conjur-cli 5.1.2 → 5.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bb5d58e501794d2bdde119a07dd60ec123833b46
-  data.tar.gz: 73f64423dccb08d198b33d9446981c974a5b5806
+  metadata.gz: 4737c65684b90ddd2b62d5fb186573b7099e496b
+  data.tar.gz: c6ff97b50c512c96568e0361991af49309b868ac
 SHA512:
-  metadata.gz: a4166b496d0a570e9864417466478c3ea13b05633462350c98a28e6f0ae5fca110791abf682237fb0c328acc7921b4d5f5b0db6a95fbfa36eb2b1263c65f2b0f
-  data.tar.gz: 4d440e3b0feb5a8a6ab65cd5efc5b1d414ab6a58b8e6eb9f5777d97998ae91dfeb5bc10dbd7540a96ec10e4884d5b52dafb15886bab326839399506e459633b5
+  metadata.gz: 6bcb80c73f81df2f96f1d18780c2d94f69c1fe3d8ec9153e6276b529ecd21429836a8ec08a058c2975471d751e9f6cc5bf3332a1f0e9640fbc67ca48ac1a3ca1
+  data.tar.gz: 3a355ec8286f3b4d198777b5f34666c4cfaf6dbf9db3a9f558c47ee54166439e259a3aabd3a5ae3bcc12086137a434bba2d415ac8c2c4e47c27bd279ff1392a7

data/CHANGELOG.md

@@ -1,6 +1,13 @@
+# 5.2.0
+
+* Add `ldap-sync` management commands (requires Conjur 4.7 or later).
+* Use `CONJUR_AUTHN_TOKEN` as the Conjur access token, if it's available in the environment.
+* `conjurize` will ignore `conjur` cookbook releases that don't have an associated tarball.
+* Pass `--recipe-url` argument to Chef, which is now required.
+
 # 5.1.2
 
-* Fix problem finding config files for plugin installation
+* Fix problem finding config files for plugin installation.
 
 # 5.1.1
 

data/Dockerfile

@@ -7,4 +7,4 @@ COPY Gemfile Gemfile
 COPY conjur.gemspec conjur.gemspec
 COPY lib/conjur/version.rb lib/conjur/version.rb
 
-RUN bundle install
+RUN gem install bundler -v 1.11.2 && bundle install

data/Gemfile

@@ -6,7 +6,7 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in conjur.gemspec
 gemspec
 
-gem 'conjur-api', git: 'https://github.com/conjurinc/api-ruby.git', branch: 'master'
+gem 'conjur-api', '>= 4.24', git: 'https://github.com/conjurinc/api-ruby.git', branch: 'master'
 gem 'semantic', '>= 1.4.1', git: 'https://github.com/jlindsey/semantic.git'
 
 group :test, :development do

data/acceptance-features/directory/hostfactory/create.feature

@@ -5,7 +5,6 @@ Feature: Create a Host Factory
   Scenario: Create a host factory successfully
     Given I successfully run `conjur layer create --as-group $ns/security_admin $ns/layer`
     Then I successfully run `conjur hostfactory create --as-group $ns/security_admin --layer $ns/layer $ns/hostfactory`
-    And the JSON should have "deputy_api_key"
 
 	Scenario: The client role can use itself as the hostfactory role
     Given I successfully run `conjur user create unprivileged@$ns`

data/ci/publish.sh

@@ -31,5 +31,5 @@ for package in *.deb; do
     --password $ART_PASSWORD \
     --deb "$distribution"/"$component"/amd64 \
     $package \
-    debian-public
+    debian-local
 done

data/features/conjurize.feature

@@ -112,16 +112,16 @@ curl -L https://www.opscode.com/chef/install.sh | bash
 """
     And the output should match:
     """
-    chef-solo -r https:\/\/github.com\/conjur-cookbooks\/conjur\/releases\/download/v\d\.\d\.\d/conjur-v\d\.\d\.\d.tar.gz -o conjur
+    chef-solo --recipe-url https:\/\/github.com\/conjur-cookbooks\/conjur\/releases\/download/v\d\.\d\.\d/conjur-v\d\.\d\.\d.tar.gz -o conjur
     """
 
