conjur-cli 4.25.2 → 4.26.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: dde915a0ec9af1f0bce229b5c8d12ad79087b8c3
-  data.tar.gz: 1d47c18a905a8a2d650f438fdd6e2c76854220dd
+  metadata.gz: 54ffbd129d6c3a3fc980ff0d44ad733b1eb384b6
+  data.tar.gz: 44d584a5a9a9e8aecff993113a31462fb7903392
 SHA512:
-  metadata.gz: 337bdf5d0fb43f7a9619a90166d8821bb7cf30c56f6d04ecddd0cef88d08dc6360e47985034ed2a402c306d730ceceb66843609f63ac1d8251f28dcaa874de8e
-  data.tar.gz: 002ed6b73ea3a21e24d1661cfb1973489da1d37d424b54297bf61895ebe600d5aebbd3022c8fd9887bd80374867c1cdbbf112df717b27135999c1e740559c795
+  metadata.gz: 65c39293a9f24b0dc0ae51c13bf7921c30c99e74ed4f45a158f5f08c45dcc78eae530379bbcf264014150ab4a9e5d23bfa494f26f2e6a2b29bcb81732ddc10e9
+  data.tar.gz: c4f362e466e4fd8b3b0bd75e79a8e888849b8e51f3df8c29a92389d1f37c2ca14559877a95693a1c9a983d334ee6b0dcfd879167bc9cb83e84429e18ef3b16c6

data/.gitignore

@@ -31,3 +31,4 @@ tmp
 update_ci.sh
 .ruby-version
 .ruby-gemset
+vendor/bundle

data/Gemfile

@@ -9,5 +9,6 @@ gem 'conjur-api', git: 'https://github.com/conjurinc/api-ruby.git', branch: 'mas
 
 group :test, :development do
   gem 'pry'
+  gem 'pry-doc'
   gem 'ruby-prof'
 end

data/README.md

@@ -18,6 +18,12 @@ Or install it yourself as:
 
     $ gem install conjur-cli
 
+### Bash completion
+
+To enable bash completions, run this command:
+
+    $ conjur shellinit >> ~/.bashrc
+
 ## Contributing
 
 1. Fork it

data/Rakefile

@@ -16,36 +16,4 @@ task :jenkins => ['ci:setup:rspec', :spec, 'ci:setup:cucumber_report_cleanup'] d
   File.write('build_number', ENV['BUILD_NUMBER']) if ENV['BUILD_NUMBER']
 end
 
-desc "Generate the update completions file"
-task :completions do
-  # having 'lib' in the load path, which happens to be the case when running rake,
-  # messes up GLIs commands_from
-  $:.delete('lib')
-  require 'conjur/cli'
-  require 'yaml'
-
-  Conjur::CLI.init!
-  def ignore? name
-    name = name.to_s
-    # Ignore GLIs internal commands and one of our deprecated ones
-    name.start_with?('_') or name.include?(':')
-  end
-
-  def visit cmd
-    child = {}
-    cmd.commands.each do |name, ccmd|
-      next if ignore?(name)
-      child[name] = visit(ccmd)
-      child[name] = true if child[name].empty?
-    end
-    child
-  end
-
-  commands = visit Conjur::CLI
-
-  File.open("#{File.dirname(__FILE__)}/bin/_conjur_completions.yaml", "w") do |io|
-    YAML.dump(commands, io)
-  end
-end
-
-task default: [:completions, :spec, :features]
+task default: [:spec, :features]

data/bin/{_conjur_completions → _conjur}

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 #
-# Copyright (C) 2013 Conjur Inc
+# Copyright (C) 2015 Conjur Inc
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of
 # this software and associated documentation files (the "Software"), to deal in
@@ -20,29 +20,8 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 
-# You can use this file by adding the following to something that gets sourced (like .bashrc)
-#
-# _conjur()
-# {
-#     COMPREPLY=($(_conjur_completions $COMP_CWORD ${COMP_WORDS[@]}))
-# }
-# complete -F _conjur conjur
-
-require 'yaml'
-completions = File.open("#{File.dirname(__FILE__)}/_conjur_completions.yaml"){ |_| YAML.load(_) }
-# ARGV[0] is the index into ARGV[1...] of the current word
-index = ARGV[0].to_i - 1
-words = ARGV[2..-1]
-parents = words[0...index]
-word = words[index] || ""
-
-current = completions
-previous = current
-until parents.empty? or current.nil? or not current.kind_of?(Hash) # make sure to stop if we hit a 'true' entry
-  previous = current
-  current = current[parents.shift.to_sym]
-end
+require 'conjur/complete'
 
-if current.kind_of?(Hash)
-  puts current.keys.map(&:to_s).select{|k| k.start_with?(word)}.sort.join("\n")
-end
+line = ENV['COMP_LINE']
+point = ENV['COMP_POINT'].to_i
+puts Conjur::CLI::Complete.new(line, point).completions

data/lib/conjur/command.rb

@@ -62,11 +62,13 @@ module Conjur
 
       def acting_as_option command
         return if command.flags.member?(:"as-group") # avoid duplicate flags
-        command.arg_name 'Perform all actions as the specified Group'
-        command.flag [:"as-group"]
+        command.desc 'Perform all actions as the specified Group'
+        command.arg_name 'GROUP'
+        command.flag [:'as-group']
 
-        command.arg_name 'Perform all actions as the specified Role'
-        command.flag [:"as-role"]
+        command.desc 'Perform all actions as the specified Role'
+        command.arg_name 'ROLE'
+        command.flag [:'as-role']
       end
       
       def interactive_option command
@@ -111,6 +113,7 @@ module Conjur
       def command_options_for_list(c)
         return if c.flags.member?(:role) # avoid duplicate flags
         c.desc "Role to act as. By default, the current logged-in role is used."
+        c.arg_name 'ROLE'
         c.flag [:role]
     
         c.desc "Full-text search on resource id and annotation values" 

data/lib/conjur/command/audit.rb

@@ -24,12 +24,22 @@ class Conjur::Command
           "reported #{statement}"+ message_part
         }
       }
+
+      def ssh_sudo_message(e)
+        s = "#{e[:system_user]}"
+        s << " " << (e[:allowed] ? "ran" : "attempted to run")
+        s << " '" << e[:command] << "' as " << e[:target_user]
+        s
+      end
       
       def short_event_format e
         e.symbolize_keys!
         s = "[#{Time.parse(e[:timestamp])}]"
         s << " #{e[:user]}"
         s << " (as #{e[:acting_as]})" if e[:acting_as] != e[:user]
+        if e[:facility] == 'ssh' && e[:action] == 'sudo'
+          e[:audit_message] = ssh_sudo_message(e)
+        end
         formatter = SHORT_FORMATS["#{e[:kind]}:#{e[:action]}"] || SHORT_FORMATS[e[:kind]]
         if formatter
           s << " " << formatter.call(e)

data/lib/conjur/command/env.rb

@@ -27,6 +27,7 @@ class Conjur::Command::Env < Conjur::Command
 
   def self.common_parameters c
     c.desc "Environment configuration file"
+    c.arg_name "FILE"
     c.default_value ".conjurenv"
     c.flag ["c"]
     

data/lib/conjur/command/groups.rb

@@ -30,7 +30,6 @@ class Conjur::Command::Groups < Conjur::Command
   desc "Manage groups"
   command :group do |group|
     group.desc "Create a new group"
-    group.arg_name "id"
     group.command :create do |c|
       c.desc "GID number to be associated with the group (optional)"
       c.flag [:gidnumber]
@@ -79,21 +78,21 @@ class Conjur::Command::Groups < Conjur::Command
     end
 
     group.desc "Show a group"
-    group.arg_name "id"
+    group.arg_name "GROUP"
     group.command :show do |c|
       c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'GROUP')
         display(api.group(id), options)
       end
     end
     
     group.desc "Update group's attributes (eg. gidnumber)"
-    group.arg_name "id"
+    group.arg_name "GROUP"
     group.command :update do |c|
       c.desc "GID number to be associated with the group"
       c.flag [:gidnumber]
       c.action do |global_options, options, args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'GROUP')
 
         options[:gidnumber] = Integer(options[:gidnumber])
         api.group(id).update(options)
@@ -112,12 +111,12 @@ class Conjur::Command::Groups < Conjur::Command
     end
 
     group.desc "Decommission a group"
-    group.arg_name "id"
+    group.arg_name "GROUP"
     group.command :retire do |c|
       retire_options c
 
       c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'GROUP')
         
         group = api.group(id)
         
