conjur-debify 1.6.0 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 62779275043b6c8ea024b9daacc6676e3360ea9c
-  data.tar.gz: bf3df3918cd8b4d50677d9d2656ee019cd8d7e33
+  metadata.gz: 8855639443d69bd88b95e4c6ba08bf24f2b165ca
+  data.tar.gz: f3c6e6d781021d263caa26bdc1f15dbb5abc75d4
 SHA512:
-  metadata.gz: 39daa1114f7198fa8502e42abd3a6724eb0f13371fc15347ccb0e38fa1309e1d09010a7cc4276d43a05c534d143ad366889c9e7af0ac910b4a5a37016e4b7d92
-  data.tar.gz: 144d95e054af19588aa17fc3d9a4c36d2db305e1843a3ad7171bb160fc57377a9d6a1d00bbf0db875c471937547e60132a9145804d6f6588975c7e0a30a281fc
+  metadata.gz: 8efa8c22f09f29eaa660f96cb6313b35995774d01f4d735ddb65223fbb3e7e135348e5a9f91670a75e358f458fc63cc7d798c370e898ef1c9bc097c97b19461e
+  data.tar.gz: 9e67e5c2496368e1cfb09924263f7ed8adae19b19defc6444bdd3424aacddc1cccfac799c307ffae43c0ed1f14d77523b05c5242f45242ee6d6f876f35318082

data/.dockerignore

@@ -1,2 +1 @@
-Dockerfile
 Gemfile.lock

data/.gitignore

@@ -16,3 +16,4 @@ features/reports
 results.html
 mkmf.log
 *.deb
+*.gem

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+# 1.7.0
+
+* Read artifactory credentials from the environment
+  (`ARTIFACTORY_USER`, `ARTIFACTORY_PASSWORD`), only contact Conjur if
+  they're not set.
+
+# 1.6.1
+
+* Buils a docker image to run debify, convert tests to use it, pipeline build
+
 # 1.6.0
 
 * When not on the master branch, `debify publish` uses the branch name as the component name, rather than always using

data/Dockerfile

@@ -1,9 +1,42 @@
-FROM ruby:2.2.6
+FROM ruby:2.2
 
-RUN mkdir -p /src
-WORKDIR /src
+### DockerInDocker support is take from
+### https://github.com/jpetazzo/dind/blob/master/Dockerfile . I
+### elected to base this image on ruby, then pull in the (slightly
+### outdated) support for DockerInDocker. Creation of the official
+### docker:dind image much more complicated and didn't lend itself to
+### also running ruby.
 
-COPY . /src/
-RUN bundle
+RUN apt-get update -qq && apt-get install -qqy \
+    apt-transport-https \
+    ca-certificates \
+    curl \
+    lxc \
+    iptables
+    
+# Install Docker from Docker Inc. repositories.
+RUN curl -sSL https://get.docker.com/ | sh
 
-ENTRYPOINT ["bundle", "exec", "debify"]
+# Install the magic wrapper.
+RUN curl -sSL -o /usr/local/bin/wrapdocker https://raw.githubusercontent.com/jpetazzo/dind/master/wrapdocker
+RUN chmod +x /usr/local/bin/wrapdocker
+
+# Define additional metadata for our image.
+VOLUME /var/lib/docker
+
+### End of DockerInDocker support
+
+RUN mkdir -p /debify
+WORKDIR /debify
+
+COPY . ./
+
+RUN gem build debify.gemspec
+
+ARG VERSION
+RUN gem install -N conjur-debify-${VERSION}.gem
+
+ARG CONJUR_APPLIANCE_URL
+ENV CONJUR_APPLIANCE_URL ${CONJUR_APPLIANCE_URL:-https://conjur-master-v2.itp.conjur.net/api}
+
+ENTRYPOINT ["/debify/distrib/entrypoint.sh"]

