conjur-cli 4.8.0 → 4.9.3

data/lib/conjur/config.rb

@@ -31,7 +31,7 @@ module Conjur
       end
       
       def default_config_files
-        [ File.join("/etc", "conjur.conf"), ( ENV['CONJURRC'] || File.join(ENV['HOME'], ".conjurrc") ), '.conjurrc' ]
+        [ File.join("/etc", "conjur.conf"), ( ENV['CONJURRC'] || File.expand_path("~/.conjurrc") ), '.conjurrc' ]
       end
       
       def load(config_files = default_config_files)

data/lib/conjur/conjurenv.rb

@@ -0,0 +1,121 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/api'
+require 'yaml'
+
+module Conjur
+  class Env
+
+    class CustomTag
+      def initialize id 
+        raise "#{self.class.name.split('::').last} requires a parameter" if id.to_s.empty?
+        @id=id
+      end
+      def init_with(coder)
+        initialize(coder.scalar)
+      end
+      def conjur_id
+        @id
+      end
+    end
+
+    class ConjurVariable < CustomTag
+      def evaluate value
+        value.chomp
+      end
+    end
+
+    class ConjurTempfile < CustomTag
+      def evaluate value
+        @tempfile = if File.directory?("/dev/shm") and File.writable?("/dev/shm") 
+                      Tempfile.new("conjur","/dev/shm")
+                    else  
+                      Tempfile.new("conjur")
+                    end
+        @tempfile.write(value)
+        @tempfile.close
+        @tempfile.path
+      end
+    end
+
+    def initialize(options={})
+      raise ":file and :yaml options can not be provided together" if ( options.has_key?(:file) and options.has_key?(:yaml) )
+
+      yaml = if options.has_key?(:yaml) 
+                raise ":yaml option should be non-empty string" unless options[:yaml].kind_of?(String)
+                raise ":yaml option should be non-empty string" if options[:yaml].empty?
+                options[:yaml]
+              elsif options.has_key?(:file)
+                raise ":file option should be non-empty string" unless options[:file].kind_of?(String)
+                raise ":file option should be non-empty string" if options[:file].empty?
+                File.read(options[:file])
+              else
+                raise "either :file or :yaml option is mandatory"
+              end
+
+       @definition = parse(yaml)
+    end
+
+    def parse(yaml)
+      YAML.add_tag("!var", ConjurVariable)
+      YAML.add_tag("!tmp", ConjurTempfile)
+      definition = YAML.load(yaml)
+      raise "Definition should be a Hash" unless definition.kind_of?(Hash)
+      bad_types = definition.values.select { |v| not (v.kind_of?(String) or v.kind_of?(CustomTag)) }.map {|v| v.class}.uniq
+      raise "Definition can not include values of types: #{bad_types}" unless bad_types.empty?
+      definition
+    end
+
+    def obtain(api)
+      runtime_environment={}
+      variable_ids= @definition.values.map { |v| v.conjur_id rescue nil }.compact
+      conjur_values=api.variable_values(variable_ids)
+      @definition.each { |environment_name, reference| 
+        runtime_environment[environment_name]= if reference.respond_to?(:evaluate)
+                                                  reference.evaluate( conjur_values[reference.conjur_id] )
+                                               else
+                                                  reference # is a literal value
+                                               end
+      }
+      return runtime_environment
+    end
+
+    def check(api)
+      Hash[ 
+        @definition.map { |k,v| 
+
+          status = if v.respond_to? :conjur_id
+                     if api.resource("variable:"+v.conjur_id).permitted?(:execute)
+                       :available   
+                     else
+                       :unavailable
+                     end
+                   else
+                     :literal
+                   end
+ 
+          [ k, status ]
+        }
+      ]
+    end
+
+  end
+end

data/lib/conjur/dsl/runner.rb

@@ -25,6 +25,11 @@ module Conjur
         @objects = Array.new
       end
       
+      def owner=(owner)
+        raise "Owner should only be set once" unless @owners.empty?
+        @owners.push owner
+      end
+      
       # Provides a hash to export various application specific
       # asset ids (or anything else you want)
       def assets

