conjur-cli 6.2.1 → 6.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d0520b947529d571863374704ce0b613a07b6e63fa1e9cb37932e0d254e17353
-  data.tar.gz: 490b04289eb77fdbb1c7d56fc317ac6266111af4cde3fb6a655c92e48cf50cf3
+  metadata.gz: c89f84185304b441b9cbba2d24ae68e311b7faa22631c011e937b8315f1c4361
+  data.tar.gz: 0d179fa949fcde1c2d2e0c00a675b1162508bb91103fbd266377b2fda6dced5e
 SHA512:
-  metadata.gz: 726d627c741a1a7ae611316dd482e6b2d6633e8d193fef1879f1acd5d8a86e68f8f5a0e5f0d6679085b7f15a86930a2a747c6a43c307ebedcd31494d52b1714e
-  data.tar.gz: 0424f34f72f7b625270eb42cbfe432160ab4a063a2600d82b7a8efe51d07df5e95a42d85b5dc3138d4074e63d2e28b8fc2a448d6c6ffe61f1715cd477269b2a2
+  metadata.gz: '035833e08fb406fbf4eec6bbd8d29eb0699d2311314230c05078f028fee8c5c84cb0cfd0428108c8778770b0c04a0d484cb4874ca78a59d10b5866701954a045'
+  data.tar.gz: cf4f51130b8ae40af835274ed6e89400615f381769e8b069dd83215ca7d65df9012fe3b7b8c17b660f4cd26604c2715ddfcfbaf2f21f4d86b4990194d474f69f

data/.github/ISSUE_TEMPLATE/bug.md

@@ -0,0 +1,27 @@
+---
+name: Bug
+about: Create a bug report to help us improve
+title: ''
+labels: component/cli, kind/bug
+assignees: ''
+
+---
+
+## Summary
+A clear and concise description of what the bug is.
+
+## Steps to Reproduce
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+## Expected Results
+A clear and concise description of what you expected to happen.
+
+## Actual Results (including error logs, if applicable)
+A clear and concise description of what actually did happen.
+
+## Additional Information
+Add any other context about the problem here.

data/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,27 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: kind/enhancement, component/cli
+assignees: ''
+
+---
+
+## Is your feature request related to a problem? Please describe.
+
+A clear and concise description of what the problem is. Ex. `I would like to see [...] because [...]`.
+Please include the intended use case and what the feature would improve on so that we can prioritize
+the feature accordingly.
+
+## Describe the solution you would like
+
+A clear and concise description of what the desired end result(s) would be.
+
+## Describe alternatives you have considered
+
+A clear and concise description of any alternative solutions or features that may be related to this that
+you have considered.
+
+## Additional context
+
+Add any other context information about the feature request here.

