conjur-cli 6.1.0 → 6.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0533b1c7e9164260ba4a86d41004a71811d24b034230909cbcb6967cc8ac71e5
-  data.tar.gz: 305ee4fc8b00b049b65eb7bd8742bd69d4bf41716c926291f21801b2139ce8f5
+  metadata.gz: f36460d10d570d5ff2a54a398d29306fe1219fafb7ba2840ae6ddf58c49371ba
+  data.tar.gz: ea60423bdea6801c241156bc4a286f198fdc1540aa3688b127ce5ead8e7c293b
 SHA512:
-  metadata.gz: f4bdae507abdcb0032bb312bbdba75fb5e6f94bc5292cfe773ee2ca691951ca3fe3616018b54bd9993e2d1f45bcb7ce5c7d87f9884f1d16e0d73e4dc238bddb3
-  data.tar.gz: 4a2d081ada6358818ec5b1607600e5b841e8d85bb3299da4fc9107a13bfc25700ebe72a1fbb3ac05b7b3dbf09834ec76b38df50def439292f958c5025bd4346a
+  metadata.gz: 5461e4818f8b51ec34099e488e58b37722e592b1238ab7ce275935710b25890fd4ba1cbe5a464b74e7fedafdbc21320ab4fa206871cfbad124473c74ed3c79a0
+  data.tar.gz: 6691b092ec9669c544234ac0f47449d915b0cbcae2562b5133b32378ea591c3987a716fa22daa8370b71e0e3988b9eda7a621f8062e9b32068f25c45acb05b31

data/CHANGELOG.md

@@ -1,11 +1,25 @@
-# 6.0.1
+# 6.2.0
+
+* Add `ldap-sync` subcommand.
+
+# 6.1.1
+
+* No longer displaying error stack traces by default when an exception occurs duing CLI
+  initialization (e.g when trying to open a missing conjur certificate file). Stack traces
+  can be enabled for all errors in the CLI by setting the environment variable `GLI_DEBUG=true`.
+
+# [6.1.0](https://github.com/cyberark/conjur-cli/releases/tag/v6.1.0)
+
+* Pin dependency 'conjur-api' to '~> 5.1'. This update adds authn-local support to the API. [conjur-api PR #131](https://github.com/cyberark/conjur-api-ruby/pull/131)
+
+# [6.0.1](https://github.com/cyberark/conjur-cli/releases/tag/v6.0.1)
 
 * Pushes to `cyberark/conjur-cli:5` on DockerHub when tests pass
 * Use SNI when fetching certificate with `conjur init`.
 * Correctly specify dependency versions in gemspec.
 * Allow ActiveSupport v5 as a dependency.
 
-# 6.0.0
+# [6.0.0](https://github.com/cyberark/conjur-cli/releases/tag/v6.0.0)
 
 * Provides compatibility with [cyberark/conjur](https://github.com/cyberark/conjur), Conjur 5 CE.
 * License changed to Apache 2.0.
@@ -14,196 +28,3 @@
 
