conjur-cli 5.6.6 → 6.0.0.rc1

data/lib/conjur/complete.rb

@@ -200,8 +200,8 @@ class Conjur::CLI::Complete
   end
 
   def complete_role
-    Conjur::Command.api.current_role.all
-      .map { |r| Resource.new(r.roleid) }
+    Conjur::Command.api.current_role(Conjur.configuration.account).memberships
+      .map { |r| Resource.new(r.id) }
       .reject { |r| r.kind.start_with? '@' }
       .map(&:to_s)
   end

data/lib/conjur/config.rb

@@ -90,17 +90,7 @@ module Conjur
           cfg.set k, value if value
         end
 
-        if Conjur.log
-          require 'conjur/api'
-          host = begin
-            Conjur::Authn::API.host
-          rescue RuntimeError
-            nil
-          end
-          if host
-            Conjur.log << "Using authn host #{Conjur::Authn::API.host}\n"
-          end
-        end
+        Conjur.log << "Using authn url #{Conjur.configuration.authn_url}\n" if Conjur.log
 
         Conjur.config.apply_cert_config!
       end

data/lib/conjur/conjurenv.rb

@@ -37,7 +37,7 @@ module Conjur
         initialize(coder.scalar)
       end
       def conjur_id
-        @id
+        [ Conjur.configuration.account, "variable", @id ].join(":")
       end
     end
 
@@ -104,14 +104,17 @@ module Conjur
     end
 
     def obtain(api)
-      runtime_environment={}
-      variable_ids= @definition.values.map { |v| v.conjur_id rescue nil }.compact
-      conjur_values=api.variable_values(variable_ids)
-      @definition.each do |environment_name, reference|
-        if reference.respond_to?(:evaluate)
-          runtime_environment[environment_name] = reference.evaluate( conjur_values[reference.conjur_id] )
+      runtime_environment = {}
+      @definition.each do |environment_name, v|
+        value = if v.conjur_id
+          api.resource(v.conjur_id).value
         else
-          runtime_environment[environment_name] = reference # is a literal value
+          v
+        end
+        if v.respond_to?(:evaluate)
+          runtime_environment[environment_name] = v.evaluate(value)
+        else
+          runtime_environment[environment_name] = v # is a literal value
         end
       end
       return runtime_environment
@@ -121,7 +124,7 @@ module Conjur
       Hash[
         @definition.map.each do |k,v|
           if v.respond_to? :conjur_id
-            if api.resource("variable:"+v.conjur_id).permitted?(:execute)
+            if api.resource(v.conjur_id).permitted?(:execute)
               status = :available
             else
               status = :unavailable

data/lib/conjur/identifier_manipulation.rb

@@ -7,10 +7,12 @@ module Conjur
         raise "Expecting at least two tokens in #{id}"
       end
       if parts.size == 2
-        id = [conjur_account, parts].flatten.join(":")
+        id = [Conjur.configuration.account, parts].flatten.join(":")
       end
       id
     end
+    
+    alias full_role_id full_resource_id
 
     # removes accounts from 3+-tokens id, extracts kind
     def get_kind_and_id_from_args args, argname='id'
@@ -21,9 +23,5 @@ module Conjur
       kind=tokens.shift.gsub('-','_')
       [kind, tokens.join(':')]
     end
-
-    def conjur_account
-      Conjur::Core::API.conjur_account
-    end
   end
 end

data/lib/conjur/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2014-2017 Conjur Inc.
+# Copyright (C) 2014-2016 Conjur Inc.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = '5.6.6'.freeze
+  VERSION = '6.0.0.rc1'
   ::Version=VERSION
 end

data/{publish-rubygem.sh → publish.sh}

@@ -1,11 +1,7 @@
 #!/bin/bash -e
 
-docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
-
 docker pull registry.tld/conjurinc/publish-rubygem
 
 summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
   docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
   registry.tld/conjurinc/publish-rubygem conjur-cli
-
-docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd

data/spec/authn_spec.rb

@@ -1,7 +1,11 @@
+require 'spec_helper'
+
 require 'conjur/authn'
 require 'conjur/config'
 
 describe Conjur::Authn do
+  include_context "fresh config"
+
   let(:netrc) { Netrc.read '' }
   before do
     Conjur::Authn.instance_variable_set("@netrc", netrc)

data/spec/command/hosts_spec.rb

@@ -3,84 +3,17 @@ require 'spec_helper'
 describe Conjur::Command::Hosts, logged_in: true do
   let(:collection_url) { "https://core.example.com/api/hosts" }
 