data/.gitleaks.toml

@@ -0,0 +1,216 @@
+title = "Secretless Broker gitleaks config"
+
+# This is the config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+# - https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
+# - https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
+[[rules]]
+description = "AWS Client ID"
+regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS Secret Key"
+regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "AWS MWS key"
+regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
+tags = ["key", "AWS", "MWS"]
+
+[[rules]]
+description = "PKCS8"
+regex = '''-----BEGIN PRIVATE KEY-----'''
+tags = ["key", "PKCS8"]
+
+[[rules]]
+description = "RSA"
+regex = '''-----BEGIN RSA PRIVATE KEY-----'''
+tags = ["key", "RSA"]
+
+[[rules]]
+description = "SSH"
+regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
+tags = ["key", "SSH"]
+
+[[rules]]
+description = "PGP"
+regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
+tags = ["key", "PGP"]
+
+[[rules]]
+description = "Facebook Secret Key"
+regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook Client ID"
+regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Facebook access token"
+regex = '''EAACEdEose0cBA[0-9A-Za-z]+'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Twitter Secret Key"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
+tags = ["key", "Twitter"]
+
+[[rules]]
+description = "Twitter Client ID"
+regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "Github"
+regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
+tags = ["key", "Github"]
+
+[[rules]]
+description = "LinkedIn Client ID"
+regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
+tags = ["client", "Twitter"]
+
+[[rules]]
+description = "LinkedIn Secret Key"
+regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
+tags = ["secret", "Twitter"]
+
+[[rules]]
+description = "Slack"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
+
+[[rules]]
+description = "EC"
+regex = '''-----BEGIN EC PRIVATE KEY-----'''
+tags = ["key", "EC"]
+
+[[rules]]
+description = "Generic API key"
+regex = '''(?i)(api_key|apikey)(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "API", "generic"]
+
+[[rules]]
+description = "Generic Secret"
+regex = '''(?i)secret(.{0,20})?['|"][0-9a-zA-Z]{32,45}['|"]'''
+tags = ["key", "Secret", "generic"]
+
+[[rules]]
+description = "Google API key"
+regex = '''AIza[0-9A-Za-z\\-_]{35}'''
+tags = ["key", "Google"]
+
+[[rules]]
+description = "Google Cloud Platform API key"
+regex = '''(?i)(google|gcp|youtube|drive|yt)(.{0,20})?['\"][AIza[0-9a-z\\-_]{35}]['\"]'''
+tags = ["key", "Google", "GCP"]
+
+[[rules]]
+description = "Google OAuth"
+regex = '''(?i)(google|gcp|auth)(.{0,20})?['"][0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com['"]'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Google OAuth access token"
+regex = '''ya29\.[0-9A-Za-z\-_]+'''
+tags = ["key", "Google", "OAuth"]
+
+[[rules]]
+description = "Heroku API key"
+regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]'''
+tags = ["key", "Heroku"]
+
+[[rules]]
+description = "MailChimp API key"
+regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]'''
+tags = ["key", "Mailchimp"]
+
+[[rules]]
+description = "Mailgun API key"
+regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]'''
+tags = ["key", "Mailgun"]
+
+[[rules]]
+description = "Password in URL"
+regex = '''[a-zA-Z]{3,10}:\/\/[^\/\s:@]{3,20}:[^\/\s:@]{3,20}@.{1,100}\/?.?'''
+tags = ["key", "URL", "generic"]
+
+[[rules]]
+description = "PayPal Braintree access token"
+regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}'''
+tags = ["key", "Paypal"]
+
+[[rules]]
+description = "Picatic API key"
+regex = '''sk_live_[0-9a-z]{32}'''
+tags = ["key", "Picatic"]
+
+[[rules]]
+description = "Slack Webhook"
+regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}'''
+tags = ["key", "slack"]
+
+[[rules]]
+description = "Stripe API key"
+regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}'''
+tags = ["key", "Stripe"]
+
+[[rules]]
+description = "Square access token"
+regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Square OAuth secret"
+regex = '''sq0csp-[0-9A-Za-z\\-_]{43}'''
+tags = ["key", "square"]
+
+[[rules]]
+description = "Twilio API key"
+regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "twilio"]
+
+[whitelist]
+files = [
+#  "(.*?)(jpg|gif|doc|pdf|bin)$",
+  ".gitleaks.toml"
+]
+regexes = [
+  "3a4rb19rpjejr89h6r29kd2fb3808cpy" # sample host API key in test data
+]
+
+# Additional Examples
+
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = [
+#     "4.1-4.3",
+#     "5.5-6.3",
+# ]
+# entropyROI = "line"
+# filetypes = [".go", ".py", ".c"]
+# tags = ["key"]
+# severity = "8"
+#
+#
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = ["4.1-4.3"]
+# filetypes = [".gee"]
+# entropyROI = "line"
+# tags = ["key"]
+# severity = "medium"
+
+# [[rules]]
+# description = "Any pem file"
+# filetypes = [".key"]
+# tags = ["pem"]
+# severity = "high"

