conjur-asset-dsl2 0.5.0 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/{CHANGELOG → CHANGELOG.md} +7 -0
- data/Gemfile +2 -0
- data/conjur-asset-dsl2.gemspec +1 -0
- data/lib/conjur-asset-dsl2-version.rb +1 -1
- data/lib/conjur/dsl2/planner/facts.rb +179 -0
- data/lib/conjur/dsl2/planner/grants.rb +49 -82
- data/lib/conjur/dsl2/planner/permissions.rb +67 -54
- data/lib/conjur/dsl2/resolver.rb +18 -3
- data/lib/conjur/dsl2/types/member.rb +4 -0
- metadata +18 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 57aa36f4305e541f313b8a833623d6100929ae50
|
|
4
|
+
data.tar.gz: dcabd391389d702f971b3a12aee54afadf53c914
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 62e2362f4202eaa0d48b0db4c597515531c592b63abcc8118bd88c1b8ce5ee9e4354e895ca1cf43dbea79e4a823d1d8c250c1fa5b724fca284a501fdbad695fb
|
|
7
|
+
data.tar.gz: 08a1ec598a5d4f23e1bb27dd939f5eaddeff097bcf0d9aebaf1ca8fabf6949134827daaf656d5a27c3d384b07dc7f5bf6b9e6a579a65f264109744f0e9dddb70
|
data/{CHANGELOG → CHANGELOG.md}
RENAMED
|
@@ -1,6 +1,13 @@
|
|
|
1
|
+
# 0.6.0
|
|
2
|
+
|
|
3
|
+
* Implement the !deny statement.
|
|
4
|
+
* Eliminate un-necessary privilege and role revocations.
|
|
5
|
+
|
|
1
6
|
# 0.5.0
|
|
2
7
|
|
|
3
8
|
* Refactor how the policy statements are validated and normalized, fixing some bugs in the process.
|
|
9
|
+
* In record ids, replace the string '$namespace' with the policy namespace. This enables cross-policy
|
|
10
|
+
entitlements to be made more flexibly.
|
|
4
11
|
|
|
5
12
|
# 0.4.4
|
|
6
13
|
|
data/Gemfile
CHANGED
data/conjur-asset-dsl2.gemspec
CHANGED
|
@@ -0,0 +1,179 @@
|
|
|
1
|
+
module Conjur
|
|
2
|
+
module DSL2
|
|
3
|
+
module Planner
|
|
4
|
+
# Stores the state of existing and requested grants (roles or privileges).
|
|
5
|
+
#
|
|
6
|
+
# The difference between the existing and requested grants can be used to determine
|
|
7
|
+
# specifically what actions should be performed in order to bring the state of the server
|
|
8
|
+
# into compliance with the policy.
|
|
9
|
+
class BaseFacts
|
|
10
|
+
attr_accessor :planner, :existing, :requested, :existing_with_admin_flag, :requested_with_admin_flag
|
|
11
|
+
|
|
12
|
+
# Whether to sort the grants. By default this is off; turning it on makes the output
|
|
13
|
+
# deterministic which is nice for testing.
|
|
14
|
+
cattr_accessor :sort
|
|
15
|
+
|
|
16
|
+
def initialize planner
|
|
17
|
+
@planner = planner
|
|
18
|
+
@requested = Set.new
|
|
19
|
+
@requested_with_admin_flag = Set.new
|
|
20
|
+
@existing = Set.new
|
|
21
|
+
@existing_with_admin_flag = Set.new
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def api
|
|
25
|
+
planner.api
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
# Return the set of grants which are requested but not already held.
|
|
29
|
+
#
|
|
30
|
+
# Note that if a grant is held with a different admin option than requested,
|
|
31
|
+
# re-applying with the new admin option will update the grant and create
|
|
32
|
+
# the desired state.
|
|
33
|
+
def grants_to_apply
|
|
34
|
+
sort(requested_with_admin_flag - existing_with_admin_flag)
