conjur-policy-parser 0.12.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d09622031d68f8262a298eeec435416ad158d842
+  data.tar.gz: cadd61e2c1d4ba6f4d2737b44282cbd07c5ac3b4
+SHA512:
+  metadata.gz: a58c0b1ad5c21aaf99b3501526d4496cbe410b4d6bc5dea3f353bd9808c3fbf5486360eef6541bff6e1c9c6ac0346b0a2281269210c555118e2905e7b966aaac
+  data.tar.gz: 5467b4b25b748ac3096184af3ee3c744de875e3e5ced0f31b5c7ac2b1e2df9e049acb5070c62a292848042e4c575633764736f1b02340c25e1f193f0f1cce290

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.project

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>conjur-policy-parser</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>com.aptana.ide.core.unifiedBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>com.aptana.ruby.core.rubynature</nature>
+		<nature>com.aptana.projects.webnature</nature>
+	</natures>
+</projectDescription>

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.2.4
+before_install: gem install bundler -v 1.11.2

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in conjur-policy-parser.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Kevin Gilpin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,41 @@
+# Conjur::Policy::Parser
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/conjur/policy/parser`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'conjur-policy-parser'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install conjur-policy-parser
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/conjur-policy-parser.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require 'ci/reporter/rake/rspec'
+
+RSpec::Core::RakeTask.new :spec
+
+task :jenkins => ['ci:setup:rspec', :spec] do
+end
+
+task default: [:spec]

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "conjur/policy/parser"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/ci/test.sh

@@ -0,0 +1,6 @@
+#!/bin/bash -ex
+
+cd /src/conjur-policy-parser
+bundle
+
+bundle exec rake jenkins || true

data/conjur-policy-parser.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'conjur-policy-parser-version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "conjur-policy-parser"
+  spec.version       = Conjur::Policy::Parser::VERSION
+  spec.authors       = ["Kevin Gilpin"]
+  spec.email         = ["kgilpin@gmail.com"]
+
+  spec.summary       = %q{Parse the Conjur policy YAML format.}
+  spec.homepage      = "https://github.com/conjurinc/conjur-policy-parser"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "safe_yaml"
+  spec.add_dependency "activesupport", "~> 4.2"
+
+  spec.add_development_dependency "bundler", "~> 1.11"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rspec-expectations"
+  spec.add_development_dependency "ci_reporter_rspec"
+  spec.add_development_dependency "simplecov"
+  spec.add_development_dependency "pry"
+end

data/jenkins.sh

@@ -0,0 +1,27 @@
+#!/bin/bash -ex
+
+CONJUR_VERSION=${CONJUR_VERSION:-"4.8"}
+DOCKER_IMAGE=${DOCKER_IMAGE:-"registry.tld/conjur-appliance-cuke-master:$CONJUR_VERSION-stable"}
+NOKILL=${NOKILL:-"0"}
+PULL=${PULL:-"1"}
+
+if [ -z "$CONJUR_CONTAINER" ]; then
+	if [ "$PULL" == "1" ]; then
+	    docker pull $DOCKER_IMAGE
+	fi
+	
+	cid=$(docker run --privileged -d -v ${PWD}:/src/conjur-policy-parser $DOCKER_IMAGE)
+	function finish {
+    	if [ "$NOKILL" != "1" ]; then
+			docker rm -f ${cid}
+		fi
+	}
+	trap finish EXIT
+	
+	>&2 echo "Container id:"
+	>&2 echo $cid
+else
+	cid=${CONJUR_CONTAINER}
+fi
+
+docker exec -i ${cid} /src/conjur-policy-parser/ci/test.sh

data/lib/conjur-policy-parser-version.rb

@@ -0,0 +1,7 @@
+module Conjur
+  module Policy
+    module Parser
+      VERSION = "0.12.0"
+    end
+  end
+end

