Fix #87 Add role-based safe permissions when adding safe member (#141)

* go mod tidy

* Initial commit

* Add missing safe member perms & accept roles

* Added addt'l roles based on PPO recommendations

* Update exported func comment

* change logic; reduce LoC

* Fix x/sys issues

* Add safe member roles and docs for authz

* Bump version from 0.1.8 to 0.1.9

* Add addt'l clarification to safe member authz roles

* combined dupe code

* Snyk code scan enabled

* Add final release binaries

.dccache

@@ -0,0 +1 @@
+{"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/main.go":[92,1648050361920.2852,"3faa97d46eacdb9b75694ba322113441ae2a11602b4c97500d03805626ee3107"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/accounts.go":[14536,1648050361895.2126,"36c9df4b987e1e36a88e70d8260dea7ac2dd4e20365ee25a36bf8395dd0723c0"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/applications.go":[10581,1648050361895.526,"b6299e609511736c8c63c36258d576060f9006d3e0cf319bf8dd4bdc8ab69366"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/ccp.go":[5858,1648050361895.8848,"821d5f16c5344210bc7e8b2e5476ab92c8bdcc371c08743f21928cd5d1814f21"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/cem.go":[9790,1648050361896.1357,"df90b0d849ac04a4ed203c5f132409ecf2f3d6eafc658d9989edf2fc88c9db6f"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/completion.go":[1750,1648050361896.3733,"9956b96382536e1a9f90a137f8eb4cefc5cb0a8a7fab7da96f168bdf220e7805"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/conjur.go":[14700,1648050361896.75,"773ad6fa20da95bde22770e3e2ebc7c31071abd6be84127e54fb1d380495a9ed"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/logoff.go":[864,1648050361897.0269,"d6efee31c96f702c643b1502dffa58c8745ecb492e6ebba7a2b8c1edef9dec11"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/logon.go":[4074,1648050361897.486,"6bd25cfeece016d477f0679745ccf3004560b95f480a513fb0ffe71f3fe3d535"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/root.go":[1172,1648050361897.711,"654017edd9c9ad063db510f7a61738954ff51f8725b1442cab83317130155da4"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/safes.go":[18302,1649953129822.6284,"a67f68e93dc55f37169ef49cd12806930ad8c61fab727827a4f1fa8860f0e044"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/users.go":[8925,1648050361898.1567,"2db984a5718e5ca60faa4922b5d2e9377eded735ef519b57460ad4f6c1c48990"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/util.go":[988,1648050361898.3176,"b1120552e208f416544d8638b1d824b624a1101caeefac288fe536aa116e4a43"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/cmd/version.go":[882,1648050361898.4817,"3fb7702d9c1667dbd88cb054c439d18a1ab6c36857fcb9bc3e4227030515e574"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/docs/main.go":[246,1648050361917.6965,"8eed0fcd126e5f1a98cdb2500877ea68729882fe5f9b4da4fc3fdb68b4950220"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/logger/cmd.go":[1116,1648050361941.5835,"d17c1d837bf5e112b5206a33889fdf4b373d696b243eff838ff3df409108f7c8"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/logger/logger.go":[454,1648050361941.8965,"97a29bfe935d3c6b6eb572bdcf75dac8742606586681df807cd32b9a545a5d62"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/version.go":[473,1649965361506.6033,"4f37e6c914c247050739d89a7462be7ec02ebdecff69488a1b693dfd9db0bd55"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/cem/cem.go":[1944,1648050361936.8147,"aa204cf83a501740f923b70840929bf56f53abe4ac0e9a5b1209a28635db3a85"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/accounts.go":[6612,1648050361921.5513,"d4e264870db2f8640d3d721cc48aeb34082a9a623e5a5098234745c9ef8bafd9"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/accounts_test.go":[5390,1648050361921.8787,"649cca4f209f30a3bc8df5df60ac79fdf13b47fbbfa45ece2738c65d26d4cb12"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/applications.go":[4126,1648050361922.1743,"ff288795cf6c36fb045dd7a7db