conjur-cli 5.6.6 → 6.0.0.rc1

data/lib/conjur/command/ids.rb

@@ -1,34 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-class Conjur::Command::Id < Conjur::Command
-  desc "Manage ids"
-  command :id do |id|
-    id.desc "Creates a new unique id"
-    id.command :create do |c|
-      c.action do |global_options,options,args|
-        var = api.create_variable("text/plain", "unique-id", {})
-        puts var.id
-      end
-    end
-
-  end
-end

data/lib/conjur/command/layers.rb

@@ -1,211 +0,0 @@
-require 'conjur/command'
-
-class Conjur::Command::Layers < Conjur::Command
-
-
-  # Form an account:kind:hostid from the host argument
-  # Or interpret a fully-qualified role id
-  def self.require_hostid_arg(args)
-    hostid = require_arg(args, 'HOST')
-    unless hostid.index(':')
-      hostid = [ Conjur::Core::API.conjur_account, 'host', hostid ].join(':')
-    end
-    hostid
-  end
-
-  def self.interpret_layer_privilege(privilege)
-    case privilege
-      when 'execute'
-        'use_host'
-      when 'update'
-        'admin_host'
-      else
-        exit_now! "Invalid privilege '#{privilege}'. Acceptable values are : execute, update"
-    end
-  end
-
-  def self.parse_layer_permission_args(global_options, options, args)
-    id = require_arg(args, "LAYER")
-    role = require_arg(args, "ROLE")
-    privilege = require_arg(args, "PRIVILEGE")
-    role_name = interpret_layer_privilege privilege
-    [ id, role_name, role ]
-  end
-
-  desc "Operations on layers"
-  command :layer do |layer|
-
-    layer.desc "Create a new layer [DEPRECATED]"
-    layer.arg_name "LAYER"
-    layer.command :create do |c|
-      acting_as_option(c)
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = require_arg(args, 'LAYER')
-
-        layer = api.create_layer(id, options)
-        display(layer, options)
-      end
-    end
-
-    layer.desc "List layers"
-    layer.command :list do |c|
-      command_options_for_list c
-
-      c.action do |global_options, options, args|
-        command_impl_for_list global_options, options.merge(kind: "layer"), args
-      end
-    end
-
-    layer.desc "Show a layer"
-    layer.arg_name "LAYER"
-    layer.command :show do |c|
-      c.action do |global_options,options,args|
-        id = require_arg(args, 'LAYER')
-        display(api.layer(id), options)
-      end
-    end
-
-    layer.desc "Provision a layer by creating backing resources in an IaaS / PaaS system"
-    layer.arg_name "LAYER"
-    layer.command :provision do |c|
-      hide_docs(c)
-
-      c.desc "Provisioner to use (aws)"
-      c.arg_name "PROVISIONER"
-      c.flag [ :provisioner ]
-
-      c.desc "Variable holding a credential used to connect to the provisioner"
-      c.arg_name "VARIABLE"
-      c.flag [ :credential ]
-
-      c.desc "AWS bucket to contain the bootstrap credentials (will be created if missing)"
-      c.arg_name "BUCKET"
-      c.flag [ :bucket ]
-
-      c.action do |global_options, options, args|
-        id = require_arg(args, 'LAYER')
-        provisioner = options[:provisioner] or exit_now!("Missing argument: provisioner")
-        credential = options[:credential] or exit_now!("Missing argument: credential")
-        bucket = options[:bucket] or exit_now!("Missing argument: bucket")
-        raise "Supported provisioners: aws" unless provisioner == "aws"
-
-        require "conjur/provisioner/layer/aws"
-
-        layer = api.layer(id)
-        class << layer
-          include Conjur::Provisioner::Layer::AWS