   Scenario: conjurize with arbitrary cookbook
     When I conjurize "--conjur-cookbook-url https://example.com --conjur-run-list fry"
-    Then the stdout should contain "chef-solo -r https://example.com -o fry"
+    Then the stdout should contain "chef-solo --recipe-url https://example.com -o fry"
 
   Scenario: conjurize with path to chef-solo
     When I conjurize "--chef-executable /path/to/chef-solo --conjur-cookbook-url https://example.com --conjur-run-list fry"
-    Then the stdout should contain "/path/to/chef-solo -r https://example.com -o fry"
+    Then the stdout should contain "/path/to/chef-solo --recipe-url https://example.com -o fry"
     And the stdout should not contain "curl -L https://www.opscode.com/chef/install.sh"
 
   Scenario: conjurize with sudo-ized commands

data/lib/conjur/authn.rb

@@ -126,7 +126,11 @@ module Conjur::Authn
         require 'conjur/base'
         cls = Conjur::API
       end
-      cls.new_from_key(*get_credentials(options))
+      if token = token_from_environment
+        cls.new_from_token token
+      else
+        cls.new_from_key(*get_credentials(options))
+      end
     end
     
     protected
@@ -141,5 +145,13 @@ module Conjur::Authn
     def windows?
       RbConfig::CONFIG["host_os"] =~ /mswin|mingw|cygwin/
     end
+    
+    def token_from_environment
+      return nil unless token = ENV['CONJUR_AUTHN_TOKEN']
+      
+      require 'json'
+      require 'base64'
+      JSON.parse(Base64.decode64(token))
+    end
   end
 end

data/lib/conjur/command/ldapsync.rb

@@ -0,0 +1,49 @@
+require 'conjur/command'
+
+class Conjur::Command::LDAPSync < Conjur::Command
+  desc 'LDAP sync management commands'
+  command :'ldap-sync' do |cgrp|
+
+    cgrp.desc 'Trigger a sync of users/groups from LDAP to Conjur'
+    cgrp.command :now do |cmd|
+      cmd.desc 'LDAP Sync profile to use (defined in UI)'
+      cmd.default_value 'default'
+      cmd.arg_name 'profile'
+      cmd.flag ['p', 'profile']
+  
+      cmd.desc 'Print the actions that would be performed'
+      cmd.default_value false
+      cmd.switch ['dry-run']
+  
+      cmd.desc 'Output format of sync operation (text, yaml)'
+      cmd.default_value 'text'
+      cmd.arg_name 'format'
+      cmd.flag ['f', 'format'], :must_match => ['text', 'yaml']
+  
+      cmd.action do |_ ,options, args|
+        assert_empty args
+        
+        format = options[:format] == 'text' ? 'application/json' : 'text/yaml'
+        dry_run = options[:'dry-run']
+          
+        $stderr.puts "Performing #{dry_run ? 'dry run ' : ''}LDAP sync"
+  
+        response = api.ldap_sync_now(options[:profile], format, dry_run)
+  
+        if options[:format] == 'text'
+          puts "Messages:"
+          response['events'].each do |event|
+            puts [ event['timestamp'], event['severity'], event['message'] ].join("\t")
+          end
+          puts
+          puts "Actions:"
+          response['result']['actions'].each do |action|
+            puts action
+          end
+        else
+          puts response
+        end
+      end
+    end
+  end
+end

data/lib/conjur/conjurize/script.rb

@@ -7,12 +7,29 @@ class Conjur::Conjurize
     COOKBOOK_RELEASES_URL =
       "https://api.github.com/repos/conjur-cookbooks/conjur/releases".freeze
 
+    def self.tarballs_of_releases releases
+      releases.map do |release|
+        assets = release["assets"].select do |asset|
+          asset["name"] =~ /conjur-v\d.\d.\d.tar.gz/
+        end
+
+        [release["name"], assets.map { |asset| asset["browser_download_url"] }]
+      end
+    end
+
     def self.latest_conjur_cookbook_release
       json = JSON.parse open(COOKBOOK_RELEASES_URL).read
-      tarballs = json[0]["assets"].select do |asset|
-        asset["name"] =~ /conjur-v\d.\d.\d.tar.gz/
+      tarballs = tarballs_of_releases json
+
+      latest = tarballs.first
+      selected = tarballs.find { |release| !release[1].empty? }
+
+      if selected != latest
+        warn "WARNING: Latest cookbook release (#{latest.first}) does not "\
+            "contain a valid package. Falling back to #{selected.first}."
       end
-      tarballs.first["browser_download_url"]
+
+      selected[1].first
     end
 
