conjur-asset-dsl2 0.3.0

data/lib/conjur/dsl2/planner/grants.rb

@@ -0,0 +1,85 @@
+require 'conjur/dsl2/planner/base'
+
+module Conjur
+  module DSL2
+    module Planner
+      class Grant < Base
+        # Plans a role grant.
+        # 
+        # The Grant record can list multiple roles and members. Each member should
+        # be granted every role. If the +replace+ option is set, then any existing
+        # grant on a role that is *not* given should be revoked, except for role admins.
+        def do_plan
+
+          roles = Array(record.roles)
+          members = Array(record.members)
+          given_grants = Hash.new { |hash, key| hash[key] = [] }
+          given_admins = Set.new
+          requested_grants = Hash.new { |hash, key| hash[key] = [] }
+
+          # Check all roles / members involved
+          (roles + members.map(&:role)).each do |role|
+            error("role not found: #{scoped_roleid(role)} in #{plan.roles_created.to_a}") unless role_exists?(role)
+          end
+
+          roles.each do |role|
+            grants = begin
+              api.role(scoped_roleid(role)).members
+            rescue RestClient::ResourceNotFound
+              []
+            end
+            
+            grants.each do |grant|
+              member_roleid = grant.member.roleid
+              given_grants[scoped_roleid(role)].push [ member_roleid, grant.admin_option ]
+              given_admins << member_roleid if grant.admin_option
+            end
+            members.each do |member|
+              requested_grants[scoped_roleid(role)].push [ scoped_roleid(member.role), !!member.admin ]
+            end
+          end
+          
+          roles.each do |role|
+            roleid = scoped_roleid(role)
+            given = given_grants[roleid]
+            requested = requested_grants[roleid]
+            
+            (Set.new(requested) - Set.new(given)).each do |p|
+              member, admin = p
+              grant = Conjur::DSL2::Types::Grant.new
+              grant.role = role_record roleid
+              grant.member = Conjur::DSL2::Types::Member.new role_record(member)
+              grant.member.admin = true if admin
+              action grant
+            end
+
+            if record.replace
+              (Set.new(given) - Set.new(requested)).each do |p|
+                member, _ = p
+                member_roleid = role_record(member).roleid(account)
+                next if given_admins.member?(member_roleid)
+                revoke = Conjur::DSL2::Types::Revoke.new
+                revoke.role = role_record roleid
+                revoke.member = role_record(member)
+                action revoke
+              end
+            end
+          end
+        end
+      end
+      
+      class Revoke < Base
+        def do_plan
+          Array(record.roles).each do |role|
+            Array(record.members).each do |member|
+              revoke = Conjur::DSL2::Types::Revoke.new
+              revoke.role = role
+              revoke.member = member
+              action revoke
+            end
+          end
+        end        
+      end
+    end
+  end
+end

data/lib/conjur/dsl2/planner/permissions.rb

@@ -0,0 +1,80 @@
+require 'conjur/dsl2/planner/base'
+require 'set'
+
+module Conjur
+  module DSL2
+    module Planner
+      # Plans a permission.
+      #
+      # The Permit record can list multiple roles, privileges, and resources. Each privilege should
+      # be allowed to each role on each resource. If the +replace+ option is set, then any existing
+      # privilege on an existing resource that is *not* given should be denied.
+      class Permit < Base
+        def do_plan
+
+          resources = Array(record.resources)
+          privileges = Array(record.privilege)
+          given_permissions = Hash.new { |hash, key| hash[key] = [] }
+          requested_permissions = Hash.new { |hash, key| hash[key] = [] }
+
+
+
+          resources.each do |resource|
+            permissions = begin
+              JSON.parse(api.resource(scoped_resourceid(resource)).get)['permissions'] 
+            rescue RestClient::ResourceNotFound
+              []
+            end
+
+            permissions.each do |permission|
+              if privileges.member?(permission['privilege'])
+                given_permissions[[permission['privilege'], permission['resource']]].push [ permission['role'], permission['grant_option'] ]
+              end
+            end
+
+            privileges.each do |privilege|
+              Array(record.roles).each do |role|
+                requested_permissions[[privilege, scoped_resourceid(resource)]].push [ scoped_roleid(role.role), !!role.admin ]
+              end
+            end
+          end
+                      
+          resources.each do |resource|
+            error("resource not found: #{resource}") unless resource_exists?(resource)
+
+            privileges.each do |privilege|
+
+              target = scoped_resourceid(resource)
+              given = given_permissions[[privilege, target]]
+              requested = requested_permissions[[privilege, target]]
+
+              (Set.new(requested) - Set.new(given)).each do |p|
+                role, admin = p
+
+                error("role not found: #{role}") unless role_exists?(role)
+
+                permit = Conjur::DSL2::Types::Permit.new
+                permit.resource = resource_record target
+                permit.privilege = privilege
+                permit.role = Conjur::DSL2::Types::Member.new role_record(role)
+                permit.role.admin = true if admin
+                action permit
+              end
+
+              if record.replace
+                (Set.new(given) - Set.new(requested)).each do |p|
+                  role, admin = p
+                  deny = Conjur::DSL2::Types::Deny.new
+                  deny.resource = resource_record target
+                  deny.privilege = privilege
+                  deny.role = role_record(role)
+                  action deny
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conjur/dsl2/planner/record.rb

