conjur-cli 4.27.0 → 4.28.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 269e8ed2d2f6b69c7562c3c40fb4f34ff96e0788
-  data.tar.gz: db804ffbb9219ece6834a554aa142a76a731fab5
+  metadata.gz: 8e6ae515f092a2c41963452c0a2fcc0aa8ec0f2c
+  data.tar.gz: 0ecbfa2d23e3dcc763afa1be03e978b709c515c0
 SHA512:
-  metadata.gz: 0b77f202ea2b76ec7593d1bd98c2799b4771ce6a9e05564cde88c6dc09150097dfd23fb9a72902c53886aa1f85d0472f32185a42d6ae230209066245fa80c91d
-  data.tar.gz: 39a144652fc0ae5dbfc59af883bbfaab2deb6c87a8a59da62403500eecf1497f77f5797e81ccee68f21892efe185d0a1a53726133f48b990436472e6165a673b
+  metadata.gz: f587e417fdcb8a9f0832ce3682706e4363cf8a3b69c3e14eb965ffdff84f157c7578387dd9f5e8c860eb5fcd912d6e263ee28b71d6961c1015f45a64a70a4c0b
+  data.tar.gz: 558101ef2d363276511d821b217563ffaec1595b0c1799a4f785e3eec7663aec40a95d5fec8f20fc8d12ca19e21a680c5a96ffae194c4849b1433ab53fc3d10d

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+# 4.28.0
+* Add `conjur policy retire` to allow retiring a policy.
+* Fix `--as-group` and `--as-role` options for `conjur policy load`. Either can now be used to specify ownership of the policy.
+* Fix `--follow` option for `conjur audit`.
+* Remove support for per-project `.conjurrc` files.
+
 # 4.27.0
 
 * New commands `elevate` and `reveal` for execution of privileged commands on Conjur 4.5+.

data/Gemfile

@@ -1,5 +1,6 @@
 source 'https://rubygems.org'
 
+#ruby=ruby-2.1.5
 #ruby-gemset=conjur-cli
 
 # Specify your gem's dependencies in conjur.gemspec

data/acceptance-features/audit/fetch.feature

@@ -0,0 +1,16 @@
+Feature: Fetch audit events
+
+  Background:
+    Given I successfully run `conjur variable create $ns/secret MY_SECRET`
+    And I successfully run `conjur variable value $ns/secret`
+    
+  Scenario: Fetch works
+    When I successfully run `conjur audit resource -s variable:$ns/secret`
+    Then the output should match /checked that they can execute .*:variable:.*secret/
+
+  Scenario: Follow works
+      # Implementation constraints prevent an exit code of 0 when using
+    # --follow and --limit, so can't say "When I run successfully..."
+    When I run `conjur audit resource -s -f -l 2 variable:$ns/secret`
+    Then the output should match /checked that they can execute .*:variable:.*secret/
+    

data/acceptance-features/dsl/policy_owner.feature

@@ -0,0 +1,31 @@
+Feature: Loading a policy can specify the policy's admin
+
+  Background:
+    Given I successfully run `conjur group create $ns/admin`
+    And a file named "policy.rb" with:
+    """
+policy 'test-policy-1.0' do
+  user "test_user"
+end
+    """
+
+  Scenario: --as-group works
+    When I run `conjur policy load --as-group $ns/admin --collection $ns` interactively
+    And I pipe in the file "policy.rb"
+    And the exit status should be 0
+    When I run `conjur role members policy:$ns/test-policy-1.0`
+    Then the output from "conjur role members policy:$ns/test-policy-1.0" should match /group:.*$ns.admin/
+
+  Scenario: --as-role works
+    When I run `conjur policy load --as-role group:$ns/admin --collection $ns` interactively
+    And I pipe in the file "policy.rb"
+    And the exit status should be 0
+    When I run `conjur role members policy:$ns/test-policy-1.0`
+    Then the output from "conjur role members policy:$ns/test-policy-1.0" should match /group:.*$ns.admin/
+
+  Scenario: --as-group doesn't interfere with policy ownership of other resources
+    When I run `conjur policy load --as-group $ns/admin --collection $ns` interactively
+    And I pipe in the file "policy.rb"
+    And the exit status should be 0
+    When I run `conjur resource show user:test_user@$ns-test-policy-1-0 | jsonfield owner`
+    Then the output from "conjur resource show user:test_user@$ns-test-policy-1-0 | jsonfield owner" should match /policy:$ns.test-policy-1.0/

