conjur-cli 4.25.2 → 4.26.0

data/lib/conjur/command/variables.rb

@@ -22,15 +22,15 @@ class Conjur::Command::Variables < Conjur::Command
   desc "Manage variables"
   command :variable do |var|
     var.desc "Create and store a variable"
-    var.arg_name "id [value]"
+    var.arg_name "NAME VALUE"
     var.command :create do |c|
-      c.arg_name "mime_type"
+      c.arg_name "MIME-TYPE"
       c.flag [:m, :"mime-type"], default_value: 'text/plain'
 
-      c.arg_name "kind"
+      c.arg_name "KIND"
       c.flag [:k, :"kind"], default_value: 'secret'
 
-      c.arg_name "value"
+      c.arg_name "VALUE"
       c.desc "Initial value, which may also be specified as the second command argument after the variable id"
       c.flag [:v, :"value"]
 
@@ -91,21 +91,21 @@ class Conjur::Command::Variables < Conjur::Command
     end
 
     var.desc "Show a variable"
-    var.arg_name "id"
+    var.arg_name "VARIABLE"
     var.command :show do |c|
       c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'VARIABLE')
         display(api.variable(id), options)
       end
     end
 
     var.desc "Decommission a variable"
-    var.arg_name "id"
+    var.arg_name "VARIABLE"
     var.command :retire do |c|
       retire_options c
       
       c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'VARIABLE')
         
         variable = api.variable(id)
 
@@ -130,10 +130,10 @@ class Conjur::Command::Variables < Conjur::Command
     var.desc "Access variable values"
     var.command :values do |values|
       values.desc "Add a value"
-      values.arg_name "variable ( value | STDIN )"
+      values.arg_name "VARIABLE VALUE"
       values.command :add do |c|
         c.action do |global_options,options,args|
-          id = require_arg(args, 'variable')
+          id = require_arg(args, 'VARIABLE')
           value = args.shift || STDIN.read
 
           api.variable(id).add_value(value)
@@ -143,13 +143,13 @@ class Conjur::Command::Variables < Conjur::Command
     end
 
     var.desc "Get a value"
-    var.arg_name "variable"
+    var.arg_name "VARIABLE"
     var.command :value do |c|
       c.desc "Version number"
       c.flag [:v, :version]
 
       c.action do |global_options,options,args|
-        id = require_arg(args, 'variable')
+        id = require_arg(args, 'VARIABLE')
         $stdout.write api.variable(id).value(options[:version])
       end
     end

