conjur-cli 5.6.6 → 6.0.0.rc1

data/lib/conjur/command/script.rb

@@ -1,48 +0,0 @@
-#
-# Copyright (C) 2013 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-require 'conjur/command/dsl_command'
-
-class Conjur::Command::Script < Conjur::DSLCommand
-  desc "Execute Ruby DSL scripts"
-  command :script do |script|
-    script.desc "Run a Conjur DSL script"
-    script.arg_name "script"
-    script.command :execute do |c|
-      acting_as_option(c)
-      collection_option(c)
-      context_option(c)
-
-      c.action do |_, options, args|
-        collection = options[:collection]
-
-        if collection.nil?
-          run_script args, options
-        else
-          run_script args, options do |runner, &block|
-            runner.scope collection do
-              block.call
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/conjur/command/server.rb

@@ -1,67 +0,0 @@
-#
-# Copyright (C) 2016 Conjur Inc
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy of
-# this software and associated documentation files (the "Software"), to deal in
-# the Software without restriction, including without limitation the rights to
-# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-# the Software, and to permit persons to whom the Software is furnished to do so,
-# subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-class Conjur::Command::Server < Conjur::Command
-  desc 'Show Conjur client and server versions'
-  command :version do |v|
-    v.action do |*_|
-      puts "Conjur client version #{Conjur::VERSION}"
-      show_server_version
-    end
-  end
-
-  desc 'Server information'
-  command :server do |server|
-    server.desc 'Show service versions'
-    server.command :version do |c|
-      c.action do |*_|
-        show_server_version
-      end
-    end
-
-    server.desc 'Show general server information'
-    server.command :info do |c|
-      c.action do |*_|
-        display Conjur::API.appliance_info
-      end
-    end
-
-    server.desc 'Show server health information'
-    server.command :health do |c|
-      c.desc 'Show health information for a remote host, from the perspective of this server'
-      c.flag :h, :host
-      c.action do |_, options, _|
-        display Conjur::API.appliance_health(options[:host])
-      end
-    end
-  end
-
-  class << self
-    def show_server_version
-      services = Conjur::API.appliance_info['services']
-      appliance = services.delete 'appliance'
-      puts "Conjur appliance version: #{appliance['version']}"
-      puts 'Conjur service versions:'
-      services.each do |name,info|
-        puts "  #{name}: #{info['version']}"
-      end
-    end
-  end
-end

data/lib/conjur/conjurize.rb

@@ -1,71 +0,0 @@
-require 'methadone'
-require 'json'
-require 'open-uri'
-require 'conjur/version.rb'
-require "conjur/conjurize/script"
-
-module Conjur
-  class Conjurize
-    include Methadone::Main
-    include Methadone::CLILogging
-
-    description <<-DESC
-Generate a script to install Conjur onto a machine. "conjurize" is designed to be used
-in a piped execution, along with "conjur host create" and "ssh". For example:
-
-conjur host create myhost.example.com | tee host.json | conjurize --ssh | ssh myhost.example.com
-DESC
-
-    version Conjur::VERSION
-
-    main do
-      input = if input_file = options[:f]
-        File.read(input_file)
-      else
-        STDIN.read
-      end
-
-      puts generate JSON.parse input
-    end
-
-    def self.generate host
-      config = configuration host
-
-      if options[:json]
-        JSON.dump config
-      else
-        Script.generate config, options
-      end
-    end
-
-    def self.apply_client_config
-      require "conjur/cli"
-      if conjur_config = options[:c]
-        Conjur::Config.load [ conjur_config ]
-      else
-        Conjur::Config.load
-      end
-      Conjur::Config.apply
-    end
-
-    def self.configuration host
-      apply_client_config
-
-      host.merge \
-        "account" => Conjur.configuration.account,
-        "appliance_url" => Conjur.configuration.appliance_url,
-        "certificate" => File.read(Conjur.configuration.cert_file).strip
-    end
-
-    on("-c CONJUR_CONFIG_FILE", "Overrides defaults (CONJURRC env var, ~/.conjurrc, /etc/conjur.conf).")
-    on("-f HOST_JSON_FILE", "Host login and API key can be read from the output emitted from 'conjur host create'. This data can be obtained from stdin, or from a file.")
-    on("--chef-executable PATH", "If specified, the designated chef-solo executable is used, otherwise Chef is installed on the target machine.")
-    on("--ssh", "Indicates that Conjur SSH should be installed.")
-    on("--sudo", "Indicates that all commands should be run via 'sudo'.")
-    on("--conjur-cookbook-url NAME", "Overrides the default Chef cookbook URL for Conjur SSH.")
-    on("--conjur-run-list RUNLIST", "Overrides the default Chef run list for Conjur SSH.")
-    on \
-      "--json",
-      "Don't generate the script, instead just dump the configuration as JSON"
-  end
-end

