v0.1.12-beta Release (#171)

* Fixes #165 use builder image (#166)

* Fixes #140 authenticate to conjur using authn-iam (#162)

* Fix #149 add cybr conjur whoami to see identity currently logged in as (#152)

* Add whoami support

* deprecate -i from go build & rm sudo

* bump version to v0.1.11-beta

* Fix #91 add support to query platforms in pas (#153)

* Add platforms cmd

* Fix accounts var name

* Update docs

* Fix linting errors

* Fix cybr safes add not setting PasswordManager as default

* Initial commit authn-iam

* WIP begin authenticator strategy for authn & authn-iam

* Merge conflicts

* Fix current golint errors

* Initial implementation of authn strategy

* Successfully tested initial authn-iam integration

* Bump version to v0.1.12-beta

* Update binaries

* Update documentation for authn-iam

* Fix no client side certificate dictating InsecureSkipVerify

* Add authn-iam docs to README

* Fixes 167 Update cybr users unsuspend to v2 API (#168)

* Fix #169 safe permission set properly now (#170)

.dockerignore

@@ -0,0 +1,14 @@
+.DS_STORE
+.github
+bin
+dev
+docs
+.git
+.gitignore
+.gitlab-ci.yml
+Jenkinsfile
+generate-docs
+install
+install.sh
+make
+secrets.yml

Dockerfile

@@ -1,16 +1,9 @@
-FROM golang:1-bullseye
+FROM golang as builder
 
 ENV GO111MODULE=on
 
 WORKDIR /app
 
-ENV PATH="/app:${PATH}"
-
-RUN useradd -ms /bin/bash cybr && \
-    chmod 777 /home/cybr && \
-    mkdir -p /home/cybr/.cybr && \
-    chown -R cybr /home/cybr/.cybr 
-
 COPY go.mod .
 COPY go.sum .
 
@@ -20,5 +13,11 @@ COPY . .
 
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /app/cybr .
 
-USER cybr
+FROM ubuntu
+COPY --from=builder /app/cybr /app/
+RUN useradd -ms /bin/bash cybr && \
+    chmod 777 /home/cybr && \
+    mkdir -p /home/cybr/.cybr && \
+    chown -R cybr /home/cybr/.cybr
+ENV PATH="/app:${PATH}"
 ENTRYPOINT ["/app/cybr"]

README.md

@@ -20,6 +20,7 @@ Current products supported:
 	- [AWS CloudShell](#aws-cloudshell)
 	- [Install from Source](#install-from-source)
 - [Usage](#usage)
+	- [Authenticating with authn-iam (AWS IAM Role Authentication)](#authenticating-with-authn-iam-aws-iam-role-authentication)
 	- [Documentation](#documentation)
 - [Autocomplete](#autocomplete)
 - [Example Source Code](#example-source-code)
@@ -69,6 +70,23 @@ $ cybr help
 * `$ cybr help` for top-level commands list
 * `$ cybr [command] -h` for specific command details and sub-commands list
 
+### Authenticating with authn-iam (AWS IAM Role Authentication)
+
+Set the following environment variables:
+
+* `CONJUR_ACCOUNT` - The Conjur account name
+* `CONJUR_APPLIANCE_URL` - The URL of the Conjur service (e.g. https://conjur.example.com)
+* `CONJUR_AUTHN_LOGIN` - The Host ID for the IAM role (e.g. `host/cloud/aws/ec2/1234567890/ConjurAWSRoleEC2`)
+* `CONJUR_AUTHENTICATOR` - The authenticator ID (e.g. `authn-iam`)
+* `CONJUR_AUTHN_SERVICE_ID` - The authenticator web service ID (e.g. `prod`)
+* `CONJUR_AWS_TYPE` - The AWS type (e.g. `ec2` or `ecs` or `lambda`)
+
+Once environment variables are set, ensure no .conjurrc or .netrc exists in the user's home directory:
+
+`rm -f ~/.conjurrc ~/.netrc`
+
+Then run any command you wish to run within `cybr conjur`. Use the `--help` flag to see all available commands.
+
 ### Documentation
 
 All commands are documentated [in the docs/ directory](docs/cybr.md).