data/lib/conjur/complete.rb

@@ -0,0 +1,263 @@
+#
+# Copyright (C) 2015 Conjur Inc.
+#
+# Permission is hereby granted, free of charge, to any person
+# obtaining a copy of this software and associated documentation files
+# (the "Software"), to deal in the Software without restriction,
+# including without limitation the rights to use, copy, modify, merge,
+# publish, distribute, sublicense, and/or sell copies of the Software,
+# and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+require 'conjur/cli'
+require 'shellwords'
+
+# Class for generating `conjur` bash completions
+class Conjur::CLI::Complete
+  attr_reader :line, :words, :current_word_index, :commands,
+              :switch_words, :flag_words, :arg_words, :command_words
+  def initialize line, point=nil
+    @line = line
+    @words = tokenize_cmd @line
+    point ||= @line.length
+    @current_word_index=(tokenize_cmd @line.slice(0,point)).length-1
+    # fix arrays for empty "current word"
+    # ie "conjur group list "
+    if @line.match(/[ =]$/)
+      @words << ''
+      @current_word_index += 1
+    end
+    @commands,
+    @switch_words,
+    @flag_words,
+    @arg_words = parse_command @words, @current_word_index
+    @command_words = @commands
+                     .drop(1)
+                     .map(&:name)
+                     .map(&:to_s)
+                     .unshift('conjur')
+  end
+
+  def current_word offset=0
+    @words[@current_word_index + offset]
+  end
+
+  # Generate array of subcommands for which documentation is not hidden
+  #
+  # @param cmd [Conjur::CLI::Command] the command to search
+  # @return [Array] the subcommands
+  def subcommands cmd
+    cmd.commands.select do |_, c|
+      c.nodoc.nil?
+    end
+  end
+
+  # Generate array of symbols representing switches for +cmd+ and
+  # their aliases
+  #
+  # @param cmd [Conjur::CLI::Command] the command to search
+  # @return [Array] the symbols representing switches and their aliases
+  def switches cmd
+    cmd.switches.map { |_,switch|
+      [switch.name] + (switch.aliases or [])
+    }.flatten
+  end
+
+  # Split line according on spaces and after '='
+  #
+  # @param line [String] to split
+  # @return [Array] the substrings
+  def tokenize_cmd line
+    line.split(/ |(?<==)/)
+  end
+
+  def flag_to_sym flag
+    flag.match(/--?([^=]+)=?/)[1].to_sym
+  end
+
+  def parse_command words, current_word_index
+    command = Conjur::CLI
+    commands = [command]
+    switches = []
+    flags = []
+    arguments = []
+    index = 1
+    until index >= current_word_index do
+      word = words[index]
+      case classify_word word, command
+      when :switch
+        switches.push word
+      when :flag
+        flags.push [word, words[index+1]]
+        index += 1
+      when :subcommand
+        command = command.commands[word.to_sym]
+        commands.push command
+      when :argument
+        arguments.push word
+      end
+      index += 1
+    end
+    return commands, switches, flags, arguments
+  end
+
+  def classify_word word, command
+    if word.start_with? '-'
+      sym = flag_to_sym word
+      if switches(command).member? sym
+        :switch
+      else
+        :flag
+      end
+    else
+      if subcommands(command).has_key? word.to_sym
+        :subcommand
+      else
+        :argument
+      end
+    end
+  end
+
+  def complete kind
+    kind = kind.to_s.downcase.gsub(/[^a-z]/, '')
+    case kind
+    when 'resource'
+      complete_resource
+    when 'role'
+      complete_role
+    when 'file'
+      complete_file current_word
+    when 'hostname'