 [v4-branch]: https://github.com/cyberark/conjur-cli/tree/v4
 [v4-changelog]: https://github.com/cyberark/conjur-cli/blob/v4/CHANGELOG.md
-
-# 5.3.0
-
-* Add `jobs` subcommands for `ldap-sync`.
-* Add `--detach` switch to `now` subcommand.
-* Relax dependency gem versions.
-
-# 5.2.5
-
-* Fix behavior of `conjur env` when [policy plugin](https://github.com/conjurinc/conjur-asset-policy) is installed.
-
-# 5.2.4
-
-* Fix behavior of `conjur env`, when detecting variables vs literals
-
-# 5.2.3
-
-* Disable prompts in bootstrap when there's no tty
-* Bump api-ruby, fixes 404 core bug
-
-# 5.2.1
-
-* Fix handling of `ldap-sync` dry-run argument.
-
-# 5.2.0
-
-* Add `ldap-sync` management commands (requires Conjur 4.7 or later).
-* Use `CONJUR_AUTHN_TOKEN` as the Conjur access token, if it's available in the environment.
-* `conjurize` will ignore `conjur` cookbook releases that don't have an associated tarball.
-* Pass `--recipe-url` argument to Chef, which is now required.
-
-# 5.1.2
-
-* Fix problem finding config files for plugin installation.
-
-# 5.1.1
-
-* Global CLI plugin config is now stored in `/opt/conjur/etc/plugins.yml`.
-
-# 5.0.0
-
-* **Breaking change** Ruby Policy DSL is now deprecated in favor of 
-[new YML policy markup](https://developer.conjur.net/reference/policy-markup.html).
-The existing `policy` subcommand has been moved to the `rubydsl` subcommand. 
-The new `policy` command operates on YML policies.
-* Created a new non-Omnibus Debian packaging of the Ruby gems.
-
-# 4.30.1
-
-* Fix the `conjur-api` gem dependency version
-
-# 4.30.0
-
-* Implementation of `conjur bootstrap` is moved to the API gem, and made extensible.
-* Added new steps to `conjur bootstrap`, including the creation of service identities, and giving `elevate` and `reveal` to the `security_admin` group.
-* `hostfactory create` verifies that the current role is able to admin the host factory group; otherwise, host factory creation will fail.
-
-# 4.29.0
-* Add `conjur host rotate_api_key` command.
-* Add `conjur version` (as well as `conjur server version`) command to show server version info.
-* Add `conjur server health` and `conjur server info` to display server health and info.
-* Add `conjur version` (as well as `conjur server version`) command to show server version info.
-* Add `conjur server health` and `conjur server info` to display server health and info.
-* Check server version compatibility if exception occurs and command has configured minimum version
-* Add `conjur layer retire` to allow retiring a layer.
-* Add `cidr` commands to `user`, `host`, and `hostfactory token`
-* Move `audit send` and `host factory` commands from plugins into the core CLI
-* Add `variable expire` and `variable expirations` subcommands. Variable expirations is available in version 4.6 of the Conjur server.
-* Add `--json` option to `conjurize` to print the Conjur configuration and host identity as a JSON file
-* Require `--layer` argument to `hostfactory create`, ensure that the owner is an admin of the layer.
-
-# 4.28.2
-* `--collection` is now optional (with no default) for both `conjur script execute` and `conjur policy load`.
-
-# 4.28.1
-* Add `--collection` option for `conjur script execute`. Scripts are now portable across environments, like policies.
-
-# 4.28.0
-* Add `conjur policy retire` to allow retiring a policy.
-* Fix `--as-group` and `--as-role` options for `conjur policy load`. Either can now be used to specify ownership of the policy.
-* Fix `--follow` option for `conjur audit`.
-* Remove support for per-project `.conjurrc` files.
-
-# 4.27.0
-
-* New commands `elevate` and `reveal` for execution of privileged commands on Conjur 4.5+.
-
-# 4.26.0
-
-* New implementation of bash completions.
-
-# 4.25.2
-* Fixes a conflict with RVM: Sets `GEM_HOME` and `GEM_PATH to nil.
-
-# 4.25.1
-
-* Remove spurious line written to stdout during user creation.
-* Fix up-front permission checking in `conjur bootstrap` so that it will run on a fresh server.
-
-# 4.25.0
-
-* A record can be retired to a specific role, in addition to the default behavior of retiring to the `attic` user.
-* Variable can be created with the id only, without becoming interactive.
-* Run `conjur variable create -i -a` to create interactively with annotations.
-* Interactive annotation can be performed on bare resources with `conjur resource annotate -i`.
-* Don't require 'admin' user to bootstrap, prompt to create a new security admin during bootstrap.
-* Check if user privileges are sufficient before running `retire`.
-* Don't revoke a user's access to a record in the middle of retire, because doing so leads to 403 errors later on.
-* Interactive mode of user, group and pubkey creation.
-
-# 4.24.0
-
-* Interactive mode for variable creation.
-
-# 4.23.0
-
-* Don't check if netrc is world-readable on Windows, since the answer is not reliable.
-* Use new [conjur](https://supermarket.chef.io/cookbooks/conjur) cookbook for conjurize.
-* Fix faulty initialization of plugins list, if it's nil, in the .conjurrc.
-* Log DSL commands to stderr, even if CONJURAPI_LOG is not explicitly configured.
-* In policy DSL, allow creation of records without an explicit `id`. In this case, the current scope is used as the `id`.
-
-# 4.22.0
-
-* New 'plugin' subcommand to manage CLI plugins.
-* Configure SSL certificate from Conjur.configuration.
-* Print the error message if there's a problem loading a plugin.
-
-# 4.21.1
-
-* Configure trust to the new certificate in `conjur init`, before attempting to contact the Conjur server.
-
-# 4.21.0
-
-* Use user cache dir for mimetype cache.
-* Retrieve the whole certificate chain on conjur init.
-
-# 4.20.1
-
-* Improve the error reporting.
-
-# 4.20.0
-
-* GID manipulation commands.
-
-# 4.19.0
-
-* Add command `conjur role graph` for batch retrieval of role relationships.
-
-# 4.18.5
-
-* Bump conjur-api version to mime-types problem
-
-# 4.18.4
-
-* Revert "Find (and store) credentials by only a hostname as the machine in netrc"
-
-# 4.18.3
-
-* Use the latest conjur-ssh cookbook version for conjurize
-
-# 4.18.2
-
-* Require a recent version of netrc
-* Complain if netrc is world readable
-* Find (and store) credentials by only a hostname as the machine in netrc
-* Make the command start up faster by lazy loading some gems
-* `authn whoami` will notice if the user is logged in via env vars
-* `conjurize` default conjur-ssh cookbook updated to 1.2.2
-
-# 4.18.0
-
-* New `conjurize` command
-* Deprecate the `host enroll` command
-* `variable create` command now takes an optional value for the variable after the variable id
-* Configure "permissive" netrc to allow the `conjur` Unix group to read the `.netrc` or `conjur.identity` file.
-
-# 4.17.0
-
-* Support --policy parameter in `conjur env`
-* Bugfix: failures on 'variable retire'
-* Raise a better error in case of missing config
-
-# 4.16.0
-
-* Add 'bootstrap' CLI command
-* Raise a better error if conjur env encounters a variable with no value
-
-# 4.15.0
-
-* Migration to rspec 3
-* Commands to retire(decommission) variable, host, user, group
-* Bugfix (in some situations `conjur init` logged config file location incorrectly)

