conjur-asset-dsl2 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (54)
  1. checksums.yaml +7 -0
  2. data/.dockerignore +2 -0
  3. data/.gitignore +14 -0
  4. data/.project +18 -0
  5. data/.rspec +1 -0
  6. data/.travis.yml +4 -0
  7. data/CHANGELOG +1 -0
  8. data/Dockerfile.dev +19 -0
  9. data/Gemfile +4 -0
  10. data/LICENSE.txt +21 -0
  11. data/README.md +248 -0
  12. data/Rakefile +18 -0
  13. data/backup.tar +0 -0
  14. data/bin/console +14 -0
  15. data/bin/setup +7 -0
  16. data/conjur-asset-dsl2.gemspec +32 -0
  17. data/jenkins.sh +36 -0
  18. data/lib/conjur/command/dsl2.rb +175 -0
  19. data/lib/conjur/dsl2/executor/base.rb +50 -0
  20. data/lib/conjur/dsl2/executor/create.rb +117 -0
  21. data/lib/conjur/dsl2/executor/deny.rb +13 -0
  22. data/lib/conjur/dsl2/executor/give.rb +12 -0
  23. data/lib/conjur/dsl2/executor/grant.rb +13 -0
  24. data/lib/conjur/dsl2/executor/permit.rb +16 -0
  25. data/lib/conjur/dsl2/executor/retire.rb +7 -0
  26. data/lib/conjur/dsl2/executor/revoke.rb +11 -0
  27. data/lib/conjur/dsl2/executor/update.rb +31 -0
  28. data/lib/conjur/dsl2/executor.rb +99 -0
  29. data/lib/conjur/dsl2/invalid.rb +12 -0
  30. data/lib/conjur/dsl2/plan.rb +49 -0
  31. data/lib/conjur/dsl2/planner/base.rb +215 -0
  32. data/lib/conjur/dsl2/planner/grants.rb +85 -0
  33. data/lib/conjur/dsl2/planner/permissions.rb +80 -0
  34. data/lib/conjur/dsl2/planner/record.rb +102 -0
  35. data/lib/conjur/dsl2/planner.rb +38 -0
  36. data/lib/conjur/dsl2/ruby/loader.rb +263 -0
  37. data/lib/conjur/dsl2/types/base.rb +376 -0
  38. data/lib/conjur/dsl2/types/create.rb +15 -0
  39. data/lib/conjur/dsl2/types/deny.rb +17 -0
  40. data/lib/conjur/dsl2/types/give.rb +14 -0
  41. data/lib/conjur/dsl2/types/grant.rb +24 -0
  42. data/lib/conjur/dsl2/types/member.rb +14 -0
  43. data/lib/conjur/dsl2/types/permit.rb +22 -0
  44. data/lib/conjur/dsl2/types/policy.rb +129 -0
  45. data/lib/conjur/dsl2/types/records.rb +243 -0
  46. data/lib/conjur/dsl2/types/retire.rb +14 -0
  47. data/lib/conjur/dsl2/types/revoke.rb +14 -0
  48. data/lib/conjur/dsl2/types/update.rb +16 -0
  49. data/lib/conjur/dsl2/yaml/handler.rb +400 -0
  50. data/lib/conjur/dsl2/yaml/loader.rb +29 -0
  51. data/lib/conjur-asset-dsl2-version.rb +7 -0
  52. data/lib/conjur-asset-dsl2.rb +27 -0
  53. data/syntax.md +147 -0
  54. metadata +237 -0
@@ -0,0 +1,29 @@
1
+ require 'conjur-asset-dsl2'
2
+
3
+ module Conjur
4
+ module DSL2
5
+ module YAML
6
+ class Loader
7
+ class << self
8
+ def load yaml, filename = nil
9
+ parser = Psych::Parser.new(handler = Handler.new)
10
+ handler.filename = filename
11
+ handler.parser = parser
12
+ begin
13
+ parser.parse(yaml)
14
+ rescue
15
+ handler.log { $!.message }
16
+ handler.log { $!.backtrace.join(" \n") }
17
+ raise Invalid.new($!.message, filename, parser.mark)
18
+ end
19
+ handler.result
20
+ end
21
+
22
+ def load_file filename
23
+ load File.read(filename), filename
24
+ end
25
+ end
26
+ end
27
+ end
28
+ end
29
+ end
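Review bot: The rescue clause in `load` reads the exception through the global `$!` three times; binding it once with `rescue => e` and using `e.message`, `e.backtrace` and `e.message` in the `Invalid.new` call is the clearer form and avoids depending on `$!` still pointing at the right exception inside the log blocks. A comment on `load` should also state where the parsing trust boundary lies: this method drives `Psych::Parser` with the custom `Handler`, so the `SafeYAML::OPTIONS` defaults set in `lib/conjur-asset-dsl2.rb` (which hook `YAML.load`) do not appear to cover this path, and object construction for tags such as `!user` is whatever `Handler` implements, e.g. `# Parsing goes through Handler, not YAML.load; safe_yaml settings do not apply here.` `load_file` reads whatever path it is given and hands it to `load` unchanged, which is reasonable for a CLI plugin but worth a one-line note so callers know no path validation happens here.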
@@ -0,0 +1,7 @@
1
+ module Conjur
2
+ module Asset
3
+ module DSL2
4
+ VERSION = "0.3.0"
5
+ end
6
+ end
7
+ end
@@ -0,0 +1,27 @@
1
+ require 'conjur-asset-dsl2-version'
2
+ require 'yaml'
3
+ require 'safe_yaml'
4
+ require 'active_support'
5
+ require 'active_support/core_ext'
6
+ SafeYAML::OPTIONS[:default_mode] = :safe
7
+ SafeYAML::OPTIONS[:deserialize_symbols] = false
8
+
9
+ require 'rest-client'
10
+ require 'conjur/dsl2/invalid'
11
+ require 'conjur/dsl2/types/base'
12
+ require 'conjur/dsl2/types/records'
13
+ require 'conjur/dsl2/types/member'
14
+ require 'conjur/dsl2/types/grant'
15
+ require 'conjur/dsl2/types/revoke'
16
+ require 'conjur/dsl2/types/permit'
17
+ require 'conjur/dsl2/types/deny'
18
+ require 'conjur/dsl2/types/create'
19
+ require 'conjur/dsl2/types/give'
20
+ require 'conjur/dsl2/types/retire'
21
+ require 'conjur/dsl2/types/update'
22
+ require 'conjur/dsl2/types/policy'
23
+ require 'conjur/dsl2/yaml/handler'
24
+ require 'conjur/dsl2/yaml/loader'
25
+ require 'conjur/dsl2/ruby/loader'
26
+ require 'conjur/dsl2/planner'
27
+ require 'conjur/dsl2/executor'
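Review bot: Assigning `SafeYAML::OPTIONS[:default_mode] = :safe` and `SafeYAML::OPTIONS[:deserialize_symbols] = false` at require time is a process-global change for any host that loads this library, and nothing in the file explains that this is deliberate. It is the safer direction for `YAML.load`, but the DSL2 YAML loader itself drives `Psych::Parser` with its own handler, so a reader may wrongly assume these two lines also govern policy parsing. A short comment above the assignments would remove that ambiguity, e.g. `# Force safe_yaml defaults process-wide for any YAML.load in the host; the DSL2 YAML loader parses via Psych::Parser and is not affected by these settings.`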
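--- a/data/syntax.md
+++ b/data/syntax.md
@@ -0,0 +1,147 @@
+# Conjur DSL2 YAML Syntax
+
+## Nomenclature
+
+We refer to any element of a policy document that may occur in a top level sequence or
+in the `body` field of a `policy` as a *top level element*. Note that a `policy` is a
+`top level element`.
+
+We use terms such as `anchor`, `sequence`, `mapping`, and `scalar`, as well as commonly understood types such
+as `string`s and `integer`s in their usual sense with respect to the YAML language.
+
+## Policy Documents
+
+A policy document is a file containing a description (perhaps partial) of the desired state of a Conjur
+permissions model.
+
+A policy document used by Conjur DSL2 can be either a **sequence** of *top level elements*, or a `policy` declaration.
+
+### `policy` Element
+
+A policy definition has the following form:
+
+```yaml
+policy:
+id: "my-policy-id"
+body:
+# sequence of top level elements
+```
+
+A policy element creates a `policy` resource and role. The *role* will be the default owner of all records created in
+the policy. The resource can be used to grant permissions on the policy as a whole. The `id` of the policy is prefixed
+to the id of all records created in the `body` of the policy. If a policy has `id` `"foo"` and a record is created in its
+body with id `"bar"`, the record will have an `id` of `"foo/bar"`.
+
+A policy has the following children:
+* `id`: the policy id as a string. Required.
+* `body`: a *sequence* of top-level elements contained by the policy. Required.
+**Note** the body may contain other `policy` elements, but this is generally considered bad practice.
+
+### Records
+
+A record element is used to create or update a Conjur asset, such as a `group`, `user`, `webservice`, or `host_factory`.
+
+If a policy is loaded containing a record that already exists, that record will be updated if any of its mutable
+attributes have changed. If it does not exist, it will be created with the defined attributes.
+
+All **record** elements share the following members:
+
+* `id`: the identifier for the record as a string. Required.
+* `annotations`: A yaml `Mapping` of annotation keys to annotation values, as strings.
+* `owner`: a reference to a Conjur role that should be the `owner` of this record.
+* `account`: a record can specify an explicit Conjur account. You should generally not
+have to use this.
+
+
+
+Create a user with id `'alice'` and an annotation:
+```yaml
+- !user
+id: alice
+annotations:
+hair-color: blonde
+```
+
+#### User records
+
+In addition to the standard record members, users can have an optional `uidnumber`. This is used for SSH login and certain
+LDAP features, and must be globally unique.
+
+```yaml
+- !user
+id: bob
+uidnumber: 123
+```
+
+#### Group records
+
+In addition to the standard record members, groups can have an optional `gidnumber`. This is used for SSH login and
+certain LDAP features. It need not be unique.
+
+```yaml
+- !group
+id: ops
+gidnumber: 5050
+```
+
+#### Host, Layer, and Webservice records
+
+These records have no special attributes.
+
+#### Variable Records
+
+In addition to the standard record members, variables support the following members:
+
+* `kind` A human-friendly description of the kind of secret stored in this variable, e.g. 'database uri'
+* `mime_type` A **MIME Type** string used when serving the contents of this variable via HTTP.
+
+Note that both of these attributes are immutable once the variable has been created.
+
+### Permit and Deny
+
+These elements give a role permission on a resource, or take it away. For example,
+this element will permit `ops` to `update` and `execute` `layer-a`:
+
+```yaml
+- !permit
+privilege: [update, execute]
+role: !group ops
+resource: !layer layer-a
+```
+
+Notice that the `role`s and `resource`s must be *tagged* with their kind: `!group` and `!layer` in this example.
+
+Permit elements can have a `replace` member set to `true`: this directs Conjur to replace existing permissions on the resource with
+those listed in this element.
+
+A `deny` element is similar, but does not support the `replace` member.
+
+### Grant and Revoke
+
+These elements grant roles to other roles, and revoke those grants.
+
+A typical `grant` element looks like this:
+
+```yaml
+- !grant
+role: !group everyone
+members:
+- !group developers
+- !group
+id: support
+- !group marketing
+-
+role: !group ops
+admin: true
+```
+
+This will grant the role `group:everyone` to groups `developers`, `support`, `marketing` and `ops`. The
+`admin: true` member of the `ops` entry will allow `ops` to grant the role `group:everyone` to other roles. Note
+that `admin: false` can be used in a grant statement to take this ability away from a member.
+
+A `grant` element may also have a `replace: true` member, which will revoke any existing grants of the role before
+adding the new one.
+
+A `revoke` element revokes a grant, and is like the `grant` element except that `admin` and `replace` are meaningless.
+
+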
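--- a/metadata
+++ b/metadata
@@ -0,0 +1,237 @@
+--- !ruby/object:Gem::Specification
+name: conjur-asset-dsl2
+version: !ruby/object:Gem::Version
+version: 0.3.0
+platform: ruby
+authors:
+- Kevin Gilpin
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2016-01-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: safe_yaml
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: conjur-cli
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.10'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.10'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '10.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '10.0'
+- !ruby/object:Gem::Dependency
+name: rspec-expectations
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: pry
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: json_spec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: cucumber
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: ci_reporter_rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: aruba
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+description:
+email:
+- kgilpin@conjur.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .dockerignore
+- .gitignore
+- .project
+- .rspec
+- .travis.yml
+- CHANGELOG
+- Dockerfile.dev
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- backup.tar
+- bin/console
+- bin/setup
+- conjur-asset-dsl2.gemspec
+- jenkins.sh
+- lib/conjur-asset-dsl2-version.rb
+- lib/conjur-asset-dsl2.rb
+- lib/conjur/command/dsl2.rb
+- lib/conjur/dsl2/executor.rb
+- lib/conjur/dsl2/executor/base.rb
+- lib/conjur/dsl2/executor/create.rb
+- lib/conjur/dsl2/executor/deny.rb
+- lib/conjur/dsl2/executor/give.rb
+- lib/conjur/dsl2/executor/grant.rb
+- lib/conjur/dsl2/executor/permit.rb
+- lib/conjur/dsl2/executor/retire.rb
+- lib/conjur/dsl2/executor/revoke.rb
+- lib/conjur/dsl2/executor/update.rb
+- lib/conjur/dsl2/invalid.rb
+- lib/conjur/dsl2/plan.rb
+- lib/conjur/dsl2/planner.rb
+- lib/conjur/dsl2/planner/base.rb
+- lib/conjur/dsl2/planner/grants.rb
+- lib/conjur/dsl2/planner/permissions.rb
+- lib/conjur/dsl2/planner/record.rb
+- lib/conjur/dsl2/ruby/loader.rb
+- lib/conjur/dsl2/types/base.rb
+- lib/conjur/dsl2/types/create.rb
+- lib/conjur/dsl2/types/deny.rb
+- lib/conjur/dsl2/types/give.rb
+- lib/conjur/dsl2/types/grant.rb
+- lib/conjur/dsl2/types/member.rb
+- lib/conjur/dsl2/types/permit.rb
+- lib/conjur/dsl2/types/policy.rb
+- lib/conjur/dsl2/types/records.rb
+- lib/conjur/dsl2/types/retire.rb
+- lib/conjur/dsl2/types/revoke.rb
+- lib/conjur/dsl2/types/update.rb
+- lib/conjur/dsl2/yaml/handler.rb
+- lib/conjur/dsl2/yaml/loader.rb
+- syntax.md
+homepage: https://github.com/conjurinc/conjur-asset-dsl2
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.14.1
+signing_key:
+specification_version: 4
+summary: A fully declarative DSL for Conjur with Ruby and YAML syntax.
+test_files: []
+has_rdoc: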