conjur-cli 5.6.6 → 6.0.0.rc1

data/lib/conjur/command/authn.rb

@@ -31,10 +31,6 @@ for the username. Password can be provided as -p, --password, or the command wil
 On successful login, the password is exchanged for the API key, which is cached in the operating system user's
 .netrc file. Subsequent "conjur" commands will authenticate with the cached login name and API key. To switch users, 
 login again using the new user credentials. To erase credentials, use the 'authn logout' command.
-
-If specified, the CAS server URL should be in the form https://<hostname>/v1.
-It should be running the CAS RESTful services at the /v1 path
-(or other path as specified by this argument).
     DESC
     authn.command :login do |c|
       c.arg_name 'username'
@@ -43,10 +39,6 @@ It should be running the CAS RESTful services at the /v1 path
       c.arg_name 'password'
       c.flag [:p,:password]
 
-      c.arg_name 'CAS server'
-      c.desc 'Specifies a CAS server URL to use for login'
-      c.flag [:"cas-server"]
-
       c.action do |global_options,options,args|
         if options[:username].blank? && !args.empty?
           options[:username] = args.pop
@@ -60,16 +52,32 @@ It should be running the CAS RESTful services at the /v1 path
 
     authn.desc "Obtains an authentication token using the current logged-in user"
     authn.command :authenticate do |c|
-      c.arg_name 'header'
       c.desc "Base64 encode the result and format as an HTTP Authorization header"
       c.switch [:H,:header]
 
+      c.arg_name 'filename'
+      c.desc 'Keeps a fresh access token in the indicated file. With this argument, the command runs forever.'
+      c.flag [ :f, :filename ]
+
       c.action do |global_options,options,args|
-        token = Conjur::Authn.authenticate(options)
-        if options[:header]
-          puts "Authorization: Token token=\"#{Base64.strict_encode64(token.to_json)}\""
+        # Authenticate will try and parse the token file to read the expiration time.
+        # It only knows how to do that if the token file contains a JSON access token.
+        raise "--header option is not supported with --filename option" if options[:header] && options[:filename]
+
+        authenticate = lambda { 
+          Conjur::Authn.authenticate
+        }
+    
+        if filename = options[:filename]
+          Conjur::Authenticator.run authenticate: authenticate, filename: filename
         else
-          display token
+          formatter = if options[:header]
+            lambda {|token| "Authorization: Token token=\"#{Base64.strict_encode64(JSON.generate token)}\"" }
+          else
+            lambda {|token| JSON.pretty_generate token }
+          end
+
+          puts formatter.call(authenticate.call)
         end
       end
     end
@@ -88,11 +96,11 @@ It should be running the CAS RESTful services at the /v1 path
       c.action do
         begin
           creds = Conjur::Authn.get_credentials(noask: true)
-          puts({account: Conjur::Core::API.conjur_account, username: creds[0]}.to_json)
+          puts({account: Conjur.configuration.account, username: creds[0]}.to_json)
         rescue Conjur::Authn::NoCredentialsError
           exit_now! 'Not logged in.', -1
         end
       end
     end
   end
-end
+end

data/lib/conjur/command/host_factories.rb

@@ -23,66 +23,6 @@ class Conjur::Command::HostFactories < Conjur::Command
   desc "Manage host factories"
 
