conjur-cli 4.18.0 → 4.18.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 72781b9c56ed02155378f270c0c36ca4041870e4
-  data.tar.gz: babddd4db4c6af48e79f68b5efefdaef2af9ae33
+  metadata.gz: 48872bafebcf0d1adecc8364f839bd7318839c14
+  data.tar.gz: 523c5883db7eb7faf4afad5f31543e8629490685
 SHA512:
-  metadata.gz: 02429a61b261a87cbb604fea379de4b096431dd6b385df0c3924e637a30ee4e08560867b6e28cc8de1deff349f9c1f156f4a2382ccd4de0bcf45634e1619e6e2
-  data.tar.gz: 26ee97af5b20b8568cac44be5f293d9fb157b80d7ffe3d87d71dd3589df43152f557d89ca71777c0cda57a99256f76e1ae7bc08af8856f17c0ac67d50e5e272c
+  metadata.gz: e00e1a4898d768816840ee41887b5ed59f6d3fa68d3bf1677ff0ce9388c88bb844b476581bf64e076b903b5fe6c7822047f30e68416d7fe789da7afbc85928aa
+  data.tar.gz: 018110603af0cda168cc4bc7d525fd12cf8e3332135abd2c73013bfaa7cacbf27ca471e8ae1b3ef83dc22a5daaf3faab144fb0c074c14a291af0bbdf2856f0b9

data/.gitignore

@@ -1,3 +1,5 @@
+.gems
+.rbenv*
 *.policy
 .conjurrc
 *.cert

data/CHANGELOG.md

@@ -1,6 +1,27 @@
+# 4.18.5
+
+* Bump conjur-api version to mime-types problem
+
+# 4.18.4
+
+* Revert "Find (and store) credentials by only a hostname as the machine in netrc"
+
+# 4.18.3
+
+* Use the latest conjur-ssh cookbook version for conjurize
+
+# 4.18.2
+
+* Require a recent version of netrc
+* Complain if netrc is world readable
+* Find (and store) credentials by only a hostname as the machine in netrc
+* Make the command start up faster by lazy loading some gems
+* `authn whoami` will notice if the user is logged in via env vars
+* `conjurize` default conjur-ssh cookbook updated to 1.2.2
+
 # 4.18.0
 
-* New `conjurize` command 
+* New `conjurize` command
 * Deprecate the `host enroll` command
 * `variable create` command now takes an optional value for the variable after the variable id
 * Configure "permissive" netrc to allow the `conjur` Unix group to read the `.netrc` or `conjur.identity` file.
@@ -14,7 +35,7 @@
 # 4.16.0
 
 * Add 'bootstrap' CLI command
-* Raise a better error if conjur env encounters a variable with no value 
+* Raise a better error if conjur env encounters a variable with no value
 
 # 4.15.0
 

data/Rakefile

@@ -11,7 +11,7 @@ Cucumber::Rake::Task.new :features
 
 task :jenkins => ['ci:setup:rspec', :spec, 'ci:setup:cucumber_report_cleanup'] do
   Cucumber::Rake::Task.new do |t|
-    t.cucumber_opts = "--format CI::Reporter::Cucumber"
+    t.cucumber_opts = "--format progress --format CI::Reporter::Cucumber --out features/reports"
   end.runner.run
   File.write('build_number', ENV['BUILD_NUMBER']) if ENV['BUILD_NUMBER']
 end

data/bin/_conjur_completions.yaml

@@ -17,6 +17,7 @@
   :authenticate: true
   :logout: true
   :whoami: true
+:bootstrap: true
 :env:
   :run: true
   :check: true
@@ -26,6 +27,7 @@
   :create: true
   :list: true
   :show: true
+  :retire: true
   :members:
     :list: true
     :add: true
@@ -33,6 +35,7 @@
 :host:
   :create: true
   :show: true
+  :retire: true
   :list: true
   :enroll: true
   :layers: true
@@ -85,6 +88,7 @@
 :user:
   :create: true
   :show: true
+  :retire: true
   :list: true
   :update_password: true
   :update: true
@@ -92,6 +96,7 @@
 :variable:
   :create: true
   :show: true
+  :retire: true
   :list: true
   :values:
     :add: true

