cyberark / cyberark-conjur-cli

CyberArk Conjur command line interface written in Python
https://www.conjur.org
Apache License 2.0

Add ability to persist/use CLI configurations #11

Open sgnn7 opened 5 years ago

sgnn7 commented 5 years ago

Current plan but open RFC

FS structure:

$ tree $HOME
├── 700: drwx------  .conjur/
│   ├── 755: drwxr-xr-x  default.yml -> <profile_nameXX>.yml
│   ├── 600: drw-------  <profile_name1>.yml
│   ├── 755: drwxr-xr-x  <profile_name1>.pem -> <hostname1>.pem
│   ├── 600: drw-------  <profile_name2>.yml
│   ├── 755: drwxr-xr-x  <profile_name2>.pem -> <hostname2>.pem
│   ├── 644: drw-r--r--  <hostname1>.pem
│   ├── 644: drw-r--r--  <hostname2>.pem
...

<profile_name>.yml:

<profile_name>:
    account: <account>
    appliance_url: <url>
    login_id: <login_id>

    # Optional fields. Credentials will be plaintext for now but maybe encrypted later.
    api_key: <api_key>
    ca_bundle: <path>          # default: ./<profile_name>.pem
    debug: <bool>              # default: false
    password: <password>
    insecure: <bool>           # default: false
    tofu: <bool>               # default: true

Usage:

# Create config - omitted profile name == "default" (TBD)
$ cli profile create <url> <account> <login_id> \
    [--tofu <bool>]|[--insecure <bool>]|[--ca-bundle <pem_path>] \
    [--password <password>]|[--api-key <api_key>]

# Delete config
$ cli profile delete <profile_name>

# Profile switch for all further CLI commands
$ cli profile <profile_name>

# Show current profile name
$ cli profile

# Use $(cli profile) config
$ cli …

# Use "<profile_name>" config without switching
$ cli -C <profile_name> …

CC: @izgeri / @ismarc / @apotterri / @infamousjoeg / @jodyhuntatx / @ryanprior / @garymoon / @jonahx

izgeri commented 5 years ago

How does this map to current conjur init and conjur authn login? What other info can you send in the cli profile create command?

TODO: This seems gnarly - will need some more UX pondering

I agree, overall I like the direction but the create command still doesn't seem very elegant

sgnn7 commented 5 years ago

How does this map to current conjur init and conjur authn login? What other info can you send in the cli profile create command?

conjur init and conjur authn login are both rolled into one command, cli profile create, in this proposal. All fields provided would end up in the profile config.

I like the direction but the create command still doesn't seem very elegant

Yeah this is mostly to make the v1 easier to implement since all commands accept these flags. I think the ideal solution would probably be something like:

$ cli profile create <url> <account> <login_id> \
    [--tofu <bool>]|[--insecure <bool>]|[--ca-bundle <pem_path>] \
    [--password <password>]|[--api-key <api_key>]

Common use would be something like:

cli profile create https://hostname myaccount myuser -p mypassword

which would add all the needed info into the profile and TOFU the cert
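
As an added example (not the project's own code) of what "TOFU the cert" can mean in the proposed layout: the first `profile create` against a host stores the certificate it is shown as `<hostname>.pem` (0644, since a CA bundle is not a secret), and every later run compares the presented certificate against that pin; with `tofu: false` an unknown host is refused instead of silently trusted. The function names, the `confirm` callback and the constructed PEM stand-ins are assumptions made for this example.

```python
"""Trust-on-first-use pinning of the appliance certificate into <hostname>.pem
(added example, not cyberark-conjur-cli code; all names here are assumptions)."""
import base64
import hashlib
import hmac
import os
import ssl
from pathlib import Path

PUBLIC_MODE = 0o644   # -rw-r--r--  <hostname>.pem in the proposed tree: pinned cert is not secret


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the value an operator can compare against the appliance."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_server_pem(hostname: str, port: int = 443) -> str:
    """What `profile create` would call: fetch the leaf cert without verifying it (that is TOFU)."""
    return ssl.get_server_certificate((hostname, port))   # needs network; not exercised offline


def pin_or_verify(conjur_dir, hostname, presented_pem, tofu=True, confirm=None):
    """Return 'pinned' on first contact, 'verified' when the stored pin matches, else raise.

    tofu=False: never accept an unknown certificate (the user must pass --ca-bundle).
    confirm(fingerprint) -> bool: optional hook so the CLI can show the fingerprint
    and ask before pinning, rather than trusting blindly.
    """
    pin = Path(conjur_dir) / f"{hostname}.pem"
    presented = fingerprint(presented_pem)
    if pin.exists():
        if not hmac.compare_digest(fingerprint(pin.read_text()), presented):
            raise ssl.SSLCertVerificationError(
                f"{hostname}: presented certificate {presented[:16]}... does not match pinned {pin}")
        return "verified"
    if not tofu:
        raise ssl.SSLCertVerificationError(f"{hostname}: no pinned certificate and tofu is false")
    if confirm is not None and not confirm(presented):
        raise ssl.SSLCertVerificationError(f"{hostname}: user rejected certificate {presented}")
    # O_EXCL: never overwrite a pin that appeared between the exists() check and here
    fd = os.open(pin, os.O_WRONLY | os.O_CREAT | os.O_EXCL, PUBLIC_MODE)
    with os.fdopen(fd, "w") as fh:
        fh.write(presented_pem)
    os.chmod(pin, PUBLIC_MODE)
    return "pinned"


def constructed_pem(label: bytes) -> str:
    """Constructed stand-in for a certificate: valid PEM framing around arbitrary bytes.
    Enough for the fingerprint/pin logic; a real appliance returns a real X.509 cert."""
    body = base64.encodebytes(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
```

In the proposed tree the profile's `ca_bundle` would then be `<profile_name>.pem -> <hostname>.pem`, so the pinned file doubles as the bundle passed to the HTTP client; `insecure: true` would skip `pin_or_verify` entirely, which is why it should stay a separate, explicit flag.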

izgeri commented 5 years ago

One of the things I've run into a bunch is that you do the login and then only when you try a request do you find out your login creds were invalid. Will the CLI have a login command that actually tries to login and returns meaningful success / failure information?

sgnn7 commented 5 years ago

Will the CLI have a login command that actually tries to login and returns meaningful success / failure information?

Oooh! I like this a lot! Maybe we can try cli list as a preconf step to verify things are working?

garymoon commented 5 years ago

@gary Super jelly of your GitHub handle, and love your emoji selection! ^5 I apologize for Srdjan, he thinks GitHub is Slack :wink:

I'd prefer keeping at least the files that the original CLI and Go CLI use. I agree they're cumbersome relatively speaking, but if we're going to revamp it should be a group effort (i.e. the projects should all have near-future support of the new format, and the maintainers be in agreement about the best way forward) IMO.

sgnn7 commented 5 years ago

I'd prefer keeping at least the files that the original CLI and Go CLI use

@garymoon That part (reading of those configs) is already there in the CLI. This logic probably should be conditional depending on if you have .conjur/ dir so it will use .conjurrc/netrc if the dir is not there but if you create a profile, you will no longer use the old-style config. Thoughts?
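
An added example (not cyberark-conjur-cli code) of the profile store as proposed at the top of this issue together with the conditional just described: `.conjur/` present means profiles only, `.conjur/` absent means fall back to the old-style `~/.conjurrc`. It creates profile files with 0600 from the first instant, keeps the directory 0700, repoints the `default.yml` symlink atomically, resolves `-C <profile_name>` without switching, and refuses to read credentials from a profile that is group- or world-accessible. `ProfileStore`, its methods, the `_dump`/`_load` YAML-subset helpers (a stand-in for PyYAML so this runs with the standard library) and the `.conjurrc` keys in the test are assumptions made for this example.

```python
"""Profile store for the ~/.conjur/ layout sketched in this issue (added example,
not cyberark-conjur-cli code; every name and default below is an assumption)."""
import os
import stat
from pathlib import Path

CONJUR_DIR = ".conjur"
LEGACY_RC = ".conjurrc"      # old-style config, used only when ~/.conjur/ is absent
DIR_MODE = 0o700             # drwx------  .conjur/
SECRET_MODE = 0o600          # -rw-------  <profile>.yml, which may hold api_key/password
REQUIRED = ("account", "appliance_url", "login_id")
DEFAULTS = (("debug", False), ("insecure", False), ("tofu", True))  # ca_bundle is per profile


def _dump(name, fields):
    """Write the flat two-level YAML subset the proposal uses (stand-in for PyYAML)."""
    out = [f"{name}:"]
    for key, value in fields.items():
        out.append(f"    {key}: {str(value).lower() if isinstance(value, bool) else value}")
    return "\n".join(out) + "\n"


def _load(text):
    """Parse that subset back; the 'name:' header is optional so a flat .conjurrc also parses."""
    name, fields = None, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        line = line.split(" #", 1)[0].rstrip()           # drop a trailing comment
        if not line.startswith(" ") and line.endswith(":"):
            name = line[:-1]
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        fields[key] = {"true": True, "false": False}.get(value, value)
    return name, fields


class ProfileStore:
    def __init__(self, home):
        self.home = Path(home)
        self.dir = self.home / CONJUR_DIR

    def create(self, name, appliance_url, account, login_id, **opts):
        """`cli profile create <url> <account> <login_id> [options]`."""
        if "password" in opts and "api_key" in opts:
            raise ValueError("--password and --api-key are alternatives; give one")
        self.dir.mkdir(mode=DIR_MODE, exist_ok=True)
        os.chmod(self.dir, DIR_MODE)        # mkdir() is subject to umask; force 0700
        fields = {"account": account, "appliance_url": appliance_url, "login_id": login_id, **opts}
        path = self.dir / f"{name}.yml"
        # create with 0600 from the first instant; open() followed by chmod leaves a window
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, SECRET_MODE)
        with os.fdopen(fd, "w") as fh:
            fh.write(_dump(name, fields))
        os.chmod(path, SECRET_MODE)         # a pre-existing file would keep its old bits
        if not (self.dir / "default.yml").is_symlink():
            self.switch(name)               # the first profile becomes the default
        return path

    def switch(self, name):
        """`cli profile <name>`: repoint the default.yml symlink atomically."""
        if not (self.dir / f"{name}.yml").is_file():
            raise FileNotFoundError(f"no profile named {name!r}")
        tmp = self.dir / ".default.yml.tmp"
        if tmp.is_symlink() or tmp.exists():
            tmp.unlink()
        os.symlink(f"{name}.yml", tmp)      # relative target, as in the proposed tree
        os.replace(tmp, self.dir / "default.yml")

    def current(self):
        """`cli profile` with no argument: name of the default profile, or None."""
        link = self.dir / "default.yml"
        return Path(os.readlink(link)).name[:-len(".yml")] if link.is_symlink() else None

    def load(self, name=None):
        """Config for one run: `-C <name>`, else the default profile, else legacy ~/.conjurrc."""
        if not self.dir.is_dir():
            legacy = self.home / LEGACY_RC
            if not legacy.is_file():
                raise FileNotFoundError("neither ~/.conjur/ nor ~/.conjurrc exists")
            return None, _load(legacy.read_text())[1]
        real = (self.dir / f"{name}.yml" if name else self.dir / "default.yml").resolve(strict=True)
        st = real.stat()                    # the same checks ssh applies to a private key
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{real} is group/world accessible; refusing to use its credentials")
        if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
            raise PermissionError(f"{real} is not owned by the current user")
        pname, fields = _load(real.read_text())
        missing = [k for k in REQUIRED if k not in fields]
        if missing:
            raise ValueError(f"profile {pname!r} is missing {missing}")
        fields.setdefault("ca_bundle", f"./{pname}.pem")
        for key, default in DEFAULTS:
            fields.setdefault(key, default)
        return pname, fields
```

The permission check on `load` is the part that matters once `api_key`/`password` live in the file in plaintext: a profile copied in by hand with 0644 is rejected instead of quietly used, and the error names the file so the user knows what to `chmod 600`.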

garymoon commented 5 years ago

@sgnn7 Oh nice! :clap:

I would add @apotterri for comment, and if he's on board then :shipit: