conjur-cli 5.3.0 → 5.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 45db6cca737f188f732a2684c54952df012e4da0
-  data.tar.gz: c39fc7be243e1508a4a71459e77c1248efff5ba4
+  metadata.gz: b2bb2f6423b56a36f979bdd3d26be85172e986a9
+  data.tar.gz: 8a35bfcafee51a86fe6fd28112049bace77ebf98
 SHA512:
-  metadata.gz: 3c2db8ea4d3cef7dbb0c099e89fe02416dc2247a3463c9796d46ad572a591e4c7d796d17bee5f3b7eb479ebf047469491459116a654205575d2932cb36c019ea
-  data.tar.gz: 302e5e260a4169265c2b2cae9e7f23fcfb37197ef51532662cc71dac1fe2abd463e831c15db8b043d2e690c3bb3d9e3c16f513b21cd60d809b79e3beb3fbb438
+  metadata.gz: 8253351f69a787a362e355d45e13a8249a9500c0a3693ae1e902ee3c6413d0667ff202c21165ed574fb6448fbb9381367c3ad1103f37d6fbe0cb73bf299a7729
+  data.tar.gz: 3b6a5f2ddc3c965ed51302132f6bf9fe365c2e139643ce47a72031c324a0f250c6d72bbdfb58939fa5b6ae79b11945f630fd10c1e62caf40f40f2a165470cc6c

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+# 5.4.0
+
+* Deprecated several commands in favor of using policy.
+* Add `policy` subcommand for `ldap-sync`, get rid of `jobs` and `now` subcommands.
+* Relax constraint on activesupport gem
+
 # 5.3.0
 
 * Add `jobs` subcommands for `ldap-sync`.

data/Gemfile

@@ -6,11 +6,13 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in conjur.gemspec
 gemspec
 
-gem 'conjur-api', '>= 4.26.2', git: 'https://github.com/conjurinc/api-ruby.git', branch: 'master'
+gem 'activesupport', '~> 4.2'
+
+gem 'conjur-api', '>= 4.28.1', git: 'https://github.com/conjurinc/api-ruby.git', branch: 'master'
 gem 'semantic', '>= 1.4.1', git: 'https://github.com/jlindsey/semantic.git'
 
 group :test, :development do
-  gem 'pry'
+  gem 'pry'                     # Don't be tempted to change this to pry-byebug until we drop support for 1.9
   gem 'pry-doc'
   gem 'ruby-prof'
   gem 'conjur-debify', '~> 1.0'

data/bin/conjur

@@ -23,4 +23,6 @@
 require 'active_support'
 require 'conjur/cli'
 
+require 'patches/gli'
+
 exit Conjur::CLI.run(ARGV)

data/conjur.gemspec

@@ -15,8 +15,8 @@ Gem::Specification.new do |gem|
   gem.require_paths = ["lib"]
   gem.version       = Conjur::VERSION
 
-  gem.add_dependency 'activesupport', '~> 4.2'
-  gem.add_dependency 'conjur-api', '~> 4.21'
+  gem.add_dependency 'activesupport', '>= 4.2'
+  gem.add_dependency 'conjur-api', '>= 4.28.1'
   gem.add_dependency 'gli', '>=2.8.0'
   gem.add_dependency 'highline', '~> 1.7'
   gem.add_dependency 'netrc', '~> 0.10'

data/deprecations.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+searchstring='DEPRECATED'
+
+function bundleexec {
+  bundle exec "$@" 2> /dev/null
+}
+
+echo "Planned deprecations for Conjur CLI"
+echo "-----"
+
+echo "group"
+bundleexec conjur group | grep "$searchstring"
+echo "group members"
+bundleexec conjur group members | grep "$searchstring"
+
+echo "hostfactory"
+bundleexec conjur hostfactory | grep "$searchstring"
+
+echo "host"
+bundleexec conjur host | grep "$searchstring"
+
+echo "layer"
+bundleexec conjur layer | grep "$searchstring"
+echo "layer hosts"
+bundleexec conjur layer hosts | grep "$searchstring"
+
+echo "resource"
+bundleexec conjur resource | grep "$searchstring"
+
+echo "role"
+bundleexec conjur role | grep "$searchstring"
+
+echo "user"
+bundleexec conjur user | grep "$searchstring"
+
+echo "variable"
+bundleexec conjur variable | grep "$searchstring"

data/lib/conjur/command.rb

@@ -29,7 +29,7 @@ module Conjur
     
     class << self
       attr_accessor :prefix
-      
+
       def method_missing *a, &b
         Conjur::CLI.send *a, &b
       end
@@ -466,6 +466,10 @@ an alternative destination role.)
         false
       end
 
