Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Conjurctl create account with password #2042

Merged
merged 7 commits into from
Mar 30, 2021
Merged

Conjurctl create account with password #2042

merged 7 commits into from
Mar 30, 2021

Conversation

jvanderhoof
Copy link
Contributor

@jvanderhoof jvanderhoof commented Feb 17, 2021
edited by h-artzi
Loading

What does this PR do?

  • Enable operators to specify an admin user's password:

    • conjurctl account create --name demo --password-from-stdin (STDIN)
    • conjurctl server --account demo --password-from-stdin (STDIN)

  • How to manually test?

    • cd dev
    • dev: docker-compose up -d --no-deps pg conjur client
    • dev: docker-compose exec conjur bundle
    • dev: docker-compose exec conjur conjurctl db migrate
    • exec into the conjur container and run echo -n "testP@SS1alice" | conjurctl server --account demo --password-file -
    • Attempt to authenticate the admin user with the password set above
    • Also test echo -n "testP@SS1alice" | conjurctl account create demo1 -
    • Attempt to authenticate the admin user with the password set above
    • Repeat the previous steps but write the password to a file and provide the path instead of utilizing STDIN

What ticket does this PR close?

Resolves #2043

Checklists

Change log

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, or
  • This PR does not require updating any documentation

@jvanderhoof jvanderhoof requested a review from a team as a code owner February 17, 2021 14:27
codeclimate[bot]
codeclimate bot reviewed Feb 17, 2021
View reviewed changes
bin/conjur-cli.rb Outdated Show resolved Hide resolved
lib/tasks/account.rake Outdated Show resolved Hide resolved
lib/tasks/account.rake Outdated Show resolved Hide resolved
lib/conjur/password_complexity.rb Outdated Show resolved Hide resolved
lib/conjur/password_complexity.rb Outdated Show resolved Hide resolved
jonahx
jonahx reviewed Feb 17, 2021
View reviewed changes
bin/conjur-cli.rb Outdated Show resolved Hide resolved
jonahx
jonahx reviewed Feb 17, 2021
View reviewed changes
bin/conjur-cli.rb Outdated Show resolved Hide resolved
@h-artzi h-artzi linked an issue Feb 17, 2021 that may be closed by this pull request
Set admin password via conjurctl #2043
Closed
@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch 5 times, most recently from 8ffc5ae to 753a3c2 Compare February 19, 2021 16:44
codeclimate[bot]
codeclimate bot reviewed Feb 19, 2021
View reviewed changes
lib/conjur/password.rb
VALID_PASSWORD_REGEX = %r{^(?=.*?[A-Z].*[A-Z]) # 2 uppercase letters
(?=.*?[a-z].*[a-z]) # 2 lowercase letters
(?=.*?[0-9]) # 1 digit
(?=.*[ !"#$%&'()*+,-.\/:;<=>?@\[\\\]^_`{|}~]). # 1 special character
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redundant escape inside regexp literal

@h-artzi h-artzi changed the title [WIP] Conjurctl create account with password Conjurctl create account with password Feb 19, 2021
@h-artzi h-artzi requested a review from jonahx February 19, 2021 18:15
micahlee
micahlee reviewed Feb 23, 2021
View reviewed changes
bin/conjur-cli.rb Outdated
Example:

$ conjurctl account create myorg
$ conjurctl account create myorg [password_file]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given it's optional, would it make since for this to be a flag (--password-file) instead? That also has the benefit of being consistent with the server command.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is small, but there is a difference between providing a reference to a file and to providing the file contents. should we be overloading the same flag with both use cases? maybe it would be better to have a password flag for the password value, and a password-file flag for a reference to a file containing the value?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am leaning towards just including a password flag (which would only accept input via STDIN). If there is value in adding the flag password-file I will be happy to add it in the future.

bin/conjur-cli.rb Outdated
Comment on lines 39 to 43
def file_input(path)
if path == '-'
$stdin.read.force_encoding('ASCII-8BIT')
else
File.read(path, mode: 'rb')
end
end
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like there are a number of potential failure cases here. Do these manifest in the messages you would want the user to see?

For example:

  • The file doesn't exist
  • The file is empty
  • The - argument is given, but nothing is provided to STDIN

Along these lines, is there any way some of this could be unit tested? Or is there no infrastructure/fixture for that now with this CLI?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the file doesn't exist the user will see the following error:
conjurctl server --account demo --password-file /no_such_file error: No such file or directory @ rb_sysopen - /no_such_file.
I can wrap this error if you think it would provide a better UX.

If the - argument is given, but nothing is provided to STDIN ex.
conjurctl server --account demo --password-file, it will hang.
However, a user could still provide input by typing in a password and then Ctrl+D.
I could add a timeout if you think this would improve the UX, but there are pros and cons to that approach as well.

We currently do not have any unit tests for conjurctl. I will look into adding a cucumber test for conjurctl account create

Copy link
Contributor

@micahlee micahlee Feb 24, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding:

If the - argument is given, but nothing is provided to STDIN ex.
conjurctl server --account demo --password-file, it will hang.
However, a user could still provide input by typing in a password and then Ctrl+D.
I could add a timeout if you think this would improve the UX, but there are pros and cons to that approach as well.

