conjur-cli 5.6.6 → 6.0.0.rc1

data/ci/cli-test.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -ex
+
+bundle install
+
+# If we got passed arguments, run that as the test command. Otherwise, run the full suite of tests.
+${@-bundle exec rake jenkins}

data/ci/package.sh

@@ -9,7 +9,9 @@ rake build
 
 gem install --no-ri --no-rdoc --install-dir /tmp/gems pkg/*.gem
 
+ITERATION=$(date +%s)
+
 find /tmp/gems/cache -name '*.gem' | xargs -rn1 \
-fpm --prefix $(gem environment gemdir) -s gem -t deb
+fpm --prefix $(gem environment gemdir) --iteration $ITERATION -s gem -t deb
 
 cp -a *.deb /share

data/ci/publish.sh

@@ -26,10 +26,10 @@ for package in *.deb; do
     -v $PWD/tmp/deb:/src \
     conjur-cli-publish \
     upload \
-    --url https://conjurinc.jfrog.io/conjurinc \
+    --url https://conjurinc.artifactoryonline.com/conjurinc \
     --user $ART_USERNAME \
     --password $ART_PASSWORD \
     --deb "$distribution"/"$component"/amd64 \
     $package \
-    debian-private/
+    debian-local
 done

data/ci/secrets/publish.yml

@@ -1,2 +1,2 @@
-ART_USERNAME: !var ci/artifactory/users/jenkins/username
-ART_PASSWORD: !var ci/artifactory/users/jenkins/password
+ART_USERNAME: !var artifactory/users/jenkins/username
+ART_PASSWORD: !var artifactory/users/jenkins/password

data/ci/wait_for_server.sh

@@ -0,0 +1,10 @@
+#!/bin/bash -e
+
+for i in $(seq 10); do
+  curl -o /dev/null -fs -X OPTIONS http://conjur > /dev/null && break
+  echo .
+  sleep 2
+done
+
+# So we fail if the server isn't up yet:
+curl -o /dev/null -fs -X OPTIONS http://conjur > /dev/null

data/conjur-cli.gemspec

@@ -1,5 +1,6 @@
 # -*- encoding: utf-8 -*-
 require File.expand_path('../lib/conjur/version', __FILE__)
+require "English"
 
 Gem::Specification.new do |gem|
   gem.authors       = ["Rafal Rzepecki", "Kevin Gilpin"]
@@ -8,25 +9,23 @@ Gem::Specification.new do |gem|
   gem.homepage      = "https://github.com/conjurinc/cli-ruby"
   gem.license       = 'MIT'
 
-  gem.files         = `git ls-files`.split($\) + Dir['build_number']
+  gem.files         = (`git ls-files`.split($OUTPUT_RECORD_SEPARATOR)
+                                     .select { |x| x !~ /^Dockerfile/ }
+                      ) + Dir["build_number"]
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.name          = "conjur-cli"
   gem.require_paths = ["lib"]
   gem.version       = Conjur::VERSION
 
-  gem.add_dependency 'activesupport', '>= 4.2', '< 6'
-  gem.add_dependency 'conjur-api', '~> 4.30'
+  gem.add_dependency 'activesupport'
+  gem.add_dependency 'conjur-api', '~> 5.0.0.beta'
   gem.add_dependency 'gli', '>=2.8.0'
   gem.add_dependency 'highline', '~> 1.7'
   gem.add_dependency 'netrc', '~> 0.10'
-  gem.add_dependency 'methadone', '~> 1.9'
   gem.add_dependency 'deep_merge', '~> 1.0'
   gem.add_dependency 'xdg', '~> 2.2'
   gem.add_dependency 'table_print', '~> 1.5'
-  gem.add_dependency 'semantic', '>= 1.4.1'
-
-  gem.add_runtime_dependency 'cas_rest_client', '~> 1.3'
 
   gem.add_development_dependency 'rspec', '~> 3.0'
   gem.add_development_dependency 'simplecov'
@@ -38,4 +37,5 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'json_spec'
   gem.add_development_dependency 'cucumber-api'
   gem.add_development_dependency 'addressable'
+  gem.add_development_dependency 'pry-byebug'
 end

data/dev/docker-compose.yml

@@ -0,0 +1,24 @@
+version: '2'
+services:
+  pg:
+    image: postgres:9.3
+    
+  conjur:
+    image: cyberark/conjur
+    command: server -a cucumber
+    environment:
+      DATABASE_URL: postgres://postgres@pg/postgres
+      CONJUR_DATA_KEY:
+
+  cli:
+    build:
+      dockerfile: Dockerfile.standalone
+      context: ..
+    entrypoint: sleep
+    command: infinity
+    environment:
+      CONJUR_APPLIANCE_URL: http://conjur
+      CONJUR_ACCOUNT: cucumber
+    working_dir: /src/conjur-cli
+    volumes:
+    - ..:/src/conjur-cli

