conjur-cli 6.0.1 → 6.2.3
- checksums.yaml +4 -4
- data/.github/CODEOWNERS +10 -0
- data/.github/ISSUE_TEMPLATE/bug.md +42 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +27 -0
- data/.github/PULL_REQUEST_TEMPLATE.md +21 -0
- data/.gitleaks.toml +216 -0
- data/CHANGELOG.md +63 -209
- data/CONTRIBUTING.md +81 -0
- data/Jenkinsfile +84 -40
- data/LICENSE +202 -0
- data/NOTICES.txt +421 -0
- data/README.md +285 -41
- data/Rakefile +0 -1
- data/SECURITY.md +42 -0
- data/VERSION +1 -1
- data/bin/conjur +3 -1
- data/bin/parse-changelog.sh +12 -0
- data/build-standalone +42 -3
- data/ci/cli-test.sh +5 -1
- data/ci/submit-coverage +36 -0
- data/ci/test.sh +1 -1
- data/conjur-cli.gemspec +15 -13
- data/dev/docker-compose.yml +1 -0
- data/dev/start.sh +24 -4
- data/docker-compose.yml +2 -1
- data/features/authorization/resource/check.feature +6 -0
- data/features/authorization/resource/exists.feature +10 -3
- data/features/hostfactory/tokens.feature +1 -1
- data/features/pubkeys/show.feature +0 -4
- data/features/step_definitions/authn_steps.rb +1 -1
- data/features/step_definitions/cli_steps.rb +0 -19
- data/features/step_definitions/overrides.rb +3 -5
- data/features/support/env.rb +3 -1
- data/features/support/hooks.rb +0 -11
- data/lib/conjur/cli.rb +4 -3
- data/lib/conjur/command/hosts.rb +1 -1
- data/lib/conjur/command/ldap_sync.rb +37 -0
- data/lib/conjur/command/rspec/mock_services.rb +7 -1
- data/lib/conjur/command/users.rb +5 -1
- data/lib/conjur/version.rb +1 -1
- data/needs-publishing +28 -0
- data/push-image +46 -28
- data/spec/authn_spec.rb +4 -4
- data/spec/command/authn_spec.rb +2 -2
- data/spec/command/hosts_spec.rb +23 -3
- data/spec/command/init_spec.rb +37 -27
- data/spec/command/ldap_sync_spec.rb +38 -0
- data/spec/command/users_spec.rb +13 -0
- data/spec/spec_helper.rb +5 -2
- data/test.sh +5 -0
- metadata +80 -77
- data/LICENSE.md +0 -195
data/Rakefile
CHANGED
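--- a/data/SECURITY.md
+++ b/data/SECURITY.md
@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+* [Reporting a Bug](#reporting-a-bug)
+* [Disclosure Policy](#disclosure-policy)
+* [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+* Confirm the problem and determine the affected versions.
+* Audit code to find any potential similar problems.
+* Prepare fixes for all releases still under maintenance. These fixes will be
+released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.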
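--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-6.
+6.2.3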
data/bin/conjur
CHANGED
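--- a/data/build-standalone
+++ b/data/build-standalone
@@ -1,6 +1,45 @@
 #!/bin/bash -e
 
-
+IMAGE="cyberark/conjur-cli:latest"
+
+ENV_VARS=(
+"CONJUR_MAJOR_VERSION=5"
+"CONJUR_VERSION=5"
+"PATH=/usr/local/lib/summon:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+)
+
+# Flatten resulting image.
+flatten() {
+local image="$1"
+echo "Flattening image '$image'..."
+
+# Since `--squash` is still experimental, we have to flatten the image
+# by exporting and importing a container based on the source image. By
+# doing this though, we lose a lot of the Dockerfile variables that are
+# required for running the image (ENV, EXPOSE, WORKDIR, etc) so we
+# manually rebuild them.
+# See here for more details: https://github.com/moby/moby/issues/8334
+local container
+container=$(docker create "$image")
+
+env_var_params=()
+for env_var in "${ENV_VARS[@]}"; do
+env_var_params+=("--change")
+env_var_params+=("ENV $env_var")
+done
+
+docker export "$container" | docker import \
+"${env_var_params[@]}" \
+--change 'ENTRYPOINT ["/bin/entry"]' \
+- "$image"
+docker rm "$container"
+}
+
+# Build the cli standalone container image
+echo "Building image $IMAGE"
+
 docker build . \
-
-
+--file Dockerfile.standalone \
+--tag "$IMAGE"
+
+flatten "$IMAGE"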
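Review bot: The pipeline at line 31 of `flatten` runs under `bash -e` without `pipefail`, so a failing `docker export` is masked by a successful exit from `docker import` and a truncated or empty image can end up tagged as `$IMAGE`; add `set -o pipefail` after the shebang. The `docker rm` at line 35 is also skipped on any earlier failure, leaving the created container behind; a `trap "docker rm '$container'" EXIT` placed right after line 23 (double quotes so the name is captured while the local is in scope) covers that path. `env_var_params` at line 25 is assigned without `local`, so it leaks into the caller's scope; `local env_var_params=()` keeps it function-scoped.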
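--- a/data/ci/cli-test.sh
+++ b/data/ci/cli-test.sh
@@ -1,6 +1,10 @@
 #!/bin/bash -ex
 
+# This can run with mounted source directory which is used in different Ruby versions.
+# Since library support is different for different versions, clear out the lock to
+# make sure full gem resolution runs each time.
+rm -f Gemfile.lock
 bundle install
 
 # If we got passed arguments, run that as the test command. Otherwise, run the full suite of tests.
-${@-bundle exec rake jenkins}
+exec ${@-bundle exec rake jenkins}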
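Review bot: `rm -f Gemfile.lock` at line 6 discards dependency pinning for CI, so every run resolves the newest gems that satisfy the gemspec ranges and a build can break, or pick up a bad upstream release, without any change in this repository. The comment explains the multi-Ruby motivation, but a lockfile per Ruby version (a per-version Gemfile selected through `BUNDLE_GEMFILE`) keeps resolution reproducible; at minimum the comment should state the trade-off explicitly, e.g. `# NOTE: CI is intentionally unpinned here; only the gemspec ranges constrain what gets installed.` Separately, the unquoted `${@-...}` on line 10 is needed so the default splits into words, but it also word-splits caller-supplied arguments that contain spaces, which is worth a comment if that is accepted.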
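--- a/data/ci/submit-coverage
+++ b/data/ci/submit-coverage
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eux
+
+DIR="coverage"
+BIN="cc-test-reporter"
+REPORT="${DIR}/.resultset.json"
+
+if [[ ! -e ${REPORT} ]]; then
+echo "SimpleCov report (${REPORT}) not found"
+ls -laR ${DIR}
+exit 1
+fi
+
+if [[ ! -x ${BIN} ]]; then
+echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
+ls -laR ${DIR}
+# report is present but reporter binary is not, definitely a bug, exit error.
+exit 1
+fi
+
+# Simplecov excludes files not within the current repo, it also needs to
+# be able to read all the files referenced within the report. As the reports
+# are generated in containers, the absolute paths contained in the report
+# are not valid outside that container. This sed fixes the paths
+# So they are correct relative to the Jenkins workspace.
+sed -i -E "s+/src+${WORKSPACE}+g" "${REPORT}"
+
+echo "Coverage reports prepared, submitting to CodeClimate."
+# vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
+
+./${BIN} after-build \
+--coverage-input-type "simplecov"\
+--id "${TRID}"
+
+echo "Successfully Reported Coverage Data"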
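Review bot: `${WORKSPACE}` is interpolated unescaped into the sed expression at line 27, so a workspace path containing `+` (the delimiter chosen here), `&` or `\` would corrupt or abort the substitution, and the pattern `/src` is unanchored so it also rewrites any longer path that contains that segment. `set -u` at line 3 already guards against an unset `WORKSPACE`; escaping the value first, e.g. `ws=$(printf '%s' "${WORKSPACE}" | sed 's/[&+\\]/\\&/g')` and then `sed -i -E "s+/src+${ws}+g" "${REPORT}"`, closes the remaining gap. Style: line 33 has no space before the continuation backslash (`"simplecov"\`), which works but reads like a typo.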
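--- a/data/ci/test.sh
+++ b/data/ci/test.sh
@@ -11,7 +11,7 @@ unset CONJUR_AUTHN_LOGIN
 
 bundle exec rake jenkins || true
 
-env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY=
+env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY='ADmin123!!!!' bundle exec cucumber -r acceptance-features/support \
 -r acceptance-features/step_definitions \
 -f pretty \
 -f junit --out acceptance-features/reports \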
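Review bot: Line 14 commits a hard-coded admin credential, `CONJUR_AUTHN_API_KEY='ADmin123!!!!'`, in a script that the file listing shows is shipped inside the published gem (`data/ci/test.sh`), and the same release adds a `.gitleaks.toml`, so secret scanning will flag this on every run. If this is the fixture password the acceptance appliance is seeded with (that setup is not visible here), read it from the environment and keep the value in CI configuration instead, e.g. `env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY="${ACCEPTANCE_ADMIN_API_KEY:?set for acceptance tests}" bundle exec cucumber -r acceptance-features/support \` (variable name is a constructed example). Otherwise a comment stating that the value is a throwaway fixture for the local test appliance would at least let reviewers and the scanner allowlist distinguish it from a real secret.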
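--- a/data/conjur-cli.gemspec
+++ b/data/conjur-cli.gemspec
@@ -3,11 +3,11 @@ require File.expand_path('../lib/conjur/version', __FILE__)
 require "English"
 
 Gem::Specification.new do |gem|
-gem.authors = ["
-gem.email = ["
+gem.authors = ["Conjur Maintainers"]
+gem.email = ["conj_maintainers@cyberark.com",]
 gem.summary = %q{Conjur command line interface}
-gem.homepage = "https://github.com/
-gem.license = '
+gem.homepage = "https://github.com/cyberark/conjur-cli"
+gem.license = 'Apache 2.0'
 
 gem.files = (`git ls-files`.split($OUTPUT_RECORD_SEPARATOR)
 .select { |x| x !~ /^Dockerfile/ }
@@ -18,24 +18,26 @@ Gem::Specification.new do |gem|
 gem.require_paths = ["lib"]
 gem.version = Conjur::VERSION
 
+# Filter out development only executables
+gem.executables -= %w{parse-changelog.sh}
+
 gem.add_dependency 'activesupport', '>= 4.2', '< 6'
-gem.add_dependency 'conjur-api', '~> 5.
+gem.add_dependency 'conjur-api', '~> 5.3'
+gem.add_dependency 'deep_merge', '~> 1.0'
 gem.add_dependency 'gli', '>=2.8.0'
 gem.add_dependency 'highline', '~> 1.7'
 gem.add_dependency 'netrc', '~> 0.10'
-gem.add_dependency 'deep_merge', '~> 1.0'
-gem.add_dependency 'xdg', '~> 2.2'
 gem.add_dependency 'table_print', '~> 1.5'
+gem.add_dependency 'xdg', '= 2.2.3'
 
-gem.add_development_dependency '
-gem.add_development_dependency 'simplecov'
+gem.add_development_dependency 'addressable'
 gem.add_development_dependency 'aruba', '~> 0.12'
 gem.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
-gem.add_development_dependency '
-gem.add_development_dependency 'rake', '~> 10.0'
+gem.add_development_dependency 'cucumber-api'
 gem.add_development_dependency 'io-grab', '~> 0.0'
 gem.add_development_dependency 'json_spec'
-gem.add_development_dependency 'cucumber-api'
-gem.add_development_dependency 'addressable'
 gem.add_development_dependency 'pry-byebug'
+gem.add_development_dependency 'rake', '~> 12.3.3'
+gem.add_development_dependency 'rspec', '~> 3.0'
+gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
 end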
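Review bot: Style: line 7 leaves a trailing comma inside a one-element array literal, `gem.email = ["conj_maintainers@cyberark.com",]`, which reads like a truncated list; `gem.email = ["conj_maintainers@cyberark.com"]` is the conventional form. The exact pin `gem.add_dependency 'xdg', '= 2.2.3'` on line 31 replaces the earlier `~> 2.2` range without saying why, so the next maintainer has no signal against loosening it again; a one-line comment above it naming the incompatibility it works around (`# xdg pinned exactly: <reason>`) would preserve that decision. The hunk of lines 18-43 also reorders the dependency list alphabetically, which is a good convention worth keeping consistent for the `addressable`/`cucumber-api` entries that still lack version constraints.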
data/dev/docker-compose.yml
CHANGED
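--- a/data/dev/start.sh
+++ b/data/dev/start.sh
@@ -1,15 +1,35 @@
-#!/bin/bash
+#!/bin/bash
+set -ex
 
 export COMPOSE_PROJECT_NAME=clirubydev
 
 docker-compose build
 
 if [ ! -f data_key ]; then
-
-
+echo "Generating data key"
+docker-compose pull
+docker-compose run --no-deps --rm conjur data-key generate > data_key
 fi
 
-export
+export CONJUR_DATA_KEY="$(cat data_key)"
 
 docker-compose up -d
+docker-compose exec conjur conjurctl wait
+
+apikey=$(docker-compose exec conjur \
+conjurctl role retrieve-key cucumber:user:admin)
+
+set +x
+echo ''
+echo ''
+echo '=============== LOGIN WITH THESE CREDENTIALS ==============='
+echo ''
+echo 'username: admin'
+echo "api key : ${apikey}"
+echo ''
+echo '============================================================'
+echo ''
+echo ''
+set -x
+
 docker-compose exec cli bash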
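Review bot: With `set -ex` enabled at line 2, bash's xtrace echoes the expanded assignments `export CONJUR_DATA_KEY=...` at line 14 and `apikey=...` at line 19 to stderr, so the data key and the admin API key land in the trace output (terminal scrollback, or any log that captures this script) before tracing is switched off at line 22. Moving the `set +x` from line 22 up to just before line 14, and keeping `set -x` after the banner, keeps the trace but stops it printing key material. The `data_key` file written at line 11 inherits the default umask; a `chmod 600 data_key` after the redirect (or `umask 077` before it) keeps the encryption key owner-readable only. `docker-compose exec` allocates a TTY by default, so the captured `apikey` may carry a trailing carriage return that would corrupt the banner value; passing `-T` on line 19 avoids that, worth confirming against the compose version in use.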
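--- a/data/docker-compose.yml
+++ b/data/docker-compose.yml
@@ -6,7 +6,7 @@ services:
 conjur:
 image: cyberark/conjur
 command: server -a cucumber
-depends_on:
+depends_on:
 - pg
 environment:
 - CONJUR_DATA_KEY
@@ -25,6 +25,7 @@ services:
 - CONJUR_ACCOUNT=cucumber
 - CONJUR_AUTHN_LOGIN=admin
 - CONJUR_AUTHN_API_KEY
+- RUBY_VERSION=${RUBY_VERSION}
 volumes:
 - .:/src
 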
@@ -18,11 +18,18 @@ Feature: Test the existence of a resource
|
|
18
18
|
Scenario: Even foreign user can check existence of a resource
|
19
19
|
Given I load the policy:
|
20
20
|
"""
|
21
|
-
-
|
22
|
-
|
23
|
-
|
21
|
+
- &resources
|
22
|
+
- !resource
|
23
|
+
kind: food
|
24
|
+
id: bacon
|
24
25
|
|
25
26
|
- !user alice
|
27
|
+
|
28
|
+
- !permit
|
29
|
+
role: !user alice
|
30
|
+
privileges:
|
31
|
+
- read
|
32
|
+
resources: *resources
|
26
33
|
"""
|
27
34
|
And I login as "alice"
|
28
35
|
And I reset the command list
|
@@ -18,5 +18,5 @@ Feature: Host factory tokens
|
|
18
18
|
Scenario: create a host using a token
|
19
19
|
When I successfully run `conjur hostfactory tokens create myapp`
|
20
20
|
And I keep the JSON response at "0/token" as "TOKEN"
|
21
|
-
Then I successfully run `conjur hostfactory hosts create %{TOKEN} host-01`
|
21
|
+
Then I use it to successfully run `conjur hostfactory hosts create %{TOKEN} host-01`
|
22
22
|
And the JSON should have "api_key"
|
@@ -12,7 +12,3 @@ Feature: Show public keys for a user
|
|
12
12
|
Scenario: After adding a key, the key is shown
|
13
13
|
When I run `conjur pubkeys show alice`
|
14
14
|
And the output should match /^ssh-rsa .* laptop$/
|
15
|
-
|
16
|
-
Scenario: Public keys can be listed using cURL, without authentication
|
17
|
-
When I successfully run `curl -k $conjur_url/public_keys/cucumber/user/alice`
|
18
|
-
Then the output should match /^ssh-rsa .* laptop$/
|
@@ -1,22 +1,3 @@
|
|
1
|
-
Transform /\$ns/ do |s|
|
2
|
-
s.gsub('$ns', namespace)
|
3
|
-
end
|
4
|
-
|
5
|
-
Transform /\$user_role/ do |s|
|
6
|
-
s.gsub('$user_role', test_user.role_id)
|
7
|
-
end
|
8
|
-
|
9
|
-
Transform /^table:/ do |table|
|
10
|
-
table.tap do |t|
|
11
|
-
t.hashes.each do |row|
|
12
|
-
row.each do |_,v|
|
13
|
-
v.gsub!('$ns', namespace)
|
14
|
-
v.gsub!('$user_role', test_user.role_id)
|
15
|
-
end
|
16
|
-
end
|
17
|
-
end
|
18
|
-
end
|
19
|
-
|
20
1
|
When /^the command completes successfully/ do
|
21
2
|
last_command_started.wait
|
22
3
|
last_command_started.terminate
|
@@ -1,9 +1,7 @@
|
|
1
1
|
# Use a json_spec style memorized value as an environment variable
|
2
|
-
When /I
|
2
|
+
When /I use it to (.*)/ do |statement|
|
3
3
|
JsonSpec.memory.each do |k,v|
|
4
|
-
|
5
|
-
v = v[1...-1] if v[0] == '"'
|
6
|
-
value.gsub! "%{#{k}}", v
|
4
|
+
statement = statement.gsub("%{#{k}}", v)
|
7
5
|
end
|
8
|
-
|
6
|
+
step "I #{statement}"
|
9
7
|
end
|
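Review bot: The rewritten step on lines 2-7 drops the quote-stripping the old code performed (`v = v[1...-1] if v[0] == '"'`) and substitutes each memorised value verbatim; if `JsonSpec.memory` holds normalised JSON, a memorised string still carries its surrounding double quotes and those now flow into the command handed to `step "I #{statement}"` (the tokens.feature change in this same diff relies on this step). Worth confirming against that scenario, or restoring the strip as `statement = statement.gsub("%{#{k}}", v.delete_prefix('"').delete_suffix('"'))`. Style: the step regex `/I use it to (.*)/` is unanchored, so it also matches any longer step text containing that phrase; `/^I use it to (.*)$/` avoids ambiguous-step matches.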
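--- a/data/features/support/env.rb
+++ b/data/features/support/env.rb
@@ -6,7 +6,9 @@ require 'aruba/cucumber'
 require 'json_spec/cucumber'
 require 'simplecov'
 
-SimpleCov.start
+SimpleCov.start do
+command_name "#{ENV['RUBY_VERSION']}"
+end
 
 ENV['CONJUR_APPLIANCE_URL'] ||= 'http://localhost/api/v6'
 ENV['CONJUR_ACCOUNT'] ||= 'cucumber'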
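Review bot: `command_name "#{ENV['RUBY_VERSION']}"` on line 10 interpolates a single value into an otherwise empty string; `command_name ENV['RUBY_VERSION'].to_s` says the same thing without the interpolation. When the `RUBY_VERSION` environment variable is not exported (the compose file in this release only passes it through from the host), the command name becomes an empty string, which is hard to tell apart in merged SimpleCov results; `command_name ENV.fetch('RUBY_VERSION', RUBY_VERSION)` falls back to Ruby's own `RUBY_VERSION` constant, which is always available and distinct from the environment variable of the same name.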
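--- a/data/features/support/hooks.rb
+++ b/data/features/support/hooks.rb
@@ -4,17 +4,6 @@ Aruba.configure do |config|
 config.io_wait_timeout = 2
 end
 
-Transform /\$conjur_url/ do |statement|
-statement.gsub "$conjur_url", Conjur.configuration.appliance_url
-end
-
-Transform /\%\{\w+\}/ do |statement|
-JsonSpec.memory.each do |k,v|
-statement = statement.gsub("%{#{k}}", v)
-end
-statement
-end
-
 Before('@conjurapi-log') do
 set_env 'CONJURAPI_LOG', 'stderr'
 end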
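--- a/data/lib/conjur/cli.rb
+++ b/data/lib/conjur/cli.rb
@@ -25,9 +25,7 @@ require 'active_support/deprecation'
 require 'xdg'
 require 'fileutils'
 
-# this makes mime/types gem load much faster by
-# mime types and caching them in binary form
-ENV['RUBY_MIME_TYPES_LAZY_LOAD'] ||= 'true'
+# this makes mime/types gem load much faster by caching them in binary form
 ENV['RUBY_MIME_TYPES_CACHE'] ||= (
 XDG['CACHE'].to_path.tap(&FileUtils.method(:mkdir_p)) + 'ruby-mime-types.cache'
 ).to_s
@@ -93,6 +91,9 @@ module Conjur
 apply_config
 load_plugins
 commands_from 'conjur/command'
+rescue => ex
+stderr.puts "error: #{ex.message}"
+raise if ENV['GLI_DEBUG'] == 'true'
 end
 
 def appliance_version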
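Review bot: The new `rescue => ex` at line 94 prints only `ex.message` and then lets execution continue unless `GLI_DEBUG` is `'true'`, so a failure in `apply_config`, `load_plugins` or `commands_from` leaves the CLI running with partially applied configuration or missing commands, with no non-zero exit from this point and the backtrace discarded in the normal case. If continuing is not intended, an `exit 1` after the `puts` (or GLI's `exit_now!`) makes the failure visible to calling scripts; if it is intended so that basic commands still work with a broken config or plugin, say so in a comment such as `# Non-fatal by design: report the error and keep going so --help and similar still run`. The definition this `rescue` clause attaches to begins before the hunk, so the exact scope being rescued is not visible here.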