├── .dockerignore ├── .github └── CODEOWNERS ├── .gitignore ├── .goreleaser.yml ├── CHANGELOG.md ├── CONTRIBUTING.md ├── Dockerfile.test ├── Jenkinsfile ├── LICENSE ├── NOTICES.txt ├── README.md ├── SECURITY.md ├── bin ├── functions.sh ├── test-entrypoint.sh ├── test.sh └── wait_for_server.sh ├── build.sh ├── cmd └── main.go ├── dev.sh ├── docker-compose.yml ├── go.mod ├── go.sum ├── install.sh ├── pkg └── summon_conjur │ └── version.go └── test ├── files ├── fake.pem └── real.pem ├── helpers.go └── package_oss_test.go /.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | summon-conjur 3 | junit.xml 4 | output/ 5 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @cyberark/community-and-integrations-team @conjurinc/community-and-integrations-team @conjurdemos/community-and-integrations-team @conjur-enterprise/community-and-integrations 2 | 3 | # Changes to .trivyignore require Security Architect approval 4 | .trivyignore @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects @conjur-enterprise/conjur-security 5 | 6 | # Changes to .codeclimate.yml require Quality Architect approval 7 | .codeclimate.yml @cyberark/quality-architects @conjurinc/quality-architects @conjurdemos/quality-architects @conjur-enterprise/conjur-quality 8 | # Changes to SECURITY.md require Security Architect approval 9 | SECURITY.md @cyberark/security-architects @conjurinc/security-architects @conjurdemos/security-architects @conjur-enterprise/conjur-security 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | output/ 2 | dist/ 3 | webapp1.json 4 | junit.xml 5 | summon-conjur 6 | *.sublime-project 7 | secrets.yml 8 | 9 | *.exe 10 | 
*.prof 11 | .DS_Store 12 | 13 | # VIM swapfiles 14 | *.sw[po] 15 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | # All available options: https://goreleaser.com/customization/ 2 | version: 2 3 | 4 | project_name: summon-conjur 5 | 6 | builds: 7 | - binary: summon-conjur 8 | env: 9 | - CGO_ENABLED=0 10 | goos: 11 | - darwin # MacOS 12 | - linux 13 | - solaris 14 | - windows 15 | goarch: 16 | - amd64 17 | ldflags: [] 18 | main: cmd/main.go 19 | 20 | # Apple silicon support 21 | - id: summon-conjur-arm 22 | binary: summon-conjur 23 | env: 24 | - CGO_ENABLED=0 25 | goos: 26 | - darwin # MacOS 27 | goarch: 28 | - arm64 29 | ldflags: [] 30 | main: ./cmd/main.go 31 | 32 | archives: 33 | - id: summon-conjur-release-archive 34 | name_template: "{{.ProjectName}}-{{.Os}}-{{.Arch}}" 35 | format_overrides: 36 | - goos: windows 37 | format: zip 38 | files: 39 | - none* # only package the binary - not defaults: readme, license, changelog 40 | 41 | checksum: 42 | name_template: 'SHA256SUMS.txt' 43 | 44 | brews: 45 | - description: Conjur provider for Summon 46 | homepage: https://github.com/cyberark/summon-conjur 47 | url_template: https://github.com/cyberark/summon-conjur/releases/download/v{{.Version}}/summon-conjur-{{.Os}}-{{.Arch}}.tar.gz 48 | install: | 49 | target = lib/"summon" 50 | target.install "summon-conjur" 51 | test: | 52 | system lib/"summon"/"summon-conjur", "-V" 53 | 54 | repository: 55 | owner: cyberark 56 | name: homebrew-tools 57 | skip_upload: true 58 | 59 | nfpms: 60 | - file_name_template: "{{ .ProjectName }}" 61 | vendor: CyberArk 62 | homepage: https://github.com/cyberark/summon-conjur 63 | maintainer: Conjur Maintainers 64 | 65 | description: Conjur provider for Summon 66 | recommends: 67 | - summon 68 | license: MIT 69 | formats: 70 | - deb 71 | - rpm 72 | bindir: /usr/local/lib/summon # where the binary is placed, 
default summon provider dir 73 | 74 | dist: ./dist/goreleaser 75 | 76 | release: 77 | disable: false 78 | draft: true 79 | extra_files: 80 | - glob: NOTICES.txt 81 | - glob: LICENSE 82 | - glob: CHANGELOG.md 83 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) 5 | and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). 6 | 7 | ## [Unreleased] 8 | 9 | ## [0.8.0] - 2024-06-06 10 | 11 | ### Changed 12 | - Updated provider to stream secrets and leverage the new Summon API (CNJR-4814) 13 | - Upgraded Go to 1.22.4 14 | 15 | ## [0.7.2] - 2024-03-21 16 | 17 | ### Security 18 | - Upgrade Go to 1.22 (CONJSE-1842) 19 | 20 | ## [0.7.1] - 2023-06-14 21 | 22 | ### Security 23 | - Update golang.org/x/sys to v0.8.0, gopkg.in/yaml.v3 to v3.0.1, and Go to 1.20 24 | in Dockerfile.test 25 | [cyberark/summon-conjur#112](https://github.com/cyberark/summon-conjur/pull/112) 26 | 27 | ## [0.7.0] - 2023-03-10 28 | ### Added 29 | - Added support for Conjur's OIDC and LDAP authenticators 30 | [cyberark/summon-conjur#108](https://github.com/cyberark/summon-conjur/pull/108) 31 | 32 | ### Changed 33 | - Updated Golang to 1.19 34 | [cyberark/summon-conjur#108](https://github.com/cyberark/summon-conjur/pull/108) 35 | 36 | ### Security 37 | - Update golang.org/x/sys to v0.1.0 for CVE-2022-29526 (not vulnerable) 38 | [cyberark/summon-conjur#110](https://github.com/cyberark/summon-conjur/pull/110) 39 | 40 | ### Removed 41 | - Removed support for Conjur v4 42 | [cyberark/summon-conjur#108](https://github.com/cyberark/summon-conjur/pull/108) 43 | 44 | ## [0.6.4] - 2022-07-06 45 | ### Changed 46 | - Updated direct dependencies (github.com/cyberark/conjur-api-go -> 
v0.10.1, 47 | github.com/stretchr/testify -> 1.7.2) 48 | [cyberark/summon-conjur#106](https://github.com/cyberark/summon-conjur/pull/106) 49 | 50 | ## [0.6.3] - 2022-05-19 51 | ### Changed 52 | - Updated the Conjur API to 0.10.0 to support the new `CONJUR_AUTHN_JWT_HOST_ID` environment variable 53 | [cyberark/summon-conjur#103](https://github.com/cyberark/summon-conjur/pull/103/) 54 | 55 | ### Security 56 | - Update test env Golang to 1.17 to fix CVE-2022-0778 and CVE-2022-1292. 57 | [cyberark/summon-conjur#102](https://github.com/cyberark/summon-conjur/pull/102/) 58 | 59 | ## [0.6.2] - 2022-02-25 60 | ### Changed 61 | - Updated Conjur API to 0.9.0 to support authn-JWT 62 | [cyberark/summon-conjur#99](https://github.com/cyberark/summon-conjur/pull/99/) 63 | 64 | ## [0.6.1] - 2021-12-31 65 | ### Changed 66 | - Updated Golang to 1.17 and the Conjur API to 0.8.1 67 | [cyberark/summon-conjur#96](https://github.com/cyberark/summon-conjur/pull/96/) 68 | 69 | ## [0.6.0] - 2021-08-11 70 | ### Added 71 | - Build for Apple M1 silicon. 72 | [cyberark/summon-conjur#88](https://github.com/cyberark/summon-conjur/issues/88) 73 | 74 | ## [0.5.5] - 2021-06-01 75 | ### Security 76 | - Update golang.org/x/crypto to address CVE-2020-29652. 77 | [PR cyberark/summon-conjur#84](https://github.com/cyberark/summon-conjur/pull/84) 78 | 79 | ## [0.5.4] - 2021-03-16 80 | ### Added 81 | - Update conjur-api-go dependency to v0.7.1. 82 | - Preliminary support for building Solaris binaries. 83 | [cyberark/summon-conjur#67](https://github.com/cyberark/summon-conjur/issues/67) 84 | 85 | ### Fixed 86 | - Verbose debug output with the -v flag, silently lost in v0.5.3 due to changes 87 | to the logging interface in 88 | [conjur-api-go](https://github.com/cyberark/conjur-api-go), is reintroduced. 
89 | [cyberark/summon-conjur#77](https://github.com/cyberark/summon-conjur/issues/77) 90 | 91 | ## [0.5.3] - 2019-02-06 92 | ### Changed 93 | - Go modules are now used for dependency management 94 | - Newer goreleaser syntax is used to build artifacts 95 | - Fixed issues with spaces in variable IDs (via conjur-api-go version increase) 96 | - Fixed issues with homedir pathing (via conjur-api-go version increase) 97 | 98 | ## [0.5.2] - 2018-08-06 99 | ### Added 100 | - deb and rpm packages 101 | - homebrew formula 102 | 103 | ### Changed 104 | - Update build/package process to use [goreleaser](https://github.com/goreleaser/goreleaser). 105 | 106 | ## [0.5.1] - 2018-07-19 107 | ### Added 108 | - Add some logging to help debug configuration [PR #31](https://github.com/cyberark/summon-conjur/pull/31). 109 | 110 | ### Changed 111 | - Update to the latest version of conjur-api-go. 112 | 113 | ## [0.5.0] - 2017-11-20 114 | ### Added 115 | - Support new v5 token format and summon-conjur version flag [PR #23](https://github.com/cyberark/summon-conjur/pull/23). 116 | 117 | ## [0.4.0] - 2017-09-19 118 | ### Changed 119 | - Support v4, https and configuration from machine identity files, [PR #20](https://github.com/cyberark/summon-conjur/pull/20). 120 | 121 | ## [0.3.0] - 2017-08-16 122 | ### Changed 123 | - Provider updated to use [cyberark/conjur-api-go](https://github.com/cyberark/conjur-api-go). This provides compatibility with [cyberark/conjur](https://github.com/cyberark/conjur), Conjur 5 CE. PR [#13](https://github.com/cyberark/summon-conjur/pull/13). 
124 | 125 | ## [0.2.0] - 2016-07-20 126 | ### Added 127 | - `CONJUR_SSL_CERTIFICATE` can now be passed (content of cert file) [#3](https://github.com/conjurinc/summon-conjur/issues/3) 128 | - netrc file is now only read if required [#4](https://github.com/conjurinc/summon-conjur/issues/4) 129 | - `CONJUR_AUTHN_TOKEN` can now be used for identity [#5](https://github.com/conjurinc/summon-conjur/issues/5) 130 | 131 | ## [0.1.4] - 2016-02-29 132 | ### Fixed 133 | - A friendly error is now returned when no argument is given [GH-2](https://github.com/conjurinc/summon-conjur/issues/2) 134 | 135 | ## [0.1.3] - 2016-02-24 136 | ### Changed 137 | - Config now looks at `netrc_path` in conjurrc to find identity.file 138 | 139 | ## [0.1.2] - 2015-12-09 140 | ### Changed 141 | - Config now uses env var `CONJUR_AUTHN_API_KEY` instead of `CONJUR_API_KEY`. 142 | 143 | ## [0.1.1] - 2015-10-08 144 | ### Fixed 145 | - Fixed an issue authenticating hosts - `/` is now properly escaped. 146 | 147 | ## 0.1.0 - 2015-06-04 148 | ### Added 149 | - Initial release 150 | 151 | [Unreleased]: https://github.com/cyberark/summon-conjur/compare/v0.8.0...HEAD 152 | [0.8.0]: https://github.com/cyberark/summon-conjur/compare/v0.7.2...v0.8.0 153 | [0.7.2]: https://github.com/cyberark/summon-conjur/compare/v0.7.1...v0.7.2 154 | [0.7.1]: https://github.com/cyberark/summon-conjur/compare/v0.7.0...v0.7.1 155 | [0.7.0]: https://github.com/cyberark/summon-conjur/compare/v0.6.4...v0.7.0 156 | [0.6.4]: https://github.com/cyberark/summon-conjur/compare/v0.6.3...v0.6.4 157 | [0.6.3]: https://github.com/cyberark/summon-conjur/compare/v0.6.2...v0.6.3 158 | [0.6.2]: https://github.com/cyberark/summon-conjur/compare/v0.6.1...v0.6.2 159 | [0.6.1]: https://github.com/cyberark/summon-conjur/compare/v0.6.0...v0.6.1 160 | [0.6.0]: https://github.com/cyberark/summon-conjur/compare/v0.5.5...v0.6.0 161 | [0.5.5]: https://github.com/cyberark/summon-conjur/compare/v0.5.4...v0.5.5 162 | [0.5.4]: 
https://github.com/cyberark/summon-conjur/compare/v0.5.3...v0.5.4 163 | [0.5.3]: https://github.com/cyberark/summon-conjur/compare/v0.5.2...v0.5.3 164 | [0.5.2]: https://github.com/cyberark/summon-conjur/compare/v0.5.1...v0.5.2 165 | [0.5.1]: https://github.com/cyberark/summon-conjur/compare/v0.5.0...v0.5.1 166 | [0.5.0]: https://github.com/cyberark/summon-conjur/compare/v0.4.0...v0.5.0 167 | [0.4.0]: https://github.com/cyberark/summon-conjur/compare/v0.3.0...v0.4.0 168 | [0.3.0]: https://github.com/cyberark/summon-conjur/compare/v0.2.0...v0.3.0 169 | [0.2.0]: https://github.com/cyberark/summon-conjur/compare/v0.1.4...v0.2.0 170 | [0.1.4]: https://github.com/cyberark/summon-conjur/compare/v0.1.3...v0.1.4 171 | [0.1.3]: https://github.com/cyberark/summon-conjur/compare/v0.1.2...v0.1.3 172 | [0.1.2]: https://github.com/cyberark/summon-conjur/compare/v0.1.1...v0.1.2 173 | [0.1.1]: https://github.com/cyberark/summon-conjur/compare/v0.1.0...v0.1.1 174 | [0.1.0]: https://github.com/cyberark/summon-conjur/releases/tag/v0.1.0 175 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community). 4 | 5 | ## Contributing 6 | 7 | 1. [Fork the project](https://help.github.com/en/github/getting-started-with-github/fork-a-repo) 8 | 2. [Clone your fork](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/cloning-a-repository) 9 | 3. Make local changes to your fork by editing files 10 | 4. [Commit your changes](https://help.github.com/en/github/managing-files-in-a-repository/adding-a-file-to-a-repository-using-the-command-line) 11 | 5. [Push your local changes to the remote server](https://help.github.com/en/github/using-git/pushing-commits-to-a-remote-repository) 12 | 6. 
[Create new Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request-from-a-fork) 13 | 14 | From here your pull request will be reviewed and once you've responded to all 15 | feedback it will be merged into the project. Congratulations, you're a 16 | contributor! 17 | 18 | ## Development 19 | 20 | You can start a Docker Compose development environment by running 21 | 22 | ```sh 23 | $ ./dev.sh 24 | ``` 25 | 26 | ### Running tests 27 | 28 | Automated CI pipelines: 29 | - [Jenkinsfile](Jenkinsfile) 30 | 31 | Run `./bin/test.sh` 32 | 33 | ## Releasing 34 | 35 | ### Verify and update dependencies 36 | 1. Review the changes to `go.mod` since the last release and make any needed 37 | updates to [NOTICES.txt](./NOTICES.txt): 38 | - Add any dependencies that have been added since the last tag, including 39 | an entry for them alphabetically under the license type (make sure you 40 | check the license type for the version of the project we use) and a copy 41 | of the copyright later in the same file. 42 | - Update any dependencies whose versions have changed - there are usually at 43 | least two version entries that need to be modified, but if the license type 44 | of the dependency has also changed, then you will need to remove the old 45 | entries and add it as if it were a new dependency. 46 | - Remove any dependencies we no longer include. 47 | 48 | If no dependencies have changed, you can move on to the next step. 49 | 50 | ### Update the version and changelog 51 | 1. Create a new branch for the version bump. 52 | 1. Based on the unreleased content, determine the new version number and update 53 | the [version.go](pkg/summon_conjur/version.go) file. 54 | 1. Review the [changelog](CHANGELOG.md) to make sure all relevant changes since 55 | the last release have been captured. 
You may find it helpful to look at the 56 | list of commits since the last release - you can find this by visiting the 57 | [releases page](https://github.com/cyberark/summon-conjur/releases) and 58 | clicking the "`N commits` to main since this release" link for the latest 59 | release. 60 | 61 | This is also a good time to make sure all entries conform to our 62 | [changelog guidelines](https://github.com/cyberark/community/blob/main/Conjur/CONTRIBUTING.md#changelog-guidelines). 63 | 1. Commit these changes - `Bump version to x.y.z` is an acceptable commit message - and open a PR 64 | for review. Your PR should include updates to `pkg/summon_conjur/version.go`, 65 | `CHANGELOG.md`, and if there are any license updates, to `NOTICES.txt`. 66 | 67 | ### Add a git tag 68 | 1. Once your changes have been reviewed and merged into main, tag the version 69 | using `git tag -s v0.1.1`. Note this requires you to be able to sign releases. 70 | Consult the [github documentation on signing commits](https://help.github.com/articles/signing-commits-with-gpg/) 71 | on how to set this up. `vx.y.z` is an acceptable tag message. 72 | 1. Push the tag: `git push vx.y.z` (or `git push origin vx.y.z` if you are working 73 | from your local machine). 74 | 75 | ### Make the release public 76 | **Note:** Until the stable quality exercises have completed, the GitHub release 77 | should be officially marked as a `pre-release` (eg "non-production ready") 78 | 79 | 1. The tagged commit should have caused a Draft release to be created in GitHub. 80 | Replace the commits in the Draft release's description with the relevant entries 81 | from the CHANGELOG. 82 | 1. If everything else looks good, release the draft. 83 | 1. Copy the `summon-conjur.rb` homebrew formula output by goreleaser 84 | to the [homebrew formula for Summon-Conjur](https://github.com/cyberark/homebrew-tools/blob/main/summon-conjur.rb) 85 | and submit a PR to update the version of Summon-Conjur available in brew. 
86 | -------------------------------------------------------------------------------- /Dockerfile.test: -------------------------------------------------------------------------------- 1 | FROM golang:1.22-alpine 2 | 3 | MAINTAINER Conjur Inc 4 | 5 | RUN apk add --no-cache bash \ 6 | build-base \ 7 | curl \ 8 | git \ 9 | jq \ 10 | less && \ 11 | go install github.com/jstemmer/go-junit-report@latest && \ 12 | go install github.com/axw/gocov/gocov@latest && \ 13 | go install github.com/AlekSi/gocov-xml@latest && \ 14 | mkdir -p /summon-conjur/output 15 | 16 | WORKDIR /summon-conjur 17 | 18 | COPY go.mod go.sum ./ 19 | 20 | COPY . . 21 | RUN go build -o summon-conjur cmd/main.go 22 | 23 | EXPOSE 8080 24 | -------------------------------------------------------------------------------- /Jenkinsfile: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env groovy 2 | @Library("product-pipelines-shared-library") _ 3 | 4 | pipeline { 5 | agent { label 'conjur-enterprise-common-agent' } 6 | 7 | options { 8 | timestamps() 9 | buildDiscarder(logRotator(daysToKeepStr: '30')) 10 | } 11 | 12 | triggers { 13 | cron(getDailyCronString()) 14 | } 15 | 16 | stages { 17 | stage('Scan for internal URLs') { 18 | steps { 19 | script { 20 | detectInternalUrls() 21 | } 22 | } 23 | } 24 | 25 | stage('Get InfraPool ExecutorV2 Agent') { 26 | steps { 27 | script { 28 | // Request ExecutorV2 agents for 1 hour(s) 29 | INFRAPOOL_EXECUTORV2_AGENT_0 = getInfraPoolAgent.connected(type: "ExecutorV2", quantity: 1, duration: 1)[0] 30 | } 31 | } 32 | } 33 | 34 | stage('Get latest upstream dependencies') { 35 | steps { 36 | script { 37 | updatePrivateGoDependencies("${WORKSPACE}/go.mod") 38 | // Copy the vendor directory onto infrapool 39 | INFRAPOOL_EXECUTORV2_AGENT_0.agentPut from: "vendor", to: "${WORKSPACE}" 40 | INFRAPOOL_EXECUTORV2_AGENT_0.agentPut from: "go.*", to: "${WORKSPACE}" 41 | } 42 | } 43 | } 44 | 45 | stage('Validate') { 46 | parallel { 47 | 
stage('Changelog') { 48 | steps { 49 | parseChangelog(INFRAPOOL_EXECUTORV2_AGENT_0) 50 | } 51 | } 52 | } 53 | } 54 | 55 | stage('Run unit tests') { 56 | steps { 57 | script { 58 | INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './bin/test.sh' 59 | INFRAPOOL_EXECUTORV2_AGENT_0.agentStash name: 'output-xml', includes: 'output/*.xml' 60 | unstash 'output-xml' 61 | junit 'output/junit.xml' 62 | cobertura autoUpdateHealth: true, autoUpdateStability: true, coberturaReportFile: 'output/coverage.xml', conditionalCoverageTargets: '30, 0, 0', failUnhealthy: true, failUnstable: false, lineCoverageTargets: '30, 0, 0', maxNumberOfBuilds: 0, methodCoverageTargets: '30, 0, 0', onlyStable: false, sourceEncoding: 'ASCII', zoomCoverageChart: false 63 | INFRAPOOL_EXECUTORV2_AGENT_0.agentSh 'cp output/c.out .' 64 | codacy action: 'reportCoverage', filePath: "output/coverage.xml" 65 | } 66 | } 67 | } 68 | 69 | stage('Build Release Artifacts') { 70 | when { 71 | not { buildingTag() } 72 | } 73 | 74 | steps { 75 | script { 76 | INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './build.sh --snapshot' 77 | INFRAPOOL_EXECUTORV2_AGENT_0.agentArchiveArtifacts artifacts: 'dist/goreleaser/' 78 | } 79 | } 80 | } 81 | 82 | stage('Build Release Artifacts and Create Pre Release') { 83 | // Only run this stage when triggered by a tag 84 | when { buildingTag() } 85 | 86 | steps { 87 | script { 88 | INFRAPOOL_EXECUTORV2_AGENT_0.agentDir('./pristine-checkout') { 89 | // Go releaser requires a pristine checkout 90 | checkout scm 91 | 92 | // Copy the checkout content onto infrapool 93 | INFRAPOOL_EXECUTORV2_AGENT_0.agentPut from: "./", to: "." 
94 | 95 | // Create draft release 96 | INFRAPOOL_EXECUTORV2_AGENT_0.agentSh 'summon --yaml "GITHUB_TOKEN: !var github/users/conjur-jenkins/api-token" ./build.sh' 97 | } 98 | } 99 | } 100 | } 101 | } 102 | 103 | post { 104 | always { 105 | script { 106 | releaseInfraPoolAgent(".infrapool/release_agents") 107 | } 108 | } 109 | } 110 | } 111 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2020 CyberArk Software Ltd. All rights reserved. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | 23 | -------------------------------------------------------------------------------- /NOTICES.txt: -------------------------------------------------------------------------------- 1 | =============== TABLE OF CONTENTS ============================= 2 | 3 | The following is a listing of the summon-conjur open source components detailed 4 | in this document. This list is provided for your convenience; please read 5 | further if you wish to review the copyright notice(s) and the full text 6 | of the license associated with each component. 7 | 8 | 9 | Section 1: Apache License 2.0 10 | >>> https://github.com/cyberark/conjur-api-go/tree/v0.11.0 11 | 12 | Section 2: MIT License 13 | >>> https://github.com/sirupsen/logrus/tree/v1.8.1 14 | >>> https://github.com/stretchr/testify/v1.7.2 15 | 16 | Section 3: BSD 3-clause "New" or "Revised" License 17 | >>> https://github.com/karrick/golf/tree/v1.1.0 18 | 19 | 20 | APPENDIX: Standard License Files and Templates 21 | 22 | >>> Apache License 2.0 23 | >>> MIT License 24 | >>> BSD 3-clause "New" or "Revised" License 25 | 26 | --------------- SECTION 1: Apache License 2.0 ---------- 27 | 28 | Apache License 2.0 is applicable to the following component(s). 29 | 30 | >>> https://github.com/cyberark/conjur-api-go/tree/v0.11.0 31 | 32 | Copyright (c) 2020 CyberArk Software Ltd. All rights reserved. 33 | 34 | Licensed under the Apache License, Version 2.0 (the "License"); 35 | you may not use this file except in compliance with the License. 36 | You may obtain a copy of the License at 37 | 38 | http://www.apache.org/licenses/LICENSE-2.0 39 | 40 | Unless required by applicable law or agreed to in writing, software 41 | distributed under the License is distributed on an "AS IS" BASIS, 42 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 43 | See the License for the specific language governing permissions and 44 | limitations under the License. 
45 | 46 | --------------- SECTION 2: MIT License ---------- 47 | 48 | MIT License is applicable to the following component(s). 49 | 50 | >>> https://github.com/sirupsen/logrus/tree/v1.8.1 51 | 52 | Copyright (c) 2014 Simon Eskildsen 53 | 54 | Permission is hereby granted, free of charge, to any person obtaining a copy 55 | of this software and associated documentation files (the "Software"), to deal 56 | in the Software without restriction, including without limitation the rights 57 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 58 | copies of the Software, and to permit persons to whom the Software is 59 | furnished to do so, subject to the following conditions: 60 | 61 | The above copyright notice and this permission notice shall be included in 62 | all copies or substantial portions of the Software. 63 | 64 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 65 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 66 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 67 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 68 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 69 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 70 | THE SOFTWARE. 71 | 72 | >>> https://github.com/stretchr/testify/v1.7.2 73 | 74 | MIT License 75 | 76 | Copyright (c) 2012-2020 Mat Ryer, Tyler Bunnell and contributors. 
77 | 78 | Permission is hereby granted, free of charge, to any person obtaining a copy 79 | of this software and associated documentation files (the "Software"), to deal 80 | in the Software without restriction, including without limitation the rights 81 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 82 | copies of the Software, and to permit persons to whom the Software is 83 | furnished to do so, subject to the following conditions: 84 | 85 | The above copyright notice and this permission notice shall be included in all 86 | copies or substantial portions of the Software. 87 | 88 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 89 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 90 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 91 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 92 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 93 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 94 | SOFTWARE. 95 | 96 | 97 | --------------- SECTION 3: BSD 3-clause "New" or "Revised" License ---------- 98 | 99 | BSD 3-clause "New" or "Revised" License is applicable to the following component(s). 100 | 101 | >>> https://github.com/karrick/golf/tree/v1.1.0 102 | 103 | BSD 3-Clause License 104 | 105 | Copyright (c) 2018, Karrick McDermott 106 | All rights reserved. 107 | 108 | Redistribution and use in source and binary forms, with or without 109 | modification, are permitted provided that the following conditions are met: 110 | 111 | * Redistributions of source code must retain the above copyright notice, this 112 | list of conditions and the following disclaimer. 
113 | 114 | * Redistributions in binary form must reproduce the above copyright notice, 115 | this list of conditions and the following disclaimer in the documentation 116 | and/or other materials provided with the distribution. 117 | 118 | * Neither the name of the copyright holder nor the names of its 119 | contributors may be used to endorse or promote products derived from 120 | this software without specific prior written permission. 121 | 122 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 123 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 124 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 125 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 126 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 127 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 128 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 129 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 130 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 131 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 132 | 133 | =============== APPENDIX: License Files and Templates ============== 134 | 135 | 136 | 137 | --------------- APPENDIX 1: Apache License 2.0 (Template) ----------- 138 | 139 | Apache License 140 | Version 2.0, January 2004 141 | http://www.apache.org/licenses/ 142 | 143 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 144 | 145 | 1. Definitions. 146 | 147 | "License" shall mean the terms and conditions for use, reproduction, 148 | and distribution as defined by Sections 1 through 9 of this document. 149 | 150 | "Licensor" shall mean the copyright owner or entity authorized by 151 | the copyright owner that is granting the License. 
152 | 153 | "Legal Entity" shall mean the union of the acting entity and all 154 | other entities that control, are controlled by, or are under common 155 | control with that entity. For the purposes of this definition, 156 | "control" means (i) the power, direct or indirect, to cause the 157 | direction or management of such entity, whether by contract or 158 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 159 | outstanding shares, or (iii) beneficial ownership of such entity. 160 | 161 | "You" (or "Your") shall mean an individual or Legal Entity 162 | exercising permissions granted by this License. 163 | 164 | "Source" form shall mean the preferred form for making modifications, 165 | including but not limited to software source code, documentation 166 | source, and configuration files. 167 | 168 | "Object" form shall mean any form resulting from mechanical 169 | transformation or translation of a Source form, including but 170 | not limited to compiled object code, generated documentation, 171 | and conversions to other media types. 172 | 173 | "Work" shall mean the work of authorship, whether in Source or 174 | Object form, made available under the License, as indicated by a 175 | copyright notice that is included in or attached to the work 176 | (an example is provided in the Appendix below). 177 | 178 | "Derivative Works" shall mean any work, whether in Source or Object 179 | form, that is based on (or derived from) the Work and for which the 180 | editorial revisions, annotations, elaborations, or other modifications 181 | represent, as a whole, an original work of authorship. For the purposes 182 | of this License, Derivative Works shall not include works that remain 183 | separable from, or merely link (or bind by name) to the interfaces of, 184 | the Work and Derivative Works thereof. 
185 | 186 | "Contribution" shall mean any work of authorship, including 187 | the original version of the Work and any modifications or additions 188 | to that Work or Derivative Works thereof, that is intentionally 189 | submitted to Licensor for inclusion in the Work by the copyright owner 190 | or by an individual or Legal Entity authorized to submit on behalf of 191 | the copyright owner. For the purposes of this definition, "submitted" 192 | means any form of electronic, verbal, or written communication sent 193 | to the Licensor or its representatives, including but not limited to 194 | communication on electronic mailing lists, source code control systems, 195 | and issue tracking systems that are managed by, or on behalf of, the 196 | Licensor for the purpose of discussing and improving the Work, but 197 | excluding communication that is conspicuously marked or otherwise 198 | designated in writing by the copyright owner as "Not a Contribution." 199 | 200 | "Contributor" shall mean Licensor and any individual or Legal Entity 201 | on behalf of whom a Contribution has been received by Licensor and 202 | subsequently incorporated within the Work. 203 | 204 | 2. Grant of Copyright License. Subject to the terms and conditions of 205 | this License, each Contributor hereby grants to You a perpetual, 206 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 207 | copyright license to reproduce, prepare Derivative Works of, 208 | publicly display, publicly perform, sublicense, and distribute the 209 | Work and such Derivative Works in Source or Object form. 210 | 211 | 3. Grant of Patent License. 
Subject to the terms and conditions of 212 | this License, each Contributor hereby grants to You a perpetual, 213 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 214 | (except as stated in this section) patent license to make, have made, 215 | use, offer to sell, sell, import, and otherwise transfer the Work, 216 | where such license applies only to those patent claims licensable 217 | by such Contributor that are necessarily infringed by their 218 | Contribution(s) alone or by combination of their Contribution(s) 219 | with the Work to which such Contribution(s) was submitted. If You 220 | institute patent litigation against any entity (including a 221 | cross-claim or counterclaim in a lawsuit) alleging that the Work 222 | or a Contribution incorporated within the Work constitutes direct 223 | or contributory patent infringement, then any patent licenses 224 | granted to You under this License for that Work shall terminate 225 | as of the date such litigation is filed. 226 | 227 | 4. Redistribution. 
You may reproduce and distribute copies of the 228 | Work or Derivative Works thereof in any medium, with or without 229 | modifications, and in Source or Object form, provided that You 230 | meet the following conditions: 231 | 232 | (a) You must give any other recipients of the Work or 233 | Derivative Works a copy of this License; and 234 | 235 | (b) You must cause any modified files to carry prominent notices 236 | stating that You changed the files; and 237 | 238 | (c) You must retain, in the Source form of any Derivative Works 239 | that You distribute, all copyright, patent, trademark, and 240 | attribution notices from the Source form of the Work, 241 | excluding those notices that do not pertain to any part of 242 | the Derivative Works; and 243 | 244 | (d) If the Work includes a "NOTICE" text file as part of its 245 | distribution, then any Derivative Works that You distribute must 246 | include a readable copy of the attribution notices contained 247 | within such NOTICE file, excluding those notices that do not 248 | pertain to any part of the Derivative Works, in at least one 249 | of the following places: within a NOTICE text file distributed 250 | as part of the Derivative Works; within the Source form or 251 | documentation, if provided along with the Derivative Works; or, 252 | within a display generated by the Derivative Works, if and 253 | wherever such third-party notices normally appear. The contents 254 | of the NOTICE file are for informational purposes only and 255 | do not modify the License. You may add Your own attribution 256 | notices within Derivative Works that You distribute, alongside 257 | or as an addendum to the NOTICE text from the Work, provided 258 | that such additional attribution notices cannot be construed 259 | as modifying the License. 
260 | 261 | You may add Your own copyright statement to Your modifications and 262 | may provide additional or different license terms and conditions 263 | for use, reproduction, or distribution of Your modifications, or 264 | for any such Derivative Works as a whole, provided Your use, 265 | reproduction, and distribution of the Work otherwise complies with 266 | the conditions stated in this License. 267 | 268 | 5. Submission of Contributions. Unless You explicitly state otherwise, 269 | any Contribution intentionally submitted for inclusion in the Work 270 | by You to the Licensor shall be under the terms and conditions of 271 | this License, without any additional terms or conditions. 272 | Notwithstanding the above, nothing herein shall supersede or modify 273 | the terms of any separate license agreement you may have executed 274 | with Licensor regarding such Contributions. 275 | 276 | 6. Trademarks. This License does not grant permission to use the trade 277 | names, trademarks, service marks, or product names of the Licensor, 278 | except as required for reasonable and customary use in describing the 279 | origin of the Work and reproducing the content of the NOTICE file. 280 | 281 | 7. Disclaimer of Warranty. Unless required by applicable law or 282 | agreed to in writing, Licensor provides the Work (and each 283 | Contributor provides its Contributions) on an "AS IS" BASIS, 284 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 285 | implied, including, without limitation, any warranties or conditions 286 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 287 | PARTICULAR PURPOSE. You are solely responsible for determining the 288 | appropriateness of using or redistributing the Work and assume any 289 | risks associated with Your exercise of permissions under this License. 290 | 291 | 8. Limitation of Liability. 
In no event and under no legal theory, 292 | whether in tort (including negligence), contract, or otherwise, 293 | unless required by applicable law (such as deliberate and grossly 294 | negligent acts) or agreed to in writing, shall any Contributor be 295 | liable to You for damages, including any direct, indirect, special, 296 | incidental, or consequential damages of any character arising as a 297 | result of this License or out of the use or inability to use the 298 | Work (including but not limited to damages for loss of goodwill, 299 | work stoppage, computer failure or malfunction, or any and all 300 | other commercial damages or losses), even if such Contributor 301 | has been advised of the possibility of such damages. 302 | 303 | 9. Accepting Warranty or Additional Liability. While redistributing 304 | the Work or Derivative Works thereof, You may choose to offer, 305 | and charge a fee for, acceptance of support, warranty, indemnity, 306 | or other liability obligations and/or rights consistent with this 307 | License. However, in accepting such obligations, You may act only 308 | on Your own behalf and on Your sole responsibility, not on behalf 309 | of any other Contributor, and only if You agree to indemnify, 310 | defend, and hold each Contributor harmless for any liability 311 | incurred by, or claims asserted against, such Contributor by reason 312 | of your accepting any such warranty or additional liability. 313 | 314 | END OF TERMS AND CONDITIONS 315 | 316 | APPENDIX: How to apply the Apache License to your work. 317 | 318 | To apply the Apache License to your work, attach the following 319 | boilerplate notice, with the fields enclosed by brackets "[]" 320 | replaced with your own identifying information. (Don't include 321 | the brackets!) The text should be enclosed in the appropriate 322 | comment syntax for the file format. 
We also recommend that a 323 | file or class name and description of purpose be included on the 324 | same "printed page" as the copyright notice for easier 325 | identification within third-party archives. 326 | 327 | Copyright 328 | 329 | Licensed under the Apache License, Version 2.0 (the "License"); 330 | you may not use this file except in compliance with the License. 331 | You may obtain a copy of the License at 332 | 333 | http://www.apache.org/licenses/LICENSE-2.0 334 | 335 | Unless required by applicable law or agreed to in writing, software 336 | distributed under the License is distributed on an "AS IS" BASIS, 337 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 338 | See the License for the specific language governing permissions and 339 | limitations under the License. 340 | 341 | --------------- APPENDIX 2: MIT License (Template) ----------- 342 | 343 | Copyright 344 | 345 | Permission is hereby granted, free of charge, to any person obtaining a copy 346 | of this software and associated documentation files (the "Software"), to deal 347 | in the Software without restriction, including without limitation the rights 348 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 349 | copies of the Software, and to permit persons to whom the Software is 350 | furnished to do so, subject to the following conditions: 351 | 352 | The above copyright notice and this permission notice shall be included in all 353 | copies or substantial portions of the Software. 354 | 355 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 356 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 357 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 358 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 359 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 360 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 361 | SOFTWARE. 362 | 363 | 364 | --------------- APPENDIX 3: BSD 3-clause "New" or "Revised" License (Template) ----------- 365 | 366 | Copyright 367 | 368 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 369 | 370 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 371 | 372 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 373 | 374 | 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 375 | 376 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
377 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # summon-conjur 2 | 3 | Conjur provider for [Summon](https://github.com/cyberark/summon). 4 | 5 | [![GitHub release](https://img.shields.io/github/release/cyberark/summon-conjur.svg)](https://github.com/cyberark/summon-conjur/releases/latest) 6 | 7 | [![Github commits (since latest release)](https://img.shields.io/github/commits-since/cyberark/summon-conjur/latest.svg)](https://github.com/cyberark/summon-conjur/commits/main) 8 | 9 | --- 10 | 11 | ## Install 12 | 13 | Pre-built binaries and packages are available from GitHub releases 14 | [here](https://github.com/cyberark/summon-conjur/releases). 15 | 16 | ### Using summon-conjur with Conjur Open Source 17 | 18 | Are you using this project with [Conjur Open Source](https://github.com/cyberark/conjur)? Then we 19 | **strongly** recommend choosing the version of this project to use from the latest [Conjur OSS 20 | suite release](https://docs.conjur.org/Latest/en/Content/Overview/Conjur-OSS-Suite-Overview.html). 21 | Conjur maintainers perform additional testing on the suite release versions to ensure 22 | compatibility. When possible, upgrade your Conjur version to match the 23 | [latest suite release](https://docs.conjur.org/Latest/en/Content/ReleaseNotes/ConjurOSS-suite-RN.htm); 24 | when using integrations, choose the latest suite release that matches your Conjur version. For any 25 | questions, please contact us on [Discourse](https://discuss.cyberarkcommons.org/c/conjur/5). 26 | 27 | ### Homebrew 28 | 29 | ```bash 30 | brew tap cyberark/tools 31 | brew install summon-conjur 32 | ``` 33 | 34 | ### Linux (Debian and Red Hat flavors) 35 | 36 | `deb` and `rpm` files are attached to new releases. 37 | These can be installed with `dpkg -i summon-conjur_*.deb` and 38 | `rpm -ivh summon-conjur_*.rpm`, respectively. 
39 | 40 | ### Auto Install 41 | 42 | **Note** Check the release notes and select an appropriate release to ensure support for your version of Conjur. 43 | 44 | Use the auto-install script. This will install the latest version of summon-conjur. 45 | The script requires sudo to place summon-conjur in dir `/usr/local/lib/summon`. 46 | 47 | ```bash 48 | curl -sSL https://raw.githubusercontent.com/cyberark/summon-conjur/main/install.sh | bash 49 | ``` 50 | 51 | ### Manual Install 52 | 53 | Otherwise, download the [latest release](https://github.com/cyberark/summon-conjur/releases) and extract it to the directory `/usr/local/lib/summon`. 54 | 55 | ## Usage in isolation 56 | 57 | Give summon-conjur a variable name and it will fetch it for you and print the value to stdout. 58 | 59 | ```shell 60 | $ summon-conjur prod/aws/iam/user/robot/access_key_id 61 | flgwkeatfghhdqkflaqiwoagsmfgxool 62 | ``` 63 | 64 | You can also use interactive mode by starting the command without any arguments 65 | and then passing paths to secrets one by one. This way you can fetch multiple values in a single command run. 66 | Keep in mind that by using interactive mode outputted values will be in BASE64 format. 67 | 68 | ```shell 69 | $ summon-conjur 70 | prod/aws/iam/user/robot/access_key_id 71 | Zmxnd2tlYXRmZ2hoZHFrZmxhcWl3b2Fnc21mZ3hvb2w= 72 | prod/aws/s3/bucket_name/access_key_id 73 | YWNudmdlb3dycmd4dW1ic2tncW51Zm50dmRvYWVic3A= 74 | ``` 75 | 76 | ### Flags 77 | 78 | ```txt 79 | Usage of summon-conjur: 80 | -h, --help 81 | show help (default: false) 82 | -V, --version 83 | show version (default: false) 84 | -v, --verbose 85 | be verbose (default: false) 86 | ``` 87 | 88 | ## Usage as a provider for Summon 89 | 90 | [Summon](https://github.com/cyberark/summon/) is a command-line tool that reads a file in secrets.yml format and injects secrets as environment variables into any process. Once the process exits, the secrets are gone. 
91 | 92 | ### Example 93 | 94 | As an example let's use the `env` command: 95 | 96 | Following installation, define your keys in a `secrets.yml` file 97 | 98 | ```yml 99 | AWS_ACCESS_KEY_ID: !var aws/iam/user/robot/access_key_id 100 | AWS_SECRET_ACCESS_KEY: !var aws/iam/user/robot/secret_access_key 101 | ``` 102 | 103 | By default, summon will look for `secrets.yml` in the directory it is called from and export the secret values to the environment of the command it wraps. 104 | 105 | Wrap the `env` in summon: 106 | 107 | ```sh 108 | $ summon --provider summon-conjur env 109 | ... 110 | AWS_ACCESS_KEY_ID=AKIAJS34242K1123J3K43 111 | AWS_SECRET_ACCESS_KEY=A23MSKSKSJASHDIWM 112 | ... 113 | ``` 114 | 115 | `summon` resolves the entries in secrets.yml with the conjur provider and makes the secret values available to the environment of the command `env`. 116 | 117 | ## Configuration 118 | 119 | This provider uses the same configuration pattern as the [Conjur CLI](https://github.com/cyberark/conjur-cli-go) 120 | to connect to Conjur. Specifically, it loads configuration from: 121 | 122 | * `.conjurrc` files, located in the home and current directories, or at the 123 | path specified by the `CONJURRC` environment variable. 124 | * Reads the `.conjurrc` file from `/etc/conjur.conf` on Linux/macOS and `C:\Windows\conjur.conf` on Windows. 125 | * Environment variables: 126 | * Appliance URLs 127 | * `CONJUR_APPLIANCE_URL` 128 | * SSL certificate 129 | * `CONJUR_CERT_FILE` 130 | * `CONJUR_SSL_CERTIFICATE` 131 | * Authentication 132 | * Account 133 | * `CONJUR_ACCOUNT` 134 | * Login 135 | * `CONJUR_AUTHN_LOGIN` 136 | * `CONJUR_AUTHN_API_KEY` 137 | * Token 138 | * `CONJUR_AUTHN_TOKEN` 139 | * `CONJUR_AUTHN_TOKEN_FILE` 140 | * JWT Token 141 | * `CONJUR_AUTHN_JWT_SERVICE_ID` (e.g. 
`kubernetes`) 142 | * `JWT_TOKEN_PATH` (optional) (default: `/var/run/secrets/kubernetes.io/serviceaccount/token`) 143 | 144 | If `CONJUR_AUTHN_LOGIN` and `CONJUR_AUTHN_API_KEY` or `CONJUR_AUTHN_TOKEN` or `CONJUR_AUTHN_TOKEN_FILE` or `CONJUR_AUTHN_JWT_SERVICE_ID` are not provided, the username and API key are read from system keychain or `~/.netrc`, stored there by `conjur login`. 145 | 146 | On systems that support keychain storage, that will be used by default, and if that fails the `~/.netrc` file will be used, 147 | though this behavior can be modified in the `.conjurrc` file: 148 | 149 | ```yaml 150 | ... 151 | credential_storage: "netrc" 152 | netrc_path: "/etc/conjur.identity" 153 | ... 154 | ``` 155 | 156 | The provider will fail unless all of the following values are provided: 157 | 158 | * An appliance url (`CONJUR_APPLIANCE_URL`) 159 | * An organization account (`CONJUR_ACCOUNT`) 160 | * A username and api key, or Conjur authn token, or a path to `CONJUR_AUTHN_TOKEN_FILE` a dynamic Conjur authn token 161 | * A path to (`CONJUR_CERT_FILE`) **or** content of (`CONJUR_SSL_CERTIFICATE`) the appliance's public SSL certificate 162 | 163 | --- 164 | 165 | ## Contributing 166 | 167 | We welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions of our development workflows, please see our [contributing 168 | guide][contrib]. 169 | 170 | [contrib]: CONTRIBUTING.md 171 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policies and Procedures 2 | 3 | This document outlines security procedures and general policies for the CyberArk Conjur 4 | suite of tools and products. 
5 | 6 | * [Reporting a Bug](#reporting-a-bug) 7 | * [Disclosure Policy](#disclosure-policy) 8 | * [Comments on this Policy](#comments-on-this-policy) 9 | 10 | ## Reporting a Bug 11 | 12 | The CyberArk Conjur team and community take all security bugs in the Conjur suite seriously. 13 | Thank you for improving the security of the Conjur suite. We appreciate your efforts and 14 | responsible disclosure and will make every effort to acknowledge your 15 | contributions. 16 | 17 | Report security bugs by emailing the lead maintainers at security@conjur.org. 18 | 19 | The maintainers will acknowledge your email within 2 business days. Subsequently, we will 20 | send a more detailed response within 2 business days of our acknowledgement indicating 21 | the next steps in handling your report. After the initial reply to your report, the security 22 | team will endeavor to keep you informed of the progress towards a fix and full 23 | announcement, and may ask for additional information or guidance. 24 | 25 | Report security bugs in third-party modules to the person or team maintaining 26 | the module. 27 | 28 | ## Disclosure Policy 29 | 30 | When the security team receives a security bug report, they will assign it to a 31 | primary handler. This person will coordinate the fix and release process, 32 | involving the following steps: 33 | 34 | * Confirm the problem and determine the affected versions. 35 | * Audit code to find any potential similar problems. 36 | * Prepare fixes for all releases still under maintenance. These fixes will be 37 | released as fast as possible. 38 | 39 | ## Comments on this Policy 40 | 41 | If you have suggestions on how this process could be improved please submit a 42 | pull request. 
43 | -------------------------------------------------------------------------------- /bin/functions.sh: -------------------------------------------------------------------------------- 1 | function startConjur() { 2 | local services='conjur' 3 | 4 | docker compose $COMPOSE_ARGS pull $services 5 | docker compose $COMPOSE_ARGS up -d $services 6 | } 7 | 8 | exec_on() { 9 | local container=$1; shift 10 | docker exec $(docker compose $COMPOSE_ARGS ps -q $container) "$@" 11 | } 12 | 13 | function initEnvironment() { 14 | exec_on conjur conjurctl wait 15 | } 16 | 17 | getKeys() { 18 | exec_on conjur conjurctl role retrieve-key cucumber:user:${CONJUR_AUTHN_LOGIN:-admin} 19 | } 20 | -------------------------------------------------------------------------------- /bin/test-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eo pipefail 2 | 3 | export PATH="$(pwd):$PATH" 4 | echo "Path: $PATH" 5 | 6 | echo "Running tests..." 7 | 8 | TEST_PARAMS="-run TestPackage*" 9 | 10 | echo "Running go tests: $TEST_PARAMS" 11 | echo "Current dir: $(pwd)" 12 | 13 | set -x 14 | go test --coverprofile=output/c.out -v ./test/... 
$TEST_PARAMS | tee output/junit.output 15 | 16 | go-junit-report < output/junit.output > output/junit.xml 17 | 18 | gocov convert output/c.out | gocov-xml > output/coverage.xml 19 | 20 | rm output/junit.output 21 | -------------------------------------------------------------------------------- /bin/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | 3 | export COMPOSE_ARGS='-f docker-compose.yml' 4 | 5 | export CONJUR_ACCOUNT=cucumber 6 | export CONJUR_AUTHN_LOGIN=admin 7 | 8 | source ./bin/functions.sh 9 | 10 | function finish { 11 | echo 'Removing environment' 12 | echo '-----' 13 | docker compose $COMPOSE_ARGS down -v 14 | } 15 | trap finish EXIT 16 | 17 | function main() { 18 | startConjur 19 | initEnvironment 20 | runTests 21 | } 22 | 23 | function runTests() { 24 | local api_key="$(getKeys)" 25 | 26 | local service=test 27 | 28 | docker compose $COMPOSE_ARGS build --pull $service 29 | 30 | docker compose $COMPOSE_ARGS run --rm \ 31 | -e GO_TEST_ARGS="$GO_TEST_ARGS" \ 32 | -e CONJUR_AUTHN_API_KEY="$api_key" \ 33 | $service 34 | } 35 | 36 | main 37 | -------------------------------------------------------------------------------- /bin/wait_for_server.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | 3 | for i in $(seq 20); do 4 | curl -o /dev/null -fs -X OPTIONS $CONJUR_APPLIANCE_URL > /dev/null \ 5 | && break 6 | echo . 
7 | sleep 2 8 | done 9 | 10 | # So we fail if the server isn't up yet: 11 | curl -o /dev/null -fs -X OPTIONS $CONJUR_APPLIANCE_URL > /dev/null 12 | -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | 3 | CURRENT_DIR=$(pwd) 4 | 5 | echo "Current dir: $CURRENT_DIR" 6 | 7 | MOUNT_DIR="/summon-conjur" 8 | 9 | GORELEASER_IMAGE="goreleaser/goreleaser:latest" 10 | 11 | docker pull "${GORELEASER_IMAGE}" 12 | docker run --rm -t \ 13 | --env GITHUB_TOKEN \ 14 | --env GOTOOLCHAIN=auto \ 15 | --entrypoint "/sbin/tini" \ 16 | -v "$CURRENT_DIR:$MOUNT_DIR" \ 17 | -w "$MOUNT_DIR" \ 18 | "${GORELEASER_IMAGE}" \ 19 | -- sh -c "git config --global --add safe.directory $MOUNT_DIR && \ 20 | /entrypoint.sh --clean $@ && \ 21 | rm ./dist/goreleaser/artifacts.json" 22 | 23 | echo "Releases built. Archives can be found in dist/goreleaser" 24 | -------------------------------------------------------------------------------- /cmd/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bufio" 5 | "encoding/base64" 6 | "fmt" 7 | "os" 8 | 9 | "github.com/cyberark/conjur-api-go/conjurapi" 10 | "github.com/cyberark/conjur-api-go/conjurapi/logging" 11 | "github.com/cyberark/summon-conjur/pkg/summon_conjur" 12 | "github.com/karrick/golf" 13 | log "github.com/sirupsen/logrus" 14 | ) 15 | 16 | func makeSecretRetriever() (func(variableName string) ([]byte, error), error) { 17 | config, err := conjurapi.LoadConfig() 18 | if err != nil { 19 | return nil, fmt.Errorf("Failed loading Conjur API config: %s\n", err.Error()) 20 | } 21 | 22 | conjur, err := conjurapi.NewClientFromEnvironment(config) 23 | if err != nil { 24 | return nil, fmt.Errorf("Failed creating a Conjur client: %s\n", err.Error()) 25 | } 26 | 27 | return func(variableName string) ([]byte, error) { 28 | value, err := 
conjur.RetrieveSecret(variableName) 29 | if err != nil { 30 | return nil, err 31 | } 32 | 33 | return value, nil 34 | }, nil 35 | } 36 | 37 | func main() { 38 | var help = golf.BoolP('h', "help", false, "show help") 39 | var version = golf.BoolP('V', "version", false, "show version") 40 | var verbose = golf.BoolP('v', "verbose", false, "be verbose") 41 | 42 | golf.Parse() 43 | args := golf.Args() 44 | 45 | if *version { 46 | fmt.Println(summon_conjur.VERSION) 47 | os.Exit(0) 48 | } 49 | if *help { 50 | golf.Usage() 51 | os.Exit(0) 52 | } 53 | 54 | log.SetFormatter(&log.TextFormatter{DisableTimestamp: true, DisableLevelTruncation: true}) 55 | if *verbose { 56 | log.SetLevel(log.DebugLevel) 57 | logging.ApiLog.SetLevel(log.DebugLevel) 58 | } 59 | 60 | retrieveSecrets, err := makeSecretRetriever() 61 | if err != nil { 62 | log.Errorf("%s", err.Error()) 63 | os.Exit(1) 64 | } 65 | 66 | if len(args) == 0 { 67 | scanner := bufio.NewScanner(os.Stdin) 68 | // Breaking out of this loop is controlled by a parent process by sending EOF to the stdin 69 | for scanner.Scan() { 70 | variableName := scanner.Text() 71 | if variableName == "" { 72 | log.Errorln("Failed to retrieve variable from stdin") 73 | continue 74 | } 75 | value, err := retrieveSecrets(variableName) 76 | if err != nil { 77 | log.Errorln(err.Error()) 78 | continue 79 | } 80 | base64Value := make([]byte, base64.StdEncoding.EncodedLen(len(value))) 81 | base64.StdEncoding.Encode(base64Value, value) 82 | fmt.Fprintln(os.Stdout, string(base64Value)) 83 | } 84 | if err := scanner.Err(); err != nil { 85 | log.Errorln(err.Error()) 86 | os.Exit(1) 87 | } 88 | } else { 89 | value, err := retrieveSecrets(args[0]) 90 | if err != nil { 91 | log.Errorln(err.Error()) 92 | os.Exit(1) 93 | } 94 | os.Stdout.Write(value) 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /dev.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 
-x 2 | 3 | # function finish { 4 | # echo 'Removing environment' 5 | # echo '-----' 6 | # docker compose down -v 7 | # } 8 | # trap finish EXIT 9 | # 10 | 11 | export CONJUR_ACCOUNT=cucumber 12 | export CONJUR_AUTHN_LOGIN=admin 13 | 14 | source $(dirname $0)/bin/functions.sh 15 | 16 | function main() { 17 | startConjur 'all' 18 | initEnvironment 'all' 19 | runDevelopment 20 | } 21 | 22 | function runDevelopment() { 23 | local keys=( $(getKeys) ) 24 | local api_key=${keys[0]} 25 | 26 | export CONJUR_AUTHN_API_KEY="$api_key" 27 | docker compose up -d cli 28 | 29 | docker compose build --pull dev 30 | 31 | docker compose run -d \ 32 | --service-ports \ 33 | dev 34 | } 35 | 36 | main 37 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | conjur: 3 | image: cyberark/conjur:latest 4 | command: server -a cucumber 5 | environment: 6 | DATABASE_URL: postgres://postgres@postgres/postgres 7 | CONJUR_DATA_KEY: 'WMfApcDBtocRWV+ZSUP3Tjr5XNU+Z2FdBb6BEezejIs=' 8 | depends_on: 9 | - postgres 10 | 11 | postgres: 12 | image: postgres:9.3 13 | 14 | test: 15 | build: 16 | context: . 17 | dockerfile: Dockerfile.test 18 | image: summon-conjur-tester 19 | ports: 20 | - "8080" 21 | entrypoint: /bin/bash 22 | command: './bin/test-entrypoint.sh' 23 | volumes: 24 | - ./output:/summon-conjur/output 25 | environment: 26 | CONJUR_APPLIANCE_URL: http://conjur 27 | CONJUR_ACCOUNT: 28 | CONJUR_AUTHN_LOGIN: 29 | CONJUR_AUTHN_API_KEY: 30 | 31 | dev: 32 | build: 33 | context: . 
34 | dockerfile: Dockerfile.test 35 | image: summon-conjur-dev 36 | ports: 37 | - "8080" 38 | depends_on: 39 | - conjur 40 | entrypoint: /bin/bash 41 | command: './bin/test-entrypoint.sh' 42 | volumes: 43 | - .:/summon-conjur 44 | - ../conjur-api-go:/cconjur-api-go:ro 45 | 46 | environment: 47 | CONJUR_APPLIANCE_URL: http://conjur 48 | CONJUR_ACCOUNT: 49 | CONJUR_AUTHN_LOGIN: 50 | CONJUR_AUTHN_API_KEY: 51 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/cyberark/summon-conjur 2 | 3 | go 1.22.4 4 | 5 | require ( 6 | github.com/cyberark/conjur-api-go v0.11.0 7 | github.com/karrick/golf v1.1.0 8 | github.com/sirupsen/logrus v1.8.1 9 | github.com/stretchr/testify v1.7.2 10 | ) 11 | 12 | require ( 13 | github.com/alessio/shellescape v1.4.1 // indirect 14 | github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect 15 | github.com/danieljoos/wincred v1.1.2 // indirect 16 | github.com/davecgh/go-spew v1.1.1 // indirect 17 | github.com/godbus/dbus/v5 v5.1.0 // indirect 18 | github.com/kr/text v0.2.0 // indirect 19 | github.com/pmezard/go-difflib v1.0.0 // indirect 20 | github.com/zalando/go-keyring v0.2.2 // indirect 21 | golang.org/x/sys v0.8.0 // indirect 22 | gopkg.in/yaml.v2 v2.4.0 // indirect 23 | gopkg.in/yaml.v3 v3.0.1 // indirect 24 | ) 25 | 26 | replace golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 => golang.org/x/sys v0.8.0 27 | 28 | replace golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c => golang.org/x/sys v0.8.0 29 | 30 | replace gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c => gopkg.in/yaml.v3 v3.0.1 31 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= 2 | 
github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= 3 | github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas= 4 | github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4= 5 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 6 | github.com/cyberark/conjur-api-go v0.11.0 h1:LIkdS0zSi2o9AlOwqrIAowxg26kyPFG+XOZSK0dq9dc= 7 | github.com/cyberark/conjur-api-go v0.11.0/go.mod h1:AbU7bDVW6ygUdgTDCKkh4wyfIVrOtdEeE/r01OE1EYo= 8 | github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0= 9 | github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0= 10 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 11 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 12 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 13 | github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= 14 | github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= 15 | github.com/karrick/golf v1.1.0 h1:pW5IaAZlmRaq2TVHp1ct0XouZw206+wSL+ifUF6fnp8= 16 | github.com/karrick/golf v1.1.0/go.mod h1:qGN0IhcEL+IEgCXp00RvH32UP59vtwc8w5YcIdArNRk= 17 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 18 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 19 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= 20 | github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= 21 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 22 | github.com/pmezard/go-difflib v1.0.0/go.mod 
h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 23 | github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= 24 | github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= 25 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 26 | github.com/stretchr/objx v0.3.0 h1:NGXK3lHquSN08v5vWalVI/L8XU9hdzE/G6xsrze47As= 27 | github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= 28 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 29 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 30 | github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s= 31 | github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= 32 | github.com/zalando/go-keyring v0.2.2 h1:f0xmpYiSrHtSNAVgwip93Cg8tuF45HJM6rHq/A5RI/4= 33 | github.com/zalando/go-keyring v0.2.2/go.mod h1:sI3evg9Wvpw3+n4SqplGSJUMwtDeROfD4nsFz4z9PG0= 34 | golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= 35 | golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 36 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 37 | gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U= 38 | gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 39 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 40 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 41 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 42 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 43 | -------------------------------------------------------------------------------- /install.sh: 
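#!/bin/bash -e

set -e

# Only the amd64 release archive is fetched below, so refuse other
# architectures up front instead of failing on a missing asset.
ARCH=$(uname -m)

if [ "${ARCH}" != "x86_64" ]; then
  echo "summon-conjur only works on 64-bit systems" >&2
  echo "exiting installer" >&2
  exit 1
fi

DISTRO=$(uname | tr "[:upper:]" "[:lower:]")

if [ "${DISTRO}" != "linux" ] && [ "${DISTRO}" != "darwin" ]; then
  echo "This installer only supports Linux and OSX" >&2
  echo "exiting installer" >&2
  exit 1
fi

if test "x$TMPDIR" = "x"; then
  tmp="/tmp"
else
  tmp=$TMPDIR
fi

# Prefer mktemp (unpredictable name, mode 0700). Fall back to the PID-based
# name created under umask 077, which is DoS-able but not exploitable.
if command -v mktemp >/dev/null 2>&1; then
  tmp_dir=$(mktemp -d "${tmp}/install.sh.XXXXXX") || exit 1
else
  tmp_dir="$tmp/install.sh.$$"
  (umask 077 && mkdir "$tmp_dir") || exit 1
fi
# Remove the download directory on every exit path, including failures.
trap 'rm -rf "$tmp_dir"' EXIT

# do_download URL DIR
# Fetches URL into the file DIR with whichever of wget/curl is available.
# curl -f makes an HTTP error a failure instead of saving an error page that
# only breaks later inside tar.
function do_download(){
  echo "Downloading $1"
  if [[ $(type -t wget) ]]; then wget -q -c -O "$2" "$1" >/dev/null
  elif [[ $(type -t curl) ]]; then curl -fsSL -o "$2" "$1"
  else
    echo "Could not find wget or curl" >&2
    return 1
  fi
}

# fetch_stdout URL
# Prints the body of URL on stdout, so release discovery works on hosts that
# have only wget (the old code called curl unconditionally here).
function fetch_stdout(){
  if [[ $(type -t curl) ]]; then curl -fsSL "$1"
  elif [[ $(type -t wget) ]]; then wget -q -O - "$1"
  else
    echo "Could not find wget or curl" >&2
    return 1
  fi
}

LATEST_VERSION=$(fetch_stdout https://api.github.com/repos/cyberark/summon-conjur/releases/latest | grep -o '"tag_name": "[^"]*' | grep -o '[^"]*$')
if [ -z "${LATEST_VERSION}" ]; then
  # An empty tag would otherwise build a bogus URL and fail inside tar.
  echo "Could not determine the latest summon-conjur release" >&2
  exit 1
fi
BASEURL="https://github.com/cyberark/summon-conjur/releases/download/"
URL=${BASEURL}"${LATEST_VERSION}/summon-conjur-${DISTRO}-amd64.tar.gz"

ZIP_PATH="${tmp_dir}/summon-conjur.tar.gz"
do_download "${URL}" "${ZIP_PATH}"

# Optional integrity check: when SUMMON_CONJUR_SHA256 holds the expected hex
# SHA-256 digest of the archive (taken from the release's published
# checksums), abort before anything is extracted as root on a mismatch.
if [ -n "${SUMMON_CONJUR_SHA256:-}" ]; then
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "${ZIP_PATH}" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "${ZIP_PATH}" | awk '{print $1}')
  fi
  if [ "${actual}" != "${SUMMON_CONJUR_SHA256}" ]; then
    echo "Checksum mismatch for ${ZIP_PATH}: expected ${SUMMON_CONJUR_SHA256}, got ${actual}" >&2
    exit 1
  fi
fi

echo "Installing summon-conjur ${LATEST_VERSION} into /usr/local/lib/summon"

# Run directly as root; otherwise escalate through sudo when it is available.
if [ "$(id -u)" -eq 0 ]; then
  SUDO=""
elif command -v sudo >/dev/null 2>&1; then
  SUDO="sudo"
else
  SUDO=""
fi

$SUDO mkdir -p /usr/local/lib/summon
$SUDO tar -C /usr/local/lib/summon -zxvf "${ZIP_PATH}"

echo "Success!"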
59 | echo "Run /usr/local/lib/summon/summon-conjur for usage" 60 | -------------------------------------------------------------------------------- /pkg/summon_conjur/version.go: -------------------------------------------------------------------------------- 1 | package summon_conjur 2 | 3 | // VERSION is the current version of summon-conjur 4 | const VERSION = "0.8.0" 5 | -------------------------------------------------------------------------------- /test/files/fake.pem: -------------------------------------------------------------------------------- 1 | cert for testing -------------------------------------------------------------------------------- /test/files/real.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDNjCCAh6gAwIBAgIVAI/ExyyZjUb2gtdwzXwgj2M0Sv5TMA0GCSqGSIb3DQEB 3 | CwUAMDkxDzANBgNVBAoTBmRvY2tlcjESMBAGA1UECxMJQ29uanVyIENBMRIwEAYD 4 | VQQDEwlsb2NhbGhvc3QwHhcNMTYwNzEzMTQ0MzI4WhcNMjYwNzExMTQ0MzI4WjAU 5 | MRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK 6 | AoIBAQCr3dcS/q+pVt+EK+uoGj6f6rcrYnEJGwnlAJZZJ7CYgr5FRxQV0nMlesLI 7 | Z8baQNXEnw2fNm5el7CmD7tkbS7RT7DmpzpA5UhAlLxelvuMMYw063pT01U8up6e 8 | +WcmOapJpPYuNxKsSxoIFsaxC0fN2k5cpGqgiqOs/VIwx1KQApwSpQ+BFVAgVACL 9 | 2zTYgtqmdcOyeLf55Jq6SzKevIrRDG7EiryS1SyvGEJXwfTkRRomHxsrIef0aUha 10 | i0ExC5urtf+u6Hranh4hF8xBpYi+ShJVFXpgqHWpVuKnaOXh8nSpgreKHEpP7i+j 11 | LguPHlvprqerLKVCJIbPSEzipTaZAgMBAAGjWjBYMA4GA1UdDwEB/wQEAwIFoDAd 12 | BgNVHQ4EFgQU2jmj7l5rSw0yVb/vlWAYkK/YBwkwJwYDVR0RBCAwHoIJbG9jYWxo 13 | b3N0gglsb2NhbGhvc3SCBmNvbmp1cjANBgkqhkiG9w0BAQsFAAOCAQEArFo26MGW 14 | GRKY0FY22VNRuie4gWlem2RMGhGfK2EluEQOSij9SRj2flwCdH0FP5FSXFx+woe+ 15 | zz17z1/AcDCrIGi7HEk4ynLhAxx7Few9JBKZiIXw2KGLUPPdxqBKVLrid3G5OL58 16 | Kkegd/A75KXh5Bnt49S/cfOyb2zYG2CtJGeDXHaLUDi3raROOAf/rS52CJFyP2aC 17 | DQ7krYiOGXSu+tDPKAw+p1gEJMl9+JJ0xr2UoRdac/S/+Dp6Yzy4zDag9TZbgQPm 18 | b4BZYuXgunay7rNAYYpaWOxwRC3/k/zt6RQzOJK36mOKuMybl9C8RjIhHs8RZcWC 19 | 
3UJLxw1xs8zUjw== 20 | -----END CERTIFICATE----- 21 | -----BEGIN CERTIFICATE----- 22 | MIIDfTCCAmWgAwIBAgIJAIVsv1jdujjAMA0GCSqGSIb3DQEBCwUAMDkxDzANBgNV 23 | BAoTBmRvY2tlcjESMBAGA1UECxMJQ29uanVyIENBMRIwEAYDVQQDEwlsb2NhbGhv 24 | c3QwHhcNMTYwNzEzMTQ0MzI3WhcNMjYwNzExMTQ0MzI3WjA5MQ8wDQYDVQQKEwZk 25 | b2NrZXIxEjAQBgNVBAsTCUNvbmp1ciBDQTESMBAGA1UEAxMJbG9jYWxob3N0MIIB 26 | IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9bsdThDySDczRFjXtuRTRY1k 27 | T+z+KxrBcf8ZSqC5EF8Wp9jM34gPBsconlffYTkEVnynEe8n6kTwF2935HcDWKGE 28 | KGSEs3134KG9ZsJcWfj4J3E1Gd1kSvB0mPmv1/8t5yVsTM1/qnes73w0Xd/DYGRz 29 | qxyBKdBMVZ6vnjhgUOwJBIsUiiK4ovVBJL+JLSDStB4SctHyB8iQ0mprWbeQDSXC 30 | jKgLQrP3T7vql0KEBskvWnPsT/0+eApcUXfIxz32kFNxNDBmxLnPK0Z0y/JLsIRU 31 | /9/KY9LWuYX3ZzmyDuJOSTYx+1TgHT2fTCEm7WYPbRYYpiLy31rFfcXWK5gthwID 32 | AQABo4GHMIGEMCcGA1UdEQQgMB6CCWxvY2FsaG9zdIIJbG9jYWxob3N0ggZjb25q 33 | dXIwHQYDVR0OBBYEFJAT9JBlqn72r77cF8B3Kss6bwtbMB8GA1UdIwQYMBaAFJAT 34 | 9JBlqn72r77cF8B3Kss6bwtbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgHmMA0G 35 | CSqGSIb3DQEBCwUAA4IBAQCK6IG1xqszOFN20Ktwrbo4a/Kx2zCJR9Y3fCtIXJj1 36 | 04d7KkBzN6R23LpE/0ZthOouINmkRIoXj0eWEfzUzBmXhx87h2eIlR705j3AhO+A 37 | jGcoaj0K3zrpStGXnO1KSumibK1I2r80WaGVzK8f4NBpTidGkO/sUNPYzKL2uMCT 38 | JF9KQaXVWQfz+OdGymcvNVufTo1PJshuKaKaS5ATtSrld+kzNP67jKDHQqnf6y44 39 | H6IKra0Y1ru/OzoElYg81wBH8H71vqT4XOfVr/o1+SmQSt6akJ/xf3+qn7mKXLCC 40 | 9z4z/gNh8KlqwNMa6jjTVwcLZDdRcDlaXMfi04C0c35P 41 | -----END CERTIFICATE----- -------------------------------------------------------------------------------- /test/helpers.go: -------------------------------------------------------------------------------- 1 | package test 2 | 3 | import ( 4 | "bufio" 5 | "bytes" 6 | "encoding/base64" 7 | "fmt" 8 | "os" 9 | "os/exec" 10 | "strings" 11 | ) 12 | 13 | func splitEq(s string) (string, string) { 14 | a := strings.SplitN(s, "=", 2) 15 | return a[0], a[1] 16 | } 17 | 18 | type envSnapshot struct { 19 | env []string 20 | } 21 | 22 | func ClearEnv() *envSnapshot { 23 | e := os.Environ() 24 | 25 | for _, s 
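:= range e {
		k, _ := splitEq(s)
		os.Setenv(k, "")
	}
	return &envSnapshot{env: e}
}

// RestoreEnv clears the current environment (via ClearEnv) and re-applies
// every variable captured in the snapshot.
func (e *envSnapshot) RestoreEnv() {
	ClearEnv()
	for _, s := range e.env {
		k, v := splitEq(s)
		os.Setenv(k, v)
	}
}

// RunCommand runs name with arg, capturing stdout and stderr, and returns
// both buffers together with the error from cmd.Run (non-nil on a non-zero
// exit status or a failure to start).
func RunCommand(name string, arg ...string) (bytes.Buffer, bytes.Buffer, error) {
	cmd := exec.Command(name, arg...)
	var stdout bytes.Buffer
	var stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	err := cmd.Run()
	return stdout, stderr, err
}

// RunCommandInteractively starts command, writes each entry of values to its
// stdin (one per line) and collects its stdout line by line.
//
// It returns the stdout lines collected and, when the process wrote to stderr
// before its stdout reached EOF, the first stderr line; the process is killed
// in that case. A nil second result means stdout reached EOF without stderr
// output being observed first. A failure to set up the pipes or to start the
// process is reported as the second result too. The process is always reaped
// before returning.
func RunCommandInteractively(command string, values []string) ([][]byte, []byte) {
	cmd := exec.Command(command)

	stdinPipe, err := cmd.StdinPipe()
	if err != nil {
		return nil, []byte(err.Error())
	}
	stdoutPipe, err := cmd.StdoutPipe()
	if err != nil {
		return nil, []byte(err.Error())
	}
	stderrPipe, err := cmd.StderrPipe()
	if err != nil {
		return nil, []byte(err.Error())
	}
	if err := cmd.Start(); err != nil {
		return nil, []byte(err.Error())
	}

	go func() {
		defer stdinPipe.Close()
		for _, value := range values {
			// Best effort: if the process exits before reading everything the
			// write fails with a closed pipe, which the caller learns via stderr.
			fmt.Fprintln(stdinPipe, value)
		}
	}()

	// doneChan hands over the complete stdout once the pipe hits EOF, so the
	// slice is transferred with a happens-before edge instead of being
	// appended to by one goroutine while another goroutine returns it.
	doneChan := make(chan [][]byte, 1)
	go func() {
		var output [][]byte
		scanner := bufio.NewScanner(stdoutPipe)
		for scanner.Scan() {
			// scanner.Bytes() aliases the scanner's internal buffer and is
			// overwritten by the next Scan, so each line is copied before it
			// is kept; appending the alias directly corrupts earlier entries.
			output = append(output, append([]byte(nil), scanner.Bytes()...))
		}
		doneChan <- output
	}()

	// Only the first stderr line is reported. Later lines are dropped with a
	// non-blocking send rather than blocking the goroutine forever, and the
	// channel is never closed, so a late send cannot panic.
	errChan := make(chan []byte, 1)
	go func() {
		scanner := bufio.NewScanner(stderrPipe)
		for scanner.Scan() {
			select {
			case errChan <- append([]byte(nil), scanner.Bytes()...):
			default:
			}
		}
	}()

	select {
	case errLine := <-errChan:
		// Kill the process, then wait for stdout to drain so the partial output
		// is returned race-free. Wait reaps the process and closes the pipes;
		// its error ("signal: killed") is expected and carries nothing extra.
		_ = cmd.Process.Kill()
		output := <-doneChan
		_ = cmd.Wait()
		return output, errLine
	case output := <-doneChan:
		// Reap the process; its exit status is not part of this helper's
		// contract, and Wait closing the pipes ends the stderr goroutine.
		_ = cmd.Wait()
		return output, nil
	}
}

// EncodeStringToBase64 encodes a string into a Base64 byte array
func EncodeStringToBase64(inputString string) []byte {
	data := []byte(inputString)
	encodedLen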
:= base64.StdEncoding.EncodedLen(len(data)) 103 | encodedData := make([]byte, encodedLen) 104 | base64.StdEncoding.Encode(encodedData, data) 105 | return encodedData 106 | } 107 | 108 | const PackageName = "summon-conjur" 109 | -------------------------------------------------------------------------------- /test/package_oss_test.go: -------------------------------------------------------------------------------- 1 | package test 2 | 3 | import ( 4 | "fmt" 5 | "math/rand" 6 | "os" 7 | "strings" 8 | "testing" 9 | "time" 10 | 11 | "github.com/cyberark/conjur-api-go/conjurapi" 12 | conjur_authn "github.com/cyberark/conjur-api-go/conjurapi/authn" 13 | "github.com/stretchr/testify/assert" 14 | ) 15 | 16 | func TestPackageOSS(t *testing.T) { 17 | ApplianceURL := os.Getenv("CONJUR_APPLIANCE_URL") 18 | Account := os.Getenv("CONJUR_ACCOUNT") 19 | Login := os.Getenv("CONJUR_AUTHN_LOGIN") 20 | APIKey := os.Getenv("CONJUR_AUTHN_API_KEY") 21 | 22 | Path := os.Getenv("PATH") 23 | 24 | t.Run("Given no configuration and no authentication information", func(t *testing.T) { 25 | e := ClearEnv() 26 | defer e.RestoreEnv() 27 | os.Setenv("PATH", Path) 28 | 29 | variableIdentifier := "variable" 30 | _, stderr, err := RunCommand(PackageName, variableIdentifier) 31 | 32 | //When both config and auth information is missing, then config errors take priority 33 | assert.Error(t, err) 34 | assert.Contains(t, stderr.String(), "Failed creating a Conjur client: Must specify an ApplianceURL -- Must specify an Account") 35 | }) 36 | 37 | t.Run("Given valid OSS configuration", func(t *testing.T) { 38 | e := ClearEnv() 39 | defer e.RestoreEnv() 40 | os.Setenv("PATH", Path) 41 | 42 | os.Setenv("CONJUR_APPLIANCE_URL", ApplianceURL) 43 | os.Setenv("CONJUR_ACCOUNT", Account) 44 | 45 | t.Run("Given valid APIKey credentials", func(t *testing.T) { 46 | os.Setenv("CONJUR_AUTHN_LOGIN", Login) 47 | os.Setenv("CONJUR_AUTHN_API_KEY", APIKey) 48 | os.Setenv("HOME", "/root") //Workaround for Conjur API sending a 
warning to the stderr 49 | 50 | t.Run("Given interactive mode active", func(t *testing.T) { 51 | t.Run("Retrieves multiple existing variable's values", func(t *testing.T) { 52 | variableIdentifierUsername := "db/username" 53 | variableIdentifierPassword := "db/password" 54 | 55 | secretValueUsername := fmt.Sprintf("secret-value-username") 56 | secretValuePassword := fmt.Sprintf("secret-value-%v", rand.Intn(123456)) 57 | policy := fmt.Sprintf(` 58 | - !variable %s 59 | - !variable %s 60 | `, variableIdentifierUsername, variableIdentifierPassword) 61 | 62 | config := conjurapi.Config{ 63 | ApplianceURL: ApplianceURL, 64 | Account: Account, 65 | } 66 | conjur, _ := conjurapi.NewClientFromKey(config, conjur_authn.LoginPair{Login: Login, APIKey: APIKey}) 67 | 68 | conjur.LoadPolicy( 69 | conjurapi.PolicyModePost, 70 | "root", 71 | strings.NewReader(policy), 72 | ) 73 | defer conjur.LoadPolicy( 74 | conjurapi.PolicyModePut, 75 | "root", 76 | strings.NewReader(""), 77 | ) 78 | 79 | conjur.AddSecret(variableIdentifierUsername, secretValueUsername) 80 | conjur.AddSecret(variableIdentifierPassword, secretValuePassword) 81 | values := []string{variableIdentifierUsername, variableIdentifierPassword} 82 | output, err := RunCommandInteractively(PackageName, values) 83 | 84 | assert.Nil(t, err) 85 | assert.Equal(t, EncodeStringToBase64(secretValueUsername), output[0]) 86 | assert.Equal(t, EncodeStringToBase64(secretValuePassword), output[1]) 87 | }) 88 | t.Run("Returns error on non-existent variables", func(t *testing.T) { 89 | variableIdentifier1 := "non-existent-variable1" 90 | variableIdentifier2 := "non-existent-variable2" 91 | 92 | values := []string{variableIdentifier1, variableIdentifier2} 93 | 94 | _, err := RunCommandInteractively(PackageName, values) 95 | 96 | assert.Contains(t, string(err), "404 Not Found") 97 | }) 98 | }) 99 | t.Run("Retrieves existing variable's defined value", func(t *testing.T) { 100 | variableIdentifier := "db/password" 101 | secretValue := 
fmt.Sprintf("secret-value-%v", rand.Intn(123456)) 102 | policy := fmt.Sprintf(` 103 | - !variable %s 104 | `, variableIdentifier) 105 | 106 | config := conjurapi.Config{ 107 | ApplianceURL: ApplianceURL, 108 | Account: Account, 109 | } 110 | /* NOTE(review): the NewClientFromKey error is discarded, so a client that failed to build presumably surfaces later as a panic or a confusing assertion in the calls that use it; checking it with assert.NoError gives a direct failure. The LoadPolicy and AddSecret results below are dropped the same way. */ conjur, _ := conjurapi.NewClientFromKey(config, conjur_authn.LoginPair{Login: Login, APIKey: APIKey}) 111 | 112 | conjur.LoadPolicy( 113 | conjurapi.PolicyModePost, 114 | "root", 115 | strings.NewReader(policy), 116 | ) 117 | defer conjur.LoadPolicy( 118 | conjurapi.PolicyModePut, 119 | "root", 120 | strings.NewReader(""), 121 | ) 122 | 123 | conjur.AddSecret(variableIdentifier, secretValue) 124 | 125 | stdout, _, err := RunCommand(PackageName, variableIdentifier) 126 | 127 | assert.NoError(t, err) 128 | assert.Equal(t, secretValue, stdout.String()) 129 | }) 130 | 131 | t.Run("Returns error on non-existent variable", func(t *testing.T) { 132 | variableIdentifier := "non-existent-variable" 133 | 134 | _, stderr, err := RunCommand(PackageName, variableIdentifier) 135 | 136 | assert.Error(t, err) 137 | assert.Contains(t, stderr.String(), "not found") 138 | }) 139 | 140 | t.Run("Given a non-existent Login is set", func(t *testing.T) { 141 | os.Setenv("CONJUR_AUTHN_LOGIN", "non-existent-user") 142 | 143 | t.Run("Returns 401", func(t *testing.T) { 144 | variableIdentifier := "existent-or-non-existent-variable" 145 | 146 | _, stderr, err := RunCommand(PackageName, variableIdentifier) 147 | 148 | assert.Error(t, err) 149 | assert.Contains(t, stderr.String(), "401") 150 | }) 151 | }) 152 | 153 | // Cleanup 154 | os.Unsetenv("CONJUR_AUTHN_LOGIN") 155 | os.Unsetenv("CONJUR_AUTHN_API_KEY") 156 | }) 157 | 158 | t.Run("Given valid TokenFile credentials", func(t *testing.T) { 159 | 160 | /* NOTE(review): APIKey and Login are interpolated unescaped into a bash -c string, so the API key becomes part of the shell's and curl's argv and is readable by other local users through ps/proc for as long as the request runs. Passing it via the environment or a 0600 temp file and using curl's --data @path form keeps the secret off every command line. */ getToken := fmt.Sprintf(` 161 | token=$(curl --data "%s" "$CONJUR_APPLIANCE_URL/authn/$CONJUR_ACCOUNT/%s/authenticate") 162 | echo $token 163 | `, APIKey, Login) 164 | stdout, _, err := RunCommand("bash", "-c", getToken) 165 | 166 | assert.NoError(t, err) 167 
| assert.Contains(t, stdout.String(), "signature") 168 | 169 | /* NOTE(review): the temp file is removed and then re-created by path from a goroutine; os.WriteFile opens without O_EXCL, so in the window between the Remove and the write another local user of the shared temp directory could plant a symlink at that name and receive the authentication token. Writing the token into the still-open tokenFile, or into a directory from os.MkdirTemp, closes that window; tokenFile is also never closed. Deferring the write to a goroutine looks intended to exercise the provider waiting for the file to appear — confirm. */ tokenFile, _ := os.CreateTemp("", "existent-token-file") 170 | tokenFileName := tokenFile.Name() 171 | tokenFileContents := stdout.String() 172 | os.Remove(tokenFileName) 173 | go func() { 174 | os.WriteFile(tokenFileName, []byte(tokenFileContents), 0600) 175 | }() 176 | defer os.Remove(tokenFileName) 177 | 178 | os.Setenv("CONJUR_AUTHN_TOKEN_FILE", tokenFileName) 179 | 180 | t.Run("Retrieves existent variable's defined value", func(t *testing.T) { 181 | variableIdentifier := "db/password" 182 | secretValue := fmt.Sprintf("secret-value-%v", rand.Intn(123456)) 183 | policy := fmt.Sprintf(` 184 | - !variable %s 185 | `, variableIdentifier) 186 | 187 | config := conjurapi.Config{ 188 | ApplianceURL: ApplianceURL, 189 | Account: Account, 190 | } 191 | conjur, _ := conjurapi.NewClientFromKey(config, conjur_authn.LoginPair{Login: Login, APIKey: APIKey}) 192 | 193 | conjur.LoadPolicy( 194 | conjurapi.PolicyModePost, 195 | "root", 196 | strings.NewReader(policy), 197 | ) 198 | defer conjur.LoadPolicy( 199 | conjurapi.PolicyModePut, 200 | "root", 201 | strings.NewReader(""), 202 | ) 203 | 204 | conjur.AddSecret(variableIdentifier, secretValue) 205 | 206 | stdout, _, err := RunCommand(PackageName, variableIdentifier) 207 | 208 | assert.NoError(t, err) 209 | assert.Equal(t, secretValue, stdout.String()) 210 | }) 211 | 212 | t.Run("Returns error on non-existent variable", func(t *testing.T) { 213 | variableIdentifier := "non-existent-variable" 214 | 215 | _, stderr, err := RunCommand(PackageName, variableIdentifier) 216 | 217 | assert.Error(t, err) 218 | assert.Contains(t, stderr.String(), "CONJ00076E Variable cucumber:variable:non-existent-variable is empty or not found") 219 | }) 220 | 221 | t.Run("Given a non-existent TokenFile is set", func(t *testing.T) { 222 | os.Setenv("CONJUR_AUTHN_TOKEN_FILE", "non-existent-token-file") 223 | 224 | t.Run("Waits for longer than a second", func(t *testing.T) { 225 | timeout 
:= time.After(1 * time.Second) 226 | unexpectedResponse := make(chan struct{}) 227 | 228 | go func() { 229 | variableIdentifier := "existent-or-non-existent-variable" 230 | RunCommand(PackageName, variableIdentifier) 231 | unexpectedResponse <- struct{}{} 232 | }() 233 | 234 | select { 235 | case <-unexpectedResponse: 236 | assert.Fail(t, "unexpected response") 237 | case <-timeout: 238 | assert.True(t, true) 239 | } 240 | }) 241 | 242 | // Cleanup 243 | os.Unsetenv("CONJUR_AUTHN_TOKEN_FILE") 244 | }) 245 | }) 246 | 247 | t.Run("Given no authentication credentials", func(t *testing.T) { 248 | 249 | t.Run("Returns with error on non-existent variable", func(t *testing.T) { 250 | variableIdentifier := "existent-or-non-existent-variable" 251 | 252 | _, stderr, err := RunCommand(PackageName, variableIdentifier) 253 | 254 | assert.Error(t, err) 255 | assert.Contains(t, stderr.String(), "Failed creating a Conjur client") 256 | }) 257 | }) 258 | }) 259 | } 260 | --------------------------------------------------------------------------------