data/acceptance-features/dsl/resource_owner.feature

@@ -0,0 +1,17 @@
+Feature: Resources created by a policy are owned by the policy
+
+  Background:
+    Given a file named "policy.rb" with:
+    """
+policy 'test-policy-1.0' do
+  resource 'webservice', 'web1'
+end
+    """
+
+  Scenario: resource is create with correct ownership
+    When I run `conjur policy load --collection $ns` interactively
+    And I pipe in the file "policy.rb"
+    And the exit status should be 0
+    When I run `conjur resource show webservice:$ns/test-policy-1.0/web1 | jsonfield owner`
+    Then the output from "conjur resource show webservice:$ns/test-policy-1.0/web1 | jsonfield owner" should match /policy:$ns.test-policy-1.0/
+

data/acceptance-features/dsl/retire.feature

@@ -0,0 +1,15 @@
+Feature: Retire a policy
+  Background:
+    Given a file named "policy.rb" with:
+    """
+policy 'test-policy-1.0' do
+end
+    """
+    And I run `conjur policy load --as-role user:admin@$ns --collection $ns` interactively
+    And I pipe in the file "policy.rb"
+    And the exit status should be 0
+
+  @wip
+  Scenario: Basic retirement
+    Then I successfully run `conjur policy retire -d user:attic@$ns $ns/test-policy-1.0`
+

data/acceptance-features/step_definitions/cli.rb

@@ -19,3 +19,7 @@ Then /^it prints the path to temporary file which contains: '(.*)'$/ do |content
   actual_content=File.read(filename) rescue ""
   expect(actual_content).to match(content)
 end
+
+Then /^the output from "([^"]*)" should match \/([^\/]*)\/$/ do |cmd, expected|
+  assert_matching_output(expected, output_from(cmd))
+end

data/features/step_definitions/dsl_steps.rb

@@ -17,7 +17,11 @@ Then(/^the model should contain "(.*?)" \/(.*?)\/$/) do |kind, id|
 end
 Then(/^the "(.*?)" "(.*?)" should be owned by "(.*?)"$/) do |kind, id, owner|
   step "the model should contain \"#{kind}\" \"#{id}\""
-  @mock_api.thing(kind, id).ownerid.should == owner
+  if kind == 'role' || kind == 'resource'
+    @mock_api.thing(kind, id).acting_as.should == owner
+  else
+    @mock_api.thing(kind, id).ownerid.should == owner
+  end
 end
 
 Then(/^the "(.*?)" "(.*?)" should not have an owner$/) do |kind, id|

data/lib/conjur/command/audit.rb

@@ -22,7 +22,8 @@ class Conjur::Command
           message_part = e[:audit_message] ? "; message: #{e[:audit_message]}" : ""
           statement = [ action_part, actor_part, resource_part, allowed_part ].compact.join(" ")
           "reported #{statement}"+ message_part
-        }
+        },
+        'conjur:use_extra_privilege' => lambda{|e| "requested extra privilege #{e[:privilege]}"}
       }
 
       def ssh_sudo_message(e)
@@ -70,13 +71,26 @@ class Conjur::Command
       end
       
       def show_audit_events events, options
+        @count ||= 0
+        
         events = [events] unless events.kind_of?(Array)
         # offset and limit options seem to be broken. this is a temporary workaround (should be applied on server-side eventually)
         events = events.drop(options[:offset]) if options[:offset]
         events = events.take(options[:limit]) if options[:limit]
 
         if options[:short]
-          events.each{|e| puts short_event_format(e)}
+          events.each do |e|
+            puts short_event_format(e)
+            
+            # Undocumented, but for the sake of testing.... Allow
+            # --limit with --follow. When we hit the limit, bail out
+            # immediately: don't raise any exceptions, don't print any
+            # messages, just exit with status 0.
+            @count += 1
+            if options[:follow] && @count == options[:limit]
+              exit_now! 0
+            end
+          end
         else
           events.each{|e| puts JSON.pretty_generate(e) }
         end

data/lib/conjur/command/policy.rb

@@ -50,7 +50,7 @@ ids.
 
