conjur-cli 6.0.1 → 6.2.3
- checksums.yaml +4 -4
- data/.github/CODEOWNERS +10 -0
- data/.github/ISSUE_TEMPLATE/bug.md +42 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +27 -0
- data/.github/PULL_REQUEST_TEMPLATE.md +21 -0
- data/.gitleaks.toml +216 -0
- data/CHANGELOG.md +63 -209
- data/CONTRIBUTING.md +81 -0
- data/Jenkinsfile +84 -40
- data/LICENSE +202 -0
- data/NOTICES.txt +421 -0
- data/README.md +285 -41
- data/Rakefile +0 -1
- data/SECURITY.md +42 -0
- data/VERSION +1 -1
- data/bin/conjur +3 -1
- data/bin/parse-changelog.sh +12 -0
- data/build-standalone +42 -3
- data/ci/cli-test.sh +5 -1
- data/ci/submit-coverage +36 -0
- data/ci/test.sh +1 -1
- data/conjur-cli.gemspec +15 -13
- data/dev/docker-compose.yml +1 -0
- data/dev/start.sh +24 -4
- data/docker-compose.yml +2 -1
- data/features/authorization/resource/check.feature +6 -0
- data/features/authorization/resource/exists.feature +10 -3
- data/features/hostfactory/tokens.feature +1 -1
- data/features/pubkeys/show.feature +0 -4
- data/features/step_definitions/authn_steps.rb +1 -1
- data/features/step_definitions/cli_steps.rb +0 -19
- data/features/step_definitions/overrides.rb +3 -5
- data/features/support/env.rb +3 -1
- data/features/support/hooks.rb +0 -11
- data/lib/conjur/cli.rb +4 -3
- data/lib/conjur/command/hosts.rb +1 -1
- data/lib/conjur/command/ldap_sync.rb +37 -0
- data/lib/conjur/command/rspec/mock_services.rb +7 -1
- data/lib/conjur/command/users.rb +5 -1
- data/lib/conjur/version.rb +1 -1
- data/needs-publishing +28 -0
- data/push-image +46 -28
- data/spec/authn_spec.rb +4 -4
- data/spec/command/authn_spec.rb +2 -2
- data/spec/command/hosts_spec.rb +23 -3
- data/spec/command/init_spec.rb +37 -27
- data/spec/command/ldap_sync_spec.rb +38 -0
- data/spec/command/users_spec.rb +13 -0
- data/spec/spec_helper.rb +5 -2
- data/test.sh +5 -0
- metadata +80 -77
- data/LICENSE.md +0 -195
data/Rakefile
CHANGED
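--- a/data/SECURITY.md
+++ b/data/SECURITY.md
@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+* [Reporting a Bug](#reporting-a-bug)
+* [Disclosure Policy](#disclosure-policy)
+* [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+* Confirm the problem and determine the affected versions.
+* Audit code to find any potential similar problems.
+* Prepare fixes for all releases still under maintenance. These fixes will be
+released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.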
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
6.
|
1
|
+
6.2.3
|
data/bin/conjur
CHANGED
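--- a/data/build-standalone
+++ b/data/build-standalone
@@ -1,6 +1,45 @@
 #!/bin/bash -e
 
-
+IMAGE="cyberark/conjur-cli:latest"
+
+ENV_VARS=(
+"CONJUR_MAJOR_VERSION=5"
+"CONJUR_VERSION=5"
+"PATH=/usr/local/lib/summon:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+)
+
+# Flatten resulting image.
+flatten() {
+local image="$1"
+echo "Flattening image '$image'..."
+
+# Since `--squash` is still experimental, we have to flatten the image
+# by exporting and importing a container based on the source image. By
+# doing this though, we lose a lot of the Dockerfile variables that are
+# required for running the image (ENV, EXPOSE, WORKDIR, etc) so we
+# manually rebuild them.
+# See here for more details: https://github.com/moby/moby/issues/8334
+local container
+container=$(docker create "$image")
+
+env_var_params=()
+for env_var in "${ENV_VARS[@]}"; do
+env_var_params+=("--change")
+env_var_params+=("ENV $env_var")
+done
+
+docker export "$container" | docker import \
+"${env_var_params[@]}" \
+--change 'ENTRYPOINT ["/bin/entry"]' \
+- "$image"
+docker rm "$container"
+}
+
+# Build the cli standalone container image
+echo "Building image $IMAGE"
+
 docker build . \
-
-
+--file Dockerfile.standalone \
+--tag "$IMAGE"
+
+flatten "$IMAGE"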
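Review bot: `docker export "$container" | docker import …` on new line 31 runs under `#!/bin/bash -e` with no `pipefail`, so a failing or interrupted `docker export` is masked by the exit status of `docker import`, and a truncated filesystem can be imported and tagged as `$IMAGE` while the script still exits 0; adding `set -o pipefail` after the shebang closes that gap. `env_var_params=()` on new line 25 is the one array in `flatten` not declared `local`, so it leaks into the global scope; `local env_var_params=()` keeps it alongside `image` and `container`. Note also that if `docker import` fails, `-e` aborts before `docker rm "$container"` on line 35, leaving the temporary container behind.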
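--- a/data/ci/cli-test.sh
+++ b/data/ci/cli-test.sh
@@ -1,6 +1,10 @@
 #!/bin/bash -ex
 
+# This can run with mounted source directory which is used in different Ruby versions.
+# Since library support is different for different versions, clear out the lock to
+# make sure full gem resolution runs each time.
+rm -f Gemfile.lock
 bundle install
 
 # If we got passed arguments, run that as the test command. Otherwise, run the full suite of tests.
-${@-bundle exec rake jenkins}
+exec ${@-bundle exec rake jenkins}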
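Review bot: `exec ${@-bundle exec rake jenkins}` on new line 10 leaves `$@` unquoted, so any test-command argument containing spaces or glob characters is re-split before `exec` sees it; the default can be kept without that by branching, `if [ "$#" -gt 0 ]; then exec "$@"; fi` followed by `exec bundle exec rake jenkins`. Separately, `rm -f Gemfile.lock` on new line 6 means the suite no longer runs against a pinned dependency set, so results can change between runs as new gem versions are published; the comment explains the multi-Ruby motivation, but recording what was actually resolved (for example `bundle list` after `bundle install`) would make a given run reproducible when it fails.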
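--- a/data/ci/submit-coverage
+++ b/data/ci/submit-coverage
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eux
+
+DIR="coverage"
+BIN="cc-test-reporter"
+REPORT="${DIR}/.resultset.json"
+
+if [[ ! -e ${REPORT} ]]; then
+echo "SimpleCov report (${REPORT}) not found"
+ls -laR ${DIR}
+exit 1
+fi
+
+if [[ ! -x ${BIN} ]]; then
+echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
+ls -laR ${DIR}
+# report is present but reporter binary is not, definitely a bug, exit error.
+exit 1
+fi
+
+# Simplecov excludes files not within the current repo, it also needs to
+# be able to read all the files referenced within the report. As the reports
+# are generated in containers, the absolute paths contained in the report
+# are not valid outside that container. This sed fixes the paths
+# So they are correct relative to the Jenkins workspace.
+sed -i -E "s+/src+${WORKSPACE}+g" "${REPORT}"
+
+echo "Coverage reports prepared, submitting to CodeClimate."
+# vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
+
+./${BIN} after-build \
+--coverage-input-type "simplecov"\
+--id "${TRID}"
+
+echo "Successfully Reported Coverage Data"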
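Review bot: `set -eux` on new line 3 keeps xtrace on for the whole script, so `--id "${TRID}"` on line 34 is printed fully expanded into the Jenkins log; the comment on line 30 only says TRID comes from `ccCoverage.dockerPrep`, but if it is the Code Climate reporter identifier it should not be logged, and bracketing the call with `set +x` before `./${BIN} after-build` and `set -x` after it avoids that. The `sed -i -E "s+/src+${WORKSPACE}+g"` on line 27 also uses `+` as the delimiter while interpolating `${WORKSPACE}` unescaped, so a workspace path containing `+` or `&` breaks or corrupts the rewrite, and the unanchored `/src` matches that substring anywhere in a path, not only the container's `/src` root; if the report stores paths as JSON strings, `sed -i -E "s+\"/src/+\"${WORKSPACE}/+g" "${REPORT}"` limits it to paths that start with `/src/`.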
data/ci/test.sh
CHANGED
@@ -11,7 +11,7 @@ unset CONJUR_AUTHN_LOGIN
|
|
11
11
|
|
12
12
|
bundle exec rake jenkins || true
|
13
13
|
|
14
|
-
env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY=
|
14
|
+
env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY='ADmin123!!!!' bundle exec cucumber -r acceptance-features/support \
|
15
15
|
-r acceptance-features/step_definitions \
|
16
16
|
-f pretty \
|
17
17
|
-f junit --out acceptance-features/reports \
|
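Review bot: The admin API key `'ADmin123!!!!'` on new line 14 is committed in clear text and passed through `env` on the command line, so it is visible in process listings and in any `-x` trace of this script (the shebang is outside the hunk). It appears to be the credential of the throwaway Conjur container used for the acceptance run, which limits the exposure, but it should be defined once and be overridable, for example `env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY="${CONJUR_AUTHN_API_KEY:-ADmin123!!!!}" bundle exec cucumber -r acceptance-features/support \`; presumably the same value is configured wherever the test server's admin key is set, and a comment naming that place would keep the two from drifting apart.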
data/conjur-cli.gemspec
CHANGED
@@ -3,11 +3,11 @@ require File.expand_path('../lib/conjur/version', __FILE__)
|
|
3
3
|
require "English"
|
4
4
|
|
5
5
|
Gem::Specification.new do |gem|
|
6
|
-
gem.authors = ["
|
7
|
-
gem.email = ["
|
6
|
+
gem.authors = ["Conjur Maintainers"]
|
7
|
+
gem.email = ["conj_maintainers@cyberark.com",]
|
8
8
|
gem.summary = %q{Conjur command line interface}
|
9
|
-
gem.homepage = "https://github.com/
|
10
|
-
gem.license = '
|
9
|
+
gem.homepage = "https://github.com/cyberark/conjur-cli"
|
10
|
+
gem.license = 'Apache 2.0'
|
11
11
|
|
12
12
|
gem.files = (`git ls-files`.split($OUTPUT_RECORD_SEPARATOR)
|
13
13
|
.select { |x| x !~ /^Dockerfile/ }
|
@@ -18,24 +18,26 @@ Gem::Specification.new do |gem|
|
|
18
18
|
gem.require_paths = ["lib"]
|
19
19
|
gem.version = Conjur::VERSION
|
20
20
|
|
21
|
+
# Filter out development only executables
|
22
|
+
gem.executables -= %w{parse-changelog.sh}
|
23
|
+
|
21
24
|
gem.add_dependency 'activesupport', '>= 4.2', '< 6'
|
22
|
-
gem.add_dependency 'conjur-api', '~> 5.
|
25
|
+
gem.add_dependency 'conjur-api', '~> 5.3'
|
26
|
+
gem.add_dependency 'deep_merge', '~> 1.0'
|
23
27
|
gem.add_dependency 'gli', '>=2.8.0'
|
24
28
|
gem.add_dependency 'highline', '~> 1.7'
|
25
29
|
gem.add_dependency 'netrc', '~> 0.10'
|
26
|
-
gem.add_dependency 'deep_merge', '~> 1.0'
|
27
|
-
gem.add_dependency 'xdg', '~> 2.2'
|
28
30
|
gem.add_dependency 'table_print', '~> 1.5'
|
31
|
+
gem.add_dependency 'xdg', '= 2.2.3'
|
29
32
|
|
30
|
-
gem.add_development_dependency '
|
31
|
-
gem.add_development_dependency 'simplecov'
|
33
|
+
gem.add_development_dependency 'addressable'
|
32
34
|
gem.add_development_dependency 'aruba', '~> 0.12'
|
33
35
|
gem.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
|
34
|
-
gem.add_development_dependency '
|
35
|
-
gem.add_development_dependency 'rake', '~> 10.0'
|
36
|
+
gem.add_development_dependency 'cucumber-api'
|
36
37
|
gem.add_development_dependency 'io-grab', '~> 0.0'
|
37
38
|
gem.add_development_dependency 'json_spec'
|
38
|
-
gem.add_development_dependency 'cucumber-api'
|
39
|
-
gem.add_development_dependency 'addressable'
|
40
39
|
gem.add_development_dependency 'pry-byebug'
|
40
|
+
gem.add_development_dependency 'rake', '~> 12.3.3'
|
41
|
+
gem.add_development_dependency 'rspec', '~> 3.0'
|
42
|
+
gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
|
41
43
|
end
|
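Review bot: `gem.license = 'Apache 2.0'` on new line 10 of the first hunk is not an SPDX identifier; RubyGems validates this field against the SPDX list and warns at build time, and tooling that consumes gem metadata matches on the identifier, so `gem.license = 'Apache-2.0'` is the form to use. In the second hunk, `gem.add_dependency 'xdg', '= 2.2.3'` (new line 31) is an exact pin and `simplecov` is capped at `< 0.18` (new line 42) with no stated reason; a one-line comment above each, such as `# exact pin: newer xdg releases excluded, see <ISSUE-ID>`, lets a later maintainer know when the constraint can be lifted.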
data/dev/docker-compose.yml
CHANGED
data/dev/start.sh
CHANGED
@@ -1,15 +1,35 @@
|
|
1
|
-
#!/bin/bash
|
1
|
+
#!/bin/bash
|
2
|
+
set -ex
|
2
3
|
|
3
4
|
export COMPOSE_PROJECT_NAME=clirubydev
|
4
5
|
|
5
6
|
docker-compose build
|
6
7
|
|
7
8
|
if [ ! -f data_key ]; then
|
8
|
-
|
9
|
-
|
9
|
+
echo "Generating data key"
|
10
|
+
docker-compose pull
|
11
|
+
docker-compose run --no-deps --rm conjur data-key generate > data_key
|
10
12
|
fi
|
11
13
|
|
12
|
-
export
|
14
|
+
export CONJUR_DATA_KEY="$(cat data_key)"
|
13
15
|
|
14
16
|
docker-compose up -d
|
17
|
+
docker-compose exec conjur conjurctl wait
|
18
|
+
|
19
|
+
apikey=$(docker-compose exec conjur \
|
20
|
+
conjurctl role retrieve-key cucumber:user:admin)
|
21
|
+
|
22
|
+
set +x
|
23
|
+
echo ''
|
24
|
+
echo ''
|
25
|
+
echo '=============== LOGIN WITH THESE CREDENTIALS ==============='
|
26
|
+
echo ''
|
27
|
+
echo 'username: admin'
|
28
|
+
echo "api key : ${apikey}"
|
29
|
+
echo ''
|
30
|
+
echo '============================================================'
|
31
|
+
echo ''
|
32
|
+
echo ''
|
33
|
+
set -x
|
34
|
+
|
15
35
|
docker-compose exec cli bash
|
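Review bot: `set +x` on new line 22 comes too late to keep the credentials out of the terminal: with `set -ex` from line 2 still active, bash's xtrace prints assignments after expansion, so `export CONJUR_DATA_KEY="$(cat data_key)"` on line 14 and `apikey=$(docker-compose exec …)` on lines 19–20 already echo the data key and the admin API key before the quiet banner block begins. Moving `set +x` above line 14 (or at least above line 19) keeps the trace for the `docker-compose` calls without printing secrets, which appears to be the intent of the banner. Since `docker-compose exec` allocates a TTY by default, the captured key may also carry a trailing carriage return; `docker-compose exec -T conjur \` is the usual form inside a command substitution.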
data/docker-compose.yml
CHANGED
@@ -6,7 +6,7 @@ services:
|
|
6
6
|
conjur:
|
7
7
|
image: cyberark/conjur
|
8
8
|
command: server -a cucumber
|
9
|
-
depends_on:
|
9
|
+
depends_on:
|
10
10
|
- pg
|
11
11
|
environment:
|
12
12
|
- CONJUR_DATA_KEY
|
@@ -25,6 +25,7 @@ services:
|
|
25
25
|
- CONJUR_ACCOUNT=cucumber
|
26
26
|
- CONJUR_AUTHN_LOGIN=admin
|
27
27
|
- CONJUR_AUTHN_API_KEY
|
28
|
+
- RUBY_VERSION=${RUBY_VERSION}
|
28
29
|
volumes:
|
29
30
|
- .:/src
|
30
31
|
|
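Review bot: `- RUBY_VERSION=${RUBY_VERSION}` on new line 28 silently becomes an empty string when the variable is unset in the caller's environment (Compose only warns), and `features/support/env.rb` in this same release uses that variable as the SimpleCov `command_name`, so coverage from differently configured runs in what is presumably the cli service would be merged under one empty name. `- RUBY_VERSION=${RUBY_VERSION:?RUBY_VERSION must be set}` fails fast instead, or `${RUBY_VERSION:-<default>}` if a default is intended.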
@@ -18,11 +18,18 @@ Feature: Test the existence of a resource
|
|
18
18
|
Scenario: Even foreign user can check existence of a resource
|
19
19
|
Given I load the policy:
|
20
20
|
"""
|
21
|
-
-
|
22
|
-
|
23
|
-
|
21
|
+
- &resources
|
22
|
+
- !resource
|
23
|
+
kind: food
|
24
|
+
id: bacon
|
24
25
|
|
25
26
|
- !user alice
|
27
|
+
|
28
|
+
- !permit
|
29
|
+
role: !user alice
|
30
|
+
privileges:
|
31
|
+
- read
|
32
|
+
resources: *resources
|
26
33
|
"""
|
27
34
|
And I login as "alice"
|
28
35
|
And I reset the command list
|
@@ -18,5 +18,5 @@ Feature: Host factory tokens
|
|
18
18
|
Scenario: create a host using a token
|
19
19
|
When I successfully run `conjur hostfactory tokens create myapp`
|
20
20
|
And I keep the JSON response at "0/token" as "TOKEN"
|
21
|
-
Then I successfully run `conjur hostfactory hosts create %{TOKEN} host-01`
|
21
|
+
Then I use it to successfully run `conjur hostfactory hosts create %{TOKEN} host-01`
|
22
22
|
And the JSON should have "api_key"
|
@@ -12,7 +12,3 @@ Feature: Show public keys for a user
|
|
12
12
|
Scenario: After adding a key, the key is shown
|
13
13
|
When I run `conjur pubkeys show alice`
|
14
14
|
And the output should match /^ssh-rsa .* laptop$/
|
15
|
-
|
16
|
-
Scenario: Public keys can be listed using cURL, without authentication
|
17
|
-
When I successfully run `curl -k $conjur_url/public_keys/cucumber/user/alice`
|
18
|
-
Then the output should match /^ssh-rsa .* laptop$/
|
@@ -1,22 +1,3 @@
|
|
1
|
-
Transform /\$ns/ do |s|
|
2
|
-
s.gsub('$ns', namespace)
|
3
|
-
end
|
4
|
-
|
5
|
-
Transform /\$user_role/ do |s|
|
6
|
-
s.gsub('$user_role', test_user.role_id)
|
7
|
-
end
|
8
|
-
|
9
|
-
Transform /^table:/ do |table|
|
10
|
-
table.tap do |t|
|
11
|
-
t.hashes.each do |row|
|
12
|
-
row.each do |_,v|
|
13
|
-
v.gsub!('$ns', namespace)
|
14
|
-
v.gsub!('$user_role', test_user.role_id)
|
15
|
-
end
|
16
|
-
end
|
17
|
-
end
|
18
|
-
end
|
19
|
-
|
20
1
|
When /^the command completes successfully/ do
|
21
2
|
last_command_started.wait
|
22
3
|
last_command_started.terminate
|
@@ -1,9 +1,7 @@
|
|
1
1
|
# Use a json_spec style memorized value as an environment variable
|
2
|
-
When /I
|
2
|
+
When /I use it to (.*)/ do |statement|
|
3
3
|
JsonSpec.memory.each do |k,v|
|
4
|
-
|
5
|
-
v = v[1...-1] if v[0] == '"'
|
6
|
-
value.gsub! "%{#{k}}", v
|
4
|
+
statement = statement.gsub("%{#{k}}", v)
|
7
5
|
end
|
8
|
-
|
6
|
+
step "I #{statement}"
|
9
7
|
end
|
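--- a/data/features/support/env.rb
+++ b/data/features/support/env.rb
@@ -6,7 +6,9 @@ require 'aruba/cucumber'
 require 'json_spec/cucumber'
 require 'simplecov'
 
-SimpleCov.start
+SimpleCov.start do
+command_name "#{ENV['RUBY_VERSION']}"
+end
 
 ENV['CONJUR_APPLIANCE_URL'] ||= 'http://localhost/api/v6'
 ENV['CONJUR_ACCOUNT'] ||= 'cucumber'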
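Review bot: `command_name "#{ENV['RUBY_VERSION']}"` on new line 10 interpolates a single value into a string only to stringify it, and turns a missing variable into `""`, so when `RUBY_VERSION` is unset every run shares an empty command name and SimpleCov merges their results as one. `command_name ENV.fetch('RUBY_VERSION')` makes the dependency explicit and fails at startup instead; if running without the variable is legitimate, `command_name ENV.fetch('RUBY_VERSION', RUBY_VERSION)` falls back to Ruby's own version constant, which is at least unique per interpreter.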
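--- a/data/features/support/hooks.rb
+++ b/data/features/support/hooks.rb
@@ -4,17 +4,6 @@ Aruba.configure do |config|
 config.io_wait_timeout = 2
 end
 
-Transform /\$conjur_url/ do |statement|
-statement.gsub "$conjur_url", Conjur.configuration.appliance_url
-end
-
-Transform /\%\{\w+\}/ do |statement|
-JsonSpec.memory.each do |k,v|
-statement = statement.gsub("%{#{k}}", v)
-end
-statement
-end
-
 Before('@conjurapi-log') do
 set_env 'CONJURAPI_LOG', 'stderr'
 end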
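--- a/data/lib/conjur/cli.rb
+++ b/data/lib/conjur/cli.rb
@@ -25,9 +25,7 @@ require 'active_support/deprecation'
 require 'xdg'
 require 'fileutils'
 
-# this makes mime/types gem load much faster by
-# mime types and caching them in binary form
-ENV['RUBY_MIME_TYPES_LAZY_LOAD'] ||= 'true'
+# this makes mime/types gem load much faster by caching them in binary form
 ENV['RUBY_MIME_TYPES_CACHE'] ||= (
 XDG['CACHE'].to_path.tap(&FileUtils.method(:mkdir_p)) + 'ruby-mime-types.cache'
 ).to_s
@@ -93,6 +91,9 @@ module Conjur
 apply_config
 load_plugins
 commands_from 'conjur/command'
+rescue => ex
+stderr.puts "error: #{ex.message}"
+raise if ENV['GLI_DEBUG'] == 'true'
 end
 
 def appliance_version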
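Review bot: The `rescue => ex` added at new line 94 catches every StandardError raised by `apply_config`, `load_plugins` and `commands_from`, prints it, and — unless `GLI_DEBUG=true` — lets the enclosing method (whose `def` is outside the hunk) return normally, so a broken config file or a failing plugin leaves the CLI running with whatever commands were registered before the failure, and the process can still exit 0. If the intent is to report and stop, `exit 1` after the `stderr.puts` line does that; if it is deliberately best-effort, a comment such as `# config/plugin load errors are non-fatal unless GLI_DEBUG=true` would stop the next reader from "fixing" it. Including the class, `stderr.puts "error: #{ex.class}: #{ex.message}"`, also helps when the message alone does not identify the source.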