cyberark · micahlee · Feb 15, 2019 · Feb 6, 2019 · Feb 8, 2019 · Feb 8, 2019
diff --git a/bin/compile b/bin/compile
@@ -1,14 +1,5 @@
-#!/bin/bash -e
-# bin/compile <build-dir>
+#!/bin/bash
 
-echo "[cyberark-conjur-buildpack]: compiling"
+# bin/compile is currently required, even though it's deprecated. This is likely a bug.
 
-BUILD_DIR=$1
-BIN_DIR=$(cd $(dirname $0); pwd)
-BUILDPACK_DIR=$(dirname $BIN_DIR)
-
-pushd ${BUILD_DIR}
-  mkdir -p .profile.d vendor
-  cp ${BUILDPACK_DIR}/vendor/conjur-env ./vendor/conjur-env
-  cp ${BUILDPACK_DIR}/lib/0001_retrieve-secrets.sh ./.profile.d/0001_retrieve-secrets.sh
-popd
+exit
diff --git a/bin/decorate b/bin/decorate
diff --git a/bin/detect b/bin/detect
diff --git a/bin/supply b/bin/supply
@@ -0,0 +1,36 @@
+#!/bin/bash -e
+# bin/supply <build-dir> <cache-dir> <deps-dir> <index>
+
+BUILD_DIR=$1
+CACHE_DIR=$2
+DEPS_DIR=$3
+INDEX_DIR=$4
+
+BIN_DIR=$(cd $(dirname $0); pwd)
+BUILDPACK_DIR=$(dirname $BIN_DIR)
+
+echo "[cyberark-conjur-buildpack]: supplying"
+
+if [ ! -f $BUILD_DIR/secrets.yml ]; then
+  echo "No secrets.yml file found in $BUILD_DIR."
+  exit 1
+fi
+
+if [[ false = $(echo $VCAP_SERVICES | jq 'has("cyberark-conjur")') ]]; then
+  echo "No credentials for cyberark-conjur service found in VCAP_SERVICES."
+  exit 1
+fi
+
+pushd ${DEPS_DIR}/${INDEX_DIR}
+  # We add the lib/0001_retrieve-secrets.sh script to .profile.d so that it will
+  # be run automatically to retrieve secrets when the app starts.
+  mkdir -p .profile.d
+  cp ${BUILDPACK_DIR}/lib/0001_retrieve-secrets.sh ./.profile.d/0001_retrieve-secrets.sh
+  sed "s/__BUILDPACK_INDEX__/$INDEX_DIR/g" ./.profile.d/0001_retrieve-secrets.sh -i
+
+  # conjur-env reads a secrets.yml file and uses it to retrieve secrets from
+  # Conjur. We copy it to the dependency directory to make it accessible to the
+  # /.profile.d script. The /vendor subdirectory is just for convenience.
+  mkdir -p vendor
+  cp ${BUILDPACK_DIR}/vendor/conjur-env ./vendor/conjur-env
+popd
diff --git a/ci/docker-compose.yml b/ci/docker-compose.yml
@@ -12,7 +12,7 @@ services:
     image: postgres:9.3
 
   conjur:
-    image: cyberark/conjur:0.3.0-stable
+    image: cyberark/conjur
     command: server -a cucumber -f /empty.yml
     environment:
       CONJUR_ADMIN_PASSWORD: admin

diff --git a/ci/features/buildpackless.feature b/ci/features/buildpackless.feature
@@ -3,7 +3,9 @@ Feature: profile d scripts without the buildpack
 
   @BUILD_DIR
   Scenario: Populates environment with secrets from Conjur
-    Given the compile script is run against the app's root folder
+    Given the build directory has a secrets.yml file
+    And VCAP_SERVICES contains cyberark-conjur credentials
+    And the supply script is run against the app's root folder
     And conjur-env is installed
     And a root policy:
     """
@@ -26,7 +28,7 @@ Feature: profile d scripts without the buildpack
     CONJUR_MULTI_LINE_SECRET: !var conjur_multi_line_secret_id
     LITERAL_SECRET: some literal secret
     """
-    When the .profile.d scripts are sourced
+    When the retrieve secrets .profile.d script is sourced
     And the 'env' command is run
     Then the environment contains
     """

diff --git a/ci/features/compile.feature b/ci/features/compile.feature
diff --git a/ci/features/decorate.feature b/ci/features/decorate.feature
diff --git a/ci/features/detect.feature b/ci/features/detect.feature
diff --git a/ci/features/profile_d.feature b/ci/features/profile_d.feature
@@ -3,7 +3,9 @@ Feature: profile d script
 
   @BUILD_DIR
   Scenario: Populates environment with secrets from Conjur
-    Given the 'compile' script is run
+    Given the build directory has a secrets.yml file
+    And VCAP_SERVICES contains cyberark-conjur credentials
+    And the supply script is run against the app's root folder
     And conjur-env is installed
     And a root policy:
     """

diff --git a/ci/features/step_definitions/common_steps.rb b/ci/features/step_definitions/common_steps.rb
@@ -22,13 +22,9 @@
   f.unlink
 end
 
