conjur-cli 4.28.2 → 4.29.0

data/lib/conjur/conjurize.rb

@@ -2,14 +2,7 @@ require 'methadone'
 require 'json'
 require 'open-uri'
 require 'conjur/version.rb'
-
-def latest_conjur_release
-  url = 'https://api.github.com/repos/conjur-cookbooks/conjur/releases'
-  resp = open(url)
-  json = JSON.parse(resp.read)
-  latest = json[0]['assets'].select {|asset| asset['name'] =~ /conjur-v\d.\d.\d.tar.gz/}[0]
-  latest['browser_download_url']
-end
+require "conjur/conjurize/script"
 
 module Conjur
   class Conjurize
@@ -31,77 +24,37 @@ DESC
       else
         STDIN.read
       end
-      host = JSON.parse input
 
-      login = host['id'] or raise "No 'id' field in host JSON"
-      api_key = host['api_key'] or raise "No 'api_key' field in host JSON"
+      puts generate JSON.parse input
+    end
+
+    def self.generate host
+      config = configuration host
 
-      require 'conjur/cli'
+      if options[:json]
+        JSON.dump config
+      else
+        Script.generate config, options
+      end
+    end
+
+    def self.apply_client_config
+      require "conjur/cli"
       if conjur_config = options[:c]
         Conjur::Config.load [ conjur_config ]
       else
         Conjur::Config.load
       end
       Conjur::Config.apply
+    end
 
-      conjur_cookbook_url = conjur_run_list = nil
-
-      conjur_run_list = options[:"conjur-run-list"]
-      conjur_cookbook_url = options[:"conjur-cookbook-url"]
-      chef_executable = options[:"chef-executable"]
-
-      if options[:ssh]
-        conjur_run_list ||= "conjur"
-        conjur_cookbook_url ||= latest_conjur_release()
-      end
-
-      sudo = lambda{|str|
-        [ options[:sudo] ? "sudo -n" : nil, str ].compact.join(" ")
-      }
-
-      header = <<-HEADER
-#!/bin/sh
-set -e
-
-# Implementation note: 'tee' is used as a sudo-friendly 'cat' to populate a file with the contents provided below.
-      HEADER
-
-      configure_conjur = <<-CONFIGURE
-#{sudo.call 'tee'} /etc/conjur.conf > /dev/null << CONJUR_CONF
-account: #{Conjur.configuration.account}
-appliance_url: #{Conjur.configuration.appliance_url}
-cert_file: /etc/conjur-#{Conjur.configuration.account}.pem
-netrc_path: /etc/conjur.identity
-plugins: []
-CONJUR_CONF
-
-#{sudo.call 'tee'} /etc/conjur-#{Conjur.configuration.account}.pem > /dev/null << CONJUR_CERT
-#{File.read(Conjur.configuration.cert_file).strip}
-CONJUR_CERT
-
-#{sudo.call 'tee'} /etc/conjur.identity > /dev/null << CONJUR_IDENTITY
-machine #{Conjur.configuration.appliance_url}/authn
-  login host/#{login}
-  password #{api_key}
-CONJUR_IDENTITY
-#{sudo.call 'chmod'} 0600 /etc/conjur.identity
-      CONFIGURE
-
-      install_chef = if conjur_cookbook_url && !chef_executable
-        %Q(curl -L https://www.opscode.com/chef/install.sh | #{sudo.call 'bash'})
-      else
-        nil
-      end
-
-      chef_executable ||= "chef-solo"
-
-      run_chef = if conjur_cookbook_url
-        %Q(#{sudo.call "#{chef_executable} -r #{conjur_cookbook_url} -o #{conjur_run_list}"})
-      else
-        nil
-      end
+    def self.configuration host
+      apply_client_config
 
-      puts [ header, configure_conjur, install_chef, run_chef ].compact.join("\n")
+      host.merge \
+        "account" => Conjur.configuration.account,
+        "appliance_url" => Conjur.configuration.appliance_url,
+        "certificate" => File.read(Conjur.configuration.cert_file).strip
     end
 
     on("-c CONJUR_CONFIG_FILE", "Overrides defaults (CONJURRC env var, ~/.conjurrc, /etc/conjur.conf).")
@@ -111,5 +64,8 @@ CONJUR_IDENTITY
     on("--sudo", "Indicates that all commands should be run via 'sudo'.")
     on("--conjur-cookbook-url NAME", "Overrides the default Chef cookbook URL for Conjur SSH.")
     on("--conjur-run-list RUNLIST", "Overrides the default Chef run list for Conjur SSH.")
+    on \
+      "--json",
+      "Don't generate the script, instead just dump the configuration as JSON"
   end
 end