data/Jenkinsfile

@@ -54,32 +54,33 @@ pipeline {
 
       when {
         expression { currentBuild.resultIsBetterOrEqualTo('SUCCESS') }
-        // expression {
-        //   def exitCode = sh returnStatus: true, script: ''' set +x
-        //     echo "Determining if publishing is requested..."
-        //
-        //     VERSION=`cat lib/conjur/version.rb | grep \'VERSION\\s*=\' | sed -e "s/.*\'\\(.*\\)\'.*/\\1/"`
-        //     echo Declared version: $VERSION
-        //
-        //     # Jenkins git plugin is broken and always fetches with `--no-tags`
-        //     # (or `--tags`, neither of which is what you want), so tags end up
-        //     # not being fetched. Try to fix that.
-        //     # (Unfortunately this fetches all remote heads, so we may have to find
-        //     # another solution for bigger repos.)
-        //     git fetch -q
-        //
-        //     # note when tag not found git rev-parse will just print its name
-        //     # TAG=`git rev-parse tags/v$VERSION 2>/dev/null || :`
-        //     TAG=`git rev-list -n 1 "v$VERSION 2>/dev/null || :`
-        //     echo Tag v$VERSION: $TAG
-        //
-        //     HEAD=`git rev-parse HEAD`
-        //     echo HEAD: $HEAD
-        //
-        //     test "$HEAD" = "$TAG"
-        //   '''
-        //   return exitCode == 0
-        // }
+        branch "master"
+        expression {
+          def exitCode = sh returnStatus: true, script: ''' set +x
+            echo "Determining if publishing is requested..."
+
+            VERSION=`cat lib/conjur/version.rb | grep \'VERSION\\s*=\' | sed -e "s/.*\'\\(.*\\)\'.*/\\1/"`
+            echo Declared version: $VERSION
+
+            # Jenkins git plugin is broken and always fetches with `--no-tags`
+            # (or `--tags`, neither of which is what you want), so tags end up
+            # not being fetched. Try to fix that.
+            # (Unfortunately this fetches all remote heads, so we may have to find
+            # another solution for bigger repos.)
+            git fetch -q
+
+            # note when tag not found git rev-parse will just print its name
+            # TAG=`git rev-parse tags/v$VERSION 2>/dev/null || :`
+            TAG=`git rev-list -n 1 "v$VERSION" 2>/dev/null || :`
+            echo Tag v$VERSION: $TAG
+
+            HEAD=`git rev-parse HEAD`
+            echo HEAD: $HEAD
+
+            test "$HEAD" = "$TAG"
+          '''
+          return exitCode == 0
+        }
       }
       steps {
         // Clean up first