data/Jenkinsfile

@@ -0,0 +1,75 @@
+#!/usr/bin/env groovy
+
+pipeline {
+  agent { label 'executor-v2' }
+
+  options {
+    timestamps()
+    buildDiscarder(logRotator(daysToKeepStr: '30'))
+    skipDefaultCheckout()
+  }
+
+  stages {
+    stage('Checkout') {
+      steps {
+        // One of our cukes tests to see if debify can correctly
+        // determine the version for the package being created, based
+        // on the tags in the repo. By default, the Git SCM plugin
+        // doesn't pull tags, causing the cuke to fail.
+        //
+        // I couldn't find any way to configure the plugin, so I used
+        // the Snippet Generator to create this:
+        checkout([$class: 'GitSCM', branches: [[name: env.BRANCH_NAME]], doGenerateSubmoduleConfigurations: false, extensions: [[$class: 'CloneOption', depth: 0, noTags: false, reference: '', shallow: false]], submoduleCfg: [], userRemoteConfigs: [[credentialsId: 'conjur-jenkins', url: 'git@github.com:conjurinc/debify.git']]])
+      }
+    }
+    stage('Build docker image') {
+      steps {
+        sh './build.sh'
+      }
+    }
+
+    stage('Run feature tests') {
+      steps {
+        sh './test.sh'
+        junit 'features/reports/*.xml'
+      }
+    }
+
+    stage('Push Docker image') {
+      when {
+        branch 'master'
+      }
+
+      steps {
+        sh './tag-image.sh'
+        sh './push-image.sh'
+      }
+    }
+
+    stage('Publish to RubyGems') {
+      agent { label 'releaser-v2' }
+      when {
+        branch 'master'
+      }
+
+      steps {
+        checkout scm
+        sh './publish-rubygem.sh'
+        deleteDir()
+      }
+    }
+  }
+
+  post {
+    always {
+      sh 'docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd'
+      deleteDir()
+    }
+    failure {
+      slackSend(color: 'danger', message: "${env.JOB_NAME} #${env.BUILD_NUMBER} FAILURE (<${env.BUILD_URL}|Open>)")
+    }
+    unstable {
+      slackSend(color: 'warning', message: "${env.JOB_NAME} #${env.BUILD_NUMBER} UNSTABLE (<${env.BUILD_URL}|Open>)")
+    }
+  }
+}

data/README.md

@@ -2,6 +2,9 @@
 
 ## Installation
 
+There are two different ways of installing debify: as a gem, or as a Docker image.
+
+### Installing the gem
 Add this line to your application's Gemfile:
 
 ```ruby
@@ -9,15 +12,74 @@ gem 'conjur-debify'
 ```
 
 And then execute:
+
 ```sh-session
 $ bundle
 ```
 
 Or install it yourself as a ruby gem:
+
 ```sh-session
 $ gem install conjur-debify
 ```
 
+### Installing the Docker image
+Pull the Docker image:
+
+```sh-session
+$ VERSION=1.7.0
+$ docker pull registry.tld/conjurinc/debify:$VERSION
+```
+
+Images are tagged with the version specified in [VERSION](./VERSION)
+
+Use the `config` subcommand to get a copy of the wrapper script and the secret definitions for publishing:
+
+```sh-session
+$ docker run --rm debify:$VERSION config script > docker-debify
+$ chmod +x docker-debify
+# Optionally, if publishing a deb
+$ docker run --rm debify:$VERSION config secrets > publishing-secrets.yml
+```
+
+Running `docker-debify` will then start a container configured to run debify:
+
+```sh-session
+$ ./docker-debify help
+NAME
+    debify - Utility commands for building and testing Conjur appliance Debian packages
+
+SYNOPSIS
+    debify [global options] command [command options] [arguments...]
+
+VERSION
+    1.7.0
+
+
+GLOBAL OPTIONS
+    --env=arg           - Set an environment variable (e.g. TERM=xterm) when starting a container (may be used more than once, default:
+                          none)
+    --help              - Show this message
+    --[no-]local-bundle - Mount local bundle to reuse gems from previous installation
+    --version           - Display the program version
+
+COMMANDS
+    clean          - Clean current working directory of non-Git-managed files
+    config         - Show the given configuration
+    detect-version - Auto-detect and print the repository verison
+    help           - Shows a list of commands or help for one command
+    initconfig     - Initialize the config file using current global options
+    package        - Build a debian package for a project
+    publish        - Publish a debian package to apt repository
+    sandbox        - Setup a development sandbox for a Conjur debian package in a Conjur appliance container
+    test           - Test a Conjur debian package in a Conjur appliance container
+```
+
+
+Note that debify itself creates images and starts containers, so it
+needs access to the host's `docker.sock`. Additionally, it requires
+that it be started in root directory of the project being packaged.
+
 ## Build a package
 