 The first path element of each id is the collection. Policies are separated into collections
 according to software development lifecycle. The default collection for a policy is $USER@$HOSTNAME,
-in other words, the username and hostname on which the policy is created. This is approriate for
+in other words, the username and hostname on which the policy is created. This is appropriate for
 policy development and local testing. Once tested, policies can be created in more official
 environments such as ci, stage, and production.
 
@@ -84,5 +84,33 @@ owner of the policy role is the logged-in user (you), as always.
         end
       end
     end
+
+    policy.desc 'Decommision a policy'
+    policy.arg_name 'POLICY'
+    policy.command :retire do |c|
+      retire_options c
+
+      c.action do |global_options, options, args |
+        id = "policy:#{require_arg(args, 'POLICY')}"
+
+        # policy isn't a rolsource (yet), but we can pretend
+        Policy = Struct.new(:role, :resource)
+        policy = Policy.new(api.role(id), api.resource(id))
+
+        validate_retire_privileges(policy, options)
+        
+        retire_resource(policy)
+        
+        # The policy resource is owned by the policy role. Having the
+        # policy role is what allows us to administer it. So, we have
+        # to give the resource away before we can revoke the role.
+        give_away_resource(policy, options)
+        
+        retire_role(policy)
+
+        puts 'Policy retired'
+      end
+    end
+    
   end
 end

data/lib/conjur/config.rb

@@ -37,11 +37,11 @@ module Conjur
           homefile = File.expand_path "~/.conjurrc"
           pwdfile = File.expand_path ".conjurrc"
           if homefile != pwdfile && File.file?(pwdfile)
-            $stderr.puts "WARNING: .conjurrc file from current directory is " +
-                "used. This behaviour is deprecated. Use ENV['CONJURRC'] to " +
-                "explicitly define custom configuration file if needed"
+            $stderr.puts """NOTE:\t.conjurrc file detected in the current directory.\n"\
+                "\tIt's no longer consulted in this version. Please explicitly\n"\
+                "\tset CONJURRC=./.conjurrc if you're sure you want to use it."
           end
-          [ homefile, pwdfile ]
+          [ homefile ]
         end
       end
 

data/lib/conjur/dsl/runner.rb

@@ -194,6 +194,13 @@ module Conjur
 
         unless (obj = api.send(find_method, id)) && obj.exists?
           options = expand_options(options)
+
+          # create_resource and create_role expect :acting_as to
+          # specify the "owning" role.
+          if create_method == :create_resource || create_method == :create_role
+            options[:acting_as] = options.delete(:ownerid) if options[:ownerid]
+          end
+
           obj = if create_method == :create_variable
             #NOTE: it duplicates logic of "create_variable" method above
             #   https://basecamp.com/1949725/projects/4268938-api-version-4-x/todos/84972543-low-variable

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.27.0"
+  VERSION = "4.28.0"
   ::Version=VERSION
 end

data/spec/command/audit_spec.rb

@@ -330,6 +330,17 @@ describe Conjur::Command::Audit, logged_in: true do
           end
         end
       end
+
+      describe '(conjur:use_extra_privilege)' do
+        let(:priv) { 'elevate' }
+        let(:test_event) { default_audit_event.merge('kind' => 'conjur', 'action' => 'use_extra_privilege', 'privilege' => priv) }
+        
+        it_behaves_like 'it supports standard prefix:'
+        it_behaves_like 'it recognizes error messages:'
+        it 'prints the extra privilege' do
+          expect { invoke }.to write(" requested extra privilege #{priv}")
+        end
+      end
         
     end
   end

data/spec/command/elevate_spec.rb

@@ -20,7 +20,7 @@ describe Conjur::Command::Elevate do
         url: "https://core.example.com/users/alice",
         username: "dknuth",
         headers: {:authorization=>"Token token=\"eyJsb2dpbiI6ImRrbnV0aCJ9\"", x_conjur_privilege: "elevate"}
-      }.merge(cert_store_options)).and_return(double(:response, body: "[]"))
+      }).and_return(double(:response, body: "[]"))
       
