conjur-asset-policy 0.11.0 → 0.12.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/conjur/policy/executor.rb +2 -1
- data/lib/conjur/policy/planner/facts.rb +1 -1
- data/lib/conjur/policy/resolver.rb +37 -20
- data/lib/conjur/policy/types/grant.rb +1 -1
- data/lib/conjur-asset-policy-version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 732a8fcb5a23935b82fc07265db3be863089812c
|
|
4
|
+
data.tar.gz: 784b0e8d3b8046139505bd22e2b7391c3834e77a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bd97981df95275d082423425b57a31d298d101350f5660c7bb0172907848fec16028c50bc86d432e6770bd4b114f3fd3630df8d753fd17faff40b548af742877
|
|
7
|
+
data.tar.gz: debefb8562d2cea4420b78b268e78732574046db85fd5b01039eb4f4cce79b4fa82ae1930f358761f4e84ae268e87f9fc0f2dc4f4b584a17c86858f73378b9e9
|
data/CHANGELOG.md
CHANGED
|
@@ -54,8 +54,9 @@ module Conjur
|
|
|
54
54
|
def execute actions
|
|
55
55
|
require 'net/https'
|
|
56
56
|
uri = URI.parse(Conjur.configuration.appliance_url)
|
|
57
|
+
use_ssl = uri.scheme == 'https'
|
|
57
58
|
@base_path = uri.path
|
|
58
|
-
Net::HTTP.start uri.host, uri.port, use_ssl:
|
|
59
|
+
Net::HTTP.start uri.host, uri.port, use_ssl: use_ssl do |http|
|
|
59
60
|
@http = http
|
|
60
61
|
actions.each do |step|
|
|
61
62
|
invoke step
|
|
@@ -106,7 +106,7 @@ module Conjur
|
|
|
106
106
|
end
|
|
107
107
|
end
|
|
108
108
|
|
|
109
|
-
# Add a Conjur::API::
|
|
109
|
+
# Add a Conjur::API::Role grant that is already held.
|
|
110
110
|
def add_existing_grant role, grant
|
|
111
111
|
existing.add [ role.roleid, grant.member.roleid ]
|
|
112
112
|
existing_with_admin_flag.add [ role.roleid, grant.member.roleid, grant.admin_option ]
|
|
@@ -6,7 +6,7 @@ module Conjur
|
|
|
6
6
|
class << self
|
|
7
7
|
# Resolve records to the specified owner id and namespace.
|
|
8
8
|
def resolve records, account, ownerid, namespace = nil
|
|
9
|
-
resolver_classes = [ AccountResolver,
|
|
9
|
+
resolver_classes = [ AccountResolver, IdSubstitutionResolver, AnnotationSubstitutionResolver, OwnerResolver, FlattenResolver, DuplicateResolver ]
|
|
10
10
|
resolver_classes.each do |cls|
|
|
11
11
|
resolver = cls.new account, ownerid, namespace
|
|
12
12
|
records = resolver.resolve records
|
|
@@ -67,15 +67,35 @@ module Conjur
|
|
|
67
67
|
end
|
|
68
68
|
end
|
|
69
69
|
|
|
70
|
-
|
|
71
|
-
class IdResolver < Resolver
|
|
70
|
+
class SubstitutionResolver < Resolver
|
|
72
71
|
SUBSTITUTIONS = { "$namespace" => :namespace }
|
|
73
|
-
|
|
72
|
+
|
|
74
73
|
def resolve records
|
|
75
|
-
traverse records, Set.new, method(:
|
|
74
|
+
traverse records, Set.new, method(:resolve_field), method(:on_resolve_policy)
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
protected
|
|
78
|
+
|
|
79
|
+
def substitute! id
|
|
80
|
+
SUBSTITUTIONS.each do |k,v|
|
|
81
|
+
next unless value = send(v)
|
|
82
|
+
id.gsub! k, value
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
def on_resolve_policy policy, visited
|
|
87
|
+
saved_namespace = @namespace
|
|
88
|
+
@namespace = policy.id
|
|
89
|
+
traverse policy.body, visited, method(:resolve_field), method(:on_resolve_policy)
|
|
90
|
+
ensure
|
|
91
|
+
@namespace = saved_namespace
|
|
76
92
|
end
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
# Makes all ids absolute, by prepending the namespace (if any) and the enclosing policy (if any).
|
|
96
|
+
class IdSubstitutionResolver < SubstitutionResolver
|
|
77
97
|
|
|
78
|
-
def
|
|
98
|
+
def resolve_field record, visited
|
|
79
99
|
if record.respond_to?(:id) && record.respond_to?(:id=)
|
|
80
100
|
id = record.id
|
|
81
101
|
if id.blank?
|
|
@@ -96,15 +116,7 @@ module Conjur
|
|
|
96
116
|
record.id = id
|
|
97
117
|
end
|
|
98
118
|
|
|
99
|
-
traverse record.referenced_records, visited, method(:
|
|
100
|
-
end
|
|
101
|
-
|
|
102
|
-
def on_resolve_policy policy, visited
|
|
103
|
-
saved_namespace = @namespace
|
|
104
|
-
@namespace = policy.id
|
|
105
|
-
traverse policy.body, visited, method(:resolve_id), method(:on_resolve_policy)
|
|
106
|
-
ensure
|
|
107
|
-
@namespace = saved_namespace
|
|
119
|
+
traverse record.referenced_records, visited, method(:resolve_field), method(:on_resolve_policy)
|
|
108
120
|
end
|
|
109
121
|
|
|
110
122
|
protected
|
|
@@ -112,12 +124,17 @@ module Conjur
|
|
|
112
124
|
def user_namespace
|
|
113
125
|
namespace.gsub('/', '-') if namespace
|
|
114
126
|
end
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
127
|
+
end
|
|
128
|
+
|
|
129
|
+
class AnnotationSubstitutionResolver < SubstitutionResolver
|
|
130
|
+
def resolve_field record, visited
|
|
131
|
+
if record.respond_to?(:annotations) && (annotations = record.annotations)
|
|
132
|
+
annotations.each do |k,v|
|
|
133
|
+
substitute! v
|
|
134
|
+
end
|
|
120
135
|
end
|
|
136
|
+
|
|
137
|
+
traverse record.referenced_records, visited, method(:resolve_field), method(:on_resolve_policy)
|
|
121
138
|
end
|
|
122
139
|
end
|
|
123
140
|
|
|
@@ -60,7 +60,7 @@ See also: [Permit](#reference/permit) for [Resources](#reference/resource)
|
|
|
60
60
|
then member.map(&:admin).all?
|
|
61
61
|
else member.admin
|
|
62
62
|
end
|
|
63
|
-
"Grant #{role_str} to #{member_str}#{replace ? '
|
|
63
|
+
"Grant #{role_str} to #{member_str}#{replace ? ' with replacement ' : ''}#{admin ? ' with admin option' : ''}"
|
|
64
64
|
end
|
|
65
65
|
end
|
|
66
66
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: conjur-asset-policy
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.12.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Kevin Gilpin
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-06-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: safe_yaml
|