conjur-asset-dsl2 0.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1f54a2250aa76f9ecd167caa91122a99ffeb388b
+  data.tar.gz: 2084a24c0bc0c6c64d4c7c91a552039e033edfd7
+SHA512:
+  metadata.gz: de9819ba823e23fda6e4ee2053d369c3b981343eb933efac1b57e974ed9bf781626a3ecca761e6a30e2efe6bb0e466da2a461e336edfe9379428ac1533d741a8
+  data.tar.gz: 8792bf0c8f7208fdf60c4ab5854c8add51911f073e28e83f5a10555112c437a4ce7db336f20064432e9fdfecdb79ca9e8b3dc97596e0d769b893a50f70d90c76

data/.dockerignore

@@ -0,0 +1,2 @@
+.git
+tmp

data/.gitignore

@@ -0,0 +1,14 @@
+plan*.yaml
+plan*.yml
+.DS_Store
+*.txt
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/features/reports/

data/.project

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>conjur-asset-dsl2</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>com.aptana.ide.core.unifiedBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>com.aptana.ruby.core.rubynature</nature>
+		<nature>com.aptana.projects.webnature</nature>
+	</natures>
+</projectDescription>

data/.rspec

@@ -0,0 +1 @@
+-fdoc --color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.0.0
+before_install: gem install bundler -v 1.10.5

data/CHANGELOG

@@ -0,0 +1 @@
+* 0.3.0 Initial stable version

data/Dockerfile.dev

@@ -0,0 +1,19 @@
+FROM registry.tld/conjur-appliance-cuke-master:4.6-stable
+
+WORKDIR /src/conjur-asset-dsl2
+
+RUN mkdir -p /src/conjur-asset-dsl2
+RUN mkdir -p /src/conjur-asset-dsl2/lib
+RUN mkdir -p /src/conjur-asset-dsl2/tmp
+
+ADD Gemfile ./
+ADD conjur-asset-dsl2.gemspec ./
+ADD lib/conjur-asset-dsl2-version.rb ./lib/
+RUN bundle
+ADD . .
+
+ENV CONJUR_AUTHN_LOGIN   admin
+ENV CONJUR_AUTHN_API_KEY secret
+ENV CONJUR_ACCOUNT cucumber
+ENV CONJUR_APPLIANCE_URL https://localhost/api
+ENV CONJUR_CERT_FILE     /opt/conjur/etc/ssl/ca.pem

