miam 0.1.0.beta

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 78a6357ad96eb46c37e14554170823849a1b7299
+  data.tar.gz: 5e8e8b62d90cfa1d313874b5d842a505bb07bcfe
+SHA512:
+  metadata.gz: 2bbe33cd3fc4274a239bfde9bff8eee340af294178b873f9b3f1c533a5efd02f0a41a960ee8d752f54c252eadba21a3f2a1484f939a94e16c96690e173e8ee3f
+  data.tar.gz: aa09af7d99890cd20908d5f6991846978bc40fcdf007e2cc7b152e72f81f13e49b00b9120646e34524ec95e66bc863a12b5586c49d54518146e4593fa8d01382

data/.gitignore

@@ -0,0 +1,18 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+test.rb
+IAMfile
+*.iam
+account.csv

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in miam.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Genki Sugawara
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,112 @@
+# Miam
+
+Miam is a tool to manage IAM.
+
+It defines the state of IAM using DSL, and updates IAM according to DSL.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'miam'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install miam --pre
+
+## Usage
+
+```sh
+export AWS_ACCESS_KEY_ID='...'
+export AWS_SECRET_ACCESS_KEY='...'
+export AWS_REGION='us-east-1'
+miam -e -o IAMfile  # export IAM
+vi IAMfile
+miam -a --dry-run
+miam -a             # apply `IAMfile`
+```
+
+## Help
+
+```
+Usage: miam [options]
+    -p, --profile PROFILE_NAME
+        --credentials-path PATH
+    -k, --access-key ACCESS_KEY
+    -s, --secret-key SECRET_KEY
+    -r, --region REGION
+    -a, --apply
+    -f, --file FILE
+        --dry-run
+        --account-output FILE
+    -e, --export
+    -o, --output FILE
+        --split
+        --no-color
+        --no-progress
+        --debug
+```
+
+## IAMfile example
+
+```ruby
+require 'other/iamfile'
+
+user "bob", path: "/developer/" do
+  login_profile password_reset_required: true
+
+  groups(
+    "Admin"
+  )
+
+  policy "bob-policy" do
+    {"Version"=>"2012-10-17",
+     "Statement"=>
+      [{"Action"=>
+         ["s3:Get*",
+          "s3:List*"],
+        "Effect"=>"Allow",
+        "Resource"=>"*"}]}
+  end
+end
+
+user "mary", path: "/staff/" do
+  # login_profile password_reset_required: true
+
+  groups(
+    # no group
+  )
+
+  policy "s3-readonly" do
+    {"Version"=>"2012-10-17",
+     "Statement"=>
+      [{"Action"=>
+         ["s3:Get*",
+          "s3:List*"],
+        "Effect"=>"Allow",
+        "Resource"=>"*"}]}
+  end
+
+  policy "route53-readonly" do
+    {"Version"=>"2012-10-17",
+     "Statement"=>
+      [{"Action"=>
+         ["route53:Get*",
+          "route53:List*"],
+        "Effect"=>"Allow",
+        "Resource"=>"*"}]}
+  end
+end
+
+group "Admin", path: "/admin/" do
+  policy "Admin" do
+    {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+  end
+end
+```

