conjur-asset-policy 0.7.1 → 0.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/bin/console +1 -1
- data/lib/conjur/command/policy.rb +6 -19
- data/lib/conjur/policy/types/policy.rb +24 -23
- data/lib/conjur-asset-policy-version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a58e3e9c9b42f19ae3269559eb53c9416f735c90
|
|
4
|
+
data.tar.gz: 13ecf6c9c65fa0a96952db6fe0cc737fb3822896
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5a74c38f536f5b93ef8c78296cfb034c13c347ceed6db3870de289ad6f78bdf2254acb35d83a6a202f7a72011d8bedba07f4307b5d8914fcdf4c148fb55ac3ba
|
|
7
|
+
data.tar.gz: 692dd195bd990bbb94c32003a34469d22167d6c972a1918dc83f211fcca7f6347cfc2024cd0ec36d371fc3529f232537bccfcc8ffc189e931971c4208eed730b
|
data/CHANGELOG.md
CHANGED
data/bin/console
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
#!/usr/bin/env ruby
|
|
2
2
|
|
|
3
3
|
require "bundler/setup"
|
|
4
|
-
require "conjur-asset-
|
|
4
|
+
require "conjur-asset-policy"
|
|
5
5
|
|
|
6
6
|
# You can add fixtures and/or initialization code here to make experimenting
|
|
7
7
|
# with your gem easier. You can also use a different console, if you like.
|
|
@@ -21,9 +21,9 @@
|
|
|
21
21
|
require 'conjur-asset-policy'
|
|
22
22
|
|
|
23
23
|
class Conjur::Command::Policy < Conjur::DSLCommand
|
|
24
|
-
def self.load filename
|
|
24
|
+
def self.load filename
|
|
25
25
|
script = script_from_filename filename
|
|
26
|
-
loader
|
|
26
|
+
loader.load script, filename
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
def self.script_from_filename filename
|
|
@@ -45,19 +45,8 @@ class Conjur::Command::Policy < Conjur::DSLCommand
|
|
|
45
45
|
end
|
|
46
46
|
end
|
|
47
47
|
|
|
48
|
-
def self.loader
|
|
49
|
-
|
|
50
|
-
filename =~ /\.([^.]+)$/
|
|
51
|
-
syntax = $1
|
|
52
|
-
end
|
|
53
|
-
raise "No syntax provided or detected" unless syntax
|
|
54
|
-
syntax = case syntax
|
|
55
|
-
when 'yaml', 'yml'
|
|
56
|
-
'YAML'
|
|
57
|
-
when 'rb', 'ruby'
|
|
58
|
-
'Ruby'
|
|
59
|
-
end
|
|
60
|
-
mod = Conjur::Policy.const_get syntax
|
|
48
|
+
def self.loader
|
|
49
|
+
mod = Conjur::Policy.const_get 'YAML'
|
|
61
50
|
mod.const_get "Loader"
|
|
62
51
|
end
|
|
63
52
|
|
|
@@ -136,9 +125,6 @@ command. Therefore, a policy can be loaded in three steps, if desired:
|
|
|
136
125
|
c.desc "Policy namespace (optional)"
|
|
137
126
|
c.flag [:namespace]
|
|
138
127
|
|
|
139
|
-
c.desc "Syntax (ruby or YAML, will be auto-detected from file extension)"
|
|
140
|
-
c.flag [:syntax]
|
|
141
|
-
|
|
142
128
|
c.desc "Print the actions that would be performed"
|
|
143
129
|
c.switch [:"dry-run"]
|
|
144
130
|
|
|
@@ -156,7 +142,7 @@ command. Therefore, a policy can be loaded in three steps, if desired:
|
|
|
156
142
|
Conjur.log = "stderr"
|
|
157
143
|
|
|
158
144
|
filename = args.pop
|
|
159
|
-
records = load filename
|
|
145
|
+
records = load filename
|
|
160
146
|
|
|
161
147
|
ownerid = options[:ownerid]
|
|
162
148
|
unless ownerid
|
|
@@ -179,6 +165,7 @@ command. Therefore, a policy can be loaded in three steps, if desired:
|
|
|
179
165
|
puts plan.actions.to_yaml
|
|
180
166
|
end
|
|
181
167
|
else
|
|
168
|
+
$stderr.puts plan.actions.map(&:to_s)
|
|
182
169
|
context = execute api, plan.actions
|
|
183
170
|
|
|
184
171
|
if options[:context]
|
|
@@ -5,16 +5,16 @@ module Conjur
|
|
|
5
5
|
def tag
|
|
6
6
|
[ "!", self.class.name.split("::")[-1].underscore ].join
|
|
7
7
|
end
|
|
8
|
-
|
|
8
|
+
|
|
9
9
|
def encode_with coder
|
|
10
10
|
coder.represent_seq tag, self
|
|
11
11
|
end
|
|
12
12
|
end
|
|
13
|
-
|
|
13
|
+
|
|
14
14
|
module Tagless
|
|
15
15
|
def tag; nil; end
|
|
16
16
|
end
|
|
17
|
-
|
|
17
|
+
|
|
18
18
|
module CustomStatement
|
|
19
19
|
def custom_statement handler, &block
|
|
20
20
|
record = yield
|
|
@@ -25,67 +25,67 @@ module Conjur
|
