idnio 2.3.2b

data/lib/objects/reference-resolver.rb

@@ -0,0 +1,137 @@
+#!/usr/bin/env ruby
+require "json"
+require "idnio/idnapi"
+require "idnio/program"
+
+module ReferenceResolver
+
+  @@default_identity_ref = nil
+
+  @@default_cluster_ref = nil
+
+  def self.get_default_identity_ref
+    if @@default_identity_ref.nil?
+      @@default_identity_ref = ReferenceResolver.get_identity_ref( "slpt.services" )
+    end
+    return @@default_identity_ref
+  end #def self.get_default_identity_ref
+
+  def self.get_identity_ref( name )
+
+    query = {
+      "queryType": "SAILPOINT",
+      "query": {
+        "query": "name:#{name}"
+      }
+    }
+    response = IDNAPI.post_json( "#{$url}/beta/search/identities?count=true&offset=0&limit=1", $token, query )
+
+    unless response['X-Total-Count'].nil?
+      count = response['X-Total-Count'].to_i
+
+      if count == 1 # Make sure we have a unique result.
+
+        identities = JSON.parse( response.body )
+
+        identity = identities.first
+
+        identity_ref = {
+          "type": "IDENTITY",
+          "id": identity['id'],
+          "name": identity['name']
+        }
+
+        return identity_ref
+
+      elsif name != "slpt.services"  # We don't have a unique result, and we're not looking up slpt.services, so we'll look that up instead.
+
+        $log.debug "\t\tCannot resolve unique identity '#{name}'. Resolving identity 'slpt.services' instead."
+        return ReferenceResolver.get_default_identity_ref
+
+      else # We don't have a unique result, and we couldn't resolve anything else. Punt. Hopefully we never see this message.
+
+        $log.debug "\t\tCannot resolve identity '#{name}' . Giving up with no identity."
+        return nil
+
+      end
+
+    end # if response['X-Total-Count'].nil?
+
+    return nil # catch all.
+
+  end # def self.get_identity_ref ( name )
+
+  def self.get_default_cluster_ref
+
+    if @@default_cluster_ref.nil?
+
+      response = IDNAPI.get( "#{$url}/cc/api/cluster/list", $token )
+
+      case response
+      when Net::HTTPSuccess
+
+        clusters = JSON.parse( response.body )
+
+        unless clusters.nil? || clusters.empty?
+
+          cluster = clusters.first
+
+          cluster_ref = {
+            "type": "CLUSTER",
+            "id": "#{cluster['configuration']['clusterExternalId']}",
+            "name": "#{cluster['name']}"
+          }
+
+          @@default_cluster_ref = cluster_ref
+
+        end #unless clusters["items"].nil?
+
+      else
+        $log.error "\tError: Unable to fetch clusters."
+      end # case response
+
+    end # if @@default_cluster_ref.nil?
+
+    return @@default_cluster_ref
+
+  end # def self.get_default_cluster_ref
+
+  def self.get_cluster_ref( name )
+
+    response = IDNAPI.get( "#{$url}/cc/api/cluster/list", $token )
+
+    case response
+    when Net::HTTPSuccess
+
+      clusters = JSON.parse( response.body )
+
+      unless clusters.nil? || clusters.empty?
+
+        clusters.each do |cluster|
+
+          # If we match the name of the cluster we are looking for.
+          if cluster['name'] == name
+
+            cluster_ref = {
+              "type": "CLUSTER",
+              "id": "#{cluster['configuration']['clusterExternalId']}",
+              "name": "#{cluster['name']}"
+            }
+            return cluster_ref
+
+          end # if cluster['name'] == name
+
+        end # clusters.each do |cluster|
+
+      end # unless clusters["items"].nil?
+
+    else
+      $log.error "\tError: Unable to fetch clusters."
+    end # case response
+
+    $log.warn "\tUnable to find a cluster which matches name #{name}."
+
+    return nil
+
+  end # def self.get_cluster_ref( name )
+end

