conjur-cli 5.6.6 → 6.0.0.rc1

data/features/support/world.rb

@@ -1,88 +1,28 @@
-require 'conjur/api'
-module ConjurWorld
-  def last_json
-    last_stdout
-  end
-
-  def last_stdout
-    raise "No commands have been run" unless last_cmd
-    stdout_from last_cmd
-  end
-  
-  attr_accessor :last_cmd
-  
-  def account
-    Conjur::Core::API.conjur_account
-  end
-
-  def role_kind
-    @role_kind ||= "cli-cukes"
-  end
-
-  def role_id_map
-    @role_id_map ||= {}
+module CLIWorld
+  def tempfiles
+    @tempfiles ||= []
   end
 
-  def extract_filtered_graph json
-    graph = JSON.parse(json) if json.kind_of?(String)
-    case graph
-      when Hash then filter_hash_graph(graph)
-      when Array then filter_array_graph(graph)
-      else raise "WTF: graph was #{graph.class}?"
-    end
-  end
-  
-  def filter_hash_graph graph
-    allowed = role_id_map.values
-    edges = graph['graph']
-    filtered = edges.select do |edge|
-      allowed.member?(edge['parent']) and allowed.member?(edge['child'])
+  def api_key_of username
+    role = @policy_response.created_roles["cucumber:user:#{username}"]
+    if role
+      role['api_key']
+    else
+      $conjur.resource("cucumber:user:#{username}").rotate_api_key
     end
-    {'graph' => filtered}
   end
-  
-  def filter_array_graph graph
-    allowed = role_id_map.values
-    graph.select do |edge|
-      edge.all?{|v| allowed.member?(v)}
-    end
-  end
-  
-  def graph edges
-    # generate roles
-    edges.flatten.uniq.each do |role_id|
-      role_id_map[role_id] = expanded = expand_role_id(role_id)
-      run_command "conjur role create '#{expanded}'"
-    end
 
-    # generate memberships
-    edges.each do |parent, child|
-      run_command "conjur role grant_to #{expand_role_id(parent)} #{expand_role_id(child)}"
-    end
+  def clear_last_json
+    @last_json = nil
   end
 
-  def run_command cmd
-    step "I successfully run " + '`' + cmd + '`'
+  def last_json
+    @last_json || last_command_started.stdout
   end
 
-  def expand_role_id role_id
-    "#{account}:#{role_kind}:#{prepend_namespace role_id}"
-  end
-  
-  def prepend_namespace id
-    "#{namespace}-#{id}"
-  end
-  
-  def namespace
-    @namespace ||= "ns-#{Time.now.to_i}-#{rand(1 << 32)}"
-  end
-  
-  def expand_roles string
-    role_id_map.each do |role, expanded|
-      string.gsub! role, expanded
-    end
-    string
+  def load_policy id, policy, method
+    @policy_response = $conjur.load_policy id, policy, method: method
   end
 end
 
-World(ConjurWorld)
+World(CLIWorld)

data/jenkins.sh

@@ -0,0 +1,33 @@
+#!/bin/bash -ex
+
+# Constants
+RUBY_VERSION_DEFAULT="2.2.4"
+
+# Arguments
+RUBY_VERSION=${1-${RUBY_VERSION_DEFAULT}}
+
+# Script
+
+# Clones 'Dockerfile' and updates the Ruby version in FROM, returning the cloned file's path
+function dockerfile_path {
+    echo "Setting Ruby version as ${RUBY_VERSION}" >&2
+    cp "Dockerfile" "Dockerfile.${RUBY_VERSION}"
+    sed -i -e "s/${RUBY_VERSION_DEFAULT}/${RUBY_VERSION}/g" Dockerfile.${RUBY_VERSION}
+
+    echo "Dockerfile.${RUBY_VERSION}"
+}
+
+rm -f Gemfile.lock # Needed for bundle to work right
+
+IMAGE_NAME="cli-ruby:${RUBY_VERSION}" # The tag is the version of Ruby tested against
+
+docker build -t ${IMAGE_NAME} -f $(dockerfile_path) .
+
+docker run --rm \
+-v $PWD:/src \
+${IMAGE_NAME} \
+bash -c '''
+bundle update
+bundle exec rake jenkins
+bundle exec rake build
+'''