+      def notify_deprecated
+        STDERR.puts 'WARNING! This command is deprecated and will be removed. Use policy instead.'
+      end
+
     end
   end
 end

data/lib/conjur/command/groups.rb

@@ -29,16 +29,17 @@ class Conjur::Command::Groups < Conjur::Command
   
   desc "Manage groups"
   command :group do |group|
-    group.desc "Create a new group"
+    group.desc "Create a new group [DEPRECATED]"
     group.command :create do |c|
       c.desc "GID number to be associated with the group (optional)"
       c.flag [:gidnumber]
 
       acting_as_option(c)
-
       interactive_option c
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = args.shift
         
         interactive = options[:interactive] || id.blank?
@@ -86,12 +87,14 @@ class Conjur::Command::Groups < Conjur::Command
       end
     end
     
-    group.desc "Update group's attributes (eg. gidnumber)"
+    group.desc "Update group's attributes (eg. gidnumber) [DEPRECATED]"
     group.arg_name "GROUP"
     group.command :update do |c|
       c.desc "GID number to be associated with the group"
       c.flag [:gidnumber]
       c.action do |global_options, options, args|
+        notify_deprecated
+
         id = require_arg(args, 'GROUP')
 
         options[:gidnumber] = Integer(options[:gidnumber])
@@ -110,12 +113,14 @@ class Conjur::Command::Groups < Conjur::Command
       end
     end
 
-    group.desc "Decommission a group"
+    group.desc "Decommission a group [DEPRECATED]"
     group.arg_name "GROUP"
     group.command :retire do |c|
       retire_options c
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'GROUP')
         
         group = api.group(id)
@@ -144,7 +149,7 @@ class Conjur::Command::Groups < Conjur::Command
         end
       end
 
-      members.desc "Add a new group member"
+      members.desc "Add a new group member [DEPRECATED]"
       members.arg_name "GROUP USER"
       members.command :add do |c|
         c.desc "Also grant the admin option"
@@ -157,6 +162,8 @@ class Conjur::Command::Groups < Conjur::Command
         c.switch [:r, :'revoke-admin']
 
         c.action do |global_options,options,args|
+          notify_deprecated
+
           group = require_arg(args, 'GROUP')
           member = require_arg(args, 'USER')
           member = assume_user_kind(member)
@@ -177,10 +184,12 @@ class Conjur::Command::Groups < Conjur::Command
         end
       end
 
-      members.desc "Remove a group member"
+      members.desc "Remove a group member [DEPRECATED]"
       members.arg_name "GROUP USER"
       members.command :remove do |c|
         c.action do |global_options,options,args|
+          notify_deprecated
+
           group = require_arg(args, 'GROUP')
           member = require_arg(args, 'USER')
           member = assume_user_kind(member)

data/lib/conjur/command/host_factories.rb

@@ -23,7 +23,7 @@ class Conjur::Command::HostFactories < Conjur::Command
   desc "Manage host factories"
 
   command :hostfactory do |hf|
-    hf.desc "Create a new host factory"
+    hf.desc "Create a new host factory [DEPRECATED]"
     hf.arg_name "id"
     hf.command :create do |c|
       acting_as_option(c)
@@ -33,6 +33,8 @@ class Conjur::Command::HostFactories < Conjur::Command
       c.flag [:l, :layer]
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'hostfactory')
         
         unless options[:ownerid]

data/lib/conjur/command/hosts.rb

@@ -26,7 +26,7 @@ class Conjur::Command::Hosts < Conjur::Command
   
   desc "Manage hosts"
   command :host do |hosts|
-    hosts.desc "Create a new host"
+    hosts.desc "Create a new host [DEPRECATED]"
     hosts.arg_name "NAME"
     hosts.command :create do |c|
       c.arg_name "password"
@@ -38,6 +38,8 @@ class Conjur::Command::Hosts < Conjur::Command
       acting_as_option(c)
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = args.shift
 
         unless id
@@ -61,12 +63,14 @@ class Conjur::Command::Hosts < Conjur::Command
       end
     end
 
-    hosts.desc "Decommission a host"
+    hosts.desc "Decommission a host [DEPRECATED]"
     hosts.arg_name "HOST"
     hosts.command :retire do |c|
       retire_options c
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'HOST')
         
         host = api.host(id)
@@ -132,13 +136,15 @@ class Conjur::Command::Hosts < Conjur::Command
       end
     end
 
