conjur-cli 4.24.0 → 4.25.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f4a996c0914a820ab371451e111785dc061c89a7
-  data.tar.gz: 3469ca2580a5df324247818f181515e530d4bc03
+  metadata.gz: 9327368d238b90717af3151f2fc1a2091ff4f051
+  data.tar.gz: a90f6d8e898919557b9b20f54435a5b07d508f61
 SHA512:
-  metadata.gz: c73f490d57c0dbd9cfc0c69aab11d6832442be416c29cc4b147d048669ca7c0914bdeda8ed6f82f8bde7d171ca955680b201af0685f879ba85334de850e0438b
-  data.tar.gz: b4a2f624525b425cfbfbb69eb03f2b04fd84cbe02772f47ac4dbe14371860aa764dfaa69151e8cc0a021108388ed7c491420cdd16a6944bf539b673c13f03dee
+  metadata.gz: d3b6e29c9c849478d5a67e50d0d59b6e5973dced0d58010d00fbdd1c2dc5287911a9f308c5b9ba9bc6320ea6fedfcb9e098b53582227b1231e95b3693d2a6bb1
+  data.tar.gz: a7a9a8fb315d6fd1dd089e6e0e3cd2330ea98f8ccb37f555eea056d09a5d258660b9b6f793f475951390d2de0c597e01ec04f339dd2e4a670d14c78e93b526be

data/CHANGELOG.md

@@ -1,4 +1,13 @@
-# Unreleased
+# 4.25.0
+
+* A record can be retired to a specific role, in addition to the default behavior of retiring to the `attic` user.
+* Variable can be created with the id only, without becoming interactive
+* Run `conjur variable create -i -a` to create interactively with annotations
+* Interactive annotation can be performed on bare resources with `conjur resource annotate -i`.
+* Don't require 'admin' user to bootstrap, prompt to create a new security admin during bootstrap
+* Check if user privileges are sufficient before running `retire`
+* Don't revoke a user's access to a record in the middle of retire, because doing so leads to 403 errors later on.
+* Interactive mode of user, group and pubkey creation
 
 # 4.24.0
 

data/PUBLISH.md

@@ -0,0 +1,26 @@
+# Publishing the CLI
+
+We distribute the Conjur CLI as a package for Ubuntu, Centos, OSX and also as a rubygem.
+
+Steps to publish a new version of the CLI:
+
+1. Update `VERSION` in [lib/conjur/version.rb](lib/conjur/version.rb)
+2. Update the [CHANGELOG.md](CHANGELOG.md) with any changes for this version
+3. Commit these changes with the message `"v#{VERSION}"`, where `VERSION` = the new version
+4. Go to the specific build page for the commit [in Jenkins](https://jenkins.conjur.net/job/cli-ruby/)
+5. In the left sidebar, open `Promotion Status`
+6. Click `Approve` for the "rubygems" promotion and wait for it to finish
+7. Click `Approve` for the "packages" promotion, this will kick off the [omnibus-conjur](https://jenkins.conjur.net/job/omnibus-conjur/) build flow [1](#ref1).
+8. Download the [deb](https://jenkins.conjur.net/job/omnibus-conjur-ubuntu/), [rpm](https://jenkins.conjur.net/job/omnibus-conjur-centos/) and [pkg](https://jenkins.conjur.net/job/omnibus-conjur-osx/) packages from their build pages in Jenkins.
+9. Move the downloaded files to the `pkg` folder in your local [omnibus-conjur](https://github.com/conjurinc/omnibus-conjur) project.
+10. In the `omnibus-conjur` project, upload each file to S3 with `./publish pkg/<filename>`.
+11. Update the links on the [CLI page](https://github.com/conjurinc/developer-www/blob/master/app/views/pages/cli/index.html.haml) for the devsite.
+12. Promote the devsite to production [in Jenkins](https://jenkins.conjur.net/job/developer-www/) [2](#ref2).
+
+---
+
+<a id="ref1">1</a>:
+The packages promotion depends on the new gem version being published.
+
+<a id="ref2">2</a>
+After deploy it will take a few minutes for the cache to update.

data/lib/conjur/authn.rb

@@ -91,6 +91,8 @@ module Conjur::Authn
       write_credentials
     end
     
+    alias save_credentials fetch_credentials
+    
     def write_credentials
       netrc[host] = @credentials
       netrc.save

data/lib/conjur/cli.rb

@@ -113,12 +113,12 @@ module Conjur
         group = Conjur::Command.api.group(as_group)
         role = Conjur::Command.api.role(group.roleid)
         exit_now!("Group '#{as_group}' doesn't exist, or you don't have permission to use it") unless role.exists?
-        options[:"ownerid"] = group.roleid
+        options[:ownerid] = group.roleid
       end
       if as_role = options.delete(:"as-role")
         role = Conjur::Command.api.role(as_role)
         exit_now!("Role '#{as_role}' does not exist, or you don't have permission to use it") unless role.exists?
-        options[:"ownerid"] = role.roleid
+        options[:ownerid] = role.roleid
       end
       
       true

data/lib/conjur/command.rb

@@ -18,6 +18,8 @@
 # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
+require 'base64'
+
 module Conjur
   class Command
     extend Conjur::IdentifierManipulation
@@ -42,13 +44,23 @@ module Conjur
       def api
         @@api ||= Conjur::Authn.connect
       end
+      
+      def current_user
+        username = api.username
+        kind, id = username.split('/')
+        unless kind && id
+          id = kind
+          kind = 'user'
+        end
+        api.send(kind, username)
+      end
 
