conjur-cli 4.29.0 → 4.30.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 974b0f72a352691fba5f49e01849a56518cf3afe
-  data.tar.gz: 1ae44b2cbaca17695bfeec8192bba636a43ca6bc
+  metadata.gz: 7a8e5171dfa3fb930e4d09c7b48c70f6b572d66a
+  data.tar.gz: 38aeb8c329f096825dc1b6273e84d863f3e0a24d
 SHA512:
-  metadata.gz: 01f136c95c3467917990b66611bc71f0f3684d0c371e481c3700fdb3532975b9b52f530423da96c6980dbd06518d66571123cc3b5caba10d75de56e6a36819d8
-  data.tar.gz: 8492137a6c4bc4852dcc85ddec8e826d80ce1d1675a7d198c71680f3fd2fa1d45f3fb15c90f01892153b258dd6f79230008543327ae9da7eb37e1d42ca6d99c3
+  metadata.gz: a98b539b66a03f4949372a8d056dde90564d2637d84bc46ada647363cb8aef662cdd85fe852d1adad6364fc211ff7e6e1d75df3edee3a0b91fc9de5bb28aab93
+  data.tar.gz: 3bb5257cebd5c670d22f290fea687c0b8a5c9f37669abb87128c39d4a8679f6f247850123825ee37a3aba812d10840df6f754cc9b4f487358da2b21fc6ff6b21

data/.gitignore

@@ -23,6 +23,7 @@ pkg
 rdoc
 spec/reports
 features/reports
+acceptance-features/reports
 test/tmp
 test/version_tmp
 tmp

data/CHANGELOG.md

@@ -1,4 +1,8 @@
-# Unreleased
+# 4.30.0
+
+* Implementation of `conjur bootstrap` is moved to the API gem, and made extensible.
+* Added new steps to `conjur bootstrap`, including the creation of service identities, and giving `elevate` and `reveal` to the `security_admin` group.
+* `hostfactory create` verifies that the current role is able to admin the host factory group; otherwise, host factory creation will fail.
 
 # 4.29.0
 * Add `conjur host rotate_api_key` command.

data/Rakefile

@@ -9,11 +9,13 @@ require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new :spec
 Cucumber::Rake::Task.new :features
 
-task :jenkins => ['ci:setup:rspec', :spec, 'ci:setup:cucumber_report_cleanup'] do
+task :jenkins => ['ci:setup:rspec', :spec] do
+  File.write('build_number', ENV['BUILD_NUMBER']) if ENV['BUILD_NUMBER']
+  require 'fileutils'
+  FileUtils.rm_rf 'features/reports'
   Cucumber::Rake::Task.new do |t|
-    t.cucumber_opts = "--tags ~@real-api --format pretty --format CI::Reporter::Cucumber --out features/reports"
+    t.cucumber_opts = "--tags ~@real-api --format pretty --format junit --out features/reports"
   end.runner.run
-  File.write('build_number', ENV['BUILD_NUMBER']) if ENV['BUILD_NUMBER']
 end
 
 task default: [:spec, :features]

data/acceptance-features/bootstrap.feature

@@ -0,0 +1,13 @@
+Feature: "conjur bootstrap" creates default resources, privileges and roles
+
+	Background:
+    Given I successfully run `conjur bootstrap -q`
+
+	Scenario: A new security admin can use 'elevate'
+    When I successfully run `conjur resource permitted_roles '!:!:conjur' elevate`
+    Then the stdout should contain "cucumber:group:security_admin"
+
+	Scenario: Run bootstrap and test for the existence of things
+    Then I successfully run `conjur elevate group show security_admin`
+    And  I successfully run `conjur elevate host show conjur/secrets-rotator`
+    And  I successfully run `conjur elevate resource show webservice:conjur/authn-tv`

data/acceptance-features/directory/hostfactory/create.feature

@@ -1,13 +1,29 @@
 Feature: Create a Host Factory
+
   Background:
-    Given I successfully run `conjur layer create --as-group $ns/security_admin $ns/layer`
 
