rs_user_policy 0.0.5 → 0.1.3

data/README.rdoc

@@ -10,13 +10,15 @@ While the tests are not exhaustive, the current build status is..
 You must pass in your RightScale authentication information, and a policy file.  You can also specify one or many RightScale accounts using the --rs-acct-num or -a parameters.  If an account that you specify is an Enterprise Master account, all Enterprise Children accounts will automatically be included.
 
   Options:
-            --rs-email, -r <s>:   You RightScale User Email Address
+              --rs-email, -r <s>:   You RightScale User Email Address
              --rs-pass, -s <s>:   Your RightScale User Password
          --rs-acct-num, -a <s>:   A RightScale Enterprise Master Account ID
               --policy, -p <s>:   The path to a JSON file containing the role to permissions policy to enforce
     --user-assignments, -u <s>:   The path to a JSON file containing email address => role pairs for user assignments
                  --dry-run, -d:   A flag indicating that no changes should be made, only the user_assignments.json should be evaluated (or created) and
                                   the audit_log.json produced
+               --authority, -t:   A flag indicating that all users in the user_assignments file "MUST" exist, and will always be created.  Effectively
+                                  asserting that the user_assignments is your canonical authority for users.
                     --help, -h:   Show this message
 
 Example (One account)
@@ -57,8 +59,6 @@ User Assignment JSON should be in the following format
 There are two default roles which do not need to be defined in the policy file.  "immutable" which indicates that no changes should be performed on the user, and "delete" which indicates that all permissions should be removed for the user in all accounts.
 Both "immutable" and "delete", if present will take precedence over any other roles assigned to the user.
 
-Many email:role pairs can be specified. in the user assignments JSON
-
 So, given a policy file like;
 
   {
@@ -103,14 +103,24 @@ This tool can also be used to create net-new users who have either never used Ri
       "company": "RightScale",
       "first_name": "Net",
       "last_name": "New",
-      "phone": "9999999999"
+      "phone": "9999999999",
+      "create": "yes"
     }
   }
 
 The order of the additional parameters does not matter.  The properties list can also include "identity_provider_href" and "principal_uid" or "password" to specify the users authentication details.  If no authentication details are supplied a random secure password will be generated, and written to the output user_assignments.json file.
 
+*NOTE:* See the Authority section below for details on the "create" property
+
 If a user with the specified email already exists, but that user does not have any permissions in the account(s) targetted by the tool, these additional properties are still required, but will be ignored.
 
+==== Authority
+
+By default, rs_user_policy assumes that RightScale is the authority for the existence of users.  Meaning, if a user exists in the user_assigments, but does not exist in RightScale, the user will not be created by rs_user_policy.  In order to override this there are two options.
+
+1. Specifying the --authority commandline option implies that ALL users who are in the user_assignments should be created with the provided parameters
+2. For individual users in the user_assignments, you can add a property named "create" with any value.  The user will be created, and the "create" property will be removed.
+
 == Output
 
 When the script is run, it will produce two JSON files as output.
@@ -123,10 +133,9 @@ Second is the user_assignments-<timestamp>.json file.  This will be a combinatio
 
 * In absence of a policy.json, create a new policy.json with base roles for each account discovered (I.E. Admin, Observer, Designer, etc)
 * Perhaps allow a role to inherit from another, or be a concatenation of several?
-* Handle the race condition where permissions have been deleted in the correct order, but API still throws 422 removing "observer" because the changes have not become consistent server side
-  * HTTP Code: 422, Response body: A user must have the observer role. (RightApi::Exceptions::ApiException)
-  * 2012/12/18 - This does not appear to be an issue any longer.  Or at least I am not encountering it anymore.  Perhaps this was a transient issue?
+* Provide a mechanism for "temporary" users with an expiration date
+  * Perhaps allow the user to enter a different role after the expiration date, rather than being removed completely?
 
