conjur-cli 5.6.6 → 6.0.0.rc1
- checksums.yaml +5 -5
- data/.dockerignore +1 -1
- data/.gitignore +2 -0
- data/.rubocop.yml +1 -1
- data/APPLIANCE_VERSION +1 -1
- data/CHANGELOG.md +3 -42
- data/Gemfile +4 -7
- data/Humanfile.md +31 -0
- data/Jenkinsfile +34 -63
- data/README.md +41 -55
- data/Rakefile +5 -1
- data/bin/conjur +0 -2
- data/build-deb.sh +1 -3
- data/ci/cli-test.sh +6 -0
- data/ci/package.sh +3 -1
- data/ci/publish.sh +2 -2
- data/ci/secrets/publish.yml +2 -2
- data/ci/wait_for_server.sh +10 -0
- data/conjur-cli.gemspec +7 -7
- data/dev/docker-compose.yml +24 -0
- data/dev/start.sh +15 -0
- data/dev/stop.sh +5 -0
- data/docker-compose.yml +30 -0
- data/features/authentication/authenticate.feature +34 -0
- data/features/authentication/login.feature +13 -0
- data/features/authentication/logout.feature +15 -0
- data/{acceptance-features → features}/authentication/whoami.feature +0 -0
- data/features/authorization/resource/annotate.feature +22 -0
- data/features/authorization/resource/check.feature +47 -0
- data/{acceptance-features → features}/authorization/resource/exists.feature +18 -6
- data/features/authorization/resource/permitted_roles.feature +35 -0
- data/features/authorization/resource/show.feature +34 -0
- data/features/authorization/role/exists.feature +28 -0
- data/features/authorization/role/members.feature +45 -0
- data/features/authorization/role/memberships.feature +43 -0
- data/features/conjurenv/check.feature +34 -0
- data/features/conjurenv/run.feature +15 -0
- data/{acceptance-features → features}/conjurenv/template.feature +8 -3
- data/{acceptance-features → features}/directory/user/update_password.feature +8 -2
- data/{acceptance-features → features}/directory/variable/value.feature +9 -5
- data/{acceptance-features → features}/directory/variable/values-add.feature +8 -3
- data/features/hostfactory/tokens.feature +22 -0
- data/features/pubkeys/show.feature +18 -0
- data/features/step_definitions/authn_steps.rb +22 -0
- data/features/step_definitions/cli_steps.rb +28 -0
- data/features/step_definitions/file_steps.rb +12 -0
- data/features/step_definitions/flow_control_steps.rb +7 -0
- data/features/step_definitions/graph_steps.rb +4 -3
- data/{acceptance-features → features}/step_definitions/http_steps.rb +0 -0
- data/features/step_definitions/overrides.rb +9 -0
- data/features/step_definitions/policy_steps.rb +11 -0
- data/{acceptance-features → features}/step_definitions/trusted_proxy_steps.rb +0 -0
- data/features/support/blank.yml +1 -0
- data/features/support/env.rb +21 -7
- data/features/support/hooks.rb +31 -116
- data/features/support/world.rb +16 -76
- data/jenkins.sh +33 -0
- data/lib/conjur/authenticator.rb +83 -0
- data/lib/conjur/authn.rb +5 -20
- data/lib/conjur/cli.rb +13 -6
- data/lib/conjur/command.rb +30 -350
- data/lib/conjur/command/authn.rb +23 -15
- data/lib/conjur/command/host_factories.rb +2 -74
- data/lib/conjur/command/hosts.rb +6 -113
- data/lib/conjur/command/init.rb +20 -35
- data/lib/conjur/command/{secrets.rb → policies.rb} +33 -22
- data/lib/conjur/command/pubkeys.rb +3 -63
- data/lib/conjur/command/resources.rb +45 -162
- data/lib/conjur/command/roles.rb +11 -181
- data/lib/conjur/command/rspec/helpers.rb +0 -1
- data/lib/conjur/command/rspec/mock_services.rb +4 -4
- data/lib/conjur/command/users.rb +2 -159
- data/lib/conjur/command/variables.rb +5 -218
- data/lib/conjur/complete.rb +2 -2
- data/lib/conjur/config.rb +1 -11
- data/lib/conjur/conjurenv.rb +12 -9
- data/lib/conjur/identifier_manipulation.rb +3 -5
- data/lib/conjur/version.rb +2 -2
- data/{publish-rubygem.sh → publish.sh} +0 -4
- data/spec/authn_spec.rb +4 -0
- data/spec/command/hosts_spec.rb +2 -69
- data/spec/command/init_spec.rb +16 -11
- data/spec/command/pubkeys_spec.rb +1 -46
- data/spec/command/resources_spec.rb +21 -170
- data/spec/command/roles_spec.rb +5 -181
- data/spec/command/users_spec.rb +3 -79
- data/spec/command_spec.rb +1 -20
- data/spec/complete_spec.rb +1 -23
- data/spec/config_spec.rb +1 -1
- data/spec/spec_helper.rb +4 -5
- data/test.sh +29 -25
- metadata +92 -212
- data/.githooks/pre_commit/run_specs.rb +0 -23
- data/Dockerfile +0 -15
- data/Dockerfile.fpm +0 -18
- data/Dockerfile.publish +0 -12
- data/Dockerfile.standalone +0 -33
- data/Dockerfile.validate-packaging +0 -9
- data/VERSION +0 -1
- data/acceptance-features/audit/audit_event_send.feature +0 -107
- data/acceptance-features/audit/fetch.feature +0 -16
- data/acceptance-features/audit/send.feature +0 -51
- data/acceptance-features/authentication/authenticate.feature +0 -10
- data/acceptance-features/authentication/login.feature +0 -12
- data/acceptance-features/authentication/logout.feature +0 -13
- data/acceptance-features/authorization/resource/annotate.feature +0 -35
- data/acceptance-features/authorization/resource/check.feature +0 -24
- data/acceptance-features/authorization/resource/create.feature +0 -21
- data/acceptance-features/authorization/resource/deny.feature +0 -12
- data/acceptance-features/authorization/resource/give.feature +0 -24
- data/acceptance-features/authorization/resource/permit.feature +0 -20
- data/acceptance-features/authorization/resource/permitted_roles.feature +0 -16
- data/acceptance-features/authorization/resource/show.feature +0 -28
- data/acceptance-features/authorization/role/create.feature +0 -13
- data/acceptance-features/authorization/role/exists.feature +0 -19
- data/acceptance-features/authorization/role/grant_to.feature +0 -21
- data/acceptance-features/authorization/role/graph.feature +0 -57
- data/acceptance-features/authorization/role/members.feature +0 -23
- data/acceptance-features/authorization/role/memberships.feature +0 -27
- data/acceptance-features/bootstrap.feature +0 -13
- data/acceptance-features/conjurenv/check.feature +0 -21
- data/acceptance-features/conjurenv/run.feature +0 -10
- data/acceptance-features/directory/group/create.feature +0 -20
- data/acceptance-features/directory/group/retire.feature +0 -54
- data/acceptance-features/directory/host/create.feature +0 -23
- data/acceptance-features/directory/host/retire.feature +0 -6
- data/acceptance-features/directory/hostfactory/create.feature +0 -28
- data/acceptance-features/directory/hostfactory/tokens.feature +0 -16
- data/acceptance-features/directory/layer/create.feature +0 -10
- data/acceptance-features/directory/layer/hosts-add.feature +0 -9
- data/acceptance-features/directory/layer/hosts-remove.feature +0 -10
- data/acceptance-features/directory/layer/retire.feature +0 -43
- data/acceptance-features/directory/user/create.feature +0 -23
- data/acceptance-features/directory/user/retire.feature +0 -6
- data/acceptance-features/directory/variable/create.feature +0 -14
- data/acceptance-features/directory/variable/retire.feature +0 -17
- data/acceptance-features/dsl/policy_owner.feature +0 -45
- data/acceptance-features/dsl/resource_owner.feature +0 -17
- data/acceptance-features/dsl/retire.feature +0 -15
- data/acceptance-features/global-privilege/elevate.feature +0 -20
- data/acceptance-features/global-privilege/reveal.privilege +0 -20
- data/acceptance-features/pubkeys/add.feature +0 -22
- data/acceptance-features/pubkeys/delete.feature +0 -9
- data/acceptance-features/pubkeys/names.feature +0 -26
- data/acceptance-features/pubkeys/show.feature +0 -27
- data/acceptance-features/step_definitions/cli_steps.rb +0 -57
- data/acceptance-features/step_definitions/graph_steps.rb +0 -22
- data/acceptance-features/step_definitions/user_steps.rb +0 -51
- data/acceptance-features/support/env.rb +0 -23
- data/acceptance-features/support/hooks.rb +0 -178
- data/acceptance-features/support/world.rb +0 -176
- data/acceptance-features/trusted_proxies.feature +0 -82
- data/bin/conjurize +0 -26
- data/bin/jsonfield +0 -70
- data/build-standalone +0 -6
- data/deprecations.sh +0 -38
- data/features/conjurize.feature +0 -134
- data/features/dsl_context.feature +0 -36
- data/features/dsl_host_create.feature +0 -11
- data/features/dsl_ownership.feature +0 -30
- data/features/dsl_permission.feature +0 -45
- data/features/dsl_resource_create.feature +0 -23
- data/features/dsl_role_create.feature +0 -11
- data/features/dsl_user_create.feature +0 -23
- data/features/jsonfield.feature +0 -49
- data/features/role_graph.feature +0 -58
- data/features/step_definitions/conjurize_steps.rb +0 -5
- data/features/step_definitions/dsl_steps.rb +0 -52
- data/features/support/conjur.conf +0 -6
- data/lib/conjur/command/assets.rb +0 -121
- data/lib/conjur/command/audit.rb +0 -155
- data/lib/conjur/command/bootstrap.rb +0 -129
- data/lib/conjur/command/dsl_command.rb +0 -75
- data/lib/conjur/command/elevate.rb +0 -76
- data/lib/conjur/command/field.rb +0 -45
- data/lib/conjur/command/groups.rb +0 -208
- data/lib/conjur/command/ids.rb +0 -34
- data/lib/conjur/command/layers.rb +0 -211
- data/lib/conjur/command/ldapsync.rb +0 -118
- data/lib/conjur/command/rspec/audit_helpers.rb +0 -68
- data/lib/conjur/command/rubydsl.rb +0 -93
- data/lib/conjur/command/script.rb +0 -48
- data/lib/conjur/command/server.rb +0 -67
- data/lib/conjur/conjurize.rb +0 -71
- data/lib/conjur/conjurize/script.rb +0 -150
- data/lib/conjur/dsl/runner.rb +0 -273
- data/publish-deb.sh +0 -6
- data/push-image +0 -29
- data/spec/command/assets_spec.rb +0 -115
- data/spec/command/audit_spec.rb +0 -376
- data/spec/command/elevate_spec.rb +0 -28
- data/spec/command/env_spec.rb +0 -168
- data/spec/command/groups_spec.rb +0 -77
- data/spec/command/host_factories_spec.rb +0 -38
- data/spec/command/layers_spec.rb +0 -35
- data/spec/command/ldapsync_spec.rb +0 -28
- data/spec/command/rubydsl_spec.rb +0 -63
- data/spec/command/variable_expiration_spec.rb +0 -164
- data/spec/command/variables_spec.rb +0 -192
- data/spec/conjurize/script_spec.rb +0 -62
- data/spec/conjurize_spec.rb +0 -70
- data/spec/dsl/runner_spec.rb +0 -93
- data/spec/env_spec.rb +0 -214
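--- a/data/lib/conjur/command/ids.rb
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-class Conjur::Command::Id < Conjur::Command
-desc "Manage ids"
-command :id do |id|
-id.desc "Creates a new unique id"
-id.command :create do |c|
-c.action do |global_options,options,args|
-var = api.create_variable("text/plain", "unique-id", {})
-puts var.id
-end
-end
-
-end
-end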
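--- a/data/lib/conjur/command/layers.rb
+++ /dev/null
@@ -1,211 +0,0 @@
-require 'conjur/command'
-
-class Conjur::Command::Layers < Conjur::Command
-
-
-# Form an account:kind:hostid from the host argument
-# Or interpret a fully-qualified role id
-def self.require_hostid_arg(args)
-hostid = require_arg(args, 'HOST')
-unless hostid.index(':')
-hostid = [ Conjur::Core::API.conjur_account, 'host', hostid ].join(':')
-end
-hostid
-end
-
-def self.interpret_layer_privilege(privilege)
-case privilege
-when 'execute'
-'use_host'
-when 'update'
-'admin_host'
-else
-exit_now! "Invalid privilege '#{privilege}'. Acceptable values are : execute, update"
-end
-end
-
-def self.parse_layer_permission_args(global_options, options, args)
-id = require_arg(args, "LAYER")
-role = require_arg(args, "ROLE")
-privilege = require_arg(args, "PRIVILEGE")
-role_name = interpret_layer_privilege privilege
-[ id, role_name, role ]
-end
-
-desc "Operations on layers"
-command :layer do |layer|
-
-layer.desc "Create a new layer [DEPRECATED]"
-layer.arg_name "LAYER"
-layer.command :create do |c|
-acting_as_option(c)
-
-c.action do |global_options,options,args|
-notify_deprecated
-
-id = require_arg(args, 'LAYER')
-
-layer = api.create_layer(id, options)
-display(layer, options)
-end
-end
-
-layer.desc "List layers"
-layer.command :list do |c|
-command_options_for_list c
-
-c.action do |global_options, options, args|
-command_impl_for_list global_options, options.merge(kind: "layer"), args
-end
-end
-
-layer.desc "Show a layer"
-layer.arg_name "LAYER"
-layer.command :show do |c|
-c.action do |global_options,options,args|
-id = require_arg(args, 'LAYER')
-display(api.layer(id), options)
-end
-end
-
-layer.desc "Provision a layer by creating backing resources in an IaaS / PaaS system"
-layer.arg_name "LAYER"
-layer.command :provision do |c|
-hide_docs(c)
-
-c.desc "Provisioner to use (aws)"
-c.arg_name "PROVISIONER"
-c.flag [ :provisioner ]
-
-c.desc "Variable holding a credential used to connect to the provisioner"
-c.arg_name "VARIABLE"
-c.flag [ :credential ]
-
-c.desc "AWS bucket to contain the bootstrap credentials (will be created if missing)"
-c.arg_name "BUCKET"
-c.flag [ :bucket ]
-
-c.action do |global_options, options, args|
-id = require_arg(args, 'LAYER')
-provisioner = options[:provisioner] or exit_now!("Missing argument: provisioner")
-credential = options[:credential] or exit_now!("Missing argument: credential")
-bucket = options[:bucket] or exit_now!("Missing argument: bucket")
-raise "Supported provisioners: aws" unless provisioner == "aws"
-
-require "conjur/provisioner/layer/aws"
-
-layer = api.layer(id)
-class << layer
-include Conjur::Provisioner::Layer::AWS
-end
-layer.aws_bucket_name = bucket
-layer.aws_credentialid = credential
-layer.provision
-
-puts "Layer provisioned by #{provisioner}"
-end
-end
-
-layer.desc "Decommission a layer [DEPRECATED]"
-layer.arg_name "LAYER"
-layer.command :retire do |c|
-retire_options c
-
-c.action do |global_options,options,args|
-notify_deprecated
-
-id = require_arg(args, 'LAYER')
-
-layer = api.layer(id)
-
-validate_retire_privileges layer, options
-
-retire_resource layer
-retire_role layer
-# retire internal roles for observe, use_host, admin_host
-account = Conjur::Core::API.conjur_account
-['observe', 'use_host', 'admin_host'].each do |priv|
-role_name = ['layer', id, priv].join('/')
-role_id = [ account, '@', role_name].join(':')
-role_obj = api.role(role_id)
-retire_internal_role role_obj
-end
-give_away_resource layer, options
-
-puts "Layer retired"
-end
-end
-
-layer.desc "Operations on hosts"
-layer.command :hosts do |hosts|
-hosts.desc "Permit a privilege on hosts in the layer [DEPRECATED]"
-hosts.long_desc <<-DESC
-Privilege may be : execute, update
-DESC
-hosts.arg_name "LAYER ROLE PRIVILEGE"
-hosts.command :permit do |c|
-c.action do |global_options,options,args|
-notify_deprecated
-
-id, role_name, role = parse_layer_permission_args(global_options, options, args)
-api.layer(id).add_member role_name, role
-puts "Permission granted"
-end
-end
-
-hosts.desc "Remove a privilege on hosts in the layer [DEPRECATED]"
-hosts.arg_name "LAYER ROLE PRIVILEGE"
-hosts.command :deny do |c|
-c.action do |global_options,options,args|
-notify_deprecated
-
-id, role_name, role = parse_layer_permission_args(global_options, options, args)
-api.layer(id).remove_member role_name, role
-puts "Permission removed"
-end
-end
-
-hosts.desc "List roles that have permission on the hosts"
-hosts.arg_name "LAYER PRIVILEGE"
-hosts.command :permitted_roles do |c|
-c.action do |global_options,options,args|
-id = require_arg(args, 'LAYER')
-role_name = interpret_layer_privilege require_arg(args, 'PRIVILEGE')
-
-members = api.layer(id).hosts_members(role_name).map(&:member).select do |m|
-m.kind != "@"
-end
-display members.map(&:roleid)
-end
-end
-
-hosts.desc "Add a host to an layer [DEPRECATED]"
-hosts.arg_name "LAYER HOST"
-hosts.command :add do |c|
-c.action do |global_options, options, args|
-notify_deprecated
-
-id = require_arg(args, 'LAYER')
-hostid = require_hostid_arg(args)
-
-api.layer(id).add_host hostid
-puts "Host added"
-end
-end
-
-hosts.desc "Remove a host from an layer [DEPRECATED]"
-hosts.arg_name "LAYER HOST"
-hosts.command :remove do |c|
-c.action do |global_options, options, args|
-notify_deprecated
-
-id = require_arg(args, 'LAYER')
-hostid = require_hostid_arg(args)
-
-api.layer(id).remove_host hostid
-puts "Host removed"
-end
-end
-end
-end
-end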
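--- a/data/lib/conjur/command/ldapsync.rb
+++ /dev/null
@@ -1,118 +0,0 @@
-require 'conjur/command'
-
-class Conjur::Command::LDAPSync < Conjur::Command
-
-LIST_FORMATS = %w(pretty json)
-
-def self.error_messages(resp)
-resp['events'].collect {|e| e['message'] if e['severity'] == 'error'}.compact
-end
-
-def self.show_messages(resp)
-msgs = resp['events'].each_with_object([]) do |e, arr|
-if e['severity'] == 'warn' || e['severity'] == 'error'
-arr << "\n#{e['severity'].upcase}: #{e['message']}"
-end
-end
-$stderr.puts(msgs.join("\n") + "\n\n") unless msgs.empty?
-end
-
-desc 'LDAP sync management commands'
-command :'ldap-sync' do |cgrp|
-
-cgrp.desc 'Manage the policy used to sync Conjur and the LDAP server'
-cgrp.command :policy do |policy|
-min_version policy, '4.8.0'
-
-policy.desc 'Show the current policy'
-policy.command :show do |show|
-min_version show, '4.8.0'
-show.desc 'LDAP Sync profile to use (defined in UI)'
-show.arg_name 'profile'
-show.flag ['p', 'profile']
-
-show.action do |_,options,_|
-
-config_name = options[:profile] || 'default'
-resp = api.ldap_sync_policy(config_name)
-
-show_messages(resp)
-
-if (policy = resp['policy'])
-if resp['ok']
-puts(resp['policy'])
-else
-exit_now! "Failed creating the policy."
-end
-else
-exit_now! resp['error']['message']
-end
-end
-end
-end
-
-# Currently hidden. It's easier to use the CLI than cURL, though,
-# so we might want to expose the profile subcommands.
-cgrp.desc 'Manage profiles for LDAP sync'
-cgrp.command :profile do |profile|
-hide_docs(profile)
-min_version profile, '4.8.0'
-
-profile.desc 'Show the profile'
-profile.command :show do |show|
-min_version show, '4.8.0'
-
-show.arg_name 'profile'
-show.flag ['p', 'profile']
-show.action do |_,options,_|
-display(api.ldap_sync_show_profile(options[:profile]))
-end
-end
-
-profile.desc 'Create or update a profile'
-profile.arg_name 'PROFILE_JSON'
-profile.long_desc %Q{Create or update the given profile.
-The profile JSON may be provided in two ways:
-
-1. As a literal (quoted) JSON string.
-
-2. In a file, by prepending an '@' to the path to the file
-}
-profile.command :update do |update|
-min_version update, '4.8.0'
-
-update.arg_name 'profile'
-update.flag ['p', 'profile']
-update.action do |_, options, args|
-config = require_arg(args, 'PROFILE_JSON')
-config = File.read(config[1..-1]) if config[0] == '@'
-display(api.ldap_sync_update_profile(options[:profile], JSON.parse(config)))
-end
-end
-
-end
-
-cgrp.desc 'Search using an LDAP sync profile'
-cgrp.command :search do |search|
-hide_docs(search)
-min_version search, '4.8.0'
-
-search.desc 'LDAP Sync profile to use (defined in UI)'
-search.arg_name 'profile'
-search.flag ['p', 'profile']
-search.action do |_,options,_|
-resp = api.ldap_sync_search(options[:profile] || 'default')
-
-show_messages(resp)
-
-if resp['ok']
-display resp
-else
-exit_now! "Search failed."
-end
-
-end
-end
-
-end
-end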
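--- a/data/lib/conjur/command/rspec/audit_helpers.rb
+++ /dev/null
@@ -1,68 +0,0 @@
-shared_context "default audit behavior" do
-let(:common_prefix) { "[#{default_audit_event["timestamp"]}] #{default_audit_event["user"]}" }
-
-let(:default_audit_event) {
-{
-"request" => {
-"ip" => "1.2.3.4",
-"url"=>"https://conjur/api",
-"method"=>"POST",
-"uuid" => "abcdef",
-"params"=> {
-"controller"=>"role",
-"action"=>"create",
-"account"=>"the-account"
-}
-},
-"acting_as" => "account:group:admins",
-"conjur" => { # new behaviour
-"user" => "account:user:alice",
-"role" => "account:group:admins",
-"domain" => "authz",
-"env" => "test",
-"account" => "the-account"
-},
-"completely_custom_field" => "with some value",
-"kind" => "some_asset",
-"action" => "some_action",
-"user" => "account:user:alice",
-"id" => 12345,
-"timestamp" => Time.now().to_s,
-"event_id" => "xaxaxaxaxa",
-"resources" => ["the-account:layer:resources/production", "layer:resources/frontend"],
-"roles" => ["the-account:group:roles/qa", "group:roles/ssh_users"]
-}
-}
-
-shared_examples_for "it supports standard prefix:" do
-describe "if acting_as is the same as user" do
-let(:audit_event) { test_event.tap { |e| e["acting_as"]=e["user"] } }
-it "prints default prefix" do
-expect { invoke }.to write(common_prefix)
-end
-it "does not print 'acting_as' statement" do
-expect { invoke }.to_not write(common_prefix+" (as ")
-end
-end
-
-describe "if acting_as is different from user" do
-it 'prints default prefix followed by (acting as..) statement' do
-expect { invoke }.to write(common_prefix+" (as #{audit_event['acting_as']})")
-end
-end
-end
-
-shared_examples_for "it recognizes error messages:" do
-describe "if :error is not empty" do
-let(:audit_event) { test_event.merge("error"=>"everything's down") }
-it 'appends (failed with...) statement' do
-expect { invoke }.to write(" (failed with everything's down)")
-end
-end
-describe "if :error is empty" do
-it 'does not print "failed with" statement' do
-expect { invoke }.not_to write(" (failed with ")
-end
-end
-end
-end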
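--- a/data/lib/conjur/command/rubydsl.rb
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# Copyright (C) 2014 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/command/dsl_command'
-
-class Conjur::Command::RubyDSL < Conjur::DSLCommand
-desc "Manage Ruby DSL policies [DEPRECATED]"
-long_desc 'DEPRECATED. Declarative YML policy supercedes Ruby policy DSL.'
-command :rubydsl do |rubydsl|
-rubydsl.desc "Load a policy from Conjur DSL"
-rubydsl.long_desc <<-DESC
-Loads a Conjur policy from Ruby DSL, applying particular conventions to the role and resource
-ids.
-
-The first path element of each id is the collection. Policies can be separated into collections
-according to software development lifecycle. This allows you to migrate the same policy across environments.
-Often-used collection names: ci, stage, and production.
-
-The second path element of each id is the policy name and version, following the convention
-policy-x.y.z, where x, y, and z are the semantic version of the policy.
-
-Next, each policy creates a policy role and policy resource. The policy resource is used to store
-annotations on the policy. The policy role becomes the owner of the owned policy assets. The
---as-group and --as-role options can be used to set the owner of the policy role. The default
-owner of the policy role is the logged-in user (you), as always.
-DESC
-rubydsl.arg_name "FILE"
-rubydsl.command :load do |c|
-acting_as_option(c)
-collection_option(c)
-context_option(c)
-
-c.action do |_, options, args|
-collection = options[:collection]
-
-if collection.nil?
-run_script args, options
-else
-run_script args, options do |runner, &block|
-runner.scope collection do
-block.call
-end
-end
-end
-end
-end
-
-rubydsl.desc 'Decommision a policy'
-rubydsl.arg_name 'POLICY'
-rubydsl.command :retire do |c|
-retire_options c
-
-c.action do |global_options, options, args |
-id = "policy:#{require_arg(args, 'POLICY')}"
-
-# policy isn't a rolsource (yet), but we can pretend
-Policy = Struct.new(:role, :resource)
-rubydsl = Policy.new(api.role(id), api.resource(id))
-
-validate_retire_privileges(rubydsl, options)
-
-retire_resource(rubydsl)
-
-# The policy resource is owned by the policy role. Having the
-# policy role is what allows us to administer it. So, we have
-# to give the resource away before we can revoke the role.
-give_away_resource(rubydsl, options)
-
-retire_role(rubydsl)
-
-puts 'Policy retired'
-end
-end
-
-end
-end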