conjur-cli 4.18.6 → 4.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 48872bafebcf0d1adecc8364f839bd7318839c14
-  data.tar.gz: 523c5883db7eb7faf4afad5f31543e8629490685
+  metadata.gz: 88cb451c93417c3943171c8948b0b8fca26e9faf
+  data.tar.gz: fec1d704173532741c53bfe76b81dd71286fe8d7
 SHA512:
-  metadata.gz: e00e1a4898d768816840ee41887b5ed59f6d3fa68d3bf1677ff0ce9388c88bb844b476581bf64e076b903b5fe6c7822047f30e68416d7fe789da7afbc85928aa
-  data.tar.gz: 018110603af0cda168cc4bc7d525fd12cf8e3332135abd2c73013bfaa7cacbf27ca471e8ae1b3ef83dc22a5daaf3faab144fb0c074c14a291af0bbdf2856f0b9
+  metadata.gz: bdb26d0ec021d83bcdbcf176a6899584b0db21a010c841b3416ab58e3d105a3f89d3ce6591563d6d3869543cb5c58cb3716a0561277e35a72facfb02ecbac86e
+  data.tar.gz: a99ecb30867ea4090bc660b6836dc7ff19a95ddc2517fe20aafb7502f25c8dc481d8640dc5f0d59f1033b3414ce7b21b2b2a6f49a211da37dc9e702e8872c318

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 4.19.0
+
+* Add command `conjur role graph` for batch retrieval of role relationships
+
 # 4.18.5
 
 * Bump conjur-api version to mime-types problem

data/Rakefile

@@ -11,7 +11,7 @@ Cucumber::Rake::Task.new :features
 
 task :jenkins => ['ci:setup:rspec', :spec, 'ci:setup:cucumber_report_cleanup'] do
   Cucumber::Rake::Task.new do |t|
-    t.cucumber_opts = "--format progress --format CI::Reporter::Cucumber --out features/reports"
+    t.cucumber_opts = "--tags ~@real-api --format progress --format CI::Reporter::Cucumber --out features/reports"
   end.runner.run
   File.write('build_number', ENV['BUILD_NUMBER']) if ENV['BUILD_NUMBER']
 end

data/conjur.gemspec

@@ -17,7 +17,7 @@ Gem::Specification.new do |gem|
 
 
   gem.add_dependency 'activesupport'
-  gem.add_dependency 'conjur-api', '~> 4.11.2'
+  gem.add_dependency 'conjur-api', '~> 4.12.0'
   gem.add_dependency 'gli', '>=2.8.0'
   gem.add_dependency 'highline'
   gem.add_dependency 'netrc', '~> 0.10.2'
@@ -33,4 +33,5 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'ci_reporter_cucumber'
   gem.add_development_dependency 'rake', '~> 10.0'
   gem.add_development_dependency 'io-grab', '~> 0.0.1'
+  gem.add_development_dependency 'json_spec'
 end

