enfcli 4.0.0 → 5.0.0.pre.alpha
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.circleci/Dockerfile +2 -2
- data/.circleci/config.yml +5 -0
- data/Gemfile.lock +38 -26
- data/Makefile +7 -0
- data/README.md +52 -7
- data/enfcli.gemspec +28 -26
- data/format.sh +9 -0
- data/lib/enfapi.rb +184 -237
- data/lib/enfapi/dns.rb +95 -0
- data/lib/enfapi/firewall.rb +37 -0
- data/lib/enfapi/user.rb +75 -0
- data/lib/enfcli.rb +211 -111
- data/lib/enfcli/commands/captive.rb +518 -157
- data/lib/enfcli/commands/user.rb +208 -160
- data/lib/enfcli/commands/xcr.rb +151 -119
- data/lib/enfcli/commands/xdns.rb +65 -55
- data/lib/enfcli/commands/xfw.rb +37 -37
- data/lib/enfcli/commands/xiam.rb +87 -80
- data/lib/enfcli/version.rb +2 -2
- data/lib/enfthor.rb +38 -14
- metadata +65 -5
data/lib/enfcli/commands/user.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright 2018 Xaptum,Inc
|
2
|
+
# Copyright 2018-2020 Xaptum,Inc
|
3
3
|
#
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -13,252 +13,300 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
#
|
16
|
-
require
|
17
|
-
require
|
16
|
+
require "enfthor"
|
17
|
+
require "enfapi/user"
|
18
18
|
|
19
19
|
module EnfCli
|
20
|
-
|
21
20
|
module Cmd
|
22
|
-
|
21
|
+
##
|
22
|
+
# This class handles the commands that maniupulate users and roles
|
23
23
|
class User < EnfThor
|
24
24
|
no_commands {
|
25
|
-
def display_invites
|
26
|
-
headings = [
|
27
|
-
rows = invites.map{ |hash|
|
28
|
-
[
|
25
|
+
def display_invites(invites)
|
26
|
+
headings = ["Id", "User Name", "Full Name", "Invited By", "Invite Code"]
|
27
|
+
rows = invites.map { |hash|
|
28
|
+
[hash[:id], hash[:email], hash[:name], hash[:created_by], hash[:invite_token]]
|
29
29
|
}
|
30
30
|
|
31
31
|
render_table(headings, rows)
|
32
32
|
end
|
33
33
|
|
34
|
-
def display_users
|
35
|
-
headings = [
|
36
|
-
rows =
|
37
|
-
|
38
|
-
|
39
|
-
|
34
|
+
def display_users(users)
|
35
|
+
headings = ["Id", "Name", "Username", "Domain", "Last Login", "Status"]
|
36
|
+
rows = []
|
37
|
+
users.each do |hash|
|
38
|
+
hash[:roles].each do |role|
|
39
|
+
rows.push [hash[:id],
|
40
|
+
hash[:full_name],
|
41
|
+
hash[:username],
|
42
|
+
hash[:domain],
|
43
|
+
hash[:last_login],
|
44
|
+
hash[:status]]
|
45
|
+
end
|
46
|
+
end
|
40
47
|
render_table(headings, rows)
|
41
48
|
end
|
42
49
|
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
# get params
|
48
|
-
name = options[:'name'].join(" ").gsub(/\A"+(.*?)"+\Z/m, '\1')
|
49
|
-
email = options[:'email']
|
50
|
-
|
51
|
-
# call api
|
52
|
-
hash = { :email => email, :full_name => name, :welcome_text => "", :user_type => user_type }
|
53
|
-
data = EnfApi::API.instance.invite domain_network, hash
|
54
|
-
invite = data[:data]
|
55
|
-
display_invites invite
|
56
|
-
end
|
57
|
-
}
|
50
|
+
# Display the roles as a table
|
51
|
+
def display_roles(roles)
|
52
|
+
headings = ["Cidr", "Role"]
|
58
53
|
|
59
|
-
|
60
|
-
|
61
|
-
method_option :'name', :type => :array, :required => true, :banner => "NAME"
|
62
|
-
method_option :'email', :type => :string, :required => true, :banner => "EMAIL"