       invoke
     end

data/spec/command/groups_spec.rb

@@ -35,7 +35,7 @@ describe Conjur::Command::Groups, logged_in: true do
         url: "https://authz.example.com/the-account/roles/group/group/?members&member=user:alice",
         headers: {},
         payload: nil
-      }.merge(cert_store_options))
+      })
       invoke
     end
   end
@@ -47,7 +47,7 @@ describe Conjur::Command::Groups, logged_in: true do
         url: "https://authz.example.com/the-account/roles/group/group/?members&member=user:alice",
         headers: {},
         payload: { admin_option: true }
-      }.merge(cert_store_options))
+      })
       invoke
     end
   end
@@ -58,7 +58,7 @@ describe Conjur::Command::Groups, logged_in: true do
         url: "https://authz.example.com/the-account/roles/group/group/?members&member=user:alice",
         headers: {},
         payload: { admin_option: true }
-      }.merge(cert_store_options))
+      })
       invoke
     end
   end
@@ -70,7 +70,7 @@ describe Conjur::Command::Groups, logged_in: true do
         url: "https://authz.example.com/the-account/roles/group/group/?members&member=user:alice",
         headers: {},
         payload: { admin_option: false }
-       }.merge(cert_store_options))
+       })
       invoke
     end
   end

data/spec/command/hosts_spec.rb

@@ -10,7 +10,7 @@ describe Conjur::Command::Hosts, logged_in: true do
         url: collection_url,
         headers: {},
         payload: {}
-        }.merge(cert_store_options)).and_return(post_response('assigned-id'))
+        }).and_return(post_response('assigned-id'))
 
       expect { invoke }.to write({ id: 'assigned-id' }).to(:stdout)
     end
@@ -22,9 +22,9 @@ describe Conjur::Command::Hosts, logged_in: true do
         url: collection_url,
         headers: {},
         payload: { id: 'the-id' }
-      }.merge(cert_store_options)).and_return(post_response('the-id'))
+      }).and_return(post_response('the-id'))
 
       expect { invoke }.to write({ id: 'the-id' }).to(:stdout)
     end
   end
-end
+end

data/spec/command/users_spec.rb

@@ -64,7 +64,7 @@ describe Conjur::Command::Users, logged_in: true do
         password: api_key,
         headers: { },
         payload: "new-password"
-       }.merge(cert_store_options))
+       })
     end
     
     describe_command "user:update_password -p new-password" do

data/spec/command/variables_spec.rb

@@ -58,7 +58,7 @@ describe Conjur::Command::Variables, logged_in: true do
           url: collection_url,
           headers: {},
           payload: full_payload
-        }.merge(cert_store_options)).and_return(variable)
+        }).and_return(variable)
     end
     
     describe_command "variable:create the-id the-different-value" do
@@ -144,7 +144,7 @@ describe Conjur::Command::Variables, logged_in: true do
                 method: :head,
                 url: 'https://authz.example.com/the-account/roles/group/the-group',
                 headers: {}
-              }.merge(cert_store_options)).and_return(OpenStruct.new(headers: {}, body: '{}'))
+              }).and_return(OpenStruct.new(headers: {}, body: '{}'))
           end
             
           let(:full_payload) { base_payload.merge(ownerid: 'the-account:group:the-group') }
@@ -158,7 +158,7 @@ describe Conjur::Command::Variables, logged_in: true do
                 method: :head,
                 url: 'https://authz.example.com/the-account/roles/group/the-group',
                 headers: {}
-              }.merge(cert_store_options)).and_return(OpenStruct.new(headers: {}, body: '{}'))
+              }).and_return(OpenStruct.new(headers: {}, body: '{}'))
           end
             
           let(:full_payload) { base_payload.merge(ownerid: 'the-account:group:the-group') }

data/spec/config_spec.rb

@@ -16,7 +16,7 @@ describe Conjur::Config do
       ENV['HOME'] = realhome
     end
 
-    let(:deprecation_warning) { "WARNING: .conjurrc file from current directory is used. This behaviour is deprecated. Use ENV['CONJURRC'] to explicitly define custom configuration file if needed" }
+    let(:deprecation_warning) { /\.conjurrc/ }
 
     shared_examples "no deprecation warning" do
       it "does not issue a deprecation warning" do
@@ -36,7 +36,6 @@ describe Conjur::Config do
 
       it { is_expected.to include('/etc/conjur.conf') }
       it { is_expected.to include("#{homedir}/.conjurrc") }
-      it { is_expected.to include('.conjurrc') }
 
       before do
         allow(File).to receive(:expand_path).and_call_original
@@ -49,6 +48,10 @@ describe Conjur::Config do
           expect { subject }.to write(deprecation_warning).to(:stderr)
         end
 