data/lib/conjur/conjurize/script.rb

@@ -1,150 +0,0 @@
-require "json"
-require "open-uri"
-
-class Conjur::Conjurize
-  # generates a shell script to conjurize a host
-  class Script
-    COOKBOOK_RELEASES_URL =
-      "https://api.github.com/repos/conjur-cookbooks/conjur/releases".freeze
-
-    def self.tarballs_of_releases releases
-      releases.map do |release|
-        assets = release["assets"].select do |asset|
-          asset["name"] =~ /conjur-v\d.\d.\d.tar.gz/
-        end
-
-        [release["name"], assets.map { |asset| asset["browser_download_url"] }]
-      end
-    end
-
-    def self.latest_conjur_cookbook_release
-      json = JSON.parse open(COOKBOOK_RELEASES_URL).read
-      tarballs = tarballs_of_releases json
-
-      latest = tarballs.first
-      selected = tarballs.find { |release| !release[1].empty? }
-
-      if selected != latest
-        warn "WARNING: Latest cookbook release (#{latest.first}) does not "\
-            "contain a valid package. Falling back to #{selected.first}."
-      end
-
-      selected[1].first
-    end
-
-    HEADER = <<-HEADER.freeze
-#!/bin/sh
-set -e
-
-# Implementation note: 'tee' is used as a sudo-friendly 'cat' to populate a file with the contents provided below.
-    HEADER
-
-    def initialize options
-      @options = options
-    end
-
-    attr_reader :options
-
-    def sudo
-      @sudo ||= options["sudo"] ? ->(x) { "sudo -n #{x}" } : ->(x) { x }
-    end
-
-    # Generate a piece of shell to write to a file
-    # @param path [String] absolute path to write to
-    # @param content [String] contents to write
-    # @option options [String, Fixnum] :mode mode to apply to the file
-    def write_file path, content, options = {}
-      [
-        ((mode = options[:mode]) && set_mode(path, mode)),
-        [sudo["tee"], path, "> /dev/null << EOF"].join(" "),
-        content.strip,
-        "EOF\n"
-      ].compact.join("\n")
-    end
-
-    def set_mode path, mode
-      mode = mode.to_s(8) if mode.respond_to? :to_int
-      [
-        [sudo["touch"], path].join(" "),
-        [sudo["chmod"], mode, path].join(" ")
-      ].join("\n")
-    end
-
-    def self.generate configuration, options
-      new(options).generate configuration
-    end
-
-    def install_chef?
-      run_chef? && !options[:"chef-executable"]
-    end
-
-    def run_chef?
-      options.values_at(:ssh, :"conjur-run-list").any?
-    end
-
-    def chef_executable
-      options[:"chef-executable"] || "chef-solo"
-    end
-
-    def conjur_cookbook_url
-      options[:"conjur-cookbook-url"] || Script.latest_conjur_cookbook_release
-    end
-
-    def conjur_run_list
-      options[:"conjur-run-list"] || "conjur"
-    end
-
-    def chef_script
-      @chef_script ||= [
-        ("curl -L https://www.opscode.com/chef/install.sh | " + sudo["bash"] \
-          if install_chef?),
-        (sudo["#{chef_executable} --recipe-url #{conjur_cookbook_url} " \
-            "-o #{conjur_run_list}"] if run_chef?)
-      ].join "\n"
-    end
-
-    def self.rc configuration
-      [
-        "account: #{configuration['account']}",
-        "appliance_url: #{configuration['appliance_url']}",
-        "cert_file: /etc/conjur-#{configuration['account']}.pem",
-        "netrc_path: /etc/conjur.identity",
-        "plugins: []"
-      ].join "\n"
-    end
-
-    def self.identity configuration
-      """
-        machine #{configuration['appliance_url']}/authn
-        login host/#{configuration['id']}
-        password #{configuration['api_key']}
-      """
-    end
-
-    def configure_conjur configuration
-      [
-        write_file("/etc/conjur.conf", Script.rc(configuration)),
-        write_file(
-          "/etc/conjur-#{configuration['account']}.pem",
-          configuration["certificate"]
-        ),
-        write_file(
-          "/etc/conjur.identity",
-          Script.identity(configuration),
-          mode: 0600
-        )
-      ].join "\n"
-    end
-
-    def generate configuration
-      fail "No 'id' field in host JSON" unless configuration["id"]
-      fail "No 'api_key' field in host JSON" unless configuration["api_key"]
-
-      [
-        HEADER,
-        configure_conjur(configuration),
-        chef_script
-      ].join("\n")
-    end
-  end
-end

