conjur-cli 4.9.3 → 4.10.1

data/lib/conjur/command/assets.rb

@@ -17,104 +17,105 @@
 # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/authn'
-require 'conjur/command'
 
 class Conjur::Command::Assets < Conjur::Command
-  self.prefix = :asset
-
-  desc "Create an asset"
-  arg_name "kind:id"
-  command :create do |c|
-    def c.nodoc; true end
-    acting_as_option(c)
-    
-    c.action do |global_options, options, args|
-      # NOTE: no generic functions there, as :id is optional
-      kind, id = require_arg(args, 'kind:id').split(':')
-      id = nil if id.blank?
-      kind.gsub!('-', '_')
+  # Toplevel command
+  desc "Manage assets"
+  command :asset do |asset|
+    hide_docs(asset)
+    asset.desc "Create an asset"
+    asset.arg_name "kind:id"
+    asset.command :create do |create|
+      hide_docs(create)
+      acting_as_option(create)
+      create.action do |global_options, options, args|
+        # NOTE: no generic functions there, as :id is optional
+        kind, id = require_arg(args, 'kind:id').split(':')
+        id = nil if id.blank?
+        kind.gsub!('-', '_')
 
- 
-      m = "create_#{kind}"
-      record = if [ 1, -1 ].member?(api.method(m).arity)
-        if id
-          options[:id] = id
-        end
-        api.send(m, options)
-      else
-        unless id
-          raise "for kind #{kind} id should be specified explicitly after colon"
-        end
-        api.send(m, id, options)
+        m = "create_#{kind}"
+        record = if [ 1, -1 ].member?(api.method(m).arity)
+                   if id
+                     options[:id] = id
+                   end
+                   api.send(m, options)
+                 else
+                   unless id
+                     raise "for kind #{kind} id should be specified explicitly after colon"
+                   end
+                   api.send(m, id, options)
+                 end
+        display(record, options)
       end
-      display(record, options)
     end
-  end
-  
-  desc "Show an asset"
-  arg_name "id"
-  command :show do |c|
-    def c.nodoc; true end
-    c.action do |global_options,options,args|
-      kind, id = get_kind_and_id_from_args(args, 'id')
-      display api.send(kind, id).attributes
+
+    asset.desc "Show an asset"
+    asset.arg_name "id"
+    asset.command :show do |c|
+      c.action do |global_options,options,args|
+        kind, id = get_kind_and_id_from_args(args, 'id')
+        display api.send(kind, id).attributes
+      end
     end
-  end
 
-  desc "Checks for the existance of an asset"
-  arg_name "id"
-  command :exists do |c|
-    def c.nodoc; true end
-    c.action do |global_options,options,args|
-      kind, id = get_kind_and_id_from_args(args, 'id')
-      puts api.send(kind, id).exists?
+    asset.desc "Checks for the exisistance of an asset"
+    asset.arg_name "id"
+    asset.command :exists do |c|
+      c.action do |global_options,options,args|
+        kind, id = get_kind_and_id_from_args(args, 'id')
+        puts api.send(kind, id).exists?
+      end
     end
-  end
 
-  desc "List an asset"
-  arg_name "kind"
-  command :list do |c|
-    def c.nodoc; true end
-    c.action do |global_options,options,args|
-      kind = require_arg(args, "kind").gsub('-', '_')
-      if api.respond_to?(kind.pluralize)
-        api.send(kind.pluralize)
-      else
-        api.resources(kind: kind)
-      end.each do |e|
-        display(e, options)
+    asset.desc "List assets of a given kind"
+    asset.arg_name "kind"
+    asset.command :list do |c|
+      hide_docs c
+      c.action do |global_options,options,args|
+        kind = require_arg(args, "kind").gsub('-', '_')
+        if api.respond_to?(kind.pluralize)
+          api.send(kind.pluralize)
+        else
+          api.resources(kind: kind)
+        end.each do |e|
+          display(e, options)
+        end
       end
     end
-  end
 
