conjur-cli 4.8.0 → 4.9.3

data/.gitignore

@@ -1,3 +1,4 @@
+*.policy
 .conjurrc
 *.cert
 *.credential

data/Gemfile

@@ -3,15 +3,8 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in conjur.gemspec
 gemspec
 
-gem 'conjur-api', git: 'https://github.com/conjurinc/api-ruby.git', branch: 'master'
+gem 'conjur-api', '>=4.8', git: 'https://github.com/conjurinc/api-ruby.git', branch: 'master'
 
 group :test, :development do
   gem 'pry'
 end
-
-group :development do
-  gem 'conjur-asset-environment-api', git: 'git@github.com:inscitiv/conjur-asset-environment', branch: 'master'
-  gem 'conjur-asset-key-pair-api', git: 'git@github.com:conjurinc/conjur-asset-key-pair', branch: 'master'
-  gem 'conjur-asset-layer-api', git: 'git@github.com:conjurinc/conjur-asset-layer', branch: 'master'
-  gem 'conjur-asset-ui-api', git: 'git@github.com:conjurinc/conjur-asset-ui', branch: 'master'
-end

data/bin/conjur

@@ -20,6 +20,7 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 
+require 'active_support'
 require 'conjur/cli'
 
 exit Conjur::CLI.run(ARGV)

data/conjur.gemspec

@@ -14,8 +14,10 @@ Gem::Specification.new do |gem|
   gem.name          = "conjur-cli"
   gem.require_paths = ["lib"]
   gem.version       = Conjur::VERSION
-  
-  gem.add_dependency 'conjur-api', '>=4.7.2'
+
+
+  gem.add_dependency 'activesupport'
+  gem.add_dependency 'conjur-api', '>=4.8'
   gem.add_dependency 'gli', '>=2.8.0'
   gem.add_dependency 'highline'
   gem.add_dependency 'netrc'

data/lib/conjur/authn.rb

@@ -19,6 +19,8 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 require 'highline'
+require 'active_support'
+require 'active_support/deprecation'
 require 'conjur/api'
 require 'netrc'
 

data/lib/conjur/command/assets.rb

@@ -27,6 +27,7 @@ class Conjur::Command::Assets < Conjur::Command
   desc "Create an asset"
   arg_name "kind:id"
   command :create do |c|
+    def c.nodoc; true end
     acting_as_option(c)
     
     c.action do |global_options, options, args|
@@ -55,6 +56,7 @@ class Conjur::Command::Assets < Conjur::Command
   desc "Show an asset"
   arg_name "id"
   command :show do |c|
+    def c.nodoc; true end
     c.action do |global_options,options,args|
       kind, id = get_kind_and_id_from_args(args, 'id')
       display api.send(kind, id).attributes
@@ -64,6 +66,7 @@ class Conjur::Command::Assets < Conjur::Command
   desc "Checks for the existance of an asset"
   arg_name "id"
   command :exists do |c|
+    def c.nodoc; true end
     c.action do |global_options,options,args|
       kind, id = get_kind_and_id_from_args(args, 'id')
       puts api.send(kind, id).exists?
@@ -73,6 +76,7 @@ class Conjur::Command::Assets < Conjur::Command
   desc "List an asset"
   arg_name "kind"
   command :list do |c|
+    def c.nodoc; true end
     c.action do |global_options,options,args|
       kind = require_arg(args, "kind").gsub('-', '_')
       if api.respond_to?(kind.pluralize)

data/lib/conjur/command/dsl_command.rb

@@ -36,6 +36,7 @@ class Conjur::DSLCommand < Conjur::Command
       
       require 'conjur/dsl/runner'
       runner = Conjur::DSL::Runner.new(script, filename)
+      runner.owner = options[:ownerid] if options[:ownerid]
 
