conjur-cli 5.6.6 → 6.0.0.rc1

data/acceptance-features/authorization/resource/permit.feature

@@ -1,20 +0,0 @@
-Feature: Permit a privilege on a Resource
-
-  Background:
-    Given I successfully run `conjur resource create food:$ns/bacon`
-
-  Scenario: Permission can be granted to a new user
-  
-    Given I create a new user named "alice@$ns"
-    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns fry`
-    And I successfully run `conjur resource show food:$ns/bacon`
-    Then the JSON at "permissions" should have 1 item
-    And the JSON at "permissions/0/privilege" should be "fry"
-    And the JSON at "permissions/0/grant_option" should be false
-
-   Scenario: When granted with "grantable" option, the grantee can grant the privilege to other roles (supported since CLI 4.10.2)
-    Given I create a new user named "alice@$ns"
-    And I create a new user named "bob@$ns"
-    And I successfully run `conjur resource permit --grantable food:$ns/bacon user:alice@$ns fry`
-    And I login as "alice@$ns"
-    Then I successfully run `conjur resource permit food:$ns/bacon user:bob@$ns fry`

data/acceptance-features/authorization/resource/permitted_roles.feature

@@ -1,16 +0,0 @@
-Feature: List roles which have a permission on a resource
-
-  Background:
-    Given I successfully run `conjur resource create food:$ns/bacon`
-
-  Scenario: The owner of a resource is always listed in permitted_roles
-    When I successfully run `conjur resource permitted_roles food:$ns/bacon fry`
-    Then the JSON should include %{MY_ROLEID}
-
-  Scenario: When a permission is granted to a new user, the user is listed in permitted_roles
-    Given I create a new user named "alice@$ns"
-    And I keep the JSON at "roleid" as "USERID"
-    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns fry`
-    When I successfully run `conjur resource permitted_roles food:$ns/bacon fry`
-    Then the JSON should include %{USERID}
-    

data/acceptance-features/authorization/resource/show.feature

@@ -1,28 +0,0 @@
-Feature: Show a resource
-
-  Background:
-    Given I successfully run `conjur resource create food:$ns/bacon`
-    And I reset the command list
-  
-  Scenario: Showing a resource displays all its fields
-    When I successfully run `conjur resource show food:$ns/bacon`
-    Then the JSON should have "id"
-    And the JSON should have "owner"
-    And the JSON should have "permissions"
-    And the JSON should have "annotations"
-
-  Scenario: You can't show a resource on which you have no privileges
-    Given I login as a new user
-    And I reset the command list
-    When I run `conjur resource show food:$ns/bacon`
-    Then the exit status should be 1
-    And the output should contain "Forbidden"
-    
-  Scenario: You can show any resource if you have a privilege on it
-    Once alice has a permission to fry bacon, she can show everything
-    about bacon.
-  
-    Given I create a new user named "alice@$ns"
-    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns fry`
-    And I login as "alice@$ns"
-    Then I successfully run `conjur resource show food:$ns/bacon`

data/acceptance-features/authorization/role/create.feature

@@ -1,13 +0,0 @@
-Feature: Create a Role
-
-  Scenario: Create an abstract role
-    When I run `conjur role create job:$ns/chef`
-    Then the exit status should be 0
-    And the output should contain "Created role"
-
-  Scenario: Role owner has the new role listed in its memberships
-    When I run `conjur role create --json --as-group $ns/security_admin job:$ns/chef`
-    Then the exit status should be 0
-    And I keep the JSON response at "roleid" as "ROLEID"
-    And I run `conjur role memberships group:$ns/security_admin`
-    And the JSON should include %{ROLEID}

data/acceptance-features/authorization/role/exists.feature

@@ -1,19 +0,0 @@
-Feature: Test existance of a role
-
-  Scenario: A never-created role does not exist
-    When I successfully run `conjur role exists --json food:$ns/nonesuch`
-    Then the JSON at "exists" should be false
-
-  Scenario: A created role does exist
-    When I successfully run `conjur role create --json food:$ns/bacon`
-    And I keep the JSON response at "roleid" as "ROLEID"
-    And I successfully run `conjur role exists --json %{ROLEID}`
-    Then the JSON at "exists" should be true
-
-  Scenario: Even foreign user can check existance of a role 
-    When I successfully run `conjur role create --json food:$ns/bacon`
-    And I keep the JSON response at "roleid" as "ROLEID"
-    And I login as a new user 
-    And I run `conjur role exists --json %{ROLEID}`
-    Then the JSON at "exists" should be true
-  

data/acceptance-features/authorization/role/grant_to.feature

@@ -1,21 +0,0 @@
-Feature: Grant membership in a role to another role
-  
-  Scenario: Granting a role confers membership
-    When I successfully run `conjur role create job:$ns/cooks`
-    And I successfully run `conjur role create people:$ns/alice`
-    And I successfully run `conjur role grant_to job:$ns/cooks people:$ns/alice`
-    And I successfully run `conjur role members job:$ns/cooks`
-    Then the JSON should have 2 entries
-    
-  Scenario: Granting a role gives the grantee permissions of the granted role
-    When I successfully run `conjur role create job:$ns/cooks`
-    And I successfully run `conjur role create people:$ns/alice`
-    And  I successfully run `conjur resource create food:$ns/bacon`
-    And I successfully run `conjur resource permit food:$ns/bacon job:$ns/cooks fry`
-    And I successfully run `conjur resource check -r job:$ns/cooks food:$ns/bacon fry`
-    Then the output should contain "true"
-    When I successfully run `conjur resource check -r people:$ns/alice food:$ns/bacon fry`
-    Then the output should contain "false"
-    When I successfully run `conjur role grant_to job:$ns/cooks people:$ns/alice`
-    And I successfully run `conjur resource check -r people:$ns/alice food:$ns/bacon fry`
-    Then the output should contain "true"

data/acceptance-features/authorization/role/graph.feature

@@ -1,57 +0,0 @@
-Feature: Retrieving role graphs
-  As a Conjur user
-  In order to understand the role hierarchy
-  I want to retrieve role graphs and present them in a useful format
-
-Background:
-  Given a graph with edges
-    | Tywin     | Jamie         |
-    | Tywin     | Cersei        |
-    | Cersei    | Joffrey       |
-    | Jamie     | Joffrey       |
-    | Aerys     | Tyrion        |
-    | Joanna    | Tyrion        |
-
-  Scenario: Showing the graph as JSON
-    When I successfully run with role expansion "conjur role graph --as-role Joffrey Joffrey"
-    Then the graph JSON should be:
-      """
-        {
-          "graph": [
-            { "parent": "Tywin",  "child": "Jamie" },
-            { "parent": "Tywin",  "child": "Cersei"},
-            { "parent": "Cersei", "child": "Joffrey"},
-            { "parent": "Jamie",  "child": "Joffrey" }
-          ]
-        }
-      """
-
-  Scenario: Short JSON output
-    When I successfully run with role expansion "conjur role graph --short --as-role Joffrey Joffrey"
-    Then the graph JSON should be:
-      """
-        [
-          [ "Tywin", "Jamie"   ],
-          [ "Tywin", "Cersei"  ],
-          [ "Jamie", "Joffrey" ],
-          [ "Cersei", "Joffrey"]
-        ]
-      """
-
-  Scenario: I can restrict the output to show only ancestors or descendants
-    When I successfully run with role expansion "conjur role graph --short --no-ancestors --as-role Cersei Cersei"
-    Then the graph JSON should be:
-      """
-        [
-          [ "Cersei", "Joffrey" ]
-        ]
-      """
-    When I successfully run with role expansion "conjur role graph --short --no-descendants --as-role Cersei Cersei Jamie"
-    Then the graph JSON should be:
-      """
-        [
-          [ "Tywin", "Cersei" ],
-          [ "Tywin", "Jamie"  ]
-        ]
-      """
-

