CLI arguments made order invariant

README.md

@@ -1,4 +1,4 @@
-# Kamus ![logo](images/logo.png) 
+# Kamus ![logo](images/logo.png)
 An open source, git-ops, zero-trust secrets encryption and decryption solution for Kubernetes applications.
 Kamus enable users to easily encrypt secrets than can be decrypted only by the application running on Kubernetes.
 The encryption is done using strong encryption providers (currently supported: Azure KeyVault and AES).
@@ -10,15 +10,20 @@ The simple way to run Kamus is by using the Helm chart:
 helm repo add soluto https://charts.soluto.io
 helm upgrade --install kamus soluto/kamus
 ```
-Refer to the installation guide for more details.
+Refer to the [installation guide](./docs/install.md) for more details.
 After installing Kamus, you can start using it to encrypt secrets.
 Kamus encrypt secrets for a specific application, represent by a [Kubernetes Service Account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account).
-Create a service account for your application, and mount it on the pods running your application. 
-Now, when you know the name of the service account, and the namespace it exists in, use Kamus CLI to encrypt the secret:
+Create a service account for your application, and mount it on the pods running your application.
+Now, when you know the name of the service account, and the namespace it exists in, install Kamus CLI:
 ```
 npm install -g @soluto-asurion/kamus-cli
-kamus-cli encrypt super-secret kamus-example-sa default --kamus-url <Kamus URL>
 ```
+Use Kamus CLI to encrypt the secret:
+```
+kamus-cli encrypt --secret super-secret --service-account kamus-example-sa --namespace default --kamus-url <Kamus URL>
+```
+*If you're running Kamus locally the Kamus URL will be like `http://localhost:<port>`. So you need to add `--allow-insecure-url` flag to enable http protocol.*
+
 Pass the value returned by the CLI to your pod, and use Kamus Decrypt API to decrypt the value.
 The simplest way to achieve that is by using the init container.
 An alternative is to use Kamus decrypt API directly in the application code.
@@ -31,32 +36,32 @@ Kamus has 3 components:
 * Decrypt API
 * Key Management System (KMS)
 
-The encrypt and decrypt APIs handle encryption and decryption requests. 
+The encrypt and decrypt APIs handle encryption and decryption requests.
 The KMS is a wrapper for various cryptographic solutions. Currently supported:
 * AES - uses one key for all secrets
-* Azure KeyVault - creates one key per service account. 
-* Google Cloud KMS - creates one key per service account. 
+* Azure KeyVault - creates one key per service account.
+* Google Cloud KMS - creates one key per service account.
 
-We look forward to add support for other cloud solutions, like AWS KMS. 
-If you're interested in such a feature, please let us know. 
+We look forward to add support for other cloud solutions, like AWS KMS.
+If you're interested in such a feature, please let us know.
 We would like help with testing it out.
 Consult the [installation guide](docs/install.md) for more details on how to deploy Kamus using the relevant KMS.
-  
+
 ### Utilities
 Kamus is shipped with 2 utilities that make it easier to use:
 * Kamus CLI - a small CLI that eases the interaction with the Encrypt API. Refer to the docs for more details.
 * Kamus init container - a init container that interacts with the Decrypt API. Refer to the docs for more details.
 
 ## Security
-We take security seriously at Soluto. 
+We take security seriously at Soluto.
 To learn more about the security aspects of Kamus refer to the Threat Modeling docs containing all the various threats and mitigations we discussed.
 Before installing Kamus in production refer the installation guide to learn the best practices of deploying Kamus securely.
 In case you find a security issue or have something you would like to discuss refer to our [security.md](security.md) policy.
 
 ## Contributing
-Find a bug? Have a missing feature? Please open an issue and let us know. 
+Find a bug? Have a missing feature? Please open an issue and let us know.
 We would like to help you using Kamus!
-Please notice: Do not report security issues on GitHub. 
+Please notice: Do not report security issues on GitHub.
 We will immediately delete such issues.
 
 ## Attribution

cli/.eslintrc

@@ -0,0 +1,9 @@
+{
+    "env": {
+        "browser": false,
+        "node": true
+    },
+    "parserOptions": {
+        "ecmaVersion":  2017
+    }
+}

cli/README.md

@@ -1,11 +1,11 @@
 [![npm version](https://badge.fury.io/js/%40soluto-asurion%2Fkamus-cli.svg)](https://badge.fury.io/js/%40soluto-asurion%2Fkamus-cli)
 [![Known Vulnerabilities](https://snyk.io/test/github/soluto/kamus/badge.svg?targetFile=cli/package.json)](https://snyk.io/test/github/soluto/kamus) [![docker hub](https://images.microbadger.com/badges/image/soluto/kamus-cli.svg)](https://hub.docker.com/r/soluto/kamus-cli "Get your own image badge on microbadger.com")
 
-## Kamus CLI 
+## Kamus CLI
 
 This cli was created to provide an easy interface to interact with Kamus API.
 
-It supports azure device flow authentication out of the box. 
+It supports azure device flow authentication out of the box.
 
 To install, use the following NPM command:
 ```
@@ -24,10 +24,10 @@ kubectl run -it --rm --restart=Never kamus-cli --image=soluto/kamus-cli -- encry
 #### Supported commands:
 
