conjur-asset-dsl2 0.4.4 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 233f1ca1ec584b5ac5bca8113871edaaacb3af3e
-  data.tar.gz: 8e5dfcfdb84591716c5ae0e7d64775e22480ed48
+  metadata.gz: 4e808b958cc3f5faac0227b00000b8b11d5ad255
+  data.tar.gz: 9f4f5bb57310b929f8b7d8f3e7785e39cb8441b1
 SHA512:
-  metadata.gz: 183166ebb0dbbcb2d5320a52ac41f799d896d2a01a53b3fd532ac885aaa8205b560e0a9b93ad0e19c95a7d826582d763de505671d457e41f68b95ceab63bd972
-  data.tar.gz: 0f97b59ad03fafeff8a526f926a55d424b3460484a575155049649b54724f6ef88b79fd0bd515013f98d584d762463cc064f13bc07c30173681ba3d1ec260441
+  metadata.gz: f7f304a0432b4cb7fbea8b079c8b690c081c073833b257c8f5fb14e8b17fc3ba28f63436e33e506ec5f812ef6c6a60d64ae4e23eb5b35b22ea0ba20255846728
+  data.tar.gz: a52561942757c5fef6c95dfdcb83eb8c85b864e1d738337d4e72e5bcd587057610dd2d42efbd68a8f11853a911eaa8deb4a9940d5fe51ce248048c32e6f58776

data/CHANGELOG

@@ -1,3 +1,7 @@
+# 0.5.0
+
+* Refactor how the policy statements are validated and normalized, fixing some bugs in the process.
+
 # 0.4.4
 
 * Enable immutable attributes to be set when the value is unchanged.

data/Rakefile

@@ -9,10 +9,8 @@ Cucumber::Rake::Task.new :features
 
 task :jenkins => ['ci:setup:rspec', :spec] do
   Cucumber::Rake::Task.new do |t|
-    t.cucumber_opts = "--tags ~@wip --format progress --format junit --out features/reports"
+    t.cucumber_opts = "--tags ~@wip --format pretty --format junit --out features/reports"
   end.runner.run
-
-
 end
 
 task default: [:spec, :features]

data/ci/test.sh

@@ -0,0 +1,13 @@
+#!/bin/bash -ex
+
+echo 127.0.0.1 conjur >> /etc/hosts
+
+/opt/conjur/evoke/bin/wait_for_conjur
+
+cd /src/conjur-asset-dsl2
+bundle
+
+export CONJUR_AUTHN_LOGIN=admin
+export CONJUR_AUTHN_API_KEY=secret
+
+bundle exec rake jenkins || true

data/jenkins.sh

@@ -1,36 +1,27 @@
-#!/bin/bash -e
-
-mkdir -p tmp
-
-function wait_for_conjur {
-	docker pull registry.tld/wait-for-conjur
-	docker run -i --rm --link $cid:conjur registry.tld/wait-for-conjur
-}
-
-PROJECT=conjur-asset-dsl2
-BASE_IMAGE=registry.tld/conjur-appliance-cuke-master:4.6-stable
-docker pull $BASE_IMAGE
-
-cid_file=tmp/$PROJECT-dev.cid
-
-docker build -t $PROJECT-dev -f Dockerfile.dev . 
-
-docker run \
-	-d \
-	--cidfile=$cid_file \
-	-v $PWD:/src/conjur-asset-dsl2 \
-	$PROJECT-dev
-
-cid=$(cat $cid_file)
-
-function finish {
-	rm -f $cid_file
-	docker rm -f $cid
-}
-
-wait_for_conjur
-
-
-trap finish EXIT
-
-docker exec $cid bash -c "bundle exec rake jenkins" || true
+#!/bin/bash -ex
+
+CONJUR_VERSION=${CONJUR_VERSION:-"4.6"}
+DOCKER_IMAGE=${DOCKER_IMAGE:-"registry.tld/conjur-appliance-cuke-master:$CONJUR_VERSION-stable"}
+NOKILL=${NOKILL:-"0"}
+PULL=${PULL:-"1"}
+
+if [ -z "$CONJUR_CONTAINER" ]; then
+	if [ "$PULL" == "1" ]; then
+	    docker pull $DOCKER_IMAGE
+	fi
+	
+	cid=$(docker run -d -v ${PWD}:/src/conjur-asset-dsl2 $DOCKER_IMAGE)
+	function finish {
+    	if [ "$NOKILL" != "1" ]; then
+			docker rm -f ${cid}
+		fi
+	}
+	trap finish EXIT
+	
+	>&2 echo "Container id:"
+	>&2 echo $cid
+else
+	cid=${CONJUR_CONTAINER}
+fi
+
+docker exec -i ${cid} /src/conjur-asset-dsl2/ci/test.sh

data/lib/conjur/command/dsl2.rb

@@ -65,7 +65,7 @@ class Conjur::Command::DSL2 < Conjur::DSLCommand
     actions = []
     records.each do |record|
       executor_class = Conjur::DSL2::Executor.class_for(record)
-      executor = Conjur::DSL2::Executor.class_for(record).new(record, actions, Conjur::Core::API.conjur_account)
+      executor = Conjur::DSL2::Executor.class_for(record).new(record, actions)
       executor.execute
     end
     Conjur::DSL2::HTTPExecutor.new(api).execute actions
@@ -157,7 +157,19 @@ command. Therefore, a policy can be loaded in three steps, if desired:
   
         filename = args.pop
         records = load filename, options[:syntax]
-        plan = Conjur::DSL2::Planner.plan(records, api, options.slice(:namespace, :ownerid))
+        
+        ownerid = options[:ownerid]
+        unless ownerid
+          user_kind, user_id = api.username.split('/', 2)
+          unless user_id
+            user_id = user_kind
+            user_kind = 'user'
+          end
+          ownerid = [ Conjur.configuration.account, user_kind, user_id ].join(":")
+        end
+        
+        records = Conjur::DSL2::Resolver.resolve(records, Conjur.configuration.account, ownerid, options[:namespace])
+        plan = Conjur::DSL2::Planner.plan(records, api)
 
         if options[:"dry-run"]
           case options[:"format"]

data/lib/conjur/dsl2/executor/base.rb

@@ -6,12 +6,11 @@ module Conjur::DSL2
     class Base
       include Conjur::DSL2::Logger
       
