conjur-cli 4.1.1 → 4.3.0

data/.githooks/pre_commit/run_specs.rb

@@ -0,0 +1,23 @@
+require 'English'
+
+module Overcommit::GitHook
+  # Try to avoid commiting code which breaks specs.
+  # Install the hook with `overcommit .` in the top directory.
+  class SpecsPass < HookSpecificCheck
+    include HookRegistry
+    file_types :rb
+
+    def run_check
+      unless in_path?('rspec')
+        return :warn, 'rspec not installed -- run `gem install rspec`'
+      end
+
+      output = `rspec 2>&1`
+      if $CHILD_STATUS.exitstatus == 0
+        return :good
+      else
+        return :bad, output
+      end
+    end
+  end
+end

data/.gitignore

@@ -24,4 +24,4 @@ tmp
 .kateproject.d
 .idea
 .rvmrc
-
+update_ci.sh

data/Gemfile

@@ -3,5 +3,4 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in conjur.gemspec
 gemspec
 
-# when developing in parallel, you might want to uncomment the following:
 gem 'conjur-api', git: 'https://github.com/inscitiv/api-ruby.git', branch: 'master'

data/conjur.gemspec

@@ -20,6 +20,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency 'highline'
   gem.add_dependency 'netrc'
   gem.add_dependency 'methadone'
+  gem.add_dependency 'deep_merge'
   
   gem.add_runtime_dependency 'cas_rest_client'
   

data/features/dsl_context.feature

@@ -0,0 +1,36 @@
+@dsl
+Feature: Saving and restoring context
+
+  Background:
+
+  Scenario: Environment and api keys are saved in the context
+    When I run script:
+    """
+namespace do
+  user "bob"
+end
+    """
+    Then the context should contain "env"
+    And the context should contain "namespace"
+    And the context should contain "stack"
+    And the context should contain "account"
+    And the context should contain "api_keys"
+    And the context "api_keys" should contain "1" item
+
+  Scenario: API keys are restored from the context
+    When I use script context:
+    """
+{
+  "namespace": "foobar",
+  "api_keys": [
+    "the-api-key"
+  ]
+}
+    """
+    And I run script:
+    """
+namespace
+    """
+    Then the context "namespace" should be "foobar"
+    And the context "api_keys" should contain "1" item
+    

data/features/dsl_host_create.feature

@@ -0,0 +1,11 @@
+@dsl
+Feature: Creating a Host
+
+  Background:
+
+  Scenario: Host id is propagated properly to API#create_host
+    When I run script:
+    """
+host "the-host"
+    """
+    Then the model should contain "host" "the-host"

data/features/dsl_ownership.feature

@@ -0,0 +1,30 @@
+@dsl
+Feature: Assigning ownership
+
+  Background:
+
+  Scenario: Create without ownership
+    When I run script:
+    """
+role "user", "bob"
+    """
+    Then the "role" "cucumber:user:bob" should not have an owner
+
+  Scenario: Create with explicit ownership
+    When I run script:
+    """
+role "user", "bob", ownerid: "foobar"
+    """
+    Then the "role" "cucumber:user:bob" should be owned by "foobar"
+    
+  Scenario: Create with scoped ownership
+    When I run script:
+    """
+role "user", "bob" do
+  owns do
+    resource "food", "bacon"
+  end
+end
+    """
+    Then the "resource" "cucumber:food:bacon" should be owned by "cucumber:user:bob"
+    

data/features/dsl_permission.feature

@@ -0,0 +1,45 @@
+@dsl
+Feature: Manpipulating permissions
+
+  Background:
+
+  Scenario: Permit using Role#can
+    When I run script:
+    """
+bacon = resource "food", "bacon"
+role "user", "bob" do
+  can "fry", bacon
+end
+    """
+    Then "cucumber:user:bob" can "fry" "cucumber:food:bacon"
+
+  Scenario: Permit using Role#can with grant option
+    When I run script:
+    """
+bacon = resource "food", "bacon"
+role "user", "bob" do
+  can "fry", bacon, grant_option: true
+end
+    """
+    Then "cucumber:user:bob" can "fry" "cucumber:food:bacon" with grant option
+    
+  Scenario: Permit using Resource#permit
+    When I run script:
+    """
+bob = role "user", "bob"
+resource "food", "bacon" do
+  permit "fry", bob
+end
+    """
+    Then "cucumber:user:bob" can "fry" "cucumber:food:bacon"
+
+  Scenario: Permit using Resource#permit with grant option
+    When I run script:
+    """
+bob = role "user", "bob"
+resource "food", "bacon" do
+  permit "fry", bob, grant_option: true
+end
+    """
+    Then "cucumber:user:bob" can "fry" "cucumber:food:bacon" with grant option
+    

