conjur-asset-dsl2 0.3.0

data/lib/conjur/dsl2/executor/base.rb

@@ -0,0 +1,50 @@
+module Conjur::DSL2
+  module Executor
+    # Builds a list of execution actions for a statement. The statement
+    # is an object from Conjur::DSL2::Types. Each execution action is
+    # an HTTP method, a request path, and request parameters.
+    class Base
+      attr_reader :statement, :actions, :default_account
+      
+      def initialize statement, actions, default_account
+        @statement = statement
+        @actions = actions
+        @default_account = default_account
+      end
+      
+      def action obj
+        @actions.push obj
+      end
+      
+      def execute
+        raise "execute not implemented in #{self.class.name}"
+      end
+      
+      def resource_path record = nil
+        record ||= self.statement
+        [ "authz", record.account || default_account, "resources", record.resource_kind, record.id ].join('/')
+      end
+
+      def role_path record = nil
+        record ||= self.statement
+        [ "authz", record.account || default_account, "roles", record.role_kind, record.id ].join('/')
+      end
+    end
+    
+    module Annotate
+      def annotate
+        Array(annotate_record.annotations).each do |k,v|
+          action({
+            'method' => 'put',
+            'path' => update_annotation_path,
+            'parameters' => { "name" => k, "value" => v }
+          })
+        end
+      end
+      
+      def update_annotation_path
+        [ "authz", annotate_record.account || default_account, "annotations", annotate_record.resource_kind, annotate_record.id ].join('/')
+      end
+    end
+  end
+end

data/lib/conjur/dsl2/executor/create.rb

@@ -0,0 +1,117 @@
+module Conjur::DSL2::Executor
+  # Abstract base class for creating a new record.
+  class Create < Base
+    def record
+      statement.record
+    end
+    
+    def account
+      record.account || default_account
+    end
+  end
+
+  # Generic 'create' implementation which POSTs to a resources URL.
+  class CreateRecord < Create
+    include Annotate
+    
+    def execute
+      action({
+        'method' => 'post',
+        'path' => create_path,
+        'parameters' => create_parameters
+      })
+      annotate
+    end
+    
+    def annotate_record
+      record
+    end
+    
+    def create_path
+      [ kind_path ].join('/')
+    end
+
+    def kind_path
+      record.resource_kind.pluralize
+    end
+
+    # Each record is assumed to have an 'id' attribute required for creation.
+    # In addition, other create parameters can be specified by the +custom_attribute_names+
+    # method on the record.
+    def create_parameters
+      {
+        record.id_attribute => record.id
+      }.tap do |params|
+        custom_attrs = record.custom_attribute_names.inject({}) do |memo, attr|
+          value = record.send(attr)
+          memo[attr.to_s] = value if value
+          memo
+        end
+        params.merge! custom_attrs
+        params["ownerid"] = record.owner.roleid(record.owner.account || default_account) if record.owner
+      end
+    end
+  end
+
+  # When creating a host factory, the +roleid+ and +layer+ are required.
+  class CreateHostFactory < CreateRecord
+    def create_parameters
+      super.tap do |params|
+        params['roleid'] = record.role.roleid(default_account)
+        params['layers'] =  Array(record.layers).map(&:id)
+      end
+    end
+  end
+
+  # When creating a variable, set default values for the +mime_type+ and +kind+.  
+  class CreateVariable < CreateRecord
+    def create_parameters
+      super.tap do |params|
+        params['mime_type'] ||= 'text/plain'
+        params['kind'] ||= 'secret'
+      end
+    end
+  end
+  
+  # When creating a raw Role or Resource, the owner of the new record is specified by
+  # the +acting_as+ parameter.
+  module ActingAs
+    def acting_as_parameters
+      {}.tap do |params|
+        params["acting_as"] = record.owner.roleid(default_account) if record.owner
+      end
+    end
+  end
+
+  # Create a new Resource with a PUT request to the resource path.
+  class CreateResource < Create
+    include ActingAs
+    include Annotate
+    
+    def execute
+      action({
+        'method' => 'put',
+        'path' => resource_path(statement.record),
+        'parameters' => acting_as_parameters
+      })
+      annotate
+    end
+    
+    def annotate_record
+      statement.record
+    end
+  end
+
+  # Create a new Role with a PUT request to the role path.
+  class CreateRole < Create
+    include ActingAs
+
+    def execute
+      action({
+        'method' => 'put',
+        'path' => role_path(statement.record),
+        'parameters' => acting_as_parameters
+      })
+    end
+  end
+end

data/lib/conjur/dsl2/executor/deny.rb

@@ -0,0 +1,13 @@
+module Conjur::DSL2::Executor
+  # Deny a privilege with a POST request to the +deny+ url of the resource, with the privilege
+  # and role as parameters.
+  class Deny < Base
+    def execute
+      action({
+        'method' => 'post',
+        'path' => "#{resource_path(statement.resource)}?deny",
+        'parameters' => { "privilege" => statement.privilege, "role" => statement.role.roleid(default_account) }
+      })
+    end
+  end
+end

data/lib/conjur/dsl2/executor/give.rb

@@ -0,0 +1,12 @@
+module Conjur::DSL2::Executor
+  # Change the owner of a resource with a PUT request to the resource path, specifying the new owner.
+  class Give < Base
+    def execute
+      action({
+        'method' => 'put',
+        'path' => resource_path(statement.resource),
+        'parameters' => { "owner" => statement.owner.roleid(default_account) }
+      })
+    end
+  end
+end

data/lib/conjur/dsl2/executor/grant.rb

@@ -0,0 +1,13 @@
+module Conjur::DSL2::Executor
+  class Grant < Base
+    def execute
+      parameters = { "member" => statement.member.role.roleid(default_account) }
+      parameters['admin_option'] = statement.member.admin unless statement.member.admin.nil?
+      action({
+        'method' => 'put',
+        'path' => "authz/#{statement.role.account || default_account}/roles/#{statement.role.role_kind}/#{statement.role.id}?members",
+        'parameters' => parameters
+      })
+    end
+  end
+end

data/lib/conjur/dsl2/executor/permit.rb

@@ -0,0 +1,16 @@
+module Conjur::DSL2::Executor
+  # Permit a privilege with a POST request to the +permit+ url of the resource, with the privilege
+  # and role as parameters. +grant_option+ is also provided if it is explicitly stated on the Permit
+  # record.
+  class Permit < Base
+    def execute
+      parameters = { "privilege" => statement.privilege, "role" => statement.role.role.roleid(default_account) }
+      parameters['grant_option'] = admin unless statement.role.admin.nil?
+      action({
+        'method' => 'post',
+        'path' => "#{resource_path(statement.resource)}?permit",
+        'parameters' => parameters
+      })
+    end
+  end
+end

data/lib/conjur/dsl2/executor/retire.rb

@@ -0,0 +1,7 @@
+module Conjur::DSL2::Executor
+  class Retire < Base
+    def execute
+      raise "Retire is not implemented"
+    end
+  end
+end

data/lib/conjur/dsl2/executor/revoke.rb

@@ -0,0 +1,11 @@
+module Conjur::DSL2::Executor
+  class Revoke < Base
+    def execute
+      action({
+        'method' => 'delete',
+        'path' => "#{role_path(statement.role)}?members",
+        'parameters' => { "member" => statement.member.roleid(default_account)}
+      })
+    end
+  end
+end

