conjur-policy-parser 0.12.0

data/lib/conjur/policy/types/deny.rb

@@ -0,0 +1,33 @@
+module Conjur::Policy::Types
+  class Deny < Base
+
+    self.description = %(
+Deny privilege(s) on a [Resource](#reference/resource) to a role.
+Once a privilege is denied, permission checks performed by the role
+will return `false`.
+
+If the role does not hold the privilege, this statement is a nop.
+
+See also: [Revoke](#reference/revoke) for [Roles](#reference/role)
+)
+
+    self.example = %(
+- !variable secret
+- !user rando
+- !deny
+    role: !user rando
+    privilege: read
+    resource: !variable secret
+)
+
+    attribute :role, kind: :role, dsl_accessor: true
+    attribute :privilege, kind: :string, dsl_accessor: true
+    attribute :resource, dsl_accessor: true
+        
+    include ResourceMemberDSL
+
+    def to_s
+      "Deny #{role} to '#{privilege}' #{resource}"
+    end
+  end
+end

data/lib/conjur/policy/types/give.rb

@@ -0,0 +1,28 @@
+module Conjur::Policy::Types
+  class Give < Base
+    attribute :resource, kind: :resource
+    attribute :owner, kind: :role
+
+    self.description = %(
+Give ownership of a resource to a [Role](#reference/role).
+    
+When the owner role performs a permission check on an owned resource, the
+result is always `true`.
+
+[More](/key_concepts/rbac.html) on role-based access control in Conjur.
+)
+
+    self.example = %(
+- !user Link
+- !secret song-of-storms
+
+- !give
+    resource: !secret song-of-storms
+    owner: !user Link
+)
+
+    def to_s
+      "Give #{resource} to #{owner}"
+    end
+  end
+end

data/lib/conjur/policy/types/grant.rb

@@ -0,0 +1,72 @@
+module Conjur::Policy::Types
+  class Grant < Base
+    attribute :role, dsl_accessor: true
+    attribute :member
+    attribute :replace, kind: :boolean, singular: true, dsl_accessor: true
+
+    include RoleMemberDSL
+    include AutomaticRoleDSL
+
+    self.description = %(
+Grant one [Role](#reference/role) to another. When role A is granted to role B, 
+then role B is said to "have" role A. The set of all memberships of role B
+will include A. The set of direct members of role A will include role B.
+    
+If the role is granted with `admin` option, then the grantee (role B),
+in addition to having the role, can also grant and revoke the role
+to other roles.
+
+The only limitation on role grants is that there may never be a cycle 
+in the role graph. For example, if role A is granted to role B, then role B
+cannot be granted to role A.
+
+Several types of Conjur records are roles. For example, Users, Groups,
+Hosts and Layers are all roles. This means they can be granted to and 
+revoked from each other. For example, when a Group is granted to a User, 
+the User gains all the privileges of the Group. (Note: "Adding" a User to 
+a Group is just another way to say that the Group role is granted to the User).
+
+Some `grant` operations have additional semantics beyond the role grant:
+    
+* When a Layer is granted to a Host, the automatic roles on the Layer are granted
+    privileges on the Host. Specifically, the `observe` role is given `read` privilege,
+    `use_host` is given `execute`, and `admin_host` is given `update`. The `admin`
+    option is ignored.
+
+[More](/key_concepts/rbac.html) on role-based access control in Conjur.
+    
+See also: [Permit](#reference/permit) for [Resources](#reference/resource)
+)
+
+    self.example = %(
+- !user Link
+- !user Navi
+
+- !grant
+    role: !user Navi
+    member: !user Link
+)
+
+    def to_s
+      role_str   = if role.kind_of?(Array)
+        role.join(', ')
+      else
+        role
+      end
+      member_str = if member.kind_of?(Array)
+        member.map(&:role).join(', ')
+      elsif member 
+        member.role
+      end
+      admin = Array(member).map do |member|
+        member && member.admin
+      end
+      admin_str = if Array(member).count == admin.select{|admin| admin}.count
+        " with admin option"
+      elsif admin.any?
+        " with admin options: #{admin.join(', ')}"
+      end
+      %Q(Grant #{role_str} to #{member_str}#{replace ? ' with replacement ' : ''}#{admin_str})
+    end
+  end
+end

