conjur-cli 4.28.2 → 4.29.0

data/acceptance-features/directory/hostfactory/create.feature

@@ -0,0 +1,13 @@
+Feature: Create a Host Factory
+  Background:
+    Given I successfully run `conjur layer create --as-group $ns/security_admin $ns/layer`
+
+  Scenario: Create a host factory successfully
+    When I successfully run `conjur hostfactory create --as-group $ns/security_admin --layer $ns/layer $ns/hostfactory`
+    Then the JSON should have "deputy_api_key"
+
+  Scenario: Host factory owner must have admin on layer
+    Given I successfully run `conjur user create unprivileged@$ns`
+    When I run `conjur hostfactory create --as-role user:unprivileged@$ns --layer $ns/layer $ns/hostfactory`
+    Then the stderr should contain "must be an admin of layer"
+    And the stdout should not contain anything

data/acceptance-features/directory/hostfactory/tokens.feature

@@ -0,0 +1,16 @@
+Feature: Host factory tokens
+
+  Background:
+    Given I successfully run `conjur layer create --as-group $ns/security_admin $ns/layer`
+    And I successfully run `conjur hostfactory create --as-group $ns/security_admin --layer $ns/layer $ns/hostfactory`
+
+  Scenario: create a host factory token
+    When I successfully run `conjur hostfactory token create $ns/hostfactory`
+    Then the JSON should have "0/token"
+
+  Scenario: create a host using a token
+    When I successfully run `conjur hostfactory token create $ns/hostfactory`
+    And I keep the JSON response at "0/token" as "TOKEN"
+    Then I successfully run `conjur hostfactory host create %{TOKEN} $ns/host`
+    And the JSON should have "api_key"
+ 

data/acceptance-features/directory/layer/retire.feature

@@ -0,0 +1,43 @@
+Feature: Retire a layer
+  Background:
+    When I successfully run `conjur layer create $ns/applayer`
+
+  Scenario: Basic retirement
+    Then I successfully run `conjur layer retire -d user:attic@$ns $ns/applayer`
+
+  Scenario: Retiring a non-existent thing propagates the 404
+    Then I run `conjur layer retire -d user:attic@$ns $ns/foobar`
+    Then the exit status should be 1
+    And the stderr should contain "Resource Not Found"
+
+  Scenario: A foreign user can't retire a layer
+    Given I login as a new user
+    And I run `conjur layer retire -d user:attic@$ns $ns/applayer`
+    Then the exit status should be 1
+    And the stderr should contain "You can't administer this record"
+
+  Scenario: Can't retire to a non-existant role
+    And I run `conjur layer retire -d user:foobar $ns/applayer`
+    Then the exit status should be 1
+    And the output should match /error: Destination role/
+    And the output should match /doesn't exist$/
+
+  Scenario: I can retire a layer which I've granted to a group
+    Given I successfully run `conjur group create $ns/admin`
+    And I successfully run `conjur role grant_to layer:$ns/applayer group:$ns/admin`
+    Then I successfully run `conjur layer retire -d user:attic@$ns $ns/applayer`
+
+  Scenario: I can retire a layer which I've given to a group that I can admin
+    Given I successfully run `conjur group create $ns/admin`
+    And I successfully run `conjur resource give layer:$ns/applayer group:$ns/admin`
+    Then I successfully run `conjur layer retire -d user:attic@$ns $ns/applayer`
+
+  Scenario: I can't retire a layer if I can't admin the layer's role
+    Given I successfully run `conjur group create $ns/admin`
+    And I successfully run `conjur role grant_to layer:$ns/applayer group:$ns/admin`
+    Given I create a new user named "alice@$ns"
+    And I successfully run `conjur group members add -a $ns/admin alice@$ns`
+    And I login as "alice@$ns"
+    And I run `conjur layer retire -d user:attic@$ns $ns/applayer`
+    Then the exit status should be 1
+    And the stderr should contain "You can't administer this record"

data/acceptance-features/directory/user/update_password.feature

@@ -7,7 +7,6 @@ Feature: Update the password of the logged-in user
     And I run `conjur user update_password` interactively
     Then I can type and confirm a new password
 
-  @announce
   Scenario: The new password can be used to login
     And I run `conjur user update_password` interactively
     And I type and confirm a new password

data/acceptance-features/directory/variable/value.feature

@@ -3,11 +3,12 @@ Feature: Obtain value from variable
   Background:
     Given I successfully run `conjur variable create $ns/secret secretvalue` 
     And I successfully run `conjur variable values add $ns/secret updatedvalue`
+    And I reset the command list
 
   Scenario: Recent value is obtained by default
     When I run `conjur variable value $ns/secret`
-    Then the output should match /updatedvalue$/
+    Then the stdout should contain exactly "updatedvalue"
   
