v1.0.0 Release (#203)

* Add aws-cli based role assumption for authn-iam (#190)

* Typo in doc cybr_accounts_add (#192)

* Typo in doc cybr_accounts_add

Secret parameter should be -c, not -s

* Update account.go

* Bump golang.org/x/sys from 0.0.0-20220405052023-b1e9470b6e64 to 0.1.0 (#191)

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.0.0-20220405052023-b1e9470b6e64 to 0.1.0.
- [Release notes](https://github.com/golang/sys/releases)
- [Commits](https://github.com/golang/sys/commits/v0.1.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* [Snyk] Security upgrade ubuntu from latest to 22.10 (#194)

* fix: Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-UBUNTU2204-OPENSSL-3314672
- https://snyk.io/vuln/SNYK-UBUNTU2204-OPENSSL-3314696
- https://snyk.io/vuln/SNYK-UBUNTU2204-OPENSSL-3314792
- https://snyk.io/vuln/SNYK-UBUNTU2204-SYSTEMD-3098846
- https://snyk.io/vuln/SNYK-UBUNTU2204-TAR-3261138

* Set non-root `cybr` user as default

---------

Co-authored-by: snyk-bot <[email protected]>

* Update action versions & add Conjur fetching (#195) (#196)

* Update action versions & add Conjur fetching

* flip Go install to after source checkout

* update go-version

* go-version to version

* version set to latest

* add debug step

* switch from authn-jwt to authn due to iat issues

* Add unlock & checkin to cybr accounts (#199)

* [Snyk] Security upgrade ubuntu from latest to kinetic (#197)

* Update action versions & add Conjur fetching (#195)

* Update action versions & add Conjur fetching

* flip Go install to after source checkout

* update go-version

* go-version to version

* version set to latest

* add debug step

* switch from authn-jwt to authn due to iat issues

* fix: Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-UBUNTU2204-BASH-3098342
- https://snyk.io/vuln/SNYK-UBUNTU2204-OPENSSL-5296052
- https://snyk.io/vuln/SNYK-UBUNTU2204-OPENSSL-5296082
- https://snyk.io/vuln/SNYK-UBUNTU2204-SHADOW-5425688
- https://snyk.io/vuln/SNYK-UBUNTU2204-SHADOW-5425688

---------

Co-authored-by: snyk-bot <[email protected]>

* Fixes #189 add support for cyberark identity authentication (#202)

* Initial commit

* Implement Identity check for httpjson

* Update GitHub Workflows for successful tests (#200)

* Update action versions & add Conjur fetching (#195)

* Update action versions & add Conjur fetching

* flip Go install to after source checkout

* update go-version

* go-version to version

* version set to latest

* add debug step

* switch from authn-jwt to authn due to iat issues

* Update README.md

* Identity StartAuthentication implemented

* refactored StartAuth

* Began implementation of Password AdvanceAuth

* Identity auth-type tested successfully

* Added color to terminal

* Update /docs

* Updated README

* Use platform discovery instead of requiring TenantID

* Derive PCloud URL from Platform Discovery

* Derive PCloud URL from Platform Discovery

* Updated docs to remove tenant ID requirement

* Fix 7 code smells

* remove duplicate tests on v* branch

* Only test on push

* Fix go test failures

* Generate new docs

* Bump version to 1.0.0-release

* add ReadInput function (#204)

* Added SignOutSession function (#205)

* Update Makefile

* Add Polling of OOBPending (#206)

* channel oob polling & otp input

* Have otp code on same line

* rm bin and add to .gitignore

* Add .gitignore

* Add version to binary release

* Fixes #207 Add remaining scopes to cybr accounts change (#208)

* Add remaining scopes to cybr accounts change

* Remove VaultOnly tests & fix code smell

* fixed account credentials unit tests

* final unit tests fix

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Matias Siracusa <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: snyk-bot <[email protected]>

.github/workflows/ci.yml

@@ -1,10 +1,6 @@
 name: cybr-cli CI
 
 on:
-  pull_request:
-    branches:
-      - main
-      - v*
   push:
     branches-ignore:
       - main

.github/workflows/release-binary.yml

@@ -37,5 +37,5 @@ jobs:
         goversion: "https://dl.google.com/go/go${{ steps.go_version.outputs.prop }}.linux-amd64.tar.gz"
         project_path: "./"
         binary_name: "cybr"
-        asset_name: cybr-cli_${{ matrix.goos }}_${{ matrix.goarch }}
+        asset_name: cybr-cli_${{ steps.client_version.outputs.prop }}_${{ matrix.goos }}_${{ matrix.goarch }}
         extra_files: LICENSE README.md SECURITY.md

.gitignore

@@ -13,4 +13,5 @@
 # vendor/
 
 .DS_Store
-.dccache
+.dccache
+bin/

Dockerfile

@@ -13,11 +13,12 @@ COPY . .
 
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /app/cybr .
 
-FROM ubuntu
+FROM ubuntu:kinetic
 COPY --from=builder /app/cybr /app/
 RUN useradd -ms /bin/bash cybr && \
     chmod 777 /home/cybr && \
     mkdir -p /home/cybr/.cybr && \
     chown -R cybr /home/cybr/.cybr
+USER cybr
 ENV PATH="/app:${PATH}"
 ENTRYPOINT ["/app/cybr"]

Makefile

@@ -49,7 +49,7 @@ test:
 compile:
 ### If GOOS is not defined, then throw an error
 ifeq (${GOOS}, unset)
-	@echo "GOOS is undefined"
+	@echo "GOOS is undefined. If you ran 'make release', run './release.sh' instead."
 	@exit 1
 endif
 ### If GOARCH is not defined, then throw an error

README.md

@@ -5,7 +5,9 @@
 A "Swiss Army Knife" command-line interface (CLI) for easy human and non-human interaction with CyberArk's suite of products.
 
 Current products supported:
-* CyberArk Privileged Access Manager (PAM)
+* CyberArk Identity Security Platform Shared Services (ISPSS)
+* CyberArk Privilege Cloud SaaS
+* CyberArk Self-Hosted Privileged Access Manager (PAM)
 * CyberArk Secrets Manager Central Credential Provider (CCP)
 * CyberArk Conjur Secrets Manager Enterprise & [Open Source](https://conjur.org)
 * CyberArk Cloud Entitlements Manager ([Free trial](https://www.cyberark.com/try-buy/cloud-entitlements-manager/))
@@ -23,6 +25,9 @@ Current products supported:
 	- [Install from Source](#install-from-source)
 - [Usage](#usage)
 	- [Authenticating with authn-iam (AWS IAM Role Authentication)](#authenticating-with-authn-iam-aws-iam-role-authentication)
+	- [Authenticating to Privilege Cloud via ISPSS (Identity)](#authenticating-to-privilege-cloud-via-ispss-identity)
+		- [Password Authentication](#password-authentication)
+		- [MFA Authentication](#mfa-authentication)
 	- [Documentation](#documentation)
 - [Autocomplete](#autocomplete)
 - [Example Source Code](#example-source-code)
@@ -89,6 +94,39 @@ Once environment variables are set, ensure no .conjurrc or .netrc exists in the
 
 Then run any command you wish to run within `cybr conjur`. Use the `--help` flag to see all available commands.
 
+### Authenticating to Privilege Cloud via ISPSS (Identity)
+
+You will need to know the following information to authenticate to Privilege Cloud via ISPSS:
+	* `-b, --base-url` - The base URL of CyberArk Cloud (e.g. https://example.cyberark.cloud or https://example.privilegecloud.cyberark.cloud)
+	* `-u, --username` - The username of the Privilege Cloud user (e.g. [email protected].1234)
+
+#### Password Authentication
+
+```shell
+$ cybr logon -u [email protected] -a identity -b https://example.cyberark.cloud
++ Challenge #1
+Enter password:
+```
+
+After providing the password, if no other challenges are required, the CLI will handle the token exchange and a successful logon will be displayed.
+
+#### MFA Authentication
+
+If MFA is required, the CLI will prompt for the challenge method to use out of those available:
+
+```shell
+$ cybr logon -u [email protected] -a identity -b https://example.cyberark.cloud
++ Challenge #1
+Enter password:
++ Challenge #2
+1. Email... @joe-garcia.com
+2. SMS... XXX-1234
+> 2
+Enter code: 12341234
+```
+
+After providing the MFA code, if no other challenges are required, the CLI will handle the token exchange and a successful logon will be displayed.
+
 ### Documentation
 
