conjur-cli 4.9.3 → 4.10.1

data/lib/conjur/command/policy.rb

@@ -24,8 +24,6 @@ require 'etc'
 require 'socket'
 
 class Conjur::Command::Policy < Conjur::DSLCommand
-  self.prefix = :policy
-  
   class << self
     def default_collection_user
       Etc.getlogin
@@ -40,18 +38,20 @@ class Conjur::Command::Policy < Conjur::DSLCommand
     end
   end
 
-  desc "Load a policy from Conjur DSL"
-  long_desc <<-DESC
+  desc "Manage policies"
+  command :policy do |policy|
+    policy.desc "Load a policy from Conjur DSL"
+    policy.long_desc <<-DESC
 This method is EXPERIMENTAL and subject to change
 
 Loads a Conjur policy from DSL, applying particular conventions to the role and resource
-ids. 
+ids.
 
 The first path element of each id is the collection. Policies are separated into collections
 according to software development lifecycle. The default collection for a policy is $USER@$HOSTNAME,
 in other words, the username and hostname on which the policy is created. This is approriate for
-policy development and local testing. Once tested, policies can be created in more official 
-environments such as ci, stage, and production. 
+policy development and local testing. Once tested, policies can be created in more official
+environments such as ci, stage, and production.
 
 The second path element of each id is the policy name and version, following the convention
 policy-x.y.z, where x, y, and z are the semantic version of the policy.
@@ -60,25 +60,26 @@ Next, each policy creates a policy role and policy resource. The policy resource
 annotations on the policy. The policy role becomes the owner of the owned policy assets. The
 --as-group and --as-role options can be used to set the owner of the policy role. The default
 owner of the policy role is the logged-in user (you), as always.
-  DESC
-  arg_name "(policy-file | STDIN)"
-  command :load do |c|
-    acting_as_option(c)
-    
-    c.desc "Policy collection (default: #{default_collection_user}@#{default_collection_hostname})"
-    c.arg_name "collection"
-    c.flag [:collection]
-    
-    c.desc "Load context from this config file, and save it when finished. The file permissions will be 0600 by default."
-    c.arg_name "context"
-    c.flag [:c, :context]
-    
-    c.action do |global_options,options,args|
-      collection = options[:collection] || default_collection_name
-      
-      run_script args, options do |runner, &block|
-        runner.scope collection do
-          block.call
+    DESC
+    policy.arg_name "(policy-file | STDIN)"
+    policy.command :load do |c|
+      acting_as_option(c)
+
+      c.desc "Policy collection (default: #{default_collection_user}@#{default_collection_hostname})"
+      c.arg_name "collection"
+      c.flag [:collection]
+
+      c.desc "Load context from this config file, and save it when finished. The file permissions will be 0600 by default."
+      c.arg_name "context"
+      c.flag [:c, :context]
+
+      c.action do |global_options,options,args|
+        collection = options[:collection] || default_collection_name
+
+        run_script args, options do |runner, &block|
+          runner.scope collection do
+            block.call
+          end
         end
       end
     end