data/CHANGELOG.md

@@ -1,34 +1,56 @@
-# 6.2.1
-
-* Pin to xdg gem v2.2.3 due to a [crashing CLI](https://github.com/cyberark/conjur-cli/issues/243).
-
-# 6.2.0
-
-* Add `ldap-sync` subcommand.
-
-# 6.1.1
-
-* No longer displaying error stack traces by default when an exception occurs duing CLI
-  initialization (e.g when trying to open a missing conjur certificate file). Stack traces
-  can be enabled for all errors in the CLI by setting the environment variable `GLI_DEBUG=true`.
-
-# [6.1.0](https://github.com/cyberark/conjur-cli/releases/tag/v6.1.0)
-
-* Pin dependency 'conjur-api' to '~> 5.1'. This update adds authn-local support to the API. [conjur-api PR #131](https://github.com/cyberark/conjur-api-ruby/pull/131)
-
-# [6.0.1](https://github.com/cyberark/conjur-cli/releases/tag/v6.0.1)
-
-* Pushes to `cyberark/conjur-cli:5` on DockerHub when tests pass
-* Use SNI when fetching certificate with `conjur init`.
-* Correctly specify dependency versions in gemspec.
-* Allow ActiveSupport v5 as a dependency.
-
-# [6.0.0](https://github.com/cyberark/conjur-cli/releases/tag/v6.0.0)
-
-* Provides compatibility with [cyberark/conjur](https://github.com/cyberark/conjur), Conjur 5 CE.
-* License changed to Apache 2.0.
-* **Codebase forked: for changes to the 5.x (API [v4][v4-branch]) series, see
-  [CHANGELOG in `v4` branch][v4-changelog]**
-
-[v4-branch]: https://github.com/cyberark/conjur-cli/tree/v4
-[v4-changelog]: https://github.com/cyberark/conjur-cli/blob/v4/CHANGELOG.md
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [6.2.2] - 2020-04-02
+### Changed
+- Docker image updated to flatten to a single layer and reduce the image
+  size ([cyberark/conjur-cli#253](https://github.com/cyberark/conjur-cli/issues/253))
+
+### Fixed
+- CLI image is only updated in DockerHub when the project has a new tag
+  ([cyberark/conjur-cli#270](https://github.com/cyberark/conjur-cli/issues/270))
+
+### Security
+- Update rake for CVE-2020-8130 ([cyberark/conjur-cli#263](https://github.com/cyberark/conjur-cli/issues/263))
+
+## [6.2.1] - 2019-05-22
+### Added
+- Pin to xdg gem v2.2.3 due to a [crashing CLI](https://github.com/cyberark/conjur-cli/issues/243).
+
+## 6.2.0 - 2018-06-22
+### Added
+- Add `ldap-sync` subcommand.
+
+## 6.1.1 - 0000-00-00
+### Added
+- No longer displaying error stack traces by default when an exception occurs duing CLI initialization (e.g when trying to open a missing conjur certificate file). Stack traces can be enabled for all errors in the CLI by setting the environment variable `GLI_DEBUG=true`.
+
+## [6.1.0] - 2018-04-09
+### Added
+- Pin dependency 'conjur-api' to '~> 5.1'. This update adds authn-local support to the API. [conjur-api PR #131](https://github.com/cyberark/conjur-api-ruby/pull/131)
+
+## [6.0.1] - 2018-04-09
+### Added
+- Pushes to `cyberark/conjur-cli:5` on DockerHub when tests pass
+- Use SNI when fetching certificate with `conjur init`.
+- Correctly specify dependency versions in gemspec.
+- Allow ActiveSupport v5 as a dependency.
+
+## [6.0.0] - 2017-10-13
+### Added
+- Provides compatibility with [cyberark/conjur](https://github.com/cyberark/conjur), Conjur 5 CE.
+- License changed to Apache 2.0.
+- **Codebase forked: for changes to the 5.x (API [v4](https://github.com/cyberark/conjur-cli/tree/v4)) series, see
+  [CHANGELOG in `v4` branch][v4-changelog](https://github.com/cyberark/conjur-cli/blob/v4/CHANGELOG.md)**
+
+[Unreleased]: https://github.com/cyberark/conjur-cli/compare/v6.2.2...HEAD
+[6.2.2]: https://github.com/cyberark/conjur-cli/compare/v6.2.1...v6.2.2
+[6.2.1]: https://github.com/cyberark/conjur-cli/compare/v6.2.0...v6.2.1
+[6.1.0]: https://github.com/cyberark/conjur-cli/compare/v6.0.1...v6.1.0
+[6.0.1]: https://github.com/cyberark/conjur-cli/compare/v6.0.0...v6.0.1
+[6.0.0]: https://github.com/cyberark/conjur-cli/compare/v5.6.6...v6.0.0

data/CONTRIBUTING.md

@@ -0,0 +1,81 @@
+# Contributing
+
+For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
+
+## Contributing
+
+1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo)
+2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository)
+3. Make local changes to your fork by editing files
+3. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line)
+4. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository)
+5. [Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork)
+
+From here your pull request will be reviewed and once you've responded to all
+feedback it will be merged into the project. Congratulations, you're a
+contributor!
+
+## Development
+
+Create a sandbox environment in Docker using the `./dev` folder:
+
+```sh-session
+$ cd dev
+dev $ ./start.sh
+```
+
+This will drop you into a bash shell in a container called `cli`.
+
+The sandbox also includes a Postgres container and Conjur server container. The
+environment is already setup to connect the CLI to the server:
+
+* **CONJUR_APPLIANCE_URL** `http://conjur`
+* **CONJUR_ACCOUNT** `cucumber`
+
+To login to conjur, type the following and you'll be prompted for a password:
+
+```sh-session
+root@2b5f618dfdcb:/# conjur authn login admin
+Please enter admin's password (it will not be echoed):
+```
+
+The required password is the API key at the end of the output from the
+`start.sh` script.  It looks like this:
+
+```
+=============== LOGIN WITH THESE CREDENTIALS ===============
+
+username: admin
+api key : 9j113d35wag023rq7tnv201rsym1jg4pev1t1nb4419767ms1cnq00n
+
+============================================================
+```
+
+At this point, you can use any CLI command you like.
+
+## Running Cucumber
+
+To install dev packages, run `bundle` from within the container:
+
+```sh-session
+root@2b5f618dfdcb:/# cd /usr/src/cli-ruby/
+root@2b5f618dfdcb:/usr/src/cli-ruby# bundle
+```
+
+Then you can run the cucumber tests:
+
+```sh-session
+root@2b5f618dfdcb:/usr/src/cli-ruby# cucumber
+...
+```
+
+## Releasing
+
+To create a new release, follow the instructions in our general release
+guidelines [here](https://github.com/cyberark/community/blob/master/Conjur/CONTRIBUTING.md#release-process).
+
+Note: this project documents the version in two places:
+- The [VERSION](./VERSION) file
+- In [`lib/conjur/version.rb`](./lib/conjur/version.rb)
+
+Both version files must be updated when this project is preparing for a release.