@@ -135,18 +134,18 @@ class Conjur::Command::Groups < Conjur::Command
     group.command :members do |members|
 
       members.desc "Lists all direct members of the group. The membership list is not recursively expanded."
-      members.arg_name "group"
+      members.arg_name "GROUP"
       members.command :list do |c|
         c.desc "Verbose output"
         c.switch [:V,:verbose]
         c.action do |global_options,options,args|
-          group = require_arg(args, 'group')
+          group = require_arg(args, 'GROUP')
           display_members api.group(group).role.members, options
         end
       end
 
       members.desc "Add a new group member"
-      members.arg_name "group member"
+      members.arg_name "GROUP USER"
       members.command :add do |c|
         c.desc "Also grant the admin option"
         c.switch [:a, :admin]
@@ -158,8 +157,8 @@ class Conjur::Command::Groups < Conjur::Command
         c.switch [:r, :'revoke-admin']
 
         c.action do |global_options,options,args|
-          group = require_arg(args, 'group')
-          member = require_arg(args, 'member')
+          group = require_arg(args, 'GROUP')
+          member = require_arg(args, 'USER')
           member = assume_user_kind(member)
 
           group = api.group(group)
@@ -179,11 +178,11 @@ class Conjur::Command::Groups < Conjur::Command
       end
 
       members.desc "Remove a group member"
-      members.arg_name "group member"
+      members.arg_name "GROUP USER"
       members.command :remove do |c|
         c.action do |global_options,options,args|
-          group = require_arg(args, 'group')
-          member = require_arg(args, 'member')
+          group = require_arg(args, 'GROUP')
+          member = require_arg(args, 'USER')
           member = assume_user_kind(member)
 
           api.group(group).remove_member member

data/lib/conjur/command/hosts.rb

@@ -27,7 +27,7 @@ class Conjur::Command::Hosts < Conjur::Command
   desc "Manage hosts"
   command :host do |hosts|
     hosts.desc "Create a new host"
-    hosts.arg_name "id"
+    hosts.arg_name "NAME"
     hosts.command :create do |c|
       c.arg_name "password"
       c.flag [:p,:password]
@@ -47,21 +47,21 @@ class Conjur::Command::Hosts < Conjur::Command
     end
 
     hosts.desc "Show a host"
-    hosts.arg_name "id"
+    hosts.arg_name "HOST"
     hosts.command :show do |c|
       c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'HOST')
         display(api.host(id), options)
       end
     end
 
     hosts.desc "Decommission a host"
-    hosts.arg_name "id"
+    hosts.arg_name "HOST"
     hosts.command :retire do |c|
       retire_options c
 
       c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'HOST')
         
         host = api.host(id)
 
@@ -89,11 +89,11 @@ class Conjur::Command::Hosts < Conjur::Command
     end
 
     hosts.desc "[Deprecated] Enroll a new host into conjur"
-    hosts.arg_name "host"
+    hosts.arg_name "HOST"
     hosts.command :enroll do |c|
       hide_docs(c)
       c.action do |global_options, options, args|
-        id = require_arg(args, 'host')
+        id = require_arg(args, 'HOST')
         enrollment_url = api.host(id).enrollment_url
         puts enrollment_url
         $stderr.puts "On the target host, please execute the following command:"
@@ -102,10 +102,10 @@ class Conjur::Command::Hosts < Conjur::Command
     end
 
     hosts.desc "List the layers to which the host belongs"
-    hosts.arg_name "id"
+    hosts.arg_name "HOST"
     hosts.command :layers do |c|
       c.action do |global_options, options, args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'HOST')
         host = api.host(id)
         display host_layer_roles(host).map(&:identifier), options
       end

data/lib/conjur/command/init.rb

@@ -39,6 +39,7 @@ class Conjur::Command::Init < Conjur::Command
 
   Conjur::CLI.command :init do |c|
     c.desc "Hostname of the Conjur endpoint (required for virtual appliance)"
+    c.arg_name 'HOSTNAME'
     c.flag ["h", "hostname"]
 
     c.desc "Conjur organization account name (not required for appliance)"
@@ -48,6 +49,7 @@ class Conjur::Command::Init < Conjur::Command
     c.flag ["c", "certificate"]
 
     c.desc "File to write the configuration to"
+    c.arg_name 'FILE'
     c.flag ["f", "file"]
 
     c.desc "Force overwrite of existing files"

data/lib/conjur/command/layers.rb

@@ -6,7 +6,7 @@ class Conjur::Command::Layers < Conjur::Command
   # Form an account:kind:hostid from the host argument
   # Or interpret a fully-qualified role id
   def self.require_hostid_arg(args)
-    hostid = require_arg(args, 'host')
+    hostid = require_arg(args, 'HOST')
     unless hostid.index(':')
       hostid = [ Conjur::Core::API.conjur_account, 'host', hostid ].join(':')
     end
@@ -25,9 +25,9 @@ class Conjur::Command::Layers < Conjur::Command
   end
 
