conjur-cli 4.9.3 → 4.10.1

data/lib/conjur/command/field.rb

@@ -18,14 +18,12 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/command'
-
 class Conjur::Command::Field < Conjur::Command
   self.prefix = :field
   
   desc "(Deprecated. See standalone jsonfield command instead.)"
   command :select do |c|
-    def c.nodoc; true end
+    hide_docs(c)
 
     c.action do |global_options,options,args|
       pattern = require_arg(args, 'pattern')

data/lib/conjur/command/groups.rb

@@ -18,97 +18,110 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/authn'
-require 'conjur/command'
 
 class Conjur::Command::Groups < Conjur::Command
-  self.prefix = :group
-  
-  desc "Create a new group"
-  arg_name "id"
-  command :create do |c|
-    acting_as_option(c)
-    
-    c.action do |global_options,options,args|
-      id = require_arg(args, 'id')
-      
-      group = api.create_group(id, options)
-      display(group, options)
+  def self.assume_user_kind(role)
+    if role.split(':').length == 1
+      role = [ "user", role ].join(':')
     end
+    role
   end
+  
+  desc "Manage groups"
+  command :group do |group|
+    group.desc "Create a new group"
+    group.arg_name "id"
+    group.command :create do |c|
+      acting_as_option(c)
 
-  desc "List groups"
-  command :list do |c|
-    command_options_for_list c
-
-    c.action do |global_options, options, args|
-      command_impl_for_list global_options, options.merge(kind: "group"), args
-    end
-  end
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'id')
 
-  desc "Show a group"
-  arg_name "id"
-  command :show do |c|
-    c.action do |global_options,options,args|
-      id = require_arg(args, 'id')
-      display(api.group(id), options)
+        group = api.create_group(id, options)
+        display(group, options)
+      end
     end
-  end
 
-  desc "Lists all direct members of the group. The membership list is not recursively expanded."
-  arg_name "group"
-  command "members" do |c|
-    c.desc "Verbose output"
-    c.switch [:V,:verbose]
+    group.desc "List groups"
+    group.command :list do |c|
+      command_options_for_list c
 
-    c.action do |global_options,options,args|
-      group = require_arg(args, 'group')
-      
-      display_members api.group(group).role.members, options
+      c.action do |global_options, options, args|
+        command_impl_for_list global_options, options.merge(kind: "group"), args
+      end
     end
-  end
 
-  desc "Add a new group member"
-  arg_name "group member"
-  command :"members:add" do |c|
-    c.desc "Also grant the admin option"
-    c.switch [:a, :admin]
-
-    # perhaps this belongs to member:remove, but then either
-    # it would be possible to grant membership with member:revoke,
-    # or we would need two round-trips to authz
-    c.desc "Revoke the grant option if it's granted"
-    c.switch [:r, :'revoke-admin']
-    
-    c.action do |global_options,options,args|
-      group = require_arg(args, 'group')
-      member = require_arg(args, 'member')
-      
-      group = api.group(group)
-      opts = nil
-      message = "Membership granted"
-      if options[:admin] then
-        opts = { admin_option: true }
-        message = "Adminship granted"
-      elsif options[:'revoke-admin'] then
-        opts = { admin_option: false }
-        message = "Adminship revoked"
+    group.desc "Show a group"
+    group.arg_name "id"
+    group.command :show do |c|
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'id')
+        display(api.group(id), options)
       end
-      
-      group.add_member member, opts
-      puts message
     end
-  end
 
-  desc "Remove a group member"
-  arg_name "group member"
-  command :"members:remove" do |c|
-    c.action do |global_options,options,args|
-      group = require_arg(args, 'group')
-      member = require_arg(args, 'member')
-      
-      api.group(group).remove_member member
-      puts "Membership revoked"
+    group.desc "Show and manage group members"
+    group.command :members do |members|
+
+      members.desc "Lists all direct members of the group. The membership list is not recursively expanded."
+      members.arg_name "group"
+      members.command :list do |c|
+        c.desc "Verbose output"
+        c.switch [:V,:verbose]
+        c.action do |global_options,options,args|
+          group = require_arg(args, 'group')
+          display_members api.group(group).role.members, options
+        end
+      end
+
+      members.desc "Add a new group member"
+      members.arg_name "group member"
+      members.command :add do |c|
+        c.desc "Also grant the admin option"
+        c.switch [:a, :admin]
+
+        # perhaps this belongs to member:remove, but then either
+        # it would be possible to grant membership with member:revoke,
+        # or we would need two round-trips to authz
+        c.desc "Revoke the grant option if it's granted"
+        c.switch [:r, :'revoke-admin']
+
+        c.action do |global_options,options,args|
+          group = require_arg(args, 'group')
+          member = require_arg(args, 'member')
+          member = assume_user_kind(member)
+
+          group = api.group(group)
+          opts = nil
+          message = "Membership granted"
+          if options[:admin] then
+            opts = { admin_option: true }
+            message = "Adminship granted"
+          elsif options[:'revoke-admin'] then
+            opts = { admin_option: false }
+            message = "Adminship revoked"
+          end
+
+          group.add_member member, opts
+          puts message
+        end
+      end
+
+      members.desc "Remove a group member"
+      members.arg_name "group member"
+      members.command :remove do |c|
+        c.action do |global_options,options,args|
+          group = require_arg(args, 'group')
+          member = require_arg(args, 'member')
+          member = assume_user_kind(member)
+
+          api.group(group).remove_member member
+          puts "Membership revoked"
+        end
+      end
+
     end
+
   end
-end
+end
+