data/lib/conjur/dsl/runner.rb

@@ -1,273 +0,0 @@
-require 'conjur/identifier_manipulation'
-
-module Conjur
-  module DSL
-    # Entry point for the Conjur DSL.
-    # 
-    # Methods are available in two categories: name scoping and asset building.
-    class Runner
-      include Conjur::IdentifierManipulation
-      
-      attr_reader :script, :filename, :context
-      attr_reader :policy_role, :policy_resource
-      
-      def initialize(script, filename = nil)
-        @context = {
-          "account" => Conjur.account,
-          "api_keys" => {}
-        }
-        
-        @context['env']   = Conjur.env unless Conjur.env == 'production'
-        @context['stack'] = Conjur.stack unless Conjur.stack == 'v4'
-        @context['appliance_url']   = Conjur.configuration.appliance_url unless Conjur.configuration.appliance_url.nil?
-        @context['ssl_certificate'] = File.read(Conjur.configuration.cert_file) unless Conjur.configuration.cert_file.nil?
-
-        @script = script
-        @filename = filename
-        @api = nil
-        @scopes = Array.new
-        @owners = Array.new
-        @objects = Array.new
-      end
-      
-      def owner=(owner)
-        raise "Owner should only be set once" unless @owners.empty?
-        @owners.push owner
-      end
-      
-      # Provides a hash to export various application specific
-      # asset ids (or anything else you want)
-      def assets
-        @context['assets'] ||= {}
-      end
-      
-      def api
-        @api ||= connect
-      end
-      
-      def context=(context)
-        @context.deep_merge! context
-      end
-      
-      def api_keys
-        @context["api_keys"]
-      end
-      
-      def current_object
-        !@objects.empty? ? @objects.last : nil
-      end
-      
-      # Current scope, used as a path/delimited/prefix to a role or resource id.
-      def current_scope
-        !@scopes.empty? ? @scopes.join('/') : nil
-      end
-      
-      # Current scope, used for user@scope.
-      def current_user_scope
-        current_scope ? current_scope.gsub(/[^\w]/, '-') : nil
-      end
-      
-      def scope name = nil, &block
-        if name != nil
-          do_scope name, &block
-        else
-          current_scope
-        end
-      end
-      
-      def namespace ns = nil, &block
-        if block_given?
-          ns ||= context["namespace"]
-          if ns.nil?
-            require 'conjur/api/variables'
-            ns = context["namespace"] = api.create_variable("text/plain", "namespace").id
-          end
-          do_scope ns, &block
-          context
-        else
-          @scopes[0]
-        end
-      end
-      
-      def policy id, &block
-        self.role "policy", id do |role|
-          @policy_role = role
-          context["policy"] = role.identifier
-          self.owns do
-            self.resource "policy", id do |resource|
-              @policy_resource = resource
-              scope id do
-                block.call if block_given?
-              end
-            end
-          end
-        end
-      end
-      
-      alias model namespace
-      
-      def execute
-        args = [ script ]
-        args << filename if filename
-        instance_eval(*args)
-      end
-      
-      def resource kind, id = nil, options = {}, &block
-        id = full_resource_id([kind, qualify_id(id, kind) ].join(':'))
-        find_or_create :resource, id, options, &block
-      end
-      
-      def role kind, id = nil, options = {}, &block
-        id = full_resource_id([ kind, qualify_id(id, kind) ].join(':'))
-        find_or_create :role, id, options, &block
-      end
-
-      # purpose and existence of this method are unobvious for model designer 
-      # just "variable" in DSL works fine through method_missing
-      # is this method OBSOLETED ?
-      #   https://basecamp.com/1949725/projects/4268938-api-version-4-x/todos/84972543-low-variable
-      def create_variable id = nil, options = {}, &block
-        options[:id] = id if id
-        mime_type = options.delete(:mime_type) || 'text/plain'
-        kind = options.delete(:kind) || 'secret'
-        var = api.create_variable(mime_type, kind, options)
-        do_object var, &block
-      end
-      
-      def owns
-        @owners.push current_object
-        begin
-          yield
