conjur-cli 5.6.6 → 6.0.0.rc1

data/.githooks/pre_commit/run_specs.rb

@@ -1,23 +0,0 @@
-require 'English'
-
-module Overcommit::GitHook
-  # Try to avoid commiting code which breaks specs.
-  # Install the hook with `overcommit .` in the top directory.
-  class SpecsPass < HookSpecificCheck
-    include HookRegistry
-    file_types :rb
-
-    def run_check
-      unless in_path?('rspec')
-        return :warn, 'rspec not installed -- run `gem install rspec`'
-      end
-
-      output = `rspec 2>&1`
-      if $CHILD_STATUS.exitstatus == 0
-        return :good
-      else
-        return :bad, output
-      end
-    end
-  end
-end

data/Dockerfile

@@ -1,15 +0,0 @@
-FROM ruby:2.2.4
-
-RUN mkdir /src
-WORKDIR /src
-
-COPY Gemfile Gemfile
-COPY conjur-cli.gemspec conjur-cli.gemspec
-COPY lib/conjur/version.rb lib/conjur/version.rb
-
-# Make sure only one version of bundler is available
-RUN gem uninstall bundler -i /usr/local/lib/ruby/gems/2.1.0 bundler || true && \
-  gem uninstall bundler -i /usr/local/lib/ruby/gems/2.2.0 bundler || true && \
-  gem uninstall bundler -aIx && \
-  gem install bundler -v 1.11.2 && \
-  bundle install

data/Dockerfile.fpm

@@ -1,18 +0,0 @@
-FROM ubuntu:14.04
-
-RUN apt-get update -y && apt-get install -y software-properties-common git build-essential
-
-RUN apt-add-repository ppa:brightbox/ruby-ng
-
-RUN apt-get update -y && apt-get install -y ruby2.2 ruby2.2-dev
-
-RUN gem install --no-rdoc --no-ri bundler:1.11.2 fpm
-
-RUN mkdir /conjur-cli
-
-WORKDIR /conjur-cli
-
-COPY . .
-
-ENTRYPOINT [ "./ci/package.sh" ]
-

data/Dockerfile.publish

@@ -1,12 +0,0 @@
-FROM ubuntu:14.04
-
-RUN apt-get update -y && apt-get install -y curl
-
-RUN curl -kL \
-  -o /usr/bin/art \
-  https://bintray.com/artifact/download/jfrog/artifactory-cli-go/1.2.1/artifactory-cli-linux-amd64/art && \
-  chmod +x /usr/bin/art
-
-WORKDIR /src
-
-ENTRYPOINT [ "art" ]

data/Dockerfile.standalone

@@ -1,33 +0,0 @@
-FROM ruby:2.2.9
-
-#---install useful tools and dependencies---#
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-      jq curl vim nano sudo openssh-client
-# as per https://hub.docker.com/r/conjurinc/cli5/~/dockerfile/
-
-#---install summon and summon-conjur---#
-ENV CONJUR_MAJOR_VERSION=4
-ENV CONJUR_VERSION=4
-RUN curl -sSL https://raw.githubusercontent.com/cyberark/summon/master/install.sh \
-      | env TMPDIR=$(mktemp -d) bash && \
-    curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/master/install.sh \
-      | env TMPDIR=$(mktemp -d) bash
-# as per https://github.com/cyberark/summon#linux
-# and    https://github.com/cyberark/summon-conjur#install
-
-# Note: these install scripts^^ conflict with one another if they are not given
-# different TMPDIRs.
-
-#---install Conjur 4 CLI---#
-WORKDIR /src
-COPY . .
-RUN gem build conjur-cli.gemspec && \
-    gem install conjur-cli && \
-    cd /root && \
-    rm -rf /src
-
-#---set defaults---#
-WORKDIR /root
-COPY standalone.entrypoint /bin/entry
-ENTRYPOINT ["/bin/entry"]

data/Dockerfile.validate-packaging

@@ -1,9 +0,0 @@
-FROM ubuntu:14.04
-
-RUN apt-get update && apt-get install -y software-properties-common
-RUN apt-add-repository ppa:brightbox/ruby-ng
-RUN apt-get update -y && apt-get install -y ruby2.2 dpkg-dev
-
-ADD ci/install.sh /
-
-CMD [ "/install.sh" ]

