role: role.id, grant_option: !!options[:grant_option])
+      end
+    end
+
+    if kind_options[:api_key]
+      thing.api_key = SecureRandom.uuid
+    end
+    if kind_options[:role]
+      thing.roleid = id
+      class << thing
+        def can(privilege, resource, options = {})
+          resource.permit privilege, self, options
+        end
+      end
+    end
+
+    populate_options(thing, options)
+
+    store_thing kind, thing
+
+    thing
+  end
+
+  def populate_options(thing, options)
+    options.each do |k,v|
+      thing.send("#{k}=", v)
+    end
+  end
+
+  def store_thing(kind, thing)
+    (things[kind] ||= []) << thing
+  end
+end
+
+Before("@dsl") do
+  puts "Using MockAPI"
+  puts "Using account 'cucumber'"
+
+  require 'conjur/api'
+  require 'conjur/config'
+  require 'conjur/dsl/runner'
+
+  Conjur.stub(:env).and_return "ci"
+  Conjur.stub(:stack).and_return "ci"
+  Conjur.stub(:account).and_return "cucumber"
+
+  Conjur::Core::API.stub(:conjur_account).and_return 'cucumber'
+  @mock_api ||= MockAPI.new
+  Conjur::DSL::Runner.any_instance.stub(:api).and_return @mock_api
+end
+

data/acceptance-features/support/world.rb

@@ -0,0 +1,153 @@
+require 'aruba/api'
+require 'conjur/api'
+
+module ConjurCLIWorld
+  include Aruba::Api
+  
+  def last_json
+    stdout_from(@last_cmd)
+  end
+  
+  def find_or_create_password(username)
+    @passwords ||= {}
+    unless password = @passwords[username] 
+      password = @passwords[username] = SecureRandom.hex(12)
+    end
+    password
+  end
+
+  def namespace
+    @namespace or raise "@namespace is not initialized"
+  end
+  
+  # Aruba's method
+  def run(cmd, *args)
+    # it's a thunk now so it should be returned. puts can be added back as block if we want to
+    super process_cmd(cmd), *args
+
+    #puts stderr_from(cmd)
+    #puts stdout_from(cmd)
+  end 
+
+  def stderr_from(cmd)
+    super process_cmd(cmd)
+  end
+  def stdout_from(cmd)
+    super process_cmd(cmd)
+  end 
+  def output_from(cmd)
+    super process_cmd(cmd)
+  end
+  
+  # Substitute the namespace for marker $ns
+  def unescape(string)
+    string = super
+    string.gsub("$ns", namespace)
+  end
+  
+  def get_process(wanted)
+    super wanted.gsub("$ns", namespace)
+  end
+
+  def tempfiles 
+    @tempfiles||=[]
+  end       
+ 
+  protected
+  
+  def process_cmd(cmd)
+    cmd = cmd.dup
+    cmd.gsub!("$ns", namespace)
+    cmd.gsub!("$pubkeys_url", Conjur.configuration.pubkeys_url)
+    
+    @last_cmd = cmd
+    JsonSpec.memory.each do |k,v|
+      cmd.gsub!("%{#{k}}", v)
+    end
+    cmd
+  end
+end
+
+module ConjurWorld
+  def last_json
+    last_stdout
+  end
+
+  def last_stdout
+    raise "No commands have been run" unless last_cmd
+    stdout_from last_cmd
+  end
+
+  attr_accessor :last_cmd
+
+  def account
+    Conjur::Core::API.conjur_account
+  end
+
+  def role_kind
+    @role_kind ||= "cli-cukes"
+  end
+
+  def role_id_map
+    @role_id_map ||= {}
+  end
+
+  def extract_filtered_graph json
+    graph = JSON.parse(json.to_s)
+    case graph
+      when Hash then filter_hash_graph(graph)
+      when Array then filter_array_graph(graph)
+      else raise "WTF: graph was #{graph.class}?"
+    end
+  end
+
+  def filter_hash_graph graph
+    allowed = role_id_map.values
+    edges = graph['graph']
+    filtered = edges.select do |edge|
+      allowed.member?(edge['parent']) and allowed.member?(edge['child'])
+    end
+    {'graph' => filtered}
+  end
+
+  def filter_array_graph graph
+    allowed = role_id_map.values
+    graph.select do |edge|
+      edge.all?{|v| allowed.member?(v)}
+    end
+  end
+
+  def graph edges
+    # generate roles
+    edges.flatten.uniq.each do |role_id|
+      role_id_map[role_id] = expanded = expand_role_id(role_id)
+      run_command "conjur role create '#{expanded}'"
+    end
+
+    # generate memberships
+    edges.each do |parent, child|
+      run_command "conjur role grant_to #{expand_role_id(parent)} #{expand_role_id(child)}"
+    end
+  end
+
+  def run_command cmd
+    step "I successfully run " + '`' + cmd + '`'
+  end
+
+  def expand_role_id role_id
+    "#{account}:#{role_kind}:#{prepend_namespace role_id}"
+  end
+
+  def prepend_namespace id
+    "#{namespace}-#{id}"
+  end
+
+  def expand_roles string
+    role_id_map.each do |role, expanded|
+      string.gsub! role, expanded
+    end
+    string
+  end
+end
+
+World(ConjurWorld, ConjurCLIWorld)

