conjur-cli 5.6.6 → 6.0.0.rc1

data/features/dsl_user_create.feature

@@ -1,23 +0,0 @@
-@dsl
-Feature: Creating a User
-
-  Background:
-
-  Scenario: Users don't incorporate the namespace as a path prefix
-    When I run script:
-    """
-namespace do
-  user "bob"
-end
-    """
-    Then the model should contain "user" /bob@.+/
-
-  Scenario: Namespace can be used as a no-arg method
-    When I run script:
-    """
-namespace "foobar" do
-  user "bob"
-end
-    """
-    Then the model should contain "user" "bob@foobar"
-    

data/features/jsonfield.feature

@@ -1,49 +0,0 @@
-Feature: Extracting JSON fields
-
-  In order to use conjur output in shell scripts
-  As a Conjur user
-  I want to extract fields from JSON data
-
-  Scenario: An array element
-    When I successfully run `jsonfield 2 '[1, 2, 3]'`
-    Then the output should contain "3"
-
-  Scenario: An out of bounds array element
-    When I run `jsonfield 3 '[1, 2, 3]'`
-    Then the output should contain "No field 3"
-    And the exit status should be 2
-
-  Scenario: A hash element
-    When I successfully run `jsonfield a '{"a": 4}'`
-    Then the output should contain "4"
-
-  Scenario: A non-existent hash element
-    When I run `jsonfield b '{"a": 4}'`
-    Then the output should contain "No field b"
-    And the exit status should be 2
-
-  Scenario: Nested elements
-    When I successfully run `jsonfield 0.a.1.b '[{"a": [42, {"b": "foo", "d": null}, 33], "bar": true}]'`
-    Then the output should contain "foo"
-
-  Scenario: Standard input
-    Given a file named "test.json" with:
-      """
-        {
-          "a": [
-            42,
-            {
-              "b": "foo",
-              "d": null
-            },
-            33
-          ],
-          "bar": true
-        }
-      """
-    When I run `cat test.json | jsonfield 0.a.1.b`
-    Then the output should contain "foo"
-
-  Scenario: An element with hyphen in key
-    When I successfully run `jsonfield variables.db-password '{"variables": {"db-password": "foo"}}'`
-    Then the output should contain "foo"

data/features/role_graph.feature

@@ -1,58 +0,0 @@
-@real-api
-Feature: Retrieving role graphs
-  As a Conjur user
-  In order to understand the role hierarchy
-  I want to retrieve role graphs and present them in a useful format
-
-Background:
-  Given a graph with edges
-    | Tywin     | Jamie         |
-    | Tywin     | Cersei        |
-    | Cersei    | Joffrey       |
-    | Jamie     | Joffrey       |
-    | Aerys     | Tyrion        |
-    | Joanna    | Tyrion        |
-
-  Scenario: Showing the graph as JSON
-    When I successfully run with role expansion "conjur role graph --as-role Joffrey Joffrey"
-    Then the graph JSON should be:
-      """
-        {
-          "graph": [
-            { "parent": "Tywin",  "child": "Jamie" },
-            { "parent": "Tywin",  "child": "Cersei"},
-            { "parent": "Cersei", "child": "Joffrey"},
-            { "parent": "Jamie",  "child": "Joffrey" }
-          ]
-        }
-      """
-
-  Scenario: Short JSON output
-    When I successfully run with role expansion "conjur role graph --short --as-role Joffrey Joffrey"
-    Then the graph JSON should be:
-      """
-        [
-          [ "Tywin", "Jamie"   ],
-          [ "Tywin", "Cersei"  ],
-          [ "Jamie", "Joffrey" ],
-          [ "Cersei", "Joffrey"]
-        ]
-      """
-
-  Scenario: I can restrict the output to show only ancestors or descendants
-    When I successfully run with role expansion "conjur role graph --short --no-ancestors --as-role Cersei Cersei"
-    Then the graph JSON should be:
-      """
-        [
-          [ "Cersei", "Joffrey" ]
-        ]
-      """
-    When I successfully run with role expansion "conjur role graph --short --no-descendants --as-role Cersei Cersei Jamie"
-    Then the graph JSON should be:
-      """
-        [
-          [ "Tywin", "Cersei" ],
-          [ "Tywin", "Jamie"  ]
-        ]
-      """
-