data/VERSION

@@ -1 +0,0 @@
-5.6.6

data/acceptance-features/audit/audit_event_send.feature

@@ -1,107 +0,0 @@
-Feature: Write and read custom audit events (full-stack test, not for publication)
-
-    Background: 
-        Given I create a new user named "eve@$ns"
-        And I create a new host with id "monitoring/server"
-        And I create a new user named "observer@$ns"
-        And I run `conjur resource permit host:$ns/monitoring/server user:observer@$ns read`
-        And I run `conjur role grant_to user:eve@$ns user:observer@$ns`
-        And I run `conjur role grant_to host:$ns/monitoring/server user:observer@$ns`
-        And I login as the new host
-        And I send the audit event:
-        """
-        {
-          "facility": "custom",
-          "action": "sudo",
-          "system_user": "eve",
-          "allowed": false,
-          "role": "user:eve@$ns",
-          "resource_id": "host:$ns/monitoring/server",
-          "error": "user NOT in sudoers",
-          "audit_message": "eve tried to run '/bin/cat /etc/shadow' as root",   
-          "command": "/bin/cat /etc/shadow",
-          "target_user": "root",
-          "sudo": {
-            "TTY": "pts/0",
-            "PWD": "/home/eve",
-            "USER": "root",
-            "COMMAND": "/bin/cat /etc/shadow"
-          },
-          "timestamp": "2014-06-30T03:25:00.542768+00:00"
-        }
-        """   
-        And I login as "observer@$ns"
-        And I reset the command list
-
-    Scenario: Custom event is indexed by explictly submitted resources
-        When I run `conjur audit resource -s host:$ns/monitoring/server`
-        Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
-        And  the stdout should contain "allowed: false"
-        And  the stdout should contain "eve tried to run"
-
-    Scenario: Custom event is indexed by the role which submitted it
-        When I run `conjur audit role -s host:$ns/monitoring/server`
-        Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
-        And  the stdout should contain "allowed: false"
-        And  the stdout should contain "eve tried to run"
-
-    Scenario: Custom event is indexed by explicitly submitted roles
-        When I run `conjur audit role -s user:eve@$ns`
-        Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
-        And  the stdout should contain "allowed: false"
-        And  the stdout should contain "eve tried to run"
-
-    Scenario: Default fields are included in audit event
-        When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
-        Then the JSON response should have the following:
-            | id                    |
-            | event_id              |
-            | timestamp             |
-            | submission_timestamp  |
-            | kind                  |
-            | action                |
-            | user                  |
-            | acting_as             |
-            | roles                 |
-            | resources             |
-            | resource              |
-            | request               |
-            | conjur                |
-
-    Scenario: Default fields are filled properly
-        When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
-        Then the JSON response at "timestamp" should include "2014-06-30T03:25:00"
-        And the JSON response at "kind" should be "audit"
-        And the JSON response at "action" should be "sudo"
-        And the JSON response at "user" should include "/monitoring/server"
-        And the JSON response at "roles/0" should include "/monitoring/server"
-        And the JSON response at "roles/1" should include "user:eve@"
-        And the JSON response at "resource" should include "/monitoring/server"
-        And the JSON response at "resources/0" should include "/monitoring/server"
-        And the JSON response at "conjur/user" should include "/monitoring/server"
-        
-    Scenario: All custom fields are exposed
-        When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
-        Then the JSON response should have the following:
-            | facility              |
-            | system_user           |   
-            | allowed               |
-            | role                  |
-            | resource_id           |
-            | error                 |
-            | audit_message         |
-            | command               |
-            | target_user           |
-            | sudo                  |
-    
-    Scenario: Custom fields are filled properly
-        When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
-        And the JSON response at "facility" should be "custom"
-        And the JSON response at "system_user" should include "eve"
-        And the JSON response at "allowed" should be false
-        And the JSON response at "role" should include "user:eve@"
-        And the JSON response at "resource_id" should include "/monitoring/server"
-        And the JSON response at "error" should be "user NOT in sudoers"
-        And the JSON response at "command" should be "/bin/cat /etc/shadow"
-        And the JSON response at "target_user" should be "root"
-        And the JSON response at "sudo/PWD" should be "/home/eve"

data/acceptance-features/audit/fetch.feature

@@ -1,16 +0,0 @@
-Feature: Fetch audit events
-
-  Background:
-    Given I successfully run `conjur variable create $ns/secret MY_SECRET`
-    And I successfully run `conjur variable value $ns/secret`
-    
-  Scenario: Fetch works
-    When I successfully run `conjur audit resource -s variable:$ns/secret`
-    Then the output should match /checked that they can execute .*:variable:.*secret/
-
-  Scenario: Follow works
-      # Implementation constraints prevent an exit code of 0 when using
-    # --follow and --limit, so can't say "When I run successfully..."
-    When I run `conjur audit resource -s -f -l 2 variable:$ns/secret`
-    Then the output should match /checked that they can execute .*:variable:.*secret/
-    

