conjur-cli 6.0.1 → 6.2.3

data/Rakefile

@@ -3,7 +3,6 @@ require "bundler/gem_tasks"
 
 begin
   require 'ci/reporter/rake/rspec'
-  require 'ci/reporter/rake/cucumber'
   require 'cucumber'
   require 'cucumber/rake/task'
   require 'rspec/core/rake_task'

data/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will 
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

data/VERSION

@@ -1 +1 @@
-6.0.1
+6.2.3

data/bin/conjur

@@ -22,5 +22,7 @@
 
 require 'active_support'
 require 'conjur/cli'
-
+if ENV['RAILS_ENV'] == 'development'
+  require 'pry'
+end
 exit Conjur::CLI.run(ARGV)

data/bin/parse-changelog.sh

@@ -0,0 +1,12 @@
+#!/bin/bash -ex
+
+cd "$(dirname "$0")"
+
+docker run --rm \
+  -v "$PWD/..:/work" \
+  -w "/work" \
+  ruby:2.5 bash -ec "
+    gem install -N parse_a_changelog
+    parse ./CHANGELOG.md
+  "
+

data/build-standalone

@@ -1,6 +1,45 @@
 #!/bin/bash -e
 
-# build the cli standalone container image
+IMAGE="cyberark/conjur-cli:latest"
+
+ENV_VARS=(
+  "CONJUR_MAJOR_VERSION=5"
+  "CONJUR_VERSION=5"
+  "PATH=/usr/local/lib/summon:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+)
+
+# Flatten resulting image.
+flatten() {
+  local image="$1"
+  echo "Flattening image '$image'..."
+
+  # Since `--squash` is still experimental, we have to flatten the image
+  # by exporting and importing a container based on the source image. By
+  # doing this though, we lose a lot of the Dockerfile variables that are
+  # required for running the image (ENV, EXPOSE, WORKDIR, etc) so we
+  # manually rebuild them.
+  # See here for more details: https://github.com/moby/moby/issues/8334
+  local container
+  container=$(docker create "$image")
+
+  env_var_params=()
+  for env_var in "${ENV_VARS[@]}"; do
+    env_var_params+=("--change")
+    env_var_params+=("ENV $env_var")
+  done
+
+  docker export "$container" | docker import \
+    "${env_var_params[@]}" \
+    --change 'ENTRYPOINT ["/bin/entry"]' \
+    - "$image"
+  docker rm "$container"
+}
+
+# Build the cli standalone container image
+echo "Building image $IMAGE"
+
 docker build . \
-       -f Dockerfile.standalone \
-       -t cyberark/conjur-cli
+       --file Dockerfile.standalone \
+       --tag "$IMAGE"
+
+flatten "$IMAGE"

data/ci/cli-test.sh

@@ -1,6 +1,10 @@
 #!/bin/bash -ex
 
+# This can run with mounted source directory which is used in different Ruby versions.
+# Since library support is different for different versions, clear out the lock to
+# make sure full gem resolution runs each time.
+rm -f Gemfile.lock
 bundle install
 
 # If we got passed arguments, run that as the test command. Otherwise, run the full suite of tests.
-${@-bundle exec rake jenkins}
+exec ${@-bundle exec rake jenkins}

data/ci/submit-coverage

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eux
+
+DIR="coverage"
+BIN="cc-test-reporter"
+REPORT="${DIR}/.resultset.json"
+
+if [[ ! -e ${REPORT} ]]; then
+    echo "SimpleCov report (${REPORT}) not found"
+    ls -laR ${DIR}
+    exit 1
+fi
+
+if [[ ! -x ${BIN} ]]; then
+    echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
+    ls -laR ${DIR}
+    # report is present but reporter binary is not, definitely a bug, exit error.
+    exit 1
+fi
+
+# Simplecov excludes files not within the current repo, it also needs to
+# be able to read all the files referenced within the report. As the reports
+# are generated in containers, the absolute paths contained in the report
+# are not valid outside that container. This sed fixes the paths
+# So they are correct relative to the Jenkins workspace.
+sed -i -E "s+/src+${WORKSPACE}+g" "${REPORT}"
+
+echo "Coverage reports prepared, submitting to CodeClimate."
+# vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
+
+./${BIN} after-build \
+    --coverage-input-type "simplecov"\
+    --id "${TRID}"
+
+echo "Successfully Reported Coverage Data"

data/ci/test.sh

@@ -11,7 +11,7 @@ unset CONJUR_AUTHN_LOGIN
 
 bundle exec rake jenkins || true
 
-env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY=secret bundle exec cucumber -r acceptance-features/support \
+env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY='ADmin123!!!!' bundle exec cucumber -r acceptance-features/support \
 	-r acceptance-features/step_definitions \
 	-f pretty \
 	-f junit --out acceptance-features/reports \

data/conjur-cli.gemspec

@@ -3,11 +3,11 @@ require File.expand_path('../lib/conjur/version', __FILE__)
 require "English"
 
