conjur-cli 4.26.0 → 4.27.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 54ffbd129d6c3a3fc980ff0d44ad733b1eb384b6
-  data.tar.gz: 44d584a5a9a9e8aecff993113a31462fb7903392
+  metadata.gz: 269e8ed2d2f6b69c7562c3c40fb4f34ff96e0788
+  data.tar.gz: db804ffbb9219ece6834a554aa142a76a731fab5
 SHA512:
-  metadata.gz: 65c39293a9f24b0dc0ae51c13bf7921c30c99e74ed4f45a158f5f08c45dcc78eae530379bbcf264014150ab4a9e5d23bfa494f26f2e6a2b29bcb81732ddc10e9
-  data.tar.gz: c4f362e466e4fd8b3b0bd75e79a8e888849b8e51f3df8c29a92389d1f37c2ca14559877a95693a1c9a983d334ee6b0dcfd879167bc9cb83e84429e18ef3b16c6
+  metadata.gz: 0b77f202ea2b76ec7593d1bd98c2799b4771ce6a9e05564cde88c6dc09150097dfd23fb9a72902c53886aa1f85d0472f32185a42d6ae230209066245fa80c91d
+  data.tar.gz: 39a144652fc0ae5dbfc59af883bbfaab2deb6c87a8a59da62403500eecf1497f77f5797e81ccee68f21892efe185d0a1a53726133f48b990436472e6165a673b

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+# 4.27.0
+
+* New commands `elevate` and `reveal` for execution of privileged commands on Conjur 4.5+.
+
+# 4.26.0
+
+* New implementation of bash completions.
+
 # 4.25.2
 * Fixes a conflict with RVM: Sets `GEM_HOME` and `GEM_PATH to nil.
 

data/acceptance-features/audit/audit_event_send.feature

@@ -0,0 +1,104 @@
+Feature: Write and read custom audit events (full-stack test, not for publication)
+
+    Background: 
+        Given I create a new user named "eve@$ns"
+        And I create a new host with id "monitoring/server"
+        And I create a new user named "observer@$ns"
+        And I run `conjur resource permit host:$ns/monitoring/server user:observer@$ns read`
+        And I run `conjur role grant_to user:eve@$ns user:observer@$ns`
+        And I run `conjur role grant_to host:$ns/monitoring/server user:observer@$ns`
+        And a file named "audit_event.json" with namespace substitution:
+            """
+              {
+                "facility": "custom",
+                "action": "sudo",
+                "system_user": "eve",
+                "allowed": false,
+                "role": "user:eve@$ns",
+                "resource_id": "host:$ns/monitoring/server",
+                "error": "user NOT in sudoers",
+                "audit_message": "eve tried to run '/bin/cat /etc/shadow' as root",   
+                "command": "/bin/cat /etc/shadow",
+                "target_user": "root",
+                "sudo": {
+                  "TTY": "pts/0",
+                  "PWD": "/home/eve",
+                  "USER": "root",
+                  "COMMAND": "/bin/cat /etc/shadow"
+                },
+                "timestamp": "2014-06-30T03:25:00.542768+00:00"
+              }
+            """   
+        And I login as a new host
+        And I run `conjur audit send` interactively
+        And I pipe in the file "audit_event.json"
+        And the exit status should be 0
+        And I login as "observer@$ns"
+
+    Scenario: Default fields are included in audit event
+        When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
+        Then the JSON response should have the following:
+            | id                    |
+            | event_id              |
+            | timestamp             |
+            | submission_timestamp  |
+            | kind                  |
+            | action                |
+            | user                  |
+            | acting_as             |
+            | roles                 |
+            | resources             |
+            | resource              |
+            | request               |
+            | conjur                |
+
+    Scenario: Default fields are filled properly
+        When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
+        Then the JSON response at "timestamp" should include "2014-06-30T03:25:00"
+        And the JSON response at "kind" should be "audit"
+        And the JSON response at "action" should be "sudo"
+        And the JSON response at "user" should include "/monitoring/server"
+        And the JSON response at "roles/0" should include "/monitoring/server"
+        And the JSON response at "roles/1" should include "user:eve@"
+        And the JSON response at "resource" should include "/monitoring/server"
+        And the JSON response at "resources/0" should include "/monitoring/server"
+        And the JSON response at "conjur/user" should include "/monitoring/server"
+        
+    Scenario: All custom fields are exposed
+        When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
+        Then the JSON response should have the following:
+            | facility              |
+            | system_user           |   
+            | allowed               |
+            | role                  |
+            | resource_id           |
+            | error                 |
+            | audit_message         |
+            | command               |
+            | target_user           |
+            | sudo                  |
+    
+    Scenario: Custom fields are filled properly
+        When I run `conjur audit role -l 1 -o 3 host:$ns/monitoring/server`
+        And the JSON response at "facility" should be "custom"
+        And the JSON response at "system_user" should include "eve"
+        And the JSON response at "allowed" should be false
+        And the JSON response at "role" should include "user:eve@"
+        And the JSON response at "resource_id" should include "/monitoring/server"
+        And the JSON response at "error" should be "user NOT in sudoers"
+        And the JSON response at "command" should be "/bin/cat /etc/shadow"
+        And the JSON response at "target_user" should be "root"
+        And the JSON response at "sudo/PWD" should be "/home/eve"
+
+    Scenario: Custom event is indexed per resource
+        When I run `conjur audit resource -s host:$ns/monitoring/server`
+        Then the output should match /monitoring.server reported custom:sudo by .*:user:eve@(.*) on .*:host:(.*).monitoring.server \(allowed: false\); message: eve tried to run .* as root \(failed with user NOT in sudoers\)/
+           
+
+    Scenario: Custom event is indexed per submitter role
+        When I run `conjur audit role -s host:$ns/monitoring/server`
+        Then the output should match /monitoring.server reported custom:sudo by .*:user:eve@(.*) on .*:host:(.*).monitoring.server \(allowed: false\); message: eve tried to run .* as root \(failed with user NOT in sudoers\)/
+    
+    Scenario: Custom event is indexed per other roles
+        When I run `conjur audit role -s user:eve@$ns`
+        Then the output should match /monitoring.server reported custom:sudo by .*:user:eve@(.*) on .*:host:(.*).monitoring.server \(allowed: false\); message: eve tried to run .* as root \(failed with user NOT in sudoers\)/