data/VERSION

@@ -1 +1 @@
-6.1.0
+6.1.1

data/conjur-cli.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |gem|
   gem.version       = Conjur::VERSION
 
   gem.add_dependency 'activesupport', '>= 4.2', '< 6'
-  gem.add_dependency 'conjur-api', '~> 5.1'
+  gem.add_dependency 'conjur-api', '~> 5.3'
   gem.add_dependency 'gli', '>=2.8.0'
   gem.add_dependency 'highline', '~> 1.7'
   gem.add_dependency 'netrc', '~> 0.10'

data/features/authorization/resource/check.feature

@@ -33,6 +33,12 @@ Feature: Checking permissions on a resource
       kind: job
       id: cook
 
+    - !grant
+      role: !role
+        kind: job
+        id: cook
+      member: !user admin
+
     - !permit
       role: !role
         kind: job

data/features/authorization/resource/exists.feature

@@ -18,11 +18,18 @@ Feature: Test the existence of a resource
   Scenario: Even foreign user can check existence of a resource 
     Given I load the policy:
     """
-    - !resource
-      kind: food
-      id: bacon
+    - &resources
+      - !resource
+        kind: food
+        id: bacon
 
     - !user alice
+
+    - !permit
+      role: !user alice
+      privileges:
+        - read
+      resources: *resources
     """
     And I login as "alice"
     And I reset the command list

data/lib/conjur/cli.rb

@@ -93,6 +93,9 @@ module Conjur
         apply_config
         load_plugins
         commands_from 'conjur/command'
+      rescue => ex
+        stderr.puts "error: #{ex.message}"
+        raise if ENV['GLI_DEBUG'] == 'true'
       end
 
       def appliance_version

data/lib/conjur/command/ldap_sync.rb

@@ -0,0 +1,37 @@
+require 'conjur/command'
+
+class Conjur::Command::LDAPSync < Conjur::Command
+  desc 'LDAP sync management commands'
+  command :'ldap-sync' do |cgrp|
+
+    cgrp.desc 'Manage the policy used to sync Conjur and the LDAP server'
+    cgrp.command :policy do |policy|
+
+      policy.desc 'Show the current policy'
+      policy.command :show do |show|
+
+        show.desc 'LDAP Sync profile to use (defined in UI)'
+        show.arg_name 'profile'
+        show.flag ['p', 'profile'], default_value: 'default'
+
+        show.action do |_,options,_|
+          begin
+            resp = api.ldap_sync_policy(config_name: options[:profile])
+            
+            if (policy = resp['policy'])
+              if resp['ok']
+                puts(policy)
+              else
+                exit_now! 'Failed creating the policy.'
+              end
+            else
+              exit_now! resp['error']['message']
+            end
+          rescue RestClient::ResourceNotFound => ex
+            exit_now! "LDAP sync is not supported by the server #{Conjur.configuration.appliance_url}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = '6.1.0'
+  VERSION = '6.2.0'
   ::Version=VERSION
 end

data/spec/command/init_spec.rb

@@ -1,35 +1,48 @@
 require 'spec_helper'
 require 'highline'
 
