skull_island 1.2.7 → 1.2.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e8e575e528393418b57488afb653a8baa09afa06f97b88e86fcc7d984fb5bba6
-  data.tar.gz: a6a00f4e7c432fa0cfd77f6cc22b3cbbdc936043d12ac68e337d4500e8bb42d8
+  metadata.gz: 83a5a4bbb01bcbd6b9837e72533d2ce4ef7b7515435da663a5f098e2ac64dde0
+  data.tar.gz: 227036f85eb431f3a7feab16e24c994d7702e168df5e773b53c6a89ed79368a0
 SHA512:
-  metadata.gz: 892f21ee6b9d43f943cbb562ae72d62e936928acc562752f8d3a7b42c3713a7281408fa401f49eb6c6394d34659131c0288c4c7832c3e5608bb58f67ee040ed3
-  data.tar.gz: 047ce3c0207470966af51a017d71ee23bcfa03fbe0a4371defdc4a1405e697549e519349af71ef5c3a6bcdfc8cc41d85201106d19a672d68e2fcbe8ae5d73fa9
+  metadata.gz: fecb0e599904792539a4656d7bea043a14a0eb7f90c5fc6f59b450f32b1cbeb326fab1837a445df107536fb750ad83b4eda0f446b9231aaaebe19bcc3f7861c8
+  data.tar.gz: '039460f3aacc5981e3f820210dee37888990bb7930baa142eef457d10fe04d0a977ef955f5dd2b9169ffa78867879c0fe0a9ffe590db198a556bf1f3397251d5'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    skull_island (1.2.7)
+    skull_island (1.2.8)
       deepsort (~> 0.4)
       erubi (~> 1.8)
       json (~> 2.1)

data/README.md

@@ -85,6 +85,10 @@ skull_island export --verbose /path/to/export.yml
 
 Exporting, by default, exports the entire configuration of a Kong gateway, but will strip out special meta-data tags added by Skull Island to track projects. If, instead, you'd like to export **only** the configuration for a specific project, you can add `--project foo` (where `foo` is the name of your project) to export only those resources associated with it and maintain the special key in the exported YAML.
 
+#### Exporting Credentials
+
+For most credential types, exporting works as expected (you'll see the plaintext value in the exported YAML). With `BasicauthCredential`s, however, this is not the case. This isn't a limitation of `skull_island`; rather, it is the [expected behavior](https://github.com/Kong/kong/issues/4237) of the Admin API developers. This tool, when exporting these credentials, can only provide the salted-SHA1 hash of the password, and it does so by wrapping it in a special `hash{}` notation. This allows `skull_island` to distinguish between changing the value to the literal string and comparing the _hashed_ values. The import process is also smart enough to compare plaintext to hashed values returned from the API for existing values, so it won't recreate credentials every run.
+
 ### Importing
 
 Skull Island also supports importing configurations (both partial and full) from a YAML + ERB document:
@@ -182,6 +186,8 @@ certificates: []
 consumers:
 - username: foo
   custom_id: foo
+  acls:
+  - group: searchusers
   credentials:
     key-auth:
     - key: q90r8908w09rqw9jfj09jq0f8y389
@@ -233,6 +239,13 @@ plugins:
     - x-api-key
     run_on_preflight: true
   service: "<%= lookup :service, 'search_api' %>"
+- name: acl
+  enabled: true
+  config:
+    hide_groups_header: false
+    whitelist:
+    - searchusers
+  service: "<%= lookup :service, 'search_api' %>"
 ```
 
 All top-level keys (other than `version` and `project`) require an Array as a parameter, either by providing a list of entries or an empty Array (`[]`). The above shows how to use the `lookup()` function to refer to another resource. This "looks up" the resource type (`service` in this case) by `name` (`search_api` in this case) and resolves its `id`. This function can also be used to lookup a `route` or `upstream` by its `name`, or a `consumer` by its `username`. Note that Kong itself doesn't _require_ `route` resources to have unique names, so you'll need to enforce that practice yourself for `lookup` to be useful for Routes.
@@ -376,7 +389,7 @@ resource.created_at
 # => #<DateTime: 2018-07-17T12:51:28+00:00 ((2458317j,46288s,0n),+0s,2299161j)>
 ```
 
-#### Consumers (and their Credentials)
+#### Consumers (along with their Access Control Lists and Credentials)
 
 Note that for Consumer credentials, only [`key-auth`](https://docs.konghq.com/hub/kong-inc/key-auth/), [`jwt`](https://docs.konghq.com/hub/kong-inc/jwt/), and [`basic-auth`](https://docs.konghq.com/hub/kong-inc/basic-auth/) are currently supported.
 