   command :hostfactory do |hf|
-    hf.desc "Create a new host factory [DEPRECATED]"
-    hf.arg_name "id"
-    hf.command :create do |c|
-      acting_as_option(c)
-
-      c.arg_name "layer"
-      c.desc "A space-delimited list of layers to which new hosts will belong"
-      c.flag [:l, :layer]
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = require_arg(args, 'hostfactory')
-        
-        unless options[:ownerid]
-          exit_now! "Use --as-group or --as-role to indicate the host factory role"
-        end
-        
-        owner_role = api.role(options[:ownerid])
-
-        layers = (options[:layer] || "").split(/\s/)
-        exit_now! "Provide at least one layer" unless layers.count > 0
-
-        unless has_admin?(current_role, owner_role)
-          exit_now! "#{owner_role.id} must be an admin of role '#{owner_role.roleid}' to create a host factory for it" 
-        end
-        layers.each do |layerid|
-          layer = api.layer(layerid)
-          exit_now! "Layer '#{layerid}' does not exist" unless layer.exists?
-          unless has_admin?(owner_role, layer.role)
-            exit_now! "#{owner_role.id} must be an admin of layer '#{layerid}' to create a host factory for it" 
-          end
-        end
-        
-        command_options = options.dup
-        command_options[:layers] = layers
-        command_options[:roleid] = options[:ownerid]
-          
-        host_factory = api.create_host_factory id, command_options
-        display host_factory
-      end
-    end
-
-    hf.desc "Show a host factory"
-    hf.arg_name "id"
-    hf.command :show do |c|
-      c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
-        display(api.host_factory(id), options)
-      end
-    end
-
-    hf.desc "List host factories"
-    hf.command :list do |c|
-      command_options_for_list c
-      c.action do |global_options, options, args|
-        command_impl_for_list global_options, options.merge(kind: "host_factory"), args
-      end
-    end
-
     hf.desc "Operations on tokens"
     hf.long_desc <<-DESC
 This command creates one or more identical tokens. A token is always created with an 
@@ -131,12 +71,10 @@ By default, this command creates one token. Optionally, it can be used to create
           end
           expiration = Time.now + duration
           count = (options[:count] || 1).to_i
-          command_options = {}
           
           cidr = format_cidr(options.delete(:cidr))
-          command_options[:cidr] = cidr unless cidr.nil?
 
-          tokens = api.host_factory(id).create_tokens expiration, count, command_options
+          tokens = api.resource(full_resource_id("host_factory:#{id}")).create_tokens expiration, count: count, cidr: cidr
           display tokens.map(&:to_json)
         end
       end
@@ -151,16 +89,6 @@ By default, this command creates one token. Optionally, it can be used to create
           puts "Token revoked"
         end
       end
-      
-      tokens.desc "Show a token"
-      tokens.arg_name "token"
-      tokens.command :show do |c|
-        c.action do |global_options,options,args|
-          token = require_arg(args, 'token')
-          
-          display api.show_host_factory_token(token), options
-        end
-      end
     end
 
     hf.desc "Operations on hosts"
@@ -171,7 +99,7 @@ By default, this command creates one token. Optionally, it can be used to create
         c.action do |global_options,options,args|
           token = require_arg(args, 'token')
           id = require_arg(args, 'host-id')
-          
+
           host = Conjur::API.host_factory_create_host token, id, options
           display host
         end

data/lib/conjur/command/hosts.rb

@@ -21,83 +21,11 @@
 
 class Conjur::Command::Hosts < Conjur::Command
   def self.host_layer_roles host
-    host.role.all.select{|r| r.kind == "layer"}
+    host.memberships.select{|r| r.kind == "layer"}
   end
   
   desc "Manage hosts"
   command :host do |hosts|
-    hosts.desc "Create a new host [DEPRECATED]"
-    hosts.arg_name "NAME"
-    hosts.command :create do |c|
-      c.arg_name "password"
-      c.flag [:p,:password]
-
-      c.desc "A comma-delimited list of CIDR addresses to restrict host to (optional)"
-      c.flag [:cidr]
-
-      acting_as_option(c)
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = args.shift
-
-        unless id
-          ActiveSupport::Deprecation.warn "id argument will be required in future releases"
-        end
-
-        cidr = format_cidr(options.delete(:cidr))
-        options[:id] = id if id
-        options[:cidr] = cidr unless cidr.nil?
-          
-        display api.create_host(options), options
-      end
-    end
-
-    hosts.desc "Show a host"
-    hosts.arg_name "HOST"
-    hosts.command :show do |c|
-      c.action do |global_options,options,args|
-        id = require_arg(args, 'HOST')
-        display(api.host(id), options)
-      end
-    end
-
-    hosts.desc "Decommission a host [DEPRECATED]"
-    hosts.arg_name "HOST"
-    hosts.command :retire do |c|
-      retire_options c
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = require_arg(args, 'HOST')
-        
-        host = api.host(id)
-
-        validate_retire_privileges host, options
-        
-        host_layer_roles(host).each do |layer|
-          puts "Removing from layer #{layer.id}"
-          api.layer(layer.id).remove_host host
-        end
-
-        retire_resource host
-        retire_role host
-        give_away_resource host, options
-        
-        puts "Host retired"
-      end
-    end
-
-    hosts.desc "List hosts"
-    hosts.command :list do |c|
-      command_options_for_list c
-      c.action do |global_options, options, args|
-        command_impl_for_list global_options, options.merge(kind: "host"), args
-      end
-    end
-
     hosts.desc "Rotate a host's API key"
     hosts.command :rotate_api_key do |c|
       c.desc "Login of host whose API key we want to rotate (default: logged-in host)"
@@ -105,8 +33,9 @@ class Conjur::Command::Hosts < Conjur::Command
       c.action do |_global, options, _args|
         if options.include?(:host)
           host = options[:host]
+          host_resourceid = full_resource_id("host:#{host}")
 