data/lib/objects/roles.rb

@@ -0,0 +1,117 @@
+#!/usr/bin/env ruby
+require "json"
+require "csv"
+require "idnio/idnapi"
+require "idnio/program"
+require "idnio/markdown"
+
+module Roles
+
+  def self.querysearch( query )
+
+    response = IDNAPI.get( "#{$url}/v2/search/roles?offset=0&limit=10&query=#{query}", $token )
+
+    case response
+    when Net::HTTPSuccess
+
+      roles = JSON.parse( response.body )
+
+      unless roles.nil? || roles.empty?
+        return roles.first
+      end
+
+    end
+
+    return nil
+
+  end
+
+  #
+  # Exports Role configurations.
+  #
+  def self.export( directory )
+
+    response = IDNAPI.get( "#{$url}/cc/api/role/list", $token )
+
+    unless response.nil?
+
+      roles = JSON.parse( response.body )
+
+      $log.info "\tDetected #{roles['count']} roles."
+
+      roles['items'].each do |role|
+
+        apNames = ""
+
+        $log.info "\tRole: #{role["displayName"]}"
+
+        role_response = IDNAPI.get( "#{$url}/cc/api/role/get/?id=#{role["id"]}", $token )
+
+        full_role = JSON.parse( role_response.body )
+
+        full_role['accessProfileIds'].each do |ap|
+
+          response = IDNAPI.get( "#{$url}/v2/search/accessprofiles?query='id=#{ap}''", $token )
+
+          unless response.nil?
+            result = JSON.parse( response.body )
+            result.each do |r|
+
+              apNames << r['name']
+              apNames << ";"
+            end
+          end
+        end
+        full_role['accessProfileNames'] = apNames
+
+        Program.write_file( "#{directory}/roles/", "Role - #{full_role["displayName"]}.json", JSON.pretty_generate(full_role) )
+      end
+    end
+  end
+
+  #
+  # Import Role configurations.
+  #
+  def self.import( directory )
+    $log.warn "\tImport for object type roles is not supported at this time."
+  end
+
+  #
+  # Documents Role configurations.
+  #
+  def self.doc
+    Markdown.h2( "Roles" )
+
+    Markdown.text( "| Name | Description | Selector | Access Profiles |\n")
+    Markdown.text( "|------|-------------|----------|-----------------|\n")
+
+    response = IDNAPI.get( "#{$url}/cc/api/role/list", $token )
+    unless response.nil?
+        roles = JSON.parse( response.body )
+
+        $log.info "\tDetected #{roles['count']} roles."
+
+        roles['items'].each do |role|
+          $log.info "\tRole: #{role["displayName"]}"
+          role_response = IDNAPI.get( "#{$url}/cc/api/role/get/?id=#{role["id"]}", $token )
+          full_role = JSON.parse( role_response.body )
+          search_role = Roles.querysearch( "name:\"#{role["displayName"]}\"" )
+          accessProfileNames = ""
+
+            unless search_role["accessProfiles"].nil?
+              search_role["accessProfiles"].each do |ap|
+                if accessProfileNames != ""
+                  accessProfileNames += ","
+                end
+                accessProfileNames += ap["name"]
+              end
+            end
+          #end
+          Markdown.text( "|#{full_role["displayName"]}|#{full_role["description"]}|#{full_role["selector"]}|#{accessProfileNames}|\n")
+        end
+    end
+
+    Markdown.write
+  end
+
+end

