conjur-cli 5.6.6 → 6.0.0.rc1
- checksums.yaml +5 -5
- data/.dockerignore +1 -1
- data/.gitignore +2 -0
- data/.rubocop.yml +1 -1
- data/APPLIANCE_VERSION +1 -1
- data/CHANGELOG.md +3 -42
- data/Gemfile +4 -7
- data/Humanfile.md +31 -0
- data/Jenkinsfile +34 -63
- data/README.md +41 -55
- data/Rakefile +5 -1
- data/bin/conjur +0 -2
- data/build-deb.sh +1 -3
- data/ci/cli-test.sh +6 -0
- data/ci/package.sh +3 -1
- data/ci/publish.sh +2 -2
- data/ci/secrets/publish.yml +2 -2
- data/ci/wait_for_server.sh +10 -0
- data/conjur-cli.gemspec +7 -7
- data/dev/docker-compose.yml +24 -0
- data/dev/start.sh +15 -0
- data/dev/stop.sh +5 -0
- data/docker-compose.yml +30 -0
- data/features/authentication/authenticate.feature +34 -0
- data/features/authentication/login.feature +13 -0
- data/features/authentication/logout.feature +15 -0
- data/{acceptance-features → features}/authentication/whoami.feature +0 -0
- data/features/authorization/resource/annotate.feature +22 -0
- data/features/authorization/resource/check.feature +47 -0
- data/{acceptance-features → features}/authorization/resource/exists.feature +18 -6
- data/features/authorization/resource/permitted_roles.feature +35 -0
- data/features/authorization/resource/show.feature +34 -0
- data/features/authorization/role/exists.feature +28 -0
- data/features/authorization/role/members.feature +45 -0
- data/features/authorization/role/memberships.feature +43 -0
- data/features/conjurenv/check.feature +34 -0
- data/features/conjurenv/run.feature +15 -0
- data/{acceptance-features → features}/conjurenv/template.feature +8 -3
- data/{acceptance-features → features}/directory/user/update_password.feature +8 -2
- data/{acceptance-features → features}/directory/variable/value.feature +9 -5
- data/{acceptance-features → features}/directory/variable/values-add.feature +8 -3
- data/features/hostfactory/tokens.feature +22 -0
- data/features/pubkeys/show.feature +18 -0
- data/features/step_definitions/authn_steps.rb +22 -0
- data/features/step_definitions/cli_steps.rb +28 -0
- data/features/step_definitions/file_steps.rb +12 -0
- data/features/step_definitions/flow_control_steps.rb +7 -0
- data/features/step_definitions/graph_steps.rb +4 -3
- data/{acceptance-features → features}/step_definitions/http_steps.rb +0 -0
- data/features/step_definitions/overrides.rb +9 -0
- data/features/step_definitions/policy_steps.rb +11 -0
- data/{acceptance-features → features}/step_definitions/trusted_proxy_steps.rb +0 -0
- data/features/support/blank.yml +1 -0
- data/features/support/env.rb +21 -7
- data/features/support/hooks.rb +31 -116
- data/features/support/world.rb +16 -76
- data/jenkins.sh +33 -0
- data/lib/conjur/authenticator.rb +83 -0
- data/lib/conjur/authn.rb +5 -20
- data/lib/conjur/cli.rb +13 -6
- data/lib/conjur/command.rb +30 -350
- data/lib/conjur/command/authn.rb +23 -15
- data/lib/conjur/command/host_factories.rb +2 -74
- data/lib/conjur/command/hosts.rb +6 -113
- data/lib/conjur/command/init.rb +20 -35
- data/lib/conjur/command/{secrets.rb → policies.rb} +33 -22
- data/lib/conjur/command/pubkeys.rb +3 -63
- data/lib/conjur/command/resources.rb +45 -162
- data/lib/conjur/command/roles.rb +11 -181
- data/lib/conjur/command/rspec/helpers.rb +0 -1
- data/lib/conjur/command/rspec/mock_services.rb +4 -4
- data/lib/conjur/command/users.rb +2 -159
- data/lib/conjur/command/variables.rb +5 -218
- data/lib/conjur/complete.rb +2 -2
- data/lib/conjur/config.rb +1 -11
- data/lib/conjur/conjurenv.rb +12 -9
- data/lib/conjur/identifier_manipulation.rb +3 -5
- data/lib/conjur/version.rb +2 -2
- data/{publish-rubygem.sh → publish.sh} +0 -4
- data/spec/authn_spec.rb +4 -0
- data/spec/command/hosts_spec.rb +2 -69
- data/spec/command/init_spec.rb +16 -11
- data/spec/command/pubkeys_spec.rb +1 -46
- data/spec/command/resources_spec.rb +21 -170
- data/spec/command/roles_spec.rb +5 -181
- data/spec/command/users_spec.rb +3 -79
- data/spec/command_spec.rb +1 -20
- data/spec/complete_spec.rb +1 -23
- data/spec/config_spec.rb +1 -1
- data/spec/spec_helper.rb +4 -5
- data/test.sh +29 -25
- metadata +92 -212
- data/.githooks/pre_commit/run_specs.rb +0 -23
- data/Dockerfile +0 -15
- data/Dockerfile.fpm +0 -18
- data/Dockerfile.publish +0 -12
- data/Dockerfile.standalone +0 -33
- data/Dockerfile.validate-packaging +0 -9
- data/VERSION +0 -1
- data/acceptance-features/audit/audit_event_send.feature +0 -107
- data/acceptance-features/audit/fetch.feature +0 -16
- data/acceptance-features/audit/send.feature +0 -51
- data/acceptance-features/authentication/authenticate.feature +0 -10
- data/acceptance-features/authentication/login.feature +0 -12
- data/acceptance-features/authentication/logout.feature +0 -13
- data/acceptance-features/authorization/resource/annotate.feature +0 -35
- data/acceptance-features/authorization/resource/check.feature +0 -24
- data/acceptance-features/authorization/resource/create.feature +0 -21
- data/acceptance-features/authorization/resource/deny.feature +0 -12
- data/acceptance-features/authorization/resource/give.feature +0 -24
- data/acceptance-features/authorization/resource/permit.feature +0 -20
- data/acceptance-features/authorization/resource/permitted_roles.feature +0 -16
- data/acceptance-features/authorization/resource/show.feature +0 -28
- data/acceptance-features/authorization/role/create.feature +0 -13
- data/acceptance-features/authorization/role/exists.feature +0 -19
- data/acceptance-features/authorization/role/grant_to.feature +0 -21
- data/acceptance-features/authorization/role/graph.feature +0 -57
- data/acceptance-features/authorization/role/members.feature +0 -23
- data/acceptance-features/authorization/role/memberships.feature +0 -27
- data/acceptance-features/bootstrap.feature +0 -13
- data/acceptance-features/conjurenv/check.feature +0 -21
- data/acceptance-features/conjurenv/run.feature +0 -10
- data/acceptance-features/directory/group/create.feature +0 -20
- data/acceptance-features/directory/group/retire.feature +0 -54
- data/acceptance-features/directory/host/create.feature +0 -23
- data/acceptance-features/directory/host/retire.feature +0 -6
- data/acceptance-features/directory/hostfactory/create.feature +0 -28
- data/acceptance-features/directory/hostfactory/tokens.feature +0 -16
- data/acceptance-features/directory/layer/create.feature +0 -10
- data/acceptance-features/directory/layer/hosts-add.feature +0 -9
- data/acceptance-features/directory/layer/hosts-remove.feature +0 -10
- data/acceptance-features/directory/layer/retire.feature +0 -43
- data/acceptance-features/directory/user/create.feature +0 -23
- data/acceptance-features/directory/user/retire.feature +0 -6
- data/acceptance-features/directory/variable/create.feature +0 -14
- data/acceptance-features/directory/variable/retire.feature +0 -17
- data/acceptance-features/dsl/policy_owner.feature +0 -45
- data/acceptance-features/dsl/resource_owner.feature +0 -17
- data/acceptance-features/dsl/retire.feature +0 -15
- data/acceptance-features/global-privilege/elevate.feature +0 -20
- data/acceptance-features/global-privilege/reveal.privilege +0 -20
- data/acceptance-features/pubkeys/add.feature +0 -22
- data/acceptance-features/pubkeys/delete.feature +0 -9
- data/acceptance-features/pubkeys/names.feature +0 -26
- data/acceptance-features/pubkeys/show.feature +0 -27
- data/acceptance-features/step_definitions/cli_steps.rb +0 -57
- data/acceptance-features/step_definitions/graph_steps.rb +0 -22
- data/acceptance-features/step_definitions/user_steps.rb +0 -51
- data/acceptance-features/support/env.rb +0 -23
- data/acceptance-features/support/hooks.rb +0 -178
- data/acceptance-features/support/world.rb +0 -176
- data/acceptance-features/trusted_proxies.feature +0 -82
- data/bin/conjurize +0 -26
- data/bin/jsonfield +0 -70
- data/build-standalone +0 -6
- data/deprecations.sh +0 -38
- data/features/conjurize.feature +0 -134
- data/features/dsl_context.feature +0 -36
- data/features/dsl_host_create.feature +0 -11
- data/features/dsl_ownership.feature +0 -30
- data/features/dsl_permission.feature +0 -45
- data/features/dsl_resource_create.feature +0 -23
- data/features/dsl_role_create.feature +0 -11
- data/features/dsl_user_create.feature +0 -23
- data/features/jsonfield.feature +0 -49
- data/features/role_graph.feature +0 -58
- data/features/step_definitions/conjurize_steps.rb +0 -5
- data/features/step_definitions/dsl_steps.rb +0 -52
- data/features/support/conjur.conf +0 -6
- data/lib/conjur/command/assets.rb +0 -121
- data/lib/conjur/command/audit.rb +0 -155
- data/lib/conjur/command/bootstrap.rb +0 -129
- data/lib/conjur/command/dsl_command.rb +0 -75
- data/lib/conjur/command/elevate.rb +0 -76
- data/lib/conjur/command/field.rb +0 -45
- data/lib/conjur/command/groups.rb +0 -208
- data/lib/conjur/command/ids.rb +0 -34
- data/lib/conjur/command/layers.rb +0 -211
- data/lib/conjur/command/ldapsync.rb +0 -118
- data/lib/conjur/command/rspec/audit_helpers.rb +0 -68
- data/lib/conjur/command/rubydsl.rb +0 -93
- data/lib/conjur/command/script.rb +0 -48
- data/lib/conjur/command/server.rb +0 -67
- data/lib/conjur/conjurize.rb +0 -71
- data/lib/conjur/conjurize/script.rb +0 -150
- data/lib/conjur/dsl/runner.rb +0 -273
- data/publish-deb.sh +0 -6
- data/push-image +0 -29
- data/spec/command/assets_spec.rb +0 -115
- data/spec/command/audit_spec.rb +0 -376
- data/spec/command/elevate_spec.rb +0 -28
- data/spec/command/env_spec.rb +0 -168
- data/spec/command/groups_spec.rb +0 -77
- data/spec/command/host_factories_spec.rb +0 -38
- data/spec/command/layers_spec.rb +0 -35
- data/spec/command/ldapsync_spec.rb +0 -28
- data/spec/command/rubydsl_spec.rb +0 -63
- data/spec/command/variable_expiration_spec.rb +0 -164
- data/spec/command/variables_spec.rb +0 -192
- data/spec/conjurize/script_spec.rb +0 -62
- data/spec/conjurize_spec.rb +0 -70
- data/spec/dsl/runner_spec.rb +0 -93
- data/spec/env_spec.rb +0 -214
@@ -23,76 +23,16 @@ require 'conjur/cli'
|
|
23
23
|
|
24
24
|
class Conjur::Command::Pubkeys < Conjur::Command
|
25
25
|
desc "Public keys service operations"
|
26
|
+
|
26
27
|
command :pubkeys do |pubkeys|
|
28
|
+
pubkeys.default_command :show
|
27
29
|
|
28
30
|
pubkeys.desc "List public keys for the given user"
|
29
31
|
pubkeys.arg_name "USER"
|
30
32
|
pubkeys.command :show do |c|
|
31
33
|
c.action do |global_options, options, args|
|
32
34
|
username = require_arg args, "USER"
|
33
|
-
puts
|
34
|
-
end
|
35
|
-
end
|
36
|
-
|
37
|
-
pubkeys.desc "List the names of a user's public keys"
|
38
|
-
pubkeys.arg_name "USER"
|
39
|
-
pubkeys.command :names do |c|
|
40
|
-
c.action do |global_options, options, args|
|
41
|
-
username = require_arg args, "USER"
|
42
|
-
api.public_keys(username)
|
43
|
-
.split("\n")
|
44
|
-
.map{|k| k.split(' ').last}
|
45
|
-
.sort.each{|n| puts n}
|
46
|
-
end
|
47
|
-
end
|
48
|
-
|
49
|
-
pubkeys.desc "Add a public key for a user"
|
50
|
-
pubkeys.long_desc %Q(Adds a public key for a user. The username is a required argument of this method.
|
51
|
-
|
52
|
-
The public key itself may be provided in several ways.
|
53
|
-
|
54
|
-
1. After the username argument, the public key can be provided as a literal (quoted) string.
|
55
|
-
|
56
|
-
2. After the username argument, the path to the public key file can be provided with a leading @ character.
|
57
|
-
|
58
|
-
3. If the only argument to this command is the username, the key will be read from stdin.
|
59
|
-
|
60
|
-
4. If you provide the -i (interactive) command option, you'll be prompted for the public key
|
61
|
-
)
|
62
|
-
pubkeys.arg_name "username key?"
|
63
|
-
pubkeys.command :add do |c|
|
64
|
-
interactive_option c
|
65
|
-
|
66
|
-
c.action do |global_options, options, args|
|
67
|
-
options[:interactive] = $stdin.isatty if options[:interactive].nil?
|
68
|
-
username = require_arg args, "USER"
|
69
|
-
if key = args.shift
|
70
|
-
if /^@(.+)$/ =~ key
|
71
|
-
key = File.read(File.expand_path($1))
|
72
|
-
end
|
73
|
-
else
|
74
|
-
key = if options[:interactive]
|
75
|
-
prompt_for_public_key
|
76
|
-
else
|
77
|
-
STDIN.read.strip.tap do |k|
|
78
|
-
exit_now! "Invalid public key format" unless validate_public_key(k)
|
79
|
-
end
|
80
|
-
end
|
81
|
-
end
|
82
|
-
fail "Cancelled by the user" if key.blank?
|
83
|
-
api.add_public_key username, key
|
84
|
-
puts "Public key '#{key.split(' ').last}' added"
|
85
|
-
end
|
86
|
-
end
|
87
|
-
|
88
|
-
pubkeys.desc "Removes a public key for a user"
|
89
|
-
pubkeys.arg_name "USER KEY"
|
90
|
-
pubkeys.command :delete do |c|
|
91
|
-
c.action do |global_options, options, args|
|
92
|
-
username = require_arg args, "USER"
|
93
|
-
keyname = require_arg args, "KEY"
|
94
|
-
api.delete_public_key username, keyname
|
95
|
-
puts "Public key '#{keyname}' deleted"
|
35
|
+
puts Conjur::API.public_keys(username, account: Conjur.configuration.account)
|
96
36
|
end
|
97
37
|
end
|
98
38
|
end
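Review bot: The new `show` action at new line 35, `puts Conjur::API.public_keys(username, account: Conjur.configuration.account)`, is the only action in this diff that calls the API at class level rather than through the `api` instance every `resource` and `role` action uses; presumably that is deliberate because the public-keys lookup needs no authenticated session, but nothing on the page says so. A one-line comment above the call would stop the next reader from "fixing" it, e.g. `# class-level call on purpose: public keys are fetched without the authenticated api instance — confirm`. The enclosing `command :pubkeys` block is fully inside this hunk.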
|
@@ -20,38 +20,53 @@
|
|
20
20
|
#
|
21
21
|
class Conjur::Command::Resources < Conjur::Command
|
22
22
|
|
23
|
-
desc "
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
23
|
+
desc "Show an object"
|
24
|
+
arg_name "RESOURCE"
|
25
|
+
command :show do |c|
|
26
|
+
c.action do |global_options,options,args|
|
27
|
+
id = full_resource_id( require_arg(args, "RESOURCE") )
|
28
|
+
display api.resource(id).attributes
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
desc "List objects"
|
33
|
+
command :list do |c|
|
34
|
+
c.desc "Filter by kind"
|
35
|
+
c.flag [:k, :kind]
|
36
36
|
|
37
|
-
|
38
|
-
options[:acting_as] = ownerid
|
39
|
-
end
|
37
|
+
command_options_for_list c
|
40
38
|
|
41
|
-
|
42
|
-
|
43
|
-
end
|
39
|
+
c.action do |global_options, options, args|
|
40
|
+
command_impl_for_list global_options, options, args
|
44
41
|
end
|
42
|
+
end
|
45
43
|
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
44
|
+
desc "Check for a privilege on a resource"
|
45
|
+
long_desc """
|
46
|
+
By default, the privilege is checked for the logged-in user.
|
47
|
+
Permission checks may be performed for other roles using the optional role argument.
|
48
|
+
When the role argument is used, either the logged-in user must either own the specified
|
49
|
+
resource or must have specified role in its memberships.
|
50
|
+
"""
|
51
|
+
arg_name "RESOURCE PRIVILEGE"
|
52
|
+
command :check do |c|
|
53
|
+
c.desc "Role to check. By default, the current logged-in role is used"
|
54
|
+
c.flag [:r,:role]
|
55
|
+
|
56
|
+
c.action do |global_options,options,args|
|
57
|
+
id = full_resource_id(require_arg(args, "RESOURCE"))
|
58
|
+
privilege = args.shift or raise "Missing parameter: privilege"
|
59
|
+
role = if options[:role]
|
60
|
+
full_role_id(options[:role])
|
61
|
+
else
|
62
|
+
nil
|
52
63
|
end
|
64
|
+
puts api.resource(id).permitted? privilege, role: role
|
53
65
|
end
|
66
|
+
end
|
54
67
|
|
68
|
+
desc "Manage resources"
|
69
|
+
command :resource do |resource|
|
55
70
|
resource.desc "Determines whether a resource exists"
|
56
71
|
resource.arg_name "RESOURCE"
|
57
72
|
resource.command :exists do |c|
|
@@ -60,147 +75,15 @@ class Conjur::Command::Resources < Conjur::Command
|
|
60
75
|
puts api.resource(id).exists?
|
61
76
|
end
|
62
77
|
end
|
63
|
-
|
64
|
-
resource.desc "
|
65
|
-
resource.arg_name "RESOURCE ROLE PRIVILEGE"
|
66
|
-
resource.command :permit do |c|
|
67
|
-
c.desc "allow transfer to other roles"
|
68
|
-
c.switch [:g, :grantable]
|
69
|
-
c.action do |global_options,options,args|
|
70
|
-
notify_deprecated
|
71
|
-
|
72
|
-
id = full_resource_id( require_arg(args, "RESOURCE") )
|
73
|
-
role = require_arg(args, "ROLE")
|
74
|
-
privilege = require_arg(args, "PRIVILEGE")
|
75
|
-
$stderr.print "Granting #{role} permission to #{privilege} #{id}... "
|
76
|
-
unless options[:g]
|
77
|
-
api.resource(id).permit privilege, role
|
78
|
-
else
|
79
|
-
api.resource(id).permit privilege, role, grant_option: true
|
80
|
-
end
|
81
|
-
|
82
|
-
puts "Permission granted"
|
83
|
-
end
|
84
|
-
end
|
85
|
-
|
86
|
-
resource.desc "Deny a privilege on a resource [DEPRECATED]"
|
87
|
-
resource.arg_name "RESOURCE ROLE PRIVILEGE"
|
88
|
-
resource.command :deny do |c|
|
89
|
-
c.action do |global_options,options,args|
|
90
|
-
notify_deprecated
|
91
|
-
|
92
|
-
id = full_resource_id( require_arg(args, "RESOURCE") )
|
93
|
-
role = require_arg(args, "ROLE")
|
94
|
-
privilege = require_arg(args, "PRIVILEGE")
|
95
|
-
api.resource(id).deny privilege, role
|
96
|
-
puts "Permission revoked"
|
97
|
-
end
|
98
|
-
end
|
99
|
-
|
100
|
-
resource.desc "Check for a privilege on a resource"
|
101
|
-
resource.long_desc """
|
102
|
-
By default, the privilege is checked for the logged-in user.
|
103
|
-
Permission checks may be performed for other roles using the optional role argument.
|
104
|
-
When the role argument is used, either the logged-in user must either own the specified
|
105
|
-
resource or be an admin of the specified role (i.e. be granted the specified role with grant option).
|
106
|
-
"""
|
78
|
+
|
79
|
+
resource.desc "List roles with a specified privilege on the resource"
|
107
80
|
resource.arg_name "RESOURCE PRIVILEGE"
|
108
|
-
resource.command :check do |c|
|
109
|
-
c.desc "Role to check. By default, the current logged-in role is used"
|
110
|
-
c.flag [:r,:role]
|
111
|
-
|
112
|
-
c.action do |global_options,options,args|
|
113
|
-
id = full_resource_id( require_arg(args, "RESOURCE") )
|
114
|
-
privilege = args.shift or raise "Missing parameter: privilege"
|
115
|
-
if role = options[:role]
|
116
|
-
role = api.role(role)
|
117
|
-
puts role.permitted? id, privilege
|
118
|
-
else
|
119
|
-
puts api.resource(id).permitted? privilege
|
120
|
-
end
|
121
|
-
end
|
122
|
-
end
|
123
|
-
|
124
|
-
resource.desc "Grant ownership on a resource to a new owner [DEPRECATED]"
|
125
|
-
resource.arg_name "RESOURCE USER"
|
126
|
-
resource.command :give do |c|
|
127
|
-
c.action do |global_options,options,args|
|
128
|
-
notify_deprecated
|
129
|
-
|
130
|
-
id = full_resource_id( require_arg(args, "RESOURCE") )
|
131
|
-
owner = require_arg(args, "USER")
|
132
|
-
api.resource(id).give_to owner
|
133
|
-
puts "Ownership granted"
|
134
|
-
end
|
135
|
-
end
|
136
|
-
|
137
|
-
resource.desc "List roles with a specified permission on the resource"
|
138
|
-
resource.arg_name "RESOURCE PERMISSION"
|
139
81
|
resource.command :permitted_roles do |c|
|
140
|
-
command_option_kind c
|
141
|
-
command_options_for_search c
|
142
|
-
|
143
82
|
c.action do |global_options,options,args|
|
144
|
-
id = full_resource_id(
|
145
|
-
permission = require_arg(args, "
|
146
|
-
|
147
|
-
opts = process_command_options_for_search(options)
|
148
|
-
display api.resource(id).permitted_roles(permission, opts)
|
149
|
-
end
|
150
|
-
end
|
151
|
-
|
152
|
-
resource.desc "Set an annotation on a resource [DEPRECATED]"
|
153
|
-
resource.arg_name "RESOURCE ANNOTATION value"
|
154
|
-
resource.command :annotate do |c|
|
155
|
-
interactive_option c
|
156
|
-
|
157
|
-
c.action do |global_options, options, args|
|
158
|
-
notify_deprecated
|
159
|
-
|
160
|
-
id = full_resource_id require_arg(args, 'RESOURCE')
|
161
|
-
|
162
|
-
annotations = if options[:interactive]
|
163
|
-
prompt_for_annotations
|
164
|
-
else
|
165
|
-
name = require_arg args, 'ANNOTATION'
|
166
|
-
value = require_arg args, 'value'
|
167
|
-
{ name => value }
|
168
|
-
end
|
169
|
-
unless annotations.blank?
|
170
|
-
api.resource(id).annotations.merge!(annotations)
|
171
|
-
puts "Set annotations #{annotations.keys} for resource '#{id}'"
|
172
|
-
end
|
173
|
-
end
|
174
|
-
end
|
175
|
-
|
176
|
-
resource.desc "Show an annotation for a resource"
|
177
|
-
resource.arg_name "RESOURCE ANNOTATION"
|
178
|
-
resource.command :annotation do |c|
|
179
|
-
c.action do |global_options, options, args|
|
180
|
-
id = full_resource_id require_arg args, 'RESOURCE'
|
181
|
-
name = require_arg args, 'ANNOTATION'
|
182
|
-
value = api.resource(id).annotations[name]
|
183
|
-
puts value unless value.nil?
|
184
|
-
end
|
185
|
-
end
|
186
|
-
|
187
|
-
resource.desc "Print annotations as JSON"
|
188
|
-
resource.arg_name 'RESOURCE'
|
189
|
-
resource.command :annotations do |c|
|
190
|
-
c.action do |go, o, args|
|
191
|
-
id = full_resource_id require_arg args, 'RESOURCE'
|
192
|
-
annots = api.resource(id).annotations.to_h
|
193
|
-
puts annots.to_json
|
194
|
-
end
|
195
|
-
end
|
196
|
-
|
197
|
-
resource.desc "List all resources"
|
198
|
-
resource.command :list do |c|
|
199
|
-
command_option_kind c
|
200
|
-
command_options_for_list c
|
83
|
+
id = full_resource_id(require_arg(args, "RESOURCE"))
|
84
|
+
permission = require_arg(args, "PRIVILEGE")
|
201
85
|
|
202
|
-
|
203
|
-
command_impl_for_list global_options, options, args
|
86
|
+
display api.resource(id).permitted_roles(permission)
|
204
87
|
end
|
205
88
|
end
|
206
89
|
end
|
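--- a/data/lib/conjur/command/roles.rb
+++ b/data/lib/conjur/command/roles.rb
@@ -20,41 +20,8 @@
 #
 
 class Conjur::Command::Roles < Conjur::Command
-GRAPH_FORMATS = %w(json dot)
-
-
 desc "Manage roles"
 command :role do |role|
-
-role.desc "Create a new role [DEPRECATED]"
-role.arg_name "ROLE"
-role.command :create do |c|
-acting_as_option(c)
-
-c.desc "Output a JSON response with a single field, roleid"
-c.switch "json"
-
-c.action do |global_options,options,args|
-notify_deprecated
-
-id = require_arg(args, 'ROLE')
-role = api.role(id)
-
-if ownerid = options.delete(:ownerid)
-options[:acting_as] = ownerid
-end
-
-role.create(options)
-if options[:json]
-display({
-roleid: role.roleid
-})
-else
-puts "Created role #{role.roleid}"
-end
-end
-end
-
 role.desc "Determines whether a role exists"
 role.arg_name "ROLE"
 role.command :exists do |c|
@@ -62,7 +29,7 @@ class Conjur::Command::Roles < Conjur::Command
 c.switch "json"
 
 c.action do |global_options,options,args|
-id = require_arg(args, 'ROLE')
+id = full_role_id(require_arg(args, 'ROLE'))
 role = api.role(id)
 if options[:json]
 display({
@@ -74,32 +41,21 @@ class Conjur::Command::Roles < Conjur::Command
 end
 end
 
-role.desc "Lists role memberships. The role membership list is recursively expanded
+role.desc "Lists role memberships. The role membership list is recursively expanded."
 role.arg_name "ROLE"
 
 role.command :memberships do |c|
-c.desc "Verbose output. Only meaningful with --no-recursive."
-c.switch [:V,:verbose]
-
-c.desc "Whether to recursively expand role memberships"
-c.default_value true
-c.switch [:r, :recursive]
-
 c.desc "Whether to show system (internal) roles"
-c.switch [:system]
-
-command_option_kind c
-command_options_for_search c
+c.switch [:s, :system]
 
 c.action do |global_options,options,args|
 roleid = args.shift
-
-
-
-
-
-memberships
-display_members memberships, :role, options
+role = roleid.nil? && api.current_role(Conjur.configuration.account) || api.role(full_role_id(roleid))
+memberships = role.memberships.map(&:id)
+unless options[:system]
+memberships.reject!{|id| id =~ /^.+?:@/}
+end
+display memberships
 end
 end
 
@@ -109,136 +65,10 @@ class Conjur::Command::Roles < Conjur::Command
 c.desc "Verbose output"
 c.switch [:V,:verbose]
 
-c.desc "Whether to show system (internal) roles"
-c.switch [:system]
-
-command_option_kind c
-command_options_for_search c
-
 c.action do |global_options,options,args|
 roleid = args.shift
-
-role
-opts = process_command_options_for_search(options)
-
-members = role.members(opts)
-display_members members, :member, options
-end
-end
-
-role.desc "Grant a role to another role. You must have admin permission on the granting role. [DEPRECATED]"
-role.arg_name "ROLE-1 ROLE-2"
-role.command :grant_to do |c|
-c.desc "Whether to grant with admin option"
-c.switch [:a,:admin]
-
-c.action do |global_options,options,args|
-notify_deprecated
-
-id = require_arg(args, 'ROLE-1')
-member = require_arg(args, 'ROLE-2')
-role = api.role(id)
-grant_options = {}
-grant_options[:admin_option] = true if options[:admin]
-role.grant_to member, grant_options
-puts "Role granted"
-end
-end
-
-
-role.desc "Revoke a role from another role. You must have admin permission on the revoking role. [DEPRECATED]"
-role.arg_name "ROLE-1 ROLE-2"
-role.command :revoke_from do |c|
-c.action do |global_options,options,args|
-notify_deprecated
-
-id = require_arg(args, 'ROLE-1')
-member = require_arg(args, 'ROLE-2')
-role = api.role(id)
-role.revoke_from member
-puts "Role revoked"
-end
-end
-
-
-role.long_desc <<-EOD
-Retrieves a digraph representing the role members and memberships of one or more roles.
-
-The --[no-]ancestors and --[no-descendants] determine whether the graph should include ancestors, descendants, or both. Both
-are included in the graph by default.
-
-The --acting-as flag specifies, as usual, a role as which to perform the action. The default is the role of the currently
-authenticated user. Only roles visible to this role will be included in the resulting graph.
-
-The output is always written to the standard output, and can be one of the following forms (specified with the --format flag):
-
-* png: use the 'dot' command to generate a png image representing the graph.
-
-* dot: produce a file in a suitable format for use with the 'dot' program.
-
-* json [default]: output a JSON representation of the graph.
-
-In order to generate png images, the 'dot' program must be present and on your path. This program is usually installed
-as part of the 'graphviz' package, and is available via apt-get on debian like systems and homebrew on OSX.
-
-The JSON format is determined by the presence of the --short flag. If the --short flag is present, the JSON will be an array of
-edges, with each edge represented as an array:
-
-[
-[ 'parent1', 'child1' ],
-[ 'parent2', 'child2'],
-...
-]
-
-If the --short flag is not present, the JSON output will be more verbose:
-
-{
-"graph": [
-{
-"parent": "parent1",
-"child": "child1"
-},
-...
-]
-}
-EOD
-
-role.desc "Describe role memberships as a digraph"
-role.arg_name "ROLE", :multiple
-role.command :graph do |c|
-c.desc "Output formats [#{GRAPH_FORMATS}]"
-c.flag [:f,:format], default_value: 'json', must_match: GRAPH_FORMATS
-
-c.desc "Use a more compact JSON format"
-c.switch [:s, :short]
-
-c.desc "Whether to show ancestors"
-c.switch [:a, :ancestors], default_value: true
-
-c.desc "Whether to show descendants"
-c.switch [:d, :descendants], default_value: true
-
-acting_as_option(c)
-
-c.action do |_, options, args|
-format = options[:format].downcase.to_sym
-if options[:short] and format != :json
-$stderr.puts "WARNING: the --short option is meaningless when --format is not json"
-end
-
-params = options.slice(:ancestors, :descendants)
-params[:as_role] = options[:acting_as] if options.member?(:acting_as)
-
-graph = api.role_graph(args, params)
-
-output = case format
-when :json then graph.to_json(options[:short]) + "\n"
-when :dot then graph.to_dot + "\n"
-else raise "Unsupported format: #{format}" # not strictly necessary, because GLI must_match checks it,
-# but might as well?
-end
-
-$stdout.write output
+role = roleid.nil? && api.current_role(Conjur.configuration.account) || api.role(full_role_id(roleid))
+display_members role.members, options
 end
 end
 end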
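Review bot: The role lookup added at new line 53 of the `memberships` hunk, and repeated at new line 70 of the `members` hunk, `role = roleid.nil? && api.current_role(Conjur.configuration.account) || api.role(full_role_id(roleid))`, relies on `&&` binding tighter than `||`, and if `current_role` ever returned nil it would fall through to `full_role_id(nil)`; `role = roleid ? api.role(full_role_id(roleid)) : api.current_role(Conjur.configuration.account)` states the intent directly and, presumably `current_role` never returns nil, behaves the same. The system-role filter at new line 56, `memberships.reject!{|id| id =~ /^.+?:@/}`, anchors with `^`, which matches at the start of any line rather than of the whole id; `memberships.reject! { |id| id.match?(/\A.+?:@/) }` anchors the full string and avoids the MatchData allocation. A short comment on the filter would also help a reader who does not know the id layout, e.g. `# ids with '@' right after the first ':' are system (internal) roles`.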