42102b021a766512db411e5a57eb1311cd6334"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/applications_test.go":[3365,1648050361922.489,"f62af774c471893e01f9eb42baa605ec4f6fcf98d0197baadfc225472c52e74d"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/auth.go":[1198,1648050361922.7942,"17d9d23962f5f2462dbbd11581e7f320506da722ab86474e4d3e1941dfa7dfb4"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/auth_test.go":[2182,1648050361923.0527,"f605ea8cef188b802511f313f9a06927e682225d1eb619bdd465f10cbe41ae2b"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/client.go":[3292,1648050361923.4119,"5d47536b5770d756bc2609f0f0d1695a2c7283b48ad772ebceba0b1250fc79cf"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/client_test.go":[2134,1648050361923.6643,"0a0fbdf0525a606d569312b9f05b1336536d6fed512c9563e440c28dad4bc286"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/roles.go":[4190,1649965604726.4006,"6925a4684d99be01ad25732f8e85c640ca86902e0004abe6da7cf676237a4a79"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/safes.go":[4088,1648050361932.6843,"5e0d55ced253abf9c86b03564a77ee8898d6477bc5483b275fed16b894d6dcb6"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/safes_test.go":[3520,1648050361932.965,"3643f5ec6647cda19816b435fe7bbd6028610609e47d43ce1a4d9f91bff5e498"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/server.go":[788,1648050361933.2942,"a22e2464470862ea17875421a4db010e8480a9d538321f9ac776b4316558e0fe"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/server_test.go":[728,1648050361933.9438,"c442a80d458d0bf1919234222d42ca7cdc478e1e9033d2d499b14ddc07030c96"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/users.go":[2577,1648050361934.7822,"016e4d7584ebd6fac2b49dc6ba2ccdf1caa6421beccb19bcfdabfae9ac8d7bec"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/users_test.go":[2240,1648050361935.112,"a2e5fba3f8b9c15bd2bbe8d731d208bedb56d3e99e0752675287242b7477d047"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/ccp/ccp.go":[3731,1648050361935.995,"d36da8eb074e909fa1f94f49c9aa716257ca27b309a75ad0514c58a1d761ce00"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/ccp/ccp_test.go":[1566,1648050361936.3032,"578a05d38bc9223470dbc461fe0a1eec726b4f52218351edd2c5f19b21700b3e"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/conjur/client.go":[4770,1648050361937.3357,"acc068426a4857b36cc45979747d7125892d1a35abff16b7ee51ef7a9bf010bf"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/conjur/conjurrc.go":[5640,1648050361937.6963,"cc411a95b51e1c57332d5c92e0571637d730c4ce1d682e09f312b280f08a454f"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/conjur/enableauthn.go":[732,1648050361938.0098,"2399a491f47b5ff81c376bb5b2d915ea10d61ad66466456fa2453b039911afbd"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/conjur/info.go":[905,1648050361938.3105,"d7378980489596a74aafcdba2784412e97cd21b6cbeeb54da9c3c29aaa02f913"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/conjur/logon.go":[1745,1648050361938.5986,"d1834cd10b9bbe5ac930fec124006abe23f4c3a3e3ac1b1bef6c94ae355beb9f"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/conjur/netrc.go":[1543,1648050361938.8755,"eafb03139d11c773fdc5888f0871ad6243132f21a69a43ac08aa720e74206dba"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/queries/listaccounts.go":[359,1648050361924.0796,"6fb72fd5498ae7cc523ec4aad80f363b20cc799c804965caded4b8e2f05aa03b"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/queries/listusers.go":[181,1648050361924.3755,"cd0cb32c0fe931666d1a0b5a5ed9a991f00aac4a503cb32ffa4ea5bfff30301c"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/adduser.go":[2699,1648050361928.8745,"8ecb5368ffe48e535757a587fb3934f89ae124114a8ec46f76487436216838bd"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/getaccount.go":[966,1648050361929.2498,"197456dfdb22c03cbe85bafdd7e21ef46ebba3a006179084c0fccc1b21101383"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/listaccounts.go":[163,1648050361929.5664,"d515ef43777f01e35e34360a682dfce1a5ec4883279cd823e650f5127bae38ce"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/listapplicationauthenticationmethods.go":[698,1648050361930.0913,"1ae1644684736a24ccfd07a4e426ba1445178194f88a6f6f1c6ab27b73c7339f"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/listapplications.go":[1227,1648050361930.3994,"e7aadb2d991c94a1228bcacc1a04ae7a985984f4da57781659e68c3ef72aba95"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/listsafemembers.go":[1283,1648050361930.6948,"556d28d90e856137dea5f8c0114fda2e35be5922c656d7637bf6912be441c86f"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/listsafes.go":[450,1648050361931.0176,"91eaa217a5d0dd92e25429adedbc58d1b0758ac1a564365789162e9082768461"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/listusers.go":[977,1648050361931.373,"3746c14848f6306361287f0e35056b82a722e9709978b8a8a6279a850e2dfac6"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/serververify.go":[544,1648050361932.07,"ef43ffcf762dd11e464880967c510e50d5b712eaa3b352698cc1df8bc6b49492"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/responses/updatesafe.go":[416,1648050361932.397,"e3898b201d6c22b68a0da1f2901bb58b1f3571e6f66c48232e8aadbffa54315f"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/addaccount.go":[829,1648050361924.9312,"9f33ba010de232b13d6f7c3e76dfd9b7829db6cc5f624121bcf898c467d8ace9"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/addapplication.go":[875,1648050361925.282,"cef951dbb2f13dcd250ba2d457d66451552929db584fab93152d1f41dadb56f3"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/addapplicationauthenticationmethod.go":[572,1648050361925.589,"ad57f636de66d5e024084ce21dd6cc715bab14d4389d3d9bed203c38ab5bb0bc"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/addsafe.go":[502,1648050361925.9182,"641968e6361a828a0fb0b5b628f29c9c58f31f812a33e14eb776f251383d2690"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/addsafemember.go":[715,1648050361926.206,"3b2b3d09c172d2d76c00777b0f2fd6c5f602115976379c3774d0c9f7f6f53ebc"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/adduser.go":[1272,1648050361926.4678,"44b442a0522720185cfac9503d544b91953289285e2a4ab560fd05ccf8afb8ca"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/changeaccountcredential.go":[188,1648050361926.7983,"4cef6a5bc8d96250e0c0879341513a840e4534e8c88d6f43174c5a271a5ec17f"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/getaccountpassword.go":[573,1648050361927.072,"cf70410f42367afcc66285cb62f658abacff5e5b5d3f1eec512bd31727d7ca27"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/logon.go":[250,1648050361927.3052,"4ba6f90a88279833f8a85477c5d46b0eaab8266926d3d6d986812bf047efd95e"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/unsuspenduser.go":[136,1648050361927.7324,"7fdccf5a639acf31f90fceaf509d8c46504f200ffe5110001b5715a6746898b7"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests/updatesafe.go":[316,1648050361928.3804,"205d8041dfa09aafa67a25de327656c250d80417bf2b3822e5bd6f824add480a"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/api/shared/secretmanagement.go":[376,1648050361934.4226,"5022463c030caaec9adb4568ab4e1bce980534df554679baae1cedb07f020eef"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/helpers/httpjson/httpjson.go":[4849,1648050361939.5632,"f1e07cf64394950e06dba2aa3f7ae4a63c6d63289b5c2631dd6f6e0156f52aaa"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/helpers/httpjson/query.go":[882,1648050361939.8804,"7c4112058215bbd802189df6d8e3a80e01d3b9c31782a9080fdd07c24dc03962"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/helpers/prettyprint/prettyprint.go":[288,1648050361940.3652,"bef4a2d47b3198639ee99a13f0879ef85485c0f94efaa745aae09a85fc845c77"],"/Users/joe.garcia/go/src/github.com/infamousjoeg/cybr-cli/pkg/cybr/helpers/util/util.go":[325,1648050361940.8423,"f97b6ce72f3aa5981cbf58fe1e5f04cba5feaaec12cebda732d24c19720babc7"]}

.github/workflows/ci.yml

@@ -71,6 +71,8 @@ jobs:
         run: export GO111MODULE=on
       - name: Create ./bin/ directory
         run: mkdir -p bin
+      - name: Fix x/sys Issues
+        run: go get -u golang.org/x/sys
       - name: Build Binaries
         run: |
           CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build -o ./bin/${{ matrix.goos }}_cybr .

README.md

@@ -3,8 +3,10 @@
 A "Swiss Army Knife" command-line interface (CLI) for easy human and non-human interaction with CyberArk's suite of products.
 
 Current products supported:
-* CyberArk Privileged Access Security (PAS)
-* CyberArk Conjur Secrets Manager Enterprise & Open Source
+* CyberArk Privileged Access Manager (PAM)
+* CyberArk Secrets Manager Central Credential Provider (CCP)
+* CyberArk Conjur Secrets Manager Enterprise & [Open Source](https://conjur.org)
+* CyberArk Cloud Entitlements Manager ([Free trial](https://www.cyberark.com/try-buy/cloud-entitlements-manager/))
 
 **Want to get dangerous quickly?** Check out the example bash script at [dev/add-delete-pas-application.sh](dev/add-delete-pas-application.sh).
 
@@ -13,13 +15,16 @@ Current products supported:
 ## Table of Contents <!-- omit in toc -->
 
 - [Install](#install)
-  - [MacOS](#macos)
-  - [Windows or Linux](#windows-or-linux)
-  - [AWS CloudShell](#aws-cloudshell)
-  - [Install from Source](#install-from-source)
+	- [MacOS](#macos)
+	- [Windows or Linux](#windows-or-linux)
+	- [AWS CloudShell](#aws-cloudshell)
+	- [Install from Source](#install-from-source)
 - [Usage](#usage)
+- [Autocomplete](#autocomplete)
 - [Example Source Code](#example-source-code)
-  - [Logon to the PAS REST API Web Service](#logon-to-the-pas-rest-api-web-service)
+	- [Logon to the PAS REST API Web Service](#logon-to-the-pas-rest-api-web-service)
+- [Security](#security)
+	- [`cybr safes add-member --role` Role Permissions](#cybr-safes-add-member---role-role-permissions)
 - [Testing](#testing)
 - [Maintainers](#maintainers)
 - [Contributions](#contributions)
@@ -116,6 +121,32 @@ func main() {
 }
 ```
 
+## Security
+
+If there is a security concern or bug discovered, please responsibly disclose all information to joe (dot) garcia (at) cyberark (dot) com.
+
+### `cybr safes add-member --role` Role Permissions
+
+All safe member roles defined below are based on best practices and recommendations put forth by CyberArk's PAS Programs Office, creators of the CyberArk Blueprint for Identity Security.
+
+|Role|Safe Authorizations|
+|---|---|
+|BreakGlass|All authorizations except Authorize Password Requests|
+|VaultAdmin|- List Accounts<br>- View Audit Log<br>- View Safe Members|
+|SafeManager|- Manage Safe<br>- Manage Safe Members<br>- View Audit Log<br>- View Safe Members<br>- Access Safe w/o Confirmation|
+|EndUser|- Use/Retrieve/List Accounts<br>- View Audit Log<br>- View Safe Members|
+|Auditor|- List Accounts<br>- View Audit Log<br>- View Safe Members|
+|AIMWebService|No authorizations|
+|AppProvider|- Retrieve/List Accounts<br>- View Safe Members|
+|ApplicationIdentity|- Retrieve/List Accounts|
+|AccountProvisioner|- List/Add/Delete Accounts<br>- Update Password Properties<br>- Initiate CPM Password Management Operations<br>- View Audit Log<br>- View Safe Members<br>- Access Safe w/o Confirmation|
+|CPDeployer|- List/Add Accounts<br>- Update Password Properties<br>- Initiate CPM Password Management Operations<br>- Manage Safe Member<br>- View Audit Log, View Safe Members<br>- Access Safe w/o Confirmation|
+|ComponentOrchestrator|- List/Add Accounts<br>- Update Password Properties<br>- Initiate CPM Password Management Operations<br>- View Audit Log<br>- Access Safe w/o Confirmation|
+|APIAutomation|- List/Add/Rename/Delete/Unlock Accounts<br>- Update Password Content/Properties<br>- Initiate CPM Password Management Operations<br>- Manage Safe<br>- Manage Safe Members<br>- View Audit Log<br>- View Safe Members<br>- Create/Delete Folders<br>- Move Accounts/Folders|
+|PasswordScheduler|- List Accounts<br>- Initiate CPM Password Management Operation<br>- View Audit Log<br>- View Safe Members<br>- Access Safe w/o Confirmation|
+|ApproverLevel1|- List Accounts<br>- View Audit Log<br>- View Safe Members<br>- Authorize Password Requests (Level 1)|
+|ApproverLevel2|- List Acccounts<br>- View Audit Log<br>- View Safe Members<br>- Authorize Password Requests (Level 2)|
+
 ## Testing
 
 `go test -v ./...`