data/features/role_graph.feature

@@ -0,0 +1,58 @@
+@real-api
+Feature: Retrieving role graphs
+  As a Conjur user
+  In order to understand the role hierarchy
+  I want to retrieve role graphs and present them in a useful format
+
+Background:
+  Given a graph with edges
+    | Tywin     | Jamie         |
+    | Tywin     | Cersei        |
+    | Cersei    | Joffrey       |
+    | Jamie     | Joffrey       |
+    | Aerys     | Tyrion        |
+    | Joanna    | Tyrion        |
+
+  Scenario: Showing the graph as JSON
+    When I successfully run with role expansion "conjur role graph --as-role Joffrey Joffrey"
+    Then the graph JSON should be:
+      """
+        {
+          "graph": [
+            { "parent": "Tywin",  "child": "Jamie" },
+            { "parent": "Tywin",  "child": "Cersei"},
+            { "parent": "Cersei", "child": "Joffrey"},
+            { "parent": "Jamie",  "child": "Joffrey" }
+          ]
+        }
+      """
+
+  Scenario: Short JSON output
+    When I successfully run with role expansion "conjur role graph --short --as-role Joffrey Joffrey"
+    Then the graph JSON should be:
+      """
+        [
+          [ "Tywin", "Jamie"   ],
+          [ "Tywin", "Cersei"  ],
+          [ "Jamie", "Joffrey" ],
+          [ "Cersei", "Joffrey"]
+        ]
+      """
+
+  Scenario: I can restrict the output to show only ancestors or descendants
+    When I successfully run with role expansion "conjur role graph --short --no-ancestors --as-role Cersei Cersei"
+    Then the graph JSON should be:
+      """
+        [
+          [ "Cersei", "Joffrey" ]
+        ]
+      """
+    When I successfully run with role expansion "conjur role graph --short --no-descendants --as-role Cersei Cersei Jamie"
+    Then the graph JSON should be:
+      """
+        [
+          [ "Tywin", "Cersei" ],
+          [ "Tywin", "Jamie"  ]
+        ]
+      """
+

data/features/step_definitions/graph_steps.rb

@@ -0,0 +1,21 @@
+Given /a graph with edges/ do |table|
+  graph table.raw
+end
+
+Then %r{the graph JSON should be} do |json|
+  json = expand_roles json
+  last_graph = extract_filtered_graph json
+  expect(last_graph.to_json).to be_json_eql(json)
+end
+
+When(/^I( successfully)? run with role expansion "(.*)"$/) do |successfully, cmd|
+  role_id_map.each do |role, expanded_role|
+    cmd.gsub! role, expanded_role
+  end
+  self.last_cmd = cmd
+  if successfully
+    step "I successfully run \"#{cmd}\""
+  else
+    step "I run \"#{cmd}\""
+  end
+end

data/features/support/env.rb

@@ -2,5 +2,7 @@ require 'simplecov'
 require 'aruba/cucumber'
 require 'methadone/cucumber'
 require 'cucumber/rspec/doubles'
+require "json_spec/cucumber"
+
 
 SimpleCov.start

data/features/support/hooks.rb

@@ -2,17 +2,17 @@ require 'ostruct'
 
 class MockAPI
   attr_reader :things
-  
+
   def initialize
     @things = {}
   end
-  
+
   def thing(kind, id)
-    (@things[kind.to_sym] || []).find{|r| r.id == id}  
+    (@things[kind.to_sym] || []).find{|r| r.id == id}
   end
-  
+
   def thing_like(kind, id_pattern)
-    (@things[kind.to_sym] || []).find{|r| id_pattern.match(r.id)}  
+    (@things[kind.to_sym] || []).find{|r| id_pattern.match(r.id)}
   end
 