data/acceptance-features/audit/send.feature

@@ -0,0 +1,70 @@
+Feature: Create custom audit events
+
+    Background:
+        Given I login as new user "joe@$ns"
+
+    Scenario: Simplest audit event
+        When I successfully run `conjur audit send '{"action":"login"}'`
+        And I run `conjur audit all -s`
+        Then the output should match /user:joe@.* reported login/
+    
+    Scenario: Expose facility
+        When I successfully run `conjur audit send '{"action":"login", "facility":"ssh"}'`
+        And I run `conjur audit all -s`
+        Then the output should match /user:joe@.* reported ssh:login/
+
+    Scenario: Link to role
+        When I successfully run `conjur audit send '{"action":"login", "role":"user:bob"}'`
+        And I run `conjur audit all -s`
+        Then the output should match /user:joe@.* reported login by .*:user:bob/
+        
+    Scenario: Link to resource
+        When I successfully run `conjur audit send '{"action":"login", "resource_id":"host:server"}'`
+        And I run `conjur audit all -s`
+        Then the output should match /user:joe@.* reported login on .*:host:server/
+
+
+    Scenario: 'Allowed' flag
+        When I successfully run `conjur audit send '{"action":"login", "allowed": false}'`
+        And I run `conjur audit all -s`
+        Then the output should match /user:joe@.* reported login \(allowed: false\)/
+
+    Scenario: Custom message
+        When I successfully run `conjur audit send '{"action":"login", "audit_message": "Client IP is 1.2.3.4"}'`
+        And I run `conjur audit all -s`
+        Then the output should match /user:joe@.* reported login; message: Client IP is 1.2.3.4/
+    
+    Scenario: Error details
+        When I successfully run `conjur audit send '{"action":"login", "error": "password mismatch"}'`
+        And I run `conjur audit all -s`
+        Then the output should match /user:joe@.* reported login \(failed with password mismatch\)/
+
+    Scenario: Fully described audit event (sent from file)
+        When a file named "audit_event.json" with:
+            """
+            { 
+                "action": "login",
+                "facility": "ssh",
+                "role": "user:bob",
+                "resource_id": "host:server",
+                "allowed": false,
+                "audit_message": "Client IP is 1.2.3.4",
+                "error": "password mismatch"
+            }
+            """ 
+        And I run `conjur audit send` interactively
+        And I pipe in the file "audit_event.json"
+        And the exit status should be 0
+        And I run `conjur audit all -s`
+        Then the output should match /user:joe@.* reported ssh:login by .*:user:bob on .*:host:server \(allowed: false\); message: Client IP is 1.2.3.4 \(failed with password mismatch\)/
+
+    Scenario: Specify timestamp as IS08601 with timezone
+        When I successfully run `conjur audit send '{"action":"login", "timestamp": "2014-07-01T01:02:03Z"}'`
+        And I run `conjur audit all -s`
+        Then the output should match /\[2014-07-01 01:02:03 UTC\] .*:user:joe@.* reported login/
+
+    Scenario: Arbitrary field (exposed in full audit output)
+        When I successfully run `conjur audit send '{"action":"login", "syslog": { "message" : "Accepted publickey for alice from 192.168.1.11 port 38977 ssh2" }}'`
+        And I run `conjur audit all -o 3` 
+        Then the JSON response at "syslog/message" should be "Accepted publickey for alice from 192.168.1.11 port 38977 ssh2"
+        