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.8.0"
+  VERSION = "4.9.3"
   ::Version=VERSION
 end

data/spec/command/env_spec.rb

@@ -0,0 +1,152 @@
+require 'spec_helper'
+require 'conjur/conjurenv'
+require 'tempfile'
+
+
+shared_examples_for "processes environment definition" do |cmd, options|
+  before {  # suspend all interaction with the environment
+    Kernel.stub(:system).and_return(true) 
+  }
+  let(:stub_object) { double(obtain:{}, check:{}) }
+
+  describe_command "env:#{cmd} #{options}" do
+    it "uses .conjurenv file by default" do
+      Conjur::Env.should_receive(:new).with(file:".conjurenv").and_return(stub_object)
+      invoke
+    end
+  end
+
+  describe_command "env:#{cmd} -c somefile #{options}" do
+    it "uses desired file" do
+      Conjur::Env.should_receive(:new).with(file:"somefile").and_return(stub_object)
+      invoke
+    end
+  end
+  
+  describe_command "env:#{cmd} --yaml someyaml #{options}" do
+    it "uses inline yaml" do
+      Conjur::Env.should_receive(:new).with(yaml:"someyaml").and_return(stub_object)
+      invoke
+    end
+  end
+
+  describe_command "env:#{cmd} -c somefile --yaml someyaml #{options}" do
+    it "refuses to accept mutually exclusive options" do      
+      Conjur::Env.should_not_receive(:new)
+      expect { invoke }.to raise_error /Options -c and --yaml can not be provided together/
+    end
+  end
+end
+
+describe Conjur::Command::Env, logged_in: true do
+
+  let(:stub_env)    { double() }
+  describe ":check" do
+    it_behaves_like "processes environment definition", "check", ''
+
+    describe_command "env:check" do
+      before { Conjur::Env.should_receive(:new).and_return(stub_env) }
+      describe "without api errors" do
+        let(:stub_result) {  { "a" => :available, "b"=> :available } }
+        before {
+          stub_env.should_receive(:check).with(an_instance_of(Conjur::API)).and_return(stub_result)
+        }
+
+        describe "if all variables are available" do
+          it "prints #check result to the output" do
+            expect { invoke }.to write "a: available\nb: available\n"
+          end
+
+          it "does not crash" do
+            expect { invoke }.to_not raise_error
+          end
+        end
+
+        describe "if some variables are unavailable" do
+          let(:stub_result) {  { "a" => :unavailable, "b"=> :available } }
+          it "prints #check result to the output" do
+            expect { invoke rescue true }.to write "a: unavailable\nb: available\n"
+          end
+          it "crashes in the end" do
+            expect { invoke  }.to raise_error "Some variables are not available"
+          end
+        end
+      end
+      it 'does not rescue unexpected errors' do
+        stub_env.should_receive(:check).with(an_instance_of(Conjur::API)).and_return { raise "Custom error" }
+        expect { invoke }.to raise_error "Custom error"
+      end
+    end
+  end
+
+  describe ":run" do
+    it_behaves_like "processes environment definition", "run","-- extcmd"
+    describe_command "env:run" do
+      it 'fails because of missing argument' do 
+        Kernel.should_not_receive(:system)
+        expect { invoke }.to raise_error "External command with optional arguments should be provided" 
+      end 
+    end
+    describe_command "env:run -- extcmd --arg1 arg2" do
+      before { 
+        Conjur::Env.should_receive(:new).and_return(stub_env)
+      }
+
+      describe "if no errors are raised" do
+        let(:stub_result) { { "a" => "value_a", "b" => "value_b" } }
+        before {
+          stub_env.should_receive(:obtain).with(an_instance_of(Conjur::API)).and_return(stub_result)
+        }
+        it "performs #exec with environment (names in uppercase)" do
+          Kernel.should_receive(:system).with({"A"=>"value_a", "B"=>"value_b"}, "extcmd", "--arg1","arg2").and_return(true)
+          invoke 
+        end
+      end
+      it "does not rescue unexpected errors" do
+        stub_env.should_receive(:obtain).with(an_instance_of(Conjur::API)).and_return { raise "Custom error" } 
+        expect { invoke }.to raise_error "Custom error"
+      end
+    end
+  end
+
+  describe ":template" do
+    context do 
+      before { # prevent real operation
+        File.stub(:readable?).with("config.erb").and_return(true)
+        File.stub(:read).with("config.erb").and_return("template")
+        ERB.stub(:new).and_return(double(result:''))
+        Tempfile.stub(:new).and_return(double(write: true, close: true, path: 'somepath'))
+        FileUtils.stub(:copy).and_return(true)
+      }
+      it_behaves_like "processes environment definition", "template","config.erb"
+    end
+    describe_command "env:template" do
+      it 'fails because of missing argument' do 
+        Tempfile.should_not_receive(:new)
+        expect { invoke }.to raise_error "Location of readable ERB template should be provided"
+      end 
+    end
+    describe_command "env:template config.erb" do
+      let(:erb_template) { """
+variable <%= conjurenv['a'] %>
+other variable <%= conjurenv['b'] %>
+"""
+      }
+      before { 
+        File.stub(:readable?).with("config.erb").and_return(true)
+        File.stub(:read).with("config.erb").and_return(erb_template)
+        Conjur::Env.should_receive(:new).and_return(stub_env)
+        stub_env.should_receive(:obtain).with(an_instance_of(Conjur::API)).and_return( {"a"=>"value_a","b"=>"value_b","c"=>"value_c"} )
+      }
+
+      it "creates persistent tempfile, saves rendered template into it, prints out name of the file" do 
+        stubpath="/tmp/temp.file"
+        tempfile=double(close: true, path: stubpath)
+        Tempfile.should_receive(:new).and_return(tempfile)
+        tempfile.should_receive(:write).with("\nvariable value_a\nother variable value_b\n")  
+        FileUtils.should_receive(:copy).with(stubpath,stubpath+'.saved') # avoid garbage collection
+        expect { invoke }.to write stubpath+".saved"
+      end
+    end
+  end
+end