-          unless api.host(host).exists?
+          unless api.resource(host_resourceid).exists?
             exit_now! "host '#{host}' not found"
           end
 
@@ -117,10 +46,10 @@ class Conjur::Command::Hosts < Conjur::Command
 
           # Make sure we're not trying to rotate our own key with the user flag.
           if api.username == host
-            exit_now! 'To rotate your own API key, use this command without the --host flag'
+            exit_now! 'To rotate the API key of the currently logged-in host, use this command without any flags or options'
           end
 
-          puts api.user(host).rotate_api_key
+          puts api.resource(host_resourceid).rotate_api_key
         else
           username, password = Conjur::Authn.read_credentials
           # Make sure the current identity is a host
@@ -136,48 +65,12 @@ class Conjur::Command::Hosts < Conjur::Command
       end
     end
 
-    hosts.desc "Update a hosts's attributes [DEPRECATED]"
-    hosts.arg_name "HOST"
-    hosts.command :update do |c|
-      c.desc "A comma-delimited list of CIDR addresses to restrict host to (optional). Use 'all' to reset"
-      c.flag [:cidr]
-
-      c.action do |global_options, options, args|
-        notify_deprecated
-
-        id = require_arg(args, 'HOST')
-
-        host = api.host(id)
-
-        cidr = format_cidr(options[:cidr])
-
-        host_options = { }
-        host_options[:cidr] = cidr unless cidr.nil?
-
-        host.update(host_options)
-        puts "Host updated"
-      end
-    end
-
-    hosts.desc "Enroll a new host into conjur [DEPRECATED]"
-    hosts.arg_name "HOST"
-    hosts.command :enroll do |c|
-      hide_docs(c)
-      c.action do |global_options, options, args|
-        id = require_arg(args, 'HOST')
-        enrollment_url = api.host(id).enrollment_url
-        puts enrollment_url
-        $stderr.puts "On the target host, please execute the following command:"
-        $stderr.puts "curl -L #{enrollment_url} | bash"
-      end
-    end
-
     hosts.desc "List the layers to which the host belongs"
     hosts.arg_name "HOST"
     hosts.command :layers do |c|
       c.action do |global_options, options, args|
         id = require_arg(args, 'HOST')
-        host = api.host(id)
+        host = api.resource(full_resource_id("host:#{id}"))
         display host_layer_roles(host).map(&:identifier), options
       end
     end

data/lib/conjur/command/init.rb

@@ -38,11 +38,11 @@ class Conjur::Command::Init < Conjur::Command
   end
 
   Conjur::CLI.command :init do |c|
-    c.desc "Hostname of the Conjur endpoint (required for virtual appliance)"
-    c.arg_name 'HOSTNAME'
-    c.flag ["h", "hostname"]
+    c.desc "URL of the Conjur service"
+    c.arg_name 'URL'
+    c.flag ["u", "url"]
 
-    c.desc "Conjur organization account name (not required for appliance)"
+    c.desc "Conjur organization account name"
     c.flag ["a", "account"]
 
     c.desc "Conjur SSL certificate (will be obtained from host unless provided by this option)"
@@ -56,40 +56,26 @@ class Conjur::Command::Init < Conjur::Command
     c.flag "force"
 
     c.action do |global_options,options,args|
-      hostname = options[:hostname] || highline.ask("Enter the hostname (and optional port) of your Conjur endpoint: ").to_s
-      protocol, hostname = (hostname.scan %r(^(?:(.*)://)?(.*))).first
-      exit_now! "only https protocol supported" unless protocol.nil? || protocol == 'https'
-      if hostname
-        Conjur.configuration.core_url = "https://#{hostname}/api"
-      end
+      url = options[:url] || highline.ask("Enter the URL of your Conjur service: ").to_s
+      url = URI.parse(url)
 
