
cyberark-conjur-cli's Introduction

cyberark-conjur-cli

This repository includes self-contained Conjur CLI (conjur) for accessing the Conjur API to manage Conjur resources.

Note: The Conjur Python SDK was removed from this repo and is now maintained in the https://github.com/cyberark/conjur-api-python repository.



Certificate level

This repo is a Community level project. It's a community contributed project that is not reviewed or supported by CyberArk. For more detailed information on our certification levels, see our community guidelines.

Using cyberark-conjur-cli with Conjur Open Source

Are you using this project with Conjur Open Source? Then we strongly recommend choosing the version of this project to use from the latest Conjur OSS Suite release. Conjur maintainers perform additional testing on the Suite release versions to ensure compatibility. When possible, upgrade your Conjur Open Source version to match the latest Suite release. When using integrations, choose the latest Suite release that matches your Conjur Open Source version. For any questions, please contact us on Discourse.

Supported Services

  • Conjur Open Source v1.2.0 or later
  • Conjur Enterprise v11.2.1 (v5.6.3) or later

Supported Platforms

  • macOS Catalina or later
  • Windows 10 or later
  • Red Hat Enterprise Linux 7, 8

Installation

To access the latest release of the Conjur CLI, go to our release page. For instructions on how to set up and configure the CLI, see our official documentation.

Usage

For more information on how to set up, configure, and start using the Conjur CLI, see our official documentation.

Security

When using this CLI on Windows machines, the keyring module used by the CLI will default to Enterprise mode. This means that a CLI user who logs in via the CLI will remain logged in until they explicitly log out. If using this CLI on Windows, CyberArk recommends that all users explicitly log out at the end of their session. This behavior can be changed by creating an environment variable called KEYRING_PROPERTY_PERSIST and setting that variable to 'session' (no quotes). When this variable is set as described, the CLI user should be logged out when the session expires.

Contributing

Instructions for how to deploy a deployment environment and run project tests can be found in CONTRIBUTING.md.

License

This project is licensed under Apache License v2.0. Copyright (c) 2022 CyberArk Software Ltd. All rights reserved.


cyberark-conjur-cli's Issues

Dockerless CLI - `init` implementation

DOD

  • Design has been created for the init CLI command with the following
  • Proper documentation has been added to README
  • Implementation + UTs have been done
  • Manual tests have been mapped out
  • All epic DOD points have been checked and open questions answered

Helpful resources:
Init epic - #79

Dockerless CLI - Documentation updates

As part of the Dockerless CLI effort we not only want to update the README for the repo but also the actual forward facing documentation

DOD

  • Write draft documentation for all CLI commands with instructions on how to use the new CLI
  • Open card for Shuli + sit with Shuli
  • Troubleshooting section was added to README

https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Tools/CLI_Install_CLI.htm?Highlight=conjur%20cli

https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Tools/CLI_Help.htm

Add ability to authenticate to conjur via different authenticators

Add the ability to the cli and api client to support a flag such as:

conjur-cli --insecure -l https://myserver -a orgname -u "host/aws/<aws-account-id>/<iam-role-name>" --authn iam --authn-id authServiceId \
  variable get foo/bar

Where the --authn flag should support both iam and k8s and when this flag is provided a -p should not be required.
If the --authn is provided then the --authn-id will also be required since this is used to authenticate correctly.

The main difference between the authenticators is just the 'authenticate' endpoint being used, the rest of the cli/api client should remain unchanged.

Add ability to persist/use CLI configurations

Current plan but open RFC

FS structure:

$ tree $HOME
├── 700: drwx------  .conjur/
│   ├── 755: drwxr-xr-x  default.yml -> <profile_nameXX>.yml
│   ├── 600: drw-------  <profile_name1>.yml
│   ├── 755: drwxr-xr-x  <profile_name1>.pem -> <hostname1>.pem
│   ├── 600: drw-------  <profile_name2>.yml
│   ├── 755: drwxr-xr-x  <profile_name2>.pem -> <hostname2>.pem
│   ├── 644: drw-r--r--  <hostname1>.pem
│   ├── 644: drw-r--r--  <hostname2>.pem
...

<profile_name>.yml:

<profile_name>:
    account: <account>
    appliance_url: <url>
    login_id: <login_id>

    # Optional fields. Credentials will be plaintext for now but maybe encrypted later.
    api_key: <api_key>
    ca_bundle: <path>          # default: ./<profile_name>.pem
    debug: <bool>              # default: false
    password: <password>
    insecure: <bool>           # default: false
    tofu: <bool>               # default: true

Usage:

# Create config - omitted profile name == "default" (TBD)
$ cli profile create <url> <account> <login_id> \
    [--tofu <bool>]|[--insecure <bool>]|[--ca-bundle <pem_path>] \
    [--password <password>]|[--api-key <api_key>]

# Delete config
$ cli profile delete <profile_name>

# Profile switch for all further CLI commands
$ cli profile <profile_name>

# Show current profile name
$ cli profile

# Use $(cli profile) config
$ cli …

# Use "<profile_name>" config without switching
$ cli -C <profile_name> …

CC: @izgeri / @ismarc / @apotterri / @infamousjoeg / @jodyhuntatx / @ryanprior / @garymoon / @jonahx
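
A permission audit for the directory layout proposed above, as an added example that is not part of the issue or the project's code. It generalizes the listed modes into a check that flags anything looser; treating unlisted files as 0o600 and flagging symlinks that leave the directory are assumptions of this example, and the sample tree is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Modes taken from the layout proposed in the issue. Files with any other
# suffix are treated as secrets (0o600), which is an assumption of this example.
DIR_MODE = 0o700
FILE_MODES = {".yml": 0o600, ".pem": 0o644}
SECRET_KEYS = ("api_key:", "password:")


def holds_plaintext_secret(path):
    """True if a profile file has a non-empty api_key or password entry."""
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError:
        return False
    for line in lines:
        stripped = line.strip()
        for key in SECRET_KEYS:
            if stripped.startswith(key) and stripped[len(key):].strip():
                return True
    return False


def audit_conjur_dir(root):
    """Return (name, finding) pairs for entries looser than the proposed plan."""
    root = Path(root)
    real_root = root.resolve()
    findings = []

    mode = stat.S_IMODE(root.lstat().st_mode)
    if mode & ~DIR_MODE:
        findings.append((".", f"directory mode {mode:03o} exceeds {DIR_MODE:03o}"))

    for entry in sorted(root.iterdir()):
        st = entry.lstat()
        if stat.S_ISLNK(st.st_mode):
            # A link's own mode bits are not meaningful on Linux, so check
            # where it leads instead of how it is flagged.
            target = entry.resolve()
            if target.parent != real_root:
                findings.append((entry.name, "symlink points outside the directory"))
            elif not target.exists():
                findings.append((entry.name, "dangling symlink"))
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        allowed = FILE_MODES.get(entry.suffix, 0o600)
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~allowed:
            detail = f"mode {mode:03o} exceeds {allowed:03o}"
            if entry.suffix == ".yml" and holds_plaintext_secret(entry):
                detail += "; plaintext credential exposed"
            findings.append((entry.name, detail))
    return findings


def build_sample(root):
    """Create a constructed tree with three deliberate deviations from the plan."""
    root = Path(root)
    files = {
        "prod.yml": ("prod:\n    account: demo\n    api_key: constructed-not-a-real-key\n", 0o644),
        "dev.yml": ("dev:\n    account: demo\n    login_id: alice\n", 0o600),
        "host1.pem": ("constructed placeholder, not a certificate\n", 0o644),
    }
    for name, (body, mode) in files.items():
        (root / name).write_text(body)
        os.chmod(root / name, mode)
    os.symlink("prod.yml", root / "default.yml")
    os.symlink("host1.pem", root / "prod.pem")
    os.symlink(root.parent / "elsewhere.pem", root / "dev.pem")  # leaves the directory
    os.chmod(root, 0o755)  # looser than the planned 700
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, finding in audit_conjur_dir(build_sample(tmp)):
            print(f"{name}: {finding}")
```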

Dockerless CLI - create NOTICES

As part of the effort to get the CLI to GA, we need to create a NOTICES file for all our dependencies that we require in our project.

DOD

  • Collect all dependencies for the project
  • Create the NOTICES with the proper licenses
  • Send to ravital for approval

Host and user Commands

Feature Overview & Customer Need

As a Conjur user
I would like to use the conjur cli
In order to update my password

As a Conjur user or host
I would like to use the conjur cli
In order to rotate API Key of a user or a host (it can also be me :))

COMMANDS

rotate-api-key Rotate a user's or host's API key. If no user/host ID is provided the logged in resource's API Key is rotated.

change-password Update the password of the logged-in user. The command is both interactive, meaning the password is requested from the user, and non-interactive, using the -p flag.

Help

For each command and subcommand a help is needed see here:
Help for host: https://ljfz3b.axshare.com/#id=paicg6&p=conjur_help__user&g=1
Help for user: https://ljfz3b.axshare.com/#id=paicg6&p=conjur_help__user&g=1

User messages

please use the following user messages for success scenarios
conjur user rotate-api-key
Success! API key was rotated. New key: 198qmk51cgsa061ghh80x2s56ct99grch1j066xcgnke5431rj3v

conjur host rotate-api-key -i <host_id>
Success! API key was rotated. New key: 3k7k0vb2sf2emjjcphtx14jfvrbbfn8vm3t79mnz19tk2252dsz9wf

conjur user change-password
--request for password--
Success! password was changed.

conjur user change-password -p New-password
Success! password was changed.

All user messages regarding host and user should be reviewed again. Especially error messages.
If an argument is missing we need to return the help of the command

Quality

Make sure we have test coverage of the host commands. Create test plan and execute accordingly.

Process logic and Demo

Conjur user with a machine on which the Python CLI has already been installed and conjur init & login have been run

Now the user runs the following commands:

conjur user rotate-api-key -i <user_id>

show the result of rotate-api-key (3v087323qv....ryq38201w9wvx)

conjur user change-password
The user is expected to fill in the new password
show response

conjur host rotate-api-key -i <host_id>
show the result of rotate-api-key

UX Guidelines

Follow guidelines here: https://github.com/cyberark/conjur-api-python3/blob/master/guidelines/python-cli-ux-guidelines.md

Documentation

Please provide enhanced documentation in online help and readme

Helpful resources:
user/host epic - https://app.zenhub.com/workspaces/palmtree-5d99d900491c060001c85cba/issues/cyberark/conjur-api-python3/101

DOD

User (2 commands)

  • Integration tests have been added
  • Implementation has been done
  • Log errors/messages have received approval from Inbal + TW

Host (1 command)

  • Integration tests have been added
  • Log errors/messages have received approval from Inbal + TW
  • Implement the user command & subcommands Conjur Python CLI in all 3 platforms
  • Implement the host command & subcommands Conjur Python CLI in all 3 platforms

Add ability to search conjur and return full json resources

Currently client.list() returns all resource ids the client has access to.
I would like to get a list of resources according to the list resources endpoint.

Returning a list of dicts I think is fine for now. While doing this we should create another client method named client.search(kind, search) so we can search for specific kinds and words within our resource. This can be done in the ruby conjur-cli using the command conjur list -k variable -s word.

Dockerless CLI - Exception handling (Spike)

Our help screens and stdout and stderr after accepting user input are controlled by a module called argparser. Therefore we will need to invest in gaining a deeper understanding into how to manipulate/override what is given to us out-of-box to output the logs UX and PM have given us.

DOD

  • Research how to override argparser
  • test this in the current CLI code for one of the CLI commands

Consult with @sgnn7 if required

Helpful resources

Review trivy output

Review the trivy output in Jenkins. Once the review is complete, set the scanAndReport function to "HIGH".

Init command

Feature Overview & Customer Need

As a Conjur user
I would like to configure my work env once
In order to perform the actions I like most in Conjur against the same environment and not retype them again

The init command help will look as follows
NAME
init - Initialize the Conjur configuration

SYNOPSIS
conjur [global options] init [command options]

COMMAND OPTIONS
-a, --account=arg - Conjur organization account name (will be obtained from host unless provided by this option) (default: none)
Don't ask for account in init if there is only one account in the conjur you are running against
-c, --certificate=arg - Conjur SSL certificate (will be obtained from host unless provided by this option) (default: none)
-f, --file=FILE - File to write the configuration to (default: none)
--force=arg - Force overwrite of existing files (default: none)
-u, --url=URL - URL of the Conjur service (default: none)

The bolded line is a change from behavior from what is provided today in our Ruby CLI

The common use case will be

conjur init --url

Where is the URL of the Conjur/DAP Server in the following format https://.

Same UX as today in Ruby CLI - Except for 2 things:

  1. The account becomes not mandatory and should be taken from info of the node if possible
  2. We will not accept the cert by default but will make sure the user explicitly types yes to accept the cert. By default we will consider the response to be NO. That way we are making sure the user is well aware of his/her action. Kinda like EULA

As a result

  1. The cert pem file is created if not provided
  2. A file named .conjurrc is created with the Conjur env parameters:

---
account: XXX
plugins: []
appliance_url: https://<Conjur_host_name>
cert_file: "/path/for/cert.pem"

open issue

Do we need plugins? lets make sure we understand what is provided in Ruby CLI

Security

Can we implement this statement we give in our docs (also below) today?

NOTE: Conjur uses a persistent .netrc file by default and for convenience. For a more secure setup, we recommend that you change .conjurrc by adding a directive netrc_path pointing to a file in the /dev/shm directory (on the OSes that support such a filesystem). This way, credentials and authentication context are wiped out automatically on each reboot, and also are not part of any disk snapshots of the working environment.

open issue

  1. Do we need to remove the insecure option from the init?
  2. Who should have permissions to .conjurrc?

Process logic and Demo

Conjur user with a machine on which the Python CLI has already been installed now runs

conjur init --url

He is able to run other Conjur Python CLI commands on this env, like login and so on

User messages

All user messages that are part of init today in Ruby CLI should remain the same.

If more than 2 accounts are provided an error should be given to ask the user to provide the account

Documentation

Please provide enhanced documentation in online help and readme

DOD

  • Implement the init command Conjur Python CLI in all 3 platforms
  • Demo the flow described above
  • Do we need plugins? lets make sure we understand what is provided in Ruby CLI
  • Automatic integration tests written according to a test plan and passed successfully
  • UT written for all classes\functions\major logic flows and passed successfully
  • Security action items were taken
  • Supportability was taken into account - troubleshooting section in the readme enhanced and reviewed by TW & PO
  • Fill in the logs and place here a link to the logs files - https://github.com/cyberark/conjur-docs/issues/1294
  • Logs were reviewed by TW and PO
  • Are there new Audits to this feature? If so please document them and provide here a link
  • Configurations were reviewed by PO - link if something changed
  • Documentation HO to TW and review docs

Dockerless CLI - Authn address the port issue

During the sending of a request, we are failing on a netrc error when adding a port to the conjurrc. We will need to understand why.
Customers should be able to configure any port they want

Currently we are only allowing 443
#123

Policy commands

Feature Overview & Customer Need

As a Conjur user
I would like to use the conjur cli
In order to manage policy in Conjur

As a Conjur user
I would like to use the conjur cli
In order to create update and delete Conjur's resources

We will use 3 sub commands

  • load - load a policy and create resource that were not defined before. Create mode. Wraps POST API
  • replace - Fully replace of the existing policy, deleting any data that is not declared in the new policy. Wraps PUT API
  • update - Update an existing resource in a policy, The resource may be explicitly deleted or changed using the !delete, !revoke, and !deny statements. Unlike “replace” mode, resources that are not in the policy are not implicitly deleted. Wraps PATCH API
    remark also new resource can be define

The commands will be used as follow:

conjur [global options] policy load -f < policy file name > -b < branch name>
conjur [global options] policy replace -f < policy file name > -b < branch name>
conjur [global options] policy update -f < policy file name > -b < branch name>

Args description:

-b --branch - provide the policy name/identifier under which the file will be loaded. Provide the policy branch name

-f --file - provide the file name of the policy

Corresponding command in Ruby CLI

Python     Ruby
load       load
replace    load --replace
update     load --delete

Expected behavior should not change from the corresponding command in Ruby CLI except for update. In update we will present a message recommending load or replace for creating new resources @sharonr78 to fill in
Any response provided today should remain the same.
Common use case is getting from the response the API Keys of resources.

Help is according to https://ljfz3b.axshare.com/#id=s9nycf&p=conjur_help__policy&g=1

Quality

Make sure we have test coverage of the policy commands. Create test plan and execute accordingly.

Process logic and Demo

Conjur user with a machine on which the Python CLI has already been installed and conjur init has been run

given a file name "myPolicy.yaml"

- !policy
  id: azure-apps
  body:
    - !group
    - &hosts
      - !host
        id: azureVM
        annotations:
          authn-azure/subscription-id: subscr1pt10n-1dmy-subsc-r1pt10n1d
          authn-azure/resource-group: myResourceGroup
          authn-azure/system-assigned-identity: 0000aaaa-00aa-00aa-00aa-00000aaaaa

- !grant
  role: !group
  members: *hosts

One runs

     conjur policy load -f myPolicy.yaml -b root 

as a result host myapp got API Key

{
  "created_roles": {
    "default:host:azure-apps/azureVM": {
      "id": "default:host:azure-apps/azureVM",
      "api_key": "c1h1v83tqv3zz2b0q60s2znv4xw3s2t6981phakxf1058gd7t4t58f"
    }
  },
  "version": 8
}

Now create a file called replace.yaml with

- !policy
  id: azure-apps
  body:
    - !group
    - &hosts
      - !host
        id: azureVM
        annotations:
          authn-azure/subscription-id: subscr1pt10n-1dmy-subsc-r1pt10n1d
          authn-azure/resource-group: myResourceGroup
          authn-azure/user-assigned-identity: user-id #replaced
    
      - !host 
         id: myapp2
         annotations:
          authn-azure/subscription-id: subscription-id
          authn-azure/resource-group: resource-group
          
    - !grant
      role: !group
      members: *hosts



conjur policy replace -f replace.yaml -b root

As a result hosts myapp2 got API Key

{
  "created_roles": {
    "default:host:azure-apps/myapp2": {
      "id": "default:host:azure-apps/myapp2",
      "api_key": "2t6fs8asp5bzd9qbjh23eekhfdhsa6b419dtt0kmb5rab2qwkbr4"
    }
  },
  "version": 2
}

now create a file called update.yaml with

- !delete
  record: !host myapp1

- !host #UPDATED
  id: myapp2
  annotations:
    authn-azure/subscription-id: subscription-id
    authn-azure/resource-group: resource-group
    authn-azure/user-assigned-identity: user-id #ADDED

One runs

conjur policy update update.yaml azure-apps

As a result host myapp2 got API Key and my app is deleted

{
  "created_roles": {},
  "version": 1
}

Demo each option that was implemented

User messages

All user messages regarding policy actions should be reviewed again

Especially error messages

if an argument is missing we need to return the help of the command

After update command we will present a message recommend load or replace for creating new resources .... @sharonr78 to fill in

Documentation

Please provide enhanced documentation in online help and readme

DOD

  • Implement the policy's commands Conjur Python CLI in all 3 platforms
  • Demo the flow described above
  • Automatic integration tests written according to a test plan and passed successfully
  • Fill in the user messages - link to a page with all user messages for CLI saved and reviewed.
  • Fill in the logs and place here a link to the logs files - link to a page with all logs for CLI saved and reviewed.
  • Logs were reviewed by TW and PO
  • Are there new Audits to this feature? If so please document them and provide here a link (N/A)

Dockerless CLI - Integration test design (cross-platform)

We need our integration tests cross-platform. Therefore we need to design a model for building the infrastructure to do so and which integration tests should run when.

DOD

  • Create a design for cross-platform testing infrastructure
  • Include which tests should be run and when

Python CLI Deployment

Feature Overview & Customer Need
As a Conjur user
I would like to install and run my Conjur CLI in my local machine
In order to perform the actions I like most in Conjur and operate it

As a Conjur user
I would like to be able to install from my CD pipeline
In order to run Conjur CLI in my pipeline and tests if needed

Conjur Python CLI to be on deployed on VMs or local computers of our users.
The platforms the CLI needs to support are:

  • RHEL 7 , 8
  • Windows 10
  • Mac

The deployment of the should be

  1. Manual
  2. Using a single executable file. Recommended - be the same UX for each platform.
  3. The name of the CLI when running it should be "python-conjur-cli" or better yet conjur

Process Logic & Demo flow
Conjur user goes to release site of the Python CLI and download the CLI file
Conjur user is running the cli for example:

conjur --help
The current response is OK.

The Conjur user can see what version of the cli s/he is using by running
conjur -v or conjur --version
conjur cli version 6.0.0

see mocks for more details on the response: https://ljfz3b.axshare.com/#id=yokln4&p=conjur_main_help&g=1

Support
If any prerequisite is not met while running the cli a proper message should be given to the user.

Documentation
Please provide enhanced documentation in online help and readme

Open issue
Do we need to sign this single executable? find out with PM
DOD

  • Implement an easy way to deploy Conjur Python CLI in all 3 platforms
  • Implement the command version as described here ^
  • Implement the command help according to look and feel of Ruby CLI
  • Demo the flow described above
  • Automatic integration tests written according to a test plan and passed successfully
  • UT written for all classes\functions\major logic flows and passed successfully
  • Security action items were taken
  • Supportability was taken into account - troubleshooting section in the readme enhanced and reviewed by TW & PO
  • Fill in the logs and place here a link to the logs files - link to a page with all logs for CLI saved and reviewed.
  • Logs were reviewed by TW and PO
  • Are there new Audits to this feature? If so please document them and provide here a link
  • Configurations were reviewed by PO - link if something changed
  • Documentation HO to TW and review docs

Online documentation for CLI

Feature Overview & Customer Need
Make sure we have full documentation for python CLI

  • Overview
  • Conjur help
  • Version
  • init
  • Authn commands
  • Policy commands
  • Variable commands
  • list
  • host and user commands
  • repo + contributing docs

For each command, test that it is well and correctly documented.

Policy with YAML anchors doesn't load correctly

Summary

When attempting to load a policy that includes YAML anchors, it doesn't load successfully and doesn't error.

From @whip113:

It appears that the policy load method might not be working as expected. I've used it in the past successfully, but not with a YAML anchor. That's what we were doing this time, and while the python client didn't show any errors loading the policy, it also didn't create the host. I switched to the CLI and as the same user, loading the same policy, into the same branch as I tried with python the host was created.

Steps to Reproduce

Attempt to load a policy with the Python client like:

- &my-hosts
  - !host cxflow_host
- !grant
  role: !group consumers
  member: *my-hosts

Expected Results

The host will be created and will be a member of the consumers group.

Actual Results (including error logs, if applicable)

The host is not created, and no errors are given.

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

Unknown

Environment setup

Unknown

Additional Information

Add any other context about the problem here.

Python CLI Backlog

This epic is for items that have been deprioritized or backlogged, not blocking the GA release

Add support for `/etc/conjur.identity` and `/etc/conjur.conf`

Is your feature request related to a problem? Please describe.

When attempting to use the conjur.client with Conjur identity files stored in /etc/ like other clients, you encounter an error that the ~/.conjurrc and ~/.netrc files can't be found.

Describe the solution you would like

The client should be able to read credential details from either the user profile or /etc. Being able to use Conjur identity files stored in /etc will make the client more compatible with other clients.

Describe alternatives you have considered

A clear and concise description of any alternative solutions or features that may be related to this that
you have considered.

Additional context

Client was called via a script as below with Conjur identity stored in /etc/conjur.conf and /etc/conjur.identity. This results in an error that the ~/.conjurrc and ~/.netrc files weren't present. Copying the Conjur identity files to the user profile with the expected names resolved the issue, however we don't want to store the Conjur identity files in the user profile. Note: ~ was expanded to the user profile path as expected.

#!/usr/bin/env python3

from conjur import Client

client = Client()

print("Fetching variable...")
new_value = client.get('conjur/my/variable')

print("Variable value is:", new_value.decode('utf-8'))

conjur-cli is failing to read .conjurrc correctly and is throwing error "Account cannot be empty"

When using the conjur-cli with .conjurrc the url, account and ca_bundle variables are set to None resulting in an "Account cannot be empty" exception. The reason for this is how we update the config dictionary here.
https://github.com/cyberark/conjur-api-python3/blob/master/conjur/client.py#L72-L74

To fix this issue we must filter the config of all values that are None:

filtered_config = {k:v for k, v in config.items() if v is not None}
on_disk_config.update(filtered_config)
config = on_disk_config
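
The failure and the fix described above, side by side, as an added example that is not the project's code. It assumes the None values come from unset command-line options (argparse stores None for every flag that was not given); the parser, its program name, the second error message and the on-disk values are constructed stand-ins.

```python
import argparse

# Constructed stand-in for settings already parsed from ~/.conjurrc.
ON_DISK_CONFIG = {
    "url": "https://conjur.example.test",
    "account": "demo",
    "ca_bundle": "/path/for/cert.pem",
}


def parse_cli_overrides(argv):
    """Parse optional overrides; every flag that is not given comes back as None."""
    parser = argparse.ArgumentParser(prog="conjur-demo")  # hypothetical program name
    parser.add_argument("--url")
    parser.add_argument("--account")
    parser.add_argument("--ca-bundle", dest="ca_bundle")
    return vars(parser.parse_args(argv))


def merge_unfiltered(on_disk_config, config):
    """Behaviour described in the issue: None overrides clobber on-disk values."""
    merged = dict(on_disk_config)
    merged.update(config)
    return merged


def merge_filtered(on_disk_config, config):
    """Fix from the issue: drop None values before updating the on-disk config."""
    filtered_config = {k: v for k, v in config.items() if v is not None}
    merged = dict(on_disk_config)
    merged.update(filtered_config)
    return merged


def validate(config):
    """Fail closed on missing connection settings rather than continue with None."""
    if not config.get("account"):
        raise ValueError("Account cannot be empty")
    if not config.get("url"):
        raise ValueError("URL cannot be empty")  # hypothetical message
    return config


if __name__ == "__main__":
    no_flags = parse_cli_overrides([])
    broken = merge_unfiltered(ON_DISK_CONFIG, no_flags)
    print("unfiltered:", broken)  # url, account and ca_bundle are all None
    try:
        validate(broken)
    except ValueError as exc:
        print("rejected:", exc)
    print("filtered:", validate(merge_filtered(ON_DISK_CONFIG, no_flags)))
```

Note that the unfiltered merge also replaces ca_bundle with None, so the on-disk certificate path is lost along with the account.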

CLI login logout commands

Feature Overview & Customer Need

As a Conjur user
I would like to use the conjur cli
In order to login and logout of Conjur

login - Logs in and caches credentials so that the user's details are kept throughout his work.

logout - Logs out

Basically these are the commands

conjur [global options] login -i user or host id -p password

conjur [global options] logout

Right now authenticate is out of scope

User Experience

Use these links to the help mockup:

Login: https://ljfz3b.axshare.com/#id=wy4eju&p=conjur_help__login&c=1

Logout: https://ljfz3b.axshare.com/#id=j2pl87&p=conjur_help__logout&c=1

Login

Login can run without any arguments or flags at all, and then the user is prompted for the username and password, like so:
conjur login

Enter your login name to log into Conjur: admin
Please enter your login password or API key (this will not be echoed):
Successfully logged in to Conjur!

After a successful login we save the logged in user so it will continue on the next actions with these credentials. If we do save it in a cache/file we need to notify the user of it. This feature assumes that we save it in a cache, R&D should challenge that.

When executing the command with the login-name (e.g., bob), the user will be prompted to enter a password/API key, like so:
conjur login -i bob

Please enter bob’s password or API key (this will not be echoed):
Successfully logged in to Conjur!

When the user enters wrong credentials, or the .netrc file is missing/corrupted, the response would be according to template -
Failed to -action on something-. -Reason- (Error: code) suggestion to fix the problem

Failed to list. Unable to authenticate with Conjur (Error: 401). Please check your credentials and log in again.

When the user is not logged in and tries to run a command, like “list”, he is directly prompted to log in to Conjur, like so:
Failed to login. Unable to authenticate with Conjur (Error: 401). Please log in and try again.
Do not state the creation of .netrc

Logout

conjur logout
Assumption a cache is found with user credentials.

We would like to improve the UX of logout message for successful "Logged out from Conjur"

Making sure that the user is aware of the logout scenarios and we are able to distinguish between

  1. If it is the first logout attempt (netrc is not empty), then the message: “Successfully logged out from Conjur” is a good one.
  2. The next attempts to log out should output different message, like: “You are already logged out”.
  3. If the netrc is deleted, trying to logout would output: “Successfully logged out from Conjur” (today in Ruby there’s no error.. see below).
  4. If the netrc has no write permissions, trying to logout would output: “Failed to log out. (error: permission denied).”

Messages should be reviewed by PO, TW

Quality

Make sure we have test coverage of the policy commands. Create test plan and execute accordingly.

Process logic and Demo

Demo flow 1
Conjur user with a machine on which the Python CLI has already been installed and conjur init has been run

conjur login -i alice

the user is prompted with

Please enter alice's password (it will not be echoed):

Successfully logged in to Conjur!

conjur logout

The user sees the following message

Logged out from Conjur

Demo flow 2
Demo same scenario without user name.
conjur login
Demo flow 3
Demo same scenario with user name and password or api key as argument
conjur login -i alice -p $ENV_VAR
Demo flow 4
Conjur user with a machine on which the Python CLI has already been installed and conjur init has been run
then run
conjur logout
The user sees the following message

Failed to log out. Log in first.

User messages

All user messages regarding policy actions should be reviewed again

Especially error messages
if an argument is missing we need to return the help of the command

Documentation

Please provide enhanced documentation in online help and readme

DOD

  • Implement the login logout commands Conjur Python CLI in all 3 platforms
  • ADDRESS the port issue. We should allow all ports and should be configurable.
  • Demo the flow described above
  • Automatic integration tests written according to a test plan and passed successfully
  • Fill in the user messages - link to a page with all user messages for CLI saved and reviewed.
  • Fill in the logs and place here a link to the logs files - link to a page with all logs for CLI saved and reviewed. (see below comment)
  • Logs were reviewed by TW and PO
  • Are there new Audits to this feature? If so please document them and provide here a link (N/A)

Python CLI is GA ready using release checklist

Feature Overview & Customer Need
We need to make sure the CLI is GA ready with all aspects related like
License
Notices
Final test on help and docs
and so on
Let's place all GA related tasks under this Epic and edit the DOD

DOD

  • Release process documentation is ready
  • Release artifacts should zip or tar for each OS type
  • Test plan for release is ready
  • Security review was done and issues were raised
  • License is according to Legal instructions
  • Notices file is added
  • Final tests on help and docs
  • Status should be changed to GA here (https://github.com/cyberark/conjur-api-python3#status-alpha) or erased? @izgeri WDYT?
  • CLI should be released as GA

Create/build new release

Currently we have a number of changes that are on master that would be useful to end users. This issue is to track this new release (probably v0.1.0).

AC:

  • A new release of this project is done
  • Smoke test of the binaries produced is done

Dockerless CLI - Version/help screens

DOD

  • Flow/log error messages have received approval from Inbal + TW
  • Main Help screen has been updated according to Sharon UX
  • Mainscreen UTs have been implemented
  • Error handling has been addressed
  • Manual test list has been created
  • Proper documentation has been added and reviewed by TW + @InbalZilberman
  • All epic DOD points have been checked and open questions answered

Helpful resources:
main screen (version/help) epic - #78

List command enhancements

Feature Overview & Customer Need

As a Conjur user
I would like to use the conjur cli
In order to understand what resources were defined in my Conjur

The list command help will look as follows

NAME

list - Lists all available resources belonging to this account

SYNOPSIS

conjur [global options] list [command options]

COMMAND OPTIONS

-i, --inspect - Show full object information

-k, --kind=arg - Filter by kind (default: none)

-l, --limit=arg - Maximum number of records to return (default: none)

-o, --offset=arg - Offset to start from (default: none) (not implemented in Ruby)

-r, --[no-]raw-annotations - Show annotations in 'raw' format

-r --role=ROLE - Role to act as. By default, the current logged-in role is used. (default: none)

-s, --search=arg - Full-text search on resource id and annotation values (default: none)

We need to implement these options according to prioritisation: --inspect, kind, search, limit, offset and role

Please provide effort estimation for each one before implementation.

UX should be the same as in Ruby CLI today
Final help is here: https://ljfz3b.axshare.com/#id=obmn4b&p=conjur_help__list&g=1

Quality

Make sure we have test coverage of the variable commands. Create test plan and execute accordingly.

Process logic and Demo

Conjur user with a machine on which the Python CLI has already been installed and conjur init has been run

conjur list

result can with

    [
      "cucumber:policy:root",
      "cucumber:policy:conjur/authn-azure/test",
      "cucumber:webservice:conjur/authn-azure/test",
      "cucumber:webservice:conjur/authn-azure/test/status",
      "cucumber:variable:conjur/authn-azure/test/provider-uri",
      "cucumber:group:conjur/authn-azure/test/apps",
      "cucumber:group:conjur/authn-azure/test/operators",
      "cucumber:user:authn-azure-test-operator",
      "cucumber:user:bob",
      "cucumber:host:azurehost",
      "cucumber:host:needApiKey",
      "cucumber:host:azureNgcpNapikeyhost"
    ]

Demo each option that was implemented

User messages

All user messages regarding list should be reviewed again

Especially error messages

if an argument is missing we need to return the help of the command

Documentation

Please provide enhanced documentation in online help and readme

DOD

  • Implement the list command Conjur Python CLI in all 3 platforms
  • Demo the flow described above
  • Automatic integration tests written according to a test plan and passed successfully
  • Fill in the user messages - link to a page with all user messages for CLI saved and reviewed.
  • Fill in the logs and place here a link to the logs files - link to a page with all logs for CLI saved and reviewed.
  • Logs were reviewed by TW and PO
  • Are there new Audits to this feature? If so please document them and provide here a link (N/A)

Dockerless CLI - Rampup

DOD

  • Go through Python CLI codebase understand the flow and how we currently test our flows (unit/integration)

if required sit with @sgnn7 to discuss the test suite at a high level

Dockerless CLI: Add validations for URL / Account / Cert

We currently accept input from the user without validating it. We should verify the input so that the user does not experience failures in later steps after it becomes unclear where the problem originated.

We should verify that the account exists
We should verify that the cert file exists
We should verify that the URL is acceptable (mostly done today. We should move this logic to ConjurrcData)
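The local part of the checks this issue asks for, as an added example that is not the project's code: `validate_init_input` and its rules (https only, no `:` in the account because resource ids are printed as `account:kind:id`, PEM marker in the cert file) are assumptions for illustration. Confirming that the account exists needs a call to the server and is left out.

```python
import os
from urllib.parse import urlsplit

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def validate_init_input(url, account, cert_file):
    """Return a list of problems with the user-supplied values; empty means acceptable.

    Hypothetical helper: the rules are assumptions, not the checks the CLI implements.
    """
    problems = []

    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("url: scheme must be https")
    if not parts.hostname:
        problems.append("url: missing host")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append("url: invalid port")
    if parts.username or parts.password or parts.query or parts.fragment:
        problems.append("url: must not carry credentials, query or fragment")

    # Resource ids look like account:kind:id, so ':' cannot be part of an account name.
    if not account or ":" in account or any(ch.isspace() for ch in account):
        problems.append("account: empty or contains ':' or whitespace")

    if not os.path.isfile(cert_file):
        problems.append("cert: file does not exist")
    else:
        try:
            with open(cert_file, "r", encoding="ascii") as handle:
                if PEM_MARKER not in handle.read():
                    problems.append("cert: no PEM certificate found")
        except (OSError, UnicodeDecodeError):
            problems.append("cert: file is not readable PEM text")
    return problems
```

Reporting every problem at once, before anything is written to `.conjurrc`, keeps the failure next to the input that caused it.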

Typo in setup.py

There is a typo in the latest setup.py commit. Version "PyYAML>=5.31" needs to be "PyYAML>=5.3.1".

conjur api is not using `account` value from `.conjurrc`

I am getting results back from the conjur-cli, but getting an authentication error when trying to do the same thing in Python.

    [root@lncd906 ~]# conjur-cli list | head -4 | sed '/REDACTED/s//REDACTED/'
    [
    "REDACTED:policy:root",
    "REDACTED:policy:conjur/cluster/conjur",
    "REDACTED:layer:conjur/cluster/conjur",
    [root@lncd906 ~]# python3
    Python 3.6.8 (default, Jun 11 2019, 15:15:01)
    [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> from conjur import Client
    >>> c = Client()
    >>> c.list()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/local/lib/python3.6/site-packages/conjur/client.py", line 115, in list
        return self._api.list_resources()
      File "/usr/local/lib/python3.6/site-packages/conjur/api.py", line 147, in list_resources
        api_token=self.api_token,
      File "/usr/local/lib/python3.6/site-packages/conjur/api.py", line 90, in api_token
        self._api_token = self.authenticate()
      File "/usr/local/lib/python3.6/site-packages/conjur/api.py", line 133, in authenticate
        self.api_key, ssl_verify=self._ssl_verify).text
      File "/usr/local/lib/python3.6/site-packages/conjur/http.py", line 62, in invoke_endpoint
        response.raise_for_status()
      File "/usr/local/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
        raise HTTPError(http_error_msg, response=self)
    requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://conjurmaster-qa.REDACTED.com/authn/default/admin/authenticate

CLI reads debug from a file

Currently the debug flag prints debug logs as the user is currently interacting with the CLI
For example:

2020-12-22 09:49:33,145 DEBUG: Initiating a TLS Connection with 'https://localhost'
2020-12-22 09:49:33,156 DEBUG: TLS Connection established. Fetching certificate from Conjur server...
2020-12-22 09:49:33,157 DEBUG: Certificates were fetched successfully

The server's certificate SHA-1 fingerprint is:
AD:49:D5:C9:4C:FD:22:F1:52:96:5D:6C:62:0B:01:DA:83:D8:A5:B2

It would be cleaner if at the end of all the actions just the logs would be printed if a user runs in -d mode

Dockerless CLI - Deployment / Installation

We will need to evaluate how to best deliver the CLI and how to best deploy the CLI

For example:
Hot key to start the conjur cli process (conjur/conjur-cli/etc)

DOD

  • Create a design in the repo for how we intend to deliver and deploy the CLI
  • Update name of executable. We can change the calling name here
  • Deployment/Installation of CLI design has been reviewed and approved
  • Understand how we will deliver the executable/zip to the user
  • Manual test list has been created
  • Proper documentation has been added and reviewed by TW + @InbalZilberman

Does not work with python3.5

Summary

Currently I cannot initialize a client when using python3.5.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Setup python3.5
  2. Try to init the conjur client
  3. Receive an exception

Expected Results

successfully init the client :D

Actual Results (including error logs, if applicable)

    from conjur import Client
  File "/root/.local/lib/python3.5/site-packages/conjur/__init__.py", line 29, in <module>
    from .client import Client
  File "/root/.local/lib/python3.5/site-packages/conjur/client.py", line 12, in <module>
    from .api import Api
  File "/root/.local/lib/python3.5/site-packages/conjur/api.py", line 15, in <module>
    from .http import HttpVerb, invoke_endpoint
  File "/root/.local/lib/python3.5/site-packages/conjur/http.py", line 11, in <module>
    from enum import auto, Enum
ImportError: cannot import name 'auto'

Additional Information

I think we should either decide to fix it or decide if python 3.5 is not supported for this library.

Dockerless CLI - Error handling improvements

When inputting unexpected combinations, the Python CLI returns the full stack trace, and 1. this is bad UX and 2. it is hard to understand, which makes it hard to troubleshoot

DOD

  • Map out current logs and evaluate if log levels and messages are correct (might be done already by Sharon + Inbal)
  • Get approval on log messages and when the user will get them
  • Evaluate Ruby CLI / Conjur error handling procedure. See conjur-cli.rb in Ruby CLI on_error
  • Research if Python has the equivalent / how Python projects usually handle erroring
  • Implement accordingly

Recommendation: Should have a list of error codes returned to user in a clear and non-overwhelming manner

Open questions:

  • Do we want the same error handling / same messages as Ruby CLI? @InbalZilberman

Python 3 package correctly handles Users/Hosts with `api_key_enabled`

Validate and fix any errors with the following workflows:

  • Loading Policy with users and hosts with API keys disabled shows policy load success/failure, but not API keys
  • Loading Policy updating users and hosts with previously enabled API keys shows policy load success/failure
  • Loading Policy updating users and hosts with previously disabled API keys shows policy load success/failure and generated API keys
  • Attempt to rotate disabled API results in a helpful error message
  • Attempt to authenticate as a user/host with a disabled API key results in an authentication failure

Related to: cyberark/conjur/issues/1359

Variable Commands - improve quality and documentation

Feature Overview & Customer Need

As a Conjur user
I would like to use the conjur cli
In order to perform actions on variables defined in Conjur:

  1. Read variable's value
  2. Read multiple variables values
  3. Write variable value

The variable command help will look as follows
NAME

variable - Manage variables

SYNOPSIS

conjur variable get -i <variable_id1> <variable_id2> <variable_id3>

conjur variable set -i <variable_id> -v

COMMANDS

{get, set}

get Get the value of a variable can be applied to get the value of several variables

set Set the value of a variable

optional arguments:

-h, --help show this help message and exit

final help is located here: https://ljfz3b.axshare.com/#id=gxnkww&p=conjur_help__variable&g=1

Quality

Make sure we have test coverage of the variable commands. Create test plan and execute accordingly.

Process logic and Demo

Conjur user with a machine on which the Python CLI has already been installed and conjur init has been run

The user is able to see a variable value

The user is able to set the variable value

The user is able to see several variable values

All variable ids with spaces should be wrapped with ". For example conjur variable get "secrets/spaces with spaces" secrets/nospaces

User messages

All user messages regarding variable should be reviewed again

Especially error messages

If an argument is missing we need to return the help of the command

Documentation

Please provide enhanced documentation in online help and readme.

DOD

  • Implement the variable commands Conjur Python CLI in all 3 platforms
  • Demo the flow described above
  • Automatic integration tests written according to a test plan and passed successfully
  • Fill in the logs and place here a link to the logs files - link to a page with all logs for CLI saved and reviewed.
  • Logs were reviewed by TW and PO
  • Fill in the user messages - link to a page with all user messages for CLI saved and reviewed.
  • Are there new Audits to this feature? If so please document them and provide here a link (N/A)

Add validation for dependencies in setup.py

Is your feature request related to a problem? Please describe.

Given a recent bug report, we do not have robust enough validation of dependencies in setup.py which needs to be addressed.

Describe the solution you would like

AC:

  • Either we add a test for these dependencies in some way
  • Or we ensure that the dependencies from requirements.txt are used in both places

Describe alternatives you have considered

N/A

Additional context

N/A
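One way to cover the first acceptance criterion here, and to catch the `PyYAML>=5.31` typo reported in the "Typo in setup.py" issue, is a test that compares the two dependency lists. This is an added example, not the project's code: the sample lists are constructed (only the two PyYAML pins come from the page) and the function names are hypothetical.

```python
import re

# Constructed inputs modelled on the issues above; only the PyYAML pins come from the page.
SETUP_PY_REQUIRES = ["example-http-lib>=2.0", "PyYAML>=5.31"]
REQUIREMENTS_TXT = """\
# runtime dependencies (constructed sample)
example-http-lib>=2.0
PyYAML>=5.3.1
"""

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")


def parse_requirement(line):
    """Return (normalized name, frozenset of version clauses), or None for non-requirements."""
    line = line.split("#", 1)[0].split(";", 1)[0]  # drop comments and environment markers
    match = _REQ.match(line)
    if not match:
        return None
    name = re.sub(r"[-_.]+", "-", match.group(1)).lower()  # PEP 503 name normalization
    clauses = frozenset(c.replace(" ", "") for c in match.group(2).split(",") if c.strip())
    return name, clauses


def load(lines):
    """Map each package name to its set of version clauses."""
    return dict(p for p in map(parse_requirement, lines) if p)


def compare_dependencies(setup_requires, requirements_text):
    """Return a sorted list of mismatches between the two sources; empty means consistent."""
    in_setup = load(setup_requires)
    in_reqs = load(requirements_text.splitlines())
    problems = []
    for name in sorted(set(in_setup) | set(in_reqs)):
        if name not in in_setup:
            problems.append(f"{name}: missing from setup.py")
        elif name not in in_reqs:
            problems.append(f"{name}: missing from requirements.txt")
        elif in_setup[name] != in_reqs[name]:
            problems.append(
                f"{name}: setup.py pins {','.join(sorted(in_setup[name]))}, "
                f"requirements.txt pins {','.join(sorted(in_reqs[name]))}"
            )
    return problems


if __name__ == "__main__":
    for problem in compare_dependencies(SETUP_PY_REQUIRES, REQUIREMENTS_TXT):
        print(problem)
```

Run in the pipeline, a non-empty result fails the build before a mistyped version floor reaches a published package.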

standardised CHANGELOG exists, and is validated via pipeline

If the repo has a changelog that doesn't meet the standard, do try to change earlier entries to match the standard.
If the repo doesn't have a changelog use this as a starter:

# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [Unreleased]

Acceptance criteria

Builds of master that are also a tag pointer fail in subsequent builds

Because we publish tagged commits on main branch and nightly builds try to rebuild the same commit each night, failures in publishing cause problems for builds following the first one.

AC:

  • Subsequent builds of tagged commits on master do not break the build
  • Failures in publishing still fail the first publishing attempt

Steps to Reproduce

Steps to reproduce the behavior:

  1. Rebuild a tagged build on master

Expected Results

Success

Actual Results (including error logs, if applicable)

Build failure

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

v0.1.1

Environment setup

Jenkins

Additional Information

N/A

Publish the CLI as a container to DockerHub

Utility of this repo is limited without an easy way to use the bundled CLI. Placing it on DockerHub would remove this issue.

AC:

  • Tagged commits of master are automatically pushed to DockerHub
  • A container with the CLI is available from DockerHub