data/lib/conjur/conjurize/script.rb

@@ -0,0 +1,133 @@
+require "json"
+require "open-uri"
+
+class Conjur::Conjurize
+  # generates a shell script to conjurize a host
+  class Script
+    COOKBOOK_RELEASES_URL =
+      "https://api.github.com/repos/conjur-cookbooks/conjur/releases".freeze
+
+    def self.latest_conjur_cookbook_release
+      json = JSON.parse open(COOKBOOK_RELEASES_URL).read
+      tarballs = json[0]["assets"].select do |asset|
+        asset["name"] =~ /conjur-v\d.\d.\d.tar.gz/
+      end
+      tarballs.first["browser_download_url"]
+    end
+
+    HEADER = <<-HEADER.freeze
+#!/bin/sh
+set -e
+
+# Implementation note: 'tee' is used as a sudo-friendly 'cat' to populate a file with the contents provided below.
+    HEADER
+
+    def initialize options
+      @options = options
+    end
+
+    attr_reader :options
+
+    def sudo
+      @sudo ||= options["sudo"] ? ->(x) { "sudo -n #{x}" } : ->(x) { x }
+    end
+
+    # Generate a piece of shell to write to a file
+    # @param path [String] absolute path to write to
+    # @param content [String] contents to write
+    # @option options [String, Fixnum] :mode mode to apply to the file
+    def write_file path, content, options = {}
+      [
+        ((mode = options[:mode]) && set_mode(path, mode)),
+        [sudo["tee"], path, "> /dev/null << EOF"].join(" "),
+        content.strip,
+        "EOF\n"
+      ].compact.join("\n")
+    end
+
+    def set_mode path, mode
+      mode = mode.to_s(8) if mode.respond_to? :to_int
+      [
+        [sudo["touch"], path].join(" "),
+        [sudo["chmod"], mode, path].join(" ")
+      ].join("\n")
+    end
+
+    def self.generate configuration, options
+      new(options).generate configuration
+    end
+
+    def install_chef?
+      run_chef? && !options[:"chef-executable"]
+    end
+
+    def run_chef?
+      options.values_at(:ssh, :"conjur-run-list").any?
+    end
+
+    def chef_executable
+      options[:"chef-executable"] || "chef-solo"
+    end
+
+    def conjur_cookbook_url
+      options[:"conjur-cookbook-url"] || Script.latest_conjur_cookbook_release
+    end
+
+    def conjur_run_list
+      options[:"conjur-run-list"] || "conjur"
+    end
+
+    def chef_script
+      @chef_script ||= [
+        ("curl -L https://www.opscode.com/chef/install.sh | " + sudo["bash"] \
+          if install_chef?),
+        (sudo["#{chef_executable} -r #{conjur_cookbook_url} " \
+            "-o #{conjur_run_list}"] if run_chef?)
+      ].join "\n"
+    end
+
+    def self.rc configuration
+      [
+        "account: #{configuration['account']}",
+        "appliance_url: #{configuration['appliance_url']}",
+        "cert_file: /etc/conjur-#{configuration['account']}.pem",
+        "netrc_path: /etc/conjur.identity",
+        "plugins: []"
+      ].join "\n"
+    end
+
+    def self.identity configuration
+      """
+        machine #{configuration['appliance_url']}/authn
+        login host/#{configuration['id']}
+        password #{configuration['api_key']}
+      """
+    end
+
+    def configure_conjur configuration
+      [
+        write_file("/etc/conjur.conf", Script.rc(configuration)),
+        write_file(
+          "/etc/conjur-#{configuration['account']}.pem",
+          configuration["certificate"]
+        ),
+        write_file(
+          "/etc/conjur.identity",
+          Script.identity(configuration),
+          mode: 0600
+        )
+      ].join "\n"
+    end
+
+    def generate configuration
+      fail "No 'id' field in host JSON" unless configuration["id"]
+      fail "No 'api_key' field in host JSON" unless configuration["api_key"]
+
+      [
+        HEADER,
+        configure_conjur(configuration),
+        chef_script
+      ].join("\n")
+    end
+  end
+end

