conjur-cli 4.28.2 → 4.29.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 840c544d5183fcf90aa59bf7a42e6cf690607c0d
-  data.tar.gz: 20a2f241ec1acc83f84623faa9ea97c60803960a
+  metadata.gz: 974b0f72a352691fba5f49e01849a56518cf3afe
+  data.tar.gz: 1ae44b2cbaca17695bfeec8192bba636a43ca6bc
 SHA512:
-  metadata.gz: de5e19dcd506890c7e27276a58a5f89f00af5f8e1bb9b40cd865ba9087b41fc866995b0348d068bd3532603992323b89ee78cdd23ea0e810897540544f2a07df
-  data.tar.gz: 065b00d3f9ec129e5cbd2906a213ab44735456b19d0936e7417afa597c75e33034063dd20fd32cc7c3b8bb86aba635a20036ebf77c414745c1fe858d5fd7bd87
+  metadata.gz: 01f136c95c3467917990b66611bc71f0f3684d0c371e481c3700fdb3532975b9b52f530423da96c6980dbd06518d66571123cc3b5caba10d75de56e6a36819d8
+  data.tar.gz: 8492137a6c4bc4852dcc85ddec8e826d80ce1d1675a7d198c71680f3fd2fa1d45f3fb15c90f01892153b258dd6f79230008543327ae9da7eb37e1d42ca6d99c3

data/.dockerignore

@@ -0,0 +1,8 @@
+*.deb
+coverage
+*/reports
+.git
+vendor
+.idea
+pkg
+Gemfile.lock

data/.gitignore

@@ -1,3 +1,4 @@
+*.deb
 .gems
 .rbenv*
 *.policy
@@ -32,3 +33,4 @@ update_ci.sh
 .ruby-version
 .ruby-gemset
 vendor/bundle
+Dockerfile.*

data/.overcommit.yml

@@ -0,0 +1,10 @@
+PreCommit:
+  HardTabs:
+    enabled: true
+    problem_on_unmodified_line: warn
+  RuboCop:
+    enabled: true
+    problem_on_unmodified_line: warn
+PostCheckout:
+  BundleInstall:
+   enabled: true

data/.rubocop.yml

@@ -0,0 +1,14 @@
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact
+
+Style/MethodDefParentheses:
+  EnforcedStyle: require_no_parentheses
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Lint/EndAlignment:
+  AlignWith: start_of_line
+
+Style/AndOr:
+  EnforcedStyle: conditionals

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+# Unreleased
+
+# 4.29.0
+* Add `conjur host rotate_api_key` command.
+* Add `conjur version` (as well as `conjur server version`) command to show server version info.
+* Add `conjur server health` and `conjur server info` to display server health and info.
+* Add `conjur version` (as well as `conjur server version`) command to show server version info.
+* Add `conjur server health` and `conjur server info` to display server health and info.
+* Check server version compatibility if exception occurs and command has configured minimum version
+* Add `conjur layer retire` to allow retiring a layer.
+* Add `cidr` commands to `user`, `host`, and `hostfactory token`
+* Move `audit send` and `host factory` commands from plugins into the core CLI
+* Add `variable expire` and `variable expirations` subcommands. Variable expirations is available in version 4.6 of the Conjur server.
+* Add `--json` option to `conjurize` to print the Conjur configuration and host identity as a JSON file
+* Require `--layer` argument to `hostfactory create`, ensure that the owner is an admin of the layer.
+
 # 4.28.2
 * `--collection` is now optional (with no default) for both `conjur script execute` and `conjur policy load`.
 