data/features/dsl_resource_create.feature

@@ -0,0 +1,23 @@
+@dsl
+Feature: Creating a resource
+
+  Background:
+
+  Scenario: Create with simple kind and id
+    When I run script:
+    """
+resource "food", "bacon"
+    """
+    Then the model should contain "resource" "cucumber:food:bacon"
+
+  Scenario: Create with scope
+    When I run script:
+    """
+scope "test" do
+  resource "food", "bacon"
+end
+resource "food", "eggs"
+    """
+    Then the model should contain "resource" "cucumber:food:test/bacon"
+    And the model should contain "resource" "cucumber:food:eggs"
+    

data/features/dsl_role_create.feature

@@ -0,0 +1,11 @@
+@dsl
+Feature: Creating a role
+
+  Background:
+
+  Scenario: Create with simple kind and id
+    When I run script:
+    """
+role "user", "bob"
+    """
+    Then the model should contain "role" "cucumber:user:bob"

data/features/dsl_user_create.feature

@@ -0,0 +1,23 @@
+@dsl
+Feature: Creating a User
+
+  Background:
+
+  Scenario: Users don't incorporate the namespace as a path prefix
+    When I run script:
+    """
+namespace do
+  user "bob"
+end
+    """
+    Then the model should contain "user" "bob"
+
+  Scenario: Namespace can be used as a no-arg method
+    When I run script:
+    """
+namespace "foobar" do
+  user "#{namespace}-bob"
+end
+    """
+    Then the model should contain "user" "foobar-bob"
+    

data/features/step_definitions/dsl_steps.rb

@@ -0,0 +1,46 @@
+When(/^I use script context:$/) do |context|
+  @context = JSON.parse context
+end
+
+When(/^I run script:$/) do |script|
+  require 'conjur/dsl/runner'
+  @runner = Conjur::DSL::Runner.new(script)
+  @runner.context = @context if @context
+  @runner.execute
+end
+
+Then(/^the model should contain "(.*?)" "(.*?)"$/) do |kind, id|
+  @mock_api.thing(kind, id).should_not be_nil
+end
+
+Then(/^the "(.*?)" "(.*?)" should be owned by "(.*?)"$/) do |kind, id, owner|
+  step "the model should contain \"#{kind}\" \"#{id}\""
+  @mock_api.thing(kind, id).ownerid.should == owner
+end
+
+Then(/^the "(.*?)" "(.*?)" should not have an owner$/) do |kind, id|
+  step "the model should contain \"#{kind}\" \"#{id}\""
+  @mock_api.thing(kind, id).ownerid.should be_nil
+end
+
+Then(/^"(.*?)" can "(.*?)" "(.*?)"( with grant option)?$/) do |role, privilege, resource, grant_option|
+  resource = @mock_api.thing(:resource, resource)
+  permission = resource.permissions.find do |p|
+    p.privilege == privilege && p.role == role && p.grant_option == !grant_option.nil?
+  end
+  raise "#{role} cannot #{privilege} #{resource.id} with#{grant_option ? "" : "out"} grant_option" unless permission
+end
+
+Then(/^the context should contain "(.*?)"$/) do |key|
+  @runner.context.should have_key(key.to_s)
+end
+
+Then(/^the context "(.*?)" should be "(.*?)"$/) do |key, value|
+  @runner.context[key].should == value
+end
+
+Then(/^the context "(.*?)" should contain "(.*?)" item$/) do |key, key_count|
+  step "the context should contain \"#{key}\""
+  @runner.context[key].should have(key_count.to_i).items
+end
+

data/features/support/env.rb

@@ -1,4 +1,5 @@
 require 'simplecov'
 require 'aruba/cucumber'
+require 'cucumber/rspec/doubles'
 