 ##### Encrypt
-`kamus-cli encrypt <data> <serviceAccount> <namespace>`
+`kamus-cli encrypt --secret <data> --service-account <serviceAccount> --namespace <namespace> --kamus-url <kamus-url> `
 
 ---
-#### How to enable azure active directory authentication 
+#### How to enable azure active directory authentication
 You need working active directory [tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) and designated [native app registration](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-register-an-app), Then just set all the `auth` prefixed options.
 Once the user will run the cli with the auth options, he will get a small code and and azure URL to login into.
 

cli/actions/encrypt.js

@@ -1,4 +1,4 @@
-var bluebird = require('bluebird');
+const bluebird = require('bluebird');
 const opn = require('opn');
 const { AuthenticationContext } = require('adal-node');
 const activeDirectoryEndpoint = "https://login.microsoftonline.com/";
@@ -14,32 +14,31 @@ module.exports = async (args, options, logger) => {
     _logger = logger;
     if (useAuth(options)) {
         const token = await acquireToken(options);
-        
-        await encrypt(args, options, token);
+
+        await encrypt(options, token);
     }
     else {
-        await encrypt(args, options)
+        await encrypt(options);
     }
 }
 
-const encrypt = async ({ data, serviceAccount, namespace }, { kamusUrl, allowInsecureUrl, certFingerprint }, token = null) => {
+const encrypt = async ({ data, serviceAccount, namespace, kamusUrl, allowInsecureUrl, certFingerprint }, token = null) => {
     _logger.log('Encryption started...');
     _logger.log('service account:', serviceAccount);
     _logger.log('namespace:', namespace);
 
-    if (!allowInsecureUrl && url.parse(kamusUrl).protocol !== "https:"){
+    if (!allowInsecureUrl && url.parse(kamusUrl).protocol !== 'https:') {
         _logger.error("Insecure Kamus URL is not allowed");
         process.exit(1);
     }
-
     try {
-        var response = await performEncryptRequestAsync(data, serviceAccount, namespace, kamusUrl, certFingerprint, token)
-        if (response.statusCode >= 300) {
+        const response = await performEncryptRequestAsync(data, serviceAccount, namespace, kamusUrl, certFingerprint, token);
+        if (response && response.statusCode >= 300) {
             _logger.error(`Encrypt request failed due to unexpected error. Status code: ${response.statusCode}`);
             process.exit(1);
         }
         _logger.info(`Successfully encrypted data to ${serviceAccount} service account in ${namespace} namespace`);
-        _logger.info('Encrypted data:\n' + response.body);
+        _logger.info(`Encrypted data:\n${response.body}`);
         process.exit(0);
     }
     catch (err) {
@@ -49,7 +48,7 @@ const encrypt = async ({ data, serviceAccount, namespace }, { kamusUrl, allowIns
 }
 
 const acquireToken = async ({ authTenant, authApplication, authResource }) => {
-    const context = new AuthenticationContext(activeDirectoryEndpoint + authTenant);
+    const context = new AuthenticationContext(`${activeDirectoryEndpoint}${authTenant}`);
     bluebird.promisifyAll(context);
     refreshToken = await acquireTokenWithDeviceCode(context, authApplication, authResource);
     const refreshTokenResponse =
@@ -78,16 +77,14 @@ const useAuth = ({ authTenant, authApplication, authResource }) => {
     if (authTenant && authApplication && authResource) {
         return true;
     }
-    else {
-        _logger.warn('Auth options were not provided, will try to encrypt without authentication to kamus');
-        return false;
-    }
+    _logger.warn('Auth options were not provided, will try to encrypt without authentication to kamus');
+    return false;
 }
 
 //Source: http://hassansin.github.io/certificate-pinning-in-nodejs
 const performEncryptRequest = (data, serviceAccount, namespace, kamusUrl, certficateFingerprint, token, cb) => {
 
-    var headers = {
+    const headers = {
         'User-Agent': `kamus-cli-${pjson.version}`,
         'Content-Type': 'application/json'
     };
@@ -96,21 +93,21 @@ const performEncryptRequest = (data, serviceAccount, namespace, kamusUrl, certfi
         headers['Authorization'] = `Bearer ${token}`
     }
 