data/Dockerfile

@@ -0,0 +1,10 @@
+FROM ruby:2.1.5
+
+RUN mkdir /src
+WORKDIR /src
+
+COPY Gemfile Gemfile
+COPY conjur.gemspec conjur.gemspec
+COPY lib/conjur/version.rb lib/conjur/version.rb
+
+RUN bundle install

data/Gemfile

@@ -7,9 +7,11 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'conjur-api', git: 'https://github.com/conjurinc/api-ruby.git', branch: 'master'
+gem 'semantic', '>= 1.4.1', git: 'https://github.com/jlindsey/semantic.git'
 
 group :test, :development do
   gem 'pry'
   gem 'pry-doc'
   gem 'ruby-prof'
+  gem 'conjur-debify', '>= 0.7.0'
 end

data/Rakefile

@@ -11,7 +11,7 @@ Cucumber::Rake::Task.new :features
 
 task :jenkins => ['ci:setup:rspec', :spec, 'ci:setup:cucumber_report_cleanup'] do
   Cucumber::Rake::Task.new do |t|
-    t.cucumber_opts = "--tags ~@real-api --format progress --format CI::Reporter::Cucumber --out features/reports"
+    t.cucumber_opts = "--tags ~@real-api --format pretty --format CI::Reporter::Cucumber --out features/reports"
   end.runner.run
   File.write('build_number', ENV['BUILD_NUMBER']) if ENV['BUILD_NUMBER']
 end

data/acceptance-features/audit/audit_event_send.feature

@@ -7,36 +7,52 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
         And I run `conjur resource permit host:$ns/monitoring/server user:observer@$ns read`
         And I run `conjur role grant_to user:eve@$ns user:observer@$ns`
         And I run `conjur role grant_to host:$ns/monitoring/server user:observer@$ns`
-        And a file named "audit_event.json" with namespace substitution:
-            """
-              {
-                "facility": "custom",
-                "action": "sudo",
-                "system_user": "eve",
-                "allowed": false,
-                "role": "user:eve@$ns",
-                "resource_id": "host:$ns/monitoring/server",
-                "error": "user NOT in sudoers",
-                "audit_message": "eve tried to run '/bin/cat /etc/shadow' as root",   
-                "command": "/bin/cat /etc/shadow",
-                "target_user": "root",
-                "sudo": {
-                  "TTY": "pts/0",
-                  "PWD": "/home/eve",
-                  "USER": "root",
-                  "COMMAND": "/bin/cat /etc/shadow"
-                },
-                "timestamp": "2014-06-30T03:25:00.542768+00:00"
-              }
-            """   
-        And I login as a new host
-        And I run `conjur audit send` interactively
-        And I pipe in the file "audit_event.json"
-        And the exit status should be 0
+        And I login as the new host
+        And I send the audit event:
+        """
+        {
+          "facility": "custom",
+          "action": "sudo",
+          "system_user": "eve",
+          "allowed": false,
+          "role": "user:eve@$ns",
+          "resource_id": "host:$ns/monitoring/server",
+          "error": "user NOT in sudoers",
+          "audit_message": "eve tried to run '/bin/cat /etc/shadow' as root",   
+          "command": "/bin/cat /etc/shadow",
+          "target_user": "root",
+          "sudo": {
+            "TTY": "pts/0",
+            "PWD": "/home/eve",
+            "USER": "root",
+            "COMMAND": "/bin/cat /etc/shadow"
+          },
+          "timestamp": "2014-06-30T03:25:00.542768+00:00"
+        }
+        """   
         And I login as "observer@$ns"
+        And I reset the command list
+
+    Scenario: Custom event is indexed by explictly submitted resources
+        When I run `conjur audit resource -s host:$ns/monitoring/server`
+        Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
+        And  the stdout should contain "allowed: false"
+        And  the stdout should contain "eve tried to run"
+
+    Scenario: Custom event is indexed by the role which submitted it
+        When I run `conjur audit role -s host:$ns/monitoring/server`
+        Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
+        And  the stdout should contain "allowed: false"
+        And  the stdout should contain "eve tried to run"
+
+    Scenario: Custom event is indexed by explicitly submitted roles
+        When I run `conjur audit role -s user:eve@$ns`
+        Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
+        And  the stdout should contain "allowed: false"
+        And  the stdout should contain "eve tried to run"
 
     Scenario: Default fields are included in audit event
-        When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
+        When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
         Then the JSON response should have the following:
             | id                    |
             | event_id              |
@@ -53,7 +69,7 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
             | conjur                |
 
     Scenario: Default fields are filled properly
-        When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
+        When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
         Then the JSON response at "timestamp" should include "2014-06-30T03:25:00"
         And the JSON response at "kind" should be "audit"
         And the JSON response at "action" should be "sudo"
@@ -65,7 +81,7 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
         And the JSON response at "conjur/user" should include "/monitoring/server"
         
