conjur-cli 4.28.2 → 4.29.0

data/build-deb.sh

@@ -0,0 +1,19 @@
+#!/bin/bash -ex
+
+export DEBUG=true 
+export GLI_DEBUG=true 
+
+# Make sure Gemfile.lock exists
+gem install -N bundler
+bundle
+
+debify clean
+
+debify package \
+	--dockerfile ci/Dockerfile.fpm \
+	cli \
+	-- \
+	--depends ruby2.0
+
+debify test -t 4.6-stable cli ci/test.sh
+

data/ci/test.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+conjur_cid="$1"
+
+cat << TEST | docker exec -i $conjur_cid bash
+#!/bin/bash -ex
+
+cd /src/cli
+
+unset CONJUR_AUTHN_LOGIN
+
+bundle exec rake jenkins || true
+
+env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY=secret bundle exec cucumber -r acceptance-features/support \
+	-r acceptance-features/step_definitions \
+	-f pretty \
+	-f junit --out acceptance-features/reports \
+	acceptance-features || true
+TEST

data/conjur.gemspec

@@ -16,26 +16,23 @@ Gem::Specification.new do |gem|
   gem.version       = Conjur::VERSION
 
 
-  gem.add_dependency 'activesupport'
-  gem.add_dependency 'conjur-api', '~> 4.19'
+  gem.add_dependency 'activesupport', '~> 4.2'
+  gem.add_dependency 'conjur-api', '~> 4.20'
   gem.add_dependency 'gli', '>=2.8.0'
-  gem.add_dependency 'highline'
+  gem.add_dependency 'highline', '~> 1.7'
   gem.add_dependency 'netrc', '~> 0.10.2'
-  gem.add_dependency 'methadone'
-  gem.add_dependency 'deep_merge'
-  gem.add_dependency 'xdg'
+  gem.add_dependency 'methadone', '~> 1.9'
+  gem.add_dependency 'deep_merge', '~> 1.0'
+  gem.add_dependency 'xdg', '~> 2.2'
 
-  gem.add_runtime_dependency 'cas_rest_client'
+  gem.add_runtime_dependency 'cas_rest_client', '~> 1.3'
 
   gem.add_development_dependency 'rspec', '~> 3.0'
   gem.add_development_dependency 'simplecov'
-  gem.add_development_dependency 'aruba', '~> 0.6.1'
+  gem.add_development_dependency 'aruba', '~> 0.12.0'
   gem.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
-  gem.add_development_dependency 'ci_reporter_cucumber'
+  gem.add_development_dependency 'ci_reporter_cucumber', '~> 1.0'
   gem.add_development_dependency 'rake', '~> 10.0'
   gem.add_development_dependency 'io-grab', '~> 0.0.1'
   gem.add_development_dependency 'json_spec'
-  # For cukes
-  gem.add_development_dependency 'conjur-asset-audit-send'
-  gem.add_development_dependency 'conjur-asset-host-factory'
 end

data/debify.sh

@@ -0,0 +1,4 @@
+#!/bin/bash -ex
+
+mkdir -p usr/local/bin
+cp -a opt/conjur/cli/distrib/bin/* usr/local/bin

data/distrib/bin/_conjur

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+conjur-plugin-service cli ./bin/_conjur "$@"

data/distrib/bin/conjur

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+conjur-plugin-service cli ./bin/conjur "$@"

data/distrib/bin/conjurize

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+conjur-plugin-service cli ./bin/conjurize "$@"

data/distrib/bin/jsonfield

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+conjur-plugin-service cli ./bin/jsonfield "$@"

data/features/conjurize.feature

@@ -11,22 +11,22 @@ Feature: conjurize program generates install scripts
 
   Scenario: Minimal conjurize script
     When I conjurize ""
-    Then the stdout should contain exactly:
+    Then the stdout should contain:
 """
 #!/bin/sh
 set -e
 
 # Implementation note: 'tee' is used as a sudo-friendly 'cat' to populate a file with the contents provided below.
 
-tee /etc/conjur.conf > /dev/null << CONJUR_CONF
+tee /etc/conjur.conf > /dev/null << EOF
 account: test
 appliance_url: https://conjur/api
 cert_file: /etc/conjur-test.pem
 netrc_path: /etc/conjur.identity
 plugins: []
-CONJUR_CONF
+EOF
 