data/acceptance-features/audit/send.feature

@@ -1,51 +0,0 @@
-Feature: Create custom audit events
-
-    Background:
-        Given I login as new user "joe@$ns"
-
-    Scenario: Simplest audit event
-        When I successfully run `conjur audit send '{"action":"login"}'`
-        And I run `conjur audit all -s`
-        Then the output should match /user:joe@.* reported login/
-    
-    Scenario: Expose facility
-        When I successfully run `conjur audit send '{"action":"login", "facility":"ssh"}'`
-        And I run `conjur audit all -s`
-        Then the output should match /user:joe@.* reported ssh:login/
-
-    Scenario: Link to role
-        When I successfully run `conjur audit send '{"action":"login", "role":"user:bob"}'`
-        And I run `conjur audit all -s`
-        Then the output should match /user:joe@.* reported login by .*:user:bob/
-        
-    Scenario: Link to resource
-        When I successfully run `conjur audit send '{"action":"login", "resource_id":"host:server"}'`
-        And I run `conjur audit all -s`
-        Then the output should match /user:joe@.* reported login on .*:host:server/
-
-
-    Scenario: 'Allowed' flag
-        When I successfully run `conjur audit send '{"action":"login", "allowed": false}'`
-        And I run `conjur audit all -s`
-        Then the output should match /user:joe@.* reported login \(allowed: false\)/
-
-    Scenario: Custom message
-        When I successfully run `conjur audit send '{"action":"login", "audit_message": "Client IP is 1.2.3.4"}'`
-        And I run `conjur audit all -s`
-        Then the output should match /user:joe@.* reported login; message: Client IP is 1.2.3.4/
-    
-    Scenario: Error details
-        When I successfully run `conjur audit send '{"action":"login", "error": "password mismatch"}'`
-        And I run `conjur audit all -s`
-        Then the output should match /user:joe@.* reported login \(failed with password mismatch\)/
-
-    Scenario: Specify timestamp as IS08601 with timezone
-        When I successfully run `conjur audit send '{"action":"login", "timestamp": "2014-07-01T01:02:03Z"}'`
-        And I run `conjur audit all -s`
-        Then the output should match /\[2014-07-01 01:02:03 UTC\] .*:user:joe@.* reported login/
-
-    Scenario: Arbitrary field (exposed in full audit output)
-        When I successfully run `conjur audit send '{"action":"login", "syslog": { "message" : "Accepted publickey for alice from 192.168.1.11 port 38977 ssh2" }}'`
-        And I run `conjur audit all -o 3` 
-        Then the JSON response at "syslog/message" should be "Accepted publickey for alice from 192.168.1.11 port 38977 ssh2"
-        

data/acceptance-features/authentication/authenticate.feature

@@ -1,10 +0,0 @@
-Feature: Authenticate a role
-
-  Scenario: Get a JSON token
-    When I successfully run `conjur authn authenticate`
-    Then the JSON should have "data"
-    And the JSON should have "signature"
- 
-  Scenario: Get an auth token as HTTP Authorize header
-    When I successfully run `conjur authn authenticate -H`
-    Then the output should match /Authorization: Token token=".*"/

data/acceptance-features/authentication/login.feature

@@ -1,12 +0,0 @@
-Feature: Login a new user
-
-  Scenario: Login a new user with a password
-    Given I run `conjur user create -p alice@$ns` interactively
-    And I type "foobar"
-    And I type "foobar"
-    And the exit status should be 0
-    And I keep the JSON response at "login" as "LOGIN"
-    And I run `conjur authn login alice@$ns` interactively
-    And I type "foobar"
-    And the exit status should be 0
-    

data/acceptance-features/authentication/logout.feature

@@ -1,13 +0,0 @@
-Feature: Logout the user
-
-  Scenario: Login a new user with a password
-    Given I run `conjur user create -p alice@$ns` interactively
-    And I type "foobar"
-    And I type "foobar"
-    And the exit status should be 0
-    And I keep the JSON response at "login" as "LOGIN"
-    And I run `conjur authn login alice@$ns` interactively
-    And I type "foobar"
-    And the exit status should be 0
-    And I successfully run `conjur authn logout`
-    Then the stdout from "conjur authn logout" should contain exactly "Logged out\n"