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
# Return the set of grants which are held but not requested.
|
|
38
|
+
#
|
|
39
|
+
# The admin flag is ignored by this method. So, if a grant exists (with or without
|
|
40
|
+
# admin), and it is not requested (with or without admin), it is revoked. The
|
|
41
|
+
# case in which the grant is held with a different admin option than requested
|
|
42
|
+
# is handled by +grants_to_apply+.
|
|
43
|
+
def grants_to_revoke
|
|
44
|
+
sort(existing - requested)
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def validate_role_exists! role
|
|
48
|
+
error("Role not found: #{role}") unless planner.role_exists?(role)
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
def validate_resource_exists! resource
|
|
52
|
+
error("Resource not found: #{resource}") unless planner.resource_exists?(resource)
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
protected
|
|
56
|
+
|
|
57
|
+
# Sort a result if +sort+ is enabled.
|
|
58
|
+
def sort result
|
|
59
|
+
self.class.sort ? result.to_a.sort : result
|
|
60
|
+
end
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
# Role grants are a tuple of [ roleid, member_roleid, admin_option ].
|
|
64
|
+
class RoleFacts < BaseFacts
|
|
65
|
+
|
|
66
|
+
# Enumerate all existing grants on the specified +role+.
|
|
67
|
+
# Each grant is yielded to the block.
|
|
68
|
+
def role_grants role, &block
|
|
69
|
+
begin
|
|
70
|
+
api.role(role.roleid).members
|
|
71
|
+
rescue RestClient::ResourceNotFound
|
|
72
|
+
if api.role(role.roleid).exists?
|
|
73
|
+
$stderr.puts "WARNING: Unable to fetch members of role #{role.roleid}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
|
|
74
|
+
end
|
|
75
|
+
[]
|
|
76
|
+
end.each do |grant|
|
|
77
|
+
yield grant
|
|
78
|
+
end
|
|
79
|
+
end
|
|
80
|
+
|
|
81
|
+
# Validate that all the requested roles exist.
|
|
82
|
+
def validate!
|
|
83
|
+
requested.to_a.flatten.uniq.each do |roleid|
|
|
84
|
+
validate_role_exists! roleid
|
|
85
|
+
end
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
# Add a Types::Grant to the set of requested grants.
|
|
89
|
+
def add_requested_grant grant
|
|
90
|
+
Array(grant.roles).each do |role|
|
|
91
|
+
Array(grant.members).each do |member|
|
|
92
|
+
requested.add [ role.roleid, member.role.roleid ]
|
|
93
|
+
requested_with_admin_flag.add [ role.roleid, member.role.roleid, !!member.admin ]
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
# Removes a Types::Revoke from the set of requested grants.
|
|
99
|
+
def remove_revoked_grant revoke
|
|
100
|
+
Array(revoke.roles).each do |role|
|
|
101
|
+
Array(revoke.members).each do |member|
|
|
102
|
+
requested.delete [ role.roleid, member.roleid ]
|
|
103
|
+
requested_with_admin_flag.delete [ role.roleid, member.roleid, true ]
|
|
104
|
+
requested_with_admin_flag.delete [ role.roleid, member.roleid, false ]
|
|
105
|
+
end
|
|
106
|
+
end
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
# Add a Conjur::API::Rolerevoke that is already held.
|
|
110
|
+
def add_existing_grant role, grant
|
|
111
|
+
existing.add [ role.roleid, grant.member.roleid ]
|
|
112
|
+
existing_with_admin_flag.add [ role.roleid, grant.member.roleid, grant.admin_option ]
|
|
113
|
+
end
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
# Privilege grants are [ roleid, privilege, resourceid, grant_option ].
|
|
117
|
+
class PrivilegeFacts < BaseFacts
|
|
118
|
+
|
|
119
|
+
# Enumerate all existing permissions for the specified +resource+.
|
|
120
|
+
# Only permissions that apply the specified +privilege+ are considered.
|
|
121
|
+
# Each permission is yielded to the block.
|
|
122
|
+
def resource_permissions resource, privileges, &block
|
|
123
|
+
permissions = begin
|
|
124
|
+
JSON.parse(api.resource(resource.resourceid).get)['permissions']
|
|
125
|
+
rescue RestClient::ResourceNotFound
|
|
126
|
+
if api.resource(resource.resourceid).exists?
|
|
127
|
+
$stderr.puts "WARNING: Unable to fetch permissions of resource #{resource.resourceid}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
|
|
128
|
+
end
|
|
129
|
+
[]
|
|
130
|
+
end
|
|
131
|
+
permissions.select{|p| privileges.member?(p['privilege'])}.each do |permission|
|
|
132
|
+
yield permission
|
|
133
|
+
end
|
|
134
|
+
end
|
|
135
|
+
|
|
136
|
+
# Validate that all the requested roles exist.
|
|
137
|
+
def validate!