-      attr_reader :statement, :actions, :default_account
+      attr_reader :statement, :actions
       
-      def initialize statement, actions, default_account
+      def initialize statement, actions
         @statement = statement
         @actions = actions
-        @default_account = default_account
       end
       
       def action obj
@@ -24,12 +23,12 @@ module Conjur::DSL2
       
       def resource_path record = nil
         record ||= self.statement
-        [ "authz", record.account || default_account, "resources", record.resource_kind, record.id ].join('/')
+        [ "authz", record.account, "resources", record.resource_kind, record.id ].join('/')
       end
 
       def role_path record = nil
         record ||= self.statement
-        [ "authz", record.account || default_account, "roles", record.role_kind, record.id ].join('/')
+        [ "authz", record.account, "roles", record.role_kind, record.id ].join('/')
       end
     end
     
@@ -45,7 +44,10 @@ module Conjur::DSL2
       end
       
       def update_annotation_path
-        [ "authz", annotate_record.account || default_account, "annotations", annotate_record.resource_kind, annotate_record.id ].join('/')
+        [ "authz", annotate_record.account,
+            "annotations",
+            annotate_record.resource_kind,
+            CGI.escape(annotate_record.id) ].join('/')
       end
     end
   end

data/lib/conjur/dsl2/executor/create.rb

@@ -4,10 +4,6 @@ module Conjur::DSL2::Executor
     def record
       statement.record
     end
-    
-    def account
-      record.account || default_account
-    end
   end
 
   # Generic 'create' implementation which POSTs to a resources URL.
@@ -48,7 +44,7 @@ module Conjur::DSL2::Executor
           memo
         end
         params.merge! custom_attrs
-        params["ownerid"] = record.owner.roleid(record.owner.account || default_account) if record.owner
+        params["ownerid"] = record.owner.roleid if record.owner
       end
     end
   end
@@ -57,7 +53,7 @@ module Conjur::DSL2::Executor
   class CreateHostFactory < CreateRecord
     def create_parameters
       super.tap do |params|
-        params['roleid'] = record.role.roleid(default_account)
+        params['roleid'] = record.role.roleid
         params['layers'] =  Array(record.layers).map(&:id)
       end
     end
@@ -78,7 +74,7 @@ module Conjur::DSL2::Executor
   module ActingAs
     def acting_as_parameters
       {}.tap do |params|
-        params["acting_as"] = record.owner.roleid(default_account) if record.owner
+        params["acting_as"] = record.owner.roleid if record.owner
       end
     end
   end

data/lib/conjur/dsl2/executor/deny.rb

@@ -6,7 +6,7 @@ module Conjur::DSL2::Executor
       action({
         'method' => 'post',
         'path' => "#{resource_path(statement.resource)}?deny",
-        'parameters' => { "privilege" => statement.privilege, "role" => statement.role.roleid(default_account) }
+        'parameters' => { "privilege" => statement.privilege, "role" => statement.role.roleid }
       })
     end
   end

data/lib/conjur/dsl2/executor/give.rb

@@ -5,7 +5,7 @@ module Conjur::DSL2::Executor
       action({
         'method' => 'put',
         'path' => resource_path(statement.resource),
-        'parameters' => { "owner" => statement.owner.roleid(default_account) }
+        'parameters' => { "owner" => statement.owner.roleid }
       })
     end
   end

data/lib/conjur/dsl2/executor/grant.rb

@@ -1,11 +1,11 @@
 module Conjur::DSL2::Executor
   class Grant < Base
     def execute
-      parameters = { "member" => statement.member.role.roleid(default_account) }
+      parameters = { "member" => statement.member.role.roleid }
       parameters['admin_option'] = statement.member.admin unless statement.member.admin.nil?
       action({
         'method' => 'put',
-        'path' => "authz/#{statement.role.account || default_account}/roles/#{statement.role.role_kind}/#{statement.role.id}?members",
+        'path' => "authz/#{statement.role.account}/roles/#{statement.role.role_kind}/#{statement.role.id}?members",
         'parameters' => parameters
       })
     end

data/lib/conjur/dsl2/executor/permit.rb

@@ -4,7 +4,7 @@ module Conjur::DSL2::Executor
   # record.
   class Permit < Base
     def execute
-      parameters = { "privilege" => statement.privilege, "role" => statement.role.role.roleid(default_account) }
+      parameters = { "privilege" => statement.privilege, "role" => statement.role.role.roleid }
       parameters['grant_option'] = statement.role.admin unless statement.role.admin.nil?
       action({
         'method' => 'post',

data/lib/conjur/dsl2/executor/revoke.rb

@@ -4,7 +4,7 @@ module Conjur::DSL2::Executor
       action({
         'method' => 'delete',
         'path' => "#{role_path(statement.role)}?members",
-        'parameters' => { "member" => statement.member.roleid(default_account)}
+        'parameters' => { "member" => statement.member.roleid }
       })
     end
   end