   def self.parse_layer_permission_args(global_options, options, args)
-    id = require_arg(args, "layer")
-    role = require_arg(args, "role")
-    privilege = require_arg(args, "privilege")
+    id = require_arg(args, "LAYER")
+    role = require_arg(args, "ROLE")
+    privilege = require_arg(args, "PRIVILEGE")
     role_name = interpret_layer_privilege privilege
     [ id, role_name, role ]
   end
@@ -36,12 +36,12 @@ class Conjur::Command::Layers < Conjur::Command
   command :layer do |layer|
 
     layer.desc "Create a new layer"
-    layer.arg_name "id"
+    layer.arg_name "LAYER"
     layer.command :create do |c|
       acting_as_option(c)
 
       c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'LAYER')
 
         layer = api.create_layer(id, options)
         display(layer, options)
@@ -58,33 +58,33 @@ class Conjur::Command::Layers < Conjur::Command
     end
 
     layer.desc "Show a layer"
-    layer.arg_name "id"
+    layer.arg_name "LAYER"
     layer.command :show do |c|
       c.action do |global_options,options,args|
-        id = require_arg(args, 'id')
+        id = require_arg(args, 'LAYER')
         display(api.layer(id), options)
       end
     end
 
     layer.desc "Provision a layer by creating backing resources in an IaaS / PaaS system"
-    layer.arg_name "layer"
+    layer.arg_name "LAYER"
     layer.command :provision do |c|
       hide_docs(c)
 
       c.desc "Provisioner to use (aws)"
-      c.arg_name "provisioner"
+      c.arg_name "PROVISIONER"
       c.flag [ :provisioner ]
 
       c.desc "Variable holding a credential used to connect to the provisioner"
-      c.arg_name "variableid"
+      c.arg_name "VARIABLE"
       c.flag [ :credential ]
 
       c.desc "AWS bucket to contain the bootstrap credentials (will be created if missing)"
-      c.arg_name "bucket"
+      c.arg_name "BUCKET"
       c.flag [ :bucket ]
 
       c.action do |global_options, options, args|
-        id = require_arg(args, 'layer')
+        id = require_arg(args, 'LAYER')
         provisioner = options[:provisioner] or exit_now!("Missing argument: provisioner")
         credential = options[:credential] or exit_now!("Missing argument: credential")
         bucket = options[:bucket] or exit_now!("Missing argument: bucket")
@@ -110,7 +110,7 @@ class Conjur::Command::Layers < Conjur::Command
       hosts.long_desc <<-DESC
 Privilege may be : execute, update
       DESC
-      hosts.arg_name "layer role privilege"
+      hosts.arg_name "LAYER ROLE PRIVILEGE"
       hosts.command :permit do |c|
         c.action do |global_options,options,args|
           id, role_name, role = parse_layer_permission_args(global_options, options, args)
@@ -120,7 +120,7 @@ Privilege may be : execute, update
       end
 
       hosts.desc "Remove a privilege on hosts in the layer"
-      hosts.arg_name "layer role privilege"
+      hosts.arg_name "LAYER ROLE PRIVILEGE"
       hosts.command :deny do |c|
         c.action do |global_options,options,args|
           id, role_name, role = parse_layer_permission_args(global_options, options, args)
@@ -130,11 +130,11 @@ Privilege may be : execute, update
       end
 
       hosts.desc "List roles that have permission on the hosts"
-      hosts.arg_name "layer privilege"
+      hosts.arg_name "LAYER PRIVILEGE"
       hosts.command :permitted_roles do |c|
         c.action do |global_options,options,args|
-          id = require_arg(args, "layer")
-          role_name = interpret_layer_privilege require_arg(args, "privilege")
+          id = require_arg(args, 'LAYER')
+          role_name = interpret_layer_privilege require_arg(args, 'PRIVILEGE')
 
           members = api.layer(id).hosts_members(role_name).map(&:member).select do |m|
             m.kind != "@"
@@ -144,10 +144,10 @@ Privilege may be : execute, update
       end
 
       hosts.desc "Add a host to an layer"
-      hosts.arg_name "layer host"
+      hosts.arg_name "LAYER HOST"
       hosts.command :add do |c|
         c.action do |global_options, options, args|
-          id = require_arg(args, 'layer')
+          id = require_arg(args, 'LAYER')
           hostid = require_hostid_arg(args)
 
           api.layer(id).add_host hostid
@@ -156,10 +156,10 @@ Privilege may be : execute, update
       end
 
       hosts.desc "Remove a host from an layer"
-      hosts.arg_name "layer host"
+      hosts.arg_name "LAYER HOST"
       hosts.command :remove do |c|
         c.action do |global_options, options, args|
-          id = require_arg(args, 'layer')
+          id = require_arg(args, 'LAYER')
           hostid = require_hostid_arg(args)
 
           api.layer(id).remove_host hostid