+      complete_hostname
+    else
+      complete_resource kind if [
+        'group',
+        'user',
+        'variable',
+        'host',
+        'layer',
+      ].member? kind
+    end or []
+  end
+
+  # generate completions for the switches and flags of a Conjur::CLI::Command
+  #
+  # @param cmd [Conjur::CLI::Command] command for which to search for flags
+  #   and switches
+  # @return [Array] completion words
+  def complete_flags cmd
+    cmd.flags.values.map do |flag|
+      candidates = [flag.name]
+      candidates += flag.aliases if flag.aliases
+      candidates.map do |c|
+        "-#{'-' if c.length > 1}#{c}#{'=' if c.length > 1}"
+      end
+    end + cmd.switches.values.map do |switch|
+      candidates = [switch.name]
+      candidates += switch.aliases if switch.aliases
+      candidates.map do |c|
+        "-#{'-' if c.length > 1}#{c}"
+      end
+    end
+  end
+
+  def complete_args cmd, prev, num_args
+    kind=nil
+    if prev.start_with? '-'
+      flag_name=flag_to_sym prev
+      flag = cmd.flags[flag_name]
+      desc = flag.argument_name if defined? flag.argument_name
+      kind = desc.to_s.downcase
+    else
+      desc = cmd.arguments_description if defined? cmd.arguments_description
+      kind = desc.to_s.downcase.split[num_args-1]
+    end
+    complete kind
+  end
+
+  def complete_resource resource_kind=nil
+    Conjur::Command.api.resources({kind: resource_kind})
+      .map do |r|
+      res = Resource.new r.attributes['id']
+      if resource_kind
+        res.name
+      else
+        res.to_s
+      end
+    end
+  end
+
+  def complete_role
+    Conjur::Command.api.current_role.all
+      .map { |r| Resource.new(r.roleid) }
+      .reject { |r| r.kind.start_with? '@' }
+      .map(&:to_s)
+  end
+
+  def complete_file word
+    # use Bash's file completion for compatibility
+    `bash -c "compgen -f #{word}"`.shellsplit
+  end
+
+  def complete_hostname
+    `bash -c "compgen -A hostname"`.shellsplit
+  end
+
+  def completions
+    prev = current_word(-1)
+    if current_word.start_with? '-'
+      complete_flags @commands.last
+    else
+      (subcommands @commands.last).keys.map(&:to_s) +
+        (complete_args @commands.last, prev, @arg_words.length)
+    end.flatten
+      .select do |candidate|
+      candidate.start_with? current_word.sub('\:',':') end
+      .map do |candidate|
+      # if the current word is colon separated, strip its complete tokens
+      # eg. for --as-role=user:ryanprior, we're actually only completing 'ryanprior'
+      # because bash treats 'user' as a separate word
+      non_escaped_colon_regex = /(?<!\\):/
+      num_tokens = current_word.split(non_escaped_colon_regex).length
+      if num_tokens > 1
+        candidate = candidate
+                    .split(non_escaped_colon_regex)
+                    .drop(num_tokens-1)
+                    .join(':')
+      end
+      "#{candidate}#{' ' if not candidate.end_with? '='}" end
+  end
+  public :current_word, :completions
+end
+
+class Conjur::CLI::Complete::Resource
+  attr_reader :account, :kind, :name
+  attr_accessor :include_account
+  def initialize resource_string, include_account=false
+    @include_account = include_account
+    fields = resource_string.split ':'
+    raise ArgumentError.new "too many fields (#{resource_string})" if fields.length > 3
+    fields.unshift nil while fields.length < 3
+    @account, @kind, @name = fields
+  end
+
+  def to_ary
+    [(@account if @include_account), @kind, @name].reject { |a| a.nil? }
+  end
+
+  def to_s
+    to_ary.join ':'
+  end
+end

