Host and user Commands

[InbalZilberman]

Feature Overview & Customer Need

As a Conjur user
I would like to use the conjur cli
In order to update my password

As a Conjur user or host
I would like to use the conjur cli
In order to rotate API Key of a user or a host (it can also be me :))

COMMANDS

rotate-api-key Rotate a user's or host's API key. If no user/host ID is provided the logged in resource's API Key is rotated.

change-password Update the password of the logged-in user the command is both interactive meaning password is requested from the user and non-interactive using a flag -p

Help

For each command and subcommand a help is needed see here:
Help for host: https://ljfz3b.axshare.com/#id=paicg6&p=conjur_help__user&g=1
Help for user: https://ljfz3b.axshare.com/#id=paicg6&p=conjur_help__user&g=1

User messages

please use the following user messages for success scenarios
conjur user rotate-api-key
Success! API key was rotated. New key: 198qmk51cgsa061ghh80x2s56ct99grch1j066xcgnke5431rj3v

conjur host rotate-api-key -i <host_id>
Success! API key was rotated. New key: 3k7k0vb2sf2emjjcphtx14jfvrbbfn8vm3t79mnz19tk2252dsz9wf

conjur user change-password
--request for password--
Success! password was changed.

conjur user change-password -p New-password
Success! password was changed.

All user messages regarding host and user should be reviewed again. Especially error messages.
If an argument is missing we need to return the help of the command

Quality

Make sure we have test coverage of the host commands. Create test plan and execute accordingly.

Process logic and Demo

Conjur use with a machine that the Python CLI already been installed and conjur init & login ran

Now the user run the following commands:

conjur user rotate-api-key -i <user_id>

show the result of rotate-api-key (3v087323qv....ryq38201w9wvx)

conjur user change-password
The user is expected to fill in the new password
show response

conjur host rotate-api-key -i <host_id>
show the result of rotate-api-key

UX Guidelines

Follow guidelines here: https://github.com/cyberark/conjur-api-python3/blob/master/guidelines/python-cli-ux-guidelines.md

Documentation

Please provide enhance documentation in online help and readme

Helpful resources:
user/host epic - https://app.zenhub.com/workspaces/palmtree-5d99d900491c060001c85cba/issues/cyberark/conjur-api-python3/101

DOD

User (2 commands)

• Integration tests have been added
• Implementation has been done
• Log errors/messages have received approval from Inbal + TW

Host (1 command)

• Integration tests have been added
• Log errors/messages have received approval from Inbal + TW
• Implement the user command & subcommands Conjur Python CLI in all 3 platforms
• Implement the host command & subcommands Conjur Python CLI in all 3 platforms

[sigalsax]

@InbalZilberman @eladkug just a note that the secrets need to meet the following Conjur criteria

Choose a password that includes: 12-128 characters, 2 uppercase letters, 2 lowercase letters, 1 digit and 1 special character"

[sigalsax]

@sharonr78 for conjur user change-password -p new_pass I imagine we will need some sort of Success! Password has been changed response b/c currently in Ruby CLI, there is no such message. Just the following experience:

conjur user update_password sigal@usrsig
Enter the password (it will not be echoed):
Confirm the password:

@InbalZilberman Currently in the Ruby CLI, the -p / --password doesn't work (even though we offer that option in our --help. In the Ruby CLI, regardless if we do or don't the following message is displayed:

Enter the password (it will not be echoed):
Confirm the password:

I imagine we ignore the -p / --password because maybe we require that the user confirm their password twice so maybe it was purposeful?

[sharonr78]

@sharonr78 for conjur user change-password -p new_pass I imagine we will need some sort of Success! Password has been changed response b/c currently in Ruby CLI, there is no such message. Just the following experience:

conjur user update_password sigal@usrsig
Enter the password (it will not be echoed):
Confirm the password:

I totally agree. We should aim to provide such feedback messages whenever possible.
Let's use this message (according to our microcopy's voice and tone): Success! Password was changed

[sharonr78]

@InbalZilberman Following the password change feedback message, we should also have it for key rotation, as it's not enough to show the new key. I suggest to show the output message, like so:
conjur user rotate-api-key
Success! API key was rotated. New key: 198qmk51cgsa061ghh80x2s56ct99grch1j066xcgnke5431rj3v

conjur host rotate-api-key <host_id>
Success! API key was rotated. New key: 3k7k0vb2sf2emjjcphtx14jfvrbbfn8vm3t79mnz19tk2252dsz9wf

[sgnn7]

If we are really going for a consistent experience in the CLI, we need to stick to the same pattern for all commands:

conjur <action> <option1> <option2> ...