data/conjur.gemspec

@@ -17,15 +17,15 @@ Gem::Specification.new do |gem|
 
 
   gem.add_dependency 'activesupport'
-  gem.add_dependency 'conjur-api', '>=4.11.0'
+  gem.add_dependency 'conjur-api', '~> 4.11.2'
   gem.add_dependency 'gli', '>=2.8.0'
   gem.add_dependency 'highline'
-  gem.add_dependency 'netrc'
+  gem.add_dependency 'netrc', '~> 0.10.2'
   gem.add_dependency 'methadone'
   gem.add_dependency 'deep_merge'
-  
+
   gem.add_runtime_dependency 'cas_rest_client'
-  
+
   gem.add_development_dependency 'rspec', '~> 3.0'
   gem.add_development_dependency 'simplecov'
   gem.add_development_dependency 'aruba', '~> 0.6.1'

data/features/conjurize.feature

@@ -58,10 +58,10 @@ CONJUR_IDENTITY
 chmod 0600 /etc/conjur.identity
 
 """
-    
+
   Scenario: conjurize with SSH installation
     When I conjurize "--ssh"
-    Then the stdout should contain exactly:
+    Then the stdout should contain:
 """
 #!/bin/sh
 set -e
@@ -108,14 +108,17 @@ CONJUR_IDENTITY
 chmod 0600 /etc/conjur.identity
 
 curl -L https://www.opscode.com/chef/install.sh | bash
-chef-solo -r https://github.com/conjur-cookbooks/conjur-ssh/releases/download/v1.2.0/conjur-ssh-v1.2.0.tar.gz -o conjur-ssh
 
 """
+    And the output should match:
+    """
+    chef-solo -r https:\/\/github.com\/conjur-cookbooks\/conjur-ssh\/releases\/download/v\d\.\d\.\d/conjur-ssh-v\d\.\d\.\d.tar.gz -o conjur-ssh
+    """
 
   Scenario: conjurize with arbitrary cookbook
     When I conjurize "--conjur-cookbook-url https://example.com --conjur-run-list fry"
     Then the stdout should contain "chef-solo -r https://example.com -o fry"
-    
+
   Scenario: conjurize with path to chef-solo
     When I conjurize "--chef-executable /path/to/chef-solo --conjur-cookbook-url https://example.com --conjur-run-list fry"
     Then the stdout should contain "/path/to/chef-solo -r https://example.com -o fry"
@@ -128,4 +131,4 @@ chef-solo -r https://github.com/conjur-cookbooks/conjur-ssh/releases/download/v1
     And the stdout should contain "sudo -n tee /etc/conjur.identity > /dev/null << CONJUR_IDENTITY"
     And the stdout should contain "sudo -n chmod 0600 /etc/conjur.identity"
     And the stdout should contain "curl -L https://www.opscode.com/chef/install.sh | sudo -n bash"
-    
+

data/features/dsl_user_create.feature

@@ -10,7 +10,7 @@ namespace do
   user "bob"
 end
     """
-    Then the model should contain "user" /^bob@/
+    Then the model should contain "user" /bob@.+/
 
   Scenario: Namespace can be used as a no-arg method
     When I run script:

data/features/step_definitions/dsl_steps.rb

@@ -12,7 +12,9 @@ end
 Then(/^the model should contain "(.*?)" "(.*?)"$/) do |kind, id|
   @mock_api.thing(kind, id).should_not be_nil
 end
-
+Then(/^the model should contain "(.*?)" \/(.*?)\/$/) do |kind, id|
+  @mock_api.thing_like(kind, Regexp.new(id)).should_not be_nil
+end
 Then(/^the "(.*?)" "(.*?)" should be owned by "(.*?)"$/) do |kind, id, owner|
   step "the model should contain \"#{kind}\" \"#{id}\""
   @mock_api.thing(kind, id).ownerid.should == owner

data/features/support/hooks.rb

@@ -11,6 +11,10 @@ class MockAPI
     (@things[kind.to_sym] || []).find{|r| r.id == id}  
   end
   
