conjur-cli 4.6.1 → 4.7.0

data/Gemfile

@@ -4,7 +4,13 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'conjur-api', git: 'https://github.com/inscitiv/api-ruby.git', branch: 'master'
-
 group :test, :development do
   gem 'pry'
 end
+
+group :development do
+  gem 'conjur-asset-environment-api'
+  gem 'conjur-asset-key-pair-api'
+  gem 'conjur-asset-layer-api'
+#  gem 'conjur-asset-ui-api', github: 'conjurinc/conjur-asset-ui', branch: 'new-audit'
+end

data/lib/conjur/command/assets.rb

@@ -75,7 +75,11 @@ class Conjur::Command::Assets < Conjur::Command
   command :list do |c|
     c.action do |global_options,options,args|
       kind = require_arg(args, "kind").gsub('-', '_')
-      api.send(kind.pluralize).each do |e|
+      if api.respond_to?(kind.pluralize)
+        api.send(kind.pluralize)
+      else
+        api.resources(kind: kind)
+      end.each do |e|
         display(e, options)
       end
     end

data/lib/conjur/command/dsl_command.rb

@@ -0,0 +1,65 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/command'
+
+class Conjur::DSLCommand < Conjur::Command
+  class << self
+    def file_or_stdin_arg(args)
+    end
+
+    def run_script(args, options, &block)
+      filename = nil
+      script = if script = args.pop
+        filename = script
+        script = File.read(script)
+      else
+        STDIN.read
+      end
+      
+      require 'conjur/dsl/runner'
+      runner = Conjur::DSL::Runner.new(script, filename)
+
+      if context = options[:context]
+        runner.context = begin
+          JSON.parse(File.read(context)) 
+        rescue Errno::ENOENT 
+          {}
+        end
+      end
+      
+      if block_given?
+        block.call(runner) do
+          runner.execute
+        end
+      else
+        runner.execute
+      end
+      
+      if context
+        File.write(context, JSON.pretty_generate(runner.context))
+        File.chmod(0600, context)
+      end
+
+      puts JSON.pretty_generate(runner.context)
+    end
+  end
+
+end

data/lib/conjur/command/policy.rb

@@ -0,0 +1,83 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/command/dsl_command'
+
+class Conjur::Command::Policy < Conjur::DSLCommand
+  self.prefix = :policy
+  
+  class << self
+    def default_collection_user
+      ( ENV['USER'] ).strip
+    end
+    
+    def default_collection_hostname
+      ( ENV['HOSTNAME'] || `hostname` ).strip
+    end
+  
+    def default_collection_name
+      [ default_collection_user, default_collection_hostname ].join('@')
+    end
+  end
+
+  desc "Load a policy from Conjur DSL"
+  long_desc <<-DESC
+This method is EXPERIMENTAL and subject to change
+
+Loads a Conjur policy from DSL, applying particular conventions to the role and resource
+ids. 
+
+The first path element of each id is the collection. Policies are separated into collections
+according to software development lifecycle. The default collection for a policy is $USER@$HOSTNAME,
+in other words, the username and hostname on which the policy is created. This is approriate for
+policy development and local testing. Once tested, policies can be created in more official 
+environments such as ci, stage, and production. 
+
+The second path element of each id is the policy name and version, following the convention
+policy-x.y.z, where x, y, and z are the semantic version of the policy.
+
+Next, each policy creates a policy role and policy resource. The policy resource is used to store
+annotations on the policy. The policy role becomes the owner of the owned policy assets. The
+--as-group and --as-role options can be used to set the owner of the policy role. The default
+owner of the policy role is the logged-in user (you), as always.
+  DESC
+  arg_name "(policy-file | STDIN)"
+  command :load do |c|
+    acting_as_option(c)
+    
+    c.desc "Policy collection (default: #{default_collection_user}@#{default_collection_hostname})"
+    c.arg_name "collection"
+    c.flag [:collection]
+    
+    c.desc "Load context from this config file, and save it when finished. The file permissions will be 0600 by default."
+    c.arg_name "context"
+    c.flag [:c, :context]
+    
+    c.action do |global_options,options,args|
+      collection = options[:collection] || default_collection_name
+      
+      run_script args, options do |runner, &block|
+        runner.scope collection do
+          block.call
+        end
+      end
+    end
+  end
+end

