conjur-cli 5.6.6 → 6.0.0.rc1

data/spec/command/elevate_spec.rb

@@ -1,28 +0,0 @@
-require 'spec_helper'
-
-describe Conjur::Command::Elevate do
-  describe_command "elevate user show alice" do
-    include_context "with mock authn"
-    
-    let(:token) { {login: 'dknuth'} }
-    before{
-      expect(Conjur::Authn).to receive(:connect).and_return(api)
-    }
-    it "invokes the sub-command with X-Conjur-Privilege header" do
-      allow_any_instance_of(Conjur::API).to receive(:token).and_return(token)
-      expect(Conjur::Command).to receive(:api=) do |api|
-        expect(api.api_key).to eq("sekrit")
-        expect(api.privilege).to eq("elevate")
-      end.and_call_original
-      
-      expect(RestClient::Request).to receive(:execute).with({
-        method: :get,
-        url: "https://core.example.com/api/users/alice",
-        username: "dknuth",
-        headers: {:authorization=>"Token token=\"eyJsb2dpbiI6ImRrbnV0aCJ9\"", x_conjur_privilege: "elevate"}
-      }).and_return(double(:response, body: "[]"))
-      
-      invoke
-    end
-  end
-end

data/spec/command/env_spec.rb

@@ -1,168 +0,0 @@
-require 'spec_helper'
-require 'conjur/conjurenv'
-require 'tempfile'
-
-
-shared_examples_for "processes environment definition" do |cmd, options|
-  before {  # suspend all interaction with the environment
-    allow(Kernel).to receive(:system).and_return(true) 
-  }
-  let(:stub_object) { double(obtain:{}, check:{}) }
-
-  describe_command "env:#{cmd} #{options}" do
-    it "uses .conjurenv file by default" do
-      expect(Conjur::Env).to receive(:new).with(file:".conjurenv").and_return(stub_object)
-      invoke
-    end
-  end
-
-  describe_command "env:#{cmd} -c somefile #{options}" do
-    it "uses desired file" do
-      expect(Conjur::Env).to receive(:new).with(file:"somefile").and_return(stub_object)
-      invoke
-    end
-  end
-  
-  describe_command "env:#{cmd} --yaml someyaml #{options}" do
-    it "uses inline yaml" do
-      expect(Conjur::Env).to receive(:new).with(yaml:"someyaml").and_return(stub_object)
-      invoke
-    end
-  end
-
-  describe_command "env:#{cmd} -c somefile --yaml someyaml #{options}" do
-    it "refuses to accept mutually exclusive options" do      
-      expect(Conjur::Env).not_to receive(:new)
-      expect { invoke }.to raise_error /Options -c and --yaml can not be provided together/
-    end
-  end
-end
-
-shared_examples_for "accepts policy option" do |cmd, options|
-  before {  # suspend all interaction with the environment
-    allow(Kernel).to receive(:system).and_return(true) 
-  }
-  let(:stub_object) { double(obtain:{}, check:{}) }
-  describe_command "env:#{cmd} --policy foobar #{options}" do
-    it "uses .conjurenv file by default" do
-      expect(Conjur::Env).to receive(:new).with(file:".conjurenv", substitutions: { "$policy" => "foobar" }).and_return(stub_object)
-      invoke
-    end
-  end
-end
-
-describe Conjur::Command::Env, logged_in: true do
-
-  let(:stub_env)    { double() }
-  describe ":check" do
-    it_behaves_like "processes environment definition", "check", ''
-    it_behaves_like "accepts policy option", "check", ''
-
-    describe_command "env:check" do
-      before { expect(Conjur::Env).to receive(:new).and_return(stub_env) }
-      describe "without api errors" do
-        let(:stub_result) {  { "a" => :available, "b"=> :available } }
-        before {
-          expect(stub_env).to receive(:check).with(an_instance_of(Conjur::API)).and_return(stub_result)
-        }
-
-        describe "if all variables are available" do
-          it "prints #check result to the output" do
-            expect { invoke }.to write "a: available\nb: available\n"
-          end
-
-          it "does not crash" do
-            expect { invoke }.to_not raise_error
-          end
-        end
-
-        describe "if some variables are unavailable" do