data/spec/command/init_spec.rb

@@ -2,7 +2,57 @@ require 'spec_helper'
 
 tmpdir = Dir.mktmpdir
 
+GITHUB_FP = "SHA1 Fingerprint=A0:C4:A7:46:00:ED:A7:2D:C0:BE:CB:9A:8C:B6:07:CA:58:EE:74:5E"
+GITHUB_CERT = <<EOF
+-----BEGIN CERTIFICATE-----
+MIIF4DCCBMigAwIBAgIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
+IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE0MDQwODAwMDAwMFoXDTE2MDQxMjEy
+MDAwMFowgfAxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
+BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
+Ewc1MTU3NTUwMRcwFQYDVQQJEw41NDggNHRoIFN0cmVldDEOMAwGA1UEERMFOTQx
+MDcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdp
+dGh1Yi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx1Nw8r/3z
+Tu3BZ63myyLot+KrKPL33GJwCNEMr9YWaiGwNksXDTZjBK6/6iBRlWVm8r+5TaQM
+Kev1FbHoNbNwEJTVG1m0Jg/Wg1dZneF8Cd3gE8pNb0Obzc+HOhWnhd1mg+2TDP4r
+bTgceYiQz61YGC1R0cKj8keMbzgJubjvTJMLy4OUh+rgo7XZe5trD0P5yu6ADSin
+dvEl9ME1PPZ0rd5qM4J73P1LdqfC7vJqv6kkpl/nLnwO28N0c/p+xtjPYOs2ViG2
+wYq4JIJNeCS66R2hiqeHvmYlab++O3JuT+DkhSUIsZGJuNZ0ZXabLE9iH6H6Or6c
+JL+fyrDFwGeNAgMBAAGjggHuMIIB6jAfBgNVHSMEGDAWgBQ901Cl1qCt7vNKYApl
+0yHU+PjWDzAdBgNVHQ4EFgQUakOQfTuYFHJSlTqqKApD+FF+06YwJQYDVR0RBB4w
+HIIKZ2l0aHViLmNvbYIOd3d3LmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0G
+A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5o
+dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1ldi1zZXJ2ZXItZzEuY3JsMDSg
+MqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1ldi1zZXJ2ZXItZzEu
+Y3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBz
+Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgYgGCCsGAQUFBwEBBHwwejAkBggrBgEF
+BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFIGCCsGAQUFBzAChkZodHRw
+Oi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyRXh0ZW5kZWRWYWxp
+ZGF0aW9uU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQAD
+ggEBAG/nbcuC8++QhwnXDxUiLIz+06scipbbXRJd0XjAMbD/RciJ9wiYUhcfTEsg
+ZGpt21DXEL5+q/4vgNipSlhBaYFyGQiDm5IQTmIte0ZwQ26jUxMf4pOmI1v3kj43
+FHU7uUskQS6lPUgND5nqHkKXxv6V2qtHmssrA9YNQMEK93ga2rWDpK21mUkgLviT
+PB5sPdE7IzprOCp+Ynpf3RcFddAkXb6NqJoQRPrStMrv19C1dqUmJRwIQdhkkqev
+ff6IQDlhC8BIMKmCNK33cEYDfDWROtW7JNgBvBTwww8jO1gyug8SbGZ6bZ3k8OV8
+XX4C2NesiZcLYbc2n7B9O+63M2k=
+-----END CERTIFICATE-----
+EOF
+
 describe Conjur::Command::Init do
+  it "properly defaults to a file path" do
+    expect(Conjur::CLI.commands[:init].flags[:f].default_value).to eq("#{ENV['HOME']}/.conjurrc")
+  end
+
+  describe ".get_certificate" do
+    it "returns the right certificate from github" do
+      fingerprint, certificate = Conjur::Command::Init.get_certificate('github.com:443')
+      expect(fingerprint).to eq(GITHUB_FP)
+      expect(certificate.strip).to eq(GITHUB_CERT.strip)
+    end
+  end
+
   context logged_in: false do
     before {
       File.stub(:exists?).and_return false
@@ -10,7 +60,7 @@ describe Conjur::Command::Init do
     context "auto-fetching fingerprint" do
       before {
         HighLine.any_instance.stub(:ask).with("Enter the hostname (and optional port) of your Conjur endpoint: ").and_return "the-host"
-        Object.any_instance.should_receive(:`).with("echo | openssl s_client -connect the-host:443  2>/dev/null | openssl x509 -fingerprint").and_return "the-fingerprint"
+        Conjur::Command::Init.stub get_certificate: ["the-fingerprint", nil]
         HighLine.any_instance.stub(:ask).with(/^Trust this certificate/).and_return "yes"
       }
       describe_command 'init' do
@@ -40,6 +90,13 @@ describe Conjur::Command::Init do
         invoke
       end
     end
+    describe_command 'init -a the-account -h https://google.com' do
+      it "writes the config and cert" do
+        HighLine.any_instance.stub(:ask).and_return "yes"
+        File.should_receive(:open).twice
+        invoke
+      end
+    end
     describe_command 'init -a the-account -h localhost -c the-cert' do
       it "writes config and cert files" do
         File.should_receive(:open).twice
@@ -51,16 +108,13 @@ describe Conjur::Command::Init do
         it "writes config and cert files" do
           invoke
           