       # Prevent a deprecated command from being displayed in the help output
       def hide_docs(command)
         def command.nodoc; true end
       end
 
-      def acting_as_option(command)
+      def acting_as_option command
         return if command.flags.member?(:"as-group") # avoid duplicate flags
         command.arg_name 'Perform all actions as the specified Group'
         command.flag [:"as-group"]
@@ -57,6 +69,45 @@ module Conjur
         command.flag [:"as-role"]
       end
       
+      def interactive_option command
+        command.arg_name 'interactive'
+        command.desc 'Create variable interactively'
+        command.switch [:i, :'interactive']
+      end
+      
+      def annotate_option command
+        command.arg_name 'annotate'
+        command.desc 'Add variable annotations interactively'
+        command.switch [:a, :annotate]
+      end
+
+      def prompt_for_annotations
+        highline.say('Add annotations (a name and value for each one):')
+        {}.tap do |annotations|
+          until (name = highline.ask('  annotation name (press enter to quit annotations): ')).empty?
+            annotations[name] = read_till_eof('  annotation value (^D on its own line to finish):')
+          end
+        end
+      end
+      
+      def highline
+        require 'highline'
+        @highline ||= HighLine.new($stdin,$stderr)
+      end
+    
+      def read_till_eof(prompt = nil)
+        highline.say(prompt) if prompt
+        [].tap do |lines|
+          loop do
+            begin
+              lines << highline.ask('')
+            rescue EOFError
+              break
+            end
+          end
+        end.join("\n")
+      end
+      
       def command_options_for_list(c)
         return if c.flags.member?(:role) # avoid duplicate flags
         c.desc "Role to act as. By default, the current logged-in role is used."
@@ -100,6 +151,53 @@ module Conjur
         end
       end
       
+      def validate_privileges message, &block
+        valid = begin
+          yield
+        rescue RestClient::Forbidden
+          false
+        end
+        exit_now! message unless valid
+      end
+      
+      def retire_options command
+        command.arg_name 'role'
+        command.desc "Specify a role to give the retired record to (default: the 'attic' user)"
+        command.long_desc %Q(When retired, all a record's roles and permissions are revoked.
+        
+As a final step, the record is 'given' (e.g. 'conjur resource give') to a destination role.
+The default role to receive the record is the user 'attic'. This option can be used to specify
+an alternative destination role.)
+        command.flag [:d, :"destination-role"]
+      end
+      
+      def destination_role options
+        destination = options[:"destination-role"]
+        if destination
+          api.role(destination)
+        else
+          api.user('attic')
+        end
+      end
+      
+      def validate_retire_privileges record, options
+        if record.respond_to?(:role)
+          memberships = current_user.role.memberships.map(&:roleid)
+          validate_privileges "You can't administer this record" do
+            # The current user has a role which is admin of the record's role
+            record.role.members.find{|m| memberships.member?(m.member.roleid) && m.admin_option}
+          end
+        end
+        
+        validate_privileges "You don't own the record" do
+          # The current user has the role which owns the record's resource
+          current_user.role.member_of?(record.resource.ownerid)
+        end
+        
+        role = destination_role(options)
+        exit_now! "Destination role '#{role.roleid}' doesn't exist" unless role.exists?
+      end
+      
       def retire_resource obj
         obj.resource.attributes['permissions'].each do |p|
           role = api.role(p['role'])
@@ -111,13 +209,36 @@ module Conjur
       end
         
       def retire_role obj
-        obj.role.members.each do |r|
+        members = obj.role.members
+        # Move the invoking role to the end of the roles list, so that it doesn't
+        # lose its permissions in the middle of this operation.
+        # I'm sure there's a cleaner way to do this.
+        self_member = members.select{|m| m.member.roleid == current_user.role.roleid}
+        self_member.each do |m|
+          members.delete m
+        end
+        members.concat self_member if self_member
+        members.each do |r|
           member = api.role(r.member)
           puts "Revoking from role #{member.roleid}"
           obj.role.revoke_from member
         end
       end
       
+      def give_away_resource obj, options
+        destination = options[:"destination-role"]
+        destination_role = if destination
+          api.role(destination)
+        else
+          api.user('attic')
+        end
+
+        exit_now! "Role #{destination_role.roleid} doesn't exist" unless destination_role.exists?
+        
+        puts "Giving ownership to '#{destination_role.roleid}'"
+        obj.resource.give_to destination_role
+      end
+      
       def display_members(members, options)
         result = if options[:V]
           members.collect {|member|
@@ -148,6 +269,106 @@ module Conjur
         puts str
       end
 