 All commands are documentated [in the docs/ directory](docs/cybr.md).

cmd/accounts.go

@@ -3,12 +3,14 @@ package cmd
 import (
 	"fmt"
 	"log"
+	"strings"
 
 	pasapi "github.com/infamousjoeg/cybr-cli/pkg/cybr/api"
 	"github.com/infamousjoeg/cybr-cli/pkg/cybr/api/queries"
 	"github.com/infamousjoeg/cybr-cli/pkg/cybr/api/requests"
 	"github.com/infamousjoeg/cybr-cli/pkg/cybr/api/shared"
 	"github.com/infamousjoeg/cybr-cli/pkg/cybr/helpers/prettyprint"
+	"github.com/infamousjoeg/cybr-cli/pkg/cybr/helpers/util"
 	"github.com/spf13/cobra"
 )
 
@@ -72,6 +74,12 @@ var (
 
 	// ChangeEntireGroup change account group
 	ChangeEntireGroup bool
+
+	// Scope of password change on account
+	Scope string
+
+	// NewPassword to set on account
+	NewPassword string
 )
 
 var accountsCmd = &cobra.Command{
@@ -148,7 +156,7 @@ var addAccountsCmd = &cobra.Command{
 	Long: `Add an account to PAS.
 	
 	Example Usage:
-	$ cybr accounts add -s SafeName -p platformID -u username -a 10.0.0.1 -t password -s SuperSecret`,
+	$ cybr accounts add -s SafeName -p platformID -u username -a 10.0.0.1 -t password -c SuperSecret`,
 	Run: func(cmd *cobra.Command, args []string) {
 		client, err := pasapi.GetConfigWithLogger(getLogger())
 		if err != nil {
@@ -271,15 +279,34 @@ var changeAccountCmd = &cobra.Command{
 	Long: `This method marks an account for credential change
 	
 	Example Usage:
-	$ cybr accounts change -i 24_1`,
+	$ cybr accounts change -i 24_1
+	$ cybr accounts change -i 24_1 -s immediately
+	$ cybr accounts change -i 24_1 -s set
+	$ cybr accounts change -i 24_1 -s set -p $(openssl rand -base64 12)`,
 	Run: func(cmd *cobra.Command, args []string) {
 		client, err := pasapi.GetConfigWithLogger(getLogger())
 		if err != nil {
 			log.Fatalf("Failed to read configuration file. %s", err)
 			return
 		}
 
-		err = client.ChangeAccountCredentials(AccountID, ChangeEntireGroup)
+		if NewPassword == "" && strings.ToLower(Scope) == "set" {
+			NewPassword, err = util.ReadPassword()
+			if NewPassword == "" {
+				log.Fatalf("Password cannot be empty")
+				return
+			}
+			if err != nil {
+				log.Fatalf("Failed to read password. %s", err)
+				return
+			}
+		}
+		if Scope == "" || strings.ToLower(Scope) == "immediate" {
+			err = client.ChangeAccountCredentials(AccountID, ChangeEntireGroup, "change", "")
+		}
+		if strings.ToLower(Scope) == "set" {
+			err = client.ChangeAccountCredentials(AccountID, ChangeEntireGroup, "setnextpassword", NewPassword)
+		}
 		if err != nil {
 			log.Fatalf("%s", err)
 			return
@@ -364,6 +391,54 @@ var moveAccountCmd = &cobra.Command{
 	},
 }
 
