conjur-cli 5.6.6 → 6.0.0.rc1

data/spec/command/roles_spec.rb

@@ -2,204 +2,28 @@ require 'spec_helper'
 
 describe Conjur::Command::Roles, logged_in: true do
 
-  describe "role:grant_to" do
-    describe_command "role:grant_to test:a test:b" do
-      it "grants the role without options" do
-        expect_any_instance_of(Conjur::Role).to receive(:grant_to).with("test:b", {})
-        invoke
-      end
-    end
-    describe_command "role:grant_to --admin test:a test:b" do
-      it "grants the role with admin option" do
-        expect_any_instance_of(Conjur::Role).to receive(:grant_to).with("test:b", {admin_option: true})
-        invoke
-      end
-    end
-  end
-
-  describe "role:create" do
-    describe_command "role:create test:the-role" do
-      it "creates the role with no options" do
-        expect_any_instance_of(Conjur::Role).to receive(:create).with({})
-        
-        invoke
-      end
-    end
-    describe_command "role:create --as-role test:foo test:the-role" do
-      it "creates the role with acting_as option" do
-        expect(api).to receive(:role).with("test:foo").and_return double("test:foo", exists?: true, roleid: "test:test:foo")
-        expect(api).to receive(:role).with("test:the-role").and_return role = double("new-role", roleid: "test:the-role")
-        expect(role).to receive(:create).with({acting_as: "test:test:foo"})
-        
-        expect { invoke }.to write("Created role test:the-role")
-      end
-    end
-    describe_command "role:create --as-group the-group test:the-role" do
-      it "creates the role with with acting_as option" do
-        expect(api).to receive(:group).with("the-group").and_return group = double("the-group", roleid: "test:group:the-group")
-        expect(api).to receive(:role).with(group.roleid).and_return double("group:the-group", exists?: true, roleid: "test:group:the-group")
-        expect(api).to receive(:role).with("test:the-role").and_return role = double("new-role", roleid: "test:the-role")
-        expect(role).to receive(:create).with({acting_as: "test:group:the-group"})
-        
-        expect { invoke }.to write("Created role test:the-role")
-      end
-    end
-  end
-  
-  describe "role:members" do
-    let(:all_roles) { %w(foo:user:joerandom foo:something:cool foo:something:else foo:group:admins) }
-    let(:all_role_grants) { 
-      all_roles.map do |r| 
-        Conjur::RoleGrant.new(api.role("foo:user:joerandom"), api.role(r), api.role("foo:user:admin"), false)
-      end
-    }
-    let(:role) do
-      double "the role", members: all_role_grants
-    end
-  
-    before do
-      allow(api).to receive(:role).and_call_original
-      allow(api).to receive(:role).with(rolename).and_return role
-    end
-
-    context "when logged in as a user" do
-      let(:username) { "joerandom" }
-      let(:rolename) { "user:joerandom" }
-      
-      describe_command "role:members" do
-        it "lists all roles" do
-          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
-        end
-      end
-
-      describe_command "role:members -V" do
-        it "lists all roles verbosely" do
-          expect(JSON::parse(expect { invoke }.to write)).to eq(all_role_grants.map(&:to_h).map(&:stringify_keys))
-        end
-        describe "without RoleGrant.role field" do
-          it "lists the roles verbosely" do
-            all_role_grants.each do |rg|
-              rg.instance_variable_set "@role", nil
-            end
-            expect(JSON::parse(expect { invoke }.to write)).to eq(all_role_grants.map(&:to_h).map(&:stringify_keys))
-          end
-        end
-      end
-
-      describe_command "role:members --count" do
-        it "counts the roles" do
-          expect(role).to receive(:members).with({count: true}).and_return(all_roles.size)
-          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles.size)
-        end
-      end
-
-      describe_command "role:members -k hamster -s frontend -o 10 -l 10" do
-        it "lists selected roles" do
-          expect(role).to receive(:members).with({kind: 'hamster', search: 'frontend', offset: "10", limit: "10"}).and_return(all_role_grants)
-          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
-        end
-      end
-
-      describe_command "role:members -k hamster,giraffe" do
-        it "lists selected roles" do
-          expect(role).to receive(:members).with({kind: %w(hamster giraffe)}).and_return(all_role_grants)
-          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
-        end
-      end
-
-      describe_command "role:members -k hamster -k giraffe" do
-        it "applies only the last 'kind' filter" do
-          expect(role).to receive(:members).with({kind: 'giraffe'}).and_return(all_role_grants)
-          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
-        end
-      end
-  
-      describe_command "role:members foo:bar" do
-        let(:rolename) { 'foo:bar' }
-        it "lists all roles of foo:bar" do
-          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
-        end
-      end
-    end
-  end
-
   describe "role:memberships" do
     let(:all_roles) { %w(foo:user:joerandom foo:something:cool foo:something:else foo:group:admins) }
-    let(:all_role_objects) { all_roles.map{|r| double r, roleid: r } }
     let(:role) do
-      double "the role", all: all_role_objects
+      double "the role", memberships: all_roles.map{|r| double r, id: r }
     end
   