|
|
138
|
+
requested.to_a.map{|row| row[0]}.uniq.each do |roleid|
|
|
139
|
+
validate_role_exists! roleid
|
|
140
|
+
end
|
|
141
|
+
requested.to_a.map{|row| row[2]}.uniq.each do |resourceid|
|
|
142
|
+
validate_resource_exists! resourceid
|
|
143
|
+
end
|
|
144
|
+
end
|
|
145
|
+
|
|
146
|
+
# Add a Types::deny to the set of requested grants.
|
|
147
|
+
def add_requested_permission permit
|
|
148
|
+
Array(permit.roles).each do |member|
|
|
149
|
+
Array(permit.privileges).each do |privilege|
|
|
150
|
+
Array(permit.resources).each do |resource|
|
|
151
|
+
requested.add [ member.role.roleid, privilege, resource.resourceid ]
|
|
152
|
+
requested_with_admin_flag.add [ member.role.roleid, privilege, resource.resourceid, !!member.admin ]
|
|
153
|
+
end
|
|
154
|
+
end
|
|
155
|
+
end
|
|
156
|
+
end
|
|
157
|
+
|
|
158
|
+
# Removes a Types::Deny from the set of requested grants.
|
|
159
|
+
def remove_revoked_permission deny
|
|
160
|
+
Array(deny.roles).each do |role|
|
|
161
|
+
Array(deny.privileges).each do |privilege|
|
|
162
|
+
Array(deny.resources).each do |resource|
|
|
163
|
+
requested.delete [ role.roleid, privilege, resource.resourceid ]
|
|
164
|
+
requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, true ]
|
|
165
|
+
requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, false ]
|
|
166
|
+
end
|
|
167
|
+
end
|
|
168
|
+
end
|
|
169
|
+
end
|
|
170
|
+
|
|
171
|
+
# Add a permission that is already held.
|
|
172
|
+
def add_existing_permission permission
|
|
173
|
+
existing.add [ permission['role'], permission['privilege'], permission['resource'] ]
|
|
174
|
+
existing_with_admin_flag.add [ permission['role'], permission['privilege'], permission['resource'], permission['grant_option'] ]
|
|
175
|
+
end
|
|
176
|
+
end
|
|
177
|
+
end
|
|
178
|
+
end
|
|
179
|
+
end
|
|
@@ -1,110 +1,77 @@
|
|
|
1
1
|
require 'conjur/dsl2/planner/base'
|
|
2
|
+
require 'conjur/dsl2/planner/facts'
|
|
2
3
|
|
|
3
4
|
module Conjur
|
|
4
5
|
module DSL2
|
|
5
6
|
module Planner
|
|
6
|
-
class
|
|
7
|
-
def verify_roles_available roles
|
|
8
|
-
# Check all roles / members involved
|
|
9
|
-
roles.each do |role|
|
|
10
|
-
error("role not found: #{role.roleid} in #{plan.roles_created.to_a}") unless role_exists?(role)
|
|
11
|
-
end
|
|
12
|
-
end
|
|
13
|
-
end
|
|
14
|
-
|
|
15
|
-
class Grant < RoleAction
|
|
7
|
+
class Grant < Base
|
|
16
8
|
# Plans a role grant.
|
|
17
9
|
#
|
|
18
10
|
# The Grant record can list multiple roles and members. Each member should
|
|
19
11
|
# be granted every role. If the +replace+ option is set, then any existing
|
|
20
12
|
# grant on a role that is *not* given should be revoked, except for role admins.
|
|
21
13
|
def do_plan
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
roles.each do |role|
|
|
31
|
-
grants = begin
|
|
32
|
-
api.role(role.roleid).members
|
|
33
|
-
rescue RestClient::ResourceNotFound
|
|
34
|
-
[]
|
|
35
|
-
end
|
|
36
|
-
|
|
37
|
-
grants.each do |grant|
|
|
38
|
-
member_roleid = grant.member.roleid
|
|
39
|
-
given_grants[role.roleid].push [ member_roleid, grant.admin_option ]
|
|
40
|
-
given_admins << member_roleid if grant.admin_option
|
|
41
|
-
end
|
|
42
|
-
members.each do |member|
|
|
43
|
-
requested_grants[role.roleid].push [ member.role.roleid, !!member.admin ]
|
|
14
|
+
facts = RoleFacts.new self
|
|
15
|
+
|
|
16
|
+
facts.add_requested_grant record
|
|
17
|
+
|
|
18
|
+
Array(record.roles).each do |role|
|
|
19
|
+
facts.role_grants(role) do |grant|
|
|
20
|
+
facts.add_existing_grant role, grant
|
|
44
21
|
end
|
|
45
22
|
end
|
|
46
23
|
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
grant.member.admin = true if admin
|
|
58
|
-
action grant
|
|
59
|
-
end
|
|
24
|
+
facts.validate!