-          let(:stub_result) {  { "a" => :unavailable, "b"=> :available } }
-          it "prints #check result to the output" do
-            expect { invoke rescue true }.to write "a: unavailable\nb: available\n"
-          end
-          it "crashes in the end" do
-            expect { invoke  }.to raise_error "Some variables are not available"
-          end
-        end
-      end
-      it 'does not rescue unexpected errors' do
-        expect(stub_env).to receive(:check).with(an_instance_of(Conjur::API)) { raise "Custom error" }
-        expect { invoke }.to raise_error "Custom error"
-      end
-    end
-  end
-
-  describe ":run" do
-    it_behaves_like "processes environment definition", "run","-- extcmd"
-    it_behaves_like "accepts policy option", "run", '-- extcmd'
-    describe_command "env:run" do
-      it 'fails because of missing argument' do 
-        expect(Kernel).not_to receive(:system)
-        expect { invoke }.to raise_error "External command with optional arguments should be provided" 
-      end 
-    end
-    describe_command "env:run -- extcmd --arg1 arg2" do
-      before { 
-        expect(Conjur::Env).to receive(:new).and_return(stub_env)
-      }
-
-      describe "if no errors are raised" do
-        let(:stub_result) { { "a" => "value_a", "b" => "value_b" } }
-        before {
-          expect(stub_env).to receive(:obtain).with(an_instance_of(Conjur::API)).and_return(stub_result)
-        }
-        it "performs #exec with environment (names in uppercase)" do
-          expect(Kernel).to receive(:system).with({"A"=>"value_a", "B"=>"value_b"}, "extcmd", "--arg1","arg2").and_return(true)
-          invoke 
-        end
-      end
-      it "does not rescue unexpected errors" do
-        expect(stub_env).to receive(:obtain).with(an_instance_of(Conjur::API)) { raise "Custom error" } 
-        expect { invoke }.to raise_error "Custom error"
-      end
-    end
-  end
-
-  describe ":template" do
-    context do 
-      before { # prevent real operation
-        allow(File).to receive(:readable?).with("config.erb").and_return(true)
-        allow(File).to receive(:read).with("config.erb").and_return("template")
-        allow(ERB).to receive(:new).and_return(double(result:''))
-        allow(Tempfile).to receive(:new).and_return(double(write: true, close: true, path: 'somepath'))
-        allow(FileUtils).to receive(:copy).and_return(true)
-      }
-      it_behaves_like "processes environment definition", "template","config.erb"
-      it_behaves_like "accepts policy option", "template", 'config.erb'
-    end
-    describe_command "env:template" do
-      it 'fails because of missing argument' do 
-        expect(Tempfile).not_to receive(:new)
-        expect { invoke }.to raise_error "Location of readable ERB template should be provided"
-      end 
-    end
-    describe_command "env:template config.erb" do
-      let(:erb_template) { """
-variable <%= conjurenv['a'] %>
-other variable <%= conjurenv['b'] %>
-"""
-      }
-      before { 
-        allow(File).to receive(:readable?).with("config.erb").and_return(true)
-        allow(File).to receive(:read).with("config.erb").and_return(erb_template)
-        expect(Conjur::Env).to receive(:new).and_return(stub_env)
-        expect(stub_env).to receive(:obtain).with(an_instance_of(Conjur::API)).and_return( {"a"=>"value_a","b"=>"value_b","c"=>"value_c"} )
-      }
-
-      it "creates persistent tempfile, saves rendered template into it, prints out name of the file" do 
-        stubpath="/tmp/temp.file"
-        tempfile=double(close: true, path: stubpath)
-        expect(Tempfile).to receive(:new).and_return(tempfile)
-        expect(tempfile).to receive(:write).with("\nvariable value_a\nother variable value_b\n")  
-        expect(FileUtils).to receive(:copy).with(stubpath,stubpath+'.saved') # avoid garbage collection
-        expect { invoke }.to write stubpath+".saved"
-      end
-    end
-  end
-end