-    hosts.desc "Update a hosts's attributes"
+    hosts.desc "Update a hosts's attributes [DEPRECATED]"
     hosts.arg_name "HOST"
     hosts.command :update do |c|
       c.desc "A comma-delimited list of CIDR addresses to restrict host to (optional). Use 'all' to reset"
       c.flag [:cidr]
 
       c.action do |global_options, options, args|
+        notify_deprecated
+
         id = require_arg(args, 'HOST')
 
         host = api.host(id)
@@ -153,7 +159,7 @@ class Conjur::Command::Hosts < Conjur::Command
       end
     end
 
-    hosts.desc "[Deprecated] Enroll a new host into conjur"
+    hosts.desc "Enroll a new host into conjur [DEPRECATED]"
     hosts.arg_name "HOST"
     hosts.command :enroll do |c|
       hide_docs(c)

data/lib/conjur/command/layers.rb

@@ -35,12 +35,14 @@ class Conjur::Command::Layers < Conjur::Command
   desc "Operations on layers"
   command :layer do |layer|
 
-    layer.desc "Create a new layer"
+    layer.desc "Create a new layer [DEPRECATED]"
     layer.arg_name "LAYER"
     layer.command :create do |c|
       acting_as_option(c)
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'LAYER')
 
         layer = api.create_layer(id, options)
@@ -104,12 +106,14 @@ class Conjur::Command::Layers < Conjur::Command
       end
     end
 
-    layer.desc "Decommission a layer"
+    layer.desc "Decommission a layer [DEPRECATED]"
     layer.arg_name "LAYER"
     layer.command :retire do |c|
       retire_options c
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'LAYER')
         
         layer = api.layer(id)
@@ -134,23 +138,27 @@ class Conjur::Command::Layers < Conjur::Command
 
     layer.desc "Operations on hosts"
     layer.command :hosts do |hosts|
-      hosts.desc "Permit a privilege on hosts in the layer"
+      hosts.desc "Permit a privilege on hosts in the layer [DEPRECATED]"
       hosts.long_desc <<-DESC
 Privilege may be : execute, update
       DESC
       hosts.arg_name "LAYER ROLE PRIVILEGE"
       hosts.command :permit do |c|
         c.action do |global_options,options,args|
+          notify_deprecated
+
           id, role_name, role = parse_layer_permission_args(global_options, options, args)
           api.layer(id).add_member role_name, role
           puts "Permission granted"
         end
       end
 
-      hosts.desc "Remove a privilege on hosts in the layer"
+      hosts.desc "Remove a privilege on hosts in the layer [DEPRECATED]"
       hosts.arg_name "LAYER ROLE PRIVILEGE"
       hosts.command :deny do |c|
         c.action do |global_options,options,args|
+          notify_deprecated
+
           id, role_name, role = parse_layer_permission_args(global_options, options, args)
           api.layer(id).remove_member role_name, role
           puts "Permission removed"
@@ -171,10 +179,12 @@ Privilege may be : execute, update
         end
       end
 
-      hosts.desc "Add a host to an layer"
+      hosts.desc "Add a host to an layer [DEPRECATED]"
       hosts.arg_name "LAYER HOST"
       hosts.command :add do |c|
         c.action do |global_options, options, args|
+          notify_deprecated
+
           id = require_arg(args, 'LAYER')
           hostid = require_hostid_arg(args)
 
@@ -183,10 +193,12 @@ Privilege may be : execute, update
         end
       end
 
-      hosts.desc "Remove a host from an layer"
+      hosts.desc "Remove a host from an layer [DEPRECATED]"
       hosts.arg_name "LAYER HOST"
       hosts.command :remove do |c|
         c.action do |global_options, options, args|
+          notify_deprecated
+
           id = require_arg(args, 'LAYER')
           hostid = require_hostid_arg(args)
 

data/lib/conjur/command/ldapsync.rb

@@ -4,127 +4,115 @@ class Conjur::Command::LDAPSync < Conjur::Command
 
   LIST_FORMATS = %w(pretty json)
 
-  def self.find_job_by_id args
-    job_id = require_arg args, 'JOB-ID'
+  def self.error_messages(resp)
+    resp['events'].collect {|e| e['message'] if e['severity'] == 'error'}.compact
+  end
 