-tee /etc/conjur-test.pem > /dev/null << CONJUR_CERT
+tee /etc/conjur-test.pem > /dev/null << EOF
 -----BEGIN CERTIFICATE-----
 MIIDZTCCAk2gAwIBAgIJAMzfPBZBq82XMA0GCSqGSIb3DQEBBQUAMDMxMTAvBgNV
 BAMTKGVjMi01NC04My05OS0xMzUuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20wHhcN
@@ -48,15 +48,15 @@ yvml0YdVSiMdTdIk58qG84pkmteSX9VYE1IF7xfWb3ji8292fm5q6cgqFLNYx2MI
 MVs0y+HobWbOKKhyfxpMT59dJxGu21QPbWfQLkHCCOlo2P4z9oku23sbvQQ7CbvS
 VoykXurdaZo9
 -----END CERTIFICATE-----
-CONJUR_CERT
+EOF
 
-tee /etc/conjur.identity > /dev/null << CONJUR_IDENTITY
+touch /etc/conjur.identity
+chmod 600 /etc/conjur.identity
+tee /etc/conjur.identity > /dev/null << EOF
 machine https://conjur/api/authn
-  login host/ec2/i-eaa5f700
-  password 3a4rb19rpjejr89h6r29kd2fb3808cpy
-CONJUR_IDENTITY
-chmod 0600 /etc/conjur.identity
-
+        login host/ec2/i-eaa5f700
+        password 3a4rb19rpjejr89h6r29kd2fb3808cpy
+EOF
 """
 
   Scenario: conjurize with SSH installation
@@ -68,15 +68,15 @@ set -e
 
 # Implementation note: 'tee' is used as a sudo-friendly 'cat' to populate a file with the contents provided below.
 
-tee /etc/conjur.conf > /dev/null << CONJUR_CONF
+tee /etc/conjur.conf > /dev/null << EOF
 account: test
 appliance_url: https://conjur/api
 cert_file: /etc/conjur-test.pem
 netrc_path: /etc/conjur.identity
 plugins: []
-CONJUR_CONF
+EOF
 
-tee /etc/conjur-test.pem > /dev/null << CONJUR_CERT
+tee /etc/conjur-test.pem > /dev/null << EOF
 -----BEGIN CERTIFICATE-----
 MIIDZTCCAk2gAwIBAgIJAMzfPBZBq82XMA0GCSqGSIb3DQEBBQUAMDMxMTAvBgNV
 BAMTKGVjMi01NC04My05OS0xMzUuY29tcHV0ZS0xLmFtYXpvbmF3cy5jb20wHhcN
@@ -98,17 +98,17 @@ yvml0YdVSiMdTdIk58qG84pkmteSX9VYE1IF7xfWb3ji8292fm5q6cgqFLNYx2MI
 MVs0y+HobWbOKKhyfxpMT59dJxGu21QPbWfQLkHCCOlo2P4z9oku23sbvQQ7CbvS
 VoykXurdaZo9
 -----END CERTIFICATE-----
-CONJUR_CERT
+EOF
 
-tee /etc/conjur.identity > /dev/null << CONJUR_IDENTITY
+touch /etc/conjur.identity
+chmod 600 /etc/conjur.identity
+tee /etc/conjur.identity > /dev/null << EOF
 machine https://conjur/api/authn
-  login host/ec2/i-eaa5f700
-  password 3a4rb19rpjejr89h6r29kd2fb3808cpy
-CONJUR_IDENTITY
-chmod 0600 /etc/conjur.identity
+        login host/ec2/i-eaa5f700
+        password 3a4rb19rpjejr89h6r29kd2fb3808cpy
+EOF
 
 curl -L https://www.opscode.com/chef/install.sh | bash
-
 """
     And the output should match:
     """
@@ -126,9 +126,9 @@ curl -L https://www.opscode.com/chef/install.sh | bash
 