|
63
|
-
def invite_read_only_user
|
64
|
-
try_with_rescue_in_session do
|
65
|
-
# use the domain network of the user
|
66
|
-
domain_network = EnfCli::CTX.instance.session[:domain_network]
|
67
|
-
raise EnfCli::ERROR, "User not in a valid domain!" unless domain_network
|
68
|
-
|
69
|
-
# Get user role
|
70
|
-
user_role = EnfCli::CTX.instance.session[:type]
|
71
|
-
|
72
|
-
# check user roles
|
73
|
-
if user_role == "XAPTUM_ADMIN"
|
74
|
-
raise "--domain is required" unless options[:domain]
|
75
|
-
else
|
76
|
-
say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow if options[:domain]
|
77
|
-
options[:domain] = domain_network
|
54
|
+
rows = roles.map do |role|
|
55
|
+
[role[:cidr], role[:role]]
|
78
56
|
end
|
79
57
|
|
80
|
-
|
58
|
+
render_table(headings, rows)
|
81
59
|
end
|
82
|
-
end
|
83
60
|
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
method_option :'email', :type => :string, :required => true, :banner => "EMAIL"
|
88
|
-
def invite_domain_admin_user
|
89
|
-
try_with_rescue_in_session do
|
90
|
-
# use the domain network of the user
|
91
|
-
domain_network = EnfCli::CTX.instance.session[:domain_network]
|
92
|
-
raise EnfCli::ERROR, "User not in a valid domain!" unless domain_network
|
93
|
-
|
94
|
-
# Get user role
|
95
|
-
user_role = EnfCli::CTX.instance.session[:type]
|
96
|
-
|
97
|
-
# check user roles
|
98
|
-
if user_role == "XAPTUM_ADMIN"
|
99
|
-
raise "--domain is required" unless options[:domain]
|
100
|
-
else
|
101
|
-
say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow if options[:domain]
|
102
|
-
options[:domain] = domain_network
|
103
|
-
end
|
104
|
-
|
105
|
-
send_invite options, "DOMAIN_ADMIN"
|
61
|
+
def display_user_details(user)
|
62
|
+
display_users([user])
|
63
|
+
display_roles(user[:roles])
|
106
64
|
end
|
107
|
-
|
65
|
+
}
|
108
66
|
|
109
|
-
desc "invite
|
110
|
-
|
111
|
-
method_option :
|
112
|
-
|
67
|
+
desc "send-invite",
|
68
|
+
"Send an invite to a new user or one with a modified role."
|
69
|
+
method_option :email, type: :string, required: true, banner: "EMAIL",
|
70
|
+
desc: "Full email address of user to invite."
|
71
|
+
method_option :name, type: :array, required: true, banner: "NAME",
|
72
|
+
desc: "Full name of user to invite."
|
73
|
+
method_option :domain, type: :string, default: nil, banner: "DOMAIN",
|
74
|
+
aliases: "-d"
|
75
|
+
method_option :network, type: :string, default: nil, banner: "NETWORK",
|
76
|
+
aliases: "-n"
|
77
|
+
method_option :role, type: :string, default: nil, banner: "ROLE",
|
78
|
+
aliases: "-r"
|
79
|
+
|
80
|
+
def send_invite
|
113
81
|
try_with_rescue_in_session do
|
114
|
-
#
|
115
|
-
|
82
|
+
# get params
|
83
|
+
name = options[:name].join(" ").gsub(/\A"+(.*?)"+\Z/m, '\1')
|
84
|
+
email = options[:email]
|
116
85
|
|
117
|
-
|
86
|
+
# get correct domain
|
87
|
+
domain = EnfCli::CTX.instance.session[:domain]
|
88
|
+
raise EnfCli::ERROR, "User not in a valid domain!" unless domain
|
118
89
|
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
end
|
90
|
+
# check if admin
|
91
|
+
if EnfCli::CTX.instance.xaptum_admin?