data/acceptance-features/authentication/authenticate.feature

@@ -0,0 +1,10 @@
+Feature: Authenticate a role
+
+  Scenario: Get a JSON token
+    When I successfully run `conjur authn authenticate`
+    Then the JSON should have "data"
+    And the JSON should have "signature"
+ 
+  Scenario: Get an auth token as HTTP Authorize header
+    When I successfully run `conjur authn authenticate -H`
+    Then the output should match /Authorization: Token token=".*"/

data/acceptance-features/authentication/login.feature

@@ -0,0 +1,14 @@
+Feature: Login a new user
+
+  Scenario: Login a new user with a password
+    Given I run `conjur user create -p alice@$ns` interactively
+    And I type "foobar"
+    And I type "foobar"
+    And the exit status should be 0
+    And I keep the JSON response at "login" as "LOGIN"
+    And I run `conjur authn login alice@$ns` interactively
+    And I type "foobar"
+    And the exit status should be 0
+    And I successfully run `conjur authn whoami`
+    Then the JSON at "username" should be %{LOGIN}
+    

data/acceptance-features/authentication/logout.feature

@@ -0,0 +1,16 @@
+Feature: Logout the user
+
+  Scenario: Login a new user with a password
+    Given I run `conjur user create -p alice@$ns` interactively
+    And I type "foobar"
+    And I type "foobar"
+    And the exit status should be 0
+    And I keep the JSON response at "login" as "LOGIN"
+    And I run `conjur authn login alice@$ns` interactively
+    And I type "foobar"
+    And the exit status should be 0
+    And I successfully run `conjur authn logout`
+    Then the stdout from "conjur authn logout" should contain exactly "Logged out\n"
+    And I run `conjur authn whoami`
+    And the exit status should be 255
+    And the stderr from "conjur authn whoami" should contain "error: Not logged in"

data/acceptance-features/authentication/whoami.feature

@@ -0,0 +1,5 @@
+Feature: Show the current user
+
+  Scenario: Show the current user
+    When I successfully run `conjur authn whoami`
+    Then the JSON should have "username"

