conjur-cli 2.6.0 → 4.1.0

data/lib/conjur/command/ids.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 require 'conjur/command'
 
 class Conjur::Command::Id < Conjur::Command

data/lib/conjur/command/resources.rb

@@ -1,19 +1,38 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 require 'conjur/authn'
 require 'conjur/resource'
 require 'conjur/command'
 
 class Conjur::Command::Resources < Conjur::Command
   self.prefix = :resource
-  
+
   desc "Create a new resource"
-  arg_name "kind resource-id"
+  arg_name "resource-id"
   command :create do |c|
     acting_as_option(c)
     
     c.action do |global_options,options,args|
-      kind = require_arg(args, "kind")
-      id = require_arg(args, "resource-id")
-      resource = api.resource([ conjur_account, kind, id ].join(':'))
+      id = full_resource_id( require_arg(args, "resource-id") )
+      resource = api.resource(id)
 
       if ownerid = options.delete(:ownerid)
         options[:acting_as] = ownerid
@@ -25,48 +44,43 @@ class Conjur::Command::Resources < Conjur::Command
   end
   
   desc "Show a resource"
-  arg_name "kind resource-id"
+  arg_name "resource-id"
   command :show do |c|
     c.action do |global_options,options,args|
-      kind = require_arg(args, "kind")
-      id = require_arg(args, "resource-id")
-      display api.resource([ conjur_account, kind, id ].join(':')).attributes
+      id = full_resource_id( require_arg(args, "resource-id") )
+      display api.resource(id).attributes
     end
   end
   
   desc "Determines whether a resource exists"
-  arg_name "kind resource-id"
+  arg_name "resource-id"
   command :exists do |c|
     c.action do |global_options,options,args|
-      kind = require_arg(args, "kind")
-      id = require_arg(args, "resource-id")
-      resource = api.resource([ conjur_account, kind, id ].join(':'))
-      puts resource.exists?
+      id = full_resource_id( require_arg(args, "resource-id") )
+      puts api.resource(id).exists?
     end
   end
 
-  desc "Grant a privilege on a resource"
-  arg_name "kind resource-id role privilege"
+  desc "Give a privilege on a resource"
+  arg_name "resource-id role privilege"
   command :permit do |c|
     c.action do |global_options,options,args|
-      kind = require_arg(args, "kind")
-      id = require_arg(args, "resource-id")
+      id = full_resource_id( require_arg(args, "resource-id") )
       role = require_arg(args, "role")
       privilege = require_arg(args, "privilege")
-      api.resource([ conjur_account, kind, id ].join(':')).permit privilege, role
+      api.resource(id).permit privilege, role
       puts "Permission granted"
     end
   end
 
-  desc "Revoke a privilege on a resource"
-  arg_name "kind resource-id role privilege"
+  desc "Deny a privilege on a resource"
+  arg_name "resource-id role privilege"
   command :deny do |c|
     c.action do |global_options,options,args|
-      kind = require_arg(args, "kind")
-      id = require_arg(args, "resource-id")
+      id = full_resource_id( require_arg(args, "resource-id") )
       role = require_arg(args, "role")
       privilege = require_arg(args, "privilege")
-      api.resource([ conjur_account, kind, id ].join(':')).deny privilege, role
+      api.resource(id).deny privilege, role
       puts "Permission revoked"
     end
   end
@@ -78,44 +92,41 @@ class Conjur::Command::Resources < Conjur::Command
   When the role argument is used, either the logged-in user must either own the specified
   resource or be an admin of the specified role (i.e. be granted the specified role with grant option).
   """
-  arg_name "kind resource-id privilege"
+  arg_name "resource-id privilege"
   command :check do |c|
     c.desc "Role to check. By default, the current logged-in role is used"
     c.flag [:r,:role]
 
     c.action do |global_options,options,args|
-      kind = args.shift or raise "Missing parameter: resource-kind"
-      resource_id = args.shift or raise "Missing parameter: resource-id"
+      id = full_resource_id( require_arg(args, "resource-id") )
       privilege = args.shift or raise "Missing parameter: privilege"
       if role = options[:role]
         role = api.role(role)
-        puts role.permitted? kind, resource_id, privilege
+        puts role.permitted? id, privilege
       else
-        puts api.resource([ conjur_account, kind, resource_id ].join(':')).permitted? privilege
+        puts api.resource(id).permitted? privilege
       end
     end
   end
 
   desc "Grant ownership on a resource to a new owner"
-  arg_name "kind resource-id owner"
+  arg_name "resource-id owner"
   command :give do |c|
     c.action do |global_options,options,args|
-      kind = require_arg(args, "kind")
-      id = require_arg(args, "resource-id")
+      id = full_resource_id( require_arg(args, "resource-id") )
       owner = require_arg(args, "owner")
-      api.resource([ conjur_account, kind, id ].join(':')).give_to owner
+      api.resource(id).give_to owner
       puts "Ownership granted"
     end
   end
 