 SimpleCov.start

data/features/support/hooks.rb

@@ -0,0 +1,117 @@
+require 'ostruct'
+
+class MockAPI
+  attr_reader :things
+  
+  def initialize
+    @things = {}
+  end
+  
+  def thing(kind, id)
+    (@things[kind.to_sym] || []).find{|r| r.id == id}  
+  end
+  
+  def create_host(options = {})
+    id = options.delete(:id)
+    if id
+      host = thing(:host, id)
+    else
+      id = SecureRandom.uuid
+    end
+    host ||= create_thing(:host, id, options, role: true)
+  end
+  
+  def create_user(id, options = {})
+    thing(:user, id) || create_thing(:user, id, options, role: true)
+  end
+  
+  def create_variable(mime_type, kind)
+    create_thing(:user, SecureRandom.uuid, mime_type: mime_type, kind: kind)
+  end
+  
+  def create_resource(id, options = {})
+    resource(id).tap do |resource|
+      resource.send(:"exists?=", true)
+      populate_options resource, options
+    end
+  end
+  
+  def create_role(id, options = {})
+    role(id).tap do |role|
+      role.send(:"exists?=", true)
+      populate_options role, options
+    end
+  end
+  
+  [ :user, :host ].each do |kind|
+    define_method kind do |id|
+      thing(kind, id)
+    end
+  end
+  
+  def role(id)
+    raise "Role id must be a string" unless id.is_a?(String)
+    thing(:role, id) || create_thing(:role, id, { exists?: false }, role: true)
+  end
+  
+  def resource(id)
+    raise "Resource id must be a string" unless id.is_a?(String)
+    thing(:resource, id) || create_thing(:resource, id, exists?: false)
+  end
+  
+  protected
+  
+  def create_thing(kind, id, options, kind_options = {})
+    p kind, id, options, kind_options
+    
+    thing = OpenStruct.new(kind: kind, id: id, exists?: true)
+    
+    class << thing
+      def permit(privilege, role, options = {})
+        (self.permissions ||= []) << OpenStruct.new(privilege: privilege, role: role.id, grant_option: !!options[:grant_option])
+      end
+    end
+    
+    if kind_options[:role]
+      thing.roleid = id
+      class << thing
+        def can(privilege, resource, options = {})
+          resource.permit privilege, self, options
+        end
+      end
+    end
+    
+    populate_options(thing, options)
+    
+    store_thing kind, thing
+    
+    thing
+  end
+  
+  def populate_options(thing, options)
+    options.each do |k,v|
+      thing.send("#{k}=", v)
+    end
+  end
+  
+  def store_thing(kind, thing)
+    (things[kind] ||= []) << thing
+  end
+end
+
+Before("@dsl") do
+  puts "Using MockAPI"
+  puts "Using account 'cucumber'"
+  
+  require 'conjur/api'
+  require 'conjur/config'
+  require 'conjur/dsl/runner'
+  
+  Conjur.stub(:env).and_return "ci"
+  Conjur.stub(:stack).and_return "ci"
+  Conjur.stub(:account).and_return "cucumber"
+
+  Conjur::Core::API.stub(:conjur_account).and_return 'cucumber'
+  @mock_api ||= MockAPI.new
+  Conjur::DSL::Runner.any_instance.stub(:api).and_return @mock_api
+end

data/lib/conjur/cli.rb

@@ -21,6 +21,7 @@
 require 'gli'
 require 'conjur/config'
 require 'conjur/log'
+require 'conjur/identifier_manipulation'
 
 module Conjur
   class CLI
@@ -28,34 +29,29 @@ module Conjur
 
     class << self
       def load_config
-        [ File.join("/etc", "conjur.conf"), ( ENV['CONJURRC'] || File.join(ENV['HOME'], ".conjurrc") ) ].each do |f|
-          if File.exists?(f)
-            if Conjur.log
-              Conjur.log << "Loading #{f}\n"
-            end
-            Conjur::Config.merge YAML.load(IO.read(f))
-          end
-        end
+        Conjur::Config.load
+      end
+      
+      def apply_config
+        Conjur::Config.apply
       end
     end
           
     load_config
 
     Conjur::Config.plugins.each do |plugin|
-      require "conjur-asset-#{plugin}"
+      begin
+        filename = "conjur-asset-#{plugin}"
+        require filename
+      rescue LoadError
+        warn "Could not load plugin '#{plugin}' specified in your config file.\nMake sure you have the #{filename}-api gem installed."
+      end
     end
 
     commands_from 'conjur/command'
 
     pre do |global,command,options,args|
-      ENV['CONJUR_ENV'] = Config[:env] || "production"
-      ENV['CONJUR_STACK'] = Config[:stack] if Config[:stack]
-      ENV['CONJUR_STACK'] ||= 'v4' if ENV['CONJUR_ENV'] == 'production'
-      ENV['CONJUR_ACCOUNT'] = Config[:account] or raise "Missing configuration setting: account. Please set it in ~/.conjurrc"
-
-      if Conjur.log
-        Conjur.log << "Using host #{Conjur::Authn::API.host}\n"
-      end
+      apply_config
 
       require 'active_support/core_ext'
       options.delete_if{|k,v| v.blank?}
@@ -85,6 +81,10 @@ module Conjur
           $stderr.puts exception.response.body if exception.response
         end
       end
+      
+      if Conjur.log
+        Conjur.log << "error: #{exception}\n#{exception.backtrace rescue 'NO BACKTRACE?'}"
+      end
       true
     end
   end