   def create_host(options = {})
@@ -24,56 +24,56 @@ class MockAPI
     end
     host ||= create_thing(:host, id, options, role: true, api_key: true)
   end
-  
+
   def create_user(id, options = {})
     thing(:user, id) || create_thing(:user, id, options, role: true, api_key: true)
   end
-  
+
   def create_variable(mime_type, kind)
     create_thing(:user, SecureRandom.uuid, mime_type: mime_type, kind: kind)
   end
-  
+
   def create_resource(id, options = {})
     resource(id).tap do |resource|
       resource.send(:"exists?=", true)
       populate_options resource, options
     end
   end
-  
+
   def create_role(id, options = {})
     role(id).tap do |role|
       role.send(:"exists?=", true)
       populate_options role, options
     end
   end
-  
+
   [ :user, :host ].each do |kind|
     define_method kind do |id|
       thing(kind, id)
     end
   end
-  
+
   def role(id)
     raise "Role id must be a string" unless id.is_a?(String)
     thing(:role, id) || create_thing(:role, id, { exists?: false }, role: true)
   end
-  
+
   def resource(id)
     raise "Resource id must be a string" unless id.is_a?(String)
     thing(:resource, id) || create_thing(:resource, id, exists?: false)
   end
-  
+
   protected
-  
+
   def create_thing(kind, id, options, kind_options = {})
     thing = OpenStruct.new(kind: kind, id: id, exists?: true)
-    
+
     class << thing
       def permit(privilege, role, options = {})
         (self.permissions ||= []) << OpenStruct.new(privilege: privilege, role: role.id, grant_option: !!options[:grant_option])
       end
     end
-    
+
     if kind_options[:api_key]
       thing.api_key = SecureRandom.uuid
     end
@@ -85,20 +85,20 @@ class MockAPI
         end
       end
     end
-    
+
     populate_options(thing, options)
-    
+
     store_thing kind, thing
-    
+
     thing
   end
-  
+
   def populate_options(thing, options)
     options.each do |k,v|
       thing.send("#{k}=", v)
     end
   end
-  
+
   def store_thing(kind, thing)
     (things[kind] ||= []) << thing
   end
@@ -107,11 +107,11 @@ end
 Before("@dsl") do
   puts "Using MockAPI"
   puts "Using account 'cucumber'"
-  
+
   require 'conjur/api'
   require 'conjur/config'
   require 'conjur/dsl/runner'
-  
+
   Conjur.stub(:env).and_return "ci"
   Conjur.stub(:stack).and_return "ci"
   Conjur.stub(:account).and_return "cucumber"
@@ -119,4 +119,14 @@ Before("@dsl") do
   Conjur::Core::API.stub(:conjur_account).and_return 'cucumber'
   @mock_api ||= MockAPI.new
   Conjur::DSL::Runner.any_instance.stub(:api).and_return @mock_api
-end
+end
+
+Before('@real-api') do
+  require 'conjur/config'
+  cfg = File.absolute_path("#{File.dirname __FILE__}/../../.conjurrc")
+  puts "cfg_path = #{cfg}"
+  puts "contents = #{File.read(cfg)}"
+  Conjur::Config.load([cfg])
+  Conjur::Config.apply
+  @aruba_timeout_seconds = 15
+end

data/features/support/world.rb

@@ -0,0 +1,88 @@
+require 'conjur/api'
+module ConjurWorld
+  def last_json
+    last_stdout
+  end
+
+  def last_stdout
+    raise "No commands have been run" unless last_cmd
+    stdout_from last_cmd
+  end
+  
+  attr_accessor :last_cmd
+  
+  def account
+    Conjur::Core::API.conjur_account
+  end
+
+  def role_kind
+    @role_kind ||= "cli-cukes"
+  end
+
+  def role_id_map
+    @role_id_map ||= {}
+  end
+
+  def extract_filtered_graph json
+    graph = JSON.parse(json) if json.kind_of?(String)
+    case graph
+      when Hash then filter_hash_graph(graph)
+      when Array then filter_array_graph(graph)
+      else raise "WTF: graph was #{graph.class}?"
+    end
+  end
+  
+  def filter_hash_graph graph
+    allowed = role_id_map.values
+    edges = graph['graph']
+    filtered = edges.select do |edge|
+      allowed.member?(edge['parent']) and allowed.member?(edge['child'])
+    end
+    {'graph' => filtered}
+  end
+  
+  def filter_array_graph graph
+    allowed = role_id_map.values
+    graph.select do |edge|
+      edge.all?{|v| allowed.member?(v)}
+    end
+  end
+  
+  def graph edges
+    # generate roles
+    edges.flatten.uniq.each do |role_id|
+      role_id_map[role_id] = expanded = expand_role_id(role_id)
+      run_command "conjur role create '#{expanded}'"
+    end
+
+    # generate memberships
+    edges.each do |parent, child|
+      run_command "conjur role grant_to #{expand_role_id(parent)} #{expand_role_id(child)}"
+    end
+  end
+
+  def run_command cmd
+    step "I successfully run " + '`' + cmd + '`'
+  end
+
+  def expand_role_id role_id
+    "#{account}:#{role_kind}:#{prepend_namespace role_id}"
+  end
+  
+  def prepend_namespace id
+    "#{namespace}-#{id}"
+  end
+  
+  def namespace
+    @namespace ||= "ns-#{Time.now.to_i}-#{rand(1 << 32)}"
+  end
+  
+  def expand_roles string
+    role_id_map.each do |role, expanded|
+      string.gsub! role, expanded
+    end
+    string
+  end
+end
+
+World(ConjurWorld)