data/dev/start.sh

@@ -0,0 +1,15 @@
+#!/bin/bash -ex
+
+export COMPOSE_PROJECT_NAME=clirubydev
+
+docker-compose build
+
+if [ ! -f data_key ]; then
+	echo "Generating data key"
+	docker-compose run --no-deps --rm conjur data-key generate > data_key
+fi
+
+export POSSUM_DATA_KEY="$(cat data_key)"
+
+docker-compose up -d
+docker-compose exec cli bash

data/dev/stop.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -ex
+
+export COMPOSE_PROJECT_NAME=clirubydev
+
+docker-compose down -v

data/docker-compose.yml

@@ -0,0 +1,30 @@
+version: '2'
+services:
+  pg:
+    image: postgres:9.3
+
+  conjur:
+    image: cyberark/conjur
+    command: server -a cucumber
+    depends_on: 
+      - pg
+    environment:
+      - CONJUR_DATA_KEY
+      - DATABASE_URL=postgres://postgres@pg/postgres
+
+  test:
+    image: cli-test:${RUBY_VERSION}
+    build:
+      context: .
+      dockerfile: Dockerfile.${RUBY_VERSION}
+    entrypoint: ci/cli-test.sh
+    environment:
+      - DATABASE_URL=postgres://postgres@pg/postgres
+      - RAILS_ENV=test
+      - CONJUR_APPLIANCE_URL=http://conjur
+      - CONJUR_ACCOUNT=cucumber
+      - CONJUR_AUTHN_LOGIN=admin
+      - CONJUR_AUTHN_API_KEY
+    volumes:
+      - .:/src
+

data/features/authentication/authenticate.feature

@@ -0,0 +1,34 @@
+Feature: Authenticate a role
+
+  Scenario: Get a JSON token
+    When I successfully run `conjur authn authenticate`
+    Then the JSON should have "data"
+    And the JSON should have "signature"
+ 
+  Scenario: Get an auth token as HTTP Authorize header
+    When I successfully run `conjur authn authenticate -H`
+    Then the output should match /Authorization: Token token=".*"/
+
+  Scenario: The API key of a new user is available and can be used to authenticate.
+    Given I load the policy:
+    """
+    - !user alice
+    """
+    And I login as "alice"
+    When I successfully run `conjur authn authenticate`
+    Then the JSON at "data" should be "alice"
+
+  @announce-command
+  @announce-output
+  Scenario: The access token can be continuously refreshed in a file.
+    When I run `env CONJUR_TOKEN_LIFESPAN=2 CONJUR_TOKEN_REFRESH_DELAY=1 CONJURAPI_LOG=stderr conjur authn authenticate -f /tmp/token` interactively
+    And I run `sleep inf`
+    Then the output should contain:
+    """
+    Authenticating admin to account cucumber
+    Refreshed Conjur auth token to "/tmp/token"
+    Authenticating admin to account cucumber
+    Refreshed Conjur auth token to "/tmp/token"
+    Authenticating admin to account cucumber
+    Refreshed Conjur auth token to "/tmp/token"
+    """

data/features/authentication/login.feature

@@ -0,0 +1,13 @@
+Feature: Login a new user
+
+  Background:
+    Given I load the policy:
+    """
+    - !user alice
+    """
+
+  @restore-login
+  Scenario: Login a new user with a password
+    When I run `conjur authn login alice` interactively
+    And I type the API key for "alice"
+    Then the exit status should be 0

data/features/authentication/logout.feature

@@ -0,0 +1,15 @@
+Feature: Logout the user
+
+  Background:
+    Given I load the policy:
+    """
+    - !user alice
+    """
+
+  @restore-login
+  Scenario: Login a logged-in user
+    When I run `conjur authn login alice` interactively
+    And I type the API key for "alice"
+    Then the exit status should be 0
+    And I successfully run `conjur authn logout`
+    Then the stdout from "conjur authn logout" should contain exactly "Logged out\n"

data/features/authorization/resource/annotate.feature

@@ -0,0 +1,22 @@
+Feature: Annotate a resource
+
+  Background:
+    Given I load the policy:
+    """
+    - !resource
+      kind: food
+      id: bacon
+      annotations:
+        preparation-style: crispy
+    """
+  
+  Scenario: Annotations are stored and returned when the resource is displayed
+    When I successfully run `conjur show food:bacon`
+    And the JSON at "annotations" should have 1 entry
+    And the JSON at "annotations/0/name" should be "preparation-style"
+    And the JSON at "annotations/0/value" should be "crispy"
+  
+  Scenario: Annotations are searchable
+    When I successfully run `conjur list --inspect -k food -s "crispy"`
+    Then the JSON should have 1 entry
+    And the JSON at "0/annotations/preparation-style" should be "crispy"