+      def prompt_to_confirm kind, properties
+        puts
+        puts "A new #{kind} will be created with the following properties:"
+        puts
+        properties.select{|k,v| !v.blank?}.each do |k,v|
+          printf "%-10s: %s\n", k, v
+        end
+        puts
+        
+        exit(0) unless %w(yes y).member?(highline.ask("Proceed? (yes/no): ").strip.downcase)
+      end
+      
+      def integer? v
+        Integer(v, 10) rescue false
+      end
+    
+      def prompt_for_id kind, label = 'id'
+        highline.ask("Enter the #{label}: ") do |q|
+          q.readline = true
+          q.validate = lambda{|id|
+            !id.blank? && !api.send(kind, id).exists?
+          }
+          q.responses[:not_valid] = "<% if @answer.blank? %>"\
+              "#{label} cannot be blank<% else %>"\
+              "A #{kind} called '<%= @answer %>' already exists<% end %>"
+        end
+      end
+
+      def prompt_for_public_key
+        public_key = highline.ask("Enter the public key (press enter to skip): ") do |q|
+          q.validate = lambda{|key|
+            if key.blank?
+              true
+            else
+              validate_public_key key
+            end
+          }
+          q.responses[:not_valid] = "Public key format is invalid; please try again"
+        end
+        public_key.blank? ? nil : public_key.strip
+      end
+    
+      # http://serverfault.com/questions/453296/how-do-i-validate-a-rsa-ssh-public-key-file-id-rsa-pub
+      def validate_public_key key
+        if system('which ssh-keygen 2>&1 > /dev/null')
+          Conjur.log.debug "Using ssh-keygen to verify the public key\n" if Conjur.log
+          require 'tempfile'
+          tempfile = Tempfile.new 'public_key'
+          tempfile.write(key)
+          tempfile.close
+          `ssh-keygen -l -f #{tempfile.path}`
+          $? == 0
+        else
+          Conjur.log.debug "ssh-keygen is not available; falling back to simple string testing\n" if Conjur.log
+          # Should be a line with at least 2 components,
+          # first one being the algo id and second a base64 string.
+          # In principle this means:
+          #   Base64.strict_decode64 key.strip[/\Assh-\w+ (\S+).*/, 1]
+
+          # Since the pubkeys service is more strict: needs a name and
+          # rejects ones with a space, instead reproduce its algorithm here.
+          begin
+            components = key.strip.split ' '
+            Base64.strict_decode64 components[1]
+            components.length == 3
+          rescue NoMethodError, ArgumentError
+            false
+          end
+        end
+      end
+      
+      def prompt_for_group options = {}
+        options[:hint] ||= "press enter to own the record yourself"
+        group_ids = api.groups.map(&:id)
+        
+        highline.ask("Enter the group which will own the record (#{options[:hint]}): ", [ "" ] + group_ids) do |q|
+          require 'readline'
+          Readline.completion_append_character = ""
+          Readline.completer_word_break_characters = ""
+          
+          q.readline = true
+          q.validate = lambda{|id|
+            @group = nil
+            id.empty? || (@group = api.group(id)).exists?
+          }
+          q.responses[:not_valid] = "Group '<%= @answer %>' doesn't exist, or you don't have permission to use it"
+        end
+        @group ? @group.roleid : nil
+      end
+
+      def prompt_for_idnumber label
+        result = highline.ask("Enter a #{label}: ") do |q|
+          q.validate = lambda{|id|
+            id.blank? || integer?(id)
+          }
+          q.responses[:not_valid] = "The #{label} must be an integer"
+        end
+        result.blank? ? nil : result.to_i
+      end
+
       def prompt_for_password
         require 'highline'
         # use stderr to allow output redirection, e.g.
@@ -155,6 +376,14 @@ module Conjur
         hl = HighLine.new($stdin, $stderr)
     
         password = hl.ask("Enter the password (it will not be echoed): "){ |q| q.echo = false }
+        if password.blank?
+          if hl.agree "No password (y/n)?"
+            return nil
+          else
+            return prompt_for_password
+          end
+        end
+
         confirmation = hl.ask("Confirm the password: "){ |q| q.echo = false }
         
         raise "Password does not match confirmation" unless password == confirmation

data/lib/conjur/command/bootstrap.rb

@@ -21,12 +21,61 @@
 
 class Conjur::Command::Bootstrap < Conjur::Command
   desc "Create initial users, groups, and permissions"
+  long_desc %Q(When you launch a new Conjur master server, it contains only one login: the "admin" user. 
+  The bootstrap command will finish the setup of a new Conjur system by creating other essential records.
+
+  Actions performed by "bootstrap" include:
+
+  * Creation of a group called "security_admin".
+
+  * Giving the "security_admin" the power to manage public keys.
+
+  * Creation of a user called "attic", which will be the owner of retired records.
+
+  * Storing the "attic" user's API key in a variable called "conjur/users/attic/api-key".
+
+  * (optional) Create a new user who will be made a member and admin of the "security_admin" group.
+
+  * (optional) If a new user was created, login as that user.
+  )
+  
+  # Determines whether the current logged-in user is sufficiently powerful to perform bootstrap.
+  # This is currently determined by detecting whether the logged-in role:
+  #
+  # * Is a user
+  # * Has admin privilege on the security_admin group role
+  # * Is an owner of the security_admin group resource
+  #
+  # The admin user will always satisfy these conditions, unless they are revoked for some reason.
+  # Other users created by the bootstrap command will (typically) also have these powers.
+  def self.security_admin_manager? api
+    username = api.username
+    user = if username.index('/')
+      nil
+    else
+      api.user(username)
+    end
+    security_admin = api.group("security_admin")
+    memberships = user.role.memberships.map(&:roleid) if user
+    begin
+      # The user exists
+      # The security_admin group exists
+      # The user has a role which is admin of the security_admin role
+      # The user has the role which owns the security_admin resource
+      user && 
+        security_admin.exists? && 
+        security_admin.role.members.find{|m| memberships.member?(m.member.roleid) && m.admin_option} &&
+        memberships.member?(security_admin.resource.ownerid)
+    rescue RestClient::Forbidden
+      false
+    end
+  end
 