-GITHUB_FP = "SHA1 Fingerprint=D7:9F:07:61:10:B3:92:93:E3:49:AC:89:84:5B:03:80:C1:9E:2F:8B"
+GITHUB_FP = "SHA1 Fingerprint=CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84"
 GITHUB_CERT = <<EOF
 -----BEGIN CERTIFICATE-----
-MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
+MIIHQjCCBiqgAwIBAgIQCgYwQn9bvO1pVzllk7ZFHzANBgkqhkiG9w0BAQsFADB1
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
-ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowdTEL
-MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
-LmRpZ2ljZXJ0LmNvbTE0MDIGA1UEAxMrRGlnaUNlcnQgU0hBMiBFeHRlbmRlZCBW
-YWxpZGF0aW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBANdTpARR+JmmFkhLZyeqk0nQOe0MsLAAh/FnKIaFjI5j2ryxQDji0/XspQUY
-uD0+xZkXMuwYjPrxDKZkIYXLBxA0sFKIKx9om9KxjxKws9LniB8f7zh3VFNfgHk/
-LhqqqB5LKw2rt2O5Nbd9FLxZS99RStKh4gzikIKHaq7q12TWmFXo/a8aUGxUvBHy
-/Urynbt/DvTVvo4WiRJV2MBxNO723C3sxIclho3YIeSwTQyJ3DkmF93215SF2AQh
-cJ1vb/9cuhnhRctWVyh+HA1BV6q3uCe7seT6Ku8hI3UarS2bhjWMnHe1c63YlC3k
-8wyd7sFOYn4XwHGeLN7x+RAoGTMCAwEAAaOCAUkwggFFMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-BQcDAjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
-Z2ljZXJ0LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2Vy
-dC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2
-MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
-b20vQ1BTMB0GA1UdDgQWBBQ901Cl1qCt7vNKYApl0yHU+PjWDzAfBgNVHSMEGDAW
-gBSxPsNpA/i/RwHUmCYaCALvY2QrwzANBgkqhkiG9w0BAQsFAAOCAQEAnbbQkIbh
-hgLtxaDwNBx0wY12zIYKqPBKikLWP8ipTa18CK3mtlC4ohpNiAexKSHc59rGPCHg
-4xFJcKx6HQGkyhE6V6t9VypAdP3THYUYUN9XR3WhfVUgLkc3UHKMf4Ib0mKPLQNa
-2sPIoc4sUqIAY+tzunHISScjl2SFnjgOrWNoPLpSgVh5oywM395t6zHyuqB8bPEs
-1OG9d4Q3A84ytciagRpKkk47RpqF/oOi+Z6Mo8wNXrM9zwR4jxQUezKcxwCmXMS1
-oVWNWlZopCJwqjyBcdmdqEU79OX2olHdx3ti6G8MdOu42vi/hw15UJGQmxg7kVkn
-8TUoE6smftX3eg==
+d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
+IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE4MDUwODAwMDAwMFoXDTIwMDYwMzEy
+MDAwMFowgccxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
+BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
+Ewc1MTU3NTUwMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG
+A1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHViLCBJbmMuMRMwEQYD
+VQQDEwpnaXRodWIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+xjyq8jyXDDrBTyitcnB90865tWBzpHSbindG/XqYQkzFMBlXmqkzC+FdTRBYyneZ
+w5Pz+XWQvL+74JW6LsWNc2EF0xCEqLOJuC9zjPAqbr7uroNLghGxYf13YdqbG5oj
+/4x+ogEG3dF/U5YIwVr658DKyESMV6eoYV9mDVfTuJastkqcwero+5ZAKfYVMLUE
+sMwFtoTDJFmVf6JlkOWwsxp1WcQ/MRQK1cyqOoUFUgYylgdh3yeCDPeF22Ax8AlQ
+xbcaI+GwfQL1FB7Jy+h+KjME9lE/UpgV6Qt2R1xNSmvFCBWu+NFX6epwFP/JRbkM
+fLz0beYFUvmMgLtwVpEPSwIDAQABo4IDeTCCA3UwHwYDVR0jBBgwFoAUPdNQpdag
+re7zSmAKZdMh1Pj41g8wHQYDVR0OBBYEFMnCU2FmnV+rJfQmzQ84mqhJ6kipMCUG
+A1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRodWIuY29tMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0
+oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItZXYtc2VydmVyLWcy
+LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItZXYtc2Vy
+dmVyLWcyLmNybDBLBgNVHSAERDBCMDcGCWCGSAGG/WwCATAqMCgGCCsGAQUFBwIB
+FhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAcGBWeBDAEBMIGIBggrBgEF
+BQcBAQR8MHowJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBS
+BggrBgEFBQcwAoZGaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0
+U0hBMkV4dGVuZGVkVmFsaWRhdGlvblNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA
+MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY
+BPkb37jjd80OyA3cEAAAAWNBYm0KAAAEAwBHMEUCIQDRZp38cTWsWH2GdBpe/uPT
+Wnsu/m4BEC2+dIcvSykZYgIgCP5gGv6yzaazxBK2NwGdmmyuEFNSg2pARbMJlUFg
+U5UAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAWNBYm0tAAAE
+AwBHMEUCIQCi7omUvYLm0b2LobtEeRAYnlIo7n6JxbYdrtYdmPUWJQIgVgw1AZ51
+vK9ENinBg22FPxb82TvNDO05T17hxXRC2IYAdgC72d+8H4pxtZOUI5eqkntHOFeV
+CqtS6BqQlmQ2jh7RhQAAAWNBYm3fAAAEAwBHMEUCIQChzdTKUU2N+XcqcK0OJYrN
+8EYynloVxho4yPk6Dq3EPgIgdNH5u8rC3UcslQV4B9o0a0w204omDREGKTVuEpxG
+eOQwDQYJKoZIhvcNAQELBQADggEBAHAPWpanWOW/ip2oJ5grAH8mqQfaunuCVE+v
+ac+88lkDK/LVdFgl2B6kIHZiYClzKtfczG93hWvKbST4NRNHP9LiaQqdNC17e5vN
+HnXVUGw+yxyjMLGqkgepOnZ2Rb14kcTOGp4i5AuJuuaMwXmCo7jUwPwfLe1NUlVB
+Kqg6LK0Hcq4K0sZnxE8HFxiZ92WpV2AVWjRMEc/2z2shNoDvxvFUYyY1Oe67xINk
+myQKc+ygSBZzyLnXSFVWmHr3u5dcaaQGGAR42v6Ydr4iL38Hd4dOiBma+FXsXBIq
+WUjbST4VXmdaol7uzFMojA4zkxQDZAvF5XgJlAFadfySna/teik=
 -----END CERTIFICATE-----
 EOF
 

