enfcli 4.2.2.pre.alpha → 5.0.2

data/lib/enfapi/firewall.rb

@@ -0,0 +1,44 @@
+#
+# Copyright 2020 Xaptum,Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "singleton"
+
+module EnfApi
+  class Firewall
+    include Singleton
+
+    def list_firewall_rules(network)
+      EnfApi::API.instance.get "/api/xfw/v2/#{network}/rule"
+    end
+
+    def add_firewall_rule(network, rule)
+      rule_json = EnfApi::to_json(rule)
+
+      if network
+        url = "/api/xfw/v2/#{network}/rule"
+      else
+        url = "/api/xfw/v2/rule"
+      end
+
+      EnfApi::API.instance.post url, rule_json
+    end
+
+    def delete_firewall_rules(network, id = nil)
+      # Same method to call to delete all firewall rules in a network. if id is nil
+      EnfApi::API.instance.delete "/api/xfw/v2/#{network}/rule/#{id}"
+    end
+  end
+end

data/lib/enfapi/user.rb

@@ -0,0 +1,75 @@
+#
+# Copyright 2020 Xaptum,Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module EnfApi
+  class UserManager
+    include Singleton
+
+    def initialize
+      @version = "v3"
+      @xcr_base_url = "/api/xcr/#{@version}"
+    end
+
+    def list_users(query)
+      EnfApi::API.instance.get "#{@xcr_base_url}/users#{query}"
+    end
+
+    def get_user(email)
+      EnfApi::API.instance.get "#{@xcr_base_url}/users/#{email}"
+    end
+
+    def list_user_roles(user, network)
+      url = "#{@xcr_base_url}/users/#{user}/roles"
+      url += "?network=#{network}" if network
+      EnfApi::API.instance.get url
+    end
+
+    def delete_user_roles(user_id, roles, network)
+      url = "#{@xcr_base_url}/users/#{user_id}/roles?roles=#{roles}"
+      url += "&network=#{network}" if network
+      EnfApi::API.instance.delete url
+    end
+
+    def add_user_role(user_id, role_hash)
+      json = EnfApi::to_json(role_hash)
+      url = "#{@xcr_base_url}/users/#{user_id}/roles"
+      EnfApi::API.instance.post url, json
+    end
+
+    def list_invites(domain)
+      url = "#{@xcr_base_url}/invites"
+      url += "?domain=#{domain}" if domain
+      EnfApi::API.instance.get url
+    end
+
+    def invite(hash)
+      json = EnfApi::to_json(hash)
+      EnfApi::API.instance.post "#{@xcr_base_url}/invites", json
+    end
+
+    def delete_invite(invite_id)
+      EnfApi::API.instance.delete "#{@xcr_base_url}/invites/#{invite_id}"
+    end
+
+    def resend_invite(invite_id)
+      EnfApi::API.instance.put "#{@xcr_base_url}/invites/#{invite_id}", "{}"
+    end
+
+    def update_user_status(user_id, status)
+      json = EnfApi::to_json(status)
+      EnfApi::API.instance.put "#{@xcr_base_url}/users/#{user_id}/status", json
+    end
+  end
+end

data/lib/enfcli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Xaptum,Inc
+# Copyright 2018-2020 Xaptum,Inc
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -112,7 +112,7 @@ module EnfCli
 
   def self.ask_password(prompt = nil)
     begin
-      prompt = "Enter Password:" unless prompt
+      prompt ||= "Enter Password:"
       print prompt
       # We hide the entered characters before to ask for the password
       system "stty -echo"
@@ -134,7 +134,7 @@ module EnfCli
 
     # Generate cert
     cert = OpenSSL::X509::Certificate.new
-    cert.subject = cert.issuer = OpenSSL::X509::Name.new([["CN", "#{ipv6}"]])
+    cert.subject = cert.issuer = OpenSSL::X509::Name.new([["CN", ipv6.to_s]])
     cert.not_before = Time.now
     cert.not_after = Time.now + 365 * 24 * 60 * 60
     cert.public_key = key
@@ -190,15 +190,41 @@ module EnfCli
     end
 
     def xaptum_admin?
-      self.user_role == "XAPTUM_ADMIN"
+      has_role? "XAPTUM_ADMIN"
     end
 