data/features/step_definitions/conjurize_steps.rb

@@ -1,5 +0,0 @@
-When(/^I conjurize "(.*?)"$/) do |args|
-  cmd = "conjurize -f ../../features/support/host.json -c ../../features/support/conjur.conf"
-  step %Q(I run `#{[ cmd, args ].compact.join(' ')}`)
-end
-

data/features/step_definitions/dsl_steps.rb

@@ -1,52 +0,0 @@
-When(/^I use script context:$/) do |context|
-  @context = JSON.parse context
-end
-
-When(/^I run script:$/) do |script|
-  require 'conjur/dsl/runner'
-  @runner = Conjur::DSL::Runner.new(script)
-  @runner.context = @context if @context
-  @runner.execute
-end
-
-Then(/^the model should contain "(.*?)" "(.*?)"$/) do |kind, id|
-  @mock_api.thing(kind, id).should_not be_nil
-end
-Then(/^the model should contain "(.*?)" \/(.*?)\/$/) do |kind, id|
-  @mock_api.thing_like(kind, Regexp.new(id)).should_not be_nil
-end
-Then(/^the "(.*?)" "(.*?)" should be owned by "(.*?)"$/) do |kind, id, owner|
-  step "the model should contain \"#{kind}\" \"#{id}\""
-  if kind == 'role' || kind == 'resource'
-    @mock_api.thing(kind, id).acting_as.should == owner
-  else
-    @mock_api.thing(kind, id).ownerid.should == owner
-  end
-end
-
-Then(/^the "(.*?)" "(.*?)" should not have an owner$/) do |kind, id|
-  step "the model should contain \"#{kind}\" \"#{id}\""
-  @mock_api.thing(kind, id).ownerid.should be_nil
-end
-
-Then(/^"(.*?)" can "(.*?)" "(.*?)"( with grant option)?$/) do |role, privilege, resource, grant_option|
-  resource = @mock_api.thing(:resource, resource)
-  permission = resource.permissions.find do |p|
-    p.privilege == privilege && p.role == role && p.grant_option == !grant_option.nil?
-  end
-  raise "#{role} cannot #{privilege} #{resource.id} with#{grant_option ? "" : "out"} grant_option" unless permission
-end
-
-Then(/^the context should contain "(.*?)"$/) do |key|
-  @runner.context.should have_key(key.to_s)
-end
-
-Then(/^the context "(.*?)" should be "(.*?)"$/) do |key, value|
-  @runner.context[key].should == value
-end
-
-Then(/^the context "(.*?)" should contain "(.*?)" item$/) do |key, key_count|
-  step "the context should contain \"#{key}\""
-  expect(@runner.context[key].length).to eq key_count.to_i
-end
-

data/features/support/conjur.conf

@@ -1,6 +0,0 @@
----
-account: test
-plugins:
-- ui
-appliance_url: https://conjur/api
-cert_file: ../../features/support/conjur-test.pem

data/lib/conjur/command/assets.rb

@@ -1,121 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-class Conjur::Command::Assets < Conjur::Command
-  # Toplevel command
-  desc "Manage assets"
-  command :asset do |asset|
-    hide_docs(asset)
-    asset.desc "Create an asset"
-    asset.arg_name "kind:id"
-    asset.command :create do |create|
-      hide_docs(create)
-      acting_as_option(create)
-      create.action do |global_options, options, args|
-        # NOTE: no generic functions there, as :id is optional
-        kind, id = require_arg(args, 'kind:id').split(':')
-        id = nil if id.blank?
-        kind.gsub!('-', '_')
-
-        m = "create_#{kind}"
-        record = if [ 1, -1 ].member?(api.method(m).arity)
-                   if id
-                     options[:id] = id
-                   end
-                   api.send(m, options)
-                 else
-                   unless id
-                     raise "for kind #{kind} id should be specified explicitly after colon"
-                   end
-                   api.send(m, id, options)
-                 end
-        display(record, options)
-      end
-    end
-
-    asset.desc "Show an asset"
-    asset.arg_name "id"
-    asset.command :show do |c|
-      c.action do |global_options,options,args|
-        kind, id = get_kind_and_id_from_args(args, 'id')
-        display api.send(kind, id).attributes
-      end
-    end
-
-    asset.desc "Checks for the exisistance of an asset"
-    asset.arg_name "id"
-    asset.command :exists do |c|
-      c.action do |global_options,options,args|
-        kind, id = get_kind_and_id_from_args(args, 'id')
-        puts api.send(kind, id).exists?
-      end
-    end
-
-    asset.desc "List assets of a given kind"
-    asset.arg_name "kind"
-    asset.command :list do |c|
-      hide_docs c
-      c.action do |global_options,options,args|
-        kind = require_arg(args, "kind").gsub('-', '_')
-        if api.respond_to?(kind.pluralize)
-          api.send(kind.pluralize)
-        else
-          api.resources(kind: kind)
-        end.each do |e|
-          display(e, options)
-        end
-      end
-    end
-
-    asset.desc "Manage asset membership"
-    asset.command :members do |members|
-      members.desc "Add a member to an asset"
-      members.arg_name "id role-name member"
-      members.command :add do |c|
-        hide_docs(c)
-        c.desc "Grant with admin option"
-        c.flag [:a, :admin]
-
-        c.action do |global_options, options, args|
-          kind, id = get_kind_and_id_from_args(args, 'id')
-          role_name = require_arg(args, 'role-name')
-          member = require_arg(args, 'member')
-          admin_option = !options.delete(:admin).nil?
-
-          api.send(kind, id).add_member role_name, member, admin_option: admin_option
-          puts "Membership granted"
-        end
-      end
-
-      members.desc "Remove a member from an asset"
-      members.arg_name "id role-name member"
-      members.command :remove do |c|
-        hide_docs c
-        c.action do |global_options, options, args|
-          kind, id = get_kind_and_id_from_args(args, 'id')
-          role_name = require_arg(args, 'role-name')
-          member = require_arg(args, 'member')
-          api.send(kind, id).remove_member role_name, member
-          puts "Membership revoked"
-        end
-      end
-    end
-  end
-end