You can actually detect this without a timeout using $stdin.tty?

command $stdin.tty?
echo 'password' | conjurctl ... --password-file - false
conjurctl ... --password-file - < password-file.txt false
conjurctl ... --password-file - true

That would give you either an opportunity to interactively prompt for it, or just raise an error if the standard input isn't piped in.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TIL

izgeri
izgeri reviewed Feb 24, 2021
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
@izgeri
Copy link
Contributor

izgeri commented Feb 24, 2021

will this flow have test cases added for it? just wanted to flag that here, since the PR doesn't say WIP / it's not a draft - if we can add tests, we should do that before merging.

also, is there a docs card?

@h-artzi
Copy link
Contributor

h-artzi commented Feb 24, 2021
edited
Loading

will this flow have test cases added for it? just wanted to flag that here, since the PR doesn't say WIP / it's not a draft - if we can add tests, we should do that before merging.

also, is there a docs card?

@izgeri I do not believe we currently have tests for the conjurctl commands. That doesn't mean they can't be added for this PR.

I was unable to find the docs for the conjurctl commands, do you mind pointing me in the right direction?

@izgeri
Copy link
Contributor

izgeri commented Feb 26, 2021

@h-artzi I hoped we had something in the docs, but it looks like the best reference is actually the quick start :(

Maybe we can create a new small section after "Next Steps" here that explains "Configuring Conjur with a pre-defined admin password"?

I am uncomfortable merging this without tests, or if the scope of adding tests is too big, without and issue filed with a plan to address it that will add the appropriate tests. There are a few cukes that test conjurctl functionality - can we add some cukes or a new test file here: https://github.com/cyberark/conjur/tree/master/lib/test - something that gives us assurance we won't inadvertently break this in a future release?

On a totally separate note - is there a default value for account if you don't pass one to conjurctl? If not, I'd like to consider a follow-up that sets it to default, so that our clients can start assuming a sane default for account value.

@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch from fd5a194 to 9d17bad Compare March 19, 2021 20:56
@h-artzi h-artzi requested a review from izgeri March 19, 2021 20:56
@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch from 9d17bad to bf310cb Compare March 19, 2021 21:37
izgeri
izgeri reviewed Mar 22, 2021
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch 5 times, most recently from 364057f to 542089d Compare March 23, 2021 20:55
@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch from 01664eb to 635a10f Compare March 24, 2021 16:19
@h-artzi
Copy link
Contributor

h-artzi commented Mar 24, 2021

Relative follow up tickets:
add test when no STDIN is provided but --password-from-stdin is present
default account when none is provided

@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch from 635a10f to d7df439 Compare March 24, 2021 23:10
@h-artzi h-artzi requested a review from a team March 25, 2021 15:50
@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch from d7df439 to 4961f34 Compare March 26, 2021 15:01
@h-artzi h-artzi assigned h-artzi and unassigned jvanderhoof Mar 26, 2021
@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch from 4961f34 to 5a86e65 Compare March 29, 2021 13:10
micahlee
micahlee previously approved these changes Mar 30, 2021
View reviewed changes
Copy link
Contributor

@micahlee micahlee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me!

It might be helpful to get a quick check from @izgeri and @jonahx to make sure their suggestions have been addressed though.

@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch 3 times, most recently from 1672553 to fe8f44c Compare March 30, 2021 16:55
micahlee
micahlee previously approved these changes Mar 30, 2021
View reviewed changes
@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch from fe8f44c to 3b30d11 Compare March 30, 2021 18:00
micahlee
micahlee previously approved these changes Mar 30, 2021
View reviewed changes
@h-artzi h-artzi force-pushed the conjurctl_create_account_with_password branch from 3b30d11 to 2aecf28 Compare March 30, 2021 19:00
@codeclimate
Copy link

codeclimate bot commented Mar 30, 2021

Code Climate has analyzed commit 2aecf28 and detected 2 issues on this pull request.

Here's the issue category breakdown:

Category Count
Complexity 1
Style 1

The test coverage on the diff in this pull request is 48.1% (50% is the threshold).

This pull request will bring the total coverage in the repository to 89.2% (-0.2% change).

View more on Code Climate.

@h-artzi h-artzi merged commit a168d44 into master Mar 30, 2021
@h-artzi h-artzi deleted the conjurctl_create_account_with_password branch March 30, 2021 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@izgeri izgeri izgeri left review comments

@codeclimate codeclimate[bot] codeclimate[bot] left review comments

@h-artzi h-artzi h-artzi left review comments

@micahlee micahlee micahlee approved these changes

@jonahx jonahx Awaiting requested review from jonahx

Assignees

@h-artzi h-artzi

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Set admin password via conjurctl
5 participants
@jvanderhoof @izgeri @h-artzi @jonahx @micahlee