       if context = options[:context]
         runner.context = begin

data/lib/conjur/command/env.rb

@@ -0,0 +1,170 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur/authn'
+require 'conjur/command'
+require 'conjur/conjurenv'
+require 'tempfile'
+
+class Conjur::Command::Env < Conjur::Command
+
+  self.prefix = :env
+
+  def self.common_parameters c
+    c.desc "Environment configuration file"
+    c.default_value ".conjurenv"
+    c.flag ["c"]
+    
+    c.desc "Environment configuration as inline yaml"
+    c.flag ["yaml"]
+  end
+
+  def self.get_env_object options
+    if options[:yaml] and options[:c]!='.conjurenv'
+      exit_now! "Options -c and --yaml can not be provided together"
+    end
+
+    env = if options[:yaml] 
+            Conjur::Env.new(yaml: options[:yaml])
+          else
+            Conjur::Env.new(file: (options[:c]||'.conjurenv'))
+          end
+    return env
+  end
+
+  desc "Execute external command with environment variables populated from Conjur"
+  long_desc <<'RUNLONGDESC' 
+Processes environment configuration (see env:help for details), and executes a command (with optional arguments) in the modified environment.
+Local names are uppercased and used as names of environment variables. 
+
+Consider following environment configuration: 
+
+{ key_pair_name: jenkins_key, ssh_keypair_path: !tmp jenkins/private_key, api_key: !var jenkins/api_key }
+
+Values of the variables "jenkins/private_key" and "jenkins/api_key" will be obtained from Conjur. Value of "jenkins/api_key" will be associated with local name 'api_key'. Value of "jenkins/private_key" will be stored in the temporary file, which name will be associated with local name "ssh_keypair_path". 
+
+Than, external command with appropriate arguments will be launched in the environment which has following variables:
+
+KEY_PAIR_NAME="jenkins_key",
+SSH_KEYPAIR_PATH="/dev/shm/temp_file_with_key_obtained_from_Conjur",
+API_KEY="api key obtained from Conjur"
+RUNLONGDESC
+  arg_name "-- command [arg1, arg2 ...] "
+  command :run do |c|
+    common_parameters(c)
+
+    c.action do |global_options,options,args|
+      if args.empty? 
+        exit_now! "External command with optional arguments should be provided"
+      end
+      env = get_env_object(options)
+      runtime_environment = Hash[ env.obtain(api).map {|k,v| [k.upcase, v] } ]
+      if Conjur.log 
+        Conjur.log << "Running command in the prepared environment: #{args}"
+      end
+      Kernel.system(runtime_environment, *args) or exit($?.to_i) # keep original exit code in case of failure
+    end
+  end
+
+  desc "Check availability of Conjur variables" 
+  long_desc "Checks availability of Conjur variables mentioned in an environment configuration (see env:help for details), and prints out each local name and appropriate status"
+
+  command :check do |c|
+    common_parameters(c)
+    c.action do |global_options,options,args|
+      env = get_env_object(options)
+      result = env.check(api)
+      result.each { |k,v| puts "#{k}: #{v}" }
+      raise "Some variables are not available" unless result.values.select {|v| v == :unavailable }.empty?
+    end
+  end # command
+
+  desc "Render ERB template with variables obtained from Conjur"
+  long_desc <<'TEMPLATEDESC' 
+Processes environment configuration (see env:help for details), and creates a temporary file, which contains result of ERB template rendering in appropriate context.
+Template should refer to Conjur values by local name as "%<= conjurenv['local_name'] %>".
+
+Consider following environment configuration: 
+
+{ key_pair_name: jenkins_key, ssh_keypair_path: !tmp jenkins/private_key, api_key: !var jenkins/api_key }
+
+Values of the variables "jenkins/private_key" and "jenkins/api_key" will be obtained from Conjur. Value of "jenkins/api_key" will be associated with local name 'api_key'. Value of "jenkins/private_key" will be stored in the temporary file, which name will be associated with local name "ssh_keypair_path". 
+
+Than, following template 
+
+key_pair=<%= conjurenv["key_pair_name"] %>, path_to_ssh_key= <%= conjurenv["ssh_keypair_path"] %>, api_key = '<%= conjurenv["api_key"] %>'
+
+will be rendered to 
+
+key_pair=jenkins_key, path_to_ssh_key=/dev/shm/temp_file_with_key_obtained_from_Conjur, api_key='api key obtained from Conjur'
+
+Result of the rendering will be stored in temporary file, which location is than printed to stdout
+TEMPLATEDESC
+  arg_name "template.erb" 
+  command :template do |c|
+    common_parameters(c)
+
+    c.action do |global_options,options,args|
+      template_file = args.first
+      exit_now! "Location of readable ERB template should be provided" unless template_file and File.readable?(template_file)
+      template = File.read(template_file)
+      env = get_env_object(options)
+      conjurenv = env.obtain(api)  # needed for binding
+      rendered = ERB.new(template).result(binding)
+
+      # 
+      tempfile = if File.directory?("/dev/shm") and File.writable?("/dev/shm")
+                    Tempfile.new("conjur","/dev/shm")
+                 else
+                    Tempfile.new("conjur")
+                 end
+      tempfile.write(rendered)
+      tempfile.close()
+      old_path = tempfile.path
+      new_path = old_path+".saved"
+      FileUtils.copy(old_path, new_path) # prevent garbage collection
+      puts new_path
+    end
+  end
+
+  desc "Print description of environment configuration format" 
+  command :help do |c|
+    c.action do |global_options,options,args|
+      puts """
+Environment configuration (either stored in file referred by -f option or provided inline with --yaml option) should be a YAML document describing one-level Hash.
+Keys of the hash are 'local names', used to refer to variable values in convenient manner.  (See help for env:run and env:template for more details about how they are interpreted).
+
+Values of the hash may take one of the following forms: a) string b) string preceeded with !var tag c) string preceeded with !tmp tag.
+
+a) Plain string is just associated with local name without any calls to Conjur.
+
+b) String preceeded by !var tag is interpreted as an ID of the Conjur variable, which value should be obtained and associated with appropriate local name.
+
+c) String preceeded by !tmp tag is interpreted as an ID of the Conjur variable, which value should be stored in temporary file, which location should in turn be associated with appropriate local name.
+
+Example of environment configuration: 
+
+{ local_variable_1: 'literal value', local_variable_2: !var id/of/Conjur/Variable , local_variable_3: !tmp id/of/another/Conjur/variable }
+
+    """ 
+    end
+  end
+
+end

