conjur-cli 4.16.0 → 4.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7841ac532c814a5dbbcb6ac87ea78ab2e72f6e7a
-  data.tar.gz: 438f120d06064aa3fc2fbe4e8e59918629ac8ddc
+  metadata.gz: 432110704aeb067fe4daed4e19defb8bcfce73ba
+  data.tar.gz: e515bff89602f42ec641655ff89724f8ce0402c8
 SHA512:
-  metadata.gz: 8b9798edb33f962ed5cb1955aadd23e68a68bcf845e5e365280438596bafe7337706e2d650d8e8653f82cf407ce328d2b300ea5ba2b146817fc863183b22b295
-  data.tar.gz: 1883d777e70a3ae5d53d3129f7779b948b3b86a88364923d6f81a2e19bd47dfa173133925cb4a9c426f2d0abcfb774e4ce29272d7ffaecf89e37145512b76c4c
+  metadata.gz: f79560aa69622e389202e12ce79d328e5d61d055dfea15660503c5684de9b9a031843d8a219f1b68e563db8fa53a7456e745cdcc5d29cf46dc23c747c767f7b3
+  data.tar.gz: 6d0045244faab16cd1bd009ac9b1252a6d1ef950aec5bfa266531189d7109513250da60014a4037e89fbf63477ffdc02994e68f42c80888f759493e9b383dd70

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+# 4.17.0
+
+* Support --policy parameter in 'conjur env'
+* Bugfix: failures on 'variable retire'
+* Raise a better error in case of missing config
+
 # 4.16.0
 
 * Add 'bootstrap' CLI command

data/conjur.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |gem|
   
   gem.add_development_dependency 'rspec', '~> 3.0'
   gem.add_development_dependency 'simplecov'
-  gem.add_development_dependency 'aruba'
+  gem.add_development_dependency 'aruba', '~> 0.6.1'
   gem.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
   gem.add_development_dependency 'ci_reporter_cucumber'
   gem.add_development_dependency 'rake', '~> 10.0'

data/lib/conjur/command.rb

@@ -104,7 +104,7 @@ module Conjur
         obj.resource.attributes['permissions'].each do |p|
           role = api.role(p['role'])
           privilege = p['privilege']
-          next if role.roleid == obj.roleid && privilege == 'read'
+          next if obj.respond_to?(:roleid) && role.roleid == obj.roleid && privilege == 'read'
           puts "Denying #{privilege} privilege to #{role.roleid}"
           obj.resource.deny(privilege, role)
         end

data/lib/conjur/command/env.rb

@@ -35,6 +35,9 @@ class Conjur::Command::Env < Conjur::Command
     
     c.desc "Environment configuration as inline yaml"
     c.flag ["yaml"]
+
+    c.desc "Policy id to substitute for $policy in the YAML values"
+    c.flag ["policy"]
   end
 
   def self.get_env_object options
@@ -42,12 +45,13 @@ class Conjur::Command::Env < Conjur::Command
       exit_now! "Options -c and --yaml can not be provided together"
     end
 
-    env = if options[:yaml] 
-            Conjur::Env.new(yaml: options[:yaml])
-          else
-            Conjur::Env.new(file: (options[:c]||'.conjurenv'))
-          end
-    return env
+    env_options = if options[:yaml] 
+      { yaml: options[:yaml]}
+    else
+      { file: (options[:c]||'.conjurenv') }
+    end
+    env_options[:substitutions] = { "$policy" => options[:policy] } if options[:policy]
+    Conjur::Env.new env_options
   end
 
   command :env do |env|
@@ -132,7 +136,6 @@ TEMPLATEDESC
         conjurenv = env.obtain(api)  # needed for binding
         rendered = ERB.new(template).result(binding)
 
-        # 
         tempfile = if File.directory?("/dev/shm") and File.writable?("/dev/shm")
                       Tempfile.new("conjur","/dev/shm")
                    else

data/lib/conjur/config.rb

@@ -52,6 +52,7 @@ module Conjur
       def load(config_files = default_config_files)
         require 'yaml'
         require 'conjur/log'
+
         config_files.each do |f|
           if File.file?(f)
             if Conjur.log
@@ -66,8 +67,10 @@ module Conjur
         end
       end
 
+
       def apply
         require 'conjur/configuration'
+
         keys = Config.keys.dup
         keys.delete(:plugins)
 
