conjur-cli 4.9.3 → 4.10.1
- checksums.yaml +7 -0
- data/.gitignore +2 -0
- data/Gemfile +2 -1
- data/Rakefile +32 -1
- data/bin/_conjur_completions +48 -0
- data/bin/_conjur_completions.yaml +96 -0
- data/conjur.gemspec +2 -2
- data/lib/conjur/authn.rb +14 -4
- data/lib/conjur/cli.rb +54 -18
- data/lib/conjur/command.rb +23 -11
- data/lib/conjur/command/assets.rb +85 -84
- data/lib/conjur/command/audit.rb +25 -26
- data/lib/conjur/command/authn.rb +60 -48
- data/lib/conjur/command/dsl_command.rb +0 -1
- data/lib/conjur/command/env.rb +68 -65
- data/lib/conjur/command/field.rb +1 -3
- data/lib/conjur/command/groups.rb +91 -78
- data/lib/conjur/command/hosts.rb +50 -50
- data/lib/conjur/command/ids.rb +9 -8
- data/lib/conjur/command/init.rb +1 -0
- data/lib/conjur/command/layers.rb +171 -0
- data/lib/conjur/command/policy.rb +27 -26
- data/lib/conjur/command/pubkeys.rb +77 -0
- data/lib/conjur/command/resources.rb +129 -130
- data/lib/conjur/command/roles.rb +97 -69
- data/lib/conjur/command/script.rb +13 -14
- data/lib/conjur/command/secrets.rb +18 -21
- data/lib/conjur/command/users.rb +46 -45
- data/lib/conjur/command/variables.rb +72 -85
- data/lib/conjur/config.rb +3 -0
- data/lib/conjur/dsl/runner.rb +0 -1
- data/lib/conjur/version.rb +1 -1
- data/profile.rb +19 -0
- data/spec/command/authn_spec.rb +37 -1
- data/spec/command/groups_spec.rb +18 -7
- data/spec/command/layers_spec.rb +35 -0
- data/spec/command/pubkeys_spec.rb +75 -0
- data/spec/command/users_spec.rb +25 -0
- metadata +50 -67
@@ -24,8 +24,6 @@ require 'etc'
|
|
24
24
|
require 'socket'
|
25
25
|
|
26
26
|
class Conjur::Command::Policy < Conjur::DSLCommand
|
27
|
-
self.prefix = :policy
|
28
|
-
|
29
27
|
class << self
|
30
28
|
def default_collection_user
|
31
29
|
Etc.getlogin
|
@@ -40,18 +38,20 @@ class Conjur::Command::Policy < Conjur::DSLCommand
|
|
40
38
|
end
|
41
39
|
end
|
42
40
|
|
43
|
-
desc "
|
44
|
-
|
41
|
+
desc "Manage policies"
|
42
|
+
command :policy do |policy|
|
43
|
+
policy.desc "Load a policy from Conjur DSL"
|
44
|
+
policy.long_desc <<-DESC
|
45
45
|
This method is EXPERIMENTAL and subject to change
|
46
46
|
|
47
47
|
Loads a Conjur policy from DSL, applying particular conventions to the role and resource
|
48
|
-
ids.
|
48
|
+
ids.
|
49
49
|
|
50
50
|
The first path element of each id is the collection. Policies are separated into collections
|
51
51
|
according to software development lifecycle. The default collection for a policy is $USER@$HOSTNAME,
|
52
52
|
in other words, the username and hostname on which the policy is created. This is approriate for
|
53
|
-
policy development and local testing. Once tested, policies can be created in more official
|
54
|
-
environments such as ci, stage, and production.
|
53
|
+
policy development and local testing. Once tested, policies can be created in more official
|
54
|
+
environments such as ci, stage, and production.
|
55
55
|
|
56
56
|
The second path element of each id is the policy name and version, following the convention
|
57
57
|
policy-x.y.z, where x, y, and z are the semantic version of the policy.
|
@@ -60,25 +60,26 @@ Next, each policy creates a policy role and policy resource. The policy resource
|
|
60
60
|
annotations on the policy. The policy role becomes the owner of the owned policy assets. The
|
61
61
|
--as-group and --as-role options can be used to set the owner of the policy role. The default
|
62
62
|
owner of the policy role is the logged-in user (you), as always.
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
63
|
+
DESC
|
64
|
+
policy.arg_name "(policy-file | STDIN)"
|
65
|
+
policy.command :load do |c|
|
66
|
+
acting_as_option(c)
|
67
|
+
|
68
|
+
c.desc "Policy collection (default: #{default_collection_user}@#{default_collection_hostname})"
|
69
|
+
c.arg_name "collection"
|
70
|
+
c.flag [:collection]
|
71
|
+
|
72
|
+
c.desc "Load context from this config file, and save it when finished. The file permissions will be 0600 by default."
|
73
|
+
c.arg_name "context"
|
74
|
+
c.flag [:c, :context]
|
75
|
+
|
76
|
+
c.action do |global_options,options,args|
|
77
|
+
collection = options[:collection] || default_collection_name
|
78
|
+
|
79
|
+
run_script args, options do |runner, &block|
|
80
|
+
runner.scope collection do
|
81
|
+
block.call
|
82
|
+
end
|
82
83
|
end
|
83
84
|
end
|
84
85
|
end
|
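Review bot: The new `c.desc` for `--collection` interpolates `default_collection_user`, which the context lines show is `Etc.getlogin`; that call returns nil when the process has no login session (cron, CI runners), and Ruby's documentation advises against relying on it for anything security-related. If `default_collection_name` (its body is outside the hunks) builds the collection from the same value, policies loaded from such an environment would land in a collection with an empty user part. A fallback such as `Etc.getlogin || Etc.getpwuid(Process.uid).name` keeps the default well defined. The body of `default_collection_user` may continue outside the hunk.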
@@ -0,0 +1,77 @@
|
|
1
|
+
#
|
2
|
+
# Copyright (C) 2013 Conjur Inc
|
3
|
+
#
|
4
|
+
# Permission is hereby granted, free of charge, to any person obtaining a copy of
|
5
|
+
# this software and associated documentation files (the "Software"), to deal in
|
6
|
+
# the Software without restriction, including without limitation the rights to
|
7
|
+
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
8
|
+
# the Software, and to permit persons to whom the Software is furnished to do so,
|
9
|
+
# subject to the following conditions:
|
10
|
+
#
|
11
|
+
# The above copyright notice and this permission notice shall be included in all
|
12
|
+
# copies or substantial portions of the Software.
|
13
|
+
#
|
14
|
+
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
15
|
+
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
16
|
+
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
17
|
+
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
18
|
+
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
|
+
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
|
+
#
|
21
|
+
|
22
|
+
require 'conjur/cli'
|
23
|
+
|
24
|
+
class Conjur::Command::Pubkeys < Conjur::Command
|
25
|
+
desc "Public keys service operations"
|
26
|
+
command :pubkeys do |pubkeys|
|
27
|
+
|
28
|
+
pubkeys.desc "List public keys for the given user"
|
29
|
+
pubkeys.arg_name "username"
|
30
|
+
pubkeys.command :show do |c|
|
31
|
+
c.action do |global_options, options, args|
|
32
|
+
username = require_arg args, "username"
|
33
|
+
puts api.public_keys(username)
|
34
|
+
end
|
35
|
+
end
|
36
|
+
|
37
|
+
pubkeys.desc "List the names of a user's public keys"
|
38
|
+
pubkeys.arg_name "username"
|
39
|
+
pubkeys.command :names do |c|
|
40
|
+
c.action do |global_options, options, args|
|
41
|
+
username = require_arg args, "username"
|
42
|
+
api.public_keys(username)
|
43
|
+
.split("\n")
|
44
|
+
.map{|k| k.split(' ').last}
|
45
|
+
.sort.each{|n| puts n}
|
46
|
+
end
|
47
|
+
end
|
48
|
+
|
49
|
+
pubkeys.desc "Add a public key for a user"
|
50
|
+
pubkeys.arg_name "username key"
|
51
|
+
pubkeys.command :add do |c|
|
52
|
+
c.action do |global_options, options, args|
|
53
|
+
username = require_arg args, "username"
|
54
|
+
if key = args.shift
|
55
|
+
if /^@(.+)$/ =~ key
|
56
|
+
key = File.read(File.expand_path($1))
|
57
|
+
end
|
58
|
+
else
|
59
|
+
key = STDIN.read.strip
|
60
|
+
end
|
61
|
+
api.add_public_key username, key
|
62
|
+
puts "Public key '#{key.split(' ').last}' added"
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
66
|
+
pubkeys.desc "Removes a public key for a user"
|
67
|
+
pubkeys.arg_name "username keyname"
|
68
|
+
pubkeys.command :delete do |c|
|
69
|
+
c.action do |global_options, options, args|
|
70
|
+
username = require_arg args, "username"
|
71
|
+
keyname = require_arg args, "keyname"
|
72
|
+
api.delete_public_key username, keyname
|
73
|
+
puts "Public key '#{keyname}' deleted"
|
74
|
+
end
|
75
|
+
end
|
76
|
+
end
|
77
|
+
end
|
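Review bot: In the `add` action, the `@file` branch passes the file's contents to `api.add_public_key` unstripped and unchecked, while the STDIN branch is stripped; pointing `@` at the private half of a key pair by mistake would send it to the server. Reading with `key = File.read(File.expand_path($1)).strip` and rejecting obvious private-key material before the API call, e.g. `raise "Refusing to upload: input looks like a private key" if key.include?("PRIVATE KEY")`, closes that gap. The pattern `/^@(.+)$/` matches per line; `/\A@(.+)\z/` anchors the whole argument. Note also that `key.split(' ').last` reports the base64 body as the key name when the key carries no comment field.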
@@ -18,160 +18,159 @@
|
|
18
18
|
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
19
19
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
20
20
|
#
|
21
|
-
require 'conjur/authn'
|
22
|
-
require 'conjur/resource'
|
23
|
-
require 'conjur/command'
|
24
|
-
|
25
21
|
class Conjur::Command::Resources < Conjur::Command
|
26
|
-
self.prefix = :resource
|
27
|
-
|
28
|
-
desc "Create a new resource"
|
29
|
-
arg_name "resource-id"
|
30
|
-
command :create do |c|
|
31
|
-
acting_as_option(c)
|
32
|
-
|
33
|
-
c.action do |global_options,options,args|
|
34
|
-
id = full_resource_id( require_arg(args, "resource-id") )
|
35
|
-
resource = api.resource(id)
|
36
|
-
|
37
|
-
if ownerid = options.delete(:ownerid)
|
38
|
-
options[:acting_as] = ownerid
|
39
|
-
end
|
40
22
|
|
41
|
-
|
42
|
-
|
23
|
+
desc "Manage resources"
|
24
|
+
command :resource do |resource|
|
25
|
+
|
26
|
+
resource.desc "Create a new resource"
|
27
|
+
resource.arg_name "resource-id"
|
28
|
+
resource.command :create do |c|
|
29
|
+
acting_as_option(c)
|
30
|
+
|
31
|
+
c.action do |global_options,options,args|
|
32
|
+
id = full_resource_id( require_arg(args, "resource-id") )
|
33
|
+
resource = api.resource(id)
|
34
|
+
|
35
|
+
if ownerid = options.delete(:ownerid)
|
36
|
+
options[:acting_as] = ownerid
|
37
|
+
end
|
38
|
+
|
39
|
+
resource.create(options)
|
40
|
+
display resource.attributes
|
41
|
+
end
|
43
42
|
end
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
43
|
+
|
44
|
+
resource.desc "Show a resource"
|
45
|
+
resource.arg_name "resource-id"
|
46
|
+
resource.command :show do |c|
|
47
|
+
c.action do |global_options,options,args|
|
48
|
+
id = full_resource_id( require_arg(args, "resource-id") )
|
49
|
+
display api.resource(id).attributes
|
50
|
+
end
|
52
51
|
end
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
52
|
+
|
53
|
+
resource.desc "Determines whether a resource exists"
|
54
|
+
resource.arg_name "resource-id"
|
55
|
+
resource.command :exists do |c|
|
56
|
+
c.action do |global_options,options,args|
|
57
|
+
id = full_resource_id( require_arg(args, "resource-id") )
|
58
|
+
puts api.resource(id).exists?
|
59
|
+
end
|
61
60
|
end
|
62
|
-
end
|
63
61
|
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
62
|
+
resource.desc "Give a privilege on a resource"
|
63
|
+
resource.arg_name "resource-id role privilege"
|
64
|
+
resource.command :permit do |c|
|
65
|
+
c.action do |global_options,options,args|
|
66
|
+
id = full_resource_id( require_arg(args, "resource-id") )
|
67
|
+
role = require_arg(args, "role")
|
68
|
+
privilege = require_arg(args, "privilege")
|
69
|
+
api.resource(id).permit privilege, role
|
70
|
+
puts "Permission granted"
|
71
|
+
end
|
73
72
|
end
|
74
|
-
end
|
75
73
|
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
74
|
+
resource.desc "Deny a privilege on a resource"
|
75
|
+
resource.arg_name "resource-id role privilege"
|
76
|
+
resource.command :deny do |c|
|
77
|
+
c.action do |global_options,options,args|
|
78
|
+
id = full_resource_id( require_arg(args, "resource-id") )
|
79
|
+
role = require_arg(args, "role")
|
80
|
+
privilege = require_arg(args, "privilege")
|
81
|
+
api.resource(id).deny privilege, role
|
82
|
+
puts "Permission revoked"
|
83
|
+
end
|
85
84
|
end
|
86
|
-
end
|
87
85
|
|
88
|
-
|
89
|
-
|
86
|
+
resource.desc "Check for a privilege on a resource"
|
87
|
+
resource.long_desc """
|
90
88
|
By default, the privilege is checked for the logged-in user.
|
91
89
|
Permission checks may be performed for other roles using the optional role argument.
|
92
90
|
When the role argument is used, either the logged-in user must either own the specified
|
93
91
|
resource or be an admin of the specified role (i.e. be granted the specified role with grant option).
|
94
92
|
"""
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
93
|
+
resource.arg_name "resource-id privilege"
|
94
|
+
resource.command :check do |c|
|
95
|
+
c.desc "Role to check. By default, the current logged-in role is used"
|
96
|
+
c.flag [:r,:role]
|
97
|
+
|
98
|
+
c.action do |global_options,options,args|
|
99
|
+
id = full_resource_id( require_arg(args, "resource-id") )
|
100
|
+
privilege = args.shift or raise "Missing parameter: privilege"
|
101
|
+
if role = options[:role]
|
102
|
+
role = api.role(role)
|
103
|
+
puts role.permitted? id, privilege
|
104
|
+
else
|
105
|
+
puts api.resource(id).permitted? privilege
|
106
|
+
end
|
108
107
|
end
|
109
108
|
end
|
110
|
-
end
|
111
109
|
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
110
|
+
resource.desc "Grant ownership on a resource to a new owner"
|
111
|
+
resource.arg_name "resource-id owner"
|
112
|
+
resource.command :give do |c|
|
113
|
+
c.action do |global_options,options,args|
|
114
|
+
id = full_resource_id( require_arg(args, "resource-id") )
|
115
|
+
owner = require_arg(args, "owner")
|
116
|
+
api.resource(id).give_to owner
|
117
|
+
puts "Ownership granted"
|
118
|
+
end
|
120
119
|
end
|
121
|
-
end
|
122
120
|
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
|
121
|
+
resource.desc "List roles with a specified permission on the resource"
|
122
|
+
resource.arg_name "resource-id permission"
|
123
|
+
resource.command :permitted_roles do |c|
|
124
|
+
c.action do |global_options,options,args|
|
125
|
+
id = full_resource_id( require_arg(args, "resource-id") )
|
126
|
+
permission = require_arg(args, "permission")
|
127
|
+
display api.resource(id).permitted_roles(permission)
|
128
|
+
end
|
130
129
|
end
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
130
|
+
|
131
|
+
resource.desc "Set an annotation on a resource"
|
132
|
+
resource.arg_name "resource-id name value"
|
133
|
+
resource.command :annotate do |c|
|
134
|
+
c.action do |global_options, options, args|
|
135
|
+
id = full_resource_id require_arg(args, 'resource-id')
|
136
|
+
name = require_arg args, 'name'
|
137
|
+
value = require_arg args, 'value'
|
138
|
+
api.resource(id).annotations[name] = value
|
139
|
+
puts "Set annotation '#{name}' to '#{value}' for resource '#{id}'"
|
140
|
+
end
|
142
141
|
end
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
142
|
+
|
143
|
+
resource.desc "Show an annotation for a resource"
|
144
|
+
resource.arg_name "resource-id name"
|
145
|
+
resource.command :annotation do |c|
|
146
|
+
c.action do |global_options, options, args|
|
147
|
+
id = full_resource_id require_arg args, 'resource-id'
|
148
|
+
name = require_arg args, 'name'
|
149
|
+
value = api.resource(id).annotations[name]
|
150
|
+
puts value unless value.nil?
|
151
|
+
end
|
153
152
|
end
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
153
|
+
|
154
|
+
resource.desc "Print annotations as JSON"
|
155
|
+
resource.arg_name 'resource-id'
|
156
|
+
resource.command :annotations do |c|
|
157
|
+
c.action do |go, o, args|
|
158
|
+
id = full_resource_id require_arg args, 'resource-id'
|
159
|
+
annots = api.resource(id).annotations.to_h
|
160
|
+
puts annots.to_json
|
161
|
+
end
|
163
162
|
end
|
164
|
-
|
165
|
-
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
163
|
+
|
164
|
+
resource.desc "List all resources"
|
165
|
+
resource.command :list do |c|
|
166
|
+
c.desc "Filter by kind"
|
167
|
+
c.flag [:k, :kind]
|
168
|
+
|
169
|
+
command_options_for_list c
|
170
|
+
|
171
|
+
c.action do |global_options, options, args|
|
172
|
+
command_impl_for_list global_options, options, args
|
173
|
+
end
|
175
174
|
end
|
176
175
|
end
|
177
176
|
end
|
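Review bot: Inside `command :resource do |resource|`, the `create` action assigns `resource = api.resource(id)`, which rebinds the enclosing block's `resource` parameter (nested Ruby blocks share the outer local) instead of creating a new variable. This is probably harmless as long as every subcommand is registered before an action runs, but it reads like a fresh local and would break any later use of the command object; a distinct name such as `res = api.resource(id)` followed by `res.create(options)` and `display res.attributes` avoids it. The same rebinding appears in roles.rb, where actions assign `role = api.role(id)` inside `command :role do |role|`. Separately, the `check` action uses `args.shift or raise "Missing parameter: privilege"` where every other action uses `require_arg`; `privilege = require_arg(args, "privilege")` would keep the error handling uniform.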
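--- a/data/lib/conjur/command/roles.rb
+++ b/data/lib/conjur/command/roles.rb
@@ -18,88 +18,116 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'conjur/authn'
-require 'conjur/command'
 
 class Conjur::Command::Roles < Conjur::Command
-
-
-
-
-
-
-
-
-id = require_arg(args, 'role')
-role = api.role(id)
+
+desc "Manage roles"
+command :role do |role|
+
+role.desc "Create a new role"
+role.arg_name "role"
+role.command :create do |c|
+acting_as_option(c)
 
-
-
+c.desc "Output a JSON response with a single field, roleid"
+c.switch "json"
+
+c.action do |global_options,options,args|
+id = require_arg(args, 'role')
+role = api.role(id)
+
+if ownerid = options.delete(:ownerid)
+options[:acting_as] = ownerid
+end
+
+role.create(options)
+if options[:json]
+display({
+roleid: role.roleid
+})
+else
+puts "Created role #{role.roleid}"
+end
 end
-
-role.create(options)
-puts "Created role #{role.roleid}"
 end
-
-
-
-
-
-
-
-
-
+
+role.desc "Determines whether a role exists"
+role.arg_name "role"
+role.command :exists do |c|
+c.desc "Output a JSON response with a single field, exists"
+c.switch "json"
+
+c.action do |global_options,options,args|
+id = require_arg(args, 'role')
+role = api.role(id)
+if options[:json]
+display({
+exists: role.exists?
+})
+else
+puts role.exists?
+end
+end
 end
-end
 
-
-
-
-
-
-
-
+role.desc "Lists role memberships. The role membership list is recursively expanded."
+role.arg_name "role"
+
+role.command :memberships do |c|
+c.desc "Whether to show system (internal) roles"
+c.switch [:s, :system]
+
+c.action do |global_options,options,args|
+roleid = args.shift
+role = roleid.nil? && api.current_role || api.role(roleid)
+memberships = role.all.map(&:roleid)
+unless options[:system]
+memberships.reject!{|id| id =~ /^.+?:@/}
+end
+display memberships
+end
 end
-end
 
-
-
-
-
-
-
-
-
-
+role.desc "Lists all direct members of the role. The membership list is not recursively expanded."
+role.arg_name "role"
+role.command :members do |c|
+c.desc "Verbose output"
+c.switch [:V,:verbose]
+
+c.action do |global_options,options,args|
+role = args.shift || api.user(api.username).roleid
+display_members api.role(role).members, options
+end
 end
-end
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+role.desc "Grant a role to another role. You must have admin permission on the granting role."
+role.arg_name "role member"
+role.command :grant_to do |c|
+c.desc "Whether to grant with admin option"
+c.switch [:a,:admin]
+
+c.action do |global_options,options,args|
+id = require_arg(args, 'role')
+member = require_arg(args, 'member')
+role = api.role(id)
+grant_options = {}
+grant_options[:admin_option] = true if options[:admin]
+role.grant_to member, grant_options
+puts "Role granted"
+end
 end
-end
 
-
-
-
-
-
-
-
-
-
+role.desc "Revoke a role from another role. You must have admin permission on the revoking role."
+role.arg_name "role member"
+role.command :revoke_from do |c|
+c.action do |global_options,options,args|
+id = require_arg(args, 'role')
+member = require_arg(args, 'member')
+role = api.role(id)
+role.revoke_from member
+puts "Role revoked"
+end
 end
 end
+
 end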
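Review bot: The `members` action defaults to `api.user(api.username).roleid`, while `memberships` just above it defaults to `api.current_role`; the two defaults should agree, and the user-based lookup presumably resolves the wrong role or fails when the CLI is authenticated as something other than a user (a host identity, for instance). Using the same source in both, e.g. `role = (id = args.shift) ? api.role(id) : api.current_role` followed by `display_members role.members, options`, removes the discrepancy, assuming `api.current_role` returns the same kind of object as `api.role`. In `memberships`, the system-role filter `/^.+?:@/` anchors per line; `/\A.+?:@/` ties it to the start of the id.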