conjur-cli 6.2.1 → 6.2.5

data/README.md

@@ -6,7 +6,18 @@ Command-line interface for Conjur.
 
 A complete reference guide is available at [conjur.org](https://www.conjur.org).
 
-## Quick start
+## Table of Contents
+- [Getting Started](#getting-started)
+    - [Quick Start](#quick-start)
+    - [Using This Project With Conjur Open Source](#Using-conjur-cli-with-Conjur-Open-Source)
+- [Using Docker](#using-docker)
+- [Usage](#usage)
+- [Contributing](#contributing)
+- [License](#license)
+
+## Getting Started 
+
+### Quick start
 
 ```sh-session
 $ gem install conjur-cli
@@ -15,7 +26,19 @@ $ conjur -v
 conjur version 6.0.0
 ```
 
+### Using conjur-cli with Conjur Open Source 
+
+Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we 
+**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS 
+suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html). 
+Conjur maintainers perform additional testing on the suite release versions to ensure 
+compatibility. When possible, upgrade your Conjur version to match the 
+[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm); 
+when using integrations, choose the latest suite release that matches your Conjur version. For any 
+questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5).
+
 ## Using Docker
+
 [![Docker Build Status](https://img.shields.io/docker/build/conjurinc/cli5.svg)](https://hub.docker.com/r/conjurinc/cli5/)
 This software is included in the standalone cyberark/conjur-cli:5 Docker image. Docker containers are designed to be ephemeral, which means they don't store state after the container exits.
 
@@ -59,80 +82,287 @@ drwxr-xr-x  2 you  staff    68 Mar 29 14:16 .cache
 ```
 *Security notice:* the file `.netrc`, created or updated by `conjur authn login`, contains a user identity credential that can be used to access the Conjur API. You should remove it after use or otherwise secure it like you would another netrc file.
 
-## Development
+## Usage
 
-Create a sandbox environment in Docker using the `./dev` folder:
+```
+NAME
+    conjur - Command-line toolkit for managing roles, resources and privileges
+
+SYNOPSIS
+    conjur [global options] command [command options] [arguments...]
+
+GLOBAL OPTIONS
+    --help    - Show this message
+    --version - Display the program version
+```
+
+### Commands
+
+| Command                            | Description                                       |
+| ---------------------------------- | ------------------------------------------------- |
+| [authn](#conjur-authn)             | - Login and logout                                |
+| [check](#conjur-check)             | - Check for a privilege on a resource             |
+| [env](#conjur-env)                 | - Use values of Conjur variables in local context |
+| [host](#conjur-host)               | - Manage hosts                                    |
+| [hostfactory](#conjur-hostfactory) | - Manage host factories                           |
+| [init](#conjur-init)               | - Initialize the Conjur configuration             |
+| [ldap-sync](#conjur-ldap-sync)     | - LDAP sync management commands                   |
+| [list](#conjur-list)               | - List objects                                    |
+| [plugin](#conjur-plugin)           | - Manage plugins                                  |
+| [policy](#conjur-policy)           | - Manage policies                                 |
+| [pubkeys](#conjur-pubkeys)         | - Public keys service operations                  |
+| [resource](#conjur-resource)       | - Manage resources                                |
+| [role](#conjur-role)               | - Manage roles                                    |
+| [show](#conjur-show)               | - Show an object                                  |
+| [user](#conjur-user)               | - Manage users                                    |
+| [variable](#conjur-variable)       | - Manage variables                                |
+
+#### `conjur authn`
+
+```
+NAME
+   authn       - Login and logout
+SYNOPSIS
+    conjur [global options] authn authenticate [-H|--header] [-f filename|--filename filename]
+    conjur [global options] authn login [-p password|--password password] [-u username|--username username] login-name
+    conjur [global options] authn logout
+    conjur [global options] authn whoami
+COMMANDS
+    authenticate - Obtains an authentication token using the current logged-in
+                   user
+    login        - Logs in and caches credentials to netrc.
+    logout       - Logs out
+    whoami       - Prints out the current logged in username
+```
+
+#### `conjur check`
 
-```sh-session
-$ cd dev
-dev $ ./start.sh
+```
+NAME
+   check       - Check for a user’s privilege on a resource
+SYNOPSIS
+   conjur check [object] [privilege] [user]
+PRIVILEGES
+   read, write, execute
 ```
 
