RubyGems - conjur-asset-dsl2 - Versions diffs - 0.3.0 - Mend

conjur-asset-dsl2 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

checksums.yaml +7 -0
data/.dockerignore +2 -0
data/.gitignore +14 -0
data/.project +18 -0
data/.rspec +1 -0
data/.travis.yml +4 -0
data/CHANGELOG +1 -0
data/Dockerfile.dev +19 -0
data/Gemfile +4 -0
data/LICENSE.txt +21 -0
data/README.md +248 -0
data/Rakefile +18 -0
data/backup.tar +0 -0
data/bin/console +14 -0
data/bin/setup +7 -0
data/conjur-asset-dsl2.gemspec +32 -0
data/jenkins.sh +36 -0
data/lib/conjur/command/dsl2.rb +175 -0
data/lib/conjur/dsl2/executor/base.rb +50 -0
data/lib/conjur/dsl2/executor/create.rb +117 -0
data/lib/conjur/dsl2/executor/deny.rb +13 -0
data/lib/conjur/dsl2/executor/give.rb +12 -0
data/lib/conjur/dsl2/executor/grant.rb +13 -0
data/lib/conjur/dsl2/executor/permit.rb +16 -0
data/lib/conjur/dsl2/executor/retire.rb +7 -0
data/lib/conjur/dsl2/executor/revoke.rb +11 -0
data/lib/conjur/dsl2/executor/update.rb +31 -0
data/lib/conjur/dsl2/executor.rb +99 -0
data/lib/conjur/dsl2/invalid.rb +12 -0
data/lib/conjur/dsl2/plan.rb +49 -0
data/lib/conjur/dsl2/planner/base.rb +215 -0
data/lib/conjur/dsl2/planner/grants.rb +85 -0
data/lib/conjur/dsl2/planner/permissions.rb +80 -0
data/lib/conjur/dsl2/planner/record.rb +102 -0
data/lib/conjur/dsl2/planner.rb +38 -0
data/lib/conjur/dsl2/ruby/loader.rb +263 -0
data/lib/conjur/dsl2/types/base.rb +376 -0
data/lib/conjur/dsl2/types/create.rb +15 -0
data/lib/conjur/dsl2/types/deny.rb +17 -0
data/lib/conjur/dsl2/types/give.rb +14 -0
data/lib/conjur/dsl2/types/grant.rb +24 -0
data/lib/conjur/dsl2/types/member.rb +14 -0
data/lib/conjur/dsl2/types/permit.rb +22 -0
data/lib/conjur/dsl2/types/policy.rb +129 -0
data/lib/conjur/dsl2/types/records.rb +243 -0
data/lib/conjur/dsl2/types/retire.rb +14 -0
data/lib/conjur/dsl2/types/revoke.rb +14 -0
data/lib/conjur/dsl2/types/update.rb +16 -0
data/lib/conjur/dsl2/yaml/handler.rb +400 -0
data/lib/conjur/dsl2/yaml/loader.rb +29 -0
data/lib/conjur-asset-dsl2-version.rb +7 -0
data/lib/conjur-asset-dsl2.rb +27 -0
data/syntax.md +147 -0
metadata +237 -0

data/lib/conjur/dsl2/yaml/loader.rb ADDED Viewed

@@ -0,0 +1,29 @@
+require 'conjur-asset-dsl2'
+module Conjur
+  module DSL2
+    module YAML
+      class Loader
+        class << self
+          def load yaml, filename = nil
+            parser = Psych::Parser.new(handler = Handler.new)
+            handler.filename = filename
+            handler.parser = parser
+            begin
+              parser.parse(yaml)
+            rescue
+              handler.log { $!.message }
+              handler.log { $!.backtrace.join("  \n") }
+              raise Invalid.new($!.message, filename, parser.mark)
+            end
+            handler.result
+          end
+          def load_file filename
+            load File.read(filename), filename
+          end
+        end
+      end
+    end
+  end
+end

data/lib/conjur-asset-dsl2-version.rb ADDED Viewed

@@ -0,0 +1,7 @@
+module Conjur
+  module Asset
+    module DSL2
+      VERSION = "0.3.0"
+    end
+  end
+end