     HEADER = <<-HEADER.freeze
@@ -81,7 +98,7 @@ set -e
       @chef_script ||= [
         ("curl -L https://www.opscode.com/chef/install.sh | " + sudo["bash"] \
           if install_chef?),
-        (sudo["#{chef_executable} -r #{conjur_cookbook_url} " \
+        (sudo["#{chef_executable} --recipe-url #{conjur_cookbook_url} " \
             "-o #{conjur_run_list}"] if run_chef?)
       ].join "\n"
     end

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = '5.1.2'
+  VERSION = '5.2.0'
   ::Version=VERSION
 end

data/spec/authn_spec.rb

@@ -8,23 +8,53 @@ describe Conjur::Authn do
   end
 
   describe "credentials from environment" do
+    shared_examples_for "is_not_written_to_netrc" do
+      it "are not written to netrc" do
+        expect(Conjur::Authn).not_to receive(:write_credentials)
+        Conjur::Authn.get_credentials
+      end
+    end
+
+    let(:api) { Conjur::Authn.connect }
+    
     before do
       Conjur::Authn.instance_variable_set("@credentials", nil)
-      expect(ENV).to receive(:[]).with("CONJUR_AUTHN_LOGIN").and_return "the-login"
-      expect(ENV).to receive(:[]).with("CONJUR_AUTHN_API_KEY").and_return "the-api-key"
     end
 
     after do
       Conjur::Authn.instance_variable_set("@credentials", nil)
     end
 
-    it "are used to authn" do
-      expect(Conjur::Authn.get_credentials).to eq([ "the-login", "the-api-key" ])
-    end
+    let(:encoded_token) { nil }
 
-    it "are not written to netrc" do
-      expect(Conjur::Authn).not_to receive(:write_credentials)
-      Conjur::Authn.get_credentials
+    before do
+      allow(ENV).to receive(:[]).and_call_original
+      allow(ENV).to receive(:[]).with("CONJUR_AUTHN_TOKEN").and_return encoded_token
+      allow(ENV).to receive(:[]).with("CONJUR_AUTHN_LOGIN").and_return "the-login"
+      allow(ENV).to receive(:[]).with("CONJUR_AUTHN_API_KEY").and_return "the-api-key"
+    end
+    
+    context "login and API key" do
+      it "are used to authn" do
+        expect(Conjur::Authn.get_credentials).to eq([ "the-login", "the-api-key" ])
+          
+        expect(api.username).to eq('the-login')
+        expect(api.api_key).to eq('the-api-key')
+      end
+      it_should_behave_like "is_not_written_to_netrc"
+    end
+    context "token" do
+      let(:token) { { "data" => "the-token-login" } }
+      let(:encoded_token) { Base64.strict_encode64(token.to_json) }
+      before {
+        allow_any_instance_of(Conjur::API).to receive(:validate_token)
+      }
+      it "is used to authn" do
+        expect(api.username).to eq('the-token-login')
+        expect(api.api_key).to_not be
+        expect(api.token).to eq(token)
+      end
+      it_should_behave_like "is_not_written_to_netrc"
     end
   end
   

data/spec/command/ldapsync_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe Conjur::Command::LDAPSync, logged_in: true do
+  let(:timestamp) { Time.now.to_s }
+  let(:json_response) { {
+      'events' => [
+        { "timestamp" => timestamp,
+          "severity" => "info",
+          "message" => "Performing sync"
+        }
+      ],
+      'result' => {
+        'actions' => [
+            "user 'Guest'", "group 'Domain Computers'"
+        ]
+      }
+  } }
+  let(:yaml_response) { [
+      'annotations' => {
+          'ldap-sync/source' => '192.168.99.100:389',
+          'ldap-sync/upstream-dn' => 'cn=Guest,dc=example,dc=org',
+      }
+  ].to_yaml }
+
+  describe_command 'ldap-sync now -f text' do
+    before {
+      expect_any_instance_of(Conjur::API).to receive(:ldap_sync_now).and_return json_response
+    }
+    it 'prints out diagnostic events' do
+      expect { invoke }.to write([ timestamp, "info", "Performing sync" ].join("\t"))
+    end
+    it 'prints out actions as text' do
+      expect { invoke }.to write("user 'Guest'\ngroup 'Domain Computers'")
+    end
+  end
+
+  describe_command 'ldap-sync now -f yaml' do
+    it 'prints out actions as unparsed yaml' do
+      expect_any_instance_of(Conjur::API).to receive(:ldap_sync_now).and_return yaml_response
+      expect { invoke }.to write(yaml_response)
+    end
+  end
+end

