conjur-cli 4.22.0 → 4.23.0

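--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 3327a3212d116f7989090b9a1aed6de2f202b698
- data.tar.gz: 37954aa133694126b93021e5d57d7d90f8f15927
+ metadata.gz: cf3b61260f8129d53e15aaca659af65769bdd729
+ data.tar.gz: b40c45ae844b63e70d1975b2fc2934806562a8b3
  SHA512:
- metadata.gz: e0855d2122e2af07cf868cb1da21f6e6426c2fa5e7c6f05d9a23528f6d7abcd73458b3d831377153275d0bdd39b65b566f2c8cde8d3a301b938ef20daa989676
- data.tar.gz: bc1675b9fca3d60bf3ac5dfcb007649a872e370b441a41c4ede7294f5ab5fad1cf92a2adf605c92664d1164b634ba645da0d35c3bc2bebc2919f5d0253bedfbc
+ metadata.gz: 0105965b5726d5449fe576a034f7b4f90627d0277d44d9f7c5f95744052fe9a012a037d28ca70f1ba1deef793a5aa0c71bcf9546e221769348aaca60faf37a29
+ data.tar.gz: d0b1bd9f7f6b094bc846439914d4fbcb852b6b3d6a20a195dd24bc7f2bc6e69b781c4494d3def7d51d188620aabf7432d668fd6c1bd5c51bcdf9ad16d1df8fbb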
data/CHANGELOG.md CHANGED
@@ -1,3 +1,13 @@
1
+ # Unreleased
2
+
3
+ # 4.23.0
4
+
5
+ * Don't check if netrc is world-readable on Windows, since the answer is not reliable
6
+ * Use new [conjur](https://supermarket.chef.io/cookbooks/conjur) cookbook for conjurize
7
+ * Fix faulty initialization of plugins list, if it's nil, in the .conjurrc
8
+ * Log DSL commands to stderr, even if CONJURAPI_LOG is not explicitly configured
9
+ * In policy DSL, allow creation of records without an explicit `id`. In this case, the current scope is used as the `id`.
10
+
1
11
  # 4.22.0
2
12
 
3
13
  * New 'plugin' subcommand to manage CLI plugins
@@ -112,7 +112,7 @@ curl -L https://www.opscode.com/chef/install.sh | bash
112
112
  """
113
113
  And the output should match:
114
114
  """
115
- chef-solo -r https:\/\/github.com\/conjur-cookbooks\/conjur-ssh\/releases\/download/v\d\.\d\.\d/conjur-ssh-v\d\.\d\.\d.tar.gz -o conjur-ssh
115
+ chef-solo -r https:\/\/github.com\/conjur-cookbooks\/conjur\/releases\/download/v\d\.\d\.\d/conjur-v\d\.\d\.\d.tar.gz -o conjur
116
116
  """
117
117
 
118
118
  Scenario: conjurize with arbitrary cookbook
data/lib/conjur/authn.rb CHANGED
@@ -66,7 +66,7 @@ module Conjur::Authn
66
66
  else
67
67
  path = Netrc.default_path
68
68
  end
69
- fail "netrc (#{path}) shouldn't be world-readable" if File.world_readable?(path)
69
+ fail_if_world_readable path
70
70
  Netrc.read(*args)
71
71
  end
72
72
 
@@ -126,5 +126,18 @@ module Conjur::Authn
126
126
  end
127
127
  cls.new_from_key(*get_credentials(options))
128
128
  end
129
+
130
+ protected
131
+
132
+ def fail_if_world_readable path
133
+ if !windows? && File.world_readable?(path)
134
+ fail "netrc (#{path}) shouldn't be world-readable"
135
+ end
136
+ end
137
+
138
+ # see http://stackoverflow.com/questions/4871309/what-is-the-correct-way-to-detect-if-ruby-is-running-on-windows
139
+ def windows?
140
+ RbConfig::CONFIG["host_os"] =~ /mswin|mingw|cygwin/
141
+ end
129
142
  end
130
143
  end
@@ -21,10 +21,9 @@
21
21
 
22
22
  class Conjur::DSLCommand < Conjur::Command
23
23
  class << self
24
- def file_or_stdin_arg(args)
25
- end
26
-
27
24
  def run_script(args, options, &block)
25
+ Conjur.log = "stderr"
26
+
28
27
  filename = nil
29
28
  script = if script = args.pop
30
29
  filename = script
@@ -126,7 +126,7 @@ def modify_plugin_list(op, plugin_name)
126
126
  config_exists = true
127
127
  config = YAML.load(IO.read(f)).stringify_keys rescue {}
128
128
 
129
- config['plugins'] ||= {}
129
+ config['plugins'] ||= []
130
130
  config['plugins'] += [plugin_name] if op == 'add'
131
131
  config['plugins'] -= [plugin_name] if op == 'remove'
132
132
  config['plugins'].uniq!
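Review bot: In the authn.rb hunk, `fail_if_world_readable` returns without any signal on Windows, so the netrc the CLI reads its credentials from is loaded there with no permission check and no hint to the user that the check was skipped. The changelog says `File.world_readable?` is not reliable on that platform, so the skip is reasonable, but it should be documented above the method, for example `# File.world_readable? is unreliable on Windows, so the check is skipped there; protect the netrc with file ACLs instead`, and ideally paired with a one-line warning on stderr. `windows?` also treats `cygwin` as Windows; nothing on this page shows that the permission answer is unreliable under Cygwin, so confirm that before exempting it. Both methods sit under `protected` in a block that starts outside the hunk.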
data/lib/conjur/config.rb CHANGED
@@ -87,14 +87,14 @@ module Conjur
87
87
  end
88
88
 
89
89
  if Conjur.log
90
- begin
91
- require 'conjur/api'
92
- Conjur.log << "Using authn host #{Conjur::Authn::API.host}\n"
90
+ require 'conjur/api'
91
+ host = begin
92
+ Conjur::Authn::API.host
93
93
  rescue RuntimeError
94
- if $!.message == "Missing required option account"
95
- $stderr.puts "Your config is invalid, did you run 'conjur init'?"
96
- end
97
- raise $!
94
+ nil
95
+ end
96
+ if host
97
+ Conjur.log << "Using authn host #{Conjur::Authn::API.host}\n"
98
98
  end
99
99
  end
100
100
 
@@ -3,11 +3,11 @@ require 'json'
3
3
  require 'open-uri'
4
4
  require 'conjur/version.rb'
5
5
 
6
- def latest_conjur_ssh_release
7
- url = 'https://api.github.com/repos/conjur-cookbooks/conjur-ssh/releases'
6
+ def latest_conjur_release
7
+ url = 'https://api.github.com/repos/conjur-cookbooks/conjur/releases'
8
8
  resp = open(url)
9
9
  json = JSON.parse(resp.read)
10
- latest = json[0]['assets'].select {|asset| asset['name'] =~ /conjur-ssh-v\d.\d.\d.tar.gz/}[0]
10
+ latest = json[0]['assets'].select {|asset| asset['name'] =~ /conjur-v\d.\d.\d.tar.gz/}[0]
11
11
  latest['browser_download_url']
12
12
  end
13
13
 
@@ -51,8 +51,8 @@ DESC
51
51
  chef_executable = options[:"chef-executable"]
52
52
 
53
53
  if options[:ssh]
54
- conjur_run_list ||= "conjur-ssh"
55
- conjur_cookbook_url ||= latest_conjur_ssh_release()
54
+ conjur_run_list ||= "conjur"
55
+ conjur_cookbook_url ||= latest_conjur_release()
56
56
  end
57
57
 
58
58
  sudo = lambda{|str|
@@ -112,12 +112,12 @@ module Conjur
112
112
  instance_eval(*args)
113
113
  end
114
114
 
115
- def resource kind, id, options = {}, &block
115
+ def resource kind, id = nil, options = {}, &block
116
116
  id = full_resource_id([kind, qualify_id(id, kind) ].join(':'))
117
117
  find_or_create :resource, id, options, &block
118
118
  end
119
119
 
120
- def role kind, id, options = {}, &block
120
+ def role kind, id = nil, options = {}, &block
121
121
  id = full_resource_id([ kind, qualify_id(id, kind) ].join(':'))
122
122
  find_or_create :role, id, options, &block
123
123
  end
@@ -146,11 +146,12 @@ module Conjur
146
146
  protected
147
147
 
148
148
  def qualify_id id, kind
149
- if id[0] == "/"
149
+ if id && id[0] == "/"
150
150
  id[1..-1]
151
151
  else
152
152
  case kind.to_sym
153
153
  when :user
154
+ raise "User id is required" unless id
154
155
  [ id, current_user_scope ].compact.join('@')
155
156
  else
156
157
  [ current_scope, id ].compact.join('/')
@@ -175,6 +176,11 @@ module Conjur
175
176
  lambda { args.length == 1 },
176
177
  lambda { args.length == 2 && args[1].is_a?(Hash) }
177
178
  ]
179
+ if current_scope
180
+ # If there is a scope, it's valid to create a record without an id, because the
181
+ # scope name will be used as the id.
182
+ valid_prototypes << lambda { args.length == 0 }
183
+ end
178
184
  !valid_prototypes.find{|p| p.call}.nil?
179
185
  end
180
186
 
@@ -213,7 +219,7 @@ module Conjur
213
219
 
214
220
  def do_object obj, &block
215
221
  begin
216
- api_keys[obj.roleid] = obj.api_key if obj.api_key
222
+ api_keys[obj.roleid] = obj.api_key if obj.respond_to?(:api_key) && obj.api_key
217
223
  rescue
218
224
  end
219
225
 
@@ -19,6 +19,6 @@
19
19
  # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
20
  #
21
21
  module Conjur
22
- VERSION = "4.22.0"
22
+ VERSION = "4.23.0"
23
23
  ::Version=VERSION
24
24
  end
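Review bot: In `latest_conjur_release` the asset filter `/conjur-v\d.\d.\d.tar.gz/` is unanchored, leaves its dots unescaped and accepts only single-digit version parts, so a release such as v1.10.0 matches nothing and `latest['browser_download_url']` then fails on nil. Tightening it to `asset['name'] =~ /\Aconjur-v\d+\.\d+\.\d+\.tar\.gz\z/` and raising a clear error when no asset matches would fix both. The function also takes the first entry of the releases list with no version pin or digest check, and the feature file on this page suggests the resulting URL is handed to `chef-solo -r` on the target host. Pinning the cookbook release or verifying a checksum before use would limit what a mistaken or tampered release could run there.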
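--- a/data/spec/authn_spec.rb
+++ b/data/spec/authn_spec.rb
@@ -27,26 +27,54 @@ describe Conjur::Authn do
  Conjur::Authn.get_credentials
  end
  end
-
+
  describe "netrc" do
- let(:netrc) { nil }
- before do
- allow(Conjur::Config).to receive(:[]).with(:netrc_path).and_return path
- end
-
- context "with specified netrc_path" do
- let(:path) { "/a/dummy/netrc/path" }
- it "consults Conjur::Config for netrc_path" do
- expect(Netrc).to receive(:read).with(path).and_return netrc = double("netrc")
- expect(Conjur::Authn.netrc).to eq(netrc)
+ describe "fail_if_world_readable" do
+ let(:path) { "the-path" }
+ around { |example|
+ host_os = RbConfig::CONFIG["host_os"]
+ RbConfig::CONFIG["host_os"] = os
+ begin
+ example.run
+ ensure
+ RbConfig::CONFIG["host_os"] = host_os
+ end
+ }
+ context "on Windows" do
+ let(:os) { "mswin" }
+ it "bypasses the readability check" do
+ Conjur::Authn.send :fail_if_world_readable, path
+ end
+ end
+ context "on Linux" do
+ let(:os) { "linux" }
+ it "raises an error if the file is world readable" do
+ expect(File).to receive(:world_readable?).with(path).and_return(true)
+ expect { Conjur::Authn.send :fail_if_world_readable, path }.to raise_error("netrc (the-path) shouldn't be world-readable")
+ end
  end
  end
 
- context "without specified netrc_path" do
- let(:path) { nil }
- it "uses default netrc path" do
- expect(Netrc).to receive(:read).with(no_args).and_return netrc = double("netrc")
- expect(Conjur::Authn.netrc).to eq(netrc)
+ context "loading" do
+ let(:netrc) { nil }
+ before do
+ allow(Conjur::Config).to receive(:[]).with(:netrc_path).and_return path
+ end
+
+ context "with specified netrc_path" do
+ let(:path) { "/a/dummy/netrc/path" }
+ it "consults Conjur::Config for netrc_path" do
+ expect(Netrc).to receive(:read).with(path).and_return netrc = double("netrc")
+ expect(Conjur::Authn.netrc).to eq(netrc)
+ end
+ end
+
+ context "without specified netrc_path" do
+ let(:path) { nil }
+ it "uses default netrc path" do
+ expect(Netrc).to receive(:read).with(no_args).and_return netrc = double("netrc")
+ expect(Conjur::Authn.netrc).to eq(netrc)
+ end
  end
  end
  end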
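Review bot: The "on Windows" example in `describe "fail_if_world_readable"` asserts nothing, so it passes whether or not the check is bypassed; "the-path" does not exist, so `File.world_readable?` would return nil anyway. Make the bypass explicit with `expect(File).not_to receive(:world_readable?)` and `expect { Conjur::Authn.send :fail_if_world_readable, path }.not_to raise_error`. The Linux context covers only the failing case, so an example where `File.world_readable?` returns a falsy value and no error is raised would pin the other branch. The `mingw` and `cygwin` alternatives that `windows?` matches are not exercised.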
data/spec/config_spec.rb CHANGED
@@ -114,7 +114,7 @@ describe Conjur::Config do
114
114
  }
115
115
 
116
116
  context "ssl_certificate string" do
117
- let(:ssl_certificate){ 'the certificate' }
117
+ let(:ssl_certificate){ 'the-certificate' }
118
118
  let(:certificate){ double('Certificate') }
119
119
  before{
120
120
  Conjur::Config.class_variable_set('@@attributes', {'ssl_certificate' => ssl_certificate})
@@ -6,63 +6,88 @@ describe Conjur::DSL::Runner, logged_in: true do
6
6
 
7
7
  let(:filename) { nil }
8
8
  let(:runner) { Conjur::DSL::Runner.new script, filename }
9
- let(:script) { "user 'alice'" }
10
- let(:alice) {
11
- Conjur::User.new("alice").tap do |user|
12
- user.attributes = { "api_key" => "the-api-key" }
13
- end
14
- }
15
9
  before {
16
10
  allow(Conjur).to receive(:account).and_return "the-account"
17
11
  allow(runner).to receive(:api).and_return api
18
12
  }
19
- it "should populate the root ownerid" do
20
- expect(api).to receive(:user).with("alice").and_return double("alice-exists", exists?: false)
21
- expect(api).to receive(:create_user).with(id: "alice", ownerid: "user:bob").and_return alice
22
-
23
- runner.owner = "user:bob"
24
- runner.execute
25
- end
26
- it "should store the api_key in the context keyed by roleid" do
27
- expect(api).to receive(:user).with("alice").and_return double("alice-exists", exists?: false)
28
- expect(api).to receive(:create_user).with(id: "alice").and_return alice
29
-
30
- runner.execute
31
-
32
- expect(runner.context['api_keys']).to eq({
33
- "the-account:user:alice" => "the-api-key"
34
- })
35
- end
36
-
37
- it "doesn't store default env and stack in context" do
38
- expect(runner.context).to_not have_key 'env'
39
- expect(runner.context).to_not have_key 'stack'
40
- end
41
-
42
- context "with non-default stack and env" do
43
- let(:runner) do
44
- Conjur::Config.merge env: 'baz', stack: 'bar'
45
- Conjur::Config.apply
46
- Conjur::DSL::Runner.new '', nil
13
+ context "nil record ids" do
14
+ subject { runner.execute }
15
+ context "creating a user" do
16
+ let(:script) { "user" }
17
+ it "isn't allowed" do
18
+ expect{ subject }.to raise_error
19
+ end
47
20
  end
48
-
49
- it "stores them in context" do
50
- expect(runner.context['env']).to eq 'baz'
51
- expect(runner.context['stack']).to eq 'bar'
21
+ context "creating a resource" do
22
+ let(:script) { "scope 'kitchen' do; resource 'food'; end" }
23
+ it "creates resource with id matching the scope" do
24
+ expect(api).to receive(:resource).with("the-account:food:kitchen").and_return double("kitchen-exists", :exists? => true)
25
+ subject
26
+ end
27
+ end
28
+ context "creating a layer" do
29
+ let(:script) { "scope 'kitchen' do; layer; end" }
30
+ it "creates layer with id matching the scope" do
31
+ expect(api).to receive(:layer).with("kitchen").and_return double("kitchen-exists", :exists? => true)
32
+ subject
33
+ end
52
34
  end
53
35
  end
54
-
55
- context "with appliance url" do
56
- let(:appliance_url) { "https://conjur.example.com/api" }
57
- let(:runner) do
58
- Conjur::Config.merge appliance_url: appliance_url
59
- Conjur::Config.apply
36
+ context "creating user:alice" do
37
+ let(:script) { "user 'alice'" }
38
+ let(:alice) {
39
+ Conjur::User.new("alice").tap do |user|
40
+ user.attributes = { "api_key" => "the-api-key" }
41
+ end
42
+ }
43
+ it "should populate the root ownerid" do
44
+ expect(api).to receive(:user).with("alice").and_return double("alice-exists", exists?: false)
45
+ expect(api).to receive(:create_user).with(id: "alice", ownerid: "user:bob").and_return alice
60
46
 
61
- Conjur::DSL::Runner.new '', nil
47
+ runner.owner = "user:bob"
48
+ runner.execute
62
49
  end
63
-
64
- it "stores appliance url in the context" do
65
- expect(runner.context['appliance_url']).to eq appliance_url
50
+ it "should store the api_key in the context keyed by roleid" do
51
+ expect(api).to receive(:user).with("alice").and_return double("alice-exists", exists?: false)
52
+ expect(api).to receive(:create_user).with(id: "alice").and_return alice
53
+
54
+ runner.execute
55
+
56
+ expect(runner.context['api_keys']).to eq({
57
+ "the-account:user:alice" => "the-api-key"
58
+ })
59
+ end
60
+
61
+ it "doesn't store default env and stack in context" do
62
+ expect(runner.context).to_not have_key 'env'
63
+ expect(runner.context).to_not have_key 'stack'
64
+ end
65
+
66
+ context "with non-default stack and env" do
67
+ let(:runner) do
68
+ Conjur::Config.merge env: 'baz', stack: 'bar'
69
+ Conjur::Config.apply
70
+ Conjur::DSL::Runner.new '', nil
71
+ end
72
+
73
+ it "stores them in context" do
74
+ expect(runner.context['env']).to eq 'baz'
75
+ expect(runner.context['stack']).to eq 'bar'
76
+ end
77
+ end
78
+
79
+ context "with appliance url" do
80
+ let(:appliance_url) { "https://conjur.example.com/api" }
81
+ let(:runner) do
82
+ Conjur::Config.merge appliance_url: appliance_url
83
+ Conjur::Config.apply
84
+
85
+ Conjur::DSL::Runner.new '', nil
86
+ end
87
+
88
+ it "stores appliance url in the context" do
89
+ expect(runner.context['appliance_url']).to eq appliance_url
90
+ end
66
91
  end
67
92
  end
68
93
  end
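Review bot: The "creating a user" example under "nil record ids" uses a bare `expect{ subject }.to raise_error`, which any exception satisfies, including a NoMethodError from an unrelated regression, so it does not prove that the missing-id guard fired. Match the message the runner raises: `expect { subject }.to raise_error("User id is required")`. There is also no example for a record created without an id outside any scope, which is the case where no scope name is available to stand in for the id.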
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: conjur-cli
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.22.0
4
+ version: 4.23.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2015-04-28 00:00:00.000000000 Z
12
+ date: 2015-05-04 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: activesupport