data/features/authorization/resource/check.feature

@@ -0,0 +1,47 @@
+Feature: Checking permissions on a resource
+
+  Background:
+    Given I load the policy:
+    """
+    - !resource
+      kind: food
+      id: bacon
+
+    - !role
+      kind: job
+      id: cook
+    """
+
+  Scenario: By default I check my own privilege
+    In this case, I have the privilege because I own the resource
+  
+    When I successfully run `conjur check food:bacon fry`
+    Then the stdout should contain exactly "true"
+
+  Scenario: I can check the privileges of roles that I own
+    And I successfully run `conjur check -r job:cook food:bacon fry`
+    Then the stdout should contain exactly "false"
+    
+  Scenario: I can check the privileges of roles that I own
+    Given I apply the policy:
+    """
+    - !resource
+      kind: food
+      id: bacon
+
+    - !role
+      kind: job
+      id: cook
+
+    - !permit
+      role: !role
+        kind: job
+        id: cook
+      resource: !resource
+        kind: food
+        id: bacon
+      privilege: fry
+    """
+    And I reset the command list
+    And I successfully run `conjur check -r job:cook food:bacon fry`
+    Then the stdout should contain exactly "true"

data/{acceptance-features → features}/authorization/resource/exists.feature

@@ -1,18 +1,30 @@
 Feature: Test the existence of a resource
 
   Scenario: Existing resources can be detected
-    Given I successfully run `conjur resource create food:$ns/bacon`
+    Given I load the policy:
+    """
+    - !resource
+      kind: food
+      id: bacon
+    """
     And I reset the command list
-    When I successfully run `conjur resource exists food:$ns/bacon`
+    When I successfully run `conjur resource exists food:bacon`
     Then the stdout should contain exactly "true"
 
   Scenario: Non-existent resources are reported as such
-    When I successfully run `conjur resource exists food:$ns/bacon`
+    When I successfully run `conjur resource exists food:bacon`
     Then the stdout should contain exactly "false"
   
   Scenario: Even foreign user can check existence of a resource 
-    Given I successfully run `conjur resource create food:$ns/bacon`
-    And I login as a new user 
+    Given I load the policy:
+    """
+    - !resource
+      kind: food
+      id: bacon
+
+    - !user alice
+    """
+    And I login as "alice"
     And I reset the command list
-    And I run `conjur resource exists food:$ns/bacon`
+    And I run `conjur resource exists food:bacon`
     Then the stdout should contain exactly "true"

data/features/authorization/resource/permitted_roles.feature

@@ -0,0 +1,35 @@
+Feature: List roles which have a permission on a resource
+
+  Background:
+    Given I load the policy:
+    """
+    - !user alice
+
+    - !resource
+      kind: food
+      id: bacon
+      owner: !user alice
+    """
+
+  Scenario: The owner of a resource is always listed in permitted_roles
+    When I successfully run `conjur resource permitted_roles food:bacon fry`
+    Then the JSON should include "cucumber:user:alice"
+
+  Scenario: When a permission is granted to a new user, the user is listed in permitted_roles
+    Given I apply the policy:
+    """
+    - !user bob
+
+    - !resource
+      kind: food
+      id: bacon
+
+    - !permit
+      role: !user bob
+      privilege: fry
+      resource: !resource
+        kind: food
+        id: bacon
+    """
+    When I successfully run `conjur resource permitted_roles food:bacon fry`
+    Then the JSON should include "cucumber:user:bob"

data/features/authorization/resource/show.feature

@@ -0,0 +1,34 @@
+Feature: Show a resource
+
+  Background:
+    Given I load the policy:
+    """
+    - !user eve
+
+    - !user alice
+
+    - !resource
+      kind: food
+      id: bacon
+
+    - !permit
+      role: !user alice
+      privilege: fry
+      resource: !resource
+        kind: food
+        id: bacon
+    """
+  
+  Scenario: Showing a resource displays all its fields
+    When I successfully run `conjur show food:bacon`
+    Then the JSON should have "id"
+    And the JSON should have "owner"
+    And the JSON should have "permissions"
+    And the JSON should have "annotations"
+    
+  Scenario: You can show any resource if you have a privilege on it
+    Once alice has a permission to fry bacon, she can show everything
+    about bacon.
+  
+    And I login as "alice"
+    Then I successfully run `conjur show food:bacon`

data/features/authorization/role/exists.feature

@@ -0,0 +1,28 @@
+Feature: Test existence of a role
+
+  Scenario: A never-created role does not exist
+    When I successfully run `conjur role exists --json food:nonesuch`
+    Then the JSON at "exists" should be false
+
+  Scenario: A created role does exist
+    Given I load the policy:
+    """
+    - !role
+      kind: job
+      id: cook
+    """
+    And I successfully run `conjur role exists --json job:cook`
+    Then the JSON at "exists" should be true
+
+  Scenario: Even foreign user can check existance of a role 
+    Given I load the policy:
+    """
+    - !user alice
+
+    - !role
+      kind: job
+      id: cook
+    """
+    And I login as "alice"
+    And I run `conjur role exists --json job:cook`
+    Then the JSON at "exists" should be true