-        end
-        layer.aws_bucket_name = bucket
-        layer.aws_credentialid = credential
-        layer.provision
-
-        puts "Layer provisioned by #{provisioner}"
-      end
-    end
-
-    layer.desc "Decommission a layer [DEPRECATED]"
-    layer.arg_name "LAYER"
-    layer.command :retire do |c|
-      retire_options c
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = require_arg(args, 'LAYER')
-        
-        layer = api.layer(id)
-        
-        validate_retire_privileges layer, options
-        
-        retire_resource layer
-        retire_role layer
-        # retire internal roles for observe, use_host, admin_host
-        account = Conjur::Core::API.conjur_account
-        ['observe', 'use_host', 'admin_host'].each do |priv|
-          role_name = ['layer', id, priv].join('/')
-          role_id = [ account, '@', role_name].join(':')
-          role_obj = api.role(role_id)
-          retire_internal_role role_obj
-        end
-        give_away_resource layer, options
-        
-        puts "Layer retired"
-      end
-    end
-
-    layer.desc "Operations on hosts"
-    layer.command :hosts do |hosts|
-      hosts.desc "Permit a privilege on hosts in the layer [DEPRECATED]"
-      hosts.long_desc <<-DESC
-Privilege may be : execute, update
-      DESC
-      hosts.arg_name "LAYER ROLE PRIVILEGE"
-      hosts.command :permit do |c|
-        c.action do |global_options,options,args|
-          notify_deprecated
-
-          id, role_name, role = parse_layer_permission_args(global_options, options, args)
-          api.layer(id).add_member role_name, role
-          puts "Permission granted"
-        end
-      end
-
-      hosts.desc "Remove a privilege on hosts in the layer [DEPRECATED]"
-      hosts.arg_name "LAYER ROLE PRIVILEGE"
-      hosts.command :deny do |c|
-        c.action do |global_options,options,args|
-          notify_deprecated
-
-          id, role_name, role = parse_layer_permission_args(global_options, options, args)
-          api.layer(id).remove_member role_name, role
-          puts "Permission removed"
-        end
-      end
-
-      hosts.desc "List roles that have permission on the hosts"
-      hosts.arg_name "LAYER PRIVILEGE"
-      hosts.command :permitted_roles do |c|
-        c.action do |global_options,options,args|
-          id = require_arg(args, 'LAYER')
-          role_name = interpret_layer_privilege require_arg(args, 'PRIVILEGE')
-
-          members = api.layer(id).hosts_members(role_name).map(&:member).select do |m|
-            m.kind != "@"
-          end
-          display members.map(&:roleid)
-        end
-      end
-
-      hosts.desc "Add a host to an layer [DEPRECATED]"
-      hosts.arg_name "LAYER HOST"
-      hosts.command :add do |c|
-        c.action do |global_options, options, args|
-          notify_deprecated
-
-          id = require_arg(args, 'LAYER')
-          hostid = require_hostid_arg(args)
-
-          api.layer(id).add_host hostid
-          puts "Host added"
-        end
-      end
-
-      hosts.desc "Remove a host from an layer [DEPRECATED]"
-      hosts.arg_name "LAYER HOST"
-      hosts.command :remove do |c|
-        c.action do |global_options, options, args|
-          notify_deprecated
-
-          id = require_arg(args, 'LAYER')
-          hostid = require_hostid_arg(args)
-
-          api.layer(id).remove_host hostid
-          puts "Host removed"
-        end
-      end
-    end
-  end
-end