@@ -88,7 +91,10 @@ module Conjur
             require 'conjur/api'
             Conjur.log << "Using authn host #{Conjur::Authn::API.host}\n"
           rescue RuntimeError
-            raise $! unless $!.message == "Missing required option account"
+            if $!.message == "Missing required option account"
+              $stderr.puts "Your config is invalid, did you run 'conjur init'?"
+            end
+            raise $!
           end
         end
         if Config[:cert_file]
@@ -121,6 +127,18 @@ module Conjur
       def [](key)
         @@attributes[key.to_s]
       end
+
+      def member? key
+        @@attributes.member?(key) || @@attributes.member?(alternate_key(key))
+      end
+
+      def alternate_key key
+        case key
+          when String then key.to_sym
+          when Symbol then key.to_s
+          else key
+        end
+      end
     end
   end
 end

data/lib/conjur/conjurenv.rb

@@ -29,6 +29,9 @@ module Conjur
         raise "#{self.class.name.split('::').last} requires a parameter" if id.to_s.empty?
         @id=id
       end
+      def gsub! pattern, replace
+        @id.gsub! pattern, replace
+      end
       def init_with(coder)
         initialize(coder.scalar)
       end
@@ -61,21 +64,22 @@ module Conjur
       raise ":file and :yaml options can not be provided together" if ( options.has_key?(:file) and options.has_key?(:yaml) )
 
       yaml = if options.has_key?(:yaml) 
-                raise ":yaml option should be non-empty string" unless options[:yaml].kind_of?(String)
-                raise ":yaml option should be non-empty string" if options[:yaml].empty?
-                options[:yaml]
-              elsif options.has_key?(:file)
-                raise ":file option should be non-empty string" unless options[:file].kind_of?(String)
-                raise ":file option should be non-empty string" if options[:file].empty?
-                File.read(options[:file])
-              else
-                raise "either :file or :yaml option is mandatory"
-              end
-
-       @definition = parse(yaml)
+        raise ":yaml option should be non-empty string" unless options[:yaml].kind_of?(String)
+        raise ":yaml option should be non-empty string" if options[:yaml].empty?
+        options[:yaml]
+      elsif options.has_key?(:file)
+        raise ":file option should be non-empty string" unless options[:file].kind_of?(String)
+        raise ":file option should be non-empty string" if options[:file].empty?
+        File.read(options[:file])
+      else
+        raise "either :file or :yaml option is mandatory"
+      end
+      parse_arguments = [ yaml ]
+      parse_arguments << options[:substitutions] if options[:substitutions]
+      @definition = parse(*parse_arguments)
     end
 
-    def parse(yaml)
+    def parse(yaml, substitutions = {})
       YAML.add_tag("!var", ConjurVariable)
       YAML.add_tag("!tmp", ConjurTempfile)
       definition = YAML.load(yaml)
@@ -84,6 +88,14 @@ module Conjur
       definition.keys.select { |k| definition[k].kind_of? Fixnum }.each { |k| definition[k]="#{definition[k]}" }
       bad_types = definition.values.select { |v| not (v.kind_of?(String) or v.kind_of?(CustomTag)) }.map {|v| v.class}.uniq
       raise "Definition can not include values of types: #{bad_types}" unless bad_types.empty?
+      definition.inject({}) do |memo,e| 
+        key, value = e
+        substitutions.each do |k,v|
+          value.gsub! k, v
+        end
+        memo[key] = value
+        memo
+      end
       definition
     end
 

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.16.0"
+  VERSION = "4.17.0"
   ::Version=VERSION
 end

data/spec/command/env_spec.rb

@@ -38,11 +38,25 @@ shared_examples_for "processes environment definition" do |cmd, options|
   end
 end
 
+shared_examples_for "accepts policy option" do |cmd, options|
+  before {  # suspend all interaction with the environment
+    allow(Kernel).to receive(:system).and_return(true) 
+  }
+  let(:stub_object) { double(obtain:{}, check:{}) }
+  describe_command "env:#{cmd} --policy foobar #{options}" do
+    it "uses .conjurenv file by default" do
+      expect(Conjur::Env).to receive(:new).with(file:".conjurenv", substitutions: { "$policy" => "foobar" }).and_return(stub_object)
+      invoke
+    end
+  end
+end
+
 describe Conjur::Command::Env, logged_in: true do
 
   let(:stub_env)    { double() }
   describe ":check" do
     it_behaves_like "processes environment definition", "check", ''
+    it_behaves_like "accepts policy option", "check", ''
 
     describe_command "env:check" do
       before { expect(Conjur::Env).to receive(:new).and_return(stub_env) }
@@ -81,6 +95,7 @@ describe Conjur::Command::Env, logged_in: true do
 