data/acceptance-features/authorization/role/members.feature

@@ -1,23 +0,0 @@
-Feature: List members of a role
-
-  Scenario: Role members list is initally just the creator of the role
-    When I successfully run `conjur role create job:$ns/chef`
-    And I successfully run `conjur role members job:$ns/chef`
-    Then the JSON should have 1 entries
-
-  Scenario: Members can be added to the role by granting them the role
-    When I successfully run `conjur role create job:$ns/chef`
-    And I successfully run `conjur user create alice@$ns`
-    And I successfully run `conjur role grant_to job:$ns/chef user:alice@$ns`
-    And I successfully run `conjur role members job:$ns/chef`
-    Then the JSON should have 2 entries
-
-  Scenario: Members list is not expanded transitively
-    When I successfully run `conjur role create job:$ns/chef`
-    And I successfully run `conjur group create $ns/cooks`
-    And I successfully run `conjur user create alice@$ns`
-    And I successfully run `conjur group members add $ns/cooks user:alice@$ns`
-    When I successfully run `conjur role grant_to job:$ns/chef group:$ns/cooks`
-    And I successfully run `conjur role members job:$ns/chef`
-    Then the JSON should have 2 entries
-    

data/acceptance-features/authorization/role/memberships.feature

@@ -1,27 +0,0 @@
-Feature: List memberships of a role
-
-  Scenario: The role memberships list includes the role itself
-    Given I successfully run `conjur role create job:$ns/chef`
-    When I successfully run `conjur role memberships job:$ns/chef`
-    Then the JSON should have 1 entries
-
-  Scenario: Memberships can be added to a role by granting it a new role
-    Given I successfully run `conjur role create job:$ns/cook`
-    And I successfully run `conjur role create job:$ns/chef`
-    # Cooks are chefs
-    And I successfully run `conjur role grant_to job:$ns/cook job:$ns/chef`
-    When I successfully run `conjur role memberships job:$ns/chef`
-    # Therefore chefs are cooks and chefs
-    Then the JSON should have 2 entries
-
-  Scenario: Members list is expanded transitively
-    Given I successfully run `conjur role create person:$ns/myself`
-    And I successfully run `conjur role create job:$ns/cook`
-    And I successfully run `conjur role create job:$ns/chef`
-    # I am a chef
-    And I successfully run `conjur role grant_to job:$ns/chef person:$ns/myself`
-    # Chefs are cooks
-    And I successfully run `conjur role grant_to job:$ns/cook job:$ns/chef`
-    When I successfully run `conjur role memberships person:$ns/myself`
-    # Therefore I am me, a cook, and a chef
-    Then the JSON should have 3 entries

data/acceptance-features/bootstrap.feature

@@ -1,13 +0,0 @@
-Feature: "conjur bootstrap" creates default resources, privileges and roles
-
-	Background:
-    Given I successfully run `conjur bootstrap -q`
-
-	Scenario: A new security admin can use 'elevate'
-    When I successfully run `conjur resource permitted_roles '!:!:conjur' elevate`
-    Then the stdout should contain "cucumber:group:security_admin"
-
-	Scenario: Run bootstrap and test for the existence of things
-    Then I successfully run `conjur elevate group show security_admin`
-    And  I successfully run `conjur elevate host show conjur/secrets-rotator`
-    And  I successfully run `conjur elevate resource show webservice:conjur/authn-tv`

data/acceptance-features/conjurenv/check.feature

@@ -1,21 +0,0 @@
-Feature: Check an environment
-
-  Background: 
-    Given I run `conjur variable create $ns/access_key ABCDEF`
-    And I run `conjur variable create $ns/secret_key XYZQWER`
-    And I run `conjur variable create $ns/ssh_private_key PRIVATE_KEY_BODY`
-    And I create a new user named "alice@$ns"
-    And I run `conjur resource permit variable:$ns/access_key user:alice@$ns execute`
-    And I run `conjur resource permit variable:$ns/secret_key user:alice@$ns execute`
-    And I login as "alice@$ns"
-    And I reset the command list
-
-  Scenario: Check against permitted variables
-    When I run `conjur env check --yaml '{ aws_access_key: !var $ns/access_key , aws_secret_key: !var $ns/secret_key }'`
-    Then the exit status should be 0
-    And the stdout should contain "aws_access_key: available\naws_secret_key: available\n"
-
-  Scenario: Check against restricted variables
-    When I run `conjur env check --yaml '{ aws_access_key: !var $ns/access_key , ssh_private_key: !var $ns/ssh_private_key }'`
-    Then the exit status should be 1
-    And the stdout should contain "aws_access_key: available\nssh_private_key: unavailable\n"

