conjur-cli 5.5.0 → 5.6.3

data/build-deb.sh

@@ -3,7 +3,9 @@
 export DEBUG=true 
 export GLI_DEBUG=true 
 
-debify clean
+if [[ "$(id -un)" == "jenkins" ]]; then
+  docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+fi  
 
 docker build -t conjur-cli-fpm -f Dockerfile.fpm .
 docker build -t conjur-cli-validate-packaging -f Dockerfile.validate-packaging .

data/ci/secrets/publish.yml

@@ -1,2 +1,2 @@
-ART_USERNAME: !var artifactory/users/jenkins/username
-ART_PASSWORD: !var artifactory/users/jenkins/password
+ART_USERNAME: !var ci/artifactory/users/jenkins/username
+ART_PASSWORD: !var ci/artifactory/users/jenkins/password

data/{conjur.gemspec → conjur-cli.gemspec}

@@ -15,8 +15,8 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.version       = Conjur::VERSION
 
-  gem.add_dependency 'activesupport', '>= 4.2'
-  gem.add_dependency 'conjur-api', '>= 4.28.1'
+  gem.add_dependency 'activesupport', '~> 4.2'
+  gem.add_dependency 'conjur-api', '~> 4.30'
   gem.add_dependency 'gli', '>=2.8.0'
   gem.add_dependency 'highline', '~> 1.7'
   gem.add_dependency 'netrc', '~> 0.10'
@@ -24,6 +24,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency 'deep_merge', '~> 1.0'
   gem.add_dependency 'xdg', '~> 2.2'
   gem.add_dependency 'table_print', '~> 1.5'
+  gem.add_dependency 'semantic', '>= 1.4.1'
 
   gem.add_runtime_dependency 'cas_rest_client', '~> 1.3'
 

data/lib/conjur/command.rb

@@ -142,35 +142,60 @@ module Conjur
           end
         end.join("\n")
       end
-      
-      def command_options_for_list(c)
+
+      def command_option_kind c
+        c.desc "Filter by kind"
+        c.flag [:k, :kind]
+      end
+
+      def command_option_as_role c
         return if c.flags.member?(:role) # avoid duplicate flags
         c.desc "Role to act as. By default, the current logged-in role is used."
         c.arg_name 'ROLE'
         c.flag [:role]
-    
+      end
+
+      def command_options_for_search c
         c.desc "Full-text search on resource id and annotation values" 
         c.flag [:s, :search]
         
-        c.desc "Maximum number of records to return"
-        c.flag [:l, :limit]
-        
         c.desc "Offset to start from"
         c.flag [:o, :offset]
         
+        c.desc "Maximum number of records to return"
+        c.flag [:l, :limit]
+
+        c.desc "Show the number of results, rather than printing them"
+        c.switch [:count]
+      end
+
+      def command_options_for_list(c)
+        command_option_as_role c
+        command_options_for_search c
+
         c.desc "Show only ids"
         c.switch [:i, :ids]
-        
+
         c.desc "Show annotations in 'raw' format"
         c.switch [:r, :"raw-annotations"]
       end
+
+      def process_command_options_for_search options
+        opts = options.slice(:search, :count, :limit, :offset, :kind)
+        opts[:acting_as] = options[:role] if options[:role]
+        opts[:search] = opts[:search].gsub('-',' ') if opts[:search]
+        if opts[:kind] && opts[:kind].index(',')
+          opts[:kind] = opts[:kind].split(',')
+        end
+        opts
+      end
       
       def command_impl_for_list(global_options, options, args)
-        opts = options.slice(:search, :limit, :options, :kind) 
-        opts[:acting_as] = options[:role] if options[:role]
-        opts[:search]=opts[:search].gsub('-',' ') if opts[:search]
+        opts = process_command_options_for_search(options)
         resources = api.resources(opts)
-        if options[:ids]
+        if resources.is_a?(Numeric)
+          puts resources
+        elsif options[:ids]
           puts JSON.pretty_generate(resources.map(&:resourceid))
         else
           resources = resources.map &:attributes
@@ -297,23 +322,58 @@ an alternative destination role.)
         obj.resource.give_to destination_role
       end
       