data/lib/conjur/dsl2/executor.rb

@@ -36,6 +36,8 @@ module Conjur
     end
         
     class HTTPExecutor
+      attr_reader :api, :context
+      
       # @param [Conjur::API] api
       def initialize api
         @api = api
@@ -90,6 +92,7 @@ module Conjur
         # $stderr.puts "#{request.method.upcase} #{request.path} #{request.body}"
         require 'base64'
         request['Authorization'] = "Token token=\"#{Base64.strict_encode64 @api.token.to_json}\""
+        request['X-Conjur-Privilege'] = api.privilege if api.privilege
         response = @http.request request
         # $stderr.puts response.code
         if response.code.to_i >= 300

data/lib/conjur/dsl2/plan.rb

@@ -1,46 +1,14 @@
 module Conjur
   module DSL2
     class Plan
-      attr_reader :actions, :policy, :roles_created, :resources_created
-      attr_accessor :namespace, :ownerid
-
+      attr_reader :actions, :roles_created, :resources_created
       
-      def initialize namespace = nil
-        @namespace = namespace
+      def initialize
         @actions = []
-        @policy = nil
         @roles_created = Set.new
         @resources_created = Set.new
       end
       
-      def scoped_id id
-        id = id.id if id.respond_to?(:id)
-
-        # id is nil means it should have the same id as the policy
-        id = '' if id.nil?
-
-        if id[0] == '/'
-          id[1..-1]
-        else
-
-          tokens = []
-          tokens.push @namespace if @namespace
-          tokens.push @policy.id if @policy
-
-          if id.start_with?(tokens.join('/') + '/')
-            id
-          else
-            tokens.push id unless id.empty?
-            tokens.join('/')
-          end
-        end
-      end
-      
-      def policy= policy
-        raise "Plan policy is already specified" if @policy && policy
-        @policy = policy
-      end
-      
       def action a
         @actions.push a
       end

data/lib/conjur/dsl2/planner/base.rb

@@ -8,6 +8,7 @@ module Conjur
         attr_accessor :plan
 
         def initialize record, api
+          raise "Expecting Conjur::DSL2::Types::Base, got #{record.class}" unless record.is_a?(Conjur::DSL2::Types::Base)
           @record = record
           @api = api
         end
@@ -15,46 +16,26 @@ module Conjur
         def action a
           @plan.action a
         end
-        
-        def scoped_id id
-          @plan.scoped_id id
-        end
-        
-        def scoped_roleid record
-          record = record.roleid(default_account) unless record.kind_of?(String)
-          account, kind, id = record.split(':', 3)
-          [ account, kind, scoped_id(id) ].join(":")
-        end
-
-        def scoped_resourceid record
-          record = record.resourceid(default_account) unless record.kind_of?(String)
-          account, kind, id = record.split(':', 3)
-          [ account, kind, scoped_id(id) ].join(":")
-        end
-          
+                  
         def account
-          (record.account rescue nil) || default_account
-        end
-
-        def default_account
-          Conjur.configuration.account
+          record.account
         end
         
         def role_record fullid
           account, kind, id = fullid.split(':', 3)
           if kind == '@'
-            Conjur::DSL2::Types::ManagedRole.build fullid, default_account
+            Conjur::DSL2::Types::ManagedRole.build fullid
           else
             if record_class = record_type(kind)
               record_class.new.tap do |record|
-                record.account = account unless account == default_account
+                record.account = account
                 unless record.is_a?(Conjur::DSL2::Types::Variable)
                   record.kind = kind if record.respond_to?(:kind=)
                 end
                 record.id = id
               end
             else
-              Conjur::DSL2::Types::Role.new(fullid, default_account: default_account)
+              Conjur::DSL2::Types::Role.new(fullid)
             end
           end
         end
@@ -70,29 +51,30 @@ module Conjur
         alias resource_record role_record
         
         def resource
-          api.resource(scoped_resourceid record)
+          api.resource(record.resourceid)
         end
         
         def role
-          api.role(scoped_roleid record)
-        end
-
-        # Sort in canonical order -- basically, a `Record` or `Create` comes before everything
-        # else.  So the base class's sort just places those before us, and anything else gets 0.
-        def <=> other
-          (other.kind_of?(Conjur::DSL2::Planner::ActsAsRecord) or other.kind_of?(Conjur::DSL2::Planner::Array)) ? 1 : 0
+          api.role(record.roleid)
         end
 
         def resource_exists? resource
-          resource_id = resource.kind_of?(String) ? resource : scoped_resourceid(resource)
+          resource_id = resource.respond_to?(:resourceid) ? resource.resourceid : resource.to_s
           (plan.resources_created.include?(resource_id) ||  api.resource(resource_id).exists?)
         end
 
         def role_exists? role
-          role_id = role.kind_of?(String) ? role : scoped_roleid(role)
-          # I believe it's correct to assume manged roles exist?
-          return true if role_id.split(':',2).last.start_with?('@')
-
+          role_id = role.respond_to?(:roleid) ? role.roleid : role.to_s
+          
+          account, kind, id = role_id.split(':', 3)
+          if kind == "@"
+            # For managed role, check if the parent record will be created
+            role_tokens = id.split('/')
+            # This is the role_name
+            role_tokens.pop
+            role_kind = role_tokens.shift
+            role_id = [ account, role_kind, role_tokens.join('/') ].join(":")
+          end
           plan.roles_created.include?(role_id) || api.role(role_id).exists?
         end
 