 Gem::Specification.new do |gem|
-  gem.authors       = ["Rafal Rzepecki", "Kevin Gilpin"]
-  gem.email         = ["rafal@conjur.net", "kgilpin@conjur.net",]
+  gem.authors       = ["Conjur Maintainers"]
+  gem.email         = ["conj_maintainers@cyberark.com",]
   gem.summary       = %q{Conjur command line interface}
-  gem.homepage      = "https://github.com/conjurinc/cli-ruby"
-  gem.license       = 'MIT'
+  gem.homepage      = "https://github.com/cyberark/conjur-cli"
+  gem.license       = 'Apache 2.0'
 
   gem.files         = (`git ls-files`.split($OUTPUT_RECORD_SEPARATOR)
                                      .select { |x| x !~ /^Dockerfile/ }
@@ -18,24 +18,26 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.version       = Conjur::VERSION
 
+  # Filter out development only executables
+  gem.executables -= %w{parse-changelog.sh}
+
   gem.add_dependency 'activesupport', '>= 4.2', '< 6'
-  gem.add_dependency 'conjur-api', '~> 5.0'
+  gem.add_dependency 'conjur-api', '~> 5.3'
+  gem.add_dependency 'deep_merge', '~> 1.0'
   gem.add_dependency 'gli', '>=2.8.0'
   gem.add_dependency 'highline', '~> 1.7'
   gem.add_dependency 'netrc', '~> 0.10'
-  gem.add_dependency 'deep_merge', '~> 1.0'
-  gem.add_dependency 'xdg', '~> 2.2'
   gem.add_dependency 'table_print', '~> 1.5'
+  gem.add_dependency 'xdg', '= 2.2.3'
 
-  gem.add_development_dependency 'rspec', '~> 3.0'
-  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'addressable'
   gem.add_development_dependency 'aruba', '~> 0.12'
   gem.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
-  gem.add_development_dependency 'ci_reporter_cucumber', '~> 1.0'
-  gem.add_development_dependency 'rake', '~> 10.0'
+  gem.add_development_dependency 'cucumber-api'
   gem.add_development_dependency 'io-grab', '~> 0.0'
   gem.add_development_dependency 'json_spec'
-  gem.add_development_dependency 'cucumber-api'
-  gem.add_development_dependency 'addressable'
   gem.add_development_dependency 'pry-byebug'
+  gem.add_development_dependency 'rake', '~> 12.3.3'
+  gem.add_development_dependency 'rspec', '~> 3.0'
+  gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
 end

data/dev/docker-compose.yml

@@ -17,6 +17,7 @@ services:
     entrypoint: sleep
     command: infinity
     environment:
+      RAILS_ENV: development
       CONJUR_APPLIANCE_URL: http://conjur
       CONJUR_ACCOUNT: cucumber
     working_dir: /src/conjur-cli

data/dev/start.sh

@@ -1,15 +1,35 @@
-#!/bin/bash -ex
+#!/bin/bash
+set -ex
 
 export COMPOSE_PROJECT_NAME=clirubydev
 
 docker-compose build
 
 if [ ! -f data_key ]; then
-	echo "Generating data key"
-	docker-compose run --no-deps --rm conjur data-key generate > data_key
+  echo "Generating data key"
+  docker-compose pull
+  docker-compose run --no-deps --rm conjur data-key generate > data_key
 fi
 
-export POSSUM_DATA_KEY="$(cat data_key)"
+export CONJUR_DATA_KEY="$(cat data_key)"
 
 docker-compose up -d
+docker-compose exec conjur conjurctl wait
+
+apikey=$(docker-compose exec conjur \
+  conjurctl role retrieve-key cucumber:user:admin)
+
+set +x
+echo ''
+echo ''
+echo '=============== LOGIN WITH THESE CREDENTIALS ==============='
+echo ''
+echo 'username: admin'
+echo "api key : ${apikey}"
+echo ''
+echo '============================================================'
+echo ''
+echo ''
+set -x
+
 docker-compose exec cli bash

data/docker-compose.yml

@@ -6,7 +6,7 @@ services:
   conjur:
     image: cyberark/conjur
     command: server -a cucumber
-    depends_on: 
+    depends_on:
       - pg
     environment:
       - CONJUR_DATA_KEY
@@ -25,6 +25,7 @@ services:
       - CONJUR_ACCOUNT=cucumber
       - CONJUR_AUTHN_LOGIN=admin
       - CONJUR_AUTHN_API_KEY
+      - RUBY_VERSION=${RUBY_VERSION}
     volumes:
       - .:/src
 

data/features/authorization/resource/check.feature

@@ -33,6 +33,12 @@ Feature: Checking permissions on a resource
       kind: job
       id: cook
 
+    - !grant
+      role: !role
+        kind: job
+        id: cook
+      member: !user admin
+
     - !permit
       role: !role
         kind: job

data/features/authorization/resource/exists.feature

@@ -18,11 +18,18 @@ Feature: Test the existence of a resource
   Scenario: Even foreign user can check existence of a resource 
     Given I load the policy:
     """
-    - !resource
-      kind: food
-      id: bacon
+    - &resources
+      - !resource
+        kind: food
+        id: bacon
 