data/conjur.gemspec

@@ -17,7 +17,7 @@ Gem::Specification.new do |gem|
 
 
   gem.add_dependency 'activesupport'
-  gem.add_dependency 'conjur-api', '~> 4.16'
+  gem.add_dependency 'conjur-api', '~> 4.19'
   gem.add_dependency 'gli', '>=2.8.0'
   gem.add_dependency 'highline'
   gem.add_dependency 'netrc', '~> 0.10.2'
@@ -35,4 +35,7 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'rake', '~> 10.0'
   gem.add_development_dependency 'io-grab', '~> 0.0.1'
   gem.add_development_dependency 'json_spec'
+  # For cukes
+  gem.add_development_dependency 'conjur-asset-audit-send'
+  gem.add_development_dependency 'conjur-asset-host-factory'
 end

data/features/step_definitions/graph_steps.rb

@@ -14,8 +14,8 @@ When(/^I( successfully)? run with role expansion "(.*)"$/) do |successfully, cmd
   end
   self.last_cmd = cmd
   if successfully
-    step "I successfully run \"#{cmd}\""
+    step "I successfully run `#{cmd}`"
   else
-    step "I run \"#{cmd}\""
+    step "I run `#{cmd}`"
   end
 end

data/features/support/hooks.rb

@@ -122,11 +122,7 @@ Before("@dsl") do
 end
 
 Before('@real-api') do
-  require 'conjur/config'
-  cfg = File.absolute_path("#{File.dirname __FILE__}/../../.conjurrc")
-  puts "cfg_path = #{cfg}"
-  puts "contents = #{File.read(cfg)}"
-  Conjur::Config.load([cfg])
+  Conjur::Config.load
   Conjur::Config.apply
   @aruba_timeout_seconds = 15
 end

data/lib/conjur/cli.rb

@@ -63,7 +63,7 @@ module Conjur
       # do too much effort, and GLIs support for aliasing doesn't work out so well with
       # subcommands.
       def run args
-       args = args.shift.split(':') + args unless args.empty?
+        args = args.shift.split(':') + args unless args.empty?
         super args
       end
 

data/lib/conjur/command/bootstrap.rb

@@ -49,6 +49,8 @@ class Conjur::Command::Bootstrap < Conjur::Command
   # The admin user will always satisfy these conditions, unless they are revoked for some reason.
   # Other users created by the bootstrap command will (typically) also have these powers.
   def self.security_admin_manager? api
+    return true if elevated?
+    
     username = api.username
     user = if username.index('/')
       nil
@@ -116,7 +118,6 @@ class Conjur::Command::Bootstrap < Conjur::Command
         puts "User created"
         puts "Making '#{username}' a member and admin of group 'security_admin'"
         security_admin.add_member user, admin_option: true
-        security_admin.resource.permit "read", user
         puts "Adminship granted"
       end
       
@@ -139,4 +140,4 @@ class Conjur::Command::Bootstrap < Conjur::Command
       end
     end
   end
-end
+end

