strongdm 1.0.0 → 1.0.1

data/examples/Gemfile

@@ -1,3 +1,3 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
-gem 'strongdm'
+gem "strongdm"

data/examples/listUsers.rb

@@ -1,21 +1,21 @@
 # Copyright 2020 StrongDM Inc
-# 
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-# 
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# 
+#
 require "strongdm"
 
-client = SDM::Client.new(ENV['SDM_API_ACCESS_KEY'], ENV['SDM_API_SECRET_KEY'])
-users = client.accounts.list('')
+client = SDM::Client.new(ENV["SDM_API_ACCESS_KEY"], ENV["SDM_API_SECRET_KEY"])
+users = client.accounts.list("")
 users.each { |user|
-	p user
-}
+  p user
+}

data/examples/okta-sync/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+gem "strongdm"
+gem "oktakit"

data/examples/okta-sync/Gemfile.lock

@@ -0,0 +1,38 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    faraday (1.0.0)
+      multipart-post (>= 1.2, < 3)
+    google-protobuf (3.11.4)
+    googleapis-common-protos-types (1.0.4)
+      google-protobuf (~> 3.0)
+    grpc (1.27.0)
+      google-protobuf (~> 3.11)
+      googleapis-common-protos-types (~> 1.0)
+    grpc-tools (1.27.0)
+    ipaddr (1.2.2)
+    multipart-post (2.1.1)
+    oktakit (0.2.0)
+      sawyer (~> 0.8.1)
+    openssl (2.1.2)
+      ipaddr
+    public_suffix (4.0.3)
+    sawyer (0.8.2)
+      addressable (>= 2.3.5)
+      faraday (> 0.8, < 2.0)
+    strongdm (1.0.0)
+      grpc (~> 1.27.0, >= 1.27.0)
+      grpc-tools (~> 1.27.0, >= 1.27.0)
+      openssl (~> 2.1.2, >= 2.1.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  oktakit
+  strongdm
+
+BUNDLED WITH
+   1.17.2

data/examples/okta-sync/matchers.yml

@@ -0,0 +1,11 @@
+---
+    groups:
+      -
+        name: db/mongo
+        resources:
+          - type:mongo name:don*
+          - type:ssh name:dev*
+      -
+        name: app/web
+        resources:
+          - type:ssh name:dev-web*