data/lib/conjur/command/pubkeys.rb

@@ -0,0 +1,77 @@
+#
+# Copyright (C) 2013 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+
+require 'conjur/cli'
+
+class Conjur::Command::Pubkeys < Conjur::Command
+  desc "Public keys service operations"
+  command :pubkeys do |pubkeys|
+
+    pubkeys.desc "List public keys for the given user"
+    pubkeys.arg_name "username"
+    pubkeys.command :show do |c|
+      c.action do |global_options, options, args|
+        username = require_arg args, "username"
+        puts api.public_keys(username)
+      end
+    end
+
+    pubkeys.desc "List the names of a user's public keys"
+    pubkeys.arg_name "username"
+    pubkeys.command :names do |c|
+      c.action do |global_options, options, args|
+        username = require_arg args, "username"
+        api.public_keys(username)
+        .split("\n")
+        .map{|k| k.split(' ').last}
+        .sort.each{|n| puts n}
+      end
+    end
+
+    pubkeys.desc "Add a public key for a user"
+    pubkeys.arg_name "username key"
+    pubkeys.command :add do |c|
+      c.action do |global_options, options, args|
+        username = require_arg args, "username"
+        if key = args.shift
+          if /^@(.+)$/ =~ key
+            key = File.read(File.expand_path($1))
+          end
+        else
+          key = STDIN.read.strip
+        end
+        api.add_public_key username, key
+        puts "Public key '#{key.split(' ').last}' added"
+      end
+    end
+
+    pubkeys.desc "Removes a public key for a user"
+    pubkeys.arg_name "username keyname"
+    pubkeys.command :delete do |c|
+      c.action do |global_options, options, args|
+        username = require_arg args, "username"
+        keyname = require_arg args, "keyname"
+        api.delete_public_key username, keyname
+        puts "Public key '#{keyname}' deleted"
+      end
+    end
+  end
+end

data/lib/conjur/command/resources.rb

@@ -18,160 +18,159 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/authn'
-require 'conjur/resource'
-require 'conjur/command'
-
 class Conjur::Command::Resources < Conjur::Command
-  self.prefix = :resource
-
-  desc "Create a new resource"
-  arg_name "resource-id"
-  command :create do |c|
-    acting_as_option(c)
-    
-    c.action do |global_options,options,args|
-      id = full_resource_id( require_arg(args, "resource-id") )
-      resource = api.resource(id)
-
-      if ownerid = options.delete(:ownerid)
-        options[:acting_as] = ownerid
-      end
 
-      resource.create(options)
-      display resource.attributes
+  desc "Manage resources"
+  command :resource do |resource|
+
+    resource.desc "Create a new resource"
+    resource.arg_name "resource-id"
+    resource.command :create do |c|
+      acting_as_option(c)
+
+      c.action do |global_options,options,args|
+        id = full_resource_id( require_arg(args, "resource-id") )
+        resource = api.resource(id)
+
+        if ownerid = options.delete(:ownerid)
+          options[:acting_as] = ownerid
+        end
+
+        resource.create(options)
+        display resource.attributes
+      end
     end
-  end
-  
-  desc "Show a resource"
-  arg_name "resource-id"
-  command :show do |c|
-    c.action do |global_options,options,args|
-      id = full_resource_id( require_arg(args, "resource-id") )
-      display api.resource(id).attributes
+
+    resource.desc "Show a resource"
+    resource.arg_name "resource-id"
+    resource.command :show do |c|
+      c.action do |global_options,options,args|
+        id = full_resource_id( require_arg(args, "resource-id") )
+        display api.resource(id).attributes
+      end
     end
-  end
-    
-  desc "Determines whether a resource exists"
-  arg_name "resource-id"
-  command :exists do |c|
-    c.action do |global_options,options,args|
-      id = full_resource_id( require_arg(args, "resource-id") )
-      puts api.resource(id).exists?
+
+    resource.desc "Determines whether a resource exists"
+    resource.arg_name "resource-id"
+    resource.command :exists do |c|
+      c.action do |global_options,options,args|
+        id = full_resource_id( require_arg(args, "resource-id") )
+        puts api.resource(id).exists?
+      end
     end
-  end
 
-  desc "Give a privilege on a resource"
-  arg_name "resource-id role privilege"
-  command :permit do |c|
-    c.action do |global_options,options,args|
-      id = full_resource_id( require_arg(args, "resource-id") )
-      role = require_arg(args, "role")
-      privilege = require_arg(args, "privilege")
-      api.resource(id).permit privilege, role
-      puts "Permission granted"
+    resource.desc "Give a privilege on a resource"
+    resource.arg_name "resource-id role privilege"
+    resource.command :permit do |c|
+      c.action do |global_options,options,args|
+        id = full_resource_id( require_arg(args, "resource-id") )
+        role = require_arg(args, "role")
+        privilege = require_arg(args, "privilege")
+        api.resource(id).permit privilege, role
+        puts "Permission granted"
+      end
     end
-  end
 
