rs_user_policy 0.0.3 → 0.0.4

data/README.rdoc

@@ -27,10 +27,15 @@ The second input file is the user assignments JSON file which assigns users to r
 User Assignment JSON should be in the following format
 
   {
-    "ryan.geyer@rightscale.com": "role_name"
+    "ryan.geyer@rightscale.com": {
+      "roles": [
+        "role_name"
+      ]
+    }
   }
 
 There are two default roles which do not need to be defined in the policy file.  "immutable" which indicates that no changes should be performed on the user, and "delete" which indicates that all permissions should be removed for the user in all accounts.
+Both "immutable" and "delete", if present will take precedence over any other roles assigned to the user.
 
 Many email:role pairs can be specified. in the user assignments JSON
 
@@ -50,8 +55,16 @@ So, given a policy file like;
 And a user assignments file like;
 
   {
-    "user1@email.com": "team1",
-    "user2@email.com": "team2"
+    "user1@email.com": {
+      "roles": [
+        "team1"
+      ]
+    },
+    "user2@email.com": {
+      "roles": [
+        "team2"
+      ]
+    }
   }
 
 And operating on the accounts 12345 and 23456;
@@ -70,7 +83,11 @@ Second is the user_assignments-<timestamp>.json file.  This will be a combinatio
 
 == TODO
 
-* Allow a user to belong to more than one "role"
+* Allow users to be added who are not already invited to any RS parent or child account
+* In absence of a policy.json, create a new policy.json with base roles for each account discovered (I.E. Admin, Observer, Designer, etc)
+* Perhaps allow a role to inherit from another, or be a concatenation of several?
+* Handle the race condition where permissions have been deleted in the correct order, but API still throws 422 removing "observer" because the changes have not become consistent server side
+  * HTTP Code: 422, Response body: A user must have the observer role. (RightApi::Exceptions::ApiException)
 
 == Copyright
 

data/bin/rs_user_policy

@@ -24,8 +24,7 @@
 require 'trollop'
 require 'right_api_client'
 require 'logger'
-require File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib', 'audit_log'))
-require File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib', 'utilities'))
+require File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib', 'rs_user_policy'))
 
 opts = Trollop::options do
   banner = "Manages users across many different child accounts of a RightScale Enterprise Master Account"
@@ -42,86 +41,47 @@ log = Logger.new(STDOUT)
 timestamp = Time::now.to_i
 deleted_users = []
 accounts = []
-user_href_resource_map = {}
-user_email_resource_map = {}
-permission_delete_order = [
-  'enterprise_manager',
-  'admin',
-  'security_manager',
-  'actor',
-  'billing',
-  'server_login',
-  'publisher',
-  'designer',
-  'library',
-  'lite_user',
-  'observer'
-]
-
-log.info("The dry_run option was selected, no action will be taken, but the user_assignments output and audit_log files will be written reflecting the actions which would have been taken") if opts[:dry_run]
+
+if opts[:dry_run]
+  log.info("The dry_run option was selected, no action will be taken, but the user_assignments output and audit_log files will be written reflecting the actions which would have been taken")
+end
 
 user_assignments_output = "user_assignments-#{timestamp}.json"
 
-audit_log = AuditLog.new opts.merge(:timestamp => timestamp)
-policy = {}
-
-def valid_policy_json_file?(json_file, &block)
-  # TODO: Also validate that the policy file is in the correct form.
-  # I.E. {
-  #   "policy-name": {
-  #     "account-href-or-default": ["list", "of", "permissions"]
-  #   }
-  #}
-  yield JSON.parse(File.read(json_file))
-  return true
-rescue JSON::ParserError
-  return false
-end
+audit_log = RsUserPolicy::AuditLog.new opts.merge(:timestamp => timestamp)
 
-if File.exists? opts[:policy]
-  if valid_policy_json_file?(opts[:policy]) do |p|
-      policy = p
-    end
-  else
-    log.fatal("The policy file named #{opts[:policy]} is not a properly formatted json file!")
-    exit 1
-  end
-else
-  log.fatal("The policy file named #{opts[:policy]} was not found!")
+policy = nil
+begin
+  policy = RsUserPolicy::Policy::JsonPolicy.new(:filename => opts[:policy])
+rescue Exception => e
+  log.fatal("Unable to initialize policy from filename #{opts[:policy]}.  Error: #{e.message}")
   exit 1
 end
 