+var unlockAccountCmd = &cobra.Command{
+	Use:   "unlock",
+	Short: "Unlock an account",
+	Long: `Unlock an account
+
+	Example Usage:
+	$ cybr accounts unlock -i 24_1`,
+	Run: func(cmd *cobra.Command, args []string) {
+		client, err := pasapi.GetConfigWithLogger(getLogger())
+		if err != nil {
+			log.Fatalf("Failed to read configuration file. %s", err)
+			return
+		}
+
+		err = client.Unlock(AccountID)
+		if err != nil {
+			log.Fatalf("%s", err)
+			return
+		}
+
+		fmt.Printf("Successfully unlocked account '%s'.\n", AccountID)
+	},
+}
+
+var checkInAccountCmd = &cobra.Command{
+	Use:   "checkin",
+	Short: "Check-in an account",
+	Long: `Check-in an account that was checked-out by the same user
+
+	Example Usage:
+	$ cybr accounts checkin -i 24_1`,
+	Run: func(cmd *cobra.Command, args []string) {
+		client, err := pasapi.GetConfigWithLogger(getLogger())
+		if err != nil {
+			log.Fatalf("Failed to read configuration file. %s", err)
+			return
+		}
+
+		err = client.CheckIn(AccountID)
+		if err != nil {
+			log.Fatalf("%s", err)
+			return
+		}
+
+		fmt.Printf("Successfully checked in account '%s'\n", AccountID)
+	},
+}
+
 func init() {
 	// Listing an account
 	listAccountsCmd.Flags().StringVarP(&Search, "search", "s", "", "List of keywords to search for in accounts, separated by a space")
@@ -410,7 +485,9 @@ func init() {
 	// change account
 	changeAccountCmd.Flags().StringVarP(&AccountID, "account-id", "i", "", "Account ID to change")
 	changeAccountCmd.MarkFlagRequired("account-id")
+	changeAccountCmd.Flags().StringVarP(&Scope, "scope", "s", "", "Scope of change. Valid values: Immediate (Default) or Set")
 	changeAccountCmd.Flags().BoolVarP(&ChangeEntireGroup, "change-entire-group", "c", false, "If account is part of account group, change the entire group")
+	changeAccountCmd.Flags().StringVarP(&NewPassword, "password", "p", "", "New password to set on account")
 
 	// reconcile
 	reconcileAccountCmd.Flags().StringVarP(&AccountID, "account-id", "i", "", "Account ID to reconcile")
@@ -422,6 +499,14 @@ func init() {
 	moveAccountCmd.Flags().StringVarP(&Safe, "safe", "s", "", "Safe name in which the account will be moved into")
 	moveAccountCmd.MarkFlagRequired("safe")
 
+	// unlock
+	unlockAccountCmd.Flags().StringVarP(&AccountID, "account-id", "i", "", "Account ID to unlock")
+	unlockAccountCmd.MarkFlagRequired("account-id")
+
+	// check-in
+	checkInAccountCmd.Flags().StringVarP(&AccountID, "account-id", "i", "", "Account ID to check-in")
+	checkInAccountCmd.MarkFlagRequired("account-id")
+
 	// Add cmd to account cmd
 	accountsCmd.AddCommand(listAccountsCmd)
 	accountsCmd.AddCommand(getAccountsCmd)
@@ -432,6 +517,8 @@ func init() {
 	accountsCmd.AddCommand(changeAccountCmd)
 	accountsCmd.AddCommand(reconcileAccountCmd)
 	accountsCmd.AddCommand(moveAccountCmd)
+	accountsCmd.AddCommand(unlockAccountCmd)
+	accountsCmd.AddCommand(checkInAccountCmd)
 
 	// Add accounts cmd to root
 	rootCmd.AddCommand(accountsCmd)

cmd/conjur.go

@@ -413,9 +413,6 @@ var conjurListResourcesCmd = &cobra.Command{
 			log.Fatalf("Failed to initialize conjur client. %s", err)
 		}
 
-		fmt.Printf("client: %+v\n", client)
-		fmt.Printf("error: %+v\n", err)
-
 		filter := conjurapi.ResourceFilter{
 			Kind:   Kind,
 			Search: Search,

cmd/logoff.go

@@ -5,6 +5,7 @@ import (
 	"log"
 
 	pasapi "github.com/infamousjoeg/cybr-cli/pkg/cybr/api"
+	"github.com/infamousjoeg/cybr-cli/pkg/cybr/identity"
 	"github.com/spf13/cobra"
 )
 
@@ -27,6 +28,10 @@ var logoffCmd = &cobra.Command{
 			log.Fatalf("Failed to remove configuration file. %s", err)
 		}
 		// Logoff the PAS REST API
+		if client.TenantID != "" {
+			_ = identity.SignOutSession(client)
+		}
+
 		_ = client.Logoff()
 
 		fmt.Println("Successfully logged off PAS.")