@@ -0,0 +1,102 @@
+require 'conjur/dsl2/planner/base'
+
+module Conjur
+  module DSL2
+    module Planner      
+      module ActsAsRecord
+        # Record objects sort before everything else
+        def <=> other
+          other.kind_of?(ActsAsRecord) ? 0 : -1
+        end
+
+        def do_plan
+          if object.exists?
+            update_record
+          else
+            create_record
+          end
+        end
+
+        def to_s
+          "<#{self.class.name} #{record.to_s}>"
+        end
+      end
+      
+      class Role < Base
+        include ActsAsRecord
+        
+        alias object role
+      end
+      
+      class Resource < Base
+        include ActsAsRecord
+        
+        alias object resource
+      end
+      
+      class Record < Base
+        include ActsAsRecord
+        
+        def object
+          @object ||= api.send(record.resource_kind, scoped_id(record))
+        end
+      end
+      
+      class Webservice < Resource
+      end
+
+      class Policy < Base
+        def do_plan
+          role = record.role(default_account)
+          Role.new(role, api).tap do |role|
+            role.plan = plan
+            role.do_plan
+          end
+
+          if record.body.nil?
+            error('missing body element in policy')
+          end
+
+          plan.ownerid = role.roleid(account)
+          resource = record.resource(default_account)
+          if record.annotations
+            resource.annotations = record.annotations
+          end
+
+          Resource.new(resource, api).tap do |resource|
+            resource.plan = plan
+            resource.do_plan
+          end
+
+          planners = record.body.map do |record|
+            Planner.planner_for(record, api)
+          end.sort
+
+          planners.each do |planner|
+            ownerid = plan.ownerid
+            begin
+              plan.policy = self.record
+              
+              # Set the ownerid to the namespace-scoped roleid of the policy
+              ownerid = plan.policy.roleid(account)
+              if plan.namespace
+                account, kind, id = ownerid.split(':', 3)
+                ownerid = [ account, kind, [ plan.namespace, id ].join("/") ].join(":")
+              end
+              ownerid = ownerid
+              plan.ownerid = ownerid
+
+              planner.plan = plan
+              planner.trace("planning...")
+              planner.do_plan
+              planner.trace("ok!")
+            ensure
+              plan.policy = nil
+              plan.ownerid = ownerid
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conjur/dsl2/planner.rb

@@ -0,0 +1,38 @@
+require 'conjur/dsl2/plan'
+require 'conjur/dsl2/planner/record'
+require 'conjur/dsl2/planner/permissions'
+require 'conjur/dsl2/planner/grants'
+
+module Conjur
+  module DSL2
+    module Planner
+      class << self
+        def plan records, api, options = {}
+          namespace = options[:namespace]
+          ownerid   = options[:ownerid]
+          Plan.new.tap do |plan|
+            plan.namespace = namespace if namespace
+            plan.ownerid = ownerid if ownerid
+            records.map{ |record| planner_for(record, api) }.sort.each do |planner|
+              planner.plan = plan
+              begin
+                planner.do_plan
+              ensure
+                planner.plan = nil
+              end
+            end        
+          end
+        end
+        
+        def planner_for record, api
+          cls = begin
+            const_get record.class.name.split("::")[-1]
+          rescue NameError
+            Record
+          end
+          cls.new record, api
+        end
+      end
+    end
+  end
+end