-    if (job = api.ldap_sync_jobs.find{|j| j.id == job_id})
-      job
-    else
-      exit_now! "No job found with ID '#{job_id}'"
+  def self.show_messages(resp)
+    msgs = resp['events'].each_with_object([]) do |e, arr|
+      if e['severity'] == 'warn' || e['severity'] == 'error'
+        arr << "\n#{e['severity'].upcase}: #{e['message']}"
+      end
     end
+    $stderr.puts(msgs.join("\n") + "\n\n") unless msgs.empty?
   end
 
   desc 'LDAP sync management commands'
   command :'ldap-sync' do |cgrp|
 
-    cgrp.desc 'Manage detached LDAP sync jobs'
-    cgrp.command :jobs do |jobs|
-
-      jobs.desc 'List detached jobs'
-      jobs.command :list do |cmd|
-
-        cmd.desc "Specify output format (#{LIST_FORMATS.join(',')})"
-        cmd.flag %w(f format), default_value: 'json', must_match: LIST_FORMATS
-
-        cmd.desc 'Show only JOB ids'
-        cmd.switch %w(i ids-only), default_value: false
-
-        cmd.action do |_,options,_|
-          jobs = api.ldap_sync_jobs.map(&:to_h)
-
-
-          if options[:format] == 'pretty'
-            require 'table_print'
-            fields = [{id: {width: 38}}]
-
-            fields.concat([:type, :state, :exclusive]) unless options[:'ids-only']
-
-            tp jobs, *fields
+    cgrp.desc 'Manage the policy used to sync Conjur and the LDAP server'
+    cgrp.command :policy do |policy|
+      min_version policy, '4.8.0'
+
+      policy.desc 'Show the current policy'
+      policy.command :show do |show|
+        min_version show, '4.8.0'
+        show.desc 'LDAP Sync profile to use (defined in UI)'
+        show.arg_name 'profile'
+        show.flag ['p', 'profile']
+
+        show.action do |_,options,_|
+
+          config_name = options[:profile] || 'default'
+          resp = api.ldap_sync_policy(config_name)
+          
+          show_messages(resp)
+
+          if (policy = resp['policy'])
+            if resp['ok']
+              puts(resp['policy'])
+            else
+              exit_now! "Failed creating the policy."
+            end
           else
-            jobs = jobs.map{|j| j[:id]} if options[:'ids-only']
-
-            display(jobs)
+            exit_now! resp['error']['message']
           end
-
         end
       end
+    end
 
-      jobs.desc 'Delete a detached job'
-      jobs.arg_name 'JOB-ID'
-      jobs.command :delete do |cmd|
-        cmd.action do |_, _, args|
-          find_job_by_id(args).delete
-          puts "Job deleted"
+    # Currently hidden. It's easier to use the CLI than cURL, though,
+    # so we might want to expose the profile subcommands.
+    cgrp.desc 'Manage profiles for LDAP sync'
+    cgrp.command :profile do |profile|
+      hide_docs(profile)
+      min_version profile, '4.8.0'
+      
+      profile.desc 'Show the profile'
+      profile.command :show do |show|
+        min_version show, '4.8.0'
+
+        show.arg_name 'profile'
+        show.flag ['p', 'profile']
+        show.action do |_,options,_|
+          display(api.ldap_sync_show_profile(options[:profile]))
         end
       end
 
-      jobs.desc 'Show the output from a detached job'
-      jobs.arg_name 'JOB-ID'
-      jobs.command :show do |cmd|
-        cmd.action do |_,_,args|
-          find_job_by_id(args).output do |event|
-            display(event)
-          end
+      profile.desc 'Create or update a profile'
+      profile.arg_name 'PROFILE_JSON'
+      profile.long_desc %Q{Create or update the given profile.
+The profile JSON may be provided in two ways:
+
+1. As a literal (quoted) JSON string.
+
+2. In a file, by prepending an '@' to the path to the file
+}
+      profile.command :update do |update|
+        min_version update, '4.8.0'
+        
+        update.arg_name 'profile'
+        update.flag ['p', 'profile']
+        update.action do |_, options, args|
+          config = require_arg(args, 'PROFILE_JSON')
+          config = File.read(config[1..-1]) if config[0] == '@'
+          display(api.ldap_sync_update_profile(options[:profile], JSON.parse(config)))
         end
       end
+
     end
 
-    cgrp.desc 'Trigger a sync of users/groups from LDAP to Conjur'
-    cgrp.command :now do |cmd|
-      cmd.desc 'LDAP Sync profile to use (defined in UI)'
-      cmd.default_value 'default'
-      cmd.arg_name 'profile'
-      cmd.flag ['p', 'profile']
-  
-      cmd.desc 'Print the actions that would be performed'
-      cmd.default_value false
-      cmd.switch ['dry-run']
-  
-      cmd.desc 'Output format of sync operation (text, yaml)'
-      cmd.default_value 'text'
-      cmd.arg_name 'format'
-      cmd.flag ['f', 'format'], :must_match => ['text', 'yaml']
-
-      cmd.desc 'Run sync as a detached job'
-      cmd.default_value true
-      cmd.switch ['detach']
-
-      cmd.action do |_ ,options, args|
-        assert_empty args
-        
-        format = options[:format] == 'text' ? 'application/json' : 'text/yaml'
-
-        dry_run = !!options[:'dry-run']
-
-        # Don't ever run dry-run jobs detached
-        options[:detach] = false if dry_run
-
-        $stderr.puts "Performing #{dry_run ? 'dry run ' : ''}LDAP sync"
-  
-        response = api.ldap_sync_now(:config_name => options[:profile], 
-          :format => format, 
-          :dry_run => dry_run,
-          :detach_job => options[:detach]
-        )
-  
-        if !options[:detach]
-          if options[:format] == 'text'
-            puts "Messages:"
-            response['events'].each do |event|
-              puts [ event['timestamp'], event['severity'], event['message'] ].join("\t")
-            end
-            puts
-            puts "Actions:"
-            response['result']['actions'].each do |action|
-              puts action
-            end
-          else
-            puts response
-          end
+    cgrp.desc 'Search using an LDAP sync profile'
+    cgrp.command :search do |search|
+      hide_docs(search)
+      min_version search, '4.8.0'
+      
+      search.desc 'LDAP Sync profile to use (defined in UI)'
+      search.arg_name 'profile'
+      search.flag ['p', 'profile']
+      search.action do |_,options,_|
+        resp = api.ldap_sync_search(options[:profile] || 'default')
+                                                                    
+        show_messages(resp)
+
+        if resp['ok']
+          display resp
         else
-          display response
+          exit_now! "Search failed."
         end
+
       end
     end
+
   end
 end

data/lib/conjur/command/resources.rb

@@ -23,12 +23,14 @@ class Conjur::Command::Resources < Conjur::Command
   desc "Manage resources"
   command :resource do |resource|
 
-    resource.desc "Create a new resource"
+    resource.desc "Create a new resource [DEPRECATED]"
     resource.arg_name "RESOURCE"
     resource.command :create do |c|
       acting_as_option(c)
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = full_resource_id( require_arg(args, "RESOURCE") )
         resource = api.resource(id)
 
@@ -59,12 +61,14 @@ class Conjur::Command::Resources < Conjur::Command
       end
     end
 
-    resource.desc "Give a privilege on a resource"
+    resource.desc "Give a privilege on a resource [DEPRECATED]"
     resource.arg_name "RESOURCE ROLE PRIVILEGE"
     resource.command :permit do |c|
       c.desc "allow transfer to other roles"
       c.switch [:g, :grantable]
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = full_resource_id( require_arg(args, "RESOURCE") )
         role = require_arg(args, "ROLE")
         privilege = require_arg(args, "PRIVILEGE")
@@ -79,10 +83,12 @@ class Conjur::Command::Resources < Conjur::Command
       end
     end
 
-    resource.desc "Deny a privilege on a resource"
+    resource.desc "Deny a privilege on a resource [DEPRECATED]"
     resource.arg_name "RESOURCE ROLE PRIVILEGE"
     resource.command :deny do |c|
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = full_resource_id( require_arg(args, "RESOURCE") )
         role = require_arg(args, "ROLE")
         privilege = require_arg(args, "PRIVILEGE")
@@ -115,10 +121,12 @@ class Conjur::Command::Resources < Conjur::Command
       end
     end
 
-    resource.desc "Grant ownership on a resource to a new owner"
+    resource.desc "Grant ownership on a resource to a new owner [DEPRECATED]"
     resource.arg_name "RESOURCE USER"
     resource.command :give do |c|
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = full_resource_id( require_arg(args, "RESOURCE") )
         owner = require_arg(args, "USER")
         api.resource(id).give_to owner
@@ -136,12 +144,14 @@ class Conjur::Command::Resources < Conjur::Command
       end
     end
 