   Scenario: conjurize with sudo-ized commands
     When I conjurize "--sudo --ssh"
-    Then the stdout should contain "sudo -n tee /etc/conjur.conf > /dev/null << CONJUR_CONF"
-    And the stdout should contain "sudo -n tee /etc/conjur-test.pem > /dev/null << CONJUR_CERT"
-    And the stdout should contain "sudo -n tee /etc/conjur.identity > /dev/null << CONJUR_IDENTITY"
-    And the stdout should contain "sudo -n chmod 0600 /etc/conjur.identity"
+    Then the stdout should contain "sudo -n tee /etc/conjur.conf > /dev/null << EOF"
+    And the stdout should contain "sudo -n tee /etc/conjur-test.pem > /dev/null << EOF"
+    And the stdout should contain "sudo -n tee /etc/conjur.identity > /dev/null << EOF"
+    And the stdout should contain "sudo -n chmod 600 /etc/conjur.identity"
     And the stdout should contain "curl -L https://www.opscode.com/chef/install.sh | sudo -n bash"
 

data/features/support/env.rb

@@ -4,5 +4,9 @@ require 'methadone/cucumber'
 require 'cucumber/rspec/doubles'
 require "json_spec/cucumber"
 
-
 SimpleCov.start
+
+Aruba.configure do |config|
+  config.exit_timeout    = 15
+  config.io_wait_timeout = 2
+end

data/features/support/hooks.rb

@@ -124,5 +124,4 @@ end
 Before('@real-api') do
   Conjur::Config.load
   Conjur::Config.apply
-  @aruba_timeout_seconds = 15
 end

data/jenkins.sh

@@ -1,5 +1,33 @@
-#!/bin/bash -e
+#!/bin/bash -ex
 
+# Constants
+RUBY_VERSION_DEFAULT="2.1.5"
+
+# Arguments
+RUBY_VERSION=${1-${RUBY_VERSION_DEFAULT}}
+
+# Script
+
+# Clones 'Dockerfile' and updates the Ruby version in FROM, returning the cloned file's path
+function dockerfile_path {
+    echo "Setting Ruby version as ${RUBY_VERSION}" >&2
+    cp "Dockerfile" "Dockerfile.${RUBY_VERSION}"
+    sed -i -e "s/${RUBY_VERSION_DEFAULT}/${RUBY_VERSION}/g" Dockerfile.${RUBY_VERSION}
+
+    echo "Dockerfile.${RUBY_VERSION}"
+}
+
+rm -f Gemfile.lock # Needed for bundle to work right
+
+IMAGE_NAME="cli-ruby:${RUBY_VERSION}" # The tag is the version of Ruby tested against
+
+docker build -t ${IMAGE_NAME} -f $(dockerfile_path) .
+
+docker run --rm \
+-v $PWD:/src \
+${IMAGE_NAME} \
+bash -c '''
 bundle update
 bundle exec rake jenkins
 bundle exec rake build
+'''

data/lib/conjur/cli.rb

@@ -49,6 +49,8 @@ module Conjur
   class CLI
     extend GLI::App
 
+    @current_command = nil
+
     class << self
       def load_config
         Conjur::Config.load
@@ -69,8 +71,7 @@ module Conjur
 
       def load_plugins
         # These used to be plugins but now they are in the core CLI
-        plugins = Conjur::Config.plugins - %w(layer pubkeys)
-        
+        plugins = Conjur::Config.plugins - %w(audit-send host-factory layer pubkeys)
         plugins.each do |plugin|
           begin
             filename = "conjur-asset-#{plugin}"
@@ -92,6 +93,19 @@ module Conjur
         load_plugins
         commands_from 'conjur/command'
       end
+
+      def appliance_version
+        Conjur::API.service_version 'appliance'
+      rescue
+        nil
+      end
+
+      def command_version_compatible? command
+        !command.instance_variable_defined?(:@conjur_min_version) ||
+          (appliance_version &&
+           command.instance_variable_get(:@conjur_min_version) <= appliance_version
+          )
+      end
     end
 
     init!
@@ -123,13 +137,22 @@ module Conjur
       
       true
     end
+
+    around do |global,command,options,args,code|
+      @current_command = command
+      code.call
+      @current_command = nil
+    end
     
     on_error do |exception|
       require 'rest-client'
       require 'patches/conjur/error'
-
+        
       run_default_handler = true
-      if exception.is_a?(RestClient::Exception) && exception.response
+      if @current_command != nil && !command_version_compatible?(@current_command)
+        $stderr.puts "error: this command is not supported by the current Conjur server version"
+        run_default_handler = false
+      elsif exception.is_a?(RestClient::Exception) && exception.response
         err = Conjur::Error.create exception.response.body
         if err
           $stderr.puts "error: " + err.message

data/lib/conjur/command.rb

@@ -19,6 +19,7 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 require 'base64'
+require 'semantic'
 
 module Conjur
   class Command
@@ -104,6 +105,17 @@ module Conjur
         command.switch [:a, :annotate]
       end
 