-  desc "List roles with a specified permission on a resource"
-  arg_name "kind resource-id permission"
+  desc "List roles with a specified permission on the resource"
+  arg_name "resource-id permission"
   command :permitted_roles do |c|
     c.action do |global_options,options,args|
-      kind = require_arg(args, "kind")
-      id = require_arg(args, "resource-id")
+      id = full_resource_id( require_arg(args, "resource-id") )
       permission = require_arg(args, "permission")
-      display api.resource([ conjur_account, kind, id ].join(':')).permitted_roles(permission)
+      display api.resource(id).permitted_roles(permission)
     end
   end
-end
+end

data/lib/conjur/command/roles.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 require 'conjur/authn'
 require 'conjur/command'
 
@@ -91,4 +111,4 @@ class Conjur::Command::Roles < Conjur::Command
       puts "Role revoked"
     end
   end
-end
+end

data/lib/conjur/command/secrets.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 require 'conjur/authn'
 require 'conjur/command'
 
@@ -23,4 +43,4 @@ class Conjur::Command::Secrets < Conjur::Command
       puts api.secret(id).value
     end
   end
-end
+end

data/lib/conjur/command/users.rb

@@ -1,13 +1,47 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/api/authn'
 require 'conjur/authn'
 require 'conjur/command'
 
 class Conjur::Command::Users < Conjur::Command
   self.prefix = :user
   
+  def self.prompt_for_password
+    # use stderr to allow output redirection, e.g.
+    # conjur user:create -p username > user.json
+    hl = HighLine.new($stdin, $stderr)
+
+    password = hl.ask("Enter the password (it will not be echoed): "){ |q| q.echo = false }
+    confirmation = hl.ask("Confirm the password: "){ |q| q.echo = false }
+    
+    raise "Password does not match confirmation" unless password == confirmation
+    
+    password
+  end
+  
   desc "Create a new user"
   arg_name "login"
   command :create do |c|
-    c.desc "Prompt for a password for the user"
+    c.desc "Prompt for a password for the user (default: --no-password)"
     c.switch [:p,:password]
     
     acting_as_option(c)
@@ -16,21 +50,25 @@ class Conjur::Command::Users < Conjur::Command
       login = require_arg(args, 'login')
       
       opts = options.slice(:ownerid)
-      if options[:p]
-
-        # use stderr to allow output redirection, e.g.
-        # conjur user:create -p username > user.json
-        hl = HighLine.new($stdin, $stderr)
 
-        password = hl.ask("Enter the password (it will not be echoed): "){ |q| q.echo = false }
-        confirmation = hl.ask("Confirm the password: "){ |q| q.echo = false }
-        
-        raise "Password does not match confirmation" unless password == confirmation
-        
-        opts[:password] = password
+      if options[:p]
+        opts[:password] = prompt_for_password
       end
       
       display api.create_user(login, opts)
     end
   end
+
+  desc "Update the password of the logged-in user"
+  command :update_password do |c|
+    c.desc "Password to use, otherwise you will be prompted"
+    c.flag [:p,:password]
+
+    c.action do |global_options,options,args|
+      username, password = Conjur::Authn.read_credentials
+      new_password = options[:password] || prompt_for_password
+      
+      Conjur::API.update_password username, password, new_password
+    end
+  end
 end

data/lib/conjur/command/variables.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 require 'conjur/authn'
 require 'conjur/command'
 
@@ -62,4 +82,4 @@ class Conjur::Command::Variables < Conjur::Command
       $stdout.write api.variable(id).value(options[:version])
     end
   end
-end
+end

data/lib/conjur/config.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 module Conjur
   class Config
     @@attributes = {}

data/lib/conjur/version.rb

@@ -1,3 +1,23 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 module Conjur
-  VERSION = "2.6.0"
+  VERSION = "4.1.0"
 end