data/lib/conjur/command.rb

@@ -20,6 +20,8 @@
 #
 module Conjur
   class Command
+    extend IdentifierManipulation
+    
     @@api = nil
     
     class << self
@@ -40,32 +42,6 @@ module Conjur
       def api
         @@api ||= Conjur::Authn.connect
       end
-
-      # injects account into 2-tokens id
-      def full_resource_id id
-        parts = id.split(':') unless id.nil? 
-        if id.blank? or parts.size < 2
-          raise "Expecting at least two tokens in #{id}"
-        end
-        if parts.size == 2
-          id = [conjur_account, parts].flatten.join(":")
-        end
-        id
-      end
-
-      # removes accounts from 3+-tokens id, extracts kind
-      def get_kind_and_id_from_args args, argname='id'
-        flat_id = require_arg(args, argname)
-        tokens=flat_id.split(':')
-        raise "At least 2 tokens expected in #{flat_id}" if tokens.size<2
-        tokens.shift if tokens.size>=3 # get rid of account
-        kind=tokens.shift.gsub('-','_')
-        [kind, tokens.join(':')]
-      end
-
-      def conjur_account
-        Conjur::Core::API.conjur_account
-      end
       
       def acting_as_option(command)
         command.arg_name 'Perform all actions as the specified Group'

data/lib/conjur/command/assets.rb

@@ -93,11 +93,7 @@ class Conjur::Command::Assets < Conjur::Command
       member = require_arg(args, 'member')
       admin_option = !options.delete(:admin).nil?
       
-      asset = api.send(kind, id)
-      tokens = [ asset.resource_kind, asset.resource_id, role_name ]
-      grant_role = [ asset.core_conjur_account, '@', tokens.join('/') ].join(':')
-      api.role(grant_role).grant_to member, admin_option
-      
+      api.send(kind, id).add_member role_name, member, admin_option: admin_option
       puts "Membership granted"
     end
   end
@@ -109,13 +105,8 @@ class Conjur::Command::Assets < Conjur::Command
       kind, id = get_kind_and_id_from_args(args, 'id')
       role_name = require_arg(args, 'role-name')
       member = require_arg(args, 'member')
-      
-      asset = api.send(kind, id)
-      tokens = [ asset.resource_kind, asset.resource_id, role_name ]
-      grant_role = [ asset.core_conjur_account, '@', tokens.join('/') ].join(':')
-      api.role(grant_role).revoke_from member
-      
+      api.send(kind, id).remove_member role_name, member
       puts "Membership revoked"
     end
   end
-end
+end

data/lib/conjur/command/audit.rb

@@ -0,0 +1,64 @@
+require 'conjur/command'
+require 'active_support/ordered_hash'
+
+class Conjur::Command
+  class Audit < self
+    self.prefix = 'audit'
+    
+    class << self
+      private
+      def extract_int_option(source, name, dest=nil)
+        if val = source[name]
+          raise "Expected an integer for #{name}, but got #{val}" unless /\d+/ =~ val
+          val.to_i.tap{ |i| dest[name] = i if dest }
+        end
+      end
+      
+      def extract_audit_options options
+        {}.tap do |opts|
+          [:limit, :offset].each do |name|
+            extract_int_option(options, name, opts)
+          end
+        end
+      end
+      
+      def show_audit_events events
+        puts JSON.pretty_generate(events)
+      end
+
+      def audit_feed_command kind, &block
+        command kind do |c|
+          c.desc "Maximum number of events to fetch"
+          c.flag [:l, :limit]
+
+          c.desc "Offset of the first event to return"
+          c.flag [:o, :offset]
+
+          c.action do |global_options, options, args|
+            opts = extract_audit_options options
+            show_audit_events instance_exec(args, opts, &block)
+          end
+        end
+      end
+    end
+
+    
+    desc "Show audit events related to a role"
+    arg_name 'role?'
+    audit_feed_command :role do |args, options|
+      if id = args.shift 
+        method_name, method_args = :audit_role, [full_resource_id(id), options]
+      else
+        method_name, method_args = :audit_current_role, [options]
+      end
+      api.send method_name, *method_args
+    end
+    
+    desc "Show audit events related to a resource"
+    arg_name 'resource'
+    audit_feed_command :resource do |args, options|
+      id = full_resource_id(require_arg args, "resource")
+      api.audit_resource id, options
+    end
+  end
+end

data/lib/conjur/command/groups.rb

@@ -63,7 +63,8 @@ class Conjur::Command::Groups < Conjur::Command
         opts = { admin_option: false }
         message = "Adminship revoked"
       end
-      api.role(group.roleid).grant_to member, opts
+      
+      group.add_member member, opts
       puts message
     end
   end
@@ -75,9 +76,7 @@ class Conjur::Command::Groups < Conjur::Command
       group = require_arg(args, 'group')
       member = require_arg(args, 'member')
       