cmd/conjur.go

@@ -11,6 +11,7 @@ import (
 	"github.com/cyberark/conjur-api-go/conjurapi"
 	"github.com/cyberark/conjur-api-go/conjurapi/authn"
 	"github.com/infamousjoeg/cybr-cli/pkg/cybr/conjur"
+	"github.com/infamousjoeg/cybr-cli/pkg/cybr/helpers/authenticators"
 	"github.com/infamousjoeg/cybr-cli/pkg/cybr/helpers/prettyprint"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/ssh/terminal"
@@ -85,7 +86,8 @@ var conjurLogonCmd = &cobra.Command{
 	Long: `Authenticate to Conjur using API Key or password
 	
 	Example Usage:
-	$ cybr conjur logon -a account -b https://conjur.example.com -l admin`,
+	$ cybr conjur logon -a account -b https://conjur.example.com -l admin
+	$ cybr conjur logon -a account -b https://conjur.example.com -l serviceAccountUser --authn-ldap`,
 	Aliases: []string{"login"},
 	Run: func(cmd *cobra.Command, args []string) {
 		fmt.Print("Enter password: ")
@@ -114,9 +116,9 @@ var conjurLogonCmd = &cobra.Command{
 			log.Fatalf("Failed to create ~/.conjurrc file. %s\n", err)
 		}
 
-		authnURL := conjur.GetAuthURL(BaseURL, "authn", "")
+		authnURL := authenticators.GetAuthURL(BaseURL, "authn", "")
 		if AuthnLDAP != "" {
-			authnURL = conjur.GetAuthURL(BaseURL, "authn-ldap", AuthnLDAP)
+			authnURL = authenticators.GetAuthURL(BaseURL, "authn-ldap", AuthnLDAP)
 		}
 
 		apiKey, err := conjur.Login(authnURL, Account, Username, byteSecretVal, certPath)

cmd/safes.go

@@ -86,7 +86,7 @@ var (
 	// Role of safe member to determine pre-defined safe permissions
 	Role string
 	// RolePermissions contain the pre-defined safe permissions of defined role
-	RolePermissions []requests.PermissionKeyValue
+	RolePermissions map[string]string
 	// User is the user to search for as a safe member
 	User string
 	// Group is the group to search for as a safe member
@@ -242,95 +242,12 @@ var addMembersCmd = &cobra.Command{
 
 		// If no role is specified, default to user-provided safe permissions
 		if Role == "" {
-			RolePermissions = []requests.PermissionKeyValue{
-				{
-					Key:   "UseAccounts",
-					Value: UseAccounts,
-				},
-				{
-					Key:   "RetrieveAccounts",
-					Value: RetrieveAccounts,
-				},
-				{
-					Key:   "ListAccounts",
-					Value: ListAccounts,
-				},
-				{
-					Key:   "AddAccounts",
-					Value: AddAccounts,
-				},
-				{
-					Key:   "UpdateAccountContent",
-					Value: UpdateAccountContent,
-				},
-				{
-					Key:   "UpdateAccountProperties",
-					Value: UpdateAccountProperties,
-				},
-				{
-					Key:   "InitiateCPMAccountManagementOperations",
-					Value: InitiateCPMAccountManagementOperations,
-				},
-				{
-					Key:   "SpecifyNextAccountContent",
-					Value: SpecifyNextAccountContent,
-				},
-				{
-					Key:   "RenameAccounts",
-					Value: RenameAccounts,
-				},
-				{
-					Key:   "DeleteAccounts",
-					Value: DeleteAccounts,
-				},
-				{
-					Key:   "UnlockAccounts",
-					Value: UnlockAccounts,
-				},
-				{
-					Key:   "ManageSafe",
-					Value: ManageSafe,
-				},
-				{
-					Key:   "ManageSafeMembers",
-					Value: ManageSafeMembers,
-				},
-				{
-					Key:   "BackupSafe",
-					Value: BackupSafe,
-				},
-				{
-					Key:   "ViewAuditLog",
-					Value: ViewAuditLog,
-				},
-				{
-					Key:   "ViewSafeMembers",
-					Value: ViewSafeMembers,
-				},
-				{
-					Key:   "AccessWithoutConfirmation",
-					Value: AccessWithoutConfirmation,
-				},
-				{
-					Key:   "CreateFolders",
-					Value: CreateFolders,
-				},
-				{
-					Key:   "DeleteFolders",
-					Value: DeleteFolders,
-				},
-				{
-					Key:   "MoveAccountsAndFolders",
-					Value: MoveAccountsAndFolders,
-				},
-				{
-					Key:   "RequestsAuthorizationLevel1",
-					Value: RequestsAuthorizationLevel1,
-				},
-				{
-					Key:   "RequestsAuthorizationLevel2",
-					Value: RequestsAuthorizationLevel2,
-				},
+			var RolePermissionsString string
+			RolePermissionsString = fmt.Sprintf("UseAccounts=%v,RetrieveAccounts=%v,ListAccounts=%v,AddAccounts=%v,UpdateAccountContent=%v,UpdateAccountProperties=%v,InitiateCPMAccountManagementOperations=%v,SpecifyNextAccountContent=%v,RenameAccounts=%v,DeleteAccounts=%v,UnlockAccounts=%v,ManageSafe=%v,ManageSafeMembers=%v,BackupSafe=%v,ViewAuditLog=%v,ViewSafeMembers=%v,AccessWithoutConfirmation=%v,CreateFolders=%v,DeleteFolders=%v,MoveAccountsAndFolders=%v,RequestsAuthorizationLevel1=%v,RequestsAuthorizationLevel2=%v", UseAccounts, RetrieveAccounts, ListAccounts, AddAccounts, UpdateAccountContent, UpdateAccountProperties, InitiateCPMAccountManagementOperations, SpecifyNextAccountContent, RenameAccounts, DeleteAccounts, UnlockAccounts, ManageSafe, ManageSafeMembers, BackupSafe, ViewAuditLog, ViewSafeMembers, AccessWithoutConfirmation, CreateFolders, DeleteFolders, MoveAccountsAndFolders, RequestsAuthorizationLevel1, RequestsAuthorizationLevel2)
+			RolePermissions, err = keyValueStringToMap(RolePermissionsString)
+			if err != nil {
+				log.Fatalf("Failed to parse role permissions. %s", err)
+				return
 			}
 		}
 