data/lib/conjur/authenticator.rb

@@ -0,0 +1,83 @@
+module Conjur
+  # Keeps a fresh Conjur access token in a named file by re-authenticating as needed.
+  class Authenticator
+    require 'tempfile'
+    require 'fileutils'
+
+    TOKEN_LIFESPAN = ( ENV['CONJUR_TOKEN_LIFESPAN'] || 5 * 60 ).to_i.seconds
+    DELAY = ( ENV['CONJUR_TOKEN_REFRESH_DELAY'] || 10 ).to_i.seconds
+
+    attr_reader :authenticate, :filename
+
+    # +authenticate+ should be a proc that authenticates with Conjur and returns an 
+    # access token as a Hash.
+    def initialize authenticate, filename
+      @authenticate = authenticate
+      @filename = filename
+    end
+
+    class << self
+      def default_filename
+        "/run/conjur-access-token"
+      end
+
+      # Check the token every +DELAY+ seconds and refresh it if it's out of date. 
+      def run authenticate:, filename: default_filename
+        while true
+          authenticator = Authenticator.new(authenticate, filename)
+          authenticator.refresh unless authenticator.fresh?
+          sleep DELAY
+        end
+      end
+    end
+
+    def fresh?
+      token && (token_age <= TOKEN_LIFESPAN)
+    end
+
+    # Perform atomic replacement of the token
+    def refresh
+      token = authenticate.call
+      file = Tempfile.new('conjur-access-token.')
+      begin
+        file.write JSON.pretty_generate(token)
+        file.close
+        FileUtils.mv file.path, filename
+        Conjur.log << "Refreshed Conjur auth token to #{filename.inspect}\n" if Conjur.log
+      ensure
+        file.unlink
+      end
+    rescue
+      $stderr.puts $!
+    end
+
+    def token
+      return false if @token == false
+      @token ||= load_token
+    end
+
+    protected
+
+    def random nbytes = 12
+      @random ||= Random.new
+      @random.bytes(nbytes).unpack('h*').first
+    end
+
+    def directory
+      File.dirname(filename)
+    end
+
+    def load_token
+      return false unless File.file?(filename)
+      JSON.parse(File.read(filename)) rescue false
+    end
+
+    def token_born
+      File.mtime(filename)
+    end
+
+    def token_age
+      Time.now - token_born
+    end
+  end
+end

data/lib/conjur/authn.rb

@@ -34,7 +34,6 @@ module Conjur::Authn
     end
   end
   
-  autoload :API,      'conjur/authn-api'
   class << self
     def login(options = {})
       delete_credentials
@@ -43,18 +42,14 @@ module Conjur::Authn
     
     def authenticate(options = {})
       require 'conjur/api'
-      Conjur::API.authenticate(*get_credentials(options))
+      Conjur::API.authenticate *get_credentials(options)
     end
     
     def delete_credentials
-      netrc.delete host
+      netrc.delete Conjur.configuration.authn_url
       netrc.save
     end
     
-    def host
-      Conjur::Authn::API.host
-    end
-    
     def netrc
       @netrc ||= read_netrc
     end
@@ -83,7 +78,7 @@ module Conjur::Authn
     end
     
     def read_credentials
-      netrc[host]
+      netrc[Conjur.configuration.authn_url]
     end
     
     def fetch_credentials(options = {})
@@ -94,7 +89,7 @@ module Conjur::Authn
     alias save_credentials fetch_credentials
     
     def write_credentials
-      netrc[host] = @credentials
+      netrc[Conjur.configuration.authn_url] = @credentials
       netrc.save
       @credentials
     end
@@ -128,10 +123,8 @@ module Conjur::Authn
       end
       if token = token_from_environment
         cls.new_from_token token
-      elsif token_file = token_from_file
-        cls.new_from_token_file token_file
       else
-        cls.new_from_key(*get_credentials(options))
+        cls.new_from_key *get_credentials(options)
       end
     end
     