data/lib/conjur/dsl2/executor/update.rb

@@ -0,0 +1,31 @@
+module Conjur::DSL2::Executor
+  class Update < Base
+    include Annotate
+    
+    def execute
+      statement.record.custom_attribute_names.each do |attr|
+        value = statement.record.send(attr)
+        action({ 
+          'method' => 'put',
+          'path' => update_path,
+          'parameters' => { attr.to_s => value }
+        })
+      end
+      
+      annotate
+    end
+
+    def kind_path
+      statement.record.resource_kind.pluralize
+    end
+    
+    def update_path
+      require 'cgi'
+      [ kind_path, CGI.escape(statement.record.id) ].join('/')
+    end
+    
+    def annotate_record
+      statement.record
+    end
+  end
+end

data/lib/conjur/dsl2/executor.rb

@@ -0,0 +1,99 @@
+module Conjur
+  module DSL2
+    module Executor
+    end
+  end
+end
+
+require 'conjur/dsl2/executor/base'
+require 'conjur/dsl2/executor/create'
+require 'conjur/dsl2/executor/give'
+require 'conjur/dsl2/executor/grant'
+require 'conjur/dsl2/executor/revoke'
+require 'conjur/dsl2/executor/permit'
+require 'conjur/dsl2/executor/deny'
+require 'conjur/dsl2/executor/retire'
+require 'conjur/dsl2/executor/update'
+
+module Conjur
+  module DSL2
+    module Executor
+      class << self
+        def class_for action
+          if action.is_a?(Conjur::DSL2::Types::Create)
+            class_name = action.record.class.name.split("::")[-1]
+            begin
+              Conjur::DSL2::Executor.const_get([ "Create", class_name ].join)
+            rescue NameError
+              Conjur::DSL2::Executor::CreateRecord
+            end
+          else
+            class_name = action.class.name.split("::")[-1]
+            Conjur::DSL2::Executor.const_get(class_name)
+          end
+        end
+      end
+    end
+        
+    class HTTPExecutor
+      def initialize api
+        @api = api
+      end
+      
+      def execute actions
+        require 'net/https'
+        uri = URI.parse(Conjur.configuration.appliance_url)
+        @base_path = uri.path
+        Net::HTTP.start uri.host, uri.port, use_ssl: true do |http|
+          @http = http
+          actions.each do |step|
+            invoke step
+          end
+        end
+      end
+      
+      protected
+      
+      def invoke step
+        send step['method'], step['path'], step['parameters']
+      end
+      
+      def create path, parameters
+        request = Net::HTTP::Post.new [ @base_path, path ].join('/')
+        request.set_form_data parameters
+        send_request request
+      end
+
+      alias post create
+      
+      def update path, parameters
+        request = Net::HTTP::Put.new [ @base_path, path ].join('/')
+        request.set_form_data parameters
+        send_request request
+      end
+      
+      alias put update
+      
+      def delete path, parameters
+        uri = URI.parse([ @base_path, path ].join('/'))
+        uri.query = [uri.query, parameters.map{|k,v| [ k, URI.escape(v) ].join('=')}.join("&")].compact.join('&') 
+        request = Net::HTTP::Delete.new [ uri.path, '?', uri.query ].join
+          
+        send_request request
+      end
+
+      def send_request request
+        # $stderr.puts "#{request.method.upcase} #{request.path} #{request.body}"
+        require 'base64'
+        request['Authorization'] = "Token token=\"#{Base64.strict_encode64 @api.token.to_json}\""
+        response = @http.request request
+        # $stderr.puts response.code
+        if response.code.to_i >= 300
+          $stderr.puts "#{request.method.upcase} #{request.path} #{request.body} failed with error #{response.code}:"
+          # $stderr.puts "Request failed with error #{response.code}:"
+          $stderr.puts response.body
+        end
+      end
+    end
+  end
+end

data/lib/conjur/dsl2/invalid.rb

@@ -0,0 +1,12 @@
+module Conjur
+  module DSL2
+    class Invalid < Exception
+      attr_reader :mark
+      
+      def initialize message, filename, mark
+        super [ "Error at line #{mark.line}, column #{mark.column} in #{filename}", message ].join(' : ')
+        @mark = mark
+      end
+    end
+  end
+end