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in conjur-asset-dsl2.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Kevin Gilpin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,248 @@
+# Conjur `dsl2` plugin
+
+This is a Conjur plugin for a next-generation DSL, used for both policies (self contained RBAC models) and entitlements (roles and permissions which span policies and global records).
+
+The goals of the DSL are:
+
+* Fully declarative
+* Human and machine readable
+* Simplified (relative to the older Ruby DSL)
+* Safe to execute in any environment
+
+The DSL basically supports the following high-level capabilities. Each one is idempotent (it can be run repeatedly without harmful-side effects):
+
+* **Create / Update** records, such as Role, User, and Webservice
+* **Grant** roles. This basic concept covers everything from group members to adding abstract roles. Grant list can be "exclusive", which revokes the role from anyone not in the list.
+* **Permit** priviliges on resources. Each permission ("transaction" in RBAC parlance) consists of a role, a privilege, and a resource. Permission list can also be "exclusive".
+
+Also possible:
+
+* Update ownership of a record
+* Revoke roles
+* Deny privileges 
+
+# Functionality overview
+
+## `policy`
+
+A `policy` definition creates a versioned policy role and resource. The policy role is the owner of all new records contained with in it.
+
+In Ruby, when a DSL is loaded as a policy, the policy record is already created an in scope. Policy fields such as `id`, `records`, `permissions` etc can be populated directly.
+
+```ruby
+policy "myapp/v1" do
+	body do
+		group "secrets-managers"
+	
+		layer "webserver"
+	end
+end
+```
+
+In YAML:
+
+```yaml
+- !policy
+  id: myapp/v1
+```
+
+## Create and Update Records
+
+In Ruby, record create/update is enclosed in a `records` block. Each record is created by calling a function with the record `kind`, passing the record id as the argument. Attributes and annotations can be set in a block.
+
+
+```ruby
+user "alice"
+
+user "bob" do
+	uidnumber 1001
+	annotation "email", "bob@mycorp.com"
+end
+```
+
+Here's how to create two users in YAML:
+
+```yaml
+- !user alice
+- !user
+  id: bob
+```
+
+The type of record that you want to create is indicated by the YAML tag. The id of the record can either be specified inline (like the first example), or as an explicit `id` field (like the second example).
+
+## Role members
+
+`grant` is used to grant roles, which includes group membership.
+
+An example in which `alice` and the `ops` group are the only members of the `developers` group.
+
+```ruby
+grant do
+	role group("developers")
+	member user("alice")
+	member group("ops)", admin:true
+	exclusive true
+end
+```
+
+And in YAML:
+
+
+```yaml
+- !grant
+  role: !group developers
+  members:
+    - !user alice
+    - 
+      role: !group ops
+      admin: true
+  exclusive: true
+```
+
+A member is composed of the `role` (or `roles`) being granted and the `member` (or `members`) which will get the role. 
+
+The `member` can be a plain role (again using the YAML tag to indicate the record type), if the role is granted without admin capability. To grant a role with admin, the role member is a structured entry composed of the `role` and the `admin` flag.
+
+Note that when the `exclusive` feature is used, any existing role members that are **not** specified in the policy will be revoked. So in the example above, `!user alice` and `!group ops` will be the *only* members of `!group developers`.
+
+## Permissions
+
+Like `grant` is used to grant roles, `permit` is used to give permissions on a resource.
+
+```ruby
+permit %w(read execute) do
+	resource variable("db-password")
+	role group("developers")
+	role layer("app-server")
+end
+	
+permit "update" do
+	resource variable("db-password")
+	role group("developers")
+	exclusive: true
+end
+```
+
+```yaml
+# developers group and the app-server layer are
+# the only roles which can read and execute the secret.
+- !permit
+  resource: !variable db-password
+  privilege: [ read, execute ]
+  roles:
+  - !group developers
+  - !layer app-server
+  
+# developers is the only role which can update the secret.
+- !permit
+  resource: !variable db-password
+  privilege: update
+  role: !group developers
+  exclusive: true
+```
+
+Use `deny` to remove a privilege without affecting the other privileges:
+
+```ruby
+deny %w(read execute) do
+	resource variable("db-password")
+	role layer("app-server")
+end
+```
+
+In YAML:
+
+```yaml
+- !deny
+  resource: !variable dev/db-password
+  privilege: [ read, execute ]
+  role: !layer dev/app-server
+```
+
+# Ownership
+
+Ownership of a record (or group of records) can be assigned using the `owner` field:
+
+```ruby
+variable "db_password" do
+	owner group("developers")
+end
+```
+
+In YAML:
+
+```yaml
+- !variable
+  id: db_password
+  owner: !group developers
+```
+
+The owner tag will update both:
+
+* **resource owner** the role will be given ownership of the `record` resource.
+* **role owner** if the record has a corresponding role, the `owner` will be given the record role with `admin` option.
+
+# Expanded discussion of design goals
+
+This DSL format is designed to work better within automated policy management frameworks. Using these declaractive policy files, the entire authorization model of Conjur can be managed using policies.
+
+Whenever Conjur needs to be changed, a new policy is  created or an existing policy is modified. This policy is typically managed through standard source control techniques (e.g. Git pull requests), with the security team having authority to approve and merge.
+
+In this way, management of a Conjur system can be treated as code and leverage corresponding best pratices such as branches, pull requests, post-receive hooks, repository permissions and access rights, etc.
+
+In addition, because the DSL format (YAML) is machine-readable, it will be straightforward to develop visual tools for editing and managing policies. Automated generation of policy files is also simple.
+
+# Benefits
+
+These are the benefits of the policy DSL, as imagined internally by the Conjur team:
+
+* Large permission changes are described in a coherent way (modification of many corresponding rules can be described in single policy)
+* The history of permission changes is more clear and easier to track. For example, it’s easy to list and view all policies which included references to particular ID, and understand how and why specific permissions were applied/revoked. With the current CLI it’s possible to only figure out the operations done on particular object, but not the bigger context (probably involving many corresponding changes on other objects)  in which they were applied.
+* Policies can be formally validated before deployment
+* Policies will implement `dry run` mode which shows the changes that will be applied to Conjur.
+* Policies can be machine-generated:
+	* It's easy to provision many similar assets at once
+   * It's easy to generate and deploy policies from within configuration scripts
+   * It will be possible and easy to write custom ‘access management’ services, which would allow users to modify some permissions and create assets in Conjur, but will be able to enforce additional fine-grained restrictions, such as id naming conventions, etc.
+   * It will be possible and easy to write custom ‘policy builders’. After all, policy is just a data structure, which can be generated by any code.
+* Deprovisioning of users is robust, and does not violate consistency of the database
+* Export and import of permission models will be very straightforward, making it possible to implement Conjur “staging” setups.
+
+# Examples
+
+For many examples of sample policy files, see the [examples directory](https://github.com/conjurinc/conjur-asset-dsl2/tree/master/spec/lib/round-trip). 
+
+# Policy conflicts
+
+Please note that it's pretty easy to write policies which say contradictory things. For example, Policy A might use `!members` to control the members of the developers group. Another Policy B might use `!grant` to add a specific user to the developers group. When Policy B runs, it will add the user to the group. When Policy A runs, it will revoke the user. If B is run again, the user will be re-added. 
+
+So usually good ensure that the members of a role and the privileges on a resource are managed by one approach or the other, but not both.
+
+## Installation
+
+Add the plugin to Conjur:
+
+```sh-session
+$ sudo -E conjur plugin install dsl2
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake rspec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Todo
+
+* Planner : implement change of ownership for roles.
+* Planner : verify that all records referenced by permissions and grants will exist (either pre-existing, or will be created by the policy).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/conjur-asset-dsl2.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,18 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require 'ci/reporter/rake/rspec'
+require 'cucumber'
+require 'cucumber/rake/task'
+
+RSpec::Core::RakeTask.new :spec
+Cucumber::Rake::Task.new :features
+
+task :jenkins => ['ci:setup:rspec', :spec] do
+  Cucumber::Rake::Task.new do |t|
+    t.cucumber_opts = "--tags ~@wip --format progress --format junit --out features/reports"
+  end.runner.run
+
+
+end
+
+task default: [:spec, :features]

