conjur-cli 4.28.2 → 4.29.0

Files changed (73)
  1. checksums.yaml +4 -4
  2. data/.dockerignore +8 -0
  3. data/.gitignore +2 -0
  4. data/.overcommit.yml +10 -0
  5. data/.rubocop.yml +14 -0
  6. data/CHANGELOG.md +16 -0
  7. data/Dockerfile +10 -0
  8. data/Gemfile +2 -0
  9. data/Rakefile +1 -1
  10. data/acceptance-features/audit/audit_event_send.feature +46 -43
  11. data/acceptance-features/audit/send.feature +0 -19
  12. data/acceptance-features/authentication/login.feature +0 -2
  13. data/acceptance-features/authentication/logout.feature +0 -3
  14. data/acceptance-features/authorization/resource/check.feature +6 -4
  15. data/acceptance-features/authorization/resource/create.feature +4 -2
  16. data/acceptance-features/authorization/resource/exists.feature +8 -6
  17. data/acceptance-features/authorization/resource/give.feature +3 -1
  18. data/acceptance-features/authorization/resource/show.feature +3 -1
  19. data/acceptance-features/authorization/role/graph.feature +0 -1
  20. data/acceptance-features/conjurenv/check.feature +3 -10
  21. data/acceptance-features/conjurenv/run.feature +3 -3
  22. data/acceptance-features/conjurenv/template.feature +1 -1
  23. data/acceptance-features/directory/hostfactory/create.feature +13 -0
  24. data/acceptance-features/directory/hostfactory/tokens.feature +16 -0
  25. data/acceptance-features/directory/layer/retire.feature +43 -0
  26. data/acceptance-features/directory/user/update_password.feature +0 -1
  27. data/acceptance-features/directory/variable/value.feature +3 -2
  28. data/acceptance-features/dsl/policy_owner.feature +21 -7
  29. data/acceptance-features/dsl/resource_owner.feature +4 -4
  30. data/acceptance-features/pubkeys/add.feature +4 -2
  31. data/acceptance-features/pubkeys/names.feature +6 -3
  32. data/acceptance-features/pubkeys/show.feature +4 -2
  33. data/acceptance-features/step_definitions/{cli.rb → cli_steps.rb} +18 -4
  34. data/acceptance-features/step_definitions/user_steps.rb +13 -12
  35. data/acceptance-features/support/env.rb +0 -1
  36. data/acceptance-features/support/hooks.rb +11 -14
  37. data/acceptance-features/support/world.rb +16 -18
  38. data/build-deb.sh +19 -0
  39. data/ci/test.sh +19 -0
  40. data/conjur.gemspec +9 -12
  41. data/debify.sh +4 -0
  42. data/distrib/bin/_conjur +3 -0
  43. data/distrib/bin/conjur +3 -0
  44. data/distrib/bin/conjurize +3 -0
  45. data/distrib/bin/jsonfield +3 -0
  46. data/features/conjurize.feature +25 -25
  47. data/features/support/env.rb +5 -1
  48. data/features/support/hooks.rb +0 -1
  49. data/jenkins.sh +29 -1
  50. data/lib/conjur/cli.rb +27 -4
  51. data/lib/conjur/command.rb +36 -0
  52. data/lib/conjur/command/audit.rb +12 -0
  53. data/lib/conjur/command/bootstrap.rb +5 -9
  54. data/lib/conjur/command/host_factories.rb +187 -0
  55. data/lib/conjur/command/hosts.rb +82 -2
  56. data/lib/conjur/command/layers.rb +28 -0
  57. data/lib/conjur/command/resources.rb +1 -0
  58. data/lib/conjur/command/rspec/mock_services.rb +1 -1
  59. data/lib/conjur/command/server.rb +67 -0
  60. data/lib/conjur/command/users.rb +67 -12
  61. data/lib/conjur/command/variables.rb +101 -14
  62. data/lib/conjur/conjurize.rb +25 -69
  63. data/lib/conjur/conjurize/script.rb +133 -0
  64. data/lib/conjur/version.rb +1 -1
  65. data/publish.sh +6 -0
  66. data/spec/command/elevate_spec.rb +1 -1
  67. data/spec/command/host_factories_spec.rb +38 -0
  68. data/spec/command/hosts_spec.rb +86 -22
  69. data/spec/command/users_spec.rb +51 -3
  70. data/spec/command/variable_expiration_spec.rb +174 -0
  71. data/spec/command/variables_spec.rb +1 -1
  72. data/spec/conjurize_spec.rb +70 -0
  73. metadata +61 -64
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 840c544d5183fcf90aa59bf7a42e6cf690607c0d
4
- data.tar.gz: 20a2f241ec1acc83f84623faa9ea97c60803960a
3
+ metadata.gz: 974b0f72a352691fba5f49e01849a56518cf3afe
4
+ data.tar.gz: 1ae44b2cbaca17695bfeec8192bba636a43ca6bc
5
5
  SHA512:
6
- metadata.gz: de5e19dcd506890c7e27276a58a5f89f00af5f8e1bb9b40cd865ba9087b41fc866995b0348d068bd3532603992323b89ee78cdd23ea0e810897540544f2a07df
7
- data.tar.gz: 065b00d3f9ec129e5cbd2906a213ab44735456b19d0936e7417afa597c75e33034063dd20fd32cc7c3b8bb86aba635a20036ebf77c414745c1fe858d5fd7bd87
6
+ metadata.gz: 01f136c95c3467917990b66611bc71f0f3684d0c371e481c3700fdb3532975b9b52f530423da96c6980dbd06518d66571123cc3b5caba10d75de56e6a36819d8
7
+ data.tar.gz: 8492137a6c4bc4852dcc85ddec8e826d80ce1d1675a7d198c71680f3fd2fa1d45f3fb15c90f01892153b258dd6f79230008543327ae9da7eb37e1d42ca6d99c3
data/.dockerignore ADDED
@@ -0,0 +1,8 @@
1
+ *.deb
2
+ coverage
3
+ */reports
4
+ .git
5
+ vendor
6
+ .idea
7
+ pkg
8
+ Gemfile.lock
data/.gitignore CHANGED
@@ -1,3 +1,4 @@
1
+ *.deb
1
2
  .gems
2
3
  .rbenv*
3
4
  *.policy
@@ -32,3 +33,4 @@ update_ci.sh
32
33
  .ruby-version
33
34
  .ruby-gemset
34
35
  vendor/bundle
36
+ Dockerfile.*
data/.overcommit.yml ADDED
@@ -0,0 +1,10 @@
1
+ PreCommit:
2
+ HardTabs:
3
+ enabled: true
4
+ problem_on_unmodified_line: warn
5
+ RuboCop:
6
+ enabled: true
7
+ problem_on_unmodified_line: warn
8
+ PostCheckout:
9
+ BundleInstall:
10
+ enabled: true
data/.rubocop.yml ADDED
@@ -0,0 +1,14 @@
1
+ Style/ClassAndModuleChildren:
2
+ EnforcedStyle: compact
3
+
4
+ Style/MethodDefParentheses:
5
+ EnforcedStyle: require_no_parentheses
6
+
7
+ Style/StringLiterals:
8
+ EnforcedStyle: double_quotes
9
+
10
+ Lint/EndAlignment:
11
+ AlignWith: start_of_line
12
+
13
+ Style/AndOr:
14
+ EnforcedStyle: conditionals
data/CHANGELOG.md CHANGED
@@ -1,3 +1,19 @@
1
+ # Unreleased
2
+
3
+ # 4.29.0
4
+ * Add `conjur host rotate_api_key` command.
5
+ * Add `conjur version` (as well as `conjur server version`) command to show server version info.
6
+ * Add `conjur server health` and `conjur server info` to display server health and info.
7
+ * Add `conjur version` (as well as `conjur server version`) command to show server version info.
8
+ * Add `conjur server health` and `conjur server info` to display server health and info.
9
+ * Check server version compatibility if exception occurs and command has configured minimum version
10
+ * Add `conjur layer retire` to allow retiring a layer.
11
+ * Add `cidr` commands to `user`, `host`, and `hostfactory token`
12
+ * Move `audit send` and `host factory` commands from plugins into the core CLI
13
+ * Add `variable expire` and `variable expirations` subcommands. Variable expirations is available in version 4.6 of the Conjur server.
14
+ * Add `--json` option to `conjurize` to print the Conjur configuration and host identity as a JSON file
15
+ * Require `--layer` argument to `hostfactory create`, ensure that the owner is an admin of the layer.
16
+
1
17
  # 4.28.2
2
18
  * `--collection` is now optional (with no default) for both `conjur script execute` and `conjur policy load`.
3
19
 
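Review bot: The new 4.29.0 section lists the `conjur version` entry and the `conjur server health` / `conjur server info` entry twice (new lines 5-6 and again at 7-8); drop the second pair. The section also spells the same command family as both `hostfactory` and `host factory`; use the name the CLI registers so the entry can be searched for.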
data/Dockerfile ADDED
@@ -0,0 +1,10 @@
1
+ FROM ruby:2.1.5
2
+
3
+ RUN mkdir /src
4
+ WORKDIR /src
5
+
6
+ COPY Gemfile Gemfile
7
+ COPY conjur.gemspec conjur.gemspec
8
+ COPY lib/conjur/version.rb lib/conjur/version.rb
9
+
10
+ RUN bundle install
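Review bot: `RUN bundle install` resolves dependencies at image build time without a lockfile: only `Gemfile`, `conjur.gemspec` and `lib/conjur/version.rb` are copied in, and the new `.dockerignore` excludes `Gemfile.lock`. Together with the git-sourced gems in the Gemfile, two builds of this image can end up with different code. Consider copying a committed lockfile into the image or pinning the git gems to a ref, and pinning `FROM ruby:2.1.5` by digest if this image is used to produce release packages.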
data/Gemfile CHANGED
@@ -7,9 +7,11 @@ source 'https://rubygems.org'
7
7
  gemspec
8
8
 
9
9
  gem 'conjur-api', git: 'https://github.com/conjurinc/api-ruby.git', branch: 'master'
10
+ gem 'semantic', '>= 1.4.1', git: 'https://github.com/jlindsey/semantic.git'
10
11
 
11
12
  group :test, :development do
12
13
  gem 'pry'
13
14
  gem 'pry-doc'
14
15
  gem 'ruby-prof'
16
+ gem 'conjur-debify', '>= 0.7.0'
15
17
  end
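Review bot: The added `semantic` line installs from a third-party GitHub repository with no `ref:` or `tag:`, so the `>= 1.4.1` constraint is checked against whatever the default branch contains at install time. Pin it to a commit with `ref:` or depend on a released gem version. The same concern applies to `conjur-api` tracking `branch: 'master'` in the context line above it.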
data/Rakefile CHANGED
@@ -11,7 +11,7 @@ Cucumber::Rake::Task.new :features
11
11
 
12
12
  task :jenkins => ['ci:setup:rspec', :spec, 'ci:setup:cucumber_report_cleanup'] do
13
13
  Cucumber::Rake::Task.new do |t|
14
- t.cucumber_opts = "--tags ~@real-api --format progress --format CI::Reporter::Cucumber --out features/reports"
14
+ t.cucumber_opts = "--tags ~@real-api --format pretty --format CI::Reporter::Cucumber --out features/reports"
15
15
  end.runner.run
16
16
  File.write('build_number', ENV['BUILD_NUMBER']) if ENV['BUILD_NUMBER']
17
17
  end
@@ -7,36 +7,52 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
7
7
  And I run `conjur resource permit host:$ns/monitoring/server user:observer@$ns read`
8
8
  And I run `conjur role grant_to user:eve@$ns user:observer@$ns`
9
9
  And I run `conjur role grant_to host:$ns/monitoring/server user:observer@$ns`
10
- And a file named "audit_event.json" with namespace substitution:
11
- """
12
- {
13
- "facility": "custom",
14
- "action": "sudo",
15
- "system_user": "eve",
16
- "allowed": false,
17
- "role": "user:eve@$ns",
18
- "resource_id": "host:$ns/monitoring/server",
19
- "error": "user NOT in sudoers",
20
- "audit_message": "eve tried to run '/bin/cat /etc/shadow' as root",
21
- "command": "/bin/cat /etc/shadow",
22
- "target_user": "root",
23
- "sudo": {
24
- "TTY": "pts/0",
25
- "PWD": "/home/eve",
26
- "USER": "root",
27
- "COMMAND": "/bin/cat /etc/shadow"
28
- },
29
- "timestamp": "2014-06-30T03:25:00.542768+00:00"
30
- }
31
- """
32
- And I login as a new host
33
- And I run `conjur audit send` interactively
34
- And I pipe in the file "audit_event.json"
35
- And the exit status should be 0
10
+ And I login as the new host
11
+ And I send the audit event:
12
+ """
13
+ {
14
+ "facility": "custom",
15
+ "action": "sudo",
16
+ "system_user": "eve",
17
+ "allowed": false,
18
+ "role": "user:eve@$ns",
19
+ "resource_id": "host:$ns/monitoring/server",
20
+ "error": "user NOT in sudoers",
21
+ "audit_message": "eve tried to run '/bin/cat /etc/shadow' as root",
22
+ "command": "/bin/cat /etc/shadow",
23
+ "target_user": "root",
24
+ "sudo": {
25
+ "TTY": "pts/0",
26
+ "PWD": "/home/eve",
27
+ "USER": "root",
28
+ "COMMAND": "/bin/cat /etc/shadow"
29
+ },
30
+ "timestamp": "2014-06-30T03:25:00.542768+00:00"
31
+ }
32
+ """
36
33
  And I login as "observer@$ns"
34
+ And I reset the command list
35
+
36
+ Scenario: Custom event is indexed by explictly submitted resources
37
+ When I run `conjur audit resource -s host:$ns/monitoring/server`
38
+ Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
39
+ And the stdout should contain "allowed: false"
40
+ And the stdout should contain "eve tried to run"
41
+
42
+ Scenario: Custom event is indexed by the role which submitted it
43
+ When I run `conjur audit role -s host:$ns/monitoring/server`
44
+ Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
45
+ And the stdout should contain "allowed: false"
46
+ And the stdout should contain "eve tried to run"
47
+
48
+ Scenario: Custom event is indexed by explicitly submitted roles
49
+ When I run `conjur audit role -s user:eve@$ns`
50
+ Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
51
+ And the stdout should contain "allowed: false"
52
+ And the stdout should contain "eve tried to run"
37
53
 
38
54
  Scenario: Default fields are included in audit event
39
- When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
55
+ When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
40
56
  Then the JSON response should have the following:
41
57
  | id |
42
58
  | event_id |
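Review bot: In the three new `-s` scenarios the expected text `reported custom:sudo by cucumber:user:eve` hard-codes the account name `cucumber`, so the feature fails against a server configured with any other account. Match the account with a pattern, or document that the suite requires an account named `cucumber`. The first new scenario title also has a typo: `explictly` should be `explicitly`.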
@@ -53,7 +69,7 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
53
69
  | conjur |
54
70
 
55
71
  Scenario: Default fields are filled properly
56
- When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
72
+ When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
57
73
  Then the JSON response at "timestamp" should include "2014-06-30T03:25:00"
58
74
  And the JSON response at "kind" should be "audit"
59
75
  And the JSON response at "action" should be "sudo"
@@ -65,7 +81,7 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
65
81
  And the JSON response at "conjur/user" should include "/monitoring/server"
66
82
 
67
83
  Scenario: All custom fields are exposed
68
- When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
84
+ When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
69
85
  Then the JSON response should have the following:
70
86
  | facility |
71
87
  | system_user |
@@ -79,7 +95,7 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
79
95
  | sudo |
80
96
 
81
97
  Scenario: Custom fields are filled properly
82
- When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
98
+ When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
83
99
  And the JSON response at "facility" should be "custom"
84
100
  And the JSON response at "system_user" should include "eve"
85
101
  And the JSON response at "allowed" should be false
@@ -89,16 +105,3 @@ Feature: Write and read custom audit events (full-stack test, not for publicatio
89
105
  And the JSON response at "command" should be "/bin/cat /etc/shadow"
90
106
  And the JSON response at "target_user" should be "root"
91
107
  And the JSON response at "sudo/PWD" should be "/home/eve"
92
-
93
- Scenario: Custom event is indexed per resource
94
- When I run `conjur audit resource -s host:$ns/monitoring/server`
95
- Then the output should match /monitoring.server reported custom:sudo by .*:user:eve@(.*) on .*:host:(.*).monitoring.server \(allowed: false\); message: eve tried to run .* as root \(failed with user NOT in sudoers\)/
96
-
97
-
98
- Scenario: Custom event is indexed per submitter role
99
- When I run `conjur audit role -s host:$ns/monitoring/server`
100
- Then the output should match /monitoring.server reported custom:sudo by .*:user:eve@(.*) on .*:host:(.*).monitoring.server \(allowed: false\); message: eve tried to run .* as root \(failed with user NOT in sudoers\)/
101
-
102
- Scenario: Custom event is indexed per other roles
103
- When I run `conjur audit role -s user:eve@$ns`
104
- Then the output should match /monitoring.server reported custom:sudo by .*:user:eve@(.*) on .*:host:(.*).monitoring.server \(allowed: false\); message: eve tried to run .* as root \(failed with user NOT in sudoers\)/
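Review bot: The three removed scenarios matched the whole summary line, including the target `on .*:host:(.*).monitoring.server` and the suffix `(failed with user NOT in sudoers)`. The replacement scenarios earlier in this file check only three substrings, so neither the resource nor the error text is asserted in the `-s` output any more. Add `the stdout should contain` steps for both, or keep one regex assertion.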
@@ -39,25 +39,6 @@ Feature: Create custom audit events
39
39
  And I run `conjur audit all -s`
40
40
  Then the output should match /user:joe@.* reported login \(failed with password mismatch\)/
41
41
 
42
- Scenario: Fully described audit event (sent from file)
43
- When a file named "audit_event.json" with:
44
- """
45
- {
46
- "action": "login",
47
- "facility": "ssh",
48
- "role": "user:bob",
49
- "resource_id": "host:server",
50
- "allowed": false,
51
- "audit_message": "Client IP is 1.2.3.4",
52
- "error": "password mismatch"
53
- }
54
- """
55
- And I run `conjur audit send` interactively
56
- And I pipe in the file "audit_event.json"
57
- And the exit status should be 0
58
- And I run `conjur audit all -s`
59
- Then the output should match /user:joe@.* reported ssh:login by .*:user:bob on .*:host:server \(allowed: false\); message: Client IP is 1.2.3.4 \(failed with password mismatch\)/
60
-
61
42
  Scenario: Specify timestamp as IS08601 with timezone
62
43
  When I successfully run `conjur audit send '{"action":"login", "timestamp": "2014-07-01T01:02:03Z"}'`
63
44
  And I run `conjur audit all -s`
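Review bot: Removing `Fully described audit event (sent from file)` drops the scenario that feeds the event to `conjur audit send` on stdin and checks `facility`, `role`, `resource_id` and `audit_message` in the `audit all -s` line; the scenario that follows passes the JSON as an argument instead. If stdin input is still supported, keep a scenario for it here or say where it is covered. The context title `IS08601` (with a zero) should read `ISO8601`.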
@@ -9,6 +9,4 @@ Feature: Login a new user
9
9
  And I run `conjur authn login alice@$ns` interactively
10
10
  And I type "foobar"
11
11
  And the exit status should be 0
12
- And I successfully run `conjur authn whoami`
13
- Then the JSON at "username" should be %{LOGIN}
14
12
 
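Review bot: With the `conjur authn whoami` step and the `username` check removed, this scenario passes as long as `authn login` exits 0, without confirming that the stored credentials belong to `alice@$ns`. Keep an identity assertion after login, or state where that is now verified.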
@@ -11,6 +11,3 @@ Feature: Logout the user
11
11
  And the exit status should be 0
12
12
  And I successfully run `conjur authn logout`
13
13
  Then the stdout from "conjur authn logout" should contain exactly "Logged out\n"
14
- And I run `conjur authn whoami`
15
- And the exit status should be 255
16
- And the stderr from "conjur authn whoami" should contain "error: Not logged in"
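Review bot: Dropping the three `whoami` steps leaves the scenario checking only that `conjur authn logout` prints `Logged out`; it no longer shows that the cached credentials were actually discarded (previously exit status 255 and `error: Not logged in`). For a command whose purpose is to remove credentials, keep a post-logout step asserting that an authenticated call fails.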
@@ -2,21 +2,23 @@ Feature: Checking permissions on a resource
2
2
 
3
3
  Background:
4
4
  Given I successfully run `conjur resource create food:$ns/bacon`
5
+ And I reset the command list
5
6
 
6
7
  Scenario: By default I check my own privilege
7
8
  In this case, I have the privilege because I own the resource
8
9
 
9
10
  When I successfully run `conjur resource check food:$ns/bacon fry`
10
- Then the stdout from "conjur resource check food:$ns/bacon fry" should contain "true"
11
+ Then the stdout should contain exactly "true"
11
12
 
12
13
  Scenario: I can check the privileges of roles that I own
13
14
  When I successfully run `conjur role create job:$ns/cook`
15
+ And I reset the command list
14
16
  And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
15
- Then the stdout from "conjur resource check -r job:$ns/cook food:$ns/bacon fry" should contain "false"
17
+ Then the stdout should contain exactly "false"
16
18
 
17
19
  Scenario: I can check the privileges of roles that I own
18
20
  When I successfully run `conjur role create job:$ns/cook`
19
21
  And I successfully run `conjur resource permit food:$ns/bacon job:$ns/cook fry`
22
+ And I reset the command list
20
23
  And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
21
- Then the stdout from "conjur resource check -r job:$ns/cook food:$ns/bacon fry" should contain "true"
22
-
24
+ Then the stdout should contain exactly "true"
@@ -9,11 +9,13 @@ Feature: Create a Resource
9
9
 
10
10
  Scenario: The resource owner has all privileges on it
11
11
  When I successfully run `conjur resource create food:$ns/bacon`
12
+ And I reset the command list
12
13
  And I successfully run `conjur resource check food:$ns/bacon fry`
13
- Then the stdout from "conjur resource check food:$ns/bacon fry" should contain "true"
14
+ Then the stdout should contain exactly "true"
14
15
 
15
16
  Scenario: A different role can be assigned as the owner of the resource
16
17
  When I successfully run `conjur role create job:$ns/chefs`
17
18
  And I successfully run `conjur resource create --as-role job:$ns/chefs food:$ns/bacon`
19
+ And I reset the command list
18
20
  And I successfully run `conjur resource check -r job:$ns/chefs food:$ns/bacon fry`
19
- Then the stdout from "conjur resource check -r job:$ns/chefs food:$ns/bacon fry" should contain "true"
21
+ Then the stdout should contain exactly "true"
@@ -1,16 +1,18 @@
1
- Feature: Test the existance of a resource
1
+ Feature: Test the existence of a resource
2
2
 
3
3
  Scenario: Existing resources can be detected
4
4
  Given I successfully run `conjur resource create food:$ns/bacon`
5
+ And I reset the command list
5
6
  When I successfully run `conjur resource exists food:$ns/bacon`
6
- Then the stdout from "conjur resource exists food:$ns/bacon" should contain "true"
7
+ Then the stdout should contain exactly "true"
7
8
 
8
- Scenario: Non-existant resources are reported as such
9
+ Scenario: Non-existent resources are reported as such
9
10
  When I successfully run `conjur resource exists food:$ns/bacon`
10
- Then the stdout from "conjur resource exists food:$ns/bacon" should contain "false"
11
+ Then the stdout should contain exactly "false"
11
12
 
12
- Scenario: Even foreign user can check existance of a resource
13
+ Scenario: Even foreign user can check existence of a resource
13
14
  Given I successfully run `conjur resource create food:$ns/bacon`
14
15
  And I login as a new user
16
+ And I reset the command list
15
17
  And I run `conjur resource exists food:$ns/bacon`
16
- Then the stdout from "conjur resource exists food:$ns/bacon" should contain "true"
18
+ Then the stdout should contain exactly "true"
@@ -4,6 +4,7 @@ Feature: Give a resource to another role
4
4
  Given I successfully run `conjur resource create food:$ns/bacon`
5
5
  And I create a new user named "alice@$ns"
6
6
  Then I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
7
+ And I reset the command list
7
8
 
8
9
  Scenario: Resource owner is in the 'owner' field
9
10
  Given I successfully run `conjur resource create food:$ns/bacon`
@@ -18,5 +19,6 @@ Feature: Give a resource to another role
18
19
  And I create a new user named "alice@$ns"
19
20
  And I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
20
21
  And I login as "alice@$ns"
22
+ And I reset the command list
21
23
  When I successfully run `conjur resource check food:$ns/bacon fry`
22
- Then the stdout from "conjur resource check food:$ns/bacon fry" should contain "true"
24
+ Then the stdout should contain exactly "true"
@@ -2,6 +2,7 @@ Feature: Show a resource
2
2
 
3
3
  Background:
4
4
  Given I successfully run `conjur resource create food:$ns/bacon`
5
+ And I reset the command list
5
6
 
6
7
  Scenario: Showing a resource displays all its fields
7
8
  When I successfully run `conjur resource show food:$ns/bacon`
@@ -12,9 +13,10 @@ Feature: Show a resource
12
13
 
13
14
  Scenario: You can't show a resource on which you have no privileges
14
15
  Given I login as a new user
16
+ And I reset the command list
15
17
  When I run `conjur resource show food:$ns/bacon`
16
18
  Then the exit status should be 1
17
- And the output from "conjur resource show food:$ns/bacon" should contain "Forbidden"
19
+ And the output should contain "Forbidden"
18
20
 
19
21
  Scenario: You can show any resource if you have a privilege on it
20
22
  Once alice has a permission to fry bacon, she can show everything
@@ -1,4 +1,3 @@
1
- @real-api
2
1
  Feature: Retrieving role graphs
3
2
  As a Conjur user
4
3
  In order to understand the role hierarchy
@@ -4,19 +4,13 @@ Feature: Check an environment
4
4
  Given I run `conjur variable create $ns/access_key ABCDEF`
5
5
  And I run `conjur variable create $ns/secret_key XYZQWER`
6
6
  And I run `conjur variable create $ns/ssh_private_key PRIVATE_KEY_BODY`
7
- And I run `conjur user create -p alice@$ns` interactively
8
- And I type "foobar"
9
- And I type "foobar"
10
- And the exit status should be 0
7
+ And I create a new user named "alice@$ns"
11
8
  And I run `conjur resource permit variable:$ns/access_key user:alice@$ns execute`
12
9
  And I run `conjur resource permit variable:$ns/secret_key user:alice@$ns execute`
13
- And I run `conjur authn login -u alice@$ns` interactively
14
- And I type "foobar"
15
- And the exit status should be 0
16
-
10
+ And I login as "alice@$ns"
11
+ And I reset the command list
17
12
 
18
13
  Scenario: Check against permitted variables
19
-
20
14
  When I run `conjur env check --yaml '{ aws_access_key: !var $ns/access_key , aws_secret_key: !var $ns/secret_key }'`
21
15
  Then the exit status should be 0
22
16
  And the stdout should contain "aws_access_key: available\naws_secret_key: available\n"
@@ -25,4 +19,3 @@ Feature: Check an environment
25
19
  When I run `conjur env check --yaml '{ aws_access_key: !var $ns/access_key , ssh_private_key: !var $ns/ssh_private_key }'`
26
20
  Then the exit status should be 1
27
21
  And the stdout should contain "aws_access_key: available\nssh_private_key: unavailable\n"
28
-
@@ -3,8 +3,8 @@ Feature: Run command in an environment populated from Conjur variables
3
3
  Background:
4
4
  Given I run `conjur variable create $ns/access_key ABCDEF`
5
5
  And I run `conjur variable create $ns/secret_key XYZQWER`
6
+ And I reset the command list
6
7
 
7
8
  Scenario:
8
- When I run `conjur env run --yaml '{ cloud_access_key: !var $ns/access_key , cloud_secret_key: !var $ns/secret_key }' -- printenv CLOUD_ACCESS_KEY CLOUD_SECRET_KEY`
9
- Then the stdout should contain "ABCDEF\nXYZQWER"
10
-
9
+ When I run `bash -c "conjur env run --yaml '{ cloud_access_key: !var $ns/access_key , cloud_secret_key: !var $ns/secret_key }' -- env | grep CLOUD_"`
10
+ Then the stdout should contain exactly "CLOUD_ACCESS_KEY=ABCDEF\nCLOUD_SECRET_KEY=XYZQWER"
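Review bot: The new `should contain exactly "CLOUD_ACCESS_KEY=ABCDEF\nCLOUD_SECRET_KEY=XYZQWER"` assertion depends on the order in which `env` prints variables, which is not guaranteed, and the status returned by `bash -c` is now that of `grep`, not of `conjur env run`. Pipe through `sort` to make the order deterministic, and consider a separate step that asserts `conjur env run` itself exits 0.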
@@ -4,8 +4,8 @@ Feature: Embed values of Conjur variables into ERB template
4
4
  Given a file named "template.erb" with: 'aws credentials: [<%= conjurenv["aws_access_key"] %>, <%= conjurenv["aws_secret_key"] %>]'
5
5
  And I run `conjur variable create $ns/access_key ABCDEF`
6
6
  And I run `conjur variable create $ns/secret_key XYZQWER`
7
+ And I reset the command list
7
8
 
8
9
  Scenario:
9
10
  When I run `conjur env template --yaml '{ aws_access_key: !var $ns/access_key , aws_secret_key: !var $ns/secret_key }' template.erb `
10
11
  Then it prints the path to temporary file which contains: 'aws credentials: [ABCDEF, XYZQWER]'
11
-