conjur-cli 5.6.6 → 6.0.0.rc1

data/lib/conjur/command/pubkeys.rb

@@ -23,76 +23,16 @@ require 'conjur/cli'
 
 class Conjur::Command::Pubkeys < Conjur::Command
   desc "Public keys service operations"
+
   command :pubkeys do |pubkeys|
+    pubkeys.default_command :show
 
     pubkeys.desc "List public keys for the given user"
     pubkeys.arg_name "USER"
     pubkeys.command :show do |c|
       c.action do |global_options, options, args|
         username = require_arg args, "USER"
-        puts api.public_keys(username)
-      end
-    end
-
-    pubkeys.desc "List the names of a user's public keys"
-    pubkeys.arg_name "USER"
-    pubkeys.command :names do |c|
-      c.action do |global_options, options, args|
-        username = require_arg args, "USER"
-        api.public_keys(username)
-        .split("\n")
-        .map{|k| k.split(' ').last}
-        .sort.each{|n| puts n}
-      end
-    end
-
-    pubkeys.desc "Add a public key for a user"
-    pubkeys.long_desc %Q(Adds a public key for a user. The username is a required argument of this method.
-    
-The public key itself may be provided in several ways.
-
-1. After the username argument, the public key can be provided as a literal (quoted) string.
-
-2. After the username argument, the path to the public key file can be provided with a leading @ character.
-
-3. If the only argument to this command is the username, the key will be read from stdin.
-
-4. If you provide the -i (interactive) command option, you'll be prompted for the public key
-)
-    pubkeys.arg_name "username key?"
-    pubkeys.command :add do |c|
-      interactive_option c
-      
-      c.action do |global_options, options, args|
-        options[:interactive] = $stdin.isatty if options[:interactive].nil?
-        username = require_arg args, "USER"
-        if key = args.shift
-          if /^@(.+)$/ =~ key
-            key = File.read(File.expand_path($1))
-          end
-        else
-          key = if options[:interactive]
-            prompt_for_public_key
-          else
-            STDIN.read.strip.tap do |k|
-              exit_now! "Invalid public key format" unless validate_public_key(k)
-            end
-          end
-        end
-        fail "Cancelled by the user" if key.blank?
-        api.add_public_key username, key
-        puts "Public key '#{key.split(' ').last}' added"
-      end
-    end
-
-    pubkeys.desc "Removes a public key for a user"
-    pubkeys.arg_name "USER KEY"
-    pubkeys.command :delete do |c|
-      c.action do |global_options, options, args|
-        username = require_arg args, "USER"
-        keyname = require_arg args, "KEY"
-        api.delete_public_key username, keyname
-        puts "Public key '#{keyname}' deleted"
+        puts Conjur::API.public_keys(username, account: Conjur.configuration.account)
       end
     end
   end

data/lib/conjur/command/resources.rb

@@ -20,38 +20,53 @@
 #
 class Conjur::Command::Resources < Conjur::Command
 
-  desc "Manage resources"
-  command :resource do |resource|
-
-    resource.desc "Create a new resource [DEPRECATED]"
-    resource.arg_name "RESOURCE"
-    resource.command :create do |c|
-      acting_as_option(c)
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = full_resource_id( require_arg(args, "RESOURCE") )
-        resource = api.resource(id)
+  desc "Show an object"
+  arg_name "RESOURCE"
+  command :show do |c|
+    c.action do |global_options,options,args|
+      id = full_resource_id( require_arg(args, "RESOURCE") )
+      display api.resource(id).attributes
+    end
+  end
+  
+  desc "List objects"
+  command :list do |c|
+    c.desc "Filter by kind"
+    c.flag [:k, :kind]
 
-        if ownerid = options.delete(:ownerid)
-          options[:acting_as] = ownerid
-        end
+    command_options_for_list c
 
-        resource.create(options)
-        display resource.attributes
-      end
+    c.action do |global_options, options, args|
+      command_impl_for_list global_options, options, args
     end
+  end
 