-user_assignments = {}
-if opts[:user_assignments]
-  if File.exists? opts[:user_assignments]
-    user_assignments = JSON.parse(File.read(opts[:user_assignments]))
-  else
-    log.warn("The user_assigments file named #{opts[:user_assignments]} was not found.  All users will be treated as immutable and written to the user_assigments output file.")
-  end
-else
-  log.warn("No user_assignments file was specified.  All users will be treated as immutable and written to the user_assigments output file.")
+user_assignments_options = opts[:user_assignments] ? { :filename => opts[:user_assignments] } : {}
+user_assignments = RsUserPolicy::UserAssignments::JsonUserAssignments.new(user_assignments_options)
+if user_assignments.length == 0
+  log.warn("No user_assignments file was specified or the file could not be found.  All users will be treated as immutable and written to the user_assigments output file.")
 end
 
+user_collection = RsUserPolicy::UserCollection.new
+
 client = RightApi::Client.new(:email => opts[:rs_email], :password => opts[:rs_pass], :account_id => opts[:rs_acct_num])
 master_account = client.accounts(:id => opts[:rs_acct_num]).show()
-client.users().index.each do |user|
-  user_href_resource_map[user.href] = user
-  user_email_resource_map[user.email] = user
-end
+user_collection.add_users(client.users.index)
+user_collection.add_permissions(master_account.href, client.permissions.index)
 
 accounts << {:client => client, :href => master_account.href, :name => master_account.name}
 
 log.info("Operating on the Enterprise Master Account #{master_account.name}")
 
 begin
-  client.child_accounts().index.each do |child|
-    child_client = RightApi::Client.new(:email => opts[:rs_email], :password => opts[:rs_pass], :account_id => Utilities.id_from_href(child.href))
+  client.child_accounts.index.each do |child|
+    child_client = RightApi::Client.new(:email => opts[:rs_email], :password => opts[:rs_pass], :account_id => RsUserPolicy::Utilities.id_from_href(child.href))
     accounts << {:client => child_client, :href => child.href, :name => child.name}
 
-    child_client.users().index.each do |user|
-      user_href_resource_map[user.href] = user
-      user_email_resource_map[user.email] = user
-    end
+    user_collection.add_users(child_client.users.index)
+    user_collection.add_permissions(child.href, child_client.permissions.index)
   end
 rescue RightApi::Exceptions::ApiException => e
   if e.message =~ /Permission denied/
@@ -131,80 +91,38 @@ rescue RightApi::Exceptions::ApiException => e
   end
 end
 
-accounts.each do |account|
-  child_client = account[:client]
-  users = {}
-  user_email_resource_map.each do |email,user|
-    users[email] = {}
-  end
-
-  log.info("#{account[:name]} - #{account[:href]}")
+begin
+  accounts.each do |account|
+    child_client = account[:client]
 
-  permissions = child_client.permissions().index
-  log.info("There are #{permissions.length} unique permissions")
-  permissions.each do |permission|
-    user_email = user_href_resource_map[permission.user.href].email || permission.user.href
-    users[user_email] = {} unless users.key?(user_email)
-    users[user_email][permission.role_title] = permission.href
-  end
-  log.info("There are #{users.length} unique Users")
+    log.info("#{account[:name]} - #{account[:href]}")
+    user_collection.users.each do |user|
+      email = user.email
+      user_role = user_assignments.get_roles(email)
+      existing_permissions = user.get_api_permissions(account[:href])
 
