conjur-cli 5.6.6 → 6.0.0.rc1
- checksums.yaml +5 -5
- data/.dockerignore +1 -1
- data/.gitignore +2 -0
- data/.rubocop.yml +1 -1
- data/APPLIANCE_VERSION +1 -1
- data/CHANGELOG.md +3 -42
- data/Gemfile +4 -7
- data/Humanfile.md +31 -0
- data/Jenkinsfile +34 -63
- data/README.md +41 -55
- data/Rakefile +5 -1
- data/bin/conjur +0 -2
- data/build-deb.sh +1 -3
- data/ci/cli-test.sh +6 -0
- data/ci/package.sh +3 -1
- data/ci/publish.sh +2 -2
- data/ci/secrets/publish.yml +2 -2
- data/ci/wait_for_server.sh +10 -0
- data/conjur-cli.gemspec +7 -7
- data/dev/docker-compose.yml +24 -0
- data/dev/start.sh +15 -0
- data/dev/stop.sh +5 -0
- data/docker-compose.yml +30 -0
- data/features/authentication/authenticate.feature +34 -0
- data/features/authentication/login.feature +13 -0
- data/features/authentication/logout.feature +15 -0
- data/{acceptance-features → features}/authentication/whoami.feature +0 -0
- data/features/authorization/resource/annotate.feature +22 -0
- data/features/authorization/resource/check.feature +47 -0
- data/{acceptance-features → features}/authorization/resource/exists.feature +18 -6
- data/features/authorization/resource/permitted_roles.feature +35 -0
- data/features/authorization/resource/show.feature +34 -0
- data/features/authorization/role/exists.feature +28 -0
- data/features/authorization/role/members.feature +45 -0
- data/features/authorization/role/memberships.feature +43 -0
- data/features/conjurenv/check.feature +34 -0
- data/features/conjurenv/run.feature +15 -0
- data/{acceptance-features → features}/conjurenv/template.feature +8 -3
- data/{acceptance-features → features}/directory/user/update_password.feature +8 -2
- data/{acceptance-features → features}/directory/variable/value.feature +9 -5
- data/{acceptance-features → features}/directory/variable/values-add.feature +8 -3
- data/features/hostfactory/tokens.feature +22 -0
- data/features/pubkeys/show.feature +18 -0
- data/features/step_definitions/authn_steps.rb +22 -0
- data/features/step_definitions/cli_steps.rb +28 -0
- data/features/step_definitions/file_steps.rb +12 -0
- data/features/step_definitions/flow_control_steps.rb +7 -0
- data/features/step_definitions/graph_steps.rb +4 -3
- data/{acceptance-features → features}/step_definitions/http_steps.rb +0 -0
- data/features/step_definitions/overrides.rb +9 -0
- data/features/step_definitions/policy_steps.rb +11 -0
- data/{acceptance-features → features}/step_definitions/trusted_proxy_steps.rb +0 -0
- data/features/support/blank.yml +1 -0
- data/features/support/env.rb +21 -7
- data/features/support/hooks.rb +31 -116
- data/features/support/world.rb +16 -76
- data/jenkins.sh +33 -0
- data/lib/conjur/authenticator.rb +83 -0
- data/lib/conjur/authn.rb +5 -20
- data/lib/conjur/cli.rb +13 -6
- data/lib/conjur/command.rb +30 -350
- data/lib/conjur/command/authn.rb +23 -15
- data/lib/conjur/command/host_factories.rb +2 -74
- data/lib/conjur/command/hosts.rb +6 -113
- data/lib/conjur/command/init.rb +20 -35
- data/lib/conjur/command/{secrets.rb → policies.rb} +33 -22
- data/lib/conjur/command/pubkeys.rb +3 -63
- data/lib/conjur/command/resources.rb +45 -162
- data/lib/conjur/command/roles.rb +11 -181
- data/lib/conjur/command/rspec/helpers.rb +0 -1
- data/lib/conjur/command/rspec/mock_services.rb +4 -4
- data/lib/conjur/command/users.rb +2 -159
- data/lib/conjur/command/variables.rb +5 -218
- data/lib/conjur/complete.rb +2 -2
- data/lib/conjur/config.rb +1 -11
- data/lib/conjur/conjurenv.rb +12 -9
- data/lib/conjur/identifier_manipulation.rb +3 -5
- data/lib/conjur/version.rb +2 -2
- data/{publish-rubygem.sh → publish.sh} +0 -4
- data/spec/authn_spec.rb +4 -0
- data/spec/command/hosts_spec.rb +2 -69
- data/spec/command/init_spec.rb +16 -11
- data/spec/command/pubkeys_spec.rb +1 -46
- data/spec/command/resources_spec.rb +21 -170
- data/spec/command/roles_spec.rb +5 -181
- data/spec/command/users_spec.rb +3 -79
- data/spec/command_spec.rb +1 -20
- data/spec/complete_spec.rb +1 -23
- data/spec/config_spec.rb +1 -1
- data/spec/spec_helper.rb +4 -5
- data/test.sh +29 -25
- metadata +92 -212
- data/.githooks/pre_commit/run_specs.rb +0 -23
- data/Dockerfile +0 -15
- data/Dockerfile.fpm +0 -18
- data/Dockerfile.publish +0 -12
- data/Dockerfile.standalone +0 -33
- data/Dockerfile.validate-packaging +0 -9
- data/VERSION +0 -1
- data/acceptance-features/audit/audit_event_send.feature +0 -107
- data/acceptance-features/audit/fetch.feature +0 -16
- data/acceptance-features/audit/send.feature +0 -51
- data/acceptance-features/authentication/authenticate.feature +0 -10
- data/acceptance-features/authentication/login.feature +0 -12
- data/acceptance-features/authentication/logout.feature +0 -13
- data/acceptance-features/authorization/resource/annotate.feature +0 -35
- data/acceptance-features/authorization/resource/check.feature +0 -24
- data/acceptance-features/authorization/resource/create.feature +0 -21
- data/acceptance-features/authorization/resource/deny.feature +0 -12
- data/acceptance-features/authorization/resource/give.feature +0 -24
- data/acceptance-features/authorization/resource/permit.feature +0 -20
- data/acceptance-features/authorization/resource/permitted_roles.feature +0 -16
- data/acceptance-features/authorization/resource/show.feature +0 -28
- data/acceptance-features/authorization/role/create.feature +0 -13
- data/acceptance-features/authorization/role/exists.feature +0 -19
- data/acceptance-features/authorization/role/grant_to.feature +0 -21
- data/acceptance-features/authorization/role/graph.feature +0 -57
- data/acceptance-features/authorization/role/members.feature +0 -23
- data/acceptance-features/authorization/role/memberships.feature +0 -27
- data/acceptance-features/bootstrap.feature +0 -13
- data/acceptance-features/conjurenv/check.feature +0 -21
- data/acceptance-features/conjurenv/run.feature +0 -10
- data/acceptance-features/directory/group/create.feature +0 -20
- data/acceptance-features/directory/group/retire.feature +0 -54
- data/acceptance-features/directory/host/create.feature +0 -23
- data/acceptance-features/directory/host/retire.feature +0 -6
- data/acceptance-features/directory/hostfactory/create.feature +0 -28
- data/acceptance-features/directory/hostfactory/tokens.feature +0 -16
- data/acceptance-features/directory/layer/create.feature +0 -10
- data/acceptance-features/directory/layer/hosts-add.feature +0 -9
- data/acceptance-features/directory/layer/hosts-remove.feature +0 -10
- data/acceptance-features/directory/layer/retire.feature +0 -43
- data/acceptance-features/directory/user/create.feature +0 -23
- data/acceptance-features/directory/user/retire.feature +0 -6
- data/acceptance-features/directory/variable/create.feature +0 -14
- data/acceptance-features/directory/variable/retire.feature +0 -17
- data/acceptance-features/dsl/policy_owner.feature +0 -45
- data/acceptance-features/dsl/resource_owner.feature +0 -17
- data/acceptance-features/dsl/retire.feature +0 -15
- data/acceptance-features/global-privilege/elevate.feature +0 -20
- data/acceptance-features/global-privilege/reveal.privilege +0 -20
- data/acceptance-features/pubkeys/add.feature +0 -22
- data/acceptance-features/pubkeys/delete.feature +0 -9
- data/acceptance-features/pubkeys/names.feature +0 -26
- data/acceptance-features/pubkeys/show.feature +0 -27
- data/acceptance-features/step_definitions/cli_steps.rb +0 -57
- data/acceptance-features/step_definitions/graph_steps.rb +0 -22
- data/acceptance-features/step_definitions/user_steps.rb +0 -51
- data/acceptance-features/support/env.rb +0 -23
- data/acceptance-features/support/hooks.rb +0 -178
- data/acceptance-features/support/world.rb +0 -176
- data/acceptance-features/trusted_proxies.feature +0 -82
- data/bin/conjurize +0 -26
- data/bin/jsonfield +0 -70
- data/build-standalone +0 -6
- data/deprecations.sh +0 -38
- data/features/conjurize.feature +0 -134
- data/features/dsl_context.feature +0 -36
- data/features/dsl_host_create.feature +0 -11
- data/features/dsl_ownership.feature +0 -30
- data/features/dsl_permission.feature +0 -45
- data/features/dsl_resource_create.feature +0 -23
- data/features/dsl_role_create.feature +0 -11
- data/features/dsl_user_create.feature +0 -23
- data/features/jsonfield.feature +0 -49
- data/features/role_graph.feature +0 -58
- data/features/step_definitions/conjurize_steps.rb +0 -5
- data/features/step_definitions/dsl_steps.rb +0 -52
- data/features/support/conjur.conf +0 -6
- data/lib/conjur/command/assets.rb +0 -121
- data/lib/conjur/command/audit.rb +0 -155
- data/lib/conjur/command/bootstrap.rb +0 -129
- data/lib/conjur/command/dsl_command.rb +0 -75
- data/lib/conjur/command/elevate.rb +0 -76
- data/lib/conjur/command/field.rb +0 -45
- data/lib/conjur/command/groups.rb +0 -208
- data/lib/conjur/command/ids.rb +0 -34
- data/lib/conjur/command/layers.rb +0 -211
- data/lib/conjur/command/ldapsync.rb +0 -118
- data/lib/conjur/command/rspec/audit_helpers.rb +0 -68
- data/lib/conjur/command/rubydsl.rb +0 -93
- data/lib/conjur/command/script.rb +0 -48
- data/lib/conjur/command/server.rb +0 -67
- data/lib/conjur/conjurize.rb +0 -71
- data/lib/conjur/conjurize/script.rb +0 -150
- data/lib/conjur/dsl/runner.rb +0 -273
- data/publish-deb.sh +0 -6
- data/push-image +0 -29
- data/spec/command/assets_spec.rb +0 -115
- data/spec/command/audit_spec.rb +0 -376
- data/spec/command/elevate_spec.rb +0 -28
- data/spec/command/env_spec.rb +0 -168
- data/spec/command/groups_spec.rb +0 -77
- data/spec/command/host_factories_spec.rb +0 -38
- data/spec/command/layers_spec.rb +0 -35
- data/spec/command/ldapsync_spec.rb +0 -28
- data/spec/command/rubydsl_spec.rb +0 -63
- data/spec/command/variable_expiration_spec.rb +0 -164
- data/spec/command/variables_spec.rb +0 -192
- data/spec/conjurize/script_spec.rb +0 -62
- data/spec/conjurize_spec.rb +0 -70
- data/spec/dsl/runner_spec.rb +0 -93
- data/spec/env_spec.rb +0 -214
data/publish-deb.sh
DELETED
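--- a/data/push-image
+++ b/data/push-image
@@ -1,29 +0,0 @@
-#!/bin/bash -e
-
-# Push the 'cli:4' image to Dockerhub when on the 'v4' branch
-
-cd "$(git rev-parse --show-toplevel)"
-
-TAG="4-${1:-$(cat VERSION)-$(git rev-parse --short HEAD)}"
-IMAGE='cyberark/conjur-cli'
-
-function tag_and_push() {
-local image="$1"
-local tag="$2"
-local description="$3"
-
-echo "TAG = $tag, $description"
-
-docker tag "$image" "$image:$tag"
-docker push "$image:$tag"
-}
-
-if [[ "$BRANCH_NAME" == 'v4' ]]; then
-bare_tag='4'
-latest_tag='4-latest'
-stable_tag="4-$(cat VERSION)"
-
-tag_and_push $IMAGE $bare_tag 'latest image (bare)'
-tag_and_push $IMAGE $latest_tag 'latest image'
-tag_and_push $IMAGE $stable_tag 'stable image'
-fi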
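--- a/data/spec/command/assets_spec.rb
+++ b/data/spec/command/assets_spec.rb
@@ -1,115 +0,0 @@
-require 'spec_helper'
-
-describe Conjur::Command::Assets, logged_in: true do
-
-let(:asset) { double(attributes: asset_attributes ) }
-let(:asset_attributes) { {"some"=>"attributes" } }
-before(:each) { allow(api).to receive(KIND.to_sym).and_return(asset) }
-
-context "asset:create" do
-before(:each) {
-allow(api).to receive(:method).with("create_#{KIND}").and_return(double(arity:1))
-allow(api).to receive("create_#{KIND}".to_sym).and_return(asset)
-}
-describe_command "asset:create #{KIND}:#{ID}" do
-it "calls api.create_#{KIND}(id:#{ID})" do
-expect(api).to receive("create_#{KIND}".to_sym).with(id: ID)
-invoke_silently
-end
-it "writes JSONised attributes to stdout" do
-expect(JSON.parse( expect { invoke }.to write )).to eq(asset_attributes)
-end
-end
-describe_command "asset:create #{KIND}" do
-it "calls api.create_#{KIND}({})" do
-expect(api).to receive("create_#{KIND}".to_sym).with({})
-invoke_silently
-end
-it "writes JSONised attributes to stdout" do
-expect(JSON.parse( expect { invoke }.to write )).to eq(asset_attributes)
-end
-end
-end
-
-describe_command "asset:show #{KIND}:#{ID}" do
-it "obtains asset instance as api.#{KIND}(#{ID})" do
-expect(api).to receive(KIND.to_sym).with(ID)
-invoke_silently
-end
-it "writes JSONised attributes to stdout" do
-expect(JSON.parse( expect { invoke }.to write )).to eq(asset_attributes)
-end
-end
-
-describe_command "asset:exists #{KIND}:#{ID}" do
-let(:exists_response) { "exists? response" }
-before(:each) { allow(asset).to receive(:exists?).and_return(exists_response) }
-it "obtains asset instance as api.#{KIND}(#{ID})" do
-expect(api).to receive(KIND.to_sym).with(ID)
-invoke_silently
-end
-it "calls asset.exists?" do
-expect(asset).to receive(:exists?)
-invoke_silently
-end
-it "writes response to stdout" do
-expect { invoke }.to write exists_response
-end
-end
-
-describe_command "asset:list #{KIND}" do
-let(:assets_names) { %W[klaatu barada nikto] }
-let(:assets_list) {
-assets_names.map { |x|
-double(attributes: { "id" => x } )
-}
-}
-before(:each) { allow(api).to receive("#{KIND}s".to_sym).and_return(assets_list) }
-
-it "calls api.#{KIND}s" do
-expect(api).to receive("#{KIND}s".to_sym)
-invoke_silently
-end
-it "for each asset from response displays it's attributes" do
-expect { invoke }.to write assets_names.
-map { |x|
-JSON.pretty_generate(id:x)
-}.join("\n")
-end
-end
-
-shared_examples 'it obtains asset by kind and id' do
-it "obtains asset instance as api.#{KIND}(#{ID})" do
-expect(api).to receive(KIND.to_sym).with(ID)
-invoke_silently
-end
-end
-
-shared_context "asset instance" do
-before(:each) {
-allow(api).to receive(KIND.to_sym).and_return(asset)
-allow(asset).to receive(:add_member)
-allow(asset).to receive(:remove_member)
-}
-end
-
-describe_command "asset:members:add #{KIND}:#{ID} #{ROLE} #{MEMBER}" do
-include_context "asset instance"
-it_behaves_like "it obtains asset by kind and id"
-it 'calls role.grant_to(member,...)' do
-expect(asset).to receive(:add_member).with(ROLE, MEMBER, anything)
-invoke_silently
-end
-it { expect { invoke }.to write "Membership granted" }
-end
-
-describe_command "asset:members:remove #{KIND}:#{ID} #{ROLE} #{MEMBER}" do
-include_context "asset instance"
-it_behaves_like "it obtains asset by kind and id"
-it 'calls role.revoke_from(member)' do
-expect(asset).to receive(:remove_member).with(ROLE, MEMBER)
-invoke_silently
-end
-it { expect { invoke }.to write "Membership revoked" }
-end
-end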
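--- a/data/spec/command/audit_spec.rb
+++ b/data/spec/command/audit_spec.rb
@@ -1,376 +0,0 @@
-require 'spec_helper'
-
-describe Conjur::Command::Audit, logged_in: true do
-let(:events) { [{'foo' => 'bar', 'zelda' => 'link', 'abc' => 'xyz'}, {'some' => 'other event'}] }
-
-def expect_api_call method, *args
-expect(api).to receive(method.to_sym).with(*args).and_return events
-#described_class.should_receive(:show_audit_events).with(events, an_instance_of(Hash))
-end
-
-def invoke_expecting_api_call method, *args
-expect_api_call method, *args
-invoke
-end
-
-def self.describe_command_success cmd, method, *expected_args, &block
-describe_command cmd do
-it "calls api.#{method}(#{expected_args.map(&:inspect).join(',')})" do
-instance_eval(&block) if block
-invoke_expecting_api_call method, *expected_args
-end
-end
-end
-
-def self.it_calls_the_api command, api_method, *api_args, &block
-describe_command_success command, api_method, *api_args, &block
-end
-
-
-def self.it_fails command, *raise_error_args
-unless raise_error_args.empty? or ::Class === raise_error_args.first
-raise_error_args.unshift Exception
-end
-describe_command command do
-it "raises #{raise_error_args.map(&:inspect).join ' '}" do
-expect { invoke_silently }.to raise_error(*raise_error_args)
-end
-end
-end
-
-describe "audit:role" do
-context "with an argument" do
-context "of a full id" do
-it_calls_the_api "audit:role foo:bar:baz", :audit_role, 'foo:bar:baz', {}
-end
-context "without an account" do
-it_calls_the_api "audit:role bar:baz", :audit_role, 'the-conjur-account:bar:baz', {} do
-allow(Conjur::Command).to receive_messages(conjur_account: "the-conjur-account")
-end
-end
-context "without enough tokens" do
-it_fails "audit:role not-enough-tokens", RuntimeError, /expecting at least two tokens/i
-end
-end
-end
-
-describe "audit:resource" do
-context "without an argument" do
-it_fails "audit:resource", /missing parameter: resource/i
-end
-context "with an argument of" do
-context "a full id" do
-it_calls_the_api "audit:resource foo:bar:baz", :audit_resource, "foo:bar:baz", {}
-end
-context "an id with two tokens" do
-it_calls_the_api "audit:resource foo:bar", :audit_resource, "the-conjur-account:foo:bar", {} do
-allow(Conjur::Command).to receive_messages(conjur_account: "the-conjur-account")
-end
-end
-context "an id with one token" do
-it_fails "audit:resource foo", /expecting at least two tokens/i
-end
-end
-end
-
-describe "audit:all" do
-it_calls_the_api "audit:all", :audit, {}
-end
-
-describe "output formatting:" do
-include_context "default audit behavior"
-
-before {
-allow(api).to receive(:audit_event_feed).and_yield([audit_event])
-}
-
-describe_command "audit all" do
-let(:audit_event) { default_audit_event }
-it 'prints full JSON retrieved from API' do
-expect { invoke }.to write( JSON.pretty_generate(audit_event) )
-end
-end
-
-describe_command "audit all -s" do
-let(:common_prefix) { "[#{default_audit_event["timestamp"]}] #{default_audit_event["user"]}" }
-let(:audit_event) { test_event }
-shared_examples_for "it supports standard prefix:" do
-describe "if acting_as is the same as user" do
-let(:audit_event) { test_event.tap { |e| e["acting_as"]=e["user"] } }
-it "prints default prefix" do
-expect { invoke }.to write(common_prefix)
-end
-it "does not print 'acting_as' statement" do
-expect { invoke }.to_not write(common_prefix+" (as ")
-end
-end
-
-describe "if acting_as is different from user" do
-it 'prints default prefix followed by (acting as..) statement' do
-expect { invoke }.to write(common_prefix+" (as #{audit_event['acting_as']})")
-end
-end
-end
-
-shared_examples_for "it recognizes error messages:" do
-describe "if :error is not empty" do
-let(:audit_event) { test_event.merge("error"=>"everything's down") }
-it 'appends (failed with...) statement' do
-expect { invoke }.to write(" (failed with everything's down)")
-end
-end
-describe "if :error is empty" do
-it 'does not print "failed with" statement' do
-expect { invoke }.not_to write(" (failed with ")
-end
-end
-
-end
-
-describe "(unknown kind:action)" do
-let(:test_event) { default_audit_event }
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'unknown event: <kind>:<action>'" do
-expect { invoke }.to write(" unknown event: some_asset:some_action!")
-end
-end
-
-describe "(resource:check)" do
-let(:test_event) { default_audit_event.merge("kind"=>"resource",
-"action"=>"check",
-"privilege"=>"fry",
-"resource"=>"food:bacon",
-"allowed" => "false"
-)
-}
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'checked that they...'" do
-expect { invoke }.to write(" checked that they can fry food:bacon (false)")
-end
-
-end
-
-describe "(resource:create)" do
-let(:test_event) { default_audit_event.merge("kind"=>"resource", "action" => "create",
-"resource" => "food:bacon",
-"owner" => "user:cook"
-)
-}
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'created resource ... owned by ... '" do
-expect { invoke }.to write(" created resource food:bacon owned by user:cook")
-end
-end
-
-describe "(resource:update)" do
-let(:test_event) { default_audit_event.merge("kind"=>"resource", "action" => "update",
-"resource" => "food:bacon",
-"owner" => "user:cook"
-)
-}
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'gave .. to .. '" do
-expect { invoke }.to write(" gave food:bacon to user:cook")
-end
-end
-
-describe "(resource:destroy)" do
-let(:test_event) { default_audit_event.merge("kind"=>"resource", "action" => "destroy",
-"resource" => "food:bacon"
-)
-}
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'destroyed resource ... '" do
-expect { invoke }.to write(" destroyed resource food:bacon")
-end
-end
-
-describe "(resource:permit)" do
-let(:test_event) { default_audit_event.merge("kind"=>"resource", "action" => "permit",
-"resource" => "food:bacon",
-"privilege" => "fry",
-"grantee" => "user:cook"
-)
-}
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'permitted .. to .. (grant option: .. ) '" do
-expect { invoke }.to write(" permitted user:cook to fry food:bacon (grant option: false)")
-end
-end
-
-describe "(resource:deny)" do
-let(:test_event) { default_audit_event.merge("kind"=>"resource", "action" => "deny",
-"resource" => "food:bacon",
-"privilege" => "fry",
-"grantee" => "user:cook"
-)
-}
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'denied .. from .. on ..'" do
-expect { invoke }.to write(" denied fry from user:cook on food:bacon")
-end
-end
-
-describe "(resource:permitted_roles)" do
-let(:test_event) { default_audit_event.merge("kind"=>"resource", "action" => "permitted_roles",
-"resource" => "food:bacon",
-"privilege" => "fry"
-)
-}
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'listed roles permitted to .. on ..'" do
-expect { invoke }.to write(" listed roles permitted to fry on food:bacon")
-end
-end
-
-describe "(role:check)" do
-let(:options_set) {
-{
-"kind"=>"role", "action" => "check",
-"resource" => "food:bacon",
-"privilege" => "fry",
-"allowed" => "false"
-}
-}
-describe 'on themselves' do
-let(:test_event) { default_audit_event.merge(options_set).merge("role" => default_audit_event["user"]) }
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'checked that they...'" do
-expect { invoke }.to write(" checked that they can fry food:bacon (false)")
-end
-end
-describe 'on others' do
-let(:test_event) { default_audit_event.merge(options_set).merge("role" => "some:other:guy") }
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'checked that they...'" do
-expect { invoke }.to write(" checked that some:other:guy can fry food:bacon (false)")
-end
-end
-end
-
-describe "(role:grant)" do
-let(:options_set) {
-{
-"kind"=>"role", "action" => "grant",
-"member" => "other:guy",
-"role" => "super:user"
-}
-}
-describe 'without admin option' do
-let(:test_event) { default_audit_event.merge(options_set) }
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'granted role .. to .. without admin'" do
-expect { invoke }.to write(" granted role super:user to other:guy without admin")
-end
-end
-describe 'with admin option' do
-let(:test_event) { default_audit_event.merge(options_set).merge("admin_option" => true) }
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'granted role .. to .. with admin'" do
-expect { invoke }.to write(" granted role super:user to other:guy with admin")
-end
-end
-end
-
-describe "(role:revoke)" do
-let(:test_event) { default_audit_event.merge("kind"=>"role", "action" => "revoke",
-"role" => "super:user",
-"member" => "other:guy"
-)
-}
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'revoked role .. from .." do
-expect { invoke }.to write(" revoked role super:user from other:guy")
-end
-end
-
-describe "(role:create)" do
-let(:test_event) { default_audit_event.merge("kind"=>"role", "action" => "create",
-"role" => "super:user",
-)
-}
-it_behaves_like "it supports standard prefix:"
-it_behaves_like "it recognizes error messages:"
-it "prints 'created role .. " do
-expect { invoke }.to write(" created role super:user")
-end
-end
-
-describe 'audit of ssh:sudo' do
-let(:ssh_event) { default_audit_event.merge('kind' => 'audit', 'facility' => 'ssh', 'action' => 'sudo', 'command' => '/bin/ls', 'system_user' => 'test_user', 'target_user' => 'root') }
-context 'when sudo successful' do
-let(:test_event) { ssh_event.merge('allowed' => true) }
-it 'prints <user> ran <command>' do
-expect { invoke }.to write(" test_user ran '/bin/ls' as root")
-end
-end
-
-context 'when sudo fails' do
-let(:test_event) { ssh_event.merge('allowed' => false) }
-
-it 'prints <user> attempted to run <command>' do
-expect { invoke }.to write(" test_user attempted to run '/bin/ls' as root")
-end
-end
-end
-
-describe '(conjur:use_extra_privilege)' do
-let(:priv) { 'elevate' }
-let(:test_event) { default_audit_event.merge('kind' => 'conjur', 'action' => 'use_extra_privilege', 'privilege' => priv) }
-
-it_behaves_like 'it supports standard prefix:'
-it_behaves_like 'it recognizes error messages:'
-it 'prints the extra privilege' do
-expect { invoke }.to write(" requested extra privilege #{priv}")
-end
-end
-
-end
-end
-
-describe "limit and offset" do
-let(:events) { (1 .. 5).map { |x| { event: x } } }
-before {
-allow(api).to receive(:audit_event_feed).and_yield(events)
-}
-
-describe_command "audit all" do
-it "prints all the elements" do
-expect(expect { invoke }.to write).to eq(events.map {|e| JSON.pretty_generate(e)}.join("\n")+"\n")
-end
-end
-
-describe_command "audit all -l 2" do
-it "prints only <limit> elements" do
-expect(expect { invoke }.to write).to eq(events[0..1].map {|e| JSON.pretty_generate(e)}.join("\n")+"\n")
-end
-end
-
-describe_command "audit all -o 2" do
-it "skips <offset> elements" do
-expect(expect { invoke }.to write).to eq(events[2..4].map {|e| JSON.pretty_generate(e)}.join("\n")+"\n")
-end
-end
-
-describe_command "audit all -o 2 -l 2" do
-it "skips <offset> elements and prints only <limit> of remaining part" do
-expect(expect { invoke }.to write).to eq(events[2..3].map {|e| JSON.pretty_generate(e)}.join("\n")+"\n")
-end
-end
-
-end
-
-end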