data/spec/command/groups_spec.rb

@@ -1,77 +0,0 @@
-require 'spec_helper'
-
-describe Conjur::Command::Groups, logged_in: true do
-  describe_command 'group create --gidnumber 12345 some-group' do
-    it "creates the group with a specified gidnumber" do
-      expect_any_instance_of(Conjur::API).to receive(:create_group).with('some-group', gidnumber: 12345).and_return "something"
-      expect { invoke }.to write "something"
-    end
-  end
-
-  describe_command 'group update --gidnumber 12345 some-group' do
-    it "updates the gid" do
-      expect_any_instance_of(Conjur::API).to \
-          receive(:group).with('some-group').and_return(group = double("group"))
-      expect(group).to receive(:update).with(gidnumber: 12_345)
-      expect { invoke }.to write "GID set"
-    end
-  end
-
-  context "lookup by GID" do
-    let(:search_result) { %w(g1 g2) }
-    describe_command "group gidsearch 12345" do
-      it "finds the groups" do
-        expect_any_instance_of(Conjur::API).to \
-            receive(:find_groups).with(gidnumber: 12_345).and_return search_result
-        expect { invoke }.to write(JSON.pretty_generate(search_result))
-      end
-    end
-  end
-
-  describe_command "group:members:add group user:alice" do
-    it "adds the role to the group" do
-      expect(RestClient::Request).to receive(:execute).with({
-        method: :put,
-        url: "https://authz.example.com/the-account/roles/group/group/?members&member=user:alice",
-        headers: {},
-        payload: nil
-      })
-      invoke
-    end
-  end
-
-  describe_command "group:members:add -a group user:alice" do
-    it "adds the role to the group with admin option" do
-      expect(RestClient::Request).to receive(:execute).with({
-        method: :put,
-        url: "https://authz.example.com/the-account/roles/group/group/?members&member=user:alice",
-        headers: {},
-        payload: { admin_option: true }
-      })
-      invoke
-    end
-  end
-  describe_command "group:members:add -a group alice" do
-    it "assumes that a nake member name is a user" do
-     expect(RestClient::Request).to receive(:execute).with({
-        method: :put,
-        url: "https://authz.example.com/the-account/roles/group/group/?members&member=user:alice",
-        headers: {},
-        payload: { admin_option: true }
-      })
-      invoke
-    end
-  end
-
-  describe_command "group:members:add -r group alice" do
-    it "revokes the admin rights" do
-       expect(RestClient::Request).to receive(:execute).with({
-        method: :put,
-        url: "https://authz.example.com/the-account/roles/group/group/?members&member=user:alice",
-        headers: {},
-        payload: { admin_option: false }
-       })
-      invoke
-    end
-  end
-end