-          File.read(File.join(tmpdir, ".conjurrc")).should == """---
-account: the-account
-plugins:
-- environment
-- layer
-- key-pair
-- pubkeys
-appliance_url: https://localhost/api
-cert_file: #{tmpdir}/conjur-the-account.pem
-"""
+          expect(YAML.load(File.read(File.join(tmpdir, ".conjurrc")))).to eq({
+            account: 'the-account',
+            plugins: %w(environment layer key-pair pubkeys),
+            appliance_url: "https://localhost/api",
+            cert_file: "#{tmpdir}/conjur-the-account.pem"
+          }.stringify_keys)
+
           File.read(File.join(tmpdir, "conjur-the-account.pem")).should == "the-cert\n"
         end
       end

data/spec/command/policy_spec.rb

@@ -2,6 +2,18 @@ require 'spec_helper'
 require 'conjur/dsl/runner'
 
 describe Conjur::Command::Policy do
+  describe ".default_collection_user" do
+    it "returns the current username" do
+      expect(Conjur::Command::Policy.default_collection_user).to eq(`whoami`.strip)
+    end
+  end
+
+  describe ".default_collection_hostname" do
+    it "returns the current hostname" do
+      expect(Conjur::Command::Policy.default_collection_hostname).to eq(`hostname`.strip)
+    end
+  end
+
   context logged_in: true do
     let(:role) do
       double("role", exists?: true, api_key: "the-api-key", roleid: "the-role")
@@ -9,17 +21,15 @@ describe Conjur::Command::Policy do
     let(:resource) do
       double("resource", exists?: true).as_null_object
     end
-    let(:name) { nil }
     before {
       File.stub(:read).with("policy-body").and_return "{}"
       Conjur::DSL::Runner.any_instance.stub(:api).and_return api
     }
     before {
+      api.stub(:role).and_call_original
+      api.stub(:resource).and_call_original
       api.stub(:role).with("the-account:policy:#{collection}/the-policy-1.0.0").and_return role
       api.stub(:resource).with("the-account:policy:#{collection}/the-policy-1.0.0").and_return resource
-      if name
-        resource.should_receive(:[]).with(:name, name)
-      end
     }
     
     describe_command 'policy:load --collection the-collection policy-body' do
@@ -33,6 +43,15 @@ describe Conjur::Command::Policy do
       before {
         stub_const("ENV", "USER" => "alice", "HOSTNAME" => "localhost")
       }
+      describe_command 'policy:load --as-group the-group policy-body' do
+        let(:group) { double(:group, exists?: true) }
+        it "creates the policy" do
+          Conjur::Command.api.stub(:role).with("the-account:group:the-group").and_return group
+          Conjur::DSL::Runner.any_instance.should_receive(:owner=).with("the-account:group:the-group")
+          
+          invoke.should == 0
+        end
+      end
       describe_command 'policy:load policy-body' do
         it "creates the policy with default collection" do
           invoke.should == 0
@@ -40,4 +59,4 @@ describe Conjur::Command::Policy do
       end
     end
   end
-end
+end