-  desc "Deny a privilege on a resource"
-  arg_name "resource-id role privilege"
-  command :deny do |c|
-    c.action do |global_options,options,args|
-      id = full_resource_id( require_arg(args, "resource-id") )
-      role = require_arg(args, "role")
-      privilege = require_arg(args, "privilege")
-      api.resource(id).deny privilege, role
-      puts "Permission revoked"
+    resource.desc "Deny a privilege on a resource"
+    resource.arg_name "resource-id role privilege"
+    resource.command :deny do |c|
+      c.action do |global_options,options,args|
+        id = full_resource_id( require_arg(args, "resource-id") )
+        role = require_arg(args, "role")
+        privilege = require_arg(args, "privilege")
+        api.resource(id).deny privilege, role
+        puts "Permission revoked"
+      end
     end
-  end
 
-  desc "Check for a privilege on a resource"
-  long_desc """
+    resource.desc "Check for a privilege on a resource"
+    resource.long_desc """
   By default, the privilege is checked for the logged-in user.
   Permission checks may be performed for other roles using the optional role argument.
   When the role argument is used, either the logged-in user must either own the specified
   resource or be an admin of the specified role (i.e. be granted the specified role with grant option).
   """
-  arg_name "resource-id privilege"
-  command :check do |c|
-    c.desc "Role to check. By default, the current logged-in role is used"
-    c.flag [:r,:role]
-
-    c.action do |global_options,options,args|
-      id = full_resource_id( require_arg(args, "resource-id") )
-      privilege = args.shift or raise "Missing parameter: privilege"
-      if role = options[:role]
-        role = api.role(role)
-        puts role.permitted? id, privilege
-      else
-        puts api.resource(id).permitted? privilege
+    resource.arg_name "resource-id privilege"
+    resource.command :check do |c|
+      c.desc "Role to check. By default, the current logged-in role is used"
+      c.flag [:r,:role]
+
+      c.action do |global_options,options,args|
+        id = full_resource_id( require_arg(args, "resource-id") )
+        privilege = args.shift or raise "Missing parameter: privilege"
+        if role = options[:role]
+          role = api.role(role)
+          puts role.permitted? id, privilege
+        else
+          puts api.resource(id).permitted? privilege
+        end
       end
     end
-  end
 
-  desc "Grant ownership on a resource to a new owner"
-  arg_name "resource-id owner"
-  command :give do |c|
-    c.action do |global_options,options,args|
-      id = full_resource_id( require_arg(args, "resource-id") )
-      owner = require_arg(args, "owner")
-      api.resource(id).give_to owner
-      puts "Ownership granted"
+    resource.desc "Grant ownership on a resource to a new owner"
+    resource.arg_name "resource-id owner"
+    resource.command :give do |c|
+      c.action do |global_options,options,args|
+        id = full_resource_id( require_arg(args, "resource-id") )
+        owner = require_arg(args, "owner")
+        api.resource(id).give_to owner
+        puts "Ownership granted"
+      end
     end
-  end
 