data/spec/command/ldap_sync_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+describe Conjur::Command::LDAPSync, logged_in: true do
+  let (:policy_response) { { 'ok' => true, 'events' => [], 'policy' => <<eop
+"---
+- !user
+  annotations:
+    ldap-sync/source: ldap-server:389
+    ldap-sync/upstream-dn: CN=Administrator,OU=functest,OU=testdata,OU=dev-ci,DC=dev-ci,DC=conjur
+  id: Administrator
+  uidnumber:"}
+eop
+  }
+}
+
+  describe_command "ldap-sync policy show" do
+
+    context "on a server that supports LDAP sync" do
+      before do 
+        expect_any_instance_of(Conjur::API).to receive(:ldap_sync_policy).with(config_name: 'default').and_return policy_response
+      end
+      
+      it "shows the policy" do
+        expect { invoke }.to write policy_response['policy']
+      end
+    end
+
+    context "on a server that doesn't support LDAP sync" do
+      before do
+        expect_any_instance_of(Conjur::API).to receive(:ldap_sync_policy).and_raise(RestClient::ResourceNotFound)
+      end
+
+      it "shows an error message" do
+        expect {invoke}.to raise_error(GLI::CustomExit, /LDAP sync is not supported by the server/)
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 6.1.0
+  version: 6.2.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-06 00:00:00.000000000 Z
+date: 2018-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -37,14 +37,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '5.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.1'
+        version: '5.3'
 - !ruby/object:Gem::Dependency
   name: gli
   requirement: !ruby/object:Gem::Requirement
@@ -372,6 +372,7 @@ files:
 - lib/conjur/command/host_factories.rb
 - lib/conjur/command/hosts.rb
 - lib/conjur/command/init.rb
+- lib/conjur/command/ldap_sync.rb
 - lib/conjur/command/plugin.rb
 - lib/conjur/command/policies.rb
 - lib/conjur/command/pubkeys.rb
@@ -398,6 +399,7 @@ files:
 - spec/command/authn_spec.rb
 - spec/command/hosts_spec.rb
 - spec/command/init_spec.rb
+- spec/command/ldap_sync_spec.rb
 - spec/command/pubkeys_spec.rb
 - spec/command/resources_spec.rb
 - spec/command/roles_spec.rb
@@ -471,6 +473,7 @@ test_files:
 - spec/command/authn_spec.rb
 - spec/command/hosts_spec.rb
 - spec/command/init_spec.rb
+- spec/command/ldap_sync_spec.rb
 - spec/command/pubkeys_spec.rb
 - spec/command/resources_spec.rb
 - spec/command/roles_spec.rb