torus-cli

Docs update

Fixes

• The spinners released in v0.30.0 can now be disabled by setting the
  core.progress preference to false via torus prefs set core.progress false.
• Fixed a bug where spinners were enabled for sessions not attached to a
  terminal such as in a CI environment or on a server.
• Fixed a bug where the spinner during torus run, torus view, or torus export would not be removed resulting in a stuck state for users.
• Fixed a bug preventing non-Mac OS X users from setting preferences via torus prefs set.

Breaking Changes

The concept of instance and identity as a part of the secret path has been
deprecated. Existing secrets set with non * identity and instance values can
still be set and unset by providing the full 7 segment path (e.g. torus set /org/project/environment/service/identity/instance/secret).

Torus will only display the full 7 segment path if identity or instance is a
non * value (e.g. /org/project/environment/service/machine-api/1/secret).
In all other cases, a 5 segment path will be displayed (e.g.
/org/project/environment/service/secret).

Notable Changes

• The status of your account is now displayed via torus profile view
• When updating your email address via torus profile update you are now
  prompted for the verification code to re-verify your account.
• More precise errors are returned to users when invalid usernames, org,
  project, team, or policy names are submitted to a ui prompt.
• The experimental and hidden policies test command has been removed.
• Added spinners to represent progress. This means fewer lasting print-outs
  for certain commands.
• The user, machine, and instance flags have been removed from torus set, torus unset, torus import, torus export, and torus view.
• Instance and identity values are no longer displayed via torus status.
• torus allow and torus deny now accept a 5 segment path along with the
  deprecated 7 path version (e.g. torus allow crudl /org/project/env/service/secret <team>).
• torus policies view will only display the full 7 segment path if the
  identity or identity components are not a *.
• torus view and torus list will only display the full 7 segment path in
  verbose mode if the instance and identity components are not a *.
• Added --team, -t flag to torus list
• The current org, project, environment, and service is now injected into the
  process started by torus run.

Fixes

• torus orgs remove will now prompt the user to confirm the action before proceed
• torus machines destroy and torus unset will default to No instead of Yes
  when prompting the user to confirm the action.
• When asking for a user's complete name, we now refer to it as Full Name
  instead of Fullname
• torus list did not display secrets which were not set with an instance of *.

Build

• Torus is now built using go1.10

2017-12-22

Notable Changes

• Redesigned the output of view and removed the --format flag.
• Updated formatting and flags of envs list, services list, invites list,
  machines list, machines view, policies list and policies view.
• Added styling, color and org/project prompts throughout commands. Colors can
  be disable by running torus prefs set core.colors false.

Fixes

• Torus will only print out secondary information such as when it's attempting
  to authenticate using credentials from TORUS_EMAIL, TORUS_PASSWORD,
  TORUS_TOKEN_ID, and TORUS_TOKEN_SECRET if stdout is attached to a
  terminal window.

Notable Changes

• Introduced command orgs members --org ORG to list all members within an
  organization.
• Changed the output style of teams members to match the output style of
  orgs members --org ORG.
• Introduced the torus export command making it easy to export secrets from a
  specific environment and service. As a result the torus view --format, -f
  flas has been deprecated and will be removed on December 31st 2017.
• Using torus export, you can now export secrets to terraform's tfvars file format.
• Encryption keys, user passwords, and machine secret tokens are now stored in
  secure and guarded memory making it more difficult to extract data from a
  running process.
• Replaced torus ls with torus list making it easy to list and search for secrets within a project. Listing secrets is now twice as fast as torus ls.

Fixes

• Fixed a bug preventing old credential values from being decrypted.
• Previously, expiration of a key was set to be one year, instead, we've set it
  to be three. This fixes a bug which prevented users from setting secrets as
  their keys had expired. A corresponding change was made to the torus server.

Notable Changes

• Significant performance increases when secrets are sourced from multiple
  keyrings. For example if a secret is brought in from dev-* and dev-user
  Torus will no longer unseal the private encryption key twice which leads to a
  signficiant reduction in decryption time. Users should notice this
  improvement when using torus view and torus run.
• Significant reduction in the number of round trips made to the Torus server
  to fetch an organizations claimtree (web of trust) when decrypting or
  encrypting secrets. Users should notice this improvement when many different
  users are contributing secrets to the same keyrings when using torus view,
  torus run, torus set, or torus unset.
• Parallelized fetching of keypairs and an orgs claimtree during secret
  decryption. Users should notice a modest improvement when using torus view
  and torus run.

Fixes

• Request timeout to the server has been increased from 6s to 60s.
• Fixed a bug preventing a user's invitation from being approved after a user
  was removed from the organization.

No changelog entry

Notable Changes

• Introduced torus policies attach allowing a user to attach a policy to
  multiple teams or machine roles.
• Introduced torus policies delete allowing a user to delete a policy and all
  of it's attachment from an org. System policies cannot be deleted.
• When generating a policy using torus allow or torus deny you can now
  specify it's name and description using the --name and --description
  flags. If no description is provided, one will be generated.