-  users.each do |email,user|
-    unless user_assignments.key?(email)
-      user_assignments[email] = 'immutable'
-    end
-    # Allow some different options about possibly prompting the user etc
-    # TODO: Put this in a begin/rescue/end that allows stuff to continue and create an audit_log in the event of an error
-    case user_assignments[email]
-      when 'immutable'
-        # By design, do nothing
-      when 'delete'
+      # Allow some different options about possibly prompting the user etc
+      if user_role.include?('delete')
         # Note: This is an explicit delete across all master and child accounts
         # a user can also be effectively deleted if they have an empty list of
         # permissions for a particular account
         unless opts[:dry_run]
-          log.debug("Gonna delete #{JSON.pretty_generate(user)}")
-
-          Utilities.yield_on_keys_in_order(permission_delete_order, user) do |role_title,perm_href|
-            log.debug("I KEELZ U PERMISSION! #{email} - #{role_title}")
-            child_client.permissions(:id => Utilities.id_from_href(perm_href)).destroy()
-            deleted_users << email
-          end
+          log.debug("Deleting #{user.email} from #{account[:name]} by removing these permissions #{JSON.pretty_generate(existing_permissions)}")
+          user.clear_permissions(account[:href], child_client)
+          user_assignments.delete(user.email)
         end
         audit_log.add_entry(email, account[:name], 'deleted', 'deleted')
-      else
-        user_policy = []
-        if policy[user_assignments[email]].key?(account[:href])
-          user_policy = policy[user_assignments[email]][account[:href]]
-        elsif policy[user_assignments[email]].key?('default')
-          user_policy = policy[user_assignments[email]]['default']
-        end
-        removed = (user_policy.length == 0) ? user.keys : user.keys - user_policy
-        added = user_policy - user.keys
-        changes = "-#{removed} +#{added}"
-        unless opts[:dry_run]
-          # Convert the role_title array into a hash with the hrefs
-          remove_hash = Hash[removed.map {|role| [role, user[role]]}]
-
-          Utilities.yield_on_keys_in_order(permission_delete_order, remove_hash) do |role_title, href|
-            child_client.permissions(:id => Utilities.id_from_href(href)).destroy()
-          end
-
-          if added.length > 0
-            add_hash = Hash[added.map {|x| [x, nil]}]
-            Utilities.yield_on_keys_in_order(['observer'], add_hash) do |role_title,foo|
-              child_client.permissions.create({'permission[user_href]' => user_email_resource_map[email].href, 'permission[role_title]' => role_title})
-            end
-          end
-        end
+      elsif !user_role.include?("immutable")
+        user_policy = policy.get_permissions(user_role, account[:href])
+        removed,added = user.set_api_permissions(user_policy, account[:href], child_client, opts)
+        changes = "-#{removed.values} +#{added.values}"
         audit_log.add_entry(email, account[:name], 'update_permissions', changes) unless removed.length + added.length == 0
+      end
     end
   end
+rescue RightApi::Exceptions::ApiException => e
+  log.fatal("A RightScale API exception occurred - #{e}")
 end
 
-deleted_users.each do |email|
-  user_assignments.delete(email)
-end
-
-File.open(user_assignments_output, 'w') {|f| f.write(JSON.pretty_generate(user_assignments))}
+user_assignments.serialize(:filename => user_assignments_output)
 audit_log.write_file

data/lib/rs_user_policy/audit_log.rb

@@ -0,0 +1,59 @@
+# Copyright (c) 2012 Ryan J. Geyer
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RsUserPolicy
+  class AuditLog
+
+    attr_accessor :filename, :audit_log
+
+    # Initializes a new AuditLog
+    #
+    # @param [Hash] options A hash of options that impact the audit log filename.
+    # @option options [String] :timestamp The timestamp to append to the filename
+    # @option options [Bool] :dry_run A boolean indicating if this is a dry run
+    def initialize(options={})
+      timestamp = options[:timestamp] || Time.now.to_i
+      @audit_log = {}
+      @filename = "audit_log#{options[:dry_run] ? '_dryrun' : ''}-#{timestamp}.json"
+    end
+
+    # Adds a new entry to the audit log
+    #
+    # @param [String] email The email address of the user impacted by the change
+    # @param [String] account The account name impacted by the change
+    # @param [String] action The action performed.  Expected options are ['update_permissions', 'deleted']
+    # @param [String] changes A free form description of the changes
+    def add_entry(email, account, action, changes)
+      @audit_log[email] = [] unless audit_log[email]
+      @audit_log[email] << {
+        :account => account,
+        :action => action,
+        :changes => changes
+      }
+    end
+
+    # Writes the audit log to a file
+    #
+    def write_file
+      File.open(@filename, 'w') {|f| f.write(JSON.pretty_generate(@audit_log))}
+    end
+  end
+end