-  desc "Add a member to an asset"
-  arg_name "id role-name member"
-  command :"members:add" do |c|
-    c.desc "Grant with admin option"
-    c.flag [:a, :admin]
+    asset.desc "Manage asset membership"
+    asset.command :members do |members|
+      members.desc "Add a member to an asset"
+      members.arg_name "id role-name member"
+      members.command :add do |c|
+        hide_docs(c)
+        c.desc "Grant with admin option"
+        c.flag [:a, :admin]
 
-    c.action do |global_options, options, args|
-      kind, id = get_kind_and_id_from_args(args, 'id')
-      role_name = require_arg(args, 'role-name')
-      member = require_arg(args, 'member')
-      admin_option = !options.delete(:admin).nil?
-      
-      api.send(kind, id).add_member role_name, member, admin_option: admin_option
-      puts "Membership granted"
-    end
-  end
+        c.action do |global_options, options, args|
+          kind, id = get_kind_and_id_from_args(args, 'id')
+          role_name = require_arg(args, 'role-name')
+          member = require_arg(args, 'member')
+          admin_option = !options.delete(:admin).nil?
 
-  desc "Remove a member from an asset"
-  arg_name "id role-name member"
-  command :"members:remove" do |c|
-    c.action do |global_options, options, args|
-      kind, id = get_kind_and_id_from_args(args, 'id')
-      role_name = require_arg(args, 'role-name')
-      member = require_arg(args, 'member')
-      api.send(kind, id).remove_member role_name, member
-      puts "Membership revoked"
+          api.send(kind, id).add_member role_name, member, admin_option: admin_option
+          puts "Membership granted"
+        end
+      end
+
+      members.desc "Remove a member from an asset"
+      members.arg_name "id role-name member"
+      members.command :remove do |c|
+        hide_docs c
+        c.action do |global_options, options, args|
+          kind, id = get_kind_and_id_from_args(args, 'id')
+          role_name = require_arg(args, 'role-name')
+          member = require_arg(args, 'member')
+          api.send(kind, id).remove_member role_name, member
+          puts "Membership revoked"
+        end
+      end
     end
   end
 end

data/lib/conjur/command/audit.rb

@@ -1,11 +1,5 @@
-require 'conjur/command'
-require 'active_support/ordered_hash'
-require 'conjur/audit/follower'
-
 class Conjur::Command
   class Audit < self
-    self.prefix = 'audit'
-    
     class << self
       private
       SHORT_FORMATS = {
@@ -15,7 +9,7 @@ class Conjur::Command
         'resource:destroy' => lambda{|e| "destroyed resource #{e[:resource]}" },
         'resource:permit' => lambda{|e| "permitted #{e[:grantee]} to #{e[:privilege]} #{e[:resource]} (grant option: #{!!e[:grant_option]})" },
         'resource:deny' => lambda{|e| "denied #{e[:privilege]} from #{e[:grantee]} on #{e[:resource]}" },
-        'resource:permitted_roles' => lambda{|e| "listed roles permitted to #{e[:permission]} on #{e[:resource]}" },
+        'resource:permitted_roles' => lambda{|e| "listed roles permitted to #{e[:privilege]} on #{e[:resource]}" },
         'role:check' => lambda{|e| "checked that #{e[:role] == e[:user] ? 'they' : e[:role]} can #{e[:privilege]} #{e[:resource]} (#{e[:allowed]})" },
         'role:grant' => lambda{|e| "granted role #{e[:role]} to #{e[:member]} #{e[:admin_option] ? ' with ' : ' without '}admin" },
         'role:revoke' => lambda{|e| "revoked role #{e[:role]} from #{e[:member]}" },
@@ -66,8 +60,8 @@ class Conjur::Command
         end
       end
 
-      def audit_feed_command kind, &block
-        command kind do |c|
+      def audit_feed_command parent, kind, &block
+        parent.command kind do |c|
           c.desc "Maximum number of events to fetch"
           c.flag [:l, :limit]
 