   Scenario: Previous values can be obtained by version
     When I run `conjur variable value -v 1 $ns/secret`
-    Then the output should match /secretvalue$/
+    Then the stdout should contain exactly "secretvalue"

data/acceptance-features/dsl/policy_owner.feature

@@ -8,24 +8,38 @@ policy 'test-policy-1.0' do
   user "test_user"
 end
     """
+    And I reset the command list
 
   Scenario: --as-group works
     When I run `conjur policy load --as-group $ns/admin --collection $ns` interactively
     And I pipe in the file "policy.rb"
-    And the exit status should be 0
+    And the command completes successfully
+    And I reset the command list
     When I run `conjur role members policy:$ns/test-policy-1.0`
-    Then the output from "conjur role members policy:$ns/test-policy-1.0" should match /group:.*$ns.admin/
+    Then the JSON should be:
+    """
+    [
+	    "cucumber:group:%{NAMESPACE}/admin"
+	  ]
+	  """
 
   Scenario: --as-role works
     When I run `conjur policy load --as-role group:$ns/admin --collection $ns` interactively
     And I pipe in the file "policy.rb"
-    And the exit status should be 0
+    And the command completes successfully
+    And I reset the command list
     When I run `conjur role members policy:$ns/test-policy-1.0`
-    Then the output from "conjur role members policy:$ns/test-policy-1.0" should match /group:.*$ns.admin/
+    Then the JSON should be:
+    """
+    [
+	    "cucumber:group:%{NAMESPACE}/admin"
+	  ]
+	  """
 
   Scenario: --as-group doesn't interfere with policy ownership of other resources
     When I run `conjur policy load --as-group $ns/admin --collection $ns` interactively
     And I pipe in the file "policy.rb"
-    And the exit status should be 0
-    When I run `conjur resource show user:test_user@$ns-test-policy-1-0 | jsonfield owner`
-    Then the output from "conjur resource show user:test_user@$ns-test-policy-1-0 | jsonfield owner" should match /policy:$ns.test-policy-1.0/
+    And the command completes successfully
+    And I reset the command list
+    When I run `conjur resource show user:test_user@$ns-test-policy-1-0`
+    Then the JSON at "owner" should be "cucumber:policy:%{NAMESPACE}/test-policy-1.0"

data/acceptance-features/dsl/resource_owner.feature

@@ -11,7 +11,7 @@ end
   Scenario: resource is create with correct ownership
     When I run `conjur policy load --collection $ns` interactively
     And I pipe in the file "policy.rb"
-    And the exit status should be 0
-    When I run `conjur resource show webservice:$ns/test-policy-1.0/web1 | jsonfield owner`
-    Then the output from "conjur resource show webservice:$ns/test-policy-1.0/web1 | jsonfield owner" should match /policy:$ns.test-policy-1.0/
-
+    And the command completes successfully
+    And I reset the command list
+    When I run `conjur resource show webservice:$ns/test-policy-1.0/web1`
+    Then the JSON at "owner" should be "cucumber:policy:%{NAMESPACE}/test-policy-1.0"

data/acceptance-features/pubkeys/add.feature

@@ -3,6 +3,7 @@ Feature: Register a public key
   Background:
     Given I successfully run `conjur user create alice@$ns`
     And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
+    And I reset the command list
 
   Scenario: Register a public key file for a user
     When I run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
@@ -11,10 +12,11 @@ Feature: Register a public key
   Scenario: You can't accidentally register the private key
     When I run `conjur pubkeys add alice@$ns @id_alice_$ns`
     Then the exit status should be 1
-    And the stderr from "conjur pubkeys add alice@$ns @id_alice_$ns" should contain "Unprocessable Entity"
+    And the stderr should contain "Unprocessable Entity"
 
   Scenario: Unauthorized users cannot modify public keys
     Given I login as new user "bob@$ns"
+    And I reset the command list
     And I run `conjur pubkeys add alice@$ns @id_alice_$ns.pub` 
     Then the exit status should be 1
-    And the stderr from "conjur pubkeys add alice@$ns @id_alice_$ns.pub" should contain "Forbidden"
+    And the stderr should contain "Forbidden"

data/acceptance-features/pubkeys/names.feature

@@ -3,15 +3,17 @@ Feature: List known public key names for a user
   Background:
     Given I successfully run `conjur user create alice@$ns`
     And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
+    And I reset the command list
 
   Scenario: Initial key names list is empty
     When I run `conjur pubkeys names alice@$ns`
-    Then the stdout from "conjur pubkeys names alice@$ns" should contain exactly ""
+    Then the stdout should contain exactly ""
 