-      group = api.group(group)
-      api.role(group.roleid).revoke_from member
-      
+      api.group(group).remove_member member
       puts "Membership revoked"
     end
   end

data/lib/conjur/command/script.rb

@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/authn'
+require 'conjur/command'
+
+class Conjur::Command::Authn < Conjur::Command
+  self.prefix = :script
+
+  desc "Run a Conjur DSL script"
+  arg_name "script"
+  command :execute do |c|
+    acting_as_option(c)
+    
+    c.desc "Load context from this config file; save it when finished"
+    c.arg_name "context"
+    c.flag [:c, :context]
+    
+    c.action do |global_options,options,args|
+      filename = nil
+      if script = args.pop
+        filename = script
+        script = File.read(script)
+      else
+        script = STDIN.read
+      end
+      require 'conjur/dsl/runner'
+      runner = Conjur::DSL::Runner.new(script, filename)
+      if options[:context]
+        runner.context = begin
+          JSON.parse(File.read(options[:context])) 
+        rescue Errno::ENOENT 
+          {}
+        end
+      end
+      
+      result = runner.execute
+      
+      if options[:context]
+        File.write(options[:context], JSON.pretty_generate(runner.context))
+      end
+
+      puts JSON.pretty_generate(result)
+    end
+  end
+end

data/lib/conjur/config.rb

@@ -23,6 +23,29 @@ module Conjur
     @@attributes = {}
     
     class << self
+      def load
+        require 'yaml'
+        [ File.join("/etc", "conjur.conf"), ( ENV['CONJURRC'] || File.join(ENV['HOME'], ".conjurrc") ) ].each do |f|
+          if File.exists?(f)
+            if Conjur.log
+              Conjur.log << "Loading #{f}\n"
+            end
+            Conjur::Config.merge YAML.load(IO.read(f))
+          end
+        end
+      end
+      
+      def apply
+        ENV['CONJUR_ENV'] = Config[:env] || "production"
+        ENV['CONJUR_STACK'] = Config[:stack] if Config[:stack]
+        ENV['CONJUR_STACK'] ||= 'v4' if ENV['CONJUR_ENV'] == 'production'
+        ENV['CONJUR_ACCOUNT'] = Config[:account] or raise "Missing configuration setting: account. Please set it in ~/.conjurrc"
+  
+        if Conjur.log
+          Conjur.log << "Using host #{Conjur::Authn::API.host}\n"
+        end
+      end
+      
       def inspect
         @@attributes.inspect
       end