     Scenario: All custom fields are exposed
-        When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
+        When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
         Then the JSON response should have the following:
             | facility              |
             | system_user           |   
@@ -79,7 +95,7 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
             | sudo                  |
     
     Scenario: Custom fields are filled properly
-        When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
+        When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
         And the JSON response at "facility" should be "custom"
         And the JSON response at "system_user" should include "eve"
         And the JSON response at "allowed" should be false
@@ -89,16 +105,3 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
         And the JSON response at "command" should be "/bin/cat /etc/shadow"
         And the JSON response at "target_user" should be "root"
         And the JSON response at "sudo/PWD" should be "/home/eve"
-
-    Scenario: Custom event is indexed per resource
-        When I run `conjur audit resource -s host:$ns/monitoring/server`
-        Then the output should match /monitoring.server reported custom:sudo by .*:user:eve@(.*) on .*:host:(.*).monitoring.server \(allowed: false\); message: eve tried to run .* as root \(failed with user NOT in sudoers\)/
-           
-
-    Scenario: Custom event is indexed per submitter role
-        When I run `conjur audit role -s host:$ns/monitoring/server`
-        Then the output should match /monitoring.server reported custom:sudo by .*:user:eve@(.*) on .*:host:(.*).monitoring.server \(allowed: false\); message: eve tried to run .* as root \(failed with user NOT in sudoers\)/
-    
-    Scenario: Custom event is indexed per other roles
-        When I run `conjur audit role -s user:eve@$ns`
-        Then the output should match /monitoring.server reported custom:sudo by .*:user:eve@(.*) on .*:host:(.*).monitoring.server \(allowed: false\); message: eve tried to run .* as root \(failed with user NOT in sudoers\)/

data/acceptance-features/audit/send.feature

@@ -39,25 +39,6 @@ Feature: Create custom audit events
         And I run `conjur audit all -s`
         Then the output should match /user:joe@.* reported login \(failed with password mismatch\)/
 
-    Scenario: Fully described audit event (sent from file)
-        When a file named "audit_event.json" with:
-            """
-            { 
-                "action": "login",
-                "facility": "ssh",
-                "role": "user:bob",
-                "resource_id": "host:server",
-                "allowed": false,
-                "audit_message": "Client IP is 1.2.3.4",
-                "error": "password mismatch"
-            }
-            """ 
-        And I run `conjur audit send` interactively
-        And I pipe in the file "audit_event.json"
-        And the exit status should be 0
-        And I run `conjur audit all -s`
-        Then the output should match /user:joe@.* reported ssh:login by .*:user:bob on .*:host:server \(allowed: false\); message: Client IP is 1.2.3.4 \(failed with password mismatch\)/
-
     Scenario: Specify timestamp as IS08601 with timezone
         When I successfully run `conjur audit send '{"action":"login", "timestamp": "2014-07-01T01:02:03Z"}'`
         And I run `conjur audit all -s`

data/acceptance-features/authentication/login.feature

@@ -9,6 +9,4 @@ Feature: Login a new user
     And I run `conjur authn login alice@$ns` interactively
     And I type "foobar"
     And the exit status should be 0
-    And I successfully run `conjur authn whoami`
-    Then the JSON at "username" should be %{LOGIN}
     

data/acceptance-features/authentication/logout.feature

@@ -11,6 +11,3 @@ Feature: Logout the user
     And the exit status should be 0
     And I successfully run `conjur authn logout`
     Then the stdout from "conjur authn logout" should contain exactly "Logged out\n"
-    And I run `conjur authn whoami`
-    And the exit status should be 255
-    And the stderr from "conjur authn whoami" should contain "error: Not logged in"

data/acceptance-features/authorization/resource/check.feature

@@ -2,21 +2,23 @@ Feature: Checking permissions on a resource
 
   Background:
     Given I successfully run `conjur resource create food:$ns/bacon`
+    And I reset the command list
 
   Scenario: By default I check my own privilege
     In this case, I have the privilege because I own the resource
   
