Allow automated or headless one-liner configuration about wordfence-cli HOT 11 CLOSED

We will be implementing a non-interactive version of wordfence configure in an upcoming release to support automated installation. Thanks for the suggestion @michaellehmkuhl.

from wordfence-cli.

@davidnuzik I agree on removing "Interactively" from the subcommand description since it can now be used non-interactively as well. I will proceed with that change.

As for the options used with wordfence configure, the --default/-D flag can be used to specify that the default values should be used for any options that aren't explicitly specified, such as the cache directory.

I'll add two examples to the configure command help output, one each for interactive and non-interactive configuration. I don't see a need to add the Register to receive... message anywhere else at this point; it's already included with the --accept-terms option which I think is sufficient.

from wordfence-cli.

I noticed this when I try to configure interactively (simply execute wordfence for the first time to trigger interactive configure) - just following normal flow basically yes to all. Posting here since it's related to changes in this issue.

Wordfence CLI cannot be used until it has been configured. Would you like to configure it now? [y/n] (default: n): y
Would you like to automatically request a free Wordfence CLI license? [y/n] (default: y): y
Your access to and use of Wordfence CLI Free edition is subject to the Wordfence CLI License Terms and Conditions set forth at https://www.wordfence.com/wordfence-cli-license-terms-and-conditions/. By entering "y" and selecting Enter, you agree that you have read and accept the Wordfence CLI License Terms and Conditions. [y/n] (default: n): y
Free Wordfence CLI license obtained successfully: {free license key redacted}
Traceback (most recent call last):
  File "/usr/local/bin/wordfence", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/david/dev/defiant/temp/wordfence-cli/venv/lib64/python3.11/site-packages/wordfence/cli/cli.py", line 202, in main
    exit_code = cli.invoke()
                ^^^^^^^^^^^^
  File "/home/david/dev/defiant/temp/wordfence-cli/venv/lib64/python3.11/site-packages/wordfence/cli/cli.py", line 175, in invoke
    configurer.check_config()
  File "/home/david/dev/defiant/temp/wordfence-cli/venv/lib64/python3.11/site-packages/wordfence/cli/configurer.py", line 409, in check_config
    self.prompt_for_missing_config()
  File "/home/david/dev/defiant/temp/wordfence-cli/venv/lib64/python3.11/site-packages/wordfence/cli/configurer.py", line 386, in prompt_for_missing_config
    self.prompt_for_config()
  File "/home/david/dev/defiant/temp/wordfence-cli/venv/lib64/python3.11/site-packages/wordfence/cli/configurer.py", line 327, in prompt_for_config
    self._prompt_for_cache_directory()
  File "/home/david/dev/defiant/temp/wordfence-cli/venv/lib64/python3.11/site-packages/wordfence/cli/configurer.py", line 271, in _prompt_for_cache_directory
    if self.config.is_from_cli('cache_directory') or self.config.default:
                                                     ^^^^^^^^^^^^^^^^^^^
AttributeError: 'Config' object has no attribute 'default'

from wordfence-cli.

To supported automated installation we need to make some modifications to how users can access the terms of service in order to have a legal acceptance of ToS. Updated terms to be provided by legal. The following includes new or updated behavior to accommodate the new automated installation.

• terms subcommand: to display the current terms along with the date of the terms update.

  • If not already included in the terms fetched from https://www.wordfence.com/wordfence-cli-license-terms-and-conditions, include this statement: "Register to receive updated Wordfence CLI Terms of Service via email at https://www.wordfence.com/products/wordfence-cli/#terms. Join our WordPress Security mailing list at https://www.wordfence.com/subscribe-to-the-wordfence-email-list/ to get security alerts, news, and research directly to your inbox.“
  • Include line "Use --accept-terms to agree to the terms of service. (wordfence terms --accept terms)”

• --accept terms option: Anywhere the accept-terms param is documented, we must include a link to our terms URL, along with a mention of the wordfence terms subcommand that will allow viewing of our terms. Include it as the following:
  "Automatically accept the terms required to invoke the specified command. The latest terms can be viewed using the
  wordfence terms command and found at https://www.wordfence.com/wordfence-cli-license-terms-and-conditions/. Register to receive updated Wordfence CLI Terms of Service via email at https://www.wordfence.com/products/wordfence-cli/#terms. Join our WordPress Security mailing list at https://www.wordfence.com/subscribe-to-the-wordfence-email-list/ to get security alerts, news, and research directly to your inbox."

