conjur-cli 6.2.2 → 6.2.6
- checksums.yaml +4 -4
- data/.github/CODEOWNERS +10 -0
- data/CHANGELOG.md +33 -1
- data/CONTRIBUTING.md +1 -1
- data/Gemfile +1 -1
- data/Jenkinsfile +35 -18
- data/NOTICES.txt +421 -0
- data/README.md +299 -2
- data/SECURITY.md +42 -0
- data/VERSION +1 -1
- data/build-standalone +12 -11
- data/conjur-cli.gemspec +7 -7
- data/jenkins.sh +1 -1
- data/lib/conjur/command/hosts.rb +1 -1
- data/lib/conjur/command/rspec/describe_command.rb +26 -7
- data/lib/conjur/command/rspec/mock_services.rb +7 -1
- data/lib/conjur/command/users.rb +5 -1
- data/lib/conjur/version.rb +1 -1
- data/push-image +14 -6
- data/spec/command/hosts_spec.rb +26 -3
- data/spec/command/init_spec.rb +28 -41
- data/spec/command/users_spec.rb +18 -2
- data/test.sh +5 -1
- metadata +18 -25
- data/.github/ISSUE_TEMPLATE/bug.md +0 -27
- data/.github/ISSUE_TEMPLATE/feature_request.md +0 -27
data/README.md
CHANGED
@@ -6,7 +6,18 @@ Command-line interface for Conjur.
|
|
6
6
|
|
7
7
|
A complete reference guide is available at [conjur.org](https://www.conjur.org).
|
8
8
|
|
9
|
-
##
|
9
|
+
## Table of Contents
|
10
|
+
- [Getting Started](#getting-started)
|
11
|
+
- [Quick Start](#quick-start)
|
12
|
+
- [Using This Project With Conjur Open Source](#Using-conjur-cli-with-Conjur-Open-Source)
|
13
|
+
- [Using Docker](#using-docker)
|
14
|
+
- [Usage](#usage)
|
15
|
+
- [Contributing](#contributing)
|
16
|
+
- [License](#license)
|
17
|
+
|
18
|
+
## Getting Started
|
19
|
+
|
20
|
+
### Quick start
|
10
21
|
|
11
22
|
```sh-session
|
12
23
|
$ gem install conjur-cli
|
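Review bot: The new table-of-contents entry `[Using This Project With Conjur Open Source](#Using-conjur-cli-with-Conjur-Open-Source)` uses a mixed-case fragment and a label that differs from the heading it targets, while every other entry uses a lowercase fragment that mirrors its heading. Suggest `[Using conjur-cli with Conjur Open Source](#using-conjur-cli-with-conjur-open-source)`, and match the case of the `Quick Start` entry to the `### Quick start` heading.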
@@ -15,7 +26,19 @@ $ conjur -v
|
|
15
26
|
conjur version 6.0.0
|
16
27
|
```
|
17
28
|
|
29
|
+
### Using conjur-cli with Conjur Open Source
|
30
|
+
|
31
|
+
Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we
|
32
|
+
**strongly** recommend choosing the version of this project to use from the latest [Conjur OSS
|
33
|
+
suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html).
|
34
|
+
Conjur maintainers perform additional testing on the suite release versions to ensure
|
35
|
+
compatibility. When possible, upgrade your Conjur version to match the
|
36
|
+
[latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm);
|
37
|
+
when using integrations, choose the latest suite release that matches your Conjur version. For any
|
38
|
+
questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5).
|
39
|
+
|
18
40
|
## Using Docker
|
41
|
+
|
19
42
|
[![Docker Build Status](https://img.shields.io/docker/build/conjurinc/cli5.svg)](https://hub.docker.com/r/conjurinc/cli5/)
|
20
43
|
This software is included in the standalone cyberark/conjur-cli:5 Docker image. Docker containers are designed to be ephemeral, which means they don't store state after the container exits.
|
21
44
|
|
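Review bot: The added "Using conjur-cli with Conjur Open Source" paragraph strongly recommends taking the version from the suite release, but the Quick start above it still shows an unpinned `gem install conjur-cli` and sample output of `conjur version 6.0.0`. Show the pinned form (`gem install conjur-cli -v <version>`) next to the recommendation. The two "suite release" links also point at different pages (`Conjur-OSS-Suite-Overview.html` and `ConjurOSS-suite-RN.htm`); link one canonical page or say what each is for.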
@@ -59,12 +82,286 @@ drwxr-xr-x 2 you staff 68 Mar 29 14:16 .cache
|
|
59
82
|
```
|
60
83
|
*Security notice:* the file `.netrc`, created or updated by `conjur authn login`, contains a user identity credential that can be used to access the Conjur API. You should remove it after use or otherwise secure it like you would another netrc file.
|
61
84
|
|
85
|
+
## Usage
|
86
|
+
|
87
|
+
```
|
88
|
+
NAME
|
89
|
+
conjur - Command-line toolkit for managing roles, resources and privileges
|
90
|
+
|
91
|
+
SYNOPSIS
|
92
|
+
conjur [global options] command [command options] [arguments...]
|
93
|
+
|
94
|
+
GLOBAL OPTIONS
|
95
|
+
--help - Show this message
|
96
|
+
--version - Display the program version
|
97
|
+
```
|
98
|
+
|
99
|
+
### Commands
|
100
|
+
|
101
|
+
| Command | Description |
|
102
|
+
| ---------------------------------- | ------------------------------------------------- |
|
103
|
+
| [authn](#conjur-authn) | - Login and logout |
|
104
|
+
| [check](#conjur-check) | - Check for a privilege on a resource |
|
105
|
+
| [env](#conjur-env) | - Use values of Conjur variables in local context |
|
106
|
+
| [host](#conjur-host) | - Manage hosts |
|
107
|
+
| [hostfactory](#conjur-hostfactory) | - Manage host factories |
|
108
|
+
| [init](#conjur-init) | - Initialize the Conjur configuration |
|
109
|
+
| [ldap-sync](#conjur-ldap-sync) | - LDAP sync management commands |
|
110
|
+
| [list](#conjur-list) | - List objects |
|
111
|
+
| [plugin](#conjur-plugin) | - Manage plugins |
|
112
|
+
| [policy](#conjur-policy) | - Manage policies |
|
113
|
+
| [pubkeys](#conjur-pubkeys) | - Public keys service operations |
|
114
|
+
| [resource](#conjur-resource) | - Manage resources |
|
115
|
+
| [role](#conjur-role) | - Manage roles |
|
116
|
+
| [show](#conjur-show) | - Show an object |
|
117
|
+
| [user](#conjur-user) | - Manage users |
|
118
|
+
| [variable](#conjur-variable) | - Manage variables |
|
119
|
+
|
120
|
+
#### `conjur authn`
|
121
|
+
|
122
|
+
```
|
123
|
+
NAME
|
124
|
+
authn - Login and logout
|
125
|
+
SYNOPSIS
|
126
|
+
conjur [global options] authn authenticate [-H|--header] [-f filename|--filename filename]
|
127
|
+
conjur [global options] authn login [-p password|--password password] [-u username|--username username] login-name
|
128
|
+
conjur [global options] authn logout
|
129
|
+
conjur [global options] authn whoami
|
130
|
+
COMMANDS
|
131
|
+
authenticate - Obtains an authentication token using the current logged-in
|
132
|
+
user
|
133
|
+
login - Logs in and caches credentials to netrc.
|
134
|
+
logout - Logs out
|
135
|
+
whoami - Prints out the current logged in username
|
136
|
+
```
|
137
|
+
|
138
|
+
#### `conjur check`
|
139
|
+
|
140
|
+
```
|
141
|
+
NAME
|
142
|
+
check - Check for a user’s privilege on a resource
|
143
|
+
SYNOPSIS
|
144
|
+
conjur check [object] [privilege] [user]
|
145
|
+
PRIVILEGES
|
146
|
+
read, write, execute
|
147
|
+
```
|
148
|
+
|
149
|
+
#### `conjur env`
|
150
|
+
|
151
|
+
```
|
152
|
+
NAME
|
153
|
+
env - Use values of Conjur variables in local context
|
154
|
+
SYNOPSIS
|
155
|
+
conjur [global options] env check [--policy arg] [--yaml arg] [-c FILE]
|
156
|
+
conjur [global options] env help
|
157
|
+
conjur [global options] env run [--policy arg] [--yaml arg] [-c FILE] -- command [arg1, arg2 ...]
|
158
|
+
conjur [global options] env template [--policy arg] [--yaml arg] [-c FILE] template.erb
|
159
|
+
|
160
|
+
COMMANDS
|
161
|
+
check - Check availability of Conjur variables
|
162
|
+
help - Print description of environment configuration format
|
163
|
+
run - Execute external command with environment variables populated
|
164
|
+
from Conjur
|
165
|
+
template - Render ERB template with variables obtained from Conjur
|
166
|
+
|
167
|
+
root@e1bfc649b68d:/# conjur env help
|
168
|
+
|
169
|
+
Environment configuration (either stored in file referred by -c option or provided inline with --yaml option) should be a YAML document describing one-level Hash.
|
170
|
+
Keys of the hash are 'local names', used to refer to variable values in convenient manner. (See help for env:run and env:template for more details about how they are interpreted).
|
171
|
+
|
172
|
+
Values of the hash may take one of the following forms: a) string b) string preceeded with !var tag c) string preceeded with !tmp tag.
|
173
|
+
|
174
|
+
a) Plain string is just associated with local name without any calls to Conjur.
|
175
|
+
|
176
|
+
b) String preceeded by !var tag is interpreted as an ID of the Conjur variable, which value should be obtained and associated with appropriate local name.
|
177
|
+
|
178
|
+
c) String preceeded by !tmp tag is interpreted as an ID of the Conjur variable, which value should be stored in temporary file, which location should in turn be associated with appropriate local name.
|
179
|
+
|
180
|
+
Example of environment configuration:
|
181
|
+
|
182
|
+
{ local_variable_1: 'literal value', local_variable_2: !var id/of/Conjur/Variable , local_variable_3: !tmp id/of/another/Conjur/variable }
|
183
|
+
```
|
184
|
+
|
185
|
+
#### `conjur host`
|
186
|
+
|
187
|
+
```
|
188
|
+
NAME
|
189
|
+
host - Manage hosts
|
190
|
+
|
191
|
+
SYNOPSIS
|
192
|
+
conjur [global options] host layers HOST
|
193
|
+
conjur [global options] host rotate_api_key [--host arg|-h arg]
|
194
|
+
|
195
|
+
COMMANDS
|
196
|
+
layers - List the layers to which the host belongs
|
197
|
+
rotate_api_key - Rotate a host's API key
|
198
|
+
```
|
199
|
+
|
200
|
+
#### `conjur hostfactory`
|
201
|
+
|
202
|
+
```
|
203
|
+
NAME
|
204
|
+
hostfactory - Manage host factories
|
205
|
+
|
206
|
+
SYNOPSIS
|
207
|
+
conjur [global options] hostfactory hosts
|
208
|
+
conjur [global options] hostfactory tokens
|
209
|
+
|
210
|
+
COMMANDS
|
211
|
+
hosts - Operations on hosts
|
212
|
+
tokens - Operations on tokens
|
213
|
+
```
|
214
|
+
|
215
|
+
#### `conjur init`
|
216
|
+
|
217
|
+
```
|
218
|
+
NAME
|
219
|
+
init – Initialize the Conjur configuration
|
220
|
+
SYNOPSIS
|
221
|
+
conjur [global options] init [-u URL of Conjur service] [-a account name]
|
222
|
+
```
|
223
|
+
|
224
|
+
#### `conjur ldap-sync`
|
225
|
+
|
226
|
+
```
|
227
|
+
NAME
|
228
|
+
ldap-sync - LDAP sync management commands
|
229
|
+
|
230
|
+
SYNOPSIS
|
231
|
+
conjur [global options] ldap-sync policy
|
232
|
+
|
233
|
+
COMMANDS
|
234
|
+
policy - Manage the policy used to sync Conjur and the LDAP server
|
235
|
+
```
|
236
|
+
|
237
|
+
#### `conjur list`
|
238
|
+
|
239
|
+
```
|
240
|
+
Lists conjur objects
|
241
|
+
```
|
242
|
+
|
243
|
+
#### `conjur plugin`
|
244
|
+
|
245
|
+
```
|
246
|
+
NAME
|
247
|
+
plugin - Manage plugins
|
248
|
+
|
249
|
+
SYNOPSIS
|
250
|
+
conjur [global options] plugin install [-v version|--version version] PLUGIN
|
251
|
+
conjur [global options] plugin list
|
252
|
+
conjur [global options] plugin show PLUGIN
|
253
|
+
conjur [global options] plugin uninstall PLUGIN
|
254
|
+
|
255
|
+
COMMANDS
|
256
|
+
install - Install a plugin
|
257
|
+
list - List installed plugins
|
258
|
+
show - Show a plugin's details
|
259
|
+
uninstall - Uninstall a plugin
|
260
|
+
```
|
261
|
+
|
262
|
+
#### `conjur policy`
|
263
|
+
|
264
|
+
```
|
265
|
+
NAME
|
266
|
+
policy - Manage policies
|
267
|
+
|
268
|
+
SYNOPSIS
|
269
|
+
conjur [global options] policy load [--delete] [--replace] POLICY FILENAME
|
270
|
+
|
271
|
+
COMMANDS
|
272
|
+
load - Load a policy
|
273
|
+
--delete – deletes a policy
|
274
|
+
--replace – replaces a policy
|
275
|
+
```
|
276
|
+
|
277
|
+
#### `conjur pubkeys`
|
278
|
+
|
279
|
+
```
|
280
|
+
NAME
|
281
|
+
pubkeys - Public keys service operations
|
282
|
+
SYNOPSIS
|
283
|
+
conjur [global options] pubkeys [USER]
|
284
|
+
```
|
285
|
+
|
286
|
+
#### `conjur resource`
|
287
|
+
|
288
|
+
```
|
289
|
+
NAME
|
290
|
+
resource - Manage resources
|
291
|
+
|
292
|
+
SYNOPSIS
|
293
|
+
conjur [global options] resource exists RESOURCE
|
294
|
+
conjur [global options] resource permitted_roles RESOURCE PRIVILEGE
|
295
|
+
|
296
|
+
COMMANDS
|
297
|
+
exists - Determines whether a resource exists
|
298
|
+
permitted_roles - List roles with a specified privilege on the resource
|
299
|
+
```
|
300
|
+
|
301
|
+
#### `conjur role`
|
302
|
+
|
303
|
+
```
|
304
|
+
NAME
|
305
|
+
role - Manage roles
|
306
|
+
|
307
|
+
SYNOPSIS
|
308
|
+
conjur [global options] role exists [--json] ROLE
|
309
|
+
conjur [global options] role members [-V|--verbose] ROLE
|
310
|
+
conjur [global options] role memberships [-s|--system] ROLE
|
311
|
+
|
312
|
+
COMMANDS
|
313
|
+
exists - Determines whether a role exists
|
314
|
+
members - Lists all direct members of the role. The membership list is
|
315
|
+
not recursively expanded.
|
316
|
+
memberships - Lists role memberships. The role membership list is
|
317
|
+
recursively expanded.
|
318
|
+
```
|
319
|
+
|
320
|
+
#### `conjur show`
|
321
|
+
|
322
|
+
```
|
323
|
+
NAME
|
324
|
+
show - Show an object
|
325
|
+
SYNOPSIS
|
326
|
+
conjur show [object]
|
327
|
+
```
|
328
|
+
|
329
|
+
#### `conjur user`
|
330
|
+
|
331
|
+
```
|
332
|
+
NAME
|
333
|
+
user - Manage users
|
334
|
+
|
335
|
+
SYNOPSIS
|
336
|
+
conjur [global options] user rotate_api_key [--user arg|-u arg]
|
337
|
+
conjur [global options] user update_password [-p arg|--password arg]
|
338
|
+
|
339
|
+
COMMANDS
|
340
|
+
rotate_api_key - Rotate a user's API key
|
341
|
+
update_password - Update the password of the logged-in user
|
342
|
+
```
|
343
|
+
|
344
|
+
#### `conjur variable`
|
345
|
+
|
346
|
+
```
|
347
|
+
NAME
|
348
|
+
variable - Manage variables
|
349
|
+
|
350
|
+
SYNOPSIS
|
351
|
+
conjur [global options] variable value [-v arg|--version arg] VARIABLE
|
352
|
+
conjur [global options] variable values
|
353
|
+
|
354
|
+
COMMANDS
|
355
|
+
value - Get a value
|
356
|
+
values - Access variable values
|
357
|
+
```
|
358
|
+
|
62
359
|
## Contributing
|
63
360
|
|
64
361
|
We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing
|
65
362
|
guide][contrib].
|
66
363
|
|
67
|
-
[contrib]: https://github.com/cyberark/conjur/blob/
|
364
|
+
[contrib]: https://github.com/cyberark/conjur-cli/blob/main/CONTRIBUTING.md
|
68
365
|
|
69
366
|
## License
|
70
367
|
|
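Review bot: In the `conjur authn` and `conjur user` synopses, `login [-p password|--password password]` and `update_password [-p arg|--password arg]` are documented without any caveat, although a secret passed as an argument ends up in shell history and the process list; add a sentence next to the existing `.netrc` security notice, and likewise note that `!tmp` in `conjur env` writes the variable value to a temporary file. In the `conjur env` block the pasted prompt `root@e1bfc649b68d:/# conjur env help` should be dropped and "preceeded" corrected to "preceded" (three occurrences). The `conjur check` and `conjur show` synopses omit `[global options]`, unlike the other commands, and `conjur list` has no synopsis at all.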
data/SECURITY.md
ADDED
@@ -0,0 +1,42 @@
|
|
1
|
+
# Security Policies and Procedures
|
2
|
+
|
3
|
+
This document outlines security procedures and general policies for the CyberArk Conjur
|
4
|
+
suite of tools and products.
|
5
|
+
|
6
|
+
* [Reporting a Bug](#reporting-a-bug)
|
7
|
+
* [Disclosure Policy](#disclosure-policy)
|
8
|
+
* [Comments on this Policy](#comments-on-this-policy)
|
9
|
+
|
10
|
+
## Reporting a Bug
|
11
|
+
|
12
|
+
The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously.
|
13
|
+
Thank you for improving the security of the Conjur suite. We appreciate your efforts and
|
14
|
+
responsible disclosure and will make every effort to acknowledge your
|
15
|
+
contributions.
|
16
|
+
|
17
|
+
Report security bugs by emailing the lead maintainers at security@conjur.org.
|
18
|
+
|
19
|
+
The maintainers will acknowledge your email within 2 business days. Subsequently, we will
|
20
|
+
send a more detailed response within 2 business days of our acknowledgement indicating
|
21
|
+
the next steps in handling your report. After the initial reply to your report, the security
|
22
|
+
team will endeavor to keep you informed of the progress towards a fix and full
|
23
|
+
announcement, and may ask for additional information or guidance.
|
24
|
+
|
25
|
+
Report security bugs in third-party modules to the person or team maintaining
|
26
|
+
the module.
|
27
|
+
|
28
|
+
## Disclosure Policy
|
29
|
+
|
30
|
+
When the security team receives a security bug report, they will assign it to a
|
31
|
+
primary handler. This person will coordinate the fix and release process,
|
32
|
+
involving the following steps:
|
33
|
+
|
34
|
+
* Confirm the problem and determine the affected versions.
|
35
|
+
* Audit code to find any potential similar problems.
|
36
|
+
* Prepare fixes for all releases still under maintenance. These fixes will be
|
37
|
+
released as fast as possible.
|
38
|
+
|
39
|
+
## Comments on this Policy
|
40
|
+
|
41
|
+
If you have suggestions on how this process could be improved please submit a
|
42
|
+
pull request.
|
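Review bot: The "Disclosure Policy" list stops at preparing fixes and never says how or where a fixed issue is announced, even though "Reporting a Bug" promises updates on progress "towards a fix and full announcement". Add a final step describing the announcement, state which releases count as "still under maintenance", and consider offering an encrypted or otherwise private reporting channel alongside the plain security@conjur.org address.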
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
6.2.
|
1
|
+
6.2.6
|
data/build-standalone
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
#!/bin/bash -e
|
2
2
|
|
3
|
-
|
3
|
+
IMAGE="cyberark/conjur-cli:latest"
|
4
4
|
|
5
5
|
ENV_VARS=(
|
6
6
|
"CONJUR_MAJOR_VERSION=5"
|
@@ -9,7 +9,7 @@ ENV_VARS=(
|
|
9
9
|
)
|
10
10
|
|
11
11
|
# Flatten resulting image.
|
12
|
-
|
12
|
+
flatten() {
|
13
13
|
local image="$1"
|
14
14
|
echo "Flattening image '$image'..."
|
15
15
|
|
@@ -19,26 +19,27 @@ function flatten() {
|
|
19
19
|
# required for running the image (ENV, EXPOSE, WORKDIR, etc) so we
|
20
20
|
# manually rebuild them.
|
21
21
|
# See here for more details: https://github.com/moby/moby/issues/8334
|
22
|
-
local container
|
22
|
+
local container
|
23
|
+
container=$(docker create "$image")
|
23
24
|
|
24
25
|
env_var_params=()
|
25
|
-
for env_var in ${ENV_VARS[@]}; do
|
26
|
+
for env_var in "${ENV_VARS[@]}"; do
|
26
27
|
env_var_params+=("--change")
|
27
28
|
env_var_params+=("ENV $env_var")
|
28
29
|
done
|
29
30
|
|
30
|
-
docker export $container | docker import \
|
31
|
+
docker export "$container" | docker import \
|
31
32
|
"${env_var_params[@]}" \
|
32
33
|
--change 'ENTRYPOINT ["/bin/entry"]' \
|
33
|
-
- $image
|
34
|
-
docker rm $container
|
34
|
+
- "$image"
|
35
|
+
docker rm "$container"
|
35
36
|
}
|
36
37
|
|
37
38
|
# Build the cli standalone container image
|
38
|
-
echo "Building image $
|
39
|
+
echo "Building image $IMAGE"
|
39
40
|
|
40
41
|
docker build . \
|
41
|
-
|
42
|
-
|
42
|
+
--file Dockerfile.standalone \
|
43
|
+
--tag "$IMAGE"
|
43
44
|
|
44
|
-
flatten "$
|
45
|
+
flatten "$IMAGE"
|
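Review bot: In `flatten()`, the pipeline `docker export "$container" | docker import ...` runs with only `#!/bin/bash -e`, so a failing `docker export` is masked by the exit status of `docker import`, and when the pipeline does fail `docker rm "$container"` is never reached and the created container is left behind. Add `set -o pipefail` and remove the container from a `trap` or explicit cleanup path. `env_var_params` could also be declared `local`, as `container` is.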
data/conjur-cli.gemspec
CHANGED
@@ -3,11 +3,11 @@ require File.expand_path('../lib/conjur/version', __FILE__)
|
|
3
3
|
require "English"
|
4
4
|
|
5
5
|
Gem::Specification.new do |gem|
|
6
|
-
gem.authors = ["
|
7
|
-
gem.email = ["
|
6
|
+
gem.authors = ["Conjur Maintainers"]
|
7
|
+
gem.email = ["conj_maintainers@cyberark.com",]
|
8
8
|
gem.summary = %q{Conjur command line interface}
|
9
|
-
gem.homepage = "https://github.com/
|
10
|
-
gem.license = '
|
9
|
+
gem.homepage = "https://github.com/cyberark/conjur-cli"
|
10
|
+
gem.license = 'Apache 2.0'
|
11
11
|
|
12
12
|
gem.files = (`git ls-files`.split($OUTPUT_RECORD_SEPARATOR)
|
13
13
|
.select { |x| x !~ /^Dockerfile/ }
|
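Review bot: `gem.license = 'Apache 2.0'` is not an SPDX identifier; RubyGems expects `Apache-2.0` and warns about unrecognised license strings when the gem is built. `gem.email = ["conj_maintainers@cyberark.com",]` also carries a stray trailing comma inside the array.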
@@ -21,11 +21,11 @@ Gem::Specification.new do |gem|
|
|
21
21
|
# Filter out development only executables
|
22
22
|
gem.executables -= %w{parse-changelog.sh}
|
23
23
|
|
24
|
-
gem.add_dependency 'activesupport', '
|
24
|
+
gem.add_dependency 'activesupport', '~> 6.0'
|
25
25
|
gem.add_dependency 'conjur-api', '~> 5.3'
|
26
26
|
gem.add_dependency 'deep_merge', '~> 1.0'
|
27
27
|
gem.add_dependency 'gli', '>=2.8.0'
|
28
|
-
gem.add_dependency 'highline', '~>
|
28
|
+
gem.add_dependency 'highline', '~> 2.0'
|
29
29
|
gem.add_dependency 'netrc', '~> 0.10'
|
30
30
|
gem.add_dependency 'table_print', '~> 1.5'
|
31
31
|
gem.add_dependency 'xdg', '= 2.2.3'
|
@@ -37,7 +37,7 @@ Gem::Specification.new do |gem|
|
|
37
37
|
gem.add_development_dependency 'io-grab', '~> 0.0'
|
38
38
|
gem.add_development_dependency 'json_spec'
|
39
39
|
gem.add_development_dependency 'pry-byebug'
|
40
|
-
gem.add_development_dependency 'rake', '~>
|
40
|
+
gem.add_development_dependency 'rake', '~> 13.0'
|
41
41
|
gem.add_development_dependency 'rspec', '~> 3.0'
|
42
42
|
gem.add_development_dependency 'simplecov', '~> 0.17', '< 0.18'
|
43
43
|
end
|
data/jenkins.sh
CHANGED
data/lib/conjur/command/hosts.rb
CHANGED
@@ -36,7 +36,7 @@ class Conjur::Command::Hosts < Conjur::Command
|
|
36
36
|
host_resourceid = full_resource_id("host:#{host}")
|
37
37
|
|
38
38
|
unless api.resource(host_resourceid).exists?
|
39
|
-
exit_now! "
|
39
|
+
exit_now! "Host '#{host}' not found"
|
40
40
|
end
|
41
41
|
|
42
42
|
# Prepend 'host/' if it wasn't passed in
|
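Review bot: The existence check runs on `full_resource_id("host:#{host}")` before the "Prepend 'host/' if it wasn't passed in" normalisation that follows, so the lookup and the rotation may be using differently shaped ids. If a caller passes `host/redis001`, does this check look up `host:host/redis001` and exit with "not found" for a host that exists? Either normalise `host` before the check or add a spec covering the prefixed form.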
@@ -5,15 +5,34 @@ RSpec::Core::DSL.change_global_dsl do
|
|
5
5
|
|
6
6
|
before do
|
7
7
|
allow(cert_store).to receive(:add_file)
|
8
|
+
# Stub the constant OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE which is
|
9
|
+
# implicitly used in many places in the CLI and in conjur-api-ruby as the de facto
|
10
|
+
# cert store.
|
8
11
|
stub_const 'OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE', cert_store
|
12
|
+
|
13
|
+
# Reset the rest_client_options defaults to avoid using expired rspec doubles.
|
14
|
+
#
|
15
|
+
# Conjur.configuration is a lazy-loaded singleton. There is single CLI instance
|
16
|
+
# shared across this test suite. When Conjur.configuration is loaded for the first
|
17
|
+
# time it assumes the defaults value for Conjur.configuration.rest_client_options
|
18
|
+
# of:
|
19
|
+
# {
|
20
|
+
# :ssl_cert_store => OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE
|
21
|
+
# }
|
22
|
+
#
|
23
|
+
# Notice above that each test case stubs the constant
|
24
|
+
# OpenSSL::SSL::SSLContext::DEFAULT_CERT_STORE with a double. Without further
|
25
|
+
# modification this means the first time the CLI is run and Conjur.configuration
|
26
|
+
# is loaded Conjur.configuration.rest_client_options[:ssl_cert_store] it is set to
|
27
|
+
# the double associated with the test case at that point in time. Since
|
28
|
+
# Conjur.configuration is only loaded once, without modification, that double will
|
29
|
+
# be retained and its usage will result in a RSpec::Mocks::ExpiredTestDoubleError.
|
30
|
+
# To avoid this for each test case we must reset
|
31
|
+
# Conjur.configuration.rest_client_options[:ssl_cert_store] with the double for
|
32
|
+
# the current test case.
|
33
|
+
Conjur.configuration.rest_client_options[:ssl_cert_store] = cert_store
|
9
34
|
end
|
10
|
-
|
11
|
-
let(:cert_store_options) do
|
12
|
-
{
|
13
|
-
ssl_cert_store: cert_store
|
14
|
-
}
|
15
|
-
end
|
16
|
-
|
35
|
+
|
17
36
|
let(:invoke) do
|
18
37
|
Conjur::CLI.error_device = $stderr
|
19
38
|
# TODO: allow proper handling of description like "audit:send 'hello world'"
|
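Review bot: The added `Conjur.configuration.rest_client_options[:ssl_cert_store] = cert_store` in the `before` block writes into the shared singleton and nothing restores it, so the last example's double remains in the configuration once the example ends. Save the previous value and put it back in an `after` hook, or stub `Conjur.configuration` itself. The explanatory comment could be cut to the essential point (the singleton caches the first double, which later raises `RSpec::Mocks::ExpiredTestDoubleError`), and it is worth confirming that no spec still references the removed `cert_store_options`.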
@@ -29,7 +29,13 @@ end
|
|
29
29
|
shared_context "when logged in", logged_in: true do
|
30
30
|
include_context "with mock authn"
|
31
31
|
before do
|
32
|
-
allow(api).to receive(:credentials)
|
32
|
+
allow(api).to receive(:credentials) do
|
33
|
+
{
|
34
|
+
:username => 'dknuth',
|
35
|
+
:headers => { :authorization => "fakeauth" },
|
36
|
+
}
|
37
|
+
end
|
38
|
+
|
33
39
|
netrc[authn_host] = [username, api_key]
|
34
40
|
allow(Conjur::Command).to receive_messages api: api
|
35
41
|
end
|
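Review bot: The stubbed `credentials` hash hard-codes `:username => 'dknuth'`, while the very next line stores the `username` helper in `netrc[authn_host]`; if a context overrides `username`, the two identities diverge silently. Build the stub from `username` instead of the literal, and drop the trailing comma after the `:headers` entry.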
data/lib/conjur/command/users.rb
CHANGED
@@ -47,7 +47,11 @@ class Conjur::Command::Users < Conjur::Command
|
|
47
47
|
if api.username == options[:user]
|
48
48
|
exit_now! 'To rotate the API key of the currently logged-in user, use this command without any flags or options'
|
49
49
|
end
|
50
|
-
|
50
|
+
user_resource_id = [Conjur.configuration.account, "user", options[:user]].join(":")
|
51
|
+
unless api.resource(user_resource_id).exists?
|
52
|
+
exit_now! "User '#{options[:user]}' not found"
|
53
|
+
end
|
54
|
+
puts api.resource(user_resource_id).rotate_api_key
|
51
55
|
else
|
52
56
|
username, password = Conjur::Authn.read_credentials
|
53
57
|
new_api_key = Conjur::API.rotate_api_key username, password
|
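Review bot: `user_resource_id` is assembled by hand with `[Conjur.configuration.account, "user", options[:user]].join(":")`, whereas the host command uses `full_resource_id("host:#{host}")` for the same purpose; use the shared helper so both commands resolve ids the same way. `api.resource(user_resource_id)` is also constructed twice; assign it once and call `exists?` and `rotate_api_key` on that object.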
data/lib/conjur/version.rb
CHANGED
data/push-image
CHANGED
@@ -3,6 +3,7 @@
|
|
3
3
|
set -e
|
4
4
|
|
5
5
|
readonly REGISTRY="cyberark"
|
6
|
+
readonly INTERNAL_REGISTRY="registry2.itci.conjur.net"
|
6
7
|
readonly VERSION="$(cat VERSION)"
|
7
8
|
readonly VERSION_TAG="5-${VERSION}"
|
8
9
|
readonly image_name="conjur-cli"
|
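Review bot: `readonly INTERNAL_REGISTRY="registry2.itci.conjur.net"` bakes an internal registry hostname into a script that ships inside the published gem (`data/push-image`). Read the value from the CI environment and fail when it is unset, so the public package does not carry internal infrastructure names and the push target can change without a release.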
@@ -22,17 +23,24 @@ git_description=$(git describe)
|
|
22
23
|
# only when tag matches the VERSION, push VERSION and latest releases
|
23
24
|
# and x and x.y releases
|
24
25
|
#Ex: v5-6.2.1
|
25
|
-
if [ "$git_description" = "v${
|
26
|
-
echo "Revision $git_description matches version $VERSION exactly. Pushing to Dockerhub..."
|
26
|
+
if [ "${git_description}" = "v${VERSION}" ]; then
|
27
|
+
echo "Revision ${git_description} matches version ${VERSION} exactly. Pushing to Dockerhub..."
|
27
28
|
|
28
29
|
for tag in "${TAGS[@]}"; do
|
29
|
-
echo "Tagging and pushing $REGISTRY/$image_name:$tag"
|
30
|
+
echo "Tagging and pushing ${REGISTRY}/${image_name}:${tag}"
|
31
|
+
|
32
|
+
# push to dockerhub
|
33
|
+
docker tag "${full_image_name}" "${REGISTRY}/${image_name}:${tag}"
|
34
|
+
docker push "${REGISTRY}/${image_name}:${tag}"
|
35
|
+
|
36
|
+
# push to internal registry
|
37
|
+
# necessary because some cyberark teams/networks can't pull from dockerhub
|
38
|
+
docker tag "${full_image_name}" "${INTERNAL_REGISTRY}/${image_name}:${tag}"
|
39
|
+
docker push "${INTERNAL_REGISTRY}/${image_name}:${tag}"
|
30
40
|
|
31
|
-
docker tag $full_image_name "$REGISTRY/$image_name:$tag"
|
32
|
-
docker push "$REGISTRY/$image_name:$tag"
|
33
41
|
done
|
34
42
|
|
35
43
|
# push to legacy `conjurinc/cli5` tag
|
36
|
-
docker tag $full_image_name conjurinc/cli5:latest
|
44
|
+
docker tag "${full_image_name}" conjurinc/cli5:latest
|
37
45
|
docker push conjurinc/cli5:latest
|
38
46
|
fi
|
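Review bot: The condition compares `git_description` with `v${VERSION}`, but the comment directly above still gives `#Ex: v5-6.2.1` and the script defines `VERSION_TAG="5-${VERSION}"`; update the comment or compare against `v${VERSION_TAG}`, whichever tag format is really in use. The message "Pushing to Dockerhub..." is also out of date now that every tag is pushed to `INTERNAL_REGISTRY` too, and under `set -e` a failed internal push stops the loop after some tags have already been published to Docker Hub.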
data/spec/command/hosts_spec.rb
CHANGED
@@ -9,13 +9,21 @@ describe Conjur::Command::Hosts, logged_in: true do
|
|
9
9
|
expect(RestClient::Request).to receive(:execute).with({
|
10
10
|
method: :head,
|
11
11
|
url: "https://core.example.com/api/resources/#{account}/host/redis001",
|
12
|
-
headers: {
|
12
|
+
headers: {
|
13
|
+
authorization: "fakeauth",
|
14
|
+
},
|
15
|
+
username: "dknuth",
|
16
|
+
ssl_cert_store: cert_store
|
13
17
|
}).and_return true
|
14
18
|
expect(RestClient::Request).to receive(:execute).with({
|
15
19
|
method: :put,
|
16
20
|
url: "https://core.example.com/api/authn/#{account}/api_key?role=#{account}:host:redis001",
|
17
|
-
headers: {
|
18
|
-
|
21
|
+
headers: {
|
22
|
+
authorization: "fakeauth",
|
23
|
+
},
|
24
|
+
payload: '',
|
25
|
+
username: "dknuth",
|
26
|
+
ssl_cert_store: cert_store
|
19
27
|
}).and_return double(:response, body: 'new api key')
|
20
28
|
end
|
21
29
|
|
@@ -23,5 +31,20 @@ describe Conjur::Command::Hosts, logged_in: true do
|
|
23
31
|
invoke
|
24
32
|
end
|
25
33
|
end
|
34
|
+
|
35
|
+
describe_command 'host rotate_api_key --host non-existing' do
|
36
|
+
before do
|
37
|
+
expect(RestClient::Request).to receive(:execute).with({
|
38
|
+
method: :head,
|
39
|
+
url: "https://core.example.com/api/resources/#{account}/host/non-existing",
|
40
|
+
headers: {authorization: "fakeauth"},
|
41
|
+
username: username,
|
42
|
+
ssl_cert_store: cert_store
|
43
|
+
}).and_raise RestClient::ResourceNotFound
|
44
|
+
end
|
45
|
+
it 'rotate_api_key with non-existing --host option' do
|
46
|
+
expect { invoke }.to raise_error(GLI::CustomExit, /Host 'non-existing' not found/i)
|
47
|
+
end
|
48
|
+
end
|
26
49
|
end
|
27
50
|
end
|
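Review bot: The example description 'rotate_api_key with non-existing --host option' states the input but not the expected outcome. Name the behaviour being asserted, for instance "exits with a not-found error when the host does not exist", so a failure report reads as a broken requirement rather than a broken invocation.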