data/lib/conjur/command/elevate.rb

@@ -0,0 +1,76 @@
+#
+# Copyright (C) 2015 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+# Implement privileged modes such as 'elevate' and 'reveal'
+class Conjur::Command::Elevate < Conjur::DSLCommand
+  
+  def self.subcommand args
+    code = Conjur::CLI.run args
+    raise GLI::CustomExit.new("Subcommand failed", code) unless code == 0
+  end
+  
+  desc "Run a sub-command with elevated privileges"
+  long_desc <<-DESC
+If you are allowed to do this by the Conjur server, all server-side permission checks will be bypassed and any
+action will be allowed.
+
+To be able to run this command, you must have the 'elevate' privilege on the resource '!:!:conjur'.
+
+EXAMPLE
+
+Force retirement of a user:
+
+$ conjur elevate user retire alice
+  DESC
+  command :elevate do |c|
+    c.action do |global_options,options,args|
+      exit_now! "Subcommand is required" if args.empty?
+      
+      Conjur::Command.api = api.with_privilege "elevate"
+      subcommand args
+    end
+  end
+  
+  desc "Run a sub-command in 'reveal' mode"
+  long_desc <<-DESC
+If you are allowed to do this by the Conjur server, you can inspect all data in the Conjur
+authorization service. For example, you can list and search for all resources, regardless of
+your ownership and privileges. You can also show details on any resource, and you can perform
+permission checks on any resource.
+
+To be able to run this command, you must have the 'reveal' privilege on the resource '!:!:conjur'.
+
+EXAMPLE
+
+List all groups:
+
+$ conjur reveal group list -i
+
+  DESC
+  command :reveal do |c|
+    c.action do |global_options,options,args|
+      exit_now! "Subcommand is required" if args.empty?
+      
+      Conjur::Command.api = api.with_privilege "reveal"
+      subcommand args
+    end
+  end
+end

data/lib/conjur/command/rspec/mock_services.rb

@@ -16,6 +16,9 @@ shared_context "with mock authn" do
   let(:netrcfile) { Tempfile.new 'authtest' }
   let(:netrc) { Netrc.read(netrcfile.path) }
   let(:account) { 'the-account' }
+  let(:username) { 'dknuth' }
+  let(:api_key) { 'sekrit' }
+  let(:api) { Conjur::API.new_from_key(username, api_key) }
   before do
     allow(Conjur::Core::API).to receive(:conjur_account) { account }
     allow(Conjur::Authn).to receive_messages(netrc: netrc, host: authn_host)
@@ -25,9 +28,6 @@ end
 
 shared_context "when logged in", logged_in: true do
   include_context "with mock authn"
-  let(:username) { 'dknuth' }
-  let(:api_key) { 'sekrit' }
-  let(:api) { Conjur::API.new_from_key(username, api_key) }
   before do
     allow(api).to receive(:credentials) { {} }
     netrc[authn_host] = [username, api_key]

data/lib/conjur/command.rb

@@ -28,6 +28,7 @@ module Conjur
     
     class << self
       attr_accessor :prefix
+      
       def method_missing *a, &b
         Conjur::CLI.send *a, &b
       end
@@ -41,6 +42,14 @@ module Conjur
         args.shift or raise "Missing parameter: #{name}"
       end
 
+      def assert_empty(args)
+        exit_now! "Received extra command arguments" unless args.empty?
+      end
+      
+      def api= api
+        @@api = api
+      end
+
       def api
         @@api ||= Conjur::Authn.connect
       end
@@ -183,7 +192,13 @@ an alternative destination role.)
         end
       end
       
+      def elevated?
+        api.privilege == 'elevate' && api.global_privilege_permitted?('elevate')
+      end
+      
       def validate_retire_privileges record, options
+        return true if elevated?
+        
         if record.respond_to?(:role)
           memberships = current_user.role.memberships.map(&:roleid)
           validate_privileges "You can't administer this record" do

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.26.0"
+  VERSION = "4.27.0"
   ::Version=VERSION
 end

data/spec/command/elevate_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+describe Conjur::Command::Elevate do
+  describe_command "elevate user show alice" do
+    include_context "with mock authn"
+    
+    let(:token) { {login: 'dknuth'} }
+    before{
+      expect(Conjur::Authn).to receive(:connect).and_return(api)
+    }
+    it "invokes the sub-command with X-Conjur-Privilege header" do
+      allow_any_instance_of(Conjur::API).to receive(:token).and_return(token)
+      expect(Conjur::Command).to receive(:api=) do |api|
+        expect(api.api_key).to eq("sekrit")
+        expect(api.privilege).to eq("elevate")
+      end.and_call_original
+      
+      expect(RestClient::Request).to receive(:execute).with({
+        method: :get,
+        url: "https://core.example.com/users/alice",
+        username: "dknuth",
+        headers: {:authorization=>"Token token=\"eyJsb2dpbiI6ImRrbnV0aCJ9\"", x_conjur_privilege: "elevate"}
+      }.merge(cert_store_options)).and_return(double(:response, body: "[]"))
+      
+      invoke
+    end
+  end
+end