@@ -110,11 +92,14 @@ module Conjur
         def update_record
           update = Conjur::DSL2::Types::Update.new
           update.record = record
-          record.id = scoped_id(record)
 
           changed = false
           record.custom_attribute_names.each do |attr|
-            existing_value = object.attributes[attr.to_s]
+            existing_value = if object.respond_to?(attr) 
+              object.send(attr)
+            else
+              object.attributes[attr.to_s]
+            end
             new_value = record.send(attr)
             if new_value
               if new_value == existing_value
@@ -139,17 +124,17 @@ module Conjur
               end
             end
             
-            if record.owner && resource.owner != scoped_roleid(record.owner)
+            if record.owner && resource.owner != record.owner.roleid
               give = Conjur::DSL2::Types::Give.new
-              give.resource = Conjur::DSL2::Types::Resource.new(record.resourceid(default_account), default_account: default_account)
-              give.owner = Conjur::DSL2::Types::Role.new(scoped_roleid(record.owner), default_account: default_account)
+              give.resource = Conjur::DSL2::Types::Resource.new(record.resourceid)
+              give.owner = Conjur::DSL2::Types::Role.new(record.owner.roleid)
               action give
               
               if record.role?
                 grant = Conjur::DSL2::Types::Grant.new
-                grant.role = Conjur::DSL2::Types::Role.new(record.roleid(default_account), default_account: default_account)
+                grant.role = Conjur::DSL2::Types::Role.new(record.roleid)
                 grant.member = Conjur::DSL2::Types::Member.new
-                grant.member.role = Conjur::DSL2::Types::Role.new(scoped_roleid(record.owner), default_account: default_account)
+                grant.member.role = Conjur::DSL2::Types::Role.new(record.owner.roleid)
                 grant.member.admin = true
                 action grant
               end
@@ -162,12 +147,6 @@ module Conjur
         def create_record
           create = Conjur::DSL2::Types::Create.new
           create.record = record
-          record.id = scoped_id(record)
-          if record.owner
-            record.owner = Conjur::DSL2::Types::Role.new(scoped_roleid(record.owner), default_account: default_account)
-          elsif plan.ownerid
-            record.owner = Conjur::DSL2::Types::Role.new(plan.ownerid, default_account: default_account)
-          end
           
           if record.resource?
             existing = resource.exists? ? resource.annotations : {}
@@ -182,30 +161,11 @@ module Conjur
             end
           end
 
-          plan.roles_created.add(record.roleid(account)) if record.role?
-          plan.resources_created.add(record.resourceid(account)) if record.resource?
+          plan.roles_created.add(record.roleid) if record.role?
+          plan.resources_created.add(record.resourceid) if record.resource?
           action create
         end
       end
-      
-      class Array < Base
-        # Array sorts before everything because sanity.
-        def <=> other
-          -1
-        end
-
-        def do_plan
-
-          planners = record.map do |item|
-            Planner.planner_for(item, api)
-          end.sort
-
-          planners.each do |planner|
-            planner.plan = self.plan
-            planner.do_plan
-          end
-        end
-      end
     end
   end
 end

data/lib/conjur/dsl2/planner/grants.rb

@@ -3,7 +3,16 @@ require 'conjur/dsl2/planner/base'
 module Conjur
   module DSL2
     module Planner
-      class Grant < Base
+      class RoleAction < Base
+        def verify_roles_available roles
+          # Check all roles / members involved
+          roles.each do |role|
+            error("role not found: #{role.roleid} in #{plan.roles_created.to_a}") unless role_exists?(role)
+          end
+        end
+      end
+      
+      class Grant < RoleAction
         # Plans a role grant.
         # 
         # The Grant record can list multiple roles and members. Each member should
@@ -16,30 +25,27 @@ module Conjur
           given_admins = Set.new
           requested_grants = Hash.new { |hash, key| hash[key] = [] }
 
-          # Check all roles / members involved
-          (roles + members.map(&:role)).each do |role|
-            error("role not found: #{scoped_roleid(role)} in #{plan.roles_created.to_a}") unless role_exists?(role)
-          end
+          verify_roles_available roles + members.map(&:role)
 
           roles.each do |role|
             grants = begin
-              api.role(scoped_roleid(role)).members
+              api.role(role.roleid).members
             rescue RestClient::ResourceNotFound
               []
             end
             
             grants.each do |grant|
               member_roleid = grant.member.roleid
-              given_grants[scoped_roleid(role)].push [ member_roleid, grant.admin_option ]
+              given_grants[role.roleid].push [ member_roleid, grant.admin_option ]
               given_admins << member_roleid if grant.admin_option
             end
             members.each do |member|
-              requested_grants[scoped_roleid(role)].push [ scoped_roleid(member.role), !!member.admin ]
+              requested_grants[role.roleid].push [ member.role.roleid, !!member.admin ]
             end
           end
           
           roles.each do |role|
-            roleid = scoped_roleid(role)
+            roleid = role.roleid
             given = given_grants[roleid]
             requested = requested_grants[roleid]
             
@@ -55,7 +61,7 @@ module Conjur
             if record.replace
               (Set.new(given) - Set.new(requested)).each do |p|
                 member, _ = p
-                member_roleid = role_record(member).roleid(account)
+                member_roleid = role_record(member).roleid
                 next if given_admins.member?(member_roleid)
                 revoke = Conjur::DSL2::Types::Revoke.new
                 revoke.role = role_record roleid
@@ -67,10 +73,33 @@ module Conjur
         end
       end
       