data/lib/conjur/command/resources.rb

@@ -51,7 +51,7 @@ class Conjur::Command::Resources < Conjur::Command
       display api.resource(id).attributes
     end
   end
-  
+    
   desc "Determines whether a resource exists"
   arg_name "resource-id"
   command :exists do |c|
@@ -129,4 +129,82 @@ class Conjur::Command::Resources < Conjur::Command
       display api.resource(id).permitted_roles(permission)
     end
   end
+  
+  desc "Set an annotation on a resource"
+  arg_name "resource-id name value"
+  command :annotate do |c|
+    c.action do |global_options, options, args|
+      id = full_resource_id require_arg(args, 'resource-id')
+      name = require_arg args, 'name'
+      value = require_arg args, 'value'
+      api.resource(id).annotations[name] = value
+      puts "Set annotation '#{name}' to '#{value}' for resource '#{id}'"
+    end
+  end
+  
+  desc "Show an annotation for a resource"
+  arg_name "resource-id name"
+  command :annotation do |c|
+    c.action do |global_options, options, args|
+      id = full_resource_id require_arg args, 'resource-id'
+      name = require_arg args, 'name'
+      value = api.resource(id).annotations[name]
+      puts value unless value.nil?
+    end
+  end
+  
+  desc "Print annotations as JSON"
+  arg_name 'resource-id'
+  command :annotations do |c|
+    c.action do |go, o, args|
+      id = full_resource_id require_arg args, 'resource-id'
+      annots = api.resource(id).annotations.to_h
+      puts annots.to_json
+    end
+  end
+  
+  desc "List all resources"
+  command :list do |c| 
+    c.desc "Role to act as. By default, the current logged-in role is used."
+    c.flag [:role]
+
+    c.desc "Filter by kind"
+    c.flag [:k, :kind]
+    
+    c.desc "Full-text search on resource id and annotation values" 
+    c.flag [:s, :search]
+    
+    c.desc "Maximum number of records to return"
+    c.flag [:l, :limit]
+    
+    c.desc "Offset to start from"
+    c.flag [:o, :offset]
+    
+    c.desc "Show only ids"
+    c.switch [:i, :ids]
+    
+    c.desc "Show annotations in 'raw' format"
+    c.switch [:r, :"raw-annotations"]
+    
+    c.action do |global_options, options, args| 
+      opts = options.slice(:search, :limit, :options, :kind) 
+      opts[:acting_as] = options[:role] if options[:role]
+      resources = api.resources(opts)
+      if options[:ids]
+        puts resources.map(&:resourceid)
+      else
+        resources = resources.map &:attributes
+        unless options[:'raw-annotations']
+          resources = resources.map do |r|
+            r['annotations'] = (r['annotations'] || []).inject({}) do |hash, annot|
+              hash[annot['name']] = annot['value']
+              hash
+            end
+            r
+          end
+        end
+        puts JSON.pretty_generate resources
+      end
+    end
+  end
 end

data/lib/conjur/command/script.rb

@@ -19,9 +19,9 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 require 'conjur/authn'
-require 'conjur/command'
+require 'conjur/command/dsl_command'
 
-class Conjur::Command::Authn < Conjur::Command
+class Conjur::Command::Script < Conjur::DSLCommand
   self.prefix = :script
 
   desc "Run a Conjur DSL script"
@@ -34,31 +34,7 @@ class Conjur::Command::Authn < Conjur::Command
     c.flag [:c, :context]
     
     c.action do |global_options,options,args|
-      filename = nil
-      if script = args.pop
-        filename = script
-        script = File.read(script)
-      else
-        script = STDIN.read
-      end
-      require 'conjur/dsl/runner'
-      runner = Conjur::DSL::Runner.new(script, filename)
-      if options[:context]
-        runner.context = begin
-          JSON.parse(File.read(options[:context])) 
-        rescue Errno::ENOENT 
-          {}
-        end
-      end
-      
-      result = runner.execute
-      
-      if options[:context]
-        File.write(options[:context], JSON.pretty_generate(runner.context))
-        File.chmod(0600, options[:context])
-      end
-
-      puts JSON.pretty_generate(result)
+      run_script args, options
     end
   end
 end

data/lib/conjur/config.rb

@@ -20,6 +20,7 @@
 #
 require 'active_support/core_ext/hash/deep_merge'
 require 'active_support/core_ext/hash/indifferent_access'
+
 module Conjur
   class Config
     @@attributes = {}
@@ -62,7 +63,6 @@ module Conjur
         end
         if Config[:cert_file]
           OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE.add_file Config[:cert_file]
-          #OpenSSL::X509::Store.add_file Config[:cert_file]
         end
       end
       

data/lib/conjur/dsl/runner.rb

@@ -47,10 +47,16 @@ module Conjur
         !@objects.empty? ? @objects.last : nil
       end
       