+      def min_version command, version
+        version = Semantic::Version.new version
+        if version.pre == nil
+          # Version check doesn't work correctly if one version has
+          # the "-###" suffix and the other does not. Versions
+          # returned by the server have the suffix.
+          version.pre = "0"
+        end
+        command.instance_variable_set(:@conjur_min_version, version)
+      end
+
       def prompt_for_annotations
         highline.say('Add annotations (a name and value for each one):')
         {}.tap do |annotations|
@@ -254,6 +266,22 @@ an alternative destination role.)
           obj.role.revoke_from member
         end
       end
+
+      def retire_internal_role roleObj
+        members = roleObj.members
+        # Move the invoking role to the end of the roles list, so that it doesn't
+        # lose its permissions in the middle of this operation.
+        self_member = members.select{|m| m.member.roleid == current_user.role.roleid}
+        self_member.each do |m|
+          members.delete m
+        end
+        members.concat self_member if self_member
+        members.each do |r|
+          member = api.role(r.member)
+          puts "Revoking from role #{member.roleid}"
+          roleObj.revoke_from member
+        end
+      end
       
       def give_away_resource obj, options
         destination = options[:"destination-role"]
@@ -420,6 +448,14 @@ an alternative destination role.)
         
         password
       end
+      
+      def has_admin?(role, other_role)
+        memberships = role.memberships.map(&:roleid)
+        other_role.members.any? { |m| memberships.member?(m.member.roleid) && m.admin_option }
+      rescue RestClient::Forbidden
+        false
+      end
+
     end
   end
 end

data/lib/conjur/command/audit.rb

@@ -138,6 +138,18 @@ class Conjur::Command
         id = full_resource_id(require_arg args, "resource")
         api.audit_resource(id, options){|es| show_audit_events es, options}
       end 
+
+      audit.desc "Send custom event(s) to audit system"
+      audit.long_desc "Send custom event(s) to audit system. Events should be provided in JSON format, describing either single hash or array of hashes."
+      audit.arg_name "( json_string | STDIN )"
+      audit.command :send do |c| 
+        c.action do |global_options, options, args|
+          json = ( args.shift || STDIN.read )
+          api.audit_send json
+          puts "Events sent successfully"
+        end
+      end
+
     end
   end
 end

data/lib/conjur/command/bootstrap.rb

@@ -58,18 +58,14 @@ class Conjur::Command::Bootstrap < Conjur::Command
       api.user(username)
     end
     security_admin = api.group("security_admin")
-    memberships = user.role.memberships.map(&:roleid) if user
     
     if user
+      memberships = user.role.memberships.map(&:roleid)
       if security_admin.exists?
-        begin
-          # The user has a role which is admin of the security_admin role
-          # The user has the role which owns the security_admin resource
-          security_admin.role.members.find{|m| memberships.member?(m.member.roleid) && m.admin_option} &&
-            memberships.member?(security_admin.resource.ownerid)
-        rescue RestClient::Forbidden
-          false
-        end
+        # The user has a role which is admin of the security_admin role
+        # The user has the role which owns the security_admin resource
+        has_admin?(user.role, security_admin.role) &&
+          memberships.member?(security_admin.resource.ownerid)
       else
         user.login == "admin"
       end