data/spec/command/host_factories_spec.rb

@@ -1,38 +0,0 @@
-require 'spec_helper'
-require 'conjur/command/host_factories'
-
-describe Conjur::Command::HostFactories, :logged_in => true do
-  let (:group_memberships) { double(:group_memberships, :roleid => 'the-account:group:security_admin') }
-  let (:current_role) { double(:current_role, roleid: 'the-account:user:dknuth', :memberships => [ double(:current_role_role, roleid: 'the-account:user:dknuth') ]) }
-  let (:group_members) { double(:layer_members, :member => double(:member, :roleid => 'the-account:user:dknuth'), :admin_option => true ) }
-  let (:group) { double(:group, roleid: 'the-account:group:the-group', :exists? => true, :memberships => [group_memberships], :members => [group_members]) }
-  let (:layer_members) { double(:layer_members, :member => double(:member, :roleid => 'the-account:group:security_admin'), :admin_option => true ) }
-  let (:layer_role) { double(:layer_role, roleid: 'the-account:layer:layer1', :members => [layer_members]) }
-  let (:layer) { double(:layer, :exists? => true, :role => layer_role) }
-
-  before do
-    allow(Conjur::Command.api).to receive(:role).with("user:dknuth").and_return current_role
-    allow(Conjur::Command.api).to receive(:role).with("the-account:group:the-group").and_return group
-    allow(Conjur::Command.api).to receive(:layer).with("layer1").and_return layer
-  end
-
-  describe_command 'hostfactory:create --as-group the-group --layer layer1 hf1 ' do
-    it 'calls api.create_host_factory and prints the results' do
-      expect_any_instance_of(Conjur::API).to receive(:create_host_factory).and_return '{}'
-      expect { invoke }.to write('{}')
-    end
-  end
-
-  context 'command-line errors' do
-    describe_command 'hostfactory:create hf1' do
-      it "fails without owner" do
-        expect {invoke}.to raise_error('Use --as-group or --as-role to indicate the host factory role') 
-      end
-    end
-    describe_command 'hostfactory:create --as-group the-group hf' do
-      it "fails without layer" do
-        expect {invoke}.to raise_error('Provide at least one layer') 
-      end
-    end
-  end
-end

data/spec/command/layers_spec.rb

@@ -1,35 +0,0 @@
-require 'spec_helper'
-
-describe Conjur::Command::Layers, logged_in: true do
-  let(:layer) { double(:layer) }
-  
-  [ "layer hosts add", "layer:hosts:add" ].each do |cmd|
-    describe_command "#{cmd} the-layer the-host" do
-      it "adds a host id to the layer" do
-        expect_any_instance_of(Conjur::API).to receive(:layer).with("the-layer").and_return layer
-        expect(layer).to receive(:add_host).with("the-account:host:the-host")
-  
-        expect { invoke }.to write("Host added")
-      end
-    end
-    describe_command "#{cmd} the-layer host:the-host" do
-      it "adds a qualified host id to the layer" do
-        expect_any_instance_of(Conjur::API).to receive(:layer).with("the-layer").and_return layer
-        expect(layer).to receive(:add_host).with("host:the-host")
-  
-        expect { invoke }.to write("Host added")
-      end
-    end
-  end
-
-  [ "layer hosts remove", "layer:hosts:remove" ].each do |cmd|
-    describe_command "#{cmd} the-layer the-host" do
-      it "adds a host to the layer" do
-        expect_any_instance_of(Conjur::API).to receive(:layer).with("the-layer").and_return layer
-        expect(layer).to receive(:remove_host).with("the-account:host:the-host")
-  
-        expect { invoke }.to write("Host removed")
-      end
-    end
-  end
-end

data/spec/command/ldapsync_spec.rb

@@ -1,28 +0,0 @@
-require 'spec_helper'
-
-describe Conjur::Command::LDAPSync, logged_in: true do
-
-  let (:policy_response) { { 'ok' => true, 'events' => [], 'policy' => <<eop
-"---
-- !user
-  annotations:
-    ldap-sync/source: ldap-server:389
-    ldap-sync/upstream-dn: CN=Administrator,OU=functest,OU=testdata,OU=dev-ci,DC=dev-ci,DC=conjur
-  id: Administrator
-  uidnumber:"}
-eop
-  }
-}
-
-  describe_command "ldap-sync policy show" do
-    
-    before do 
-      expect_any_instance_of(Conjur::API).to receive(:ldap_sync_policy).with('default').and_return policy_response
-    end
-
-    it "shows the policy" do
-      expect { invoke }.to write policy_response['policy']
-    end
-  end
-
-end