-      def display_members(members, options)
-        result = if options[:V]
-          members.collect {|member|
-            {
-              member: member.member.roleid,
-              grantor: member.grantor.roleid,
-              admin_option: member.admin_option
-            }
-          }
+      # Displays members, which may be either:
+      #
+      # * A numeric count
+      # * A list of role ids
+      # * A list of RoleGrant
+      #
+      # +options+ may include:
+      #
+      # * **V** Show full RoleGrant info
+      # * **system** show system (internal) roles
+      #
+      # @return [Numeric, Hash] Convert the input to a number or Hash.
+      def display_members(members, member_field, options)
+        # Get this case out of the way
+        return display(members) if members.is_a?(Numeric)
+
+        result, roleid_function = if members.blank?
+          [ [], nil ]
+        elsif members.first.is_a?(Conjur::RoleGrant)
+          if options[:V]
+            items = members.collect do |member|
+              {
+                member: member.member.roleid,
+                grantor: member.grantor.roleid,
+                admin_option: member.admin_option
+              }.tap do |obj|
+                obj[:role] = member.role.roleid if member.role
+              end
+            end
+            [
+              items, lambda {|member| member[member_field] }
+            ]
+          else
+            [ members.map{|m| m.send(member_field) }.map(&:roleid), lambda{|r| r} ]
+          end
         else
-          members.map(&:member).map(&:roleid)
+          [ members.map(&:roleid), lambda{|r| r} ]
         end
+
+        unless options[:system]
+          result.reject! do |member|
+            roleid_function.call(member) =~ /^.+?:@/
+          end
+        end
+
         display result
       end
 
       def display(obj, options = {})
-        str = if obj.respond_to?(:attributes)
+        str = if obj.is_a?(Numeric)
+          obj.to_s
+        elsif obj.respond_to?(:attributes)
           JSON.pretty_generate obj.attributes
         elsif obj.respond_to?(:id)
           obj.id

data/lib/conjur/command/groups.rb

@@ -145,7 +145,7 @@ class Conjur::Command::Groups < Conjur::Command
         c.switch [:V,:verbose]
         c.action do |global_options,options,args|
           group = require_arg(args, 'GROUP')
-          display_members api.group(group).role.members, options
+          display_members api.group(group).role.members, :member, options
         end
       end
 

data/lib/conjur/command/resources.rb

@@ -137,10 +137,15 @@ class Conjur::Command::Resources < Conjur::Command
     resource.desc "List roles with a specified permission on the resource"
     resource.arg_name "RESOURCE PERMISSION"
     resource.command :permitted_roles do |c|
+      command_option_kind c
+      command_options_for_search c
+
       c.action do |global_options,options,args|
         id = full_resource_id( require_arg(args, "RESOURCE") )
         permission = require_arg(args, "PERMISSION")
-        display api.resource(id).permitted_roles(permission)
+
+        opts = process_command_options_for_search(options)
+        display api.resource(id).permitted_roles(permission, opts)
       end
     end
 
@@ -191,9 +196,7 @@ class Conjur::Command::Resources < Conjur::Command
 
     resource.desc "List all resources"
     resource.command :list do |c|
-      c.desc "Filter by kind"
-      c.flag [:k, :kind]
-
+      command_option_kind c
       command_options_for_list c
 
       c.action do |global_options, options, args|

data/lib/conjur/command/roles.rb

@@ -74,21 +74,32 @@ class Conjur::Command::Roles < Conjur::Command
       end
     end
 
