conjur-cli 5.6.6 → 6.0.0.rc1

data/lib/conjur/command/bootstrap.rb

@@ -1,129 +0,0 @@
-#
-# Copyright (C) 2014-2016 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-class Conjur::Command::Bootstrap < Conjur::Command
-  desc "Create initial users, groups, permissions, and service identities."
-  long_desc %Q(When you launch a new Conjur master server, it contains only one login: the "admin" user. 
-  The bootstrap command will finish the setup of a new Conjur system by creating other essential records.
-
-  Actions performed by "bootstrap" include:
-
-  * Creation of a group called "security_admin".
-
-	* Giving the "security_admin" the power to manage public keys.
-
-	* Creation of a user called "attic", which will be the owner of retired records.
-
-	* Create system identities for use services such as pubkeys, rotator, and ldap-sync.
-
-	* (optional) Create a new user who will be made a member and admin of the "security_admin" group.
-
-	* (optional) If a new user was created, login as that user.
-
-  The Bootstrap command can be extended to perform additional actions by CLI plugins. The plugin just 
-  needs to define a new class in Conjur::Bootstrap::Command. Its "perform" method will be run automatically.
-  )
-  
-  class BootstrapListener
-    def echo msg
-      $stderr.puts msg
-    end
-  end
-  
-  class << self
-    def quiet? options
-      !$stdin.tty? || options[:quiet]
-    end
-  end
-
-  Conjur::CLI.command :bootstrap do |c|
-    c.desc "Print out all the commands to stderr as they run."
-    c.default_value true
-    c.switch [:v, :verbose]
-      
-    c.desc "Don't prompt for any user input, even if there's a TTY."
-    c.long_desc %Q(By default, 'bootstrap' may issue prompts on the TTY. For example, it will prompt you
-    to login if you aren't currently logged in as any user. It will also ask you if you want to create a new
-    'security_admin' user. This switch can be used to disable all such prompts, making it safe to run
-    'bootstrap' even when requests for user input cannot be handled. Prompts are also disabled if STDIN
-    is not a tty.)
-    c.default_value false
-    c.switch [:q, :quiet]
-      
-    c.action do |global_options,options,args|
-      require 'highline/import'
-      
-      # Ensure there's a logged in user
-      connect_options = {}
-      connect_options[:noask] = true if quiet?(options)
-      Conjur::Authn.connect nil, connect_options
-
-      unless api.global_privilege_permitted?('elevate')
-        $stderr.puts [
-          "You must have 'elevate' privilege to bootstrap Conjur.",
-          "If are performing a first-time bootstrap of Conjur, you should login as the 'admin' user",
-          "using the admin password you selected when you ran 'evoke configure master'.",
-          "",
-          "If you have run 'conjur bootstrap' before, using CLI version 4.30.0 or later, the 'elevate'",
-          "privilege is available to all members of the security_admin group."
-          ].join("\n")
-        exit_now! "Insufficient privileges to run 'bootstrap'."
-      end
-
-      saved_log = Conjur.log
-      Conjur.log = $stderr if options[:verbose]
-            
-      api = self.api.with_privilege('elevate')
-      self.api = api
-      
-      api.bootstrap BootstrapListener.new
-      
-      unless quiet?(options)
-        security_admin = api.group('security_admin')
-        security_administrators = security_admin.role.members.select{|m| m.member.roleid.split(':')[1..-1] != [ 'user', 'admin'] }
-        $stderr.puts "Current 'security_admin' members are : #{security_administrators.map{|m| m.member.roleid.split(':', 3)[1..-1].join(':')}.sort.join(', ')}" unless security_administrators.blank?
-        created_user = nil
-        if security_administrators.empty? || agree("Create a new security_admin? (answer 'y' or 'yes'):")
-          username = ask("Enter #{security_administrators.empty? ? 'your' : 'the'} username:")
-          password = prompt_for_password
-          begin
-            # Don't echo the new admin user's password
-            Conjur.log = nil
-            $stderr.puts "Creating user '#{username}'"
-            created_user = user = api.create_user(username, password: password)
-          ensure
-            Conjur.log = saved_log
-          end
-          Conjur::API.new_from_key(user.login, password).user(user.login).resource.give_to security_admin
-          $stderr.puts "User created"
-          $stderr.puts "Making '#{username}' a member and admin of group 'security_admin'"
-          security_admin.add_member user, admin_option: true
-          $stderr.puts "Adminship granted"
-        end
-        
-        if created_user && agree("Login as user '#{created_user.login}'? (answer 'y' or 'yes'):")
-          Conjur::Authn.fetch_credentials(username: created_user.login, password: created_user.api_key)
-          $stderr.puts "Logged in as '#{created_user.login}'"
-        end
-      end
-    end
-  end
-end