@@ -397,6 +410,8 @@ resource.created_at
 # => #<DateTime: 2018-07-17T12:51:28+00:00 ((2458317j,46288s,0n),+0s,2299161j)>
 resource.plugins
 # => #<SkullIsland::ResourceCollection:0x00007f9f1e564f3e...
+resource.acls
+# => #<SkullIsland::ResourceCollection:0x00007f9f1e765b3c...
 resource.credentials
 # => {}
 resource.add_credential!(key: '932948e89e09e2989d8092') # adds a KeyauthCredential
@@ -411,6 +426,8 @@ resource.credentials['basic-auth']
 # => #<SkullIsland::ResourceCollection:0x00007f9f1e564f3f...
 resource.credentials['basic-auth'].first.username
 # => "test"
+resource.add_acl!(group: 'somegroup')
+# => true
 ```
 
 #### Plugins

data/lib/skull_island/resources/access_control_list.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module SkullIsland
+  # Resource classes go here...
+  module Resources
+    # The ACL resource class
+    #
+    # @see https://docs.konghq.com/hub/kong-inc/acl/ ACL API definition
+    class AccessControlList < Resource
+      property :group, validate: true
+      property(
+        :consumer,
+        required: true, validate: true, preprocess: true, postprocess: true
+      )
+      property :created_at, read_only: true, postprocess: true
+
+      def self.batch_import(data, verbose: false, test: false)
+        raise(Exceptions::InvalidArguments) unless data.is_a?(Array)
+
+        known_ids = []
+
+        data.each_with_index do |resource_data, index|
+          resource = new
+          resource.delayed_set(:group, resource_data, 'group')
+          resource.delayed_set(:consumer, resource_data, 'consumer')
+          resource.import_update_or_skip(index: index, verbose: verbose, test: test)
+          known_ids << resource.id
+        end
+
+        known_ids
+      end
+
+      def self.relative_uri
+        'acls'
+      end
+
+      def relative_uri
+        consumer ? "#{consumer.relative_uri}/acls/#{id}" : nil
+      end
+
+      def save_uri
+        consumer ? "#{consumer.relative_uri}/acls" : nil
+      end
+
+      def export(options = {})
+        hash = { 'group' => group }
+        hash['consumer'] = "<%= lookup :consumer, '#{consumer.username}' %>" if consumer
+        [*options[:exclude]].each do |exclude|
+          hash.delete(exclude.to_s)
+        end
+        [*options[:include]].each do |inc|
+          hash[inc.to_s] = send(inc.to_sym)
+        end
+        hash.reject { |_, value| value.nil? }
+      end
+
+      # Keys can't be updated, only created or deleted
+      def modified_existing?
+        false
+      end
+
+      def project
+        consumer ? consumer.project : nil
+      end
+
+      private
+
+      def postprocess_consumer(value)
+        if value.is_a?(Hash)
+          Consumer.new(
+            entity: value,
+            lazy: true,
+            tainted: false
+          )
+        else
+          value
+        end
+      end
+
+      def preprocess_consumer(input)
+        if input.is_a?(Hash)
+          input
+        else
+          { 'id' => input.id }
+        end
+      end
+
+      # Used to validate {#consumer} on set
+      def validate_consumer(value)
+        # allow either a Consumer object or a Hash
+        value.is_a?(Consumer) || value.is_a?(Hash)
+      end
+
+      # Used to validate {#group} on set
+      def validate_group(value)
+        # allow a String
+        value.is_a?(String)
+      end
+    end
+  end
+end

data/lib/skull_island/resources/consumer.rb

@@ -17,6 +17,7 @@ module SkullIsland
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/MethodLength
       def self.batch_import(data, verbose: false, test: false, project: nil, time: nil)
         raise(Exceptions::InvalidArguments) unless data.is_a?(Array)
 
@@ -57,6 +58,14 @@ module SkullIsland
             test: test
           )
 
+          known_acls = AccessControlList.batch_import(
+            (
+              resource_data.dig('acls') || []
+            ).map { |t| t.merge('consumer' => { 'id' => resource.id }) },
+            verbose: verbose,
+            test: test
+          )
+
           next unless project
 
           basic_creds = BasicauthCredential.all.select { |c| c.consumer == resource }
@@ -76,11 +85,38 @@ module SkullIsland
             puts "[WARN] ! Removing #{res.class.name} (#{res.id})"
             res.destroy
           end
+
+          acls = AccessControlList.all.select { |acl| acl.consumer == resource }
+          acls.reject { |res| known_acls.include?(res.id) }.map do |res|
+            puts "[WARN] ! Removing #{res.class.name} (#{res.id})"
+            res.destroy
+          end
         end
         # rubocop:enable Metrics/BlockLength
 
         cleanup_except(project, known_ids) if project
       end
+      # rubocop:enable Metrics/MethodLength
+
+      def acls
