RubyGems - conjur-asset-dsl2 - Versions diffs - 0.3.0 → 0.3.1 - Mend

conjur-asset-dsl2 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/.gitignore +1 -0
data/CHANGELOG +6 -1
data/README.md +46 -89
data/lib/conjur/command/dsl2.rb +3 -2
data/lib/conjur/dsl2/executor/permit.rb +1 -1
data/lib/conjur-asset-dsl2-version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1f54a2250aa76f9ecd167caa91122a99ffeb388b
-  data.tar.gz: 2084a24c0bc0c6c64d4c7c91a552039e033edfd7
+  metadata.gz: e915d65bc1f467993ab51ed838e84588d8598ca1
+  data.tar.gz: 0afcc5306330c1cb033860029b3b2cc66211a85a
 SHA512:
-  metadata.gz: de9819ba823e23fda6e4ee2053d369c3b981343eb933efac1b57e974ed9bf781626a3ecca761e6a30e2efe6bb0e466da2a461e336edfe9379428ac1533d741a8
-  data.tar.gz: 8792bf0c8f7208fdf60c4ab5854c8add51911f073e28e83f5a10555112c437a4ce7db336f20064432e9fdfecdb79ca9e8b3dc97596e0d769b893a50f70d90c76
+  metadata.gz: 5a20646d032545e0a9a0ba18420287b6c10931cdfa50f4c6286b4cc06f1b2162eaa74cf6ede6dd1c9fb08ceff21f5ac95fb43f336b992676adbb2eb6f04613a6
+  data.tar.gz: 70bab16389541cb67e40981fa7677b10a7717cf2aa9a90a6d57cf1022b469cd6f4c029c319b7f6d0e79276bd4e31b8ce0cbdee9cf9fd59e4dd81f585103fc26c

data/.gitignore CHANGED Viewed

@@ -12,3 +12,4 @@ plan*.yml
 /spec/reports/
 /tmp/
 /features/reports/
+.idea

data/CHANGELOG CHANGED Viewed

@@ -1 +1,6 @@
-* 0.3.0 Initial stable version
+# 0.3.1
+ * Fix bug in executor for permissions
+# 0.3.0
+ * Initial stable version

data/README.md CHANGED Viewed

@@ -21,24 +21,46 @@ Also possible:
 * Revoke roles
 * Deny privileges
+# Installation
+DSL2 is available as a conjur plugin (via rubygems).  You can install it with the following command:
+```ssh-session
+conjur plugin install dsl2
+```
+Upon successful installation, running `conjur help` should show a toplevel `policy2` command.
+# Command Line Usage
+Conjur DSL2 accepts policies in the new YAML format, described below.
+The `policy2` command has two subcommands, `load` and `import`.  The `load` command is used to load a policy file
+in one shot, or to "preview" the actions that would be taken if the policy were loaded (using the `--dry-run` option).
+For details on the usage of this command, run `conjur help policy2 load`.
+The `conjur policy2 import` command can be used to execute a plan produced by the `conjur policy2 load --dry-run --format yaml`
+command.
+# Examples
+You can find many examples of the new YAML syntax in the
+[Conjur enterprise example repo](https://github.com/conjurdemos/enterprise-example/tree/dsl2/policy).  Note that only
+the YAML syntax is currently supported, not the ruby DSL.
+You can also find examples in the [test fixtures](https://github.com/conjurinc/conjur-asset-dsl2/tree/master/spec/lib/fixtures)
+for this project.  These fixtures embed the policy in a yaml document that also describes the initial state of the
+Conjur server, the expected plan, and the expected execution (or in the case of a fixture that is expected to fail,
+the expected exception).
 # Functionality overview
 ## `policy`
 A `policy` definition creates a versioned policy role and resource. The policy role is the owner of all new records contained with in it.
-In Ruby, when a DSL is loaded as a policy, the policy record is already created an in scope. Policy fields such as `id`, `records`, `permissions` etc can be populated directly.
-```ruby
-policy "myapp/v1" do
-	body do
-		group "secrets-managers"
-		layer "webserver"
-	end
-end
-```
 In YAML:
 ```yaml
@@ -48,18 +70,6 @@ In YAML:
 ## Create and Update Records
-In Ruby, record create/update is enclosed in a `records` block. Each record is created by calling a function with the record `kind`, passing the record id as the argument. Attributes and annotations can be set in a block.
-```ruby
-user "alice"
-user "bob" do
-	uidnumber 1001
-	annotation "email", "bob@mycorp.com"
-end
-```
 Here's how to create two users in YAML:
 ```yaml
@@ -76,56 +86,30 @@ The type of record that you want to create is indicated by the YAML tag. The id
 An example in which `alice` and the `ops` group are the only members of the `developers` group.
-```ruby
-grant do
-	role group("developers")
-	member user("alice")
-	member group("ops)", admin:true
-	exclusive true
-end
-```
-And in YAML:
 ```yaml
 - !grant
   role: !group developers
   members:
     - !user alice
-    -
+    - !member
       role: !group ops
       admin: true
-  exclusive: true
+  replace: true
 ```
 A member is composed of the `role` (or `roles`) being granted and the `member` (or `members`) which will get the role.
 The `member` can be a plain role (again using the YAML tag to indicate the record type), if the role is granted without admin capability. To grant a role with admin, the role member is a structured entry composed of the `role` and the `admin` flag.
-Note that when the `exclusive` feature is used, any existing role members that are **not** specified in the policy will be revoked. So in the example above, `!user alice` and `!group ops` will be the *only* members of `!group developers`.
+Note that when the `replace` feature is used, any existing role members that are **not** specified in the policy will be revoked. So in the example above, `!user alice` and `!group ops` will be the *only* members of `!group developers`.
 ## Permissions
 Like `grant` is used to grant roles, `permit` is used to give permissions on a resource.
-```ruby
-permit %w(read execute) do
-	resource variable("db-password")
-	role group("developers")
-	role layer("app-server")
-end
-permit "update" do
-	resource variable("db-password")
-	role group("developers")
-	exclusive: true
-end
-```
 ```yaml
 # developers group and the app-server layer are
-# the only roles which can read and execute the secret.
+# granted permission to read and execute the secret.
 - !permit
   resource: !variable db-password
   privilege: [ read, execute ]
@@ -138,20 +122,11 @@ end
   resource: !variable db-password
   privilege: update
   role: !group developers
-  exclusive: true
+  replace: true
 ```
 Use `deny` to remove a privilege without affecting the other privileges:
-```ruby
-deny %w(read execute) do
-	resource variable("db-password")
-	role layer("app-server")
-end
-```
-In YAML:
 ```yaml
 - !deny
   resource: !variable dev/db-password
@@ -163,13 +138,6 @@ In YAML:
 Ownership of a record (or group of records) can be assigned using the `owner` field:
-```ruby
-variable "db_password" do
-	owner group("developers")
-end
-```
-In YAML:
 ```yaml
 - !variable
@@ -208,38 +176,27 @@ These are the benefits of the policy DSL, as imagined internally by the Conjur t
 * Deprovisioning of users is robust, and does not violate consistency of the database
 * Export and import of permission models will be very straightforward, making it possible to implement Conjur “staging” setups.
-# Examples
-For many examples of sample policy files, see the [examples directory](https://github.com/conjurinc/conjur-asset-dsl2/tree/master/spec/lib/round-trip).
 # Policy conflicts
 Please note that it's pretty easy to write policies which say contradictory things. For example, Policy A might use `!members` to control the members of the developers group. Another Policy B might use `!grant` to add a specific user to the developers group. When Policy B runs, it will add the user to the group. When Policy A runs, it will revoke the user. If B is run again, the user will be re-added.
-So usually good ensure that the members of a role and the privileges on a resource are managed by one approach or the other, but not both.
-## Installation
+So it's usually good ensure that the members of a role and the privileges on a resource are managed by one approach or the other, but not both.
-Add the plugin to Conjur:
-```sh-session
-$ sudo -E conjur plugin install dsl2
-```
 ## Development
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake rspec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+After cloning this repo, run `bundle install` to install dependencies, and `rspec` to run the specs.  Note that development
+typically requires a properly configured Conjur appliance, although the specs should work without one.
 ## Todo
+ * Better error messages.
+ * More checks, for example, conflicts and permissions.
-* Planner : implement change of ownership for roles.
-* Planner : verify that all records referenced by permissions and grants will exist (either pre-existing, or will be created by the policy).
 ## Contributing
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/conjur-asset-dsl2.
+Bug reports and pull requests are welcome on GitHub at https://github.com/conjurinc/conjur-asset-dsl2.
 ## License

data/lib/conjur/command/dsl2.rb CHANGED Viewed

@@ -61,9 +61,10 @@ class Conjur::Command::DSL2 < Conjur::DSLCommand
     mod.const_get "Loader"
   end
-  def self.execute api, records
+  def self.execute api, records, options = {}
     actions = []
     records.each do |record|
+      executor_class = Conjur::DSL2::Executor.class_for(record)
       executor = Conjur::DSL2::Executor.class_for(record).new(record, actions, Conjur::Core::API.conjur_account)
       executor.execute
     end
@@ -167,7 +168,7 @@ command. Therefore, a policy can be loaded in three steps, if desired:
         filename = args.pop
         script = script_from_filename filename
-        actions = YAML.load(script, filename)
+        actions = Conjur::DSL2::YAML::Loader.load(script, filename)
         execute api, actions, options
       end
     end

data/lib/conjur/dsl2/executor/permit.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Conjur::DSL2::Executor
   class Permit < Base
     def execute
       parameters = { "privilege" => statement.privilege, "role" => statement.role.role.roleid(default_account) }
-      parameters['grant_option'] = admin unless statement.role.admin.nil?
+      parameters['grant_option'] = statement.role.admin unless statement.role.admin.nil?
       action({
         'method' => 'post',
         'path' => "#{resource_path(statement.resource)}?permit",

data/lib/conjur-asset-dsl2-version.rb CHANGED Viewed

@@ -1,7 +1,7 @@
 module Conjur
   module Asset
     module DSL2
-      VERSION = "0.3.0"
+      VERSION = "0.3.1"
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-asset-dsl2
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Kevin Gilpin
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-01-11 00:00:00.000000000 Z
+date: 2016-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: safe_yaml