data/spec/command/rubydsl_spec.rb

@@ -1,63 +0,0 @@
-require 'spec_helper'
-require 'conjur/dsl/runner'
-
-describe Conjur::Command::RubyDSL do
-  context "when logged in", logged_in: true do
-    let(:role) do
-      double("role", exists?: true, api_key: "the-api-key", roleid: "the-role")
-    end
-    let(:resource) do
-      double("resource", exists?: true).as_null_object
-    end
-    before {
-      allow(File).to receive(:read).and_call_original
-      allow(File).to receive(:exists?).and_call_original
-      allow(File).to receive(:exists?).with("policy.rb").and_return true
-      allow(File).to receive(:read).with("policy.rb").and_return "{}"
-      allow_any_instance_of(Conjur::DSL::Runner).to receive(:api).and_return api
-    }
-    before {
-      allow(api).to receive(:role).and_call_original
-      allow(api).to receive(:resource).and_call_original
-      allow(api).to receive(:role).with("the-account:policy:#{collection}/the-policy-1.0.0").and_return role
-      allow(api).to receive(:resource).with("the-account:policy:#{collection}/the-policy-1.0.0").and_return resource
-    }
-
-    describe_command 'rubydsl:load --collection the-collection http://example.com/policy.rb' do
-      let(:collection) { "the-collection" }
-      before {
-        allow(File).to receive(:exists?).with("http://example.com/policy.rb").and_return false
-        allow(URI).to receive(:parse).with("http://example.com/policy.rb").and_return double(:uri, read: "{}")
-      }
-      it "creates the policy" do
-        expect(invoke).to eq(0)
-      end
-    end
-    describe_command 'rubydsl:load --collection the-collection policy.rb' do
-      let(:collection) { "the-collection" }
-      it "creates the policy" do
-        expect(invoke).to eq(0)
-      end
-    end
-    context "default collection" do
-      let(:collection) { "alice@localhost" }
-      before {
-        stub_const("ENV", "USER" => "alice", "HOSTNAME" => "localhost")
-      }
-      describe_command 'rubydsl:load --as-group the-group policy.rb' do
-        let(:group) { double(:group, exists?: true) }
-        it "creates the policy" do
-          allow(Conjur::Command.api).to receive(:role).with("the-account:group:the-group").and_return group
-          expect_any_instance_of(Conjur::DSL::Runner).to receive(:owner=).with("the-account:group:the-group")
-
-          expect(invoke).to eq(0)
-        end
-      end
-      describe_command 'rubydsl:load policy.rb' do
-        it "creates the policy with default collection" do
-          expect(invoke).to eq(0)
-        end
-      end
-    end
-  end
-end