 Builds a Conjur Debian package from a Ruby gem.
@@ -29,7 +91,7 @@ NAME
     
 SYNOPSIS
     debify [global options] package [command options] project_name -- <fpm-arguments>
-
+b
 DESCRIPTION
     The package is built using fpm (https://github.com/jordansissel/fpm).
 
@@ -109,43 +171,32 @@ NAME
     publish - Publish a debian package to apt repository
 
 SYNOPSIS
-    debify [global options] publish [command options] package
+    debify [global options] publish [command options] distribution project-name
 
 DESCRIPTION
-    Publishes a deb created with `debify package` to our private apt
-    repository.
-
-    You can use wildcards to select packages to publish, e.g., debify
-    publish *.deb.
+    Publishes a deb created with `debify package` to our private apt repository.
 
-    --distribution should match the major/minor version of the Conjur
-    appliance you want to install to.
+    "distribution" should match the major/minor version of the Conjur appliance you want to install to.
 
-    --component should be 'stable' if run after package tests pass or
-    'testing' if the package is not yet ready for release.
+    The package name is a required option. The package version can be specified as a CLI option, or it will be auto-detected from Git.
 
-    ARTIFACTORY_USERNAME and ARTIFACTORY_PASSWORD must be available
-    in the environment for upload to succeed.
+    --component should be 'stable' if run after package tests pass or 'testing' if the package is not yet ready for release. If you don't specify the component, it will be set to
+    'testing' unless the current git branch is 'master' or 'origin/master'. The git branch is first detected from the env var GIT_BRANCH, and then by checking `git rev-parse
+    --abbrev-ref HEAD` (which won't give you the answer you want when detached).
 
 COMMAND OPTIONS
-    -c, --component=arg    - Maturity stage of the package, 'testing'
-                             or 'stable' (default: testing)
-    -d, --distribution=arg - Lock packages to a Conjur appliance
-                             version (default: 4.6)
+    -c, --component=arg - Maturity stage of the package, 'testing' or 'stable' (default: none)
+    -d, --dir=arg       - Set the current working directory (default: none)
+    -v, --version=arg   - Specify the deb package version; by default, it's computed automatically (default: none)
 ```
 
 ### Example usage
 
-Assuming a `secrets.yml` like this exists in the source directory and that you have `summon` with the Conjur provider installed on the machine:
-
-```yaml
-ARTIFACTORY_USERNAME: !var artifactory/users/jenkins/username
-ARTIFACTORY_PASSWORD: !var artifactory/users/jenkins/password
-```
+You will need read permission for the `ci/artifactory/users/jenkins/username` and `ci/artifactory/users/jenkins/password` variables in order to run this command from your local machine.
 