-  context "creating a host" do
-    let(:new_host) { double("new-host") }
-
-    describe_command "host:create" do
-      it "lets the server assign the id" do
-       expect(RestClient::Request).to receive(:execute).with({
-          method: :post,
-          url: collection_url,
-          headers: {},
-          payload: {}
-          }).and_return(post_response('assigned-id'))
-
-        expect { invoke }.to write({ id: 'assigned-id' }).to(:stdout)
-      end
-    end
-    describe_command "host:create the-id" do
-      it "propagates the user-assigned id" do
-       expect(RestClient::Request).to receive(:execute).with({
-          method: :post,
-          url: collection_url,
-          headers: {},
-          payload: { id: 'the-id' }
-        }).and_return(post_response('the-id'))
-
-        expect { invoke }.to write({ id: 'the-id' }).to(:stdout)
-      end
-    end
-    describe_command "host:create --cidr 192.168.1.1,127.0.0.0/32" do
-      it "Creates a host with specified CIDR" do
-        expect_any_instance_of(Conjur::API).to receive(:create_host).with(
-            { cidr: ['192.168.1.1', '127.0.0.0/32'] }
-        ).and_return new_host
-        invoke
-      end
-    end
-    describe_command "host:create --as-group security_admin --cidr 192.168.1.1,127.0.0.0/32" do
-      it "Creates a host with specified CIDR" do
-        expect(api).to receive(:group).with("security_admin").and_return(double(:group, roleid: "the-account:group:security_admin"))
-        expect(api).to receive(:role).with("the-account:group:security_admin").and_return(double(:group_role, exists?: true))
-        expect_any_instance_of(Conjur::API).to receive(:create_host).with(
-            { ownerid: "the-account:group:security_admin", cidr: ['192.168.1.1', '127.0.0.0/32'] }
-        ).and_return new_host
-        invoke
-      end
-    end
-  end
-
-  context "updating host attributes" do
-    describe_command "host update --cidr 127.0.0.0/32 the-user" do
-      it "updates the CIDR" do
-        stub_host = double()
-        expect_any_instance_of(Conjur::API).to receive(:host).with("the-user").and_return stub_host
-        expect(stub_host).to receive(:update).with(cidr: ['127.0.0.0/32']).and_return ""
-        expect { invoke }.to write "Host updated"
-      end
-    end
-
-    describe_command "host update --cidr all the-user" do
-      it "resets the CIDR restrictions" do
-        stub_host = double()
-        expect_any_instance_of(Conjur::API).to receive(:host).with("the-user").and_return stub_host
-        expect(stub_host).to receive(:update).with(cidr: []).and_return ""
-        expect { invoke }.to write "Host updated"
-      end
-    end
-  end
-
   context 'rotating api key' do
     describe_command 'host rotate_api_key --host redis001' do
       before do
         expect(RestClient::Request).to receive(:execute).with({
           method: :head,
-          url: 'https://core.example.com/api/hosts/redis001',
+          url: "https://core.example.com/api/resources/#{account}/host/redis001",
           headers: {}
         }).and_return true
         expect(RestClient::Request).to receive(:execute).with({
             method: :put,
-            url: 'https://authn.example.com/users/api_key?id=host%2Fredis001',
+            url: "https://core.example.com/api/authn/#{account}/api_key?role=#{account}:host:redis001",
             headers: {},
             payload: ''
         }).and_return double(:response, body: 'new api key')

