conjur-cli 6.1.0 → 6.2.4

data/lib/conjur/command/hosts.rb

@@ -36,7 +36,7 @@ class Conjur::Command::Hosts < Conjur::Command
           host_resourceid = full_resource_id("host:#{host}")
 
           unless api.resource(host_resourceid).exists?
-            exit_now! "host '#{host}' not found"
+            exit_now! "Host '#{host}' not found"
           end
 
           # Prepend 'host/' if it wasn't passed in

data/lib/conjur/command/ldap_sync.rb

@@ -0,0 +1,37 @@
+require 'conjur/command'
+
+class Conjur::Command::LDAPSync < Conjur::Command
+  desc 'LDAP sync management commands'
+  command :'ldap-sync' do |cgrp|
+
+    cgrp.desc 'Manage the policy used to sync Conjur and the LDAP server'
+    cgrp.command :policy do |policy|
+
+      policy.desc 'Show the current policy'
+      policy.command :show do |show|
+
+        show.desc 'LDAP Sync profile to use (defined in UI)'
+        show.arg_name 'profile'
+        show.flag ['p', 'profile'], default_value: 'default'
+
+        show.action do |_,options,_|
+          begin
+            resp = api.ldap_sync_policy(config_name: options[:profile])
+            
+            if (policy = resp['policy'])
+              if resp['ok']
+                puts(policy)
+              else
+                exit_now! 'Failed creating the policy.'
+              end
+            else
+              exit_now! resp['error']['message']
+            end
+          rescue RestClient::ResourceNotFound => ex
+            exit_now! "LDAP sync is not supported by the server #{Conjur.configuration.appliance_url}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conjur/command/rspec/describe_command.rb

@@ -5,15 +5,34 @@ RSpec::Core::DSL.change_global_dsl do
         
       before do
         allow(cert_store).to receive(:add_file)
+        # Stub the constant OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE which is
+        # implicitly used in many places in the CLI and in conjur-api-ruby as the de facto
+        # cert store.
         stub_const 'OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE', cert_store
+
+        # Reset the rest_client_options defaults to avoid using expired rspec doubles.
+        #
+        # Conjur.configuration is a lazy-loaded singleton. There is single CLI instance
+        # shared across this test suite. When Conjur.configuration is loaded for the first
+        # time it assumes the defaults value for Conjur.configuration.rest_client_options
+        # of:
+        # {
+        #  :ssl_cert_store => OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
+        # }
+        #
+        # Notice above that each test case stubs the constant
+        # OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE with a double. Without further
+        # modification this means the first time the CLI is run and Conjur.configuration
+        # is loaded Conjur.configuration.rest_client_options[:ssl_cert_store] it is set to
+        # the double associated with the test case at that point in time. Since
+        # Conjur.configuration is only loaded once, without modification, that double will
+        # be retained and its usage will result in a RSpec::Mocks::ExpiredTestDoubleError.
+        # To avoid this for each test case we must reset
+        # Conjur.configuration.rest_client_options[:ssl_cert_store] with the double for
+        # the current test case.
+        Conjur.configuration.rest_client_options[:ssl_cert_store] = cert_store
       end
-      
-      let(:cert_store_options) do
-        {
-          ssl_cert_store: cert_store
-        }
-      end
-      
+
       let(:invoke) do
         Conjur::CLI.error_device = $stderr
         # TODO: allow proper handling of description like "audit:send 'hello world'"

data/lib/conjur/command/rspec/mock_services.rb

@@ -29,7 +29,13 @@ end
 shared_context "when logged in", logged_in: true do
   include_context "with mock authn"
   before do
-    allow(api).to receive(:credentials) { {} }
+    allow(api).to receive(:credentials) do
+      {
+        :username => 'dknuth',
+        :headers => { :authorization => "fakeauth" },
+      }
+    end
+
     netrc[authn_host] = [username, api_key]
     allow(Conjur::Command).to receive_messages api: api
   end

data/lib/conjur/command/users.rb

@@ -47,7 +47,11 @@ class Conjur::Command::Users < Conjur::Command
           if api.username == options[:user]
             exit_now! 'To rotate the API key of the currently logged-in user, use this command without any flags or options'
           end
-          puts api.resource([ Conjur.configuration.account, "user", options[:user] ].join(":")).rotate_api_key
+          user_resource_id = [Conjur.configuration.account, "user", options[:user]].join(":")
+          unless api.resource(user_resource_id).exists?
+            exit_now! "User '#{options[:user]}' not found"
+          end
+          puts api.resource(user_resource_id).rotate_api_key
         else
           username, password = Conjur::Authn.read_credentials
           new_api_key = Conjur::API.rotate_api_key username, password

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = '6.1.0'
+  VERSION = '6.2.4'
   ::Version=VERSION
 end

data/needs-publishing

@@ -0,0 +1,28 @@
+#!/bin/bash -ex
+
+echo "Determining if publishing is requested..."
+
+VERSION=$(ruby -I lib -r conjur/version -e 'puts Conjur::VERSION')
+echo Declared version: $VERSION
+
+if curl -s https://rubygems.org/api/v1/versions/conjur-cli.json | jq -e ".[] | select(.number == \"$VERSION\")" >/dev/null; then
+   echo "Found $VERSION on rubygems, not republishing"
+   exit 1
+fi
+   
+# Jenkins git plugin is broken and always fetches with `--no-tags`
+# (or `--tags`, neither of which is what you want), so tags end up
+# not being fetched. Try to fix that.
+# (Unfortunately this fetches all remote heads, so we may have to find
+# another solution for bigger repos.)
+git fetch -q
+
+# note when tag not found git rev-parse will just print its name
+# TAG=`git rev-parse tags/v$VERSION 2>/dev/null || :`
+TAG=`git rev-list -n 1 "v$VERSION" 2>/dev/null || :`
+echo Tag v$VERSION: $TAG
+
+HEAD=`git rev-parse HEAD`
+echo HEAD: $HEAD
+
+test "$HEAD" = "$TAG"

data/push-image

@@ -1,28 +1,46 @@
-#!/bin/bash -eu
-
-# Push the 'cli:5' image to Dockerhub when on the 'master' branch
-
-cd "$(git rev-parse --show-toplevel)"
-
-IMAGE='cyberark/conjur-cli'
-
-function tag_and_push() {
-    local image="$1"
-    local tag="$2"
-    local description="$3"
-
-    echo "TAG = $tag, $description"
-
-    docker tag "$image" "$image:$tag"
-    docker push "$image:$tag"
-}
-
-version_tag="5-$(cat VERSION)"
-
-tag_and_push $IMAGE '5'        'latest image'
-tag_and_push $IMAGE '5-latest'   'same as "5"'
-tag_and_push $IMAGE $version_tag 'version-specific image'
-
-# push to legacy `conjurinc/cli5` tag
-docker tag "$IMAGE" conjurinc/cli5:latest
-docker push conjurinc/cli5:latest
+#!/bin/bash
+
+set -e
+
+readonly REGISTRY="cyberark"
+readonly INTERNAL_REGISTRY="registry2.itci.conjur.net"
+readonly VERSION="$(cat VERSION)"
+readonly VERSION_TAG="5-${VERSION}"
+readonly image_name="conjur-cli"
+readonly full_image_name="${REGISTRY}/${image_name}:latest"
+
+readonly TAGS=(
+  "5"
+  "5-latest"
+  "$VERSION_TAG"
+)
+
+# fetching tags is required for git_description to work
+git fetch --tags
+git_description=$(git describe)
+
+# if it’s not a tagged commit, VERSION will have extra junk (i.e. -g666c4b2), so we won’t publish that commit
+# only when tag matches the VERSION, push VERSION and latest releases
+# and x and x.y releases
+#Ex: v5-6.2.1
+if [ "${git_description}" = "v${VERSION}" ]; then
+  echo "Revision ${git_description} matches version ${VERSION} exactly. Pushing to Dockerhub..."
+
+  for tag in "${TAGS[@]}"; do
+    echo "Tagging and pushing ${REGISTRY}/${image_name}:${tag}"
+
+    # push to dockerhub
+    docker tag "${full_image_name}" "${REGISTRY}/${image_name}:${tag}"
+    docker push "${REGISTRY}/${image_name}:${tag}"
+
+    # push to internal registry
+    # necessary because some cyberark teams/networks can't pull from dockerhub
+    docker tag "${full_image_name}" "${INTERNAL_REGISTRY}/${image_name}:${tag}"
+    docker push "${INTERNAL_REGISTRY}/${image_name}:${tag}"
+
+  done
+
+  # push to legacy `conjurinc/cli5` tag
+  docker tag "${full_image_name}" conjurinc/cli5:latest
+  docker push conjurinc/cli5:latest
+fi

data/spec/authn_spec.rb

@@ -37,11 +37,11 @@ describe Conjur::Authn do
       allow(ENV).to receive(:[]).with("CONJUR_AUTHN_LOGIN").and_return "the-login"
       allow(ENV).to receive(:[]).with("CONJUR_AUTHN_API_KEY").and_return "the-api-key"
     end
-    
+
     context "login and API key" do
       it "are used to authn" do
         expect(Conjur::Authn.get_credentials).to eq([ "the-login", "the-api-key" ])
-          
+
         expect(api.username).to eq('the-login')
         expect(api.api_key).to eq('the-api-key')
       end
@@ -94,7 +94,7 @@ describe Conjur::Authn do
       before do
         allow(Conjur::Config).to receive(:[]).with(:netrc_path).and_return path
       end
-      
+
       context "with specified netrc_path" do
         let(:path) { "/a/dummy/netrc/path" }
         it "consults Conjur::Config for netrc_path" do
@@ -102,7 +102,7 @@ describe Conjur::Authn do
           expect(Conjur::Authn.netrc).to eq(netrc)
         end
       end
-  
+
       context "without specified netrc_path" do
         let(:path) { nil }
         it "uses default netrc path" do

data/spec/command/authn_spec.rb

@@ -10,14 +10,14 @@ describe Conjur::Command::Authn do
         describe_command "#{cmd}" do
           it "prompts for username and password and logs in the user" do
             expect(Conjur::Authn).to receive(:ask_for_credentials).with({}).and_return [ "the-user", "the-api-key" ]
-  
+
             expect { invoke }.to write("Logged in")
           end
         end
         describe_command "#{cmd} -u the-user" do
           it "prompts for password and logs in the user" do
             expect(Conjur::Authn).to receive(:ask_for_credentials).with({username: 'the-user'}).and_return [ "the-user", "the-api-key" ]
-  
+
             expect { invoke }.to write("Logged in")
           end
         end

data/spec/command/hosts_spec.rb

@@ -9,13 +9,21 @@ describe Conjur::Command::Hosts, logged_in: true do
         expect(RestClient::Request).to receive(:execute).with({
           method: :head,
           url: "https://core.example.com/api/resources/#{account}/host/redis001",
-          headers: {}
+          headers: {
+            authorization: "fakeauth",
+          },
+          username: "dknuth",
+          ssl_cert_store: cert_store
         }).and_return true
         expect(RestClient::Request).to receive(:execute).with({
             method: :put,
             url: "https://core.example.com/api/authn/#{account}/api_key?role=#{account}:host:redis001",
-            headers: {},
-            payload: ''
+            headers: {
+              authorization: "fakeauth",
+            },
+            payload: '',
+            username: "dknuth",
+            ssl_cert_store: cert_store
         }).and_return double(:response, body: 'new api key')
       end
 
@@ -23,5 +31,20 @@ describe Conjur::Command::Hosts, logged_in: true do
         invoke
       end
     end
+
+    describe_command 'host rotate_api_key --host non-existing' do
+      before do
+        expect(RestClient::Request).to receive(:execute).with({
+                  method: :head,
+                  url: "https://core.example.com/api/resources/#{account}/host/non-existing",
+                  headers: {authorization: "fakeauth"},
+                  username: username,
+                  ssl_cert_store: cert_store
+              }).and_raise RestClient::ResourceNotFound
+      end
+      it 'rotate_api_key with non-existing --host option' do
+        expect { invoke }.to raise_error(GLI::CustomExit, /Host 'non-existing' not found/i)
+      end
+    end
   end
 end

data/spec/command/init_spec.rb

@@ -1,36 +1,36 @@
 require 'spec_helper'
 require 'highline'
 
-GITHUB_FP = "SHA1 Fingerprint=D7:9F:07:61:10:B3:92:93:E3:49:AC:89:84:5B:03:80:C1:9E:2F:8B"
+GITHUB_FP = "SHA1 Fingerprint=84:63:B3:A9:29:12:CC:FD:1D:31:47:05:98:9B:EC:13:99:37:D0:D7"
 GITHUB_CERT = <<EOF
 -----BEGIN CERTIFICATE-----
-MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
-ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowdTEL
-MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
-LmRpZ2ljZXJ0LmNvbTE0MDIGA1UEAxMrRGlnaUNlcnQgU0hBMiBFeHRlbmRlZCBW
-YWxpZGF0aW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBANdTpARR+JmmFkhLZyeqk0nQOe0MsLAAh/FnKIaFjI5j2ryxQDji0/XspQUY
-uD0+xZkXMuwYjPrxDKZkIYXLBxA0sFKIKx9om9KxjxKws9LniB8f7zh3VFNfgHk/
-LhqqqB5LKw2rt2O5Nbd9FLxZS99RStKh4gzikIKHaq7q12TWmFXo/a8aUGxUvBHy
-/Urynbt/DvTVvo4WiRJV2MBxNO723C3sxIclho3YIeSwTQyJ3DkmF93215SF2AQh
-cJ1vb/9cuhnhRctWVyh+HA1BV6q3uCe7seT6Ku8hI3UarS2bhjWMnHe1c63YlC3k
-8wyd7sFOYn4XwHGeLN7x+RAoGTMCAwEAAaOCAUkwggFFMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-BQcDAjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
-Z2ljZXJ0LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2Vy
-dC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2
-MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
-b20vQ1BTMB0GA1UdDgQWBBQ901Cl1qCt7vNKYApl0yHU+PjWDzAfBgNVHSMEGDAW
-gBSxPsNpA/i/RwHUmCYaCALvY2QrwzANBgkqhkiG9w0BAQsFAAOCAQEAnbbQkIbh
-hgLtxaDwNBx0wY12zIYKqPBKikLWP8ipTa18CK3mtlC4ohpNiAexKSHc59rGPCHg
-4xFJcKx6HQGkyhE6V6t9VypAdP3THYUYUN9XR3WhfVUgLkc3UHKMf4Ib0mKPLQNa
-2sPIoc4sUqIAY+tzunHISScjl2SFnjgOrWNoPLpSgVh5oywM395t6zHyuqB8bPEs
-1OG9d4Q3A84ytciagRpKkk47RpqF/oOi+Z6Mo8wNXrM9zwR4jxQUezKcxwCmXMS1
-oVWNWlZopCJwqjyBcdmdqEU79OX2olHdx3ti6G8MdOu42vi/hw15UJGQmxg7kVkn
-8TUoE6smftX3eg==
------END CERTIFICATE-----
+MIIFBjCCBK2gAwIBAgIQDovzdw2S0Zbwu2H5PEFmvjAKBggqhkjOPQQDAjBnMQsw
+CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xPzA9BgNVBAMTNkRp
+Z2lDZXJ0IEhpZ2ggQXNzdXJhbmNlIFRMUyBIeWJyaWQgRUNDIFNIQTI1NiAyMDIw
+IENBMTAeFw0yMTAzMjUwMDAwMDBaFw0yMjAzMzAyMzU5NTlaMGYxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
+MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wWTAT
+BgcqhkjOPQIBBggqhkjOPQMBBwNCAASt9vd1sdNJVApdEHG93CUGSyIcoiNOn6H+
+udCMvTm8DCPHz5GmkFrYRasDE77BI3q5xMidR/aW4Ll2a1A2ZvcNo4IDOjCCAzYw
+HwYDVR0jBBgwFoAUUGGmoNI1xBEqII0fD6xC8M0pz0swHQYDVR0OBBYEFCexfp+7
+JplQ2PPDU1v+MRawux5yMCUGA1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRo
+dWIuY29tMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwgbEGA1UdHwSBqTCBpjBRoE+gTYZLaHR0cDovL2NybDMuZGlnaWNlcnQu
+Y29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZVRMU0h5YnJpZEVDQ1NIQTI1NjIwMjBD
+QTEuY3JsMFGgT6BNhktodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRI
+aWdoQXNzdXJhbmNlVExTSHlicmlkRUNDU0hBMjU2MjAyMENBMS5jcmwwPgYDVR0g
+BDcwNTAzBgZngQwBAgIwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2Vy
+dC5jb20vQ1BTMIGSBggrBgEFBQcBAQSBhTCBgjAkBggrBgEFBQcwAYYYaHR0cDov
+L29jc3AuZGlnaWNlcnQuY29tMFoGCCsGAQUFBzAChk5odHRwOi8vY2FjZXJ0cy5k
+aWdpY2VydC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlVExTSHlicmlkRUNDU0hB
+MjU2MjAyMENBMS5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisGAQQB1nkCBAIEgfYE
+gfMA8QB2ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABeGq/vRoA
+AAQDAEcwRQIhAJ7miER//DRFnDJNn6uUhgau3WMt4vVfY5dGigulOdjXAiBIVCfR
+xjK1v4F31+sVaKzyyO7JAa0fzDQM7skQckSYWQB3ACJFRQdZVSRWlj+hL/H3bYbg
+IyZjrcBLf13Gg1xu4g8CAAABeGq/vTkAAAQDAEgwRgIhAJgAEkoJQRivBlwo7x67
+3oVsf1ip096WshZqmRCuL/JpAiEA3cX4rb3waLDLq4C48NSoUmcw56PwO/m2uwnQ
+prb+yh0wCgYIKoZIzj0EAwIDRwAwRAIgK+Kv7G+/KkWkNZg3PcQFp866Z7G6soxo
+a4etSZ+SRlYCIBSiXS20Wc+yjD111nPzvQUCfsP4+DKZ3K+2GKsERD6d
 EOF
 
 describe Conjur::Command::Init do

data/spec/command/ldap_sync_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+describe Conjur::Command::LDAPSync, logged_in: true do
+  let (:policy_response) { { 'ok' => true, 'events' => [], 'policy' => <<eop
+"---
+- !user
+  annotations:
+    ldap-sync/source: ldap-server:389
+    ldap-sync/upstream-dn: CN=Administrator,OU=functest,OU=testdata,OU=dev-ci,DC=dev-ci,DC=conjur
+  id: Administrator
+  uidnumber:"}
+eop
+  }
+}
+
+  describe_command "ldap-sync policy show" do
+
+    context "on a server that supports LDAP sync" do
+      before do 
+        expect_any_instance_of(Conjur::API).to receive(:ldap_sync_policy).with(config_name: 'default').and_return policy_response
+      end
+      
+      it "shows the policy" do
+        expect { invoke }.to write policy_response['policy']
+      end
+    end
+
+    context "on a server that doesn't support LDAP sync" do
+      before do
+        expect_any_instance_of(Conjur::API).to receive(:ldap_sync_policy).and_raise(RestClient::ResourceNotFound)
+      end
+
+      it "shows an error message" do
+        expect {invoke}.to raise_error(GLI::CustomExit, /LDAP sync is not supported by the server/)
+      end
+    end
+  end
+end

data/spec/command/users_spec.rb

@@ -12,7 +12,8 @@ describe Conjur::Command::Users, logged_in: true do
         user: username, 
         password: api_key,
         headers: { },
-        payload: "new-password"
+        payload: "new-password",
+        ssl_cert_store: cert_store
        })
     end
     
@@ -40,7 +41,8 @@ describe Conjur::Command::Users, logged_in: true do
                     user: username,
                     password: api_key,
                     headers: {},
-                    payload: ''
+                    payload: '',
+                    ssl_cert_store: cert_store
                 }).and_return double(:response, body: 'new api key')
         expect(Conjur::Authn).to receive(:save_credentials).with({
                     username: username,
@@ -52,5 +54,19 @@ describe Conjur::Command::Users, logged_in: true do
         invoke
       end
     end
+    describe_command 'user rotate_api_key --user non-existing' do
+      before do
+      expect(RestClient::Request).to receive(:execute).with({
+            method: :head,
+            url: "https://core.example.com/api/resources/#{account}/user/non-existing",
+            headers: {authorization: "fakeauth"},
+            username: username,
+            ssl_cert_store: cert_store
+        }).and_raise RestClient::ResourceNotFound
+      end
+      it 'rotate_api_key with non-existing --user option' do
+        expect { invoke }.to raise_error(GLI::CustomExit, /User 'non-existing' not found/i)
+      end
+    end
   end
 end