Fixes

• Clarify the behaviour of the --environment, --service, --instance,
  --user, and --machine flags when reading or writing secrets.

2017-10-19

Fixes

• Fixed a bug preventing Torus from being used once installed via npm on win32.

Fixes

• Fixed a bug preventing Torus being installed from a Brew formula

Notable Changes

• You can now install the windows client via npm (e.g. npm install -g torus-cli).
• Multiple secrets can be imported at once from a .env file using torus import (e.g. torus import .env).

Fixes

• Torus can now be installed on Mac OS X High Sierra via brew.
• torus signup will no longer error unexpectedly if you provide name with
  less than 3 characters.
• Changing your password using torus profile update will no longer lock you
  out of your account.
• The daemon will no longer crash if it cannot reach get.torus.sh during
  version checking.
• New version checking has been re-enabled after being disabled in v0.24.2
  whcih will be checked at startup of the daemon and every day at 6am.
• Torus is now compiled using go1.9.1

Thanks

• Luiz Branco

Fixes

• Disabled version checking against get.torus.sh as a temporary work around
  to torus DNS outage.
• Disabled update checking by default if a ~/.torusrc does not already exist.

2017-05-31

Fixes

• Hints will no longer be displayed if stdout is not a terminal.
• The CLI will now wait indefinitely for a request to be completed by the daemon.

Notable Changes

• torus set now supports name=path syntax (e.g. torus set foo=bar or
  torus set /org/project/env/*/*/*/foo=bar)
• We now refer to Name as Full Name to differentiate between a user's full
  name and username.

Thanks

• Luiz Branco

Notable Changes

• keyring type worklog items are now organized by user, not keyring. Keyrings
  are internal structures that hold secrets; they shouild rarely appear in the
  UI. Focusing on users that are missing access they should have is much more
  understandable.
• Torus now checks for available updates to itself, and reports on them during
  the login and version commands. This behaviour can be disabled with
  torus prefs set core.check_updates false.
• Exciting new worklog ui:
  • Items are grouped by type, making the display more compact and usable.
  • Lots of color and formatting!
  • Each worklog item includes details visible with view. For example, secret
    rotation items include which users caused the need for rotation, and why
    (i.e. 'james was removed from the org.').
• A beta version of the windows client is now available on
  get.torus.sh!

Fixes

• Correct the help message for invites accept's org flag.
• Fixed a problem where machine's with a name containing machine- (but as a
  prefix) could not interact with credential.

Security

• Added documentation to the README.md regarding the default security profile
  of Torus on Windows.

Thanks

• Federico Ruggi
• Jelmer Snoeck

Notable Changes

• Publish release details to GitHub as proper releases.
• Show more details in the summary of invite and keypairs worklog items.
• Passphrase derived public key authentication (PDPKA) is now used to
  authenticate users. Old users will be upgraded to support this auth method on
  their next login once they've upgraded to the latest version of Torus. New
  users will support PDPKA out of the box. Once a user has upgraded to support
  PDPKA, HMAC authentication is no longer supported.
• When creating a project, a default service is always created as well. As a
  result, the --bare option has been removed from torus link.

Fixes

• If a user is missing access to a keyring, but they do not yet have a valid
  keypair, don't alert other users to add this user to the keyring; they won't
  be able to!
• Removed forgotten debug logs from appearing in ~/.torus/daemon.log

Security

• Resolved information leak to daemon log file during machine login.

Notable Changes

• Update the style of selection lists for improved readability.
• Added hint output to core commands, prompting the user during signup if they
  wish to enable them.
• Confirm dialogues now show default value as uppercase
• Teach worklog how to identify and fix cases where users or machines
  haven't been included in a keyring for secrets access when they should be.

Fixes

• Resolved possible race condition in the progress notification code.
• Ensure the user is logged in when trying to create an org.

Thanks

• Jelmer Snoeck

Notable Changes

• Support Ubuntu 16.10 (Yakkety Yak) for deb packages.
• Secrets set on the command line are now always treated as strings. Previously,
  We would attempt to convert to ints or floats. Torus doesn't know if
  you want -007 to be a string suffix for your spy identifiers, or the number
  -7; so no longer guess, and use the provided value.
  This change will affect newly set values, but not existing ones.

Fixes

• Ensure keypairs generate does not panic when used against an org that has
  existing keypairs.
• Teach keypairs list to display the real validity state of a key, not just
  always "YES".
• Under NPM/Node.js, run via a passthrough script that will select the right
  binary. This replaces the previous install time symlinking script, which
  was error prone and unusable with sudo installs in some cases.
• Skip over users without encryption keys when storing secrets, instead of
  erroring out, allowing other users to still access the secrets.
• Teach the keypairs worklog item how to handle users that have been
  removed from a keyring (or had their keys revoked), and then subsequently
  re-added: The old secret values still require rotation, but the user can be
  given access to the secrets once again.
• Allow non-admin users to run worklog list, by continuing passed unauthorized
  requests when looking at invites. Only admins can view invites.