data/lib/conjur-asset-dsl2.rb ADDED Viewed

@@ -0,0 +1,27 @@
+require 'conjur-asset-dsl2-version'
+require 'yaml'
+require 'safe_yaml'
+require 'active_support'
+require 'active_support/core_ext'
+SafeYAML::OPTIONS[:default_mode] = :safe
+SafeYAML::OPTIONS[:deserialize_symbols] = false
+require 'rest-client'
+require 'conjur/dsl2/invalid'
+require 'conjur/dsl2/types/base'
+require 'conjur/dsl2/types/records'
+require 'conjur/dsl2/types/member'
+require 'conjur/dsl2/types/grant'
+require 'conjur/dsl2/types/revoke'
+require 'conjur/dsl2/types/permit'
+require 'conjur/dsl2/types/deny'
+require 'conjur/dsl2/types/create'
+require 'conjur/dsl2/types/give'
+require 'conjur/dsl2/types/retire'
+require 'conjur/dsl2/types/update'
+require 'conjur/dsl2/types/policy'
+require 'conjur/dsl2/yaml/handler'
+require 'conjur/dsl2/yaml/loader'
+require 'conjur/dsl2/ruby/loader'
+require 'conjur/dsl2/planner'
+require 'conjur/dsl2/executor'

data/syntax.md ADDED Viewed

@@ -0,0 +1,147 @@
+# Conjur DSL2 YAML Syntax
+## Nomenclature
+We refer to any element of a policy document that may occur in a top level sequence or
+in the `body` field of a `policy` as a *top level element*.  Note that a `policy` is a
+`top level element`.
+We use terms such as `anchor`, `sequence`, `mapping`, and `scalar`, as well as commonly understood types such
+as `string`s and `integer`s in their usual sense with respect to the YAML language.
+## Policy Documents
+A policy document is a file containing a description (perhaps partial) of the desired state of a Conjur
+permissions model.
+A policy document used by Conjur DSL2 can be either a **sequence** of *top level elements*, or a `policy` declaration.
+### `policy` Element
+A policy definition has the following form:
+```yaml
+policy:
+  id: "my-policy-id"
+  body:
+    # sequence of top level elements
+```
+A policy element creates a `policy` resource and role.  The *role* will be the default owner of all records created in
+the policy.  The resource can be used to grant permissions on the policy as a whole.  The `id` of the policy is prefixed
+to the id of all records created in the `body` of the policy.  If a policy has `id` `"foo"` and a record is created in its
+body with id `"bar"`, the record will have an `id` of `"foo/bar"`.
+A policy has the following children:
+    * `id`: the policy id as a string. Required.
+    * `body`: a *sequence* of top-level elements contained by the policy.  Required.
+        **Note** the body may contain other `policy` elements, but this is generally considered bad practice.
+### Records
+A record element is used to create or update a Conjur asset, such as a `group`, `user`, `webservice`, or `host_factory`.
+If a policy is loaded containing a record that already exists, that record will be updated if any of its mutable
+attributes have changed.  If it does not exist, it will be created with the defined attributes.
+All **record** elements share the following members:
+  * `id`: the identifier for the record as a string. Required.
+  * `annotations`: A yaml `Mapping` of annotation keys to annotation values, as strings.
+  * `owner`: a reference to a Conjur role that should be the `owner` of this record.
+  * `account`: a record can specify an explicit Conjur account. You should generally not
+    have to use this.
+Create a user with id `'alice'` and an annotation:
+```yaml
+- !user
+  id: alice
+  annotations:
+    hair-color: blonde
+```
+#### User records
+In addition to the standard record members, users can have an optional `uidnumber`.  This is used for SSH login and certain
+LDAP features, and must be globally unique.
+```yaml
+- !user
+    id: bob
+    uidnumber: 123
+```
+#### Group records
+In addition to the standard record members, groups can have an optional `gidnumber`.  This is used for SSH login and
+certain LDAP features. It need not be unique.
+```yaml
+- !group
+    id: ops
+    gidnumber: 5050
+```
+#### Host, Layer, and Webservice records
+These records have no special attributes.
+#### Variable Records
+In addition to the standard record members, variables support the following members:
+  * `kind` A human-friendly description of the kind of secret stored in this variable, e.g. 'database uri'
+  * `mime_type` A **MIME Type** string used when serving the contents of this variable via HTTP.
+Note that both of these attributes are immutable once the variable has been created.
+### Permit and Deny
+These elements give a role permission on a resource, or take it away.  For example,
+this element will permit `ops` to `update` and `execute` `layer-a`:
+```yaml
+- !permit
+    privilege: [update, execute]
+    role: !group ops
+    resource: !layer layer-a
+```
+Notice that the `role`s and `resource`s must be *tagged* with their kind: `!group` and `!layer` in this example.
+Permit elements can have a `replace` member set to `true`: this directs Conjur to replace existing permissions on the resource with
+those listed in this element.
+A `deny` element is similar, but does not support the `replace` member.
+### Grant and Revoke
+These elements grant roles to other roles, and revoke those grants.
+A typical `grant` element looks like this:
+```yaml
+- !grant
+  role: !group everyone
+  members:
+    - !group developers
+    - !group
+      id: support
+    - !group marketing
+    -
+      role: !group ops
+      admin: true
+```
+This will grant the role `group:everyone` to groups `developers`, `support`, `marketing` and `ops`.  The
+`admin: true` member of the `ops` entry will allow `ops` to grant the role `group:everyone` to other roles.  Note
+that `admin: false` can be used in a grant statement to take this ability away from a member.
+A `grant` element may also have a `replace: true` member, which will revoke any existing grants of the role before
+adding the new one.
+A `revoke` element revokes a grant, and is like the `grant` element except that `admin` and `replace` are meaningless.

