conjur-cli 6.0.1 → 6.2.3

Files changed (52) hide show
  1. checksums.yaml +4 -4
  2. data/.github/CODEOWNERS +10 -0
  3. data/.github/ISSUE_TEMPLATE/bug.md +42 -0
  4. data/.github/ISSUE_TEMPLATE/feature_request.md +27 -0
  5. data/.github/PULL_REQUEST_TEMPLATE.md +21 -0
  6. data/.gitleaks.toml +216 -0
  7. data/CHANGELOG.md +63 -209
  8. data/CONTRIBUTING.md +81 -0
  9. data/Jenkinsfile +84 -40
  10. data/LICENSE +202 -0
  11. data/NOTICES.txt +421 -0
  12. data/README.md +285 -41
  13. data/Rakefile +0 -1
  14. data/SECURITY.md +42 -0
  15. data/VERSION +1 -1
  16. data/bin/conjur +3 -1
  17. data/bin/parse-changelog.sh +12 -0
  18. data/build-standalone +42 -3
  19. data/ci/cli-test.sh +5 -1
  20. data/ci/submit-coverage +36 -0
  21. data/ci/test.sh +1 -1
  22. data/conjur-cli.gemspec +15 -13
  23. data/dev/docker-compose.yml +1 -0
  24. data/dev/start.sh +24 -4
  25. data/docker-compose.yml +2 -1
  26. data/features/authorization/resource/check.feature +6 -0
  27. data/features/authorization/resource/exists.feature +10 -3
  28. data/features/hostfactory/tokens.feature +1 -1
  29. data/features/pubkeys/show.feature +0 -4
  30. data/features/step_definitions/authn_steps.rb +1 -1
  31. data/features/step_definitions/cli_steps.rb +0 -19
  32. data/features/step_definitions/overrides.rb +3 -5
  33. data/features/support/env.rb +3 -1
  34. data/features/support/hooks.rb +0 -11
  35. data/lib/conjur/cli.rb +4 -3
  36. data/lib/conjur/command/hosts.rb +1 -1
  37. data/lib/conjur/command/ldap_sync.rb +37 -0
  38. data/lib/conjur/command/rspec/mock_services.rb +7 -1
  39. data/lib/conjur/command/users.rb +5 -1
  40. data/lib/conjur/version.rb +1 -1
  41. data/needs-publishing +28 -0
  42. data/push-image +46 -28
  43. data/spec/authn_spec.rb +4 -4
  44. data/spec/command/authn_spec.rb +2 -2
  45. data/spec/command/hosts_spec.rb +23 -3
  46. data/spec/command/init_spec.rb +37 -27
  47. data/spec/command/ldap_sync_spec.rb +38 -0
  48. data/spec/command/users_spec.rb +13 -0
  49. data/spec/spec_helper.rb +5 -2
  50. data/test.sh +5 -0
  51. metadata +80 -77
  52. data/LICENSE.md +0 -195
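--- a/data/Rakefile
+++ b/data/Rakefile
@@ -3,7 +3,6 @@ require "bundler/gem_tasks"
 
  begin
  require 'ci/reporter/rake/rspec'
- require 'ci/reporter/rake/cucumber'
  require 'cucumber'
  require 'cucumber/rake/task'
  require 'rspec/core/rake_task'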
@@ -0,0 +1,42 @@
1
+ # Security Policies and Procedures
2
+
3
+ This document outlines security procedures and general policies for the CyberArk Conjur
4
+ suite of tools and products.
5
+
6
+ * [Reporting a Bug](#reporting-a-bug)
7
+ * [Disclosure Policy](#disclosure-policy)
8
+ * [Comments on this Policy](#comments-on-this-policy)
9
+
10
+ ## Reporting a Bug
11
+
12
+ The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
13
+ Thank you for improving the security of the Conjur suite. We appreciate your efforts and
14
+ responsible disclosure and will make every effort to acknowledge your
15
+ contributions.
16
+
17
+ Report security bugs by emailing the lead maintainers at security@conjur.org.
18
+
19
+ The maintainers will acknowledge your email within 2 business days. Subsequently, we will
20
+ send a more detailed response within 2 business days of our acknowledgement indicating
21
+ the next steps in handling your report. After the initial reply to your report, the security
22
+ team will endeavor to keep you informed of the progress towards a fix and full
23
+ announcement, and may ask for additional information or guidance.
24
+
25
+ Report security bugs in third-party modules to the person or team maintaining
26
+ the module.
27
+
28
+ ## Disclosure Policy
29
+
30
+ When the security team receives a security bug report, they will assign it to a
31
+ primary handler. This person will coordinate the fix and release process,
32
+ involving the following steps:
33
+
34
+ * Confirm the problem and determine the affected versions.
35
+ * Audit code to find any potential similar problems.
36
+ * Prepare fixes for all releases still under maintenance. These fixes will be
37
+ released as fast as possible.
38
+
39
+ ## Comments on this Policy
40
+
41
+ If you have suggestions on how this process could be improved please submit a
42
+ pull request.
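--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 6.0.1
+ 6.2.3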
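--- a/data/bin/conjur
+++ b/data/bin/conjur
@@ -22,5 +22,7 @@
 
  require 'active_support'
  require 'conjur/cli'
-
+ if ENV['RAILS_ENV'] == 'development'
+ require 'pry'
+ end
  exit Conjur::CLI.run(ARGV)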
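Review bot: The new `require 'pry'` is gated on `RAILS_ENV`, an ambient variable that developer shells and CI hosts often export for unrelated Rails work, while the gemspec shown on this page lists only `pry-byebug`, and only as a development dependency. On an installed gem with `RAILS_ENV=development` set, the executable would raise `LoadError` before `Conjur::CLI.run` is reached, or load a debugger into a credential-handling CLI without the user asking for it. Make a missing gem non-fatal, for example `begin; require 'pry'; rescue LoadError; end`, and consider keying the switch on a variable specific to this tool rather than `RAILS_ENV`.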
@@ -0,0 +1,12 @@
1
+ #!/bin/bash -ex
2
+
3
+ cd "$(dirname "$0")"
4
+
5
+ docker run --rm \
6
+ -v "$PWD/..:/work" \
7
+ -w "/work" \
8
+ ruby:2.5 bash -ec "
9
+ gem install -N parse_a_changelog
10
+ parse ./CHANGELOG.md
11
+ "
12
+
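Review bot: Both inputs to this check are unpinned: `ruby:2.5` is a mutable image tag and `gem install -N parse_a_changelog` takes whatever version the registry serves at run time, so the script runs unreviewed code with the repository mounted read-write at `/work`. Pin the gem with `gem install -N parse_a_changelog -v <pinned-version>` and mount the tree read-only with `-v "$PWD/..:/work:ro"`, since parsing the changelog needs no write access.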
@@ -1,6 +1,45 @@
1
1
  #!/bin/bash -e
2
2
 
3
- # build the cli standalone container image
3
+ IMAGE="cyberark/conjur-cli:latest"
4
+
5
+ ENV_VARS=(
6
+ "CONJUR_MAJOR_VERSION=5"
7
+ "CONJUR_VERSION=5"
8
+ "PATH=/usr/local/lib/summon:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
9
+ )
10
+
11
+ # Flatten resulting image.
12
+ flatten() {
13
+ local image="$1"
14
+ echo "Flattening image '$image'..."
15
+
16
+ # Since `--squash` is still experimental, we have to flatten the image
17
+ # by exporting and importing a container based on the source image. By
18
+ # doing this though, we lose a lot of the Dockerfile variables that are
19
+ # required for running the image (ENV, EXPOSE, WORKDIR, etc) so we
20
+ # manually rebuild them.
21
+ # See here for more details: https://github.com/moby/moby/issues/8334
22
+ local container
23
+ container=$(docker create "$image")
24
+
25
+ env_var_params=()
26
+ for env_var in "${ENV_VARS[@]}"; do
27
+ env_var_params+=("--change")
28
+ env_var_params+=("ENV $env_var")
29
+ done
30
+
31
+ docker export "$container" | docker import \
32
+ "${env_var_params[@]}" \
33
+ --change 'ENTRYPOINT ["/bin/entry"]' \
34
+ - "$image"
35
+ docker rm "$container"
36
+ }
37
+
38
+ # Build the cli standalone container image
39
+ echo "Building image $IMAGE"
40
+
4
41
  docker build . \
5
- -f Dockerfile.standalone \
6
- -t cyberark/conjur-cli
42
+ --file Dockerfile.standalone \
43
+ --tag "$IMAGE"
44
+
45
+ flatten "$IMAGE"
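Review bot: In `flatten`, the pipeline `docker export "$container" | docker import ...` runs under `bash -e` without `pipefail`, so a failed or truncated export is masked by the exit status of `docker import` and the result can still be tagged as `$IMAGE`. Add `set -o pipefail` at the top, and register the cleanup before the pipeline with `trap 'docker rm "$container"' EXIT` so the temporary container is removed on failure too. The hand-maintained `ENV_VARS` list and the single `ENTRYPOINT` change are the only metadata restored after the import. If `Dockerfile.standalone` (not visible here) sets anything else, such as `USER` or `WORKDIR`, the flattened image silently loses it, which deserves a comment above `ENV_VARS`.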
@@ -1,6 +1,10 @@
1
1
  #!/bin/bash -ex
2
2
 
3
+ # This can run with mounted source directory which is used in different Ruby versions.
4
+ # Since library support is different for different versions, clear out the lock to
5
+ # make sure full gem resolution runs each time.
6
+ rm -f Gemfile.lock
3
7
  bundle install
4
8
 
5
9
  # If we got passed arguments, run that as the test command. Otherwise, run the full suite of tests.
6
- ${@-bundle exec rake jenkins}
10
+ exec ${@-bundle exec rake jenkins}
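Review bot: `rm -f Gemfile.lock` runs in the working directory, which the added comment says can be a mounted source directory, so the deletion reaches the host checkout and every run resolves dependencies afresh instead of testing a reviewed set. If per-Ruby resolution is the goal, the comment should state that the lockfile is intentionally not used for these runs and that the file removed may be the developer's own. Separately, `exec ${@-bundle exec rake jenkins}` is unquoted, so an argument containing spaces is re-split; `if [ $# -gt 0 ]; then exec "$@"; fi` followed by `exec bundle exec rake jenkins` keeps the arguments intact.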
@@ -0,0 +1,36 @@
1
+ #!/bin/bash
2
+
3
+ set -eux
4
+
5
+ DIR="coverage"
6
+ BIN="cc-test-reporter"
7
+ REPORT="${DIR}/.resultset.json"
8
+
9
+ if [[ ! -e ${REPORT} ]]; then
10
+ echo "SimpleCov report (${REPORT}) not found"
11
+ ls -laR ${DIR}
12
+ exit 1
13
+ fi
14
+
15
+ if [[ ! -x ${BIN} ]]; then
16
+ echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
17
+ ls -laR ${DIR}
18
+ # report is present but reporter binary is not, definitely a bug, exit error.
19
+ exit 1
20
+ fi
21
+
22
+ # Simplecov excludes files not within the current repo, it also needs to
23
+ # be able to read all the files referenced within the report. As the reports
24
+ # are generated in containers, the absolute paths contained in the report
25
+ # are not valid outside that container. This sed fixes the paths
26
+ # So they are correct relative to the Jenkins workspace.
27
+ sed -i -E "s+/src+${WORKSPACE}+g" "${REPORT}"
28
+
29
+ echo "Coverage reports prepared, submitting to CodeClimate."
30
+ # vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
31
+
32
+ ./${BIN} after-build \
33
+ --coverage-input-type "simplecov"\
34
+ --id "${TRID}"
35
+
36
+ echo "Successfully Reported Coverage Data"
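Review bot: `set -eux` leaves tracing on for the whole script, so the expanded value of `--id "${TRID}"` is written to the build log when `cc-test-reporter` is invoked. Turn tracing off around that call with `set +x` before `./${BIN} after-build`, or drop `--id` and export the value as `CC_TEST_REPORTER_ID`, which the reporter reads from the environment. The `sed` expression also substitutes `${WORKSPACE}` unescaped with `+` as the delimiter and matches `/src` anywhere in a path, so a workspace path containing `+` or `&` would corrupt the report. Anchoring the pattern and escaping the replacement would make the rewrite safer.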
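--- a/data/ci/test.sh
+++ b/data/ci/test.sh
@@ -11,7 +11,7 @@ unset CONJUR_AUTHN_LOGIN
 
  bundle exec rake jenkins || true
 
- env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY=secret bundle exec cucumber -r acceptance-features/support \
+ env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY='ADmin123!!!!' bundle exec cucumber -r acceptance-features/support \
  -r acceptance-features/step_definitions \
  -f pretty \
  -f junit --out acceptance-features/reports \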
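Review bot: The new API key is a literal on the `env ... cucumber` command line, where it is committed with the script and visible in the process list for the length of the run. If it is only the bootstrap password of the throwaway test server, say so in a comment above the line, e.g. `# fixture credential for the local test instance only; never valid outside CI`, so secret scanners and reviewers can treat it as an allowlisted fixture. Otherwise export `CONJUR_AUTHN_API_KEY` from the CI environment before this line instead of spelling it out. The command continues past the end of the hunk.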
@@ -3,11 +3,11 @@ require File.expand_path('../lib/conjur/version', __FILE__)
3
3
  require "English"
4
4
 
5
5
  Gem::Specification.new do |gem|
6
- gem.authors = ["Rafal Rzepecki", "Kevin Gilpin"]
7
- gem.email = ["rafal@conjur.net", "kgilpin@conjur.net",]
6
+ gem.authors = ["Conjur Maintainers"]
7
+ gem.email = ["conj_maintainers@cyberark.com",]
8
8
  gem.summary = %q{Conjur command line interface}
9
- gem.homepage = "https://github.com/conjurinc/cli-ruby"
10
- gem.license = 'MIT'
9
+ gem.homepage = "https://github.com/cyberark/conjur-cli"
10
+ gem.license = 'Apache 2.0'
11
11
 
12
12
  gem.files = (`git ls-files`.split($OUTPUT_RECORD_SEPARATOR)
13
13
  .select { |x| x !~ /^Dockerfile/ }
@@ -18,24 +18,26 @@ Gem::Specification.new do |gem|
18
18
  gem.require_paths = ["lib"]
19
19
  gem.version = Conjur::VERSION
20
20
 
21
+ # Filter out development only executables
22
+ gem.executables -= %w{parse-changelog.sh}
23
+
21
24
  gem.add_dependency 'activesupport', '>= 4.2', '< 6'
22
- gem.add_dependency 'conjur-api', '~> 5.0'
25
+ gem.add_dependency 'conjur-api', '~> 5.3'
26
+ gem.add_dependency 'deep_merge', '~> 1.0'
23
27
  gem.add_dependency 'gli', '>=2.8.0'
24
28
  gem.add_dependency 'highline', '~> 1.7'
25
29
  gem.add_dependency 'netrc', '~> 0.10'
26
- gem.add_dependency 'deep_merge', '~> 1.0'
27
- gem.add_dependency 'xdg', '~> 2.2'
28
30
  gem.add_dependency 'table_print', '~> 1.5'
31
+ gem.add_dependency 'xdg', '= 2.2.3'
29
32
 
30
- gem.add_development_dependency 'rspec', '~> 3.0'
31
- gem.add_development_dependency 'simplecov'
33
+ gem.add_development_dependency 'addressable'
32
34
  gem.add_development_dependency 'aruba', '~> 0.12'
33
35
  gem.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
34
- gem.add_development_dependency 'ci_reporter_cucumber', '~> 1.0'
35
- gem.add_development_dependency 'rake', '~> 10.0'
36
+ gem.add_development_dependency 'cucumber-api'
36
37
  gem.add_development_dependency 'io-grab', '~> 0.0'
37
38
  gem.add_development_dependency 'json_spec'
38
- gem.add_development_dependency 'cucumber-api'
39
- gem.add_development_dependency 'addressable'
40
39
  gem.add_development_dependency 'pry-byebug'
40
+ gem.add_development_dependency 'rake', '~> 12.3.3'
41
+ gem.add_development_dependency 'rspec', '~> 3.0'
42
+ gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
41
43
  end
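Review bot: `gem.license = 'Apache 2.0'` in the first hunk is not an SPDX identifier, so RubyGems warns at build time and licence-compliance tooling that keys on SPDX ids will not recognise it; use `gem.license = 'Apache-2.0'`. In the second hunk, `xdg` moves from `~> 2.2` to the exact pin `= 2.2.3` with no explanation. A one-line comment giving the reason (presumably an incompatible later release, though the page does not say) would tell maintainers when the pin can be lifted.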
@@ -17,6 +17,7 @@ services:
17
17
  entrypoint: sleep
18
18
  command: infinity
19
19
  environment:
20
+ RAILS_ENV: development
20
21
  CONJUR_APPLIANCE_URL: http://conjur
21
22
  CONJUR_ACCOUNT: cucumber
22
23
  working_dir: /src/conjur-cli
@@ -1,15 +1,35 @@
1
- #!/bin/bash -ex
1
+ #!/bin/bash
2
+ set -ex
2
3
 
3
4
  export COMPOSE_PROJECT_NAME=clirubydev
4
5
 
5
6
  docker-compose build
6
7
 
7
8
  if [ ! -f data_key ]; then
8
- echo "Generating data key"
9
- docker-compose run --no-deps --rm conjur data-key generate > data_key
9
+ echo "Generating data key"
10
+ docker-compose pull
11
+ docker-compose run --no-deps --rm conjur data-key generate > data_key
10
12
  fi
11
13
 
12
- export POSSUM_DATA_KEY="$(cat data_key)"
14
+ export CONJUR_DATA_KEY="$(cat data_key)"
13
15
 
14
16
  docker-compose up -d
17
+ docker-compose exec conjur conjurctl wait
18
+
19
+ apikey=$(docker-compose exec conjur \
20
+ conjurctl role retrieve-key cucumber:user:admin)
21
+
22
+ set +x
23
+ echo ''
24
+ echo ''
25
+ echo '=============== LOGIN WITH THESE CREDENTIALS ==============='
26
+ echo ''
27
+ echo 'username: admin'
28
+ echo "api key : ${apikey}"
29
+ echo ''
30
+ echo '============================================================'
31
+ echo ''
32
+ echo ''
33
+ set -x
34
+
15
35
  docker-compose exec cli bash
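Review bot: `set +x` is placed after the `apikey=$(...)` assignment, so with `set -ex` active bash still traces that assignment with the retrieved key expanded, and `export CONJUR_DATA_KEY="$(cat data_key)"` traces the data key the same way. Move `set +x` above the first line that handles a secret and restore tracing only after the banner. `docker-compose exec` also allocates a TTY by default, which tends to leave a trailing carriage return in `apikey`; `docker-compose exec -T conjur conjurctl role retrieve-key cucumber:user:admin` avoids that. `data_key` is created with the default umask, so a `umask 077` before the redirect is worth adding even for a development key.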
@@ -6,7 +6,7 @@ services:
6
6
  conjur:
7
7
  image: cyberark/conjur
8
8
  command: server -a cucumber
9
- depends_on:
9
+ depends_on:
10
10
  - pg
11
11
  environment:
12
12
  - CONJUR_DATA_KEY
@@ -25,6 +25,7 @@ services:
25
25
  - CONJUR_ACCOUNT=cucumber
26
26
  - CONJUR_AUTHN_LOGIN=admin
27
27
  - CONJUR_AUTHN_API_KEY
28
+ - RUBY_VERSION=${RUBY_VERSION}
28
29
  volumes:
29
30
  - .:/src
30
31
 
@@ -33,6 +33,12 @@ Feature: Checking permissions on a resource
33
33
  kind: job
34
34
  id: cook
35
35
 
36
+ - !grant
37
+ role: !role
38
+ kind: job
39
+ id: cook
40
+ member: !user admin
41
+
36
42
  - !permit
37
43
  role: !role
38
44
  kind: job
@@ -18,11 +18,18 @@ Feature: Test the existence of a resource
18
18
  Scenario: Even foreign user can check existence of a resource
19
19
  Given I load the policy:
20
20
  """
21
- - !resource
22
- kind: food
23
- id: bacon
21
+ - &resources
22
+ - !resource
23
+ kind: food
24
+ id: bacon
24
25
 
25
26
  - !user alice
27
+
28
+ - !permit
29
+ role: !user alice
30
+ privileges:
31
+ - read
32
+ resources: *resources
26
33
  """
27
34
  And I login as "alice"
28
35
  And I reset the command list
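Review bot: With the added `!permit` giving alice `read` on the resource, the scenario titled "Even foreign user can check existence of a resource" no longer exercises a role without privileges, so the suite has lost its check of what an unprivileged role can learn about a resource's existence. If the server now requires `read` for an existence check (an inference; the reason is not stated here), rename the scenario to say so and add a companion scenario asserting the result for a user with no permit. The scenario body continues outside the hunk.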
@@ -18,5 +18,5 @@ Feature: Host factory tokens
18
18
  Scenario: create a host using a token
19
19
  When I successfully run `conjur hostfactory tokens create myapp`
20
20
  And I keep the JSON response at "0/token" as "TOKEN"
21
- Then I successfully run `conjur hostfactory hosts create %{TOKEN} host-01`
21
+ Then I use it to successfully run `conjur hostfactory hosts create %{TOKEN} host-01`
22
22
  And the JSON should have "api_key"
@@ -12,7 +12,3 @@ Feature: Show public keys for a user
12
12
  Scenario: After adding a key, the key is shown
13
13
  When I run `conjur pubkeys show alice`
14
14
  And the output should match /^ssh-rsa .* laptop$/
15
-
16
- Scenario: Public keys can be listed using cURL, without authentication
17
- When I successfully run `curl -k $conjur_url/public_keys/cucumber/user/alice`
18
- Then the output should match /^ssh-rsa .* laptop$/
@@ -1,5 +1,5 @@
1
1
  Then(/^I(?: can)? type and confirm a new password/) do
2
- @password = SecureRandom.hex(12)
2
+ @password = "SEcret12!!!!"
3
3
  step %Q(I type "#{@password}")
4
4
  step %Q(I type "#{@password}")
5
5
  step "the exit status should be 0"
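Review bot: Replacing `SecureRandom.hex(12)` with the constant `"SEcret12!!!!"` means every run sets the same password, so a run against a server that kept state from an earlier run can pass without the change having taken effect. If the constant exists to satisfy a password-complexity rule (inferred from its shape), keep the random part and add the required character classes, for example `@password = "Aa1!#{SecureRandom.hex(12)}"`, and name the rule in a comment. The step body continues outside the hunk.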
@@ -1,22 +1,3 @@
1
- Transform /\$ns/ do |s|
2
- s.gsub('$ns', namespace)
3
- end
4
-
5
- Transform /\$user_role/ do |s|
6
- s.gsub('$user_role', test_user.role_id)
7
- end
8
-
9
- Transform /^table:/ do |table|
10
- table.tap do |t|
11
- t.hashes.each do |row|
12
- row.each do |_,v|
13
- v.gsub!('$ns', namespace)
14
- v.gsub!('$user_role', test_user.role_id)
15
- end
16
- end
17
- end
18
- end
19
-
20
1
  When /^the command completes successfully/ do
21
2
  last_command_started.wait
22
3
  last_command_started.terminate
@@ -1,9 +1,7 @@
1
1
  # Use a json_spec style memorized value as an environment variable
2
- When /I set the environment variable "(.*)" to memorized value "(.*)"/ do |key, value|
2
+ When /I use it to (.*)/ do |statement|
3
3
  JsonSpec.memory.each do |k,v|
4
- # JSON parser doesn't function properly on a JSON encoded string
5
- v = v[1...-1] if v[0] == '"'
6
- value.gsub! "%{#{k}}", v
4
+ statement = statement.gsub("%{#{k}}", v)
7
5
  end
8
- set_environment_variable key, value
6
+ step "I #{statement}"
9
7
  end
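Review bot: The comment above the step still describes setting an environment variable, but the step now substitutes memorized values into an arbitrary step and runs it; replace it with `# Expand %{NAME} json_spec memory placeholders in a step, then run that step`. The pattern `/I use it to (.*)/` is unanchored, so it matches any step text containing the phrase; `/^I use it to (.*)$/` limits it to the intended form. The removed lines stripped the surrounding quotes from memorized strings and the new code inserts `v` as stored, so the expanded command may now carry literal quotes. Whether that matters depends on how the target step parses its command.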
@@ -6,7 +6,9 @@ require 'aruba/cucumber'
6
6
  require 'json_spec/cucumber'
7
7
  require 'simplecov'
8
8
 
9
- SimpleCov.start
9
+ SimpleCov.start do
10
+ command_name "#{ENV['RUBY_VERSION']}"
11
+ end
10
12
 
11
13
  ENV['CONJUR_APPLIANCE_URL'] ||= 'http://localhost/api/v6'
12
14
  ENV['CONJUR_ACCOUNT'] ||= 'cucumber'
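Review bot: `command_name "#{ENV['RUBY_VERSION']}"` becomes an empty string whenever `RUBY_VERSION` is not exported, and result sets from different runs then share one name and overwrite each other when SimpleCov merges them. Fall back to the interpreter's own constant and drop the redundant interpolation: `command_name ENV.fetch('RUBY_VERSION', RUBY_VERSION)`.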
@@ -4,17 +4,6 @@ Aruba.configure do |config|
4
4
  config.io_wait_timeout = 2
5
5
  end
6
6
 
7
- Transform /\$conjur_url/ do |statement|
8
- statement.gsub "$conjur_url", Conjur.configuration.appliance_url
9
- end
10
-
11
- Transform /\%\{\w+\}/ do |statement|
12
- JsonSpec.memory.each do |k,v|
13
- statement = statement.gsub("%{#{k}}", v)
14
- end
15
- statement
16
- end
17
-
18
7
  Before('@conjurapi-log') do
19
8
  set_env 'CONJURAPI_LOG', 'stderr'
20
9
  end
@@ -25,9 +25,7 @@ require 'active_support/deprecation'
25
25
  require 'xdg'
26
26
  require 'fileutils'
27
27
 
28
- # this makes mime/types gem load much faster by lazy loading
29
- # mime types and caching them in binary form
30
- ENV['RUBY_MIME_TYPES_LAZY_LOAD'] ||= 'true'
28
+ # this makes mime/types gem load much faster by caching them in binary form
31
29
  ENV['RUBY_MIME_TYPES_CACHE'] ||= (
32
30
  XDG['CACHE'].to_path.tap(&FileUtils.method(:mkdir_p)) + 'ruby-mime-types.cache'
33
31
  ).to_s
@@ -93,6 +91,9 @@ module Conjur
93
91
  apply_config
94
92
  load_plugins
95
93
  commands_from 'conjur/command'
94
+ rescue => ex
95
+ stderr.puts "error: #{ex.message}"
96
+ raise if ENV['GLI_DEBUG'] == 'true'
96
97
  end
97
98
 
98
99
  def appliance_version
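Review bot: The `rescue => ex` added in the second hunk catches every `StandardError` from `apply_config`, `load_plugins` and `commands_from`, prints one line and lets the method return normally unless `GLI_DEBUG` is `'true'`, so the CLI carries on with whatever part of its setup completed. For a tool that handles credentials, a configuration failure should stop the run. If the intent is only to tolerate a broken plugin (an assumption; the method starts above the hunk), put the rescue around `load_plugins` alone and let the other two calls raise. At minimum, add a comment above the rescue saying which failures are meant to be survivable.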