   Scenario: Create a host factory successfully
-    When I successfully run `conjur hostfactory create --as-group $ns/security_admin --layer $ns/layer $ns/hostfactory`
-    Then the JSON should have "deputy_api_key"
+    Given I successfully run `conjur layer create --as-group $ns/security_admin $ns/layer`
+    Then I successfully run `conjur hostfactory create --as-group $ns/security_admin --layer $ns/layer $ns/hostfactory`
+    And the JSON should have "deputy_api_key"
 
-  Scenario: Host factory owner must have admin on layer
+	Scenario: The client role can use itself as the hostfactory role
     Given I successfully run `conjur user create unprivileged@$ns`
+    And I successfully run `conjur layer create $ns/layer`
     When I run `conjur hostfactory create --as-role user:unprivileged@$ns --layer $ns/layer $ns/hostfactory`
-    Then the stderr should contain "must be an admin of layer"
-    And the stdout should not contain anything
+
+	Scenario: If current role cannot admin the layer, the error is reported
+		Given I successfully run `conjur layer create $ns/the-layer`
+		And I login as a new user
+		Given I successfully run `conjur group create $ns/the-group`
+		And I run `conjur hostfactory create --as-group $ns/the-group -l $ns/the-layer $ns/the-factory`
+		Then the exit status should not be 0
+		And the output should contain "must be an admin of layer"
+	
+	Scenario: If current role cannot admin the HF role, the error is reported
+		Given I successfully run `conjur group create $ns/the-group`
+		And I login as a new user
+		Given I successfully run `conjur layer create $ns/the-layer`
+		And I run `conjur hostfactory create --as-group $ns/the-group -l $ns/the-layer $ns/the-factory`
+		Then the exit status should not be 0
+		And the output should contain "must be an admin of role"

data/lib/conjur-cli.rb

@@ -0,0 +1,21 @@
+#
+# Copyright (C) 2016 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require "conjur/cli"

data/lib/conjur/command.rb

@@ -449,7 +449,17 @@ an alternative destination role.)
         password
       end
       
+      def current_role
+        kind, id = api.username.split('/', 2)
+        if id.nil?
+          id = kind
+          kind = 'user'
+        end
+        api.role([ kind, id ].join(":"))
+      end
+      
       def has_admin?(role, other_role)
+        return true if role.roleid == other_role.roleid
         memberships = role.memberships.map(&:roleid)
         other_role.members.any? { |m| memberships.member?(m.member.roleid) && m.admin_option }
       rescue RestClient::Forbidden

data/lib/conjur/command/bootstrap.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2014 Conjur Inc
+# Copyright (C) 2014-2016 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -20,7 +20,7 @@
 #
 
 class Conjur::Command::Bootstrap < Conjur::Command
-  desc "Create initial users, groups, and permissions"
+  desc "Create initial users, groups, permissions, and service identities."
   long_desc %Q(When you launch a new Conjur master server, it contains only one login: the "admin" user. 
   The bootstrap command will finish the setup of a new Conjur system by creating other essential records.
 
@@ -28,111 +28,101 @@ class Conjur::Command::Bootstrap < Conjur::Command
 
   * Creation of a group called "security_admin".
 
-  * Giving the "security_admin" the power to manage public keys.
+	* Giving the "security_admin" the power to manage public keys.
 
-  * Creation of a user called "attic", which will be the owner of retired records.
+	* Creation of a user called "attic", which will be the owner of retired records.
 
-  * Storing the "attic" user's API key in a variable called "conjur/users/attic/api-key".
+	* Create system identities for use services such as pubkeys, rotator, and ldap-sync.
 
-  * (optional) Create a new user who will be made a member and admin of the "security_admin" group.
+	* (optional) Create a new user who will be made a member and admin of the "security_admin" group.
 