-        ensure
-          @owners.pop
-        end
-      end
-      
-      protected
-      
-      def qualify_id id, kind
-        if id && id[0] == "/"
-          id[1..-1]
-        else
-          case kind.to_sym
-          when :user
-            raise "User id is required" unless id
-            [ id, current_user_scope ].compact.join('@')
-          else
-            [ current_scope, id ].compact.join('/')
-          end
-        end
-      end
-      
-      def method_missing(sym, *args, &block)
-        if create_compatible_args?(args) && api.respond_to?(sym)
-          id = args[0]
-          id = qualify_id(id, sym)
-          find_or_create sym, id, args[1] || {}, &block
-        elsif current_object && current_object.respond_to?(sym)
-          current_object.send(sym, *args, &block)
-        else
-          super
-        end
-      end
-      
-      def create_compatible_args?(args)
-        valid_prototypes = [
-          lambda { args.length == 1 },
-          lambda { args.length == 2 && args[1].is_a?(Hash) }
-        ]
-        if current_scope
-          # If there is a scope, it's valid to create a record without an id, because the
-          # scope name will be used as the id.
-          valid_prototypes << lambda { args.length == 0 }
-        end
-        !valid_prototypes.find{|p| p.call}.nil?      
-      end
-      
-      def find_or_create(type, id, options, &block)
-        find_method = type.to_sym
-        create_method = "create_#{type}".to_sym
-
-        # TODO: find a way to pass annotations as part of top-level options hash
-        #   https://basecamp.com/1949725/projects/4268938-api-version-4-x/todos/84965324-low-dsl-design
-        annotations = options.delete(:annotations) || {}
-
-        unless (obj = api.send(find_method, id)) && obj.exists?
-          options = expand_options(options)
-
-          # create_resource and create_role expect :acting_as to
-          # specify the "owning" role.
-          if create_method == :create_resource || create_method == :create_role
-            options[:acting_as] = options.delete(:ownerid) if options[:ownerid]
-          end
-
-          obj = if create_method == :create_variable
-            #NOTE: it duplicates logic of "create_variable" method above
-            #   https://basecamp.com/1949725/projects/4268938-api-version-4-x/todos/84972543-low-variable
-            options[:id] = id
-            mime_type = options.delete(:mime_type) || annotations[:mime_type] || 'text/plain'
-            kind = options.delete(:kind) || annotations[:kind] || 'secret'
-            api.send(create_method, mime_type, kind, options)
-          elsif [ 2, -2 ].member?(api.method(create_method).arity)
-            api.send(create_method, id, options)
-          else
-            options[:id] = id
-            api.send(create_method, options)
-          end
-        end
-        if annotations.kind_of?(Hash) && !annotations.blank?
-          # TODO: fix API to make 'annotations' available directly on objects
-          #   https://basecamp.com/1949725/projects/4268938-api-version-4-x/todos/84970444-high-support
-          obj_as_resource = obj.resource
-          annotations.each { |k,v| obj_as_resource.annotations[k]=v }
-        end
-        do_object obj, &block
-      end
-      
-      def do_object obj, &block
-        begin
-          api_keys[obj.roleid] = obj.api_key if obj.respond_to?(:api_key) && obj.api_key 
-        rescue
-        end
-        
-        @objects.push obj
-        begin
-          yield obj if block_given?
-          obj
-        ensure
-          @objects.pop
-        end
-      end
-      
-      def do_scope name, &block
-        return unless block_given?
-        
-        @scopes.push(name)
-        begin
-          yield
-        ensure
-          @scopes.pop
-        end
-      end
-      
-      def owner(options)
-        owner = options[:owner] || @owners.last
-        owner = owner.roleid if owner.respond_to?(:roleid)
-        owner
-      end
-      
-      def expand_options(opts)
-        (opts || {}).tap do |options|
-          if owner = owner(options)
-            options[:ownerid] = owner
-          end
-        end
-      end
-      
-      def connect
-        require 'conjur/authn'
-        Conjur::Authn.connect      
-      end
-    end
-  end
-end