data/lib/conjur-policy-parser.rb

@@ -0,0 +1,32 @@
+require 'conjur-policy-parser-version'
+require 'yaml'
+require 'safe_yaml'
+require 'active_support'
+require 'active_support/core_ext'
+SafeYAML::OPTIONS[:default_mode] = :safe
+SafeYAML::OPTIONS[:deserialize_symbols] = false
+   
+module Conjur
+  module Policy
+  end
+end
+  
+require 'conjur/policy/logger'
+require 'conjur/policy/invalid'
+require 'conjur/policy/types/base'
+require 'conjur/policy/types/include'
+require 'conjur/policy/types/records'
+require 'conjur/policy/types/member'
+require 'conjur/policy/types/grant'
+require 'conjur/policy/types/revoke'
+require 'conjur/policy/types/permit'
+require 'conjur/policy/types/deny'
+require 'conjur/policy/types/create'
+require 'conjur/policy/types/give'
+require 'conjur/policy/types/retire'
+require 'conjur/policy/types/update'
+require 'conjur/policy/types/policy'
+require 'conjur/policy/yaml/handler'
+require 'conjur/policy/yaml/loader'
+require 'conjur/policy/resolver'
+require 'conjur/policy/doc'

data/lib/conjur/policy/doc.rb

@@ -0,0 +1,43 @@
+module Conjur
+  module Policy
+    module Doc
+      Attribute = Struct.new(:id, :kind)
+
+      Operation = Struct.new(:id, :super_id, :description, :example, :attributes)
+      
+      class << self
+        def list
+          all_types = Set.new
+          new_types = Set.new
+          new_types += Conjur::Policy::Types::Base.subclasses
+          all_types += new_types
+          while !new_types.empty?
+            iteration_new_types = Set.new
+            new_types.each do |type|
+              subtypes = type.subclasses
+              iteration_new_types += (Set.new(subtypes) - all_types)
+              all_types += subtypes
+            end
+            new_types = iteration_new_types.dup
+            iteration_new_types.clear
+          end
+          all_types.map do |type|
+            # TODO: I am not sure what this is
+            next if type == Conjur::Policy::Ruby::Policy
+
+            description = type.send(:description) rescue ""
+            example = type.send(:example) rescue ""
+            attributes = type.fields.map do |id, kind|
+              Attribute.new(id, kind)
+            end
+            unless attributes.empty?
+              super_id = type.superclass.short_name rescue nil
+              super_id = nil if super_id == "Base"
+              Operation.new(type.short_name, super_id, description, example, attributes)
+            end
+          end.compact.sort{|a,b| a.id <=> b.id}
+        end
+      end
+    end
+  end
+end

data/lib/conjur/policy/invalid.rb

@@ -0,0 +1,12 @@
+module Conjur
+  module Policy
+    class Invalid < Exception
+      attr_reader :mark
+      
+      def initialize message, filename, mark
+        super [ "Error at line #{mark.line}, column #{mark.column} in #{filename}", message ].join(' : ')
+        @mark = mark
+      end
+    end
+  end
+end

data/lib/conjur/policy/logger.rb

@@ -0,0 +1,12 @@
+module Conjur::Policy::Logger
+  def self.included base
+    base.module_eval do
+      # Override the logger with this method.
+      cattr_accessor :logger
+      
+      require 'logger'
+      self.logger = Logger.new(STDERR)
+      self.logger.level = (ENV['DEBUG'] == "true" ? Logger::DEBUG : Logger::INFO)
+    end
+  end
+end