 == Copyright
 
-Copyright (c) 2012 Ryan J. Geyer. See LICENSE.txt for further details.
+Copyright (c) 2012-2013 Ryan J. Geyer. See LICENSE.txt for further details.

data/bin/rs_user_policy

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 
-# Copyright (c) 2012 Ryan J. Geyer
+# Copyright (c) 2012-2013 Ryan J. Geyer
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -27,6 +27,15 @@ require 'logger'
 require 'digest/md5'
 require File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib', 'rs_user_policy'))
 
+class UserResourceDetailMock
+  attr_reader :email, :href
+
+  def initialize(email, href)
+    @email = email
+    @href = href
+  end
+end
+
 opts = Trollop::options do
   banner = "Manages users across many different child accounts of a RightScale Enterprise Master Account"
 
@@ -36,6 +45,7 @@ opts = Trollop::options do
   opt :policy, "The path to a JSON file containing the role to permissions policy to enforce", :type => :string, :required => true
   opt :user_assignments, "The path to a JSON file containing email address => role pairs for user assignments", :type => :string
   opt :dry_run, "A flag indicating that no changes should be made, only the user_assignments.json should be evaluated (or created) and the audit_log.json produced"
+  opt :authority, "A flag indicating that all users in the user_assignments file \"MUST\" exist, and will always be created.  Effectively asserting that the user_assignments is your canonical authority for users."
 end
 
 log = Logger.new(STDOUT)
@@ -72,33 +82,54 @@ multi_client.each do |account_id, account|
   child_client = account[:client]
   child_account = child_client.accounts(:id => account_id).show()
   account_href = child_account.href
-  users_hash = Hash[child_client.users.index.map{|user| [user.href, user.email] }]
-  user_collection.add_users(users_hash)
+  user_collection.add_users(child_client.users.index)
   user_collection.add_permissions(account_href, child_client.permissions.index)
 end
 
-# Populate the user_assignments with hrefs
+# Populate the user_assignments with extra bits..
 user_collection.users.each do |user|
-  user_assignments[user.email]["href"] = user.href
+  user_hash = user.to_hash
+  user_hash.delete(:permissions)
+  user_assignments[user.email].merge!(user_hash)
 end
 
-net_new_users = user_assignments.list - user_collection.users.map{|u| u.email }
+user_assignments_without_delete = user_assignments.list.select do |assn|
+  roles = user_assignments.get_roles(assn)
+  !roles.include?("delete")
+end
+
+net_new_users = user_assignments_without_delete - user_collection.users.map{|u| u.email }
 
 net_new_users.each do |net_new_user_email|
   client = multi_client[opts[:rs_acct_num].first()][:client]
   user_create_params = user_assignments[net_new_user_email]
   user_create_params = {:email => net_new_user_email}.merge(user_create_params)
-  unless user_create_params.key?("password") || (user_create_params.key?("identity_provider_href") && user_create_params.key?("principal_uid"))
-    pass = RsUserPolicy::Utilities.generate_compliant_password
-    user_create_params["password"] = pass
-    user_assignments[net_new_user_email]["password"] = pass
-  end
   net_new_user_href = Digest::MD5.hexdigest((Time.now.to_i + rand(256)).to_s)
+
+  unless opts[:authority] || user_create_params.key?("create")
+    log.info("User (#{net_new_user_email}) was not found in any of the accounts or child accounts being operated on.  rs_user_policy was not executed with --authority, nor did (#{net_new_user_email}) have a \"create\" property, so no action is being taken.")
+    next
+  end
+
+  net_new_user = UserResourceDetailMock.new(net_new_user_email, net_new_user_href)
   unless opts[:dry_run]
-    net_new_user = client.users.create(:user => user_create_params)
-    net_new_user_href = net_new_user.href
+    unless user_create_params.key?("password") || (user_create_params.key?("identity_provider_href") && user_create_params.key?("principal_uid"))
+      pass = RsUserPolicy::Utilities.generate_compliant_password
+      user_create_params["password"] = pass
+      user_assignments[net_new_user_email]["password"] = pass
+    end
+
+    begin
+      net_new_user = client.users.create(:user => user_create_params)
+      net_new_user_href = net_new_user.href
+      user_assignments[net_new_user_email].delete("create")
+    rescue RightApi::Exceptions::ApiException => e
+      log.error("Failed to create a user with the following properties.\n  Properties: #{JSON.pretty_generate(user_create_params)}\n  Error: #{e}")
+      next
+    end
   end
-  user_collection.add_users({net_new_user_href => net_new_user_email})
+  audit_log.add_entry(net_new_user_email, net_new_user_href, "created", "created")
+  user_collection.add_users([net_new_user])
   user_assignments[net_new_user_email]["href"] = net_new_user_href
 end
 