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler/gem_tasks'
+

data/bin/miam

@@ -0,0 +1,143 @@
+#!/usr/bin/env ruby
+$: << File.expand_path("#{File.dirname __FILE__}/../lib")
+require 'rubygems'
+require 'miam'
+require 'optparse'
+
+Version = Miam::VERSION
+DEFAULT_FILENAME = 'IAMfile'
+
+mode = nil
+file = DEFAULT_FILENAME
+output_file = '-'
+account_output = 'account.csv'
+split = false
+
+options = {
+  :dry_run => false,
+  :color   => true,
+  :debug   => false,
+}
+
+options[:password_manager] = Miam::PasswordManager.new(account_output, options)
+
+ARGV.options do |opt|
+  begin
+    access_key = nil
+    secret_key = nil
+    region = nil
+    profile_name = nil
+    credentials_path = nil
+
+    opt.on('-p', '--profile PROFILE_NAME')  {|v| profile_name               = v                                     }
+    opt.on(''  , '--credentials-path PATH') {|v| credentials_path           = v                                     }
+    opt.on('-k', '--access-key ACCESS_KEY') {|v| access_key                 = v                                     }
+    opt.on('-s', '--secret-key SECRET_KEY') {|v| secret_key                 = v                                     }
+    opt.on('-r', '--region REGION')         {|v| region                     = v                                     }
+    opt.on('-a', '--apply')                 {    mode                       = :apply                                }
+    opt.on('-f', '--file FILE')             {|v| file                       = v                                     }
+    opt.on('',   '--dry-run')               {    options[:dry_run]          = true                                  }
+    opt.on(''  , '--account-output FILE')   {|v| options[:password_manager] = Miam::PasswordManager.new(v, options) }
+    opt.on(''  , '--split')                 {    split                      = true                                  }
+    opt.on('-e', '--export')                {    mode                       = :export                               }
+    opt.on('-o', '--output FILE')           {|v| output_file                = v                                     }
+    opt.on(''  , '--split')                 {    split                      = true                                  }
+    opt.on(''  , '--no-color')              {    options[:color]            = false                                 }
+    opt.on(''  , '--no-progress')           {    options[:no_progress]      = true                                  }
+    opt.on(''  , '--debug')                 {    options[:debug]            = true                                  }
+    opt.parse!
+
+    aws_opts = {}
+
+    if access_key and secret_key
+      aws_opts.update(
+        :access_key_id => access_key,
+        :secret_access_key => secret_key
+      )
+    elsif profile_name or credentials_path
+      credentials_opts = {}
+      credentials_opts[:profile_name] = profile_name if profile_name
+      credentials_opts[:path] = credentials_path if credentials_path
+      credentials = Aws::SharedCredentials.new(credentials_opts)
+      aws_opts[:credentials] = credentials
+    elsif (access_key and !secret_key) or (!access_key and secret_key) or mode.nil?
+      puts opt.help
+      exit 1
+    end
+
+    aws_opts[:region] = region if region
+    Aws.config.update(aws_opts)
+  rescue => e
+    $stderr.puts("[ERROR] #{e.message}")
+    exit 1
+  end
+end
+
+String.colorize = options[:color]
+
+if options[:debug]
+  Aws.config.update(
+    :http_wire_trace => true,
+    :logger => Miam::Logger.instance
+  )
+end
+
+begin
+  logger = Miam::Logger.instance
+  logger.set_debug(options[:debug])
+  client = Miam::Client.new(options)
+
+  case mode
+  when :export
+    if split
+      logger.info('Export IAM')
+      output_file = DEFAULT_FILENAME if output_file == '-'
+      requires = []
+
+      client.export do |users_or_groups, dsl|
+        iam_file = File.join(File.dirname(output_file), "#{users_or_groups}.iam")
+        requires << iam_file
+        logger.info("  write `#{iam_file}`")
+
+        open(iam_file, 'wb') do |f|
+          f.puts dsl
+        end
+      end
+
+      logger.info("  write `#{output_file}`")
+
+      open(output_file, 'wb') do |f|
+        requires.each do |iam_file|
+          f.puts "require '#{File.basename iam_file}'"
+        end
+      end
+    else
+      if output_file == '-'
+        logger.info('# Export IAM')
+        puts client.export
+      else
+        logger.info("Export IAM to `#{output_file}`")
+        open(output_file, 'wb') {|f| f.puts client.export }
+      end
+    end
+  when :apply
+    unless File.exist?(file)
+      raise "No IAMfile found (looking for: #{file})"
+    end
+
+    msg = "Apply `#{file}` to IAM"
+    msg << ' (dry-run)' if options[:dry_run]
+    logger.info(msg)
+
+    updated = client.apply(file)
+
+    logger.info('No change'.intense_blue) unless updated
+  end
+rescue => e
+  if options[:debug]
+    raise e
+  else
+    $stderr.puts("[ERROR] #{e.message}".red)
+    exit 1
+  end
+end

