RubyGems - conjur-asset-dsl2 - Versions diffs - 0.3.0 - Mend

conjur-asset-dsl2 0.3.0

Files changed (54) hide show

checksums.yaml +7 -0
data/.dockerignore +2 -0
data/.gitignore +14 -0
data/.project +18 -0
data/.rspec +1 -0
data/.travis.yml +4 -0
data/CHANGELOG +1 -0
data/Dockerfile.dev +19 -0
data/Gemfile +4 -0
data/LICENSE.txt +21 -0
data/README.md +248 -0
data/Rakefile +18 -0
data/backup.tar +0 -0
data/bin/console +14 -0
data/bin/setup +7 -0
data/conjur-asset-dsl2.gemspec +32 -0
data/jenkins.sh +36 -0
data/lib/conjur/command/dsl2.rb +175 -0
data/lib/conjur/dsl2/executor/base.rb +50 -0
data/lib/conjur/dsl2/executor/create.rb +117 -0
data/lib/conjur/dsl2/executor/deny.rb +13 -0
data/lib/conjur/dsl2/executor/give.rb +12 -0
data/lib/conjur/dsl2/executor/grant.rb +13 -0
data/lib/conjur/dsl2/executor/permit.rb +16 -0
data/lib/conjur/dsl2/executor/retire.rb +7 -0
data/lib/conjur/dsl2/executor/revoke.rb +11 -0
data/lib/conjur/dsl2/executor/update.rb +31 -0
data/lib/conjur/dsl2/executor.rb +99 -0
data/lib/conjur/dsl2/invalid.rb +12 -0
data/lib/conjur/dsl2/plan.rb +49 -0
data/lib/conjur/dsl2/planner/base.rb +215 -0
data/lib/conjur/dsl2/planner/grants.rb +85 -0
data/lib/conjur/dsl2/planner/permissions.rb +80 -0
data/lib/conjur/dsl2/planner/record.rb +102 -0
data/lib/conjur/dsl2/planner.rb +38 -0
data/lib/conjur/dsl2/ruby/loader.rb +263 -0
data/lib/conjur/dsl2/types/base.rb +376 -0
data/lib/conjur/dsl2/types/create.rb +15 -0
data/lib/conjur/dsl2/types/deny.rb +17 -0
data/lib/conjur/dsl2/types/give.rb +14 -0
data/lib/conjur/dsl2/types/grant.rb +24 -0
data/lib/conjur/dsl2/types/member.rb +14 -0
data/lib/conjur/dsl2/types/permit.rb +22 -0
data/lib/conjur/dsl2/types/policy.rb +129 -0
data/lib/conjur/dsl2/types/records.rb +243 -0
data/lib/conjur/dsl2/types/retire.rb +14 -0
data/lib/conjur/dsl2/types/revoke.rb +14 -0
data/lib/conjur/dsl2/types/update.rb +16 -0
data/lib/conjur/dsl2/yaml/handler.rb +400 -0
data/lib/conjur/dsl2/yaml/loader.rb +29 -0
data/lib/conjur-asset-dsl2-version.rb +7 -0
data/lib/conjur-asset-dsl2.rb +27 -0
data/syntax.md +147 -0
metadata +237 -0

data/lib/conjur/dsl2/yaml/loader.rb ADDED Viewed

@@ -0,0 +1,29 @@
+require 'conjur-asset-dsl2'
+module Conjur
+  module DSL2
+    module YAML
+      class Loader
+        class << self
+          def load yaml, filename = nil
+            parser = Psych::Parser.new(handler = Handler.new)
+            handler.filename = filename
+            handler.parser = parser
+            begin
+              parser.parse(yaml)
+            rescue
+              handler.log { $!.message }
+              handler.log { $!.backtrace.join("  \n") }
+              raise Invalid.new($!.message, filename, parser.mark)
+            end
+            handler.result
+          end
+          def load_file filename
+            load File.read(filename), filename
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conjur-asset-dsl2-version.rb ADDED Viewed