data/lib/conjur/command/roles.rb

@@ -20,6 +20,8 @@
 #
 
 class Conjur::Command::Roles < Conjur::Command
+  GRAPH_FORMATS = %w(json dot)
+
 
   desc "Manage roles"
   command :role do |role|
@@ -117,6 +119,7 @@ class Conjur::Command::Roles < Conjur::Command
       end
     end
 
+
     role.desc "Revoke a role from another role. You must have admin permission on the revoking role."
     role.arg_name "role member"
     role.command :revoke_from do |c|
@@ -128,6 +131,87 @@ class Conjur::Command::Roles < Conjur::Command
         puts "Role revoked"
       end
     end
-  end
 
+
+    role.long_desc <<-EOD
+Retrieves a digraph representing the role members and memberships of one or more roles.
+
+The --[no-]ancestors and --[no-descendants] determine whether the graph should include ancestors, descendants, or both.  Both
+are included in the graph by default.
+
+The --acting-as flag specifies, as usual, a role as which to perform the action.  The default is the role of the currently
+authenticated user.  Only roles visible to this role will be included in the resulting graph.
+
+The output is always written to the standard output, and can be one of the following forms (specified with the --format flag):
+
+   * png: use the 'dot' command to generate a png image representing the graph.
+
+   * dot: produce a file in a suitable format for use with the 'dot' program.
+
+   * json [default]: output a JSON representation of the graph.
+
+In order to generate png images, the 'dot' program must be present and on your path.  This program is usually installed
+as part of the 'graphviz' package, and is available via apt-get on debian like systems and homebrew on OSX.
+
+The JSON format is determined by the presence of the --short flag.  If the --short flag is present, the JSON will be an array of
+edges, with each edge represented as an array:
+
+  [
+    [ 'parent1', 'child1' ],
+    [ 'parent2', 'child2'],
+    ...
+  ]
+
+If the --short flag is not present, the JSON output will be more verbose:
+
+  {
+    "graph": [
+      {
+        "parent": "parent1",
+        "child":  "child1"
+      },
+      ...
+    ]
+  }
+EOD
+    
+    role.desc "Describe role memberships as a digraph"
+    role.arg_name "role", :multiple
+    role.command :graph do |c|
+      c.desc "Output formats [#{GRAPH_FORMATS}]"
+      c.flag [:f,:format], default_value: 'json', must_match: GRAPH_FORMATS
+
+      c.desc "Use a more compact JSON format"
+      c.switch [:s, :short]
+
+      c.desc "Whether to show ancestors"
+      c.switch [:a, :ancestors], default_value: true
+
+      c.desc "Whether to show descendants"
+      c.switch [:d, :descendants], default_value: true
+
+      acting_as_option(c)
+
+      c.action do |_, options, args|
+        format = options[:format].downcase.to_sym
+        if options[:short] and format != :json
+          $stderr.puts "WARNING: the --short option is meaningless when --format is not json"
+        end
+
+        params = options.slice(:ancestors, :descendants)
+        params[:as_role] = options[:acting_as] if options.member?(:acting_as)
+
+        graph = api.role_graph(args, params)
+
+        output = case format
+          when :json then graph.to_json(options[:short]) + "\n"
+          when :dot then graph.to_dot + "\n"
+          else raise "Unsupported format: #{format}" # not strictly necessary, because GLI must_match checks it,
+                                                     # but might as well?
+        end
+
+        $stdout.write output
+      end
+    end
+  end
 end