data/lib/miam.rb

@@ -0,0 +1,24 @@
+require 'cgi'
+require 'json'
+require 'logger'
+require 'pp'
+require 'singleton'
+
+require 'aws-sdk-core'
+require 'ruby-progressbar'
+require 'term/ansicolor'
+
+module Miam; end
+require 'miam/logger'
+require 'miam/client'
+require 'miam/driver'
+require 'miam/dsl'
+require 'miam/dsl/context'
+require 'miam/dsl/context/group'
+require 'miam/dsl/context/user'
+require 'miam/dsl/converter'
+require 'miam/exporter'
+require 'miam/ext/string_ext'
+require 'miam/password_manager'
+require 'miam/utils'
+require 'miam/version'

data/lib/miam/client.rb

@@ -0,0 +1,268 @@
+class Miam::Client
+  def initialize(options = {})
+    @options = options
+    aws_config = options.delete(:aws_config) || {}
+    @iam = Aws::IAM::Client.new(aws_config)
+    @driver = Miam::Driver.new(@iam, options)
+    @password_manager = options[:password_manager] || Miam::PasswordManager.new('-', options)
+  end
+
+  def export
+    exported, group_users = Miam::Exporter.export(@iam, @options) do |export_options|
+      progress(*export_options.values_at(:progress_total, :progress))
+    end
+
+    if block_given?
+      [:users, :groups].each do |users_or_groups|
+        splitted = {:users => {}, :groups => {}}
+        splitted[users_or_groups] = exported[users_or_groups]
+        yield(users_or_groups, Miam::DSL.convert(splitted, @options).strip)
+      end
+    else
+      Miam::DSL.convert(exported, @options)
+    end
+  end
+
+  def apply(file)
+    walk(file)
+  end
+
+  private
+
+  def walk(file)
+    expected = load_file(file)
+
+    actual, group_users = Miam::Exporter.export(@iam, @options) do |export_options|
+      progress(*export_options.values_at(:progress_total, :progress))
+    end
+
+    updated = walk_groups(expected[:groups], actual[:groups], actual[:users], group_users)
+    updated = walk_users(expected[:users], actual[:users], group_users) || updated
+
+    if @options[:dry_run]
+      false
+    else
+      updated
+    end
+  end
+
+  def walk_users(expected, actual, group_users)
+    updated = scan_rename(:user, expected, actual, group_users)
+
+    expected.each do |user_name, expected_attrs|
+      actual_attrs = actual.delete(user_name)
+
+      if actual_attrs
+        updated = walk_user(user_name, expected_attrs, actual_attrs) || updated
+      else
+        actual_attrs = @driver.create_user(user_name, expected_attrs)
+        access_key = @driver.create_access_key(user_name)
+
+        if access_key
+          @password_manager.puts_password(user_name, access_key[:access_key_id], access_key[:secret_access_key])
+        end
+
+        walk_user(user_name, expected_attrs, actual_attrs)
+        updated = true
+      end
+    end
+
+    actual.each do |user_name, attrs|
+      @driver.delete_user(user_name, attrs)
+
+      group_users.each do |group_name, users|
+        users.delete(user_name)
+      end
+
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_user(user_name, expected_attrs, actual_attrs)
+    updated = walk_login_profile(user_name, expected_attrs[:login_profile], actual_attrs[:login_profile])
+    updated = walk_user_groups(user_name, expected_attrs[:groups], actual_attrs[:groups]) || updated
+    walk_policies(:user, user_name, expected_attrs[:policies], actual_attrs[:policies])
+  end
+
+  def walk_login_profile(user_name, expected_login_profile, actual_login_profile)
+    updated = false
+
+    [expected_login_profile, actual_login_profile].each do |login_profile|
+      if login_profile and not login_profile.has_key?(:password_reset_required)
+        login_profile[:password_reset_required] = false
+      end
+    end
+
+    if expected_login_profile and not actual_login_profile
+      expected_login_profile[:password] ||= @password_manager.identify(user_name, :login_profile)
+      @driver.create_login_profile(user_name, expected_login_profile)
+      updated = true
+    elsif not expected_login_profile and actual_login_profile
+      @driver.delete_login_profile(user_name)
+      updated = true
+    elsif expected_login_profile != actual_login_profile
+      @driver.update_login_profile(user_name, expected_login_profile)
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_user_groups(user_name, expected_groups, actual_groups)