@@ -88,23 +82,28 @@ class Conjur::Command
       end
     end
 
-    desc "Show all audit events visible to the current user"
-    audit_feed_command :all do |args, options|
-      api.audit(options){ |es| show_audit_events es, options }
-    end
-    
-    desc "Show audit events related to a role"
-    arg_name 'role'
-    audit_feed_command :role do |args, options|
-      id = full_resource_id(require_arg(args, "role"))
-      api.audit_role(id, options){ |es| show_audit_events es, options }
-    end
-    
-    desc "Show audit events related to a resource"
-    arg_name 'resource'
-    audit_feed_command :resource do |args, options|
-      id = full_resource_id(require_arg args, "resource")
-      api.audit_resource(id, options){|es| show_audit_events es, options} 
+    desc "Show audit events"
+    command  :audit do |audit|
+      audit.desc "Show all audit events visible to the current user"
+      audit_feed_command audit, :all do |args, options|
+        api.audit(options){ |es| show_audit_events es, options }
+      end
+
+
+      audit.desc "Show audit events related to a role"
+      audit.arg_name 'role'
+      audit_feed_command audit, :role do |args, options|
+        id = full_resource_id(require_arg(args, "role"))
+        api.audit_role(id, options){ |es| show_audit_events es, options }
+      end
+
+
+      audit.desc "Show audit events related to a resource"
+      audit.arg_name 'resource'
+      audit_feed_command audit, :resource do |args, options|
+        id = full_resource_id(require_arg args, "resource")
+        api.audit_resource(id, options){|es| show_audit_events es, options}
+      end
     end
   end
 end

data/lib/conjur/command/authn.rb

@@ -17,68 +17,80 @@
 # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/authn'
-require 'conjur/command'
+
 
 class Conjur::Command::Authn < Conjur::Command
-  self.prefix = :authn
-  
-  desc "Logs in and caches credentials to netrc"
-  long_desc <<-DESC
-After successful login, subsequent commands automatically use the cached credentials. To switch users, login again using the new user credentials.
-To erase credentials, use the authn:logout command.
+  desc "Login and logout"
+  command :authn do |authn|
+    authn.desc "Logs in and caches credentials to netrc."
+    authn.arg_name "login-name"
+    authn.long_desc <<-DESC
+Logins in a user. Login name can be provided as the command argument, as -u or --username, or the command will prompt
+for the username. Password can be provided as -p, --password, or the command will prompt for the password.
+
+On successful login, the password is exchanged for the API key, which is cached in the operating system user's
+.netrc file. Subsequent "conjur" commands will authenticate with the cached login name and API key. To switch users, 
+login again using the new user credentials. To erase credentials, use the 'authn logout' command.
 
 If specified, the CAS server URL should be in the form https://<hostname>/v1.
 It should be running the CAS RESTful services at the /v1 path
 (or other path as specified by this argument).
-DESC
-  command :login do |c|
-    c.arg_name 'username'
-    c.flag [:u,:username]
+    DESC
+    authn.command :login do |c|
+      c.arg_name 'username'
+      c.flag [:u,:username]
 
-    c.arg_name 'password'
-    c.flag [:p,:password]
+      c.arg_name 'password'
+      c.flag [:p,:password]
 
-    c.arg_name 'CAS server'
-    c.desc 'Specifies a CAS server URL to use for login'
-    c.flag [:"cas-server"]
-    
-    c.action do |global_options,options,args|
-      Conjur::Authn.login(options)
+      c.arg_name 'CAS server'
+      c.desc 'Specifies a CAS server URL to use for login'
+      c.flag [:"cas-server"]
+
+      c.action do |global_options,options,args|
+        if options[:username].blank? && !args.empty?
+          options[:username] = args.pop
+        end
+        
+        Conjur::Authn.login(options.slice(:username, :password))
+        
+        puts "Logged in"
+      end
     end
-  end
-  
-  desc "Obtains an authentication token using the current logged-in user"
-  command :authenticate do |c|
-    c.arg_name 'header'
-    c.desc "Base64 encode the result and format as an HTTP Authorization header"
-    c.switch [:H,:header]
 