-    role.desc "Lists role memberships. The role membership list is recursively expanded."
+    role.desc "Lists role memberships. The role membership list is recursively expanded by default."
     role.arg_name "ROLE"
 
     role.command :memberships do |c|
+      c.desc "Verbose output. Only meaningful with --no-recursive."
+      c.switch [:V,:verbose]
+
+      c.desc "Whether to recursively expand role memberships"
+      c.default_value true
+      c.switch [:r, :recursive]
+
       c.desc "Whether to show system (internal) roles"
-      c.switch [:s, :system]
+      c.switch [:system]
+
+      command_option_kind c
+      command_options_for_search c
 
       c.action do |global_options,options,args|
         roleid = args.shift
+        assert_empty(args)
         role = roleid.nil? && api.current_role || api.role(roleid)
-        memberships = role.all.map(&:roleid)
-        unless options[:system]
-          memberships.reject!{|id| id =~ /^.+?:@/}
-        end
-        display memberships
+
+        opts = process_command_options_for_search(options)
+        opts[:recursive] = false unless options[:recursive]
+        memberships = role.all(opts)
+        display_members memberships, :role, options
       end
     end
 
@@ -98,9 +109,20 @@ class Conjur::Command::Roles < Conjur::Command
       c.desc "Verbose output"
       c.switch [:V,:verbose]
 
+      c.desc "Whether to show system (internal) roles"
+      c.switch [:system]
+
+      command_option_kind c
+      command_options_for_search c
+
       c.action do |global_options,options,args|
-        role = args.shift || api.user(api.username).roleid
-        display_members api.role(role).members, options
+        roleid = args.shift
+        assert_empty(args)
+        role = roleid.nil? && api.current_role || api.role(roleid)
+        opts = process_command_options_for_search(options)
+
+        members = role.members(opts)
+        display_members members, :member, options
       end
     end
 

data/lib/conjur/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2014-2016 Conjur Inc.
+# Copyright (C) 2014-2017 Conjur Inc.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = '5.5.0'
+  VERSION = '5.6.3'.freeze
   ::Version=VERSION
 end

data/publish-rubygem.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+
+docker pull registry.tld/conjurinc/publish-rubygem
+
+summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
+  docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
+  registry.tld/conjurinc/publish-rubygem conjur-cli
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd

data/spec/command/resources_spec.rb

@@ -7,6 +7,7 @@ describe Conjur::Command::Resources, logged_in: true do
   let (:resource_attributes) { { "some" => "attribute"} }
 
   before :each do
+    allow(api).to receive(:resource).and_call_original
     allow(api).to receive(:resource).with(full_resource_id).and_return(resource_instance)
   end 
 
@@ -135,18 +136,99 @@ describe Conjur::Command::Resources, logged_in: true do
     it { expect { invoke }.to write "Ownership granted" }
   end
 