data/examples/okta-sync/oktaSync.rb

@@ -0,0 +1,173 @@
+# Copyright 2020 StrongDM Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+require "yaml"
+require "strongdm"
+require "oktakit"
+require "optparse"
+
+SDM_API_ACCESS_KEY = ENV.fetch("SDM_API_ACCESS_KEY", "")
+SDM_API_SECRET_KEY = ENV.fetch("SDM_API_SECRET_KEY", "")
+OKTA_CLIENT_TOKEN = ENV.fetch("OKTA_CLIENT_TOKEN", "")
+OKTA_CLIENT_ORGURL = ENV.fetch("OKTA_CLIENT_ORGURL", "")
+
+def okta_sync
+  if SDM_API_ACCESS_KEY == "" || SDM_API_SECRET_KEY == "" || OKTA_CLIENT_TOKEN == "" || OKTA_CLIENT_ORGURL == ""
+    puts "SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY, OKTA_CLIENT_TOKEN, and OKTA_CLIENT_ORGURL must be set"
+    exit
+  end
+
+  report = {
+    :start => Time.now,
+
+    :oktaUsersCount => 0,
+    :oktaUsers => [],
+
+    :sdmUsersCount => 0,
+    :sdmUsers => [],
+
+    :bothUsersCount => 0,
+
+    :sdmResourcesCount => 0,
+    :sdmResources => {},
+
+    :permissionsGranted => 0,
+    :permissionsRevoked => 0,
+    :grants => [],
+    :revocations => [],
+
+    :matchers => {},
+  }
+
+  plan = false
+  verbose = false
+  OptionParser.new do |opts|
+    opts.banner = "Usage oktaSync.rb [options]"
+    opts.on("-p", "--plan", "calculate changes but do not apply them") do |p|
+      plan = p
+    end
+    opts.on("-v", "--verbose", "print detailed report") do |v|
+      verbose = v
+    end
+  end.parse!
+
+  client = SDM::Client.new(SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY)
+  okta_client = Oktakit.new(token: OKTA_CLIENT_TOKEN, api_endpoint: OKTA_CLIENT_ORGURL + "/api/v1")
+  matchers = YAML.load(File.read("matchers.yml"))
+  report[:matchers] = matchers
+
+  all_users = okta_client.list_users({
+    'query': {
+      'search': "profile.department eq \"Engineering\" and (status eq \"ACTIVE\")",
+    },
+  })
+
+  okta_users = Array.new()
+  all_users[0].each { |u|
+    groups = okta_client.get_member_groups(u.id)
+    group_names = Array.new()
+    groups[0].each { |ug|
+      group_names.push(ug.profile.name)
+    }
+    okta_users.push({ :login => u.profile.login, :first_name => u.profile.firstName, :last_name => u.profile.LastName, :groups => group_names })
+  }
+  report[:oktaUsers] = okta_users
+  report[:oktaUsersCount] = okta_users.size
+
+  accounts = client.accounts.list("type:user").map { |a| [a.email, a] }.to_h
+  report[:sdmUsers] = accounts
+  report[:sdmUsersCount] = accounts.size
+  grants = client.account_grants.list("").map { |ag| ag }
+
+  current = {}
+  grants.each { |g|
+    current[g.account_id] = [] if not current[g.account_id]
+    current[g.account_id].push({ :resource_id => g.resource_id, :id => g.id })
+  }
+
+  desired = {}
+  overlapping = 0
+  matchers["groups"].each { |group|
+    group["resources"].each { |resourceQuery|
+      client.resources.list(resourceQuery).each { |res|
+        report[:sdmResources][res.id] = res
+        okta_users.each { |u|
+          if u[:groups].include? group["name"]
+            account = accounts[u[:login]]
+            if account != nil
+              overlapping += 1
+              desired[account.id] = [] if not desired[account.id]
+              desired[account.id].push(res.id)
+            end
+          end
+        }
+      }
+    }
+  }
+  report[:bothUsersCount] = overlapping
+  report[:sdmResourcesCount] = report[:sdmResources].size
+
+  revocations = 0
+  current.each { |aid, curRes|
+    desRes = desired[aid]
+    desRes = [] if not desired[aid]
+    curRes.each { |r|
+      if not(desRes.include? r[:resource_id])
+        if plan
+          puts "Plan: revoke %s from user %s\n" % [r[:resource_id], aid]
+        else
+          client.account_grants.delete(r[:id])
+        end
+        report[:revocations].push(r[:id])
+        revocations += 1
+      end
+    }
+  }
+  report[:permissionsRevoked] = revocations
+
+  grants = 0
+  desired.each { |aid, desRes|
+    curRes = current[aid]
+    curRes = [] if not current[aid]
+    desRes.each { |r|
+      if not(curRes.map { |c| c[:resource_id] }.include? r)
+        ag = SDM::AccountGrant.new()
+        ag.account_id = aid
+        ag.resource_id = r
+        if plan
+          puts "Plan: grant %s to user %s\n" % [r, aid]
+        else
+          client.account_grants.create(ag)
+        end
+        report[:grants].push(ag)
+        grants += 1
+      end
+    }
+  }
+  report[:permissionsGranted] = grants
+
+  report[:complete] = Time.now
+
+  if verbose
+    puts report.to_json
+  else
+    puts "%d Okta users, %d strongDM users, %d overlapping users, %d grants, %d revocations" % [okta_users.size, accounts.size, overlapping, grants, revocations]
+  end
+end
+
+begin
+  okta_sync
+rescue StandardError => ex
+  puts "cannot synchronize with okta: " + ex.to_s
+end

data/examples/panicButton.rb

@@ -1,18 +1,4 @@
 # Copyright 2020 StrongDM Inc
-# 
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-# 
-#     http://www.apache.org/licenses/LICENSE-2.0
-# 
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# 
-# Copyright 2020 StrongDM Inc
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-
 require "strongdm"
 require "OpenSSL"
 require "JSON"
@@ -38,117 +23,116 @@ require "JSON"
 # to revert back to pre-panic state:
 # ruby panicButton.rb revert
 def main
-    access_key = ENV["SDM_API_ACCESS_KEY"]
-    secret_key = ENV["SDM_API_SECRET_KEY"]
-    if access_key == nil or secret_key == nil
-        puts "SDM_API_ACCESS_KEY and SDM_API_SECRET_KEY must be provided"
-        return
-    end
-    client = SDM::Client.new(access_key, secret_key)
-
-    if ARGV.size == 1 and ARGV[0] == "revert"
-        state_file = File.open("state.json")
-        state = JSON.load(state_file)
-
-        reinstated_count = 0
+  access_key = ENV["SDM_API_ACCESS_KEY"]
+  secret_key = ENV["SDM_API_SECRET_KEY"]
+  if access_key == nil or secret_key == nil
+    puts "SDM_API_ACCESS_KEY and SDM_API_SECRET_KEY must be provided"
+    return
+  end
+  client = SDM::Client.new(access_key, secret_key)
+
+  if ARGV.size == 1 and ARGV[0] == "revert"
+    state_file = File.open("state.json")
+    state = JSON.load(state_file)
+
+    reinstated_count = 0
+
+    users = client.accounts.list("")
+    users.each { |user|
+      if user.suspended
+        reinstated_count += 1
+        user.suspended = false
+        client.accounts.update(user)
+      end
+    }
+    state["attachments"].each { |attachment|
+      begin
+        a = SDM::AccountAttachment.new()
+        a.account_id = attachment["account_id"]
+        a.role_id = attachment["role_id"]
+        client.account_attachments.create(a)
+      rescue SDM::AlreadyExistsError
+      rescue => ex
+        puts "skipping creation of attachment due to error: " + ex.to_s
+      end
+    }
+    state["grants"].each { |attachment|
+      begin
+        g = SDM::AccountGrant.new()
+        g.account_id = attachment["account_id"]
+        g.resource_id = attachment["resource_id"]
+        client.account_grants.create(g)
+      rescue SDM::AlreadyExistsError
+      rescue => ex
+        puts "skipping creation of grant due to error: " + ex.to_s
+      end
+    }
 