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.25.2"
+  VERSION = "4.26.0"
   ::Version=VERSION
 end

data/spec/command/audit_spec.rb

@@ -312,6 +312,25 @@ describe Conjur::Command::Audit, logged_in: true do
           expect { invoke }.to write(" created role super:user")
         end
       end
+
+      describe 'audit of ssh:sudo' do
+        let(:ssh_event) { default_audit_event.merge('kind' => 'audit', 'facility' => 'ssh',  'action' => 'sudo', 'command' => '/bin/ls', 'system_user' => 'test_user', 'target_user' => 'root') }
+        context 'when sudo successful' do
+          let(:test_event) { ssh_event.merge('allowed' => true) }
+          it 'prints <user> ran <command>' do
+            expect { invoke }.to write(" test_user ran '/bin/ls' as root")
+          end
+        end
+
+        context 'when sudo fails' do
+          let(:test_event) { ssh_event.merge('allowed' => false) }
+          
+          it 'prints <user> attempted to run <command>' do
+            expect { invoke }.to write(" test_user attempted to run '/bin/ls' as root")
+          end
+        end
+      end
+        
     end
   end
 

data/spec/complete_spec.rb

@@ -0,0 +1,265 @@
+require 'spec_helper'
+
+describe Conjur::CLI::Complete do
+  def expects_completions_for string, point=nil
+    expect(described_class.new("conjur #{string}",point)
+            .completions
+            .map { |c| c.chomp ' ' })
+  end
+
+  describe 'conjur bash completion' do
+    describe 'for conjur subcommands beginning' do
+
+      before(:each) { expect(Conjur::Command).not_to receive :api }
+
+      context 'with "conjur gr"' do
+        it { expects_completions_for('gr').to include 'group' }
+      end
+
+      context 'with "conjur group"' do
+        it { expects_completions_for('group').to contain_exactly 'group' }
+      end
+
+      context 'with "conjur p"' do
+        it { expects_completions_for('p').to include 'plugin',
+                                                     'policy',
+                                                     'pubkeys' }
+      end
+
+      context 'with "conjur host l"' do
+        it { expects_completions_for('host l').to include 'layers',
+                                                          'list' }
+      end
+
+      context 'with "conjur policy"' do
+        it { expects_completions_for('policy ').to include 'load' }
+      end
+    end
+
+    describe 'for deprecated subcommands such as `conjur field`' do
+      it { expects_completions_for('fi').not_to include 'field' }
+    end
+
+    describe 'for command flags beginning' do
+
+      before(:each) { expect(Conjur::Command).not_to receive :api }
+
+      context 'conjur -' do
+        it { expects_completions_for('-').to include '--version' }
+      end
+
+      context 'conjur role memberships -' do
+        it { expects_completions_for('role memberships -')
+             .to include '-s', '--system'}
+      end
+
+      context 'conjur audit all -' do
+        it { expects_completions_for('audit all -s -')
+             .to include '-f', '--follow', '-l', '--limit=',
+                         '-o', '--offset=', '-s', '--short' }
+      end
+
+      context 'conjur layer create --as-' do
+        it { expects_completions_for('layer create --as-')
+             .to include '--as-role=' }
+      end
+
+      context 'conjur group create --as-role' do
+        it { expects_completions_for('layer create --as-role')
+             .to contain_exactly '--as-role=' }
+      end
+    end
+
+    describe 'for arguments' do
+
+      let (:api) { double('api') }
+      before(:each) {
+        expect(Conjur::Command).to receive(:api).at_least(:once).and_return api
+      }
+
+      describe 'expecting a resource' do
+
+        let (:users) { ['Tweedledum', 'Tweedledee'] }
+        let (:groups) { ['sharks', 'jets'] }
+        let (:layers) { ['limbo', 'lust', 'gluttony', 'greed',
+                           'anger', 'heresy', 'violence', 'fraud',
+                           'treachery'] }
+        let (:variables) { ['id/superman', 'id/batman', 'id/spiderman'] }
+        let (:hosts) { ['skynet', 'hal9000', 'deep-thought'] }
+
+
+        def mock_resources
+          fake_results = yield.map { |result|
+            double('resource', :attributes => { 'id' => result })
+          }
+          expect(Conjur::Command.api).to receive(:resources)
+                                          .once.and_return fake_results
+        end
+
+        context 'with kind "user"' do
+          before(:each) { mock_resources { users.map { |user| "user:#{user}" }}}
+          it { expects_completions_for('user show ')
+               .to contain_exactly(*users) }
+        end
+
+        context 'with kind "group"' do
+          before(:each) {
+            mock_resources { groups.map { |group| "group:#{group}" }}
+          }
+          context 'for a command' do
+            it { expects_completions_for('group show ')
+                 .to contain_exactly(*groups) }
+          end
+          context 'for a flag' do
+            it { expects_completions_for('group create --as-group=')
+                 .to contain_exactly(*groups) }
+          end
+        end
+
+        context 'with kind "layer"' do