-    resource.desc "Set an annotation on a resource"
+    resource.desc "Set an annotation on a resource [DEPRECATED]"
     resource.arg_name "RESOURCE ANNOTATION value"
     resource.command :annotate do |c|
       interactive_option c
       
       c.action do |global_options, options, args|
+        notify_deprecated
+
         id = full_resource_id require_arg(args, 'RESOURCE')
 
         annotations = if options[:interactive]

data/lib/conjur/command/roles.rb

@@ -26,7 +26,7 @@ class Conjur::Command::Roles < Conjur::Command
   desc "Manage roles"
   command :role do |role|
 
-    role.desc "Create a new role"
+    role.desc "Create a new role [DEPRECATED]"
     role.arg_name "ROLE"
     role.command :create do |c|
       acting_as_option(c)
@@ -35,6 +35,8 @@ class Conjur::Command::Roles < Conjur::Command
       c.switch "json"
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'ROLE')
         role = api.role(id)
 
@@ -102,13 +104,15 @@ class Conjur::Command::Roles < Conjur::Command
       end
     end
 
-    role.desc "Grant a role to another role. You must have admin permission on the granting role."
+    role.desc "Grant a role to another role. You must have admin permission on the granting role. [DEPRECATED]"
     role.arg_name "ROLE-1 ROLE-2"
     role.command :grant_to do |c|
       c.desc "Whether to grant with admin option"
       c.switch [:a,:admin]
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'ROLE-1')
         member = require_arg(args, 'ROLE-2')
         role = api.role(id)
@@ -120,10 +124,12 @@ class Conjur::Command::Roles < Conjur::Command
     end
 
 
-    role.desc "Revoke a role from another role. You must have admin permission on the revoking role."
+    role.desc "Revoke a role from another role. You must have admin permission on the revoking role. [DEPRECATED]"
     role.arg_name "ROLE-1 ROLE-2"
     role.command :revoke_from do |c|
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'ROLE-1')
         member = require_arg(args, 'ROLE-2')
         role = api.role(id)

data/lib/conjur/command/rubydsl.rb

@@ -21,7 +21,7 @@
 require 'conjur/command/dsl_command'
 
 class Conjur::Command::RubyDSL < Conjur::DSLCommand
-  desc "Manage Ruby DSL policies (deprecated)"
+  desc "Manage Ruby DSL policies [DEPRECATED]"
   long_desc 'DEPRECATED. Declarative YML policy supercedes Ruby policy DSL.'
   command :rubydsl do |rubydsl|
     rubydsl.desc "Load a policy from Conjur DSL"

data/lib/conjur/command/users.rb

@@ -24,7 +24,7 @@ class Conjur::Command::Users < Conjur::Command
   desc "Manage users"
   command :user do |user|
 
-    user.desc "Create a new user"
+    user.desc "Create a new user [DEPRECATED]"
     user.arg_name "NAME"
     user.command :create do |c|
       c.desc "Prompt for a password for the user (default: --no-password)"
@@ -41,6 +41,8 @@ class Conjur::Command::Users < Conjur::Command
       interactive_option c
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         login = args.shift
 
         interactive = options[:interactive] || login.blank?
@@ -101,12 +103,14 @@ class Conjur::Command::Users < Conjur::Command
       end
     end
 
-    user.desc "Decommission a user"
+    user.desc "Decommission a user [DEPRECATED]"
     user.arg_name "USER"
     user.command :retire do |c|
       retire_options c
 
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'USER')
         
         user = api.user(id)
@@ -164,7 +168,7 @@ class Conjur::Command::Users < Conjur::Command
       end
     end
 
-    user.desc "Update a user's attributes"
+    user.desc "Update a user's attributes [DEPRECATED]"
     user.arg_name "USER"
     user.command :update do |c|
       c.desc "UID number to be associated with user (optional)"
@@ -174,6 +178,8 @@ class Conjur::Command::Users < Conjur::Command
       c.flag [:cidr]
 
       c.action do |global_options, options, args|
+        notify_deprecated
+
         login=require_arg(args,'USER')
 
         uidnumber = options[:uidnumber]

data/lib/conjur/command/variables.rb

@@ -21,7 +21,7 @@
 class Conjur::Command::Variables < Conjur::Command
   desc "Manage variables"
   command :variable do |var|
-    var.desc "Create and store a variable"
+    var.desc "Create and store a variable [DEPRECATED]"
     var.arg_name "NAME VALUE"
     var.command :create do |c|
       c.arg_name "MIME-TYPE"
@@ -41,6 +41,8 @@ class Conjur::Command::Variables < Conjur::Command
       interactive_option c
 
       c.action do |global_options,options, args|
+        notify_deprecated
+
         @default_mime_type = c.flags[:m].default_value
         @default_kind = c.flags[:k].default_value
         