metadata ADDED Viewed

@@ -0,0 +1,237 @@
+--- !ruby/object:Gem::Specification
+name: conjur-asset-dsl2
+version: !ruby/object:Gem::Version
+  version: 0.3.0
+platform: ruby
+authors:
+- Kevin Gilpin
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2016-01-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: safe_yaml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: conjur-cli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json_spec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cucumber
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ci_reporter_rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aruba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- kgilpin@conjur.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .dockerignore
+- .gitignore
+- .project
+- .rspec
+- .travis.yml
+- CHANGELOG
+- Dockerfile.dev
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- backup.tar
+- bin/console
+- bin/setup
+- conjur-asset-dsl2.gemspec
+- jenkins.sh
+- lib/conjur-asset-dsl2-version.rb
+- lib/conjur-asset-dsl2.rb
+- lib/conjur/command/dsl2.rb
+- lib/conjur/dsl2/executor.rb
+- lib/conjur/dsl2/executor/base.rb
+- lib/conjur/dsl2/executor/create.rb
+- lib/conjur/dsl2/executor/deny.rb
+- lib/conjur/dsl2/executor/give.rb
+- lib/conjur/dsl2/executor/grant.rb
+- lib/conjur/dsl2/executor/permit.rb
+- lib/conjur/dsl2/executor/retire.rb
+- lib/conjur/dsl2/executor/revoke.rb
+- lib/conjur/dsl2/executor/update.rb
+- lib/conjur/dsl2/invalid.rb
+- lib/conjur/dsl2/plan.rb
+- lib/conjur/dsl2/planner.rb
+- lib/conjur/dsl2/planner/base.rb
+- lib/conjur/dsl2/planner/grants.rb
+- lib/conjur/dsl2/planner/permissions.rb
+- lib/conjur/dsl2/planner/record.rb
+- lib/conjur/dsl2/ruby/loader.rb
+- lib/conjur/dsl2/types/base.rb
+- lib/conjur/dsl2/types/create.rb
+- lib/conjur/dsl2/types/deny.rb
+- lib/conjur/dsl2/types/give.rb
+- lib/conjur/dsl2/types/grant.rb
+- lib/conjur/dsl2/types/member.rb
+- lib/conjur/dsl2/types/permit.rb
+- lib/conjur/dsl2/types/policy.rb
+- lib/conjur/dsl2/types/records.rb
+- lib/conjur/dsl2/types/retire.rb
+- lib/conjur/dsl2/types/revoke.rb
+- lib/conjur/dsl2/types/update.rb
+- lib/conjur/dsl2/yaml/handler.rb
+- lib/conjur/dsl2/yaml/loader.rb
+- syntax.md
+homepage: https://github.com/conjurinc/conjur-asset-dsl2
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.14.1
+signing_key:
+specification_version: 4
+summary: A fully declarative DSL for Conjur with Ruby and YAML syntax.
+test_files: []
+has_rdoc: