conjur-cli 5.6.6 → 6.0.0.rc1

data/features/authorization/role/members.feature

@@ -0,0 +1,45 @@
+Feature: List members of a role
+
+  Background:
+    Given I load the policy:
+    """
+    - !user alice
+
+    - !group cooks
+    """
+
+  Scenario: Role members list is initally just the creator of the role
+    When I successfully run `conjur role members group:cooks`
+    Then the JSON should be:
+    """
+    [
+      "cucumber:user:admin"
+    ]
+    """
+
+  Scenario: Members can be added to the role by granting them the role
+    Given I apply the policy:
+    """
+    - !grant
+      role: !group cooks
+      member: !user alice
+    """
+    When I successfully run `conjur role members group:cooks`
+    Then the JSON should have 2 entries
+
+  Scenario: Members list is not expanded transitively
+    Given I apply the policy:
+    """
+    - !group employees
+
+    - !grant
+      role: !group employees
+      member: !group cooks
+
+    - !grant
+      role: !group cooks
+      member: !user alice
+    """
+    When I successfully run `conjur role members group:cooks`
+    Then the JSON should have 2 entries
+    

data/features/authorization/role/memberships.feature

@@ -0,0 +1,43 @@
+Feature: List memberships of a role
+
+  Scenario: The role memberships list includes the role itself
+    Given I load the policy:
+    """
+    - !group cooks
+    """
+    When I successfully run `conjur role memberships group:cooks`
+    Then the JSON should have 1 entries
+
+  Scenario: Memberships can be added to a role by granting it a new role
+    Given I load the policy:
+    """
+    - !group employees
+
+    - !group cooks
+
+    - !grant
+      role: !group employees
+      member: !group cooks
+    """
+    When I successfully run `conjur role memberships group:cooks`
+    Then the JSON should have 2 entries
+
+  Scenario: Members list is expanded transitively
+    Given I load the policy:
+    """
+    - !user alice
+
+    - !group employees
+
+    - !group cooks
+
+    - !grant
+      role: !group employees
+      member: !group cooks
+
+    - !grant
+      role: !group cooks
+      member: !user alice
+    """
+    When I successfully run `conjur role memberships user:alice`
+    Then the JSON should have 3 entries

data/features/conjurenv/check.feature

@@ -0,0 +1,34 @@
+Feature: Check an environment
+
+  Background: 
+    Given I load the policy:
+    """
+    - !variable access_key
+    - !variable secret_key
+    - !variable ssh_private_key
+
+    - !user alice
+
+    - !permit
+        role: !user alice
+        privilege: execute
+        resources:
+        - !variable access_key
+        - !variable secret_key
+
+    """
+    And I run `conjur variable values add access_key ABCDEF`
+    And I run `conjur variable values add secret_key XYZQWER`
+    And I run `conjur variable values add ssh_private_key PRIVATE_KEY_BODY`
+    And I login as "alice"
+    And I reset the command list
+
+  Scenario: Check against permitted variables
+    When I run `conjur env check --yaml '{ aws_access_key: !var access_key, aws_secret_key: !var secret_key }'`
+    Then the exit status should be 0
+    And the stdout should contain "aws_access_key: available\naws_secret_key: available\n"
+
+  Scenario: Check against restricted variables
+    When I run `conjur env check --yaml '{ aws_access_key: !var access_key, ssh_private_key: !var ssh_private_key }'`
+    Then the exit status should be 1
+    And the stdout should contain "aws_access_key: available\nssh_private_key: unavailable\n"

data/features/conjurenv/run.feature

@@ -0,0 +1,15 @@
+Feature: Run command in an environment populated from Conjur variables
+
+  Background: 
+    Given I load the policy:
+    """
+    - !variable access_key
+    - !variable secret_key
+    """
+    And I run `conjur variable values add access_key ABCDEF`
+    And I run `conjur variable values add secret_key XYZQWER`
+    And I reset the command list
+
+  Scenario:
+    When I run `bash -c "conjur env run --yaml '{ cloud_access_key: !var access_key , cloud_secret_key: !var secret_key }' -- env | grep CLOUD_"`
+    Then the stdout should contain exactly "CLOUD_ACCESS_KEY=ABCDEF\nCLOUD_SECRET_KEY=XYZQWER"

data/{acceptance-features → features}/conjurenv/template.feature

@@ -2,10 +2,15 @@ Feature: Embed values of Conjur variables into ERB template
 
   Background: 
     Given a file named "template.erb" with: 'aws credentials: [<%= conjurenv["aws_access_key"] %>, <%= conjurenv["aws_secret_key"] %>]'
-    And I run `conjur variable create $ns/access_key ABCDEF`
-    And I run `conjur variable create $ns/secret_key XYZQWER`
+    And I load the policy:
+    """
+    - !variable access_key
+    - !variable secret_key
+    """
+    And I run `conjur variable values add access_key ABCDEF`
+    And I run `conjur variable values add secret_key XYZQWER`
     And I reset the command list
 
   Scenario:
-    When I run `conjur env template --yaml '{ aws_access_key: !var $ns/access_key , aws_secret_key: !var $ns/secret_key }' template.erb `
+    When I run `conjur env template --yaml '{ aws_access_key: !var access_key , aws_secret_key: !var secret_key }' template.erb `
     Then it prints the path to temporary file which contains: 'aws credentials: [ABCDEF, XYZQWER]'

data/{acceptance-features → features}/directory/user/update_password.feature

@@ -1,15 +1,21 @@
 Feature: Update the password of the logged-in user
 
   Background:
-    Given I login as a new user
+    Given I load the policy:
+    """
+    - !user alice
+    """
+    And I login as "alice"
 
+  @restore-login
   Scenario: A user can update her own password
     And I run `conjur user update_password` interactively
     Then I can type and confirm a new password
 
+  @restore-login
   Scenario: The new password can be used to login
     And I run `conjur user update_password` interactively
     And I type and confirm a new password
-    And I run `conjur authn login alice@$ns` interactively
+    And I run `conjur authn login alice` interactively
     And I enter the password
     Then the exit status should be 0

data/{acceptance-features → features}/directory/variable/value.feature

@@ -1,14 +1,18 @@
 Feature: Obtain value from variable
 
   Background:
-    Given I successfully run `conjur variable create $ns/secret secretvalue` 
-    And I successfully run `conjur variable values add $ns/secret updatedvalue`
+    Given I load the policy:
+    """
+    - !variable secret
+    """
+    And I run `conjur variable values add secret secretvalue`
+    And I run `conjur variable values add secret updatedvalue`
     And I reset the command list
 
   Scenario: Recent value is obtained by default
-    When I run `conjur variable value $ns/secret`
+    When I run `conjur variable value secret`
     Then the stdout should contain exactly "updatedvalue"
-  
+
   Scenario: Previous values can be obtained by version
-    When I run `conjur variable value -v 1 $ns/secret`
+    When I run `conjur variable value -v 1 secret`
     Then the stdout should contain exactly "secretvalue"

data/{acceptance-features → features}/directory/variable/values-add.feature

@@ -1,12 +1,17 @@
 Feature: Populate variable with values
 
   Background:
-    Given I successfully run `conjur variable create $ns/secret initialvalue` 
+    Given I load the policy:
+    """
+    - !variable secret
+    """
+    And I run `conjur variable values add secret initialvalue`
+    And I reset the command list
 
   Scenario: Value provided via command-line parameter
-    When I run `conjur variable values add $ns/secret secretvalue`
+    When I run `conjur variable values add secret secretvalue`
     Then the output should contain "Value added"
    
   Scenario: Value provided via stdin
-    When I run `bash -c 'echo "secretvalue" | conjur variable values add $ns/secret'`
+    When I run `bash -c 'echo "secretvalue" | conjur variable values add secret'`
     Then the output should contain "Value added"

data/features/hostfactory/tokens.feature

@@ -0,0 +1,22 @@
+Feature: Host factory tokens
+
+  Background: 
+    Given I load the policy:
+    """
+    - !policy
+      id: myapp
+      body:
+      - !layer
+      - !host-factory
+        layers: [ !layer ]
+    """
+
+  Scenario: create a host factory token
+    When I successfully run `conjur hostfactory tokens create myapp`
+    Then the JSON should have "0/token"
+
+  Scenario: create a host using a token
+    When I successfully run `conjur hostfactory tokens create myapp`
+    And I keep the JSON response at "0/token" as "TOKEN"
+    Then I successfully run `conjur hostfactory hosts create %{TOKEN} host-01`
+    And the JSON should have "api_key"

data/features/pubkeys/show.feature

@@ -0,0 +1,18 @@
+Feature: Show public keys for a user
+
+  Background:
+    Given I load the policy:
+    """
+    - !user
+      id: alice
+      public_keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQ laptop
+    """
+
+  Scenario: After adding a key, the key is shown
+    When I run `conjur pubkeys show alice`
+    And the output should match /^ssh-rsa .* laptop$/
+
+  Scenario: Public keys can be listed using cURL, without authentication
+    When I successfully run `curl -k $conjur_url/public_keys/cucumber/user/alice`
+    Then the output should match /^ssh-rsa .* laptop$/

data/features/step_definitions/authn_steps.rb

@@ -0,0 +1,22 @@
+Then(/^I(?: can)? type and confirm a new password/) do
+  @password = SecureRandom.hex(12)
+  step %Q(I type "#{@password}")
+  step %Q(I type "#{@password}")
+  step "the exit status should be 0"
+end
+
+When(/^I enter the password/) do
+  raise "No current password" unless @password
+  step %Q(I type "#{@password}")
+end
+
+When(/^I type the API key for "(.*?)"$/) do |username|
+  step %Q(I type "#{api_key_of username}")
+end
+
+Given(/^I login as "(.*?)"$/) do |username|
+  api_key = api_key_of username
+
+  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "#{username}")
+  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{api_key}")
+end

data/features/step_definitions/cli_steps.rb

@@ -0,0 +1,28 @@
+Transform /\$ns/ do |s|
+  s.gsub('$ns', namespace)
+end
+
+Transform /\$user_role/ do |s|
+  s.gsub('$user_role', test_user.role_id)
+end
+
+Transform /^table:/ do |table|
+  table.tap do |t|
+    t.hashes.each do |row|
+      row.each do |_,v|
+        v.gsub!('$ns', namespace)
+        v.gsub!('$user_role', test_user.role_id)
+      end
+    end
+  end
+end
+
+When /^the command completes successfully/ do
+  last_command_started.wait
+  last_command_started.terminate
+  expect(last_command_started.exit_status).to eq(0)
+end
+
+Then /^the output from "([^"]*)" should match \/([^\/]*)\/$/ do |cmd, expected|
+  assert_matching_output(expected, output_from(cmd))
+end

data/features/step_definitions/file_steps.rb

@@ -0,0 +1,12 @@
+# this is step copypasted from https://github.com/cucumber/aruba/blob/master/lib/aruba/cucumber.rb#L24 
+# original has typo in regexp, which is fixed here
+Given(/^a file named "([^"]*?)" with: '(.*?)'$/) do |file_name, file_content|
+  write_file(file_name, file_content)
+end
+
+Then /^it prints the path to temporary file which contains: '(.*)'$/ do |content|
+  filename = last_command_started.stdout.strip
+  tempfiles << filename
+  actual_content = File.read(filename)
+  expect(actual_content).to match(content)
+end

data/features/step_definitions/flow_control_steps.rb

@@ -0,0 +1,7 @@
+When /^I clear the JSON response$/ do
+  clear_last_json
+end
+
+When /^I reset the command list/ do
+  aruba.command_monitor.clear
+end

data/features/step_definitions/graph_steps.rb

@@ -1,8 +1,9 @@
-Given /a graph with edges/ do |table|
+
+Given /^a graph with edges$/ do |table|
   graph table.raw
 end
 