-Given(/^the '([^"]*)' script is run$/) do |script|
-  step "the '#{ENV['BUILDPACK_BUILD_DIR']}/bin/#{script} #{@BUILD_DIR}' command is run"
-end
-
-Given(/^the compile script is run against the app's root folder$/) do
+Given(/^the supply script is run against the app's root folder$/) do
   step "the following command is run:", <<EOS
-#{ENV['BUILDPACK_BUILD_DIR']}/bin/compile #{@BUILD_DIR}
+#{ENV['BUILDPACK_BUILD_DIR']}/bin/supply #{@BUILD_DIR} #{@CACHE_DIR} #{@DEPS_DIR} #{@INDEX_DIR}
 EOS
 end
 

diff --git a/ci/features/step_definitions/profile_d_steps.rb b/ci/features/step_definitions/profile_d_steps.rb
@@ -1,17 +1,10 @@
 When(/^the retrieve secrets \.profile\.d script is sourced$/) do
   @commands ||= []
   @commands << <<EOL
-. #{@BUILD_DIR}/.profile.d/0001_retrieve-secrets.sh #{@BUILD_DIR}
+HOME=#{@BUILD_DIR} DEPS_DIR=#{@DEPS_DIR} . #{@DEPS_DIR}/#{@INDEX_DIR}/.profile.d/0001_retrieve-secrets.sh
 EOL
 end
 
 Then(/^the environment contains$/) do |text|
   expect(@output).to include(text)
 end
-
-When(/^the \.profile\.d scripts are sourced$/) do
-  @commands ||= []
-  @commands << <<EOL
-. #{@BUILD_DIR}/.profile.d/0001_retrieve-secrets.sh #{@BUILD_DIR}
-EOL
-end
diff --git a/...eatures/step_definitions/compile_steps.rb → ci/features/step_definitions/supply_steps.rb b/...eatures/step_definitions/compile_steps.rb → ci/features/step_definitions/supply_steps.rb
@@ -4,5 +4,5 @@
 end
 
 Then(/^the retrieve secrets \.profile\.d script is installed$/) do
-  expect(File.exist?("#{@BUILD_DIR}/.profile.d/0001_retrieve-secrets.sh")).to be_truthy
+  expect(File.exist?("#{@DEPS_DIR}/#{@INDEX_DIR}/.profile.d/0001_retrieve-secrets.sh")).to be_truthy
 end
diff --git a/ci/features/supply.feature b/ci/features/supply.feature
@@ -0,0 +1,23 @@
+Feature: Supply script
+  Supply script installs conjur-env and .profile.d script
+
+  @BUILD_DIR
+  Scenario: Successfully installs conjur-env and .profile.d scripts
+    Given the build directory has a secrets.yml file
+    And VCAP_SERVICES contains cyberark-conjur credentials
+    When the supply script is run against the app's root folder
+    Then the result should have a 0 exit status
+    And conjur-env is installed
+    And the retrieve secrets .profile.d script is installed
+
+  @BUILD_DIR
+  Scenario: When the app does not have a secrets.yml file
+    When the supply script is run against the app's root folder
+    Then the result should have a 1 exit status
+
+  @BUILD_DIR
+  Scenario: When VCAP_SERVICES does not have Conjur credentials
+    Given the build directory has a secrets.yml file
+    And VCAP_SERVICES does not have a cyberark-conjur key
+    When the supply script is run against the app's root folder
+    Then the result should have a 1 exit status
diff --git a/ci/features/support/env.rb b/ci/features/support/env.rb
@@ -13,11 +13,18 @@
 
 Before('@BUILD_DIR') do
   @BUILD_DIR = Dir.mktmpdir
-  @VENDOR_DIR = "#{@BUILD_DIR}/vendor"
+  @CACHE_DIR = Dir.mktmpdir
+  @DEPS_DIR = Dir.mktmpdir
+  @INDEX_DIR = "1"
+
+  Dir.mkdir(File.join(@DEPS_DIR, @INDEX_DIR), 0700)
+  @VENDOR_DIR = "#{@DEPS_DIR}/#{@INDEX_DIR}/vendor"
 end
 
 After('@BUILD_DIR') do
   FileUtils.remove_entry_secure @BUILD_DIR
+  FileUtils.remove_entry_secure @CACHE_DIR
+  FileUtils.remove_entry_secure @DEPS_DIR
 end
 
 def reset_root_policy

diff --git a/lib/0001_retrieve-secrets.sh b/lib/0001_retrieve-secrets.sh
@@ -25,16 +25,17 @@ trap 'err_report $LINENO' ERR
 #}
 #'
 
-# making sure that no tracing takes place, we're dealing with secrets here :)
+# Prevent tracing to ensures secrets won't be leaked.
 declare xtrace=""
 case $- in
   (*x*) xtrace="xtrace";;
 esac
 set +x
 
-# inject secrets into environment
-pushd $1
-  eval "$(./vendor/conjur-env)"
+# $HOME points to the app directory, which should contains a secrets.yml file.
+pushd $HOME
+  # __BUILDPACK_INDEX__ is replaced by sed in the 'supply' script.
+  eval "$($DEPS_DIR/__BUILDPACK_INDEX__/vendor/conjur-env)"
 popd
 
 [ ! -z "$xtrace" ] && set -x