-    def user_role
-      @session[:type]
+    def domain_admin?
+      has_role? "DOMAIN_ADMIN"
+    end
+
+    def domain_user?
+      has_role? "DOMAIN_USER"
+    end
+
+    def network_admin?
+      has_role? "NETWORK_ADMIN"
+    end
+
+    def network_user?
+      has_role? "NETWORK_USER"
+    end
+
+    def edit_domain_role?
+      xaptum_admin? || domain_admin?
+    end
+
+    def has_role?(role)
+      all_roles = @session[:roles]
+      all_roles.each do |cur_role|
+        if cur_role[:role] == role
+          return true
+        end
+      end
+      false
     end
 
     def host
-      "#{@host}"
+      @host.to_s
     end
 
     def auth_token
@@ -229,8 +255,8 @@ module EnfCli
     }
 
     desc "connect", "Connect to ENF Controller"
-    method_option :host, :type => :string
-    method_option :user, :type => :string
+    method_option :host, type: :string
+    method_option :user, type: :string
 
     def connect(*names)
       host = ""
@@ -278,7 +304,7 @@ module EnfCli
       puts EnfCli::VERSION
     end
 
-    desc "update", "", :hide => true
+    desc "update", "", hide: true
 
     def update
       cmd = Gem::Commands::UpdateCommand.new
@@ -286,7 +312,7 @@ module EnfCli
       execute_gem_cmd cmd
     end
 
-    desc "search", "", :hide => true
+    desc "search", "", hide: true
 
     def search
       cmd = Gem::Commands::SearchCommand.new
@@ -295,14 +321,14 @@ module EnfCli
     end
 
     desc "create-config-file", "Create a Xaptum configuration file in your home directory"
-    method_option :host, :type => :string, :required => true
-    method_option :user, :type => :string, :required => true
+    method_option :host, type: :string, required: true
+    method_option :user, type: :string, required: true
 
     def create_config_file
       host = options[:host]
       user = options[:user]
       config_file = File.new(CONFIG_FILE, "w+")
-      config_file.puts({ :host => host, :user => user }.to_json)
+      config_file.puts({ host: host, user: user }.to_json)
       config_file.close
       say "Config file created successfully at #{CONFIG_FILE}!", :green
     end
@@ -349,7 +375,7 @@ module EnfCli
           trap("INT") { system("stty", stty_save); exit }
 
           while input = Readline.readline(EnfCli::CTX.instance.prompt, true)
-            break if input == "exit" or input == "\\q" or input == "quit"
+            break if input == "exit" or input == '\q' or input == "quit"
 
             # Remove blank lines from history
             Readline::HISTORY.pop if input == ""
@@ -362,12 +388,12 @@ module EnfCli
 
     # Shell CLI class
     class CLI < EnfCli::EnfThor
-      desc "ls [<dir>]", "List files in a directory", :hide => true
-      method_option :dir, :type => :string, :required => false
+      desc "ls [<dir>]", "List files in a directory", hide: true
+      method_option :dir, type: :string, required: false
 
       def ls(dir = nil)
         try_with_rescue do
-          dir = "." unless dir
+          dir ||= "."
           dir = EnfCli::expand_path(dir)
 
           Dir.entries(dir).each { |f|
@@ -376,7 +402,7 @@ module EnfCli
         end
       end
 
-      desc "cat <file>", "Display contents of a file", :hide => true
+      desc "cat <file>", "Display contents of a file", hide: true
 
       def cat(file)
         try_with_rescue do
@@ -390,7 +416,7 @@ module EnfCli
         end
       end
 
-      desc "pwd", "Current Working Directory", :hide => true
+      desc "pwd", "Current Working Directory", hide: true
 
       def pwd
         try_with_rescue do
@@ -398,17 +424,18 @@ module EnfCli
         end
       end
 
-      desc "cd [<dir>]", "Change working directory", :hide => true
+      desc "cd [<dir>]", "Change working directory", hide: true
 
       def cd(dir = "~")
         try_with_rescue do
           dir = EnfCli::expand_path(dir)
           raise EnfCli::ERROR, "No such directory #{dir}" unless Dir.exist?(dir)
+
           Dir.chdir(dir)
         end
       end
 
-      desc "host", "Display ENF Controller host", :hide => true
+      desc "host", "Display ENF Controller host", hide: true
 
       def host
         try_with_rescue do
@@ -416,7 +443,7 @@ module EnfCli
         end
       end
 
