
cyberark-conjur-cli-docker-based's Introduction

conjur-cli

Command-line interface for Conjur.

NOTE: Conjur v4 users should use the v5.x.x release path. Conjur CLI v6.0.0 only supports Conjur v5 and newer.

A complete reference guide is available at conjur.org.

Getting Started

Quick start

$ gem install conjur-cli

$ conjur -v
conjur version 6.0.0

Using conjur-cli with Conjur Open Source

Are you using this project with Conjur Open Source? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS suite release. Conjur maintainers perform additional testing on the suite release versions to ensure compatibility. When possible, upgrade your Conjur version to match the latest suite release; when using integrations, choose the latest suite release that matches your Conjur version. For any questions, please contact us on Discourse.

Using Docker

This software is included in the standalone cyberark/conjur-cli:5 Docker image. Docker containers are ephemeral by design: nothing written inside the container's filesystem survives after it exits unless you mount a volume for it.

You can start an ephemeral session with the Conjur CLI software like so:

$ docker run --rm -it cyberark/conjur-cli:5
root@b27a95721e7d:~# 

Any initialization you do or files you create in that session are discarded (permanently lost) when you exit the shell, because --rm removes the container. Changes you make to the Conjur server itself remain.

You can also bind-mount a folder on your filesystem as the container's home directory, so the files the CLI uses to connect (.conjurrc, the pinned server certificate and, after login, .netrc) persist between runs. Keep that folder private (mode 0700): once you log in it holds a credential. Note that the CLI runs as root inside the container, so on a Linux host with rootful Docker the files it writes are owned by root; in the listing below (taken on a macOS host) they appear owned by the local user. For example:

$ mkdir mydata
$ chmod 700 mydata
$ docker run --rm -it -v $(pwd)/mydata:/root cyberark/conjur-cli:5 init -u https://eval.conjur.org

SHA1 Fingerprint=E6:F7:AC:E3:3A:54:83:4F:D0:06:9B:49:45:C3:85:58:ED:34:4C:4C

Please verify this certificate on the appliance using command:
              openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem

Trust this certificate (yes/no): yes
Enter your organization account name: [email protected]
Wrote certificate to /root/[email protected]
Wrote configuration to /root/.conjurrc
$ ls -lA mydata
total 16
drwxr-xr-x  2 you  staff    68 Mar 29 14:16 .cache
-rw-r--r--  1 you  staff   136 Mar 29 14:16 .conjurrc
-rw-r--r--  1 you  staff  3444 Mar 29 14:16 [email protected]
$ docker run --rm -it -v $(pwd)/mydata:/root cyberark/conjur-cli:5 authn login -u admin
Please enter admin's password (it will not be echoed): 
Logged in
$ ls -lA mydata
total 24
drwxr-xr-x  2 you  staff    68 Mar 29 14:16 .cache
-rw-r--r--  1 you  staff   136 Mar 29 14:16 .conjurrc
-rw-------  1 you  staff   119 Mar 29 14:19 .netrc
-rw-r--r--  1 you  staff  3444 Mar 29 14:16 [email protected]

Security notice: the file .netrc, created or updated by conjur authn login, contains a user identity credential (the login name and that user's API key) that can be used to access the Conjur API as that user. When the data directory is bind-mounted as above, that credential lives on the host filesystem. Remove it after use (conjur authn logout, or delete the file), or otherwise protect it as you would any other netrc file: owner-only permissions, never committed to a repository or copied into an image.
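Two checks a practitioner would want to run against the persisted mydata folder after the session above: that the certificate pinned by `conjur init` really has the fingerprint obtained out of band (answering "yes" to the prompt is a trust-on-first-use decision, so the value should be compared with the one the `openssl x509 -fingerprint` command prints on the appliance, not just eyeballed), and that no cached .netrc credential is left behind with loose permissions. The following is an added example in Ruby (the language conjur-cli is written in); it is not part of conjur-cli or of the Docker image. The function names are hypothetical, and the self-signed certificate it generates is a constructed stand-in for the appliance certificate.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# SHA1 fingerprint of a PEM certificate, formatted the way `conjur init` and
# `openssl x509 -fingerprint` print it: colon-separated upper-case hex pairs.
def cert_fingerprint(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  OpenSSL::Digest.new('SHA1').hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Accept a fingerprint however a human pasted it (any case, with or without
# colons or spaces) so two renderings of the same value compare equal.
def normalize_fingerprint(fp)
  fp.to_s.upcase.gsub(/[^0-9A-F]/, '')
end

# The decision behind "Trust this certificate (yes/no)": true only when the
# presented certificate's fingerprint equals the one obtained out of band.
def fingerprint_matches?(presented_pem, expected_fp)
  expected = normalize_fingerprint(expected_fp)
  return false unless expected.length == 40 # SHA1 is 20 bytes
  normalize_fingerprint(cert_fingerprint(presented_pem)) == expected
end

# Audit a persisted CLI data directory (the host folder mounted as /root).
# Returns a list of findings; an empty list means nothing needs fixing.
def audit_cli_data_dir(dir, expected_fp)
  findings = []
  pems = Dir.glob(File.join(dir, '*.pem'))
  findings << 'no pinned certificate (*.pem) found' if pems.empty?
  pems.each do |path|
    pem = File.read(path)
    next if fingerprint_matches?(pem, expected_fp)
    findings << "#{File.basename(path)}: fingerprint #{cert_fingerprint(pem)} does not match the expected value"
  end
  netrc = File.join(dir, '.netrc')
  if File.exist?(netrc)
    mode = File.stat(netrc).mode & 0o777
    findings << ".netrc: mode #{format('%04o', mode)} is wider than 0600" unless mode == 0o600
    findings << '.netrc: cached API credential still present; run `conjur authn logout` or delete it after use'
  end
  dir_mode = File.stat(dir).mode & 0o777
  findings << "#{dir}: mode #{format('%04o', dir_mode)} is wider than 0700" unless dir_mode == 0o700
  findings
end

# Constructed input: a throwaway self-signed certificate standing in for the
# appliance certificate that `conjur init` would download and pin.
def self_signed_test_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    pem = self_signed_test_cert('conjur.example.test')
    File.write(File.join(dir, 'conjur-example.pem'), pem)
    puts "pinned certificate fingerprint: #{cert_fingerprint(pem)}"
    # The fingerprint from the README session above belongs to a different certificate.
    audit_cli_data_dir(dir, 'E6:F7:AC:E3:3A:54:83:4F:D0:06:9B:49:45:C3:85:58:ED:34:4C:4C').each { |f| puts "finding: #{f}" }
  end
end
```

Run the audit against the real mydata folder once the fingerprint has been confirmed on the appliance; a finding about .netrc after the session is finished is the cue to run conjur authn logout.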

Usage

NAME
    conjur - Command-line toolkit for managing roles, resources and privileges

SYNOPSIS
    conjur [global options] command [command options] [arguments...]

GLOBAL OPTIONS
    --help    - Show this message
    --version - Display the program version

Commands

authn - Login and logout
check - Check for a privilege on a resource
env - Use values of Conjur variables in local context
host - Manage hosts
hostfactory - Manage host factories
init - Initialize the Conjur configuration
ldap-sync - LDAP sync management commands
list - List objects
plugin - Manage plugins
policy - Manage policies
pubkeys - Public keys service operations
resource - Manage resources
role - Manage roles
show - Show an object
user - Manage users
variable - Manage variables

conjur authn

NAME
   authn       - Login and logout
SYNOPSIS
    conjur [global options] authn authenticate [-H|--header] [-f filename|--filename filename]
    conjur [global options] authn login [-p password|--password password] [-u username|--username username] login-name
    conjur [global options] authn logout
    conjur [global options] authn whoami
COMMANDS
    authenticate - Obtains an authentication token using the current logged-in
                   user
    login        - Logs in and caches credentials to netrc.
    logout       - Logs out
    whoami       - Prints out the current logged in username

conjur check

NAME
   check       - Check for a user’s privilege on a resource
SYNOPSIS
   conjur check [object] [privilege] [user]
PRIVILEGES
   read, write, execute

conjur env

NAME
    env         - Use values of Conjur variables in local context
SYNOPSIS
    conjur [global options] env check [--policy arg] [--yaml arg] [-c FILE]
    conjur [global options] env help
    conjur [global options] env run [--policy arg] [--yaml arg] [-c FILE] -- command [arg1, arg2 ...]
    conjur [global options] env template [--policy arg] [--yaml arg] [-c FILE] template.erb

COMMANDS
    check    - Check availability of Conjur variables
    help     - Print description of environment configuration format
    run      - Execute external command with environment variables populated
               from Conjur
    template - Render ERB template with variables obtained from Conjur

root@e1bfc649b68d:/# conjur env help

Environment configuration (either stored in a file referred to by the -c option or provided inline with the --yaml option) should be a YAML document describing a one-level Hash.
Keys of the hash are 'local names', used to refer to variable values in a convenient manner. (See help for env:run and env:template for more details about how they are interpreted).

Values of the hash may take one of the following forms: a) a string, b) a string preceded by the !var tag, c) a string preceded by the !tmp tag.

a) A plain string is just associated with the local name without any calls to Conjur.

b) A string preceded by the !var tag is interpreted as the ID of a Conjur variable whose value should be obtained and associated with the local name.

c) A string preceded by the !tmp tag is interpreted as the ID of a Conjur variable whose value should be stored in a temporary file, whose location should in turn be associated with the local name.

Example of environment configuration:

{ local_variable_1: 'literal value', local_variable_2: !var id/of/Conjur/Variable , local_variable_3: !tmp id/of/another/Conjur/variable }
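The format described above, worked through as an added example in Ruby (the CLI's own language). This is not conjur-cli's implementation of `conjur env`: it parses the one-level hash with its !var and !tmp tags, resolves them through a `fetch` callable that stands in for the Conjur API (a plain hash lookup here), writes !tmp values to 0600 temporary files, and reports every missing or empty variable in one go instead of stopping at the first. The variable ids and secret values are made up.

```ruby
require 'psych'
require 'tempfile'

# One entry of the environment configuration: local name, how the value is
# obtained (:literal, :var or :tmp) and the literal text or Conjur variable id.
EnvEntry = Struct.new(:name, :kind, :ref)

# Parse the one-level YAML hash, keeping the !var / !tmp tags that a plain
# YAML.load would not know what to do with.
def parse_env_config(yaml)
  doc = Psych.parse(yaml)
  root = doc && doc.root
  unless root.is_a?(Psych::Nodes::Mapping)
    raise ArgumentError, 'environment configuration must be a one-level hash'
  end
  root.children.each_slice(2).map do |key, value|
    unless value.is_a?(Psych::Nodes::Scalar)
      raise ArgumentError, "#{key.value}: nested values are not allowed"
    end
    kind = case value.tag
           when nil    then :literal
           when '!var' then :var
           when '!tmp' then :tmp
           else raise ArgumentError, "#{key.value}: unknown tag #{value.tag}"
           end
    EnvEntry.new(key.value, kind, value.value)
  end
end

# Resolve entries into an environment hash. `fetch` maps a Conjur variable id
# to its value, or nil when the variable is absent; here it replaces the API
# call. !tmp values go to 0600 temp files and the path is exported instead of
# the secret itself. Returns [env, tempfiles]; the caller owns the tempfiles.
def resolve_env(entries, fetch)
  env = {}
  tmpfiles = []
  errors = []
  entries.each do |entry|
    if entry.kind == :literal
      env[entry.name] = entry.ref
      next
    end
    value = fetch.call(entry.ref)
    if value.nil? || value.empty?
      errors << "variable #{entry.ref} is missing or has no value"
      next
    end
    if entry.kind == :var
      env[entry.name] = value
    else
      file = Tempfile.new('conjur-env-')
      file.chmod(0o600)
      file.write(value)
      file.flush
      tmpfiles << file
      env[entry.name] = file.path
    end
  end
  unless errors.empty?
    tmpfiles.each(&:close!) # do not leave secrets on disk after a partial failure
    numbered = errors.each_with_index.map { |e, i| "#{i + 1}. #{e}" }
    raise ArgumentError, "there were #{errors.size} error(s):\n#{numbered.join("\n")}"
  end
  [env, tmpfiles]
end

# Equivalent of `conjur env run ... -- command`: run the command with the
# resolved variables in its environment and remove the temp files afterwards,
# whether or not the command succeeded. Returns the command's exit status.
def run_with_env(entries, fetch, *command)
  env, tmpfiles = resolve_env(entries, fetch)
  system(env, *command)
  $?.exitstatus
ensure
  (tmpfiles || []).each(&:close!)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for the Conjur variable store.
  store = { 'id/of/Conjur/Variable' => 'secret-one', 'id/of/another/Conjur/variable' => 'secret-two' }
  config = "{ local_variable_1: 'literal value', local_variable_2: !var id/of/Conjur/Variable , local_variable_3: !tmp id/of/another/Conjur/variable }"
  run_with_env(parse_env_config(config), ->(id) { store[id] }, 'sh', '-c', 'echo "$local_variable_1"; cat "$local_variable_3"; echo')
end
```

The !tmp path is the safer way to hand a secret to a child process: the secret never appears in the process environment, which every process of the same user can read via /proc or ps, and the file is gone once the command returns.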

conjur host

NAME
    host - Manage hosts

SYNOPSIS
    conjur [global options] host layers HOST
    conjur [global options] host rotate_api_key [--host arg|-h arg]

COMMANDS
    layers         - List the layers to which the host belongs
    rotate_api_key - Rotate a host's API key

conjur hostfactory

NAME
    hostfactory - Manage host factories

SYNOPSIS
    conjur [global options] hostfactory hosts
    conjur [global options] hostfactory tokens

COMMANDS
    hosts  - Operations on hosts
    tokens - Operations on tokens

conjur init

NAME
   init – Initialize the Conjur configuration
SYNOPSIS
   conjur [global options] init [-u URL of Conjur service] [-a account name]

conjur ldap-sync

NAME
    ldap-sync - LDAP sync management commands

SYNOPSIS
    conjur [global options] ldap-sync policy

COMMANDS
    policy - Manage the policy used to sync Conjur and the LDAP server

conjur list

Lists Conjur objects

conjur plugin

NAME
    plugin - Manage plugins

SYNOPSIS
    conjur [global options] plugin install [-v version|--version version] PLUGIN
    conjur [global options] plugin list
    conjur [global options] plugin show PLUGIN
    conjur [global options] plugin uninstall PLUGIN

COMMANDS
    install   - Install a plugin
    list      - List installed plugins
    show      - Show a plugin's details
    uninstall - Uninstall a plugin

conjur policy

NAME
    policy - Manage policies

SYNOPSIS
    conjur [global options] policy load [--delete] [--replace] POLICY FILENAME

COMMANDS
    load - Load a policy
           --delete  - deletes a policy
           --replace - replaces a policy

conjur pubkeys

NAME
   pubkeys - Public keys service operations
SYNOPSIS
   conjur [global options] pubkeys [USER]

conjur resource

NAME
    resource - Manage resources

SYNOPSIS
    conjur [global options] resource exists RESOURCE
    conjur [global options] resource permitted_roles RESOURCE PRIVILEGE

COMMANDS
    exists          - Determines whether a resource exists
    permitted_roles - List roles with a specified privilege on the resource

conjur role

NAME
    role - Manage roles

SYNOPSIS
    conjur [global options] role exists [--json] ROLE
    conjur [global options] role members [-V|--verbose] ROLE
    conjur [global options] role memberships [-s|--system] ROLE

COMMANDS
    exists      - Determines whether a role exists
    members     - Lists all direct members of the role. The membership list is
                  not recursively expanded.
    memberships - Lists role memberships. The role membership list is
                  recursively expanded.

conjur show

NAME
   show        - Show an object
SYNOPSIS
   conjur show [object]

conjur user

NAME
    user - Manage users

SYNOPSIS
    conjur [global options] user rotate_api_key [--user arg|-u arg]
    conjur [global options] user update_password [-p arg|--password arg]

COMMANDS
    rotate_api_key  - Rotate a user's API key
    update_password - Update the password of the logged-in user

conjur variable

NAME
    variable - Manage variables

SYNOPSIS
    conjur [global options] variable value [-v arg|--version arg] VARIABLE
    conjur [global options] variable values

COMMANDS
    value  - Get a value
    values - Access variable values

Contributing

We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our contributing guide.

License

This repository is licensed under Apache License 2.0 - see LICENSE for more details.

cyberark-conjur-cli-docker-based's People

Contributors

andytinkham, apotterri, bradleyboutcher, dividedmind, doodlesbykumbi, dustinmm80, egvili, garymoon, hleb-rubanau, hughsaunders, ismarc, izgeri, jakequilty, jeepapichet, jjmason, john-odonnell, jonahx, jtuttle, jvanderhoof, kgilpin, khamugit, kstutsman-conjur, mdkail, mfelgate, micahlee, rpothier, ryanprior, semyon-estrin, sgnn7, szh


cyberark-conjur-cli-docker-based's Issues

no "short" format for audit event "annotation:update"

Should be something like "updated annotation on resource".... (not listing exact annotation).

criteria: kind=='annotation', action='update'

Need it to be cuked and implemented, pretty trivial, but I have no time for this right now (although doing the same in UI)

Conjur init should respect ENV['CONJURRC']

dividevictoria/t/ldapdev➨ set -x CONJURRC /tmp/ldapdev/conjurrc
dividevictoria/t/ldapdev➨ conjur authn:whoami
error: Missing required option account
dividevictoria/t/ldapdev➨ conjur init
Enter the hostname (and optional port) of your Conjur endpoint: ec2-54-220-106-115.eu-west-1.compute.amazonaws.com

SHA1 Fingerprint=18:CB:77:9A:F4:DB:03:A1:28:27:DC:4A:B4:04:06:CB:BD:80:45:9F

Please verify this certificate on the appliance using command:
                openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem

Trust this certificate (yes/no): yes
Wrote certificate to /home/divide/conjur-ldapdev.pem
File /home/divide/.conjurrc exists. Overwrite (yes/no): no
error: Not overwriting /home/divide/.conjurrc
dividevictoria/t/ldapdev➨ 

Error from completions keying 'tab'

When I start typing a command and then use the 'tab' key to complete a file path, I get the error below:

conjur authn login -p `cat ../source/opt/conjur/embedded/lib/ruby/gems/1.9.1/gems/conjur-cli-dalek-4.8.2/bin/_conjur_completions:43:in `<top (required)>': undefined method `[]' for true:TrueClass (NoMethodError)
    from /opt/conjur/embedded/bin/_conjur_completions:23:in `load'
    from /opt/conjur/embedded/bin/_conjur_completions:23:in `<main>'

`host enroll` command is confusing

It does not report an error when a host doesn't exist, and instead it prints a confusing message:

On the target host, please execute the following command:
curl -L  | bash

making it appear as if everything's fine.

BTW, there are several other problems with the enroll command as it is:

  • the url is not quoted, so it's not safe to paste directly in every shell,
  • curl will probably complain about SSL certificate anyway, but adding '-k' to disregard the warning makes me uncomfortable and we shouldn't recommend it,
  • the initial idea was to have the enrollment password only valid for a few minutes, making it safe to copy the command over potentially unencrypted channels. As it is now, it's permanent.

In general I'm not sure what utility does this command have anymore. Maybe we should remove it not to confuse people? Pradeep got confused.

Any role should be able to test the existence of any resource

This cuke should pass, but it doesn't

  Scenario: A role doesn't have to have permissions to test existence of a resource
    Since creating a duplicate would result in failure anyway

    Given I successfully run `conjur resource create food:$ns/bacon`
    And I login as a new user
    When I successfully run `conjur resource exists food:$ns/bacon`
    Then the stdout from "conjur resource exists food:$ns/bacon" should contain "true"

"retire" a variable fails

$ conjur variable retire github.com/conjur-ops/private-key
error: undefined method `roleid' for #<Conjur::Variable:0x007f850b31eb00>

"resource permit" doesn't have a flag for grant_option

The engine supports resource "grant option" but the CLI doesn't expose it. For example, this is a cuke that we should be able to write:

  Scenario: When granted with grant_option, the grantee can grant the privilege to other roles
    Given I create a new user named "alice@$ns"
    And I create a new user named "bob@$ns"
    And I successfully run `conjur resource permit -a food:$ns/bacon user:alice@$ns fry`
    And I login as "alice@$ns"
    Then I successfully run `conjur resource permit food:$ns/bacon user:bob@$ns fry`

But we can't because there's no such flag -a.

Oddly, CLI "resource:permit" doesn't have grant option

The help text states:

grant_option (optional) allows the role to grant the permission to others

However, the grant_option isn't in the CLI options.

    resource.desc "Give a privilege on a resource"
    resource.arg_name "resource-id role privilege"
    resource.command :permit do |c|
      c.action do |global_options,options,args|
        id = full_resource_id( require_arg(args, "resource-id") )
        role = require_arg(args, "role")
        privilege = require_arg(args, "privilege")
        api.resource(id).permit privilege, role
        puts "Permission granted"
      end
    end

in appliance 4.3-beta, conjurenv:check fails on forbidden variables

hide_docs does not actually hide anything

@jjmason , you may be interested in this

Here's the code with deprecation directive (plus explicit "Deprecated" mark in docstring)

    hosts.desc "[Deprecated] Enroll a new host into conjur"
    hosts.arg_name "host"
    hosts.command :enroll do |c|
      hide_docs(c)
      c.action do |global_options, options, args|
        id = require_arg(args, 'host')
        enrollment_url = api.host(id).enrollment_url
        puts enrollment_url
        $stderr.puts "On the target host, please execute the following command:"
        $stderr.puts "curl -L #{enrollment_url} | bash"
      end
    end

Here's the result (note that only explicit mark appears in the output, nothing is actually hidden)

$ conjur help host
Loading /home/hleb/conjur/src/core/.conjurrc
Not overriding environment setting account=ci
Using authn host http://localhost:5000
NAME
    host - Manage hosts

SYNOPSIS
    conjur [global options] host create [--as-group Perform all actions as the specified Group] [--as-role Perform all actions as the specified Role] [-p password|--password password] id
    conjur [global options] host enroll host
    conjur [global options] host layers id
    conjur [global options] host list [--role arg] [-i|--ids] [-l arg|--limit arg] [-o arg|--offset arg] [-r|--raw-annotations] [-s arg|--search arg]
    conjur [global options] host retire id
    conjur [global options] host show id

COMMANDS
    create - Create a new host
    enroll - [Deprecated] Enroll a new host into conjur
    layers - List the layers to which the host belongs
    list   - List hosts
    retire - Decommission a host
    show   - Show a host
hleb@Inspiron-5537:~/conjur/src/cli-ruby$ conjur help host enroll
Loading /home/hleb/conjur/src/core/.conjurrc
Not overriding environment setting account=ci
Using authn host http://localhost:5000
NAME
    enroll - [Deprecated] Enroll a new host into conjur

SYNOPSIS
    conjur [global options] host enroll host

[dalek] group:members:add results in HTTP 411

$ RESTCLIENT_LOG=stderr conjur group:members:add demo/developers "user:alice@demo"
RestClient.post "https://ec2-54-81-242-78.compute-1.amazonaws.com/api/authn/users/admin/authenticate", "<snip>", "Accept"=>"*/*; q=0.5, application/xml", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"53", "Content-Type"=>"text/plain"
# => 200 OK | application/json 494 bytes
RestClient.get "https://ec2-54-81-242-78.compute-1.amazonaws.com/api/info", "Accept"=>"*/*; q=0.5, application/xml", "Accept-Encoding"=>"gzip, deflate"
# => 200 OK | application/json 17 bytes
RestClient.put "https://ec2-54-81-242-78.compute-1.amazonaws.com/api/authz/grt/roles/group/demo/developers/?members&member=user:alice@demo", "Accept"=>"*/*; q=0.5, application/xml", "Accept-Encoding"=>"gzip, deflate", "Authorization"=>"Token token=\"<snip>\""
# => 411 LengthRequired | text/html 180 bytes
<html>
<head><title>411 Length Required</title></head>
<body bgcolor="white">
<center><h1>411 Length Required</h1></center>
<hr><center>nginx/1.2.9</center>
</body>
</html>
error: 411 Length Required

Confusing error message on `role grant_to`

dividevictoria~/p/c/netflix➨ conjur role grant_to -a user:bar admin

error: 422 Unprocessable Entity
dividevictoria~/p/c/netflix➨ conjur role grant_to -a user:bar user:admin
Role granted

[dalek] default command doesn't operate as expected

Command conjur group should list groups and accept the same options as the conjur group list command.

wm164-1b7:conjur-cli kgilpin$ conjur group list -i -l 5
ci:group:b8adb2fc-7a7a-45dd-930c-5f4e08db04d3
ci:group:6d9593a6-adb9-4bec-97cd-bcf8e9b93b41
ci:group:2ca55fd7-17e3-497f-a786-ed913bc45235
ci:group:53733ad9-94e7-4cab-894a-5de3a846ed56
ci:group:cd4555cb-03fc-4852-89bd-4b33a94ec07b

wm164-1b7:conjur-cli kgilpin$ conjur group -i -l 5
error: Unknown option -i

NAME
    group - Manage groups

SYNOPSIS
    conjur [global options] group create [--as-group Perform all actions as the specified Group] [--as-role Perform all actions as the specified Role] id
    conjur [global options] group list [--role arg] [-i|--ids] [-l arg|--limit arg] [-o arg|--offset arg] [-r|--raw-annotations] [-s arg|--search arg]
    conjur [global options] group members
    conjur [global options] group show id

COMMANDS
    create  - Create a new group
    list    - List groups
    members - Show and manage group members
    show    - Show a group

403 on script:execute doesn't fail fast

When running a script and encountering a resource already created but forbidden to current user, I'd expect conjur to fail at that point and tell me why. Currently it just keeps going and fails later for a related reason.

conjurenv run handles missing scripts poorly

I have a script called 'macstadium.sh' in the current directory that ssh's to our macstadium box using values from conjur variables. When I foolishly run it like conjur env run macstadium.sh, I get the meaningless error message error: exit. Obviously the problem here is that I need to do conjur env run ./macstadium.sh. However, a clearer error (whatever bash issues in this case, perhaps), would be nice.

Audit record printing for permission checks could be simplified a bit

There is a lot of repetition of the role, and it always seems to be "x checked that x can ..."

[2014-01-09 12:46:58 -0500]  ci:host:vm2-2.0.4/ci/vm2 checked that ci:host:vm2-2.0.4/ci/vm2 can execute ci:variable:queue/vm2-2.0.4/ci/launch/credentials/sender
[2014-01-09 12:46:59 -0500]  ci:host:vm2-2.0.4/ci/vm2 checked that ci:host:vm2-2.0.4/ci/vm2 can execute ci:variable:a87yw0
[2014-01-09 12:57:20 -0500]  ci:host:vm2-2.0.4/ci/vm2 checked that ci:host:vm2-2.0.4/ci/vm2 can execute ci:variable:k26sc0
[2014-01-09 13:01:59 -0500]  ci:host:vm2-2.0.4/ci/vm2 checked that ci:host:vm2-2.0.4/ci/vm2 can execute ci:variable:k26sc0
[2014-01-09 13:02:00 -0500]  ci:host:vm2-2.0.4/ci/vm2 checked that ci:host:vm2-2.0.4/ci/vm2 can execute ci:variable:queue/vm2-2.0.4/ci/launch/credentials/sender
[2014-01-09 13:02:01 -0500]  ci:host:vm2-2.0.4/ci/vm2 checked that ci:host:vm2-2.0.4/ci/vm2 can execute ci:variable:a87yw0

bootstrap command fails for me

Enter your username:
hleb
error: undefined method `prompt_for_password' for Conjur::CLI:Class
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/bundler/gems/cli-ruby-839ed23382d0/lib/conjur/command.rb:30:in `method_missing'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/bundler/gems/cli-ruby-839ed23382d0/lib/conjur/command/bootstrap.rb:45:in `block (2 levels) in <class:Bootstrap>'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/gems/gli-2.12.2/lib/gli/command_support.rb:126:in `call'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/gems/gli-2.12.2/lib/gli/command_support.rb:126:in `execute'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/gems/gli-2.12.2/lib/gli/app_support.rb:290:in `block in call_command'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/gems/gli-2.12.2/lib/gli/app_support.rb:303:in `call'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/gems/gli-2.12.2/lib/gli/app_support.rb:303:in `call_command'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/gems/gli-2.12.2/lib/gli/app_support.rb:81:in `run'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/bundler/gems/cli-ruby-839ed23382d0/lib/conjur/cli.rb:58:in `run'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/bundler/gems/cli-ruby-839ed23382d0/bin/conjur:26:in `<top (required)>'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/bin/conjur:23:in `load'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/bin/conjur:23:in `<main>'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/bin/ruby_executable_hooks:15:in `eval'
/home/hleb/.rvm/gems/ruby-2.0.0-p353@conjur-asset-ui/bin/ruby_executable_hooks:15:in `<main>'
error: undefined method `prompt_for_password' for Conjur::CLI:Class

Gemfile.lock:

GIT
  remote: https://github.com/conjurinc/cli-ruby.git
  revision: 839ed23382d029bbc9052366b4a8d3d0993ba89a
  branch: master
  specs:
    conjur-cli (4.15.0)

conjur env collapses when there is no variable value

For example

Variable has been created by policy's runner and doesn't have any value:

$ conjur variable value asakura/docker-registry-2.0/s3/bucket_id

error: 404 Resource Not Found

conjurenv file:

$ cat conjurenv
AWS_BUCKET: !var asakura/docker-registry-2.0/s3/bucket_id
$ conjur env run -c conjurenv -- env
error: undefined method `chomp' for nil:NilClass

Error message is not obvious. Better to show something like this:

error: variable asakura/docker-registry-2.0/s3/bucket_id exists but doesn't have a value

And in case of many errors:

error: there were several errors:
1. variable asakura/docker-registry-2.0/s3/bucket_id exists but doesn't have a value
2. variable asakura/docker-registry-2.0/s3/aws doesn't exist

"help -c" shows some extraneous stuff

See _doc, hidden (asset) methods, and field:select

$ conjur help -c
_doc
asset
audit
authn
field:select
group
help
host
id
init
layer
policy
pubkeys
resource
role
script
secret
user
variable

CLI audit eventually kills the web server

error: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server session ticket A
/Users/kgilpin/.rvm/gems/ruby-1.9.3-p429@conjur-cli/gems/rest-client-1.6.7/lib/restclient/request.rb:182:in `rescue in transmit': Server broke connection (RestClient::ServerBrokeConnection)
    from /Users/kgilpin/.rvm/gems/ruby-1.9.3-p429@conjur-cli/gems/rest-client-1.6.7/lib/restclient/request.rb:140:in `transmit'
    from /Users/kgilpin/.rvm/gems/ruby-1.9.3-p429@conjur-cli/gems/rest-client-1.6.7/lib/restclient/request.rb:64:in `execute'
    from /Users/kgilpin/.rvm/gems/ruby-1.9.3-p429@conjur-cli/gems/rest-client-1.6.7/lib/restclient/request.rb:33:in `execute'
    from /Users/kgilpin/.rvm/gems/ruby-1.9.3-p429@conjur-cli/gems/rest-client-1.6.7/lib/restclient/resource.rb:51:in `get'
    from /Users/kgilpin/source/inscitiv/conjur-api/lib/conjur/api/audit.rb:46:in `audit_event_feed'
    from /Users/kgilpin/source/inscitiv/conjur-api/lib/conjur/api/audit.rb:26:in `audit_role'
    from /Users/kgilpin/source/inscitiv/conjur-cli/lib/conjur/webserver/audit_stream.rb:66:in `fetch_events'
    from /Users/kgilpin/source/inscitiv/conjur-cli/lib/conjur/webserver/audit_stream.rb:36:in `block (2 levels) in stream_events'
    from /Users/kgilpin/source/inscitiv/conjur-cli/lib/conjur/audit/follower.rb:44:in `call'
    from /Users/kgilpin/source/inscitiv/conjur-cli/lib/conjur/audit/follower.rb:44:in `fetch_new_events'
    from /Users/kgilpin/source/inscitiv/conjur-cli/lib/conjur/audit/follower.rb:25:in `block in follow'
    from /Users/kgilpin/source/inscitiv/conjur-cli/lib/conjur/audit/follower.rb:24:in `loop'
    from /Users/kgilpin/source/inscitiv/conjur-cli/lib/conjur/audit/follower.rb:24:in `follow'
    from /Users/kgilpin/source/inscitiv/conjur-cli/lib/conjur/webserver/audit_stream.rb:38:in `block in stream_events'
    from /Users/kgilpin/.rvm/gems/ruby-1.9.3-p429@conjur-cli/gems/eventmachine-1.0.3/lib/eventmachine.rb:1037:in `call'
    from /Users/kgilpin/.rvm/gems/ruby-1.9.3-p429@conjur-cli/gems/eventmachine-1.0.3/lib/eventmachine.rb:1037:in `block in spawn_threadpool'

Variable in DSL without annotations breaks

variable "aws/access_key_id", kind: "credentials"

/home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:187:in `find_or_create': undefined method `[]' for nil:NilClass (NoMethodError)
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:157:in `method_missing'
        from scripts/policy.rb:2:in `block in execute'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:92:in `call'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:92:in `block (4 levels) in policy'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:226:in `do_scope'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:66:in `scope'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:91:in `block (3 levels) in policy'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:214:in `do_object'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:203:in `find_or_create'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:109:in `resource'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:90:in `block (2 levels) in policy'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:132:in `owns'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:89:in `block in policy'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:214:in `do_object'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:203:in `find_or_create'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:114:in `role'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:87:in `policy'
        from scripts/policy.rb:1:in `execute'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:104:in `instance_eval'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:104:in `execute'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/command/dsl_command.rb:50:in `block in run_script'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/command/policy.rb:81:in `call'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/command/policy.rb:81:in `block (5 levels) in <class:Policy>'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:226:in `do_scope'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/dsl/runner.rb:66:in `scope'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/command/policy.rb:80:in `block (4 levels) in <class:Policy>'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/command/dsl_command.rb:49:in `call'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/command/dsl_command.rb:49:in `run_script'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/command/policy.rb:79:in `block (3 levels) in <class:Policy>'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/gli-2.11.0/lib/gli/command_support.rb:126:in `call'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/gli-2.11.0/lib/gli/command_support.rb:126:in `execute'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/gli-2.11.0/lib/gli/app_support.rb:284:in `block in call_command'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/gli-2.11.0/lib/gli/app_support.rb:297:in `call'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/gli-2.11.0/lib/gli/app_support.rb:297:in `call_command'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/gli-2.11.0/lib/gli/app_support.rb:79:in `run'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/lib/conjur/cli.rb:58:in `run'
        from /home/divide/.rvm/gems/ruby-2.1.1/gems/conjur-cli-4.10.1/bin/conjur:26:in `<top (required)>'
        from /home/divide/.rvm/gems/ruby-2.1.1/bin/conjur:23:in `load'
        from /home/divide/.rvm/gems/ruby-2.1.1/bin/conjur:23:in `<main>'
        from /home/divide/.rvm/gems/ruby-2.1.1/bin/ruby_executable_hooks:15:in `eval'
        from /home/divide/.rvm/gems/ruby-2.1.1/bin/ruby_executable_hooks:15:in `<main>'

Allow supplying a policy name in `conjur env`

When working on the docker image I came across the problem of using the correct policy. The policy name is passed as $CONJUR_POLICY to the container, but to apply it I have to sed the env file.

How about adding a --prefix argument to conjur env? I imagine this would add the given prefix to variable names; perhaps just some, i.e.

foo: !var /foo # -> policy/foo
bar: !var bar # -> bar -- prefix not applied

License missing from gemspec

Some companies will only use gems with a certain license.
The canonical and easy way to check is via the gemspec
via e.g.

spec.license = 'MIT'
# or
spec.licenses = ['MIT', 'GPL-2']

There is even a License Finder to help companies ensure all gems they use
meet their licensing needs. This tool depends on license information being available in the gemspec.
Including a license in your gemspec is a good practice, in any case.

How did I find you?

I'm using a script to collect stats on gems, originally looking for download data, but decided to collect licenses too,
and make issues for missing ones as a public service :)
https://gist.github.com/bf4/5952053#file-license_issue-rb-L13 So far it's going pretty well

audit output for permitted_roles is missing the privilege that was checked

Short output:

$ conjur audit:resource --short service:pubkeys-1.0/public-keys
[2014-05-24 17:05:21 UTC] demo:user:kgilpin listed roles permitted to  on demo:service:pubkeys-1.0/public-keys

Full output:

$ conjur audit:resource service:pubkeys-1.0/public-keys
{
  "id": 6034,
  "timestamp": "2014-05-24T17:05:21Z",
  "user": "demo:user:kgilpin",
  "acting_as": "demo:user:kgilpin",
  "kind": "resource",
  "action": "permitted_roles",
  "resource": "demo:service:pubkeys-1.0/public-keys",
  "request": {
    "ip": "65.96.212.255",
    "url": "https://localhost:5100/demo/roles/allowed_to/update/service/pubkeys-1.0/public-keys",
    "method": "GET",
    "params": {
      "controller": "resources",
      "action": "permitted_roles",
      "account": "demo",
      "permission": "update",
      "kind": "service",
      "identifier": "pubkeys-1.0/public-keys"
    },
    "uuid": "89eaf6f1867aeeab569a9d360f0d9b93"
  }
}
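The gap in the short form above is that the checked privilege never reaches the one-line summary, even though the full record still carries it in request.params.permission (and again in the request URL). The following is an added example, not conjur-cli code: it parses the full record and rebuilds the --short line with the privilege filled in, falling back to the URL path when the params field is absent. The sample record is constructed from the report above and trimmed to the fields the code reads.

```ruby
require 'json'
require 'time'

# Constructed sample, copied from the full audit record in the report above and
# trimmed to the fields this example reads.
AUDIT_EVENT = <<~'JSON'
  {
    "id": 6034,
    "timestamp": "2014-05-24T17:05:21Z",
    "user": "demo:user:kgilpin",
    "acting_as": "demo:user:kgilpin",
    "kind": "resource",
    "action": "permitted_roles",
    "resource": "demo:service:pubkeys-1.0/public-keys",
    "request": {
      "url": "https://localhost:5100/demo/roles/allowed_to/update/service/pubkeys-1.0/public-keys",
      "method": "GET",
      "params": { "permission": "update" }
    }
  }
JSON

# The privilege a permitted_roles query checked is not a top-level field of the
# event; it survives only in request.params.permission, with the request URL
# (.../roles/allowed_to/<privilege>/<kind>/<identifier>) as a second copy.
def checked_privilege(event)
  perm = event.dig('request', 'params', 'permission')
  return perm unless perm.nil? || perm.empty?
  m = event.dig('request', 'url').to_s.match(%r{/roles/allowed_to/([^/]+)/})
  m && m[1]
end

# Rebuild the one-line --short form with the privilege filled in. When the
# record carries no privilege at all, say so explicitly rather than print a gap.
def short_line(event)
  ts  = Time.iso8601(event.fetch('timestamp')).utc.strftime('%Y-%m-%d %H:%M:%S UTC')
  who = event.fetch('user')
  who += " (acting as #{event['acting_as']})" if event['acting_as'] && event['acting_as'] != who
  priv = checked_privilege(event) || '<unknown privilege>'
  "[#{ts}] #{who} listed roles permitted to #{priv} on #{event.fetch('resource')}"
end

if $PROGRAM_NAME == __FILE__
  puts short_line(JSON.parse(AUDIT_EVENT))
end
```

Reading the privilege from the structured params field first and only then from the URL keeps the summary honest if a future record format drops one of the two copies.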

conjur cli only requires command prefix

It seems that the conjur cli is completely prefix based, eg. conjur athn logo is interpreted as conjur athn logout and conjur u l is interpreted as conjur user list. Is this intended behaviour? It seems a bit prone to fat-fingering.

T
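To make the concern above concrete, here is an added example (not conjur-cli or GLI code) that resolves a typed command against a small command tree in two ways: a permissive resolver that accepts any unique prefix, which is the behaviour described in the report, and a strict resolver that only runs exact names or explicitly declared aliases. The command tree is a constructed subset, assumed for the example rather than taken from the real CLI.

```ruby
# Constructed subset of a command tree, standing in for the CLI's real command
# list (an assumption for this example, not the actual conjur-cli command set).
COMMAND_TREE = {
  'authn' => { 'login' => {}, 'logout' => {}, 'whoami' => {} },
  'user'  => { 'list' => {}, 'create' => {}, 'update' => {} },
}.freeze

class UnknownCommand   < StandardError; end
class AmbiguousCommand < StandardError; end

# Permissive resolution: an exact name wins, otherwise any unique prefix is
# accepted. A one-letter typo that happens to be unique still runs something.
def resolve_by_prefix(word, names)
  return word if names.include?(word)
  hits = names.select { |n| n.start_with?(word) }
  raise UnknownCommand, word if hits.empty?
  raise AmbiguousCommand, "#{word} matches #{hits.join(', ')}" if hits.size > 1
  hits.first
end

# Strict resolution: only exact names, plus explicitly declared aliases, run.
# A mistyped or truncated word is an error instead of a guess.
def resolve_exact(word, names, aliases = {})
  name = aliases.fetch(word, word)
  raise UnknownCommand, word unless names.include?(name)
  name
end

# Walk argv through the tree with the chosen resolver and return the full
# command path that would actually execute.
def resolve_path(argv, tree: COMMAND_TREE, strict: false, aliases: {})
  node = tree
  argv.map do |word|
    name = strict ? resolve_exact(word, node.keys, aliases) : resolve_by_prefix(word, node.keys)
    node = node.fetch(name)
    name
  end
end

if $PROGRAM_NAME == __FILE__
  p resolve_path(%w[u l])                       # permissive: runs user list
  p resolve_path(%w[authn logo])                # permissive: runs authn logout
  p resolve_path(%w[authn logo], strict: true,  # strict: only via a declared alias
                 aliases: { 'logo' => 'logout' })
end
```

The strict resolver is the safer default for a credential-management CLI: a short alias is an explicit, reviewable choice, whereas prefix matching turns every future command whose name shares a prefix with an existing one into a silent change of behaviour for scripts already in use.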

Unexpected deprecation warning

Expected this to not print a warning?

$ CONJURRC=.conjurrc conjur help
WARNING: .conjurrc file from current directory is used. This behaviour is deprecated. Use ENV['CONJURRC'] to explicitly define custom configuration file if needed

'conjur init' fails to print the destination of the config file

$ conjur init -h ec2-54-81-46-135.compute-1.amazonaws.com

SHA1 Fingerprint=2B:99:47:50:6D:86:42:8C:B0:E6:B8:10:22:63:67:AD:5D:BF:A7:35

Please verify this certificate on the appliance using command:
                openssl x509 -fingerprint -noout -in ~conjur/etc/ssl/conjur.pem

Trust this certificate (yes/no): yes
Wrote certificate to /Users/kgilpin/conjur-conjurops.pem
Wrote configuration to 

"resource give" against non-existing resource just creates it (without transfer) instead of error

In the scenario below, a resource give command unexpectedly creates a resource, and it seems to be owned by the current user, not the target user.

spudling:conjurops kgilpin$ conjur variable list -s trial -i
[
  "conjurops:variable:trials/grt/admin-password",
  "conjurops:variable:trials/grt/appliance-url",
  "conjurops:variable:trials/opendns/admin_password",
  "conjurops:variable:trials/opendns/public_hostname"
]
spudling:conjurops kgilpin$ conjur resource give variable:trials/opendns/admin_password user:nobody
Ownership granted
spudling:conjurops kgilpin$ conjur resource give variable:trials/opendns/public-hostname user:nobody
Ownership granted
spudling:conjurops kgilpin$ conjur variable list -s trial -i
[
  "conjurops:variable:trials/grt/admin-password",
  "conjurops:variable:trials/grt/appliance-url",
  "conjurops:variable:trials/opendns/public_hostname",
  "conjurops:variable:trials/opendns/public-hostname"
]
spudling:conjurops kgilpin$ conjur resource give variable:trials/opendns/public_hostname user:nobody
Ownership granted
spudling:conjurops kgilpin$ conjur resource give variable:trials/opendns/public-hostname user:nobody
Ownership granted
spudling:conjurops kgilpin$ conjur variable list -s trial -i
[
  "conjurops:variable:trials/grt/admin-password",
  "conjurops:variable:trials/grt/appliance-url",
]
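The security-relevant point in the transcript above is that an ownership transfer against a mistyped id fails open: the command reports success, a new resource appears, and it is owned by the caller rather than the intended recipient. The following is an added example, not conjur-cli code: an in-memory model of ownership transfer that reproduces that fail-open behaviour beside a fail-closed version which refuses to touch any id that does not already exist. Resource ids and role names are constructed from the report.

```ruby
# Added example (not conjur-cli code): a minimal in-memory ownership store used
# to contrast a fail-open "give" with a fail-closed one.
class ResourceStore
  class NotFound < StandardError; end

  def initialize
    @owner = {} # resource id => owning role
  end

  def create(id, owner)
    @owner[id] = owner
    self
  end

  def owner_of(id)
    @owner[id]
  end

  def ids
    @owner.keys.sort
  end

  # Fail-open: an id that does not exist is created on the fly, owned by the
  # caller rather than the intended recipient, and the call still reports
  # success. This is the behaviour the transcript above shows.
  def give_fail_open(id, new_owner, caller)
    if @owner.key?(id)
      @owner[id] = new_owner
    else
      @owner[id] = caller
    end
    'Ownership granted'
  end

  # Fail-closed: check existence before changing anything, so a typo in the id
  # is an error instead of a stray resource owned by whoever ran the command.
  def give_fail_closed(id, new_owner)
    raise NotFound, "#{id} does not exist" unless @owner.key?(id)
    @owner[id] = new_owner
    'Ownership granted'
  end
end

if $PROGRAM_NAME == __FILE__
  store = ResourceStore.new.create('variable:trials/opendns/public_hostname', 'user:kgilpin')
  typo  = 'variable:trials/opendns/public-hostname' # hyphen instead of underscore
  puts store.give_fail_open(typo, 'user:nobody', 'user:kgilpin')
  p store.ids # the mistyped id now exists, owned by user:kgilpin
  begin
    store.give_fail_closed('variable:trials/opendns/public-hostnam', 'user:nobody')
  rescue ResourceStore::NotFound => e
    puts "refused: #{e.message}"
  end
end
```

The check is cheap and belongs on the server side of the API as well as in the client: a client-side existence test only narrows the race, it cannot close it.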

[dalek] resource listing should use pretty JSON format

I'd like to see this be pretty JSON. Also, what about showing the adminship of the members? We should reconcile this with the role:memberships command and make sure they match.

$ conjur group members list demo/developers
["grt:group:security_admin","grt:user:alice@demo"]