data/lib/conjur/dsl2/ruby/loader.rb

@@ -0,0 +1,263 @@
+class Object
+  # Dear Ruby, I wish instance variables order was stable, because if it was
+  # then YAML would always come out the same.
+  def to_yaml_properties
+    instance_variables.sort
+  end
+end
+
+module Conjur
+  module DSL2
+    module Ruby
+      module RecordLoader
+        def respond_to_missing? sym, include_all = false
+          super or Conjur::DSL2::Types.const_get sym.to_s.classify rescue nil
+        end
+      end
+      
+      # Implement +method_missing+ to reference basic types like Group, User, Layer, etc.
+      # Anything from Conjur::DSL2::Types is fair game.
+      module RecordReferenceFactory
+        include RecordLoader
+        
+        # The record can have a constructor with 0 or 1 arguments. If it takes 1 argument,
+        # it will be populated with the first +args+, if any. It's assumed to be the id.
+        def method_missing sym, *args, &block
+          kind = Conjur::DSL2::Types.const_get sym.to_s.classify rescue nil
+          if kind
+            object = kind.new(*args)
+            raise "#{kind.short_name} is not createable here" unless object.role? || object.resource?
+            handle_object object, &block
+            object
+          else
+            super
+          end
+        end
+        
+        def handle_object object, &block
+          # pass
+        end
+      end
+      
+      # Construct record properties in a block and yield the record to the loader.
+      module RecordFactory
+        include RecordReferenceFactory
+        
+        def handle_object object, &block
+          push object
+          do_scope object, &block
+        end
+      end
+      
+      class YAMLList < Array
+        def tag
+          [ "!", self.class.name.split("::")[-1].underscore ].join
+        end
+        
+        def encode_with coder
+          coder.represent_seq tag, self
+        end
+      end
+      
+      module Tagless
+        def tag; nil; end
+      end
+      
+      module CustomStatement
+        def custom_statement handler, &block
+          record = yield
+          class << record
+            include RecordReferenceFactory
+          end
+          push record
+          do_scope record, &handler
+        end
+      end
+      
+      module Grants
+        include CustomStatement
+        
+        def grant &block
+          custom_statement(block) do
+            Conjur::DSL2::Types::Grant.new
+          end
+        end
+        
+        def revoke &block
+          custom_statement(block) do
+            Conjur::DSL2::Types::Revoke.new
+          end
+        end
+      end
+      
+      module Permissions
+        include CustomStatement
+        
+        def permit privilege, &block
+          custom_statement(block) do
+            Conjur::DSL2::Types::Permit.new(privilege)
+          end
+        end
+        
+        def give &block
+          custom_statement(block) do
+            Conjur::DSL2::Types::Give.new
+          end
+        end
+        
+        def retire &block
+          custom_statement(block) do
+            Conjur::DSL2::Types::Retire.new
+          end
+        end
+      end
+      
+      # Entitlements will allow creation of any record, as well as declaration
+      # of permit, deny, grant and revoke.
+      class Entitlements < YAMLList
+        include Tagless
+        include RecordFactory
+        include Grants
+        include Permissions
+        
+        def policy id=nil, &block
+          policy = Policy.new
+          policy.id(id) unless id.nil?
+          push policy
+
+          do_scope policy, &block
+        end
+      end
+      
+      class Body < YAMLList
+        include RecordFactory
+        include Grants
+        include Permissions
+      end
+      
+      # Policy includes the functionality of Entitlements, wrapped in a 
+      # policy role, policy resource, policy id and policy version.
+      class Policy < Conjur::DSL2::Types::Base
+        include Conjur::DSL2::Types::ActsAsResource
+        include Conjur::DSL2::Types::ActsAsRole
+        
+        def body &block
+          singleton :body, lambda { Body.new }, &block
+          @body
+        end
+        
+        def body= body
+          @body = body
+        end
+        
+        protected
+        
+        def singleton id, factory, &block
+          object = instance_variable_get("@#{id}")
+          unless object
+            object = factory.call
+            class << object
+              include Tagless
+            end
+            instance_variable_set("@#{id}", object)
+          end
+          do_scope object, &block
+        end
+      end
+      
+      module Delegation
+        def respond_to? sym, include_all = false
+          super or scope.respond_to?(sym, include_all)
+        end
+        
+        def method_missing(sym, *args, &block)
+          if scope.respond_to?(sym)
+            scope.send sym, *args, &block
+          else
+            raise NoMethodError, "undefined method `#{sym}` for #{scope}:#{scope.class}"
+          end
+        end
+      end
+      
+      class Loader
+        include Delegation
+        
+        attr_reader :script, :filename
+        
+        class << self
+          def load_file filename
+            load File.read(filename), filename
+          end
+
+          def load yaml, filename = nil
+            create(yaml, filename).load
+          end
+
+          def create(yaml, filename=nil)
+            new(yaml, filename)
+          end
+
+        end
+        
+        def initialize script, filename = nil
+          @script = script
+          @filename = filename
+          @scope = []
+        end
+
+        def loader
+          self
+        end
+
+        def load root = nil
+          args = [ script ]
+          args << filename if filename
+          root ||= Entitlements.new
+          do_scope root do
+            instance_eval(*args)
+          end
+          root
+        end
+        
+        def push_scope obj
+          @scope.push obj
+        end
+        
+        def scope
+          @scope.last
+        end
+        
+        def pop_scope
+          @scope.pop
+        end
+        
+        def do_scope obj, &block
+          push_scope obj
+          class << obj
+            attr_accessor :loader
+            
+            def do_scope obj, &block
+              loader.do_scope obj, &block
+            end
+            
+            def scope
+              loader.scope
+            end
+            
+            def to_yaml_properties
+              super - [ :"@loader" ]
+            end
+          end
+          obj.loader = self
+          begin
+            yield if block_given?
+          ensure
+            pop_scope
+          end
+        end
+      end
+      
+      Psych.add_tag "!policy", Policy
+    end
+  end
+end