-    resource.desc "Show a resource"
-    resource.arg_name "RESOURCE"
-    resource.command :show do |c|
-      c.action do |global_options,options,args|
-        id = full_resource_id( require_arg(args, "RESOURCE") )
-        display api.resource(id).attributes
+  desc "Check for a privilege on a resource"
+  long_desc """
+By default, the privilege is checked for the logged-in user.
+Permission checks may be performed for other roles using the optional role argument.
+When the role argument is used, either the logged-in user must either own the specified
+resource or must have specified role in its memberships.
+"""
+  arg_name "RESOURCE PRIVILEGE"
+  command :check do |c|
+    c.desc "Role to check. By default, the current logged-in role is used"
+    c.flag [:r,:role]
+
+    c.action do |global_options,options,args|
+      id = full_resource_id(require_arg(args, "RESOURCE"))
+      privilege = args.shift or raise "Missing parameter: privilege"
+      role = if options[:role]
+        full_role_id(options[:role])
+      else
+        nil
       end
+      puts api.resource(id).permitted? privilege, role: role
     end
+  end
 
+  desc "Manage resources"
+  command :resource do |resource|
     resource.desc "Determines whether a resource exists"
     resource.arg_name "RESOURCE"
     resource.command :exists do |c|
@@ -60,147 +75,15 @@ class Conjur::Command::Resources < Conjur::Command
         puts api.resource(id).exists?
       end
     end
-
-    resource.desc "Give a privilege on a resource [DEPRECATED]"
-    resource.arg_name "RESOURCE ROLE PRIVILEGE"
-    resource.command :permit do |c|
-      c.desc "allow transfer to other roles"
-      c.switch [:g, :grantable]
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = full_resource_id( require_arg(args, "RESOURCE") )
-        role = require_arg(args, "ROLE")
-        privilege = require_arg(args, "PRIVILEGE")
-        $stderr.print "Granting #{role} permission to #{privilege} #{id}... "
-        unless options[:g]
-          api.resource(id).permit privilege, role
-        else
-          api.resource(id).permit privilege, role, grant_option: true
-        end
-        
-        puts "Permission granted"
-      end
-    end
-
-    resource.desc "Deny a privilege on a resource [DEPRECATED]"
-    resource.arg_name "RESOURCE ROLE PRIVILEGE"
-    resource.command :deny do |c|
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = full_resource_id( require_arg(args, "RESOURCE") )
-        role = require_arg(args, "ROLE")
-        privilege = require_arg(args, "PRIVILEGE")
-        api.resource(id).deny privilege, role
-        puts "Permission revoked"
-      end
-    end
-
-    resource.desc "Check for a privilege on a resource"
-    resource.long_desc """
-  By default, the privilege is checked for the logged-in user.
-  Permission checks may be performed for other roles using the optional role argument.
-  When the role argument is used, either the logged-in user must either own the specified
-  resource or be an admin of the specified role (i.e. be granted the specified role with grant option).
-  """
+    
+    resource.desc "List roles with a specified privilege on the resource"
     resource.arg_name "RESOURCE PRIVILEGE"
-    resource.command :check do |c|
-      c.desc "Role to check. By default, the current logged-in role is used"
-      c.flag [:r,:role]
-
-      c.action do |global_options,options,args|
-        id = full_resource_id( require_arg(args, "RESOURCE") )
-        privilege = args.shift or raise "Missing parameter: privilege"
-        if role = options[:role]
-          role = api.role(role)
-          puts role.permitted? id, privilege
-        else
-          puts api.resource(id).permitted? privilege
-        end
-      end
-    end
-
-    resource.desc "Grant ownership on a resource to a new owner [DEPRECATED]"
-    resource.arg_name "RESOURCE USER"
-    resource.command :give do |c|
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = full_resource_id( require_arg(args, "RESOURCE") )
-        owner = require_arg(args, "USER")
-        api.resource(id).give_to owner
-        puts "Ownership granted"
-      end
-    end
-
-    resource.desc "List roles with a specified permission on the resource"
-    resource.arg_name "RESOURCE PERMISSION"
     resource.command :permitted_roles do |c|
-      command_option_kind c
-      command_options_for_search c
-
       c.action do |global_options,options,args|
-        id = full_resource_id( require_arg(args, "RESOURCE") )
-        permission = require_arg(args, "PERMISSION")
-
-        opts = process_command_options_for_search(options)
-        display api.resource(id).permitted_roles(permission, opts)
-      end
-    end
-
-    resource.desc "Set an annotation on a resource [DEPRECATED]"
-    resource.arg_name "RESOURCE ANNOTATION value"
-    resource.command :annotate do |c|
-      interactive_option c
-      
-      c.action do |global_options, options, args|
-        notify_deprecated
-
-        id = full_resource_id require_arg(args, 'RESOURCE')
-
-        annotations = if options[:interactive]
-          prompt_for_annotations
-        else
-          name = require_arg args, 'ANNOTATION'
-          value = require_arg args, 'value'
-          { name => value }
-        end
-        unless annotations.blank?
-          api.resource(id).annotations.merge!(annotations)
-          puts "Set annotations #{annotations.keys} for resource '#{id}'"
-        end
-      end
-    end
-
-    resource.desc "Show an annotation for a resource"
-    resource.arg_name "RESOURCE ANNOTATION"
-    resource.command :annotation do |c|
-      c.action do |global_options, options, args|
-        id = full_resource_id require_arg args, 'RESOURCE'
-        name = require_arg args, 'ANNOTATION'
-        value = api.resource(id).annotations[name]
-        puts value unless value.nil?
-      end
-    end
-
-    resource.desc "Print annotations as JSON"
-    resource.arg_name 'RESOURCE'
-    resource.command :annotations do |c|
-      c.action do |go, o, args|
-        id = full_resource_id require_arg args, 'RESOURCE'
-        annots = api.resource(id).annotations.to_h
-        puts annots.to_json
-      end
-    end
-
-    resource.desc "List all resources"
-    resource.command :list do |c|
-      command_option_kind c
-      command_options_for_list c
+        id = full_resource_id(require_arg(args, "RESOURCE"))
+        permission = require_arg(args, "PRIVILEGE")
 
-      c.action do |global_options, options, args|
-        command_impl_for_list global_options, options, args
+        display api.resource(id).permitted_roles(permission)
       end
     end
   end

data/lib/conjur/command/roles.rb

@@ -20,41 +20,8 @@
 #
 
 class Conjur::Command::Roles < Conjur::Command
-  GRAPH_FORMATS = %w(json dot)
-
-
   desc "Manage roles"
   command :role do |role|
-
-    role.desc "Create a new role [DEPRECATED]"
-    role.arg_name "ROLE"
-    role.command :create do |c|
-      acting_as_option(c)
-      
-      c.desc "Output a JSON response with a single field, roleid"
-      c.switch "json"
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = require_arg(args, 'ROLE')
-        role = api.role(id)
-
-        if ownerid = options.delete(:ownerid)
-          options[:acting_as] = ownerid
-        end
-
-        role.create(options)
-        if options[:json]
-          display({
-            roleid: role.roleid
-          })
-        else
-          puts "Created role #{role.roleid}"
-        end
-      end
-    end
-
     role.desc "Determines whether a role exists"
     role.arg_name "ROLE"
     role.command :exists do |c|
@@ -62,7 +29,7 @@ class Conjur::Command::Roles < Conjur::Command
       c.switch "json"
       
       c.action do |global_options,options,args|
-        id = require_arg(args, 'ROLE')
+        id = full_role_id(require_arg(args, 'ROLE'))
         role = api.role(id)
         if options[:json]
           display({
@@ -74,32 +41,21 @@ class Conjur::Command::Roles < Conjur::Command
       end
     end
 
-    role.desc "Lists role memberships. The role membership list is recursively expanded by default."
+    role.desc "Lists role memberships. The role membership list is recursively expanded."
     role.arg_name "ROLE"
 
     role.command :memberships do |c|
-      c.desc "Verbose output. Only meaningful with --no-recursive."
-      c.switch [:V,:verbose]
-
-      c.desc "Whether to recursively expand role memberships"
-      c.default_value true
-      c.switch [:r, :recursive]
-
       c.desc "Whether to show system (internal) roles"
-      c.switch [:system]
-
-      command_option_kind c
-      command_options_for_search c
+      c.switch [:s, :system]
 
       c.action do |global_options,options,args|
         roleid = args.shift
-        assert_empty(args)
-        role = roleid.nil? && api.current_role || api.role(roleid)
-
-        opts = process_command_options_for_search(options)
-        opts[:recursive] = false unless options[:recursive]
-        memberships = role.all(opts)
-        display_members memberships, :role, options
+        role = roleid.nil? && api.current_role(Conjur.configuration.account) || api.role(full_role_id(roleid))
+        memberships = role.memberships.map(&:id)
+        unless options[:system]
+          memberships.reject!{|id| id =~ /^.+?:@/}
+        end
+        display memberships
       end
     end
 
@@ -109,136 +65,10 @@ class Conjur::Command::Roles < Conjur::Command
       c.desc "Verbose output"
       c.switch [:V,:verbose]
 
-      c.desc "Whether to show system (internal) roles"
-      c.switch [:system]
-
-      command_option_kind c
-      command_options_for_search c
-
       c.action do |global_options,options,args|
         roleid = args.shift
-        assert_empty(args)
-        role = roleid.nil? && api.current_role || api.role(roleid)
-        opts = process_command_options_for_search(options)
-
-        members = role.members(opts)
-        display_members members, :member, options
-      end
-    end
-
-    role.desc "Grant a role to another role. You must have admin permission on the granting role. [DEPRECATED]"
-    role.arg_name "ROLE-1 ROLE-2"
-    role.command :grant_to do |c|
-      c.desc "Whether to grant with admin option"
-      c.switch [:a,:admin]
-
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = require_arg(args, 'ROLE-1')
-        member = require_arg(args, 'ROLE-2')
-        role = api.role(id)
-        grant_options = {}
-        grant_options[:admin_option] = true if options[:admin]
-        role.grant_to member, grant_options
-        puts "Role granted"
-      end
-    end
-
-
-    role.desc "Revoke a role from another role. You must have admin permission on the revoking role. [DEPRECATED]"
-    role.arg_name "ROLE-1 ROLE-2"
-    role.command :revoke_from do |c|
-      c.action do |global_options,options,args|
-        notify_deprecated
-
-        id = require_arg(args, 'ROLE-1')
-        member = require_arg(args, 'ROLE-2')
-        role = api.role(id)
-        role.revoke_from member
-        puts "Role revoked"
-      end
-    end
-
-
-    role.long_desc <<-EOD
-Retrieves a digraph representing the role members and memberships of one or more roles.
-
-The --[no-]ancestors and --[no-descendants] determine whether the graph should include ancestors, descendants, or both.  Both
-are included in the graph by default.
-
-The --acting-as flag specifies, as usual, a role as which to perform the action.  The default is the role of the currently
-authenticated user.  Only roles visible to this role will be included in the resulting graph.
-
-The output is always written to the standard output, and can be one of the following forms (specified with the --format flag):
-
-   * png: use the 'dot' command to generate a png image representing the graph.
-
-   * dot: produce a file in a suitable format for use with the 'dot' program.
-
-   * json [default]: output a JSON representation of the graph.
-
-In order to generate png images, the 'dot' program must be present and on your path.  This program is usually installed
-as part of the 'graphviz' package, and is available via apt-get on debian like systems and homebrew on OSX.
-
-The JSON format is determined by the presence of the --short flag.  If the --short flag is present, the JSON will be an array of
-edges, with each edge represented as an array:
-
-  [
-    [ 'parent1', 'child1' ],
-    [ 'parent2', 'child2'],
-    ...
-  ]
-
-If the --short flag is not present, the JSON output will be more verbose:
-
-  {
-    "graph": [
-      {
-        "parent": "parent1",
-        "child":  "child1"
-      },
-      ...
-    ]
-  }
-EOD
-    
-    role.desc "Describe role memberships as a digraph"
-    role.arg_name "ROLE", :multiple
-    role.command :graph do |c|
-      c.desc "Output formats [#{GRAPH_FORMATS}]"
-      c.flag [:f,:format], default_value: 'json', must_match: GRAPH_FORMATS
-
-      c.desc "Use a more compact JSON format"
-      c.switch [:s, :short]
-
-      c.desc "Whether to show ancestors"
-      c.switch [:a, :ancestors], default_value: true
-
-      c.desc "Whether to show descendants"
-      c.switch [:d, :descendants], default_value: true
-
-      acting_as_option(c)
-
-      c.action do |_, options, args|
-        format = options[:format].downcase.to_sym
-        if options[:short] and format != :json
-          $stderr.puts "WARNING: the --short option is meaningless when --format is not json"
-        end
-
-        params = options.slice(:ancestors, :descendants)
-        params[:as_role] = options[:acting_as] if options.member?(:acting_as)
-
-        graph = api.role_graph(args, params)
-
-        output = case format
-          when :json then graph.to_json(options[:short]) + "\n"
-          when :dot then graph.to_dot + "\n"
-          else raise "Unsupported format: #{format}" # not strictly necessary, because GLI must_match checks it,
-                                                     # but might as well?
-        end
-
-        $stdout.write output
+        role = roleid.nil? && api.current_role(Conjur.configuration.account) || api.role(full_role_id(roleid))
+        display_members role.members, options
       end
     end
   end