|
92
|
+
raise EnfCli::ERROR, "--domain is required" unless options[:domain]
|
123
93
|
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
try_with_rescue_in_session do
|
129
|
-
# Get user role
|
130
|
-
user_role = EnfCli::CTX.instance.session[:type]
|
94
|
+
domain = options[:domain]
|
95
|
+
elsif options[:domain]
|
96
|
+
say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow
|
97
|
+
end
|
131
98
|
|
132
|
-
|
99
|
+
invite_hash = { email: email,
|
100
|
+
full_name: name,
|
101
|
+
domain: domain }
|
133
102
|
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
end
|
103
|
+
role = options[:role]
|
104
|
+
role = role.upcase if role
|
105
|
+
network = options[:network]
|
138
106
|
|
139
|
-
|
140
|
-
method_option :'captive-domain', :type => :string, :required => true, :banner => "CAPTIVE CONTROL DOMAIN"
|
141
|
-
method_option :'name', :type => :array, :required => true, :banner => "NAME"
|
142
|
-
method_option :'email', :type => :string, :required => true, :banner => "EMAIL"
|
143
|
-
def invite_captive_admin_user
|
144
|
-
try_with_rescue_in_session do
|
145
|
-
# Get user role
|
146
|
-
user_role = EnfCli::CTX.instance.session[:type]
|
107
|
+
roles_hash = nil
|
147
108
|
|
148
|
-
|
109
|
+
case role
|
110
|
+
when "XAPTUM_ADMIN", "IAM_ADMIN"
|
111
|
+
roles_hash = [{ cidr: "::/0", role: role }]
|
112
|
+
when "DOMAIN_ADMIN", "DOMAIN_USER", "CAPTIVE_ADMIN"
|
113
|
+
roles_hash = [{ cidr: domain, role: role }]
|
114
|
+
when "NETWORK_ADMIN", "NETWORK_USER"
|
115
|
+
roles_hash = [{ cidr: network, role: role }]
|
116
|
+
end
|
149
117
|
|
150
|
-
|
151
|
-
|
118
|
+
if roles_hash
|
119
|
+
invite_hash[:roles] = roles_hash
|
120
|
+
end
|
121
|
+
|
122
|
+
resp_data = EnfApi::UserManager.instance.invite invite_hash
|
123
|
+
invite = resp_data[:data]
|
124
|
+
display_invites invite
|
152
125
|
end
|
153
126
|
end
|
154
127
|
|
128
|
+
desc "delete-invite", "Delete an invite"
|
129
|
+
method_option :id, type: :string, required: true
|
155
130
|
|
156
|
-
|
157
|
-
method_option :email, :type => :string, :required => true
|
158
|
-
def cancel_user_invite
|
131
|
+
def delete_invite
|
159
132
|
try_with_rescue_in_session do
|
133
|
+
id = options[:id]
|
160
134
|
# call api
|
161
|
-
EnfApi::
|
162
|
-
|
163
|
-
# print success
|
164
|
-
say "Invite Canceled!", :green
|
135
|
+
EnfApi::UserManager.instance.delete_invite id
|
136
|
+
say "Invite: #{id} successfully deleted", :green
|
165
137
|
end
|
166
138
|
end
|
167
139
|
|
168
|
-
desc "resend-
|
169
|
-
method_option :
|
170
|
-
|
140
|
+
desc "resend-invite", "Resend an invite"
|
141
|
+
method_option :id, type: :string, required: true
|
142
|
+
|
143
|
+
def resend_invite
|
171
144
|
try_with_rescue_in_session do
|
145
|
+
id = options[:id]
|
172
146
|
# call api
|
173
|
-
EnfApi::
|
174
|
-
|
175
|
-
# print success
|
176
|
-
say "Resent invite email!", :green
|
147
|
+
EnfApi::UserManager.instance.resend_invite id
|
148
|
+
say "Resent invite: #{id}!", :green
|
177
149
|
end
|
178
150
|
end
|
179
151
|
|
180
152
|
desc "list-invites", "List user invites"
|
181
153
|
method_option :domain, :default => nil, :type => :string, :aliases => "-d"
|
154
|
+
|
182
155
|
def list_invites
|
183
156
|
try_with_rescue_in_session do
|
184
157
|
# use the domain network of the user
|
185
|
-
|
186
|
-
raise EnfCli::ERROR, "User not in a valid domain!" unless domain_network
|
158
|
+
domain = nil
|
187
159
|
|
188
|
-
#
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
|
193
|
-
domain_network = options[:domain] if options[:domain]
|
194
|
-
else
|
195
|
-
say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow if options[:domain]
|
160
|
+
# only XAPTUM_ADMIN can specify --domain (but doesn't have to)
|
161
|
+
if EnfCli::CTX.instance.xaptum_admin?