     When I successfully run `conjur resource check food:$ns/bacon fry`
-    Then the stdout from "conjur resource check food:$ns/bacon fry" should contain "true"
+    Then the stdout should contain exactly "true"
 
   Scenario: I can check the privileges of roles that I own
     When I successfully run `conjur role create job:$ns/cook`
+    And I reset the command list
     And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
-    Then the stdout from "conjur resource check -r job:$ns/cook food:$ns/bacon fry" should contain "false"
+    Then the stdout should contain exactly "false"
     
   Scenario: I can check the privileges of roles that I own
     When I successfully run `conjur role create job:$ns/cook`
     And I successfully run `conjur resource permit food:$ns/bacon job:$ns/cook fry`
+    And I reset the command list
     And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
-    Then the stdout from "conjur resource check -r job:$ns/cook food:$ns/bacon fry" should contain "true"
-    
+    Then the stdout should contain exactly "true"

data/acceptance-features/authorization/resource/create.feature

@@ -9,11 +9,13 @@ Feature: Create a Resource
 
   Scenario: The resource owner has all privileges on it
     When I successfully run `conjur resource create food:$ns/bacon`
+    And I reset the command list
     And I successfully run `conjur resource check food:$ns/bacon fry`
-    Then the stdout from "conjur resource check food:$ns/bacon fry" should contain "true"
+    Then the stdout should contain exactly "true"
 
   Scenario: A different role can be assigned as the owner of the resource
     When I successfully run `conjur role create job:$ns/chefs`
     And I successfully run `conjur resource create --as-role job:$ns/chefs food:$ns/bacon`
+    And I reset the command list
     And I successfully run `conjur resource check -r job:$ns/chefs food:$ns/bacon fry`
-    Then the stdout from "conjur resource check -r job:$ns/chefs food:$ns/bacon fry" should contain "true"
+    Then the stdout should contain exactly "true"

data/acceptance-features/authorization/resource/exists.feature

@@ -1,16 +1,18 @@
-Feature: Test the existance of a resource
+Feature: Test the existence of a resource
 
   Scenario: Existing resources can be detected
     Given I successfully run `conjur resource create food:$ns/bacon`
+    And I reset the command list
     When I successfully run `conjur resource exists food:$ns/bacon`
-    Then the stdout from "conjur resource exists food:$ns/bacon" should contain "true"
+    Then the stdout should contain exactly "true"
 
-  Scenario: Non-existant resources are reported as such
+  Scenario: Non-existent resources are reported as such
     When I successfully run `conjur resource exists food:$ns/bacon`
-    Then the stdout from "conjur resource exists food:$ns/bacon" should contain "false"
+    Then the stdout should contain exactly "false"
   
-  Scenario: Even foreign user can check existance of a resource 
+  Scenario: Even foreign user can check existence of a resource 
     Given I successfully run `conjur resource create food:$ns/bacon`
     And I login as a new user 
+    And I reset the command list
     And I run `conjur resource exists food:$ns/bacon`
-    Then the stdout from "conjur resource exists food:$ns/bacon" should contain "true"
+    Then the stdout should contain exactly "true"

data/acceptance-features/authorization/resource/give.feature

@@ -4,6 +4,7 @@ Feature: Give a resource to another role
     Given I successfully run `conjur resource create food:$ns/bacon`
     And I create a new user named "alice@$ns"
     Then I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
+    And I reset the command list
 
   Scenario: Resource owner is in the 'owner' field
     Given I successfully run `conjur resource create food:$ns/bacon`
@@ -18,5 +19,6 @@ Feature: Give a resource to another role
     And I create a new user named "alice@$ns"
     And I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
     And I login as "alice@$ns"
+    And I reset the command list
     When I successfully run `conjur resource check food:$ns/bacon fry`
-    Then the stdout from "conjur resource check food:$ns/bacon fry" should contain "true"
+    Then the stdout should contain exactly "true"

data/acceptance-features/authorization/resource/show.feature

@@ -2,6 +2,7 @@ Feature: Show a resource
 
   Background:
     Given I successfully run `conjur resource create food:$ns/bacon`
+    And I reset the command list
   
