deputy53 0.6.4 → 0.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 217f1845177eea5e0ab32c345d91b417e371be0b
-  data.tar.gz: 1a2e6eaf480af3717e8fa29cb6a2992fec35b775
+  metadata.gz: 3176f6abe3bb2ec36eec12b0e26d5aff702ac7d2
+  data.tar.gz: d0c2c6466d04300338952950d893d6dcbb7c908b
 SHA512:
-  metadata.gz: 5d60478b9b1940f528d873cfe2b5b4c4a2783593e16ad7328407fc056d0b0ec1d7afd9fd6c663f07757a84252d0b229a24f479d2ff3b41fffbc7bfc86bf81af3
-  data.tar.gz: 4d0e9fc2752d5ffcd6fd825976228aaac54126ee67148a96b44848bffa04f594f351b502945d6cf18f8c1e0a48236907a1f411a7ee13e8fe0618cd6b31abc171
+  metadata.gz: 3b204023a1ae60cd83a9c3813eb8d249f31ed6411ee67de290b6fbe696b6611317fc5a5d6811381345c70eba4dcbe25b18702c961f9fe3702f452e4011d98ca4
+  data.tar.gz: d436ea1be8d21f944e1a2e732b1cd66745795e7187fce93c0c2abd66ac943e205958d085001b0386ccc4eba0d248ddccf3e0677eb73f14f3fcd442ff57025d24

data/README.org

@@ -26,10 +26,30 @@
 
 * Usage
 
+** Delegate a subdomain to a new hosted zone
+
   #+BEGIN_SRC shell
     deputy53 delegate <subdomain>
   #+END_SRC
 
+** Assign control of a subdomain to an IAM entity
+
+   If =identity= is omitted, it will be inferred from the subdomain.
+
+   #+BEGIN_SRC shell
+     deputy53 assign <subdomain> [identity]
+   #+END_SRC
+
+** Generate a policy granting control of this zone
+
+   If you need to review or modify the policy generated by ~deputy53~, the
+   =policy= command will dump it to =STDOUT= in a format suitable for use with
+   tools such as ~awscli~ or ~piranha~.
+
+   #+BEGIN_SRC shell
+     deputy53 policy <subdomain>
+   #+END_SRC
+
 * License
 
   ~deputy53~ is available under the [[https://tldrlegal.com/license/mit-license][MIT License]]. See ~LICENSE.txt~ for the full text.

data/UPGRADING.org

@@ -0,0 +1,6 @@
+#+TITLE: Upgrading Notes
+
+* 0.7 -> 0.8
+
+  - ~Deputy53::Route53#id~ now raises a ~ZoneNotFoundError~ when the requested
+    zone is not found, rather than a ~KeyError~.

data/lib/deputy53/assigner.rb

@@ -0,0 +1,45 @@
+require 'aws-sdk'
+require 'json'
+require_relative 'contracted_object'
+require_relative 'iam'
+require_relative 'route53'
+
+module Deputy53
+  # Assigns control of a zone to an identity
+  class Assigner < ContractedObject
+    Contract None => IAM
+    def iam
+      @iam ||= IAM.new
+    end
+
+    Contract None => Route53
+    def route53
+      @route53 ||= Route53.new
+    end
+
+    Contract String => String
+    def policy(subdomain)
+      zone = route53.id(subdomain).sub(%r{^/}, '')
+      document = {
+        'Version' => '2012-10-17',
+        'Statement' => [
+          'Effect' => 'Allow',
+          'Action' => ['route53domains:*', 'route53:*'],
+          'Resource' => "arn:aws:route53:::#{zone}"
+        ]
+      }
+      JSON.dump document
+    end
+
+    Contract String, String => Bool
+    def assign(subdomain, identity)
+      identity = iam.identity identity
+
+      true if iam.api.method("put_#{identity.type}_policy").call(
+        :"#{identity.type}_name" => identity.name,
+        policy_name: "manage-dns@#{subdomain}",
+        policy_document: policy(subdomain)
+      )
+    end
+  end
+end

data/lib/deputy53/cli.rb

@@ -1,9 +1,22 @@
 require_relative 'agent'
+require_relative 'assigner'
 
 module Deputy53
+  # CommandLine Interface
   class CLI
     def delegate(subdomain)
       Agent.new(subdomain).delegate
     end
+
+    def assign(subdomain, user = nil)
+      subdomain = "#{subdomain}." unless subdomain.end_with? '.'
+      user ||= subdomain.split('.').slice(0..-3).join('.')
+      Assigner.new.assign(subdomain, user)
+    end
+
+    def policy(subdomain)
+      subdomain = "#{subdomain}." unless subdomain.end_with? '.'
+      Assigner.new.policy(subdomain)
+    end
   end
 end