I would also discourage use of optional arguments when the parameter is not optional (e.g. conjur user change-password -p new_pass). Password here is not optional and as such doesn't need a flag and should be a positional arg.

If we do these two things, the more appropriate forms of these commands would look a bit different:

conjur rotate-api-key                             # Rotates own key
conjur rotate-api-key host <host_id>             # Rotates a host's key
conjur rotate-api-key user <host_id>              # Rotates a user's key
conjur update-password                            # Updates own password
conjur update-password user <username> <password> # Update user's password

[sharonr78]

@sgnn7 I really like this approach and would like to omit the options whenever possible, but there are commands which require options, like list or init, so the pattern is not always consistent.
Can we use the following general usage? conjur [global options] command [subcommand] [options...] [arguments...]

Here are a few possible use-cases:
conjur whoami - single command only
conjur --version - single global option only
conjur user rotate-api-key joe - command + subcommand + arg
conjur list --kind user --limit 4 - command + 2 options + 2 args (no subcommand for 'list')
conjur variable get secrets/mysecret - command + subcommand + arg

Actually, we can say that whenever we have a subcommand we can omit the use of options.
WDYT?

[sigalsax]

I like this approach. In my mind options (--) are for consolidating information and screening out the information you don't need. I think the best example of this would be with list where we have the option to add restrict or throw out the information we don't need.
For example with list --limit 4, we are screening out all the noise and just want 4 entries to be returned

In short, I think options should be reserved for screening out info and not providing info (like secret for example)

[InbalZilberman]

@sgnn7 I do like
conjur rotate-api-key # Rotates own key
But i think we can change
conjur rotate-api-key host <host_id>
into one simple
conjur rotate-api-key <resource_id>
WDYT?

Yet for update-password this option makes a lot of sense
conjur update-password # Updates own password
but this one
conjur update-password user <username> <password> # Update user's password
not so much :(
The sentence is broken I do think
conjur update-password -u <user> -p <password> # Update user's password
is clearer. WDYT?

[sgnn7]

@InbalZilberman The problem with conjur update-password -u <user> -p <password> is that it implies that both values are optional and unconnected to each other to where something like this might be allowed: conjur update-password -u <user>. By using positional arguments (conjur update-password alice "alicepassword"), you ensure that when a user is specified, you must also have a password associated with it.

[sgnn7]

@InbalZilberman Some links on this:

• https://git-scm.com/docs/git-remote - You can see how git here uses the mandatory params as positional args
• A stack overflow question I found on this has a good conversation about it: https://softwareengineering.stackexchange.com/questions/366218/positional-arguments-vs-options-in-a-command-line-interface

[sigalsax]

into one simple
conjur rotate-api-key <resource_id>
WDYT?

I like this idea but we need to understand the kind somehow since our REST looks like: /authn/{account}/api_key?role={kind}:{identifier}

conjur update-password user <username> <password>

@InbalZilberman where do you see the ability to update-password for other users? In our REST API for changing passwords I don't see the option of updating another user's password but the current logged-in one. See here

From my understanding you can only rotate_api_key on yourself and on someone else but changing the password can only be yours and not someone else's

[InbalZilberman]

Changed conjur user change-password to not include -p and be only on logged in user.
Also, added user messages

[sharonr78]

@InbalZilberman please see my comments below:

1. Link to host command help: https://ljfz3b.axshare.com/#id=wsk7ud&p=conjur_help__host&g=1
2. Link to user command help: https://ljfz3b.axshare.com/#id=mzfbsw&p=conjur_help__user&g=1
3. Examples of both commands:

conjur user rotate-api-key (rotates the API key for the logged-in user)
conjur user rotate-api-key admin (rotates the API key for the admin user)

conjur user change-password Myp@ssw0rd! (changes the password for the logged-in user to Myp@ssw0rd!)
conjur host rotate-api-key <host_id> (rotates the API key for <host_id>)

An example of success messages:
conjur user rotate-api-key
Success! API key was rotated. New key: 198qmk51cgsa061ghh80x2s56ct99grch1j066xcgnke5431rj3v

conjur user change-password Myp@ssw0rd!
Success! password was changed.

[sharonr78]

@InbalZilberman please update the link to the host help command to this: https://ljfz3b.axshare.com/#id=wsk7ud&p=conjur_help__host&g=1