data/lib/rs_user_policy/policy/json_policy.rb

@@ -0,0 +1,88 @@
+# Copyright (c) 2012 Ryan J. Geyer
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+require File.expand_path(File.join(File.dirname(__FILE__), 'policy'))
+require 'json'
+
+module RsUserPolicy
+  module Policy
+    class JsonPolicy
+      include Policy
+
+      # Initializes a new Policy
+      #
+      # If more than one source is passed into options, the order of preference will be
+      # [:json, :json_str, :filename]
+      #
+      # @param [Hash] options A hash of inputs for the new JSONPolicy
+      # @option options [Hash] :json A hash containing the policy
+      # @option options [String] :json_str A JSON string containing the policy
+      # @option options [String] :filename Path and filename to a file containing the policy in JSON
+      #
+      # @raise [ArgumentError] If neither a filename or json object were supplied
+      # @raise [Errno::ENOENT] If :filename was specified but the policy file does not exist
+      # @raise [JSON::ParseError] If the policy is not valid JSON
+      def initialize(options={})
+        if ([:filename, :json, :json_str] & options.keys()).empty?
+          raise ArgumentError, "You must supply either a filename, JSON string, or a JSON object"
+        end
+
+        if options.has_key?(:json)
+          @policy = options[:json]
+        elsif options.has_key?(:json_str)
+          @policy = JSON.parse(options[:json_str])
+        else
+          @policy = JSON.parse(File.read(options[:filename]))
+        end
+
+        validate()
+      end
+
+      # Returns an array of permissions for a particular role in a particular RightScale account
+      #
+      # @param [Array<String>] roles An array of role names for which permissions should be fetched
+      # @param [String] account_href A RightScale API 1.5 href for the RightScale account
+      #
+      # @return [Array<String>] A list of permissions for the role and account pair requested.  An empty array is returned if no policy exists for the requested pair
+      def get_permissions(roles, account_href)
+        permissions = []
+        roles.each do |role|
+          if @policy.has_key?(role)
+            permissions = permissions + (@policy[role][account_href] || @policy[role]['default'] || [])
+          end
+        end
+        permissions.uniq
+      end
+
+      private
+
+      def validate()
+        # TODO: Also validate that the policy file is in the correct form.
+        # I.E. {
+        #   "policy-name": {
+        #     "account-href-or-default": ["list", "of", "permissions"]
+        #   }
+        #}
+      end
+
+    end
+  end
+end

data/lib/{utilities.rb → rs_user_policy/policy/policy.rb}

@@ -19,36 +19,18 @@
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-class Utilities
-
-  # Uses a regex to parse a RightScale API resource id from it's relative href
-  #
-  # === Parameters
-  # href(String):: The relative href of the RightScale API resource
-  #
-  # === Return
-  # The resources ID
-  def self.id_from_href(href)
-    matches = /.*\/([0-9]*)/.match(href)
-    matches[1] || nil
-  end
-
-  # Operates on the key/value pairs in a hash in the order specified in 'order'
-  # followed by any key/value pairs not specified in the order
-  #
-  # === Parameters
-  # order(Array):: An array containing keys in the order they should be yielded to the block
-  # hash(Hash):: The hash to operate on in the specified order
-  # block(Closure):: A closure to yield to
-  def self.yield_on_keys_in_order(order, hash, &block)
-    order.each do |key|
-      if hash.key?(key)
-        yield key, hash.delete(key)
+module RsUserPolicy
+  module Policy
+    module Policy
+      # Returns an array of permissions for a particular role in a particular RightScale account
+      #
+      # @param [Array<String>] roles An array of role names for which permissions should be fetched
+      # @param [String] account_href A RightScale API 1.5 href for the RightScale account
+      #
+      # @return [Array<String>] A list of permissions for the role and account pair requested.  An empty array is returned if no policy exists for the requested pair
+      def get_permissions(roles, account_href)
+        raise NotImplementedError, "Please implement this in your concrete class"
       end
     end
-    hash.each do |key,val|
-      yield key, val
-    end
   end
-
 end