 ```sh-session
-$ summon debify publish -c stable conjur-example_0.0.1_amd64.deb
-[Thread 0] Uploading artifact: https://conjurinc.artifactoryonline.com/conjurinc/debian-local/test.deb;deb.distribution=4.6;deb.component=stable;deb.architecture=amd64
+$ debify publish -c stable 0.0.1 example
+[Thread 0] Uploading artifact: https://conjurinc.artifactoryonline.com/conjurinc/debian-local/conjur-example_0.1.1-c9fd618_amd64.deb;deb.distribution=0.1.1;deb.component=possum;deb.architecture=amd64
 [Thread 0] Artifactory response: 201 Created
 Uploaded 1 artifacts to Artifactory.
 ```

data/Rakefile

@@ -10,6 +10,11 @@ rescue LoadError
   false
 end
 
+def rspec?
+  require 'rspec/core/rake_task'
+  require 'ci/reporter/rake/rspec'
+end
+  
 Rake::RDocTask.new do |rd|
   rd.main = "README.rdoc"
   rd.rdoc_files.include("README.rdoc","lib/**/*.rb","bin/**/*")
@@ -22,12 +27,11 @@ Gem::PackageTask.new(spec) do |pkg|
 end
 
 if cucumber?
-  CUKE_RESULTS = 'results.html'
-  CLEAN << CUKE_RESULTS
+  CUKE_RESULTS = 'features/reports'
 
   desc 'Run features'
   Cucumber::Rake::Task.new(:features) do |t|
-    opts = "features --format html -o #{CUKE_RESULTS} --format progress -x"
+    opts = "features --format junit -o #{CUKE_RESULTS} --format pretty -x"
     opts += " --tags #{ENV['TAGS']}" if ENV['TAGS']
     t.cucumber_opts =  opts
     t.fork = false
@@ -37,7 +41,7 @@ if cucumber?
   Cucumber::Rake::Task.new('features:wip') do |t|
     tag_opts = ' --tags ~@pending'
     tag_opts = ' --tags @wip'
-    t.cucumber_opts = "features --format html -o #{CUKE_RESULTS} --format pretty -x -s#{tag_opts}"
+    t.cucumber_opts = "features --format junit -o #{CUKE_RESULTS} --format pretty -x -s#{tag_opts}"
     t.fork = false
   end
 
@@ -46,4 +50,8 @@ if cucumber?
   task :wip => 'features:wip'
 end
 
-task :default => [:features]
+if rspec?
+  desc 'Run specs'
+  RSpec::Core::RakeTask.new(:spec)
+  task :spec => 'ci:setup:rspec'
+end

data/VERSION

@@ -0,0 +1 @@
+1.7.0

data/build.sh

@@ -0,0 +1,4 @@
+#!/bin/bash -ex
+
+VERSION=$(< VERSION)
+docker build --build-arg VERSION=$VERSION -t debify:$VERSION .

data/ci/test.sh

@@ -0,0 +1,8 @@
+#!/bin/bash -ex
+
+bundle
+
+for target in spec cucumber; do
+  bundle exec rake $target || true
+done
+

data/debify.gemspec

@@ -19,10 +19,18 @@ Gem::Specification.new do |spec|
   
   spec.add_dependency "gli"
   spec.add_dependency "docker-api", "~> 1.33"
-  spec.add_dependency "conjur-cli"
+  spec.add_dependency "conjur-cli" , "~> 5"
+  spec.add_dependency "conjur-api", "~> 4"
 
   spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "cucumber"
+  
+  # Pin to cucumbe v2. cucumber v3 changes (breaks) the behavior of
+  # unmatched capture groups with \(d+). In v3, the value of such a
+  # group is 0 instead of nil, which breaks aruba's "I successfully
+  # run...." steps.
+  spec.add_development_dependency "cucumber", '~> 2'
   spec.add_development_dependency "aruba"
+  spec.add_development_dependency 'rspec', '~> 3'
+  spec.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
 end

data/distrib/conjur_creds.rb

@@ -0,0 +1,7 @@
+require 'netrc'
+Netrc.configure do |c|
+  c[:allow_permissive_netrc_file] = true
+end
+
+creds = Netrc.read('/root/.netrc')[ENV['CONJUR_APPLIANCE_URL'] + '/authn']
+print "#{creds.login} #{creds.password}" if creds

data/distrib/docker-debify

@@ -0,0 +1,27 @@
+#!/bin/bash -e
+
+# If we're running in jenkins, there will be a conjur.identity file
+# with Conjur creds in it. Otherwise, assume the user's netrc has
+# them.
+if [[ -f /etc/conjur.identity ]]; then
+  netrc=/etc/conjur.identity