-      class Revoke < Base
+      class Revoke < RoleAction
         def do_plan
-          Array(record.roles).each do |role|
-            Array(record.members).each do |member|
+          roles = Array(record.roles)
+          members = Array(record.members)
+          given_grants = Hash.new { |hash, key| hash[key] = [] }
+
+          verify_roles_available roles + members
+
+          roles.each do |role|
+            grants = begin
+              api.role(role.roleid).members
+            rescue RestClient::ResourceNotFound
+              []
+            end
+            
+            grants.each do |grant|
+              member_roleid = grant.member.roleid
+              given_grants[role.roleid].push member_roleid
+            end
+          end
+          
+          roles.each do |role|
+            roleid = role.roleid
+            given = given_grants[roleid]
+            members.each do |member|
+              next unless given.member?(member.roleid)
+          
               revoke = Conjur::DSL2::Types::Revoke.new
               revoke.role = role
               revoke.member = member

data/lib/conjur/dsl2/planner/permissions.rb

@@ -11,17 +11,14 @@ module Conjur
       # privilege on an existing resource that is *not* given should be denied.
       class Permit < Base
         def do_plan
-
           resources = Array(record.resources)
           privileges = Array(record.privilege)
           given_permissions = Hash.new { |hash, key| hash[key] = [] }
           requested_permissions = Hash.new { |hash, key| hash[key] = [] }
 
-
-
           resources.each do |resource|
             permissions = begin
-              JSON.parse(api.resource(scoped_resourceid(resource)).get)['permissions'] 
+              JSON.parse(api.resource(resource.resourceid).get)['permissions'] 
             rescue RestClient::ResourceNotFound
               []
             end
@@ -34,17 +31,17 @@ module Conjur
 
             privileges.each do |privilege|
               Array(record.roles).each do |role|
-                requested_permissions[[privilege, scoped_resourceid(resource)]].push [ scoped_roleid(role.role), !!role.admin ]
+                requested_permissions[[privilege, resource.resourceid]].push [ role.role.roleid, !!role.admin ]
               end
             end
           end
                       
           resources.each do |resource|
-            error("resource not found: #{resource}") unless resource_exists?(resource)
+            error(%Q("Resource "#{resource}" not found in [#{plan.resources_created.to_a.sort.join(', ')}])) unless resource_exists?(resource)
 
             privileges.each do |privilege|
 
-              target = scoped_resourceid(resource)
+              target = resource.resourceid
               given = given_permissions[[privilege, target]]
               requested = requested_permissions[[privilege, target]]
 

data/lib/conjur/dsl2/planner/record.rb

@@ -4,11 +4,6 @@ module Conjur
   module DSL2
     module Planner      
       module ActsAsRecord
-        # Record objects sort before everything else
-        def <=> other
-          other.kind_of?(ActsAsRecord) ? 0 : -1
-        end
-
         def do_plan
           if object.exists?
             update_record
@@ -38,7 +33,8 @@ module Conjur
         include ActsAsRecord
         
         def object
-          @object ||= api.send(record.resource_kind, scoped_id(record))
+          raise "Cannot create a record in non-default account #{record.account}" unless record.account == Conjur.configuration.account
+          @object ||= api.send(record.resource_kind, record.id)
         end
       end
       
@@ -47,57 +43,27 @@ module Conjur
 
       class Policy < Base
         def do_plan
-          role = record.role(default_account)
-          Role.new(role, api).tap do |role|
+          unless record.body.nil?
+            error('Not expecting a body element in policy')
+          end
+          
+          # Create the role
+          Role.new(record.role, api).tap do |role|
             role.plan = plan
             role.do_plan
           end
 
-          if record.body.nil?
-            error('missing body element in policy')
-          end
-
-          plan.ownerid = role.roleid(account)
-          resource = record.resource(default_account)
-          if record.annotations
-            resource.annotations = record.annotations
+          # Copy the annotations
+          Hash(record.annotations).each do |k,v|
+            record.resource.annotations ||= {}
+            record.resource.annotations[k] = v
           end
 
-          Resource.new(resource, api).tap do |resource|
+          # Create the resource
+          Resource.new(record.resource, api).tap do |resource|
             resource.plan = plan
             resource.do_plan
           end
-
-          planners = record.body.map do |record|
-            Planner.planner_for(record, api)
-          end.sort
-
-          log{ "Planing policy with body #{planners.map{|p| p.class.name}}" }
-
-          planners.each do |planner|
-            planner.log{  "Planning #{planner}"}
-            ownerid = plan.ownerid
-            begin
-              plan.policy = self.record
-              
-              # Set the ownerid to the namespace-scoped roleid of the policy
-              ownerid = plan.policy.roleid(account)
-              if plan.namespace
-                account, kind, id = ownerid.split(':', 3)
-                ownerid = [ account, kind, [ plan.namespace, id ].join("/") ].join(":")
-              end
-              ownerid = ownerid
-              plan.ownerid = ownerid
-
-              planner.plan = plan
-              planner.log { "Planning policy record #{record}" }
-              planner.do_plan
-              planner.log { "Done" }
-            ensure
-              plan.policy = nil
-              plan.ownerid = ownerid
-            end
-          end
         end
       end
     end

