conjur-cli 4.28.2 → 4.29.0

data/lib/conjur/command/hosts.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2015 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -32,16 +32,22 @@ class Conjur::Command::Hosts < Conjur::Command
       c.arg_name "password"
       c.flag [:p,:password]
 
+      c.desc "A comma-delimited list of CIDR addresses to restrict host to (optional)"
+      c.flag [:cidr]
+
       acting_as_option(c)
 
       c.action do |global_options,options,args|
         id = args.shift
-        options[:id] = id if id
 
         unless id
           ActiveSupport::Deprecation.warn "id argument will be required in future releases"
         end
 
+        cidr = format_cidr(options.delete(:cidr))
+        options[:id] = id if id
+        options[:cidr] = cidr unless cidr.nil?
+          
         display api.create_host(options), options
       end
     end
@@ -88,6 +94,65 @@ class Conjur::Command::Hosts < Conjur::Command
       end
     end
 
+    hosts.desc "Rotate a host's API key"
+    hosts.command :rotate_api_key do |c|
+      c.desc "Login of host whose API key we want to rotate (default: logged-in host)"
+      c.flag [:host, :h]
+      c.action do |_global, options, _args|
+        if options.include?(:host)
+          host = options[:host]
+
+          unless api.host(host).exists?
+            exit_now! "host '#{host}' not found"
+          end
+
+          # Prepend 'host/' if it wasn't passed in
+          unless is_host_login?(host)
+            host = 'host/' + host
+          end
+
+          # Make sure we're not trying to rotate our own key with the user flag.
+          if api.username == host
+            exit_now! 'To rotate your own API key, use this command without the --host flag'
+          end
+
+          puts api.user(host).rotate_api_key
+        else
+          username, password = Conjur::Authn.read_credentials
+          # Make sure the current identity is a host
+          unless is_host_login?(username)
+            exit_now! "'#{username}' is not a valid host login, specify a host with the --host flag"
+          end
+
+          new_api_key = Conjur::API.rotate_api_key username, password
+          # Show the new one before saving credentials so we don't lose it on failure.
+          puts new_api_key
+          Conjur::Authn.save_credentials username: username, password: new_api_key
+        end
+      end
+    end
+
+    hosts.desc "Update a hosts's attributes"
+    hosts.arg_name "HOST"
+    hosts.command :update do |c|
+      c.desc "A comma-delimited list of CIDR addresses to restrict host to (optional). Use 'all' to reset"
+      c.flag [:cidr]
+
+      c.action do |global_options, options, args|
+        id = require_arg(args, 'HOST')
+
+        host = api.host(id)
+
+        cidr = format_cidr(options[:cidr])
+
+        host_options = { }
+        host_options[:cidr] = cidr unless cidr.nil?
+
+        host.update(host_options)
+        puts "Host updated"
+      end
+    end
+
     hosts.desc "[Deprecated] Enroll a new host into conjur"
     hosts.arg_name "HOST"
     hosts.command :enroll do |c|
@@ -111,4 +176,19 @@ class Conjur::Command::Hosts < Conjur::Command
       end
     end
   end
+
+  def self.format_cidr(cidr)
+    case cidr
+    when 'all'
+      []
+    when nil
+      nil
+    else
+      cidr.split(',').each {|x| x.strip!}
+    end
+  end
+
+  def self.is_host_login?(username)
+    username.start_with?('host/')
+  end
 end

data/lib/conjur/command/layers.rb

@@ -104,6 +104,34 @@ class Conjur::Command::Layers < Conjur::Command
       end
     end
 
