conjur-cli 5.6.6 → 6.0.0.rc1

data/acceptance-features/directory/layer/create.feature

@@ -1,10 +0,0 @@
-Feature: Create a layer
-  
-  Scenario: Create a layer
-    When I successfully run `conjur layer create $ns/test_layer`
-    Then the JSON response at "id" should include "test_layer"
-    And the JSON response at "hosts" should be []
-  
-  Scenario: Create a layer owned by the security_admin group
-    When I successfully run `conjur layer create --as-group $ns/security_admin $ns/test_layer`
-    Then the JSON response at "ownerid" should include "security_admin"

data/acceptance-features/directory/layer/hosts-add.feature

@@ -1,9 +0,0 @@
-Feature: Add hosts to layer
-
-  Background:
-    Given I run `conjur layer create $ns/testlayer`
-    And I run `conjur host create $ns.example.com`
-    
-  Scenario: Add host to layer
-    When I successfully run `conjur layer hosts add $ns/testlayer $ns.example.com`
-    Then the output should contain "Host added"

data/acceptance-features/directory/layer/hosts-remove.feature

@@ -1,10 +0,0 @@
-Feature: Remove hosts from layer
-
-  Background:
-    Given I run `conjur layer create $ns/testlayer`
-    And I run `conjur host create $ns.example.com`
-    And I run `conjur layer hosts add $ns/testlayer $ns.example.com`
-    
-  Scenario: Remove host from layer
-    When I successfully run `conjur layer hosts remove $ns/testlayer $ns.example.com`
-    Then the output should contain "Host removed"

data/acceptance-features/directory/layer/retire.feature

@@ -1,43 +0,0 @@
-Feature: Retire a layer
-  Background:
-    When I successfully run `conjur layer create $ns/applayer`
-
-  Scenario: Basic retirement
-    Then I successfully run `conjur layer retire -d user:attic@$ns $ns/applayer`
-
-  Scenario: Retiring a non-existent thing propagates the 404
-    Then I run `conjur layer retire -d user:attic@$ns $ns/foobar`
-    Then the exit status should be 1
-    And the stderr should contain "Resource Not Found"
-
-  Scenario: A foreign user can't retire a layer
-    Given I login as a new user
-    And I run `conjur layer retire -d user:attic@$ns $ns/applayer`
-    Then the exit status should be 1
-    And the stderr should contain "You can't administer this record"
-
-  Scenario: Can't retire to a non-existant role
-    And I run `conjur layer retire -d user:foobar $ns/applayer`
-    Then the exit status should be 1
-    And the output should match /error: Destination role/
-    And the output should match /doesn't exist$/
-
-  Scenario: I can retire a layer which I've granted to a group
-    Given I successfully run `conjur group create $ns/admin`
-    And I successfully run `conjur role grant_to layer:$ns/applayer group:$ns/admin`
-    Then I successfully run `conjur layer retire -d user:attic@$ns $ns/applayer`
-
-  Scenario: I can retire a layer which I've given to a group that I can admin
-    Given I successfully run `conjur group create $ns/admin`
-    And I successfully run `conjur resource give layer:$ns/applayer group:$ns/admin`
-    Then I successfully run `conjur layer retire -d user:attic@$ns $ns/applayer`
-
-  Scenario: I can't retire a layer if I can't admin the layer's role
-    Given I successfully run `conjur group create $ns/admin`
-    And I successfully run `conjur role grant_to layer:$ns/applayer group:$ns/admin`
-    Given I create a new user named "alice@$ns"
-    And I successfully run `conjur group members add -a $ns/admin alice@$ns`
-    And I login as "alice@$ns"
-    And I run `conjur layer retire -d user:attic@$ns $ns/applayer`
-    Then the exit status should be 1
-    And the stderr should contain "You can't administer this record"

data/acceptance-features/directory/user/create.feature

@@ -1,23 +0,0 @@
-Feature: Create a User
-
-  Scenario: Create a passwordless user
-    When I successfully run `conjur user create alice-without-password@$ns`
-    And the JSON should have "api_key"
- 
-  Scenario: Create a user with a password
-    When I run `conjur user create -p alice-with-password@$ns` interactively
-    And I type "foobar"
-    And I type "foobar"
-    Then the exit status should be 0
-    And the JSON should have "api_key"
-
-  Scenario: Create a user owned by the security_admin group
-    When I successfully run `conjur user create --as-group $ns/security_admin alice-without-password@$ns`
-    And I keep the JSON response at "ownerid" as "OWNERID"
-    Then the output should contain "/security_admin"
- 
-  Scenario: Some characters are disallowed in user ids, such as /
-    When I run `conjur user create alice/$ns`
-    Then the exit status should be 1
-    And the stderr should contain "error: 403 Forbidden"
-    And the stdout should not contain anything

data/acceptance-features/directory/user/retire.feature

@@ -1,6 +0,0 @@
-Feature: Retire a user
-  Background:
-    When I successfully run `conjur user create --as-role user:admin@$ns alice@$ns`
-
-  Scenario: Basic retirement
-    Then I successfully run `conjur user retire -d user:attic@$ns alice@$ns`

data/acceptance-features/directory/variable/create.feature

@@ -1,14 +0,0 @@
-Feature: create an empty variable
-
-  Background:
-    Given I successfully run `conjur variable create $ns/secret` 
-
-  Scenario: Variable is created and responds to metadata
-    When I run `conjur variable show $ns/secret`
-    Then the JSON should have "id"
-    And the JSON should have "ownerid"
-    And the JSON at "version_count" should be 0
-  
-  Scenario: Variable keeps no value
-    When I run `conjur variable value $ns/secret`
-    Then the exit status should be 1

data/acceptance-features/directory/variable/retire.feature

@@ -1,17 +0,0 @@
-Feature: Retire a variable
-  Background:
-    Given I successfully run `conjur variable create $ns/secret the-value` 
-
-  Scenario: Basic retirement
-    Then I successfully run `conjur variable retire -d user:attic@$ns $ns/secret`
-
-  Scenario: A foreign user can't retire a secret
-    Given I login as a new user
-    And I run `conjur variable retire -d user:attic@$ns $ns/secret`
-    Then the exit status should be 1
-    And the stderr should contain "You don't own the record"
-
-  Scenario: I can retire a variable which I've given to a group that I can admin
-    Given I successfully run `conjur group create $ns/admin`
-    And I successfully run `conjur resource give variable:$ns/secret group:$ns/admin`
-    Then I successfully run `conjur variable retire -d user:attic@$ns $ns/secret`

data/acceptance-features/dsl/policy_owner.feature

@@ -1,45 +0,0 @@
-Feature: Loading a policy can specify the policy's admin
-
-  Background:
-    Given I successfully run `conjur group create $ns/admin`
-    And a file named "policy.rb" with:
-    """
-policy 'test-policy-1.0' do
-  user "test_user"
-end
-    """
-    And I reset the command list
-
-  Scenario: --as-group works
-    When I run `conjur rubydsl load --as-group $ns/admin --collection $ns` interactively
-    And I pipe in the file "policy.rb"
-    And the command completes successfully
-    And I reset the command list
-    When I run `conjur role members policy:$ns/test-policy-1.0`
-    Then the JSON should be:
-    """
-    [
-	    "cucumber:group:%{NAMESPACE}/admin"
-	  ]
-	  """
-
-  Scenario: --as-role works
-    When I run `conjur rubydsl load --as-role group:$ns/admin --collection $ns` interactively
-    And I pipe in the file "policy.rb"
-    And the command completes successfully
-    And I reset the command list
-    When I run `conjur role members policy:$ns/test-policy-1.0`
-    Then the JSON should be:
-    """
-    [
-	    "cucumber:group:%{NAMESPACE}/admin"
-	  ]
-	  """
-
-  Scenario: --as-group doesn't interfere with policy ownership of other resources
-    When I run `conjur rubydsl load --as-group $ns/admin --collection $ns` interactively
-    And I pipe in the file "policy.rb"
-    And the command completes successfully
-    And I reset the command list
-    When I run `conjur resource show user:test_user@$ns-test-policy-1-0`
-    Then the JSON at "owner" should be "cucumber:policy:%{NAMESPACE}/test-policy-1.0"

data/acceptance-features/dsl/resource_owner.feature

@@ -1,17 +0,0 @@
-Feature: Resources created by a policy are owned by the policy
-
-  Background:
-    Given a file named "policy.rb" with:
-    """
-policy 'test-policy-1.0' do
-  resource 'webservice', 'web1'
-end
-    """
-
-  Scenario: resource is create with correct ownership
-    When I run `conjur rubydsl load --collection $ns` interactively
-    And I pipe in the file "policy.rb"
-    And the command completes successfully
-    And I reset the command list
-    When I run `conjur resource show webservice:$ns/test-policy-1.0/web1`
-    Then the JSON at "owner" should be "cucumber:policy:%{NAMESPACE}/test-policy-1.0"