data/lib/conjur/dsl/runner.rb

@@ -0,0 +1,197 @@
+require 'conjur/identifier_manipulation'
+
+module Conjur
+  module DSL
+    # Entry point for the Conjur DSL.
+    # 
+    # Methods are available in two categories: name scoping and asset building.
+    class Runner
+      include Conjur::IdentifierManipulation
+      
+      attr_reader :script, :filename, :context
+      
+      def initialize(script, filename = nil)
+        @context = {
+          "env" => Conjur.env,
+          "stack" => Conjur.stack,
+          "account" => Conjur.account,
+          "api_keys" => {}
+        }
+        @script = script
+        @filename = filename
+        @api = nil
+        @scopes = Array.new
+        @owners = Array.new
+        @objects = Array.new
+      end
+      
+      def api
+        @api ||= connect
+      end
+      
+      def context=(context)
+        @context.deep_merge! context
+      end
+      
+      def api_keys
+        @context["api_keys"]
+      end
+      
+      def current_object
+        !@objects.empty? ? @objects.last : nil
+      end
+      
+      def current_scope
+        !@scopes.empty? ? @scopes.join('/') : nil
+      end
+      
+      def scope name = nil, &block
+        if name != nil
+          do_scope name, &block
+        else
+          current_scope
+        end
+      end
+      
+      def namespace ns = nil, &block
+        if block_given?
+          ns ||= context["namespace"]
+          if ns.nil?
+            require 'conjur/api/variables'
+            ns = context["namespace"] = api.create_variable("text/plain", "namespace").id
+          end
+          do_scope ns, &block
+          context
+        else
+          @scopes[0]
+        end
+      end
+      
+      alias model namespace
+      
+      def execute
+        args = [ script ]
+        args << filename if filename
+        instance_eval(*args)
+      end
+      
+      def resource kind, id, options = {}, &block
+        id = full_resource_id([kind, qualify_id(id) ].join(':'))
+        find_or_create :resource, id, options, &block
+      end
+      
+      def role kind, id, options = {}, &block
+        id = full_resource_id([ kind, qualify_id(id) ].join(':'))
+        find_or_create :role, id, options, &block
+      end
+
+      def create_variable id = nil, options = {}, &block
+        options[:id] = id if id
+        mime_type = options.delete(:mime_type)
+        kind = options.delete(:kind)
+      end
+      
+      def owns
+        @owners.push current_object
+        begin
+          yield
+        ensure
+          @owners.pop
+        end
+      end
+      
+      protected
+      
+      def qualify_id id
+        if id[0] == "/"
+          id[1..-1]
+        else
+          [ current_scope, id ].compact.join('/')
+        end
+      end
+      
+      def method_missing(sym, *args, &block)
+        if create_compatible_args?(args) && api.respond_to?(sym)
+          id = args[0]
+          id = qualify_id(id) unless sym == :user
+          find_or_create sym, id, args[1] || {}, &block
+        elsif current_object && current_object.respond_to?(sym)
+          current_object.send(sym, *args, &block)
+        else
+          super
+        end
+      end
+      
+      def create_compatible_args?(args)
+        valid_prototypes = [
+          lambda { args.length == 1 },
+          lambda { args.length == 2 && args[1].is_a?(Hash) }
+        ]
+        !valid_prototypes.find{|p| p.call}.nil?      
+      end
+      
+      def find_or_create(type, id, options, &block)
+        find_method = type.to_sym
+        create_method = "create_#{type}".to_sym
+        unless (obj = api.send(find_method, id)) && obj.exists?
+          options = expand_options(options)
+          obj = if create_method == :create_variable
+            options[:id] = id
+            api.send(create_method, options.delete(:mime_type), options.delete(:kind), options)
+          elsif [ 2, -2 ].member?(api.method(create_method).arity)
+            api.send(create_method, id, options)
+          else
+            options[:id] = id
+            api.send(create_method, options)
+          end
+        end
+        do_object obj, &block
+      end
+      
+      def do_object obj, &block
+        begin
+          api_keys[obj.resourceid] = obj.api_key 
+        rescue
+        end
+        
+        @objects.push obj
+        begin
+          yield obj if block_given?
+          obj
+        ensure
+          @objects.pop
+        end
+      end
+      
+      def do_scope name, &block
+        return unless block_given?
+        
+        @scopes.push(name)
+        begin
+          yield
+        ensure
+          @scopes.pop
+        end
+      end
+      
+      def owner(options)
+        owner = options[:owner] || @owners.last
+        owner = owner.roleid if owner.respond_to?(:roleid)
+        owner
+      end
+      
+      def expand_options(opts)
+        (opts || {}).tap do |options|
+          if owner = owner(options)
+            options[:ownerid] = owner
+          end
+        end
+      end
+      
+      def connect
+        require 'conjur/authn'
+        Conjur::Authn.connect      
+      end
+    end
+  end
+end

data/lib/conjur/identifier_manipulation.rb

@@ -0,0 +1,29 @@
+module Conjur
+  module IdentifierManipulation
+    # injects account into 2-tokens id
+    def full_resource_id id
+      parts = id.split(':') unless id.nil? 
+      if id.blank? or parts.size < 2
+        raise "Expecting at least two tokens in #{id}"
+      end
+      if parts.size == 2
+        id = [conjur_account, parts].flatten.join(":")
+      end
+      id
+    end
+
+    # removes accounts from 3+-tokens id, extracts kind
+    def get_kind_and_id_from_args args, argname='id'
+      flat_id = require_arg(args, argname)
+      tokens=flat_id.split(':')
+      raise "At least 2 tokens expected in #{flat_id}" if tokens.size<2
+      tokens.shift if tokens.size>=3 # get rid of account
+      kind=tokens.shift.gsub('-','_')
+      [kind, tokens.join(':')]
+    end
+
+    def conjur_account
+      Conjur::Core::API.conjur_account
+    end
+  end
+end

data/lib/conjur/version.rb

@@ -19,5 +19,5 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.1.1"
+  VERSION = "4.3.0"
 end

data/spec/command/assets_spec.rb

@@ -81,55 +81,36 @@ describe Conjur::Command::Assets, logged_in: true do
     end
   end
 