data/spec/command/init_spec.rb

@@ -49,15 +49,15 @@ describe Conjur::Command::Init do
 
     context "auto-fetching fingerprint" do
       before {
-        allow_any_instance_of(HighLine).to receive(:ask).with("Enter the hostname (and optional port) of your Conjur endpoint: ").and_return "the-host"
+        allow_any_instance_of(HighLine).to receive(:ask).with("Enter the URL of your Conjur service: ").and_return "http://host.example.com"
         allow(Conjur::Command::Init).to receive_messages get_certificate: ["the-fingerprint", nil]
         allow_any_instance_of(HighLine).to receive(:ask).with(/^Trust this certificate/).and_return "yes"
       }
 
       describe_command 'init' do
-        it "fetches account and writes config file" do
-          # Stub hostname
-          expect(Conjur::Core::API).to receive(:info).and_return "account" => "the-account"
+        it "writes config file" do
+          expect_any_instance_of(HighLine).to receive(:ask).with("Enter the URL of your Conjur service: ").and_return "http://host.example.com"
+          expect_any_instance_of(HighLine).to receive(:ask).with("Enter your organization account name: ").and_return "the-account"
           expect(File).to receive(:open)
           invoke
         end
@@ -71,13 +71,18 @@ describe Conjur::Command::Init do
       end
     end
 
-    describe_command 'init -a the-account -h foobar' do
+    describe_command 'init -a the-account -u https://nohost.example.com' do
       it "can't get the cert" do
+        # GLI only raises CustomExit if GLI_DEBUG is set
+        ENV['GLI_DEBUG'] = 'true'
+
+        expect(TCPSocket).to receive(:new).and_raise "can't connect"
+        
         expect { invoke }.to raise_error(GLI::CustomExit, /unable to retrieve certificate/i)
       end
     end
 
-    describe_command 'init -a the-account -h localhost -c the-cert' do
+    describe_command 'init -a the-account -u https://localhost -c the-cert' do
       it "writes config and cert files" do
         expect(File).to receive(:open).twice
         expect(Conjur::Command::Init).to receive(:configure_cert_store).with "the-cert"
@@ -107,7 +112,7 @@ describe Conjur::Command::Init do
 
           expect(YAML.load(File.read(file))).to eq({
             account: 'the-account',
-            appliance_url: "https://localhost/api",
+            appliance_url: "https://localhost",
             cert_file: File.join(File.dirname(file), "conjur-the-account.pem"),
             plugins: [],
           }.stringify_keys)
@@ -115,7 +120,7 @@ describe Conjur::Command::Init do
       end
       
       context "default behavior" do
-        describe_command "init -a the-account -h localhost -c the-cert" do
+        describe_command "init -a the-account -u https://localhost -c the-cert" do
           before(:each) {
             allow(File).to receive(:expand_path).and_call_original
             allow(File).to receive(:expand_path).with('~/.conjurrc').and_return("#{tmpdir}/.conjurrc")
@@ -132,7 +137,7 @@ describe Conjur::Command::Init do
       end
 
       context "explicit output file" do
-        describe_command "init -f #{tmpdir}/.conjurrc2 -a the-account -h localhost -c the-cert" do
+        describe_command "init -f #{tmpdir}/.conjurrc2 -a the-account -u https://localhost -c the-cert" do
           include_examples "check config and cert files", File.join(tmpdir, ".conjurrc2")
           it "prints the config file location" do
             expect { invoke }.to write("Wrote configuration to #{tmpdir}/.conjurrc2")
@@ -141,14 +146,14 @@ describe Conjur::Command::Init do
       end
 
       context "to CONJURRC" do
-        describe_command "init -a the-account -h localhost -c the-cert" do
+        describe_command "init -a the-account -u https://localhost -c the-cert" do
           file = File.join(tmpdir, ".conjurrc_env")
           include_examples "check config and cert files", file, file
         end
       end
       
       context "explicit output file overrides CONJURRC" do
-        describe_command "init -f #{tmpdir}/.conjurrc_2 -a the-account -h localhost -c the-cert" do
+        describe_command "init -f #{tmpdir}/.conjurrc_2 -a the-account -u https://localhost -c the-cert" do
           ENV['CONJURRC'] = "#{tmpdir}/.conjurrc_env_2"
           include_examples "check config and cert files", File.join(tmpdir, ".conjurrc_2")
         end

data/spec/command/pubkeys_spec.rb

@@ -24,54 +24,9 @@ require 'conjur/command/pubkeys'
 describe Conjur::Command::Pubkeys, logged_in: true do
   describe_command "pubkeys:show alice" do
     it "calls api.public_keys('alice') and prints the result" do
-      expect(described_class.api).to receive(:public_keys).with('alice').and_return "a public key"
+      expect(Conjur::API).to receive(:public_keys).with('alice', account: account).and_return "a public key"
       expect{ invoke }.to write("a public key")
     end
   end
   