data/lib/conjur/dsl2/plan.rb

@@ -0,0 +1,49 @@
+module Conjur
+  module DSL2
+    class Plan
+      attr_reader :actions, :policy, :roles_created, :resources_created
+      attr_accessor :namespace, :ownerid
+
+      
+      def initialize namespace = nil
+        @namespace = namespace
+        @actions = []
+        @policy = nil
+        @roles_created = Set.new
+        @resources_created = Set.new
+      end
+      
+      def scoped_id id
+        id = id.id if id.respond_to?(:id)
+
+        # id is nil means it should have the same id as the policy
+        id = '' if id.nil?
+
+        if id[0] == '/'
+          id[1..-1]
+        else
+
+          tokens = []
+          tokens.push @namespace if @namespace
+          tokens.push @policy.id if @policy
+
+          if id.start_with?(tokens.join('/') + '/')
+            id
+          else
+            tokens.push id unless id.empty?
+            tokens.join('/')
+          end
+        end
+      end
+      
+      def policy= policy
+        raise "Plan policy is already specified" if @policy && policy
+        @policy = policy
+      end
+      
+      def action a
+        @actions.push a
+      end
+    end
+  end
+end

data/lib/conjur/dsl2/planner/base.rb

@@ -0,0 +1,215 @@
+module Conjur
+  module DSL2
+    module Planner
+      class Base
+
+        attr_reader :record, :api
+        attr_accessor :plan
+
+
+        def initialize record, api
+          @record = record
+          @api = api
+        end
+        
+        def action a
+          @plan.action a
+        end
+        
+        def scoped_id id
+          @plan.scoped_id id
+        end
+        
+        def scoped_roleid record
+          record = record.roleid(default_account) unless record.kind_of?(String)
+          account, kind, id = record.split(':', 3)
+          [ account, kind, scoped_id(id) ].join(":")
+        end
+
+        def scoped_resourceid record
+          record = record.resourceid(default_account) unless record.kind_of?(String)
+          account, kind, id = record.split(':', 3)
+          [ account, kind, scoped_id(id) ].join(":")
+        end
+          
+        def account
+          (record.account rescue nil) || default_account
+        end
+
+        def default_account
+          Conjur.configuration.account
+        end
+        
+        def role_record fullid
+          account, kind, id = fullid.split(':', 3)
+          if kind == '@'
+            Conjur::DSL2::Types::ManagedRole.build fullid, default_account
+          else
+            if record_class = record_type(kind)
+              record_class.new.tap do |record|
+                record.account = account unless account == default_account
+                unless record.is_a?(Conjur::DSL2::Types::Variable)
+                  record.kind = kind if record.respond_to?(:kind=)
+                end
+                record.id = id
+              end
+            else
+              Conjur::DSL2::Types::Role.new(fullid, default_account: default_account)
+            end
+          end
+        end
+        
+        def record_type kind
+          begin
+            Conjur::DSL2::Types.const_get(kind.classify)
+          rescue NameError
+            nil
+          end
+        end
+        
+        alias resource_record role_record
+        
+        def resource
+          api.resource(scoped_resourceid record)
+        end
+        
+        def role
+          api.role(scoped_roleid record)
+        end
+
+        # Sort in canonical order -- basically, a `Record` or `Create` comes before everything
+        # else.  So the base class's sort just places those before us, and anything else gets 0.
+        def <=> other
+          other.kind_of?(Conjur::DSL2::Planner::ActsAsRecord) ? 1 : 0
+        end
+
+        def resource_exists? resource
+          resource_id = resource.kind_of?(String) ? resource : scoped_resourceid(resource)
+          (plan.resources_created.include?(resource_id) ||  api.resource(resource_id).exists?)
+        end
+
+        def role_exists? role
+          role_id = role.kind_of?(String) ? role : scoped_roleid(role)
+          # I believe it's correct to assume manged roles exist?
+          return true if role_id.split(':',2).last.start_with?('@')
+
+          plan.roles_created.include?(role_id) || api.role(role_id).exists?
+        end
+
+        def error message
+          # For now raise it, we can think about trying to recover down the road
+          raise message
+        end
+
+        def trace message
+          if trace_enabled?
+            $stderr.puts "[trace #{record}] #{message}"
+          end
+        end
+
+        def trace_enabled?
+          ENV["DSL_PLANNER_TRACE"] || !!@trace_enabled
+        end
+
+        def trace_enabled= enabled
+          @trace_enabled = enabled
+        end
+
+
+        def update_record
+          update = Conjur::DSL2::Types::Update.new
+          update.record = record
+          record.id = scoped_id(record)
+
+          changed = false
+          record.custom_attribute_names.each do |attr|
+            existing_value = object.attributes[attr]
+            new_value = record.send(attr)
+            if new_value
+              if new_value == existing_value
+                record.send "#{attr}=", nil
+              else
+                raise "Cannot modify immutable attribute '#{record.resource_kind}.#{attr}'" if record.immutable_attribute_names.member?(attr)
+                changed = true
+              end
+            end
+          end
+          
+          if record.resource?
+            existing = resource.exists? ? resource.annotations : {}
+            current = record.annotations.kind_of?(::Array) ? record.annotations[0] : record.annotations
+            (record.annotations||{}).keys.each do |attr|
+              existing_value = existing[attr]
+              new_value = record.annotations[attr]
+              if new_value == existing_value
+                record.annotations.delete attr
+              else
+                changed = true
+              end
+            end
+            
+            if record.owner && resource.owner != scoped_roleid(record.owner)
+              give = Conjur::DSL2::Types::Give.new
+              give.resource = Conjur::DSL2::Types::Resource.new(record.resourceid(default_account), default_account: default_account)
+              give.owner = Conjur::DSL2::Types::Role.new(scoped_roleid(record.owner), default_account: default_account)
+              action give
+              
+              if record.role?
+                grant = Conjur::DSL2::Types::Grant.new
+                grant.role = Conjur::DSL2::Types::Role.new(record.roleid(default_account), default_account: default_account)
+                grant.member = Conjur::DSL2::Types::Member.new
+                grant.member.role = Conjur::DSL2::Types::Role.new(scoped_roleid(record.owner), default_account: default_account)
+                grant.member.admin = true
+                action grant
+              end
+            end
+          end
+          
+          action update if changed
+        end
+        
+        def create_record
+          create = Conjur::DSL2::Types::Create.new
+          create.record = record
+          record.id = scoped_id(record)
+          if record.owner
+            record.owner = Conjur::DSL2::Types::Role.new(scoped_roleid(record.owner), default_account: default_account)
+          elsif plan.ownerid
+            record.owner = Conjur::DSL2::Types::Role.new(plan.ownerid, default_account: default_account)
+          end
+          
+          if record.resource?
+            existing = resource.exists? ? resource.annotations : {}
+            # And this is why we don't name a class Array.
+            current  = record.annotations.kind_of?(::Array) ? record.annotations[0] : record.annotations
+            (current||{}).keys.each do |attr|
+              existing_value = existing[attr]
+              new_value = current[attr]
+              if new_value == existing_value
+               current.delete attr
+              end
+            end
+          end
+
+          plan.roles_created.add(record.roleid(account)) if record.role?
+          plan.resources_created.add(record.resourceid(account)) if record.resource?
+          action create
+        end
+      end
+      
+      class Array < Base
+
+        def do_plan
+          planners = record.map do |item|
+            Planner.planner_for(item, api)
+          end.sort
+
+          planners.each do |planner|
+            planner.plan = self.plan
+            planner.do_plan
+          end
+        end
+      end
+    end
+  end
+end