-      desc "clear", "Clear Terminal Screen", :hide => true
+      desc "clear", "Clear Terminal Screen", hide: true
 
       def clear
         try_with_rescue do
@@ -429,7 +456,7 @@ module EnfCli
 
       def display_session_token
         try_with_rescue_in_session do
-          say "#{EnfCli::CTX.instance.auth_token}"
+          say EnfCli::CTX.instance.auth_token.to_s
         end
       end
 

data/lib/enfcli/commands/user.rb

@@ -1,5 +1,5 @@
 #
-# Copyright 2018 Xaptum,Inc
+# Copyright 2018-2020 Xaptum,Inc
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,170 +14,138 @@
 # limitations under the License.
 #
 require "enfthor"
-require "enfapi"
+require "enfapi/user"
 
 module EnfCli
   module Cmd
+    ##
+    # This class handles the commands that maniupulate users and roles
     class User < EnfThor
       no_commands {
         def display_invites(invites)
           headings = ["Id", "User Name", "Full Name", "Invited By", "Invite Code"]
           rows = invites.map { |hash|
-            [hash[:id], hash[:email], hash[:name], hash[:invited_by], hash[:invite_token]]
+            [hash[:id], hash[:email], hash[:name], hash[:created_by], hash[:invite_token]]
           }
 
           render_table(headings, rows)
         end
 
         def display_users(users)
-          headings = ["Id", "User Name", "Full Name", "Last Login", "Type", "Reset Code", "Reset Time", "Status"]
-          rows = users.map { |hash|
-            [hash[:user_id], hash[:username], hash[:full_name], hash[:last_login], hash[:type], hash[:reset_code],
-             format_date(hash[:reset_time]), hash[:status]]
-          }
+          headings = ["Id", "Name", "Username", "Domain", "Last Login", "Status"]
+          rows = []
+          users.each do |hash|
+            hash[:roles].each do |role|
+              rows.push [hash[:id],
+                         hash[:full_name],
+                         hash[:username],
+                         hash[:domain],
+                         hash[:last_login],
+                         hash[:status]]
+            end
+          end
           render_table(headings, rows)
         end
 
-        def send_invite(options, user_type)
-          # Get options
-          domain_network = options.domain
-
-          # get params
-          name = options[:'name'].join(" ").gsub(/\A"+(.*?)"+\Z/m, '\1')
-          email = options[:'email']
-
-          # call api
-          hash = { :email => email, :full_name => name, :welcome_text => "", :user_type => user_type }
-          data = EnfApi::API.instance.invite domain_network, hash
-          invite = data[:data]
-          display_invites invite
-        end
-      }
-
-      desc "invite-read-only-user", "Invite a domain user"
-      method_option :domain, :default => nil, :type => :string, :aliases => "-d"
-      method_option :'name', :type => :array, :required => true, :banner => "NAME"
-      method_option :'email', :type => :string, :required => true, :banner => "EMAIL"
+        # Display the roles as a table
+        def display_roles(roles)
+          headings = ["Cidr", "Role"]
 
-      def invite_read_only_user
-        try_with_rescue_in_session do
-          # use the domain network of the user
-          domain_network = EnfCli::CTX.instance.session[:domain_network]
-          raise EnfCli::ERROR, "User not in a valid domain!" unless domain_network
-
-          # Get user role
-          user_role = EnfCli::CTX.instance.session[:type]
-
-          # check user roles
-          if user_role == "XAPTUM_ADMIN"
-            raise "--domain is required" unless options[:domain]
-          else
-            say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow if options[:domain]
-            options[:domain] = domain_network
+          rows = roles.map do |role|
+            [role[:cidr], role[:role]]
           end
 
-          send_invite options, "DOMAIN_USER"
+          render_table(headings, rows)
         end
-      end
-
-      desc "invite-domain-admin-user", "Invite a domain administrator"
-      method_option :domain, :default => nil, :type => :string, :aliases => "-d"
-      method_option :'name', :type => :array, :required => true, :banner => "NAME"
-      method_option :'email', :type => :string, :required => true, :banner => "EMAIL"
-
-      def invite_domain_admin_user
-        try_with_rescue_in_session do
-          # use the domain network of the user
-          domain_network = EnfCli::CTX.instance.session[:domain_network]
-          raise EnfCli::ERROR, "User not in a valid domain!" unless domain_network
-
-          # Get user role
-          user_role = EnfCli::CTX.instance.session[:type]
-
-          # check user roles
-          if user_role == "XAPTUM_ADMIN"
-            raise "--domain is required" unless options[:domain]
-          else
-            say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow if options[:domain]
-            options[:domain] = domain_network
-          end
 
-          send_invite options, "DOMAIN_ADMIN"
+        def display_user_details(user)
+          display_users([user])
+          display_roles(user[:roles])
         end
-      end
-
-      desc "invite-enf-admin-user", "Invite an ENF administrator"
-      method_option :'name', :type => :array, :required => true, :banner => "NAME"
-      method_option :'email', :type => :string, :required => true, :banner => "EMAIL"
+      }
 
-      def invite_enf_admin_user
+      desc "send-invite",
+           "Send an invite to a new user or one with a modified role."
+      method_option :email, type: :string, required: true, banner: "EMAIL",
+                            desc: "Full email address of user to invite."
+      method_option :name, type: :array, required: true, banner: "NAME",
+                           desc: "Full name of user to invite."
+      method_option :domain, type: :string, default: nil, banner: "DOMAIN",
+                             aliases: "-d"
+      method_option :network, type: :string, default: nil, banner: "NETWORK",
+                              aliases: "-n"
+      method_option :role, type: :string, default: nil, banner: "ROLE",
+                           aliases: "-r"
+
+      def send_invite
         try_with_rescue_in_session do
-          # Get user role
-          user_role = EnfCli::CTX.instance.session[:type]
-
-          raise EnfCli::ERROR, "Only ENF Administrators can invite ENF Administrator" unless user_role == "XAPTUM_ADMIN"
+          # get params
+          name = options[:name].join(" ").gsub(/\A"+(.*?)"+\Z/m, '\1')
+          email = options[:email]
 
-          options[:domain] = EnfCli::CTX.instance.session[:domain_network]
-          send_invite options, "XAPTUM_ADMIN"
-        end
-      end
+          # get correct domain
+          domain = EnfCli::CTX.instance.session[:domain]
+          raise EnfCli::ERROR, "User not in a valid domain!" unless domain
 
-      desc "invite-iam-admin-user", "Invite an IAM administrator"
-      method_option :'name', :type => :array, :required => true, :banner => "NAME"
-      method_option :'email', :type => :string, :required => true, :banner => "EMAIL"
+          # check if admin
+          if EnfCli::CTX.instance.xaptum_admin?
+            raise EnfCli::ERROR, "--domain is required" unless options[:domain]
 
-      def invite_iam_admin_user
-        try_with_rescue_in_session do
-          # Get user role
-          user_role = EnfCli::CTX.instance.session[:type]
+            domain = options[:domain]
+          elsif options[:domain]
+            say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow
+          end
 
-          raise EnfCli::ERROR, "Only ENF Administrators can invite IAM Administrator" unless user_role == "XAPTUM_ADMIN"
+          invite_hash = { email: email,
+                          full_name: name,
+                          domain: domain }
 
-          options[:domain] = EnfCli::CTX.instance.session[:domain_network]
-          send_invite options, "IAM_ADMIN"
-        end
-      end
+          role = options[:role]
+          role = role.upcase if role
+          network = options[:network]
 
-      desc "invite-captive-admin-user", "Invite a captive administrator"
-      method_option :'captive-domain', :type => :string, :required => true, :banner => "CAPTIVE CONTROL DOMAIN"
-      method_option :'name', :type => :array, :required => true, :banner => "NAME"
-      method_option :'email', :type => :string, :required => true, :banner => "EMAIL"
+          roles_hash = nil
 
-      def invite_captive_admin_user
-        try_with_rescue_in_session do
-          # Get user role
-          user_role = EnfCli::CTX.instance.session[:type]
+          case role
+          when "XAPTUM_ADMIN", "IAM_ADMIN"
+            roles_hash = [{ cidr: "::/0", role: role }]
+          when "DOMAIN_ADMIN", "DOMAIN_USER", "CAPTIVE_ADMIN"
+            roles_hash = [{ cidr: domain, role: role }]
+          when "NETWORK_ADMIN", "NETWORK_USER"
+            roles_hash = [{ cidr: network, role: role }]
+          end
 