+    expected_groups = expected_groups.sort
+    actual_groups = actual_groups.sort
+    updated = false
+
+    if expected_groups != actual_groups
+      add_groups = expected_groups - actual_groups
+      remove_groups = actual_groups - expected_groups
+
+      unless add_groups.empty?
+        @driver.add_user_to_groups(user_name, add_groups)
+      end
+
+      unless remove_groups.empty?
+        @driver.remove_user_from_groups(user_name, remove_groups)
+      end
+
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_groups(expected, actual, actual_users, group_users)
+    updated = scan_rename(:group, expected, actual, group_users)
+
+    expected.each do |group_name, expected_attrs|
+      actual_attrs = actual.delete(group_name)
+
+      if actual_attrs
+        updated = walk_path(:group, group_name, expected_attrs[:path], actual_attrs[:path]) || updated
+        updated = walk_group(group_name, expected_attrs, actual_attrs) || updated
+      else
+        actual_attrs = @driver.create_group(group_name, expected_attrs)
+        walk_group(group_name, expected_attrs, actual_attrs)
+        updated = true
+      end
+    end
+
+    actual.each do |group_name, attrs|
+      users_in_group = group_users.delete(group_name) || []
+      @driver.delete_group(group_name, attrs, users_in_group)
+
+      actual_users.each do |user_name, user_attrs|
+        user_attrs[:groups].delete(group_name)
+      end
+
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_group(group_name, expected_attrs, actual_attrs)
+    walk_policies(:group, group_name, expected_attrs[:policies], actual_attrs[:policies])
+  end
+
+  def scan_rename(type, expected, actual, group_users)
+    updated = false
+
+    expected.each do |name, expected_attrs|
+      renamed_from = expected_attrs[:renamed_from]
+      next unless renamed_from
+
+      actual_attrs = actual.delete(renamed_from)
+      next unless actual_attrs
+
+      @driver.update_name(type, renamed_from, name)
+      actual[name] = actual_attrs
+
+      case type
+      when :user
+        group_users.each do |group_name, users|
+          users.each do |user_name|
+            if user_name == renamed_from
+              user_name.replace(name)
+            end
+          end
+        end
+      when :group
+        users = group_users.delete(renamed_from)
+        group_users[name] = users if users
+      end
+
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_path(type, user_or_group_name, expected_path, actual_path)
+    updated = false
+
+    if expected_path != actual_path
+      @driver.update_path(type, user_or_group_name, expected_path)
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_policies(type, user_or_group_name, expected_policies, actual_policies)
+    updated = false
+
+    expected_policies.each do |policy_name, expected_document|
+      actual_document = actual_policies.delete(policy_name)
+
+      if actual_document
+        updated = walk_policy(type, user_or_group_name, policy_name, expected_document, actual_document) || updated
+      else
+        @driver.create_policy(type, user_or_group_name, policy_name, expected_document)
+        updated = true
+      end
+    end
+
+    actual_policies.each do |policy_name, document|
+      @driver.delete_policy(type, user_or_group_name, policy_name)
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_policy(type, user_or_group_name, policy_name, expected_document, actual_document)
+    updated = false
+
+    if expected_document != actual_document
+      @driver.update_policy(type, user_or_group_name, policy_name, expected_document)
+      updated = true
+    end
+
+    updated
+  end
+
+  def load_file(file)
+    if file.kind_of?(String)
+      open(file) do |f|
+        Miam::DSL.parse(f.read, file)
+      end
+    elsif file.respond_to?(:read)
+      Miam::DSL.parse(file.read, file.path)
+    else
+      raise TypeError, "can't convert #{file} into File"
+    end
+  end
+
+  def progress(total, n)
+    return if @options[:no_progress]
+
+    unless @progressbar
+      @progressbar = ProgressBar.create(:title => "Loading", :total => total, :output => $stderr)
+    end
+
+    @progressbar.progress = n
+  end
+end