+        AccessControlList.where(:consumer, self, api_client: api_client)
+      end
+
+      def add_acl!(details)
+        r = if details.is_a?(AccessControlList)
+              details
+            elsif details.is_a?(String)
+              resource = AccessControlList.new(api_client: api_client)
+              resource.group = details
+              resource
+            else
+              resource = AccessControlList.new(api_client: api_client)
+              resource.group = details[:group]
+              resource
+            end
+        r.consumer = self
+        r.save
+      end
 
       def add_credential!(details)
         r = if [BasicauthCredential, JWTCredential, KeyauthCredential].include? details.class
@@ -130,6 +166,7 @@ module SkullIsland
         hash = { 'username' => username, 'custom_id' => custom_id }
         creds = credentials_for_export
         hash['credentials'] = creds unless creds.empty?
+        hash['acls'] = acls.map { |acl| acl.export(exclude: 'consumer') } unless acls.empty?
         hash['tags'] = tags unless tags.empty?
         [*options[:exclude]].each do |exclude|
           hash.delete(exclude.to_s)

data/lib/skull_island/resources/plugin.rb

@@ -59,11 +59,12 @@ module SkullIsland
         super.reject { |k| %i[run_on].include? k }
       end
 
+      # rubocop:disable Metrics/AbcSize
       def export(options = {})
         hash = {
           'name' => name,
           'enabled' => enabled?,
-          'config' => config.deep_sort
+          'config' => config.deep_sort.compact
         }
         hash['consumer'] = "<%= lookup :consumer, '#{consumer.username}' %>" if consumer
         hash['route'] = "<%= lookup :route, '#{route.name}' %>" if route
@@ -78,6 +79,7 @@ module SkullIsland
         hash.reject { |_, value| value.nil? }
       end
 
+      # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
       def modified_existing?
         return false unless new?
@@ -86,14 +88,15 @@ module SkullIsland
         same_name = self.class.where(:name, name)
         return false if same_name.size.zero?
 
-        same_name_and_consumer = same_name.where(:consumer, consumer)
-        same_name_and_route = same_name.where(:route, route)
-        same_name_and_service = same_name.where(:service, service)
-        existing = if same_name_and_consumer.size == 1
+        same_name_and_consumer = consumer ? same_name.where(:consumer, consumer) : nil
+        same_name_and_route = route ? same_name.where(:route, route) : nil
+        same_name_and_service = service ? same_name.where(:service, service) : nil
+
+        existing = if same_name_and_consumer && same_name_and_consumer.size == 1
                      same_name_and_consumer.first
-                   elsif same_name_and_route.size == 1
+                   elsif same_name_and_route && same_name_and_route.size == 1
                      same_name_and_route.first
-                   elsif same_name_and_service.size == 1
+                   elsif same_name_and_service && same_name_and_service.size == 1
                      same_name_and_service.first
                    end
         if existing
@@ -104,6 +107,8 @@ module SkullIsland
         end
       end
       # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/AbcSize
 
       private
 
@@ -112,7 +117,7 @@ module SkullIsland
       end
 
       def postprocess_config(value)
-        value.deep_sort
+        value.deep_sort.compact
       end
 
       def postprocess_consumer(value)

data/lib/skull_island/version.rb

@@ -4,6 +4,6 @@ module SkullIsland
   VERSION = [
     1, # Major
     2, # Minor
-    7  # Patch
+    8  # Patch
   ].join('.')
 end

data/lib/skull_island.rb

@@ -45,6 +45,7 @@ require 'skull_island/helpers/resource_class'
 require 'skull_island/helpers/migration'
 require 'skull_island/validations/resource'
 require 'skull_island/resource'
+require 'skull_island/resources/access_control_list'
 require 'skull_island/resources/certificate'
 require 'skull_island/resources/basicauth_credential'
 require 'skull_island/resources/jwt_credential'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: skull_island
 version: !ruby/object:Gem::Version
-  version: 1.2.7
+  version: 1.2.8
 platform: ruby
 authors:
 - Jonathan Gnagy
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-09-05 00:00:00.000000000 Z
+date: 2019-09-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: deepsort
@@ -249,6 +249,7 @@ files:
 - lib/skull_island/lru_cache.rb
 - lib/skull_island/resource.rb
 - lib/skull_island/resource_collection.rb
+- lib/skull_island/resources/access_control_list.rb
 - lib/skull_island/resources/basicauth_credential.rb
 - lib/skull_island/resources/certificate.rb
 - lib/skull_island/resources/consumer.rb