   Conjur::CLI.command :bootstrap do |c|
     c.action do |global_options,options,args|
       require 'highline/import'
 
-      exit_now! "You must be logged in as 'admin' to bootstrap Conjur" unless api.username == "admin"
+      exit_now! "You must be an administrator to bootstrap Conjur" unless security_admin_manager?(api)
         
       if (security_admin = api.group("security_admin")).exists?
         puts "Group 'security_admin' exists"
@@ -35,16 +84,22 @@ class Conjur::Command::Bootstrap < Conjur::Command
         security_admin = api.create_group("security_admin")
       end
       
-      puts "Permitting group 'security_admin' to manage public keys"
-      api.group("pubkeys-1.0/key-managers").add_member security_admin, admin_option: true
+      security_admin.resource.give_to(security_admin) unless security_admin.resource.ownerid == security_admin.role.roleid
+      
+      key_managers = api.group("pubkeys-1.0/key-managers")
+      unless security_admin.role.memberships.map(&:roleid).member?(key_managers.role.roleid)
+        puts "Permitting group 'security_admin' to manage public keys"
+        key_managers.add_member security_admin, admin_option: true
+      end
       
       security_administrators = security_admin.role.members.select{|m| m.member.roleid.split(':')[1..-1] != [ 'user', 'admin'] }
       puts "Current 'security_admin' members are : #{security_administrators.map{|m| m.member.roleid.split(':')[-1]}.join(', ')}" unless security_administrators.blank?
+      created_user = nil
       if security_administrators.empty? || agree("Create a new security_admin? (answer 'y' or 'yes'):")
         username = ask("Enter #{security_administrators.empty? ? 'your' : 'the'} username:")
         password = prompt_for_password
         puts "Creating user '#{username}'"
-        user = api.create_user(username, password: password)
+        created_user = user = api.create_user(username, password: password)
         Conjur::API.new_from_key(user.login, password).user(user.login).resource.give_to security_admin
         puts "User created"
         puts "Making '#{username}' a member and admin of group 'security_admin'"
@@ -53,11 +108,22 @@ class Conjur::Command::Bootstrap < Conjur::Command
         puts "Adminship granted"
       end
       
-      if (attic = api.user("attic")).exists?
-        puts "User 'attic' exists"
+      attic_user_name = "attic"
+      if (attic = api.user(attic_user_name)).exists?
+        puts "User '#{attic_user_name}' already exists"
       else
-        puts "Creating user 'attic'"
-        attic = api.create_user("attic")
+        puts "Creating user '#{attic_user_name}' to own retired records"
+        attic = api.create_user(attic_user_name)
+        api.create_variable "text/plain", 
+          "conjur-api-key", 
+          id: "conjur/users/#{attic_user_name}/api-key", 
+          value: attic.api_key,
+          ownerid: security_admin.role.roleid
+      end
+      
+      if created_user && agree("Login as user '#{created_user.login}'? (answer 'y' or 'yes'):")
+        Conjur::Authn.fetch_credentials(username: created_user.login, password: created_user.api_key)
+        puts "Logged in as '#{created_user.login}'"
       end
     end
   end

data/lib/conjur/command/groups.rb

@@ -37,12 +37,34 @@ class Conjur::Command::Groups < Conjur::Command
 
       acting_as_option(c)
 
-      c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
+      interactive_option c
 
-        options[:gidnumber] = Integer(options[:gidnumber]) if options[:gidnumber]
-
-        group = api.create_group(id, options)
+      c.action do |global_options,options,args|
+        id = args.shift
+        
+        interactive = options[:interactive] || id.blank?
+
+        groupid = options[:ownerid]
+        gidnumber = options[:gidnumber]
+
+        if interactive
+          id ||= prompt_for_id :group
+          
+          groupid ||= prompt_for_group
+          gidnumber ||= prompt_for_gidnumber
+          
+          prompt_to_confirm :group, {
+            "Id"    => id,
+            "Owner" => groupid,
+            "Gidnumber" => gidnumber
+          }
+        end
+        
+        group_options = { }
+        group_options[:ownerid] = groupid if groupid
+        group_options[:gidnumber] = gidnumber.to_i unless gidnumber.blank?
+          
+        group = api.create_group(id, group_options)
         display(group, options)
       end
     end
@@ -92,16 +114,18 @@ class Conjur::Command::Groups < Conjur::Command
     group.desc "Decommission a group"
     group.arg_name "id"
     group.command :retire do |c|
+      retire_options c
+
       c.action do |global_options,options,args|
         id = require_arg(args, 'id')
         
         group = api.group(id)
         
