conjur-cli 5.6.6 → 6.0.0.rc1
- checksums.yaml +5 -5
- data/.dockerignore +1 -1
- data/.gitignore +2 -0
- data/.rubocop.yml +1 -1
- data/APPLIANCE_VERSION +1 -1
- data/CHANGELOG.md +3 -42
- data/Gemfile +4 -7
- data/Humanfile.md +31 -0
- data/Jenkinsfile +34 -63
- data/README.md +41 -55
- data/Rakefile +5 -1
- data/bin/conjur +0 -2
- data/build-deb.sh +1 -3
- data/ci/cli-test.sh +6 -0
- data/ci/package.sh +3 -1
- data/ci/publish.sh +2 -2
- data/ci/secrets/publish.yml +2 -2
- data/ci/wait_for_server.sh +10 -0
- data/conjur-cli.gemspec +7 -7
- data/dev/docker-compose.yml +24 -0
- data/dev/start.sh +15 -0
- data/dev/stop.sh +5 -0
- data/docker-compose.yml +30 -0
- data/features/authentication/authenticate.feature +34 -0
- data/features/authentication/login.feature +13 -0
- data/features/authentication/logout.feature +15 -0
- data/{acceptance-features → features}/authentication/whoami.feature +0 -0
- data/features/authorization/resource/annotate.feature +22 -0
- data/features/authorization/resource/check.feature +47 -0
- data/{acceptance-features → features}/authorization/resource/exists.feature +18 -6
- data/features/authorization/resource/permitted_roles.feature +35 -0
- data/features/authorization/resource/show.feature +34 -0
- data/features/authorization/role/exists.feature +28 -0
- data/features/authorization/role/members.feature +45 -0
- data/features/authorization/role/memberships.feature +43 -0
- data/features/conjurenv/check.feature +34 -0
- data/features/conjurenv/run.feature +15 -0
- data/{acceptance-features → features}/conjurenv/template.feature +8 -3
- data/{acceptance-features → features}/directory/user/update_password.feature +8 -2
- data/{acceptance-features → features}/directory/variable/value.feature +9 -5
- data/{acceptance-features → features}/directory/variable/values-add.feature +8 -3
- data/features/hostfactory/tokens.feature +22 -0
- data/features/pubkeys/show.feature +18 -0
- data/features/step_definitions/authn_steps.rb +22 -0
- data/features/step_definitions/cli_steps.rb +28 -0
- data/features/step_definitions/file_steps.rb +12 -0
- data/features/step_definitions/flow_control_steps.rb +7 -0
- data/features/step_definitions/graph_steps.rb +4 -3
- data/{acceptance-features → features}/step_definitions/http_steps.rb +0 -0
- data/features/step_definitions/overrides.rb +9 -0
- data/features/step_definitions/policy_steps.rb +11 -0
- data/{acceptance-features → features}/step_definitions/trusted_proxy_steps.rb +0 -0
- data/features/support/blank.yml +1 -0
- data/features/support/env.rb +21 -7
- data/features/support/hooks.rb +31 -116
- data/features/support/world.rb +16 -76
- data/jenkins.sh +33 -0
- data/lib/conjur/authenticator.rb +83 -0
- data/lib/conjur/authn.rb +5 -20
- data/lib/conjur/cli.rb +13 -6
- data/lib/conjur/command.rb +30 -350
- data/lib/conjur/command/authn.rb +23 -15
- data/lib/conjur/command/host_factories.rb +2 -74
- data/lib/conjur/command/hosts.rb +6 -113
- data/lib/conjur/command/init.rb +20 -35
- data/lib/conjur/command/{secrets.rb → policies.rb} +33 -22
- data/lib/conjur/command/pubkeys.rb +3 -63
- data/lib/conjur/command/resources.rb +45 -162
- data/lib/conjur/command/roles.rb +11 -181
- data/lib/conjur/command/rspec/helpers.rb +0 -1
- data/lib/conjur/command/rspec/mock_services.rb +4 -4
- data/lib/conjur/command/users.rb +2 -159
- data/lib/conjur/command/variables.rb +5 -218
- data/lib/conjur/complete.rb +2 -2
- data/lib/conjur/config.rb +1 -11
- data/lib/conjur/conjurenv.rb +12 -9
- data/lib/conjur/identifier_manipulation.rb +3 -5
- data/lib/conjur/version.rb +2 -2
- data/{publish-rubygem.sh → publish.sh} +0 -4
- data/spec/authn_spec.rb +4 -0
- data/spec/command/hosts_spec.rb +2 -69
- data/spec/command/init_spec.rb +16 -11
- data/spec/command/pubkeys_spec.rb +1 -46
- data/spec/command/resources_spec.rb +21 -170
- data/spec/command/roles_spec.rb +5 -181
- data/spec/command/users_spec.rb +3 -79
- data/spec/command_spec.rb +1 -20
- data/spec/complete_spec.rb +1 -23
- data/spec/config_spec.rb +1 -1
- data/spec/spec_helper.rb +4 -5
- data/test.sh +29 -25
- metadata +92 -212
- data/.githooks/pre_commit/run_specs.rb +0 -23
- data/Dockerfile +0 -15
- data/Dockerfile.fpm +0 -18
- data/Dockerfile.publish +0 -12
- data/Dockerfile.standalone +0 -33
- data/Dockerfile.validate-packaging +0 -9
- data/VERSION +0 -1
- data/acceptance-features/audit/audit_event_send.feature +0 -107
- data/acceptance-features/audit/fetch.feature +0 -16
- data/acceptance-features/audit/send.feature +0 -51
- data/acceptance-features/authentication/authenticate.feature +0 -10
- data/acceptance-features/authentication/login.feature +0 -12
- data/acceptance-features/authentication/logout.feature +0 -13
- data/acceptance-features/authorization/resource/annotate.feature +0 -35
- data/acceptance-features/authorization/resource/check.feature +0 -24
- data/acceptance-features/authorization/resource/create.feature +0 -21
- data/acceptance-features/authorization/resource/deny.feature +0 -12
- data/acceptance-features/authorization/resource/give.feature +0 -24
- data/acceptance-features/authorization/resource/permit.feature +0 -20
- data/acceptance-features/authorization/resource/permitted_roles.feature +0 -16
- data/acceptance-features/authorization/resource/show.feature +0 -28
- data/acceptance-features/authorization/role/create.feature +0 -13
- data/acceptance-features/authorization/role/exists.feature +0 -19
- data/acceptance-features/authorization/role/grant_to.feature +0 -21
- data/acceptance-features/authorization/role/graph.feature +0 -57
- data/acceptance-features/authorization/role/members.feature +0 -23
- data/acceptance-features/authorization/role/memberships.feature +0 -27
- data/acceptance-features/bootstrap.feature +0 -13
- data/acceptance-features/conjurenv/check.feature +0 -21
- data/acceptance-features/conjurenv/run.feature +0 -10
- data/acceptance-features/directory/group/create.feature +0 -20
- data/acceptance-features/directory/group/retire.feature +0 -54
- data/acceptance-features/directory/host/create.feature +0 -23
- data/acceptance-features/directory/host/retire.feature +0 -6
- data/acceptance-features/directory/hostfactory/create.feature +0 -28
- data/acceptance-features/directory/hostfactory/tokens.feature +0 -16
- data/acceptance-features/directory/layer/create.feature +0 -10
- data/acceptance-features/directory/layer/hosts-add.feature +0 -9
- data/acceptance-features/directory/layer/hosts-remove.feature +0 -10
- data/acceptance-features/directory/layer/retire.feature +0 -43
- data/acceptance-features/directory/user/create.feature +0 -23
- data/acceptance-features/directory/user/retire.feature +0 -6
- data/acceptance-features/directory/variable/create.feature +0 -14
- data/acceptance-features/directory/variable/retire.feature +0 -17
- data/acceptance-features/dsl/policy_owner.feature +0 -45
- data/acceptance-features/dsl/resource_owner.feature +0 -17
- data/acceptance-features/dsl/retire.feature +0 -15
- data/acceptance-features/global-privilege/elevate.feature +0 -20
- data/acceptance-features/global-privilege/reveal.privilege +0 -20
- data/acceptance-features/pubkeys/add.feature +0 -22
- data/acceptance-features/pubkeys/delete.feature +0 -9
- data/acceptance-features/pubkeys/names.feature +0 -26
- data/acceptance-features/pubkeys/show.feature +0 -27
- data/acceptance-features/step_definitions/cli_steps.rb +0 -57
- data/acceptance-features/step_definitions/graph_steps.rb +0 -22
- data/acceptance-features/step_definitions/user_steps.rb +0 -51
- data/acceptance-features/support/env.rb +0 -23
- data/acceptance-features/support/hooks.rb +0 -178
- data/acceptance-features/support/world.rb +0 -176
- data/acceptance-features/trusted_proxies.feature +0 -82
- data/bin/conjurize +0 -26
- data/bin/jsonfield +0 -70
- data/build-standalone +0 -6
- data/deprecations.sh +0 -38
- data/features/conjurize.feature +0 -134
- data/features/dsl_context.feature +0 -36
- data/features/dsl_host_create.feature +0 -11
- data/features/dsl_ownership.feature +0 -30
- data/features/dsl_permission.feature +0 -45
- data/features/dsl_resource_create.feature +0 -23
- data/features/dsl_role_create.feature +0 -11
- data/features/dsl_user_create.feature +0 -23
- data/features/jsonfield.feature +0 -49
- data/features/role_graph.feature +0 -58
- data/features/step_definitions/conjurize_steps.rb +0 -5
- data/features/step_definitions/dsl_steps.rb +0 -52
- data/features/support/conjur.conf +0 -6
- data/lib/conjur/command/assets.rb +0 -121
- data/lib/conjur/command/audit.rb +0 -155
- data/lib/conjur/command/bootstrap.rb +0 -129
- data/lib/conjur/command/dsl_command.rb +0 -75
- data/lib/conjur/command/elevate.rb +0 -76
- data/lib/conjur/command/field.rb +0 -45
- data/lib/conjur/command/groups.rb +0 -208
- data/lib/conjur/command/ids.rb +0 -34
- data/lib/conjur/command/layers.rb +0 -211
- data/lib/conjur/command/ldapsync.rb +0 -118
- data/lib/conjur/command/rspec/audit_helpers.rb +0 -68
- data/lib/conjur/command/rubydsl.rb +0 -93
- data/lib/conjur/command/script.rb +0 -48
- data/lib/conjur/command/server.rb +0 -67
- data/lib/conjur/conjurize.rb +0 -71
- data/lib/conjur/conjurize/script.rb +0 -150
- data/lib/conjur/dsl/runner.rb +0 -273
- data/publish-deb.sh +0 -6
- data/push-image +0 -29
- data/spec/command/assets_spec.rb +0 -115
- data/spec/command/audit_spec.rb +0 -376
- data/spec/command/elevate_spec.rb +0 -28
- data/spec/command/env_spec.rb +0 -168
- data/spec/command/groups_spec.rb +0 -77
- data/spec/command/host_factories_spec.rb +0 -38
- data/spec/command/layers_spec.rb +0 -35
- data/spec/command/ldapsync_spec.rb +0 -28
- data/spec/command/rubydsl_spec.rb +0 -63
- data/spec/command/variable_expiration_spec.rb +0 -164
- data/spec/command/variables_spec.rb +0 -192
- data/spec/conjurize/script_spec.rb +0 -62
- data/spec/conjurize_spec.rb +0 -70
- data/spec/dsl/runner_spec.rb +0 -93
- data/spec/env_spec.rb +0 -214
@@ -1,23 +0,0 @@
|
|
1
|
-
require 'English'
|
2
|
-
|
3
|
-
module Overcommit::GitHook
|
4
|
-
# Try to avoid commiting code which breaks specs.
|
5
|
-
# Install the hook with `overcommit .` in the top directory.
|
6
|
-
class SpecsPass < HookSpecificCheck
|
7
|
-
include HookRegistry
|
8
|
-
file_types :rb
|
9
|
-
|
10
|
-
def run_check
|
11
|
-
unless in_path?('rspec')
|
12
|
-
return :warn, 'rspec not installed -- run `gem install rspec`'
|
13
|
-
end
|
14
|
-
|
15
|
-
output = `rspec 2>&1`
|
16
|
-
if $CHILD_STATUS.exitstatus == 0
|
17
|
-
return :good
|
18
|
-
else
|
19
|
-
return :bad, output
|
20
|
-
end
|
21
|
-
end
|
22
|
-
end
|
23
|
-
end
|
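Review bot: with this pre-commit hook removed, the spec gate that `run_check` enforced (shelling out to `rspec 2>&1` and returning `:bad` on a non-zero `$CHILD_STATUS`) has to be provided by CI instead; since the Jenkinsfile and ci/cli-test.sh are both modified in this change, confirm they run the spec suite on every build, otherwise nothing automatic checks specs any more. The `overcommit .` install instruction in the removed comment should also disappear from any developer docs that still reference it.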
data/Dockerfile
DELETED
@@ -1,15 +0,0 @@
|
|
1
|
-
FROM ruby:2.2.4
|
2
|
-
|
3
|
-
RUN mkdir /src
|
4
|
-
WORKDIR /src
|
5
|
-
|
6
|
-
COPY Gemfile Gemfile
|
7
|
-
COPY conjur-cli.gemspec conjur-cli.gemspec
|
8
|
-
COPY lib/conjur/version.rb lib/conjur/version.rb
|
9
|
-
|
10
|
-
# Make sure only one version of bundler is available
|
11
|
-
RUN gem uninstall bundler -i /usr/local/lib/ruby/gems/2.1.0 bundler || true && \
|
12
|
-
gem uninstall bundler -i /usr/local/lib/ruby/gems/2.2.0 bundler || true && \
|
13
|
-
gem uninstall bundler -aIx && \
|
14
|
-
gem install bundler -v 1.11.2 && \
|
15
|
-
bundle install
|
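Review bot: the removed image pins `ruby:2.2.4` (an end-of-life Ruby) and spends four lines forcing a single `bundler` 1.11.2; as dev/docker-compose.yml and dev/start.sh take over the development image in this change, make sure they pin a supported Ruby image by explicit tag rather than `latest`, so the toolchain stays reproducible and still receives security fixes.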
data/Dockerfile.fpm
DELETED
@@ -1,18 +0,0 @@
|
|
1
|
-
FROM ubuntu:14.04
|
2
|
-
|
3
|
-
RUN apt-get update -y && apt-get install -y software-properties-common git build-essential
|
4
|
-
|
5
|
-
RUN apt-add-repository ppa:brightbox/ruby-ng
|
6
|
-
|
7
|
-
RUN apt-get update -y && apt-get install -y ruby2.2 ruby2.2-dev
|
8
|
-
|
9
|
-
RUN gem install --no-rdoc --no-ri bundler:1.11.2 fpm
|
10
|
-
|
11
|
-
RUN mkdir /conjur-cli
|
12
|
-
|
13
|
-
WORKDIR /conjur-cli
|
14
|
-
|
15
|
-
COPY . .
|
16
|
-
|
17
|
-
ENTRYPOINT [ "./ci/package.sh" ]
|
18
|
-
|
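Review bot: `gem install --no-rdoc --no-ri bundler:1.11.2 fpm` installs `fpm` unpinned, so the Debian package produced through `./ci/package.sh` depended on whatever fpm version was current on the day of the build; ci/package.sh is retained and modified here, so wherever fpm is now installed it should be pinned (`fpm:<version>`, value chosen by the maintainers) to keep package builds reproducible.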
data/Dockerfile.publish
DELETED
@@ -1,12 +0,0 @@
|
|
1
|
-
FROM ubuntu:14.04
|
2
|
-
|
3
|
-
RUN apt-get update -y && apt-get install -y curl
|
4
|
-
|
5
|
-
RUN curl -kL \
|
6
|
-
-o /usr/bin/art \
|
7
|
-
https://bintray.com/artifact/download/jfrog/artifactory-cli-go/1.2.1/artifactory-cli-linux-amd64/art && \
|
8
|
-
chmod +x /usr/bin/art
|
9
|
-
|
10
|
-
WORKDIR /src
|
11
|
-
|
12
|
-
ENTRYPOINT [ "art" ]
|
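Review bot: good to see this go: `curl -kL -o /usr/bin/art https://bintray.com/...` fetches the Artifactory CLI with certificate verification disabled (`-k`) and marks it executable with no checksum or signature check, so a man-in-the-middle or a compromised download host could have substituted the binary that publishes release artifacts. The replacement publish path (ci/publish.sh and publish.sh in this change) must not reintroduce `-k`, and any tool it downloads should be pinned by version and verified against a known hash before `chmod +x`.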
data/Dockerfile.standalone
DELETED
@@ -1,33 +0,0 @@
|
|
1
|
-
FROM ruby:2.2.9
|
2
|
-
|
3
|
-
#---install useful tools and dependencies---#
|
4
|
-
RUN apt-get update && \
|
5
|
-
apt-get install -y --no-install-recommends \
|
6
|
-
jq curl vim nano sudo openssh-client
|
7
|
-
# as per https://hub.docker.com/r/conjurinc/cli5/~/dockerfile/
|
8
|
-
|
9
|
-
#---install summon and summon-conjur---#
|
10
|
-
ENV CONJUR_MAJOR_VERSION=4
|
11
|
-
ENV CONJUR_VERSION=4
|
12
|
-
RUN curl -sSL https://raw.githubusercontent.com/cyberark/summon/master/install.sh \
|
13
|
-
| env TMPDIR=$(mktemp -d) bash && \
|
14
|
-
curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/master/install.sh \
|
15
|
-
| env TMPDIR=$(mktemp -d) bash
|
16
|
-
# as per https://github.com/cyberark/summon#linux
|
17
|
-
# and https://github.com/cyberark/summon-conjur#install
|
18
|
-
|
19
|
-
# Note: these install scripts^^ conflict with one another if they are not given
|
20
|
-
# different TMPDIRs.
|
21
|
-
|
22
|
-
#---install Conjur 4 CLI---#
|
23
|
-
WORKDIR /src
|
24
|
-
COPY . .
|
25
|
-
RUN gem build conjur-cli.gemspec && \
|
26
|
-
gem install conjur-cli && \
|
27
|
-
cd /root && \
|
28
|
-
rm -rf /src
|
29
|
-
|
30
|
-
#---set defaults---#
|
31
|
-
WORKDIR /root
|
32
|
-
COPY standalone.entrypoint /bin/entry
|
33
|
-
ENTRYPOINT ["/bin/entry"]
|
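Review bot: `curl -sSL https://raw.githubusercontent.com/cyberark/summon/master/install.sh | env TMPDIR=$(mktemp -d) bash` and its summon-conjur twin (lines 12-15 of the removed file) execute unpinned scripts from the `master` branch of two repositories as root inside the image with no integrity check, so every rebuild could pull different code; if a standalone image is rebuilt for 6.0.0, download a tagged release and verify its checksum instead. The file also hard-codes `CONJUR_MAJOR_VERSION=4` / `CONJUR_VERSION=4`, which no longer fits a release that bumps APPLIANCE_VERSION in this same diff, so dropping it rather than carrying it forward is the right call.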
data/VERSION
DELETED
@@ -1 +0,0 @@
|
|
1
|
-
5.6.6
|
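Review bot: removing VERSION leaves lib/conjur/version.rb (also touched here) as the single source of the gem version, which is the right direction; check that build-deb.sh, ci/package.sh and the Jenkinsfile, all modified in this change, no longer read the VERSION file, since a stale reader would now either fail or silently package under an old version string.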
@@ -1,107 +0,0 @@
|
|
1
|
-
Feature: Write and read custom audit events (full-stack test, not for publication)
|
2
|
-
|
3
|
-
Background:
|
4
|
-
Given I create a new user named "eve@$ns"
|
5
|
-
And I create a new host with id "monitoring/server"
|
6
|
-
And I create a new user named "observer@$ns"
|
7
|
-
And I run `conjur resource permit host:$ns/monitoring/server user:observer@$ns read`
|
8
|
-
And I run `conjur role grant_to user:eve@$ns user:observer@$ns`
|
9
|
-
And I run `conjur role grant_to host:$ns/monitoring/server user:observer@$ns`
|
10
|
-
And I login as the new host
|
11
|
-
And I send the audit event:
|
12
|
-
"""
|
13
|
-
{
|
14
|
-
"facility": "custom",
|
15
|
-
"action": "sudo",
|
16
|
-
"system_user": "eve",
|
17
|
-
"allowed": false,
|
18
|
-
"role": "user:eve@$ns",
|
19
|
-
"resource_id": "host:$ns/monitoring/server",
|
20
|
-
"error": "user NOT in sudoers",
|
21
|
-
"audit_message": "eve tried to run '/bin/cat /etc/shadow' as root",
|
22
|
-
"command": "/bin/cat /etc/shadow",
|
23
|
-
"target_user": "root",
|
24
|
-
"sudo": {
|
25
|
-
"TTY": "pts/0",
|
26
|
-
"PWD": "/home/eve",
|
27
|
-
"USER": "root",
|
28
|
-
"COMMAND": "/bin/cat /etc/shadow"
|
29
|
-
},
|
30
|
-
"timestamp": "2014-06-30T03:25:00.542768+00:00"
|
31
|
-
}
|
32
|
-
"""
|
33
|
-
And I login as "observer@$ns"
|
34
|
-
And I reset the command list
|
35
|
-
|
36
|
-
Scenario: Custom event is indexed by explictly submitted resources
|
37
|
-
When I run `conjur audit resource -s host:$ns/monitoring/server`
|
38
|
-
Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
|
39
|
-
And the stdout should contain "allowed: false"
|
40
|
-
And the stdout should contain "eve tried to run"
|
41
|
-
|
42
|
-
Scenario: Custom event is indexed by the role which submitted it
|
43
|
-
When I run `conjur audit role -s host:$ns/monitoring/server`
|
44
|
-
Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
|
45
|
-
And the stdout should contain "allowed: false"
|
46
|
-
And the stdout should contain "eve tried to run"
|
47
|
-
|
48
|
-
Scenario: Custom event is indexed by explicitly submitted roles
|
49
|
-
When I run `conjur audit role -s user:eve@$ns`
|
50
|
-
Then the stdout should contain "reported custom:sudo by cucumber:user:eve"
|
51
|
-
And the stdout should contain "allowed: false"
|
52
|
-
And the stdout should contain "eve tried to run"
|
53
|
-
|
54
|
-
Scenario: Default fields are included in audit event
|
55
|
-
When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
|
56
|
-
Then the JSON response should have the following:
|
57
|
-
| id |
|
58
|
-
| event_id |
|
59
|
-
| timestamp |
|
60
|
-
| submission_timestamp |
|
61
|
-
| kind |
|
62
|
-
| action |
|
63
|
-
| user |
|
64
|
-
| acting_as |
|
65
|
-
| roles |
|
66
|
-
| resources |
|
67
|
-
| resource |
|
68
|
-
| request |
|
69
|
-
| conjur |
|
70
|
-
|
71
|
-
Scenario: Default fields are filled properly
|
72
|
-
When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
|
73
|
-
Then the JSON response at "timestamp" should include "2014-06-30T03:25:00"
|
74
|
-
And the JSON response at "kind" should be "audit"
|
75
|
-
And the JSON response at "action" should be "sudo"
|
76
|
-
And the JSON response at "user" should include "/monitoring/server"
|
77
|
-
And the JSON response at "roles/0" should include "/monitoring/server"
|
78
|
-
And the JSON response at "roles/1" should include "user:eve@"
|
79
|
-
And the JSON response at "resource" should include "/monitoring/server"
|
80
|
-
And the JSON response at "resources/0" should include "/monitoring/server"
|
81
|
-
And the JSON response at "conjur/user" should include "/monitoring/server"
|
82
|
-
|
83
|
-
Scenario: All custom fields are exposed
|
84
|
-
When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
|
85
|
-
Then the JSON response should have the following:
|
86
|
-
| facility |
|
87
|
-
| system_user |
|
88
|
-
| allowed |
|
89
|
-
| role |
|
90
|
-
| resource_id |
|
91
|
-
| error |
|
92
|
-
| audit_message |
|
93
|
-
| command |
|
94
|
-
| target_user |
|
95
|
-
| sudo |
|
96
|
-
|
97
|
-
Scenario: Custom fields are filled properly
|
98
|
-
When I run `conjur audit resource -l 1 -o 3 host:$ns/monitoring/server`
|
99
|
-
And the JSON response at "facility" should be "custom"
|
100
|
-
And the JSON response at "system_user" should include "eve"
|
101
|
-
And the JSON response at "allowed" should be false
|
102
|
-
And the JSON response at "role" should include "user:eve@"
|
103
|
-
And the JSON response at "resource_id" should include "/monitoring/server"
|
104
|
-
And the JSON response at "error" should be "user NOT in sudoers"
|
105
|
-
And the JSON response at "command" should be "/bin/cat /etc/shadow"
|
106
|
-
And the JSON response at "target_user" should be "root"
|
107
|
-
And the JSON response at "sudo/PWD" should be "/home/eve"
|
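Review bot: deleting this feature together with lib/conjur/command/audit.rb and spec/command/audit_spec.rb removes the `conjur audit` command outright rather than migrating its coverage (no audit feature appears in the new features/ tree); that is a user-visible removal for anyone scripting `conjur audit resource` or `conjur audit role`, so it belongs under removed commands in CHANGELOG.md, which this change shortens by 42 lines instead of extending. The `Custom fields are filled properly` scenario (line 97) also uses `When` for the run step but never a `Then`, a pattern worth not carrying into the new feature files.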
@@ -1,16 +0,0 @@
|
|
1
|
-
Feature: Fetch audit events
|
2
|
-
|
3
|
-
Background:
|
4
|
-
Given I successfully run `conjur variable create $ns/secret MY_SECRET`
|
5
|
-
And I successfully run `conjur variable value $ns/secret`
|
6
|
-
|
7
|
-
Scenario: Fetch works
|
8
|
-
When I successfully run `conjur audit resource -s variable:$ns/secret`
|
9
|
-
Then the output should match /checked that they can execute .*:variable:.*secret/
|
10
|
-
|
11
|
-
Scenario: Follow works
|
12
|
-
# Implementation constraints prevent an exit code of 0 when using
|
13
|
-
# --follow and --limit, so can't say "When I run successfully..."
|
14
|
-
When I run `conjur audit resource -s -f -l 2 variable:$ns/secret`
|
15
|
-
Then the output should match /checked that they can execute .*:variable:.*secret/
|
16
|
-
|
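Review bot: the comment at lines 12-13 records that `conjur audit resource -s -f -l 2` cannot exit 0, so the `Follow works` scenario only matches output and never checks the exit status; a command that ends its success path with a non-zero status is a defect to fix in the command, not to work around in the test, should a follow mode return in a future audit client.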
@@ -1,51 +0,0 @@
|
|
1
|
-
Feature: Create custom audit events
|
2
|
-
|
3
|
-
Background:
|
4
|
-
Given I login as new user "joe@$ns"
|
5
|
-
|
6
|
-
Scenario: Simplest audit event
|
7
|
-
When I successfully run `conjur audit send '{"action":"login"}'`
|
8
|
-
And I run `conjur audit all -s`
|
9
|
-
Then the output should match /user:joe@.* reported login/
|
10
|
-
|
11
|
-
Scenario: Expose facility
|
12
|
-
When I successfully run `conjur audit send '{"action":"login", "facility":"ssh"}'`
|
13
|
-
And I run `conjur audit all -s`
|
14
|
-
Then the output should match /user:joe@.* reported ssh:login/
|
15
|
-
|
16
|
-
Scenario: Link to role
|
17
|
-
When I successfully run `conjur audit send '{"action":"login", "role":"user:bob"}'`
|
18
|
-
And I run `conjur audit all -s`
|
19
|
-
Then the output should match /user:joe@.* reported login by .*:user:bob/
|
20
|
-
|
21
|
-
Scenario: Link to resource
|
22
|
-
When I successfully run `conjur audit send '{"action":"login", "resource_id":"host:server"}'`
|
23
|
-
And I run `conjur audit all -s`
|
24
|
-
Then the output should match /user:joe@.* reported login on .*:host:server/
|
25
|
-
|
26
|
-
|
27
|
-
Scenario: 'Allowed' flag
|
28
|
-
When I successfully run `conjur audit send '{"action":"login", "allowed": false}'`
|
29
|
-
And I run `conjur audit all -s`
|
30
|
-
Then the output should match /user:joe@.* reported login \(allowed: false\)/
|
31
|
-
|
32
|
-
Scenario: Custom message
|
33
|
-
When I successfully run `conjur audit send '{"action":"login", "audit_message": "Client IP is 1.2.3.4"}'`
|
34
|
-
And I run `conjur audit all -s`
|
35
|
-
Then the output should match /user:joe@.* reported login; message: Client IP is 1.2.3.4/
|
36
|
-
|
37
|
-
Scenario: Error details
|
38
|
-
When I successfully run `conjur audit send '{"action":"login", "error": "password mismatch"}'`
|
39
|
-
And I run `conjur audit all -s`
|
40
|
-
Then the output should match /user:joe@.* reported login \(failed with password mismatch\)/
|
41
|
-
|
42
|
-
Scenario: Specify timestamp as IS08601 with timezone
|
43
|
-
When I successfully run `conjur audit send '{"action":"login", "timestamp": "2014-07-01T01:02:03Z"}'`
|
44
|
-
And I run `conjur audit all -s`
|
45
|
-
Then the output should match /\[2014-07-01 01:02:03 UTC\] .*:user:joe@.* reported login/
|
46
|
-
|
47
|
-
Scenario: Arbitrary field (exposed in full audit output)
|
48
|
-
When I successfully run `conjur audit send '{"action":"login", "syslog": { "message" : "Accepted publickey for alice from 192.168.1.11 port 38977 ssh2" }}'`
|
49
|
-
And I run `conjur audit all -o 3`
|
50
|
-
Then the JSON response at "syslog/message" should be "Accepted publickey for alice from 192.168.1.11 port 38977 ssh2"
|
51
|
-
|
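Review bot: the `Link to role` and `Link to resource` scenarios (lines 16-24) only assert how the event is rendered (`reported login by .*:user:bob`) and never that a role is prevented from attributing events to roles or resources it does not own, so this suite never exercised that authorization boundary. Minor: the scenario title at line 42 misspells ISO8601 as `IS08601`.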
@@ -1,10 +0,0 @@
|
|
1
|
-
Feature: Authenticate a role
|
2
|
-
|
3
|
-
Scenario: Get a JSON token
|
4
|
-
When I successfully run `conjur authn authenticate`
|
5
|
-
Then the JSON should have "data"
|
6
|
-
And the JSON should have "signature"
|
7
|
-
|
8
|
-
Scenario: Get an auth token as HTTP Authorize header
|
9
|
-
When I successfully run `conjur authn authenticate -H`
|
10
|
-
Then the output should match /Authorization: Token token=".*"/
|
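Review bot: the pattern at line 10, `/Authorization: Token token=".*"/`, also matches an empty token (`token=""`), so the `-H` scenario would pass if header construction produced no token at all; the replacement features/authentication/authenticate.feature should match `token=".+"` (or assert on the decoded JSON having `data` and `signature`, as the first scenario does).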
@@ -1,12 +0,0 @@
|
|
1
|
-
Feature: Login a new user
|
2
|
-
|
3
|
-
Scenario: Login a new user with a password
|
4
|
-
Given I run `conjur user create -p alice@$ns` interactively
|
5
|
-
And I type "foobar"
|
6
|
-
And I type "foobar"
|
7
|
-
And the exit status should be 0
|
8
|
-
And I keep the JSON response at "login" as "LOGIN"
|
9
|
-
And I run `conjur authn login alice@$ns` interactively
|
10
|
-
And I type "foobar"
|
11
|
-
And the exit status should be 0
|
12
|
-
|
@@ -1,13 +0,0 @@
|
|
1
|
-
Feature: Logout the user
|
2
|
-
|
3
|
-
Scenario: Login a new user with a password
|
4
|
-
Given I run `conjur user create -p alice@$ns` interactively
|
5
|
-
And I type "foobar"
|
6
|
-
And I type "foobar"
|
7
|
-
And the exit status should be 0
|
8
|
-
And I keep the JSON response at "login" as "LOGIN"
|
9
|
-
And I run `conjur authn login alice@$ns` interactively
|
10
|
-
And I type "foobar"
|
11
|
-
And the exit status should be 0
|
12
|
-
And I successfully run `conjur authn logout`
|
13
|
-
Then the stdout from "conjur authn logout" should contain exactly "Logged out\n"
|
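Review bot: the scenario title at line 3, `Login a new user with a password`, is copied from login.feature and does not describe what lines 12-13 actually verify (`conjur authn logout` printing exactly `Logged out\n`); the replacement features/authentication/logout.feature should name the scenario after the logout check so a failure report reads correctly.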
@@ -1,35 +0,0 @@
|
|
1
|
-
Feature: Annotate a resource
|
2
|
-
|
3
|
-
Background:
|
4
|
-
Given I successfully run `conjur resource create food:$ns/bacon`
|
5
|
-
|
6
|
-
Scenario: Annotations are stored and returned when the resource is displayed
|
7
|
-
Given I successfully run `conjur resource annotate food:$ns/bacon preparation-style crispy`
|
8
|
-
When I successfully run `conjur resource show food:$ns/bacon`
|
9
|
-
And the JSON at "annotations" should have 1 entry
|
10
|
-
And the JSON at "annotations/0/name" should be "preparation-style"
|
11
|
-
And the JSON at "annotations/0/value" should be "crispy"
|
12
|
-
|
13
|
-
Scenario: Privilege is required to manage annotations
|
14
|
-
Given I login as a new user
|
15
|
-
And I run `conjur resource annotate food:$ns/bacon preparation-style crispy`
|
16
|
-
Then the exit status should be 1
|
17
|
-
|
18
|
-
Scenario: Read privilege is insufficient to manage annotations
|
19
|
-
Given I create a new user named "alice@$ns"
|
20
|
-
And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns read`
|
21
|
-
And I login as "alice@$ns"
|
22
|
-
Then I run `conjur resource annotate food:$ns/bacon preparation-style crispy`
|
23
|
-
Then the exit status should be 1
|
24
|
-
|
25
|
-
Scenario: Update privilege is sufficient to manage annotations
|
26
|
-
Given I create a new user named "alice@$ns"
|
27
|
-
And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns update`
|
28
|
-
And I login as "alice@$ns"
|
29
|
-
Then I successfully run `conjur resource annotate food:$ns/bacon preparation-style crispy`
|
30
|
-
|
31
|
-
Scenario: Annotations are searchable
|
32
|
-
Given I successfully run `conjur resource annotate food:$ns/bacon preparation-style crispy`
|
33
|
-
When I successfully run `conjur resource list -k food -s "$ns crispy"`
|
34
|
-
Then the JSON should have 1 entry
|
35
|
-
And the JSON at "0/annotations/preparation-style" should be "crispy"
|
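Review bot: the two negative scenarios (lines 13-23) assert only `the exit status should be 1` and never re-read the resource to confirm the annotation was not stored, so a command that wrote the annotation and then failed for an unrelated reason would still pass; the replacement features/authorization/resource/annotate.feature should follow the failed annotate with `conjur resource show` and check that `annotations` is empty. Minor: line 22 uses `Then I run ...` followed by a second `Then`; the first should be `When`.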
@@ -1,24 +0,0 @@
|
|
1
|
-
Feature: Checking permissions on a resource
|
2
|
-
|
3
|
-
Background:
|
4
|
-
Given I successfully run `conjur resource create food:$ns/bacon`
|
5
|
-
And I reset the command list
|
6
|
-
|
7
|
-
Scenario: By default I check my own privilege
|
8
|
-
In this case, I have the privilege because I own the resource
|
9
|
-
|
10
|
-
When I successfully run `conjur resource check food:$ns/bacon fry`
|
11
|
-
Then the stdout should contain exactly "true"
|
12
|
-
|
13
|
-
Scenario: I can check the privileges of roles that I own
|
14
|
-
When I successfully run `conjur role create job:$ns/cook`
|
15
|
-
And I reset the command list
|
16
|
-
And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
|
17
|
-
Then the stdout should contain exactly "false"
|
18
|
-
|
19
|
-
Scenario: I can check the privileges of roles that I own
|
20
|
-
When I successfully run `conjur role create job:$ns/cook`
|
21
|
-
And I successfully run `conjur resource permit food:$ns/bacon job:$ns/cook fry`
|
22
|
-
And I reset the command list
|
23
|
-
And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
|
24
|
-
Then the stdout should contain exactly "true"
|
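Review bot: lines 13 and 19 give two different scenarios the identical title `I can check the privileges of roles that I own`, although the first expects `false` (no permit) and the second `true` (after `conjur resource permit`); distinct titles such as `... reports false before a permit` and `... reports true after a permit` make a failing run readable. Both scenarios also create the same `job:$ns/cook` role, so they rely on `$ns` being unique per scenario; that assumption is worth stating in the new feature's Background.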
@@ -1,21 +0,0 @@
|
|
1
|
-
Feature: Create a Resource
|
2
|
-
|
3
|
-
Scenario: Create an abstract resource
|
4
|
-
When I successfully run `conjur resource create food:$ns/bacon`
|
5
|
-
Then the JSON should have "id"
|
6
|
-
And the JSON should have "owner"
|
7
|
-
And the JSON should have "permissions"
|
8
|
-
And the JSON should have "annotations"
|
9
|
-
|
10
|
-
Scenario: The resource owner has all privileges on it
|
11
|
-
When I successfully run `conjur resource create food:$ns/bacon`
|
12
|
-
And I reset the command list
|
13
|
-
And I successfully run `conjur resource check food:$ns/bacon fry`
|
14
|
-
Then the stdout should contain exactly "true"
|
15
|
-
|
16
|
-
Scenario: A different role can be assigned as the owner of the resource
|
17
|
-
When I successfully run `conjur role create job:$ns/chefs`
|
18
|
-
And I successfully run `conjur resource create --as-role job:$ns/chefs food:$ns/bacon`
|
19
|
-
And I reset the command list
|
20
|
-
And I successfully run `conjur resource check -r job:$ns/chefs food:$ns/bacon fry`
|
21
|
-
Then the stdout should contain exactly "true"
|
@@ -1,12 +0,0 @@
|
|
1
|
-
Feature: Deny a privilege on a Resource
|
2
|
-
|
3
|
-
Background:
|
4
|
-
Given I successfully run `conjur resource create food:$ns/bacon`
|
5
|
-
|
6
|
-
Scenario: Once granted, privileges can be revoked
|
7
|
-
|
8
|
-
Given I create a new user named "alice@$ns"
|
9
|
-
And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns fry`
|
10
|
-
When I successfully run `conjur resource deny food:$ns/bacon user:alice@$ns fry`
|
11
|
-
And I successfully run `conjur resource show food:$ns/bacon`
|
12
|
-
Then the JSON at "permissions" should have 0 items
|
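Review bot: the only assertion after `conjur resource deny` (line 11) is that the `permissions` array is empty; it never checks that `conjur resource check -r user:alice@$ns food:$ns/bacon fry` now returns `false`, which is the behaviour that actually matters for revocation. No deny feature exists in the new features/ tree, so revocation is untested at the CLI level after this change unless the new permitted_roles.feature covers it; please confirm.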
@@ -1,24 +0,0 @@
|
|
1
|
-
Feature: Give a resource to another role
|
2
|
-
|
3
|
-
Scenario: I can give a resource which I own to another role
|
4
|
-
Given I successfully run `conjur resource create food:$ns/bacon`
|
5
|
-
And I create a new user named "alice@$ns"
|
6
|
-
Then I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
|
7
|
-
And I reset the command list
|
8
|
-
|
9
|
-
Scenario: Resource owner is in the 'owner' field
|
10
|
-
Given I successfully run `conjur resource create food:$ns/bacon`
|
11
|
-
And I create a new user named "alice@$ns"
|
12
|
-
And I keep the JSON at "roleid" as "USERID"
|
13
|
-
Then I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
|
14
|
-
And I successfully run `conjur resource show food:$ns/bacon`
|
15
|
-
Then the JSON at "owner" should be %{USERID}
|
16
|
-
|
17
|
-
Scenario: When I give a resource away, I give all permissions
|
18
|
-
Given I successfully run `conjur resource create food:$ns/bacon`
|
19
|
-
And I create a new user named "alice@$ns"
|
20
|
-
And I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
|
21
|
-
And I login as "alice@$ns"
|
22
|
-
And I reset the command list
|
23
|
-
When I successfully run `conjur resource check food:$ns/bacon fry`
|
24
|
-
Then the stdout should contain exactly "true"
|
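Review bot: the first scenario (lines 3-7) ends with `And I reset the command list` and no assertion, so it only proves that `conjur resource give` exits 0; either drop the trailing step or finish with a `conjur resource show` check as the second scenario does. The third scenario is the valuable one, since it verifies the new owner actually holds the privilege after the give (`check ... fry` printing `true` as alice); no give feature appears in the new features/ tree, so that ownership-transfer check should be carried over to whichever new feature covers ownership.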