+else
+  netrc=$HOME/.netrc
+fi
+
+: ${CONJUR_APPLIANCE_URL=https://conjur-master-v2.itp.conjur.net/api}
+export CONJUR_APPLIANCE_URL
+
+[[ -f "$HOME/.debifyrc" ]] && rc_arg="-v $HOME/.debifyrc:/root/.debifyrc:ro"
+
+# mounting docker socket is required because subcommands launch
+# containers
+tty=$(tty -s && echo "-t" || true)
+docker run -i $tty --rm \
+  -e GLI_DEBUG -e DEBUG -e CONJUR_APPLIANCE_URL \
+  -v $PWD:$PWD -w $PWD \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  -v ${netrc}:/root/.netrc:ro \
+  ${rc_arg} \
+  ${DEBIFY_ENTRYPOINT+--entrypoint $DEBIFY_ENTRYPOINT} \
+  ${DEBIFY_IMAGE-registry.tld/conjurinc/debify:@@DEBIFY_VERSION@@} "$@"

data/distrib/entrypoint.sh

@@ -0,0 +1,22 @@
+#!/bin/bash -e
+
+# Make sure we don't echo commands as executed, otherwise the user's
+# Conjur API key will show up in the logs.
+set +x
+
+creds=( $(ruby /debify/distrib/conjur_creds.rb) )
+
+# If there are creds, use them to log in to the registry. Then, run
+# the magic DockerInDocker wrapper script so debify can interact with
+# the Docker daemon.
+#
+# If there are no creds, just run debify itself. Any commands that do
+# Docker stuff will fail, but the non-Docker commands (e.g. the config
+# subcommands) will work fine.
+if [[ ${#creds[*]} > 0 ]]; then
+  echo -n "${creds[1]}" | docker login registry.tld -u ${creds[0]} --password-stdin >/dev/null 2>&1
+  exec wrapdocker debify "$@"
+else
+  exec debify "$@"
+fi
+

data/distrib/script

@@ -0,0 +1 @@
+distrib/docker-debify

data/distrib/secrets

@@ -0,0 +1 @@
+distrib/secrets.yml

data/distrib/secrets.yml

@@ -0,0 +1,2 @@
+ARTIFACTORY_USER: !var ci/artifactory/users/jenkins/username
+ARTIFACTORY_PASSWORD: !var ci/artifactory/users/jenkins/password

data/features/detect_version.feature

@@ -4,4 +4,4 @@ Feature: Automatic version string
   Scenario: 'example' project gets a default version
     When I run `env DEBUG=true GLI_DEBUG=true debify detect-version -d ../../example`
     Then the exit status should be 0
-    And the output should match /\d.\d.\d-\d-.*/
+    And the output should match /\d+.\d+.\d+-\d+-.*/

data/features/package.feature

@@ -16,6 +16,6 @@ Feature: Packaging
 	@announce-output
 	Scenario: 'example' project can be tested successfully
 		Given I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example -v 0.0.1 example -- --post-install /distrib/postinstall.sh`
-		When I run `env DEBUG=true GLI_DEBUG=true debify test -t 4.8-stable -v 0.0.1 -d ../../example --no-pull example test.sh`
+		When I run `env DEBUG=true GLI_DEBUG=true debify test -t 4.9-stable -v 0.0.1 -d ../../example --no-pull example test.sh`
 		Then the exit status should be 0
 		And the stderr should contain "Test succeeded"

data/lib/conjur/debify.rb

@@ -296,9 +296,6 @@ def container_command container, *args
 end
 
 def wait_for_conjur appliance_image, container
-  # Add a hosts entry for now, get rid of it when wait_for_conjur no
-  # longer requires it.
-  system("docker exec #{container.id} /bin/bash -c 'echo 127.0.0.1 conjur >> /etc/hosts'")
   container_command container, '/opt/conjur/evoke/bin/wait_for_conjur'
 end
 
@@ -641,73 +638,13 @@ command "publish" do |c|
   c.flag [ :c, :component ]
 
   c.action do |global_options,cmd_options,args|
+    require 'conjur/debify/action/publish'
     raise "distribution is required" unless distribution = args.shift
     raise "project-name is required" unless project_name = args.shift
     raise "Received extra command-line arguments" if args.shift
 
-    def detect_component
-      branch = ENV['GIT_BRANCH'] || ENV['BRANCH_NAME'] || `git rev-parse --abbrev-ref HEAD`.strip