-        users = client.accounts.list('')
-        users.each{ |user|
-            if user.suspended
-                reinstated_count += 1
-                user.suspended = false
-                client.accounts.update(user)
-            end
+    puts "reinstated " + reinstated_count.to_s + " users"
+    puts "recreated " + state["attachments"].size.to_s + " account attachments"
+    puts "recreated " + state["grants"].size.to_s + " account grants"
+
+    return
+  end
+
+  admin_email = ""
+  if ARGV.size == 1
+    admin_email = ARGV[0]
+  else
+    puts "please provide an admin email to preserve"
+    return 1
+  end
+
+  admin_user_id = ""
+  users = client.accounts.list("email:?", admin_email)
+  users.each { |user|
+    admin_user_id = user.id
+  }
+
+  account_attachments = client.account_attachments.list("")
+  account_grants = client.account_grants.list("")
+
+  state = {
+    'attachments': account_attachments.map { |x|
+      if x.account_id != admin_user_id
+        out = {
+          'account_id': x.account_id,
+          'role_id': x.role_id,
         }
-        state["attachments"].each { |attachment|
-            begin
-                a = SDM::AccountAttachment.new()
-                a.account_id = attachment["account_id"]
-                a.role_id = attachment["role_id"]
-                client.account_attachments.create(a)
-            rescue SDM::AlreadyExistsError
-            rescue => ex
-                puts "skipping creation of attachment due to error: " + ex.to_s
-            end
-        }
-        state["grants"].each { |attachment|
-            begin
-                g = SDM::AccountGrant.new()
-                g.account_id = attachment["account_id"]
-                g.resource_id = attachment["resource_id"]
-                client.account_grants.create(g)
-            rescue SDM::AlreadyExistsError
-            rescue => ex
-                puts "skipping creation of grant due to error: " + ex.to_s
-            end
+      end
+    }.reject { |x| x == nil },
+    'grants': account_grants.map { |x|
+      if x.account_id != admin_user_id and x.valid_until == nil
+        out = {
+          'account_id': x.account_id,
+          'resource_id': x.resource_id,
         }
+      end
+    }.reject { |x| x == nil },
+  }
 
-        puts "reinstated " + reinstated_count.to_s + " users"
-        puts "recreated " + state["attachments"].size.to_s + " account attachments"
-        puts "recreated " + state["grants"].size.to_s + " account grants"
+  puts "storing " + state[:attachments].size.to_s + " account attachments in state"
+  puts "storing " + state[:grants].size.to_s + " account grants in state"
 
-        return
-    end
+  state_file = File.open("state.json", "w")
+  state_file.write(state.to_json)
 
-    admin_email = ""
-    if ARGV.size == 1
-        admin_email = ARGV[0]
-    else
-        puts "please provide an admin email to preserve"
-        return 1
+  suspended_count = 0
+  users = client.accounts.list("")
+  users.each { |user|
+    if user.instance_of? SDM::User and user.email == admin_email
+      next
     end
+    user.suspended = true
+    begin
+      client.accounts.update(user)
+      suspended_count += 1
+    rescue StandardError => ex
+      puts "skipping user " + user.id + " on account of error: " + ex.to_s
+    end
+  }
 
-    admin_user_id = ""
-    users = client.accounts.list("email:?", admin_email)
-    users.each{ |user|
-        admin_user_id = user.id
-    }
-
-    account_attachments = client.account_attachments.list('')
-    account_grants = client.account_grants.list('')
-
-    state = {
-        'attachments': account_attachments.map{|x|
-            if x.account_id != admin_user_id
-                out = {
-                    'account_id': x.account_id,
-                    'role_id': x.role_id,
-                }
-            end
-        }.reject{|x| x == nil},
-        'grants': account_grants.map{|x|
-            if x.account_id != admin_user_id and x.valid_until == nil
-                out = {
-                    'account_id': x.account_id,
-                    'resource_id': x.resource_id,
-                }
-            end
-        }.reject{|x| x == nil},
-    }
-
-    puts "storing " + state[:attachments].size.to_s + " account attachments in state"
-    puts "storing " + state[:grants].size.to_s + " account grants in state"
-
-    state_file = File.open("state.json", "w")
-    state_file.write(state.to_json)
-
-    suspended_count = 0
-    users = client.accounts.list('')
-    users.each{ |user|
-        if user.instance_of? SDM::User and user.email == admin_email
-            next
-        end
-        user.suspended = true
-        begin
-            client.accounts.update(user)
-            suspended_count += 1
-        rescue StandardError => ex
-            puts "skipping user " + user.id + " on account of error: " + ex.to_s
-        end
-    }
-
-    puts "suspended " + suspended_count.to_s + " users"
-
+  puts "suspended " + suspended_count.to_s + " users"
 end
 
-main()
+main()