data/lib/conjur/command/ldapsync.rb

@@ -1,118 +0,0 @@
-require 'conjur/command'
-
-class Conjur::Command::LDAPSync < Conjur::Command
-
-  LIST_FORMATS = %w(pretty json)
-
-  def self.error_messages(resp)
-    resp['events'].collect {|e| e['message'] if e['severity'] == 'error'}.compact
-  end
-
-  def self.show_messages(resp)
-    msgs = resp['events'].each_with_object([]) do |e, arr|
-      if e['severity'] == 'warn' || e['severity'] == 'error'
-        arr << "\n#{e['severity'].upcase}: #{e['message']}"
-      end
-    end
-    $stderr.puts(msgs.join("\n") + "\n\n") unless msgs.empty?
-  end
-
-  desc 'LDAP sync management commands'
-  command :'ldap-sync' do |cgrp|
-
-    cgrp.desc 'Manage the policy used to sync Conjur and the LDAP server'
-    cgrp.command :policy do |policy|
-      min_version policy, '4.8.0'
-
-      policy.desc 'Show the current policy'
-      policy.command :show do |show|
-        min_version show, '4.8.0'
-        show.desc 'LDAP Sync profile to use (defined in UI)'
-        show.arg_name 'profile'
-        show.flag ['p', 'profile']
-
-        show.action do |_,options,_|
-
-          config_name = options[:profile] || 'default'
-          resp = api.ldap_sync_policy(config_name)
-          
-          show_messages(resp)
-
-          if (policy = resp['policy'])
-            if resp['ok']
-              puts(resp['policy'])
-            else
-              exit_now! "Failed creating the policy."
-            end
-          else
-            exit_now! resp['error']['message']
-          end
-        end
-      end
-    end
-
-    # Currently hidden. It's easier to use the CLI than cURL, though,
-    # so we might want to expose the profile subcommands.
-    cgrp.desc 'Manage profiles for LDAP sync'
-    cgrp.command :profile do |profile|
-      hide_docs(profile)
-      min_version profile, '4.8.0'
-      
-      profile.desc 'Show the profile'
-      profile.command :show do |show|
-        min_version show, '4.8.0'
-
-        show.arg_name 'profile'
-        show.flag ['p', 'profile']
-        show.action do |_,options,_|
-          display(api.ldap_sync_show_profile(options[:profile]))
-        end
-      end
-
-      profile.desc 'Create or update a profile'
-      profile.arg_name 'PROFILE_JSON'
-      profile.long_desc %Q{Create or update the given profile.
-The profile JSON may be provided in two ways:
-
-1. As a literal (quoted) JSON string.
-
-2. In a file, by prepending an '@' to the path to the file
-}
-      profile.command :update do |update|
-        min_version update, '4.8.0'
-        
-        update.arg_name 'profile'
-        update.flag ['p', 'profile']
-        update.action do |_, options, args|
-          config = require_arg(args, 'PROFILE_JSON')
-          config = File.read(config[1..-1]) if config[0] == '@'
-          display(api.ldap_sync_update_profile(options[:profile], JSON.parse(config)))
-        end
-      end
-
-    end
-
-    cgrp.desc 'Search using an LDAP sync profile'
-    cgrp.command :search do |search|
-      hide_docs(search)
-      min_version search, '4.8.0'
-      
-      search.desc 'LDAP Sync profile to use (defined in UI)'
-      search.arg_name 'profile'
-      search.flag ['p', 'profile']
-      search.action do |_,options,_|
-        resp = api.ldap_sync_search(options[:profile] || 'default')
-                                                                    
-        show_messages(resp)
-
-        if resp['ok']
-          display resp
-        else
-          exit_now! "Search failed."
-        end
-
-      end
-    end
-
-  end
-end