   Scenario: After adding a key, the key name is shown
     Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
+    And I reset the command list
     And I run `conjur pubkeys names alice@$ns`
-    Then the stdout from "conjur pubkeys names alice@$ns" should contain exactly:
+    Then the stdout should contain exactly:
     """
     laptop\n
     """
@@ -19,5 +21,6 @@ Feature: List known public key names for a user
   Scenario: After deleting the key, the key names list is empty again
     Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
     And I successfully run `conjur pubkeys delete alice@$ns laptop`
+    And I reset the command list
     And I run `conjur pubkeys names alice@$ns`
-    Then the stdout from "conjur pubkeys names alice@$ns" should contain exactly ""
+    Then the stdout should contain exactly ""

data/acceptance-features/pubkeys/show.feature

@@ -3,10 +3,11 @@ Feature: Show public keys for a user
   Background:
     Given I successfully run `conjur user create alice@$ns`
     And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
+    And I reset the command list
 
   Scenario: Initial key list is empty
     When I run `conjur pubkeys show alice@$ns`
-    Then the stdout from "conjur pubkeys show alice@$ns" should contain exactly "\n"
+    Then the stdout should contain exactly "\n"
 
   Scenario: After adding a key, the key is shown
     Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
@@ -16,8 +17,9 @@ Feature: Show public keys for a user
   Scenario: After deleting the key, the key list is empty again
     Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
     And I successfully run `conjur pubkeys delete alice@$ns laptop`
+    And I reset the command list
     And I run `conjur pubkeys show alice@$ns`
-    Then the stdout from "conjur pubkeys show alice@$ns" should contain exactly "\n"
+    Then the stdout should contain exactly "\n"
 
   Scenario: Public keys can be listed using cURL, without authentication
     Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`

data/acceptance-features/step_definitions/{cli.rb → cli_steps.rb}

@@ -1,5 +1,19 @@
-Then /^I show the output$/ do
-  puts all_output
+Then /^I reset the command list/ do
+  aruba.command_monitor.clear
+end
+
+When /^the command completes successfully/ do
+  last_command_started.wait
+  last_command_started.terminate
+  expect(last_command_started.exit_status).to eq(0)
+end
+
+Then /^I send the audit event:/ do |event|
+  event = event.gsub('$ns',@namespace)
+  step "I run `env RESTCLIENT_LOG=stderr conjur audit send` interactively"
+  last_command_started.write event
+  last_command_started.close_io :stdin
+  step "the command completes successfully"
 end
 
 # this is step copypasted from https://github.com/cucumber/aruba/blob/master/lib/aruba/cucumber.rb#L24 
@@ -14,9 +28,9 @@ Given(/^a file named "([^"]*?)" with namespace substitution:$/) do |file_name, f
 end
 
 Then /^it prints the path to temporary file which contains: '(.*)'$/ do |content|
-  filename = all_output.split("\n").last
+  filename = last_command_started.stdout.strip
   tempfiles << filename
-  actual_content=File.read(filename) rescue ""
+  actual_content = File.read(filename)
   expect(actual_content).to match(content)
 end
 

data/acceptance-features/step_definitions/user_steps.rb

@@ -9,23 +9,23 @@ end
 
 Given(/^I create a new user named "(.*?)"$/) do |username|
   username_ns = username.gsub('$ns',@namespace)
-  password = find_or_create_password(username_ns)
  
-  step "I run `conjur user create --as-role user:admin@#{@namespace} -p #{username_ns}` interactively"
-  step %Q(I type "#{password}")
-  step %Q(I type "#{password}")
-  step "the exit status should be 0"
+  step "I successfully run `conjur user create --as-role user:admin@#{@namespace} #{username_ns}`"
+  
+  user_info = JSON.parse(last_command_started.stdout)
+  save_password username_ns, user_info['api_key']
 end
 
 Given(/^I create a new host with id "(.*?)"$/) do |hostid|
   step "I successfully run `conjur host create #{@namespace}/monitoring/server`"
-  step 'I keep the JSON response at "api_key" as "API_KEY"'
-  step 'I keep the JSON response at "id" as "HOST_ID"'
+  host = JSON.parse(last_json)
+  @host_id = host['id']
+  @host_api_key = host['api_key']
 end
 
-Given(/^I login as a new host/) do
-  step "I run `conjur authn login -u host/%{HOST_ID} -p %{API_KEY}` interactively"
-  step "the exit status should be 0"
+Given(/^I login as the new host/) do
+  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "host/#{@host_id}")
+  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{@host_api_key}")
 end
 
 Given(/^I login as new user "(.*?)"$/) do |username|
@@ -36,9 +36,10 @@ end
 
 Given(/^I login as "(.*?)"$/) do |username|
   username_ns = username.gsub('$ns',@namespace)
-  password = find_or_create_password(username_ns)
+  password = find_password(username_ns)
   