-    c.action do |global_options,options,args|
-      token = Conjur::Authn.authenticate(options)
-      if options[:header]
-        puts "Authorization: Token token=\"#{Base64.strict_encode64(token.to_json)}\""
-      else
-        puts token
+    authn.desc "Obtains an authentication token using the current logged-in user"
+    authn.command :authenticate do |c|
+      c.arg_name 'header'
+      c.desc "Base64 encode the result and format as an HTTP Authorization header"
+      c.switch [:H,:header]
+
+      c.action do |global_options,options,args|
+        token = Conjur::Authn.authenticate(options)
+        if options[:header]
+          puts "Authorization: Token token=\"#{Base64.strict_encode64(token.to_json)}\""
+        else
+          display token
+        end
       end
     end
-  end
-  
-  desc "Logs out"
-  command :logout do |c|
-    c.action do
-      Conjur::Authn.delete_credentials
+
+    authn.desc "Logs out"
+    authn.command :logout do |c|
+      c.action do
+        Conjur::Authn.delete_credentials
+
+        puts "Logged out"
+      end
     end
-  end
 
-  desc "Prints out the current logged in username"
-  command :whoami do |c|
-    c.action do
-      if creds = Conjur::Authn.read_credentials
-        puts({account: Conjur::Core::API.conjur_account, username: creds[0]}.to_json)
-      else
-        exit_now! 'Not logged in.', -1
+    authn.desc "Prints out the current logged in username"
+    authn.command :whoami do |c|
+      c.action do
+        if creds = Conjur::Authn.read_credentials
+          puts({account: Conjur::Core::API.conjur_account, username: creds[0]}.to_json)
+        else
+          exit_now! 'Not logged in.', -1
+        end
       end
     end
   end

data/lib/conjur/command/dsl_command.rb

@@ -18,7 +18,6 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/command'
 
 class Conjur::DSLCommand < Conjur::Command
   class << self

data/lib/conjur/command/env.rb

@@ -18,14 +18,15 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/authn'
-require 'conjur/command'
+#require 'conjur/authn'
+#require 'conjur/command'
 require 'conjur/conjurenv'
 require 'tempfile'
 
 class Conjur::Command::Env < Conjur::Command
-
-  self.prefix = :env
+  
+  desc "Use values of Conjur variables in local context"
+  #self.prefix = :env
 
   def self.common_parameters c
     c.desc "Environment configuration file"
@@ -49,8 +50,9 @@ class Conjur::Command::Env < Conjur::Command
     return env
   end
 
-  desc "Execute external command with environment variables populated from Conjur"
-  long_desc <<'RUNLONGDESC' 
+  command :env do |env|
+    env.desc "Execute external command with environment variables populated from Conjur"
+    env.long_desc <<'RUNLONGDESC' 
 Processes environment configuration (see env:help for details), and executes a command (with optional arguments) in the modified environment.
 Local names are uppercased and used as names of environment variables. 
 
@@ -66,38 +68,37 @@ KEY_PAIR_NAME="jenkins_key",
 SSH_KEYPAIR_PATH="/dev/shm/temp_file_with_key_obtained_from_Conjur",
 API_KEY="api key obtained from Conjur"
 RUNLONGDESC
-  arg_name "-- command [arg1, arg2 ...] "
-  command :run do |c|
-    common_parameters(c)
-
-    c.action do |global_options,options,args|
-      if args.empty? 
-        exit_now! "External command with optional arguments should be provided"
-      end
-      env = get_env_object(options)
-      runtime_environment = Hash[ env.obtain(api).map {|k,v| [k.upcase, v] } ]
-      if Conjur.log 
-        Conjur.log << "Running command in the prepared environment: #{args}"
+    env.arg_name "-- command [arg1, arg2 ...] "
+    env.command :run do |c|
+      common_parameters(c)
+
+      c.action do |global_options,options,args|
+        if args.empty? 
+          exit_now! "External command with optional arguments should be provided"
+        end
+        env = get_env_object(options)
+        runtime_environment = Hash[ env.obtain(api).map {|k,v| [k.upcase, v] } ]
+        if Conjur.log 
+          Conjur.log << "Running command in the prepared environment: #{args}"
+        end
+        Kernel.system(runtime_environment, *args) or exit($?.to_i) # keep original exit code in case of failure
       end
-      Kernel.system(runtime_environment, *args) or exit($?.to_i) # keep original exit code in case of failure
     end
-  end
-
-  desc "Check availability of Conjur variables" 
-  long_desc "Checks availability of Conjur variables mentioned in an environment configuration (see env:help for details), and prints out each local name and appropriate status"
 
-  command :check do |c|
-    common_parameters(c)
-    c.action do |global_options,options,args|
-      env = get_env_object(options)
-      result = env.check(api)
-      result.each { |k,v| puts "#{k}: #{v}" }
-      raise "Some variables are not available" unless result.values.select {|v| v == :unavailable }.empty?
-    end
-  end # command
+    env.desc "Check availability of Conjur variables" 
+    env.long_desc "Checks availability of Conjur variables mentioned in an environment configuration (see env:help for details), and prints out each local name and appropriate status"
+    env.command :check do |c|
+      common_parameters(c)
+      c.action do |global_options,options,args|
+        env = get_env_object(options)
+        result = env.check(api)
+        result.each { |k,v| puts "#{k}: #{v}" }
+        raise "Some variables are not available" unless result.values.select {|v| v == :unavailable }.empty?
+      end
+    end # command
 
-  desc "Render ERB template with variables obtained from Conjur"
-  long_desc <<'TEMPLATEDESC' 
+    env.desc "Render ERB template with variables obtained from Conjur"
+    env.long_desc <<'TEMPLATEDESC' 
 Processes environment configuration (see env:help for details), and creates a temporary file, which contains result of ERB template rendering in appropriate context.
 Template should refer to Conjur values by local name as "%<= conjurenv['local_name'] %>".
 
@@ -117,37 +118,38 @@ key_pair=jenkins_key, path_to_ssh_key=/dev/shm/temp_file_with_key_obtained_from_
 
 Result of the rendering will be stored in temporary file, which location is than printed to stdout
 TEMPLATEDESC
-  arg_name "template.erb" 
-  command :template do |c|
-    common_parameters(c)
-
-    c.action do |global_options,options,args|
-      template_file = args.first
-      exit_now! "Location of readable ERB template should be provided" unless template_file and File.readable?(template_file)
-      template = File.read(template_file)
-      env = get_env_object(options)
-      conjurenv = env.obtain(api)  # needed for binding
-      rendered = ERB.new(template).result(binding)
-
-      # 
-      tempfile = if File.directory?("/dev/shm") and File.writable?("/dev/shm")
-                    Tempfile.new("conjur","/dev/shm")
-                 else
-                    Tempfile.new("conjur")
-                 end
-      tempfile.write(rendered)
-      tempfile.close()
-      old_path = tempfile.path
-      new_path = old_path+".saved"
-      FileUtils.copy(old_path, new_path) # prevent garbage collection
-      puts new_path
+    env.arg_name "template.erb" 
+
+    env.command :template do |c|
+      common_parameters(c)
+
+      c.action do |global_options,options,args|
+        template_file = args.first
+        exit_now! "Location of readable ERB template should be provided" unless template_file and File.readable?(template_file)
+        template = File.read(template_file)
+        env = get_env_object(options)
+        conjurenv = env.obtain(api)  # needed for binding
+        rendered = ERB.new(template).result(binding)
+
+        # 
+        tempfile = if File.directory?("/dev/shm") and File.writable?("/dev/shm")
+                      Tempfile.new("conjur","/dev/shm")
+                   else
+                      Tempfile.new("conjur")
+                   end
+        tempfile.write(rendered)
+        tempfile.close()
+        old_path = tempfile.path
+        new_path = old_path+".saved"
+        FileUtils.copy(old_path, new_path) # prevent garbage collection
+        puts new_path
+      end
     end
-  end
 
-  desc "Print description of environment configuration format" 
-  command :help do |c|
-    c.action do |global_options,options,args|
-      puts """
+    env.desc "Print description of environment configuration format" 
+    env.command :help do |c|
+      c.action do |global_options,options,args|
+        puts """
 Environment configuration (either stored in file referred by -f option or provided inline with --yaml option) should be a YAML document describing one-level Hash.
 Keys of the hash are 'local names', used to refer to variable values in convenient manner.  (See help for env:run and env:template for more details about how they are interpreted).
 
@@ -163,8 +165,9 @@ Example of environment configuration:
 
 { local_variable_1: 'literal value', local_variable_2: !var id/of/Conjur/Variable , local_variable_3: !tmp id/of/another/Conjur/variable }
 
-    """ 
+""" 
+      end
     end
-  end
 
+  end
 end