-    var options = {
+    const options = {
         url: kamusUrl + '/api/v1/encrypt',
         headers: headers,
         // Certificate validation
         strictSSL: true,
         method: 'POST',
     };
-    
-    var req = request(options, cb);
-    
+
+    const req = request(options, cb);
+
     req.on('socket', socket => {
         socket.on('secureConnect', () => {
-            var fingerprint = socket.getPeerCertificate().fingerprint;
+            const fingerprint = socket.getPeerCertificate().fingerprint;
             // Match the fingerprint with our saved fingerprints
-            if(certficateFingerprint != undefined && certficateFingerprint != fingerprint){
+            if(certficateFingerprint !== undefined && certficateFingerprint !== fingerprint) {
             // Abort request, optionally emit an error event
                 req.emit('error', new Error(`Server fingerprint ${fingerprint} does not match provided fingerprint ${certficateFingerprint}`));
                 return req.abort();
@@ -120,8 +117,8 @@ const performEncryptRequest = (data, serviceAccount, namespace, kamusUrl, certfi
 
     req.write(JSON.stringify({
         data,
-        "service-account": serviceAccount,
-        namespace
+        ['service-account']: serviceAccount,
+        namespace,
     }));
 }
 

cli/index.js

@@ -1,21 +1,21 @@
 #!/usr/bin/env node
 
-var pjson = require('./package.json');
+const pjson = require('./package.json');
 const prog = require('caporal');
 const encrypt = require('./actions/encrypt');
 const regexGuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
 
 prog
   .version(pjson.version)
   .command('encrypt', 'Encrypt data')
-    .argument('<data>','Data to encrypt')
-    .argument('<service-account>', 'Deployment service account')
-    .argument('<namespace>', 'Deployment namespace')
-    .action(encrypt)
+  .action(encrypt)
+  .option('--secret <data>','Data to encrypt', prog.REQUIRED)
+  .option('--service-account <service-account>', 'Deployment service account', prog.REQUIRED)
+  .option('--namespace <namespace>', 'Deployment namespace', prog.REQUIRED)
+  .option('--kamus-url <kamusUrl>', 'Kamus URL', prog.REQUIRED)
   .option('--auth-tenant <id>', 'Azure tenant id', regexGuid)
   .option('--auth-application <id>', 'Azure application id', regexGuid)
   .option('--auth-resource <name>', 'Azure resource name', prog.STRING)
-  .option('--kamus-url <url>', 'Kamus URL', prog.REQUIRED)
   .option('--allow-insecure-url', 'Allow insecure (http) Kamus URL', prog.BOOL)
   .option('--cert-fingerprint <certFingerprint>', 'Force server certificate to match the given fingerprint', prog.STRING);
 

cli/is-docker.js

@@ -1,6 +1,6 @@
-var fs = require('fs');
+const fs = require('fs');
 
-var isDocker;
+let isDocker;
 
 function hasDockerEnv() {
 	try {

cli/package.json

@@ -4,7 +4,7 @@
   "description": "CLI Tool to encrypt secrets for kamus",
   "main": "index.js",
   "scripts": {
-    "test": "node_modules/.bin/mocha",
+    "test": "node_modules/.bin/mocha ./test/*.spec.js",
     "ci-publish": "ci-publish"
   },
   "repository": {
@@ -36,6 +36,7 @@
   },
   "devDependencies": {
     "chai": "^4.2.0",
+    "eslint": "^5.12.0",
     "mocha": "^5.2.0",
     "nock": "^10.0.5",
     "sinon": "^7.2.2"

cli/test/encrypt.js → cli/test/encrypt.spec.js

@@ -2,9 +2,9 @@ const expect = require('chai').expect;
 const nock = require('nock');
 const sinon = require('sinon');
 
-const encrypt = require('../actions/encrypt.js');
+const encrypt = require('../actions/encrypt');
 
-const logger = 
+const logger =
 {
     info: sinon.spy(),
     error: console.error,
@@ -17,16 +17,19 @@ const data = 'super-secret';
 const serviceAccount = 'dummy';
 const namespace = 'team-a';
 
+let kamusApiScope;
+
 describe('Encrypt', () => {
   beforeEach(() => {
     sinon.stub(process, 'exit');
-    nock(kamusUrl)
-      .post('/api/v1/encrypt', { data, "service-account": serviceAccount, namespace})
+    kamusApiScope = nock(kamusUrl)
+      .post('/api/v1/encrypt', { data, ['service-account']: serviceAccount, namespace})
       .reply(200, '123ABC');
   });
 
   it('Should return encrypted data', async () => {
-    await encrypt({data, serviceAccount, namespace}, {kamusUrl}, logger);
+    await encrypt(null, {data, serviceAccount, namespace, kamusUrl}, logger);
+    expect(kamusApiScope.isDone()).to.be.true;
     expect(process.exit.called).to.be.true;
     expect(process.exit.calledWith(0)).to.be.true;
     expect(logger.info.lastCall.lastArg).to.equal('Encrypted data:\n123ABC')