-  shared_examples 'it obtains role via asset' do
+  shared_examples 'it obtains asset by kind and id' do
     it "obtains asset instance as api.#{KIND}(#{ID})" do
       api.should_receive(KIND.to_sym).with(ID)
       invoke_silently
     end
-    it "account=asset.core_conjur_account" do
-      asset.should_receive(:core_conjur_account)
-      invoke_silently
-    end
-    it "kind=asset.resource_kind" do
-      asset.should_receive(:resource_kind)
-      invoke_silently
-    end
-    it "id=asset.resource_id" do
-      asset.should_receive(:resource_id)
-      invoke_silently
-    end
-
-    it "obtains role as #{ACCOUNT}:@:#{KIND}/#{ID}/#{ROLE}" do
-      api.should_receive(:role).with("#{ACCOUNT}:@:#{KIND}/#{ID}/#{ROLE}")
-      invoke_silently
-    end
   end
-
-  shared_context "asset with role" do
-    before(:each) {
-      asset.stub(:core_conjur_account).and_return(ACCOUNT)
-      asset.stub(:resource_kind).and_return(KIND)
-      asset.stub(:resource_id).and_return(ID)
-      api.stub(:role).and_return(role_instance)
+  
+  shared_context "asset instance" do
+    before(:each) { 
+      api.stub(KIND.to_sym).and_return(asset) 
+      asset.stub(:add_member)
+      asset.stub(:remove_member)
     }
-    let(:role_instance) { double(grant_to: true, revoke_from: true) }
   end
 
   describe_command "asset:members:add #{KIND}:#{ID} #{ROLE} #{MEMBER}" do
-    include_context "asset with role"
-    it_behaves_like "it obtains role via asset"
+    include_context "asset instance"
+    it_behaves_like "it obtains asset by kind and id"
     it 'calls role.grant_to(member,...)' do
-      role_instance.should_receive(:grant_to).with(MEMBER, anything)
+      asset.should_receive(:add_member).with(ROLE, MEMBER, anything)
       invoke_silently
     end
     it { expect { invoke }.to write "Membership granted" }
   end
   
   describe_command "asset:members:remove #{KIND}:#{ID} #{ROLE} #{MEMBER}" do
-    include_context "asset with role"
-    it_behaves_like "it obtains role via asset"
+    include_context "asset instance"
+    it_behaves_like "it obtains asset by kind and id"
     it 'calls role.revoke_from(member)' do
-      role_instance.should_receive(:revoke_from).with(MEMBER)
+      asset.should_receive(:remove_member).with(ROLE, MEMBER)
       invoke_silently
     end
     it { expect { invoke }.to write "Membership revoked" }

data/spec/command/audit_spec.rb

@@ -0,0 +1,100 @@
+require 'spec_helper'
+
+describe Conjur::Command::Audit, logged_in: true do
+  let(:events) { [{'foo' => 'bar', 'zelda' => 'link', 'abc' => 'xyz'}, {'some' => 'other event'}] }
+
+  def expect_api_call method, *args
+    api.should_receive(method.to_sym).with(*args).and_return events
+    described_class.should_receive(:show_audit_events).with(events)
+  end
+
+  def invoke_expecting_api_call method, *args
+    expect_api_call method, *args
+    invoke
+  end
+
+  def invoke_silently
+    silence_stderr { invoke }
+  end
+
+  def self.describe_command_success cmd, method, *expected_args, &block
+    describe_command cmd do
+      it "calls api.#{method}(#{expected_args.map(&:inspect).join(',')})" do
+        instance_eval(&block) if block
+        invoke_expecting_api_call method, *expected_args
+      end
+    end
+  end
+
+  def self.it_calls_the_api command, api_method, *api_args, &block
+    describe_command_success command, api_method, *api_args, &block
+    accepts_pagination_params command, api_method, *api_args, &block
+  end
+
+
+  def self.it_fails command, *raise_error_args
+    unless raise_error_args.empty? or ::Class === raise_error_args.first
+      raise_error_args.unshift Exception
+    end
+    describe_command command do
+      it "raises #{raise_error_args.map(&:inspect).join ' '}" do
+        expect { invoke_silently }.to raise_error(*raise_error_args)
+      end
+    end
+  end
+
+  def self.accepts_pagination_params cmd, api_method, *api_method_args, &block
+    context "with valid pagination options" do
+      expected_opts   = {limit: 12, offset: 2}
+      api_method_args = case api_method_args.last
+      when Hash
+        api_method_args[0..-2] << api_method_args.last.merge(expected_opts)
+      else
+        api_method_args.dup << expected_opts
+      end
+      describe_command_success cmd + " --limit 12 --offset 2", api_method, *api_method_args, &block
+    end
+    context "with garbage pagination options" do
+      it_fails cmd + " --limit hiythere", RuntimeError, /expected an integer for limit/i
+      it_fails cmd + " --offset hiythere", RuntimeError, /expected an integer for offset/i
+    end
+  end
+
+  describe "audit:role" do
+    context "without an argument" do
+      it_calls_the_api "audit:role", :audit_current_role, {}
+    end
+    context "with an argument" do
+      context "of a full id" do
+        it_calls_the_api "audit:role foo:bar:baz", :audit_role, 'foo:bar:baz', {}
+      end
+      context "without an account" do
+        it_calls_the_api "audit:role bar:baz", :audit_role, 'the-conjur-account:bar:baz', {} do
+          Conjur::Command.stub(conjur_account: "the-conjur-account")
+        end
+      end
+      context "without enough tokens" do
+        it_fails "audit:role not-enough-tokens", RuntimeError, /expecting at least two tokens/i
+      end
+    end
+  end
+
+  describe "audit:resource" do
+    context "without an argument" do
+      it_fails "audit:resource", /missing parameter: resource/i
+    end
+    context "with an argument of" do
+      context "a full id" do
+        it_calls_the_api "audit:resource foo:bar:baz", :audit_resource, "foo:bar:baz", {}
+      end
+      context "an id with two tokens" do
+        it_calls_the_api "audit:resource foo:bar", :audit_resource, "the-conjur-account:foo:bar", {} do
+          Conjur::Command.stub(conjur_account: "the-conjur-account")
+        end
+      end
+      context "an id with one token" do
+        it_fails "audit:resource foo", /expecting at least two tokens/i
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -71,15 +71,16 @@ def post_response(id, attributes = {})
 end
 