data/lib/conjur/command/field.rb

@@ -25,6 +25,8 @@ class Conjur::Command::Field < Conjur::Command
   
   desc "(Deprecated. See standalone jsonfield command instead.)"
   command :select do |c|
+    def c.nodoc; true end
+
     c.action do |global_options,options,args|
       pattern = require_arg(args, 'pattern')
       value = args.shift || STDIN.read

data/lib/conjur/command/hosts.rb

@@ -62,6 +62,15 @@ class Conjur::Command::Hosts < Conjur::Command
     end
   end
   
+  desc "List the layers to which the host belongs"
+  arg_name "id"
+  command :layers do |c|
+    c.action do |global_options, options, args|
+      id = require_arg(args, 'id')
+      display api.host(id).role.all.select{|r| r.kind == "layer"}.map(&:identifier), options
+    end
+  end
+  
   desc "Enroll a new host into conjur"
   arg_name "host"
   command :enroll do |c|

data/lib/conjur/command/init.rb

@@ -19,6 +19,8 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 require 'conjur/command'
+require 'openssl'
+require 'socket'
 
 class Conjur::Command::Init < Conjur::Command
   desc "Initialize the Conjur configuration"
@@ -40,14 +42,14 @@ class Conjur::Command::Init < Conjur::Command
     c.desc "Hostname of the Conjur endpoint (required for virtual appliance)"
     c.flag ["h", "hostname"]
 
-    c.desc "Conjur account name (will be obtained from the host unless provided by this option)"
+    c.desc "Conjur organization account name (not required for appliance)"
     c.flag ["a", "account"]
     
     c.desc "Conjur SSL certificate (will be obtained from host unless provided by this option)"
     c.flag ["c", "certificate"]
 
     c.desc "File to write the configuration to"
-    c.default_value File.join(ENV['HOME'], '.conjurrc')
+    c.default_value File.expand_path('~/.conjurrc')
     c.flag ["f","file"]
     
     c.desc "Force overwrite of existing files"
@@ -57,17 +59,18 @@ class Conjur::Command::Init < Conjur::Command
       hl = HighLine.new $stdin, $stderr
 