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.28.2"
+  VERSION = "4.29.0"
   ::Version=VERSION
 end

data/publish.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -ex
+
+export DEBUG=true 
+export GLI_DEBUG=true 
+
+debify publish 4.6 cli

data/spec/command/elevate_spec.rb

@@ -17,7 +17,7 @@ describe Conjur::Command::Elevate do
       
       expect(RestClient::Request).to receive(:execute).with({
         method: :get,
-        url: "https://core.example.com/users/alice",
+        url: "https://core.example.com/api/users/alice",
         username: "dknuth",
         headers: {:authorization=>"Token token=\"eyJsb2dpbiI6ImRrbnV0aCJ9\"", x_conjur_privilege: "elevate"}
       }).and_return(double(:response, body: "[]"))

data/spec/command/host_factories_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'conjur/command/host_factories'
+
+describe Conjur::Command::HostFactories, :logged_in => true do
+  let (:group_memberships) { double(:group_memberships, :roleid => 'the-account:group:security_admin') }
+  let (:group) { double(:group, :exists? => true, :memberships => [group_memberships]) }
+  let (:layer_members) { double(:layer_members, :member => double(:member, :roleid => 'the-account:group:security_admin'), :admin_option => true ) }
+  let (:layer_role) { double(:layer_role, :members => [layer_members]) }
+  let (:layer) { double(:layer, :exists? => true, :role => layer_role) }
+
+  before do
+    allow(Conjur::Command.api).to receive(:role).with("the-account:group:the-group").and_return group
+    allow(Conjur::Command.api).to receive(:layer).with("layer1").and_return layer
+  end
+
+  describe_command 'hostfactory:create --as-group the-group --layer layer1 hf1 ' do
+
+    it 'calls api.create_host_factory and prints the results' do
+      expect_any_instance_of(Conjur::API).to receive(:create_host_factory).and_return '{}'
+      expect { invoke }.to write('{}')
+    end
+  end
+
+  context 'command-line errors' do
+    describe_command 'hostfactory:create hf1' do
+      it "fails without owner" do
+        expect {invoke}.to raise_error('Use --as-group or --as-role to indicate the host factory role') 
+      end
+    end
+    describe_command 'hostfactory:create --as-group the-group hf' do
+      it "fails without layer" do
+        expect {invoke}.to raise_error('Provide at least one layer') 
+      end
+    end
+
+  end
+
+end

data/spec/command/hosts_spec.rb

@@ -1,30 +1,94 @@
 require 'spec_helper'
 
 describe Conjur::Command::Hosts, logged_in: true do
-  let(:collection_url) { "https://core.example.com/hosts" }
-  
-  describe_command "host:create" do
-    it "lets the server assign the id" do
-     expect(RestClient::Request).to receive(:execute).with({
-        method: :post,
-        url: collection_url,
-        headers: {},
-        payload: {}
-        }).and_return(post_response('assigned-id'))
-
-      expect { invoke }.to write({ id: 'assigned-id' }).to(:stdout)
+  let(:collection_url) { "https://core.example.com/api/hosts" }
+
+  context "creating a host" do
+    let(:new_host) { double("new-host") }
+
+    describe_command "host:create" do
+      it "lets the server assign the id" do
+       expect(RestClient::Request).to receive(:execute).with({
+          method: :post,
+          url: collection_url,
+          headers: {},
+          payload: {}
+          }).and_return(post_response('assigned-id'))
+
+        expect { invoke }.to write({ id: 'assigned-id' }).to(:stdout)
+      end
+    end
+    describe_command "host:create the-id" do
+      it "propagates the user-assigned id" do
+       expect(RestClient::Request).to receive(:execute).with({
+          method: :post,
+          url: collection_url,
+          headers: {},
+          payload: { id: 'the-id' }
+        }).and_return(post_response('the-id'))
+
+        expect { invoke }.to write({ id: 'the-id' }).to(:stdout)
+      end
+    end
+    describe_command "host:create --cidr 192.168.1.1,127.0.0.0/32" do
+      it "Creates a host with specified CIDR" do
+        expect_any_instance_of(Conjur::API).to receive(:create_host).with(
+            { cidr: ['192.168.1.1', '127.0.0.0/32'] }
+        ).and_return new_host
+        invoke
+      end
+    end
+    describe_command "host:create --as-group security_admin --cidr 192.168.1.1,127.0.0.0/32" do
+      it "Creates a host with specified CIDR" do
+        expect(api).to receive(:group).with("security_admin").and_return(double(:group, roleid: "the-account:group:security_admin"))
+        expect(api).to receive(:role).with("the-account:group:security_admin").and_return(double(:group_role, exists?: true))
+        expect_any_instance_of(Conjur::API).to receive(:create_host).with(
+            { ownerid: "the-account:group:security_admin", cidr: ['192.168.1.1', '127.0.0.0/32'] }
+        ).and_return new_host
+        invoke
+      end
     end
   end
-  describe_command "host:create the-id" do
-    it "propagates the user-assigned id" do
-     expect(RestClient::Request).to receive(:execute).with({
-        method: :post,
-        url: collection_url,
-        headers: {},
-        payload: { id: 'the-id' }
-      }).and_return(post_response('the-id'))
-
-      expect { invoke }.to write({ id: 'the-id' }).to(:stdout)
+
+  context "updating host attributes" do
+    describe_command "host update --cidr 127.0.0.0/32 the-user" do
+      it "updates the CIDR" do
+        stub_host = double()
+        expect_any_instance_of(Conjur::API).to receive(:host).with("the-user").and_return stub_host
+        expect(stub_host).to receive(:update).with(cidr: ['127.0.0.0/32']).and_return ""
+        expect { invoke }.to write "Host updated"
+      end
+    end
+
+    describe_command "host update --cidr all the-user" do
+      it "resets the CIDR restrictions" do
+        stub_host = double()
+        expect_any_instance_of(Conjur::API).to receive(:host).with("the-user").and_return stub_host
+        expect(stub_host).to receive(:update).with(cidr: []).and_return ""
+        expect { invoke }.to write "Host updated"
+      end
+    end
+  end
+
+  context 'rotating api key' do
+    describe_command 'host rotate_api_key --host redis001' do
+      before do
+        expect(RestClient::Request).to receive(:execute).with({
+          method: :head,
+          url: 'https://core.example.com/api/hosts/redis001',
+          headers: {}
+        }).and_return true
+        expect(RestClient::Request).to receive(:execute).with({
+            method: :put,
+            url: 'https://authn.example.com/users/api_key?id=host%2Fredis001',
+            headers: {},
+            payload: ''
+        }).and_return double(:response, body: 'new api key')
+      end
+
+      it 'puts with basic auth' do
+        invoke
+      end
     end
   end
 end