|
162
|
+
domain = options[:domain] if options[:domain]
|
163
|
+
elsif options[:domain]
|
164
|
+
say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow
|
196
165
|
end
|
197
166
|
|
198
167
|
# call the api
|
199
|
-
data = EnfApi::
|
168
|
+
data = EnfApi::UserManager.instance.list_invites domain
|
200
169
|
invites = data[:data]
|
201
170
|
|
202
171
|
display_invites invites
|
203
172
|
end
|
204
173
|
end
|
205
174
|
|
206
|
-
desc "
|
207
|
-
method_option :
|
208
|
-
|
175
|
+
desc "get-user-details", "Get User Details"
|
176
|
+
method_option :email, required: true, type: :string, banner: "EMAIL",
|
177
|
+
aliases: "-e"
|
178
|
+
|
179
|
+
def get_user_details
|
209
180
|
try_with_rescue_in_session do
|
210
|
-
#
|
211
|
-
|
212
|
-
|
181
|
+
# call the api
|
182
|
+
data = EnfApi::UserManager.instance.get_user options[:email]
|
183
|
+
user = data[:data][0]
|
184
|
+
|
185
|
+
display_user_details user
|
186
|
+
end
|
187
|
+
end
|
213
188
|
|
214
|
-
|
215
|
-
|
189
|
+
desc "list-users", "List users"
|
190
|
+
method_option :domain, default: nil, type: :string, banner: "DOMAIN",
|
191
|
+
aliases: "-d"
|
192
|
+
method_option :network, default: nil, type: :string, banner: "NETWORK",
|
193
|
+
aliases: "-n"
|
216
194
|
|
217
|
-
|
218
|
-
|
219
|
-
|
220
|
-
|
221
|
-
|
195
|
+
def list_users
|
196
|
+
try_with_rescue_in_session do
|
197
|
+
domain = options[:domain]
|
198
|
+
network = options[:network]
|
199
|
+
|
200
|
+
## initalize query param
|
201
|
+
query_param = ""
|
202
|
+
if domain
|
203
|
+
query_param = "?domain=#{domain}"
|
204
|
+
elsif network
|
205
|
+
query_param = "?network=#{network}"
|
222
206
|
end
|
223
207
|
|
224
208
|
# call the api
|
225
|
-
data = EnfApi::
|
209
|
+
data = EnfApi::UserManager.instance.list_users query_param
|
226
210
|
users = data[:data]
|
227
211
|
|
228
212
|
display_users users
|
229
213
|
end
|
230
214
|
end
|
231
215
|
|
216
|
+
desc "list-user-roles", "List user roles"
|
217
|
+
method_option :email, type: :string, required: true, banner: "EMAIL"
|
218
|
+
method_option :network, default: nil, type: :string, banner: "NETWORK",
|
219
|
+
aliases: "-n"
|
220
|
+
|
221
|
+
def list_user_roles
|
222
|
+
try_with_rescue_in_session do
|
223
|
+
# call api
|
224
|
+
data = EnfApi::UserManager.instance.list_user_roles options[:email], options[:network]
|
225
|
+
roles = data[:data]
|
226
|
+
|
227
|
+
# print roles
|
228
|
+
display_roles roles
|
229
|
+
end
|
230
|
+
end
|
231
|
+
|
232
|
+
desc "delete-user-roles", "Remove a user's roles"
|
233
|
+
method_option :email, type: :string, required: true, banner: "EMAIL"
|
234
|
+
method_option :network, default: nil, type: :string, banner: "NETWORK",
|
235
|
+
aliases: "-n",
|
236
|
+
desc: 'Can be a /64 cidr or "ALL"'
|
237
|
+
method_option :roles, type: :string, required: true, banner: "ROLES",
|
238
|
+
aliases: "-r",
|
239
|
+
desc: "Can be a valid DOMAIN or NETWORK role. " \
|
240
|
+
"Can take '*' wildcards."