data/acceptance-features/authorization/resource/annotate.feature

@@ -1,35 +0,0 @@
-Feature: Annotate a resource
-
-  Background:
-    Given I successfully run `conjur resource create food:$ns/bacon`
-  
-  Scenario: Annotations are stored and returned when the resource is displayed
-    Given I successfully run `conjur resource annotate food:$ns/bacon preparation-style crispy`
-    When I successfully run `conjur resource show food:$ns/bacon`
-    And the JSON at "annotations" should have 1 entry
-    And the JSON at "annotations/0/name" should be "preparation-style"
-    And the JSON at "annotations/0/value" should be "crispy"
-    
-  Scenario: Privilege is required to manage annotations
-    Given I login as a new user
-    And I run `conjur resource annotate food:$ns/bacon preparation-style crispy`
-    Then the exit status should be 1
-
-  Scenario: Read privilege is insufficient to manage annotations
-    Given I create a new user named "alice@$ns"
-    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns read`
-    And I login as "alice@$ns"
-    Then I run `conjur resource annotate food:$ns/bacon preparation-style crispy`
-    Then the exit status should be 1
-
-  Scenario: Update privilege is sufficient to manage annotations
-    Given I create a new user named "alice@$ns"
-    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns update`
-    And I login as "alice@$ns"
-    Then I successfully run `conjur resource annotate food:$ns/bacon preparation-style crispy`
-  
-  Scenario: Annotations are searchable
-    Given I successfully run `conjur resource annotate food:$ns/bacon preparation-style crispy`
-    When I successfully run `conjur resource list -k food -s "$ns crispy"`
-    Then the JSON should have 1 entry
-    And the JSON at "0/annotations/preparation-style" should be "crispy"

data/acceptance-features/authorization/resource/check.feature

@@ -1,24 +0,0 @@
-Feature: Checking permissions on a resource
-
-  Background:
-    Given I successfully run `conjur resource create food:$ns/bacon`
-    And I reset the command list
-
-  Scenario: By default I check my own privilege
-    In this case, I have the privilege because I own the resource
-  
-    When I successfully run `conjur resource check food:$ns/bacon fry`
-    Then the stdout should contain exactly "true"
-
-  Scenario: I can check the privileges of roles that I own
-    When I successfully run `conjur role create job:$ns/cook`
-    And I reset the command list
-    And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
-    Then the stdout should contain exactly "false"
-    
-  Scenario: I can check the privileges of roles that I own
-    When I successfully run `conjur role create job:$ns/cook`
-    And I successfully run `conjur resource permit food:$ns/bacon job:$ns/cook fry`
-    And I reset the command list
-    And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
-    Then the stdout should contain exactly "true"

data/acceptance-features/authorization/resource/create.feature

@@ -1,21 +0,0 @@
-Feature: Create a Resource
-
-  Scenario: Create an abstract resource
-    When I successfully run `conjur resource create food:$ns/bacon`
-    Then the JSON should have "id"
-    And the JSON should have "owner"
-    And the JSON should have "permissions"
-    And the JSON should have "annotations"
-
-  Scenario: The resource owner has all privileges on it
-    When I successfully run `conjur resource create food:$ns/bacon`
-    And I reset the command list
-    And I successfully run `conjur resource check food:$ns/bacon fry`
-    Then the stdout should contain exactly "true"
-
-  Scenario: A different role can be assigned as the owner of the resource
-    When I successfully run `conjur role create job:$ns/chefs`
-    And I successfully run `conjur resource create --as-role job:$ns/chefs food:$ns/bacon`
-    And I reset the command list
-    And I successfully run `conjur resource check -r job:$ns/chefs food:$ns/bacon fry`
-    Then the stdout should contain exactly "true"

data/acceptance-features/authorization/resource/deny.feature

@@ -1,12 +0,0 @@
-Feature: Deny a privilege on a Resource
-
-  Background:
-    Given I successfully run `conjur resource create food:$ns/bacon`
-
-  Scenario: Once granted, privileges can be revoked
-  
-    Given I create a new user named "alice@$ns"
-    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns fry`
-    When I successfully run `conjur resource deny food:$ns/bacon user:alice@$ns fry`
-    And I successfully run `conjur resource show food:$ns/bacon`
-    Then the JSON at "permissions" should have 0 items

data/acceptance-features/authorization/resource/give.feature

@@ -1,24 +0,0 @@
-Feature: Give a resource to another role
-
-  Scenario: I can give a resource which I own to another role
-    Given I successfully run `conjur resource create food:$ns/bacon`
-    And I create a new user named "alice@$ns"
-    Then I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
-    And I reset the command list
-
-  Scenario: Resource owner is in the 'owner' field
-    Given I successfully run `conjur resource create food:$ns/bacon`
-    And I create a new user named "alice@$ns"
-    And I keep the JSON at "roleid" as "USERID"
-    Then I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
-    And I successfully run `conjur resource show food:$ns/bacon`
-    Then the JSON at "owner" should be %{USERID}
-
-  Scenario: When I give a resource away, I give all permissions
-    Given I successfully run `conjur resource create food:$ns/bacon`
-    And I create a new user named "alice@$ns"
-    And I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
-    And I login as "alice@$ns"
-    And I reset the command list
-    When I successfully run `conjur resource check food:$ns/bacon fry`
-    Then the stdout should contain exactly "true"