-Then %r{the graph JSON should be} do |json|
+Then %r{^the graph JSON should be:$} do |json|
   json = expand_roles json
   last_graph = extract_filtered_graph json
   expect(last_graph.to_json).to be_json_eql(json)
@@ -18,4 +19,4 @@ When(/^I( successfully)? run with role expansion "(.*)"$/) do |successfully, cmd
   else
     step "I run `#{cmd}`"
   end
-end
+end

data/features/step_definitions/overrides.rb

@@ -0,0 +1,9 @@
+# Use a json_spec style memorized value as an environment variable
+When /I set the environment variable "(.*)" to memorized value "(.*)"/ do |key, value|
+  JsonSpec.memory.each do |k,v|
+    # JSON parser doesn't function properly on a JSON encoded string
+    v = v[1...-1] if v[0] == '"'
+    value.gsub! "%{#{k}}", v
+  end
+  set_environment_variable key, value
+end

data/features/step_definitions/policy_steps.rb

@@ -0,0 +1,11 @@
+Given /^I load the policy:$/ do |policy|
+  load_policy 'root', policy, Conjur::API::POLICY_METHOD_PUT
+end
+
+Given /^I apply the policy:$/ do |policy|
+  load_policy 'root', policy, Conjur::API::POLICY_METHOD_PATCH
+end
+
+Given /^I add the policy:$/ do |policy|
+  load_policy 'root', policy, Conjur::API::POLICY_METHOD_POST
+end

data/features/support/blank.yml

@@ -0,0 +1 @@
+--- []

data/features/support/env.rb

@@ -1,12 +1,26 @@
-require 'simplecov'
+$LOAD_PATH.unshift File.expand_path('../..', File.dirname(__FILE__))
+
+require 'json_spec/cucumber'
+
 require 'aruba/cucumber'
-require 'methadone/cucumber'
-require 'cucumber/rspec/doubles'
-require "json_spec/cucumber"
+require 'json_spec/cucumber'
+require 'simplecov'
 
 SimpleCov.start
 
-Aruba.configure do |config|
-  config.exit_timeout    = 15
-  config.io_wait_timeout = 2
+ENV['CONJUR_APPLIANCE_URL'] ||= 'http://localhost/api/v6'
+ENV['CONJUR_ACCOUNT'] ||= 'cucumber'
+
+require 'conjur/cli'
+
+Conjur::Config.load
+Conjur::Config.apply
+
+$netrc_file_path = ENV['CONJURRC'] || File.expand_path('~/.netrc')
+if File.exists?($netrc_file_path)
+  $netrc_file = File.read($netrc_file_path)
 end
+
+$conjur = Conjur::Authn.connect nil, noask: true
+
+puts "Performing CLI tests as user '#{$conjur.current_role(Conjur.configuration.account).login}'"