data/spec/command/users_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe Conjur::Command::Users, logged_in: true do
-  let(:create_user_url) { "https://core.example.com/users" }
+  let(:create_user_url) { "https://core.example.com/api/users" }
   let(:update_password_url) { "https://authn.example.com/users/password" }
   
   context "creating a user" do
@@ -31,16 +31,41 @@ describe Conjur::Command::Users, logged_in: true do
           invoke
         end
       end
+      describe_command "#{cmd} --cidr 192.168.1.1,127.0.0.0/32 the-user" do
+        it "Creates a user with specified CIDR" do
+          expect_any_instance_of(Conjur::API).to receive(:create_user).with(
+              "the-user", { cidr: ['192.168.1.1', '127.0.0.0/32'] }
+          ).and_return new_user
+          invoke
+        end
+      end
     end
   end
 
-  context "updating UID number" do  
+  context "updating user attributes" do
     describe_command "user update --uidnumber 12345 the-user" do
       it "updates the uidnumber" do
         stub_user = double()
         expect_any_instance_of(Conjur::API).to receive(:user).with("the-user").and_return stub_user
         expect(stub_user).to receive(:update).with(uidnumber: 12345).and_return ""
-        expect { invoke }.to write "UID set"
+        expect { invoke }.to write "User updated"
+      end
+    end
+    describe_command "user update --cidr 127.0.0.0/32 the-user" do
+      it "updates the CIDR" do
+        stub_user = double()
+        expect_any_instance_of(Conjur::API).to receive(:user).with("the-user").and_return stub_user
+        expect(stub_user).to receive(:update).with(cidr: ['127.0.0.0/32']).and_return ""
+        expect { invoke }.to write "User updated"
+      end
+    end
+
+    describe_command "user update --cidr all the-user" do
+      it "resets the CIDR restrictions" do
+        stub_user = double()
+        expect_any_instance_of(Conjur::API).to receive(:user).with("the-user").and_return stub_user
+        expect(stub_user).to receive(:update).with(cidr: []).and_return ""
+        expect { invoke }.to write "User updated"
       end
     end
   end
@@ -81,4 +106,27 @@ describe Conjur::Command::Users, logged_in: true do
       end
     end
   end
+
+  context 'rotating api key' do
+    describe_command 'user rotate_api_key' do
+      before do
+        expect(RestClient::Request).to receive(:execute).with({
+                    method: :put,
+                    url: 'https://authn.example.com/users/api_key',
+                    user: username,
+                    password: api_key,
+                    headers: {},
+                    payload: ''
+                }).and_return double(:response, body: 'new api key')
+        expect(Conjur::Authn).to receive(:save_credentials).with({
+                    username: username,
+                    password: 'new api key'
+                })
+      end
+
+      it 'puts with basic auth' do
+        invoke
+      end
+    end
+  end
 end