@@ -99,12 +101,14 @@ class Conjur::Command::Variables < Conjur::Command
       end
     end
 
-    var.desc "Decommission a variable"
+    var.desc "Decommission a variable [DEPRECATED]"
     var.arg_name "VARIABLE"
     var.command :retire do |c|
       retire_options c
       
       c.action do |global_options,options,args|
+        notify_deprecated
+
         id = require_arg(args, 'VARIABLE')
         
         variable = api.variable(id)

data/lib/conjur/version.rb

@@ -19,6 +19,6 @@
 # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 module Conjur
-  VERSION = '5.3.0'
+  VERSION = '5.4.0'
   ::Version=VERSION
 end

data/lib/patches/gli.rb

@@ -0,0 +1,31 @@
+# Patch GLI's help formatters so they don't show subcommands that are
+# supposed to be hidden.
+module CommandHelpFormatPatch
+  def format
+    @command.commands.reject! {|k,c| c.nodoc}
+    @command.commands_declaration_order.reject! {|c| c.nodoc}
+
+    super
+  end
+end
+
+module HelpCompletionFormatPatch
+  def format
+    name = @args.shift
+    
+    base = @command_finder.find_command(name)
+    base = @command_finder.last_found_command if base.nil?
+    base = @app if base.nil?
+    
+    prefix_to_match = @command_finder.last_unknown_command
+    
+    base.commands.reject {|_,c| c.nodoc}.values.map { |command|
+      [command.name,command.aliases]
+    }.flatten.compact.map(&:to_s).sort.select { |command_name|
+      prefix_to_match.nil? || command_name =~ /^#{prefix_to_match}/
+    }.join("\n")
+  end
+end
+
+GLI::Commands::HelpModules::CommandHelpFormat.send(:prepend, CommandHelpFormatPatch)
+GLI::Commands::HelpModules::HelpCompletionFormat.send(:prepend, HelpCompletionFormatPatch)

data/spec/command/ldapsync_spec.rb

@@ -1,145 +1,28 @@
 require 'spec_helper'
 
 describe Conjur::Command::LDAPSync, logged_in: true do
-  let(:timestamp) { Time.now.to_s }
-  let(:json_response) { {
-      'events' => [
-        { "timestamp" => timestamp,
-          "severity" => "info",
-          "message" => "Performing sync"
-        }
-      ],
-      'result' => {
-        'actions' => [
-            "user 'Guest'", "group 'Domain Computers'"
-        ]
-      }
-  } }
-  let(:yaml_response) { [
-      'annotations' => {
-          'ldap-sync/source' => '192.168.99.100:389',
-          'ldap-sync/upstream-dn' => 'cn=Guest,dc=example,dc=org',
-      }
-  ].to_yaml }
 