+    layer.desc "Decommission a layer"
+    layer.arg_name "LAYER"
+    layer.command :retire do |c|
+      retire_options c
+
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'LAYER')
+        
+        layer = api.layer(id)
+        
+        validate_retire_privileges layer, options
+        
+        retire_resource layer
+        retire_role layer
+        # retire internal roles for observe, use_host, admin_host
+        account = Conjur::Core::API.conjur_account
+        ['observe', 'use_host', 'admin_host'].each do |priv|
+          role_name = ['layer', id, priv].join('/')
+          role_id = [ account, '@', role_name].join(':')
+          role_obj = api.role(role_id)
+          retire_internal_role role_obj
+        end
+        give_away_resource layer, options
+        
+        puts "Layer retired"
+      end
+    end
+
     layer.desc "Operations on hosts"
     layer.command :hosts do |hosts|
       hosts.desc "Permit a privilege on hosts in the layer"

data/lib/conjur/command/resources.rb

@@ -68,6 +68,7 @@ class Conjur::Command::Resources < Conjur::Command
         id = full_resource_id( require_arg(args, "RESOURCE") )
         role = require_arg(args, "ROLE")
         privilege = require_arg(args, "PRIVILEGE")
+        $stderr.print "Granting #{role} permission to #{privilege} #{id}... "
         unless options[:g]
           api.resource(id).permit privilege, role
         else

data/lib/conjur/command/rspec/mock_services.rb

@@ -1,7 +1,7 @@
 shared_context "with fake endpoints and test config" do
   let(:authn_host) { 'https://authn.example.com' }
   let(:authz_host) { 'https://authz.example.com' }
-  let(:core_host) { 'https://core.example.com' }
+  let(:core_host) { 'https://core.example.com/api' }
   before do
     allow(Conjur::Authn::API).to receive(:host) { authn_host }
     allow(Conjur::Authz::API).to receive(:host) { authz_host }

data/lib/conjur/command/server.rb

@@ -0,0 +1,67 @@
+#
+# Copyright (C) 2016 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+class Conjur::Command::Server < Conjur::Command
+  desc 'Show Conjur client and server versions'
+  command :version do |v|
+    v.action do |*_|
+      puts "Conjur client version #{Conjur::VERSION}"
+      show_server_version
+    end
+  end
+
+  desc 'Server information'
+  command :server do |server|
+    server.desc 'Show service versions'
+    server.command :version do |c|
+      c.action do |*_|
+        show_server_version
+      end
+    end
+
+    server.desc 'Show general server information'
+    server.command :info do |c|
+      c.action do |*_|
+        display Conjur::API.appliance_info
+      end
+    end
+
+    server.desc 'Show server health information'
+    server.command :health do |c|
+      c.desc 'Show health information for a remote host, from the perspective of this server'
+      c.flag :h, :host
+      c.action do |_, options, _|
+        display Conjur::API.appliance_health(options[:host])
+      end
+    end
+  end
+
+  class << self
+    def show_server_version
+      services = Conjur::API.appliance_info['services']
+      appliance = services.delete 'appliance'
+      puts "Conjur appliance version: #{appliance['version']}"
+      puts 'Conjur service versions:'
+      services.each do |name,info|
+        puts "  #{name}: #{info['version']}"
+      end
+    end
+  end
+end

data/lib/conjur/command/users.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2013-2015 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -33,6 +33,9 @@ class Conjur::Command::Users < Conjur::Command
       c.desc "UID number to be associated with user (optional)"
       c.flag [:uidnumber]
 
+      c.desc "A comma-delimited list of CIDR addresses to restrict user to (optional)"
+      c.flag [:cidr]
+
       acting_as_option(c)
 
       interactive_option c
@@ -44,9 +47,11 @@ class Conjur::Command::Users < Conjur::Command
 
         groupid = options[:ownerid]
         uidnumber = options[:uidnumber]
+        cidr = format_cidr(options[:cidr])
         password = nil
-        exit_now! "uidnumber should be integer" unless uidnumber.blank? || /\d+/ =~ uidnumber
-          
+
+        validate_uidnumber(uidnumber)
+
         if interactive
           login ||= prompt_for_id :user, "login name"
           