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "conjur-asset-dsl2"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+require "pry"
+Pry.start
+
+#require "irb"
+#IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/conjur-asset-dsl2.gemspec

@@ -0,0 +1,32 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'conjur-asset-dsl2-version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "conjur-asset-dsl2"
+  spec.version       = Conjur::Asset::DSL2::VERSION
+  spec.authors       = ["Kevin Gilpin"]
+  spec.email         = ["kgilpin@conjur.net"]
+
+  spec.summary       = %q{A fully declarative DSL for Conjur with Ruby and YAML syntax.}
+  spec.homepage      = "https://github.com/conjurinc/conjur-asset-dsl2"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  
+  spec.add_dependency "safe_yaml"
+
+  spec.add_development_dependency "conjur-cli"
+  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec-expectations"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "json_spec"
+  spec.add_development_dependency "cucumber"
+  spec.add_development_dependency "ci_reporter_rspec"
+  spec.add_development_dependency "aruba"
+end

data/jenkins.sh

@@ -0,0 +1,36 @@
+#!/bin/bash -e
+
+mkdir -p tmp
+
+function wait_for_conjur {
+	docker pull registry.tld/wait-for-conjur
+	docker run -i --rm --link $cid:conjur registry.tld/wait-for-conjur
+}
+
+PROJECT=conjur-asset-dsl2
+BASE_IMAGE=registry.tld/conjur-appliance-cuke-master:4.6-stable
+docker pull $BASE_IMAGE
+
+cid_file=tmp/$PROJECT-dev.cid
+
+docker build -t $PROJECT-dev -f Dockerfile.dev . 
+
+docker run \
+	-d \
+	--cidfile=$cid_file \
+	-v $PWD:/src/conjur-asset-dsl2 \
+	$PROJECT-dev
+
+cid=$(cat $cid_file)
+
+function finish {
+	rm -f $cid_file
+	docker rm -f $cid
+}
+
+wait_for_conjur
+
+
+trap finish EXIT
+
+docker exec $cid bash -c "bundle exec rake jenkins" || true