-  describe_command "pubkeys:names alice" do
-    let(:keys){ ["x y foo", "x y bar"].join("\n") }
-    let(:names){ "bar\nfoo" }
-    it "calls api.public_keys('alice') and prints the names" do
-      expect(described_class.api).to receive(:public_keys).with('alice').and_return keys
-      expect{ invoke }.to write(names) 
-    end
-  end
-  
-  describe_command "pubkeys:add alice data" do
-    it "calls api.add_public_key('alice', 'data') and prints the key name" do
-      expect(described_class.api).to receive(:add_public_key).with('alice', 'data')
-      expect{ invoke }.to write("Public key 'data' added")
-    end
-  end
-  
-  describe_command "pubkeys:add alice @id_rsa.pub" do
-    let(:file_contents){ "ssh-rsa blahblah keyname" }
-    it "calls api.add_public_key('alice', data) and prints the key name" do
-      expect(File).to receive(:read) do |filename|
-        expect(filename).to end_with("id_rsa.pub")
-        file_contents
-      end
-      expect(described_class.api).to receive(:add_public_key).with('alice', file_contents)
-      expect{ invoke }.to write("Public key 'keyname' added")
-    end
-  end
-  
-  describe_command "pubkeys:add alice" do
-    let(:stdin_contents){ "ssh-rsa blahblah keyname" }
-    it "calls api.add_public_key('alice', stdin) and prints the key name" do
-      expect(STDIN).to receive(:read).and_return(stdin_contents)
-      allow(STDIN).to receive(:isatty).and_return(false)
-      expect(described_class).to receive(:validate_public_key).and_return(true)
-      expect(described_class.api).to receive(:add_public_key).with('alice', stdin_contents)
-      expect{ invoke }.to write("Public key 'keyname' added")
-    end
-  end
-  
-  describe_command "pubkeys:delete alice keyname" do
-    it "calls api.delete_public_key('alice', 'keyname')" do
-      expect(described_class.api).to receive(:delete_public_key).with("alice", "keyname")
-      expect{ invoke }.to write("Public key 'keyname' deleted")
-    end
-  end
 end

data/spec/command/resources_spec.rb

@@ -3,14 +3,17 @@ require 'spec_helper'
 describe Conjur::Command::Resources, logged_in: true do
 
   let (:full_resource_id) { [account, KIND, ID].join(":") }
-  let (:resource_instance) { double(attributes: resource_attributes) }
+  let (:resource_instance) { double('resource_instance', attributes: resource_attributes) }
   let (:resource_attributes) { { "some" => "attribute"} }
 
   before :each do
-    allow(api).to receive(:resource).and_call_original
     allow(api).to receive(:resource).with(full_resource_id).and_return(resource_instance)
   end 
 
+  def invoke_silently
+    expect { invoke }.to write
+  end
+
   shared_examples 'it displays resource attributes' do
     it "as JSON to stdout" do
       expect(JSON::parse( expect { invoke }.to write )).to eq(resource_attributes)
@@ -28,19 +31,7 @@ describe Conjur::Command::Resources, logged_in: true do
     end
   end
 
-  describe_command "resource:create #{KIND}:#{ID}"  do
-    before :each do
-      allow(resource_instance).to receive(:create)
-    end
-    it "calls resource.create()" do
-      expect(resource_instance).to receive(:create)
-      invoke_silently
-    end
-    it_behaves_like "it obtains resource by id"
-    it_behaves_like "it displays resource attributes"
-  end
-
-  describe_command "resource:show #{KIND}:#{ID}" do
+  describe_command "show #{KIND}:#{ID}" do
     it_behaves_like "it obtains resource by id"
     it_behaves_like "it displays resource attributes"
   end
@@ -67,174 +58,34 @@ describe Conjur::Command::Resources, logged_in: true do
     end
   end
 