-  describe_command "resource:permitted_roles #{KIND}:#{ID} #{PRIVILEGE}" do
-    let(:roles_list) { %W[klaatu barada nikto] }
-    before(:each) { 
-      allow(resource_instance).to receive(:permitted_roles).and_return(roles_list) 
+  context "list" do
+    def make_resource(kind, identifier, attributes)
+      authz_host = "http://conjur/authz"
+      credentials = {}
+      id = "the-account:#{kind}:#{identifier}"
+      api.resource(id).tap do |resource|
+        resource.attributes = attributes.merge(resourceid: id)
+      end
+    end
+    let(:resources) {
+      [
+        make_resource("food", "bacon", {}),
+        make_resource("food", "eggs", {})
+      ]
     }
-    it_behaves_like "it obtains resource by id"
-    it "calls resource.permitted_roles(#{PRIVILEGE}" do
-      expect(resource_instance).to receive(:permitted_roles)
-      invoke_silently
+    let(:resource_ids) {
+      [
+        "the-account:food:bacon",
+        "the-account:food:eggs"
+      ]      
+    }
+    describe_command "resource:list" do
+      it "displays JSONised list of resources" do
+        expect(api).to receive(:resources).with({}).and_return(resources)
+        expect(JSON.parse( expect { invoke }.to write )).to eq([
+          {"resourceid"=>"the-account:food:bacon", "annotations"=>{}}, 
+          {"resourceid"=>"the-account:food:eggs", "annotations"=>{}}
+        ])
+      end
+    end
+    describe_command "resource:list -i -k jobs" do
+      it "searches by resource kind" do
+        expect(api).to receive(:resources).with({kind: 'jobs'}).and_return(resources)
+        expect(JSON.parse( expect { invoke }.to write )).to eq(resource_ids)
+      end
+    end
+    describe_command "resource:list -i" do
+      it "displays resource ids" do
+        expect(api).to receive(:resources).with({}).and_return(resources)
+        expect(JSON.parse( expect { invoke }.to write )).to eq(resource_ids)
+      end
+    end
+    { search: "hamster", offset: 10, limit: 10 }.each do |k,v|
+      describe_command "resource:list -i --#{k} #{v}" do
+        it "displays the items" do
+          expect(api).to receive(:resources).with({k => v.to_s}).and_return(resources)
+          expect(JSON.parse( expect { invoke }.to write )).to eq(resource_ids)
+        end
+      end
+    end
+  end
+
+  context "permitted roles" do
+    let(:roles_list) { %W[klaatu barada nikto] }
+    describe_command "resource:permitted_roles #{KIND}:#{ID} #{PRIVILEGE}" do
+      before(:each) { 
+        allow(resource_instance).to receive(:permitted_roles).and_return(roles_list) 
+      }
+      it_behaves_like "it obtains resource by id"
+      it "calls resource.permitted_roles(#{PRIVILEGE}" do
+        expect(resource_instance).to receive(:permitted_roles).with(PRIVILEGE, {})
+        invoke_silently
+      end
+      it "displays JSONised list of roles" do
+        expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
+      end
+    end
+
+    describe_command "resource:permitted_roles --count #{KIND}:#{ID} #{PRIVILEGE}" do
+      before {
+        expect(resource_instance).to receive(:permitted_roles).with(PRIVILEGE, count: true).
+          and_return(12) 
+      }
+      it_behaves_like "it obtains resource by id"
+      it "calls resource.permitted_roles(#{PRIVILEGE}" do
+        invoke_silently
+      end
+      it "displays role count" do
+        expect(JSON.parse( expect { invoke }.to write )).to eq(12)
+      end
     end
-    it "displays JSONised list of roles" do
-      expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
+
+
+    describe_command "resource:permitted_roles -s frontend #{KIND}:#{ID} #{PRIVILEGE}" do
+      let(:roles_list) { %W[klaatu barada nikto] }
+      before {
+        expect(resource_instance).to receive(:permitted_roles).with(PRIVILEGE, search: "frontend").
+          and_return(roles_list) 
+      }
+      it_behaves_like "it obtains resource by id"
+      it "displays JSONised list of roles" do
+        expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
+      end
     end
   end
   

data/spec/command/roles_spec.rb

@@ -46,13 +46,92 @@ describe Conjur::Command::Roles, logged_in: true do
     end
   end
   