@@ -57,7 +62,8 @@ class Conjur::Command::Users < Conjur::Command
           attributes = {
             "Login"    => login,
             "Owner" => groupid,
-            "UID Number"  => uidnumber
+            "UID Number"  => uidnumber,
+            "CIDR" => cidr
           }
           attributes["Password"] = "********" unless password.blank?
           prompt_to_confirm :user, attributes
@@ -70,6 +76,7 @@ class Conjur::Command::Users < Conjur::Command
         user_options = { }
         user_options[:ownerid] = groupid if groupid
         user_options[:uidnumber] = uidnumber.to_i if uidnumber
+        user_options[:cidr] = cidr unless cidr.nil?
         user_options[:password] = password if password
         user = api.create_user(login, user_options)
 
@@ -129,24 +136,57 @@ class Conjur::Command::Users < Conjur::Command
       c.flag [:p,:password]
 
       c.action do |global_options,options,args|
-        username, password = Conjur::Authn.read_credentials
+        username, password = Conjur::Authn.get_credentials
         new_password = options[:password] || prompt_for_password
 
         Conjur::API.update_password username, password, new_password
       end
     end
 
-    user.desc "Update user's attributes (only uidnumber supported now)"
-    user.arg_name "USER" 
+    user.desc "Rotate a user's API key"
+    user.command :rotate_api_key do |c|
+      c.desc "Login of user whose API key we want to rotate (default: logged-in user)"
+      c.flag [:user, :u]
+      c.action do |_global, options, _args|
+        if options.include?(:user)
+          # Make sure we're not trying to rotate our own key with the user flag.
+          if api.username == options[:user]
+            exit_now! 'To rotate your own API key, use this command without the --user flag'
+          end
+          puts api.user(options[:user]).rotate_api_key
+        else
+          username, password = Conjur::Authn.read_credentials
+          new_api_key = Conjur::API.rotate_api_key username, password
+          # Show the new one before saving credentials so we don't lose it on failure.
+          puts new_api_key
+          Conjur::Authn.save_credentials username: username, password: new_api_key
+        end
+      end
+    end
+
+    user.desc "Update a user's attributes"
+    user.arg_name "USER"
     user.command :update do |c|
-      c.desc "UID number to be associated with user"
+      c.desc "UID number to be associated with user (optional)"
       c.flag [:uidnumber]
+
+      c.desc "A comma-delimited list of CIDR addresses to restrict user to (optional). Use 'all' to reset"
+      c.flag [:cidr]
+
       c.action do |global_options, options, args|
         login=require_arg(args,'USER')
-        raise "Uidnumber should be integer" unless /\d+/ =~ options[:uidnumber]
-        options[:uidnumber]=options[:uidnumber].to_i
-        api.user(login).update(options)
-        puts "UID set" 
+
+        uidnumber = options[:uidnumber]
+        cidr = format_cidr(options[:cidr])
+
+        validate_uidnumber(uidnumber)
+
+        user_options = { }
+        user_options[:uidnumber] = uidnumber.to_i if uidnumber
+        user_options[:cidr] = cidr unless cidr.nil?
+
+        api.user(login).update(user_options)
+        puts "User updated"
       end
     end
 
@@ -165,4 +205,19 @@ class Conjur::Command::Users < Conjur::Command
   def self.prompt_for_uidnumber
     prompt_for_idnumber "uid number"
   end
+
+  def self.format_cidr(cidr)
+    case cidr
+    when 'all'
+      []
+    when nil
+      nil
+    else
+      cidr.split(',').each {|x| x.strip!}
+    end
+  end
+
+  def self.validate_uidnumber(uidnumber)
+    exit_now! 'uidnumber should be integer' unless uidnumber.blank? || /\d+/ =~ uidnumber
+  end
 end

data/lib/conjur/command/variables.rb

@@ -153,24 +153,111 @@ class Conjur::Command::Variables < Conjur::Command
         $stdout.write api.variable(id).value(options[:version])
       end
     end
-  end
-  
-  def self.prompt_for_kind
-    highline.ask('Enter the kind: ') {|q| q.default = @default_kind }
-  end
 