-      if %w(master origin/master).include?(branch)
-        'stable'
-      else
-        branch.gsub('/', '.')
-      end
-    end
-
-    dir = cmd_options[:dir] || '.'
-    dir = File.expand_path(dir)
-    raise "Directory #{dir} does not exist or is not a directory" unless File.directory?(dir)
-        
-    Dir.chdir dir do
-      version = cmd_options[:version] || detect_version
-      component = cmd_options[:component] || detect_component
-      package_name = "conjur-#{project_name}_#{version}_amd64.deb"
-
-      publish_image = Docker::Image.build_from_dir File.expand_path('publish', File.dirname(__FILE__)), tag: "debify-publish", &DebugMixin::DOCKER
-      DebugMixin.debug_write "Built base publish image '#{publish_image.id}'\n"
-      
-      require 'conjur/cli'
-      require 'conjur/authn'
-      Conjur::Config.load
-      Conjur::Config.apply
-      conjur = Conjur::Authn.connect nil, noask: true
-
-      username_var = 'artifactory/users/jenkins/username'
-      password_var = 'artifactory/users/jenkins/password'
-
-      if conjur.variable('ci/artifactory/users/jenkins/username').exists?  # we're on new conjurops
-        username_var.insert(0, 'ci/')
-        password_var.insert(0, 'ci/')
-      end
-
-      art_username = conjur.variable(username_var).value
-      art_password = conjur.variable(password_var).value
-
-      options = {
-          'Image' => publish_image.id,
-          'Cmd' => [
-              "art", "upload",
-              "--url", "https://conjurinc.artifactoryonline.com/conjurinc",
-              "--user", art_username,
-              "--password", art_password,
-              "--deb", "#{distribution}/#{component}/amd64",
-              package_name, "debian-local/"
-          ],
-          'Binds' => [
-              [ dir, "/src" ].join(':')
-          ]
-      }
-      options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
-  
-      container = Docker::Container.create(options)
-      begin
-        container.tap(&:start).streaming_logs(follow: true, stdout: true, stderr: true) { |stream, chunk| puts "#{chunk}" }
-        status = container.wait
-        raise "Failed to publish #{package_name}" unless status['StatusCode'] == 0
-      ensure
-        container.delete(force: true)
-      end
-    end
+    require 'pry'; binding.pry
+    Conjur::Debify::Action::Publish.new(distribution, project_name, cmd_options).run
   end
 end
   
@@ -729,6 +666,20 @@ command "detect-version" do |c|
   end
 end
 
+desc 'Show the given configuration'
+arg_name 'configuration'
+command 'config' do |c|
+  c.action do |_,_,args|
+    raise 'no configuration provided' unless config = args.shift
+    raise "Received extra command-line arguments" if args.shift
+
+    File.open(File.join('distrib', config)).each do |line|
+      puts line.gsub(/@@DEBIFY_VERSION@@/, Conjur::Debify::VERSION)
+    end
+  end
+end
+
+  
 pre do |global,command,options,args|
   # Pre logic here
   # Return true to proceed; false to abort and not call the

data/lib/conjur/debify/action/publish.rb

@@ -0,0 +1,90 @@
+module Conjur::Debify
+  module Action
+    class Publish
+
+      def detect_component
+        branch = ENV['GIT_BRANCH'] || ENV['BRANCH_NAME'] || `git rev-parse --abbrev-ref HEAD`.strip
+        if %w(master origin/master).include?(branch)
+          'stable'
+        else
+          branch.gsub('/', '.')
+        end
+      end
+
+      attr_reader :distribution, :project_name, :cmd_options
+      def initialize(distribution, project_name, cmd_options)
