conjur-cli 5.6.6 → 6.0.0.rc1
- checksums.yaml +5 -5
- data/.dockerignore +1 -1
- data/.gitignore +2 -0
- data/.rubocop.yml +1 -1
- data/APPLIANCE_VERSION +1 -1
- data/CHANGELOG.md +3 -42
- data/Gemfile +4 -7
- data/Humanfile.md +31 -0
- data/Jenkinsfile +34 -63
- data/README.md +41 -55
- data/Rakefile +5 -1
- data/bin/conjur +0 -2
- data/build-deb.sh +1 -3
- data/ci/cli-test.sh +6 -0
- data/ci/package.sh +3 -1
- data/ci/publish.sh +2 -2
- data/ci/secrets/publish.yml +2 -2
- data/ci/wait_for_server.sh +10 -0
- data/conjur-cli.gemspec +7 -7
- data/dev/docker-compose.yml +24 -0
- data/dev/start.sh +15 -0
- data/dev/stop.sh +5 -0
- data/docker-compose.yml +30 -0
- data/features/authentication/authenticate.feature +34 -0
- data/features/authentication/login.feature +13 -0
- data/features/authentication/logout.feature +15 -0
- data/{acceptance-features → features}/authentication/whoami.feature +0 -0
- data/features/authorization/resource/annotate.feature +22 -0
- data/features/authorization/resource/check.feature +47 -0
- data/{acceptance-features → features}/authorization/resource/exists.feature +18 -6
- data/features/authorization/resource/permitted_roles.feature +35 -0
- data/features/authorization/resource/show.feature +34 -0
- data/features/authorization/role/exists.feature +28 -0
- data/features/authorization/role/members.feature +45 -0
- data/features/authorization/role/memberships.feature +43 -0
- data/features/conjurenv/check.feature +34 -0
- data/features/conjurenv/run.feature +15 -0
- data/{acceptance-features → features}/conjurenv/template.feature +8 -3
- data/{acceptance-features → features}/directory/user/update_password.feature +8 -2
- data/{acceptance-features → features}/directory/variable/value.feature +9 -5
- data/{acceptance-features → features}/directory/variable/values-add.feature +8 -3
- data/features/hostfactory/tokens.feature +22 -0
- data/features/pubkeys/show.feature +18 -0
- data/features/step_definitions/authn_steps.rb +22 -0
- data/features/step_definitions/cli_steps.rb +28 -0
- data/features/step_definitions/file_steps.rb +12 -0
- data/features/step_definitions/flow_control_steps.rb +7 -0
- data/features/step_definitions/graph_steps.rb +4 -3
- data/{acceptance-features → features}/step_definitions/http_steps.rb +0 -0
- data/features/step_definitions/overrides.rb +9 -0
- data/features/step_definitions/policy_steps.rb +11 -0
- data/{acceptance-features → features}/step_definitions/trusted_proxy_steps.rb +0 -0
- data/features/support/blank.yml +1 -0
- data/features/support/env.rb +21 -7
- data/features/support/hooks.rb +31 -116
- data/features/support/world.rb +16 -76
- data/jenkins.sh +33 -0
- data/lib/conjur/authenticator.rb +83 -0
- data/lib/conjur/authn.rb +5 -20
- data/lib/conjur/cli.rb +13 -6
- data/lib/conjur/command.rb +30 -350
- data/lib/conjur/command/authn.rb +23 -15
- data/lib/conjur/command/host_factories.rb +2 -74
- data/lib/conjur/command/hosts.rb +6 -113
- data/lib/conjur/command/init.rb +20 -35
- data/lib/conjur/command/{secrets.rb → policies.rb} +33 -22
- data/lib/conjur/command/pubkeys.rb +3 -63
- data/lib/conjur/command/resources.rb +45 -162
- data/lib/conjur/command/roles.rb +11 -181
- data/lib/conjur/command/rspec/helpers.rb +0 -1
- data/lib/conjur/command/rspec/mock_services.rb +4 -4
- data/lib/conjur/command/users.rb +2 -159
- data/lib/conjur/command/variables.rb +5 -218
- data/lib/conjur/complete.rb +2 -2
- data/lib/conjur/config.rb +1 -11
- data/lib/conjur/conjurenv.rb +12 -9
- data/lib/conjur/identifier_manipulation.rb +3 -5
- data/lib/conjur/version.rb +2 -2
- data/{publish-rubygem.sh → publish.sh} +0 -4
- data/spec/authn_spec.rb +4 -0
- data/spec/command/hosts_spec.rb +2 -69
- data/spec/command/init_spec.rb +16 -11
- data/spec/command/pubkeys_spec.rb +1 -46
- data/spec/command/resources_spec.rb +21 -170
- data/spec/command/roles_spec.rb +5 -181
- data/spec/command/users_spec.rb +3 -79
- data/spec/command_spec.rb +1 -20
- data/spec/complete_spec.rb +1 -23
- data/spec/config_spec.rb +1 -1
- data/spec/spec_helper.rb +4 -5
- data/test.sh +29 -25
- metadata +92 -212
- data/.githooks/pre_commit/run_specs.rb +0 -23
- data/Dockerfile +0 -15
- data/Dockerfile.fpm +0 -18
- data/Dockerfile.publish +0 -12
- data/Dockerfile.standalone +0 -33
- data/Dockerfile.validate-packaging +0 -9
- data/VERSION +0 -1
- data/acceptance-features/audit/audit_event_send.feature +0 -107
- data/acceptance-features/audit/fetch.feature +0 -16
- data/acceptance-features/audit/send.feature +0 -51
- data/acceptance-features/authentication/authenticate.feature +0 -10
- data/acceptance-features/authentication/login.feature +0 -12
- data/acceptance-features/authentication/logout.feature +0 -13
- data/acceptance-features/authorization/resource/annotate.feature +0 -35
- data/acceptance-features/authorization/resource/check.feature +0 -24
- data/acceptance-features/authorization/resource/create.feature +0 -21
- data/acceptance-features/authorization/resource/deny.feature +0 -12
- data/acceptance-features/authorization/resource/give.feature +0 -24
- data/acceptance-features/authorization/resource/permit.feature +0 -20
- data/acceptance-features/authorization/resource/permitted_roles.feature +0 -16
- data/acceptance-features/authorization/resource/show.feature +0 -28
- data/acceptance-features/authorization/role/create.feature +0 -13
- data/acceptance-features/authorization/role/exists.feature +0 -19
- data/acceptance-features/authorization/role/grant_to.feature +0 -21
- data/acceptance-features/authorization/role/graph.feature +0 -57
- data/acceptance-features/authorization/role/members.feature +0 -23
- data/acceptance-features/authorization/role/memberships.feature +0 -27
- data/acceptance-features/bootstrap.feature +0 -13
- data/acceptance-features/conjurenv/check.feature +0 -21
- data/acceptance-features/conjurenv/run.feature +0 -10
- data/acceptance-features/directory/group/create.feature +0 -20
- data/acceptance-features/directory/group/retire.feature +0 -54
- data/acceptance-features/directory/host/create.feature +0 -23
- data/acceptance-features/directory/host/retire.feature +0 -6
- data/acceptance-features/directory/hostfactory/create.feature +0 -28
- data/acceptance-features/directory/hostfactory/tokens.feature +0 -16
- data/acceptance-features/directory/layer/create.feature +0 -10
- data/acceptance-features/directory/layer/hosts-add.feature +0 -9
- data/acceptance-features/directory/layer/hosts-remove.feature +0 -10
- data/acceptance-features/directory/layer/retire.feature +0 -43
- data/acceptance-features/directory/user/create.feature +0 -23
- data/acceptance-features/directory/user/retire.feature +0 -6
- data/acceptance-features/directory/variable/create.feature +0 -14
- data/acceptance-features/directory/variable/retire.feature +0 -17
- data/acceptance-features/dsl/policy_owner.feature +0 -45
- data/acceptance-features/dsl/resource_owner.feature +0 -17
- data/acceptance-features/dsl/retire.feature +0 -15
- data/acceptance-features/global-privilege/elevate.feature +0 -20
- data/acceptance-features/global-privilege/reveal.privilege +0 -20
- data/acceptance-features/pubkeys/add.feature +0 -22
- data/acceptance-features/pubkeys/delete.feature +0 -9
- data/acceptance-features/pubkeys/names.feature +0 -26
- data/acceptance-features/pubkeys/show.feature +0 -27
- data/acceptance-features/step_definitions/cli_steps.rb +0 -57
- data/acceptance-features/step_definitions/graph_steps.rb +0 -22
- data/acceptance-features/step_definitions/user_steps.rb +0 -51
- data/acceptance-features/support/env.rb +0 -23
- data/acceptance-features/support/hooks.rb +0 -178
- data/acceptance-features/support/world.rb +0 -176
- data/acceptance-features/trusted_proxies.feature +0 -82
- data/bin/conjurize +0 -26
- data/bin/jsonfield +0 -70
- data/build-standalone +0 -6
- data/deprecations.sh +0 -38
- data/features/conjurize.feature +0 -134
- data/features/dsl_context.feature +0 -36
- data/features/dsl_host_create.feature +0 -11
- data/features/dsl_ownership.feature +0 -30
- data/features/dsl_permission.feature +0 -45
- data/features/dsl_resource_create.feature +0 -23
- data/features/dsl_role_create.feature +0 -11
- data/features/dsl_user_create.feature +0 -23
- data/features/jsonfield.feature +0 -49
- data/features/role_graph.feature +0 -58
- data/features/step_definitions/conjurize_steps.rb +0 -5
- data/features/step_definitions/dsl_steps.rb +0 -52
- data/features/support/conjur.conf +0 -6
- data/lib/conjur/command/assets.rb +0 -121
- data/lib/conjur/command/audit.rb +0 -155
- data/lib/conjur/command/bootstrap.rb +0 -129
- data/lib/conjur/command/dsl_command.rb +0 -75
- data/lib/conjur/command/elevate.rb +0 -76
- data/lib/conjur/command/field.rb +0 -45
- data/lib/conjur/command/groups.rb +0 -208
- data/lib/conjur/command/ids.rb +0 -34
- data/lib/conjur/command/layers.rb +0 -211
- data/lib/conjur/command/ldapsync.rb +0 -118
- data/lib/conjur/command/rspec/audit_helpers.rb +0 -68
- data/lib/conjur/command/rubydsl.rb +0 -93
- data/lib/conjur/command/script.rb +0 -48
- data/lib/conjur/command/server.rb +0 -67
- data/lib/conjur/conjurize.rb +0 -71
- data/lib/conjur/conjurize/script.rb +0 -150
- data/lib/conjur/dsl/runner.rb +0 -273
- data/publish-deb.sh +0 -6
- data/push-image +0 -29
- data/spec/command/assets_spec.rb +0 -115
- data/spec/command/audit_spec.rb +0 -376
- data/spec/command/elevate_spec.rb +0 -28
- data/spec/command/env_spec.rb +0 -168
- data/spec/command/groups_spec.rb +0 -77
- data/spec/command/host_factories_spec.rb +0 -38
- data/spec/command/layers_spec.rb +0 -35
- data/spec/command/ldapsync_spec.rb +0 -28
- data/spec/command/rubydsl_spec.rb +0 -63
- data/spec/command/variable_expiration_spec.rb +0 -164
- data/spec/command/variables_spec.rb +0 -192
- data/spec/conjurize/script_spec.rb +0 -62
- data/spec/conjurize_spec.rb +0 -70
- data/spec/dsl/runner_spec.rb +0 -93
- data/spec/env_spec.rb +0 -214
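--- a/data/lib/conjur/complete.rb
+++ b/data/lib/conjur/complete.rb
@@ -200,8 +200,8 @@ class Conjur::CLI::Complete
 end
 
 def complete_role
-Conjur::Command.api.current_role.
-.map { |r| Resource.new(r.
+Conjur::Command.api.current_role(Conjur.configuration.account).memberships
+.map { |r| Resource.new(r.id) }
 .reject { |r| r.kind.start_with? '@' }
 .map(&:to_s)
 end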
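--- a/data/lib/conjur/config.rb
+++ b/data/lib/conjur/config.rb
@@ -90,17 +90,7 @@ module Conjur
 cfg.set k, value if value
 end
 
-if Conjur.log
-require 'conjur/api'
-host = begin
-Conjur::Authn::API.host
-rescue RuntimeError
-nil
-end
-if host
-Conjur.log << "Using authn host #{Conjur::Authn::API.host}\n"
-end
-end
+Conjur.log << "Using authn url #{Conjur.configuration.authn_url}\n" if Conjur.log
 
 Conjur.config.apply_cert_config!
 end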
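Review bot: The replacement line reads `Conjur.configuration.authn_url` with no guard, whereas the block it replaces wrapped the equivalent host lookup in `rescue RuntimeError` and only logged when a host was actually resolved; if `authn_url` raises when the appliance URL is not configured (which that old rescue suggests the previous accessor did), the log line now aborts the method before `Conjur.config.apply_cert_config!` runs. If the accessor instead returns nil, the line logs `Using authn url ` with nothing after it, which is harmless but uninformative. Confirm the accessor's behaviour when the URL is unset, or keep the tolerant shape of the old block (a `begin`/`rescue RuntimeError` around the lookup, logging only when a URL was obtained). The enclosing method begins above this hunk.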
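--- a/data/lib/conjur/conjurenv.rb
+++ b/data/lib/conjur/conjurenv.rb
@@ -37,7 +37,7 @@ module Conjur
 initialize(coder.scalar)
 end
 def conjur_id
-@id
+[ Conjur.configuration.account, "variable", @id ].join(":")
 end
 end
 
@@ -104,14 +104,17 @@ module Conjur
 end
 
 def obtain(api)
-runtime_environment={}
-
-
-
-if reference.respond_to?(:evaluate)
-runtime_environment[environment_name] = reference.evaluate( conjur_values[reference.conjur_id] )
+runtime_environment = {}
+@definition.each do |environment_name, v|
+value = if v.conjur_id
+api.resource(v.conjur_id).value
 else
-
+v
+end
+if v.respond_to?(:evaluate)
+runtime_environment[environment_name] = v.evaluate(value)
+else
+runtime_environment[environment_name] = v # is a literal value
 end
 end
 return runtime_environment
@@ -121,7 +124,7 @@ module Conjur
 Hash[
 @definition.map.each do |k,v|
 if v.respond_to? :conjur_id
-if api.resource(
+if api.resource(v.conjur_id).permitted?(:execute)
 status = :available
 else
 status = :unavailable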
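Review bot: In the `obtain` hunk, `value = if v.conjur_id` calls `conjur_id` on every definition value, yet the same method's `else` branch is written for literal values and the `check` hunk just below guards the identical call with `v.respond_to? :conjur_id`; unless literal entries are wrapped in an object that answers `conjur_id`, which this diff does not show, a literal raises NoMethodError before its branch is ever reached. A guard matching `check`, `value = if v.respond_to?(:conjur_id) && v.conjur_id`, keeps the two methods consistent. Note also that a value which has a `conjur_id` but no `evaluate` has its freshly fetched `value` discarded and the reference object itself placed in the environment, which looks unintended. The trailing `return runtime_environment` can be a bare `runtime_environment`.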
@@ -7,10 +7,12 @@ module Conjur
|
|
7
7
|
raise "Expecting at least two tokens in #{id}"
|
8
8
|
end
|
9
9
|
if parts.size == 2
|
10
|
-
id = [
|
10
|
+
id = [Conjur.configuration.account, parts].flatten.join(":")
|
11
11
|
end
|
12
12
|
id
|
13
13
|
end
|
14
|
+
|
15
|
+
alias full_role_id full_resource_id
|
14
16
|
|
15
17
|
# removes accounts from 3+-tokens id, extracts kind
|
16
18
|
def get_kind_and_id_from_args args, argname='id'
|
@@ -21,9 +23,5 @@ module Conjur
|
|
21
23
|
kind=tokens.shift.gsub('-','_')
|
22
24
|
[kind, tokens.join(':')]
|
23
25
|
end
|
24
|
-
|
25
|
-
def conjur_account
|
26
|
-
Conjur::Core::API.conjur_account
|
27
|
-
end
|
28
26
|
end
|
29
27
|
end
|
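Review bot: In the first hunk, `id = [Conjur.configuration.account, parts].flatten.join(":")` silently yields a leading-colon id such as `:user:alice` if the configured account is nil, so a misconfigured client sends a malformed identifier to the server instead of failing locally with a clear message; this only matters if `Conjur.configuration.account` can be unset without raising, which I cannot tell from this hunk. If it can, read it once and fail early: `account = Conjur.configuration.account` followed by `raise ArgumentError, "no Conjur account configured" unless account`, then join. The new `alias full_role_id full_resource_id` inherits whatever this method does, and the same join-with-account pattern appears in `conjur_id` in the conjurenv.rb hunk above. `full_resource_id` begins above this hunk.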
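--- a/data/lib/conjur/version.rb
+++ b/data/lib/conjur/version.rb
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2014-
+# Copyright (C) 2014-2016 Conjur Inc.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-VERSION = '
+VERSION = '6.0.0.rc1'
 ::Version=VERSION
 end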
@@ -1,11 +1,7 @@
|
|
1
1
|
#!/bin/bash -e
|
2
2
|
|
3
|
-
docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
|
4
|
-
|
5
3
|
docker pull registry.tld/conjurinc/publish-rubygem
|
6
4
|
|
7
5
|
summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
|
8
6
|
docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
|
9
7
|
registry.tld/conjurinc/publish-rubygem conjur-cli
|
10
|
-
|
11
|
-
docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
|
data/spec/authn_spec.rb
CHANGED
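--- a/data/spec/command/hosts_spec.rb
+++ b/data/spec/command/hosts_spec.rb
@@ -3,84 +3,17 @@ require 'spec_helper'
 describe Conjur::Command::Hosts, logged_in: true do
 let(:collection_url) { "https://core.example.com/api/hosts" }
 
-context "creating a host" do
-let(:new_host) { double("new-host") }
-
-describe_command "host:create" do
-it "lets the server assign the id" do
-expect(RestClient::Request).to receive(:execute).with({
-method: :post,
-url: collection_url,
-headers: {},
-payload: {}
-}).and_return(post_response('assigned-id'))
-
-expect { invoke }.to write({ id: 'assigned-id' }).to(:stdout)
-end
-end
-describe_command "host:create the-id" do
-it "propagates the user-assigned id" do
-expect(RestClient::Request).to receive(:execute).with({
-method: :post,
-url: collection_url,
-headers: {},
-payload: { id: 'the-id' }
-}).and_return(post_response('the-id'))
-
-expect { invoke }.to write({ id: 'the-id' }).to(:stdout)
-end
-end
-describe_command "host:create --cidr 192.168.1.1,127.0.0.0/32" do
-it "Creates a host with specified CIDR" do
-expect_any_instance_of(Conjur::API).to receive(:create_host).with(
-{ cidr: ['192.168.1.1', '127.0.0.0/32'] }
-).and_return new_host
-invoke
-end
-end
-describe_command "host:create --as-group security_admin --cidr 192.168.1.1,127.0.0.0/32" do
-it "Creates a host with specified CIDR" do
-expect(api).to receive(:group).with("security_admin").and_return(double(:group, roleid: "the-account:group:security_admin"))
-expect(api).to receive(:role).with("the-account:group:security_admin").and_return(double(:group_role, exists?: true))
-expect_any_instance_of(Conjur::API).to receive(:create_host).with(
-{ ownerid: "the-account:group:security_admin", cidr: ['192.168.1.1', '127.0.0.0/32'] }
-).and_return new_host
-invoke
-end
-end
-end
-
-context "updating host attributes" do
-describe_command "host update --cidr 127.0.0.0/32 the-user" do
-it "updates the CIDR" do
-stub_host = double()
-expect_any_instance_of(Conjur::API).to receive(:host).with("the-user").and_return stub_host
-expect(stub_host).to receive(:update).with(cidr: ['127.0.0.0/32']).and_return ""
-expect { invoke }.to write "Host updated"
-end
-end
-
-describe_command "host update --cidr all the-user" do
-it "resets the CIDR restrictions" do
-stub_host = double()
-expect_any_instance_of(Conjur::API).to receive(:host).with("the-user").and_return stub_host
-expect(stub_host).to receive(:update).with(cidr: []).and_return ""
-expect { invoke }.to write "Host updated"
-end
-end
-end
-
 context 'rotating api key' do
 describe_command 'host rotate_api_key --host redis001' do
 before do
 expect(RestClient::Request).to receive(:execute).with({
 method: :head,
-url:
+url: "https://core.example.com/api/resources/#{account}/host/redis001",
 headers: {}
 }).and_return true
 expect(RestClient::Request).to receive(:execute).with({
 method: :put,
-url:
+url: "https://core.example.com/api/authn/#{account}/api_key?role=#{account}:host:redis001",
 headers: {},
 payload: ''
 }).and_return double(:response, body: 'new api key')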
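--- a/data/spec/command/init_spec.rb
+++ b/data/spec/command/init_spec.rb
@@ -49,15 +49,15 @@ describe Conjur::Command::Init do
 
 context "auto-fetching fingerprint" do
 before {
-allow_any_instance_of(HighLine).to receive(:ask).with("Enter the
+allow_any_instance_of(HighLine).to receive(:ask).with("Enter the URL of your Conjur service: ").and_return "http://host.example.com"
 allow(Conjur::Command::Init).to receive_messages get_certificate: ["the-fingerprint", nil]
 allow_any_instance_of(HighLine).to receive(:ask).with(/^Trust this certificate/).and_return "yes"
 }
 
 describe_command 'init' do
-it "
-
-
+it "writes config file" do
+expect_any_instance_of(HighLine).to receive(:ask).with("Enter the URL of your Conjur service: ").and_return "http://host.example.com"
+expect_any_instance_of(HighLine).to receive(:ask).with("Enter your organization account name: ").and_return "the-account"
 expect(File).to receive(:open)
 invoke
 end
@@ -71,13 +71,18 @@ describe Conjur::Command::Init do
 end
 end
 
-describe_command 'init -a the-account -
+describe_command 'init -a the-account -u https://nohost.example.com' do
 it "can't get the cert" do
+# GLI only raises CustomExit if GLI_DEBUG is set
+ENV['GLI_DEBUG'] = 'true'
+
+expect(TCPSocket).to receive(:new).and_raise "can't connect"
+
 expect { invoke }.to raise_error(GLI::CustomExit, /unable to retrieve certificate/i)
 end
 end
 
-describe_command 'init -a the-account -
+describe_command 'init -a the-account -u https://localhost -c the-cert' do
 it "writes config and cert files" do
 expect(File).to receive(:open).twice
 expect(Conjur::Command::Init).to receive(:configure_cert_store).with "the-cert"
@@ -107,7 +112,7 @@ describe Conjur::Command::Init do
 
 expect(YAML.load(File.read(file))).to eq({
 account: 'the-account',
-appliance_url: "https://localhost
+appliance_url: "https://localhost",
 cert_file: File.join(File.dirname(file), "conjur-the-account.pem"),
 plugins: [],
 }.stringify_keys)
@@ -115,7 +120,7 @@ describe Conjur::Command::Init do
 end
 
 context "default behavior" do
-describe_command "init -a the-account -
+describe_command "init -a the-account -u https://localhost -c the-cert" do
 before(:each) {
 allow(File).to receive(:expand_path).and_call_original
 allow(File).to receive(:expand_path).with('~/.conjurrc').and_return("#{tmpdir}/.conjurrc")
@@ -132,7 +137,7 @@ describe Conjur::Command::Init do
 end
 
 context "explicit output file" do
-describe_command "init -f #{tmpdir}/.conjurrc2 -a the-account -
+describe_command "init -f #{tmpdir}/.conjurrc2 -a the-account -u https://localhost -c the-cert" do
 include_examples "check config and cert files", File.join(tmpdir, ".conjurrc2")
 it "prints the config file location" do
 expect { invoke }.to write("Wrote configuration to #{tmpdir}/.conjurrc2")
@@ -141,14 +146,14 @@ describe Conjur::Command::Init do
 end
 
 context "to CONJURRC" do
-describe_command "init -a the-account -
+describe_command "init -a the-account -u https://localhost -c the-cert" do
 file = File.join(tmpdir, ".conjurrc_env")
 include_examples "check config and cert files", file, file
 end
 end
 
 context "explicit output file overrides CONJURRC" do
-describe_command "init -f #{tmpdir}/.conjurrc_2 -a the-account -
+describe_command "init -f #{tmpdir}/.conjurrc_2 -a the-account -u https://localhost -c the-cert" do
 ENV['CONJURRC'] = "#{tmpdir}/.conjurrc_env_2"
 include_examples "check config and cert files", File.join(tmpdir, ".conjurrc_2")
 end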
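Review bot: In the second hunk (old line 71, new line 71 onward), `ENV['GLI_DEBUG'] = 'true'` is assigned inside the example and never restored, so once this example has run every later example in the same process sees GLI in debug mode, and the accompanying comment says that flag changes whether GLI raises `CustomExit` at all, which can mask or alter failures elsewhere in the suite. Save and restore it around the example, e.g. `before { @gli_debug = ENV['GLI_DEBUG']; ENV['GLI_DEBUG'] = 'true' }` with `after { ENV['GLI_DEBUG'] = @gli_debug }`, or use an `around` hook. The `ENV['CONJURRC']` assignment in the last hunk is evaluated at file load inside `describe_command` and is likewise never cleared, though that line is unchanged context here.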
@@ -24,54 +24,9 @@ require 'conjur/command/pubkeys'
|
|
24
24
|
describe Conjur::Command::Pubkeys, logged_in: true do
|
25
25
|
describe_command "pubkeys:show alice" do
|
26
26
|
it "calls api.public_keys('alice') and prints the result" do
|
27
|
-
expect(
|
27
|
+
expect(Conjur::API).to receive(:public_keys).with('alice', account: account).and_return "a public key"
|
28
28
|
expect{ invoke }.to write("a public key")
|
29
29
|
end
|
30
30
|
end
|
31
31
|
|
32
|
-
describe_command "pubkeys:names alice" do
|
33
|
-
let(:keys){ ["x y foo", "x y bar"].join("\n") }
|
34
|
-
let(:names){ "bar\nfoo" }
|
35
|
-
it "calls api.public_keys('alice') and prints the names" do
|
36
|
-
expect(described_class.api).to receive(:public_keys).with('alice').and_return keys
|
37
|
-
expect{ invoke }.to write(names)
|
38
|
-
end
|
39
|
-
end
|
40
|
-
|
41
|
-
describe_command "pubkeys:add alice data" do
|
42
|
-
it "calls api.add_public_key('alice', 'data') and prints the key name" do
|
43
|
-
expect(described_class.api).to receive(:add_public_key).with('alice', 'data')
|
44
|
-
expect{ invoke }.to write("Public key 'data' added")
|
45
|
-
end
|
46
|
-
end
|
47
|
-
|
48
|
-
describe_command "pubkeys:add alice @id_rsa.pub" do
|
49
|
-
let(:file_contents){ "ssh-rsa blahblah keyname" }
|
50
|
-
it "calls api.add_public_key('alice', data) and prints the key name" do
|
51
|
-
expect(File).to receive(:read) do |filename|
|
52
|
-
expect(filename).to end_with("id_rsa.pub")
|
53
|
-
file_contents
|
54
|
-
end
|
55
|
-
expect(described_class.api).to receive(:add_public_key).with('alice', file_contents)
|
56
|
-
expect{ invoke }.to write("Public key 'keyname' added")
|
57
|
-
end
|
58
|
-
end
|
59
|
-
|
60
|
-
describe_command "pubkeys:add alice" do
|
61
|
-
let(:stdin_contents){ "ssh-rsa blahblah keyname" }
|
62
|
-
it "calls api.add_public_key('alice', stdin) and prints the key name" do
|
63
|
-
expect(STDIN).to receive(:read).and_return(stdin_contents)
|
64
|
-
allow(STDIN).to receive(:isatty).and_return(false)
|
65
|
-
expect(described_class).to receive(:validate_public_key).and_return(true)
|
66
|
-
expect(described_class.api).to receive(:add_public_key).with('alice', stdin_contents)
|
67
|
-
expect{ invoke }.to write("Public key 'keyname' added")
|
68
|
-
end
|
69
|
-
end
|
70
|
-
|
71
|
-
describe_command "pubkeys:delete alice keyname" do
|
72
|
-
it "calls api.delete_public_key('alice', 'keyname')" do
|
73
|
-
expect(described_class.api).to receive(:delete_public_key).with("alice", "keyname")
|
74
|
-
expect{ invoke }.to write("Public key 'keyname' deleted")
|
75
|
-
end
|
76
|
-
end
|
77
32
|
end
|
@@ -3,14 +3,17 @@ require 'spec_helper'
|
|
3
3
|
describe Conjur::Command::Resources, logged_in: true do
|
4
4
|
|
5
5
|
let (:full_resource_id) { [account, KIND, ID].join(":") }
|
6
|
-
let (:resource_instance) { double(attributes: resource_attributes) }
|
6
|
+
let (:resource_instance) { double('resource_instance', attributes: resource_attributes) }
|
7
7
|
let (:resource_attributes) { { "some" => "attribute"} }
|
8
8
|
|
9
9
|
before :each do
|
10
|
-
allow(api).to receive(:resource).and_call_original
|
11
10
|
allow(api).to receive(:resource).with(full_resource_id).and_return(resource_instance)
|
12
11
|
end
|
13
12
|
|
13
|
+
def invoke_silently
|
14
|
+
expect { invoke }.to write
|
15
|
+
end
|
16
|
+
|
14
17
|
shared_examples 'it displays resource attributes' do
|
15
18
|
it "as JSON to stdout" do
|
16
19
|
expect(JSON::parse( expect { invoke }.to write )).to eq(resource_attributes)
|
@@ -28,19 +31,7 @@ describe Conjur::Command::Resources, logged_in: true do
|
|
28
31
|
end
|
29
32
|
end
|
30
33
|
|
31
|
-
describe_command "
|
32
|
-
before :each do
|
33
|
-
allow(resource_instance).to receive(:create)
|
34
|
-
end
|
35
|
-
it "calls resource.create()" do
|
36
|
-
expect(resource_instance).to receive(:create)
|
37
|
-
invoke_silently
|
38
|
-
end
|
39
|
-
it_behaves_like "it obtains resource by id"
|
40
|
-
it_behaves_like "it displays resource attributes"
|
41
|
-
end
|
42
|
-
|
43
|
-
describe_command "resource:show #{KIND}:#{ID}" do
|
34
|
+
describe_command "show #{KIND}:#{ID}" do
|
44
35
|
it_behaves_like "it obtains resource by id"
|
45
36
|
it_behaves_like "it displays resource attributes"
|
46
37
|
end
|
@@ -67,174 +58,34 @@ describe Conjur::Command::Resources, logged_in: true do
|
|
67
58
|
end
|
68
59
|
end
|
69
60
|
|
70
|
-
describe_command "
|
71
|
-
before(:each) { allow(resource_instance).to receive(:permit).and_return(true) }
|
72
|
-
it_behaves_like "it obtains resource by id"
|
73
|
-
it "calls resource.permit(#{PRIVILEGE}, #{ROLE})" do
|
74
|
-
expect(resource_instance).to receive(:permit).with(PRIVILEGE, ROLE)
|
75
|
-
invoke_silently
|
76
|
-
end
|
77
|
-
it { expect { invoke }.to write "Permission granted" }
|
78
|
-
end
|
79
|
-
|
80
|
-
describe_command "resource:permit -g #{KIND}:#{ID} #{ROLE} #{PRIVILEGE}" do
|
81
|
-
it 'calls resource.permit() with grant option' do
|
82
|
-
expect(resource_instance).to receive(:permit).with(PRIVILEGE, ROLE, grant_option: true)
|
83
|
-
invoke_silently
|
84
|
-
end
|
85
|
-
end
|
86
|
-
|
87
|
-
describe_command "resource:deny #{KIND}:#{ID} #{ROLE} #{PRIVILEGE}" do
|
88
|
-
before(:each) { allow(resource_instance).to receive(:deny).and_return(true) }
|
89
|
-
it_behaves_like "it obtains resource by id"
|
90
|
-
it "calls resource.deny(#{PRIVILEGE},#{ROLE})" do
|
91
|
-
expect(resource_instance).to receive(:deny).with(PRIVILEGE, ROLE)
|
92
|
-
invoke_silently
|
93
|
-
end
|
94
|
-
it { expect { invoke }.to write "Permission revoked" }
|
95
|
-
end
|
96
|
-
|
97
|
-
describe_command "resource:check #{KIND}:#{ID} #{PRIVILEGE}" do
|
61
|
+
describe_command "check #{KIND}:#{ID} #{PRIVILEGE}" do
|
98
62
|
it "performs a permission check for the logged-in user" do
|
99
|
-
expect(
|
100
|
-
expect(bacon).to receive(:permitted?).with(PRIVILEGE)
|
63
|
+
expect(resource_instance).to receive(:permitted?).with(PRIVILEGE, role: nil)
|
101
64
|
|
102
65
|
invoke
|
103
66
|
end
|
104
67
|
end
|
105
68
|
|
106
|
-
describe_command "
|
107
|
-
|
108
|
-
let (:role_response) { "role response: true|false" }
|
109
|
-
let (:account) { ACCOUNT }
|
110
|
-
before(:each) {
|
111
|
-
allow(api).to receive(:role).and_return(role_instance)
|
112
|
-
allow(role_instance).to receive(:permitted?).and_return(role_response)
|
113
|
-
}
|
114
|
-
it 'obtains role object by id' do
|
115
|
-
expect(api).to receive(:role).with(ROLE)
|
116
|
-
invoke_silently
|
117
|
-
end
|
118
|
-
it "calls role.permitted?('#{ACCOUNT}:#{KIND}:#{ID}', #{PRIVILEGE})" do
|
119
|
-
expect(role_instance).to receive(:permitted?).with([ACCOUNT,KIND,ID].join(":"),PRIVILEGE)
|
120
|
-
invoke_silently
|
121
|
-
end
|
122
|
-
it { expect { invoke }.to write role_response }
|
123
|
-
end
|
69
|
+
describe_command "check -r #{ROLE} #{KIND}:#{ID} #{PRIVILEGE}" do
|
70
|
+
it "performs a permission check for #{ROLE}" do
|
124
71
|
|
125
|
-
|
126
|
-
before(:each) { allow(resource_instance).to receive(:give_to).and_return(true) }
|
127
|
-
it_behaves_like "it obtains resource by id"
|
128
|
-
it "calls resource.give_to(#{OWNER})" do
|
129
|
-
expect(resource_instance).to receive(:give_to).with(OWNER)
|
72
|
+
expect(resource_instance).to receive(:permitted?).with(PRIVILEGE, role: ROLE)
|
130
73
|
invoke_silently
|
131
74
|
end
|
132
|
-
it { expect { invoke }.to write "Ownership granted" }
|
133
|
-
end
|
134
|
-
|
135
|
-
context "list" do
|
136
|
-
def make_resource(kind, identifier, attributes)
|
137
|
-
authz_host = "http://conjur/authz"
|
138
|
-
credentials = {}
|
139
|
-
id = "the-account:#{kind}:#{identifier}"
|
140
|
-
api.resource(id).tap do |resource|
|
141
|
-
resource.attributes = attributes.merge(resourceid: id)
|
142
|
-
end
|
143
|
-
end
|
144
|
-
let(:resources) {
|
145
|
-
[
|
146
|
-
make_resource("food", "bacon", {}),
|
147
|
-
make_resource("food", "eggs", {})
|
148
|
-
]
|
149
|
-
}
|
150
|
-
let(:resource_ids) {
|
151
|
-
[
|
152
|
-
"the-account:food:bacon",
|
153
|
-
"the-account:food:eggs"
|
154
|
-
]
|
155
|
-
}
|
156
|
-
describe_command "resource:list" do
|
157
|
-
it "displays JSONised list of resources" do
|
158
|
-
expect(api).to receive(:resources).with({}).and_return(resources)
|
159
|
-
expect(JSON.parse( expect { invoke }.to write )).to eq([
|
160
|
-
{"resourceid"=>"the-account:food:bacon", "annotations"=>{}},
|
161
|
-
{"resourceid"=>"the-account:food:eggs", "annotations"=>{}}
|
162
|
-
])
|
163
|
-
end
|
164
|
-
end
|
165
|
-
describe_command "resource:list -i -k jobs" do
|
166
|
-
it "searches by resource kind" do
|
167
|
-
expect(api).to receive(:resources).with({kind: 'jobs'}).and_return(resources)
|
168
|
-
expect(JSON.parse( expect { invoke }.to write )).to eq(resource_ids)
|
169
|
-
end
|
170
|
-
end
|
171
|
-
describe_command "resource:list -i" do
|
172
|
-
it "displays resource ids" do
|
173
|
-
expect(api).to receive(:resources).with({}).and_return(resources)
|
174
|
-
expect(JSON.parse( expect { invoke }.to write )).to eq(resource_ids)
|
175
|
-
end
|
176
|
-
end
|
177
|
-
{ search: "hamster", offset: 10, limit: 10 }.each do |k,v|
|
178
|
-
describe_command "resource:list -i --#{k} #{v}" do
|
179
|
-
it "displays the items" do
|
180
|
-
expect(api).to receive(:resources).with({k => v.to_s}).and_return(resources)
|
181
|
-
expect(JSON.parse( expect { invoke }.to write )).to eq(resource_ids)
|
182
|
-
end
|
183
|
-
end
|
184
|
-
end
|
185
75
|
end
|
186
76
|
|
187
|
-
|
77
|
+
describe_command "resource:permitted_roles #{KIND}:#{ID} #{PRIVILEGE}" do
|
188
78
|
let(:roles_list) { %W[klaatu barada nikto] }
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
invoke_silently
|
197
|
-
end
|
198
|
-
it "displays JSONised list of roles" do
|
199
|
-
expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
|
200
|
-
end
|
201
|
-
end
|
202
|
-
|
203
|
-
describe_command "resource:permitted_roles --count #{KIND}:#{ID} #{PRIVILEGE}" do
|
204
|
-
before {
|
205
|
-
expect(resource_instance).to receive(:permitted_roles).with(PRIVILEGE, count: true).
|
206
|
-
and_return(12)
|
207
|
-
}
|
208
|
-
it_behaves_like "it obtains resource by id"
|
209
|
-
it "calls resource.permitted_roles(#{PRIVILEGE}" do
|
210
|
-
invoke_silently
|
211
|
-
end
|
212
|
-
it "displays role count" do
|
213
|
-
expect(JSON.parse( expect { invoke }.to write )).to eq(12)
|
214
|
-
end
|
215
|
-
end
|
216
|
-
|
217
|
-
|
218
|
-
describe_command "resource:permitted_roles -s frontend #{KIND}:#{ID} #{PRIVILEGE}" do
|
219
|
-
let(:roles_list) { %W[klaatu barada nikto] }
|
220
|
-
before {
|
221
|
-
expect(resource_instance).to receive(:permitted_roles).with(PRIVILEGE, search: "frontend").
|
222
|
-
and_return(roles_list)
|
223
|
-
}
|
224
|
-
it_behaves_like "it obtains resource by id"
|
225
|
-
it "displays JSONised list of roles" do
|
226
|
-
expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
|
227
|
-
end
|
79
|
+
before(:each) {
|
80
|
+
allow(resource_instance).to receive(:permitted_roles).and_return(roles_list)
|
81
|
+
}
|
82
|
+
it_behaves_like "it obtains resource by id"
|
83
|
+
it "calls resource.permitted_roles(#{PRIVILEGE}" do
|
84
|
+
expect(resource_instance).to receive(:permitted_roles)
|
85
|
+
invoke_silently
|
228
86
|
end
|
229
|
-
|
230
|
-
|
231
|
-
context "interactivity" do
|
232
|
-
subject { Conjur::Command::Resources }
|
233
|
-
describe_command 'resource:annotate -i #{KIND}:#{ID}' do
|
234
|
-
it {
|
235
|
-
is_expected.to receive(:prompt_for_annotations)
|
236
|
-
invoke_silently
|
237
|
-
}
|
87
|
+
it "displays JSONised list of roles" do
|
88
|
+
expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
|
238
89
|
end
|
239
90
|
end
|
240
91
|
end
|
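Review bot: In the last hunk, the rewritten `permitted_roles` example sets `expect(resource_instance).to receive(:permitted_roles)` without `.with(PRIVILEGE)`, so unlike the examples it replaces (which asserted `.with(PRIVILEGE, count: true)` and `.with(PRIVILEGE, search: "frontend")`) it no longer verifies which privilege is passed to the authorization query, and a command that queried the wrong privilege would still pass. Restore the argument check: `expect(resource_instance).to receive(:permitted_roles).with(PRIVILEGE)`. The example description `"calls resource.permitted_roles(#{PRIVILEGE}"` is also missing its closing parenthesis. The `check` examples in the same hunk do pin `role: nil` and `role: ROLE`, which is the right level of precision for an authorization spec.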