-  desc "List roles with a specified permission on the resource"
-  arg_name "resource-id permission"
-  command :permitted_roles do |c|
-    c.action do |global_options,options,args|
-      id = full_resource_id( require_arg(args, "resource-id") )
-      permission = require_arg(args, "permission")
-      display api.resource(id).permitted_roles(permission)
+    resource.desc "List roles with a specified permission on the resource"
+    resource.arg_name "resource-id permission"
+    resource.command :permitted_roles do |c|
+      c.action do |global_options,options,args|
+        id = full_resource_id( require_arg(args, "resource-id") )
+        permission = require_arg(args, "permission")
+        display api.resource(id).permitted_roles(permission)
+      end
     end
-  end
-  
-  desc "Set an annotation on a resource"
-  arg_name "resource-id name value"
-  command :annotate do |c|
-    c.action do |global_options, options, args|
-      id = full_resource_id require_arg(args, 'resource-id')
-      name = require_arg args, 'name'
-      value = require_arg args, 'value'
-      api.resource(id).annotations[name] = value
-      puts "Set annotation '#{name}' to '#{value}' for resource '#{id}'"
+
+    resource.desc "Set an annotation on a resource"
+    resource.arg_name "resource-id name value"
+    resource.command :annotate do |c|
+      c.action do |global_options, options, args|
+        id = full_resource_id require_arg(args, 'resource-id')
+        name = require_arg args, 'name'
+        value = require_arg args, 'value'
+        api.resource(id).annotations[name] = value
+        puts "Set annotation '#{name}' to '#{value}' for resource '#{id}'"
+      end
     end
-  end
-  
-  desc "Show an annotation for a resource"
-  arg_name "resource-id name"
-  command :annotation do |c|
-    c.action do |global_options, options, args|
-      id = full_resource_id require_arg args, 'resource-id'
-      name = require_arg args, 'name'
-      value = api.resource(id).annotations[name]
-      puts value unless value.nil?
+
+    resource.desc "Show an annotation for a resource"
+    resource.arg_name "resource-id name"
+    resource.command :annotation do |c|
+      c.action do |global_options, options, args|
+        id = full_resource_id require_arg args, 'resource-id'
+        name = require_arg args, 'name'
+        value = api.resource(id).annotations[name]
+        puts value unless value.nil?
+      end
     end
-  end
-  
-  desc "Print annotations as JSON"
-  arg_name 'resource-id'
-  command :annotations do |c|
-    c.action do |go, o, args|
-      id = full_resource_id require_arg args, 'resource-id'
-      annots = api.resource(id).annotations.to_h
-      puts annots.to_json
+
+    resource.desc "Print annotations as JSON"
+    resource.arg_name 'resource-id'
+    resource.command :annotations do |c|
+      c.action do |go, o, args|
+        id = full_resource_id require_arg args, 'resource-id'
+        annots = api.resource(id).annotations.to_h
+        puts annots.to_json
+      end
     end
-  end
-  
-  desc "List all resources"
-  command :list do |c| 
-    c.desc "Filter by kind"
-    c.flag [:k, :kind]
-    
-    command_options_for_list c
-
-    c.action do |global_options, options, args| 
-      command_impl_for_list global_options, options, args
+
+    resource.desc "List all resources"
+    resource.command :list do |c|
+      c.desc "Filter by kind"
+      c.flag [:k, :kind]
+
+      command_options_for_list c
+
+      c.action do |global_options, options, args|
+        command_impl_for_list global_options, options, args
+      end
     end
   end
 end

data/lib/conjur/command/roles.rb

@@ -18,88 +18,116 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/authn'
-require 'conjur/command'
 
 class Conjur::Command::Roles < Conjur::Command
-  self.prefix = :role
-  
-  desc "Create a new role"
-  arg_name "role"
-  command :create do |c|
-    acting_as_option(c)
-
-    c.action do |global_options,options,args|
-      id = require_arg(args, 'role')
-      role = api.role(id)
+
+  desc "Manage roles"
+  command :role do |role|
+
+    role.desc "Create a new role"
+    role.arg_name "role"
+    role.command :create do |c|
+      acting_as_option(c)
       
-      if ownerid = options.delete(:ownerid)
-        options[:acting_as] = ownerid
+      c.desc "Output a JSON response with a single field, roleid"
+      c.switch "json"
+
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'role')
+        role = api.role(id)
+
+        if ownerid = options.delete(:ownerid)
+          options[:acting_as] = ownerid
+        end
+
+        role.create(options)
+        if options[:json]
+          display({
+            roleid: role.roleid
+          })
+        else
+          puts "Created role #{role.roleid}"
+        end
       end
-      
-      role.create(options)
-      puts "Created role #{role.roleid}"
     end
-  end
-  
-  desc "Determines whether a role exists"
-  arg_name "role"
-  command :exists do |c|
-    c.action do |global_options,options,args|
-      id = require_arg(args, 'role')
-      role = api.role(id)
-      puts role.exists?
+
+    role.desc "Determines whether a role exists"
+    role.arg_name "role"
+    role.command :exists do |c|
+      c.desc "Output a JSON response with a single field, exists"
+      c.switch "json"
+      
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'role')
+        role = api.role(id)
+        if options[:json]
+          display({
+            exists: role.exists?
+          })
+        else
+          puts role.exists?
+        end
+      end
     end
-  end
 