-      if (certificate = options[:certificate]).blank?
-        unless hostname.blank?
-          connect_hostname = if hostname.include?(':')
-            hostname
-          else
-            hostname + ':443'
-          end
-          fingerprint, certificate = get_certificate connect_hostname
-
-          puts
-          puts fingerprint
-
-          puts "\nPlease verify this certificate on the appliance using command:
-                openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem\n\n"
-          exit_now! "You decided not to trust the certificate" unless highline.ask("Trust this certificate (yes/no): ").strip == "yes"
-        end
+      Conjur.configuration.appliance_url = url.to_s
+
+      if (certificate = options[:certificate]).blank? && url.scheme == "https"
+        connect_hostname = [ url.host, url.port ].join(":")
+        fingerprint, certificate = get_certificate connect_hostname
+
+        puts
+        puts fingerprint
+
+        puts "\nPlease verify this certificate on the appliance using command:
+              openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem\n\n"
+        exit_now! "You decided not to trust the certificate" unless highline.ask("Trust this certificate (yes/no): ").strip == "yes"
       end
       
       configure_cert_store certificate
       
-      account = options[:account]
-      account ||= if hostname
-        account = Conjur::Core::API.info['account'] or raise "Expecting 'account' in Core info"
-      else
-        # using .to_s to overcome https://github.com/JEG2/highline/issues/69
-        highline.ask("Enter your organization account name: ").to_s
-      end
+      account = options[:account] || highline.ask("Enter your organization account name: ").to_s
 
       exit_now! "account is required" if account.blank?
 
@@ -98,7 +84,7 @@ class Conjur::Command::Init < Conjur::Command
         plugins: []
       }
 
-      config[:appliance_url] = "https://#{hostname}/api" unless hostname.blank?
+      config[:appliance_url] = url.to_s
 
       config_file = File.expand_path('~/.conjurrc')
 
@@ -140,7 +126,6 @@ class Conjur::Command::Init < Conjur::Command
 
     sock = TCPSocket.new host, port.to_i
     ssock = SSLSocket.new sock
-    ssock.hostname = host
     ssock.connect
     chain = ssock.peer_cert_chain
     cert = chain.first

data/lib/conjur/command/{secrets.rb → policies.rb}

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2017 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -17,30 +17,41 @@
 # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-class Conjur::Command::Secrets < Conjur::Command
-  desc "Manage secrets"
-  command :secret do |secret|
-    hide_docs(secret)
-    secret.desc "Create and store a secret"
-    secret.arg_name "secret"
-    secret.command :create do |c|
-      acting_as_option(c)
 
-      c.action do |global_options,options,args|
-        secret = args.shift or raise "Missing parameter: secret"
-        display api.create_secret(secret, options), options
-      end
-    end
+class Conjur::Command::Policies < Conjur::Command
+  desc "Manage policies"
+  command :policy do |p|
+    p.desc "Load a policy"
+    p.arg_name "POLICY FILENAME"
+    p.command :load do |c|
+      c.desc "Fully replace the existing policy, deleting any data that is not declared in the new policy."
+      c.switch :replace
 
-    secret.desc "Retrieve a secret"
-    secret.arg_name "id"
-    secret.command :value do |c|
+      c.desc "Allow explicit deletion statements in the policy."
+      c.switch :delete
+      
       c.action do |global_options,options,args|
-        id = args.shift or raise "Missing parameter: id"
-        puts api.secret(id).value
+        policy_id = require_arg(args, 'POLICY')
+        filename = require_arg(args, 'FILENAME')
+        policy = if filename == '-'
+          STDIN.read
+        else
+          require 'open-uri'
+          open(filename).read
+        end
+        
+        method = if options[:replace]
+          Conjur::API::POLICY_METHOD_PUT
+        elsif options[:delete]
+          Conjur::API::POLICY_METHOD_PATCH
+        else
+          Conjur::API::POLICY_METHOD_POST
+        end
+        
+        result = api.load_policy policy_id, policy, method: method
+        $stderr.puts "Loaded policy '#{policy_id}'"
+        puts JSON.pretty_generate(result)
       end
     end
   end
-end
+end