data/spec/command/variable_expiration_spec.rb

@@ -1,164 +0,0 @@
-require 'spec_helper'
-require 'conjur/command/variables'
-
-describe Conjur::Command::Variables, :logged_in => true do
-  let (:variable) { double(:name => 'foo') }
-  let (:incompatible_server_msg) { /not supported/ }
-  
-  context "expiring a variable" do
-    
-    let (:duration) { nil }
-
-    context "with valid arguments" do 
-      before do
-        expect(RestClient::Request).to receive(:execute).with({
-            :method => :post,
-            :url => 'https://core.example.com/api/variables/foo/expiration',
-            :headers => {},
-            :payload => {:duration => duration}
-          }).and_return(double('response', :body => '{}'))
-      end
-      
-      shared_examples 'it sets variable expiration' do 
-        it do
-          expect {invoke}.to write
-        end
-      end
-      
-      describe_command 'variable:expire --now foo' do
-        let (:duration) { 'P0Y' }
-        it_behaves_like 'it sets variable expiration'
-      end
-      
-      describe_command 'variable:expire --days 1 foo' do
-        let (:duration) { 'P1D' }
-        it_behaves_like 'it sets variable expiration'
-      end
-      
-      describe_command 'variable:expire --months 1 foo' do
-        let (:duration) { 'P1M' }
-        it_behaves_like 'it sets variable expiration'
-      end
-
-      describe_command 'variable:expire --in PT1M foo' do
-        let (:duration) { 'PT1M' }
-        it_behaves_like 'it sets variable expiration'
-      end
-
-    end
-
-    describe_command 'variable:expire --now --days 1 foo' do
-      it "fails" do
-        expect { invoke_silently }.to raise_error GLI::CustomExit
-      end
-
-    end
-
-    describe_command 'variable:expire' do
-      it 'should fail' do
-        expect { invoke_silently }.to raise_error RuntimeError
-      end
-    end
-
-  end
-
-  context "getting variable expirations" do
-    context "with valid arguments" do
-      let (:expected_params) { nil }
-      let (:expected_headers) { {}.tap {|h| h.merge!(:params => expected_params) if expected_params} }
-      before do
-        expect(RestClient::Request).to receive(:execute).with({
-            :method => :get,
-            :url => 'https://core.example.com/api/variables/expirations',
-            :headers => expected_headers
-          }).and_return(double('response', :body => '[]'))
-      end
-
-      shared_examples 'it writes expiration list' do
-        it do
-          expect { invoke }.to write "[\n\n]\n"
-        end
-      end
-
-      describe_command 'variable:expirations' do
-        it_behaves_like 'it writes expiration list' 
-      end
-
-      describe_command 'variable:expirations --days 1' do
-        let (:expected_params) { { :duration => 'P1D' } }
-        it_behaves_like 'it writes expiration list' 
-      end
-
-      describe_command 'variable:expirations --months 1' do
-        let (:expected_params) { { :duration => 'P1M' } }
-        it_behaves_like 'it writes expiration list' 
-      end
-
-      describe_command 'variable:expirations --in P1D' do
-        let (:expected_params) { { :duration => 'P1D' } }
-        it_behaves_like 'it writes expiration list' 
-      end
-
-    end
-  end
-
-  let(:certificate) do
-    OpenSSL::X509::Certificate.new.tap do |cert|
-      key = OpenSSL::PKey::RSA.new 512
-      cert.public_key = key.public_key
-      cert.not_before = Time.now
-      cert.not_after = 1.minute.from_now
-      cert.sign key, OpenSSL::Digest::SHA256.new
-    end
-  end
-
-  let(:certfile) do
-    Tempfile.new("cert").tap do |file|
-      file.write certificate.to_pem
-      file.close
-    end
-  end
-
-  context 'connecting to incompatible server version while' do
-    before do
-      allow(Conjur.config).to receive_messages \
-                              cert_file: certfile.path,
-                              appliance_url: core_host
-
-      expect(RestClient::Request).to receive(:execute).with({
-          :method => :get,
-          :url => "https://core.example.com/info",
-          :headers => {}
-      }).and_raise(RestClient::ResourceNotFound)
-    end
-
-    context 'setting variable expiration' do
-      describe_command 'variable:expire --days 1 foo' do
-        it 'should display error message' do
-          expect(RestClient::Request).to receive(:execute).with({
-              :method => :post,
-              :url => "https://core.example.com/api/variables/foo/expiration",
-              :headers => {},
-              :payload => anything
-          }).and_raise(RestClient::ResourceNotFound)
-          expect { invoke }.to raise_error(RestClient::ResourceNotFound)
-                           .and write(incompatible_server_msg).to(:stderr)
-        end
-      end
-    end
-
-    context 'getting variable expirations' do
-      describe_command 'variable:expirations' do
-        it 'should display error message' do
-          expect(RestClient::Request).to receive(:execute).with({
-              :method => :get,
-              :url => 'https://core.example.com/api/variables/expirations',
-              :headers => {}
-          }).and_raise(RestClient::ResourceNotFound)
-          expect { invoke }.to raise_error(RestClient::ResourceNotFound)
-                           .and write(incompatible_server_msg).to(:stderr)
-        end
-      end
-    end
-  end
-end