conjur-cli 6.2.2 → 6.2.3
- checksums.yaml +4 -4
- data/.github/CODEOWNERS +10 -0
- data/.github/ISSUE_TEMPLATE/bug.md +16 -1
- data/.github/PULL_REQUEST_TEMPLATE.md +21 -0
- data/CHANGELOG.md +8 -1
- data/Jenkinsfile +13 -12
- data/NOTICES.txt +421 -0
- data/README.md +298 -1
- data/SECURITY.md +42 -0
- data/VERSION +1 -1
- data/build-standalone +12 -11
- data/conjur-cli.gemspec +4 -4
- data/lib/conjur/command/hosts.rb +1 -1
- data/lib/conjur/command/rspec/mock_services.rb +7 -1
- data/lib/conjur/command/users.rb +5 -1
- data/lib/conjur/version.rb +1 -1
- data/push-image +14 -6
- data/spec/command/hosts_spec.rb +23 -3
- data/spec/command/init_spec.rb +37 -40
- data/spec/command/users_spec.rb +13 -0
- metadata +11 -9
data/README.md
CHANGED
@@ -6,7 +6,18 @@ Command-line interface for Conjur.
|
|
6
6
|
|
7
7
|
A complete reference guide is available at [conjur.org](https://www.conjur.org).
|
8
8
|
|
9
|
-
##
|
9
|
+
## Table of Contents
|
10
|
+
- [Getting Started](#getting-started)
|
11
|
+
- [Quick Start](#quick-start)
|
12
|
+
- [Using This Project With Conjur OSS](#Using-conjur-cli-with-Conjur-OSS)
|
13
|
+
- [Using Docker](#using-docker)
|
14
|
+
- [Usage](#usage)
|
15
|
+
- [Contributing](#contributing)
|
16
|
+
- [License](#license)
|
17
|
+
|
18
|
+
## Getting Started
|
19
|
+
|
20
|
+
### Quick start
|
10
21
|
|
11
22
|
```sh-session
|
12
23
|
$ gem install conjur-cli
|
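Review bot: the Table of Contents entry `[Using This Project With Conjur OSS](#Using-conjur-cli-with-Conjur-OSS)` at new line 12 uses a mixed-case fragment while every other entry is lowercase; Markdown renderers generate lowercase heading ids, so write it as `#using-conjur-cli-with-conjur-oss` to match the `### Using conjur-cli with Conjur OSS` heading this README adds. `Quick Start` and `Using This Project With Conjur OSS` are also subsections of `Getting Started` but are listed at the same level as it; indent them so the list mirrors the heading hierarchy.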
@@ -15,7 +26,19 @@ $ conjur -v
|
|
15
26
|
conjur version 6.0.0
|
16
27
|
```
|
17
28
|
|
29
|
+
### Using conjur-cli with Conjur OSS
|
30
|
+
|
31
|
+
Are you using this project with [Conjur OSS](https://github.com/cyberark/conjur)? Then we
|
32
|
+
**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS
|
33
|
+
suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html).
|
34
|
+
Conjur maintainers perform additional testing on the suite release versions to ensure
|
35
|
+
compatibility. When possible, upgrade your Conjur version to match the
|
36
|
+
[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm);
|
37
|
+
when using integrations, choose the latest suite release that matches your Conjur version. For any
|
38
|
+
questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5).
|
39
|
+
|
18
40
|
## Using Docker
|
41
|
+
|
19
42
|
[![Docker Build Status](https://img.shields.io/docker/build/conjurinc/cli5.svg)](https://hub.docker.com/r/conjurinc/cli5/)
|
20
43
|
This software is included in the standalone cyberark/conjur-cli:5 Docker image. Docker containers are designed to be ephemeral, which means they don't store state after the container exits.
|
21
44
|
|
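Review bot: the Docker section names the image two different ways: the badge at line 42 points at `conjurinc/cli5` while the sentence at line 43 says `cyberark/conjur-cli:5` (and `build-standalone` in this same release tags `cyberark/conjur-cli:latest`); settle on the one published image name and tag so readers pull the image the project actually maintains. The Quick start sample output `conjur version 6.0.0` at line 26 also predates this 6.2.3 release; refresh it or drop the version number from the sample.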
@@ -59,6 +82,280 @@ drwxr-xr-x 2 you staff 68 Mar 29 14:16 .cache
|
|
59
82
|
```
|
60
83
|
*Security notice:* the file `.netrc`, created or updated by `conjur authn login`, contains a user identity credential that can be used to access the Conjur API. You should remove it after use or otherwise secure it like you would another netrc file.
|
61
84
|
|
85
|
+
## Usage
|
86
|
+
|
87
|
+
```
|
88
|
+
NAME
|
89
|
+
conjur - Command-line toolkit for managing roles, resources and privileges
|
90
|
+
|
91
|
+
SYNOPSIS
|
92
|
+
conjur [global options] command [command options] [arguments...]
|
93
|
+
|
94
|
+
GLOBAL OPTIONS
|
95
|
+
--help - Show this message
|
96
|
+
--version - Display the program version
|
97
|
+
```
|
98
|
+
|
99
|
+
### Commands
|
100
|
+
|
101
|
+
| Command | Description |
|
102
|
+
| ---------------------------------- | ------------------------------------------------- |
|
103
|
+
| [authn](#conjur-authn) | - Login and logout |
|
104
|
+
| [check](#conjur-check) | - Check for a privilege on a resource |
|
105
|
+
| [env](#conjur-env) | - Use values of Conjur variables in local context |
|
106
|
+
| [host](#conjur-host) | - Manage hosts |
|
107
|
+
| [hostfactory](#conjur-hostfactory) | - Manage host factories |
|
108
|
+
| [init](#conjur-init) | - Initialize the Conjur configuration |
|
109
|
+
| [ldap-sync](#conjur-ldap-sync) | - LDAP sync management commands |
|
110
|
+
| [list](#conjur-list) | - List objects |
|
111
|
+
| [plugin](#conjur-plugin) | - Manage plugins |
|
112
|
+
| [policy](#conjur-policy) | - Manage policies |
|
113
|
+
| [pubkeys](#conjur-pubkeys) | - Public keys service operations |
|
114
|
+
| [resource](#conjur-resource) | - Manage resources |
|
115
|
+
| [role](#conjur-role) | - Manage roles |
|
116
|
+
| [show](#conjur-show) | - Show an object |
|
117
|
+
| [user](#conjur-user) | - Manage users |
|
118
|
+
| [variable](#conjur-variable) | - Manage variables |
|
119
|
+
|
120
|
+
#### `conjur authn`
|
121
|
+
|
122
|
+
```
|
123
|
+
NAME
|
124
|
+
authn - Login and logout
|
125
|
+
SYNOPSIS
|
126
|
+
conjur [global options] authn authenticate [-H|--header] [-f filename|--filename filename]
|
127
|
+
conjur [global options] authn login [-p password|--password password] [-u username|--username username] login-name
|
128
|
+
conjur [global options] authn logout
|
129
|
+
conjur [global options] authn whoami
|
130
|
+
COMMANDS
|
131
|
+
authenticate - Obtains an authentication token using the current logged-in
|
132
|
+
user
|
133
|
+
login - Logs in and caches credentials to netrc.
|
134
|
+
logout - Logs out
|
135
|
+
whoami - Prints out the current logged in username
|
136
|
+
```
|
137
|
+
|
138
|
+
#### `conjur check`
|
139
|
+
|
140
|
+
```
|
141
|
+
NAME
|
142
|
+
check - Check for a user’s privilege on a resource
|
143
|
+
SYNOPSIS
|
144
|
+
conjur check [object] [privilege] [user]
|
145
|
+
PRIVILEGES
|
146
|
+
read, write, execute
|
147
|
+
```
|
148
|
+
|
149
|
+
#### `conjur env`
|
150
|
+
|
151
|
+
```
|
152
|
+
NAME
|
153
|
+
env - Use values of Conjur variables in local context
|
154
|
+
SYNOPSIS
|
155
|
+
conjur [global options] env check [--policy arg] [--yaml arg] [-c FILE]
|
156
|
+
conjur [global options] env help
|
157
|
+
conjur [global options] env run [--policy arg] [--yaml arg] [-c FILE] -- command [arg1, arg2 ...]
|
158
|
+
conjur [global options] env template [--policy arg] [--yaml arg] [-c FILE] template.erb
|
159
|
+
|
160
|
+
COMMANDS
|
161
|
+
check - Check availability of Conjur variables
|
162
|
+
help - Print description of environment configuration format
|
163
|
+
run - Execute external command with environment variables populated
|
164
|
+
from Conjur
|
165
|
+
template - Render ERB template with variables obtained from Conjur
|
166
|
+
|
167
|
+
root@e1bfc649b68d:/# conjur env help
|
168
|
+
|
169
|
+
Environment configuration (either stored in file referred by -c option or provided inline with --yaml option) should be a YAML document describing one-level Hash.
|
170
|
+
Keys of the hash are 'local names', used to refer to variable values in convenient manner. (See help for env:run and env:template for more details about how they are interpreted).
|
171
|
+
|
172
|
+
Values of the hash may take one of the following forms: a) string b) string preceeded with !var tag c) string preceeded with !tmp tag.
|
173
|
+
|
174
|
+
a) Plain string is just associated with local name without any calls to Conjur.
|
175
|
+
|
176
|
+
b) String preceeded by !var tag is interpreted as an ID of the Conjur variable, which value should be obtained and associated with appropriate local name.
|
177
|
+
|
178
|
+
c) String preceeded by !tmp tag is interpreted as an ID of the Conjur variable, which value should be stored in temporary file, which location should in turn be associated with appropriate local name.
|
179
|
+
|
180
|
+
Example of environment configuration:
|
181
|
+
|
182
|
+
{ local_variable_1: 'literal value', local_variable_2: !var id/of/Conjur/Variable , local_variable_3: !tmp id/of/another/Conjur/variable }
|
183
|
+
```
|
184
|
+
|
185
|
+
#### `conjur host`
|
186
|
+
|
187
|
+
```
|
188
|
+
NAME
|
189
|
+
host - Manage hosts
|
190
|
+
|
191
|
+
SYNOPSIS
|
192
|
+
conjur [global options] host layers HOST
|
193
|
+
conjur [global options] host rotate_api_key [--host arg|-h arg]
|
194
|
+
|
195
|
+
COMMANDS
|
196
|
+
layers - List the layers to which the host belongs
|
197
|
+
rotate_api_key - Rotate a host's API key
|
198
|
+
```
|
199
|
+
|
200
|
+
#### `conjur hostfactory`
|
201
|
+
|
202
|
+
```
|
203
|
+
NAME
|
204
|
+
hostfactory - Manage host factories
|
205
|
+
|
206
|
+
SYNOPSIS
|
207
|
+
conjur [global options] hostfactory hosts
|
208
|
+
conjur [global options] hostfactory tokens
|
209
|
+
|
210
|
+
COMMANDS
|
211
|
+
hosts - Operations on hosts
|
212
|
+
tokens - Operations on tokens
|
213
|
+
```
|
214
|
+
|
215
|
+
#### `conjur init`
|
216
|
+
|
217
|
+
```
|
218
|
+
NAME
|
219
|
+
init – Initialize the Conjur configuration
|
220
|
+
SYNOPSIS
|
221
|
+
conjur [global options] init [-u URL of Conjur service] [-a account name]
|
222
|
+
```
|
223
|
+
|
224
|
+
#### `conjur ldap-sync`
|
225
|
+
|
226
|
+
```
|
227
|
+
NAME
|
228
|
+
ldap-sync - LDAP sync management commands
|
229
|
+
|
230
|
+
SYNOPSIS
|
231
|
+
conjur [global options] ldap-sync policy
|
232
|
+
|
233
|
+
COMMANDS
|
234
|
+
policy - Manage the policy used to sync Conjur and the LDAP server
|
235
|
+
```
|
236
|
+
|
237
|
+
#### `conjur list`
|
238
|
+
|
239
|
+
```
|
240
|
+
Lists conjur objects
|
241
|
+
```
|
242
|
+
|
243
|
+
#### `conjur plugin`
|
244
|
+
|
245
|
+
```
|
246
|
+
NAME
|
247
|
+
plugin - Manage plugins
|
248
|
+
|
249
|
+
SYNOPSIS
|
250
|
+
conjur [global options] plugin install [-v version|--version version] PLUGIN
|
251
|
+
conjur [global options] plugin list
|
252
|
+
conjur [global options] plugin show PLUGIN
|
253
|
+
conjur [global options] plugin uninstall PLUGIN
|
254
|
+
|
255
|
+
COMMANDS
|
256
|
+
install - Install a plugin
|
257
|
+
list - List installed plugins
|
258
|
+
show - Show a plugin's details
|
259
|
+
uninstall - Uninstall a plugin
|
260
|
+
```
|
261
|
+
|
262
|
+
#### `conjur policy`
|
263
|
+
|
264
|
+
```
|
265
|
+
NAME
|
266
|
+
policy - Manage policies
|
267
|
+
|
268
|
+
SYNOPSIS
|
269
|
+
conjur [global options] policy load [--delete] [--replace] POLICY FILENAME
|
270
|
+
|
271
|
+
COMMANDS
|
272
|
+
load - Load a policy
|
273
|
+
--delete – deletes a policy
|
274
|
+
--replace – replaces a policy
|
275
|
+
```
|
276
|
+
|
277
|
+
#### `conjur pubkeys`
|
278
|
+
|
279
|
+
```
|
280
|
+
NAME
|
281
|
+
pubkeys - Public keys service operations
|
282
|
+
SYNOPSIS
|
283
|
+
conjur [global options] pubkeys [USER]
|
284
|
+
```
|
285
|
+
|
286
|
+
#### `conjur resource`
|
287
|
+
|
288
|
+
```
|
289
|
+
NAME
|
290
|
+
resource - Manage resources
|
291
|
+
|
292
|
+
SYNOPSIS
|
293
|
+
conjur [global options] resource exists RESOURCE
|
294
|
+
conjur [global options] resource permitted_roles RESOURCE PRIVILEGE
|
295
|
+
|
296
|
+
COMMANDS
|
297
|
+
exists - Determines whether a resource exists
|
298
|
+
permitted_roles - List roles with a specified privilege on the resource
|
299
|
+
```
|
300
|
+
|
301
|
+
#### `conjur role`
|
302
|
+
|
303
|
+
```
|
304
|
+
NAME
|
305
|
+
role - Manage roles
|
306
|
+
|
307
|
+
SYNOPSIS
|
308
|
+
conjur [global options] role exists [--json] ROLE
|
309
|
+
conjur [global options] role members [-V|--verbose] ROLE
|
310
|
+
conjur [global options] role memberships [-s|--system] ROLE
|
311
|
+
|
312
|
+
COMMANDS
|
313
|
+
exists - Determines whether a role exists
|
314
|
+
members - Lists all direct members of the role. The membership list is
|
315
|
+
not recursively expanded.
|
316
|
+
memberships - Lists role memberships. The role membership list is
|
317
|
+
recursively expanded.
|
318
|
+
```
|
319
|
+
|
320
|
+
#### `conjur show`
|
321
|
+
|
322
|
+
```
|
323
|
+
NAME
|
324
|
+
show - Show an object
|
325
|
+
SYNOPSIS
|
326
|
+
conjur show [object]
|
327
|
+
```
|
328
|
+
|
329
|
+
#### `conjur user`
|
330
|
+
|
331
|
+
```
|
332
|
+
NAME
|
333
|
+
user - Manage users
|
334
|
+
|
335
|
+
SYNOPSIS
|
336
|
+
conjur [global options] user rotate_api_key [--user arg|-u arg]
|
337
|
+
conjur [global options] user update_password [-p arg|--password arg]
|
338
|
+
|
339
|
+
COMMANDS
|
340
|
+
rotate_api_key - Rotate a user's API key
|
341
|
+
update_password - Update the password of the logged-in user
|
342
|
+
```
|
343
|
+
|
344
|
+
#### `conjur variable`
|
345
|
+
|
346
|
+
```
|
347
|
+
NAME
|
348
|
+
variable - Manage variables
|
349
|
+
|
350
|
+
SYNOPSIS
|
351
|
+
conjur [global options] variable value [-v arg|--version arg] VARIABLE
|
352
|
+
conjur [global options] variable values
|
353
|
+
|
354
|
+
COMMANDS
|
355
|
+
value - Get a value
|
356
|
+
values - Access variable values
|
357
|
+
```
|
358
|
+
|
62
359
|
## Contributing
|
63
360
|
|
64
361
|
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing
|
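Review bot: the `conjur env` block has a container shell prompt pasted into the help text at line 167 (`root@e1bfc649b68d:/# conjur env help`); drop the prompt and hostname so the block reads as reference output like the other sections. The spelling `preceeded` at lines 172, 176 and 178 is reproduced from the CLI's own help string, so fix it in the source rather than only in the README. For consistency, the `conjur check` synopsis at line 144 and `conjur show` at line 326 omit the `[global options]` that every other synopsis carries, `conjur list` at line 240 has no synopsis at all, and the `--delete` and `--replace` descriptions at lines 273 and 274 use an en dash where the other option lists use a hyphen. For `authn login [-p password|--password password]` at line 127 it is worth one sentence warning that a password passed on the command line ends up in shell history and process listings, pointing readers at the interactive prompt if the command provides one; the `.netrc` notice at line 83 already sets that tone.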
data/SECURITY.md
ADDED
@@ -0,0 +1,42 @@
|
|
1
|
+
# Security Policies and Procedures
|
2
|
+
|
3
|
+
This document outlines security procedures and general policies for the CyberArk Conjur
|
4
|
+
suite of tools and products.
|
5
|
+
|
6
|
+
* [Reporting a Bug](#reporting-a-bug)
|
7
|
+
* [Disclosure Policy](#disclosure-policy)
|
8
|
+
* [Comments on this Policy](#comments-on-this-policy)
|
9
|
+
|
10
|
+
## Reporting a Bug
|
11
|
+
|
12
|
+
The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
|
13
|
+
Thank you for improving the security of the Conjur suite. We appreciate your efforts and
|
14
|
+
responsible disclosure and will make every effort to acknowledge your
|
15
|
+
contributions.
|
16
|
+
|
17
|
+
Report security bugs by emailing the lead maintainers at security@conjur.org.
|
18
|
+
|
19
|
+
The maintainers will acknowledge your email within 2 business days. Subsequently, we will
|
20
|
+
send a more detailed response within 2 business days of our acknowledgement indicating
|
21
|
+
the next steps in handling your report. After the initial reply to your report, the security
|
22
|
+
team will endeavor to keep you informed of the progress towards a fix and full
|
23
|
+
announcement, and may ask for additional information or guidance.
|
24
|
+
|
25
|
+
Report security bugs in third-party modules to the person or team maintaining
|
26
|
+
the module.
|
27
|
+
|
28
|
+
## Disclosure Policy
|
29
|
+
|
30
|
+
When the security team receives a security bug report, they will assign it to a
|
31
|
+
primary handler. This person will coordinate the fix and release process,
|
32
|
+
involving the following steps:
|
33
|
+
|
34
|
+
* Confirm the problem and determine the affected versions.
|
35
|
+
* Audit code to find any potential similar problems.
|
36
|
+
* Prepare fixes for all releases still under maintenance. These fixes will be
|
37
|
+
released as fast as possible.
|
38
|
+
|
39
|
+
## Comments on this Policy
|
40
|
+
|
41
|
+
If you have suggestions on how this process could be improved please submit a
|
42
|
+
pull request.
|
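Review bot: the Reporting a Bug section (lines 17 to 23) gives security@conjur.org as the only channel but no PGP key or fingerprint, so a reporter has to send exploit details in cleartext, and the Disclosure Policy (lines 30 to 37) sets no expectation for when the reporter may publish. Add a key or a pointer to an encrypted channel next to the address, and state a target disclosure window (a fixed number of days after the fix ships) alongside the 2 business day acknowledgement, so both sides know the embargo they are working to.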
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
6.2.
|
1
|
+
6.2.3
|
data/build-standalone
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
#!/bin/bash -e
|
2
2
|
|
3
|
-
|
3
|
+
IMAGE="cyberark/conjur-cli:latest"
|
4
4
|
|
5
5
|
ENV_VARS=(
|
6
6
|
"CONJUR_MAJOR_VERSION=5"
|
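Review bot: `IMAGE="cyberark/conjur-cli:latest"` at line 3 builds and flattens only a mutable `latest` tag, which consumers cannot pin and which does not match the `cyberark/conjur-cli:5` tag the README advertises; unless `push-image` (changed in this release but not shown here) retags it, derive the tag from `VERSION` (6.2.3) and apply `latest` as an additional tag rather than the only one.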
@@ -9,7 +9,7 @@ ENV_VARS=(
|
|
9
9
|
)
|
10
10
|
|
11
11
|
# Flatten resulting image.
|
12
|
-
|
12
|
+
flatten() {
|
13
13
|
local image="$1"
|
14
14
|
echo "Flattening image '$image'..."
|
15
15
|
|
@@ -19,26 +19,27 @@ function flatten() {
|
|
19
19
|
# required for running the image (ENV, EXPOSE, WORKDIR, etc) so we
|
20
20
|
# manually rebuild them.
|
21
21
|
# See here for more details: https://github.com/moby/moby/issues/8334
|
22
|
-
local container
|
22
|
+
local container
|
23
|
+
container=$(docker create "$image")
|
23
24
|
|
24
25
|
env_var_params=()
|
25
|
-
for env_var in ${ENV_VARS[@]}; do
|
26
|
+
for env_var in "${ENV_VARS[@]}"; do
|
26
27
|
env_var_params+=("--change")
|
27
28
|
env_var_params+=("ENV $env_var")
|
28
29
|
done
|
29
30
|
|
30
|
-
docker export $container | docker import \
|
31
|
+
docker export "$container" | docker import \
|
31
32
|
"${env_var_params[@]}" \
|
32
33
|
--change 'ENTRYPOINT ["/bin/entry"]' \
|
33
|
-
- $image
|
34
|
-
docker rm $container
|
34
|
+
- "$image"
|
35
|
+
docker rm "$container"
|
35
36
|
}
|
36
37
|
|
37
38
|
# Build the cli standalone container image
|
38
|
-
echo "Building image $
|
39
|
+
echo "Building image $IMAGE"
|
39
40
|
|
40
41
|
docker build . \
|
41
|
-
|
42
|
-
|
42
|
+
--file Dockerfile.standalone \
|
43
|
+
--tag "$IMAGE"
|
43
44
|
|
44
|
-
flatten "$
|
45
|
+
flatten "$IMAGE"
|
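Review bot: `flatten` still leaks the temporary container on failure: if `docker export "$container" | docker import ...` (lines 31 to 34) fails, `docker rm "$container"` at line 35 is never reached under `bash -e`, and because the failing command sits on the left of a pipe, `-e` does not stop the script at all unless `set -o pipefail` is also enabled. Enable `pipefail` and register cleanup right after `container=$(docker create "$image")` at line 23, for example `trap 'docker rm -f "$container"' EXIT`, so the container is removed on every path. Splitting `local container` from its assignment at lines 22 and 23 is the right call, since `local x=$(cmd)` would have masked a failing `docker create`, and the added quoting at lines 26, 31, 34 and 35 closes the word-splitting issues in the old version.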
data/conjur-cli.gemspec
CHANGED
@@ -3,11 +3,11 @@ require File.expand_path('../lib/conjur/version', __FILE__)
|
|
3
3
|
require "English"
|
4
4
|
|
5
5
|
Gem::Specification.new do |gem|
|
6
|
-
gem.authors = ["
|
7
|
-
gem.email = ["
|
6
|
+
gem.authors = ["Conjur Maintainers"]
|
7
|
+
gem.email = ["conj_maintainers@cyberark.com",]
|
8
8
|
gem.summary = %q{Conjur command line interface}
|
9
|
-
gem.homepage = "https://github.com/
|
10
|
-
gem.license = '
|
9
|
+
gem.homepage = "https://github.com/cyberark/conjur-cli"
|
10
|
+
gem.license = 'Apache 2.0'
|
11
11
|
|
12
12
|
gem.files = (`git ls-files`.split($OUTPUT_RECORD_SEPARATOR)
|
13
13
|
.select { |x| x !~ /^Dockerfile/ }
|
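Review bot: `gem.license = 'Apache 2.0'` at line 10 is not an SPDX identifier; RubyGems warns at build time for license strings it does not recognize, so use `Apache-2.0`. The trailing comma in `gem.email = ["conj_maintainers@cyberark.com",]` at line 7 is valid Ruby but reads as a leftover from a longer list; drop it.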
data/lib/conjur/command/hosts.rb
CHANGED
@@ -36,7 +36,7 @@ class Conjur::Command::Hosts < Conjur::Command
|
|
36
36
|
host_resourceid = full_resource_id("host:#{host}")
|
37
37
|
|
38
38
|
unless api.resource(host_resourceid).exists?
|
39
|
-
exit_now! "
|
39
|
+
exit_now! "Host '#{host}' not found"
|
40
40
|
end
|
41
41
|
|
42
42
|
# Prepend 'host/' if it wasn't passed in
|
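Review bot: the new message `exit_now! "Host '#{host}' not found"` at line 39 reports on the raw `host` argument, yet the comment at line 42 says `host/` is prepended only after this point; confirm that `full_resource_id("host:#{host}")` at line 36 already accepts a bare name, otherwise a host passed without the prefix is reported as missing before the fallback ever runs. The following `@@ -29,7 +29,13 @@` hunk belongs to `data/lib/conjur/command/rspec/mock_services.rb` (+7 -1 in the file summary); its file header is missing from this view.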
@@ -29,7 +29,13 @@ end
|
|
29
29
|
shared_context "when logged in", logged_in: true do
|
30
30
|
include_context "with mock authn"
|
31
31
|
before do
|
32
|
-
allow(api).to receive(:credentials)
|
32
|
+
allow(api).to receive(:credentials) do
|
33
|
+
{
|
34
|
+
:username => 'dknuth',
|
35
|
+
:headers => { :authorization => "fakeauth" },
|
36
|
+
}
|
37
|
+
end
|
38
|
+
|
33
39
|
netrc[authn_host] = [username, api_key]
|
34
40
|
allow(Conjur::Command).to receive_messages api: api
|
35
41
|
end
|
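Review bot: the stubbed `credentials` at lines 32 to 37 hardcode `:username => 'dknuth'` while line 39 registers `netrc[authn_host] = [username, api_key]` using the context's `username`; return `username` from the stub so a spec that changes the login name does not end up with a netrc entry and credentials that disagree. For a constant value, `and_return(username: username, headers: { authorization: "fakeauth" })` also reads more clearly than the block form.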