From 9908695613adbf74a84e5f74c8930135d9cd0258 Mon Sep 17 00:00:00 2001
From: Hadar Artzi
Date: Wed, 3 Jun 2020 10:11:49 -0400
Subject: [PATCH 1/4] Test Rake task to load Conjur policy

---
 cucumber/policy/features/rake.feature | 12 ++++++++++++
 .../policy/features/step_definitions/rake_steps.rb | 7 +++++++
 cucumber/policy/features/support/env.rb | 4 ++++
 cucumber/policy/features/support/policy.yml | 1 +
 4 files changed, 24 insertions(+)
 create mode 100644 cucumber/policy/features/rake.feature
 create mode 100644 cucumber/policy/features/step_definitions/rake_steps.rb
 create mode 100644 cucumber/policy/features/support/policy.yml

diff --git a/cucumber/policy/features/rake.feature b/cucumber/policy/features/rake.feature
new file mode 100644
index 0000000000..aa2864402b
--- /dev/null
+++ b/cucumber/policy/features/rake.feature
@@ -0,0 +1,12 @@
+Feature: Rake task to load Conjur policy
+
+Conjur includes a Rake task (`rake policy:load`) for loading policies from
+within the Conjur container. This rake task is used by the `conjurctl policy
+load`
+
+ Scenario: Load a simple policy using `rake policy:load`
+
+ When I load a policy from file "policy.yml" using conjurctl
+ Then user "test" exists
+
+
\ No newline at end of file
diff --git a/cucumber/policy/features/step_definitions/rake_steps.rb b/cucumber/policy/features/step_definitions/rake_steps.rb
new file mode 100644
index 0000000000..1c69a14ba6
--- /dev/null
+++ b/cucumber/policy/features/step_definitions/rake_steps.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+When(/^I load a policy from file "([^"]*)" using conjurctl/) do |filename|
+ absolute_path = "#{File.dirname __FILE__}/../support/#(unknown)"
+ rake_task = ["rake", "policy:load[cucumber, #{absolute_path}]"]
+ system(*rake_task)
+end
diff --git a/cucumber/policy/features/support/env.rb b/cucumber/policy/features/support/env.rb
index c8ef2263dc..fb01fa21a5 100644
--- a/cucumber/policy/features/support/env.rb
+++ b/cucumber/policy/features/support/env.rb
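Review bot: The step `When I load a policy from file "policy.yml" using conjurctl` names conjurctl, but the scenario title, the feature text and the step definition in rake_steps.rb all exercise `rake policy:load` directly, so the wording misdescribes what the scenario tests; rename it to `When I load a policy from file "policy.yml" using rake policy:load` and adjust the matching regex in rake_steps.rb. The feature description also breaks off after `conjurctl policy load` (a word such as "command" appears to be missing), and the file ends in a whitespace-only line without a trailing newline.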
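Review bot: `system(*rake_task)` discards the exit status, so a failing `rake policy:load` leaves this step green and the problem only surfaces indirectly in the following `Then` step; change it to `system(*rake_task) || raise("rake policy:load failed for #{absolute_path}")`. The `absolute_path` line shows `#(unknown)` at the point where the otherwise unused block parameter would be interpolated, which looks like an artifact of this rendering rather than the committed text — worth confirming the committed line reads `#{filename}`. `File.expand_path(File.join(__dir__, '..', 'support', filename))` would also yield a normalised path instead of the `/../` form and the older `File.dirname __FILE__` call.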
@@ -7,6 +7,10 @@
 Conjur.configuration.appliance_url = ENV['CONJUR_APPLIANCE_URL'] || 'http://conjur'
 Conjur.configuration.account = ENV['CONJUR_ACCOUNT'] || 'cucumber'
 
+# This is needed to run the cucumber --profile policy successfully
+# otherwise it fails due to the way root_loader sets its admin password
+ENV.delete('CONJUR_ADMIN_PASSWORD')
+
 # so that we can require relative to the project root
 $LOAD_PATH.unshift File.expand_path '../../../..', __dir__
 require 'config/environment'
diff --git a/cucumber/policy/features/support/policy.yml b/cucumber/policy/features/support/policy.yml
new file mode 100644
index 0000000000..1691d80d90
--- /dev/null
+++ b/cucumber/policy/features/support/policy.yml
@@ -0,0 +1 @@
+- !user test
From dae299eeeafb6835d961f15843d2599c734eab87 Mon Sep 17 00:00:00 2001
From: Hadar Artzi
Date: Wed, 3 Jun 2020 10:12:07 -0400
Subject: [PATCH 2/4] Restart conjur if there are any non default authenticators

If enabled authenticators changed after initial Conjur config, then the Conjur container is recreated to set the ENV CONJUR_AUTHENTICATORS. Which requires a restart of the Conjur server
---
 dev/start | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/dev/start b/dev/start
index 46a0f3ca70..4048e495ae 100755
--- a/dev/start
+++ b/dev/start
@@ -132,7 +132,8 @@ docker-compose exec -d conjur conjurctl server
 echo 'Checking if Conjur server is ready'
 conjur_isready?
 
-enabled_authenticators="authn,authn-config/env"
+default_authenticators="authn,authn-config/env"
+enabled_authenticators="$default_authenticators"
 env_args=
 
 if [[ $ENABLE_AUTHN_LDAP = true ]]; then
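Review bot: The two-line comment above `ENV.delete('CONJUR_ADMIN_PASSWORD')` records the symptom but not the cause, and the deletion is process-wide: every later step in this profile and every subprocess the step definitions spawn (such as the `rake policy:load` call in rake_steps.rb) inherits an environment without the variable. Spell out what the value does and the scope of the change, e.g. `# root_loader reads CONJUR_ADMIN_PASSWORD at boot (confirm); with it set the policy profile fails, so it is unset for the whole cucumber process and for every subprocess the steps spawn`, or narrow the deletion to the code path that actually needs it.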
@@ -256,6 +257,15 @@ env_args="$env_args -e CONJUR_AUTHENTICATORS=$enabled_authenticators"
 docker-compose up -d --no-deps $services
 
 
+# If the enabled authenticators changed after initial Conjur configuration,
+# then docker-compose recreates the container to set the environment variable,
+# and we need to restart the Conjur server process.
+if [[ $enabled_authenticators != $default_authenticators ]]; then
+ echo "Starting Conjur server"
+ docker-compose exec -d conjur conjurctl server
+ conjur_isready?
+fi
+
 echo "Creating user alice"
 docker-compose exec client conjur policy load root /src/conjur-server/dev/files/policy.yml
 
From aa241aa70ddfe31538fbe7a50696829a928231bf Mon Sep 17 00:00:00 2001
From: Hadar Artzi
Date: Wed, 3 Jun 2020 10:12:23 -0400
Subject: [PATCH 3/4] Separate classes into their own file

Previously we were defining multiple classes in a file and we believe that this caused issues with rails auto loading.
---
 app/models/loader/create_policy.rb | 26 ++++++++++
 app/models/loader/modify_policy.rb | 28 +++++++++++
 app/models/loader/orchestrate.rb | 75 -----------------------------
 app/models/loader/replace_policy.rb | 30 ++++++++++++
 4 files changed, 84 insertions(+), 75 deletions(-)
 create mode 100644 app/models/loader/create_policy.rb
 create mode 100644 app/models/loader/modify_policy.rb
 create mode 100644 app/models/loader/replace_policy.rb

diff --git a/app/models/loader/create_policy.rb b/app/models/loader/create_policy.rb
new file mode 100644
index 0000000000..9d1d15445f
--- /dev/null
+++ b/app/models/loader/create_policy.rb
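Review bot: `[[ $enabled_authenticators != $default_authenticators ]]` tests whether the set differs from the default, not whether it changed since the container was first started, so a second run of dev/start with the same non-default authenticators (where docker-compose apparently leaves the container as it is) would exec another `conjurctl server` into a container that is already running one. If the intent is "the container was recreated", test that directly, for instance by comparing the id from `docker-compose ps -q conjur` taken before and after `docker-compose up`. At minimum quote both operands, `if [[ "$enabled_authenticators" != "$default_authenticators" ]]; then`, because an unquoted right-hand side of `!=` inside `[[ ]]` is matched as a glob pattern rather than compared literally.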
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+# Responsible for creating policy. Called when a POST request is received
+module Loader
+ class CreatePolicy
+ def initialize(loader)
+ @loader = loader
+ end
+
+ def self.from_policy(policy_version)
+ CreatePolicy.new(Loader::Orchestrate.new(policy_version))
+ end
+
+ def call
+ @loader.setup_db_for_new_policy
+
+ @loader.delete_shadowed_and_duplicate_rows
+
+ @loader.store_policy_in_db
+ end
+
+ def new_roles
+ @loader.new_roles
+ end
+ end
+end
diff --git a/app/models/loader/modify_policy.rb b/app/models/loader/modify_policy.rb
new file mode 100644
index 0000000000..b7959f1205
--- /dev/null
+++ b/app/models/loader/modify_policy.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# Responsible for modifying policy. Called when a PATCH request is received
+module Loader
+ class ModifyPolicy
+ def initialize(loader)
+ @loader = loader
+ end
+
+ def self.from_policy(policy_version)
+ ModifyPolicy.new(Loader::Orchestrate.new(policy_version))
+ end
+
+ def call
+ @loader.setup_db_for_new_policy
+
+ @loader.delete_shadowed_and_duplicate_rows
+
+ @loader.update_changed
+
+ @loader.store_policy_in_db
+ end
+
+ def new_roles
+ @loader.new_roles
+ end
+ end
+end
diff --git a/app/models/loader/orchestrate.rb b/app/models/loader/orchestrate.rb
index 73b22fb36b..3c873071ac 100644
--- a/app/models/loader/orchestrate.rb
+++ b/app/models/loader/orchestrate.rb
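Review bot: `CreatePolicy` and `ModifyPolicy` here, and `ReplacePolicy` in replace_policy.rb, arrive as verbatim moves, so each file's only comment is the HTTP verb that reaches it while the one thing that distinguishes the three classes — the `call` sequence — is undocumented. Give `call` a short comment naming its steps and the difference, e.g. for this class `# Load a new policy version: prepare the DB, drop rows shadowed by or duplicating existing ones, then persist; unlike ModifyPolicy (update_changed) and ReplacePolicy (delete_removed + update_changed) nothing already stored is updated or removed`, with the counterpart wording in the other two files. `new_roles` would likewise benefit from a one-liner saying it forwards to the orchestrator. The three `from_policy` factories could also read `new(Loader::Orchestrate.new(policy_version))` instead of repeating the class name.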
@@ -380,79 +380,4 @@ def db
 Sequel::Model.db
 end
 end
-
- # Responsible for creating policy. Called when a POST request is received
- class CreatePolicy
- def initialize(loader)
- @loader = loader
- end
-
- def self.from_policy(policy_version)
- CreatePolicy.new(Loader::Orchestrate.new(policy_version))
- end
-
- def call
- @loader.setup_db_for_new_policy
-
- @loader.delete_shadowed_and_duplicate_rows
-
- @loader.store_policy_in_db
- end
-
- def new_roles
- @loader.new_roles
- end
- end
-
- # Responsible for replacing policy. Called when a PUT request is received
- class ReplacePolicy
- def initialize(loader)
- @loader = loader
- end
-
- def self.from_policy(policy_version)
- ReplacePolicy.new(Loader::Orchestrate.new(policy_version))
- end
-
- def call
- @loader.setup_db_for_new_policy
-
- @loader.delete_removed
-
- @loader.delete_shadowed_and_duplicate_rows
-
- @loader.update_changed
-
- @loader.store_policy_in_db
- end
-
- def new_roles
- @loader.new_roles
- end
- end
-
- # Responsible for modifying policy. Called when a PATCH request is received
- class ModifyPolicy
- def initialize(loader)
- @loader = loader
- end
-
- def self.from_policy(policy_version)
- ModifyPolicy.new(Loader::Orchestrate.new(policy_version))
- end
-
- def call
- @loader.setup_db_for_new_policy
-
- @loader.delete_shadowed_and_duplicate_rows
-
- @loader.update_changed
-
- @loader.store_policy_in_db
- end
-
- def new_roles
- @loader.new_roles
- end
- end
 end
diff --git a/app/models/loader/replace_policy.rb b/app/models/loader/replace_policy.rb
new file mode 100644
index 0000000000..6a01125469
--- /dev/null
+++ b/app/models/loader/replace_policy.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+# Responsible for replacing policy. Called when a PUT request is received
+module Loader
+ class ReplacePolicy
+ def initialize(loader)
+ @loader = loader
+ end
+
+ def self.from_policy(policy_version)
+ ReplacePolicy.new(Loader::Orchestrate.new(policy_version))
+ end
+
+ def call
+ @loader.setup_db_for_new_policy
+
+ @loader.delete_removed
+
+ @loader.delete_shadowed_and_duplicate_rows
+
+ @loader.update_changed
+
+ @loader.store_policy_in_db
+ end
+
+ def new_roles
+ @loader.new_roles
+ end
+ end
+end
From 6383fa32b8aa2b39c3c5dc183179a490fc425587 Mon Sep 17 00:00:00 2001
From: Hadar Artzi
Date: Wed, 3 Jun 2020 10:12:41 -0400
Subject: [PATCH 4/4] Add necessary require statement

I am not sure why we were getting errors. However, the hypothesis is that rails auto-loading was causing the classes not to be found.
---
 lib/root_loader.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/root_loader.rb b/lib/root_loader.rb
index 86add7c902..a88ce503b7 100644
--- a/lib/root_loader.rb
+++ b/lib/root_loader.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'json'
+require 'logs'
 
 # BootstrapLoader is used to load an initial "root" policy when the database is completely empty.
 class RootLoader
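Review bot: `require 'logs'` carries no explanation, and the commit message itself calls the reason a hypothesis; an unexplained bare require in a file that otherwise relies on Rails autoloading is the first thing a later clean-up removes. Record the why next to it, e.g. `require 'logs' # explicit: the constant was not resolved via autoloading when this file is loaded (root cause not confirmed)`, and replace the guess with the actual cause once it is known. The RootLoader class body continues outside the hunk.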