data/acceptance-features/authorization/resource/annotate.feature

@@ -0,0 +1,35 @@
+Feature: Annotate a resource
+
+  Background:
+    Given I successfully run `conjur resource create food:$ns/bacon`
+  
+  Scenario: Annotations are stored and returned when the resource is displayed
+    Given I successfully run `conjur resource annotate food:$ns/bacon preparation-style crispy`
+    When I successfully run `conjur resource show food:$ns/bacon`
+    And the JSON at "annotations" should have 1 entry
+    And the JSON at "annotations/0/name" should be "preparation-style"
+    And the JSON at "annotations/0/value" should be "crispy"
+    
+  Scenario: Privilege is required to manage annotations
+    Given I login as a new user
+    And I run `conjur resource annotate food:$ns/bacon preparation-style crispy`
+    Then the exit status should be 1
+
+  Scenario: Read privilege is insufficient to manage annotations
+    Given I create a new user named "alice@$ns"
+    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns read`
+    And I login as "alice@$ns"
+    Then I run `conjur resource annotate food:$ns/bacon preparation-style crispy`
+    Then the exit status should be 1
+
+  Scenario: Update privilege is sufficient to manage annotations
+    Given I create a new user named "alice@$ns"
+    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns update`
+    And I login as "alice@$ns"
+    Then I successfully run `conjur resource annotate food:$ns/bacon preparation-style crispy`
+  
+  Scenario: Annotations are searchable
+    Given I successfully run `conjur resource annotate food:$ns/bacon preparation-style crispy`
+    When I successfully run `conjur resource list -k food -s "$ns crispy"`
+    Then the JSON should have 1 entry
+    And the JSON at "0/annotations/preparation-style" should be "crispy"

data/acceptance-features/authorization/resource/check.feature

@@ -0,0 +1,22 @@
+Feature: Checking permissions on a resource
+
+  Background:
+    Given I successfully run `conjur resource create food:$ns/bacon`
+
+  Scenario: By default I check my own privilege
+    In this case, I have the privilege because I own the resource
+  
+    When I successfully run `conjur resource check food:$ns/bacon fry`
+    Then the stdout from "conjur resource check food:$ns/bacon fry" should contain "true"
+
+  Scenario: I can check the privileges of roles that I own
+    When I successfully run `conjur role create job:$ns/cook`
+    And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
+    Then the stdout from "conjur resource check -r job:$ns/cook food:$ns/bacon fry" should contain "false"
+    
+  Scenario: I can check the privileges of roles that I own
+    When I successfully run `conjur role create job:$ns/cook`
+    And I successfully run `conjur resource permit food:$ns/bacon job:$ns/cook fry`
+    And I successfully run `conjur resource check -r job:$ns/cook food:$ns/bacon fry`
+    Then the stdout from "conjur resource check -r job:$ns/cook food:$ns/bacon fry" should contain "true"
+    

data/acceptance-features/authorization/resource/create.feature

@@ -0,0 +1,19 @@
+Feature: Create a Resource
+
+  Scenario: Create an abstract resource
+    When I successfully run `conjur resource create food:$ns/bacon`
+    Then the JSON should have "id"
+    And the JSON should have "owner"
+    And the JSON should have "permissions"
+    And the JSON should have "annotations"
+
+  Scenario: The resource owner has all privileges on it
+    When I successfully run `conjur resource create food:$ns/bacon`
+    And I successfully run `conjur resource check food:$ns/bacon fry`
+    Then the stdout from "conjur resource check food:$ns/bacon fry" should contain "true"
+
+  Scenario: A different role can be assigned as the owner of the resource
+    When I successfully run `conjur role create job:$ns/chefs`
+    And I successfully run `conjur resource create --as-role job:$ns/chefs food:$ns/bacon`
+    And I successfully run `conjur resource check -r job:$ns/chefs food:$ns/bacon fry`
+    Then the stdout from "conjur resource check -r job:$ns/chefs food:$ns/bacon fry" should contain "true"

data/acceptance-features/authorization/resource/deny.feature

@@ -0,0 +1,12 @@
+Feature: Deny a privilege on a Resource
+
+  Background:
+    Given I successfully run `conjur resource create food:$ns/bacon`
+
+  Scenario: Once granted, privileges can be revoked
+  
+    Given I create a new user named "alice@$ns"
+    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns fry`
+    When I successfully run `conjur resource deny food:$ns/bacon user:alice@$ns fry`
+    And I successfully run `conjur resource show food:$ns/bacon`
+    Then the JSON at "permissions" should have 0 items

