Merge pull request #1582 from cyberark/1581-conjurctl-start

1581 `rake policy:load` caused start script to fail

app/models/loader/create_policy.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+# Responsible for creating policy. Called when a POST request is received
+module Loader
+  class CreatePolicy
+    def initialize(loader)
+      @loader = loader
+    end
+
+    def self.from_policy(policy_version)
+      CreatePolicy.new(Loader::Orchestrate.new(policy_version))
+    end
+
+    def call
+      @loader.setup_db_for_new_policy
+
+      @loader.delete_shadowed_and_duplicate_rows
+
+      @loader.store_policy_in_db
+    end
+
+    def new_roles
+      @loader.new_roles
+    end
+  end
+end

app/models/loader/modify_policy.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# Responsible for modifying policy. Called when a PATCH request is received
+module Loader
+  class ModifyPolicy
+    def initialize(loader)
+      @loader = loader
+    end
+
+    def self.from_policy(policy_version)
+      ModifyPolicy.new(Loader::Orchestrate.new(policy_version))
+    end
+
+    def call
+      @loader.setup_db_for_new_policy
+
+      @loader.delete_shadowed_and_duplicate_rows
+
+      @loader.update_changed
+
+      @loader.store_policy_in_db
+    end
+
+    def new_roles
+      @loader.new_roles
+    end
+  end
+end

app/models/loader/orchestrate.rb

@@ -380,79 +380,4 @@ def db
       Sequel::Model.db
     end
   end
-
-  # Responsible for creating policy. Called when a POST request is received
-  class CreatePolicy
-    def initialize(loader)
-      @loader = loader
-    end
-
-    def self.from_policy(policy_version)
-      CreatePolicy.new(Loader::Orchestrate.new(policy_version))
-    end
-
-    def call
-      @loader.setup_db_for_new_policy
-
-      @loader.delete_shadowed_and_duplicate_rows
-
-      @loader.store_policy_in_db
-    end
-
-    def new_roles
-      @loader.new_roles
-    end
-  end
-
-  # Responsible for replacing policy. Called when a PUT request is received
-  class ReplacePolicy
-    def initialize(loader)
-      @loader = loader
-    end
-
-    def self.from_policy(policy_version)
-      ReplacePolicy.new(Loader::Orchestrate.new(policy_version))
-    end
-
-    def call
-      @loader.setup_db_for_new_policy
-
-      @loader.delete_removed
-
-      @loader.delete_shadowed_and_duplicate_rows
-
-      @loader.update_changed
-
-      @loader.store_policy_in_db
-    end
-
-    def new_roles
-      @loader.new_roles
-    end
-  end
-
-  # Responsible for modifying policy. Called when a PATCH request is received
-  class ModifyPolicy
-    def initialize(loader)
-      @loader = loader
-    end
-
-    def self.from_policy(policy_version)
-      ModifyPolicy.new(Loader::Orchestrate.new(policy_version))
-    end
-
-    def call
-      @loader.setup_db_for_new_policy
-
-      @loader.delete_shadowed_and_duplicate_rows
-
-      @loader.update_changed
-
-      @loader.store_policy_in_db
-    end
-
-    def new_roles
-      @loader.new_roles
-    end
-  end
 end

app/models/loader/replace_policy.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+# Responsible for replacing policy. Called when a PUT request is received
+module Loader
+  class ReplacePolicy
+    def initialize(loader)
+      @loader = loader
+    end
+
+    def self.from_policy(policy_version)
+      ReplacePolicy.new(Loader::Orchestrate.new(policy_version))
+    end
+
+    def call
+      @loader.setup_db_for_new_policy
+
+      @loader.delete_removed
+
+      @loader.delete_shadowed_and_duplicate_rows
+
+      @loader.update_changed
+
+      @loader.store_policy_in_db
+    end
+
+    def new_roles
+      @loader.new_roles
+    end
+  end
+end

cucumber/policy/features/rake.feature

@@ -0,0 +1,12 @@
+Feature: Rake task to load Conjur policy
+
+Conjur includes a Rake task (`rake policy:load`) for loading policies from 
+within the Conjur container. This rake task is used by the `conjurctl policy 
+load`
+
+  Scenario: Load a simple policy using `rake policy:load`
+
+    When I load a policy from file "policy.yml" using conjurctl
+    Then user "test" exists
+
+

cucumber/policy/features/step_definitions/rake_steps.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+When(/^I load a policy from file "([^"]*)" using conjurctl/) do |filename|
+  absolute_path = "#{File.dirname __FILE__}/../support/#{filename}"
+  rake_task = ["rake", "policy:load[cucumber, #{absolute_path}]"]
+  system(*rake_task)
+end

cucumber/policy/features/support/env.rb

@@ -7,6 +7,10 @@
 Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'http://conjur'
 Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
 
+# This is needed to run the cucumber --profile policy successfully
+# otherwise it fails due to the way root_loader sets its admin password
+ENV.delete('CONJUR_ADMIN_PASSWORD')
+
 # so that we can require relative to the project root
 $LOAD_PATH.unshift File.expand_path '../../../..', __dir__
 require 'config/environment'

cucumber/policy/features/support/policy.yml

@@ -0,0 +1 @@
+- !user test

dev/start

@@ -132,7 +132,8 @@ docker-compose exec -d conjur conjurctl server
 echo 'Checking if Conjur server is ready'
 conjur_isready?
 
-enabled_authenticators="authn,authn-config/env"
+default_authenticators="authn,authn-config/env"
+enabled_authenticators="$default_authenticators"
 
 env_args=
 if [[ $ENABLE_AUTHN_LDAP = true ]]; then
@@ -256,6 +257,15 @@ env_args="$env_args -e CONJUR_AUTHENTICATORS=$enabled_authenticators"
 
 docker-compose up -d --no-deps $services
 
+# If the enabled authenticators changed after initial Conjur configuration,
+# then docker-compose recreates the container to set the environment variable,
+# and we need to restart the Conjur server process.
+if [[ $enabled_authenticators != $default_authenticators ]]; then
+  echo "Starting Conjur server"
+  docker-compose exec -d conjur conjurctl server
+  conjur_isready?
+fi
+
 echo "Creating user alice"
 docker-compose exec client conjur policy load root /src/conjur-server/dev/files/policy.yml
 

lib/root_loader.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'json'
+require 'logs'
 
 # BootstrapLoader is used to load an initial "root" policy when the database is completely empty.
 class RootLoader