Add CyberArk Conjur Secrets Manager support

Author: infamousjoeg

.teller.example.yml

@@ -85,3 +85,18 @@ providers:
   #     SAVE_TIME:
   #       # need to supply the relevant version (versions/1)
   #       path: redis/config/savetime
+
+  # cyberark_conjur:
+  #   # configures client from environment:
+  #   # CONJUR_AUTHN_LOGIN
+  #   # CONJUR_AUTHN_API_KEY
+  #   # also, configures client from file:
+  #   # FILENAME: ~/.conjurrc
+  #   # appliance_url: https://conjur.cyberark.com
+  #   # account: cyberarkdemo
+  #   # cert_file: /root/conjur-cyberarkdemo.pem
+  #   env:
+  #     DB_USERNAME:
+  #       path: secrets/database/username
+  #     DB_PASSWORD:
+  #       path: secrets/database/passwords

.teller.yml

@@ -22,8 +22,8 @@ opts:
 providers:
   # Configure via environment:
   # CONSUL_HTTP_ADDR
-  dotenv:
+  cyberark_conjur:
     env:
-      FOO:
-        path: ~/my-dot-env.env
+      GH_USERNAME:
+        path: github/username
 

README.md

@@ -755,6 +755,47 @@ vercel:
       path: my-app-dev
 ```
 
+
+## CyberArk Conjur
+
+### Authentication
+
+Requires a username and API key populated in your environment:
+* `CONJUR_AUTHN_LOGIN`
+* `CONJUR_AUTHN_API_KEY`
+
+Requires a .conjurrc file in your User's home directory:
+```yaml
+---
+account: cyberarkdemo
+plugins: []
+appliance_url: https://dap.joegarcia.dev
+cert_file: ""
+```
+* `account` is the organization account created during initial deployment
+* `plugins` will be blank
+* `appliance_url` should be the Base URI for the Conjur service
+* `cert_file` should be the public key certificate if running in self-signed mode
+
+### Features
+
+* Sync - `no`
+* Mapping - `no`
+* Modes - `read`
+* Key format
+  * `env` - the secret variable path in Conjur Secrets Manager
+
+### Example Config
+
+```yaml
+cyberark_conjur:
+  env:
+    DB_USERNAME:
+      path: /secrets/prod/pgsql/username
+    DB_PASSWORD:
+      path: /secrets/prod/pgsql/password
+```
+
 # Semantics
 
 ## Addressing

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.1.1
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.1.1
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.1.1
-	github.com/cyberark/conjur-api-go v0.7.1 // indirect
+	github.com/cyberark/conjur-api-go v0.7.1
 	github.com/dghubble/sling v1.3.0
 	github.com/fatih/color v1.10.0
 	github.com/golang/mock v1.4.4

pkg/providers.go

@@ -28,6 +28,7 @@ func (p *BuiltinProviders) ProviderHumanToMachine() map[string]string {
 		"Vercel":                   "vercel",
 		"Azure Key Vault":          "azure_keyvault",
 		"Doppler":                  "doppler",
+		"CyberArk Conjur":          "cyberark_conjur",
 	}
 }
 
@@ -55,6 +56,8 @@ func (p *BuiltinProviders) GetProvider(name string) (core.Provider, error) {
 		return providers.NewAzureKeyVault()
 	case "doppler":
 		return providers.NewDoppler()
+	case "cyberark_conjur":
+		return providers.NewConjurClient()
 	default:
 		return nil, fmt.Errorf("provider '%s' does not exist", name)
 	}

pkg/providers/cyberark_conjur.go

@@ -1,7 +1,6 @@
 package providers
 
 import (
-	"context"
 	"fmt"
 	"os"
 
@@ -11,7 +10,7 @@ import (
 )
 
 type ConjurClient interface {
-	RetrieveSecret(ctx context.Context, variableId string) (string, error)
+	RetrieveSecret(variableId string) ([]byte, error)
 }
 
 type CyberArkConjur struct {
@@ -57,15 +56,15 @@ func (c *CyberArkConjur) Get(p core.KeyPath) (*core.EnvEntry, error) {
 	if err != nil {
 		return nil, err
 	}
-	if secret == "" {
+	if secret == nil {
 		ent := p.Missing()
 		return &ent, nil
 	}
 
-	ent := p.Found(secret)
+	ent := p.Found(string(secret))
 	return &ent, nil
 }
 
-func (c *CyberArkConjur) getSecret(kp core.KeyPath) (string, error) {
-	return c.client.RetrieveSecret(context.TODO(), kp.Path)
+func (c *CyberArkConjur) getSecret(kp core.KeyPath) ([]byte, error) {
+	return c.client.RetrieveSecret(kp.Path)
 }