-  desc "Lists role memberships. The role membership list is recursively expanded."
-  arg_name "role"
-  command :memberships do |c|
-    c.action do |global_options,options,args|
-      roleid = args.shift
-      role = roleid.nil? && api.current_role || api.role(roleid)
-      display role.all.map(&:roleid)
+    role.desc "Lists role memberships. The role membership list is recursively expanded."
+    role.arg_name "role"
+
+    role.command :memberships do |c|
+      c.desc "Whether to show system (internal) roles"
+      c.switch [:s, :system]
+
+      c.action do |global_options,options,args|
+        roleid = args.shift
+        role = roleid.nil? && api.current_role || api.role(roleid)
+        memberships = role.all.map(&:roleid)
+        unless options[:system]
+          memberships.reject!{|id| id =~ /^.+?:@/}
+        end
+        display memberships
+      end
     end
-  end
 
-  desc "Lists all direct members of the role. The membership list is not recursively expanded."
-  arg_name "role"
-  command :members do |c|
-    c.desc "Verbose output"
-    c.switch [:V,:verbose]
-    
-    c.action do |global_options,options,args|
-      role = args.shift || api.user(api.username).roleid
-      display_members api.role(role).members, options
+    role.desc "Lists all direct members of the role. The membership list is not recursively expanded."
+    role.arg_name "role"
+    role.command :members do |c|
+      c.desc "Verbose output"
+      c.switch [:V,:verbose]
+
+      c.action do |global_options,options,args|
+        role = args.shift || api.user(api.username).roleid
+        display_members api.role(role).members, options
+      end
     end
-  end
 
-  desc "Grant a role to another role. You must have admin permission on the granting role."
-  arg_name "role member"
-  command :grant_to do |c|
-    c.desc "Whether to grant with admin option"
-    c.switch [:a,:admin]
-    
-    c.action do |global_options,options,args|
-      id = require_arg(args, 'role')
-      member = require_arg(args, 'member')
-      role = api.role(id)
-      grant_options = {}
-      grant_options[:admin_option] = true if options[:admin]
-      role.grant_to member, grant_options
-      puts "Role granted"
+    role.desc "Grant a role to another role. You must have admin permission on the granting role."
+    role.arg_name "role member"
+    role.command :grant_to do |c|
+      c.desc "Whether to grant with admin option"
+      c.switch [:a,:admin]
+
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'role')
+        member = require_arg(args, 'member')
+        role = api.role(id)
+        grant_options = {}
+        grant_options[:admin_option] = true if options[:admin]
+        role.grant_to member, grant_options
+        puts "Role granted"
+      end
     end
-  end
 
-  desc "Revoke a role from another role. You must have admin permission on the revoking role."
-  arg_name "role member"
-  command :revoke_from do |c|
-    c.action do |global_options,options,args|
-      id = require_arg(args, 'role')
-      member = require_arg(args, 'member')
-      role = api.role(id)
-      role.revoke_from member
-      puts "Role revoked"
+    role.desc "Revoke a role from another role. You must have admin permission on the revoking role."
+    role.arg_name "role member"
+    role.command :revoke_from do |c|
+      c.action do |global_options,options,args|
+        id = require_arg(args, 'role')
+        member = require_arg(args, 'member')
+        role = api.role(id)
+        role.revoke_from member
+        puts "Role revoked"
+      end
     end
   end
+
 end