+        validate_retire_privileges group, options
+        
         retire_resource group
         retire_role group
-        
-        puts "Giving ownership to 'attic'"
-        group.resource.give_to api.user('attic')
+        give_away_resource group, options
         
         puts "Group retired"
       end
@@ -168,7 +192,9 @@ class Conjur::Command::Groups < Conjur::Command
       end
 
     end
-
+  end
+    
+  def self.prompt_for_gidnumber
+    prompt_for_idnumber "gid number"
   end
 end
-

data/lib/conjur/command/hosts.rb

@@ -58,10 +58,14 @@ class Conjur::Command::Hosts < Conjur::Command
     hosts.desc "Decommission a host"
     hosts.arg_name "id"
     hosts.command :retire do |c|
+      retire_options c
+
       c.action do |global_options,options,args|
         id = require_arg(args, 'id')
         
         host = api.host(id)
+
+        validate_retire_privileges host, options
         
         host_layer_roles(host).each do |layer|
           puts "Removing from layer #{layer.id}"
@@ -70,9 +74,7 @@ class Conjur::Command::Hosts < Conjur::Command
 
         retire_resource host
         retire_role host
-        
-        puts "Giving ownership to 'attic'"
-        host.resource.give_to api.user('attic')
+        give_away_resource host, options
         
         puts "Host retired"
       end

data/lib/conjur/command/pubkeys.rb

@@ -47,17 +47,39 @@ class Conjur::Command::Pubkeys < Conjur::Command
     end
 
     pubkeys.desc "Add a public key for a user"
-    pubkeys.arg_name "username key"
+    pubkeys.long_desc %Q(Adds a public key for a user. The username is a required argument of this method.
+    
+The public key itself may be provided in several ways.
+
+1. After the username argument, the public key can be provided as a literal (quoted) string.
+
+2. After the username argument, the path to the public key file can be provided with a leading @ character.
+
+3. If the only argument to this command is the username, the key will be read from stdin.
+
+4. If you provide the -i (interactive) command option, you'll be prompted for the public key
+)
+    pubkeys.arg_name "username key?"
     pubkeys.command :add do |c|
+      interactive_option c
+      
       c.action do |global_options, options, args|
+        options[:interactive] = $stdin.isatty if options[:interactive].nil?
         username = require_arg args, "username"
         if key = args.shift
           if /^@(.+)$/ =~ key
             key = File.read(File.expand_path($1))
           end
         else
-          key = STDIN.read.strip
+          key = if options[:interactive]
+            prompt_for_public_key
+          else
+            STDIN.read.strip.tap do |k|
+              exit_now! "Invalid public key format" unless validate_public_key(k)
+            end
+          end
         end
+        fail "Cancelled by the user" if key.blank?
         api.add_public_key username, key
         puts "Public key '#{key.split(' ').last}' added"
       end
@@ -74,4 +96,4 @@ class Conjur::Command::Pubkeys < Conjur::Command
       end
     end
   end
-end
+end

data/lib/conjur/command/resources.rb

@@ -138,12 +138,22 @@ class Conjur::Command::Resources < Conjur::Command
     resource.desc "Set an annotation on a resource"
     resource.arg_name "resource-id name value"
     resource.command :annotate do |c|
+      interactive_option c
+      
       c.action do |global_options, options, args|
         id = full_resource_id require_arg(args, 'resource-id')
-        name = require_arg args, 'name'
-        value = require_arg args, 'value'
-        api.resource(id).annotations[name] = value
-        puts "Set annotation '#{name}' to '#{value}' for resource '#{id}'"
+
+        annotations = if options[:interactive]
+          prompt_for_annotations
+        else
+          name = require_arg args, 'name'
+          value = require_arg args, 'value'
+          { name => value }
+        end
+        unless annotations.blank?
+          api.resource(id).annotations.merge!(annotations)
+          puts "Set annotations #{annotations.keys} for resource '#{id}'"
+        end
       end
     end
 

data/lib/conjur/command/rspec/mock_services.rb

@@ -37,4 +37,7 @@ end
 
 shared_context "when not logged in", logged_in: false do
   include_context "with mock authn"
+  before do
+    Conjur::Authn.instance_variable_set :@credentials, nil
+  end
 end

data/lib/conjur/command/users.rb

@@ -35,20 +35,54 @@ class Conjur::Command::Users < Conjur::Command
 
       acting_as_option(c)
 
-      c.action do |global_options,options,args|
-        login = require_arg(args, 'login')
+      interactive_option c
 
-        opts = options.slice(:ownerid, :uidnumber)
-        if opts[:uidnumber] 
-          raise "uidnumber should be integer" unless /\d+/ =~ opts[:uidnumber]
-          opts[:uidnumber] = opts[:uidnumber].to_i
+      c.action do |global_options,options,args|
+        login = args.shift
+
+        interactive = options[:interactive] || login.blank?
+
+        groupid = options[:ownerid]
+        uidnumber = options[:uidnumber]
+        password = nil
+        exit_now! "uidnumber should be integer" unless uidnumber.blank? || /\d+/ =~ uidnumber
+          
+        if interactive
+          login ||= prompt_for_id :user, "login name"
+          
+          groupid ||= prompt_for_group hint: "press enter to have the user own their own record"
+          uidnumber ||= prompt_for_uidnumber
+          password = prompt_for_password unless options[:"no-password"]
+          
+          attributes = {
+            "Login"    => login,
+            "Owner" => groupid,
+            "UID Number"  => uidnumber
+          }
+          attributes["Password"] = "********" unless password.blank?
+          prompt_to_confirm :user, attributes
         end
-
-        if options[:p]
-          opts[:password] = prompt_for_password
+        
+        if options[:p] && password.blank?
+          password = prompt_for_password
         end
         