|
241
|
+
|
242
|
+
def delete_user_roles
|
243
|
+
try_with_rescue_in_session do
|
244
|
+
user_id = options[:email]
|
245
|
+
roles = options[:roles]
|
246
|
+
roles = roles.upcase if roles
|
247
|
+
network = options[:network]
|
248
|
+
|
249
|
+
if roles[0..6] == "NETWORK" && !network
|
250
|
+
raise EnfCli::ERROR, "--network option must be included for --roles=#{roles}"
|
251
|
+
end
|
252
|
+
|
253
|
+
EnfApi::UserManager.instance.delete_user_roles user_id, roles, network
|
254
|
+
say "Role: #{roles} successfully removed from user: #{user_id}", :green
|
255
|
+
end
|
256
|
+
end
|
257
|
+
|
232
258
|
desc "deactivate-user", "Deactivate User"
|
233
|
-
method_option :
|
259
|
+
method_option :email, required: true, type: :string, banner: "EMAIL"
|
260
|
+
|
234
261
|
def deactivate_user
|
235
262
|
try_with_rescue_in_session do
|
236
|
-
|
237
263
|
## call the api
|
238
|
-
status = { :
|
239
|
-
EnfApi::
|
264
|
+
status = { status: "INACTIVE" }
|
265
|
+
EnfApi::UserManager.instance.update_user_status options[:email], status
|
240
266
|
|
241
267
|
say "Deactivated user!", :green
|
268
|
+
end
|
269
|
+
end
|
242
270
|
|
271
|
+
desc "add-user-role", "Add a new role to the specified rule."
|
272
|
+
method_option :email, type: :string, required: true, banner: "EMAIL"
|
273
|
+
method_option :cidr, type: :string, required: true, banner: "CIDR",
|
274
|
+
desc: "Can be a /64 cidr for NETWORK user or " \
|
275
|
+
"/48 cidr for DOMAIN user."
|
276
|
+
method_option :role, type: :string, required: true, banner: "ROLE",
|
277
|
+
aliases: "-r",
|
278
|
+
desc: "Can be a valid DOMAIN or NETWORK role. ",
|
279
|
+
enum: ["XAPTUM_ADMIN", "DOMAIN_ADMIN", "DOMAIN_USER", "NETWORK_ADMIN", "NETWORK_USER", "CAPTIVE_ADMIN", "IAM_ADMIN"]
|
280
|
+
|
281
|
+
def add_user_role
|
282
|
+
try_with_rescue_in_session do
|
283
|
+
## get options
|
284
|
+
email = options[:email]
|
285
|
+
role = options[:role]
|
286
|
+
role = role.upcase if role
|
287
|
+
cidr = EnfCli::IPV6Cidr.new(options[:cidr]).to_s
|
288
|
+
|
289
|
+
## call api
|
290
|
+
role_hash = [{ cidr: cidr, role: role }]
|
291
|
+
resp = EnfApi::UserManager.instance.add_user_role email, role_hash
|
292
|
+
resp_roles = resp[:data]
|
293
|
+
|
294
|
+
## display response
|
295
|
+
display_roles resp_roles
|
243
296
|
end
|
244
297
|
end
|
245
298
|
|
246
299
|
desc "activate-user", "Activate User"
|
247
|
-
method_option :
|
300
|
+
method_option :email, required: true, type: :string, banner: "EMAIL"
|
301
|
+
|
248
302
|
def activate_user
|
249
303
|
try_with_rescue_in_session do
|
250
|
-
|
251
304
|
## call the api
|
252
|
-
status = { :
|
253
|
-
EnfApi::
|
254
|
-
|
305
|
+
status = { status: "ACTIVE" }
|
306
|
+
EnfApi::UserManager.instance.update_user_status options[:email], status
|
255
307
|
say "Activated user!", :green
|
256
|
-
|
257
308
|
end
|
258
309
|
end
|
259
|
-
|
260
310
|
end
|
261
|
-
|
262
311
|
end
|
263
|
-
|
264
312
|
end
|