data/lib/conjur/command/audit.rb

@@ -1,155 +0,0 @@
-class Conjur::Command
-  class Audit < self
-    class << self
-      private
-      SHORT_FORMATS = {
-        'resource:check' => lambda{|e| "checked that they can #{e[:privilege]} #{e[:resource]} (#{e[:allowed]})" },
-        'resource:create' => lambda{|e| "created resource #{e[:resource]} owned by #{e[:owner]}" },
-        'resource:update' => lambda{|e| "gave #{e[:resource]} to #{e[:owner]}" },
-        'resource:destroy' => lambda{|e| "destroyed resource #{e[:resource]}" },
-        'resource:permit' => lambda{|e| "permitted #{e[:grantee]} to #{e[:privilege]} #{e[:resource]} (grant option: #{!!e[:grant_option]})" },
-        'resource:deny' => lambda{|e| "denied #{e[:privilege]} from #{e[:grantee]} on #{e[:resource]}" },
-        'resource:permitted_roles' => lambda{|e| "listed roles permitted to #{e[:privilege]} on #{e[:resource]}" },
-        'role:check' => lambda{|e| "checked that #{e[:role] == e[:user] ? 'they' : e[:role]} can #{e[:privilege]} #{e[:resource]} (#{e[:allowed]})" },
-        'role:grant' => lambda{|e| "granted role #{e[:role]} to #{e[:member]} #{e[:admin_option] ? 'with' : 'without'} admin" },
-        'role:revoke' => lambda{|e| "revoked role #{e[:role]} from #{e[:member]}" },
-        'role:create' => lambda{|e| "created role #{e[:role]}" },
-        'audit' => lambda{ |e| 
-          action_part = [ e[:facility], e[:action] ].compact.join(":")
-          actor_part = e[:role] ? "by #{e[:role]}" : nil
-          resource_part = e[:resource_id] ? "on #{e[:resource_id]}" : nil
-          allowed_part = e.has_key?(:allowed) ? "(allowed: #{e[:allowed]})" : nil
-          message_part = e[:audit_message] ? "; message: #{e[:audit_message]}" : ""
-          statement = [ action_part, actor_part, resource_part, allowed_part ].compact.join(" ")
-          "reported #{statement}"+ message_part
-        },
-        'conjur:use_extra_privilege' => lambda{|e| "requested extra privilege #{e[:privilege]}"}
-      }
-
-      def ssh_sudo_message(e)
-        s = "#{e[:system_user]}"
-        s << " " << (e[:allowed] ? "ran" : "attempted to run")
-        s << " '" << e[:command] << "' as " << e[:target_user]
-        s
-      end
-      
-      def short_event_format e
-        e.symbolize_keys!
-        s = "[#{Time.parse(e[:timestamp])}]"
-        s << " #{e[:user]}"
-        s << " (as #{e[:acting_as]})" if e[:acting_as] != e[:user]
-        if e[:facility] == 'ssh' && e[:action] == 'sudo'
-          e[:audit_message] = ssh_sudo_message(e)
-        end
-        formatter = SHORT_FORMATS["#{e[:kind]}:#{e[:action]}"] || SHORT_FORMATS[e[:kind]]
-        if formatter
-          s << " " << formatter.call(e)
-        else
-          s << " unknown event: #{e[:kind]}:#{e[:action]}!"
-        end
-        s << " (failed with #{e[:error]})" if e[:error]
-        s
-      end
-      
-      def extract_int_option(source, name, dest=nil)
-        if val = source[name]
-          raise "Expected an integer for #{name}, but got #{val}" unless /\d+/ =~ val
-          val.to_i.tap{ |i| dest[name] = i if dest }
-        end
-      end
-      
-      def extract_audit_options options
-        # Do a little song and dance to simplify testing
-        extracted = options.slice :follow, :short
-        [:limit, :offset].each do |name|
-            extract_int_option(options, name, extracted)
-        end
-        if extracted[:follow] && extracted[:offset]
-            exit_now! "--offset option not allowed for --follow", 1
-        end
-        extracted
-      end
-      
-      def show_audit_events events, options
-        @count ||= 0
-        
-        events = [events] unless events.kind_of?(Array)
-        # offset and limit options seem to be broken. this is a temporary workaround (should be applied on server-side eventually)
-        events = events.drop(options[:offset]) if options[:offset]
-        events = events.take(options[:limit]) if options[:limit]
-
-        if options[:short]
-          events.each do |e|
-            puts short_event_format(e)
-            
-            # Undocumented, but for the sake of testing.... Allow
-            # --limit with --follow. When we hit the limit, bail out
-            # immediately: don't raise any exceptions, don't print any
-            # messages, just exit with status 0.
-            @count += 1
-            if options[:follow] && @count == options[:limit]
-              exit_now! 0
-            end
-          end
-        else
-          events.each{|e| puts JSON.pretty_generate(e) }
-        end
-      end
-
-      def audit_feed_command parent, kind, &block
-        parent.command kind do |c|
-          c.desc "Maximum number of events to fetch"
-          c.flag [:l, :limit]
-
-          c.desc "Offset of the first event to return"
-          c.flag [:o, :offset]
-
-          c.desc "Short output format"
-          c.switch [:s, :short]
-          
-          c.desc "Follow events as they are generated"
-          c.switch [:f, :follow]
-          
-          c.action do |global_options, options, args|
-            options = extract_audit_options options 
-            instance_exec(args, options, &block)
-          end
-        end
-      end
-    end
-
-    desc "Fetch audit events"
-    command :audit do |audit|
-      audit.desc "Show all audit events visible to the current user"
-      audit_feed_command audit, :all do |args, options|
-        api.audit(options){ |es| show_audit_events es, options }
-      end
-
-      audit.desc "Show audit events related to a role"
-      audit.arg_name 'role'
-      audit_feed_command audit, :role do |args, options|
-        id = full_resource_id(require_arg(args, "role"))
-        api.audit_role(id, options){ |es| show_audit_events es, options }
-      end
-
-      audit.desc "Show audit events related to a resource"
-      audit.arg_name 'resource'
-      audit_feed_command audit, :resource do |args, options|
-        id = full_resource_id(require_arg args, "resource")
-        api.audit_resource(id, options){|es| show_audit_events es, options}
-      end 
-
-      audit.desc "Send custom event(s) to audit system"
-      audit.long_desc "Send custom event(s) to audit system. Events should be provided in JSON format, describing either single hash or array of hashes."
-      audit.arg_name "( json_string | STDIN )"
-      audit.command :send do |c| 
-        c.action do |global_options, options, args|
-          json = ( args.shift || STDIN.read )
-          api.audit_send json
-          puts "Events sent successfully"
-        end
-      end
-
-    end
-  end
-end