-  describe_command "resource:permit #{KIND}:#{ID} #{ROLE} #{PRIVILEGE}" do
-    before(:each) { allow(resource_instance).to receive(:permit).and_return(true) }
-    it_behaves_like "it obtains resource by id"
-    it "calls resource.permit(#{PRIVILEGE}, #{ROLE})" do
-      expect(resource_instance).to receive(:permit).with(PRIVILEGE, ROLE)
-      invoke_silently
-    end
-    it {  expect { invoke }.to write "Permission granted" }
-  end
-
-  describe_command "resource:permit -g #{KIND}:#{ID} #{ROLE} #{PRIVILEGE}" do
-    it 'calls resource.permit() with grant option' do
-      expect(resource_instance).to receive(:permit).with(PRIVILEGE, ROLE, grant_option: true)
-      invoke_silently
-    end
-  end
-
-  describe_command "resource:deny #{KIND}:#{ID} #{ROLE} #{PRIVILEGE}" do
-    before(:each) { allow(resource_instance).to receive(:deny).and_return(true) }
-    it_behaves_like "it obtains resource by id"
-    it "calls resource.deny(#{PRIVILEGE},#{ROLE})" do
-      expect(resource_instance).to receive(:deny).with(PRIVILEGE, ROLE)
-      invoke_silently
-    end
-    it { expect { invoke }.to write "Permission revoked" }
-  end
-
-  describe_command "resource:check #{KIND}:#{ID} #{PRIVILEGE}" do
+  describe_command "check #{KIND}:#{ID} #{PRIVILEGE}" do
     it "performs a permission check for the logged-in user" do
-      expect(api).to receive(:resource).with("the-account:#{KIND}:#{ID}").and_return bacon = double("the-account:#{KIND}:#{ID}")
-      expect(bacon).to receive(:permitted?).with(PRIVILEGE)
+      expect(resource_instance).to receive(:permitted?).with(PRIVILEGE, role: nil)
       
       invoke
     end
   end
 
-  describe_command "resource:check -r #{ROLE} #{KIND}:#{ID} #{PRIVILEGE}" do
-    let (:role_instance) { double() }
-    let (:role_response) { "role response: true|false" }
-    let (:account) { ACCOUNT }
-    before(:each) { 
-      allow(api).to receive(:role).and_return(role_instance)
-      allow(role_instance).to receive(:permitted?).and_return(role_response)
-    }
-    it 'obtains role object by id' do
-      expect(api).to receive(:role).with(ROLE)
-      invoke_silently
-    end
-    it "calls role.permitted?('#{ACCOUNT}:#{KIND}:#{ID}', #{PRIVILEGE})" do
-      expect(role_instance).to receive(:permitted?).with([ACCOUNT,KIND,ID].join(":"),PRIVILEGE)
-      invoke_silently
-    end
-    it { expect { invoke }.to write role_response }
-  end
+  describe_command "check -r #{ROLE} #{KIND}:#{ID} #{PRIVILEGE}" do
+    it "performs a permission check for #{ROLE}" do
 