data/lib/rs_user_policy/right_api/permission_utilities.rb

@@ -0,0 +1,129 @@
+# Copyright (c) 2012 Ryan J. Geyer
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RsUserPolicy
+  module RightApi
+    # A set of utility methods for manipulating permissions using the RightScale right_api_client gem
+    #
+    # Allows bulk actions on permissions without worrying about the complexity of retrying,
+    # creating/deleting in the correct order, and the like.
+    #
+    class PermissionUtilities
+
+      @@permission_delete_order = [
+        'enterprise_manager',
+        'admin',
+        'security_manager',
+        'actor',
+        'billing',
+        'server_login',
+        'publisher',
+        'designer',
+        'library',
+        'lite_user',
+        'observer'
+      ]
+
+      # Destroys all passed in permissions with the specified client.
+      # This method handles deleting permissions in the appropriate order to avoid the dreaded;
+      # RightApi::Exceptions::ApiException: Error: HTTP Code: 422, Response body: A user must have the observer role.
+      # TODO: Handle a 422 resulting from calling delete too quickly and attempting to remove "observer" when other deletes have not been committed
+      #
+      # @param [Array<RightApi::ResourceDetail>] permissions
+      #   A hash of permissions where the key is the RightScale API href, and the
+      #   value is the role_title.  These permissions can be for one or many users, allowing a bulk actions.
+      # @param [RightApi::Client] client
+      #   An active RightApi::Client instance for the account referenced in account_href
+      #
+      # @raise [RightApi::Exceptions::ApiException] If an unrecoverable API error has occurred.
+      #
+      # @return [Hash] A hash where the keys are the permission hrefs destroyed, and the values are the role_title of those permissions
+      def self.destroy_permissions(permissions, client)
+        perms_hash = {}
+        permissions.each{|p| perms_hash[p.href] = p.role_title }
+        RsUserPolicy::Utilities.yield_on_values_in_order(@@permission_delete_order, perms_hash) do |perm_href,role_title|
+          client.permissions(:id => RsUserPolicy::Utilities.id_from_href(perm_href)).destroy()
+        end
+        perms_hash
+      end
+
+      # Creates all the passed in permissions using the supplied client.
+      # This method handles creating permissions with "observer" first in order to avoide the dreaded;
+      # RightApi::Exceptions::ApiException: Error: HTTP Code: 422, Response body: A user must have the observer role.
+      #
+      # @param [Hash] permissions
+      #   A hash where the key is a RightScale API User href, and the value is a hash where the key is the permission role_title that the user should be granted, and the value is nil.
+      #
+      # @param [RightApi::Client] client
+      #   An active RightApi::Client instance for the account referenced in account_href
+      #
+      # @raise [RightApi::Exceptions::ApiException] If an unrecoverable API error has occurred.
+      #
+      # @return [Hash] The permissions input hash, where the nil values have been replaced with the href of the permission which was created.
+      #
+      # @example Create "observer" and "admin" permissions for two users
+      #   client = RightApi::Client.new(</snip>)
+      #
+      #   permissions = {
+      #     '/api/users/123' => {
+      #       'observer' => nil,
+      #       'admin' => nil
+      #     },
+      #     '/api/users/456' => {
+      #       'observer' => nil,
+      #       'admin' => nil
+      #     }
+      #   }
+      #
+      #   response = RsUserPolicy::RightApi::PermissionUtilities.create_permissions(permissions, client)
+      #
+      #   puts JSON.pretty_generate(response)
+      #
+      #   # Output would be as follows
+      #   {
+      #     '/api/users/123' => {
+      #       'observer' => '/api/permissions/1',
+      #       'admin' => '/api/permissions/2'
+      #     },
+      #     '/api/users/456' => {
+      #       'observer' => '/api/permissions/3',
+      #       'admin' => '/api/permissions/4'
+      #     }
+      #   }
+      def self.create_permissions(permissions, client)
+        permissions.each do |user_href,perm_ary|
+          user_perms_hash = Hash[perm_ary.keys.map{|p| [p, user_href]}]
+          RsUserPolicy::Utilities.yield_on_values_in_order(['observer'], user_perms_hash) do |role_title,user_href|
+            created_permission = client.permissions.create(
+              {
+                'permission[user_href]' => user_href,
+                'permission[role_title]' => role_title
+              }
+            )
+            permissions[user_href][role_title] = created_permission.href
+          end
+        end
+        permissions
+      end
+
+    end
+  end
+end

data/lib/rs_user_policy/user.rb

@@ -0,0 +1,119 @@
+# Copyright (c) 2012 Ryan J. Geyer
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RsUserPolicy
+  class User
+    attr_reader :email, :href
+
+    # Initializes read only attributes for an RsUserPolicy::User
+    #
+    # @param [String] email The email address of the user
+    # @param [String] href The RightScale API href of the user
+    def initialize(email, href)
+      @email = email
+      @href = href
+      @permissions = {}
+    end
+
+    # Adds a single permission for a single RightScale account
+    #
+    # @param [String] account_href The RightScale API href of the account
+    # @param [RightApi::ResourceDetail] permission A single RightApi::ResourceDetail for a permission.
+    def add_permission(account_href, permission)
+      @permissions[account_href] ||= []
+      @permissions[account_href] << permission
+    end
+
+    # Returns the RightScale permissions the user has for the specified account href
+    #
+    # @param [String] account_href The RightScale API href of the account
+    #
+    # @return [Array<RightApi::ResourceDetail>] An array of permission RightApi::ResourceDetail objects
+    def get_api_permissions(account_href)
+      @permissions[account_href] || []
+    end
+
+    # Removes all permissions for the user in the specified rightscale account using the supplied client
+    #
+    # @param [String] account_href The RightScale API href of the account
+    # @param [RightApi::Client] client An active RightApi::Client instance for the account referenced in account_href
+    # @param [Hash] options Optional parameters
+    # @option options [Bool] :dry_run If true, no API calls will be made, but the return value will contain the actions which would have been taken
+    #
+    # @raise [RightApi::Exceptions::ApiException] If an unrecoverable API error has occurred.
+    #
+    # @return [Hash] A hash where the keys are the permission hrefs destroyed, and the keys are the role_title of those permissions
+    def clear_permissions(account_href, client, options={})
+      options = {:dry_run => false}.merge(options)
+      current_permissions = get_api_permissions(account_href)
+      if options[:dry_run]
+        Hash[current_permissions.map{|p| [p.href, p.role_title]}]
+      else
+        RsUserPolicy::RightApi::PermissionUtilities.destroy_permissions(
+          current_permissions,
+          client
+        )
+      end
+    end
+
+    # Removes and adds permissions as appropriate so that the users current permissions reflect
+    # the desired set passed in as "permissions"
+    #
+    # @param [Array<String>] permissions The list of desired permissions for the user in the specified account
+    # @param [String] account_href The RightScale API href of the account
+    # @param [RightApi::Client] client An active RightApi::Client instance for the account referenced in account_href
+    # @param [Hash] options Optional parameters
+    # @option options [Bool] :dry_run If true, no API calls will be made, but the return value will contain the actions which would have been taken
+    #
+    # @raise [RightApi::Exceptions::ApiException] If an unrecoverable API error has occurred.
+    #
+    # @return [Hash,Hash] A tuple where two hashes are returned.  The keys of the hashes are the href of the permission, and the values are the role_title of the permission.  The first hash is the permissions removed, and the second hash is the permissions added
+    def set_api_permissions(permissions, account_href, client, options={})
+      options = {:dry_run => false}.merge(options)
+      existing_api_permissions_response = get_api_permissions(account_href)
+      existing_api_permissions = Hash[existing_api_permissions_response.map{|p| [p.role_title, p] }]
+      if permissions.length == 0
+        return clear_permissions(account_href, client, options), {}
+      else
+        permissions_to_remove = (existing_api_permissions.keys - permissions).map{|p| existing_api_permissions[p]}
+        remove_response = Hash[permissions_to_remove.map{|p| [p.href, p.role_title]}]
+        unless options[:dry_run]
+          remove_response = RsUserPolicy::RightApi::PermissionUtilities.destroy_permissions(permissions_to_remove, client)
+        end
+
+        permissions_to_add = {
+          @href => Hash[(permissions - existing_api_permissions.keys).map{|p| [p,nil]}]
+        }
+        add_response = {}
+        if options[:dry_run]
+          href_idx = 0
+          add_response = {
+            @href => Hash[(permissions - existing_api_permissions.keys).map{|p| [p,(href_idx += 1)]}]
+          }
+        else
+          add_response = RsUserPolicy::RightApi::PermissionUtilities.create_permissions(permissions_to_add, client)
+        end
+
+        return remove_response, Hash[add_response[@href].keys.map{|p| [add_response[@href][p],p]}]
+      end
+    end
+  end
+end