+      # Current scope, used as a path/delimited/prefix to a role or resource id.
       def current_scope
         !@scopes.empty? ? @scopes.join('/') : nil
       end
       
+      # Current scope, used for user@scope.
+      def current_user_scope
+        current_scope ? current_scope.gsub(/[^\w]/, '-') : nil
+      end
+      
       def scope name = nil, &block
         if name != nil
           do_scope name, &block
@@ -73,6 +79,19 @@ module Conjur
         end
       end
       
+      def policy id, &block
+        self.role "policy", id do |role|
+          context["policy"] = role.identifier
+          self.owns do
+            self.resource "policy", id do
+              scope id do
+                block.call if block_given?
+              end
+            end
+          end
+        end
+      end
+      
       alias model namespace
       
       def execute
@@ -82,15 +101,19 @@ module Conjur
       end
       
       def resource kind, id, options = {}, &block
-        id = full_resource_id([kind, qualify_id(id) ].join(':'))
+        id = full_resource_id([kind, qualify_id(id, kind) ].join(':'))
         find_or_create :resource, id, options, &block
       end
       
       def role kind, id, options = {}, &block
-        id = full_resource_id([ kind, qualify_id(id) ].join(':'))
+        id = full_resource_id([ kind, qualify_id(id, kind) ].join(':'))
         find_or_create :role, id, options, &block
       end
 
+      # purpose and existence of this method are unobvious for model designer 
+      # just "variable" in DSL works fine through method_missing
+      # is this method OBSOLETED ?
+      #   https://basecamp.com/1949725/projects/4268938-api-version-4-x/todos/84972543-low-variable
       def create_variable id = nil, options = {}, &block
         options[:id] = id if id
         mime_type = options.delete(:mime_type) || 'text/plain'
@@ -110,18 +133,23 @@ module Conjur
       
       protected
       
-      def qualify_id id
+      def qualify_id id, kind
         if id[0] == "/"
           id[1..-1]
         else
-          [ current_scope, id ].compact.join('/')
+          case kind.to_sym
+          when :user
+            [ id, current_user_scope ].compact.join('@')
+          else
+            [ current_scope, id ].compact.join('/')
+          end
         end
       end
       
       def method_missing(sym, *args, &block)
         if create_compatible_args?(args) && api.respond_to?(sym)
           id = args[0]
-          id = qualify_id(id) unless sym == :user
+          id = qualify_id(id, sym)
           find_or_create sym, id, args[1] || {}, &block
         elsif current_object && current_object.respond_to?(sym)
           current_object.send(sym, *args, &block)
@@ -141,11 +169,20 @@ module Conjur
       def find_or_create(type, id, options, &block)
         find_method = type.to_sym
         create_method = "create_#{type}".to_sym
+
+        # TODO: find a way to pass annotations as part of top-level options hash
+        #   https://basecamp.com/1949725/projects/4268938-api-version-4-x/todos/84965324-low-dsl-design
+        annotations = options.delete(:annotations)
+
         unless (obj = api.send(find_method, id)) && obj.exists?
           options = expand_options(options)
           obj = if create_method == :create_variable
+            #NOTE: it duplicates logic of "create_variable" method above
+            #   https://basecamp.com/1949725/projects/4268938-api-version-4-x/todos/84972543-low-variable
             options[:id] = id
-            api.send(create_method, options.delete(:mime_type), options.delete(:kind), options)
+            mime_type = options.delete(:mime_type) || annotations[:mime_type] || 'text/plain'
+            kind = options.delete(:kind) || annotations[:kind] || 'secret'
+            api.send(create_method, mime_type, kind, options)
           elsif [ 2, -2 ].member?(api.method(create_method).arity)
             api.send(create_method, id, options)
           else
@@ -153,6 +190,12 @@ module Conjur
             api.send(create_method, options)
           end
         end
+        if annotations.kind_of? Hash
+          # TODO: fix API to make 'annotations' available directly on objects
+          #   https://basecamp.com/1949725/projects/4268938-api-version-4-x/todos/84970444-high-support
+          obj_as_resource = obj.resource
+          annotations.each { |k,v| obj_as_resource.annotations[k]=v }
+        end
         do_object obj, &block
       end
       
