cyberark / summon-conjur

CyberArk Conjur provider for Summon
MIT License

ignores /etc/conjur* files in absence of env vars or .netrc #29

Closed jodyhuntatx closed 6 years ago

jodyhuntatx commented 6 years ago

CONJUR.CONF file contents

jenkins@936ec69a14e6:/demo$ cat /etc/conjur.conf


appliance_url: https://conjur_master/api
account: dev
cert_file: "/etc/conjur-dev.pem"
plugins: []

CERT contents (elided)

jenkins@936ec69a14e6:/demo$ cat /etc/conjur-dev.pem

-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIVAPY+cK34D5EBbNVdJO1BYPfA2ixrMA0GCSqGSIb3DQEB
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDgzCCAmugAwIBAgIJAM85CGdoWoIeMA0GCSqGSIb3DQEBCwUAMDoxDDAKBgNV
...
-----END CERTIFICATE-----

IDENTITY file contents

jenkins@936ec69a14e6:/demo$ cat /etc/conjur.identity

machine https://conjur_master/api/authn login host/jenkins/master password 1gshgcc423yqs10cw3mj2pkp98d2qjnx0e1ejm43e1jpdd4y16tfeh4

LOGIN as host

jenkins@936ec69a14e6:/demo$ conjur authn login -u host/jenkins/master \
  -p 1gshgcc423yqs10cw3mj2pkp98d2qjnx0e1ejm43e1jpdd4y16tfeh4
Logged in

IDENTITY is functional

jenkins@936ec69a14e6:/demo$ conjur variable list -i

[ "dev:variable:secrets/db_password", "dev:variable:secrets/db_username" ]

NO AUTHN environment variables

jenkins@936ec69a14e6:/demo$ env | grep CONJUR

CONJUR_MAJOR_VERSION=4

NO .netrc file

jenkins@936ec69a14e6:/demo$ rm ~/.netrc

NOT logged in

jenkins@936ec69a14e6:/demo$ conjur authn whoami

error: Not logged in.

summon-conjur ignores /etc/conjur* files

jenkins@936ec69a14e6:/demo$ summon -e prod ./secrets_echo.sh

Error fetching variable DB_UNAME: exit status 1: Environment variables and machine identity files satisfying at least one authentication strategy must be present!

dividedmind commented 6 years ago

It appears to me that this is simply for the lack of handling of the default /etc/conjur.identity path at https://github.com/cyberark/conjur-api-go/blob/3913dfda8820d6e625209c24b8d91156ba1e942d/conjurapi/client.go#L89 -- an issue should be filed there.

apotterri commented 6 years ago

Neither the Ruby CLI nor the Go API read /etc/conjur.identity by default. Both will honor a netrc_path setting in the config. (When you conjurize a machine, it adds the entry "netrc_path": "/etc/conjur.identity" to /etc/conjur.conf.) Currently, the Go API doesn't read ~/.netrc by default.

The /etc/conjur.conf above doesn't contain an entry for netrc_path. However, the conjur auth login step updates ~/.netrc. This causes the subsequent conjur variable list to succeed because it uses the new entry in ~/.netrc. If conjur variable list was attempted after ~/.netrc was removed, it would have failed, just like summon did.
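The credential lookup order apotterri describes, as an added example that is not part of this issue, of summon-conjur or of conjur-api-go: environment variables first, then whatever file netrc_path in the config points at, and no fallback to ~/.netrc. It reproduces the report (no env vars, no ~/.netrc, a conjur.conf without netrc_path) and then shows the same inputs succeeding once the conjurize-style netrc_path entry is present. Assumptions: the env var names CONJUR_AUTHN_LOGIN / CONJUR_AUTHN_API_KEY are used for the "env" strategy; the config is parsed as flat "key: value" lines rather than with a real YAML parser; the netrc machine name is derived as appliance_url + "/authn", which matches the identity file pasted above; files are served from an in-memory map so the program runs offline. The sample config and identity contents are constructed from the text of this issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Credentials is the machine identity a client ends up authenticating with.
type Credentials struct {
	Login  string // e.g. host/jenkins/master
	APIKey string
	Source string // "env" or "netrc"
}

// Config is the subset of /etc/conjur.conf this example needs.
type Config struct {
	ApplianceURL string
	Account      string
	NetRCPath    string
}

// parseConf handles the flat "key: value" lines seen in the issue (and the
// quoted "netrc_path": "..." form conjurize writes). A real client uses a YAML
// parser; this is a deliberate simplification and ignores unknown keys.
func parseConf(text string) Config {
	var c Config
	for _, line := range strings.Split(text, "\n") {
		kv := strings.SplitN(line, ":", 2)
		if len(kv) != 2 {
			continue
		}
		key := strings.Trim(strings.TrimSpace(kv[0]), `"`)
		val := strings.Trim(strings.TrimSpace(kv[1]), `",`)
		switch key {
		case "appliance_url":
			c.ApplianceURL = val
		case "account":
			c.Account = val
		case "netrc_path":
			c.NetRCPath = val
		}
	}
	return c
}

// parseNetRC returns the login/password pair for machine from netrc text.
// Entries may span lines; "default" and "macdef" stanzas are out of scope.
func parseNetRC(text, machine string) (login, password string, ok bool) {
	tok := strings.Fields(text)
	for i := 0; i+1 < len(tok); i += 2 {
		switch tok[i] {
		case "machine":
			if ok {
				return login, password, true // matching stanza is complete
			}
			ok = tok[i+1] == machine
			login, password = "", ""
		case "login":
			login = tok[i+1]
		case "password":
			password = tok[i+1]
		}
	}
	return login, password, ok
}

// resolve models the order described in the thread: the env var pair wins,
// otherwise the file named by netrc_path is read. ~/.netrc is never consulted,
// which is why removing it broke summon while /etc/conjur.identity sat unused.
// readFile is injected so the example never touches the real filesystem.
func resolve(env map[string]string, conf Config, readFile func(string) ([]byte, error)) (Credentials, error) {
	if l, k := env["CONJUR_AUTHN_LOGIN"], env["CONJUR_AUTHN_API_KEY"]; l != "" && k != "" {
		return Credentials{Login: l, APIKey: k, Source: "env"}, nil
	}
	if conf.NetRCPath == "" {
		return Credentials{}, errors.New("no authn env vars and no netrc_path in config")
	}
	data, err := readFile(conf.NetRCPath)
	if err != nil {
		return Credentials{}, fmt.Errorf("read %s: %w", conf.NetRCPath, err)
	}
	machine := strings.TrimSuffix(conf.ApplianceURL, "/") + "/authn" // assumption: how the machine name is formed
	login, key, ok := parseNetRC(string(data), machine)
	if !ok {
		return Credentials{}, fmt.Errorf("no entry for %s in %s", machine, conf.NetRCPath)
	}
	return Credentials{Login: login, APIKey: key, Source: "netrc"}, nil
}

// memFS serves constructed sample files from a map in place of /etc.
func memFS(files map[string]string) func(string) ([]byte, error) {
	return func(path string) ([]byte, error) {
		if s, found := files[path]; found {
			return []byte(s), nil
		}
		return nil, errors.New("no such file")
	}
}

// Constructed inputs mirroring the issue text.
const (
	confFromIssue  = "appliance_url: https://conjur_master/api\naccount: dev\ncert_file: \"/etc/conjur-dev.pem\"\nplugins: []\n"
	confConjurized = confFromIssue + "\"netrc_path\": \"/etc/conjur.identity\"\n"
	identityFile   = "machine https://conjur_master/api/authn\n  login host/jenkins/master\n  password 1gshgcc423yqs10cw3mj2pkp98d2qjnx0e1ejm43e1jpdd4y16tfeh4\n"
)

func main() {
	fs := memFS(map[string]string{"/etc/conjur.identity": identityFile})
	noEnv := map[string]string{}
	_, err := resolve(noEnv, parseConf(confFromIssue), fs) // as filed: fails
	fmt.Println("as filed:", err)
	c, err := resolve(noEnv, parseConf(confConjurized), fs) // with netrc_path: works
	fmt.Println("with netrc_path:", c.Login, c.Source, err)
}
```

The practical takeaway for the setup in the report is the line conjurize would have added to /etc/conjur.conf: a netrc_path entry pointing at /etc/conjur.identity. Without it, the identity file is simply never opened by a client that follows this order.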