conjur-cli 5.6.6 → 6.0.0.rc1

data/acceptance-features/step_definitions/user_steps.rb

@@ -1,51 +0,0 @@
-Given(/^I login as a new user$/) do
-  @username_index ||= 0
-  username = %w(alice bob charles dave edward)[@username_index]
-  raise "I'm out of usernames!" unless username
-  @username_index += 1
-  @username = "#{username}@$ns"
-  step %Q(I login as new user "#{@username}")
-end
-
-Given(/^I create a new user named "(.*?)"$/) do |username|
-  step "I successfully run `conjur user create --as-role user:admin@#{namespace} #{username}`"
-  
-  user_info = JSON.parse(last_command_started.stdout)
-  save_password username, user_info['api_key']
-end
-
-Given(/^I create a new host with id "(.*?)"$/) do |hostid|
-  step "I successfully run `conjur host create #{namespace}/monitoring/server`"
-  host = JSON.parse(last_json)
-  @host_id = host['id']
-  @host_api_key = host['api_key']
-end
-
-Given(/^I login as the new host/) do
-  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "host/#{@host_id}")
-  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{@host_api_key}")
-end
-
-Given(/^I login as new user "(.*?)"$/) do |username|
-  step %Q(I create a new user named "#{username}")
-  step %Q(I login as "#{username}")
-end
-
-Given(/^I login as "(.*?)"$/) do |username|
-  password = find_password(username)
-  
-  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "#{username}")
-  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{password}")
-end
-
-Then(/^I(?: can)? type and confirm a new password/) do
-  @password = SecureRandom.hex(12)
-  step %Q(I type "#{@password}")
-  step %Q(I type "#{@password}")
-  step "the exit status should be 0"
-end
-
-When(/^I enter the password/) do
-  raise "No current password" unless @password
-  step %Q(I type "#{@password}")
-end

data/acceptance-features/support/env.rb

@@ -1,23 +0,0 @@
-require "aruba/cucumber"
-require "json_spec/cucumber"
-require 'cucumber-api'
-require 'addressable/uri'
-
-$LOAD_PATH.unshift File.expand_path('../..', File.dirname(__FILE__))
-
-# Overwrite cucumber-api's resolve function so it will use the scheme
-# and host from ENV['CONJUR_APPLIANCE_URL'] if url doesn't already
-# have a host.
-$orig_resolve = self.method(:resolve)
-def resolve url
-  # disable cucumber-api's ill-considered cache. Re-authenticate in
-  # case it (cucumber-api) wiped out the headers
-  $cache = {} 
-  add_user_auth_header
-  url = Addressable::URI.parse(url)
-  unless url.host
-    conjur_url = Addressable::URI.parse(Conjur.configuration.appliance_url)
-    url.merge!(:scheme => conjur_url.scheme, :host => conjur_url.host)
-  end
-  $orig_resolve.call(url.to_s)
-end