-        display api.create_user(login, opts)
+        user_options = { }
+        user_options[:ownerid] = groupid if groupid
+        user_options[:uidnumber] = uidnumber.to_i if uidnumber
+        user_options[:password] = password if password
+        user = api.create_user(login, user_options)
+
+        puts "User created"
+        display user
+        
+        if interactive
+          public_key = prompt_for_public_key
+          if public_key
+            api.add_public_key user.login, public_key
+            puts "Public key added"
+          end
+        end
       end
     end
 
@@ -64,16 +98,18 @@ class Conjur::Command::Users < Conjur::Command
     user.desc "Decommission a user"
     user.arg_name "id"
     user.command :retire do |c|
+      retire_options c
+
       c.action do |global_options,options,args|
         id = require_arg(args, 'id')
         
         user = api.user(id)
         
+        validate_retire_privileges user, options
+
         retire_resource user
         retire_role user
-        
-        puts "Giving ownership to 'attic'"
-        user.resource.give_to api.user('attic')
+        give_away_resource user, options
         
         puts "User retired"
       end
@@ -125,7 +161,9 @@ class Conjur::Command::Users < Conjur::Command
         display api.find_users(uidnumber: uidnumber)
       end
     end
-
   end
-
+    
+  def self.prompt_for_uidnumber
+    prompt_for_idnumber "uid number"
+  end
 end

data/lib/conjur/command/variables.rb

@@ -34,55 +34,57 @@ class Conjur::Command::Variables < Conjur::Command
       c.desc "Initial value, which may also be specified as the second command argument after the variable id"
       c.flag [:v, :"value"]
 
-      acting_as_option(c)
-
-      c.arg_name 'interactive'
-      c.desc 'Create variable interactively'
-      c.switch [:i, :'interactive']
+      acting_as_option c
+      
+      annotate_option c
       
+      interactive_option c
+
       c.action do |global_options,options, args|
         @default_mime_type = c.flags[:m].default_value
         @default_kind = c.flags[:k].default_value
         
         id = args.shift unless args.empty?
-
         value = args.shift unless args.empty?
         
-        raise "Received conflicting value arguments" if value && options[:value]
-
-        groupid = options[:'ownerid']
-        mime_type = options.delete(:m)
-        kind = options.delete(:k)
-        value ||= options.delete(:v)
-        
-        options.delete(:'interactive')
-        options.delete(:"mime-type")
-        options.delete(:"kind")
-        options.delete(:'value')
-
+        exit_now! "Received conflicting value arguments" if value && options[:value]
+
+        groupid = options[:ownerid]
+        mime_type = options[:m]
+        kind = options[:k]
+        value ||= options[:v]
+        interactive = options[:interactive] || id.blank?
+        annotate = options[:annotate]
+          
+        exit_now! "Received --annotate option without --interactive" if annotate && !interactive
+          
         annotations = {}
-
-        # If the user asked for interactive mode, or he didn't specify
-        # both an id and a value, prompt for any missing options.
-        if options.delete(:i) || !(id && value)
-          id ||= prompt_for_id
-
+        # If the user asked for interactive mode, or he didn't specify and id
+        # prompt for any missing options.
+        if interactive
+          id ||= prompt_for_id :variable
+          
           groupid ||= prompt_for_group
 
           kind = prompt_for_kind if !kind || kind == @default_kind
+          
+          mime_type = prompt_for_mime_type if mime_type.blank? || mime_type == @default_mime_type
 
-          mime_type = prompt_for_mime_type if !mime_type || mime_type == @default_mime_type
-
-          annotations = prompt_for_annotations
+          annotations = prompt_for_annotations if annotate
 
           value ||= prompt_for_value
+          
+          prompt_to_confirm :variable, "Id"    => id,
+            "Kind"  => kind,
+            "MIME type" => mime_type,
+            "Owner" => groupid,
+            "Value" => value
         end
         
-        options[:id] = id
-        options[:value] = value
-        options[:'ownerid'] = groupid if groupid
-        
-        var = api.create_variable(mime_type, kind, options)
+        variable_options = { id: id }
+        variable_options[:ownerid] = groupid if groupid
+        variable_options[:value] = value unless value.blank?
+        var = api.create_variable(mime_type, kind, variable_options)
         api.resource(var).annotations.merge!(annotations) if annotations && !annotations.empty?
         display(var, options)
       end
@@ -100,15 +102,17 @@ class Conjur::Command::Variables < Conjur::Command
     var.desc "Decommission a variable"
     var.arg_name "id"
     var.command :retire do |c|
+      retire_options c
+      
       c.action do |global_options,options,args|
         id = require_arg(args, 'id')
         
         variable = api.variable(id)
+
+        validate_retire_privileges variable, options
         
         retire_resource variable
-        
-        puts "Giving ownership to 'attic'"
-        variable.resource.give_to api.user('attic')
+        give_away_resource variable, options
         