+  def thing_like(kind, id_pattern)
+    (@things[kind.to_sym] || []).find{|r| id_pattern.match(r.id)}  
+  end
+
   def create_host(options = {})
     id = options.delete(:id)
     if id

data/lib/conjur/authn.rb

@@ -28,6 +28,12 @@ Netrc.configure do |config|
 end
 
 module Conjur::Authn
+  class NoCredentialsError < RuntimeError
+    def initialize
+      super "No Conjur credentials provided or found"
+    end
+  end
+  
   autoload :API,      'conjur/authn-api'
   class << self
     def login(options = {})
@@ -50,11 +56,18 @@ module Conjur::Authn
     end
     
     def netrc
+      @netrc ||= read_netrc
+    end
+    
+    def read_netrc
       args = []
       if path = Conjur::Config[:netrc_path]
         args.unshift(path)
+      else
+        path = Netrc.default_path
       end
-      @netrc ||= Netrc.read(*args)
+      fail "netrc (#{path}) shouldn't be world-readable" if File.world_readable?(path)
+      Netrc.read(*args)
     end
     
     def get_credentials(options = {})
@@ -85,7 +98,7 @@ module Conjur::Authn
     end
     
     def ask_for_credentials(options = {})
-      raise "No Conjur credentials provided or found" if options[:noask]
+      raise NoCredentialsError if options[:noask]
 
       # also use stderr here, because we might be prompting for a password as part
       # of a command like user:create that we'd want to send to a file.

data/lib/conjur/cli.rb

@@ -22,7 +22,12 @@ require 'gli'
 # need this to prevent an active support bug in some versions
 require 'active_support'
 require 'active_support/deprecation'
+require 'tmpdir'
 
+# this makes mime/types gem load much faster by lazy loading
+# mime types and caching them in binary form
+ENV['RUBY_MIME_TYPES_LAZY_LOAD'] ||= 'true'
+ENV['RUBY_MIME_TYPES_CACHE'] ||= File.join Dir.tmpdir, 'conjur.mimetype.cache'
 
 module Conjur
   autoload :Config,                 'conjur/config'

data/lib/conjur/command/authn.rb

@@ -86,9 +86,10 @@ It should be running the CAS RESTful services at the /v1 path
     authn.desc "Prints out the current logged in username"
     authn.command :whoami do |c|
       c.action do
-        if creds = Conjur::Authn.read_credentials
+        begin
+          creds = Conjur::Authn.get_credentials(noask: true)
           puts({account: Conjur::Core::API.conjur_account, username: creds[0]}.to_json)
-        else
+        rescue Conjur::Authn::NoCredentialsError
           exit_now! 'Not logged in.', -1
         end
       end

data/lib/conjur/command/env.rb

@@ -17,10 +17,7 @@
 # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-#require 'conjur/authn'
-#require 'conjur/command'
-require 'conjur/conjurenv'
+
 require 'tempfile'
 
 class Conjur::Command::Env < Conjur::Command
@@ -41,6 +38,8 @@ class Conjur::Command::Env < Conjur::Command
   end
 
   def self.get_env_object options
+    require 'conjur/conjurenv'
+
     if options[:yaml] and options[:c]!='.conjurenv'
       exit_now! "Options -c and --yaml can not be provided together"
     end

data/lib/conjur/command/init.rb

@@ -18,7 +18,6 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
-require 'highline'
 require 'conjur/command'
 require 'openssl'
 require 'socket'
@@ -29,8 +28,7 @@ class Conjur::Command::Init < Conjur::Command
   def self.write_file(filename, force, &block)
     if File.exists?(filename)
       unless force
-        hl = HighLine.new $stdin, $stderr
-        force = true if hl.ask("File #{filename} exists. Overwrite (yes/no): ").strip == "yes"
+        force = true if highline.ask("File #{filename} exists. Overwrite (yes/no): ").strip == "yes"
       end
       exit_now! "Not overwriting #{filename}" unless force
     end
@@ -56,9 +54,7 @@ class Conjur::Command::Init < Conjur::Command
     c.flag "force"
 
     c.action do |global_options,options,args|
-      hl = HighLine.new $stdin, $stderr
-
-      hostname = options[:hostname] || hl.ask("Enter the hostname (and optional port) of your Conjur endpoint: ").to_s
+      hostname = options[:hostname] || highline.ask("Enter the hostname (and optional port) of your Conjur endpoint: ").to_s
       protocol, hostname = (hostname.scan %r(^(?:(.*)://)?(.*))).first
       exit_now! "only https protocol supported" unless protocol.nil? || protocol == 'https'
       if hostname
@@ -70,7 +66,7 @@ class Conjur::Command::Init < Conjur::Command
         account = Conjur::Core::API.info['account'] or raise "Expecting 'account' in Core info"
       else
         # using .to_s to overcome https://github.com/JEG2/highline/issues/69
-        hl.ask("Enter your organization account name: ").to_s
+        highline.ask("Enter your organization account name: ").to_s
       end
 
       if (certificate = options[:certificate]).blank?
@@ -87,7 +83,7 @@ class Conjur::Command::Init < Conjur::Command
 
           puts "\nPlease verify this certificate on the appliance using command:
                 openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem\n\n"
-          exit_now! "You decided not to trust the certificate" unless hl.ask("Trust this certificate (yes/no): ").strip == "yes"
+          exit_now! "You decided not to trust the certificate" unless highline.ask("Trust this certificate (yes/no): ").strip == "yes"
         end
       end
 