@@ -0,0 +1,7 @@
+module Conjur
+  module Asset
+    module DSL2
+      VERSION = "0.3.0"
+    end
+  end
+end

data/lib/conjur-asset-dsl2.rb ADDED Viewed

@@ -0,0 +1,27 @@
+require 'conjur-asset-dsl2-version'
+require 'yaml'
+require 'safe_yaml'
+require 'active_support'
+require 'active_support/core_ext'
+SafeYAML::OPTIONS[:default_mode] = :safe
+SafeYAML::OPTIONS[:deserialize_symbols] = false
+require 'rest-client'
+require 'conjur/dsl2/invalid'
+require 'conjur/dsl2/types/base'
+require 'conjur/dsl2/types/records'
+require 'conjur/dsl2/types/member'
+require 'conjur/dsl2/types/grant'
+require 'conjur/dsl2/types/revoke'
+require 'conjur/dsl2/types/permit'
+require 'conjur/dsl2/types/deny'
+require 'conjur/dsl2/types/create'
+require 'conjur/dsl2/types/give'
+require 'conjur/dsl2/types/retire'
+require 'conjur/dsl2/types/update'
+require 'conjur/dsl2/types/policy'
+require 'conjur/dsl2/yaml/handler'
+require 'conjur/dsl2/yaml/loader'
+require 'conjur/dsl2/ruby/loader'
+require 'conjur/dsl2/planner'
+require 'conjur/dsl2/executor'

data/syntax.md ADDED Viewed

@@ -0,0 +1,147 @@
+# Conjur DSL2 YAML Syntax
+## Nomenclature
+We refer to any element of a policy document that may occur in a top level sequence or
+in the `body` field of a `policy` as a *top level element*.  Note that a `policy` is a
+`top level element`.
+We use terms such as `anchor`, `sequence`, `mapping`, and `scalar`, as well as commonly understood types such
+as `string`s and `integer`s in their usual sense with respect to the YAML language.
+## Policy Documents
+A policy document is a file containing a description (perhaps partial) of the desired state of a Conjur
+permissions model.
+A policy document used by Conjur DSL2 can be either a **sequence** of *top level elements*, or a `policy` declaration.
+### `policy` Element
+A policy definition has the following form:
+```yaml
+policy:
+  id: "my-policy-id"
+  body:
+    # sequence of top level elements
+```
+A policy element creates a `policy` resource and role.  The *role* will be the default owner of all records created in
+the policy.  The resource can be used to grant permissions on the policy as a whole.  The `id` of the policy is prefixed
+to the id of all records created in the `body` of the policy.  If a policy has `id` `"foo"` and a record is created in its
+body with id `"bar"`, the record will have an `id` of `"foo/bar"`.
+A policy has the following children:
+    * `id`: the policy id as a string. Required.
+    * `body`: a *sequence* of top-level elements contained by the policy.  Required.
+        **Note** the body may contain other `policy` elements, but this is generally considered bad practice.
+### Records
+A record element is used to create or update a Conjur asset, such as a `group`, `user`, `webservice`, or `host_factory`.
+If a policy is loaded containing a record that already exists, that record will be updated if any of its mutable
+attributes have changed.  If it does not exist, it will be created with the defined attributes.
+All **record** elements share the following members:
+  * `id`: the identifier for the record as a string. Required.
+  * `annotations`: A yaml `Mapping` of annotation keys to annotation values, as strings.
+  * `owner`: a reference to a Conjur role that should be the `owner` of this record.
+  * `account`: a record can specify an explicit Conjur account. You should generally not
+    have to use this.
+Create a user with id `'alice'` and an annotation:
+```yaml
+- !user
+  id: alice
+  annotations:
+    hair-color: blonde
+```
+#### User records
+In addition to the standard record members, users can have an optional `uidnumber`.  This is used for SSH login and certain
+LDAP features, and must be globally unique.
+```yaml
+- !user
+    id: bob
+    uidnumber: 123
+```
+#### Group records
+In addition to the standard record members, groups can have an optional `gidnumber`.  This is used for SSH login and
+certain LDAP features. It need not be unique.
+```yaml
+- !group
+    id: ops
+    gidnumber: 5050
+```
+#### Host, Layer, and Webservice records
+These records have no special attributes.
+#### Variable Records
+In addition to the standard record members, variables support the following members:
+  * `kind` A human-friendly description of the kind of secret stored in this variable, e.g. 'database uri'
+  * `mime_type` A **MIME Type** string used when serving the contents of this variable via HTTP.
+Note that both of these attributes are immutable once the variable has been created.
+### Permit and Deny
+These elements give a role permission on a resource, or take it away.  For example,
+this element will permit `ops` to `update` and `execute` `layer-a`:
+```yaml
+- !permit
+    privilege: [update, execute]
+    role: !group ops
+    resource: !layer layer-a
+```
+Notice that the `role`s and `resource`s must be *tagged* with their kind: `!group` and `!layer` in this example.
+Permit elements can have a `replace` member set to `true`: this directs Conjur to replace existing permissions on the resource with
+those listed in this element.
+A `deny` element is similar, but does not support the `replace` member.
+### Grant and Revoke
+These elements grant roles to other roles, and revoke those grants.
+A typical `grant` element looks like this:
+```yaml
+- !grant
+  role: !group everyone
+  members:
+    - !group developers
+    - !group
+      id: support
+    - !group marketing
+    -
+      role: !group ops
+      admin: true
+```
+This will grant the role `group:everyone` to groups `developers`, `support`, `marketing` and `ops`.  The
+`admin: true` member of the `ops` entry will allow `ops` to grant the role `group:everyone` to other roles.  Note
+that `admin: false` can be used in a grant statement to take this ability away from a member.
+A `grant` element may also have a `replace: true` member, which will revoke any existing grants of the role before
+adding the new one.
+A `revoke` element revokes a grant, and is like the `grant` element except that `admin` and `replace` are meaningless.