-This will drop you into a bash shell in a container called `cli`.
+#### `conjur env`
 
-The sandbox also includes a Postgres container and Conjur server container. The
-environment is already setup to connect the CLI to the server:
+```
+NAME
+    env         - Use values of Conjur variables in local context
+SYNOPSIS
+    conjur [global options] env check [--policy arg] [--yaml arg] [-c FILE]
+    conjur [global options] env help
+    conjur [global options] env run [--policy arg] [--yaml arg] [-c FILE] -- command [arg1, arg2 ...]
+    conjur [global options] env template [--policy arg] [--yaml arg] [-c FILE] template.erb
 
-* **CONJUR_APPLIANCE_URL** `http://conjur`
-* **CONJUR_ACCOUNT** `cucumber`
+COMMANDS
+    check    - Check availability of Conjur variables
+    help     - Print description of environment configuration format
+    run      - Execute external command with environment variables populated
+               from Conjur
+    template - Render ERB template with variables obtained from Conjur
 
-To login to conjur, type the following and you'll be prompted for a password:
+root@e1bfc649b68d:/# conjur env help
 
-```sh-session
-root@2b5f618dfdcb:/# conjur authn login admin
-Please enter admin's password (it will not be echoed):
+Environment configuration (either stored in file referred by -c option or provided inline with --yaml option) should be a YAML document describing one-level Hash.
+Keys of the hash are 'local names', used to refer to variable values in convenient manner.  (See help for env:run and env:template for more details about how they are interpreted).
+
+Values of the hash may take one of the following forms: a) string b) string preceeded with !var tag c) string preceeded with !tmp tag.
+
+a) Plain string is just associated with local name without any calls to Conjur.
+
+b) String preceeded by !var tag is interpreted as an ID of the Conjur variable, which value should be obtained and associated with appropriate local name.
+
+c) String preceeded by !tmp tag is interpreted as an ID of the Conjur variable, which value should be stored in temporary file, which location should in turn be associated with appropriate local name.
+
+Example of environment configuration: 
+
+{ local_variable_1: 'literal value', local_variable_2: !var id/of/Conjur/Variable , local_variable_3: !tmp id/of/another/Conjur/variable }
 ```
 
-The required password is the API key at the end of the output from the
-`start.sh` script.  It looks like this:
+#### `conjur host`
 
 ```
-=============== LOGIN WITH THESE CREDENTIALS ===============
+NAME
+    host - Manage hosts
 
-username: admin
-api key : 9j113d35wag023rq7tnv201rsym1jg4pev1t1nb4419767ms1cnq00n
+SYNOPSIS
+    conjur [global options] host layers HOST
+    conjur [global options] host rotate_api_key [--host arg|-h arg]
 
-============================================================
+COMMANDS
+    layers         - List the layers to which the host belongs
+    rotate_api_key - Rotate a host's API key
 ```
 
-At this point, you can use any CLI command you like.
+#### `conjur hostfactory`
 
-### Running Cucumber
+```
+NAME
+    hostfactory - Manage host factories
 
-To install dev packages, run `bundle` from within the container:
+SYNOPSIS
+    conjur [global options] hostfactory hosts
+    conjur [global options] hostfactory tokens
 
-```sh-session
-root@2b5f618dfdcb:/# cd /usr/src/cli-ruby/
-root@2b5f618dfdcb:/usr/src/cli-ruby# bundle
+COMMANDS
+    hosts  - Operations on hosts
+    tokens - Operations on tokens
 ```
 
-Then you can run the cucumber tests:
+#### `conjur init`
 
-```sh-session
-root@2b5f618dfdcb:/usr/src/cli-ruby# cucumber
-...
+```
+NAME
+   init – Initialize the Conjur configuration
+SYNOPSIS
+   conjur [global options] init [-u URL of Conjur service] [-a account name]
 ```
 
-## Contributing
+#### `conjur ldap-sync`
+
+```
+NAME
+    ldap-sync - LDAP sync management commands
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Added some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
+SYNOPSIS
+    conjur [global options] ldap-sync policy
 
-## License
+COMMANDS
+    policy - Manage the policy used to sync Conjur and the LDAP server
+```
+
+#### `conjur list`
+
+```
+Lists conjur objects
+```
+
+#### `conjur plugin`
+
+```
+NAME
+    plugin - Manage plugins
+
+SYNOPSIS
+    conjur [global options] plugin install [-v version|--version version] PLUGIN
+    conjur [global options] plugin list
+    conjur [global options] plugin show PLUGIN
+    conjur [global options] plugin uninstall PLUGIN
+
+COMMANDS
+    install   - Install a plugin
+    list      - List installed plugins
+    show      - Show a plugin's details
+    uninstall - Uninstall a plugin
+```
+
+#### `conjur policy`
+
+```
+NAME
+    policy - Manage policies
+
+SYNOPSIS
+    conjur [global options] policy load [--delete] [--replace] POLICY FILENAME
+
+COMMANDS
+    load - Load a policy
+--delete – deletes a policy
+--replace – replaces a policy
+```
+
+#### `conjur pubkeys`
+
+```
+NAME
+   pubkeys - Public keys service operations
+SYNOPSIS
+   conjur [global options] pubkeys [USER]
+```
+
+#### `conjur resource`
+
+```
+NAME
+    resource - Manage resources
+
+SYNOPSIS
+    conjur [global options] resource exists RESOURCE
+    conjur [global options] resource permitted_roles RESOURCE PRIVILEGE
+
+COMMANDS
+    exists          - Determines whether a resource exists
+    permitted_roles - List roles with a specified privilege on the resource
+```
+
+#### `conjur role`
+
+```
+NAME
+    role - Manage roles
+
+SYNOPSIS
+    conjur [global options] role exists [--json] ROLE
+    conjur [global options] role members [-V|--verbose] ROLE
+    conjur [global options] role memberships [-s|--system] ROLE
+
+COMMANDS
+    exists      - Determines whether a role exists
+    members     - Lists all direct members of the role. The membership list is
+                  not recursively expanded.
+    memberships - Lists role memberships. The role membership list is
+                  recursively expanded.
+```
+
+#### `conjur show`
+
+```
+NAME
+   show        - Show an object
+SYNOPSIS
+   conjur show [object]
+```
+
+#### `conjur user`
+
+```
+NAME
+    user - Manage users
+
+SYNOPSIS
+    conjur [global options] user rotate_api_key [--user arg|-u arg]
+    conjur [global options] user update_password [-p arg|--password arg]
+
+COMMANDS
+    rotate_api_key  - Rotate a user's API key
+    update_password - Update the password of the logged-in user
+```
+
+#### `conjur variable`
+
+```
+NAME
+    variable - Manage variables
+
+SYNOPSIS
+    conjur [global options] variable value [-v arg|--version arg] VARIABLE
+    conjur [global options] variable values
 
-Copyright 2016-2017 CyberArk
+COMMANDS
+    value  - Get a value
+    values - Access variable values
+```
+
+## Contributing
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this software except in compliance with the License.
-You may obtain a copy of the License at
+We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing
+guide][contrib].
 
-    http://www.apache.org/licenses/LICENSE-2.0
+[contrib]: https://github.com/cyberark/conjur-cli/blob/main/CONTRIBUTING.md
+
+## License
 
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
+This repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details.

data/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policies and Procedures
+
+This document outlines security procedures and general policies for the CyberArk Conjur
+suite of tools and products.
+
+  * [Reporting a Bug](#reporting-a-bug)
+  * [Disclosure Policy](#disclosure-policy)
+  * [Comments on this Policy](#comments-on-this-policy)
+
+## Reporting a Bug
+
+The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
+Thank you for improving the security of the Conjur suite. We appreciate your efforts and
+responsible disclosure and will make every effort to acknowledge your
+contributions.
+
+Report security bugs by emailing the lead maintainers at security@conjur.org.
+
+The maintainers will acknowledge your email within 2 business days. Subsequently, we will 
+send a more detailed response within 2 business days of our acknowledgement indicating
+the next steps in handling your report. After the initial reply to your report, the security
+team will endeavor to keep you informed of the progress towards a fix and full
+announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining
+the module.
+
+## Disclosure Policy
+
+When the security team receives a security bug report, they will assign it to a
+primary handler. This person will coordinate the fix and release process,
+involving the following steps:
+
+  * Confirm the problem and determine the affected versions.
+  * Audit code to find any potential similar problems.
+  * Prepare fixes for all releases still under maintenance. These fixes will be
+    released as fast as possible.
+
+## Comments on this Policy
+
+If you have suggestions on how this process could be improved please submit a
+pull request.

data/VERSION

@@ -1 +1 @@
-6.2.1
+6.2.5

data/bin/parse-changelog.sh

@@ -0,0 +1,12 @@
+#!/bin/bash -ex
+
+cd "$(dirname "$0")"
+
+docker run --rm \
+  -v "$PWD/..:/work" \
+  -w "/work" \
+  ruby:2.5 bash -ec "
+    gem install -N parse_a_changelog
+    parse ./CHANGELOG.md
+  "
+

data/build-standalone

@@ -1,6 +1,45 @@
 #!/bin/bash -e
 
-# build the cli standalone container image
+IMAGE="cyberark/conjur-cli:latest"
+
+ENV_VARS=(
+  "CONJUR_MAJOR_VERSION=5"
+  "CONJUR_VERSION=5"
+  "PATH=/usr/local/lib/summon:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+)
+
+# Flatten resulting image.
+flatten() {
+  local image="$1"
+  echo "Flattening image '$image'..."
+
+  # Since `--squash` is still experimental, we have to flatten the image
+  # by exporting and importing a container based on the source image. By
+  # doing this though, we lose a lot of the Dockerfile variables that are
+  # required for running the image (ENV, EXPOSE, WORKDIR, etc) so we
+  # manually rebuild them.
+  # See here for more details: https://github.com/moby/moby/issues/8334
+  local container
+  container=$(docker create "$image")
+
+  env_var_params=()
+  for env_var in "${ENV_VARS[@]}"; do
+    env_var_params+=("--change")
+    env_var_params+=("ENV $env_var")
+  done
+
+  docker export "$container" | docker import \
+    "${env_var_params[@]}" \
+    --change 'ENTRYPOINT ["/bin/entry"]' \
+    - "$image"
+  docker rm "$container"
+}
+
+# Build the cli standalone container image
+echo "Building image $IMAGE"
+
 docker build . \
-       -f Dockerfile.standalone \
-       -t cyberark/conjur-cli
+       --file Dockerfile.standalone \
+       --tag "$IMAGE"
+
+flatten "$IMAGE"

data/ci/submit-coverage

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eux
+
+DIR="coverage"
+BIN="cc-test-reporter"
+REPORT="${DIR}/.resultset.json"
+
+if [[ ! -e ${REPORT} ]]; then
+    echo "SimpleCov report (${REPORT}) not found"
+    ls -laR ${DIR}
+    exit 1
+fi
+
+if [[ ! -x ${BIN} ]]; then
+    echo "cc-test-reporter binary not found, not reporting coverage data to code climate"
+    ls -laR ${DIR}
+    # report is present but reporter binary is not, definitely a bug, exit error.
+    exit 1
+fi
+
+# Simplecov excludes files not within the current repo, it also needs to
+# be able to read all the files referenced within the report. As the reports
+# are generated in containers, the absolute paths contained in the report
+# are not valid outside that container. This sed fixes the paths
+# So they are correct relative to the Jenkins workspace.
+sed -i -E "s+/src+${WORKSPACE}+g" "${REPORT}"
+
+echo "Coverage reports prepared, submitting to CodeClimate."
+# vars GIT_COMMIT, GIT_BRANCH & TRID are set by ccCoverage.dockerPrep
+
+./${BIN} after-build \
+    --coverage-input-type "simplecov"\
+    --id "${TRID}"
+
+echo "Successfully Reported Coverage Data"

data/ci/test.sh