   Scenario: Showing a resource displays all its fields
     When I successfully run `conjur resource show food:$ns/bacon`
@@ -12,9 +13,10 @@ Feature: Show a resource
 
   Scenario: You can't show a resource on which you have no privileges
     Given I login as a new user
+    And I reset the command list
     When I run `conjur resource show food:$ns/bacon`
     Then the exit status should be 1
-    And the output from "conjur resource show food:$ns/bacon" should contain "Forbidden"
+    And the output should contain "Forbidden"
     
   Scenario: You can show any resource if you have a privilege on it
     Once alice has a permission to fry bacon, she can show everything

data/acceptance-features/authorization/role/graph.feature

@@ -1,4 +1,3 @@
-@real-api
 Feature: Retrieving role graphs
   As a Conjur user
   In order to understand the role hierarchy

data/acceptance-features/conjurenv/check.feature

@@ -4,19 +4,13 @@ Feature: Check an environment
     Given I run `conjur variable create $ns/access_key ABCDEF`
     And I run `conjur variable create $ns/secret_key XYZQWER`
     And I run `conjur variable create $ns/ssh_private_key PRIVATE_KEY_BODY`
-    And I run `conjur user create -p alice@$ns` interactively
-    And I type "foobar"
-    And I type "foobar"
-    And the exit status should be 0
+    And I create a new user named "alice@$ns"
     And I run `conjur resource permit variable:$ns/access_key user:alice@$ns execute`
     And I run `conjur resource permit variable:$ns/secret_key user:alice@$ns execute`
-    And I run `conjur authn login -u alice@$ns` interactively
-    And I type "foobar"
-    And the exit status should be 0
-
+    And I login as "alice@$ns"
+    And I reset the command list
 
   Scenario: Check against permitted variables
-
     When I run `conjur env check --yaml '{ aws_access_key: !var $ns/access_key , aws_secret_key: !var $ns/secret_key }'`
     Then the exit status should be 0
     And the stdout should contain "aws_access_key: available\naws_secret_key: available\n"
@@ -25,4 +19,3 @@ Feature: Check an environment
     When I run `conjur env check --yaml '{ aws_access_key: !var $ns/access_key , ssh_private_key: !var $ns/ssh_private_key }'`
     Then the exit status should be 1
     And the stdout should contain "aws_access_key: available\nssh_private_key: unavailable\n"
-                                                 

data/acceptance-features/conjurenv/run.feature

@@ -3,8 +3,8 @@ Feature: Run command in an environment populated from Conjur variables
   Background: 
     Given I run `conjur variable create $ns/access_key ABCDEF`
     And I run `conjur variable create $ns/secret_key XYZQWER`
+    And I reset the command list
 
   Scenario:
-    When I run `conjur env run --yaml '{ cloud_access_key: !var $ns/access_key , cloud_secret_key: !var $ns/secret_key }' -- printenv CLOUD_ACCESS_KEY CLOUD_SECRET_KEY`
-    Then the stdout should contain "ABCDEF\nXYZQWER"
-
+    When I run `bash -c "conjur env run --yaml '{ cloud_access_key: !var $ns/access_key , cloud_secret_key: !var $ns/secret_key }' -- env | grep CLOUD_"`
+    Then the stdout should contain exactly "CLOUD_ACCESS_KEY=ABCDEF\nCLOUD_SECRET_KEY=XYZQWER"

data/acceptance-features/conjurenv/template.feature

@@ -4,8 +4,8 @@ Feature: Embed values of Conjur variables into ERB template
     Given a file named "template.erb" with: 'aws credentials: [<%= conjurenv["aws_access_key"] %>, <%= conjurenv["aws_secret_key"] %>]'
     And I run `conjur variable create $ns/access_key ABCDEF`
     And I run `conjur variable create $ns/secret_key XYZQWER`
+    And I reset the command list
 
   Scenario:
     When I run `conjur env template --yaml '{ aws_access_key: !var $ns/access_key , aws_secret_key: !var $ns/secret_key }' template.erb `
     Then it prints the path to temporary file which contains: 'aws credentials: [ABCDEF, XYZQWER]'
-