@@ -155,13 +148,5 @@ module Conjur::Authn
       require 'base64'
       JSON.parse(Base64.decode64(token))
     end
-
-    def token_from_file
-      token_file = ENV['CONJUR_AUTHN_TOKEN_FILE']
-      if token_file && !File.exists?(token_file)
-        $stderr.puts "Warning: CONJUR_AUTHN_TOKEN_FILE #{token_file.inspect} does not exist"
-      end
-      token_file
-    end
   end
 end

data/lib/conjur/cli.rb

@@ -37,6 +37,7 @@ module Conjur
   autoload :Log,                    'conjur/log'
   autoload :IdentifierManipulation, 'conjur/identifier_manipulation'
   autoload :Authn,                  'conjur/authn'
+  autoload :Authenticator,          'conjur/authenticator'
   autoload :Command,                'conjur/command'
   autoload :DSL,                    'conjur/dsl/runner'
   autoload :DSLCommand,             'conjur/command/dsl_command'
@@ -117,7 +118,7 @@ module Conjur
       require 'conjur/api'
 
       if command.name_for_help.first == "init" and options.has_key?("account")
-        ENV["CONJUR_ACCOUNT"]=options["account"]
+        ENV["CONJUR_ACCOUNT"] = options["account"]
       end
       apply_config
       require 'active_support/core_ext'
@@ -154,12 +155,18 @@ module Conjur
         $stderr.puts "error: this command is not supported by the current Conjur server version"
         run_default_handler = false
       elsif exception.is_a?(RestClient::Exception) && exception.response
-        err = Conjur::Error.create exception.response.body
-        if err
-          $stderr.puts "error: " + err.message
-          run_default_handler = false # suppress default error message
+        if exception.http_code == 401
+          $stderr.puts "Unable to authenticate with Conjur. Please check your credentials."
+          run_default_handler = false
         else
-          $stderr.puts exception.response.body
+          err = Conjur::Error.create exception.response.body
+
+          if err
+            $stderr.puts "error: " + err.message
+            run_default_handler = false # suppress default error message
+          else
+            $stderr.puts exception.response.body
+          end
         end
       end
 

data/lib/conjur/command.rb

@@ -19,7 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 require 'base64'
-require 'semantic'
 
 module Conjur
   class Command
@@ -29,7 +28,7 @@ module Conjur
     
     class << self
       attr_accessor :prefix
-
+      
       def method_missing *a, &b
         Conjur::CLI.send *a, &b
       end
@@ -70,61 +69,12 @@ module Conjur
         def command.nodoc; true end
       end
 
-      def acting_as_option command
-        return if command.flags.member?(:"as-group") # avoid duplicate flags
-        command.desc 'Perform all actions as the specified Group'
-        command.arg_name 'GROUP'
-        command.flag [:'as-group']
-
-        command.desc 'Perform all actions as the specified Role'
-        command.arg_name 'ROLE'
-        command.flag [:'as-role']
-      end
-
-      def collection_option command
-        command.desc 'An optional prefix for created roles and resources'
-        command.arg_name 'collection'
-        command.flag [:collection]
-      end
-
       def context_option command
         command.desc "Load context from this config file, and save it when finished. The file permissions will be 0600 by default."
         command.arg_name "FILE"
         command.flag [:c, :context]
       end
       
-      def interactive_option command
-        command.arg_name 'interactive'
-        command.desc 'Create variable interactively'
-        command.switch [:i, :'interactive']
-      end
-      
-      def annotate_option command
-        command.arg_name 'annotate'
-        command.desc 'Add variable annotations interactively'
-        command.switch [:a, :annotate]
-      end
-
-      def min_version command, version
-        version = Semantic::Version.new version
-        if version.pre == nil
-          # Version check doesn't work correctly if one version has
-          # the "-###" suffix and the other does not. Versions
-          # returned by the server have the suffix.
-          version.pre = "0"
-        end
-        command.instance_variable_set(:@conjur_min_version, version)
-      end
-
-      def prompt_for_annotations
-        highline.say('Add annotations (a name and value for each one):')
-        {}.tap do |annotations|
-          until (name = highline.ask('  annotation name (press enter to quit annotations): ')).empty?
-            annotations[name] = read_till_eof('  annotation value (^D on its own line to finish):')
-          end
-        end
-      end
-      
       def highline
         require 'highline'
         @highline ||= HighLine.new($stdin,$stderr)
@@ -142,62 +92,35 @@ module Conjur
           end
         end.join("\n")
       end
-
-      def command_option_kind c
-        c.desc "Filter by kind"
-        c.flag [:k, :kind]
-      end
-
-      def command_option_as_role c
+      
+      def command_options_for_list(c)
         return if c.flags.member?(:role) # avoid duplicate flags
         c.desc "Role to act as. By default, the current logged-in role is used."
         c.arg_name 'ROLE'
         c.flag [:role]
-      end
-
-      def command_options_for_search c
+    
         c.desc "Full-text search on resource id and annotation values" 
         c.flag [:s, :search]
         