@@ -202,4 +245,4 @@ module Conjur
       end
     end
   end
-end
+end

data/lib/conjur/version.rb

@@ -19,5 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.6.1"
+  VERSION = "4.7.0"
+  ::Version=VERSION
 end

data/spec/command/policy_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+require 'conjur/dsl/runner'
+
+describe Conjur::Command::Policy do
+  context logged_in: true do
+    let(:role) do
+      double("role", exists?: true, api_key: "the-api-key", roleid: "the-role")
+    end
+    let(:resource) do
+      double("resource", exists?: true).as_null_object
+    end
+    let(:name) { nil }
+    before {
+      File.stub(:read).with("policy-body").and_return "{}"
+      Conjur::DSL::Runner.any_instance.stub(:api).and_return api
+    }
+    before {
+      api.stub(:role).with("the-account:policy:#{collection}/the-policy-1.0.0").and_return role
+      api.stub(:resource).with("the-account:policy:#{collection}/the-policy-1.0.0").and_return resource
+      if name
+        resource.should_receive(:[]).with(:name, name)
+      end
+    }
+    
+    describe_command 'policy:load --collection the-collection policy-body' do
+      let(:collection) { "the-collection" }
+      it "creates the policy" do
+        invoke.should == 0
+      end
+    end
+    context "default collection" do
+      let(:collection) { "alice@localhost" }
+      before {
+        stub_const("ENV", "USER" => "alice", "HOSTNAME" => "localhost")
+      }
+      describe_command 'policy:load policy-body' do
+        it "creates the policy with default collection" do
+          invoke.should == 0
+        end
+      end
+    end
+  end
+end

data/tamr.rb

@@ -0,0 +1,15 @@
+policy "tamr-1.0.0" do
+  group "admin" do
+    owns do
+      ops, developers, build = [
+        group("ops"),
+        group("developers"),
+        group("build")
+      ]
+
+      layer "sandbox" do
+        add_member "admin_host", developers
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 4.6.1
+  version: 4.7.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-03 00:00:00.000000000 Z
+date: 2014-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: conjur-api
@@ -218,6 +218,7 @@ files:
 - .gitignore
 - .kateproject
 - .project
+- .tamr.rb.swp
 - Gemfile
 - LICENSE
 - README.md
@@ -244,11 +245,13 @@ files:
 - lib/conjur/command/assets.rb
 - lib/conjur/command/audit.rb
 - lib/conjur/command/authn.rb
+- lib/conjur/command/dsl_command.rb
 - lib/conjur/command/field.rb
 - lib/conjur/command/groups.rb
 - lib/conjur/command/hosts.rb
 - lib/conjur/command/ids.rb
 - lib/conjur/command/init.rb
+- lib/conjur/command/policy.rb
 - lib/conjur/command/resources.rb
 - lib/conjur/command/roles.rb
 - lib/conjur/command/rspec/describe_command.rb
@@ -271,6 +274,7 @@ files:
 - spec/command/groups_spec.rb
 - spec/command/hosts_spec.rb
 - spec/command/init_spec.rb
+- spec/command/policy_spec.rb
 - spec/command/resources_spec.rb
 - spec/command/roles_spec.rb
 - spec/command/users_spec.rb
@@ -280,6 +284,7 @@ files:
 - spec/conjurrc
 - spec/dsl/runner_spec.rb
 - spec/spec_helper.rb
+- tamr.rb
 - update_ci.sh
 homepage: https://github.com/conjurinc/cli-ruby
 licenses:
@@ -294,12 +299,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -1938562320841533221
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -1938562320841533221
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.25
@@ -326,6 +337,7 @@ test_files:
 - spec/command/groups_spec.rb
 - spec/command/hosts_spec.rb
 - spec/command/init_spec.rb
+- spec/command/policy_spec.rb
 - spec/command/resources_spec.rb
 - spec/command/roles_spec.rb
 - spec/command/users_spec.rb