-  def self.prompt_for_mime_type
-    highline.choose do |menu|
-      menu.prompt = 'Enter the MIME type: '
-      menu.choice  @default_mime_type 
-      menu.choices *%w(application/json application/xml application/x-yaml application/x-pem-file)
-      menu.choice "other", nil do |c|
-        @highline.ask('Enter a custom mime type: ')
+    var.desc 'Set the expiration for a variable'
+    var.command :expire do |c|
+      c.arg_name "NOW"
+      c.desc 'Set variable to expire immediately'
+      min_version c, '4.6.0'
+      c.switch [:n, :'now'], :negatable => false
+
+      c.arg_name "DAYS"
+      c.desc 'Set variable to expire after the given number of days'
+      c.flag [:d, :'days']
+
+      c.arg_name "MONTHS"
+      c.desc 'Set variable to expire after the given number of months'
+      c.flag [:m, :'months']
+
+      c.arg_name "DURATION"
+      c.desc 'Set variable to expire after the given ISO8601 duration'
+      c.flag [:i, :'in']
+
+      c.action do |global_options, options, args|
+        id = require_arg(args, 'VARIABLE')
+
+        exit_now! 'Specify only one duration' if durations(options) > 1
+        exit_now! 'Specify at least one duration' if durations(options) == 0
+
+        now = options[:n]
+        days = options[:d]
+        months = options[:m]
+
+        case
+        when now.present?
+          duration = 'P0Y'
+        when days.present?
+          duration = "P#{days.to_i}D"
+        when months.present?
+          duration = "P#{months.to_i}M"
+        else
+          duration = options[:i]
+        end
+
+        display api.variable(id).expires_in(duration)
+      end
+    end
+
+    var.desc 'Display expiring variables'
+    var.long_desc 'Only variables that expire within the given duration are displayed. If no duration is provided, show all visible variables that are set to expire.'
+    var.command :expirations do |c|
+      c.arg_name 'DAYS'
+      c.desc 'Display variables that expire within the given number of days'
+      min_version c, '4.6.0'
+      c.flag [:d, :'days']
+
+      c.arg_name 'MONTHS'
+      c.desc 'Display variables that expire within the given number of months'
+      c.flag [:m, :'months']
+
+      c.arg_name 'IN'
+      c.desc 'Display variables that expire within the given ISO8601 interval'
+      c.flag [:i, :'in']
+
+      c.action do | global_options, options, args|
+
+        days = options[:d]
+        months = options[:m]
+        duration = options[:i]
+
+        exit_now! 'Specify only one duration' if durations(options) > 1
+
+        case
+        when days.present?
+          duration = "P#{days.to_i}D"
+        when months.present?
+          duration = "P#{months.to_i}M"
+        end
+
+        display api.variable_expirations(duration)
       end
     end
+
   end
 
-  def self.prompt_for_value
-    read_till_eof('Enter the secret value (^D on its own line to finish):')
+  class << self
+    def prompt_for_kind
+      highline.ask('Enter the kind: ') {|q| q.default = @default_kind }
+    end
+    
+    def prompt_for_mime_type
+      highline.choose do |menu|
+        menu.prompt = 'Enter the MIME type: '
+        menu.choice  @default_mime_type 
+        menu.choices *%w(application/json application/xml application/x-yaml application/x-pem-file)
+        menu.choice "other", nil do |c|
+          @highline.ask('Enter a custom mime type: ')
+        end
+      end
+    end
+    
+    def prompt_for_value
+      read_till_eof('Enter the secret value (^D on its own line to finish):')
+    end
+    
+    def durations(options)
+      [options[:n],options[:d],options[:m],options[:i]].count {|o| o.present?}
+    end
   end
+
 end