|
|
25
25
|
do_scope record, &handler
|
|
26
26
|
end
|
|
27
27
|
end
|
|
28
|
-
|
|
28
|
+
|
|
29
29
|
module Grants
|
|
30
30
|
include CustomStatement
|
|
31
|
-
|
|
31
|
+
|
|
32
32
|
def grant &block
|
|
33
33
|
custom_statement(block) do
|
|
34
34
|
Conjur::Policy::Types::Grant.new
|
|
35
35
|
end
|
|
36
36
|
end
|
|
37
|
-
|
|
37
|
+
|
|
38
38
|
def revoke &block
|
|
39
39
|
custom_statement(block) do
|
|
40
40
|
Conjur::Policy::Types::Revoke.new
|
|
41
41
|
end
|
|
42
42
|
end
|
|
43
43
|
end
|
|
44
|
-
|
|
44
|
+
|
|
45
45
|
module Permissions
|
|
46
46
|
include CustomStatement
|
|
47
|
-
|
|
47
|
+
|
|
48
48
|
def permit privilege, &block
|
|
49
49
|
custom_statement(block) do
|
|
50
50
|
Conjur::Policy::Types::Permit.new(privilege)
|
|
51
51
|
end
|
|
52
52
|
end
|
|
53
|
-
|
|
53
|
+
|
|
54
54
|
def give &block
|
|
55
55
|
custom_statement(block) do
|
|
56
56
|
Conjur::Policy::Types::Give.new
|
|
57
57
|
end
|
|
58
58
|
end
|
|
59
|
-
|
|
59
|
+
|
|
60
60
|
def retire &block
|
|
61
61
|
custom_statement(block) do
|
|
62
62
|
Conjur::Policy::Types::Retire.new
|
|
63
63
|
end
|
|
64
64
|
end
|
|
65
65
|
end
|
|
66
|
-
|
|
66
|
+
|
|
67
67
|
# Entitlements will allow creation of any record, as well as declaration
|
|
68
68
|
# of permit, deny, grant and revoke.
|
|
69
69
|
class Entitlements < YAMLList
|
|
70
70
|
include Tagless
|
|
71
71
|
include Grants
|
|
72
72
|
include Permissions
|
|
73
|
-
|
|
73
|
+
|
|
74
74
|
def policy id=nil, &block
|
|
75
75
|
policy = Policy.new
|
|
76
76
|
policy.id(id) unless id.nil?
|
|
77
77
|
push policy
|
|
78
|
-
|
|
78
|
+
|
|
79
79
|
do_scope policy, &block
|
|
80
80
|
end
|
|
81
81
|
end
|
|
82
|
-
|
|
82
|
+
|
|
83
83
|
class Body < YAMLList
|
|
84
84
|
include Grants
|
|
85
85
|
include Permissions
|
|
86
86
|
end
|
|
87
|
-
|
|
88
|
-
# Policy includes the functionality of Entitlements, wrapped in a
|
|
87
|
+
|
|
88
|
+
# Policy includes the functionality of Entitlements, wrapped in a
|
|
89
89
|
# policy role, policy resource, policy id and policy version.
|
|
90
90
|
class Policy < Record
|
|
91
91
|
include ActsAsResource
|
|
@@ -100,7 +100,8 @@ Create a versioned policy.
|
|
|
100
100
|
self.example = %(
|
|
101
101
|
- !user operator
|
|
102
102
|
|
|
103
|
-
- !policy
|
|
103
|
+
- !policy
|
|
104
|
+
id: example/v1
|
|
104
105
|
owner: !user operator
|
|
105
106
|
body:
|
|
106
107
|
- !variable secret
|
|
@@ -109,7 +110,7 @@ Create a versioned policy.
|
|
|
109
110
|
permissions: [ read, execute, update ]
|
|
110
111
|
resource: !variable secret
|
|
111
112
|
)
|
|
112
|
-
|
|
113
|
+
|
|
113
114
|
def role
|
|
114
115
|
raise "account is nil" unless account
|
|
115
116
|
@role ||= Role.new("#{account}:policy:#{id}").tap do |role|
|
|
@@ -123,25 +124,25 @@ Create a versioned policy.
|
|
|
123
124
|
resource.owner = Role.new(role.roleid)
|
|
124
125
|
end
|
|
125
126
|
end
|
|
126
|
-
|
|
127
|
+
|
|
127
128
|
# Body is handled specially.
|
|
128
129
|
def referenced_records
|
|
129
130
|
super - Array(@body)
|
|
130
131
|
end
|
|
131
|
-
|
|
132
|
+
|
|
132
133
|
def body &block
|
|
133
134
|
if block_given?
|
|
134
135
|
singleton :body, lambda { Body.new }, &block
|
|
135
136
|
end
|
|
136
137
|
@body
|
|
137
138
|
end
|
|
138
|
-
|
|
139
|
+
|
|
139
140
|
def body= body
|
|
140
141
|
@body = body
|
|
141
142
|
end
|
|
142
|
-
|
|
143
|
+
|
|
143
144
|
protected
|
|
144
|
-
|
|
145
|
+
|
|
145
146
|
def singleton id, factory, &block
|
|
146
147
|
object = instance_variable_get("@#{id}")
|
|
147
148
|
unless object
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: conjur-asset-policy
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Kevin Gilpin
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-04-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: safe_yaml
|