• Installing from command line: Continue to prompt for acceptance of terms during existing configuration calls such as when installing via wordfence configure or new installs from the command line, and when the --accept-terms option is omitted. Upon completing the configuration, following the line that states "The configuration for Wordfence CLI has been successfully updated." add the following:
  "Register to receive updated Wordfence CLI Terms of Service via email at https://www.wordfence.com/products/wordfence-cli/#terms. Join our WordPress Security mailing list at https://www.wordfence.com/subscribe-to-the-wordfence-email-list/ to get security alerts, news, and research directly to your inbox.“

Updates to the Wordfence website to address the new CLI terms registration field will be documented in a separate case in the website repository.

from wordfence-cli.

Note, did initial testing at 4ddb7b0. Will retest when is qa-ready, esp. w.r.t. terms subcommand which requires new API.

I propose a couple of small tweaks @akenion

• Recommend we update configure definition.py such that "Interactively configure Wordfence CLI" now reads "Configure Wordfence CLI" since it can be done interactively or non-interactively now. Also, perhaps a couple of examples -- perhaps like:
  • wordfence configure Interactively configure Wordfence CLI
  • wordfence configure --request-license --accept-terms --cache-directory=/tmp/wordfence --workers=2 Example configuring Wordfence CLI to automatically accept terms, request a free license, set custom cache-directory, and workers count.
    Note, regarding the above -- would we have to also specify Register to receive updated Wordfence CLI Terms of Service via email at https://www.wordfence.com/products/wordfence-cli/#terms. Join our WordPress Security mailing list at https://www.wordfence.com/subscribe-to-the-wordfence-email-list/ to get security alerts, news, and research directly to your inbox.? (possible, hopefully not). Also a thought -- advanced users configuring non-interactively perhaps don't need an example. (this could save us from a super long help/example if we have to supply that long explanation each time it's mentioned even in CLI help?) We may want to document though in the repo. I got tripped up on having to pass --cache-directory, else the non-interactive prompt I expected becomes interactive asking for me to specify it. I expected the CLI to use default cache dir.

from wordfence-cli.

@davidnuzik That issue should be resolved by #154.

from wordfence-cli.

v2.1.0rc4 11/30/23 (also tested with rc1 thru rc3 over the past week at various times, majority of testing done with rc4 to ensure all works as expected)

SUMMARY:
QA validation PASSED. I was successfully able to leverage all aspects of the new non-interactive configuration capabilities and did not find any issues after the aforementioned issues were fixed. I also am working on some Wordfence CLI automation and was able to utilize it to perform some validation on the cli in a non-interactive way. All means of testing either via a script, my automation, or with a tty work as I would expect.

VALIDATION STEPS

1. Test usage of configure subcommand in a non-interactive way on my tty, commands like as follows for example all work for me (note that -o to overwrite is always required if a config ini exists already on disk)

• wordfence configure --request-license --accept-terms -D
• wordfence configure --request-license --accept-terms --workers 3 -D -o
• wordfence configure --request-license --accept-terms --workers 3 --cache-directory /tmp/tempCache -o
• wordfence configure -l <valid_license> --accept-terms -D -o
• ...and more variations all tested, such as order of args, not passing various (such as to ensure --accept-terms is always required, not passing -o doesn't allow overwriting, etc. Additional tests included (but are not limited to): checking that if cache-directory is not writable configuration is not allowed to continue, passing -c <config.ini> as well and ensuring it works as expected, not passing -D flag (where needed) results in the command not succeeding, and more. Various test cases were added to our internal regression test doc.