data/lib/conjur/dsl2/planner.rb

@@ -7,14 +7,10 @@ module Conjur
   module DSL2
     module Planner
       class << self
-        def plan records, api, options = {}
-          namespace = options[:namespace]
-          ownerid   = options[:ownerid]
-          plan = options[:plan] || Plan.new
+        def plan records, api, plan = nil
+          plan ||= Plan.new
           plan.tap do |plan|
-            plan.namespace = namespace if namespace
-            plan.ownerid = ownerid if ownerid
-            Array(records).map{ |record| planner_for(record, api) }.sort.each do |planner|
+            Array(records).map{ |record| planner_for(record, api) }.each do |planner|
               planner.plan = plan
               planner.log { %Q(Planning "#{planner.record} using #{planner.class}") }
               begin

data/lib/conjur/dsl2/resolver.rb

@@ -0,0 +1,216 @@
+module Conjur
+  module DSL2
+    class Resolver
+      attr_reader :account, :ownerid, :namespace
+      
+      class << self
+        # Resolve records to the specified owner id and namespace.
+        def resolve records, account, ownerid, namespace = nil
+          resolver_classes = [ AccountResolver, IdResolver, OwnerResolver, FlattenResolver ]
+          resolver_classes.each do |cls|
+            resolver = cls.new account, ownerid, namespace
+            records = resolver.resolve records
+          end
+          records
+        end
+      end
+      
+      # +account+ is required. It's the default account whenever no account is specified.
+      # +ownerid+ is required. Any records without an owner will be assigned this owner. The exception
+      # is records defined in a policy, which are always owned by the policy role unless an explicit owner
+      # is indicated (which would be rare).
+      # +namespace+ is optional. It's prepended to the id of every record, except for ids which begin
+      # with a '/' character.
+      def initialize account, ownerid, namespace = nil
+        @account = account
+        @ownerid   = ownerid
+        @namespace = namespace
+        
+        raise "account is required" unless account
+        raise "ownerid is required" unless ownerid
+        raise "ownerid must be fully qualified" unless ownerid.split(":", 3).length == 3
+      end
+      
+      protected
+      
+      # Traverse an Array-ish of records, calling a +handler+ method for each one.
+      # If a record is a Policy, then the +policy_handler+ is invoked, after the +handler+.
+      def traverse records, visited, handler, policy_handler = nil
+        Array(records).flatten.each do |record|
+          next unless visited.add?(id_of(record))
+
+          handler.call record, visited
+          policy_handler.call record, visited if policy_handler && record.is_a?(Types::Policy)
+        end
+      end
+      
+      def id_of record
+        record.object_id
+      end
+    end
+    
+    # Updates all nil +account+ fields to the default account.
+    class AccountResolver < Resolver
+      def resolve records
+        traverse records, Set.new, method(:resolve_account), method(:on_resolve_policy)
+      end
+      
+      def resolve_account record, visited
+        if record.respond_to?(:account) && record.respond_to?(:account=) && record.account.nil?
+          record.account = @account
+        end
+        traverse record.referenced_records, visited, method(:resolve_account), method(:on_resolve_policy)
+      end
+      
+      def on_resolve_policy policy, visited
+        traverse policy.body, visited, method(:resolve_account), method(:on_resolve_policy)
+      end
+    end
+
+    # Makes all ids absolute, by prepending the namespace (if any) and the enclosing policy (if any).
+    class IdResolver < Resolver
+      def resolve records
+        traverse records, Set.new, method(:resolve_id), method(:on_resolve_policy)
+      end
+      
+      def resolve_id record, visited
+        if record.respond_to?(:id) && record.respond_to?(:id=)
+          id = record.id
+          if id.blank?
+            raise "#{record.to_s} has no id, and no namespace is available to populate it" unless namespace
+            record.id = namespace
+          elsif id[0] == '/'
+            record.id = id[1..-1]
+          else
+            record.id = [ namespace, id ].compact.join('/')
+          end
+        end
+        
+        traverse record.referenced_records, visited, method(:resolve_id), method(:on_resolve_policy)
+      end
+      
+      def on_resolve_policy policy, visited
+        saved_namespace = @namespace
+        @namespace = policy.id
+        traverse policy.body, visited, method(:resolve_id), method(:on_resolve_policy)
+      ensure
+        @namespace = saved_namespace
+      end
+    end
+    
+    # Sets the owner field for any records which support it, and don't have an owner specified.
+    # Within a policy, the default owner is the policy role. For global records, the 
+    # default owner is the +ownerid+ specified in the constructor.
+    class OwnerResolver < Resolver
+      def resolve records
+        traverse records, Set.new, method(:resolve_owner), method(:on_resolve_policy)
+      end
+      
+      def resolve_owner record, visited
+        if record.respond_to?(:owner) && record.respond_to?(:owner) && record.owner.nil?
+          record.owner = Types::Role.new(@ownerid)
+        end
+      end
+      
+      def on_resolve_policy policy, visited
+        saved_ownerid = @ownerid
+        @ownerid = [ policy.account, "policy", policy.id ].join(":")
+        traverse policy.body, visited, method(:resolve_owner), method(:on_resolve_policy)
+      ensure
+        @ownerid = saved_ownerid
+      end
+    end
+    
+    # Flattens and sorts all records into a single list, including YAML lists and policy body.
+    class FlattenResolver < Resolver
+      def resolve records
+        @result = []
+        traverse records, Set.new, method(:resolve_record), method(:on_resolve_policy)
+
+        # Sort record creation before anything else.
+        # Sort record creation in dependency order (if A owns B, then A will be created before B).
+        # Otherwise, preserve the existing order.
+
+        @stable_index = {}
+        @result.each_with_index do |obj, idx|
+          @stable_index[obj] = idx
+        end
+        @referenced_record_index = {}
+        @result.each_with_index do |obj, idx|
+          @referenced_record_index[obj] = obj.referenced_records.select{|r| r.respond_to?(:roleid)}.map(&:roleid)
+        end
+        @result.flatten.sort do |a,b|
+          score = sort_score(a) - sort_score(b)
+          if score == 0
+            if a.respond_to?(:roleid) && @referenced_record_index[b].member?(a.roleid)
+              score = -1
+            elsif b.respond_to?(:roleid) && @referenced_record_index[a].member?(b.roleid)
+              score = 1
+            else
+              score = @stable_index[a] - @stable_index[b]
+            end
+          end
+          score
+        end
+      end
+      
+      protected
+      
+      # Select things uniquely by class and id, in this resolver.
+      def id_of record
+        if record.respond_to?(:id)
+          [ record.id, record.class.name ].join("@")
+        else
+          super
+        end
+      end
+      
+      # Sort "Create" and "Record" objects to the front.
+      def sort_score record
+        if record.is_a?(Types::Create) || record.is_a?(Types::Record)
+          -1
+        else
+          0
+        end
+      end
+      
+      # Add the record to the result.
+      def resolve_record record, visited
+        @result += Array(record)
+      end
+
+      # Recurse on the policy body records.
+      def on_resolve_policy policy, visited
+        body = policy.body
+        policy.remove_instance_variable "@body"
+        traverse body, visited, method(:resolve_record), method(:on_resolve_policy)
+      end
+    end
+    
+    # Unsets attributes that make for more verbose YAML output. This class is used to 
+    # compact YAML expectations in test cases. It expects pre-flattened input.
+    #
+    # +account+ attributes which match the provided account are set to nil.
+    # +owner+ attributes which match the provided ownerid are removed.
+    class CompactOutputResolver < Resolver
+      def resolve records
+        traverse records, Set.new, method(:resolve_owner)
+        traverse records, Set.new, method(:resolve_account)
+      end
+      
+      def resolve_account record, visited
+        if record.respond_to?(:account) && record.respond_to?(:account=) && record.account && record.account == self.account
+          record.remove_instance_variable :@account
+        end
+        traverse record.referenced_records, visited, method(:resolve_account)
+      end
+
+      def resolve_owner record, visited
+        if record.respond_to?(:owner) && record.respond_to?(:owner=) && record.owner && record.owner.roleid == self.ownerid
+          record.remove_instance_variable :@owner
+        end
+        traverse record.referenced_records, visited, method(:resolve_owner)
+      end
+    end
+  end
+end

data/lib/conjur/dsl2/types/base.rb

@@ -52,7 +52,6 @@ module Conjur
         # +converter+ if the +test_function+ fails, the converter is called to coerce the type. 
         # It should return +nil+ if its unable to do so.
         def expect_type value, type_name, test_function, converter = nil
-
           if test_function.is_a?(Class)
             cls = test_function
             test_function = lambda{ value.is_a?(cls) } 
@@ -274,9 +273,6 @@ module Conjur
         extend TypeChecking
         extend AttributeDefinition
         
-        # On creation, an owner can always be specified.
-        attr_accessor :owner
-        
         # Stores the mapping from attribute names to Ruby class names that will be constructed
         # to populate the attribute.
         inheritable_attr :yaml_fields
@@ -303,6 +299,18 @@ module Conjur
           false
         end
         
+        # Gets all 'child' records.
+        def referenced_records
+          result = []
+          instance_variables.map do |var|
+            value = instance_variable_get var
+            Array(value).each do |val|
+              result.push val if val.is_a?(Conjur::DSL2::Types::Base)
+            end
+          end
+          result.flatten
+        end
+        
         class << self
           # Hook to register the YAML type.
           def inherited cls
@@ -314,6 +322,8 @@ module Conjur
             self.name.demodulize
           end
           
+          alias simple_name short_name
+          
           def register_yaml_type simple_name
             ::YAML.add_tag "!#{simple_name}", self
           end

data/lib/conjur/dsl2/types/create.rb

@@ -1,7 +1,7 @@
 module Conjur::DSL2::Types
   class Create < Base
     attribute :record
-    
+        
     def to_s
       messages = [ "Create #{record}" ]
       if record.resource?

data/lib/conjur/dsl2/types/deny.rb

@@ -7,7 +7,7 @@ module Conjur
         attribute :resource, dsl_accessor: true
         
         include ResourceMemberDSL
-        
+
         def to_s
           "Deny #{role} to '#{privilege}' #{resource}"
         end

data/lib/conjur/dsl2/types/permit.rb

@@ -14,7 +14,14 @@ module Conjur
         end
         
         def to_s
-          "Permit #{role.role} to [#{Array(privilege).join(', ')}] on #{Array(resource).join(', ')}#{role.admin ? ' with grant option' : ''}"
+          if Array === role
+            role_string = role.map &:role
+            admin = false
+          else
+            role_string = role.role
+            admin = role.admin
+          end
+          "Permit #{role_string} to [#{Array(privilege).join(', ')}] on #{Array(resource).join(', ')}#{admin ? ' with grant option' : ''}"
         end
       end
     end

data/lib/conjur/dsl2/types/policy.rb

@@ -91,12 +91,23 @@ module Conjur
         include ActsAsResource
         include ActsAsRole
         
-        def role default_account
-          Role.new("#{self.account || default_account}:policy:#{id}", default_account: default_account)
+        def role
+          raise "account is nil" unless account
+          @role ||= Role.new("#{account}:policy:#{id}").tap do |role|
+            role.owner = Role.new(owner.roleid)
+          end
         end
 
-        def resource default_account
-          Resource.new("#{self.account || default_account}:policy:#{id}", default_account: default_account)
+        def resource
+          raise "account is nil" unless account
+          @resource ||= Resource.new("#{account}:policy:#{id}").tap do |resource|
+            resource.owner = Role.new(role.roleid)
+          end
+        end
+        
+        # Body is handled specially.
+        def referenced_records
+          super - Array(@body)
         end
         
         def body &block

data/lib/conjur/dsl2/types/records.rb

@@ -34,9 +34,9 @@ module Conjur
         def initialize id = nil
           self.id = id if id
         end
-
+        
         def to_s
-          "#{resource_kind.gsub('_', ' ')} '#{id}'#{account ? ' in account \'' + account + '\'': ''}"
+          "#{resource_kind.gsub('_', ' ')} '#{id}'#{account && account != Conjur.configuration.account ? ' in account \'' + account + '\'': ''}"
         end
         
         def resourceid default_account = nil
@@ -66,7 +66,7 @@ module Conjur
       end
       
       module ActsAsRole
-        def roleid default_account
+        def roleid default_account = nil
           [ account || default_account, role_kind, id ].join(":")
         end
         
@@ -100,7 +100,7 @@ module Conjur
         end
 
         def to_s
-          "#{kind} #{self.class.short_name.underscore} '#{id}'#{account ? ' in account \'' + account + '\'': ''}"
+          "#{kind} #{self.class.short_name.underscore} '#{id}'#{account && account != Conjur.configuration.account ? ' in account \'' + account + '\'': ''}"
         end
       end
       
@@ -209,13 +209,15 @@ module Conjur
         attribute :role_name, kind: :string, singular: true
         
         class << self
-          def build fullid, default_account
+          def build fullid
             account, kind, id = fullid.split(':', 3)
             raise "Expecting @ for kind, got #{kind}" unless kind == "@"
-            record_kind, record_id, role_name = id.split('/', 3)
+            id_tokens = id.split('/')
+            record_kind = id_tokens.shift
+            role_name = id_tokens.pop
             record = Conjur::DSL2::Types.const_get(record_kind.classify).new.tap do |record|
-              record.id = record_id
-              record.account = account unless account == default_account
+              record.id = id_tokens.join('/')
+              record.account = account
             end
             self.new record, role_name
           end

data/lib/conjur-asset-dsl2-version.rb

@@ -1,7 +1,7 @@
 module Conjur
   module Asset
     module DSL2
-      VERSION = "0.4.4"
+      VERSION = "0.5.0"
     end
   end
 end

data/lib/conjur-asset-dsl2.rb

@@ -29,5 +29,6 @@ require 'conjur/dsl2/types/policy'
 require 'conjur/dsl2/yaml/handler'
 require 'conjur/dsl2/yaml/loader'
 require 'conjur/dsl2/ruby/loader'
+require 'conjur/dsl2/resolver'
 require 'conjur/dsl2/planner'
 require 'conjur/dsl2/executor'

data/policy-bug.yml

@@ -0,0 +1,7 @@
+- !policy
+  id: test
+  body:
+    - !group
+      id: a
+    - !layer
+      owner: !group a

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-asset-dsl2
 version: !ruby/object:Gem::Version
-  version: 0.4.4
+  version: 0.5.0
 platform: ruby
 authors:
 - Kevin Gilpin
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-02-15 00:00:00.000000000 Z
+date: 2016-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: safe_yaml
@@ -177,7 +177,6 @@ files:
 - .rspec
 - .travis.yml
 - CHANGELOG
-- Dockerfile.dev
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -185,6 +184,7 @@ files:
 - backup.tar
 - bin/console
 - bin/setup
+- ci/test.sh
 - conjur-asset-dsl2.gemspec
 - jenkins.sh
 - lib/conjur-asset-dsl2-version.rb
@@ -208,6 +208,7 @@ files:
 - lib/conjur/dsl2/planner/grants.rb
 - lib/conjur/dsl2/planner/permissions.rb
 - lib/conjur/dsl2/planner/record.rb
+- lib/conjur/dsl2/resolver.rb
 - lib/conjur/dsl2/ruby/loader.rb
 - lib/conjur/dsl2/types/base.rb
 - lib/conjur/dsl2/types/create.rb
@@ -223,6 +224,7 @@ files:
 - lib/conjur/dsl2/types/update.rb
 - lib/conjur/dsl2/yaml/handler.rb
 - lib/conjur/dsl2/yaml/loader.rb
+- policy-bug.yml
 - syntax.md
 homepage: https://github.com/conjurinc/conjur-asset-dsl2
 licenses:

data/Dockerfile.dev

@@ -1,19 +0,0 @@
-FROM registry.tld/conjur-appliance-cuke-master:4.6-stable
-
-WORKDIR /src/conjur-asset-dsl2
-
-RUN mkdir -p /src/conjur-asset-dsl2
-RUN mkdir -p /src/conjur-asset-dsl2/lib
-RUN mkdir -p /src/conjur-asset-dsl2/tmp
-
-ADD Gemfile ./
-ADD conjur-asset-dsl2.gemspec ./
-ADD lib/conjur-asset-dsl2-version.rb ./lib/
-RUN bundle
-ADD . .
-
-ENV CONJUR_AUTHN_LOGIN   admin
-ENV CONJUR_AUTHN_API_KEY secret
-ENV CONJUR_ACCOUNT cucumber
-ENV CONJUR_APPLIANCE_URL https://localhost/api
-ENV CONJUR_CERT_FILE     /opt/conjur/etc/ssl/ca.pem