data/lib/conjur/policy/types/include.rb

@@ -0,0 +1,46 @@
+module Conjur::Policy::Types
+  # Include another policy into the policy.
+  class Include < Base
+    attribute :file, kind: :string, type: String, singular: true, dsl_accessor: true
+
+    self.description = %(
+Includes the contents of another policy file.
+
+By using this feature, policies for an entire organization can be
+defined in one source repository, and then unified by a top-level
+"Conjurfile".
+
+Attributes:
+
+* **file** path to the included policy file, relative to the including policy file.
+    This is the default attribute, so it can be specified in shorthand form as:
+    `- !include the-policy.yml`
+
+Included policies inherit the namespace and owner of the enclosing
+context. To include a policy with a different namespace and owner,
+first define an enclosing policy record with the following attributes:
+    
+* **id** the name which is appended to the current namespace
+* **owner** the desired owner
+    
+Then, within the body of that policy, include the additional 
+policy files.
+)
+
+    self.example = %(
+- !include groups.yml
+    
+- !policy
+  id: ops
+  owner: !group operations
+  body:
+  - !include jenkins-master.yml
+  - !include ansible.yml
+  - !include openvpn.yml
+)
+    
+    def id= value
+      self.file = value
+    end
+  end
+end

data/lib/conjur/policy/types/member.rb

@@ -0,0 +1,37 @@
+module Conjur::Policy::Types
+  class Member < Base
+    def initialize role = nil
+      self.role = role
+    end
+
+    attribute :role
+    attribute :admin, kind: :boolean, singular: true
+
+    self.description = %(
+Designate the members of a [Role](#reference/role) such as a [Group](#reference/group).
+    
+The member indicates the "grantee" (which role will gain the role grant), as well as the
+`admin` option which determines whether the grantee can grant/revoke the role to other roles.
+
+The default value for `admin` is `false`.
+)
+
+    self.example = %(
+- !user dee
+- !user dum
+- !group brothers
+
+- !grant
+  role: !group brothers
+  members:
+  - !user dee
+  - !member dum
+      role: !user dum
+      admin: true
+)
+
+    def to_s
+      "#{role} #{admin ? 'with' : 'without'} admin option"
+    end
+  end
+end

data/lib/conjur/policy/types/permit.rb

@@ -0,0 +1,59 @@
+module Conjur
+  module Policy
+    module Types
+      class Permit < Base
+        attribute :role, kind: :member
+        attribute :privilege, kind: :string, dsl_accessor: true
+        attribute :resource, dsl_accessor: true
+        attribute :replace, kind: :boolean, singular: true, dsl_accessor: true
+
+        self.description = %(
+Give permissions on a [Resource](#reference/resource) to a [Role](#reference/role). 
+
+Once a privilege is given, permission checks performed by the role
+will return `true`.
+
+Note that permissions are not "inherited" in the same way that roles are.
+If role A is granted to role B, then role B "inherits" all the privileges held 
+by role A. If role A can `execute` a variable, then role B can as well.
+The privileges on each resource are distinct, regardless of how they are named.
+If role A has `execute` privilege on a resource called `dev`, the role does **not**
+gain any privileges on a resource called `dev/password`. Role-based access control
+is explicit in this way to avoid unintendend side-effects from the way that 
+resources are named.
+        
+[More](/key_concepts/rbac.html) on role-based access control in Conjur.
+        
+See also: [Deny](#reference/deny)
+)
+
+        self.example = %(
+- !variable answer
+- !user deep_thought
+
+- !permit
+    role: !user deep_thought
+    privileges: [ read, execute, update ]
+    resource: !variable answer
+)
+        
+        include ResourceMemberDSL
+        
+        def initialize privilege = nil
+          self.privilege = privilege
+        end
+        
+        def to_s
+          if Array === role
+            role_string = role.map &:role
+            admin = false
+          else
+            role_string = role.role
+            admin = role.admin
+          end
+          "Permit #{role_string} to [#{Array(privilege).join(', ')}] on #{Array(resource).join(', ')}#{admin ? ' with grant option' : ''}"
+        end
+      end
+    end
+  end
+end