       hostname = options[:hostname] || hl.ask("Enter the hostname (and optional port) of your Conjur endpoint: ").to_s
-      exit_now! "Hostname should not include the protocol" if hostname =~ /^https?\:/
+      protocol, hostname = (hostname.scan %r(^(?:(.*)://)?(.*))).first
+      exit_now! "only https protocol supported" unless protocol.nil? || protocol == 'https'
       if hostname
         Conjur.configuration.core_url = "https://#{hostname}/api"
       end
       
       account = options[:account]
       account ||= if hostname
-        account = Conjur::Core::API.info['account'] or raise "Exepcting 'account' in Core info"
+        account = Conjur::Core::API.info['account'] or raise "Expecting 'account' in Core info"
       else
         # using .to_s to overcome https://github.com/JEG2/highline/issues/69
-        hl.ask("Enter your account name: ").to_s
+        hl.ask("Enter your organization account name: ").to_s
       end
       
       if (certificate = options[:certificate]).blank?
@@ -77,13 +80,7 @@ class Conjur::Command::Init < Conjur::Command
           else
             hostname + ':443'
           end
-          certificate = \
-            `echo | openssl s_client -connect #{connect_hostname}  2>/dev/null | openssl x509 -fingerprint`
-          exit_now! "Unable to retrieve certificate from #{hostname}" if certificate.blank?
-          
-          lines = certificate.split("\n")
-          fingerprint = lines[0]
-          certificate = lines[1..-1].join("\n")
+          fingerprint, certificate = get_certificate connect_hostname
 
           puts
           puts fingerprint
@@ -118,4 +115,26 @@ class Conjur::Command::Init < Conjur::Command
       puts "Wrote configuration to #{options[:file]}"
     end
   end
+
+  def self.get_certificate connect_hostname
+    include OpenSSL::SSL
+    host, port = connect_hostname.split ':'
+    port ||= 443
+
+    sock = TCPSocket.new host, port.to_i
+    ssock = SSLSocket.new sock
+    ssock.connect
+    cert = ssock.peer_cert
+    fp = Digest::SHA1.digest cert.to_der
+
+    # convert to hex, then split into bytes with :
+    hexfp = (fp.unpack 'H*').first.upcase.scan(/../).join(':')
+
+    ["SHA1 Fingerprint=#{hexfp}", cert.to_pem]
+  rescue
+    exit_now! "Unable to retrieve certificate from #{connect_hostname}"
+  ensure
+    ssock.close if ssock
+    sock.close if sock
+  end
 end

data/lib/conjur/command/policy.rb

@@ -20,16 +20,19 @@
 #
 require 'conjur/command/dsl_command'
 
+require 'etc'
+require 'socket'
+
 class Conjur::Command::Policy < Conjur::DSLCommand
   self.prefix = :policy
   
   class << self
     def default_collection_user
-      ( ENV['USER'] ).strip
+      Etc.getlogin
     end
     
     def default_collection_hostname
-      ( ENV['HOSTNAME'] || `hostname` ).strip
+      Socket.gethostname
     end
   
     def default_collection_name
@@ -80,4 +83,4 @@ owner of the policy role is the logged-in user (you), as always.
       end
     end
   end
-end
+end

data/lib/conjur/command/roles.rb

@@ -38,7 +38,7 @@ class Conjur::Command::Roles < Conjur::Command
       end
       
       role.create(options)
-      display(role, options)
+      puts "Created role #{role.roleid}"
     end
   end
   

data/lib/conjur/command/secrets.rb

@@ -27,6 +27,8 @@ class Conjur::Command::Secrets < Conjur::Command
   desc "Create and store a secret"
   arg_name "secret"
   command :create do |c|
+    def c.nodoc; true end
+
     acting_as_option(c)
 
     c.action do |global_options,options,args|
@@ -38,6 +40,7 @@ class Conjur::Command::Secrets < Conjur::Command
   desc "Retrieve a secret"
   arg_name "id"
   command :value do |c|
+    def c.nodoc; true end
     c.action do |global_options,options,args|
       id = args.shift or raise "Missing parameter: id"
       puts api.secret(id).value

data/lib/conjur/command/variables.rb

@@ -87,6 +87,7 @@ class Conjur::Command::Variables < Conjur::Command
       puts "Value added"
     end
   end
+  
 
   desc "Get a value"
   arg_name "variable"