data/acceptance-features/authorization/resource/exists.feature

@@ -0,0 +1,16 @@
+Feature: Test the existance of a resource
+
+  Scenario: Existing resources can be detected
+    Given I successfully run `conjur resource create food:$ns/bacon`
+    When I successfully run `conjur resource exists food:$ns/bacon`
+    Then the stdout from "conjur resource exists food:$ns/bacon" should contain "true"
+
+  Scenario: Non-existant resources are reported as such
+    When I successfully run `conjur resource exists food:$ns/bacon`
+    Then the stdout from "conjur resource exists food:$ns/bacon" should contain "false"
+  
+  Scenario: Even foreign user can check existance of a resource 
+    Given I successfully run `conjur resource create food:$ns/bacon`
+    And I login as a new user 
+    And I run `conjur resource exists food:$ns/bacon`
+    Then the stdout from "conjur resource exists food:$ns/bacon" should contain "true"

data/acceptance-features/authorization/resource/give.feature

@@ -0,0 +1,22 @@
+Feature: Give a resource to another role
+
+  Scenario: I can give a resource which I own to another role
+    Given I successfully run `conjur resource create food:$ns/bacon`
+    And I create a new user named "alice@$ns"
+    Then I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
+
+  Scenario: Resource owner is in the 'owner' field
+    Given I successfully run `conjur resource create food:$ns/bacon`
+    And I create a new user named "alice@$ns"
+    And I keep the JSON at "roleid" as "USERID"
+    Then I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
+    And I successfully run `conjur resource show food:$ns/bacon`
+    Then the JSON at "owner" should be %{USERID}
+
+  Scenario: When I give a resource away, I give all permissions
+    Given I successfully run `conjur resource create food:$ns/bacon`
+    And I create a new user named "alice@$ns"
+    And I successfully run `conjur resource give food:$ns/bacon user:alice@$ns`
+    And I login as "alice@$ns"
+    When I successfully run `conjur resource check food:$ns/bacon fry`
+    Then the stdout from "conjur resource check food:$ns/bacon fry" should contain "true"

data/acceptance-features/authorization/resource/permit.feature

@@ -0,0 +1,20 @@
+Feature: Permit a privilege on a Resource
+
+  Background:
+    Given I successfully run `conjur resource create food:$ns/bacon`
+
+  Scenario: Permission can be granted to a new user
+  
+    Given I create a new user named "alice@$ns"
+    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns fry`
+    And I successfully run `conjur resource show food:$ns/bacon`
+    Then the JSON at "permissions" should have 1 item
+    And the JSON at "permissions/0/privilege" should be "fry"
+    And the JSON at "permissions/0/grant_option" should be false
+
+   Scenario: When granted with "grantable" option, the grantee can grant the privilege to other roles (supported since CLI 4.10.2)
+    Given I create a new user named "alice@$ns"
+    And I create a new user named "bob@$ns"
+    And I successfully run `conjur resource permit --grantable food:$ns/bacon user:alice@$ns fry`
+    And I login as "alice@$ns"
+    Then I successfully run `conjur resource permit food:$ns/bacon user:bob@$ns fry`

data/acceptance-features/authorization/resource/permitted_roles.feature

@@ -0,0 +1,16 @@
+Feature: List roles which have a permission on a resource
+
+  Background:
+    Given I successfully run `conjur resource create food:$ns/bacon`
+
+  Scenario: The owner of a resource is always listed in permitted_roles
+    When I successfully run `conjur resource permitted_roles food:$ns/bacon fry`
+    Then the JSON should include %{MY_ROLEID}
+
+  Scenario: When a permission is granted to a new user, the user is listed in permitted_roles
+    Given I create a new user named "alice@$ns"
+    And I keep the JSON at "roleid" as "USERID"
+    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns fry`
+    When I successfully run `conjur resource permitted_roles food:$ns/bacon fry`
+    Then the JSON should include %{USERID}
+    