@@ -344,12 +261,10 @@ var addMembersCmd = &cobra.Command{
 		}
 
 		newMember := requests.AddSafeMember{
-			Member: requests.AddSafeMemberInternal{
-				MemberName:               MemberName,
-				SearchIn:                 SearchIn,
-				MembershipExpirationDate: MembershipExpirationDate,
-				Permissions:              RolePermissions,
-			},
+			MemberName:               MemberName,
+			SearchIn:                 SearchIn,
+			MembershipExpirationDate: MembershipExpirationDate,
+			Permissions:              RolePermissions,
 		}
 
 		// Add a safe with the configuration options given via CLI subcommands

cmd/users.go

@@ -74,21 +74,21 @@ var unsuspendUserCmd = &cobra.Command{
 	Long: `Activates a suspended user. It does not activate an inactive user.
 	
 	Example Usage:
-	$ cybr users unsuspend --username userName`,
+	$ cybr users unsuspend --id 9`,
 	Run: func(cmd *cobra.Command, args []string) {
 		client, err := pasapi.GetConfig()
 		if err != nil {
 			log.Fatalf("Failed to read configuration file. %s", err)
 			return
 		}
 
-		err = client.UnsuspendUser(Username)
+		err = client.UnsuspendUser(UserID)
 		if err != nil {
-			log.Fatalf("Failed to unsuspend user '%s'. %s", Username, err)
+			log.Fatalf("Failed to unsuspend user with id '%d'. %s", UserID, err)
 			return
 		}
 
-		fmt.Printf("Successfully unsuspended user '%s'\n", Username)
+		fmt.Printf("Successfully unsuspended user with id '%d'\n", UserID)
 	},
 }
 
@@ -224,8 +224,8 @@ var addUserCmd = &cobra.Command{
 
 func init() {
 	// unsuspend
-	unsuspendUserCmd.Flags().StringVarP(&Username, "username", "u", "", "The user you would like to unsuspend")
-	unsuspendUserCmd.MarkFlagRequired("username")
+	unsuspendUserCmd.Flags().IntVarP(&UserID, "id", "i", 0, "The ID of the user you wish to unsuspend")
+	unsuspendUserCmd.MarkFlagRequired("id")
 