-  Conjur::Authn.save_credentials username: username_ns, password: password
+  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "#{username_ns}")
+  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{password}")
 end
 
 Then(/^I(?: can)? type and confirm a new password/) do

data/acceptance-features/support/env.rb

@@ -1,5 +1,4 @@
 require "aruba/cucumber"
 require "json_spec/cucumber"
-require "conjur-asset-audit-send"
 
 $LOAD_PATH.unshift File.expand_path('../..', File.dirname(__FILE__))

data/acceptance-features/support/hooks.rb

@@ -6,41 +6,42 @@ require 'conjur/authn'
 netrc = Conjur::Authn.netrc
 username, password = Conjur::Authn.get_credentials
 raise "Not logged in to Conjur" unless username && password
-puts "Logging in as #{username}"
+puts "Performing acceptance tests as root-ish user '#{username}'"
 
 # Future Aruba
-#Aruba.configure do |config|
-#  config.exit_timeout = 15
-#end
+Aruba.configure do |config|
+  config.exit_timeout = 15
+  config.io_wait_timeout = 2
+end
 
 Before('@conjurapi-log') do
   set_env 'CONJURAPI_LOG', 'stderr'
 end
 
 Before do
-  Conjur::Authn.save_credentials username: username, password: password
+  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "#{username}")
+  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{password}")
   
   @admin_api = conjur_api = Conjur::Authn.connect
   
   @namespace = conjur_api.create_variable("text/plain", "id").id
   user = conjur_api.create_user "admin@#{@namespace}", ownerid: "#{Conjur.configuration.account}:user:#{username}"
 
-  netrc[Conjur::Authn.host] = [ "admin@#{@namespace}", user.api_key ]
-  netrc.save
-
   conjur_api = Conjur::Authn.connect
   @security_admin = conjur_api.create_group [ @namespace, "security_admin" ].join('/')
   @security_admin.add_member user, admin_option: true
   
   JsonSpec.memorize "MY_ROLEID", %Q("#{user.roleid}")
+  JsonSpec.memorize "NAMESPACE", @namespace
   
   @admin_api.group("pubkeys-1.0/key-managers").add_member @security_admin
   @admin_api.resource('!:!:conjur').permit 'elevate', user, grant_option: true
   @admin_api.resource('!:!:conjur').permit 'reveal',  user, grant_option: true
   
   conjur_api.create_user "attic@#{@namespace}"
-  
-  @aruba_timeout_seconds = 30
+
+  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "#{user.login}")
+  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{user.api_key}")
 end
 
 After do
@@ -50,10 +51,6 @@ After do
   tempfiles.each { |tempfile| File.unlink(tempfile) unless tempfile.nil? }
 end
 
-at_exit do
-  Conjur::Authn.save_credentials username: username, password: password
-end
-
 require 'ostruct'
 
 class MockAPI

data/acceptance-features/support/world.rb

@@ -5,13 +5,25 @@ module ConjurCLIWorld
   include Aruba::Api
   
   def last_json
-    stdout_from(@last_cmd)
+    process_cmd last_command_started.stdout
   end
   
-  def find_or_create_password(username)
+  def passwords
     @passwords ||= {}
-    unless password = @passwords[username] 
-      password = @passwords[username] = SecureRandom.hex(12)
+  end
+  
+  def save_password username, password
+    raise "Found existing password for user '#{username}'" if passwords[username]
+    passwords[username] = password
+  end
+  
+  def find_password username
+    passwords[username] or raise "No password for user '#{username}'"
+  end 
+  
+  def find_or_create_password(username)
+    unless password = passwords[username] 
+      password = passwords[username] = SecureRandom.hex(12)
     end
     password
   end
@@ -24,21 +36,8 @@ module ConjurCLIWorld
   def run(cmd, *args)
     # it's a thunk now so it should be returned. puts can be added back as block if we want to
     super process_cmd(cmd), *args
-
-    #puts stderr_from(cmd)
-    #puts stdout_from(cmd)
   end 
 
-  def stderr_from(cmd)
-    super process_cmd(cmd)
-  end
-  def stdout_from(cmd)
-    super process_cmd(cmd)
-  end 
-  def output_from(cmd)
-    super process_cmd(cmd)
-  end
-  
   # Substitute the namespace for marker $ns
   def unescape(string)
     string = super
@@ -60,7 +59,6 @@ module ConjurCLIWorld
     cmd.gsub!("$ns", namespace)
     cmd.gsub!("$pubkeys_url", Conjur.configuration.pubkeys_url)
     
-    @last_cmd = cmd
     JsonSpec.memory.each do |k,v|
       cmd.gsub!("%{#{k}}", v)
     end