data/spec/conjurize/script_spec.rb

@@ -0,0 +1,62 @@
+require "spec_helper"
+require "conjur/conjurize/script"
+
+describe Conjur::Conjurize::Script do
+  describe ".latest_conjur_cookbook_release" do
+    let(:releases_json) do
+      %([
+        {
+          "name": "v0.4.0",
+          "assets": [{
+            "name": "conjur-v0.4.0.tar.gz",
+            "browser_download_url": "http://example.com/conjur-v0.4.0.tar.gz"
+          }]
+        },
+        {
+          "name": "v0.3.0",
+          "assets": [{
+            "name": "conjur-v0.3.0.tar.gz",
+            "browser_download_url": "http://example.com/conjur-v0.3.0.tar.gz"
+          }]
+        }
+      ])
+    end
+
+    before do
+      allow(Conjur::Conjurize::Script).to receive(:open)\
+        .with("https://api.github.com/repos/conjur-cookbooks/conjur/releases")\
+        .and_return double(read: releases_json)
+    end
+
+    it "looks up the latest release download url" do
+      expect(Conjur::Conjurize::Script.latest_conjur_cookbook_release).to \
+        eq "http://example.com/conjur-v0.4.0.tar.gz"
+    end
+
+    context "with latest release is without any tarballs" do
+      let(:releases_json) do
+        %([
+          {
+            "name": "v0.4.0",
+            "assets": []
+          },
+          {
+            "name": "v0.3.0",
+            "assets": [{
+              "name": "conjur-v0.3.0.tar.gz",
+              "browser_download_url": "http://example.com/conjur-v0.3.0.tar.gz"
+            }]
+          }
+        ])
+      end
+
+      it "returns the previous one and warns" do
+        err = $stderr.grab do
+          expect(Conjur::Conjurize::Script.latest_conjur_cookbook_release).to \
+            eq "http://example.com/conjur-v0.3.0.tar.gz"
+        end
+        expect(err).to include "WARNING"
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 5.1.2
+  version: 5.2.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-20 00:00:00.000000000 Z
+date: 2016-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -389,6 +389,7 @@ files:
 - lib/conjur/command/ids.rb
 - lib/conjur/command/init.rb
 - lib/conjur/command/layers.rb
+- lib/conjur/command/ldapsync.rb
 - lib/conjur/command/plugin.rb
 - lib/conjur/command/pubkeys.rb
 - lib/conjur/command/resources.rb
@@ -427,6 +428,7 @@ files:
 - spec/command/hosts_spec.rb
 - spec/command/init_spec.rb
 - spec/command/layers_spec.rb
+- spec/command/ldapsync_spec.rb
 - spec/command/pubkeys_spec.rb
 - spec/command/resources_spec.rb
 - spec/command/roles_spec.rb
@@ -437,6 +439,7 @@ files:
 - spec/command_spec.rb
 - spec/complete_spec.rb
 - spec/config_spec.rb
+- spec/conjurize/script_spec.rb
 - spec/conjurize_spec.rb
 - spec/conjurrc
 - spec/dsl/runner_spec.rb
@@ -497,6 +500,7 @@ test_files:
 - spec/command/hosts_spec.rb
 - spec/command/init_spec.rb
 - spec/command/layers_spec.rb
+- spec/command/ldapsync_spec.rb
 - spec/command/pubkeys_spec.rb
 - spec/command/resources_spec.rb
 - spec/command/roles_spec.rb
@@ -507,6 +511,7 @@ test_files:
 - spec/command_spec.rb
 - spec/complete_spec.rb
 - spec/config_spec.rb
+- spec/conjurize/script_spec.rb
 - spec/conjurize_spec.rb
 - spec/conjurrc
 - spec/dsl/runner_spec.rb