cyberark / conjur-cli-go

CyberArk Conjur command line interface (Go)
Apache License 2.0

Policy with `--dry-run` flag is overwriting policy #149

Open gchappel opened 2 weeks ago

gchappel commented 2 weeks ago

Summary

We control Conjur via Git repositories, and I'm looking to build a pre-commit-style check to make sure that what you're about to push to a PR for review is in fact a valid policy. We sometimes have issues where a policy looks good in review, but when it is merged there may be an issue in the policy which then blocks the policy from being loaded. My intention is that these issues can be caught earlier by using `--dry-run` to validate the intended Conjur policy, but without actually loading it to Conjur. This flag is documented as:

```
Fully replace an existing policy.

Examples:
- conjur policy replace -b staging -f /policy/staging.yml

Usage:
  conjur policy replace [flags]

Flags:
  -h, --help   help for replace

Global Flags:
  -b, --branch string   The parent policy branch
  -d, --debug           Debug logging enabled
      --dry-run         Dry run mode (input policy will be validated without applying the changes)
  -f, --file string     The policy file to load
```

When testing this, I've found that even though I have --dry-run on my command line, my policy in Conjur is being affected and replaced.

Steps to Reproduce

  1. Install via Homebrew (cyberark/tools/conjur-cli)
  2. Verify before policy (see screenshots of our internal custom UI)
  3. Create a valid policy file
  4. Run `conjur policy replace --dry-run --file policy.yml --branch policy:my/namespace/gchappel-testing/dry-run-load`
  5. See that the output confirms dry run mode was used:
     ```
     Dry run policy 'policy:my/namespace/gchappel-testing/dry-run-load'
     {
       "status": "",
       "errors": null
     }
     ```
  6. Verify after policy

Expected Results

Since --dry-run was used, the policy should NOT be changed.

Actual Results

The policy was entirely overridden with the file provided on the command line.

Reproducible

Version/Tag number

Conjur CLI version 8.0.16-6f9eefb

Environment setup

Additional Information

Original policy:

```yaml
- !policy
  id: before-dry-run
  body:
```

Before screenshot: [image: Before]

New policy:

```yaml
- !policy
  id: after-dry-run
  body:
```

After screenshot: [image: After]

CLI demonstration:

```
$ conjur list
[
  "company:policy:my/namespace/gchappel-testing/dry-run-load",
  "company:policy:my/namespace/gchappel-testing/dry-run-load/old",
  "company:variable:my/namespace/gchappel-testing/dry-run-load/test-variable"
]

$ cat after.yml
- !policy
  id: new
  body:

$ conjur policy replace --dry-run --file after.yml --branch my/namespace/gchappel-testing/dry-run-load
Dry run policy 'my/namespace/gchappel-testing/dry-run-load'
{
  "status": "",
  "errors": null
}

$ conjur list
[
  "company:policy:my/namespace/gchappel-testing/dry-run-load",
  "company:policy:my/namespace/gchappel-testing/dry-run-load/new",
  "company:variable:my/namespace/gchappel-testing/dry-run-load/test-variable"
]
```

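
An added example, not part of the issue or of the conjur-cli-go project: a POSIX shell guard for the pre-commit-style check described above. It snapshots `conjur list` before and after a `--dry-run` and refuses to trust the dry run if the resource list changed, using the output format shown in the report. The sample snapshots are constructed from that output, and the branch and file names passed to `verify_dry_run_is_readonly` are placeholders.

```shell
# Added example (not from the issue or conjur-cli-go): prove that a --dry-run left Conjur
# untouched before a pre-commit hook relies on it. Sample snapshots are constructed from
# the `conjur list` output in the report; branch/file arguments are placeholders.
set -eu
# Constructed sample: `conjur list` output before and after the dry run in the report.
BEFORE_SAMPLE='[
  "company:policy:my/namespace/gchappel-testing/dry-run-load",
  "company:policy:my/namespace/gchappel-testing/dry-run-load/old",
  "company:variable:my/namespace/gchappel-testing/dry-run-load/test-variable"
]'
AFTER_SAMPLE='[
  "company:policy:my/namespace/gchappel-testing/dry-run-load",
  "company:policy:my/namespace/gchappel-testing/dry-run-load/new",
  "company:variable:my/namespace/gchappel-testing/dry-run-load/test-variable"
]'
# Turn `conjur list` JSON into one sorted resource id per line (strips brackets, quotes,
# commas and whitespace; resource ids never contain spaces).
normalize_snapshot() {
    printf '%s\n' "$1" | sed 's/[][",[:space:]]//g' | grep -v '^$' | sort
}
# Exit 0 when both snapshots name the same resources, 1 otherwise.
snapshots_identical() {
    [ "$(normalize_snapshot "$1")" = "$(normalize_snapshot "$2")" ]
}
# Print removed ids prefixed "- " and added ids prefixed "+ ".
snapshot_changes() {
    b=$(mktemp) && a=$(mktemp)
    normalize_snapshot "$1" >"$b"
    normalize_snapshot "$2" >"$a"
    comm -23 "$b" "$a" | sed 's/^/- /'
    comm -13 "$b" "$a" | sed 's/^/+ /'
    rm -f "$b" "$a"
}
# Snapshot, run the dry run, snapshot again; fail loudly if anything changed.
verify_dry_run_is_readonly() {
    branch=$1 file=$2
    before=$(conjur list)
    conjur policy replace --dry-run --file "$file" --branch "$branch"
    after=$(conjur list)
    if snapshots_identical "$before" "$after"; then
        echo "dry run left the resource list unchanged"
    else
        echo "dry run MODIFIED Conjur (see #149); do not rely on --dry-run with this CLI:" >&2
        snapshot_changes "$before" "$after" >&2
        return 1
    fi
}
```

Run `verify_dry_run_is_readonly <branch> <policy.yml>` once against a throwaway branch before wiring `--dry-run` into a hook; on the CLI version in this report it exits non-zero and lists the `- old` / `+ new` policies.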
gchappel commented 5 days ago

Bump.

I see now from the release notes that this is a new feature in the 8.0.16 version of the CLI tool - does this need a particular release on the server side? I just accidentally loaded a policy over another policy because I had temporarily forgotten that dry-run isn't working so I thought I'd check in.