conjur-asset-policy 0.8.2 → 0.8.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 50a925ab9c0b3cc1cf364562a47febdbdd5c01c6
-  data.tar.gz: f3e862f395e06ac573208673946f00ea77104731
+  metadata.gz: 7d3f421be05da2eced0b95bfa1028a1a3e01695f
+  data.tar.gz: 73121a9f79529fae31f28c8f7ed08842b8481bd8
 SHA512:
-  metadata.gz: 93a51bd70d02dd5f461ceb0fd0b5c1d03d37241fa509bcfbfafa92fca217e4bd88fdb8cca5d2f9e86d3c1a91b62331824046ce8845ea7929980e18b9e12b5f5c
-  data.tar.gz: aba8fcc0f6110fa8319648ac929bb3d6acfb196d85ef8e5f0591817a2ddc4bb9e622777072a59142f496c674bf31f71e3cfadfb3dcc2d07d6eb1b62f6db48896
+  metadata.gz: 857b7d9be7f6a76d6721b51c8a479fb78ad125efbbf76ade98d10671e6b7cfc561c4b39a5dc5466b0801a482aed09c2feab439cff839532565a89e7d56a2e7f7
+  data.tar.gz: 1208b5fefe05b10c7d7c7b212f76cbda8344eaaf141b9c3d62181720db172a8056bc18f15b8122b8a7cdbbdd7ec4532afac6faa63678dc5387d52a479c04e7f8

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 0.8.3
+
+* When re-loading a policy, properly apply `--as-group` and `--as-role` by changing the ownership of top-level records as needed.
+
 # 0.8.2
 
 * When user is created with a namespace, form an id that looks like an email address with the namespace as the domain.

data/lib/conjur-asset-policy-version.rb

@@ -1,7 +1,7 @@
 module Conjur
   module Asset
     module Policy
-      VERSION = "0.8.2"
+      VERSION = "0.8.3"
     end
   end
 end

data/lib/conjur-asset-policy.rb

@@ -12,6 +12,9 @@ module Conjur
 end
   
 require 'rest-client'
+
+require 'conjur/api/patches/role'
+
 require 'conjur/policy/logger'
 require 'conjur/policy/invalid'
 require 'conjur/policy/types/base'

data/lib/conjur/api/patches/role.rb

@@ -0,0 +1,14 @@
+require 'conjur/api'
+
+class Conjur::Role
+  # This role can admin the target +role+ if this role has a role which is an admin member of
+  # +role+. This determination is made by expanding all roles of +self+, then doing the set 
+  # intersection with the direct members of +role+, and looking for an overlapping member that
+  # has +admin_option+.
+  def can_admin_role? role
+    return true if self.roleid == role.roleid
+    
+    memberships = self.memberships.map(&:roleid)
+    role.members.any?{|m| memberships.include?(m.member.roleid) && m.admin_option}
+  end
+end

data/lib/conjur/policy/planner/base.rb

@@ -90,6 +90,8 @@ module Conjur
         end
 
         def update_record
+          log { "Updating #{record}" }
+          
           update = Conjur::Policy::Types::Update.new
           update.record = record
 
@@ -106,6 +108,7 @@ module Conjur
                 record.send "#{attr}=", nil
               else
                 raise "Cannot modify immutable attribute '#{record.resource_kind}.#{attr}'" if record.immutable_attribute_names.member?(attr)
+                log { "Attribute #{attr} will be updated" }
                 changed = true
               end
             end
@@ -120,24 +123,33 @@ module Conjur
               if new_value == existing_value
                 record.annotations.delete attr
               else
+                log { "Annotation #{attr} will be updated" }
                 changed = true
               end
             end
             
+            log { "Record owner is #{record.owner.roleid}" }
+            log { "Resource owner is #{resource.owner}" }
             if record.owner && resource.owner != record.owner.roleid
+              log { "Resource owner will be changed to #{record.owner.roleid}" }
+
               give = Conjur::Policy::Types::Give.new
               give.resource = Conjur::Policy::Types::Resource.new(record.resourceid)
               give.owner = Conjur::Policy::Types::Role.new(record.owner.roleid)
               action give
-              
-              if record.role?
-                grant = Conjur::Policy::Types::Grant.new
-                grant.role = Conjur::Policy::Types::Role.new(record.roleid)
-                grant.member = Conjur::Policy::Types::Member.new
-                grant.member.role = Conjur::Policy::Types::Role.new(record.owner.roleid)
-                grant.member.admin = true
-                action grant
-              end
+            end
+          end
+
+          if record.role?
+            unless api.role(record.owner.roleid).can_admin_role?(role)
+              log { "Role will be granted to #{record.owner.roleid} with admin option" }
+  
+              grant = Conjur::Policy::Types::Grant.new
+              grant.role = Conjur::Policy::Types::Role.new(record.roleid)
+              grant.member = Conjur::Policy::Types::Member.new
+              grant.member.role = Conjur::Policy::Types::Role.new(record.owner.roleid)
+              grant.member.admin = true
+              action grant
             end
           end
           
@@ -145,6 +157,8 @@ module Conjur
         end
         
         def create_record
+          log { "Creating #{record}" }
+
           create = Conjur::Policy::Types::Create.new
           create.record = record
           

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: conjur-asset-policy
 version: !ruby/object:Gem::Version
-  version: 0.8.2
+  version: 0.8.3
 platform: ruby
 authors:
 - Kevin Gilpin
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-04-12 00:00:00.000000000 Z
+date: 2016-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: safe_yaml
@@ -188,6 +188,7 @@ files:
 - jenkins.sh
 - lib/conjur-asset-policy-version.rb
 - lib/conjur-asset-policy.rb
+- lib/conjur/api/patches/role.rb
 - lib/conjur/command/policy.rb
 - lib/conjur/policy/doc.rb
 - lib/conjur/policy/executor.rb