@@ -146,4 +142,12 @@ class Conjur::Command::Init < Conjur::Command
     ssock.close if ssock
     sock.close if sock
   end
+
+  private
+
+  def self.highline
+    # isolated here so that highline is only loaded on demand
+    require 'highline'
+    @hl ||= HighLine.new $stdin, $stderr
+  end
 end

data/lib/conjur/conjurize.rb

@@ -1,12 +1,21 @@
 require 'methadone'
 require 'json'
+require 'open-uri'
 require 'conjur/version.rb'
 
+def latest_conjur_ssh_release
+  url = 'https://api.github.com/repos/conjur-cookbooks/conjur-ssh/releases'
+  resp = open(url)
+  json = JSON.parse(resp.read)
+  latest = json[0]['assets'].select {|asset| asset['name'] =~ /conjur-ssh-v\d.\d.\d.tar.gz/}[0]
+  latest['browser_download_url']
+end
+
 module Conjur
   class Conjurize
     include Methadone::Main
     include Methadone::CLILogging
-  
+
     description <<-DESC
 Generate a script to install Conjur onto a machine. "conjurize" is designed to be used
 in a piped execution, along with "conjur host create" and "ssh". For example:
@@ -15,7 +24,7 @@ conjur host create myhost.example.com | tee host.json | conjurize --ssh | ssh my
 DESC
 
     version Conjur::VERSION
-    
+
     main do
       input = if input_file = options[:f]
         File.read(input_file)
@@ -23,10 +32,10 @@ DESC
         STDIN.read
       end
       host = JSON.parse input
-      
+
       login = host['id'] or raise "No 'id' field in host JSON"
       api_key = host['api_key'] or raise "No 'api_key' field in host JSON"
-        
+
       require 'conjur/cli'
       if conjur_config = options[:c]
         Conjur::Config.load [ conjur_config ]
@@ -34,29 +43,29 @@ DESC
         Conjur::Config.load
       end
       Conjur::Config.apply
-        
+
       conjur_cookbook_url = conjur_run_list = nil
-        
+
       conjur_run_list = options[:"conjur-run-list"]
       conjur_cookbook_url = options[:"conjur-cookbook-url"]
       chef_executable = options[:"chef-executable"]
-      
+
       if options[:ssh]
         conjur_run_list ||= "conjur-ssh"
-        conjur_cookbook_url ||= "https://github.com/conjur-cookbooks/conjur-ssh/releases/download/v1.2.0/conjur-ssh-v1.2.0.tar.gz"
+        conjur_cookbook_url ||= latest_conjur_ssh_release()
       end
-      
-      sudo = lambda{|str| 
+
+      sudo = lambda{|str|
         [ options[:sudo] ? "sudo -n" : nil, str ].compact.join(" ")
       }
-      
+
       header = <<-HEADER
 #!/bin/sh
 set -e
 
 # Implementation note: 'tee' is used as a sudo-friendly 'cat' to populate a file with the contents provided below.
       HEADER
-      
+
       configure_conjur = <<-CONFIGURE
 #{sudo.call 'tee'} /etc/conjur.conf > /dev/null << CONJUR_CONF
 account: #{Conjur.configuration.account}
@@ -77,13 +86,13 @@ machine #{Conjur.configuration.appliance_url}/authn
 CONJUR_IDENTITY
 #{sudo.call 'chmod'} 0600 /etc/conjur.identity
       CONFIGURE
-      
+
       install_chef = if conjur_cookbook_url && !chef_executable
         %Q(curl -L https://www.opscode.com/chef/install.sh | #{sudo.call 'bash'})
       else
         nil
       end
-      
+
       chef_executable ||= "chef-solo"
 
       run_chef = if conjur_cookbook_url
@@ -91,10 +100,10 @@ CONJUR_IDENTITY
       else
         nil
       end
-      
+
       puts [ header, configure_conjur, install_chef, run_chef ].compact.join("\n")
     end
-    
+
     on("-c CONJUR_CONFIG_FILE", "Overrides defaults (CONJURRC env var, ~/.conjurrc, /etc/conjur.conf).")
     on("-f HOST_JSON_FILE", "Host login and API key can be read from the output emitted from 'conjur host create'. This data can be obtained from stdin, or from a file.")
     on("--chef-executable PATH", "If specified, the designated chef-solo executable is used, otherwise Chef is installed on the target machine.")