+        @distribution = distribution
+        @project_name = project_name
+        @cmd_options = cmd_options
+      end
+      
+      def run
+        dir = cmd_options[:dir] || '.'
+        dir = File.expand_path(dir)
+        raise "Directory #{dir} does not exist or is not a directory" unless File.directory?(dir)
+        
+        Dir.chdir dir do
+          version = cmd_options[:version] || detect_version
+          component = cmd_options[:component] || detect_component
+          package_name = "conjur-#{project_name}_#{version}_amd64.deb"
+
+          publish_image = create_image 
+          DebugMixin.debug_write "Built base publish image '#{publish_image.id}'\n"
+
+          art_user = ENV['ARTIFACTORY_USER']
+          art_password = ENV['ARTIFACTORY_PASSWORD']
+          unless art_user && art_password
+            art_user, art_password = fetch_art_creds
+          end
+
+          options = {
+            'Image' => publish_image.id,
+            'Cmd' => [
+              "art", "upload",
+              "--url", "https://conjurinc.artifactoryonline.com/conjurinc",
+              "--user", art_user,
+              "--password", art_password,
+              "--deb", "#{distribution}/#{component}/amd64",
+              package_name, "debian-local/"
+            ],
+            'Binds' => [
+              [ dir, "/src" ].join(':')
+            ]
+          }
+          options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
+
+          publish(options)
+        end
+      end
+
+      def create_image
+        Docker::Image.build_from_dir File.expand_path('publish', File.dirname(__FILE__)), tag: "debify-publish", &DebugMixin::DOCKER
+      end
+
+      def fetch_art_creds
+        require 'conjur/cli'
+        require 'conjur/authn'
+        Conjur::Config.load
+        Conjur::Config.apply
+        conjur = Conjur::Authn.connect nil, noask: true
+        
+        username_var = 'ci/artifactory/users/jenkins/username'
+        password_var = 'ci/artifactory/users/jenkins/password'
+
+        [conjur.variable(username_var).value, conjur.variable(password_var).value]
+      end
+
+      def publish(options)
+        container = Docker::Container.create(options)
+        begin
+          container.tap(&:start).streaming_logs(follow: true, stdout: true, stderr: true) { |stream, chunk| puts "#{chunk}" }
+          status = container.wait
+          raise "Failed to publish #{package_name}" unless status['StatusCode'] == 0
+        ensure
+          container.delete(force: true)
+        end
+      end
+      
+    end
+  end
+end

data/lib/conjur/debify/version.rb

@@ -1,5 +1,5 @@
 module Conjur
   module Debify
-    VERSION = "1.6.0"
+    VERSION = File.read(File.expand_path('../../../VERSION', __dir__))
   end
 end

data/publish-rubygem.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+docker pull registry.tld/conjurinc/publish-rubygem
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+
+summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
+  docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
+  registry.tld/conjurinc/publish-rubygem debify
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd

data/push-image.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -ex
+
+TAG=$(< VERSION)
+
+docker push registry.tld/conjurinc/debify:$TAG
+docker push registry.tld/conjurinc/debify:latest

data/spec/action/publish_spec.rb

@@ -0,0 +1,54 @@
+require 'spec_helper'
+require 'conjur/debify/action/publish'
+
+describe Conjur::Debify::Action::Publish do
+
+  let (:cmd_options) {
+    {
+      :version => '1.0.0',
