V0.1.0 beta release (#63)
* Do not list unless prompted to list (#21)

* Push current README changes for review

* Fix typo to resolve issue #23 (#24)

* modify the application CMD for authn-<action> (#25)

* Fix unit tests (#26)

* More than on account in this safe now

* Create application used for list authentication test

* Safe Members permissions is not an array

* If failure to send request do not attempt to get body

* fix dev example

* Added code of conduct, contributing, updated readme

* v0.0.4-alpha

* Conjur commands (#27)

* Add the conjur-api-go library

* CMD for conjur actions

* Helper functions for conjur

* Upgraded deps

* Added comment to GetHomeDirectory()

* refactor code and place into pkg. Added list resources cmd

* go mod tidy

* Refactor duplicate code

* Refactor

* Rotate api key cmd

* ~/.netrc file should have 0400 permissions

Co-authored-by: Joe Garcia <joe@joe-garcia.com>

* Update conjur.go

* Safe members (#29)

* Added add-member and remove-member to the safe action

* Added add member and remove member to cybr api

* Added aliases to actions so plural or singular works

* Number of Days will not be omitted when 0

* Dev creating application flow (#34)

* Dev creating application flow

* preventing globbing using double-quotes

* v0.0.5-alpha Ready for Release (#35)

* bump release version

* Ready for release

* remove plural aliases

* Add new line to commands #33 (#39)

* #38 Add cybr conjur logoff command (#40)

* #44 refactor api tests (#45)

* Add #37 add verbose v006 (#41)

* Added logger to httpjson package

* Create logger interface and implement interface for CMD logging

* When init pas client also init with logger depending on --verbose flag

* Add logger to the PAS apis

* Do not log added account password. Implemented secrets in logger that will be scrubbed when logging

* Scrub the password by creating a new logger with secrets

* Fix #42 RADIUS authentication support for push, append, challenge/response modes (#48)

* support for radius authentication append, push and challenge/response

* #30 Unsuspend a user from failed logon attempts (#43)

* #30 Unsuspend a user from failed logon attempts

* Fix typos in cmd

* Use old unsuspend endpoint because it uses username name rather than user ID

* HERE'S YOUR SPACE

* Add logger to user api pkg

* Remove duplicate tests

* Implement client.GetLogger() function so null logger cannot be returned

* Fix 52 conjur logon fail (#53)

* add --self-signed flag to conjur logon

* Retrieve the certificate path from the conjurrc file

* only retrieve the certificate if self signed is enabled

* implement a getLoginClient function

* Fix #52 conjur logon fail (#54)

* add --self-signed flag to conjur logon

* Retrieve the certificate path from the conjurrc file

* only retrieve the certificate if self signed is enabled

* implement a getLoginClient function

* Make files path os-agnostic

* increase default --limit to 25

Co-authored-by: Joe Garcia <joe@joe-garcia.com>

* Fix #32 add cybr logon --non-interactive (#56)

* #49 add account actions (#57)

* Add ability to auto generate docs (#61)

* Fix #31 users cmds v0.1.0 (#55)

* Users API implementation

* Where responses and requests should be located

* remove unneeded files

* Remove add user commands because running into issues

* Add CMD to list and delete users

* prep for v0.1.0-beta release (#62)

* prep for v0.1.0-beta release

* Remove docs pkg html files

* Update default to 25 in description

Co-authored-by: AndrewCopeland <andcope1995@gmail.com>

Co-authored-by: Joe Garcia <joe@joe-garcia.com>
Co-authored-by: Joe Garcia <infamousjoeg@users.noreply.github.com>
3 people authored Jan 28, 2021
1 parent 353a65f commit 02600e2
Showing 84 changed files with 2,664 additions and 2,192 deletions.
625 changes: 34 additions & 591 deletions README.md

Large diffs are not rendered by default.

Binary file modified bin/cybr
Binary file not shown.
Binary file removed bin/darwin_cybr
Binary file not shown.
Binary file modified bin/linux_cybr
Binary file not shown.
Binary file modified bin/windows_cybr.exe
Binary file not shown.
153 changes: 148 additions & 5 deletions cmd/accounts.go
Expand Up @@ -55,6 +55,21 @@ var (

// Filter Search for accounts filtered by safeName or modificationTime
Filter string

// Reason to access account
Reason string

// TicketingSystemName name of the ticketing system
TicketingSystemName string

// TicketID the ticket ID
TicketID string

// Version of the secret/password being retrieved
Version int

// ChangeEntireGroup change account group
ChangeEntireGroup bool
)

var accountsCmd = &cobra.Command{
Expand All @@ -76,7 +91,7 @@ var listAccountsCmd = &cobra.Command{
Example Usage:
$ cybr accounts list`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
Expand Down Expand Up @@ -109,7 +124,7 @@ var getAccountsCmd = &cobra.Command{
Example Usage:
$ cybr accounts get -i 24_1`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
Expand Down Expand Up @@ -165,7 +180,7 @@ var addAccountsCmd = &cobra.Command{
Example Usage:
$ cybr accounts add -s SafeName -p platformID -u username -a 10.0.0.1 -t password -s SuperSecret`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
Expand Down Expand Up @@ -207,9 +222,9 @@ var deleteAccountsCmd = &cobra.Command{
Long: `Delete a specific account from PAS REST API.
Example Usage:
$ cybr accounts delete 24_1`,
$ cybr accounts delete -i 24_1`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
Expand All @@ -225,6 +240,109 @@ var deleteAccountsCmd = &cobra.Command{
},
}

var getPasswordAccountCmd = &cobra.Command{
Use: "get-password",
Short: "Get password of a specific account",
Long: `This method enables users to retrieve the password or SSH key of an existing account that is identified by its Account ID. It enables users to specify a reason and ticket ID, if required.
Example Usage:
$ cybr accounts get-password -i 24_1`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
}

request := pasapi.GetAccountPasswordRequest{
Reason: Reason,
TicketingSystemName: TicketingSystemName,
TicketID: TicketID,
Version: Version,
}

response, err := client.GetAccountPassword(AccountID, request)
if err != nil {
log.Fatalf("%s", err)
return
}

fmt.Println(response)
},
}

var verifyAccountCmd = &cobra.Command{
Use: "verify",
Short: "Mark an account for verification",
Long: `This method marks an account for credential verification
Example Usage:
$ cybr accounts verify -i 24_1`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
}

err = client.VerifyAccountCredentials(AccountID)
if err != nil {
log.Fatalf("%s", err)
return
}

fmt.Printf("Successfully marked account '%s' for verification\n", AccountID)
},
}

var changeAccountCmd = &cobra.Command{
Use: "change",
Short: "Mark an account for change",
Long: `This method marks an account for credential change
Example Usage:
$ cybr accounts change -i 24_1`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
}

err = client.ChangeAccountCredentials(AccountID, ChangeEntireGroup)
if err != nil {
log.Fatalf("%s", err)
return
}

fmt.Printf("Successfully marked account '%s' for change\n", AccountID)
},
}

var reconcileAccountCmd = &cobra.Command{
Use: "reconcile",
Short: "Mark an account for reconciliation",
Long: `This method marks an account for credential reconciliation
Example Usage:
$ cybr accounts reconcile -i 24_1`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
}

err = client.ReconileAccountCredentials(AccountID)
if err != nil {
log.Fatalf("%s", err)
return
}

fmt.Printf("Successfully marked account '%s' for reconciliation\n", AccountID)
},
}

func init() {
// Listing an account
listAccountsCmd.Flags().StringVarP(&Search, "search", "s", "", "List of keywords to search for in accounts, separated by a space")
Expand Down Expand Up @@ -256,11 +374,36 @@ func init() {
deleteAccountsCmd.Flags().StringVarP(&AccountID, "account-id", "i", "", "Account ID to delete")
deleteAccountsCmd.MarkFlagRequired("account-id")

// Get password for account
getPasswordAccountCmd.Flags().StringVarP(&AccountID, "account-id", "i", "", "Account ID to retrieve password value of")
getPasswordAccountCmd.MarkFlagRequired("account-id")
getPasswordAccountCmd.Flags().IntVarP(&Version, "version", "v", 0, "Version of the account password")
getPasswordAccountCmd.Flags().StringVarP(&Reason, "reason", "r", "", "Reason for retriving account password")
getPasswordAccountCmd.Flags().StringVarP(&TicketingSystemName, "ticketing-system", "s", "", "Ticketing system name")
getPasswordAccountCmd.Flags().StringVarP(&TicketID, "ticket-id", "t", "", "The ticket ID related to the ticketing system")

// verify account
verifyAccountCmd.Flags().StringVarP(&AccountID, "account-id", "i", "", "Account ID to verify")
verifyAccountCmd.MarkFlagRequired("account-id")

// change account
changeAccountCmd.Flags().StringVarP(&AccountID, "account-id", "i", "", "Account ID to change")
changeAccountCmd.MarkFlagRequired("account-id")
changeAccountCmd.Flags().BoolVarP(&ChangeEntireGroup, "change-entire-group", "c", false, "If account is part of account group, change the entire group")

// reconcile
reconcileAccountCmd.Flags().StringVarP(&AccountID, "account-id", "i", "", "Account ID to reconcile")
reconcileAccountCmd.MarkFlagRequired("account-id")

// Add cmd to account cmd
accountsCmd.AddCommand(listAccountsCmd)
accountsCmd.AddCommand(getAccountsCmd)
accountsCmd.AddCommand(addAccountsCmd)
accountsCmd.AddCommand(deleteAccountsCmd)
accountsCmd.AddCommand(getPasswordAccountCmd)
accountsCmd.AddCommand(verifyAccountCmd)
accountsCmd.AddCommand(changeAccountCmd)
accountsCmd.AddCommand(reconcileAccountCmd)

// Add accounts cmd to root
rootCmd.AddCommand(accountsCmd)
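Review bot: `get-password` builds its client with `pasapi.GetConfigWithLogger(getLogger())` and then prints the retrieved secret with `fmt.Println(response)`, and nothing visible in this section registers that value with the logger's secret scrubbing that the commit description mentions for added account passwords. If the HTTP layer logs response bodies in verbose mode (not shown here), the password would appear in the verbose output, so it is worth confirming that `GetAccountPassword` either skips body logging or scrubs the value. I would also state the exposure in the command's `Long` text, e.g. `The password is written to stdout in clear text; avoid running this where output is captured, such as CI logs.`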
12 changes: 6 additions & 6 deletions cmd/applications.go
Expand Up @@ -65,7 +65,7 @@ var listApplicationsCmd = &cobra.Command{
$ cybr applications list`,
Run: func(cmd *cobra.Command, args []string) {
// Get config file written to local file system
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
Expand All @@ -91,7 +91,7 @@ var listMethodsCmd = &cobra.Command{
$ cybr applications list-authn -a AppID`,
Run: func(cmd *cobra.Command, args []string) {
// Get config file written to local file system
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
Expand All @@ -115,7 +115,7 @@ var addApplicationCmd = &cobra.Command{
Example Usage:
$ cybr applications add -a AppID -l "\\"`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
Expand Down Expand Up @@ -155,7 +155,7 @@ var deleteApplicationCmd = &cobra.Command{
Example Usage:
$ cybr applications delete -a AppID`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
Expand All @@ -179,7 +179,7 @@ var addApplicationAuthenticationMethodCmd = &cobra.Command{
Example Usage:
$ cybr applications add-authn -a AppID -t path -v /some/path`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
Expand Down Expand Up @@ -212,7 +212,7 @@ var deleteApplicationAuthenticationMethodCmd = &cobra.Command{
Example Usage:
$ cybr applications delete-authn -a AppID -i 1`,
Run: func(cmd *cobra.Command, args []string) {
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
return
45 changes: 41 additions & 4 deletions cmd/conjur.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,13 @@ func loadPolicy(policyBranch string, policyFilePath string, policyMode conjurapi
prettyprint.PrintJSON(response)
}

func removeFile(path string) {
err := os.Remove(path)
if err != nil {
log.Fatalf("Failed to remove file '%s'. %s", path, err)
}
}

var conjurCmd = &cobra.Command{
Use: "conjur",
Short: "Conjur actions",
Expand Down Expand Up @@ -91,10 +98,15 @@ var conjurLogonCmd = &cobra.Command{
log.Fatalf("%s\n", err)
}

netrcPath := fmt.Sprintf("%s/.netrc", homeDir)
certPath := fmt.Sprintf("%s/conjur-%s.pem", homeDir, Account)
netrcPath := conjur.GetNetRcPath(homeDir)

err = conjur.CreateConjurRc(Account, BaseURL)
// certPath remains empty if not using self-signed-cert
certPath := ""
if InsecureTLS {
certPath = conjur.GetConjurPemPath(homeDir, Account)
}

err = conjur.CreateConjurRc(Account, BaseURL, InsecureTLS)
if err != nil {
log.Fatalf("Failed to create ~/.conjurrc file. %s\n", err)
}
Expand Down Expand Up @@ -155,6 +167,29 @@ var conjurNonInteractiveLogonCmd = &cobra.Command{
},
}

var conjurLogoffCmd = &cobra.Command{
Use: "logoff",
Short: "Logoff to Conjur",
Long: `Logoff to conjur and remove the ~/.netrc and ~/.conjurrc files
Example Usage:
$ cybr conjur logoff`,
Run: func(cmd *cobra.Command, args []string) {
homeDir, err := conjur.GetHomeDirectory()
if err != nil {
log.Fatalf("%s\n", err)
}

netrcPath := fmt.Sprintf("%s/.netrc", homeDir)
conjurrcPath := fmt.Sprintf("%s/.conjurrc", homeDir)

removeFile(netrcPath)
removeFile(conjurrcPath)

fmt.Println("Logged off conjur")
},
}

var conjurAppendPolicyCmd = &cobra.Command{
Use: "append-policy",
Short: "Append policy to conjur",
Expand Down Expand Up @@ -361,6 +396,7 @@ func init() {
conjurLogonCmd.MarkFlagRequired("account")
conjurLogonCmd.Flags().StringVarP(&BaseURL, "base-url", "b", "", "Conjur appliance URL")
conjurLogonCmd.MarkFlagRequired("base-url")
conjurLogonCmd.Flags().BoolVar(&InsecureTLS, "self-signed", false, "Retrieve and use self-signed certificate when sending requests to the Conjur API")

// append-policy
conjurAppendPolicyCmd.Flags().StringVarP(&PolicyBranch, "branch", "b", "", "The policy branch in which policy is being loaded")
Expand Down Expand Up @@ -398,7 +434,7 @@ func init() {
// list
conjurListResourcesCmd.Flags().StringVarP(&Kind, "kind", "k", "", "Narrows results to only resources of that kind")
conjurListResourcesCmd.Flags().StringVarP(&Search, "search", "s", "", "Narrows results to those pertaining to the search query")
conjurListResourcesCmd.Flags().IntVarP(&Limit, "limit", "l", 10, "Maximum number of returned resource. Default is 10")
conjurListResourcesCmd.Flags().IntVarP(&Limit, "limit", "l", 25, "Maximum number of returned resource")
conjurListResourcesCmd.Flags().IntVarP(&Offset, "offset", "o", 0, "Index to start returning results from for pagination")
conjurListResourcesCmd.Flags().BoolVarP(&InspectResources, "inspect", "i", false, "Show full object information")

Expand All @@ -416,5 +452,6 @@ func init() {
conjurCmd.AddCommand(conjurInfoCmd)
conjurCmd.AddCommand(conjurListResourcesCmd)
conjurCmd.AddCommand(conjurRotateAPIKeyCmd)
conjurCmd.AddCommand(conjurLogoffCmd)
rootCmd.AddCommand(conjurCmd)
}
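Review bot: `conjur logoff` deletes the whole `~/.netrc`, which commonly also holds credentials for other hosts, and `removeFile` calls `log.Fatalf` on any error, so a missing `.netrc` aborts before `.conjurrc` is removed. The paths are also built with `fmt.Sprintf("%s/.netrc", homeDir)` while logon in this same section now uses `conjur.GetNetRcPath(homeDir)`, so the two may disagree on non-Unix systems. I would tolerate a missing file with `if err != nil && !os.IsNotExist(err) {` in `removeFile`, take the netrc path from `conjur.GetNetRcPath(homeDir)`, and consider removing only the Conjur machine entry rather than the file. As far as this section shows, the certificate file used for `--self-signed` logons is not cleaned up on logoff either.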
10 changes: 3 additions & 7 deletions cmd/logoff.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,21 +17,17 @@ var logoffCmd = &cobra.Command{
$ cybr logoff`,
Run: func(cmd *cobra.Command, args []string) {
// Get config file written to local file system
client, err := pasapi.GetConfig()
client, err := pasapi.GetConfigWithLogger(getLogger())
if err != nil {
log.Fatalf("Failed to read configuration file. %s", err)
}
// Logoff the PAS REST API
err = client.Logoff()
if err != nil {
log.Fatalf("Failed to log off. %s", err)
return
}
// Remove the config file written to local file system
err = client.RemoveConfig()
if err != nil {
log.Fatalf("Failed to remove configuration file. %s", err)
}
// Logoff the PAS REST API
_ = client.Logoff()

fmt.Println("Successfully logged off PAS.")
},
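Review bot: The new `_ = client.Logoff()` discards the server-side logoff error after the local config has already been removed, yet the command still prints `Successfully logged off PAS.`. If the request fails, the session token presumably stays valid on the PAS side until it expires, and the user gets no indication of that. Keeping the local cleanup unconditional is reasonable, but the failure should be surfaced, e.g. `if err = client.Logoff(); err != nil { log.Printf("Warning: local config removed but PAS logoff failed. %s", err) }`.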