-  describe_command "resource:give #{KIND}:#{ID} #{OWNER}" do
-    before(:each) { allow(resource_instance).to receive(:give_to).and_return(true) }
-    it_behaves_like "it obtains resource by id"
-    it "calls resource.give_to(#{OWNER})" do
-      expect(resource_instance).to receive(:give_to).with(OWNER)
+      expect(resource_instance).to receive(:permitted?).with(PRIVILEGE, role: ROLE)
       invoke_silently
     end
-    it { expect { invoke }.to write "Ownership granted" }
-  end
-
-  context "list" do
-    def make_resource(kind, identifier, attributes)
-      authz_host = "http://conjur/authz"
-      credentials = {}
-      id = "the-account:#{kind}:#{identifier}"
-      api.resource(id).tap do |resource|
-        resource.attributes = attributes.merge(resourceid: id)
-      end
-    end
-    let(:resources) {
-      [
-        make_resource("food", "bacon", {}),
-        make_resource("food", "eggs", {})
-      ]
-    }
-    let(:resource_ids) {
-      [
-        "the-account:food:bacon",
-        "the-account:food:eggs"
-      ]      
-    }
-    describe_command "resource:list" do
-      it "displays JSONised list of resources" do
-        expect(api).to receive(:resources).with({}).and_return(resources)
-        expect(JSON.parse( expect { invoke }.to write )).to eq([
-          {"resourceid"=>"the-account:food:bacon", "annotations"=>{}}, 
-          {"resourceid"=>"the-account:food:eggs", "annotations"=>{}}
-        ])
-      end
-    end
-    describe_command "resource:list -i -k jobs" do
-      it "searches by resource kind" do
-        expect(api).to receive(:resources).with({kind: 'jobs'}).and_return(resources)
-        expect(JSON.parse( expect { invoke }.to write )).to eq(resource_ids)
-      end
-    end
-    describe_command "resource:list -i" do
-      it "displays resource ids" do
-        expect(api).to receive(:resources).with({}).and_return(resources)
-        expect(JSON.parse( expect { invoke }.to write )).to eq(resource_ids)
-      end
-    end
-    { search: "hamster", offset: 10, limit: 10 }.each do |k,v|
-      describe_command "resource:list -i --#{k} #{v}" do
-        it "displays the items" do
-          expect(api).to receive(:resources).with({k => v.to_s}).and_return(resources)
-          expect(JSON.parse( expect { invoke }.to write )).to eq(resource_ids)
-        end
-      end
-    end
   end
 
-  context "permitted roles" do
+  describe_command "resource:permitted_roles #{KIND}:#{ID} #{PRIVILEGE}" do
     let(:roles_list) { %W[klaatu barada nikto] }
-    describe_command "resource:permitted_roles #{KIND}:#{ID} #{PRIVILEGE}" do
-      before(:each) { 
-        allow(resource_instance).to receive(:permitted_roles).and_return(roles_list) 
-      }
-      it_behaves_like "it obtains resource by id"
-      it "calls resource.permitted_roles(#{PRIVILEGE}" do
-        expect(resource_instance).to receive(:permitted_roles).with(PRIVILEGE, {})
-        invoke_silently
-      end
-      it "displays JSONised list of roles" do
-        expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
-      end
-    end
-
-    describe_command "resource:permitted_roles --count #{KIND}:#{ID} #{PRIVILEGE}" do
-      before {
-        expect(resource_instance).to receive(:permitted_roles).with(PRIVILEGE, count: true).
-          and_return(12) 
-      }
-      it_behaves_like "it obtains resource by id"
-      it "calls resource.permitted_roles(#{PRIVILEGE}" do
-        invoke_silently
-      end
-      it "displays role count" do
-        expect(JSON.parse( expect { invoke }.to write )).to eq(12)
-      end
-    end
-
-
-    describe_command "resource:permitted_roles -s frontend #{KIND}:#{ID} #{PRIVILEGE}" do
-      let(:roles_list) { %W[klaatu barada nikto] }
-      before {
-        expect(resource_instance).to receive(:permitted_roles).with(PRIVILEGE, search: "frontend").
-          and_return(roles_list) 
-      }
-      it_behaves_like "it obtains resource by id"
-      it "displays JSONised list of roles" do
-        expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
-      end
+    before(:each) { 
+      allow(resource_instance).to receive(:permitted_roles).and_return(roles_list) 
+    }
+    it_behaves_like "it obtains resource by id"
+    it "calls resource.permitted_roles(#{PRIVILEGE}" do
+      expect(resource_instance).to receive(:permitted_roles)
+      invoke_silently
     end
-  end
-  
-  context "interactivity" do
-    subject { Conjur::Command::Resources }
-    describe_command 'resource:annotate -i #{KIND}:#{ID}' do
-      it { 
-        is_expected.to receive(:prompt_for_annotations) 
-        invoke_silently
-      }
+    it "displays JSONised list of roles" do
+      expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
     end
   end
 end