data/lib/rs_user_policy/user_assignments/json_user_assignments.rb

@@ -0,0 +1,114 @@
+# Copyright (c) 2012 Ryan J. Geyer
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+require File.expand_path(File.join(File.dirname(__FILE__), 'user_assignments'))
+require 'json'
+
+module RsUserPolicy
+  module UserAssignments
+    class JsonUserAssignments
+      include UserAssignments
+
+      # Initializes a new UserAssignments
+      #
+      # If more than one source is passed into options, the order of preference will be
+      # [:json, :json_str, :filename]
+      #
+      # @param [Hash] options A hash of inputs for the new JsonUserAssignments, where the keys are;
+      # @option options [Hash] :json A hash containing the user assignments
+      # @option options [String] :json_str A JSON string containing the user assignments
+      # @option options [String] :filename Path and filename to a file containing the user assignments in JSON
+      #
+      # @raise [Errno::ENOENT] If :filename was specified but the policy file does not exist
+      # @raise [JSON::ParserError] If the policy is not valid JSON
+      def initialize(options={})
+        begin
+          if options.has_key?(:json)
+            @user_assignments = options[:json]
+          elsif options.has_key?(:json_str)
+            @user_assignments = JSON.parse(options[:json_str])
+          elsif options.has_key?(:filename)
+            @user_assignments = JSON.parse(File.read(options[:filename]))
+          else
+            @user_assignments = {}
+          end
+        rescue Errno::ENOENT, JSON::ParserError
+          @user_assignments = {}
+        end
+
+        validate()
+      end
+
+      # @return [Int] The number of users in the user assignments object
+      def length
+        @user_assignments.length
+      end
+
+      # @return [Int] The number of users in the user assignments object
+      def size
+        self.length
+      end
+
+      # Returns the roles assigned to the user.  If the user does not exist
+      # they should be automatically created with the role "immutable"
+      #
+      # @param [String] email The email address for the user
+      #
+      # @return [Array<String>] The roles assigned to the user
+      def get_roles(email)
+        # TODO: This seems expensive to do in an accessor?
+        unless @user_assignments.key?(email)
+          @user_assignments[email] = {'roles' => ['immutable']}
+        end
+        @user_assignments[email]['roles']
+      end
+
+      # Deletes a user from the user assignments
+      #
+      # @param [String] email The email address for the user
+      def delete(email)
+        @user_assignments.delete(email)
+      end
+
+      # Commits any changes made to the UserAssignments object back to
+      # it's original data store.  This is an opportunity to perform
+      # DB flushes or write back to a source file.
+      #
+      # @param [Hash] options A hash containing only one key;
+      # @option options [String] :filename The filename to write out the JSON state of this JsonUserAssignments object
+      #
+      # @raise [ArgumentError] When no output file is specified
+      def serialize(options={})
+        raise ArgumentError, "You must specify the :filename option" unless options.has_key?(:filename)
+        File.open(options[:filename], 'w') {|f| f.write(JSON.pretty_generate(@user_assignments))}
+      end
+
+      private
+
+      def validate()
+        # TODO: Also validate that the user assignments file is in the correct form.
+        # I.E. {
+        #   "email@address.com": "role"
+        #}
+      end
+    end
+  end
+end

data/lib/rs_user_policy/user_assignments/user_assignments.rb

@@ -0,0 +1,62 @@
+# Copyright (c) 2012 Ryan J. Geyer
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RsUserPolicy
+  module UserAssignments
+    module UserAssignments
+      # @return [Int] The number of users in the user assignments object
+      def length
+        raise NotImplementedError, "Please implement this in your concrete class"
+      end
+
+      # @return [Int] The number of users in the user assignments object
+      def size
+        raise NotImplementedError, "Please implement this in your concrete class"
+      end
+
+      # Returns the roles assigned to the user.  If the user does not exist
+      # they should be automatically created with the role "immutable"
+      #
+      # @param [String] email The email address for the user
+      #
+      # @return [Array<String>] The roles assigned to the user
+      def get_roles(email)
+        raise NotImplementedError, "Please implement this in your concrete class"
+      end
+
+      # Deletes a user from the user assignments
+      #
+      # @param [String] email The email address for the user
+      def delete(email)
+        raise NotImplementedError, "Please implement this in your concrete class"
+      end
+
+      # Commits any changes made to the UserAssignments object back to
+      # it's original data store.  This is an opportunity to perform
+      # DB flushes or write back to a source file.
+      #
+      # @param [Hash] options A hash of values which may be required to serialize
+      def serialize(options={})
+        raise NotImplementedError, "Please implement this in your concrete class"
+      end
+    end
+  end
+end

data/lib/rs_user_policy/user_collection.rb

@@ -0,0 +1,61 @@
+# Copyright (c) 2012 Ryan J. Geyer
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RsUserPolicy
+  class UserCollection
+
+    def initialize
+      @users_by_href = {}
+    end
+
+    # TODO: An .each iterator.. instead of a .users accessor
+
+    # @return [Array<RsUserPolicy::User>] An array of RsUserPolicy::User added to the collection
+    def users
+      @users_by_href.values
+    end
+
+    # Adds users to this collection only if the collection does not already
+    # include the specified users.  The users RightScale API href is used
+    # as the unique identifier for deduplication
+    #
+    # @param [Array<RightApi::ResourceDetail>] An array of ResourceDetail from the Right API Client for users.  Returned by client.users.index
+    def add_users(users)
+      users.each do |user|
+        unless @users_by_href.has_key?(user.href)
+          @users_by_href[user.href] = RsUserPolicy::User.new(user.email, user.href)
+        end
+      end
+    end
+
+    def [](idx)
+      @users_by_href[idx]
+    end
+
+    def add_permissions(account_href, permissions)
+      permissions.each do |permission|
+        user_href = permission.user.href
+        add_users([permission.user])
+        @users_by_href[user_href].add_permission(account_href, permission)
+      end
+    end
+  end
+end