+        it "doesn't use the file" do
+          expect(subject).to_not include '.conjurrc'
+        end
+
         context "but the current directory is home" do
           before do
             allow(File).to receive(:expand_path).and_call_original
@@ -114,7 +117,29 @@ describe Conjur::Config do
     }
 
     context "ssl_certificate string" do
-      let(:ssl_certificate){ 'the-certificate' }
+      let(:ssl_certificate) do
+        """-----BEGIN CERTIFICATE-----
+MIIDPjCCAiagAwIBAgIVAKW1gdmOFrXt6xB0iQmYQ4z8Pf+kMA0GCSqGSIb3DQEB
+CwUAMD0xETAPBgNVBAoTCGN1Y3VtYmVyMRIwEAYDVQQLEwlDb25qdXIgQ0ExFDAS
+BgNVBAMTC2N1a2UtbWFzdGVyMB4XDTE1MTAwNzE2MzAwNloXDTI1MTAwNDE2MzAw
+NlowFjEUMBIGA1UEAwwLY3VrZS1tYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC9e8bGIHOLOypKA4lsLcAOcDLAq+ICuVxn9Vg0No0m32Ok/K7G
+uEGtlC8RidObntblUwqdX2uP7mqAQm19j78UTl1KT97vMmmFrpVZ7oQvEm1FUq3t
+FBmJglthJrSbpdZjLf7a7eL1NnunkfBdI1DK9QL9ndMjNwZNFbXhld4fC5zuSr/L
+PxawSzTEsoTaB0Nw0DdRowaZgrPxc0hQsrj9OF20gTIJIYO7ctZzE/JJchmBzgI4
+CdfAYg7zNS+0oc0ylV0CWMerQtLICI6BtiQ482bCuGYJ00NlDcdjd3w+A2cj7PrH
+wH5UhtORL5Q6i9EfGGUCDbmfpiVD9Bd3ukbXAgMBAAGjXDBaMA4GA1UdDwEB/wQE
+AwIFoDAdBgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwKQYDVR0RBCIwIIIL
+Y3VrZS1tYXN0ZXKCCWxvY2FsaG9zdIIGY29uanVyMA0GCSqGSIb3DQEBCwUAA4IB
+AQBCepy6If67+sjuVnT9NGBmjnVaLa11kgGNEB1BZQnvCy0IN7gpLpshoZevxYDR
+3DnPAetQiZ70CSmCwjL4x6AVxQy59rRj0Awl9E1dgFTYI3JxxgLsI9ePdIRVEPnH
+dhXqPY5ZIZhvdHlLStjsXX7laaclEtMeWfSzxe4AmP/Sm/er4ks0gvLQU6/XJNIu
+RnRH59ZB1mZMsIv9Ii790nnioYFR54JmQu1JsIib77ZdSXIJmxAtraJSTLcZbU1E
++SM3XCE423Xols7onyluMYDy3MCUTFwoVMRBcRWCAk5gcv6XvZDfLi6Zwdne6x3Y
+bGenr4vsPuSFsycM03/EcQDT
+-----END CERTIFICATE-----
+"""
+      end
       let(:certificate){ double('Certificate') }
       before{
           Conjur::Config.class_variable_set('@@attributes', {'ssl_certificate' => ssl_certificate})

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 4.27.0
+  version: 4.28.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-28 00:00:00.000000000 Z
+date: 2015-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -300,6 +300,7 @@ files:
 - README.md
 - Rakefile
 - acceptance-features/audit/audit_event_send.feature
+- acceptance-features/audit/fetch.feature
 - acceptance-features/audit/send.feature
 - acceptance-features/authentication/authenticate.feature
 - acceptance-features/authentication/login.feature
@@ -337,6 +338,9 @@ files:
 - acceptance-features/directory/variable/retire.feature
 - acceptance-features/directory/variable/value.feature
 - acceptance-features/directory/variable/values-add.feature
+- acceptance-features/dsl/policy_owner.feature
+- acceptance-features/dsl/resource_owner.feature
+- acceptance-features/dsl/retire.feature
 - acceptance-features/global-privilege/elevate.feature
 - acceptance-features/global-privilege/reveal.privilege
 - acceptance-features/pubkeys/add.feature