data/lib/conjur/command/dsl_command.rb

@@ -1,75 +0,0 @@
-#
-# Copyright (C) 2014 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-class Conjur::DSLCommand < Conjur::Command
-  class << self
-    def run_script(args, options, &block)
-      Conjur.log = "stderr"
-
-      filename = nil
-      script = if script = args.pop
-        filename = script
-        script = if File.exists?(script)
-          File.read(script)
-        else
-          require 'open-uri'
-          uri = URI.parse(script)
-          raise "Unable to read this kind of URL : #{script}" unless uri.respond_to?(:read)
-          begin
-            uri.read
-          rescue OpenURI::HTTPError
-            raise "Unable to read URI #{script} : #{$!.message}"
-          end
-        end
-      else
-        STDIN.read
-      end
-      
-      require 'conjur/dsl/runner'
-      runner = Conjur::DSL::Runner.new(script, filename)
-      runner.owner = options[:ownerid] if options[:ownerid]
-
-      if context = options[:context]
-        runner.context = begin
-          JSON.parse(File.read(context)) 
-        rescue Errno::ENOENT 
-          {}
-        end
-      end
-      
-      if block_given?
-        block.call(runner) do
-          runner.execute
-        end
-      else
-        runner.execute
-      end
-      
-      if context
-        File.write(context, JSON.pretty_generate(runner.context))
-        File.chmod(0600, context)
-      end
-
-      puts JSON.pretty_generate(runner.context)
-    end
-  end
-
-end

data/lib/conjur/command/elevate.rb

@@ -1,76 +0,0 @@
-#
-# Copyright (C) 2015 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-# Implement privileged modes such as 'elevate' and 'reveal'
-class Conjur::Command::Elevate < Conjur::DSLCommand
-  
-  def self.subcommand args
-    code = Conjur::CLI.run args
-    raise GLI::CustomExit.new("Subcommand failed", code) unless code == 0
-  end
-  
-  desc "Run a sub-command with elevated privileges"
-  long_desc <<-DESC
-If you are allowed to do this by the Conjur server, all server-side permission checks will be bypassed and any
-action will be allowed.
-
-To be able to run this command, you must have the 'elevate' privilege on the resource '!:!:conjur'.
-
-EXAMPLE
-
-Force retirement of a user:
-
-$ conjur elevate user retire alice
-  DESC
-  command :elevate do |c|
-    c.action do |global_options,options,args|
-      exit_now! "Subcommand is required" if args.empty?
-      
-      Conjur::Command.api = api.with_privilege "elevate"
-      subcommand args
-    end
-  end
-  
-  desc "Run a sub-command in 'reveal' mode"
-  long_desc <<-DESC
-If you are allowed to do this by the Conjur server, you can inspect all data in the Conjur
-authorization service. For example, you can list and search for all resources, regardless of
-your ownership and privileges. You can also show details on any resource, and you can perform
-permission checks on any resource.
-
-To be able to run this command, you must have the 'reveal' privilege on the resource '!:!:conjur'.
-
-EXAMPLE
-
-List all groups:
-
-$ conjur reveal group list -i
-
-  DESC
-  command :reveal do |c|
-    c.action do |global_options,options,args|
-      exit_now! "Subcommand is required" if args.empty?
-      
-      Conjur::Command.api = api.with_privilege "reveal"
-      subcommand args
-    end
-  end
-end

data/lib/conjur/command/field.rb

@@ -1,45 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-class Conjur::Command::Field < Conjur::Command
-  self.prefix = :field
-  
-  desc "(Deprecated. See standalone jsonfield command instead.)"
-  command :select do |c|
-    hide_docs(c)
-
-    c.action do |global_options,options,args|
-      pattern = require_arg(args, 'pattern')
-      value = args.shift || STDIN.read
-
-      warn "field:select is deprecated. Please use jsonfield command instead."
-      require 'json'
-      json = JSON.parse(value)
-      class << json
-        def get_binding
-          record = self
-          
-          binding
-        end
-      end
-      puts json.get_binding.eval(pattern)
-    end
-  end
-end