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.18.6"
+  VERSION = "4.19.0"
   ::Version=VERSION
 end

data/spec/command/roles_spec.rb

@@ -85,4 +85,63 @@ describe Conjur::Command::Roles, logged_in: true do
       end
     end
   end
+  
+  describe "role graph" do 
+    let(:roles){ [] }
+    let(:options){ { ancestors: true, descendants: true } }
+    let(:extra_options){ {} }
+    let(:role_graph_args){ [roles, options.merge(extra_options)] }
+    let(:graph_edges){ [['a', 'b'], ['b', 'c']] }
+    let(:graph){ Conjur::Graph.new graph_edges }
+    def output
+      JSON::parse(expect{invoke}.to write)
+    end
+    
+    before do
+      allow(api).to receive(:role_graph).with(*role_graph_args).and_return graph
+    end
+    
+    describe_command "role graph foo bar" do
+      let(:roles){ %w(foo bar) }
+      it "outputs the graph as non-short json" do
+        expect(output).to eq(graph.as_json)
+      end
+    end
+    
+    describe_command 'role graph --short foo' do
+      let(:roles){ %w(foo) }
+      it 'outputs the graph as short json' do
+        expect(output).to eq(graph.as_json(true))
+      end
+    end
+    
+    describe_command 'role graph --no-ancestors foo' do
+      let(:roles){ %w(foo) }
+      let(:options){{descendants: true}}
+      it "calls role_graph with the expected options and output" do
+        expect(output).to eq(graph.as_json(false))
+      end
+    end
+    
+    describe 'output formats' do
+      let(:formatted){ "formatted by #{format_method}" }
+      let(:roles){ %w(foo) }
+      before do
+
+        expect_any_instance_of(Conjur::Graph).to receive(format_method).with(any_args).and_return formatted
+      end
+      
+      def self.it_formats_the_graph_as method
+        let(:format_method){ method }
+        it "formats the graph with #{method}" do
+          expect((expect{invoke}.to write).chomp).to eq(formatted)
+        end
+      end
+      
+      describe_command 'role graph -fdot foo' do
+        it_formats_the_graph_as :to_dot
+      end
+    end
+
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 4.18.6
+  version: 4.19.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-22 00:00:00.000000000 Z
+date: 2015-01-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 4.11.2
+        version: 4.12.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 4.11.2
+        version: 4.12.0
 - !ruby/object:Gem::Dependency
   name: gli
   requirement: !ruby/object:Gem::Requirement
@@ -221,6 +221,20 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: 0.0.1
+- !ruby/object:Gem::Dependency
+  name: json_spec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email:
 - rafal@conjur.net
@@ -258,13 +272,16 @@ files:
 - features/dsl_role_create.feature
 - features/dsl_user_create.feature
 - features/jsonfield.feature
+- features/role_graph.feature
 - features/step_definitions/conjurize_steps.rb
 - features/step_definitions/dsl_steps.rb
+- features/step_definitions/graph_steps.rb
 - features/support/conjur-test.pem
 - features/support/conjur.conf
 - features/support/env.rb
 - features/support/hooks.rb
 - features/support/host.json
+- features/support/world.rb
 - lib/conjur.rb
 - lib/conjur/audit/follower.rb
 - lib/conjur/authn.rb
@@ -357,13 +374,16 @@ test_files:
 - features/dsl_role_create.feature
 - features/dsl_user_create.feature
 - features/jsonfield.feature
+- features/role_graph.feature
 - features/step_definitions/conjurize_steps.rb
 - features/step_definitions/dsl_steps.rb
+- features/step_definitions/graph_steps.rb
 - features/support/conjur-test.pem
 - features/support/conjur.conf
 - features/support/env.rb
 - features/support/hooks.rb
 - features/support/host.json
+- features/support/world.rb
 - spec/authn_spec.rb
 - spec/command/assets_spec.rb
 - spec/command/audit_spec.rb