Add a `conjurctl configuration show` command that loads an instance of `Conjur::ConjurConfig` and outputs the values and sources (env / file / default) of the loaded configuration attributes. The command should accept `--output` flag w/ `text` (YAML) or `json` values to affect how output is displayed. The command description should include a disclaimer about how these values may not represent the state of the currently running server.

Add unit tests to confirm:

- `conjurctl configuration show` displays configuration in YAML format (default behavior)
- `conjurctl configuration show --output text` displays configuration in YAML format
- `conjurctl configuration show --output json` displays configuration in JSON format
@jtuttle, I know at one point there was a question about whether or not the values should be shown or not for audit/logging. Is the assumption here that showing values is expected? Or should that also be a flag, and by default values are not shown?
We should probably get @andytinkham's input. I was thinking it's okay to display the values because it's a CLI command rather than something that will get called as part of logging. Andy: do you think it's okay to display values in response to a CLI command?
Answered in Slack, but capturing here too:
There's a difference between showing a sensitive value in direct response to a user request and writing a sensitive value out somewhere the user isn't necessarily expecting it. As far as I can see, directly responding to a request with a sensitive value to stdout should be fine. The user needs to make the request and if any redirection occurs that might send the sensitive value somewhere, the user should have explicitly done that as well. It's in the indirect stuff like log messages where users might not even know the sensitive value was echoed or the whole class of messages may be sent elsewhere that there are security issues.
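
A sketch of the value-and-source resolution and the `--output` switch requested in this issue, added here as an example in Ruby. It is not Conjur's code: the attribute names, the `DEMO_` prefix and the env > file > default precedence are assumptions.

```ruby
require 'json'
require 'yaml'

# Constructed sample attributes; not Conjur's real configuration keys.
DEFAULTS = { 'log_level' => 'info', 'listen_port' => 8080 }.freeze
ENV_PREFIX = 'DEMO_' # hypothetical environment variable prefix

# Resolve each attribute and record where its value came from.
# Assumed precedence: environment, then file, then built-in default.
def resolve_config(defaults, file_values, env)
  defaults.each_with_object({}) do |(name, default), resolved|
    env_key = ENV_PREFIX + name.upcase
    value, source =
      if env.key?(env_key)
        [env[env_key], 'env'] # environment values always arrive as strings
      elsif file_values.key?(name)
        [file_values[name], 'file']
      else
        [default, 'default']
      end
    resolved[name] = { 'value' => value, 'source' => source }
  end
end

# Build the string for stdout. Nothing here writes to a logger, so values
# only go where the person running the command sends them.
def render_config(resolved, output = 'text')
  case output
  when 'text' then YAML.dump(resolved)
  when 'json' then JSON.pretty_generate(resolved)
  else raise ArgumentError, "unknown --output value: #{output}"
  end
end

if $PROGRAM_NAME == __FILE__
  file_values = YAML.safe_load("log_level: debug\n") # constructed file content
  env = { 'DEMO_LISTEN_PORT' => '9090' }              # constructed environment
  puts render_config(resolve_config(DEFAULTS, file_values, env), 'text')
  puts render_config(resolve_config(DEFAULTS, file_values, env), 'json')
end
```

Both formats serialize the same resolved hash, so the three unit tests listed in the issue can parse the output and compare it against one expected structure.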