-          raise EnfCli::ERROR, "Only ENF Administrators can invite CAPTIVE Administrator" unless user_role == "XAPTUM_ADMIN"
+          if roles_hash
+            invite_hash[:roles] = roles_hash
+          end
 
-          options[:domain] = options[:'captive-domain']
-          send_invite options, "CAPTIVE_ADMIN"
+          resp_data = EnfApi::UserManager.instance.invite invite_hash
+          invite = resp_data[:data]
+          display_invites invite
         end
       end
 
-      desc "cancel-user-invite", "Cancel an invite"
-      method_option :email, :type => :string, :required => true
+      desc "delete-invite", "Delete an invite"
+      method_option :id, type: :string, required: true
 
-      def cancel_user_invite
+      def delete_invite
         try_with_rescue_in_session do
+          id = options[:id]
           # call api
-          EnfApi::API.instance.cancel_invite options.email
-
-          # print success
-          say "Invite Canceled!", :green
+          EnfApi::UserManager.instance.delete_invite id
+          say "Invite: #{id} successfully deleted", :green
         end
       end
 
-      desc "resend-user-invite", "Resend an invite"
-      method_option :email, :type => :string, :required => true
+      desc "resend-invite", "Resend an invite"
+      method_option :id, type: :string, required: true
 
-      def resend_user_invite
+      def resend_invite
         try_with_rescue_in_session do
+          id = options[:id]
           # call api
-          EnfApi::API.instance.resend_invite options.email
-
-          # print success
-          say "Resent invite email!", :green
+          EnfApi::UserManager.instance.resend_invite id
+          say "Resent invite: #{id}!", :green
         end
       end
 
@@ -187,78 +155,155 @@ module EnfCli
       def list_invites
         try_with_rescue_in_session do
           # use the domain network of the user
-          domain_network = EnfCli::CTX.instance.session[:domain_network]
-          raise EnfCli::ERROR, "User not in a valid domain!" unless domain_network
-
-          # Get user role
-          user_role = EnfCli::CTX.instance.session[:type]
+          domain = nil
 
-          # check user roles
-          if user_role == "XAPTUM_ADMIN"
-            domain_network = options[:domain] if options[:domain]
-          else
-            say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow if options[:domain]
+          # only XAPTUM_ADMIN can specify --domain (but doesn't have to)
+          if EnfCli::CTX.instance.xaptum_admin?
+            domain = options[:domain] if options[:domain]
+          elsif options[:domain]
+            say "Warning: Ignoring command option --domain #{options[:domain]}", :yellow
           end
 
           # call the api
-          data = EnfApi::API.instance.list_domain_invites domain_network
+          data = EnfApi::UserManager.instance.list_invites domain
           invites = data[:data]
 
           display_invites invites
         end
       end
 
-      desc "list-users", "List users"
-      method_option :domain, :default => nil, :type => :string, :aliases => "-d"
+      desc "get-user-details", "Get User Details"
+      method_option :email, required: true, type: :string, banner: "EMAIL",
+                            aliases: "-e"
 
-      def list_users
+      def get_user_details
         try_with_rescue_in_session do
-          # use the domain network of the user
-          domain_network = EnfCli::CTX.instance.session[:domain_network]
-          raise EnfCli::ERROR, "User not in a valid domain!" unless domain_network
+          # call the api
+          data = EnfApi::UserManager.instance.get_user options[:email]
+          user = data[:data][0]
+
+          display_user_details user
+        end
+      end
 
-          # Get user role
-          user_role = EnfCli::CTX.instance.session[:type]
+      desc "list-users", "List users"
+      method_option :domain, default: nil, type: :string, banner: "DOMAIN",
+                             aliases: "-d"
+      method_option :network, default: nil, type: :string, banner: "NETWORK",
+                              aliases: "-n"
 
-          # check user roles
-          if user_role == "XAPTUM_ADMIN"
-            domain_network = options[:domain] if options[:domain]
-          else
-            say "Warning: Ignoring command option -d #{options[:domain]}", :yellow if options[:domain]
+      def list_users
+        try_with_rescue_in_session do
+          domain = options[:domain]
+          network = options[:network]
+
+          ## initalize query param
+          query_param = ""
+          if domain
+            query_param = "?domain=#{domain}"
+          elsif network
+            query_param = "?network=#{network}"
           end
 