@@ -11,7 +11,7 @@ unset CONJUR_AUTHN_LOGIN
 
 bundle exec rake jenkins || true
 
-env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY=secret bundle exec cucumber -r acceptance-features/support \
+env CONJUR_AUTHN_LOGIN=admin CONJUR_AUTHN_API_KEY='ADmin123!!!!' bundle exec cucumber -r acceptance-features/support \
 	-r acceptance-features/step_definitions \
 	-f pretty \
 	-f junit --out acceptance-features/reports \

data/conjur-cli.gemspec

@@ -3,11 +3,11 @@ require File.expand_path('../lib/conjur/version', __FILE__)
 require "English"
 
 Gem::Specification.new do |gem|
-  gem.authors       = ["Rafal Rzepecki", "Kevin Gilpin"]
-  gem.email         = ["rafal@conjur.net", "kgilpin@conjur.net",]
+  gem.authors       = ["Conjur Maintainers"]
+  gem.email         = ["conj_maintainers@cyberark.com",]
   gem.summary       = %q{Conjur command line interface}
-  gem.homepage      = "https://github.com/conjurinc/cli-ruby"
-  gem.license       = 'MIT'
+  gem.homepage      = "https://github.com/cyberark/conjur-cli"
+  gem.license       = 'Apache 2.0'
 
   gem.files         = (`git ls-files`.split($OUTPUT_RECORD_SEPARATOR)
                                      .select { |x| x !~ /^Dockerfile/ }
@@ -18,23 +18,26 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.version       = Conjur::VERSION
 
+  # Filter out development only executables
+  gem.executables -= %w{parse-changelog.sh}
+
   gem.add_dependency 'activesupport', '>= 4.2', '< 6'
   gem.add_dependency 'conjur-api', '~> 5.3'
+  gem.add_dependency 'deep_merge', '~> 1.0'
   gem.add_dependency 'gli', '>=2.8.0'
-  gem.add_dependency 'highline', '~> 1.7'
+  gem.add_dependency 'highline', '~> 2.0'
   gem.add_dependency 'netrc', '~> 0.10'
-  gem.add_dependency 'deep_merge', '~> 1.0'
-  gem.add_dependency 'xdg', '= 2.2.3'
   gem.add_dependency 'table_print', '~> 1.5'
+  gem.add_dependency 'xdg', '= 2.2.3'
 
-  gem.add_development_dependency 'rspec', '~> 3.0'
-  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'addressable'
   gem.add_development_dependency 'aruba', '~> 0.12'
   gem.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
-  gem.add_development_dependency 'rake', '~> 10.0'
+  gem.add_development_dependency 'cucumber-api'
   gem.add_development_dependency 'io-grab', '~> 0.0'
   gem.add_development_dependency 'json_spec'
-  gem.add_development_dependency 'cucumber-api'
-  gem.add_development_dependency 'addressable'
   gem.add_development_dependency 'pry-byebug'
+  gem.add_development_dependency 'rake', '~> 12.3.3'
+  gem.add_development_dependency 'rspec', '~> 3.0'
+  gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
 end

data/docker-compose.yml

@@ -6,7 +6,7 @@ services:
   conjur:
     image: cyberark/conjur
     command: server -a cucumber
-    depends_on: 
+    depends_on:
       - pg
     environment:
       - CONJUR_DATA_KEY
@@ -25,6 +25,7 @@ services:
       - CONJUR_ACCOUNT=cucumber
       - CONJUR_AUTHN_LOGIN=admin
       - CONJUR_AUTHN_API_KEY
+      - RUBY_VERSION=${RUBY_VERSION}
     volumes:
       - .:/src
 

data/features/step_definitions/authn_steps.rb

@@ -1,5 +1,5 @@
 Then(/^I(?: can)? type and confirm a new password/) do
-  @password = SecureRandom.hex(12)
+  @password = "SEcret12!!!!"
   step %Q(I type "#{@password}")
   step %Q(I type "#{@password}")
   step "the exit status should be 0"

data/features/support/env.rb

@@ -6,7 +6,9 @@ require 'aruba/cucumber'
 require 'json_spec/cucumber'
 require 'simplecov'
 
-SimpleCov.start
+SimpleCov.start do
+  command_name "#{ENV['RUBY_VERSION']}"
+end
 
 ENV['CONJUR_APPLIANCE_URL'] ||= 'http://localhost/api/v6'
 ENV['CONJUR_ACCOUNT'] ||= 'cucumber'

data/jenkins.sh

@@ -1,7 +1,7 @@
 #!/bin/bash -ex
 
 # Constants
-RUBY_VERSION_DEFAULT="2.2.4"
+RUBY_VERSION_DEFAULT="2.7"
 
 # Arguments
 RUBY_VERSION=${1-${RUBY_VERSION_DEFAULT}}

data/lib/conjur/command/hosts.rb

@@ -36,7 +36,7 @@ class Conjur::Command::Hosts < Conjur::Command
           host_resourceid = full_resource_id("host:#{host}")
 
           unless api.resource(host_resourceid).exists?
-            exit_now! "host '#{host}' not found"
+            exit_now! "Host '#{host}' not found"
           end
 
           # Prepend 'host/' if it wasn't passed in