data/lib/conjur/policy/resolver.rb

@@ -0,0 +1,262 @@
+module Conjur
+  module Policy
+    class Resolver
+      attr_reader :account, :ownerid, :namespace
+      
+      class << self
+        # Resolve records to the specified owner id and namespace.
+        def resolve records, account, ownerid, namespace = nil
+          resolver_classes = [ AccountResolver, IdSubstitutionResolver, AnnotationSubstitutionResolver, OwnerResolver, FlattenResolver, DuplicateResolver ]
+          resolver_classes.each do |cls|
+            resolver = cls.new account, ownerid, namespace
+            records = resolver.resolve records
+          end
+          records
+        end
+      end
+      
+      # +account+ is required. It's the default account whenever no account is specified.
+      # +ownerid+ is required. Any records without an owner will be assigned this owner. The exception
+      # is records defined in a policy, which are always owned by the policy role unless an explicit owner
+      # is indicated (which would be rare).
+      # +namespace+ is optional. It's prepended to the id of every record, except for ids which begin
+      # with a '/' character.
+      def initialize account, ownerid, namespace = nil
+        @account = account
+        @ownerid   = ownerid
+        @namespace = namespace
+        
+        raise "account is required" unless account
+        raise "ownerid is required" unless ownerid
+        raise "ownerid must be fully qualified" unless ownerid.split(":", 3).length == 3
+      end
+      
+      protected
+      
+      # Traverse an Array-ish of records, calling a +handler+ method for each one.
+      # If a record is a Policy, then the +policy_handler+ is invoked, after the +handler+.
+      def traverse records, visited, handler, policy_handler = nil
+        Array(records).flatten.each do |record|
+          next unless visited.add?(id_of(record))
+
+          handler.call record, visited
+          policy_handler.call record, visited if policy_handler && record.is_a?(Types::Policy)
+        end
+      end
+      
+      def id_of record
+        record.object_id
+      end
+    end
+    
+    # Updates all nil +account+ fields to the default account.
+    class AccountResolver < Resolver
+      def resolve records
+        traverse records, Set.new, method(:resolve_account), method(:on_resolve_policy)
+      end
+      
+      def resolve_account record, visited
+        if record.respond_to?(:account) && record.respond_to?(:account=) && record.account.nil?
+          record.account = @account
+        end
+        traverse record.referenced_records, visited, method(:resolve_account), method(:on_resolve_policy)
+      end
+      
+      def on_resolve_policy policy, visited
+        traverse policy.body, visited, method(:resolve_account), method(:on_resolve_policy)
+      end
+    end
+
+    class SubstitutionResolver < Resolver
+      SUBSTITUTIONS = { "$namespace" => :namespace }
+        
+      def resolve records
+        traverse records, Set.new, method(:resolve_field), method(:on_resolve_policy)
+      end
+      
+      protected
+      
+      def substitute! id
+        SUBSTITUTIONS.each do |k,v|
+          next unless value = send(v)
+          id.gsub! k, value
+        end
+      end
+      
+      def on_resolve_policy policy, visited
+        saved_namespace = @namespace
+        @namespace = policy.id
+        traverse policy.body, visited, method(:resolve_field), method(:on_resolve_policy)
+      ensure
+        @namespace = saved_namespace
+      end
+    end
+    
+    # Makes all ids absolute, by prepending the namespace (if any) and the enclosing policy (if any).
+    class IdSubstitutionResolver < SubstitutionResolver
+      
+      def resolve_field record, visited
+        if record.respond_to?(:id) && record.respond_to?(:id=)
+          id = record.id
+          if id.blank?
+            raise "#{record.class.simple_name} has no id" unless namespace
+            id = namespace
+          elsif id[0] == '/'
+            id = id[1..-1]
+          else
+            if record.respond_to?(:resource_kind) && record.resource_kind == "user"
+              id = [ id, user_namespace ].compact.join('@')
+            else
+              id = [ namespace, id ].compact.join('/')
+            end
+          end
+
+          substitute! id
+          
+          record.id = id
+        end
+        
+        traverse record.referenced_records, visited, method(:resolve_field), method(:on_resolve_policy)
+      end
+      
+      protected
+      
+      def user_namespace
+        namespace.gsub('/', '-') if namespace
+      end
+    end
+    
+    class AnnotationSubstitutionResolver < SubstitutionResolver
+      def resolve_field record, visited
+        if record.respond_to?(:annotations) && (annotations = record.annotations)
+          annotations.each do |k,v|
+            substitute! v