data/lib/conjur/policy/types/policy.rb

@@ -0,0 +1,180 @@
+module Conjur
+  module Policy
+    module Types
+      class YAMLList < Array
+        def tag
+          [ "!", self.class.name.split("::")[-1].underscore ].join
+        end
+
+        def encode_with coder
+          coder.represent_seq tag, self
+        end
+      end
+
+      module Tagless
+        def tag; nil; end
+      end
+
+      module CustomStatement
+        def custom_statement handler, &block
+          record = yield
+          class << record
+            include RecordReferenceFactory
+          end
+          push record
+          do_scope record, &handler
+        end
+      end
+
+      module Grants
+        include CustomStatement
+
+        def grant &block
+          custom_statement(block) do
+            Conjur::Policy::Types::Grant.new
+          end
+        end
+
+        def revoke &block
+          custom_statement(block) do
+            Conjur::Policy::Types::Revoke.new
+          end
+        end
+      end
+
+      module Permissions
+        include CustomStatement
+
+        def permit privilege, &block
+          custom_statement(block) do
+            Conjur::Policy::Types::Permit.new(privilege)
+          end
+        end
+
+        def give &block
+          custom_statement(block) do
+            Conjur::Policy::Types::Give.new
+          end
+        end
+
+        def retire &block
+          custom_statement(block) do
+            Conjur::Policy::Types::Retire.new
+          end
+        end
+      end
+
+      # Entitlements will allow creation of any record, as well as declaration
+      # of permit, deny, grant and revoke.
+      class Entitlements < YAMLList
+        include Tagless
+        include Grants
+        include Permissions
+
+        def policy id=nil, &block
+          policy = Policy.new
+          policy.id(id) unless id.nil?
+          push policy
+
+          do_scope policy, &block
+        end
+      end
+
+      class Body < YAMLList
+        include Grants
+        include Permissions
+      end
+
+      # Policy includes the functionality of Entitlements, wrapped in a
+      # policy role, policy resource, policy id and policy version.
+      class Policy < Record
+        include ActsAsResource
+        include ActsAsRole
+
+        self.description = %(
+Create a policy. A policy is composed of the following:
+        
+* **id** A unique id, which can be prefixed by a `namespace`.
+* **body** A set of records such as variables, groups and layers which are "owned" by the policy.
+        
+Under the hood, a Policy is actually a role *and* a resource.
+The role is a role whose kind is "policy", and it has the specified `id`. By default
+the policy role is granted, with `admin` option, to the `--as-group` or `--as-role` option which is specified
+when the policy is loaded. The policy resource is a resource whose kind is "policy", and
+whose owner is the policy role.
+        
+All the records declared in the `body` of the policy are also owned by the policy role
+by default. As a result, the role specified by `--as-group` or `--as-role` has full
+ownership and management of everything defined in the policy.
+
+Policies should be self-contained; they should not generally make any reference to 
+records from outside the policy. This way, the policy can be loaded with different
+`--as-group`, `--as-role`, and `--namespace` options to serve different functions in the workflow.
+For example, if a policy is loaded into the `dev` namespace with `--as-group dev-admin`, 
+then a "dev" version of the policy is created with full management assigned to the `dev-admin` group.
+
+[See above](#example) for an example of a complete policy.
+)
+
+        self.example = %(
+- !policy
+    id: example/v1
+    body:
+    - &secrets
+      - !variable secret
+        
+    - !layer
+        
+    - !grant
+        role: !layer
+        permissions: [ read, execute ]
+        resources: *secrets
+)
+
+        def role
+          raise "account is nil" unless account
+          @role ||= Role.new("#{account}:policy:#{id}").tap do |role|
+            role.owner = Role.new(owner.roleid)
+          end
+        end
+
+        def resource
+          raise "account is nil" unless account
+          @resource ||= Resource.new("#{account}:policy:#{id}").tap do |resource|
+            resource.owner = Role.new(role.roleid)
+          end
+        end
+
+        # Body is handled specially.
+        def referenced_records
+          super - Array(@body)
+        end
+
+        def body &block
+          if block_given?
+            singleton :body, lambda { Body.new }, &block
+          end
+          @body
+        end
+
+        def body= body
+          @body = body
+        end
+
+        protected
+
+        def singleton id, factory, &block
+          object = instance_variable_get("@#{id}")
+          unless object
+            object = factory.call
+            class << object
+              include Tagless
+            end
+            instance_variable_set("@#{id}", object)
+          end
+          do_scope object, &block
+        end
+      end
+    end
+  end
+end