+          before(:each) {
+            mock_resources { layers.map { |layer| "layer:#{layer}" }}
+          }
+          it { expects_completions_for('layer show ')
+               .to contain_exactly(*layers) }
+        end
+
+        context 'with kind "variable"' do
+          before(:each) {
+            mock_resources { variables.map { |variable| "variable:#{variable}" }}
+          }
+          it { expects_completions_for('variable show ')
+               .to contain_exactly(*variables) }
+        end
+
+        context 'with kind "host"' do
+          before(:each) {
+            mock_resources { hosts.map { |host| "host:#{host}" }}
+          }
+          it { expects_completions_for('host show ')
+               .to contain_exactly(*hosts)
+          }
+        end
+
+        context 'without kind specified' do
+          let (:resources) { (users+groups+layers+variables+hosts)
+                             .map { |res| "arbitrarykind:#{res}" }}
+          before(:each) { mock_resources { resources }}
+          it 'should show all resources with their reported kinds' do
+            expects_completions_for('resource show ')
+               .to contain_exactly(*resources)
+          end
+        end
+      end
+
+      describe 'expecting a role' do
+        let (:roles) { ['layer:population/tire',
+                        'host:bubs-4k',
+                        'user:strongbad',
+                        'user:strongsad',
+                        'user:strongmad']}
+        before(:each) {
+          role_doubles = roles.map { |role| double('role', :roleid => role) }
+          expect(api).to receive(:current_role).once
+                          .and_return double('current_role', :all => role_doubles)
+        }
+        it { expects_completions_for('role memberships ')
+             .to contain_exactly(*roles) }
+        it 'completes colon separated values per-token' do
+          expects_completions_for('layer list --role=host:b')
+            .to contain_exactly 'bubs-4k'
+        end
+        it 'recognizes shell-escaped colons' do
+          expects_completions_for('role members layer\:pop')
+            .to contain_exactly 'layer:population/tire'
+        end
+      end
+    end
+
+    describe 'completes mid-line' do
+      it 'completes a subcommand not at the end of a line' do
+        expect(described_class.new('conjur gr create dwarves/7', 9).completions)
+          .to include 'group '
+      end
+      it 'tolerates garbage flags and arguments' do
+        expect(described_class.new('conjur omg --lol wat pu').completions)
+          .to include 'pubkeys '
+        end
+    end
+  end
+end
+
+describe Conjur::CLI::Complete::Resource do
+  describe 'splits resource ids' do
+    describe '#initialize(resource_string)' do
+      describe 'accepts long or brief ids' do
+        context 'gratuitous id (4+ tokens)' do
+          it 'raises an ArgumentError' do
+            expect {
+              described_class.new '1:2:3:4'
+            }.to raise_error ArgumentError
+          end
+        end
+        context 'long id (3 tokens)' do
+          it 'stores all 3 tokens' do
+            dummy_string = 'acct:kind:name'
+            dummy = described_class.new dummy_string
+            expect(dummy.account).to eq 'acct'
+            expect(dummy.kind).to eq 'kind'
+            expect(dummy.name).to eq 'name'
+          end
+        end
+        context 'brief id (2 tokens)' do
+          it 'stores tokens in kind and name' do
+            dummy = described_class.new 'kind:name'
+            expect(dummy.account).to eq nil
+            expect(dummy.kind).to eq 'kind'
+            expect(dummy.name).to eq 'name'
+          end
+        end
+        context 'tiny id (1 token)' do
+          it 'stores token in name' do
+            dummy = described_class.new 'name'
+            expect(dummy.account).to eq nil
+            expect(dummy.kind).to eq nil
+            expect(dummy.name).to eq 'name'
+          end
+        end
+      end
+      it 'hides the account by default' do
+        expect(described_class.new('a:b:c').include_account).to eq false
+        expect(described_class.new('a:b:c', true).include_account).to eq true
+      end
+    end
+
+    describe '#to_ary' do
+      context 'account not important' do
+        it 'hides account when converting to array' do
+          dummy = described_class.new 'a:b:c'
+          expect(dummy.to_ary).to eq ['b','c']
+        end
+      end
+      context 'account is important' do
+        it 'includes account when converting to array' do
+          dummy = described_class.new 'a:b:c', true
+          expect(dummy.to_ary).to eq ['a','b','c']
+        end
+      end
+    end
+
+    describe '#to_s' do
+      context 'account not important' do
+        it 'hides account when converting to string' do
+          dummy = described_class.new 'test:user:admin'
+          expect(dummy.to_s).to eq 'user:admin'
+        end
+      end
+      context 'account is important' do
+        it 'includes account when converting to string' do
+          dummy = described_class.new 'test:user:admin', true
+          expect(dummy.to_s).to eq 'test:user:admin'
+        end
+      end
+    end
+  end
+end