+          end
+        end
+
+        traverse record.referenced_records, visited, method(:resolve_field), method(:on_resolve_policy)
+      end
+    end
+    
+    # Sets the owner field for any records which support it, and don't have an owner specified.
+    # Within a policy, the default owner is the policy role. For global records, the 
+    # default owner is the +ownerid+ specified in the constructor.
+    class OwnerResolver < Resolver
+      def resolve records
+        traverse records, Set.new, method(:resolve_owner), method(:on_resolve_policy)
+      end
+      
+      def resolve_owner record, visited
+        if record.respond_to?(:owner) && record.owner.nil?
+          record.owner = Types::Role.new(@ownerid)
+        end
+      end
+      
+      def on_resolve_policy policy, visited
+        saved_ownerid = @ownerid
+        @ownerid = [ policy.account, "policy", policy.id ].join(":")
+        traverse policy.body, visited, method(:resolve_owner), method(:on_resolve_policy)
+      ensure
+        @ownerid = saved_ownerid
+      end
+    end
+    
+    # Flattens and sorts all records into a single list, including YAML lists and policy body.
+    class FlattenResolver < Resolver
+      def resolve records
+        @result = []
+        traverse records, Set.new, method(:resolve_record), method(:on_resolve_policy)
+
+        # Sort record creation before anything else.
+        # Sort record creation in dependency order (if A owns B, then A will be created before B).
+        # Otherwise, preserve the existing order.
+
+        @stable_index = {}
+        @result.each_with_index do |obj, idx|
+          @stable_index[obj] = idx
+        end
+        @referenced_record_index = {}
+        @result.each_with_index do |obj, idx|
+          @referenced_record_index[obj] = obj.referenced_records.select{|r| r.respond_to?(:roleid)}.map(&:roleid)
+        end
+        @result.flatten.sort do |a,b|
+          score = sort_score(a) - sort_score(b)
+          if score == 0
+            if a.respond_to?(:roleid) && @referenced_record_index[b].member?(a.roleid) &&
+              b.respond_to?(:roleid) && @referenced_record_index[a].member?(b.roleid)
+              raise "Dependency cycle encountered between #{a} and #{b}"
+            elsif a.respond_to?(:roleid) && @referenced_record_index[b].member?(a.roleid)
+              score = -1
+            elsif b.respond_to?(:roleid) && @referenced_record_index[a].member?(b.roleid)
+              score = 1
+            else
+              score = @stable_index[a] - @stable_index[b]
+            end
+          end
+          score
+        end
+      end
+      
+      protected
+      
+      # Sort "Create" and "Record" objects to the front.
+      def sort_score record
+        if record.is_a?(Types::Create) || record.is_a?(Types::Record)
+          -1
+        else
+          0
+        end
+      end
+      
+      # Add the record to the result.
+      def resolve_record record, visited
+        @result += Array(record)
+      end
+
+      # Recurse on the policy body records.
+      def on_resolve_policy policy, visited
+        body = policy.body
+        policy.remove_instance_variable "@body"
+        traverse body, visited, method(:resolve_record), method(:on_resolve_policy)
+      end
+    end
+    
+    # Raises an exception if the same record is declared more than once.
+    class DuplicateResolver < Resolver
+      def resolve records
+        seen = Set.new
+        Array(records).flatten.each do |record|
+          if record.respond_to?(:id) && !seen.add?([ record.class.short_name, record.id ])
+            raise "#{record} is declared more than once"
+          end
+        end
+      end
+    end
+    
+    # Unsets attributes that make for more verbose YAML output. This class is used to 
+    # compact YAML expectations in test cases. It expects pre-flattened input.
+    #
+    # +account+ attributes which match the provided account are set to nil.
+    # +owner+ attributes which match the provided ownerid are removed.
+    class CompactOutputResolver < Resolver
+      def resolve records
+        traverse records, Set.new, method(:resolve_owner)
+        traverse records, Set.new, method(:resolve_account)
+      end
+      
+      def resolve_account record, visited
+        if record.respond_to?(:account) && record.respond_to?(:account=) && record.account && record.account == self.account
+          record.remove_instance_variable :@account
+        end
+        traverse record.referenced_records, visited, method(:resolve_account)
+      end
+
+      def resolve_owner record, visited
+        if record.respond_to?(:owner) && record.respond_to?(:owner=) && record.owner && record.owner.roleid == self.ownerid
+          record.remove_instance_variable :@owner
+        end
+        traverse record.referenced_records, visited, method(:resolve_owner)
+      end
+    end
+  end
+end