|
|
25
|
+
|
|
26
|
+
facts.grants_to_apply.each do |grant|
|
|
27
|
+
roleid, memberid, admin = grant
|
|
28
|
+
grant = Conjur::DSL2::Types::Grant.new
|
|
29
|
+
grant.role = role_record roleid
|
|
30
|
+
grant.member = Conjur::DSL2::Types::Member.new role_record(memberid)
|
|
31
|
+
grant.member.admin = admin
|
|
32
|
+
action grant
|
|
33
|
+
end
|
|
60
34
|
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
revoke.member = role_record(member)
|
|
69
|
-
action revoke
|
|
70
|
-
end
|
|
35
|
+
if record.replace
|
|
36
|
+
facts.grants_to_revoke.each do |grant|
|
|
37
|
+
roleid, memberid = grant
|
|
38
|
+
revoke = Conjur::DSL2::Types::Revoke.new
|
|
39
|
+
revoke.role = role_record roleid
|
|
40
|
+
revoke.member = role_record(memberid)
|
|
41
|
+
action revoke
|
|
71
42
|
end
|
|
72
43
|
end
|
|
73
44
|
end
|
|
74
45
|
end
|
|
75
46
|
|
|
76
|
-
class Revoke <
|
|
47
|
+
class Revoke < Base
|
|
77
48
|
def do_plan
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
grants.each do |grant|
|
|
92
|
-
member_roleid = grant.member.roleid
|
|
93
|
-
given_grants[role.roleid].push member_roleid
|
|
49
|
+
facts = RoleFacts.new self
|
|
50
|
+
|
|
51
|
+
# Load all the role members as both requested and existing grants.
|
|
52
|
+
# Then revoke the Grant record, and see what's left.
|
|
53
|
+
Array(record.roles).each do |role|
|
|
54
|
+
facts.role_grants(role) do |grant|
|
|
55
|
+
grant_record = Types::Grant.new
|
|
56
|
+
grant_record.role = Types::Role.new(role.roleid)
|
|
57
|
+
grant_record.member = Types::Member.new Types::Role.new(grant.member.roleid)
|
|
58
|
+
grant_record.member.admin = grant.admin_option
|
|
59
|
+
facts.add_requested_grant grant_record
|
|
60
|
+
|
|
61
|
+
facts.add_existing_grant role, grant
|
|
94
62
|
end
|
|
95
63
|
end
|
|
64
|
+
|
|
65
|
+
facts.remove_revoked_grant record
|
|
96
66
|
|
|
97
|
-
|
|
98
|
-
roleid = role.roleid
|
|
99
|
-
given = given_grants[roleid]
|
|
100
|
-
members.each do |member|
|
|
101
|
-
next unless given.member?(member.roleid)
|
|
67
|
+
facts.validate!
|
|
102
68
|
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
69
|
+
facts.grants_to_revoke.each do |grant|
|
|
70
|
+
roleid, memberid = grant
|
|
71
|
+
revoke = Conjur::DSL2::Types::Revoke.new
|
|
72
|
+
revoke.role = role_record roleid
|
|
73
|
+
revoke.member = role_record(memberid)
|
|
74
|
+
action revoke
|
|
108
75
|
end
|
|
109
76
|
end
|
|
110
77
|
end
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
require 'conjur/dsl2/planner/base'
|
|
2
|
-
require '
|
|
2
|
+
require 'conjur/dsl2/planner/facts'
|
|
3
3
|
|
|
4
4
|
module Conjur
|
|
5
5
|
module DSL2
|
|
@@ -11,65 +11,78 @@ module Conjur
|
|
|
11
11
|
# privilege on an existing resource that is *not* given should be denied.
|
|
12
12
|
class Permit < Base
|
|
13
13
|
def do_plan
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
resources.each do |resource|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
rescue RestClient::ResourceNotFound
|
|
23
|
-
[]
|
|
24
|
-
end
|
|
25
|
-
|
|
26
|
-
permissions.each do |permission|
|
|
27
|
-
if privileges.member?(permission['privilege'])
|
|
28
|
-
given_permissions[[permission['privilege'], permission['resource']]].push [ permission['role'], permission['grant_option'] ]
|
|
29
|
-
end
|
|
14
|
+
facts = PrivilegeFacts.new self
|
|
15
|
+
|
|
16
|
+
facts.add_requested_permission record
|
|
17
|
+
|
|
18
|
+
privileges = Array(record.privileges)
|
|
19
|
+
Array(record.resources).each do |resource|
|
|
20
|
+
facts.resource_permissions(resource, privileges) do |permission|
|
|
21
|
+
facts.add_existing_permission permission
|
|
30
22
|
end
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
facts.validate!
|
|
31
26
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
27
|
+
facts.grants_to_apply.each do |grant|
|
|
28
|
+
role, privilege, resource, admin = grant
|
|
29
|
+
|
|
30
|
+
permit = Conjur::DSL2::Types::Permit.new
|
|
31
|
+
permit.resource = resource_record resource
|
|
32
|
+
permit.privilege = privilege
|
|
33
|
+
permit.role = Conjur::DSL2::Types::Member.new role_record(role)
|
|
34
|
+
permit.role.admin = true if admin
|
|
35
|
+
action permit
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
if record.replace
|
|
39
|
+
facts.grants_to_revoke.each do |grant|
|
|
40
|
+
roleid, privilege, resourceid = grant
|
|
41
|
+
deny = Conjur::DSL2::Types::Deny.new
|
|
42
|
+
deny.resource = resource_record resourceid
|
|
43
|
+
deny.privilege = privilege
|
|
44
|
+
deny.role = role_record(roleid)
|
|
45
|
+
action deny
|
|
36
46
|
end
|
|
37
47
|
end
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
if record.replace
|
|
62
|
-
(Set.new(given) - Set.new(requested)).each do |p|
|
|
63
|
-
role, admin = p
|
|
64
|
-
deny = Conjur::DSL2::Types::Deny.new
|
|
65
|
-
deny.resource = resource_record target
|
|
66
|
-
deny.privilege = privilege
|
|
67
|
-
deny.role = role_record(role)
|
|
68
|
-
action deny
|
|
69
|
-
end
|
|
70
|
-
end
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
# Plans a permission denial.
|
|
52
|
+
#
|
|
53
|
+
# A Deny statement is generated if the permission is currently held. Otherwise, its a nop.
|
|
54
|
+
class Deny < Base
|
|
55
|
+
def do_plan
|
|
56
|
+
facts = PrivilegeFacts.new self
|
|
57
|
+
|
|
58
|
+
# Load all the permissions as both requested and existing grants.
|
|
59
|
+
# Then remove the Deny record, and see what's left.
|
|
60
|
+
privileges = Array(record.privileges)
|
|
61
|
+
Array(record.resources).each do |resource|
|
|
62
|
+
facts.resource_permissions(resource, privileges) do |permission|
|
|
63
|
+
permit_record = Types::Permit.new
|
|
64
|
+
permit_record.role = Types::Role.new(permission['role'])
|
|
65
|
+
permit_record.role.admin = permission['grant_option']
|
|
66
|
+
permit_record.privilege = permission['privilege']
|
|
67
|
+
permit_record.resource = Types::Resource.new(permission['resource'])
|
|
68
|
+
facts.add_requested_permission permit_record
|
|
69
|
+
|
|
70
|
+
facts.add_existing_permission permission
|
|
71
71
|
end
|
|
72
72
|
end
|
|
73
|
+
|
|
74
|
+
facts.remove_revoked_permission record
|
|
75
|
+
|
|
76
|
+
facts.validate!
|
|
77
|
+
|
|
78
|
+
facts.grants_to_revoke.each do |grant|
|
|
79
|
+
role, privilege, resource = grant
|
|
80
|
+
deny = Conjur::DSL2::Types::Deny.new
|
|
81
|
+
deny.resource = resource_record resource
|
|
82
|
+
deny.privilege = privilege
|
|
83
|
+
deny.role = role_record(role)
|
|
84
|
+
action deny
|
|
85
|
+
end
|
|
73
86
|
end
|
|
74
87
|
end
|
|
75
88
|
end
|
data/lib/conjur/dsl2/resolver.rb
CHANGED
|
@@ -69,6 +69,8 @@ module Conjur
|
|
|
69
69
|
|
|
70
70
|
# Makes all ids absolute, by prepending the namespace (if any) and the enclosing policy (if any).
|
|
71
71
|
class IdResolver < Resolver
|
|
72
|
+
SUBSTITUTIONS = { "$namespace" => :namespace }
|
|
73
|
+
|
|
72
74
|
def resolve records
|
|
73
75
|
traverse records, Set.new, method(:resolve_id), method(:on_resolve_policy)
|
|
74
76
|
end
|
|
@@ -78,12 +80,16 @@ module Conjur
|
|
|
78
80
|
id = record.id
|
|
79
81
|
if id.blank?
|
|
80
82
|
raise "#{record.to_s} has no id, and no namespace is available to populate it" unless namespace
|
|
81
|
-
|
|
83
|
+
id = namespace
|
|
82
84
|
elsif id[0] == '/'
|
|
83
|
-
|
|
85
|
+
id = id[1..-1]
|
|
84
86
|
else
|
|
85
|
-
|
|
87
|
+
id = [ namespace, id ].compact.join('/')
|
|
86
88
|
end
|
|
89
|
+
|
|
90
|
+
substitute! id
|
|
91
|
+
|
|
92
|
+
record.id = id
|
|
87
93
|
end
|
|
88
94
|
|
|
89
95
|
traverse record.referenced_records, visited, method(:resolve_id), method(:on_resolve_policy)
|
|
@@ -96,6 +102,15 @@ module Conjur
|
|
|
96
102
|
ensure
|
|
97
103
|
@namespace = saved_namespace
|
|
98
104
|
end
|
|
105
|
+
|
|
106
|
+
protected
|
|
107
|
+
|
|
108
|
+
def substitute! id
|
|
109
|
+
SUBSTITUTIONS.each do |k,v|
|
|
110
|
+
next unless value = send(v)
|
|
111
|
+
id.gsub! k, value
|
|
112
|
+
end
|
|
113
|
+
end
|
|
99
114
|
end
|
|
100
115
|
|
|
101
116
|
# Sets the owner field for any records which support it, and don't have an owner specified.
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: conjur-asset-dsl2
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Kevin Gilpin
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-02-
|
|
11
|
+
date: 2016-02-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: safe_yaml
|
|
@@ -164,6 +164,20 @@ dependencies:
|
|
|
164
164
|
- - '>='
|
|
165
165
|
- !ruby/object:Gem::Version
|
|
166
166
|
version: '0'
|
|
167
|
+
- !ruby/object:Gem::Dependency
|
|
168
|
+
name: simplecov
|
|
169
|
+
requirement: !ruby/object:Gem::Requirement
|
|
170
|
+
requirements:
|
|
171
|
+
- - '>='
|
|
172
|
+
- !ruby/object:Gem::Version
|
|
173
|
+
version: '0'
|
|
174
|
+
type: :development
|
|
175
|
+
prerelease: false
|
|
176
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
177
|
+
requirements:
|
|
178
|
+
- - '>='
|
|
179
|
+
- !ruby/object:Gem::Version
|
|
180
|
+
version: '0'
|
|
167
181
|
description:
|
|
168
182
|
email:
|
|
169
183
|
- kgilpin@conjur.net
|
|
@@ -176,7 +190,7 @@ files:
|
|
|
176
190
|
- .project
|
|
177
191
|
- .rspec
|
|
178
192
|
- .travis.yml
|
|
179
|
-
- CHANGELOG
|
|
193
|
+
- CHANGELOG.md
|
|
180
194
|
- Gemfile
|
|
181
195
|
- LICENSE.txt
|
|
182
196
|
- README.md
|
|
@@ -205,6 +219,7 @@ files:
|
|
|
205
219
|
- lib/conjur/dsl2/plan.rb
|
|
206
220
|
- lib/conjur/dsl2/planner.rb
|
|
207
221
|
- lib/conjur/dsl2/planner/base.rb
|
|
222
|
+
- lib/conjur/dsl2/planner/facts.rb
|
|
208
223
|
- lib/conjur/dsl2/planner/grants.rb
|
|
209
224
|
- lib/conjur/dsl2/planner/permissions.rb
|
|
210
225
|
- lib/conjur/dsl2/planner/record.rb
|