data/lib/conjur/command/hosts.rb

@@ -18,68 +18,68 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/authn'
-require 'conjur/command'
 
 class Conjur::Command::Hosts < Conjur::Command
-  self.prefix = :host
+  desc "Manage hosts"
+  command :host do |hosts|
+    hosts.desc "Create a new host"
+    hosts.arg_name "id"
+    hosts.command :create do |c|
+      c.arg_name "password"
+      c.flag [:p,:password]
 
-  desc "Create a new host"
-  arg_name "id"
-  command :create do |c|
-    c.arg_name "password"
-    c.flag [:p,:password]
-    
-    acting_as_option(c)
+      acting_as_option(c)
 
-    c.action do |global_options,options,args|
-      id = args.shift
-      options[:id] = id if id
+      c.action do |global_options,options,args|
+        id = args.shift
+        options[:id] = id if id
 
-      unless id
-        ActiveSupport::Deprecation.warn "id argument will be required in future releases"
+        unless id
+          ActiveSupport::Deprecation.warn "id argument will be required in future releases"
+        end
+
+        display api.create_host(options), options
       end
-      
-      display api.create_host(options), options
     end
-  end
-  
-  desc "Show a host"
-  arg_name "id"
-  command :show do |c|
-    c.action do |global_options,options,args|
-      id = require_arg(args, 'id')
-      display(api.host(id), options)
+
+    hosts.desc "Show a host"
+    hosts.arg_name "id"
+    hosts.command :show do |c|
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'id')
+        display(api.host(id), options)
+      end
     end
-  end
 
-  desc "List hosts"
-  command :list do |c|
-    command_options_for_list c
 
-    c.action do |global_options, options, args|
-      command_impl_for_list global_options, options.merge(kind: "host"), args
+
+    hosts.desc "List hosts"
+    hosts.command :list do |c|
+      command_options_for_list c
+      c.action do |global_options, options, args|
+        command_impl_for_list global_options, options.merge(kind: "host"), args
+      end
     end
-  end
-  
-  desc "List the layers to which the host belongs"
-  arg_name "id"
-  command :layers do |c|
-    c.action do |global_options, options, args|
-      id = require_arg(args, 'id')
-      display api.host(id).role.all.select{|r| r.kind == "layer"}.map(&:identifier), options
+
+    hosts.desc "Enroll a new host into conjur"
+    hosts.arg_name "host"
+    hosts.command :enroll do |c|
+      c.action do |global_options, options, args|
+        id = require_arg(args, 'host')
+        enrollment_url = api.host(id).enrollment_url
+        puts enrollment_url
+        $stderr.puts "On the target host, please execute the following command:"
+        $stderr.puts "curl -L #{enrollment_url} | bash"
+      end
     end
-  end
-  
-  desc "Enroll a new host into conjur"
-  arg_name "host"
-  command :enroll do |c|
-    c.action do |global_options, options, args|
-      id = require_arg(args, 'host')
-      enrollment_url = api.host(id).enrollment_url
-      puts enrollment_url
-      $stderr.puts "On the target host, please execute the following command:"
-      $stderr.puts "curl -L #{enrollment_url} | bash"
+
+    hosts.desc "List the layers to which the host belongs"
+    hosts.arg_name "id"
+    hosts.command :layers do |c|
+      c.action do |global_options, options, args|
+        id = require_arg(args, 'id')
+        display api.host(id).role.all.select{|r| r.kind == "layer"}.map(&:identifier), options
+      end
     end
   end
 end

data/lib/conjur/command/ids.rb

@@ -18,16 +18,17 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/command'
 
 class Conjur::Command::Id < Conjur::Command
-  self.prefix = :id
-
-  desc "Creates a new unique id"
-  command :create do |c|
-    c.action do |global_options,options,args|
-      var = api.create_variable("text/plain", "unique-id", {})
-      puts var.id
+  desc "Manage ids"
+  command :id do |id|
+    id.desc "Creates a new unique id"
+    id.command :create do |c|
+      c.action do |global_options,options,args|
+        var = api.create_variable("text/plain", "unique-id", {})
+        puts var.id
+      end
     end
+
   end
 end

data/lib/conjur/command/init.rb

@@ -18,6 +18,7 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+require 'highline'
 require 'conjur/command'
 require 'openssl'
 require 'socket'

data/lib/conjur/command/layers.rb

@@ -0,0 +1,171 @@
+require 'conjur/command'
+
+class Conjur::Command::Layers < Conjur::Command
+
+
+  # Form an account:kind:hostid from the host argument
+  # Or interpret a fully-qualified role id
+  def self.require_hostid_arg(args)
+    hostid = require_arg(args, 'host')
+    unless hostid.index(':')
+      hostid = [ Conjur::Core::API.conjur_account, 'host', hostid ].join(':')
+    end
+    hostid
+  end
+
+  def self.interpret_layer_privilege(privilege)
+    case privilege
+      when 'execute'
+        'use_host'
+      when 'update'
+        'admin_host'
+      else
+        exit_now! "Invalid privilege '#{privilege}'. Acceptable values are : execute, update"
+    end
+  end
+
+  def self.parse_layer_permission_args(global_options, options, args)
+    id = require_arg(args, "layer")
+    role = require_arg(args, "role")
+    privilege = require_arg(args, "privilege")
+    role_name = interpret_layer_privilege privilege
+    [ id, role_name, role ]
+  end
+
+  desc "Operations on layers"
+  command :layer do |layer|
+
+    layer.desc "Create a new layer"
+    layer.arg_name "id"
+    layer.command :create do |c|
+      acting_as_option(c)
+
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'id')
+
+        layer = api.create_layer(id, options)
+        display(layer, options)
+      end
+    end
+
+    layer.desc "List layers"
+    layer.command :list do |c|
+      command_options_for_list c
+
+      c.action do |global_options, options, args|
+        command_impl_for_list global_options, options.merge(kind: "layer"), args
+      end
+    end
+
+    layer.desc "Show a layer"
+    layer.arg_name "id"
+    layer.command :show do |c|
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'id')
+        display(api.layer(id), options)
+      end
+    end
+
+    layer.desc "Provision a layer by creating backing resources in an IaaS / PaaS system"
+    layer.arg_name "layer"
+    layer.command :provision do |c|
+      hide_docs(c)
+
+      c.desc "Provisioner to use (aws)"
+      c.arg_name "provisioner"
+      c.flag [ :provisioner ]
+
+      c.desc "Variable holding a credential used to connect to the provisioner"
+      c.arg_name "variableid"
+      c.flag [ :credential ]
+
+      c.desc "AWS bucket to contain the bootstrap credentials (will be created if missing)"
+      c.arg_name "bucket"
+      c.flag [ :bucket ]
+
+      c.action do |global_options, options, args|
+        id = require_arg(args, 'layer')
+        provisioner = options[:provisioner] or exit_now!("Missing argument: provisioner")
+        credential = options[:credential] or exit_now!("Missing argument: credential")
+        bucket = options[:bucket] or exit_now!("Missing argument: bucket")
+        raise "Supported provisioners: aws" unless provisioner == "aws"
+
+        require "conjur/provisioner/layer/aws"
+
+        layer = api.layer(id)
+        class << layer
+          include Conjur::Provisioner::Layer::AWS
+        end
+        layer.aws_bucket_name = bucket
+        layer.aws_credentialid = credential
+        layer.provision
+
+        puts "Layer provisioned by #{provisioner}"
+      end
+    end
+
+    layer.desc "Operations on hosts"
+    layer.command :hosts do |hosts|
+      hosts.desc "Permit a privilege on hosts in the layer"
+      hosts.long_desc <<-DESC
+Privilege may be : execute, update
+      DESC
+      hosts.arg_name "layer role privilege"
+      hosts.command :permit do |c|
+        c.action do |global_options,options,args|
+          id, role_name, role = parse_layer_permission_args(global_options, options, args)
+          api.layer(id).add_member role_name, role
+          puts "Permission granted"
+        end
+      end
+
+      hosts.desc "Remove a privilege on hosts in the layer"
+      hosts.arg_name "layer role privilege"
+      hosts.command :deny do |c|
+        c.action do |global_options,options,args|
+          id, role_name, role = parse_layer_permission_args(global_options, options, args)
+          api.layer(id).remove_member role_name, role
+          puts "Permission removed"
+        end
+      end
+
+      hosts.desc "List roles that have permission on the hosts"
+      hosts.arg_name "layer privilege"
+      hosts.command :permitted_roles do |c|
+        c.action do |global_options,options,args|
+          id = require_arg(args, "layer")
+          role_name = interpret_layer_privilege require_arg(args, "privilege")
+
+          members = api.layer(id).hosts_members(role_name).map(&:member).select do |m|
+            m.kind != "@"
+          end
+          display members.map(&:roleid)
+        end
+      end
+
+      hosts.desc "Add a host to an layer"
+      hosts.arg_name "layer host"
+      hosts.command :add do |c|
+        c.action do |global_options, options, args|
+          id = require_arg(args, 'layer')
+          hostid = require_hostid_arg(args)
+
+          api.layer(id).add_host hostid
+          puts "Host added"
+        end
+      end
+
+      hosts.desc "Remove a host from an layer"
+      hosts.arg_name "layer host"
+      hosts.command :remove do |c|
+        c.action do |global_options, options, args|
+          id = require_arg(args, 'layer')
+          hostid = require_hostid_arg(args)
+
+          api.layer(id).remove_host hostid
+          puts "Host removed"
+        end
+      end
+    end
+  end
+end