data/acceptance-features/authorization/resource/show.feature

@@ -0,0 +1,26 @@
+Feature: Show a resource
+
+  Background:
+    Given I successfully run `conjur resource create food:$ns/bacon`
+  
+  Scenario: Showing a resource displays all its fields
+    When I successfully run `conjur resource show food:$ns/bacon`
+    Then the JSON should have "id"
+    And the JSON should have "owner"
+    And the JSON should have "permissions"
+    And the JSON should have "annotations"
+
+  Scenario: You can't show a resource on which you have no privileges
+    Given I login as a new user
+    When I run `conjur resource show food:$ns/bacon`
+    Then the exit status should be 1
+    And the output from "conjur resource show food:$ns/bacon" should contain "Forbidden"
+    
+  Scenario: You can show any resource if you have a privilege on it
+    Once alice has a permission to fry bacon, she can show everything
+    about bacon.
+  
+    Given I create a new user named "alice@$ns"
+    And I successfully run `conjur resource permit food:$ns/bacon user:alice@$ns fry`
+    And I login as "alice@$ns"
+    Then I successfully run `conjur resource show food:$ns/bacon`

data/acceptance-features/authorization/role/create.feature

@@ -0,0 +1,13 @@
+Feature: Create a Role
+
+  Scenario: Create an abstract role
+    When I run `conjur role create job:$ns/chef`
+    Then the exit status should be 0
+    And the output should contain "Created role"
+
+  Scenario: Role owner has the new role listed in its memberships
+    When I run `conjur role create --json --as-group $ns/security_admin job:$ns/chef`
+    Then the exit status should be 0
+    And I keep the JSON response at "roleid" as "ROLEID"
+    And I run `conjur role memberships group:$ns/security_admin`
+    And the JSON should include %{ROLEID}

data/acceptance-features/authorization/role/exists.feature

@@ -0,0 +1,19 @@
+Feature: Test existance of a role
+
+  Scenario: A never-created role does not exist
+    When I successfully run `conjur role exists --json food:$ns/nonesuch`
+    Then the JSON at "exists" should be false
+
+  Scenario: A created role does exist
+    When I successfully run `conjur role create --json food:$ns/bacon`
+    And I keep the JSON response at "roleid" as "ROLEID"
+    And I successfully run `conjur role exists --json %{ROLEID}`
+    Then the JSON at "exists" should be true
+
+  Scenario: Even foreign user can check existance of a role 
+    When I successfully run `conjur role create --json food:$ns/bacon`
+    And I keep the JSON response at "roleid" as "ROLEID"
+    And I login as a new user 
+    And I run `conjur role exists --json %{ROLEID}`
+    Then the JSON at "exists" should be true
+  

data/acceptance-features/authorization/role/grant_to.feature

@@ -0,0 +1,21 @@
+Feature: Grant membership in a role to another role
+  
+  Scenario: Granting a role confers membership
+    When I successfully run `conjur role create job:$ns/cooks`
+    And I successfully run `conjur role create people:$ns/alice`
+    And I successfully run `conjur role grant_to job:$ns/cooks people:$ns/alice`
+    And I successfully run `conjur role members job:$ns/cooks`
+    Then the JSON should have 2 entries
+    
+  Scenario: Granting a role gives the grantee permissions of the granted role
+    When I successfully run `conjur role create job:$ns/cooks`
+    And I successfully run `conjur role create people:$ns/alice`
+    And  I successfully run `conjur resource create food:$ns/bacon`
+    And I successfully run `conjur resource permit food:$ns/bacon job:$ns/cooks fry`
+    And I successfully run `conjur resource check -r job:$ns/cooks food:$ns/bacon fry`
+    Then the output should contain "true"
+    When I successfully run `conjur resource check -r people:$ns/alice food:$ns/bacon fry`
+    Then the output should contain "false"
+    When I successfully run `conjur role grant_to job:$ns/cooks people:$ns/alice`
+    And I successfully run `conjur resource check -r people:$ns/alice food:$ns/bacon fry`
+    Then the output should contain "true"