     - !user alice
+
+    - !permit
+      role: !user alice
+      privileges:
+        - read
+      resources: *resources
     """
     And I login as "alice"
     And I reset the command list

data/features/hostfactory/tokens.feature

@@ -18,5 +18,5 @@ Feature: Host factory tokens
   Scenario: create a host using a token
     When I successfully run `conjur hostfactory tokens create myapp`
     And I keep the JSON response at "0/token" as "TOKEN"
-    Then I successfully run `conjur hostfactory hosts create %{TOKEN} host-01`
+    Then I use it to successfully run `conjur hostfactory hosts create %{TOKEN} host-01`
     And the JSON should have "api_key"

data/features/pubkeys/show.feature

@@ -12,7 +12,3 @@ Feature: Show public keys for a user
   Scenario: After adding a key, the key is shown
     When I run `conjur pubkeys show alice`
     And the output should match /^ssh-rsa .* laptop$/
-
-  Scenario: Public keys can be listed using cURL, without authentication
-    When I successfully run `curl -k $conjur_url/public_keys/cucumber/user/alice`
-    Then the output should match /^ssh-rsa .* laptop$/

data/features/step_definitions/authn_steps.rb

@@ -1,5 +1,5 @@
 Then(/^I(?: can)? type and confirm a new password/) do
-  @password = SecureRandom.hex(12)
+  @password = "SEcret12!!!!"
   step %Q(I type "#{@password}")
   step %Q(I type "#{@password}")
   step "the exit status should be 0"

data/features/step_definitions/cli_steps.rb

@@ -1,22 +1,3 @@
-Transform /\$ns/ do |s|
-  s.gsub('$ns', namespace)
-end
-
-Transform /\$user_role/ do |s|
-  s.gsub('$user_role', test_user.role_id)
-end
-
-Transform /^table:/ do |table|
-  table.tap do |t|
-    t.hashes.each do |row|
-      row.each do |_,v|
-        v.gsub!('$ns', namespace)
-        v.gsub!('$user_role', test_user.role_id)
-      end
-    end
-  end
-end
-
 When /^the command completes successfully/ do
   last_command_started.wait
   last_command_started.terminate

data/features/step_definitions/overrides.rb

@@ -1,9 +1,7 @@
 # Use a json_spec style memorized value as an environment variable
-When /I set the environment variable "(.*)" to memorized value "(.*)"/ do |key, value|
+When /I use it to (.*)/ do |statement|
   JsonSpec.memory.each do |k,v|
-    # JSON parser doesn't function properly on a JSON encoded string
-    v = v[1...-1] if v[0] == '"'
-    value.gsub! "%{#{k}}", v
+    statement = statement.gsub("%{#{k}}", v)
   end
-  set_environment_variable key, value
+  step "I #{statement}"
 end

data/features/support/env.rb

@@ -6,7 +6,9 @@ require 'aruba/cucumber'
 require 'json_spec/cucumber'
 require 'simplecov'
 
-SimpleCov.start
+SimpleCov.start do
+  command_name "#{ENV['RUBY_VERSION']}"
+end
 
 ENV['CONJUR_APPLIANCE_URL'] ||= 'http://localhost/api/v6'
 ENV['CONJUR_ACCOUNT'] ||= 'cucumber'

data/features/support/hooks.rb

@@ -4,17 +4,6 @@ Aruba.configure do |config|
   config.io_wait_timeout = 2
 end
 
-Transform /\$conjur_url/ do |statement|
-  statement.gsub "$conjur_url", Conjur.configuration.appliance_url
-end
-
-Transform /\%\{\w+\}/ do |statement|
-  JsonSpec.memory.each do |k,v|
-    statement = statement.gsub("%{#{k}}", v)
-  end
-  statement
-end
-
 Before('@conjurapi-log') do
   set_env 'CONJURAPI_LOG', 'stderr'
 end

data/lib/conjur/cli.rb

@@ -25,9 +25,7 @@ require 'active_support/deprecation'
 require 'xdg'
 require 'fileutils'
 
-# this makes mime/types gem load much faster by lazy loading
-# mime types and caching them in binary form
-ENV['RUBY_MIME_TYPES_LAZY_LOAD'] ||= 'true'
+# this makes mime/types gem load much faster by caching them in binary form
 ENV['RUBY_MIME_TYPES_CACHE'] ||= (
   XDG['CACHE'].to_path.tap(&FileUtils.method(:mkdir_p)) + 'ruby-mime-types.cache'
 ).to_s
@@ -93,6 +91,9 @@ module Conjur
         apply_config
         load_plugins
         commands_from 'conjur/command'
+      rescue => ex
+        stderr.puts "error: #{ex.message}"
+        raise if ENV['GLI_DEBUG'] == 'true'
       end
 
       def appliance_version