+  describe "role:members" do
+    let(:all_roles) { %w(foo:user:joerandom foo:something:cool foo:something:else foo:group:admins) }
+    let(:all_role_grants) { 
+      all_roles.map do |r| 
+        Conjur::RoleGrant.new(api.role("foo:user:joerandom"), api.role(r), api.role("foo:user:admin"), false)
+      end
+    }
+    let(:role) do
+      double "the role", members: all_role_grants
+    end
+  
+    before do
+      allow(api).to receive(:role).and_call_original
+      allow(api).to receive(:role).with(rolename).and_return role
+    end
+
+    context "when logged in as a user" do
+      let(:username) { "joerandom" }
+      let(:rolename) { "user:joerandom" }
+      
+      describe_command "role:members" do
+        it "lists all roles" do
+          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
+        end
+      end
+
+      describe_command "role:members -V" do
+        it "lists all roles verbosely" do
+          expect(JSON::parse(expect { invoke }.to write)).to eq(all_role_grants.map(&:to_h).map(&:stringify_keys))
+        end
+        describe "without RoleGrant.role field" do
+          it "lists the roles verbosely" do
+            all_role_grants.each do |rg|
+              rg.instance_variable_set "@role", nil
+            end
+            expect(JSON::parse(expect { invoke }.to write)).to eq(all_role_grants.map(&:to_h).map(&:stringify_keys))
+          end
+        end
+      end
+
+      describe_command "role:members --count" do
+        it "counts the roles" do
+          expect(role).to receive(:members).with({count: true}).and_return(all_roles.size)
+          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles.size)
+        end
+      end
+
+      describe_command "role:members -k hamster -s frontend -o 10 -l 10" do
+        it "lists selected roles" do
+          expect(role).to receive(:members).with({kind: 'hamster', search: 'frontend', offset: "10", limit: "10"}).and_return(all_role_grants)
+          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
+        end
+      end
+
+      describe_command "role:members -k hamster,giraffe" do
+        it "lists selected roles" do
+          expect(role).to receive(:members).with({kind: %w(hamster giraffe)}).and_return(all_role_grants)
+          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
+        end
+      end
+
+      describe_command "role:members -k hamster -k giraffe" do
+        it "applies only the last 'kind' filter" do
+          expect(role).to receive(:members).with({kind: 'giraffe'}).and_return(all_role_grants)
+          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
+        end
+      end
+  
+      describe_command "role:members foo:bar" do
+        let(:rolename) { 'foo:bar' }
+        it "lists all roles of foo:bar" do
+          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
+        end
+      end
+    end
+  end
+
   describe "role:memberships" do
     let(:all_roles) { %w(foo:user:joerandom foo:something:cool foo:something:else foo:group:admins) }
+    let(:all_role_objects) { all_roles.map{|r| double r, roleid: r } }
     let(:role) do
-      double "the role", all: all_roles.map{|r| double r, roleid: r }
+      double "the role", all: all_role_objects
     end
   
     before do
+      allow(api).to receive(:role).and_call_original
       allow(api).to receive(:role).with(rolename).and_return role
     end
 
@@ -65,6 +144,59 @@ describe Conjur::Command::Roles, logged_in: true do
           expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
         end
       end
+
+      describe_command "when empty" do
+        let(:all_roles) { [] }
+        describe_command "role:memberships" do
+          it "prints an empty array" do
+            expect(JSON::parse(expect { invoke }.to write)).to eq([])
+          end
+        end
+      end
+
+      describe_command "role:memberships" do
+        it "hides system roles" do
+          expect(role).to receive(:all).with({}).and_return([
+            double(:role, roleid: "the-account:@:hamster")
+          ])
+          expect(JSON::parse(expect { invoke }.to write)).to eq([])
+        end
+      end
+
+      describe_command "role:memberships --count" do
+        it "counts the roles" do
+          expect(role).to receive(:all).with({count: true}).and_return(all_roles.size)
+          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles.size)
+        end
+      end
+
+      context "with full role grant info" do
+        let(:all_role_grants) { 
+          all_roles.map do |r| 
+            Conjur::RoleGrant.new(api.role(r), api.role("foo:user:joerandom"), api.role("foo:user:admin"), false)
+          end
+        }
+        before {
+          expect(role).to receive(:all).with({recursive: false}).and_return(all_role_grants)
+        }
+        describe_command "role:memberships --no-recursive" do
+          it "lists the roles" do
+            expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
+          end
+        end
+        describe_command "role:memberships -V --no-recursive" do
+          it "shows all the roles" do
+            expect(JSON::parse(expect { invoke }.to write)).to eq(all_role_grants.map(&:to_h).map(&:stringify_keys))
+          end
+        end
+      end
+  
+      describe_command "role:memberships -k hamster -s frontend -o 10 -l 10" do
+        it "lists selected roles" do
+          expect(role).to receive(:all).with({kind: 'hamster', search: 'frontend', offset: "10", limit: "10"}).and_return(all_role_objects)
+          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
+        end
+      end
   
       describe_command "role:memberships foo:bar" do
         let(:rolename) { 'foo:bar' }