data/lib/objects/rules.rb

@@ -0,0 +1,198 @@
+#!/usr/bin/env ruby
+require "json"
+require "idnio/idnapi"
+require "idnio/program"
+require "idnio/markdown"
+
+module Rules
+
+  @@default_rules = [
+    "AccessIQ Add Usage Certification",
+    "Account Report Form Customizer",
+    "Active Directory Customization",
+    "After Operation Rule Template for  Web Services",
+    "All Objects",
+    "Approval Library",
+    "Azure AD Customization",
+    "Before Operation Rule Template for Web Services Connector",
+    "Build Manual Action Approvals",
+    "CEFActivityCorrelation",
+    "CEFTransformRule",
+    "Certification Report Customizer",
+    "Check Password Policy",
+    "Clear CustomGlobal",
+    "Cloud Account Attribute Transform",
+    "Cloud Account Group Refresh Rule",
+    "Cloud Active Phase Enter Rule",
+    "Cloud Approval Escalation Rule",
+    "Cloud Calculate Authentication Alias",
+    "Cloud Calculate Identity Status",
+    "Cloud Calculate Internal Identity Status",
+    "Cloud Cert Item Customization Rule",
+    "Cloud Certification Reassignment Rule",
+    "Cloud Clone Existing Account",
+    "Cloud Correlate Manager by AccountId",
+    "Cloud Detect Lifecycle State Change",
+    "Cloud End Phase Enter Rule",
+    "Cloud Flat File CustomizationRule",
+    "Cloud Identity Refresh Rule",
+    "Cloud Identity Tester",
+    "Cloud Promote Identity Attribute",
+    "CMS Cert Item Customization Rule",
+    "CMS Certification Reassignment Rule",
+    "CMS Execute Campaign Filter",
+    "Correct Link Idx Column",
+    "Create Password",
+    "Create Unique Account ID",
+    "Create Unique LDAP Attribute",
+    "Exclude Uncorrelated Identities",
+    "Execute Campaign Filter",
+    "Get Manager LDAP DN",
+    "Identity Report Form Customizer",
+    "IdentityNowSAML",
+    "JDBCProvisioning Rule Adapter",
+    "LCM Build Identity ApprovalSet",
+    "LCM Build Identity Approvers",
+    "LCM Build Owner Approvals",
+    "LCM Validate Identity Name",
+    "LCM Validate Password",
+    "LCM Workflow Library",
+    "Microsoft Office365 Customization",
+    "No Correlator",
+    "Objects in Requestee's Assigned Scope",
+    "Objects in Requestor's Authorized Scopes",
+    "Objects in Requestor's Authorized Scopes or Requestee's Assigned Scope",
+    "Objects Owned by the Requestor",
+    "Privileged Access Report Customizer",
+    "Privileged Access Report Validation Rule",
+    "Report Completion Notification",
+    "Report Scorecard Value Renderer",
+    "SuccessFactorsOperationProvisioning",
+    "System Configured Locale Rule",
+    "Task Completion Email Rule",
+    "WindowsActivityRuleLibrary",
+    "Workflow Library"
+  ]
+
+  #
+  # Get Rule XML
+  #
+  def self.get_xml( rule )
+
+    if rule.nil?
+      return nil
+    end
+
+    rule_xml = "<?xml version='1.0' encoding='UTF-8'?>\n<!DOCTYPE Rule PUBLIC 'sailpoint.dtd' 'sailpoint.dtd'>\n<Rule language='beanshell' name='#{rule['name']}'"
+
+    unless rule['type'].nil?
+      rule_xml += " type='#{rule['type']}' "
+    end
+
+    unless rule['description'].nil?
+      rule_description = rule['description'].gsub(/\t+|\s+/," ").gsub(/(\r\n)+|\r+|^\s+|\s+$|\n+?/,"")
+    else
+      rule_description = ""
+    end
+
+    rule_xml += ">\n\t<Description>#{rule_description}</Description>\n\t<Source><![CDATA[\n#{rule['source']}\n]]></Source>\n</Rule>"
+
+    return rule_xml
+  end
+
+  #
+  # Exports Rule configurations.
+  #
+  def self.export( directory )
+
+    response = IDNAPI.get( "#{$url}/cc/api/rule/list", $token )
+
+    case response
+    when Net::HTTPSuccess
+
+      rules = JSON.parse( response.body )
+
+      $log.info "\tDetected #{rules["count"]} rules."
+
+      rules["items"].each do |rule|
+
+        if (!@@default_rules.include? rule["name"]) || $config["include-defaults"]
+
+          $log.info "\tRule: #{rule["name"]}"
+
+          if rule["type"].nil?
+            Program.write_file( "#{directory}/rules/", "Rule - Generic - #{rule["name"]}.xml", Rules.get_xml( rule ) )
+          else
+            Program.write_file( "#{directory}/rules/", "Rule - #{rule["type"]} - #{rule["name"]}.xml", Rules.get_xml( rule ) )
+          end
+
+        else
+
+          $log.info "\tSkipping Default Rule: #{rule["name"]}"
+
+        end # if (!@@default_transforms.include? transform["id"]...
+
+      end # rules["items"].each do |rule|
+
+    else
+      $log.error "\tError: Unable to fetch rules."
+    end # case response
+
+  end
+
+  #
+  # Imports Rule configurations.
+  #
+  def self.import( directory )
+    $log.warn "\t Import of rules is not supported. Please contact SailPoint in order to install a rule in the system."
+  end
+
+  #
+  # Documents Rule configurations.
+  #
+  def self.doc
+
+    response = IDNAPI.get( "#{$url}/cc/api/rule/list", $token )
+
+    case response
+    when Net::HTTPSuccess
+
+      rules = JSON.parse( response.body )
+
+      $log.info "\tDetected #{rules["count"]} rules."
+
+      Markdown.h2 "Rules"
+
+      rules["items"].each do |rule|
+
+        if (!@@default_rules.include? rule["name"]) || $config["include-defaults"]
+
+          $log.info "\tRule: #{rule["name"]}"
+
+          if rule["type"].nil?
+            Markdown.h3 "#{rule["name"]} (Generic)"
+          else
+            Markdown.h3 "#{rule["name"]} (#{rule["type"]})"
+          end
+
+          unless rule['description'].nil?
+              Markdown.text "#{rule['description'].gsub(/\t+|\s+/," ").gsub(/(\r\n)+|\r+|^\s+|\s+$|\n+?/,"")}\n"
+          end
+
+          Markdown.xml Rules.get_xml( rule )
+
+        else
+
+          $log.info "\tSkipping Default Rule: #{rule["name"]}"
+
+        end # if (!@@default_transforms.include? transform["id"]...
+
+      end # rules["items"].each do |rule|
+
+    else
+      $log.error "\tError: Unable to fetch rules."
+    end # case response
+
+    Markdown.write
+  end
+end