   describe ":run" do
     it_behaves_like "processes environment definition", "run","-- extcmd"
+    it_behaves_like "accepts policy option", "run", '-- extcmd'
     describe_command "env:run" do
       it 'fails because of missing argument' do 
         expect(Kernel).not_to receive(:system)
@@ -119,6 +134,7 @@ describe Conjur::Command::Env, logged_in: true do
         allow(FileUtils).to receive(:copy).and_return(true)
       }
       it_behaves_like "processes environment definition", "template","config.erb"
+      it_behaves_like "accepts policy option", "template", 'config.erb'
     end
     describe_command "env:template" do
       it 'fails because of missing argument' do 

data/spec/command_spec.rb

@@ -57,4 +57,24 @@ describe Conjur::Command do
       end
     end
   end
+
+  describe "supports asset retirement" do
+    let(:role){ double('Role', roleid: 'the-role-id')}
+    let(:permission){ { 'role' => 'the-role-id', 'privilege' => 'read' } }
+    let(:permissions){ [ permission ] }
+    let(:resource){ double('Resource', deny: nil, attributes: {'permissions' => permissions}) }
+    let(:resources){ [resource] }
+    let(:api){ double('API') }
+    let(:asset){ double('Asset', resources: resources, resource: resource) }
+    describe "#retire_resource" do
+      context "when given an object without a role" do
+        it 'works' do
+          expect(described_class).to receive(:api).and_return api
+          expect(api).to receive(:role).with('the-role-id').and_return role
+          described_class.retire_resource(asset)
+        end
+      end
+    end
+  end
+
 end

data/spec/config_spec.rb

@@ -26,7 +26,10 @@ describe Conjur::Config do
     context "when CONJURRC is not set" do
       around do |example|
         oldrc = ENV.delete 'CONJURRC'
+
+
         example.run
+
         ENV['CONJURRC'] = oldrc
       end
 

data/spec/env_spec.rb

@@ -78,7 +78,29 @@ describe Conjur::Env do
       expect(result.keys.sort).to eq(["a","b","c"])
       expect(result["a"]).to eq('literal')
       expect(result["b"]).to be_a_kind_of(Conjur::Env::ConjurTempfile)
+      expect(result["b"].conjur_id).to eq('sometmp')
       expect(result["c"]).to be_a_kind_of(Conjur::Env::ConjurVariable)
+      expect(result["c"].conjur_id).to eq('somevar')
+    end
+    
+    it "Accepts empty string substitution" do
+      substitutions = {
+      }
+      result = Conjur::Env.new(yaml: "{a: $foo, b: !tmp '$foo$foo$bar', c: !var '$foo$bar'}", substitutions: substitutions).instance_variable_get("@definition")
+      expect(result["a"]).to eq('$foo')
+      expect(result["b"].conjur_id).to eq('$foo$foo$bar')
+      expect(result["c"].conjur_id).to eq('$foo$bar')
+    end
+
+    it "Performs requested string substitution" do
+      substitutions = {
+        "$foo" => "alice",
+        "$bar" => "bob"
+      }
+      result = Conjur::Env.new(yaml: "{a: $foo, b: !tmp '$foo$foo$bar', c: !var '$foo$bar'}", substitutions: substitutions).instance_variable_get("@definition")
+      expect(result["a"]).to eq('alice')
+      expect(result["b"].conjur_id).to eq('alicealicebob')
+      expect(result["c"].conjur_id).to eq('alicebob')
     end
 
     it "Converts numbers to string literals" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 4.16.0
+  version: 4.17.0
 platform: ruby
 authors:
 - Rafał Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-14 00:00:00.000000000 Z
+date: 2014-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -155,16 +155,16 @@ dependencies:
   name: aruba
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.1
 - !ruby/object:Gem::Dependency
   name: ci_reporter_rspec
   requirement: !ruby/object:Gem::Requirement
@@ -294,7 +294,6 @@ files:
 - lib/conjur/identifier_manipulation.rb
 - lib/conjur/version.rb
 - profile.rb
-- spec/audit/follower_spec.rb
 - spec/authn_spec.rb
 - spec/command/assets_spec.rb
 - spec/command/audit_spec.rb
@@ -336,7 +335,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.0.14
 signing_key: 
 specification_version: 4
 summary: Conjur command line interface
@@ -352,7 +351,6 @@ test_files:
 - features/step_definitions/dsl_steps.rb
 - features/support/env.rb
 - features/support/hooks.rb
-- spec/audit/follower_spec.rb
 - spec/authn_spec.rb
 - spec/command/assets_spec.rb
 - spec/command/audit_spec.rb

data/spec/audit/follower_spec.rb

@@ -1,5 +0,0 @@
-require 'spec_helper'
-
-describe Conjur::Audit::Follower do
-  
-end