@@ -145,4 +176,4 @@ user_collection.users.each do |user|
 end unless opts[:dry_run]
 
 user_assignments.serialize(:filename => user_assignments_output)
-audit_log.write_file
+audit_log.write_file

data/lib/rs_user_policy/audit_log.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2012 Ryan J. Geyer
+# Copyright (c) 2012-2013 Ryan J. Geyer
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -39,7 +39,7 @@ module RsUserPolicy
     #
     # @param [String] email The email address of the user impacted by the change
     # @param [String] account The account name impacted by the change
-    # @param [String] action The action performed.  Expected options are ['update_permissions', 'deleted']
+    # @param [String] action The action performed.  Expected options are ['update_permissions', 'created', 'deleted']
     # @param [String] changes A free form description of the changes
     def add_entry(email, account, action, changes)
       @audit_log[email] = [] unless audit_log[email]

data/lib/rs_user_policy/user.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2012 Ryan J. Geyer
+# Copyright (c) 2012-2013 Ryan J. Geyer
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -25,14 +25,25 @@ module RsUserPolicy
 
     # Initializes read only attributes for an RsUserPolicy::User
     #
-    # @param [String] email The email address of the user
-    # @param [String] href The RightScale API href of the user
-    def initialize(email, href)
-      @email = email
-      @href = href
+    # @param [RightApi::ResourceDetail] user The user detail returned by RightApi::Client
+    def initialize(user)
+      @email = user.email
+      @href = user.href
+      @user = user
       @permissions = {}
     end
 
+    # Converts this object to a hash which can be serialized
+    def to_hash()
+      rethash = {
+        :permissions => @permissions
+      }
+      (@user.attributes - [:links]).each do |attr_sym|
+        rethash[attr_sym.to_sym] = @user.send(attr_sym.to_s)
+      end
+      rethash
+    end
+
     # Adds a single permission for a single RightScale account
     #
     # @param [String] account_href The RightScale API href of the account

data/lib/rs_user_policy/user_collection.rb

@@ -1,4 +1,4 @@
-# Copyright (c) 2012 Ryan J. Geyer
+# Copyright (c) 2012-2013 Ryan J. Geyer
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -37,11 +37,11 @@ module RsUserPolicy
     # include the specified users.  The users RightScale API href is used
     # as the unique identifier for deduplication
     #
-    # @param [Hash] users A hash where the key is a users href, and the value is the users email
+    # @param [Array<RightApi::ResourceDetail>] users An array of RightAPI::ResourceDetail for the resource type "user"
     def add_users(users)
-      users.each do |href, email|
-        unless @users_by_href.has_key?(href)
-          @users_by_href[href] = RsUserPolicy::User.new(email, href)
+      users.each do |user|
+        unless @users_by_href.has_key?(user.href)
+          @users_by_href[user.href] = RsUserPolicy::User.new(user)
         end
       end
     end
@@ -55,7 +55,7 @@ module RsUserPolicy
         user_href = permission.user.href
         unless @users_by_href.has_key?(user_href)
           user = permission.user.show()
-          @users_by_href[user.href] = RsUserPolicy::User.new(user.email, user.href)
+          @users_by_href[user.href] = RsUserPolicy::User.new(user)
         end
         @users_by_href[user_href].add_permission(account_href, permission)
       end

data/lib/rs_user_policy/utilities.rb

@@ -57,13 +57,19 @@ module RsUserPolicy
     end
 
     def self.generate_compliant_password(size=12)
-      chars = (
-        ('a'..'z').to_a +
-        ('A'..'Z').to_a +
-        ('0'..'9').to_a +
-        ["!","@","#","$","%","^","&","*","(",")","-","_","=","+"]
-      ) - %w(i o 0 1 l 0)
-      (1..size).collect{|a| chars[rand(chars.size)] }.join
+      compliant = nil
+      password = ''
+      until compliant
+        chars = (
+          ('a'..'z').to_a +
+          ('A'..'Z').to_a +
+          ('0'..'9').to_a +
+          ["!","@","#","$","%","^","&","*","(",")","-","_","=","+"]
+        ) - %w(i o 0 1 l 0)
+        password = (1..size).collect{|a| chars[rand(chars.size)] }.join
+        compliant = password =~ /^(?=.*[^a-zA-Z])(?=.*[a-z])(?=.*[A-Z])(?=.*[!@\#\$%\^&\*\(\)\-_=\+]).+$/
+      end
+      password
     end
 
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rs_user_policy
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.1.3
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-12-18 00:00:00.000000000 Z
+date: 2013-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: right_api_client
@@ -80,7 +80,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 3250796022551410117
+      hash: -2197135940528599574
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -89,7 +89,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 3250796022551410117
+      hash: -2197135940528599574
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.24