     before do
-      allow(api).to receive(:role).and_call_original
       allow(api).to receive(:role).with(rolename).and_return role
     end
 
     context "when logged in as a user" do
       let(:username) { "joerandom" }
-      let(:rolename) { "user:joerandom" }
+      let(:rolename) { "#{account}:user:joerandom" }
       
       describe_command "role:memberships" do
         it "lists all roles" do
           expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
         end
       end
-
-      describe_command "when empty" do
-        let(:all_roles) { [] }
-        describe_command "role:memberships" do
-          it "prints an empty array" do
-            expect(JSON::parse(expect { invoke }.to write)).to eq([])
-          end
-        end
-      end
-
-      describe_command "role:memberships" do
-        it "hides system roles" do
-          expect(role).to receive(:all).with({}).and_return([
-            double(:role, roleid: "the-account:@:hamster")
-          ])
-          expect(JSON::parse(expect { invoke }.to write)).to eq([])
-        end
-      end
-
-      describe_command "role:memberships --count" do
-        it "counts the roles" do
-          expect(role).to receive(:all).with({count: true}).and_return(all_roles.size)
-          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles.size)
-        end
-      end
-
-      context "with full role grant info" do
-        let(:all_role_grants) { 
-          all_roles.map do |r| 
-            Conjur::RoleGrant.new(api.role(r), api.role("foo:user:joerandom"), api.role("foo:user:admin"), false)
-          end
-        }
-        before {
-          expect(role).to receive(:all).with({recursive: false}).and_return(all_role_grants)
-        }
-        describe_command "role:memberships --no-recursive" do
-          it "lists the roles" do
-            expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
-          end
-        end
-        describe_command "role:memberships -V --no-recursive" do
-          it "shows all the roles" do
-            expect(JSON::parse(expect { invoke }.to write)).to eq(all_role_grants.map(&:to_h).map(&:stringify_keys))
-          end
-        end
-      end
-  
-      describe_command "role:memberships -k hamster -s frontend -o 10 -l 10" do
-        it "lists selected roles" do
-          expect(role).to receive(:all).with({kind: 'hamster', search: 'frontend', offset: "10", limit: "10"}).and_return(all_role_objects)
-          expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
-        end
-      end
   
       describe_command "role:memberships foo:bar" do
-        let(:rolename) { 'foo:bar' }
+        let(:rolename) { "#{account}:foo:bar" }
         it "lists all roles of foo:bar" do
           expect(JSON::parse(expect { invoke }.to write)).to eq(all_roles)
         end
@@ -208,7 +32,7 @@ describe Conjur::Command::Roles, logged_in: true do
   
     context "when logged in as a host" do
       let(:username) { "host/foobar" }
-      let(:rolename) { "host:foobar" }
+      let(:rolename) { "#{account}:host:foobar" }
   
       describe_command "role:memberships" do
         it "lists all roles" do
@@ -218,7 +42,7 @@ describe Conjur::Command::Roles, logged_in: true do
     end
   end
   