data/lib/conjur/command/dsl2.rb

@@ -0,0 +1,175 @@
+#
+# Copyright (C) 2014 Conjur Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+require 'conjur-asset-dsl2'
+
+class Conjur::Command::DSL2 < Conjur::DSLCommand
+  def self.load filename, syntax
+    script = script_from_filename filename
+    loader(filename, syntax).load script, filename
+  end
+  
+  def self.script_from_filename filename
+    if filename
+      if File.exists?(filename)
+        File.read(filename)
+      else
+        require 'open-uri'
+        uri = URI.parse(filename)
+        raise "Unable to read this kind of URL : #{filename}" unless uri.respond_to?(:read)
+        begin
+          uri.read
+        rescue OpenURI::HTTPError
+          raise "Unable to read URI #{filename} : #{$!.message}"
+        end
+      end
+    else
+      STDIN.read
+    end
+  end
+  
+  def self.loader filename, syntax
+    if syntax.nil? && filename
+      filename =~ /\.([^.]+)$/
+      syntax = $1
+    end
+    raise "No syntax provided or detected" unless syntax
+    syntax = case syntax
+    when 'yaml', 'yml'
+      'YAML'
+    when 'rb', 'ruby'
+      'Ruby'
+    end
+    mod = Conjur::DSL2.const_get syntax
+    mod.const_get "Loader"
+  end
+  
+  def self.execute api, records
+    actions = []
+    records.each do |record|
+      executor = Conjur::DSL2::Executor.class_for(record).new(record, actions, Conjur::Core::API.conjur_account)
+      executor.execute
+    end
+    Conjur::DSL2::HTTPExecutor.new(api).execute actions
+  end
+  
+  desc "Load a DSL2 policy"
+  command :policy2 do |policy|
+    
+    policy.desc "Load a policy from Conjur YAML DSL"
+    policy.long_desc <<-DESC
+Using this command, Conjur data can be specified as Ruby or YAML statements and 
+loaded into the server.
+
+Each statement performs one of the following functions:
+
+* Find or create a record, for example a group
+
+* Give a permission on a resource, e.g. permission to 'execute' a variable
+
+* Grant a role, e.g. add a member to a group.
+
+When finding or creating a record, the "namespace" option can be used to prepend
+a common prefix to each record. 
+
+If the statements are enclosed by a "policy", the id of the policy is also prepended
+to the id of each record, after the namespace.
+
+This command can load the policy directly into Conjur, and it can also operate
+in "dry run" mode. In dry run mode, an execution plan will be computed and printed,
+but the actions will not be performed. The execution plan includes only the minimal 
+set of commands which are required to apply the policy to Conjur. In effect, it's
+a "diff" between the policy and the current state of the Conjur database.
+
+The execution plan can be printed in machine-readable YAML format, or in a more 
+human-friendly text format.
+
+The YAML output of dry run mode can be used as input for the "conjur policy import"
+command. Therefore, a policy can be loaded in three steps, if desired:
+
+1) Load the policy in dry run mode to print the execution plan.
+
+2) Review the execution plan, manually or programatically.
+
+3) Import the execution plan.
+    DESC
+    policy.arg_name "(policy-file | STDIN)"
+    policy.command :load do |c|
+      
+      # Undefine options which are declared in the base (default) implementation.
+      # TODO: This code can be removed if and when dsl2 becomes the default.
+      %w(as-group as-role collection context c).each do |switch|
+        c.switches.delete switch.to_sym
+        c.flags.delete switch.to_sym
+        c.switches_declaration_order.delete_if{|s| s.name == switch.to_sym}
+        c.flags_declaration_order.delete_if{|s| s.name == switch.to_sym}
+      end
+
+      acting_as_option(c)
+
+      c.desc "Policy namespace (optional)"
+      c.flag [:namespace]
+
+      c.desc "Syntax (ruby or YAML, will be auto-detected from file extension)"
+      c.flag [:"syntax"]
+      
+      c.desc "Print the actions that would be performed"
+      c.switch [:"dry-run"]
+
+      c.desc "Output format of --dry-run mode (text, yaml)"
+      c.default_value "yaml"
+      c.flag [:"format"]
+
+      c.action do |global_options,options,args|
+        Conjur.log = "stderr"
+  
+        filename = args.pop
+        records = load filename, options[:syntax]
+        plan = Conjur::DSL2::Planner.plan(records, api, options.slice(:namespace, :ownerid))
+
+        if options[:"dry-run"]
+          case options[:"format"]
+          when 'text'
+            puts plan.actions.map(&:to_s)
+          else
+            puts plan.actions.to_yaml
+          end
+        else
+          execute api, plan.actions
+        end
+      end
+    end
+    
+    policy.desc "Import policy statements from a policy plan (aka --dry-run)"
+    policy.arg_name "(statements-file | STDIN)"
+    policy.command :import do |c|
+      acting_as_option(c)
+      
+      c.action do |global_options,options,args|
+        Conjur.log = "stderr"
+  
+        filename = args.pop
+        script = script_from_filename filename
+        actions = YAML.load(script, filename)
+        execute api, actions, options
+      end
+    end
+  end
+end