data/acceptance-features/support/hooks.rb

@@ -1,178 +0,0 @@
-
-require 'conjur/api'
-require 'conjur/cli'
-require 'conjur/authn'
-
-netrc = Conjur::Authn.netrc
-username, password = Conjur::Authn.get_credentials
-raise "Not logged in to Conjur" unless username && password
-puts "Performing acceptance tests as root-ish user '#{username}'"
-
-Aruba.configure do |config|
-  config.exit_timeout = 30
-  config.io_wait_timeout = 2
-end
-
-Before('@conjurapi-log') do
-  set_env 'CONJURAPI_LOG', 'stderr'
-end
-
-Before do
-  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "#{username}")
-  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{password}")
-
-  @admin_api = Conjur::Authn.connect
-  @test_user = admin_api.create_user "admin@#{namespace}", ownerid: "#{Conjur.configuration.account}:user:#{username}"
-
-  @security_admin = admin_api.create_group [ namespace, "security_admin" ].join('/')
-  @security_admin.add_member test_user, admin_option: true
-  
-  JsonSpec.memorize "MY_ROLEID", %Q("#{test_user.roleid}")
-  JsonSpec.memorize "NAMESPACE", namespace
-  
-  admin_api.group("pubkeys-1.0/key-managers").add_member @security_admin
-  admin_api.resource('!:!:conjur').permit 'elevate', test_user, grant_option: true
-  admin_api.resource('!:!:conjur').permit 'reveal',  test_user, grant_option: true
-  
-  admin_api.create_user "attic@#{namespace}"
-
-  # Set up the environment so the CLI will authenticate
-  # correctly. Note that the API caches credentials, so these
-  # variables won't have any effect on future calls to
-  # Conjur::Authn.connect
-  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "#{test_user.login}")
-  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{test_user.api_key}")
-end
-
-After do
-  if admin_api
-    admin_api.group("pubkeys-1.0/key-managers").remove_member @security_admin
-    admin_api = nil
-    namespace = nil
-  end
-  tempfiles.each { |tempfile| File.unlink(tempfile) unless tempfile.nil? }
-end
-
-require 'ostruct'
-
-class MockAPI
-  attr_reader :things
-
-  def initialize
-    @things = {}
-  end
-
-  def thing(kind, id)
-    (@things[kind.to_sym] || []).find{|r| r.id == id}
-  end
-
-  def thing_like(kind, id_pattern)
-    (@things[kind.to_sym] || []).find{|r| id_pattern.match(r.id)}
-  end
-
-  def create_host(options = {})
-    id = options.delete(:id)
-    if id
-      host = thing(:host, id)
-    else
-      id = SecureRandom.uuid
-    end
-    host ||= create_thing(:host, id, options, role: true, api_key: true)
-  end
-
-  def create_user(id, options = {})
-    thing(:user, id) || create_thing(:user, id, options, role: true, api_key: true)
-  end
-
-  def create_variable(mime_type, kind)
-    create_thing(:user, SecureRandom.uuid, mime_type: mime_type, kind: kind)
-  end
-
-  def create_resource(id, options = {})
-    resource(id).tap do |resource|
-      resource.send(:"exists?=", true)
-      populate_options resource, options
-    end
-  end
-
-  def create_role(id, options = {})
-    role(id).tap do |role|
-      role.send(:"exists?=", true)
-      populate_options role, options
-    end
-  end
-
-  [ :user, :host ].each do |kind|
-    define_method kind do |id|
-      thing(kind, id)
-    end
-  end
-
-  def role(id)
-    raise "Role id must be a string" unless id.is_a?(String)
-    thing(:role, id) || create_thing(:role, id, { exists?: false }, role: true)
-  end
-
-  def resource(id)
-    raise "Resource id must be a string" unless id.is_a?(String)
-    thing(:resource, id) || create_thing(:resource, id, exists?: false)
-  end
-
-  protected
-
-  def create_thing(kind, id, options, kind_options = {})
-    thing = OpenStruct.new(kind: kind, id: id, exists?: true)
-
-    class << thing
-      def permit(privilege, role, options = {})
-        (self.permissions ||= []) << OpenStruct.new(privilege: privilege, role: role.id, grant_option: !!options[:grant_option])
-      end
-    end
-
-    if kind_options[:api_key]
-      thing.api_key = SecureRandom.uuid
-    end
-    if kind_options[:role]
-      thing.roleid = id
-      class << thing
-        def can(privilege, resource, options = {})
-          resource.permit privilege, self, options
-        end
-      end
-    end
-
-    populate_options(thing, options)
-
-    store_thing kind, thing
-
-    thing
-  end
-
-  def populate_options(thing, options)
-    options.each do |k,v|
-      thing.send("#{k}=", v)
-    end
-  end
-
-  def store_thing(kind, thing)
-    (things[kind] ||= []) << thing
-  end
-end
-
-Before("@dsl") do
-  puts "Using MockAPI"
-  puts "Using account 'cucumber'"
-
-  require 'conjur/api'
-  require 'conjur/config'
-  require 'conjur/dsl/runner'
-
-  Conjur.stub(:env).and_return "ci"
-  Conjur.stub(:stack).and_return "ci"
-  Conjur.stub(:account).and_return "cucumber"
-
-  Conjur::Core::API.stub(:conjur_account).and_return 'cucumber'
-  @mock_api ||= MockAPI.new
-  Conjur::DSL::Runner.any_instance.stub(:api).and_return @mock_api
-end
-

data/acceptance-features/support/world.rb

@@ -1,176 +0,0 @@
-require 'aruba/api'
-require 'conjur/api'
-
-module ConjurCLIWorld
-  include Aruba::Api
-  
-  attr_accessor :admin_api, :namespace, :test_user, :headers
-
-  def last_json
-    process_cmd last_command_started.stdout
-  end
-  
-  def passwords
-    @passwords ||= {}
-  end
-  
-  def save_password username, password
-    raise "Password for #{username} not found" if password.blank?
-    raise "Found existing password for user '#{username}'" if passwords[username]
-    passwords[username] = password
-  end
-  
-  def find_password username
-    passwords[username] or raise "No password for user '#{username}'"
-  end 
-  
-  def find_or_create_password(username)
-    unless password = passwords[username] 
-      password = passwords[username] = SecureRandom.hex(12)
-    end
-    password
-  end
-
-  def admin_role
-    admin_api.current_role.role_id
-  end
-
-  def random_hex nbytes = 12
-    @random ||= Random.new
-    @random.bytes(nbytes).unpack('h*').first
-  end
-
-  def namespace
-    @namespace ||= random_hex
-  end
-  
-  # Aruba's method
-  def run(cmd, *args)
-    # it's a thunk now so it should be returned. puts can be added back as block if we want to
-    super process_cmd(cmd), *args
-  end 
-
-  # Substitute the namespace for marker $ns
-  def sanitize_text string
-    string = super
-    string.gsub("$ns", namespace)
-  end
-  
-  def get_process(wanted)
-    super wanted.gsub("$ns", namespace)
-  end
-
-  def tempfiles 
-    @tempfiles||=[]
-  end       
-
-  def headers
-    @headers ||= {}
-  end
-
-  def add_user_auth_header
-    return if headers['Authorization']
-
-    token = Conjur::API.authenticate(test_user.login, test_user.api_key)
-    headers.merge!(
-      'Authorization' => %Q{Token token="#{Base64.strict_encode64(token.to_json)}"}
-    )
-  end
- 
-  protected
-  
-  def process_cmd(cmd)
-    cmd = cmd.dup
-    cmd.gsub!("$ns", namespace)
-    cmd.gsub!("$pubkeys_url", Conjur.configuration.pubkeys_url)
-    
-    JsonSpec.memory.each do |k,v|
-      cmd.gsub!("%{#{k}}", v)
-    end
-    cmd
-  end
-end
-
-module ConjurWorld
-  def last_json
-    last_stdout
-  end
-
-  def last_stdout
-    raise "No commands have been run" unless last_cmd
-    stdout_from last_cmd
-  end
-
-  attr_accessor :last_cmd
-
-  def account
-    Conjur::Core::API.conjur_account
-  end
-
-  def role_kind
-    @role_kind ||= "cli-cukes"
-  end
-
-  def role_id_map
-    @role_id_map ||= {}
-  end
-
-  def extract_filtered_graph json
-    graph = JSON.parse(json.to_s)
-    case graph
-      when Hash then filter_hash_graph(graph)
-      when Array then filter_array_graph(graph)
-      else raise "WTF: graph was #{graph.class}?"
-    end
-  end
-
-  def filter_hash_graph graph
-    allowed = role_id_map.values
-    edges = graph['graph']
-    filtered = edges.select do |edge|
-      allowed.member?(edge['parent']) and allowed.member?(edge['child'])
-    end
-    {'graph' => filtered}
-  end
-
-  def filter_array_graph graph
-    allowed = role_id_map.values
-    graph.select do |edge|
-      edge.all?{|v| allowed.member?(v)}
-    end
-  end
-
-  def graph edges
-    # generate roles
-    edges.flatten.uniq.each do |role_id|
-      role_id_map[role_id] = expanded = expand_role_id(role_id)
-      run_command "conjur role create '#{expanded}'"
-    end
-
-    # generate memberships
-    edges.each do |parent, child|
-      run_command "conjur role grant_to #{expand_role_id(parent)} #{expand_role_id(child)}"
-    end
-  end
-
-  def run_command cmd
-    step "I successfully run " + '`' + cmd + '`'
-  end
-
-  def expand_role_id role_id
-    "#{account}:#{role_kind}:#{prepend_namespace role_id}"
-  end
-
-  def prepend_namespace id
-    "#{namespace}-#{id}"
-  end
-
-  def expand_roles string
-    role_id_map.each do |role, expanded|
-      string.gsub! role, expanded
-    end
-    string
-  end
-end
-
-World(ConjurWorld, ConjurCLIWorld)

data/acceptance-features/trusted_proxies.feature

@@ -1,82 +0,0 @@
-Feature: Conjur services support trusted proxies
-
-  As an administrator of the Conjur Appliance, I want to be able to
-  specify CIDRs for machines that should be regarded as trusted
-  proxies. IP addresses that match those CIDRs can be regarded as
-  coming from localhost. Other addresses should not be remapped (even
-  if those addresses are non-routable), and so will appear in audit
-  events and be used to validate CIDR restrictions (e.g. on
-  hostfactory tokens).
-
-  Scenario: authn supports trusted proxies for CIDR restrictions
-    Given I set the JSON request body to:
-    """
-    {
-      "login": "restricted@$ns",
-      "password": "restricted",
-      "ownerid": "cucumber:user:admin@$ns",
-      "cidr": ["192.168.0.0/24"]
-    }
-    """
-    And I send a POST request to "/api/users"
-    And the response status should be "201"
-    Given I send "text/plain" and accept JSON
-    And I set the request body to "restricted"
-    When I send a POST request forwarded from "192.168.0.1" to "/api/authn/users/restricted@$ns/authenticate"
-    Then the response status should be "200"
-
-  Scenario: authz supports trusted proxies
-    Given I send a PUT request forwarded from "192.168.0.1" to "/api/authz/cucumber/resources/test/$ns/resource?acting_as=$user_role" 
-    And the response status should be "204"
-    When I successfully run `conjur audit resource test:$ns/resource`
-    Then the JSON response at "request/ip" should be "192.168.0.1"
-
-  Scenario: core supports trusted proxies
-    Given I set the JSON request body to:
-    """
-    {
-      "id": "$ns/var",
-      "kind": "password",
-      "mime_type": "text/plain"
-    }    
-    """
-    And I send a POST request forwarded from "192.168.0.1" to "/api/variables"
-    And the response status should be "201"
-    When I successfully run `conjur audit resource variable:$ns/var`
-    Then the JSON response at "request/ip" should be "192.168.0.1"
-
-  Scenario: expiration supports trusted proxies
-    Given I successfully run `conjur variable create $ns_expiration_var value`
-    And I send a GET request forwarded from "192.168.0.1" to "/api/variables/$ns_expiration_var/value"
-    And the response status should be "200"
-    When I get the audit event for the resource "cucumber:variable:$ns_expiration_var" with action "check"
-    Then the audit event should show the request from "192.168.0.1"
-
-  Scenario: host-factory supports trusted proxies when creating hostfactories
-    Given I successfully run `conjur layer create --as-role $user_role $ns/layer`
-    When I send a POST request forwarded from "192.168.0.1" to "/api/host_factories" with: 
-      | id     | roleid    | ownerid    | layers[]  |
-      | $ns/hf | $user_role | $user_role | $ns/layer |
-
-    And the response status should be "201"
-    And I successfully run `conjur audit resource host_factory:$ns/hf`
-    Then the JSON response at "request/ip" should be "192.168.0.1"
-
-  Scenario: hostfactory supports trusted proxies when creating hosts
-    Given I successfully run `conjur layer create --as-role $user_role $ns/layer`
-    And I successfully run `conjur hostfactory create --as-role $user_role --layer $ns/layer $ns/hf`
-    And I create a hostfactory token for "$ns/hf" with CIDR "192.168.0.0/16"
-    When I use the hostfactory token from "192.168.0.1" to create host "$ns/host"
-    And I get the audit event for the resource "cucumber:host:$ns/host" with action "create"
-    Then the audit event should show the request from "192.168.0.1"
-
-  Scenario: hostfactory supports trusted proxies when validating token CIDR restrictions
-    Given I successfully run `conjur layer create --as-role $user_role $ns/layer`
-    And I successfully run `conjur hostfactory create --as-role $user_role --layer $ns/layer $ns/hf`
-    And I create a hostfactory token for "$ns/hf" with CIDR "192.168.0.0/16"
-    Then I can use the hostfactory token from "192.168.0.1" to create host "$ns/host1"
-
-  Scenario: pubkeys supports trusted proxies
-    Given I create a pubkey for "pubkeys_user@$ns" from "192.168.0.1" with "ssh-rsa foobar pubkeys_user@host"
-    When I get the audit event for the pubkey variable with action "create"
-    Then the audit event should show the request from "192.168.0.1"