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.18.0"
+  VERSION = "4.18.6"
   ::Version=VERSION
 end

data/spec/authn_spec.rb

@@ -2,38 +2,46 @@ require 'conjur/authn'
 require 'conjur/config'
 
 describe Conjur::Authn do
+  let(:netrc) { Netrc.read '' }
+  before do
+    Conjur::Authn.instance_variable_set("@netrc", netrc)
+  end
+
   describe "credentials from environment" do
-    before {
+    before do
       Conjur::Authn.instance_variable_set("@credentials", nil)
       expect(ENV).to receive(:[]).with("CONJUR_AUTHN_LOGIN").and_return "the-login"
       expect(ENV).to receive(:[]).with("CONJUR_AUTHN_API_KEY").and_return "the-api-key"
-    }
-    after {
+    end
+
+    after do
       Conjur::Authn.instance_variable_set("@credentials", nil)
-    }
+    end
+
     it "are used to authn" do
       expect(Conjur::Authn.get_credentials).to eq([ "the-login", "the-api-key" ])
     end
+
     it "are not written to netrc" do
-      allow(Conjur::Authn).to receive(:write_credentials).and_raise "should not write credentials"
+      expect(Conjur::Authn).not_to receive(:write_credentials)
       Conjur::Authn.get_credentials
     end
   end
+
   describe "netrc" do
-    before {
-      Conjur::Authn.instance_variable_set("@netrc", nil)
-      expect(Conjur::Config).to receive(:[]).with(:netrc_path).and_return path
-    }
-    after {
-      Conjur::Authn.instance_variable_set("@netrc", nil)
-    }
+    let(:netrc) { nil }
+    before do
+      allow(Conjur::Config).to receive(:[]).with(:netrc_path).and_return path
+    end
+
     context "with specified netrc_path" do
-      let(:path) { double("path") }
+      let(:path) { "/a/dummy/netrc/path" }
       it "consults Conjur::Config for netrc_path" do
         expect(Netrc).to receive(:read).with(path).and_return netrc = double("netrc")
         expect(Conjur::Authn.netrc).to eq(netrc)
       end
     end
+
     context "without specified netrc_path" do
       let(:path) { nil }
       it "uses default netrc path" do

data/spec/command/authn_spec.rb

@@ -44,6 +44,16 @@ describe Conjur::Command::Authn do
       end
     end
   end
+  
+  context "when login credentials are available in the environment" do
+    before do
+      expect(ENV).to receive(:[]).with("CONJUR_AUTHN_LOGIN").and_return username
+      expect(ENV).to receive(:[]).with("CONJUR_AUTHN_API_KEY").and_return 'the-password'
+      it "prints the current account and username to stdout" do
+        expect { invoke }.to write({ account: account, username: username }.to_json)
+      end
+    end
+  end
 
   context "when logged in", logged_in: true do
     describe_command 'authn:logout' do

data/spec/command/init_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'highline'
 
 GITHUB_FP = "SHA1 Fingerprint=A0:C4:A7:46:00:ED:A7:2D:C0:BE:CB:9A:8C:B6:07:CA:58:EE:74:5E"
 GITHUB_CERT = <<EOF

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 4.18.0
+  version: 4.18.6
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-07 00:00:00.000000000 Z
+date: 2015-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -29,16 +29,16 @@ dependencies:
   name: conjur-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 4.11.0
+        version: 4.11.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: 4.11.0
+        version: 4.11.2
 - !ruby/object:Gem::Dependency
   name: gli
   requirement: !ruby/object:Gem::Requirement
@@ -71,16 +71,16 @@ dependencies:
   name: netrc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.10.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.10.2
 - !ruby/object:Gem::Dependency
   name: methadone
   requirement: !ruby/object:Gem::Requirement