data/lib/conjur/command/groups.rb

@@ -1,208 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-class Conjur::Command::Groups < Conjur::Command
-  def self.assume_user_kind(role)
-    if role.split(':').length == 1
-      role = [ "user", role ].join(':')
-    end
-    role
-  end
-  
-  desc "Manage groups"
-  command :group do |group|
-    group.desc "Create a new group [DEPRECATED]"
-    group.command :create do |c|
-      c.desc "GID number to be associated with the group (optional)"
-      c.flag [:gidnumber]
-
-      acting_as_option(c)
-      interactive_option c
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = args.shift
-        
-        interactive = options[:interactive] || id.blank?
-
-        groupid = options[:ownerid]
-        gidnumber = options[:gidnumber]
-
-        if interactive
-          id ||= prompt_for_id :group
-          
-          groupid ||= prompt_for_group
-          gidnumber ||= prompt_for_gidnumber
-          
-          prompt_to_confirm :group, {
-            "Id"    => id,
-            "Owner" => groupid,
-            "Gidnumber" => gidnumber
-          }
-        end
-        
-        group_options = { }
-        group_options[:ownerid] = groupid if groupid
-        group_options[:gidnumber] = gidnumber.to_i unless gidnumber.blank?
-          
-        group = api.create_group(id, group_options)
-        display(group, options)
-      end
-    end
-
-    group.desc "List groups"
-    group.command :list do |c|
-      command_options_for_list c
-
-      c.action do |global_options, options, args|
-        command_impl_for_list global_options, options.merge(kind: "group"), args
-      end
-    end
-
-    group.desc "Show a group"
-    group.arg_name "GROUP"
-    group.command :show do |c|
-      c.action do |global_options,options,args|
-        id = require_arg(args, 'GROUP')
-        display(api.group(id), options)
-      end
-    end
-    
-    group.desc "Update group's attributes (eg. gidnumber) [DEPRECATED]"
-    group.arg_name "GROUP"
-    group.command :update do |c|
-      c.desc "GID number to be associated with the group"
-      c.flag [:gidnumber]
-      c.action do |global_options, options, args|
-        notify_deprecated
-
-        id = require_arg(args, 'GROUP')
-
-        options[:gidnumber] = Integer(options[:gidnumber])
-        api.group(id).update(options)
-
-        puts "GID set"
-      end
-    end
-
-    group.desc "Find groups by GID"
-    group.arg_name "gid"
-    group.command :gidsearch do |c|
-      c.action do |global_options, options, args|
-        gidnumber = Integer require_arg args, 'gid'
-        display api.find_groups(gidnumber: gidnumber)
-      end
-    end
-
-    group.desc "Decommission a group [DEPRECATED]"
-    group.arg_name "GROUP"
-    group.command :retire do |c|
-      retire_options c
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = require_arg(args, 'GROUP')
-        
-        group = api.group(id)
-        
-        validate_retire_privileges group, options
-        
-        retire_resource group
-        retire_role group
-        give_away_resource group, options
-        
-        puts "Group retired"
-      end
-    end
-
-    group.desc "Show and manage group members"
-    group.command :members do |members|
-
-      members.desc "Lists all direct members of the group. The membership list is not recursively expanded."
-      members.arg_name "GROUP"
-      members.command :list do |c|
-        c.desc "Verbose output"
-        c.switch [:V,:verbose]
-        c.action do |global_options,options,args|
-          group = require_arg(args, 'GROUP')
-          display_members api.group(group).role.members, :member, options
-        end
-      end
-
-      members.desc "Add a new group member [DEPRECATED]"
-      members.arg_name "GROUP USER"
-      members.command :add do |c|
-        c.desc "Also grant the admin option"
-        c.switch [:a, :admin]
-
-        # perhaps this belongs to member:remove, but then either
-        # it would be possible to grant membership with member:revoke,
-        # or we would need two round-trips to authz
-        c.desc "Revoke the grant option if it's granted"
-        c.switch [:r, :'revoke-admin']
-
-        c.action do |global_options,options,args|
-          notify_deprecated
-
-          group = require_arg(args, 'GROUP')
-          member = require_arg(args, 'USER')
-          member = assume_user_kind(member)
-
-          group = api.group(group)
-          opts = nil
-          message = "Membership granted"
-          if options[:admin] then
-            opts = { admin_option: true }
-            message = "Adminship granted"
-          elsif options[:'revoke-admin'] then
-            opts = { admin_option: false }
-            message = "Adminship revoked"
-          end
-
-          group.add_member member, opts
-          puts message
-        end
-      end
-
-      members.desc "Remove a group member [DEPRECATED]"
-      members.arg_name "GROUP USER"
-      members.command :remove do |c|
-        c.action do |global_options,options,args|
-          notify_deprecated
-
-          group = require_arg(args, 'GROUP')
-          member = require_arg(args, 'USER')
-          member = assume_user_kind(member)
-
-          api.group(group).remove_member member
-          puts "Membership revoked"
-        end
-      end
-
-    end
-  end
-    
-  def self.prompt_for_gidnumber
-    prompt_for_idnumber "gid number"
-  end
-end