-  * (optional) If a new user was created, login as that user.
+	* (optional) If a new user was created, login as that user.
+
+  The Bootstrap command can be extended to perform additional actions by CLI plugins. The plugin just 
+  needs to define a new class in Conjur::Bootstrap::Command. Its "perform" method will be run automatically.
   )
   
-  # Determines whether the current logged-in user is sufficiently powerful to perform bootstrap.
-  # This is currently determined by detecting whether the logged-in role:
-  #
-  # * Is a user
-  # * Has admin privilege on the security_admin group role
-  # * Is an owner of the security_admin group resource
-  #
-  # The admin user will always satisfy these conditions, unless they are revoked for some reason.
-  # Other users created by the bootstrap command will (typically) also have these powers.
-  def self.security_admin_manager? api
-    return true if elevated?
-    
-    username = api.username
-    user = if username.index('/')
-      nil
-    else
-      api.user(username)
+  class BootstrapListener
+    def echo msg
+      $stderr.puts msg
     end
-    security_admin = api.group("security_admin")
-    
-    if user
-      memberships = user.role.memberships.map(&:roleid)
-      if security_admin.exists?
-        # The user has a role which is admin of the security_admin role
-        # The user has the role which owns the security_admin resource
-        has_admin?(user.role, security_admin.role) &&
-          memberships.member?(security_admin.resource.ownerid)
-      else
-        user.login == "admin"
-      end
-    else
-      false
+  end
+  
+  class << self
+    def quiet? options
+      !$stdin.tty? || options[:quiet]
     end
   end
 
   Conjur::CLI.command :bootstrap do |c|
-    c.desc "Don't perform up-front checks to see if you are sufficiently privileged to run this command."
-    c.switch [:f, :force]
-        
+    c.desc "Print out all the commands to stderr as they run."
+    c.default_value true
+    c.switch [:v, :verbose]
+      
+    c.desc "Don't prompt for any user input, even if there's a TTY."
+    c.long_desc %Q(By default, 'bootstrap' may issue prompts on the TTY. For example, it will prompt you
+    to login if you aren't currently logged in as any user. It will also ask you if you want to create a new
+    'security_admin' user. This switch can be used to disable all such prompts, making it safe to run
+    'bootstrap' even when requests for user input cannot be handled. Prompts are also disabled if STDIN
+    is not a tty.)
+    c.default_value false
+    c.switch [:q, :quiet]
+      
     c.action do |global_options,options,args|
       require 'highline/import'
       
       # Ensure there's a logged in user
-      Conjur::Authn.connect
+      connect_options = {}
+      connect_options[:noask] = true if quiet?(options)
+      Conjur::Authn.connect nil, connect_options
 
-      force = options[:force]
-      exit_now! "You must be an administrator to bootstrap Conjur" unless force || security_admin_manager?(api)
-        
-      if (security_admin = api.group("security_admin")).exists?
-        puts "Group 'security_admin' exists"
-      else
-        puts "Creating group 'security_admin'"
-        security_admin = api.create_group("security_admin")
-      end
-      
-      security_admin.resource.give_to(security_admin) unless security_admin.resource.ownerid == security_admin.role.roleid
-      
-      key_managers = api.group("pubkeys-1.0/key-managers")
-      unless security_admin.role.memberships.map(&:roleid).member?(key_managers.role.roleid)
-        puts "Permitting group 'security_admin' to manage public keys"
-        key_managers.add_member security_admin, admin_option: true
-      end
-      
-      security_administrators = security_admin.role.members.select{|m| m.member.roleid.split(':')[1..-1] != [ 'user', 'admin'] }
-      puts "Current 'security_admin' members are : #{security_administrators.map{|m| m.member.roleid.split(':')[-1]}.join(', ')}" unless security_administrators.blank?
-      created_user = nil
-      if security_administrators.empty? || agree("Create a new security_admin? (answer 'y' or 'yes'):")
-        username = ask("Enter #{security_administrators.empty? ? 'your' : 'the'} username:")
-        password = prompt_for_password
-        puts "Creating user '#{username}'"
-        created_user = user = api.create_user(username, password: password)
-        Conjur::API.new_from_key(user.login, password).user(user.login).resource.give_to security_admin
-        puts "User created"
-        puts "Making '#{username}' a member and admin of group 'security_admin'"
-        security_admin.add_member user, admin_option: true
-        puts "Adminship granted"
+      unless api.global_privilege_permitted?('elevate')
+        $stderr.puts [
+          "You must have 'elevate' privilege to bootstrap Conjur.",
+          "If are performing a first-time bootstrap of Conjur, you should login as the 'admin' user",
+          "using the admin password you selected when you ran 'evoke configure master'.",
+          "",
+          "If you have run 'conjur bootstrap' before, using CLI version 4.30.0 or later, the 'elevate'",
+          "privilege is available to all members of the security_admin group."
+          ].join("\n")
+        exit_now! "Insufficient privileges to run 'bootstrap'."
       end
+
+      saved_log = Conjur.log
+      Conjur.log = $stderr if options[:verbose]
+            
+      api = self.api.with_privilege('elevate')
+      self.api = api
       
-      attic_user_name = "attic"
-      if (attic = api.user(attic_user_name)).exists?
-        puts "User '#{attic_user_name}' already exists"
-      else
-        puts "Creating user '#{attic_user_name}' to own retired records"
-        attic = api.create_user(attic_user_name)
-        api.create_variable "text/plain", 
-          "conjur-api-key", 
-          id: "conjur/users/#{attic_user_name}/api-key", 
-          value: attic.api_key,
-          ownerid: security_admin.role.roleid
-      end
+      api.bootstrap BootstrapListener.new
       
-      if created_user && agree("Login as user '#{created_user.login}'? (answer 'y' or 'yes'):")
-        Conjur::Authn.fetch_credentials(username: created_user.login, password: created_user.api_key)
-        puts "Logged in as '#{created_user.login}'"
+      unless quiet?(options)
+        security_admin = api.group('security_admin')
+        security_administrators = security_admin.role.members.select{|m| m.member.roleid.split(':')[1..-1] != [ 'user', 'admin'] }
+        $stderr.puts "Current 'security_admin' members are : #{security_administrators.map{|m| m.member.roleid.split(':', 3)[1..-1].join(':')}.sort.join(', ')}" unless security_administrators.blank?
+        created_user = nil
+        if security_administrators.empty? || agree("Create a new security_admin? (answer 'y' or 'yes'):")
+          username = ask("Enter #{security_administrators.empty? ? 'your' : 'the'} username:")
+          password = prompt_for_password
+          begin
+            # Don't echo the new admin user's password
+            Conjur.log = nil
+            $stderr.puts "Creating user '#{username}'"
+            created_user = user = api.create_user(username, password: password)
+          ensure
+            Conjur.log = saved_log
+          end
+          Conjur::API.new_from_key(user.login, password).user(user.login).resource.give_to security_admin
+          $stderr.puts "User created"
+          $stderr.puts "Making '#{username}' a member and admin of group 'security_admin'"
+          security_admin.add_member user, admin_option: true
+          $stderr.puts "Adminship granted"
+        end
+        
+        if created_user && agree("Login as user '#{created_user.login}'? (answer 'y' or 'yes'):")
+          Conjur::Authn.fetch_credentials(username: created_user.login, password: created_user.api_key)
+          $stderr.puts "Logged in as '#{created_user.login}'"
+        end
       end
     end
   end

data/lib/conjur/command/host_factories.rb

@@ -44,6 +44,9 @@ class Conjur::Command::HostFactories < Conjur::Command
         layers = (options[:layer] || "").split(/\s/)
         exit_now! "Provide at least one layer" unless layers.count > 0
 
+        unless has_admin?(current_role, owner_role)
+          exit_now! "#{owner_role.id} must be an admin of role '#{owner_role.roleid}' to create a host factory for it" 
+        end
         layers.each do |layerid|
           layer = api.layer(layerid)
           exit_now! "Layer '#{layerid}' does not exist" unless layer.exists?

data/lib/conjur/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2014-2015 Conjur Inc.
+# Copyright (C) 2014-2016 Conjur Inc.
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.29.0"
+  VERSION = "4.30.0"
   ::Version=VERSION
 end

data/publish.sh

@@ -1,6 +1,9 @@
-#!/bin/bash -ex
+#!/bin/bash -exu
 
 export DEBUG=true 
 export GLI_DEBUG=true 
 
-debify publish 4.6 cli
+DISTRIBUTION=$1
+COMPONENT=${2:-`echo $GIT_BRANCH | sed 's/^origin\///' | tr '/' '.'`}
+
+debify publish --component $COMPONENT $DISTRIBUTION cli

data/spec/command/host_factories_spec.rb

@@ -3,18 +3,20 @@ require 'conjur/command/host_factories'
 
 describe Conjur::Command::HostFactories, :logged_in => true do
   let (:group_memberships) { double(:group_memberships, :roleid => 'the-account:group:security_admin') }
-  let (:group) { double(:group, :exists? => true, :memberships => [group_memberships]) }
+  let (:current_role) { double(:current_role, roleid: 'the-account:user:dknuth', :memberships => [ double(:current_role_role, roleid: 'the-account:user:dknuth') ]) }
+  let (:group_members) { double(:layer_members, :member => double(:member, :roleid => 'the-account:user:dknuth'), :admin_option => true ) }
+  let (:group) { double(:group, roleid: 'the-account:group:the-group', :exists? => true, :memberships => [group_memberships], :members => [group_members]) }
   let (:layer_members) { double(:layer_members, :member => double(:member, :roleid => 'the-account:group:security_admin'), :admin_option => true ) }
-  let (:layer_role) { double(:layer_role, :members => [layer_members]) }
+  let (:layer_role) { double(:layer_role, roleid: 'the-account:layer:layer1', :members => [layer_members]) }
   let (:layer) { double(:layer, :exists? => true, :role => layer_role) }
 
   before do
+    allow(Conjur::Command.api).to receive(:role).with("user:dknuth").and_return current_role
     allow(Conjur::Command.api).to receive(:role).with("the-account:group:the-group").and_return group
     allow(Conjur::Command.api).to receive(:layer).with("layer1").and_return layer
   end
 
   describe_command 'hostfactory:create --as-group the-group --layer layer1 hf1 ' do
-
     it 'calls api.create_host_factory and prints the results' do
       expect_any_instance_of(Conjur::API).to receive(:create_host_factory).and_return '{}'
       expect { invoke }.to write('{}')
@@ -32,7 +34,5 @@ describe Conjur::Command::HostFactories, :logged_in => true do
         expect {invoke}.to raise_error('Provide at least one layer') 
       end
     end
-
   end
-
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 4.29.0
+  version: 4.30.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-05 00:00:00.000000000 Z
+date: 2016-02-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -297,6 +297,7 @@ files:
 - acceptance-features/authorization/role/graph.feature
 - acceptance-features/authorization/role/members.feature
 - acceptance-features/authorization/role/memberships.feature
+- acceptance-features/bootstrap.feature
 - acceptance-features/conjurenv/check.feature
 - acceptance-features/conjurenv/run.feature
 - acceptance-features/conjurenv/template.feature
@@ -365,6 +366,7 @@ files:
 - features/support/host.json
 - features/support/world.rb
 - jenkins.sh
+- lib/conjur-cli.rb
 - lib/conjur.rb
 - lib/conjur/audit/follower.rb
 - lib/conjur/authn.rb