-  describe "role graph" do 
+  describe "role graph", wip: true do 
     let(:roles){ [] }
     let(:options){ { ancestors: true, descendants: true } }
     let(:extra_options){ {} }

data/spec/command/users_spec.rb

@@ -1,85 +1,9 @@
 require 'spec_helper'
 
 describe Conjur::Command::Users, logged_in: true do
-  let(:create_user_url) { "https://core.example.com/api/users" }
-  let(:update_password_url) { "https://authn.example.com/users/password" }
-  
-  context "creating a user" do
-    let(:new_user) { double("new-user") }
-    before do
-      expect(Conjur::Command::Users).to receive(:display).with(new_user)
-    end
-
-    [ "user:create", "user create" ].each do |cmd|
-      describe_command "#{cmd} -p the-user" do
-        it "Creates a user with a password obtained by prompting the user" do
-          expect_any_instance_of(Conjur::API).to receive(:create_user).with("the-user", password: "the-password").and_return new_user
-          expect(Conjur::Command::Users).to receive(:prompt_for_password).and_return "the-password"
-  
-          invoke
-        end
-      end
-      describe_command "#{cmd} the-user" do
-        it "Creates a user without a password" do
-          expect_any_instance_of(Conjur::API).to receive(:create_user).with("the-user", {}).and_return new_user
-          invoke
-        end
-      end
-      describe_command "#{cmd} --uidnumber 12345 the-user" do
-        it "Creates a user with specified uidnumber" do
-          expect_any_instance_of(Conjur::API).to receive(:create_user).with("the-user", { uidnumber: 12345 }).and_return new_user
-          invoke
-        end
-      end
-      describe_command "#{cmd} --cidr 192.168.1.1,127.0.0.0/32 the-user" do
-        it "Creates a user with specified CIDR" do
-          expect_any_instance_of(Conjur::API).to receive(:create_user).with(
-              "the-user", { cidr: ['192.168.1.1', '127.0.0.0/32'] }
-          ).and_return new_user
-          invoke
-        end
-      end
-    end
-  end
-
-  context "updating user attributes" do
-    describe_command "user update --uidnumber 12345 the-user" do
-      it "updates the uidnumber" do
-        stub_user = double()
-        expect_any_instance_of(Conjur::API).to receive(:user).with("the-user").and_return stub_user
-        expect(stub_user).to receive(:update).with(uidnumber: 12345).and_return ""
-        expect { invoke }.to write "User updated"
-      end
-    end
-    describe_command "user update --cidr 127.0.0.0/32 the-user" do
-      it "updates the CIDR" do
-        stub_user = double()
-        expect_any_instance_of(Conjur::API).to receive(:user).with("the-user").and_return stub_user
-        expect(stub_user).to receive(:update).with(cidr: ['127.0.0.0/32']).and_return ""
-        expect { invoke }.to write "User updated"
-      end
-    end
-
-    describe_command "user update --cidr all the-user" do
-      it "resets the CIDR restrictions" do
-        stub_user = double()
-        expect_any_instance_of(Conjur::API).to receive(:user).with("the-user").and_return stub_user
-        expect(stub_user).to receive(:update).with(cidr: []).and_return ""
-        expect { invoke }.to write "User updated"
-      end
-    end
-  end
+  let (:rotate_api_key_url) { [Conjur.configuration.authn_url, account, 'api_key'].join('/') }
+  let (:update_password_url) { [Conjur.configuration.authn_url, account, 'password'].join('/') }
 
-  context "lookup per UID" do
-    let(:search_result) { {id: "the-user"} }
-    describe_command "user uidsearch 12345" do
-      it "finds user" do
-        expect_any_instance_of(Conjur::API).to receive(:find_users).with(uidnumber: 12345).and_return search_result
-        expect { invoke }.to write(JSON.pretty_generate(search_result))
-      end
-    end
-  end
-  
   context "updating password" do
     before do
      expect(RestClient::Request).to receive(:execute).with({
@@ -112,7 +36,7 @@ describe Conjur::Command::Users, logged_in: true do
       before do
         expect(RestClient::Request).to receive(:execute).with({
                     method: :put,
-                    url: 'https://authn.example.com/users/api_key',
+                    url: rotate_api_key_url,
                     user: username,
                     password: api_key,
                     headers: {},

data/spec/command_spec.rb

@@ -10,7 +10,7 @@ describe Conjur::Command do
           end
         end 
         context "brief id(2 tokens)" do
-          before(:each) { allow(described_class).to receive(:conjur_account).and_return("current/acc") }
+          before(:each) { allow(Conjur.configuration).to receive(:account).and_return("current/acc") }
           it "injects current account as a prefix" do
             expect(described_class.full_resource_id("a:b")).to eq("current/acc:a:b")
           end
@@ -58,23 +58,4 @@ describe Conjur::Command do
     end
   end
 