 # stub parameters to be used in resource/asset tests
-  KIND="asset_kind"
-  ID="unique_id" 
-  ROLE='<role>'
-  MEMBER='<member>'
-  PRIVILEGE='<privilege>'
-  OWNER='<owner/userid>'
-  ACCOUNT='<core_account>'
-
+KIND="asset_kind"
+ID="unique_id" 
+ROLE='<role>'
+MEMBER='<member>'
+PRIVILEGE='<privilege>'
+OWNER='<owner/userid>'
+ACCOUNT='<core_account>'
 
 require 'write_expectation'
 
+ENV['CONJURRC'] = '/dev/null'
+
 require 'conjur/cli'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 4.3.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-28 00:00:00.000000000 Z
+date: 2013-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: conjur-api
@@ -92,6 +92,22 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: deep_merge
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: cas_rest_client
   requirement: !ruby/object:Gem::Requirement
@@ -198,6 +214,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- .githooks/pre_commit/run_specs.rb
 - .gitignore
 - .kateproject
 - .project
@@ -208,8 +225,17 @@ files:
 - bin/conjur
 - bin/jsonfield
 - conjur.gemspec
+- features/dsl_context.feature
+- features/dsl_host_create.feature
+- features/dsl_ownership.feature
+- features/dsl_permission.feature
+- features/dsl_resource_create.feature
+- features/dsl_role_create.feature
+- features/dsl_user_create.feature
 - features/jsonfield.feature
+- features/step_definitions/dsl_steps.rb
 - features/support/env.rb
+- features/support/hooks.rb
 - lib/conjur.rb
 - lib/conjur/authn.rb
 - lib/conjur/cli.rb
@@ -223,10 +249,13 @@ files:
 - lib/conjur/command/ids.rb
 - lib/conjur/command/resources.rb
 - lib/conjur/command/roles.rb
+- lib/conjur/command/script.rb
 - lib/conjur/command/secrets.rb
 - lib/conjur/command/users.rb
 - lib/conjur/command/variables.rb
 - lib/conjur/config.rb
+- lib/conjur/dsl/runner.rb
+- lib/conjur/identifier_manipulation.rb
 - lib/conjur/version.rb
 - spec/command/assets_spec.rb
 - spec/command/audit_spec.rb
@@ -240,6 +269,7 @@ files:
 - spec/command_spec.rb
 - spec/spec_helper.rb
 - spec/write_expectation.rb
+- update_ci.sh
 homepage: https://github.com/inscitiv/cli-ruby
 licenses:
 - MIT
@@ -255,7 +285,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -3349228530066988265
+      hash: -1644875280166095669
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -264,7 +294,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -3349228530066988265
+      hash: -1644875280166095669
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.25
@@ -272,8 +302,17 @@ signing_key:
 specification_version: 3
 summary: Conjur command line interface
 test_files:
+- features/dsl_context.feature
+- features/dsl_host_create.feature
+- features/dsl_ownership.feature
+- features/dsl_permission.feature
+- features/dsl_resource_create.feature
+- features/dsl_role_create.feature
+- features/dsl_user_create.feature
 - features/jsonfield.feature
+- features/step_definitions/dsl_steps.rb
 - features/support/env.rb
+- features/support/hooks.rb
 - spec/command/assets_spec.rb
 - spec/command/audit_spec.rb
 - spec/command/authn_spec.rb