data/lib/conjur/command/host_factories.rb

@@ -0,0 +1,187 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+class Conjur::Command::HostFactories < Conjur::Command
+  desc "Manage host factories"
+
+  command :hostfactory do |hf|
+    hf.desc "Create a new host factory"
+    hf.arg_name "id"
+    hf.command :create do |c|
+      acting_as_option(c)
+
+      c.arg_name "layer"
+      c.desc "A space-delimited list of layers to which new hosts will belong"
+      c.flag [:l, :layer]
+
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'hostfactory')
+        
+        unless options[:ownerid]
+          exit_now! "Use --as-group or --as-role to indicate the host factory role"
+        end
+        
+        owner_role = api.role(options[:ownerid])
+
+        layers = (options[:layer] || "").split(/\s/)
+        exit_now! "Provide at least one layer" unless layers.count > 0
+
+        layers.each do |layerid|
+          layer = api.layer(layerid)
+          exit_now! "Layer '#{layerid}' does not exist" unless layer.exists?
+          unless has_admin?(owner_role, layer.role)
+            exit_now! "#{owner_role.id} must be an admin of layer '#{layerid}' to create a host factory for it" 
+          end
+        end
+        
+        command_options = options.dup
+        command_options[:layers] = layers
+        command_options[:roleid] = options[:ownerid]
+          
+        host_factory = api.create_host_factory id, command_options
+        display host_factory
+      end
+    end
+
+    hf.desc "Show a host factory"
+    hf.arg_name "id"
+    hf.command :show do |c|
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'id')
+        display(api.host_factory(id), options)
+      end
+    end
+
+    hf.desc "List host factories"
+    hf.command :list do |c|
+      command_options_for_list c
+      c.action do |global_options, options, args|
+        command_impl_for_list global_options, options.merge(kind: "host_factory"), args
+      end
+    end
+
+    hf.desc "Operations on tokens"
+    hf.long_desc <<-DESC
+This command creates one or more identical tokens. A token is always created with an 
+expiration time, which by default is 1 hour from now. The expiration time can be customized
+with command arguments specifying the number of minutes, hours, days for which the token
+will be valid.
+
+By default, this command creates one token. Optionally, it can be used to create multiple identical tokens.
+    DESC
+    hf.command :tokens do |tokens|
+      
+      tokens.desc "Create one or more tokens"
+      tokens.arg_name "hostfactory"
+      tokens.command :create do |c|
+        c.arg_name "duration in minutes"
+        c.desc "Number of minutes from now in which the token will expire"
+        c.flag [:"duration-minutes"]
+
+        c.arg_name "duration in hours"
+        c.desc "Number of hours from now in which the token will expire"
+        c.flag [:"duration-hours"]
+          
+        c.arg_name "duration in days"
+        c.desc "Number of days from now in which the token will expire"
+        c.flag [:"duration-days"]
+        
+        c.arg_name "count"
+        c.desc "Number of identical tokens to create"
+        c.flag [:c, :count]
+
+        c.arg_name "cidr"
+        c.desc "A comma-delimited list of CIDR addresses to restrict token to (optional)"
+        c.flag [:cidr]
+
+        c.action do |global_options,options,args|
+          id = require_arg(args, 'hostfactory')
+
+          duration = 0
+          %w(duration-minutes duration-hours duration-days).each do |d|
+            if t = options[d.to_sym]
+              duration += t.to_i.send(d.split('-')[-1])
+            end
+          end
+          if duration == 0
+            duration = 1.hour
+          end
+          expiration = Time.now + duration
+          count = (options[:count] || 1).to_i
+          command_options = {}
+          
+          cidr = format_cidr(options.delete(:cidr))
+          command_options[:cidr] = cidr unless cidr.nil?
+
+          tokens = api.host_factory(id).create_tokens expiration, count, command_options
+          display tokens.map(&:to_json)
+        end
+      end
+
+      tokens.desc "Revoke (delete) a token"
+      tokens.arg_name "token"
+      tokens.command :revoke do |c|
+        c.action do |global_options,options,args|
+          token = require_arg(args, 'token')
+          
+          api.revoke_host_factory_token token
+          puts "Token revoked"
+        end
+      end
+      
+      tokens.desc "Show a token"
+      tokens.arg_name "token"
+      tokens.command :show do |c|
+        c.action do |global_options,options,args|
+          token = require_arg(args, 'token')
+          
+          display api.show_host_factory_token(token), options
+        end
+      end
+    end
+
+    hf.desc "Operations on hosts"
+    hf.command :hosts do |hosts|
+      hosts.desc "Use a token to create a host"
+      hosts.arg_name "token host-id"
+      hosts.command :create do |c|
+        c.action do |global_options,options,args|
+          token = require_arg(args, 'token')
+          id = require_arg(args, 'host-id')
+          
+          host = Conjur::API.host_factory_create_host token, id, options
+          display host
+        end
+      end
+    end
+  end
+
+  def self.format_cidr(cidr)
+    case cidr
+    when 'all'
+      []
+    when nil
+      nil
+    else
+      cidr.split(',').each {|x| x.strip!}
+    end
+  end
+end