+        c.desc "Maximum number of records to return"
+        c.flag [:l, :limit]
+        
         c.desc "Offset to start from"
         c.flag [:o, :offset]
         
-        c.desc "Maximum number of records to return"
-        c.flag [:l, :limit]
-
-        c.desc "Show the number of results, rather than printing them"
-        c.switch [:count]
-      end
-
-      def command_options_for_list(c)
-        command_option_as_role c
-        command_options_for_search c
-
-        c.desc "Show only ids"
-        c.switch [:i, :ids]
-
+        c.desc "Show full object information"
+        c.switch [:inspect]
+        
         c.desc "Show annotations in 'raw' format"
         c.switch [:r, :"raw-annotations"]
       end
-
-      def process_command_options_for_search options
-        opts = options.slice(:search, :count, :limit, :offset, :kind)
-        opts[:acting_as] = options[:role] if options[:role]
-        opts[:search] = opts[:search].gsub('-',' ') if opts[:search]
-        if opts[:kind] && opts[:kind].index(',')
-          opts[:kind] = opts[:kind].split(',')
-        end
-        opts
-      end
       
       def command_impl_for_list(global_options, options, args)
-        opts = process_command_options_for_search(options)
+        opts = options.slice(:search, :limit, :options, :kind) 
+        opts[:acting_as] = options[:role] if options[:role]
+        opts[:search]=opts[:search].gsub('-',' ') if opts[:search]
         resources = api.resources(opts)
-        if resources.is_a?(Numeric)
-          puts resources
-        elsif options[:ids]
-          puts JSON.pretty_generate(resources.map(&:resourceid))
-        else
+        if options[:inspect]
           resources = resources.map &:attributes
           unless options[:'raw-annotations']
             resources = resources.map do |r|
@@ -209,6 +132,8 @@ module Conjur
             end
           end
           puts JSON.pretty_generate resources
+        else
+          puts JSON.pretty_generate(resources.map(&:id))
         end
       end
       
@@ -220,160 +145,24 @@ module Conjur
         end
         exit_now! message unless valid
       end
-      
-      def retire_options command
-        command.arg_name 'role'
-        command.desc "Specify a role to give the retired record to (default: the 'attic' user)"
-        command.long_desc %Q(When retired, all a record's roles and permissions are revoked.
-        
-As a final step, the record is 'given' (e.g. 'conjur resource give') to a destination role.
-The default role to receive the record is the user 'attic'. This option can be used to specify
-an alternative destination role.)
-        command.flag [:d, :"destination-role"]
-      end
-      
-      def destination_role options
-        destination = options[:"destination-role"]
-        if destination
-          api.role(destination)
-        else
-          api.user('attic')
-        end
-      end
-      
-      def elevated?
-        api.privilege == 'elevate' && api.global_privilege_permitted?('elevate')
-      end
-      
-      def validate_retire_privileges record, options
-        return true if elevated?
-        
-        if record.respond_to?(:role)
-          memberships = current_user.role.memberships.map(&:roleid)
-          validate_privileges "You can't administer this record" do
-            # The current user has a role which is admin of the record's role
-            record.role.members.find{|m| memberships.member?(m.member.roleid) && m.admin_option}
-          end
-        end
-        
-        validate_privileges "You don't own the record" do
-          # The current user has the role which owns the record's resource
-          current_user.role.member_of?(record.resource.ownerid)
-        end
-        
-        role = destination_role(options)
-        exit_now! "Destination role '#{role.roleid}' doesn't exist" unless role.exists?
-      end
-      
-      def retire_resource obj
-        obj.resource.attributes['permissions'].each do |p|
-          role = api.role(p['role'])
-          privilege = p['privilege']
-          next if obj.respond_to?(:roleid) && role.roleid == obj.roleid && privilege == 'read'
-          puts "Denying #{privilege} privilege to #{role.roleid}"
-          obj.resource.deny(privilege, role)
-        end
-      end
-        
-      def retire_role obj
-        members = obj.role.members
-        # Move the invoking role to the end of the roles list, so that it doesn't
-        # lose its permissions in the middle of this operation.
-        # I'm sure there's a cleaner way to do this.
-        self_member = members.select{|m| m.member.roleid == current_user.role.roleid}
-        self_member.each do |m|
-          members.delete m
-        end
-        members.concat self_member if self_member
-        members.each do |r|
-          member = api.role(r.member)
-          puts "Revoking from role #{member.roleid}"
-          obj.role.revoke_from member
-        end
-      end
-
-      def retire_internal_role roleObj
-        members = roleObj.members
-        # Move the invoking role to the end of the roles list, so that it doesn't
-        # lose its permissions in the middle of this operation.
-        self_member = members.select{|m| m.member.roleid == current_user.role.roleid}
-        self_member.each do |m|
-          members.delete m
-        end
-        members.concat self_member if self_member
-        members.each do |r|
-          member = api.role(r.member)
-          puts "Revoking from role #{member.roleid}"
-          roleObj.revoke_from member
-        end
-      end
-      
-      def give_away_resource obj, options
-        destination = options[:"destination-role"]
-        destination_role = if destination
-          api.role(destination)
-        else
-          api.user('attic')
-        end
 
-        exit_now! "Role #{destination_role.roleid} doesn't exist" unless destination_role.exists?
-        
-        puts "Giving ownership to '#{destination_role.roleid}'"
-        obj.resource.give_to destination_role
-      end
-      
-      # Displays members, which may be either:
-      #
-      # * A numeric count
-      # * A list of role ids
-      # * A list of RoleGrant
-      #
-      # +options+ may include:
-      #
-      # * **V** Show full RoleGrant info
-      # * **system** show system (internal) roles
-      #
-      # @return [Numeric, Hash] Convert the input to a number or Hash.
-      def display_members(members, member_field, options)
-        # Get this case out of the way
-        return display(members) if members.is_a?(Numeric)
-
-        result, roleid_function = if members.blank?
-          [ [], nil ]
-        elsif members.first.is_a?(Conjur::RoleGrant)
-          if options[:V]
-            items = members.collect do |member|
-              {
-                member: member.member.roleid,
-                grantor: member.grantor.roleid,
-                admin_option: member.admin_option
-              }.tap do |obj|
-                obj[:role] = member.role.roleid if member.role
-              end
-            end
-            [
-              items, lambda {|member| member[member_field] }
-            ]
-          else
-            [ members.map{|m| m.send(member_field) }.map(&:roleid), lambda{|r| r} ]
-          end
+      def display_members(members, options)
+        result = if options[:V]
+          members.collect {|member|
+            {
+              role: member.role.id,
+              member: member.member.id,
+              admin_option: member.admin_option
+            }
+          }
         else
-          [ members.map(&:roleid), lambda{|r| r} ]
+          members.map(&:member).map(&:id)
         end
-
-        unless options[:system]
-          result.reject! do |member|
-            roleid_function.call(member) =~ /^.+?:@/
-          end
-        end
-
         display result
       end
 
       def display(obj, options = {})
-        str = if obj.is_a?(Numeric)
-          obj.to_s
-        elsif obj.respond_to?(:attributes)
+        str = if obj.respond_to?(:attributes)
           JSON.pretty_generate obj.attributes
         elsif obj.respond_to?(:id)
           obj.id
@@ -387,105 +176,9 @@ an alternative destination role.)
         puts str
       end
 
-      def prompt_to_confirm kind, properties
-        puts
-        puts "A new #{kind} will be created with the following properties:"
-        puts
-        properties.select{|k,v| !v.blank?}.each do |k,v|
-          printf "%-10s: %s\n", k, v
-        end
-        puts
-        
-        exit(0) unless %w(yes y).member?(highline.ask("Proceed? (yes/no): ").strip.downcase)
-      end
-      
       def integer? v
         Integer(v, 10) rescue false
       end
-    
-      def prompt_for_id kind, label = 'id'
-        highline.ask("Enter the #{label}: ") do |q|
-          q.readline = true
-          q.validate = lambda{|id|
-            !id.blank? && !api.send(kind, id).exists?
-          }
-          q.responses[:not_valid] = "<% if @answer.blank? %>"\
-              "#{label} cannot be blank<% else %>"\
-              "A #{kind} called '<%= @answer %>' already exists<% end %>"
-        end
-      end
-
-      def prompt_for_public_key
-        public_key = highline.ask("Enter the public key (press enter to skip): ") do |q|
-          q.validate = lambda{|key|
-            if key.blank?
-              true
-            else
-              validate_public_key key
-            end
-          }
-          q.responses[:not_valid] = "Public key format is invalid; please try again"
-        end
-        public_key.blank? ? nil : public_key.strip
-      end
-    
-      # http://serverfault.com/questions/453296/how-do-i-validate-a-rsa-ssh-public-key-file-id-rsa-pub
-      def validate_public_key key
-        if system('which ssh-keygen 2>&1 > /dev/null')
-          Conjur.log.debug "Using ssh-keygen to verify the public key\n" if Conjur.log
-          require 'tempfile'
-          tempfile = Tempfile.new 'public_key'
-          tempfile.write(key)
-          tempfile.close
-          `ssh-keygen -l -f #{tempfile.path}`
-          $? == 0
-        else
-          Conjur.log.debug "ssh-keygen is not available; falling back to simple string testing\n" if Conjur.log
-          # Should be a line with at least 2 components,
-          # first one being the algo id and second a base64 string.
-          # In principle this means:
-          #   Base64.strict_decode64 key.strip[/\Assh-\w+ (\S+).*/, 1]
-
-          # Since the pubkeys service is more strict: needs a name and
-          # rejects ones with a space, instead reproduce its algorithm here.
-          begin
-            components = key.strip.split ' '
-            Base64.strict_decode64 components[1]
-            components.length == 3
-          rescue NoMethodError, ArgumentError
-            false
-          end
-        end
-      end
-      
-      def prompt_for_group options = {}
-        options[:hint] ||= "press enter to own the record yourself"
-        group_ids = api.groups.map(&:id)
-        
-        highline.ask("Enter the group which will own the record (#{options[:hint]}): ", [ "" ] + group_ids) do |q|
-          require 'readline'
-          Readline.completion_append_character = ""
-          Readline.completer_word_break_characters = ""
-          
-          q.readline = true
-          q.validate = lambda{|id|
-            @group = nil
-            id.empty? || (@group = api.group(id)).exists?
-          }
-          q.responses[:not_valid] = "Group '<%= @answer %>' doesn't exist, or you don't have permission to use it"
-        end
-        @group ? @group.roleid : nil
-      end
-
-      def prompt_for_idnumber label
-        result = highline.ask("Enter a #{label}: ") do |q|
-          q.validate = lambda{|id|
-            id.blank? || integer?(id)
-          }
-          q.responses[:not_valid] = "The #{label} must be an integer"
-        end
-        result.blank? ? nil : result.to_i
-      end
 
       def prompt_for_password
         require 'highline'
@@ -509,27 +202,14 @@ an alternative destination role.)
         password
       end
       
-      def current_role
-        kind, id = api.username.split('/', 2)
-        if id.nil?
-          id = kind
-          kind = 'user'
-        end
-        api.role([ kind, id ].join(":"))
-      end
-      
       def has_admin?(role, other_role)
-        return true if role.roleid == other_role.roleid
-        memberships = role.memberships.map(&:roleid)
-        other_role.members.any? { |m| memberships.member?(m.member.roleid) && m.admin_option }
+        return true if role.id == other_role.id
+        memberships = role.memberships.map(&:id)
+        other_role.members.any? { |m| memberships.member?(m.member.id) && m.admin_option }
       rescue RestClient::Forbidden
         false
       end
 
-      def notify_deprecated
-        STDERR.puts 'WARNING! This command is deprecated and will be removed. Use policy instead.'
-      end
-
     end
   end
 end