data/lib/conjur/command/rspec/audit_helpers.rb

@@ -1,68 +0,0 @@
-shared_context "default audit behavior" do
-  let(:common_prefix) { "[#{default_audit_event["timestamp"]}] #{default_audit_event["user"]}" }
-
-  let(:default_audit_event) {
-    {
-      "request" => {
-                  "ip" => "1.2.3.4",
-                  "url"=>"https://conjur/api",
-                  "method"=>"POST",
-                  "uuid" => "abcdef",
-                  "params"=> {
-                    "controller"=>"role",
-                    "action"=>"create",
-                    "account"=>"the-account"
-                    }
-                  },
-      "acting_as" => "account:group:admins",
-      "conjur" =>   { # new behaviour
-                  "user" => "account:user:alice",
-                  "role" => "account:group:admins",
-                  "domain" => "authz",
-                  "env"    => "test",
-                  "account" => "the-account"
-                  },
-      "completely_custom_field" => "with some value",
-      "kind" => "some_asset",
-      "action" => "some_action",
-      "user" => "account:user:alice",
-      "id"   => 12345,
-      "timestamp" => Time.now().to_s,
-      "event_id" => "xaxaxaxaxa",
-      "resources" => ["the-account:layer:resources/production", "layer:resources/frontend"],
-      "roles" => ["the-account:group:roles/qa", "group:roles/ssh_users"]
-    }
-  }
-
-  shared_examples_for "it supports standard prefix:" do
-    describe "if acting_as is the same as user" do
-      let(:audit_event) { test_event.tap { |e| e["acting_as"]=e["user"] } }
-      it "prints default prefix" do
-        expect { invoke }.to write(common_prefix)
-      end
-      it "does not print 'acting_as' statement" do
-        expect { invoke }.to_not write(common_prefix+" (as ")
-      end
-    end
-
-    describe "if acting_as is different from user" do
-      it 'prints default prefix followed by (acting as..) statement' do
-        expect { invoke }.to write(common_prefix+" (as #{audit_event['acting_as']})")
-      end
-    end
-  end
-
-  shared_examples_for "it recognizes error messages:" do
-    describe "if :error is not empty" do
-      let(:audit_event) { test_event.merge("error"=>"everything's down") }
-      it 'appends (failed with...) statement' do
-        expect { invoke }.to write(" (failed with everything's down)")
-      end
-    end
-    describe "if :error is empty" do
-      it 'does not print "failed with" statement' do
-        expect { invoke }.not_to write(" (failed with ")
-      end
-    end
-  end
-end

data/lib/conjur/command/rubydsl.rb

@@ -1,93 +0,0 @@
-#
-# Copyright (C) 2014 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/command/dsl_command'
-
-class Conjur::Command::RubyDSL < Conjur::DSLCommand
-  desc "Manage Ruby DSL policies [DEPRECATED]"
-  long_desc 'DEPRECATED. Declarative YML policy supercedes Ruby policy DSL.'
-  command :rubydsl do |rubydsl|
-    rubydsl.desc "Load a policy from Conjur DSL"
-    rubydsl.long_desc <<-DESC
-Loads a Conjur policy from Ruby DSL, applying particular conventions to the role and resource
-ids.
-
-The first path element of each id is the collection. Policies can be separated into collections
-according to software development lifecycle. This allows you to migrate the same policy across environments.
-Often-used collection names: ci, stage, and production.
-
-The second path element of each id is the policy name and version, following the convention
-policy-x.y.z, where x, y, and z are the semantic version of the policy.
-
-Next, each policy creates a policy role and policy resource. The policy resource is used to store
-annotations on the policy. The policy role becomes the owner of the owned policy assets. The
---as-group and --as-role options can be used to set the owner of the policy role. The default
-owner of the policy role is the logged-in user (you), as always.
-    DESC
-    rubydsl.arg_name "FILE"
-    rubydsl.command :load do |c|
-      acting_as_option(c)
-      collection_option(c)
-      context_option(c)
-
-      c.action do |_, options, args|
-        collection = options[:collection]
-
-        if collection.nil?
-          run_script args, options
-        else
-          run_script args, options do |runner, &block|
-            runner.scope collection do
-              block.call
-            end
-          end
-        end
-      end
-    end
-
-    rubydsl.desc 'Decommision a policy'
-    rubydsl.arg_name 'POLICY'
-    rubydsl.command :retire do |c|
-      retire_options c
-
-      c.action do |global_options, options, args |
-        id = "policy:#{require_arg(args, 'POLICY')}"
-
-        # policy isn't a rolsource (yet), but we can pretend
-        Policy = Struct.new(:role, :resource)
-        rubydsl = Policy.new(api.role(id), api.resource(id))
-
-        validate_retire_privileges(rubydsl, options)
-
-        retire_resource(rubydsl)
-
-        # The policy resource is owned by the policy role. Having the
-        # policy role is what allows us to administer it. So, we have
-        # to give the resource away before we can revoke the role.
-        give_away_resource(rubydsl, options)
-
-        retire_role(rubydsl)
-
-        puts 'Policy retired'
-      end
-    end
-
-  end
-end