data/features/support/hooks.rb

@@ -1,127 +1,42 @@
-require 'ostruct'
-
-class MockAPI
-  attr_reader :things
-
-  def initialize
-    @things = {}
-  end
-
-  def thing(kind, id)
-    (@things[kind.to_sym] || []).find{|r| r.id == id}
-  end
-
-  def thing_like(kind, id_pattern)
-    (@things[kind.to_sym] || []).find{|r| id_pattern.match(r.id)}
-  end
-
-  def create_host(options = {})
-    id = options.delete(:id)
-    if id
-      host = thing(:host, id)
-    else
-      id = SecureRandom.uuid
-    end
-    host ||= create_thing(:host, id, options, role: true, api_key: true)
-  end
-
-  def create_user(id, options = {})
-    thing(:user, id) || create_thing(:user, id, options, role: true, api_key: true)
-  end
-
-  def create_variable(mime_type, kind)
-    create_thing(:user, SecureRandom.uuid, mime_type: mime_type, kind: kind)
-  end
-
-  def create_resource(id, options = {})
-    resource(id).tap do |resource|
-      resource.send(:"exists?=", true)
-      populate_options resource, options
-    end
-  end
-
-  def create_role(id, options = {})
-    role(id).tap do |role|
-      role.send(:"exists?=", true)
-      populate_options role, options
-    end
-  end
-
-  [ :user, :host ].each do |kind|
-    define_method kind do |id|
-      thing(kind, id)
-    end
-  end
-
-  def role(id)
-    raise "Role id must be a string" unless id.is_a?(String)
-    thing(:role, id) || create_thing(:role, id, { exists?: false }, role: true)
-  end
-
-  def resource(id)
-    raise "Resource id must be a string" unless id.is_a?(String)
-    thing(:resource, id) || create_thing(:resource, id, exists?: false)
-  end
-
-  protected
-
-  def create_thing(kind, id, options, kind_options = {})
-    thing = OpenStruct.new(kind: kind, id: id, exists?: true)
-
-    class << thing
-      def permit(privilege, role, options = {})
-        (self.permissions ||= []) << OpenStruct.new(privilege: privilege, role: role.id, grant_option: !!options[:grant_option])
-      end
-    end
-
-    if kind_options[:api_key]
-      thing.api_key = SecureRandom.uuid
-    end
-    if kind_options[:role]
-      thing.roleid = id
-      class << thing
-        def can(privilege, resource, options = {})
-          resource.permit privilege, self, options
-        end
-      end
-    end
-
-    populate_options(thing, options)
-
-    store_thing kind, thing
-
-    thing
-  end
+# Future Aruba
+Aruba.configure do |config|
+  config.exit_timeout = 15
+  config.io_wait_timeout = 2
+end
 
-  def populate_options(thing, options)
-    options.each do |k,v|
-      thing.send("#{k}=", v)
-    end
-  end
+Transform /\$conjur_url/ do |statement|
+  statement.gsub "$conjur_url", Conjur.configuration.appliance_url
+end
 
-  def store_thing(kind, thing)
-    (things[kind] ||= []) << thing
+Transform /\%\{\w+\}/ do |statement|
+  JsonSpec.memory.each do |k,v|
+    statement = statement.gsub("%{#{k}}", v)
   end
+  statement
 end
 
-Before("@dsl") do
-  puts "Using MockAPI"
-  puts "Using account 'cucumber'"
+Before('@conjurapi-log') do
+  set_env 'CONJURAPI_LOG', 'stderr'
+end
 
-  require 'conjur/api'
-  require 'conjur/config'
-  require 'conjur/dsl/runner'
+Before do
+  step %Q(I set the environment variable "CONJUR_AUTHN_LOGIN" to "#{$conjur.username}")
+  step %Q(I set the environment variable "CONJUR_AUTHN_API_KEY" to "#{$conjur.api_key}")
 
-  Conjur.stub(:env).and_return "ci"
-  Conjur.stub(:stack).and_return "ci"
-  Conjur.stub(:account).and_return "cucumber"
+  $conjur.load_policy "root", File.read(File.expand_path('blank.yml', File.dirname(__FILE__))), method: Conjur::API::POLICY_METHOD_PUT
+end
 
-  Conjur::Core::API.stub(:conjur_account).and_return 'cucumber'
-  @mock_api ||= MockAPI.new
-  Conjur::DSL::Runner.any_instance.stub(:api).and_return @mock_api
+After '@restore-login' do
+  step %Q(I run `conjur authn login #{$conjur.username}` interactively)
+  step %Q(I type "#{$conjur.api_key}")
 end
 
-Before('@real-api') do
-  Conjur::Config.load
-  Conjur::Config.apply
+After do
+  tempfiles.each { |tempfile| File.unlink(tempfile) unless tempfile.nil? }
+  if $netrc_file && File.read($netrc_file_path) != $netrc_file
+    $stderr.puts "Restoring #{$netrc_file_path}"
+    require 'fileutils'
+    File.write($netrc_file_path, $netrc_file)
+    FileUtils.chmod 0600, $netrc_file_path
+  end
 end