 	// list
 	listUsersCmd.Flags().StringVarP(&Search, "search", "s", "", "Search for the username, first name or last name of a user")

docs/cybr.md

@@ -31,4 +31,4 @@ Security.
 * [cybr users](cybr_users.md)	 - User actions for PAS REST API
 * [cybr version](cybr_version.md)	 - Display current version
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts.md

@@ -35,4 +35,4 @@ All account actions that can be taken via PAS REST API.
 * [cybr accounts reconcile](cybr_accounts_reconcile.md)	 - Mark an account for reconciliation
 * [cybr accounts verify](cybr_accounts_verify.md)	 - Mark an account for verification
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts_add.md

@@ -39,4 +39,4 @@ cybr accounts add [flags]
 
 * [cybr accounts](cybr_accounts.md)	 - Account actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts_change.md

@@ -31,4 +31,4 @@ cybr accounts change [flags]
 
 * [cybr accounts](cybr_accounts.md)	 - Account actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts_delete.md

@@ -30,4 +30,4 @@ cybr accounts delete [flags]
 
 * [cybr accounts](cybr_accounts.md)	 - Account actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts_get-password.md

@@ -34,4 +34,4 @@ cybr accounts get-password [flags]
 
 * [cybr accounts](cybr_accounts.md)	 - Account actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts_get.md

@@ -30,4 +30,4 @@ cybr accounts get [flags]
 
 * [cybr accounts](cybr_accounts.md)	 - Account actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts_list.md

@@ -35,4 +35,4 @@ cybr accounts list [flags]
 
 * [cybr accounts](cybr_accounts.md)	 - Account actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts_move.md

@@ -31,4 +31,4 @@ cybr accounts move [flags]
 
 * [cybr accounts](cybr_accounts.md)	 - Account actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts_reconcile.md

@@ -30,4 +30,4 @@ cybr accounts reconcile [flags]
 
 * [cybr accounts](cybr_accounts.md)	 - Account actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_accounts_verify.md

@@ -30,4 +30,4 @@ cybr accounts verify [flags]
 
 * [cybr accounts](cybr_accounts.md)	 - Account actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_applications.md

@@ -33,4 +33,4 @@ All applications actions that can be taken via PAS REST API.
 * [cybr applications list](cybr_applications_list.md)	 - List all applications
 * [cybr applications list-authn](cybr_applications_list-authn.md)	 - List all authn methods on a specific application
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_applications_add-authn.md

@@ -34,4 +34,4 @@ cybr applications add-authn [flags]
 
 * [cybr applications](cybr_applications.md)	 - Applications actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_applications_add.md

@@ -40,4 +40,4 @@ cybr applications add [flags]
 
 * [cybr applications](cybr_applications.md)	 - Applications actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_applications_delete-authn.md

@@ -31,4 +31,4 @@ cybr applications delete-authn [flags]
 
 * [cybr applications](cybr_applications.md)	 - Applications actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_applications_delete.md

@@ -30,4 +30,4 @@ cybr applications delete [flags]
 
 * [cybr applications](cybr_applications.md)	 - Applications actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_applications_list-authn.md

@@ -31,4 +31,4 @@ cybr applications list-authn [flags]
 
 * [cybr applications](cybr_applications.md)	 - Applications actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_applications_list.md

@@ -30,4 +30,4 @@ cybr applications list [flags]
 
 * [cybr applications](cybr_applications.md)	 - Applications actions for PAS REST API
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_ccp.md

@@ -26,4 +26,4 @@ All actions that can be performed with the Central Credential Provider.
 * [cybr](cybr.md)	 - cybr is CyberArk's PAS command-line interface utility
 * [cybr ccp get-account](cybr_ccp_get-account.md)	 - Get account from CCP
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_ccp_get-account.md

@@ -47,4 +47,4 @@ cybr ccp get-account [flags]
 
 * [cybr ccp](cybr_ccp.md)	 - CCP actions
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022

docs/cybr_cem.md

@@ -32,4 +32,4 @@ All actions that can be performed with the Cloud Entitlements Manager.
 * [cybr cem recommendations](cybr_cem_recommendations.md)	 - Get Entity Recommendations
 * [cybr cem remediations](cybr_cem_remediations.md)	 - Get Entity Remediations
 
-###### Auto generated by spf13/cobra on 28-Jun-2022
+###### Auto generated by spf13/cobra on 13-Oct-2022