data/lib/deputy53/exceptions.rb

@@ -0,0 +1,7 @@
+module Deputy53
+  class NameError < ::NameError; end
+  class AmbiguousNameError < NameError; end
+  class NotFoundError < NameError; end
+  class ZoneNotFoundError < NotFoundError; end
+  class IdentityNotFoundError < NotFoundError; end
+end

data/lib/deputy53/iam.rb

@@ -0,0 +1,68 @@
+require 'aws-sdk'
+require_relative 'contracted_object'
+require_relative 'identity'
+require_relative 'exceptions'
+
+module Deputy53
+  # An IAM Client
+  class IAM < ContractedObject
+    Contract None => ::Aws::IAM::Client
+    def api
+      @api ||= ::Aws::IAM::Client.new region: region
+    end
+
+    Contract None => String
+    def region
+      ENV.fetch('AWS_DEFAULT_REGION') { 'us-west-2' }
+    end
+
+    Contract None => ArrayOf[::Aws::IAM::Types::User]
+    def users
+      @users ||= api.list_users.users
+    end
+
+    Contract None => ArrayOf[::Aws::IAM::Types::Group]
+    def groups
+      @groups ||= api.list_groups.groups
+    end
+    Contract None => ArrayOf[::Aws::IAM::Types::Role]
+    def roles
+      @roles ||= api.list_roles.roles
+    end
+
+    Contract None => ArrayOf[Identity]
+    def identities
+      @identities ||= [users, groups, roles]
+                      .reduce(:+)
+                      .map { |i| Identity.new i }
+    end
+
+    Contract None => ArrayOf[String]
+    def names
+      identities.map(&:name)
+    end
+
+    Contract String => Bool
+    def exists?(name)
+      names.include? name
+    end
+
+    Contract String => Bool
+    def unambiguous?(name)
+      names.count { |n| n == name } == 1
+    end
+
+    Contract String => Identity
+    def identity(name)
+      raise IdentityNotFoundError unless exists? name
+      raise AmbiguousNameError unless unambiguous? name
+
+      identities.select { |i| i.name == name }.first
+    end
+
+    Contract String => String
+    def id(name)
+      identity(name).id
+    end
+  end
+end

data/lib/deputy53/identity.rb

@@ -0,0 +1,27 @@
+require_relative 'contracted_object'
+
+module Deputy53
+  # Unified class for Users, Groups, and Roles.
+  class Identity < ContractedObject
+    Contract Xor[::Aws::IAM::Types::User, ::Aws::IAM::Types::Group, ::Aws::IAM::Types::Role] => Identity
+    def initialize(identity)
+      @identity = identity
+      self
+    end
+
+    Contract None => Enum[:user, :group, :role]
+    def type
+      @type ||= @identity.arn.split(':').last.split('/').first.to_sym
+    end
+
+    Contract None => String
+    def name
+      @name ||= @identity.method("#{type}_name").call
+    end
+
+    Contract None => String
+    def id
+      @id ||= @identity.method("#{type}_id").call
+    end
+  end
+end

data/lib/deputy53/route53.rb

@@ -1,4 +1,5 @@
 require 'aws-sdk'
+require_relative 'exceptions'
 
 module Deputy53
   # A Route53 Client
@@ -35,7 +36,7 @@ module Deputy53
 
     Contract String => String
     def id(name)
-      raise KeyError unless zone? name
+      raise ZoneNotFoundError unless zone? name
       zones(name).first.id
     end
   end

data/lib/deputy53.rb

@@ -1,5 +1,7 @@
 require_relative 'deputy53/agent'
+require_relative 'deputy53/assigner'
 require_relative 'deputy53/cli'
+require_relative 'deputy53/exceptions'
 require_relative 'deputy53/contracted_object'
 require_relative 'deputy53/route53'
 require_relative 'deputy53/zone'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: deputy53
 version: !ruby/object:Gem::Version
-  version: 0.6.4
+  version: 0.13.0
 platform: ruby
 authors:
 - Chris Olstrom
@@ -100,12 +100,17 @@ files:
 - Gemfile
 - LICENSE.txt
 - README.org
+- UPGRADING.org
 - bin/deputy53
 - deputy53.gemspec
 - lib/deputy53.rb
 - lib/deputy53/agent.rb
+- lib/deputy53/assigner.rb
 - lib/deputy53/cli.rb
 - lib/deputy53/contracted_object.rb
+- lib/deputy53/exceptions.rb
+- lib/deputy53/iam.rb
+- lib/deputy53/identity.rb
 - lib/deputy53/route53.rb
 - lib/deputy53/zone.rb
 homepage: https://github.com/colstrom/deputy53