         puts "Variable retired"
       end
@@ -149,58 +153,24 @@ class Conjur::Command::Variables < Conjur::Command
         $stdout.write api.variable(id).value(options[:version])
       end
     end
-
   end
-
-  def self.prompt_for_id
-    highline.ask('Enter the id: ')
-  end
-
-  def self.prompt_for_group
-    highline.ask('Enter the group: ', ->(name) { @group && @group.roleid } ) do |q|
-      q.validate = ->(name) do
-        name.empty? || (@group = api.group(name)).exists?
-      end
-      q.responses[:not_valid] = "Group '<%= @answer %>' doesn't exist, or you don't have permission to use it"
-    end
-  end
-
+  
   def self.prompt_for_kind
     highline.ask('Enter the kind: ') {|q| q.default = @default_kind }
   end
 
   def self.prompt_for_mime_type
-    highline.ask('Enter the MIME type: ') {|q| q.default = @default_mime_type }
-  end
-
-  def self.prompt_for_annotations
-    highline.say('Add annotations (press enter to finish):')
-    {}.tap do |annotations|
-      until (name = highline.ask('annotation name: ')).empty?
-        annotations[name] = read_till_eof('annotation value (^D to finish):')
+    highline.choose do |menu|
+      menu.prompt = 'Enter the MIME type: '
+      menu.choice  @default_mime_type 
+      menu.choices *%w(application/json application/xml application/x-yaml application/x-pem-file)
+      menu.choice "other", nil do |c|
+        @highline.ask('Enter a custom mime type: ')
       end
     end
   end
 
   def self.prompt_for_value
-    read_till_eof('Enter the value (^D on its own line to finish):')
-  end
-  
-  def self.highline
-    require 'highline'
-    @highline ||= HighLine.new($stdin,$stderr)
-  end
-
-  def self.read_till_eof(prompt = nil)
-    highline.say(prompt) if prompt
-    [].tap do |lines|
-      loop do
-        begin
-          lines << highline.ask('')
-        rescue EOFError
-          break
-        end
-      end
-    end.join("\n")
+    read_till_eof('Enter the secret value (^D on its own line to finish):')
   end
 end

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = "4.24.0"
+  VERSION = "4.25.0"
   ::Version=VERSION
 end

data/spec/command/pubkeys_spec.rb

@@ -61,6 +61,8 @@ describe Conjur::Command::Pubkeys, logged_in: true do
     let(:stdin_contents){ "ssh-rsa blahblah keyname" }
     it "calls api.add_public_key('alice', stdin) and prints the key name" do
       expect(STDIN).to receive(:read).and_return(stdin_contents)
+      allow(STDIN).to receive(:isatty).and_return(false)
+      expect(described_class).to receive(:validate_public_key).and_return(true)
       expect(described_class.api).to receive(:add_public_key).with('alice', stdin_contents)
       expect{ invoke }.to write("Public key 'keyname' added")
     end

data/spec/command/resources_spec.rb

@@ -149,4 +149,14 @@ describe Conjur::Command::Resources, logged_in: true do
       expect(JSON.parse( expect { invoke }.to write )).to eq(roles_list)
     end
   end
+  
+  context "interactivity" do
+    subject { Conjur::Command::Resources }
+    describe_command 'resource:annotate -i #{KIND}:#{ID}' do
+      it { 
+        is_expected.to receive(:prompt_for_annotations) 
+        invoke_silently
+      }
+    end
+  end
 end

data/spec/command/variables_spec.rb

@@ -12,10 +12,10 @@ describe Conjur::Command::Variables, logged_in: true do
   end
   let(:id) { 'the-id' }
   let(:variable) { post_response(id) }
-  let (:group) { nil }
-  let (:annotation) { {} }
-  let (:value) { 'the-value' }
-  let (:full_payload) { base_payload }
+  let(:group) { nil }
+  let(:annotation) { {} }
+  let(:value) { 'the-value' }
+  let(:full_payload) { base_payload }
   
   context 'when there are command-line errors' do
     describe_command "variable:create -v the-value-1 the-id the-value-2" do
@@ -25,16 +25,34 @@ describe Conjur::Command::Variables, logged_in: true do
     end
   end
 
+  context "-a without -i" do
+    describe_command 'variable:create -a the-id' do
+      it "is an error" do
+        expect { invoke }.to raise_error("Received --annotate option without --interactive")
+      end
+    end
+  end
+  
+  context 'non-interactive' do
+    describe_command "variable:create the-id" do
+      it "is non-interactive" do
+        allow(Conjur::Command::Variables).to receive(:prompt_for_id).and_raise("Unexpected prompt for id")
+        expect(RestClient::Request).to receive(:execute).and_return(variable)
+        invoke
+      end
+    end
+  end
+
   context 'when there are no command-line errors' do
-    
     before do
+      allow(Conjur::Command::Variables).to receive(:prompt_to_confirm) { "yes"}
       allow(Conjur::Command::Variables).to receive(:prompt_for_id) { id }
       allow(Conjur::Command::Variables).to receive(:prompt_for_group) { group }
       allow(Conjur::Command::Variables).to receive(:prompt_for_kind) { kind }
       allow(Conjur::Command::Variables).to receive(:prompt_for_mime_type) { mime_type }
       allow(Conjur::Command::Variables).to receive(:prompt_for_annotations) { annotation }
       allow(Conjur::Command::Variables).to receive(:prompt_for_value)  { value }
-
+        
       expect(RestClient::Request).to receive(:execute).with({
           method: :post,
           url: collection_url,
@@ -43,29 +61,42 @@ describe Conjur::Command::Variables, logged_in: true do
         }.merge(cert_store_options)).and_return(variable)
     end
     