data/acceptance-features/dsl/retire.feature

@@ -1,15 +0,0 @@
-Feature: Retire a policy
-  Background:
-    Given a file named "policy.rb" with:
-    """
-policy 'test-policy-1.0' do
-end
-    """
-    And I run `conjur rubydsl load --as-role user:admin@$ns --collection $ns` interactively
-    And I pipe in the file "policy.rb"
-    And the exit status should be 0
-
-  @wip
-  Scenario: Basic retirement
-    Then I successfully run `conjur rubydsl retire -d user:attic@$ns $ns/test-policy-1.0`
-

data/acceptance-features/global-privilege/elevate.feature

@@ -1,20 +0,0 @@
-Feature: 'elevate' can be used to activate root-like privileges
-
-  Background:
-    Given I successfully run `conjur variable create $ns/secret secretvalue`
-    And I create a new user named "alice@$ns"
-    
-  Scenario: The secret value is not accessible without 'elevate' privilege
-    Given I login as "alice@$ns"
-    When I run `conjur variable value $ns/secret`
-    Then the exit status should be 1
-  
-  Scenario: 'elevate' can't be used without permission
-    Given I login as "alice@$ns"
-    When I run `conjur elevate variable show $ns/secret`
-    Then the exit status should be 1
-  
-  Scenario: The secret value is accessible with 'elevate' privilege
-    Given I successfully run `conjur resource permit '!:!:conjur' user:alice@$ns elevate`
-    And I login as "alice@$ns"
-    Then I successfully run `conjur elevate variable value $ns/secret`

data/acceptance-features/global-privilege/reveal.privilege

@@ -1,20 +0,0 @@
-Feature: 'reveal' can be used to see all records
-
-  Background:
-    Given I successfully run `conjur variable create $ns/secret secretvalue`
-    And I create a new user named "alice@$ns"
-    
-  Scenario: The secret value is not accessible without 'reveal' privilege
-    Given I login as "alice@$ns"
-    When I run `conjur variable show $ns/secret`
-    Then the exit status should be 1
-
-  Scenario: 'reveal' can't be used without permission
-    Given I login as "alice@$ns"
-    When I run `conjur reveal variable show $ns/secret`
-    Then the exit status should be 1
-  
-  Scenario: The secret value is accessible with 'reveal' privilege
-    Given I successfully run `conjur resource permit '!:!:conjur' user:alice@$ns reveal`
-    And I login as "alice@$ns"
-    Then I successfully run `conjur reveal variable show $ns/secret`

data/acceptance-features/pubkeys/add.feature

@@ -1,22 +0,0 @@
-Feature: Register a public key
-
-  Background:
-    Given I successfully run `conjur user create alice@$ns`
-    And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
-    And I reset the command list
-
-  Scenario: Register a public key file for a user
-    When I run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
-    Then the exit status should be 0
-
-  Scenario: You can't accidentally register the private key
-    When I run `conjur pubkeys add alice@$ns @id_alice_$ns`
-    Then the exit status should be 1
-    And the stderr should contain "Unprocessable Entity"
-
-  Scenario: Unauthorized users cannot modify public keys
-    Given I login as new user "bob@$ns"
-    And I reset the command list
-    And I run `conjur pubkeys add alice@$ns @id_alice_$ns.pub` 
-    Then the exit status should be 1
-    And the stderr should contain "Forbidden"

data/acceptance-features/pubkeys/delete.feature

@@ -1,9 +0,0 @@
-Feature: Remove a public key
-
-  Background:
-    Given I successfully run `conjur user create alice@$ns`
-    And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
-
-  Scenario: To remove a public key, use the user's login name and the key name (-C option to ssh-keygen)
-    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
-    Then I successfully run `conjur pubkeys delete alice@$ns laptop`

data/acceptance-features/pubkeys/names.feature

@@ -1,26 +0,0 @@
-Feature: List known public key names for a user
-
-  Background:
-    Given I successfully run `conjur user create alice@$ns`
-    And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
-    And I reset the command list
-
-  Scenario: Initial key names list is empty
-    When I run `conjur pubkeys names alice@$ns`
-    Then the stdout should contain exactly ""
-
-  Scenario: After adding a key, the key name is shown
-    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
-    And I reset the command list
-    And I run `conjur pubkeys names alice@$ns`
-    Then the stdout should contain exactly:
-    """
-    laptop\n
-    """
-
-  Scenario: After deleting the key, the key names list is empty again
-    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
-    And I successfully run `conjur pubkeys delete alice@$ns laptop`
-    And I reset the command list
-    And I run `conjur pubkeys names alice@$ns`
-    Then the stdout should contain exactly ""