-  describe "supports asset retirement" do
-    let(:role){ double('Role', roleid: 'the-role-id')}
-    let(:permission){ { 'role' => 'the-role-id', 'privilege' => 'read' } }
-    let(:permissions){ [ permission ] }
-    let(:resource){ double('Resource', deny: nil, attributes: {'permissions' => permissions}) }
-    let(:resources){ [resource] }
-    let(:api){ double('API') }
-    let(:asset){ double('Asset', resources: resources, resource: resource) }
-    describe "#retire_resource" do
-      context "when given an object without a role" do
-        it 'works' do
-          expect(described_class).to receive(:api).and_return api
-          expect(api).to receive(:role).with('the-role-id').and_return role
-          described_class.retire_resource(asset)
-        end
-      end
-    end
-  end
-
 end

data/spec/complete_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 
-describe Conjur::CLI::Complete do
+describe Conjur::CLI::Complete, wip: true do
   def expects_completions_for string, point=nil
     expect(described_class.new("conjur #{string}",point)
             .completions
@@ -28,10 +28,6 @@ describe Conjur::CLI::Complete do
         it { expects_completions_for('host l').to include 'layers',
                                                           'list' }
       end
-
-      context 'with "conjur rubydsl"' do
-        it { expects_completions_for('rubydsl ').to include 'load' }
-      end
     end
 
     describe 'for deprecated subcommands such as `conjur field`' do
@@ -56,16 +52,6 @@ describe Conjur::CLI::Complete do
              .to include '-f', '--follow', '-l', '--limit=',
                          '-o', '--offset=', '-s', '--short' }
       end
-
-      context 'conjur layer create --as-' do
-        it { expects_completions_for('layer create --as-')
-             .to include '--as-role=' }
-      end
-
-      context 'conjur group create --as-role' do
-        it { expects_completions_for('layer create --as-role')
-             .to contain_exactly '--as-role=' }
-      end
     end
 
     describe 'for arguments' do
@@ -108,10 +94,6 @@ describe Conjur::CLI::Complete do
             it { expects_completions_for('group show ')
                  .to contain_exactly(*groups) }
           end
-          context 'for a flag' do
-            it { expects_completions_for('group create --as-group=')
-                 .to contain_exactly(*groups) }
-          end
         end
 
         context 'with kind "layer"' do
@@ -175,10 +157,6 @@ describe Conjur::CLI::Complete do
     end
 
     describe 'completes mid-line' do
-      it 'completes a subcommand not at the end of a line' do
-        expect(described_class.new('conjur gr create dwarves/7', 9).completions)
-          .to include 'group '
-      end
       it 'tolerates garbage flags and arguments' do
         expect(described_class.new('conjur omg --lol wat pu').completions)
           .to include 'pubkeys '

data/spec/config_spec.rb

@@ -113,8 +113,8 @@ describe Conjur::Config do
 
   describe "#apply" do
     before { 
-      allow_any_instance_of(Conjur::Configuration).to receive(:ensure_cert_readable!) 
       allow(OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE).to receive(:add_file) 
+      allow(File).to receive(:open)
     }
 
     context "ssl_certificate string" do

data/spec/spec_helper.rb

@@ -18,15 +18,16 @@ end
 # stub parameters to be used in resource/asset tests
 KIND="asset_kind"
 ID="unique_id" 
-ROLE='<role>'
 MEMBER='<member>'
 PRIVILEGE='<privilege>'
 OWNER='<owner/userid>'
 ACCOUNT='<core_account>'
+ROLE="#{ACCOUNT}:user:user"
 
 require 'conjur/command/rspec/helpers'
 
 ENV['CONJURRC'] = '/dev/null'
+ENV['CONJUR_ACCOUNT'] = ACCOUNT
 
 require 'conjur/cli'
 require 'conjur/api'
@@ -35,6 +36,8 @@ require 'conjur/complete'
 shared_context "fresh config" do
   before {
     ENV.delete_if do |k,v|
+      next if k == 'CONJUR_ACCOUNT'
+
       k =~ /^CONJUR_/
     end
     
@@ -47,10 +50,6 @@ shared_context "fresh config" do
   }
 end
 
-def invoke_silently
-  STDERR.grab { return invoke }
-end
-
 RSpec::Core::DSL.change_global_dsl do
   def describe_conjurize *argv, &block
     describe *argv do