-    describe_command "variable:create the-different-id" do
-      let (:id) { 'the-different-id' }
+    describe_command "variable:create the-id the-different-value" do
+      let (:value) { 'the-different-value' }
       it "propagates the user-assigned id" do
-        expect { invoke }.to write({ id: 'the-different-id' }).to(:stdout)
+        expect { invoke }.to write({ id: 'the-id' }).to(:stdout)
       end
     end
     
-    describe_command "variable:create the-id the-different-value" do
-      let (:value) { 'the-different-value' }
-      it "propagates the user-assigned id" do
+    describe_command "variable:create the-id" do
+      let(:value) { "" }
+      let(:full_payload) { 
+        base_payload.dup.tap do |m|
+          m.delete_if{|k,_| k == :value}
+        end
+      }
+      it "will propagate the user-assigned id without a value" do
         expect { invoke }.to write({ id: 'the-id' }).to(:stdout)
       end
     end
     
+    let(:base_payload) do
+      { id: id, value: value, mime_type: mime_type, kind: kind }.tap do |t|
+        group && t.merge(ownerid: group)
+      end
+    end
+
     describe_command "variable:create -m application/json" do
-      let (:mime_type) { 'application/json' }
+      let(:mime_type) { 'application/json' }
+      let(:payload) { valueless_payload }
       it "propagates the user-assigned MIME type" do
         expect { invoke }.to write({ id: 'the-id' }).to(:stdout)
       end
     end
     
     describe_command "variable:create -k password" do
-      let (:kind) { 'password' }
+      let(:kind) { 'password' }
+      let(:payload) { valueless_payload }
       it "propagates the user-assigned kind" do
         expect { invoke }.to write({ id: 'the-id' }).to(:stdout)
       end
@@ -84,25 +115,22 @@ describe Conjur::Command::Variables, logged_in: true do
           it { is_expected.to receive(:prompt_for_group) }
           it { is_expected.to receive(:prompt_for_kind) }
           it { is_expected.to receive(:prompt_for_mime_type) }
-          it { is_expected.to receive(:prompt_for_annotations) }
+          it { is_expected.not_to receive(:prompt_for_annotations) }
           it { is_expected.to receive(:prompt_for_value) }
         end
         
-        describe_command 'variable:create the-id' do
-          it { is_expected.not_to receive(:prompt_for_id) }
-        end
-        
         describe_command 'variable:create the-id the-value' do
+          it { is_expected.not_to receive(:prompt_for_id) }
           it { is_expected.not_to receive(:prompt_for_value) }
         end
         
         describe_command 'variable:create -m application/json' do
-          let (:mime_type) { 'application/json' }
+          let(:mime_type) { 'application/json' }
           it { is_expected.not_to receive(:prompt_for_mime_type) }
         end
         
         describe_command 'variable:create -k password' do
-          let (:kind) { 'password' }
+          let(:kind) { 'password' }
           it { is_expected.not_to receive(:prompt_for_kind) }
         end
         
@@ -119,7 +147,7 @@ describe Conjur::Command::Variables, logged_in: true do
               }.merge(cert_store_options)).and_return(OpenStruct.new(headers: {}, body: '{}'))
           end
             
-          let (:full_payload) { base_payload.merge(ownerid: 'the-account:group:the-group') }
+          let(:full_payload) { base_payload.merge(ownerid: 'the-account:group:the-group') }
 
           it { is_expected.not_to receive(:prompt_for_group) }
         end
@@ -133,25 +161,32 @@ describe Conjur::Command::Variables, logged_in: true do
               }.merge(cert_store_options)).and_return(OpenStruct.new(headers: {}, body: '{}'))
           end
             
-          let (:full_payload) { base_payload.merge(ownerid: 'the-account:group:the-group') }
+          let(:full_payload) { base_payload.merge(ownerid: 'the-account:group:the-group') }
 
           it { is_expected.not_to receive(:prompt_for_group) }
         end
         
       end
       
-      context "when -i is provided" do
+      context "explicit interactivity" do
         describe_command 'variable:create -i the-id the-value' do
           it { is_expected.not_to receive(:prompt_for_id) }
           it { is_expected.not_to receive(:prompt_for_value) }
           it { is_expected.to receive(:prompt_for_group) }
           it { is_expected.to receive(:prompt_for_mime_type) }
           it { is_expected.to receive(:prompt_for_kind) }
-          it { is_expected.to receive(:prompt_for_annotations) }
+          it { is_expected.not_to receive(:prompt_for_annotations) }
         end
       end
       
+      context "interactive annotations" do
+        describe_command 'variable:create -a' do
+          it { is_expected.to receive(:prompt_for_annotations) }
+        end
+        describe_command 'variable:create -ia the-id' do
+          it { is_expected.to receive(:prompt_for_annotations) }
+        end
+      end
     end
-    
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 4.24.0
+  version: 4.25.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-05-06 00:00:00.000000000 Z
+date: 2015-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -269,6 +269,7 @@ files:
 - CHANGELOG.md
 - Gemfile
 - LICENSE
+- PUBLISH.md
 - README.md
 - Rakefile
 - bin/_conjur_completions