-
-
-  context 'when testing ldap-sync jobs commands' do
-    let(:jobs){
-      [
-          Conjur::LdapSyncJob.new(api, :id => 'job-1', :type => 'sync', :state => 'running', :exclusive => true),
-          Conjur::LdapSyncJob.new(api, :id => 'job-2', :type => 'connect', :state => 'success', :exclusive => false)
-      ]
-    }
-
-    before do
-      expect_any_instance_of(Conjur::API).to receive(:ldap_sync_jobs).and_return jobs
-    end
-
-    describe_command 'ldap-sync jobs list' do
-      it 'prints the jobs as json' do
-        expect { invoke }.to write(JSON.pretty_generate jobs.map(&:as_json))
-      end
-    end
-
-    describe_command 'ldap-sync jobs list -i' do
-      it 'prints the job ids only' do
-        expect { invoke }.to write(JSON.pretty_generate jobs.map(&:id))
-      end
-    end
-
-    describe_command 'ldap-sync jobs list -f pretty' do
-
-      it 'prints the jobs in a fancy table' do
-        expect{ invoke }.to write /ID\s*|\s*TYPE\s*|\s*STATE\s*|\s*EXCLUSIVE.*?
-job-1\s*|\s*sync\s*|\s*running\s*|\s*true
-job-2\s*|\s*connect\s*|\s*success\s*|\s*false/x
-      end
-    end
-
-
-    describe_command 'ldap-sync jobs delete job-2' do
-      let(:victim){ jobs[1] }
-      it 'deletes the job' do
-        expect(victim).to receive(:delete)
-        invoke
-      end
-    end
-
-    describe_command 'ldap-sync jobs delete no-such-job' do
-      it 'fails with a sensible error message' do
-        expect{ invoke }.to raise_exception(/No job found with ID 'no-such-job'/)
-      end
-    end
-
-    describe_command 'ldap-sync jobs show job-1' do
-      let(:victim){ jobs[0] }
-      it 'prints the values passed to output' do
-        expect(victim).to receive(:output) do |&block|
-          block.call({foo: 'bar'})
-          block.call({spam: 'eggs'})
-        end
-
-        expect{invoke}.to write(<<EOS)
-{
-  "foo": "bar"
+  let (:policy_response) { { 'ok' => true, 'events' => [], 'policy' => <<eop
+"---
+- !user
+  annotations:
+    ldap-sync/source: ldap-server:389
+    ldap-sync/upstream-dn: CN=Administrator,OU=functest,OU=testdata,OU=dev-ci,DC=dev-ci,DC=conjur
+  id: Administrator
+  uidnumber:"}
+eop
+  }
 }
-{
-  "spam": "eggs"
-}
-EOS
-
-      end
-    end
-  end
 
-  describe_command 'ldap-sync now --no-detach -f text' do
-    before {
-      expect_any_instance_of(Conjur::API).to receive(:ldap_sync_now).and_return json_response
-    }
-    it 'prints out diagnostic events' do
-      expect { invoke }.to write([ timestamp, "info", "Performing sync" ].join("\t"))
+  describe_command "ldap-sync policy show" do
+    
+    before do 
+      expect_any_instance_of(Conjur::API).to receive(:ldap_sync_policy).with('default').and_return policy_response
     end
-    it 'prints out actions as text' do
-      expect { invoke }.to write("user 'Guest'\ngroup 'Domain Computers'")
-    end
-  end
 
-  describe_command 'ldap-sync now --no-detach -f yaml' do
-    it 'prints out actions as unparsed yaml' do
-      expect_any_instance_of(Conjur::API).to receive(:ldap_sync_now).and_return yaml_response
-      expect { invoke }.to write(yaml_response)
+    it "shows the policy" do
+      expect { invoke }.to write policy_response['policy']
     end
   end
 
-  context 'when testing dry-run' do
-    let (:detach) { true }
-    before do
-      expect_any_instance_of(Conjur::API).to receive(:ldap_sync_now)
-                                              .with(:config_name => 'default', :format => 'application/json', :dry_run => dry_run, :detach_job => detach)
-                                              .and_return json_response
-    end
-
-    describe_command 'ldap-sync now' do
-      let(:dry_run) { false }
-      it 'passes falsey dry-run value' do
-        invoke
-      end
-    end
-
-    describe_command 'ldap-sync now --no-dry-run' do
-      let(:dry_run) { false }
-      it 'passes falsey dry-run value' do
-        invoke
-      end
-    end
-
-    describe_command 'ldap-sync now --dry-run' do
-      let(:dry_run) { true }
-      let(:detach) { false }
-      it 'passes truthy dry-run value' do
-        invoke
-      end
-    end
-  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: conjur-cli
 version: !ruby/object:Gem::Version
-  version: 5.3.0
+  version: 5.4.0
 platform: ruby
 authors:
 - Rafal Rzepecki
@@ -9,36 +9,36 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-14 00:00:00.000000000 Z
+date: 2016-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
         version: '4.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
         version: '4.2'
 - !ruby/object:Gem::Dependency
   name: conjur-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: '4.21'
+        version: 4.28.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: '4.21'
+        version: 4.28.1
 - !ruby/object:Gem::Dependency
   name: gli
   requirement: !ruby/object:Gem::Requirement
@@ -394,6 +394,7 @@ files:
 - ci/test.sh
 - conjur.gemspec
 - debify.sh
+- deprecations.sh
 - features/conjurize.feature
 - features/dsl_context.feature
 - features/dsl_host_create.feature
@@ -460,6 +461,7 @@ files:
 - lib/conjur/identifier_manipulation.rb
 - lib/conjur/version.rb
 - lib/patches/conjur/error.rb
+- lib/patches/gli.rb
 - profile.rb
 - publish.sh
 - spec/authn_spec.rb