data/lib/rs_user_policy/utilities.rb

@@ -0,0 +1,60 @@
+# Copyright (c) 2012 Ryan J. Geyer
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module RsUserPolicy
+  class Utilities
+    # Uses a regex to parse a RightScale API resource id from it's relative href
+    #
+    # @param [String] href The relative href of the RightScale API resource
+    # @return [String] The unique ID of the resource
+    def self.id_from_href(href)
+      matches = /.*\/([0-9]*)/.match(href)
+      matches[1] || nil
+    end
+
+    # Operates on the key/value pairs in a hash in the order specified in 'order'
+    # followed by any key/value pairs not specified in the order
+    #
+    # @param [Array] order An array containing keys in the order they should be yielded to the block
+    # @param [Hash] hash The hash to operate on in the specified order
+    # @param [Closure] block A closure to yield to
+    def self.yield_on_keys_in_order(order, hash, &block)
+      order.each do |key|
+        hash.select{|k,v| k == key}.each{|k,v| yield k,v }
+      end
+      hash.select{|k,v| !order.include?(k)}.each{|k,v| yield k,v}
+    end
+
+    # Operates on the key/value pairs in a hash in the order specified in 'order'
+    # followed by any key/value pairs not specified in the order
+    #
+    # @param [Array] order An array containing values in the order they should be yielded to the block
+    # @param [Hash] hash The hash to operate on in the specified order
+    # @param [Closure] block A closure to yield to
+    def self.yield_on_values_in_order(order, hash, &block)
+      order.each do |value|
+        hash.select{|k,v| v == value}.each{|k,v| yield k,v }
+      end
+      hash.select{|k,v| !order.include?(v) }.each{|k,v| yield k,v }
+    end
+
+  end
+end

data/lib/rs_user_policy.rb

@@ -0,0 +1,23 @@
+# Copyright (c) 2012 Ryan J. Geyer
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+glob_path = File.expand_path(File.join(File.dirname(__FILE__), 'rs_user_policy')) + '/**/*.rb'
+Dir.glob(glob_path, &method(:require))

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rs_user_policy
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-20 00:00:00.000000000 Z
+date: 2012-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: right_api_client
@@ -51,8 +51,16 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/audit_log.rb
-- lib/utilities.rb
+- lib/rs_user_policy/audit_log.rb
+- lib/rs_user_policy/policy/json_policy.rb
+- lib/rs_user_policy/policy/policy.rb
+- lib/rs_user_policy/right_api/permission_utilities.rb
+- lib/rs_user_policy/user.rb
+- lib/rs_user_policy/user_assignments/json_user_assignments.rb
+- lib/rs_user_policy/user_assignments/user_assignments.rb
+- lib/rs_user_policy/user_collection.rb
+- lib/rs_user_policy/utilities.rb
+- lib/rs_user_policy.rb
 - bin/rs_user_policy
 - LICENSE.txt
 - README.rdoc
@@ -71,7 +79,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2736044117757199136
+      hash: -4206610464842566721
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -80,7 +88,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -2736044117757199136
+      hash: -4206610464842566721
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.24

data/lib/audit_log.rb

@@ -1,59 +0,0 @@
-# Copyright (c) 2012 Ryan J. Geyer
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-class AuditLog
-
-  attr_accessor :filename, :audit_log
-
-  # Initializes a new AuditLog
-  #
-  # === Parameters
-  # options(Hash):: A hash of options that impact the audit log filename.  Possible options are;
-  #   :timestamp(String):: The timestamp to append to the filename
-  #   :dry_run(Bool):: A boolean indicating if this is a dry run
-  def initialize(options={})
-    timestamp = options[:timestamp] || Time.now.to_i
-    @audit_log = {}
-    @filename = "audit_log#{options[:dry_run] ? '_dryrun' : ''}-#{timestamp}.json"
-  end
-
-  # Adds a new entry to the audit log
-  #
-  # === Parameters
-  # email(String):: The email address of the user impacted by the change
-  # account(String):: The account name impacted by the change
-  # action(String):: The action performed.  Expected options are ['update_permissions', 'deleted']
-  # changes(String):: A free form description of the changes
-  def add_entry(email, account, action, changes)
-    @audit_log[email] = [] unless audit_log[email]
-    @audit_log[email] << {
-      :account => account,
-      :action => action,
-      :changes => changes
-    }
-  end
-
-  # Writes the audit log to a file
-  #
-  def write_file
-    File.open(@filename, 'w') {|f| f.write(JSON.pretty_generate(@audit_log))}
-  end
-end