2. Test but via a bash script the some of the most common ways of configure non-interactively.
3. Test but via automation I am building using BATS some of the most common ways of configure non-interactively.
4. Check the CLI help for --accept-terms - it should mention the following (it does):

      --accept-terms       Automatically accept the terms required to invoke the specified command. The latest terms can be viewed using the wordfence terms command  and found at https://www.wordfence.com/wordfence-cli-license-terms-and-conditions/. Register to receive updated Wordfence CLI Terms of
                           Service via email at https://www.wordfence.com/products/wordfence-cli/#terms. Join our WordPress Security mailing list at https://www.wordfence.com/subscribe-to-the-wordfence-email-list/ to get security alerts, news, and research directly to your inbox.at https://www.wordfence.com/subscribe-to-the-wordfence-email-list/ to get security alerts, news, and research directly to your inbox.

5. Check that for step for the URLs also work (they do). However, do note that the anchor to #terms on the /products/wordfence-cli on our website isn't there just yet -- we have an issue open internally to track adding this.
6. Check that wordfence terms works as expected (it does). I spot checked the terms by checking that each section was there and the first and last paragraph show in the CLI. There is also a line after the terms that repeats the block of text above under step four.

NOTES:
Note the CLI help was updated as well, an example is provided for interactive and non-interactive configure now. This change looks good and makes sense to me.

My testing was pretty exhaustive and included a lot of exploratory testing; I am confident non-interactive configure should work in 99%+ of situations but it could be possible strange values passed to these arguments, unique environments, etc could result in issues. I used my best judgement while testing and tested in a few different linux environments, although I basically smoke tested environments outside of Ubuntu 22.04.

from wordfence-cli.

Reopening.

Now on my environment with the same rc4 I have been seeing the following as per slack discussion with Alex:

david@ilovelamp:~$ ./wordfence-v2.1.0rc4-binary configure --request-license --accept-terms --workers 8 -D -o --debug
Current license: 734d<REDACTED>b8d
Free Wordfence CLI license obtained successfully: e306<REDACTED>ac2e
Writing config to /home/david/.config/wordfence/wordfence-cli.ini...
Config saved to /home/david/.config/wordfence/wordfence-cli.ini
Traceback (most recent call last):
  File "main.py", line 4, in <module>
  File "wordfence/cli/cli.py", line 173, in main
  File "wordfence/cli/cli.py", line 43, in process_exception
  File "wordfence/cli/cli.py", line 171, in main
  File "wordfence/cli/cli.py", line 164, in invoke
  File "wordfence/cli/configure/configure.py", line 21, in invoke
  File "wordfence/cli/configurer.py", line 348, in prompt_for_config
NameError: name 'license' is not defined
[1106495] Failed to execute script 'main' due to unhandled exception!

from wordfence-cli.

v2.1.0rc5 12/1/23

SUMMARY:
QA validation PASSED. I can confirm the latest reported issue (my last comment) is now resolved. It was an environmental problem and as such other QA did not observe this; that said it was something worth fixing as others could possibly run into it. The issue is now resolved (a la PR number 179) in my environment where I originally saw the issue (and could reproduce each time prior to the fix).

VALIDATION STEPS

1. On my environment where I reproduced the problem "Error: 'license' is not defined", attempt to run the same command again but with RC5 -- the command now succeeds without issue. Smoke test of vuln-scan and malware-scan look good.

from wordfence-cli.

Reopening 12/12/23 - v2.1.0rc[1-8]

I noticed last night while writing out automation for the terms subcommand that a license needs to be passed or configuration done. My apologies for not finding this sooner during regression testing. I've added this as a test case for our regression test plan so its checked going forward. I am also adding automation for this to check that wordfence terms does not require any prior configuration or a license passed.

from wordfence-cli.

v2.1.0rc9 12/12/23

I can confirm I can run wordfence terms now without any issues in an environment that has not configure'd before (no .cache/wordfence folder and .config/wordfence folder. The terms are displayed without issue and show all expected content.Passing this issue.

from wordfence-cli.