data/acceptance-features/conjurenv/run.feature

@@ -1,10 +0,0 @@
-Feature: Run command in an environment populated from Conjur variables
-
-  Background: 
-    Given I run `conjur variable create $ns/access_key ABCDEF`
-    And I run `conjur variable create $ns/secret_key XYZQWER`
-    And I reset the command list
-
-  Scenario:
-    When I run `bash -c "conjur env run --yaml '{ cloud_access_key: !var $ns/access_key , cloud_secret_key: !var $ns/secret_key }' -- env | grep CLOUD_"`
-    Then the stdout should contain exactly "CLOUD_ACCESS_KEY=ABCDEF\nCLOUD_SECRET_KEY=XYZQWER"

data/acceptance-features/directory/group/create.feature

@@ -1,20 +0,0 @@
-Feature: Create a group
-  
-  Scenario: Create a new group
-    When I successfully run `conjur group create $ns/ops`
-    Then the JSON response should have the following:
-      | id         |
-      | ownerid    |
-      | resource_identifier |
-      | roleid     |
-    And the JSON response at "id" should include "/ops"
-    
-  Scenario: Add a user to the group and show the list of members
-    Given I successfully run `conjur user create bob@$ns`
-    And I successfully run `conjur group create $ns/ops`
-    And I successfully run `conjur group members add $ns/ops user:bob@$ns`
-    When I successfully run `conjur group members list $ns/ops`
-    Then the JSON response should have 2 entries
-    And the JSON response at "0" should include "admin@"
-    And the JSON response at "1" should include "bob@"
-      

data/acceptance-features/directory/group/retire.feature

@@ -1,54 +0,0 @@
-Feature: Retire a group
-  Background:
-    When I successfully run `conjur group create $ns/ops`
-
-  Scenario: Basic retirement
-    Then I successfully run `conjur group retire -d user:attic@$ns $ns/ops`
-
-  Scenario: Retiring a non-existent thing propagates the 404
-    Then I run `conjur group retire -d user:attic@$ns $ns/foobar`
-    Then the exit status should be 1
-    And the stderr should contain "Resource Not Found"
-
-  Scenario: A foreign user can't retire a group
-    Given I login as a new user
-    And I run `conjur group retire -d user:attic@$ns $ns/ops`
-    Then the exit status should be 1
-    And the stderr should contain "You can't administer this record"
-
-  Scenario: Can't retire to a non-existant role
-    And I run `conjur group retire -d user:foobar $ns/ops`
-    Then the exit status should be 1
-    And the output should match /error: Destination role/
-    And the output should match /doesn't exist$/
-
-  Scenario: I can retire a group which I've granted to another group
-    Given I successfully run `conjur group create $ns/admin`
-    And I successfully run `conjur role grant_to group:$ns/ops group:$ns/admin`
-    Then I successfully run `conjur group retire -d user:attic@$ns $ns/ops`
-
-  Scenario: I can retire a group which I've given to a group that I can admin
-    Given I successfully run `conjur group create $ns/admin`
-    And I successfully run `conjur resource give group:$ns/ops group:$ns/admin`
-    Then I successfully run `conjur group retire -d user:attic@$ns $ns/ops`
-
-  Scenario: I can't retire a group if I can't admin the group's role
-    Given I successfully run `conjur group create $ns/admin`
-    And I successfully run `conjur role grant_to group:$ns/ops group:$ns/admin`
-    Given I create a new user named "alice@$ns"
-    And I successfully run `conjur group members add -a $ns/admin alice@$ns`
-    And I login as "alice@$ns"
-    And I run `conjur group retire -d user:attic@$ns $ns/ops`
-    Then the exit status should be 1
-    And the stderr should contain "You can't administer this record"
-
-  Scenario: I can't retire a group if I can't admin the group's record
-    Given I successfully run `conjur group create $ns/admin`
-    And I successfully run `conjur role grant_to -a group:$ns/ops group:$ns/admin`
-    Given I create a new user named "alice@$ns"
-    And I successfully run `conjur group members add -a $ns/admin alice@$ns`
-    And I login as "alice@$ns"
-    And I run `conjur group retire -d user:attic@$ns $ns/ops`
-    Then the exit status should be 1
-    And the stderr should contain "You don't own the record"
-    

data/acceptance-features/directory/host/create.feature

@@ -1,23 +0,0 @@
-Feature: Create a Host
-
-  Scenario: Create a host with automatically generated ID
-    When I successfully run `conjur host create`
-    And the JSON should have "api_key" 
-    And the JSON should have "id"
-
-  Scenario: Create a host with explicit ID
-    When I successfully run `conjur host create $ns.myhost.example.com`
-    And the JSON should have "api_key" 
-    And I keep the JSON response at "id" as "ID" 
-    Then the output should contain "myhost.example.com"
-  
-  Scenario: Create a host owned by the security_admin group
-    When I successfully run `conjur host create --as-group $ns/security_admin`
-    And I keep the JSON response at "ownerid" as "OWNERID"
-    Then the output should contain "/security_admin"
-  
-  Scenario: Host does not belong to any layers by default
-    When I successfully run `conjur host create $ns.myhost.example.com`
-    And I successfully run `conjur host layers $ns.myhost.example.com`
-    And the JSON should be []  
-     

data/acceptance-features/directory/host/retire.feature

@@ -1,6 +0,0 @@
-Feature: Retire a host
-  Background:
-    When I successfully run `conjur host create $ns/host`
-
-  Scenario: Basic retirement
-    Then I successfully run `conjur host retire -d user:attic@$ns $ns/host`

data/acceptance-features/directory/hostfactory/create.feature

@@ -1,28 +0,0 @@
-Feature: Create a Host Factory
-
-  Background:
-
-  Scenario: Create a host factory successfully
-    Given I successfully run `conjur layer create --as-group $ns/security_admin $ns/layer`
-    Then I successfully run `conjur hostfactory create --as-group $ns/security_admin --layer $ns/layer $ns/hostfactory`
-
-	Scenario: The client role can use itself as the hostfactory role
-    Given I successfully run `conjur user create unprivileged@$ns`
-    And I successfully run `conjur layer create $ns/layer`
-    When I run `conjur hostfactory create --as-role user:unprivileged@$ns --layer $ns/layer $ns/hostfactory`
-
-	Scenario: If current role cannot admin the layer, the error is reported
-		Given I successfully run `conjur layer create $ns/the-layer`
-		And I login as a new user
-		Given I successfully run `conjur group create $ns/the-group`
-		And I run `conjur hostfactory create --as-group $ns/the-group -l $ns/the-layer $ns/the-factory`
-		Then the exit status should not be 0
-		And the output should contain "must be an admin of layer"
-	
-	Scenario: If current role cannot admin the HF role, the error is reported
-		Given I successfully run `conjur group create $ns/the-group`
-		And I login as a new user
-		Given I successfully run `conjur layer create $ns/the-layer`
-		And I run `conjur hostfactory create --as-group $ns/the-group -l $ns/the-layer $ns/the-factory`
-		Then the exit status should not be 0
-		And the output should contain "must be an admin of role"

data/acceptance-features/directory/hostfactory/tokens.feature

@@ -1,16 +0,0 @@
-Feature: Host factory tokens
-
-  Background:
-    Given I successfully run `conjur layer create --as-group $ns/security_admin $ns/layer`
-    And I successfully run `conjur hostfactory create --as-group $ns/security_admin --layer $ns/layer $ns/hostfactory`
-
-  Scenario: create a host factory token
-    When I successfully run `conjur hostfactory token create $ns/hostfactory`
-    Then the JSON should have "0/token"
-
-  Scenario: create a host using a token
-    When I successfully run `conjur hostfactory token create $ns/hostfactory`
-    And I keep the JSON response at "0/token" as "TOKEN"
-    Then I successfully run `conjur hostfactory host create %{TOKEN} $ns/host`
-    And the JSON should have "api_key"
-