data/spec/command/assets_spec.rb

@@ -0,0 +1,137 @@
+require 'spec_helper'
+
+describe Conjur::Command::Assets, logged_in: true do
+
+  let(:asset) {  double(attributes: asset_attributes ) }
+  let(:asset_attributes) { {"some"=>"attributes" } }
+  before(:each) { api.stub(KIND.to_sym).and_return(asset) }
+  def invoke_silently
+    expect { invoke }.to write
+  end
+
+  context "asset:create" do
+    before(:each) { 
+      api.stub(:method).with("create_#{KIND}").and_return(double(arity:1))
+      api.stub("create_#{KIND}".to_sym).and_return(asset)
+    }
+    describe_command "asset:create #{KIND}:#{ID}" do
+      it "calls api.create_#{KIND}(id:#{ID})" do
+        api.should_receive("create_#{KIND}".to_sym).with(id: ID)
+        invoke_silently
+      end
+      it "writes JSONised attributes to stdout" do
+        JSON.parse( expect { invoke }.to write ).should == asset_attributes
+      end
+    end
+    describe_command "asset:create #{KIND}" do
+      it "calls api.create_#{KIND}({})" do
+        api.should_receive("create_#{KIND}".to_sym).with({})
+        invoke_silently
+      end
+      it "writes JSONised attributes to stdout" do
+        JSON.parse( expect { invoke }.to write ).should == asset_attributes
+      end
+    end
+  end
+
+  describe_command "asset:show #{KIND}:#{ID}" do
+    it "obtains asset instance as api.#{KIND}(#{ID})" do
+      api.should_receive(KIND.to_sym).with(ID)
+      invoke_silently
+    end
+    it "writes JSONised attributes to stdout" do
+      JSON.parse( expect { invoke }.to write ).should == asset_attributes
+    end
+  end
+
+  describe_command "asset:exists #{KIND}:#{ID}" do
+    let(:exists_response) { "exists? response" }
+    before(:each) { asset.stub(:exists?).and_return(exists_response) }
+    it "obtains asset instance as api.#{KIND}(#{ID})" do
+      api.should_receive(KIND.to_sym).with(ID)
+      invoke_silently
+    end
+    it "calls asset.exists?" do
+      asset.should_receive(:exists?)
+      invoke_silently
+    end
+    it "writes response to stdout" do
+      expect { invoke }.to write exists_response
+    end
+  end
+
+  describe_command "asset:list #{KIND}" do
+    let(:assets_names) { %W[klaatu barada nikto] }
+    let(:assets_list) { 
+      assets_names.map { |x| 
+        double(attributes: { "id" => x } )
+      }
+    }
+    before(:each) { api.stub("#{KIND}s".to_sym).and_return(assets_list) }
+
+    it "calls api.#{KIND}s" do
+      api.should_receive("#{KIND}s".to_sym)
+      invoke_silently
+    end
+    it "for each asset from response displays it's attributes" do
+      expect { invoke }.to write assets_names.
+                                  map { |x| 
+                                    JSON.pretty_generate(id:x)
+                                  }.join("\n")
+    end
+  end
+
+  shared_examples 'it obtains role via asset' do
+    it "obtains asset instance as api.#{KIND}(#{ID})" do
+      api.should_receive(KIND.to_sym).with(ID)
+      invoke_silently
+    end
+    it "account=asset.core_conjur_account" do
+      asset.should_receive(:core_conjur_account)
+      invoke_silently
+    end
+    it "kind=asset.resource_kind" do
+      asset.should_receive(:resource_kind)
+      invoke_silently
+    end
+    it "id=asset.resource_id" do
+      asset.should_receive(:resource_id)
+      invoke_silently
+    end
+
+    it "obtains role as #{ACCOUNT}:@:#{KIND}/#{ID}/#{ROLE}" do
+      api.should_receive(:role).with("#{ACCOUNT}:@:#{KIND}/#{ID}/#{ROLE}")
+      invoke_silently
+    end
+  end
+
+  shared_context "asset with role" do
+    before(:each) {
+      asset.stub(:core_conjur_account).and_return(ACCOUNT)
+      asset.stub(:resource_kind).and_return(KIND)
+      asset.stub(:resource_id).and_return(ID)
+      api.stub(:role).and_return(role_instance)
+    }
+    let(:role_instance) { double(grant_to: true, revoke_from: true) }
+  end
+
+  describe_command "asset:members:add #{KIND}:#{ID} #{ROLE} #{MEMBER}" do
+    include_context "asset with role"
+    it_behaves_like "it obtains role via asset"
+    it 'calls role.grant_to(member,...)' do
+      role_instance.should_receive(:grant_to).with(MEMBER, anything)
+      invoke_silently
+    end
+    it { expect { invoke }.to write "Membership granted" }
+  end
+  
+  describe_command "asset:members:remove #{KIND}:#{ID} #{ROLE} #{MEMBER}" do
+    include_context "asset with role"
+    it_behaves_like "it obtains role via asset"
+    it 'calls role.revoke_from(member)' do
+      role_instance.should_receive(:revoke_from).with(MEMBER)
+      invoke_silently
+    end
+    it { expect { invoke }.to write "Membership revoked" }
+  end
+end