           # call the api
-          data = EnfApi::API.instance.list_domain_users domain_network
+          data = EnfApi::UserManager.instance.list_users query_param
           users = data[:data]
 
           display_users users
         end
       end
 
+      desc "list-user-roles", "List user roles"
+      method_option :email, type: :string, required: true, banner: "EMAIL"
+      method_option :network, default: nil, type: :string, banner: "NETWORK",
+                              aliases: "-n"
+
+      def list_user_roles
+        try_with_rescue_in_session do
+          # call api
+          data = EnfApi::UserManager.instance.list_user_roles options[:email], options[:network]
+          roles = data[:data]
+
+          # print roles
+          display_roles roles
+        end
+      end
+
+      desc "delete-user-roles", "Remove a user's roles"
+      method_option :email, type: :string, required: true, banner: "EMAIL"
+      method_option :network, default: nil, type: :string, banner: "NETWORK",
+                              aliases: "-n",
+                              desc: 'Can be a /64 cidr or "ALL"'
+      method_option :roles, type: :string, required: true, banner: "ROLES",
+                            aliases: "-r",
+                            desc: "Can be a valid DOMAIN or NETWORK role. " \
+                                  "Can take '*' wildcards."
+
+      def delete_user_roles
+        try_with_rescue_in_session do
+          user_id = options[:email]
+          roles = options[:roles]
+          roles = roles.upcase if roles
+          network = options[:network]
+
+          if roles[0..6] == "NETWORK" && !network
+            raise EnfCli::ERROR, "--network option must be included for --roles=#{roles}"
+          end
+
+          EnfApi::UserManager.instance.delete_user_roles user_id, roles, network
+          say "Role: #{roles} successfully removed from user: #{user_id}", :green
+        end
+      end
+
       desc "deactivate-user", "Deactivate User"
-      method_option :user_id, :required => true, :type => :numeric
+      method_option :email, required: true, type: :string, banner: "EMAIL"
 
       def deactivate_user
         try_with_rescue_in_session do
-
           ## call the api
-          status = { :status => "INACTIVE" }
-          EnfApi::API.instance.update_user_status options[:user_id], status
+          status = { status: "INACTIVE" }
+          EnfApi::UserManager.instance.update_user_status options[:email], status
 
           say "Deactivated user!", :green
         end
       end
 
+      desc "add-user-role", "Add a new role to the specified rule."
+      method_option :email, type: :string, required: true, banner: "EMAIL"
+      method_option :cidr, type: :string, required: true, banner: "CIDR",
+                           desc: "Can be a /64 cidr for NETWORK user or " \
+                           "/48 cidr for DOMAIN user."
+      method_option :role, type: :string, required: true, banner: "ROLE",
+                           aliases: "-r",
+                           desc: "Can be a valid DOMAIN or NETWORK role. ",
+                           enum: ["XAPTUM_ADMIN", "DOMAIN_ADMIN", "DOMAIN_USER", "NETWORK_ADMIN", "NETWORK_USER", "CAPTIVE_ADMIN", "IAM_ADMIN"]
+
+      def add_user_role
+        try_with_rescue_in_session do
+          ## get options
+          email = options[:email]
+          role = options[:role]
+          role = role.upcase if role
+          cidr = EnfCli::IPV6Cidr.new(options[:cidr]).to_s
+
+          ## call api
+          role_hash = [{ cidr: cidr, role: role }]
+          resp = EnfApi::UserManager.instance.add_user_role email, role_hash
+          resp_roles = resp[:data]
+
+          ## display response
+          display_roles resp_roles
+        end
+      end
+
       desc "activate-user", "Activate User"
-      method_option :user_id, :required => true, :type => :numeric
+      method_option :email, required: true, type: :string, banner: "EMAIL"
 
       def activate_user
         try_with_rescue_in_session do
-
           ## call the api
-          status = { :status => "ACTIVE" }
-          EnfApi::API.instance.update_user_status options[:user_id], status
-
+          status = { status: "ACTIVE" }
+          EnfApi::UserManager.instance.update_user_status options[:email], status
           say "Activated user!", :green
         end
       end