data/acceptance-features/pubkeys/show.feature

@@ -1,27 +0,0 @@
-Feature: Show public keys for a user
-
-  Background:
-    Given I successfully run `conjur user create alice@$ns`
-    And I successfully run `ssh-keygen -t rsa -C "laptop" -N "" -f ./id_alice_$ns`
-    And I reset the command list
-
-  Scenario: Initial key list is empty
-    When I run `conjur pubkeys show alice@$ns`
-    Then the stdout should contain exactly "\n"
-
-  Scenario: After adding a key, the key is shown
-    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
-    And I run `conjur pubkeys show alice@$ns`
-    And the output should match /^ssh-rsa .* laptop$/
-
-  Scenario: After deleting the key, the key list is empty again
-    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
-    And I successfully run `conjur pubkeys delete alice@$ns laptop`
-    And I reset the command list
-    And I run `conjur pubkeys show alice@$ns`
-    Then the stdout should contain exactly "\n"
-
-  Scenario: Public keys can be listed using cURL, without authentication
-    Given I successfully run `conjur pubkeys add alice@$ns @id_alice_$ns.pub`
-    When I successfully run `curl -k $pubkeys_url/alice@$ns`
-    Then the output should match /^ssh-rsa .* laptop$/

data/acceptance-features/step_definitions/cli_steps.rb

@@ -1,57 +0,0 @@
-Transform /\$ns/ do |s|
-  s.gsub('$ns', namespace)
-end
-
-Transform /\$user_role/ do |s|
-  s.gsub('$user_role', test_user.role_id)
-end
-
-Transform /^table:/ do |table|
-  table.tap do |t|
-    t.hashes.each do |row|
-      row.each do |_,v|
-        v.gsub!('$ns', namespace)
-        v.gsub!('$user_role', test_user.role_id)
-      end
-    end
-  end
-end
-
-
-Then /^I reset the command list/ do
-  aruba.command_monitor.clear
-end
-
-When /^the command completes successfully/ do
-  last_command_started.wait
-  last_command_started.terminate
-  expect(last_command_started.exit_status).to eq(0)
-end
-
-Then /^I send the audit event:/ do |event|
-  step "I run `env RESTCLIENT_LOG=stderr conjur audit send` interactively"
-  last_command_started.write event
-  last_command_started.close_io :stdin
-  step "the command completes successfully"
-end
-
-# this is step copypasted from https://github.com/cucumber/aruba/blob/master/lib/aruba/cucumber.rb#L24 
-# original has typo in regexp, which is fixed here
-Given(/^a file named "([^"]*?)" with: '(.*?)'$/) do |file_name, file_content|
-  write_file(file_name, file_content)
-end
-
-Given(/^a file named "([^"]*?)" with namespace substitution:$/) do |file_name, file_content|
-  step "a file named \"#{file_name}\" with:", file_content
-end
-
-Then /^it prints the path to temporary file which contains: '(.*)'$/ do |content|
-  filename = last_command_started.stdout.strip
-  tempfiles << filename
-  actual_content = File.read(filename)
-  expect(actual_content).to match(content)
-end
-
-Then /^the output from "([^"]*)" should match \/([^\/]*)\/$/ do |cmd, expected|
-  assert_matching_output(expected, output_from(cmd))
-end

data/acceptance-features/step_definitions/graph_steps.rb

@@ -1,22 +0,0 @@
-
-Given /^a graph with edges$/ do |table|
-  graph table.raw
-end
-
-Then %r{^the graph JSON should be:$} do |json|
-  json = expand_roles json
-  last_graph = extract_filtered_graph json
-  expect(last_graph.to_json).to be_json_eql(json)
-end
-
-When(/^I( successfully)? run with role expansion "(.*)"$/) do |successfully, cmd|
-  role_id_map.each do |role, expanded_role|
-    cmd.gsub! role, expanded_role
-  end
-  self.last_cmd = cmd
-  if successfully
-    step "I successfully run `#{cmd}`"
-  else
-    step "I run `#{cmd}`"
-  end
-end