+      :component => 'stable'
+    }
+  }
+
+  let (:action) { Conjur::Debify::Action::Publish.new('dist', 'proj', cmd_options) }
+
+  before do
+    allow(DebugMixin).to receive(:debug_write)
+    
+    allow(action).to receive(:create_image).and_return(double('publish_image', :id => 'a1b2c3d4'))
+  end
+  
+  context 'with artifactory creds in the environment' do
+
+    before do
+      ENV['ARTIFACTORY_USER'] = 'art_user'
+      ENV['ARTIFACTORY_PASSWORD'] = 'art_password'
+    end
+
+    after do
+      ENV.delete('ARTIFACTORY_USER')
+      ENV.delete('ARTIFACTORY_PASSWORD')
+    end
+    
+    it 'runs' do
+      expect(action).to receive(:publish)
+      
+      action.run
+    end
+    
+  end
+
+  context 'without artifactory creds in the environment' do
+
+    it 'runs' do
+      expect(action).to receive(:fetch_art_creds)
+      expect(action).to receive(:publish)
+      
+      action.run
+    end
+  end
+  
+end
+
+    
+    

data/spec/spec_helper.rb

@@ -0,0 +1 @@
+require 'conjur/debify'

data/tag-image.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -ex
+TAG=$(< VERSION)
+
+docker tag debify:$TAG registry.tld/conjurinc/debify:$TAG
+docker tag debify:$TAG registry.tld/conjurinc/debify:latest

data/test.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -ex
+
+VERSION=$(< VERSION)
+docker run --rm debify:$VERSION config script > docker-debify
+chmod +x docker-debify
+DEBIFY_IMAGE=debify:$VERSION DEBIFY_ENTRYPOINT=ci/test.sh ./docker-debify

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-debify
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.0
 platform: ruby
 authors:
 - Kevin Gilpin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-25 00:00:00.000000000 Z
+date: 2017-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gli
@@ -42,16 +42,30 @@ dependencies:
   name: conjur-cli
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5'
+- !ruby/object:Gem::Dependency
+  name: conjur-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -84,16 +98,16 @@ dependencies:
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: aruba
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +122,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: ci_reporter_rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: 
 email:
 - kgilpin@conjur.net
@@ -123,11 +165,21 @@ files:
 - CHANGELOG.md
 - Dockerfile
 - Gemfile
+- Jenkinsfile
 - LICENSE.txt
 - README.md
 - Rakefile
+- VERSION
 - bin/debify
+- build.sh
+- ci/test.sh
 - debify.gemspec
+- distrib/conjur_creds.rb
+- distrib/docker-debify
+- distrib/entrypoint.sh
+- distrib/script
+- distrib/secrets
+- distrib/secrets.yml
 - example/Gemfile
 - example/Gemfile.lock
 - example/debify.sh
@@ -140,12 +192,19 @@ files:
 - jenkins.sh
 - lib/conjur/debify.rb
 - lib/conjur/debify/Dockerfile.fpm
+- lib/conjur/debify/action/publish.rb
 - lib/conjur/debify/version.rb
 - lib/conjur/fpm/Dockerfile
 - lib/conjur/fpm/debify_utils.sh
 - lib/conjur/fpm/package.sh
 - lib/conjur/publish/Dockerfile
+- publish-rubygem.sh
+- push-image.sh
 - secrets.yml
+- spec/action/publish_spec.rb
+- spec/spec_helper.rb
+- tag-image.sh
+- test.sh
 homepage: https://github.com/conjurinc/debify
 licenses:
 - MIT
@@ -166,7 +225,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5.2
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: Utility commands to build and package Conjur services as Debian packages
@@ -175,4 +234,5 @@ test_files:
 - features/package.feature
 - features/step_definitions/debify_steps.rb
 - features/support/env.rb
-has_rdoc: 
+- spec/action/publish_spec.rb
+- spec/spec_helper.rb