data/acceptance-features/authorization/role/graph.feature

@@ -0,0 +1,58 @@
+@real-api
+Feature: Retrieving role graphs
+  As a Conjur user
+  In order to understand the role hierarchy
+  I want to retrieve role graphs and present them in a useful format
+
+Background:
+  Given a graph with edges
+    | Tywin     | Jamie         |
+    | Tywin     | Cersei        |
+    | Cersei    | Joffrey       |
+    | Jamie     | Joffrey       |
+    | Aerys     | Tyrion        |
+    | Joanna    | Tyrion        |
+
+  Scenario: Showing the graph as JSON
+    When I successfully run with role expansion "conjur role graph --as-role Joffrey Joffrey"
+    Then the graph JSON should be:
+      """
+        {
+          "graph": [
+            { "parent": "Tywin",  "child": "Jamie" },
+            { "parent": "Tywin",  "child": "Cersei"},
+            { "parent": "Cersei", "child": "Joffrey"},
+            { "parent": "Jamie",  "child": "Joffrey" }
+          ]
+        }
+      """
+
+  Scenario: Short JSON output
+    When I successfully run with role expansion "conjur role graph --short --as-role Joffrey Joffrey"
+    Then the graph JSON should be:
+      """
+        [
+          [ "Tywin", "Jamie"   ],
+          [ "Tywin", "Cersei"  ],
+          [ "Jamie", "Joffrey" ],
+          [ "Cersei", "Joffrey"]
+        ]
+      """
+
+  Scenario: I can restrict the output to show only ancestors or descendants
+    When I successfully run with role expansion "conjur role graph --short --no-ancestors --as-role Cersei Cersei"
+    Then the graph JSON should be:
+      """
+        [
+          [ "Cersei", "Joffrey" ]
+        ]
+      """
+    When I successfully run with role expansion "conjur role graph --short --no-descendants --as-role Cersei Cersei Jamie"
+    Then the graph JSON should be:
+      """
+        [
+          [ "Tywin", "Cersei" ],
+          [ "Tywin", "Jamie"  ]
+        ]
+      """
+

data/acceptance-features/authorization/role/members.feature

@@ -0,0 +1,23 @@
+Feature: List members of a role
+
+  Scenario: Role members list is initally just the creator of the role
+    When I successfully run `conjur role create job:$ns/chef`
+    And I successfully run `conjur role members job:$ns/chef`
+    Then the JSON should have 1 entries
+
+  Scenario: Members can be added to the role by granting them the role
+    When I successfully run `conjur role create job:$ns/chef`
+    And I successfully run `conjur user create alice@$ns`
+    And I successfully run `conjur role grant_to job:$ns/chef user:alice@$ns`
+    And I successfully run `conjur role members job:$ns/chef`
+    Then the JSON should have 2 entries
+
+  Scenario: Members list is not expanded transitively
+    When I successfully run `conjur role create job:$ns/chef`
+    And I successfully run `conjur group create $ns/cooks`
+    And I successfully run `conjur user create alice@$ns`
+    And I successfully run `conjur group members add $ns/cooks user:alice@$ns`
+    When I successfully run `conjur role grant_to job:$ns/chef group:$ns/cooks`
+    And I successfully run `conjur role members job:$ns/chef`
+    Then the JSON should have 2 entries
+    

data/acceptance-features/authorization/role/memberships.feature

@@ -0,0 +1,27 @@
+Feature: List memberships of a role
+
+  Scenario: The role memberships list includes the role itself
+    Given I successfully run `conjur role create job:$ns/chef`
+    When I successfully run `conjur role memberships job:$ns/chef`
+    Then the JSON should have 1 entries
+
+  Scenario: Memberships can be added to a role by granting it a new role
+    Given I successfully run `conjur role create job:$ns/cook`
+    And I successfully run `conjur role create job:$ns/chef`
+    # Cooks are chefs
+    And I successfully run `conjur role grant_to job:$ns/cook job:$ns/chef`
+    When I successfully run `conjur role memberships job:$ns/chef`
+    # Therefore chefs are cooks and chefs
+    Then the JSON should have 2 entries
+
+  Scenario: Members list is expanded transitively
+    Given I successfully run `conjur role create person:$ns/myself`
+    And I successfully run `conjur role create job:$ns/cook`
+    And I successfully run `conjur role create job:$ns/chef`
+    # I am a chef
+    And I successfully run `conjur role grant_to job:$ns/chef person:$ns/myself`
+    # Chefs are cooks
+    And I successfully run `conjur role grant_to job:$ns/cook job:$ns/chef`
+    When I successfully run `conjur role memberships person:$ns/myself`
+    # Therefore I am me, a cook, and a chef
+    Then the JSON should have 3 entries