Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
@leisurelink/authentic-cli
Advanced tools
Command line interface and utilities for working with the authentic-api and LeisureLink's federated security.
Command line interface and utilities for working with the authentic-api and LeisureLink's federated security.
First, install a bunch of dependencies as documented on the Node Development Setup Guide.
Then, use npm to install the CLI directly from this repository. It is recommended that you install the CLI globally.
$ npm install @leisurelink/authentic-cli # or npm install -g git+ssh://git@github.com/LeisureLink/authentic-cli.git
You can verify installation by running authentic
with no options or command.
$ authentic
The command above should display usage information.
The Authentic API and CLI both require that the other endpoint authenticate itself by signing all communication. To execute any command that communicates with Authentic API, you must provide the CLI with input to perform the following tasks:
The CLI can impersonate any endpoint. You must indicate which endpoint you want it to impersonate by supplying an endpoint key id. The CLI will include the supplied endpoint key id in messages it sends to the API. You must also supply a private key that the CLI can use to sign messages it sends to the API. The API will use the endpoint key id to lookup a previously registered public key that it will use to verify the signature of the message. This process is how the API authenticates the endpoint that is calling it.
NOTE: The CLI uses 'scripts/internal' as a default endpoint key id if another value is not provided. This identifies it as the 'scripts' endpoint and is correct for most situations. You'll only want to override this default when you need to impersonate another endpoint. In that case you'll supply that endpoint's endpoint key id and private key.
You must supply a public key that the CLI can use to verify the signature included in the response from the API. This process is how the CLI authenticates the API it is calling.
Authenticating the CLI as an endpoint will only authorize commands for which that endpoint has been granted permission. The 'scripts' endpoint the CLI identifies itself as by default has very limited permission (only 'auth'). To really do anything, you must identify yourself as a user by supplying your username and password. The API will then authorize commands for which you have been granted permission instead of those for which the endpoint has been granted permission.
For information about setting up a new installation of the Authentic API and gaining CLI access to it, see the Getting Started section of the Authentic API README file. To gain CLI access to an existing installation of Authentic API in another environment, email devops@leisurelink.com.
Authentic CLI loads values for its inputs from several sources in the following order:
Values loaded from later sources will override those from sources loaded earlier.
The recommended way to use the CLI manually is to configure one or many profiles and load one by using
the profile
option to execute a command. To use the CLI from within a script, it may be best to use
command line arguments or environment variables.
The CLI contains hardcoded default values for inputs when a reasonable default exists. These defaults
are also suggested when configuring a new profile. There are no default values for host
, issuer-key
, or key
.
Use the configure
command to create one or more user-specific profiles:
$ authentic configure
The CLI will prompt for the required values and store them in a configuration file (located at ~/.authentic).
You can then use the --profile option instead of specifying a value for each input with every call (example). Authentic always loads the "default" profile, allowing for environment variables and command line arguments to override profile-specified values.
All commands and inputs are described below. This information is also available via a help command:
$ authentic --help
Usage: authentic [options] [command]
Commands:
create-user [options] [principalId] [firstName] [lastName] [email] Creates a user principal; the principalId is analagous to user-name and must be unique within the system.
delete-user [systemId] Delete a user principal; the systemId is the system generated identifier for the principal.
create-password [systemId] [password] Creates a password for the specified principal
user-query [options] [pattern] Queries users by the specified pattern.
create-endpoint [principalId] Creates an endpoint for the specified principalId.
delete-endpoint [principalId] Delete an endpoint for the specified principalId.
add-apikey [principalId] [apiKey] Add an api key for the specified principalId
delete-apikey [apiKey] Delete an api key.
get-endpoint [principalId] Gets an endpoint.
get-endpoint-key [principalId] [keyId] Gets an endpoint key.
add-endpoint-key [principalId] [keyId] [keyPath] Adds an endpoint key for the specified principal.
add-claimset-spec [csPath] Adds a claimset spec for a particular claimset specification id.
get-claimset-spec [csid] Gets a registered claimset spec.
set-endpoint-claim [principalId] [claimId] [value] Sets an endpoint claim to a value
remove-endpoint-claim [principalId] [claimId] Sets an endpoint claim to a value
register-endpoint [principalId] [keyId] [keyPath] Registers the endpoint with the specified keyId and keyPath.
configure Configures a new profile, or the default profile for the current user
Utilities for communicating with LeisureLink's authentic-api from the command line. Many of the supported commands have additional options: 'authentic [command] --help' to view the specifics.
Options:
-h, --help output usage information
-V, --version output the version number
--profile <profile> Use a specific profile from your credential file
-H, --host <host> the authentic-api host uri, env: AUTHENTIC_HOST, default: http://localhost:8081.
-K, --issuer-key <issuer-key> path to the authentic-api host's public key, env: JWT_ISSUER_KEY_PATH
-I, --issuer <issuer> the JWT issuer, env: JWT_ISSUER, default: test
-A, --audience <audience> the JWT audience, env: JWT_AUDIENCE, default: test
-i, --id <id> the CLI endpoint's id, env: ENDPOINT_ID, default: scripts/internal
-k, --key <key> path to the CLI endpoint's key, env: ENDPOINT_KEY_PATH
-l, --lang <lang> the CLI's lang, default: en-US
-u, --user-name <user-name> the user with authority to perform the operation
-p, --password <password> the user's password
-v, --verbose turns on verbose logging
tl;dr - No need to specify these.
Authentic API returns a JSON Web Token (JWT) as the result of a user authentication call. The JWT contains an issuer claim, identifying who issued the token, and an audience claim, identifying who is intended to process the JWT. The issuer and audience inputs to the CLI allow you to specify which values the JWT should contain in order to be considered valid. Currently the CLI ignores the fact that the JWT is not valid due to the issuer and audience not matching what you said you would accept. So you can let the CLI use the default values and work effectively with any deployment of Authentic API.
$ authentic --key cli-key.pem --issuer-key authentic-key.pub --host http://localhost:3000 \
-u admin -p soopersekritpass \
get-endpoint authentic
$ authentic --key cli-key.pem -issuer-key authentic-key.pub --host http://localhost:3000 \
-u admin -p soopersekritpass \
create-endpoint my-new-api
$ openssl genrsa -out ./my-new-api-key.pem 2048
$ openssl rsa -pubout -in ./my-new-api-key.pem -out ./my-new-api-key.pub
$ authentic -k cli-key.pem -K authentic-key.pub -H http://localhost:3000 \
-u admin -p soopersekritpass \
add-endpoint-key my-new-api my-new-api-key ./my-new-api-key.pub
$ ENDPOINT_KEY_PATH=cli-key.pem
$ JWT_ISSUER_KEY_PATH=authentic-key.pub
$ AUTHENTIC_HOST=https://localhost:3000
$ authentic -u admin -p soopersekritpass \
get-endpoint authentic
$ authentic --profile dev \
-u admin -p soopersekritpass \
get-endpoint authentic
FAQs
Command line interface and utilities for working with the authentic-api and LeisureLink's federated security.
We found that @leisurelink/authentic-cli demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 18 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.