metadata ADDED Viewed

@@ -0,0 +1,237 @@
+--- !ruby/object:Gem::Specification
+name: conjur-asset-dsl2
+version: !ruby/object:Gem::Version
+  version: 0.3.0
+platform: ruby
+authors:
+- Kevin Gilpin
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2016-01-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: safe_yaml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: conjur-cli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json_spec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cucumber
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ci_reporter_rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aruba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- kgilpin@conjur.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .dockerignore
+- .gitignore
+- .project
+- .rspec
+- .travis.yml
+- CHANGELOG
+- Dockerfile.dev
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- backup.tar
+- bin/console
+- bin/setup
+- conjur-asset-dsl2.gemspec
+- jenkins.sh
+- lib/conjur-asset-dsl2-version.rb
+- lib/conjur-asset-dsl2.rb
+- lib/conjur/command/dsl2.rb
+- lib/conjur/dsl2/executor.rb
+- lib/conjur/dsl2/executor/base.rb
+- lib/conjur/dsl2/executor/create.rb
+- lib/conjur/dsl2/executor/deny.rb
+- lib/conjur/dsl2/executor/give.rb
+- lib/conjur/dsl2/executor/grant.rb
+- lib/conjur/dsl2/executor/permit.rb
+- lib/conjur/dsl2/executor/retire.rb
+- lib/conjur/dsl2/executor/revoke.rb
+- lib/conjur/dsl2/executor/update.rb
+- lib/conjur/dsl2/invalid.rb
+- lib/conjur/dsl2/plan.rb
+- lib/conjur/dsl2/planner.rb
+- lib/conjur/dsl2/planner/base.rb
+- lib/conjur/dsl2/planner/grants.rb
+- lib/conjur/dsl2/planner/permissions.rb
+- lib/conjur/dsl2/planner/record.rb
+- lib/conjur/dsl2/ruby/loader.rb
+- lib/conjur/dsl2/types/base.rb
+- lib/conjur/dsl2/types/create.rb
+- lib/conjur/dsl2/types/deny.rb
+- lib/conjur/dsl2/types/give.rb
+- lib/conjur/dsl2/types/grant.rb
+- lib/conjur/dsl2/types/member.rb
+- lib/conjur/dsl2/types/permit.rb
+- lib/conjur/dsl2/types/policy.rb
+- lib/conjur/dsl2/types/records.rb
+- lib/conjur/dsl2/types/retire.rb
+- lib/conjur/dsl2/types/revoke.rb
+- lib/conjur/dsl2/types/update.rb
+- lib/conjur/dsl2/yaml/handler.rb
+- lib/conjur/dsl2/yaml/loader.rb
+- syntax.md
+homepage: https://github.com/conjurinc/conjur-asset-dsl2
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.14.1
+signing_key:
+specification_version: 4
+summary: A fully declarative DSL for Conjur with Ruby and YAML syntax.
+test_files: []
+has_rdoc: