RubyGems - conjur-asset-dsl2 - Versions diffs - 0.3.0 → 0.3.1 - Mend

conjur-asset-dsl2 0.3.0 → 0.3.1

Files changed (8) hide show

checksums.yaml +4 -4
data/.gitignore +1 -0
data/CHANGELOG +6 -1
data/README.md +46 -89
data/lib/conjur/command/dsl2.rb +3 -2
data/lib/conjur/dsl2/executor/permit.rb +1 -1
data/lib/conjur-asset-dsl2-version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1f54a2250aa76f9ecd167caa91122a99ffeb388b
-  data.tar.gz: 2084a24c0bc0c6c64d4c7c91a552039e033edfd7
+  metadata.gz: e915d65bc1f467993ab51ed838e84588d8598ca1
+  data.tar.gz: 0afcc5306330c1cb033860029b3b2cc66211a85a
 SHA512:
-  metadata.gz: de9819ba823e23fda6e4ee2053d369c3b981343eb933efac1b57e974ed9bf781626a3ecca761e6a30e2efe6bb0e466da2a461e336edfe9379428ac1533d741a8
-  data.tar.gz: 8792bf0c8f7208fdf60c4ab5854c8add51911f073e28e83f5a10555112c437a4ce7db336f20064432e9fdfecdb79ca9e8b3dc97596e0d769b893a50f70d90c76
+  metadata.gz: 5a20646d032545e0a9a0ba18420287b6c10931cdfa50f4c6286b4cc06f1b2162eaa74cf6ede6dd1c9fb08ceff21f5ac95fb43f336b992676adbb2eb6f04613a6
+  data.tar.gz: 70bab16389541cb67e40981fa7677b10a7717cf2aa9a90a6d57cf1022b469cd6f4c029c319b7f6d0e79276bd4e31b8ce0cbdee9cf9fd59e4dd81f585103fc26c

data/.gitignore CHANGED Viewed

@@ -12,3 +12,4 @@ plan*.yml
 /spec/reports/
 /tmp/
 /features/reports/
+.idea

data/CHANGELOG CHANGED Viewed

@@ -1 +1,6 @@
-* 0.3.0 Initial stable version
+# 0.3.1
+ * Fix bug in executor for permissions
+# 0.3.0
+ * Initial stable version

data/README.md CHANGED Viewed

@@ -21,24 +21,46 @@ Also possible:
 * Revoke roles
 * Deny privileges
+# Installation
+DSL2 is available as a conjur plugin (via rubygems).  You can install it with the following command:
+```ssh-session
+conjur plugin install dsl2
+```
+Upon successful installation, running `conjur help` should show a toplevel `policy2` command.
+# Command Line Usage
+Conjur DSL2 accepts policies in the new YAML format, described below.
+The `policy2` command has two subcommands, `load` and `import`.  The `load` command is used to load a policy file
+in one shot, or to "preview" the actions that would be taken if the policy were loaded (using the `--dry-run` option).
+For details on the usage of this command, run `conjur help policy2 load`.
+The `conjur policy2 import` command can be used to execute a plan produced by the `conjur policy2 load --dry-run --format yaml`
+command.
+# Examples
+You can find many examples of the new YAML syntax in the
+[Conjur enterprise example repo](https://github.com/conjurdemos/enterprise-example/tree/dsl2/policy).  Note that only
+the YAML syntax is currently supported, not the ruby DSL.
+You can also find examples in the [test fixtures](https://github.com/conjurinc/conjur-asset-dsl2/tree/master/spec/lib/fixtures)
+for this project.  These fixtures embed the policy in a yaml document that also describes the initial state of the
+Conjur server, the expected plan, and the expected execution (or in the case of a fixture that is expected to fail,
+the expected exception).
 # Functionality overview
 ## `policy`
 A `policy` definition creates a versioned policy role and resource. The policy role is the owner of all new records contained with in it.
-In Ruby, when a DSL is loaded as a policy, the policy record is already created an in scope. Policy fields such as `id`, `records`, `permissions` etc can be populated directly.
-```ruby
-policy "myapp/v1" do
-	body do
-		group "secrets-managers"
-		layer "webserver"
-	end
-end
-```
 In YAML:
 ```yaml
@@ -48,18 +70,6 @@ In YAML:
 ## Create and Update Records
-In Ruby, record create/update is enclosed in a `records` block. Each record is created by calling a function with the record `kind`, passing the record id as the argument. Attributes and annotations can be set in a block.
-```ruby
-user "alice"
-user "bob" do
-	uidnumber 1001
-	annotation "email", "bob@mycorp.com"
-end
-```
 Here's how to create two users in YAML:
 ```yaml
@@ -76,56 +86,30 @@ The type of record that you want to create is indicated by the YAML tag. The id
 An example in which `alice` and the `ops` group are the only members of the `developers` group.
-```ruby
-grant do
-	role group("developers")
-	member user("alice")
-	member group("ops)", admin:true
-	exclusive true
-end
-```
-And in YAML:
 ```yaml
 - !grant
   role: !group developers
   members:
     - !user alice
-    -
+    - !member
       role: !group ops
       admin: true
-  exclusive: true
+  replace: true
 ```
 A member is composed of the `role` (or `roles`) being granted and the `member` (or `members`) which will get the role.
 The `member` can be a plain role (again using the YAML tag to indicate the record type), if the role is granted without admin capability. To grant a role with admin, the role member is a structured entry composed of the `role` and the `admin` flag.
-Note that when the `exclusive` feature is used, any existing role members that are **not** specified in the policy will be revoked. So in the example above, `!user alice` and `!group ops` will be the *only* members of `!group developers`.
+Note that when the `replace` feature is used, any existing role members that are **not** specified in the policy will be revoked. So in the example above, `!user alice` and `!group ops` will be the *only* members of `!group developers`.
 ## Permissions
 Like `grant` is used to grant roles, `permit` is used to give permissions on a resource.
-```ruby
-permit %w(read execute) do
-	resource variable("db-password")
-	role group("developers")
-	role layer("app-server")
-end
-permit "update" do
-	resource variable("db-password")
-	role group("developers")
-	exclusive: true
-end
-```
 ```yaml
 # developers group and the app-server layer are
-# the only roles which can read and execute the secret.
+# granted permission to read and execute the secret.
 - !permit
   resource: !variable db-password
   privilege: [ read, execute ]
@@ -138,20 +122,11 @@ end
   resource: !variable db-password
   privilege: update
   role: !group developers
-  exclusive: true
+  replace: true
 ```
 Use `deny` to remove a privilege without affecting the other privileges:
-```ruby
-deny %w(read execute) do
-	resource variable("db-password")
-	role layer("app-server")
-end
-```
-In YAML:
 ```yaml
 - !deny
   resource: !variable dev/db-password
@@ -163,13 +138,6 @@ In YAML:
 Ownership of a record (or group of records) can be assigned using the `owner` field:
-```ruby
-variable "db_password" do
-	owner group("developers")
-end
-```
-In YAML:
 ```yaml
 - !variable
@@ -208,38 +176,27 @@ These are the benefits of the policy DSL, as imagined internally by the Conjur t
 * Deprovisioning of users is robust, and does not violate consistency of the database
 * Export and import of permission models will be very straightforward, making it possible to implement Conjur “staging” setups.
-# Examples
-For many examples of sample policy files, see the [examples directory](https://github.com/conjurinc/conjur-asset-dsl2/tree/master/spec/lib/round-trip).
 # Policy conflicts
 Please note that it's pretty easy to write policies which say contradictory things. For example, Policy A might use `!members` to control the members of the developers group. Another Policy B might use `!grant` to add a specific user to the developers group. When Policy B runs, it will add the user to the group. When Policy A runs, it will revoke the user. If B is run again, the user will be re-added.
-So usually good ensure that the members of a role and the privileges on a resource are managed by one approach or the other, but not both.
-## Installation
+So it's usually good ensure that the members of a role and the privileges on a resource are managed by one approach or the other, but not both.
-Add the plugin to Conjur:
-```sh-session
-$ sudo -E conjur plugin install dsl2
-```
 ## Development
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake rspec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+After cloning this repo, run `bundle install` to install dependencies, and `rspec` to run the specs.  Note that development
+typically requires a properly configured Conjur appliance, although the specs should work without one.
 ## Todo
+ * Better error messages.
+ * More checks, for example, conflicts and permissions.
-* Planner : implement change of ownership for roles.
-* Planner : verify that all records referenced by permissions and grants will exist (either pre-existing, or will be created by the policy).
 ## Contributing
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/conjur-asset-dsl2.
+Bug reports and pull requests are welcome on GitHub at https://github.com/conjurinc/conjur-asset-dsl2.
 ## License

data/lib/conjur/command/dsl2.rb CHANGED Viewed

@@ -61,9 +61,10 @@ class Conjur::Command::DSL2 < Conjur::DSLCommand
     mod.const_get "Loader"
   end
-  def self.execute api, records
+  def self.execute api, records, options = {}
     actions = []
     records.each do |record|
+      executor_class = Conjur::DSL2::Executor.class_for(record)
       executor = Conjur::DSL2::Executor.class_for(record).new(record, actions, Conjur::Core::API.conjur_account)
       executor.execute
     end
@@ -167,7 +168,7 @@ command. Therefore, a policy can be loaded in three steps, if desired:
         filename = args.pop
         script = script_from_filename filename
-        actions = YAML.load(script, filename)
+        actions = Conjur::DSL2::YAML::Loader.load(script, filename)
         execute api, actions, options
       end
     end

data/lib/conjur/dsl2/executor/permit.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Conjur::DSL2::Executor
   class Permit < Base
     def execute
       parameters = { "privilege" => statement.privilege, "role" => statement.role.role.roleid(default_account) }
-      parameters['grant_option'] = admin unless statement.role.admin.nil?
+      parameters['grant_option'] = statement.role.admin unless statement.role.admin.nil?
       action({
         'method' => 'post',
         'path' => "#{resource_path(statement.resource)}?permit",

data/lib/conjur-asset-dsl2-version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module Conjur
   module Asset
     module DSL2
-      VERSION = "0.3.0"
+      VERSION = "0.3.1"
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-asset-dsl2
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Kevin Gilpin
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-01-11 00:00:00.000000000 Z
+date: 2016-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: safe_yaml