strongdm 1.0.2 → 1.0.10

data/lib/version

@@ -1,3 +1,17 @@
+# Copyright 2020 StrongDM Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
 module SDM
-  VERSION = "1.0.1"
-end
+  VERSION = "1.0.10"
+end

data/lib/version.rb

@@ -13,5 +13,5 @@
 # limitations under the License.
 #
 module SDM
-  VERSION = "1.0.2"
+  VERSION = "1.0.10"
 end

data/strongdm.gemspec

@@ -2,15 +2,15 @@
 require File.expand_path("../lib/version.rb", __FILE__)
 
 Gem::Specification.new do |s|
-  s.name = "strongdm"
-  s.version = SDM::VERSION
-  s.platform = Gem::Platform::RUBY
-  s.authors = ["strongDM Team"]
-  s.email = ["sdk-feedback@strongdm.com"]
-  s.homepage = "http://rubygems.org/gems/strongdm"
-  s.summary = "strongDM SDK for the Ruby programming language."
+  s.name        = "strongdm"
+  s.version     = SDM::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ['strongDM Team']
+  s.email       = ['sdk-feedback@strongdm.com']
+  s.homepage    = "http://rubygems.org/gems/strongdm"
+  s.summary     = "strongDM SDK for the Ruby programming language."
   s.description = "strongDM Ruby Library for automating interactions with strongDM."
-  s.licenses = ["Apache-2.0"]
+  s.licenses    = ["Apache-2.0"]
   s.required_ruby_version = ">= 2.3.0"
   s.required_rubygems_version = ">= 1.3.6"
 
@@ -18,6 +18,6 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "grpc-tools", "~> 1.27.0", ">= 1.27.0"
   s.add_runtime_dependency "openssl", "~> 2.1.2", ">= 2.1.2"
 
-  s.files = `git ls-files | grep -v "strongdm-#{SDM::VERSION}.gem"`.split("\n")
-  s.require_path = "lib"
+  s.files        = `git ls-files | grep -v "strongdm-#{SDM::VERSION}.gem"`.split("\n")
+  s.require_path = 'lib'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: strongdm
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.0.10
 platform: ruby
 authors:
 - strongDM Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-01 00:00:00.000000000 Z
+date: 2020-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc
@@ -114,10 +114,14 @@ files:
 - doc/SDM/BadRequestError.html
 - doc/SDM/BigQuery.html
 - doc/SDM/Cassandra.html
+- doc/SDM/Citus.html
 - doc/SDM/Client.html
 - doc/SDM/Clustrix.html
 - doc/SDM/Cockroach.html
 - doc/SDM/CreateResponseMetadata.html
+- doc/SDM/DB2.html
+- doc/SDM/DB2LUW.html
+- doc/SDM/DB2i.html
 - doc/SDM/DeadlineExceededError.html
 - doc/SDM/DeleteResponseMetadata.html
 - doc/SDM/Druid.html
@@ -184,6 +188,7 @@ files:
 - doc/SDM/Roles.html
 - doc/SDM/SQLServer.html
 - doc/SDM/SSH.html
+- doc/SDM/SSHCert.html
 - doc/SDM/Service.html
 - doc/SDM/Snowflake.html
 - doc/SDM/Sybase.html
@@ -208,6 +213,7 @@ files:
 - doc/V1/RoleGrants/Service.html
 - doc/V1/Roles.html
 - doc/V1/Roles/Service.html
+- doc/V1/Tags.html
 - doc/created.rid
 - doc/css/fonts.css
 - doc/css/rdoc.css
@@ -261,14 +267,7 @@ files:
 - doc/strongdm_gemspec.html
 - doc/table_of_contents.html
 - examples/Gemfile
-- examples/Gemfile.lock
-- examples/README.md
 - examples/listUsers.rb
-- examples/okta-sync/Gemfile
-- examples/okta-sync/Gemfile.lock
-- examples/okta-sync/matchers.yml
-- examples/okta-sync/oktaSync.rb
-- examples/panicButton.rb
 - lib/errors/errors.rb
 - lib/grpc/account_attachments_pb.rb
 - lib/grpc/account_attachments_services_pb.rb
@@ -291,6 +290,7 @@ files:
 - lib/grpc/roles_pb.rb
 - lib/grpc/roles_services_pb.rb
 - lib/grpc/spec_pb.rb
+- lib/grpc/tags_pb.rb
 - lib/models/porcelain.rb
 - lib/strongdm.rb
 - lib/svc.rb

data/examples/Gemfile.lock

@@ -1,14 +0,0 @@
-GEM
-  specs:
-    ipaddr (1.2.2)
-    openssl (2.1.2)
-      ipaddr
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  openssl
-
-BUNDLED WITH
-   1.17.2

data/examples/README.md

@@ -1,5 +0,0 @@
-Prior to running examples, run:
-
-```ShellSession
-$ bundler install
-```

data/examples/okta-sync/Gemfile

@@ -1,4 +0,0 @@
-source "https://rubygems.org"
-
-gem "strongdm"
-gem "oktakit"

data/examples/okta-sync/Gemfile.lock

@@ -1,38 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    faraday (1.0.0)
-      multipart-post (>= 1.2, < 3)
-    google-protobuf (3.11.4)
-    googleapis-common-protos-types (1.0.4)
-      google-protobuf (~> 3.0)
-    grpc (1.27.0)
-      google-protobuf (~> 3.11)
-      googleapis-common-protos-types (~> 1.0)
-    grpc-tools (1.27.0)
-    ipaddr (1.2.2)
-    multipart-post (2.1.1)
-    oktakit (0.2.0)
-      sawyer (~> 0.8.1)
-    openssl (2.1.2)
-      ipaddr
-    public_suffix (4.0.3)
-    sawyer (0.8.2)
-      addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
-    strongdm (1.0.0)
-      grpc (~> 1.27.0, >= 1.27.0)
-      grpc-tools (~> 1.27.0, >= 1.27.0)
-      openssl (~> 2.1.2, >= 2.1.2)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  oktakit
-  strongdm
-
-BUNDLED WITH
-   1.17.2

data/examples/okta-sync/matchers.yml

@@ -1,11 +0,0 @@
----
-    groups:
-      -
-        name: db/mongo
-        resources:
-          - type:mongo name:don*
-          - type:ssh name:dev*
-      -
-        name: app/web
-        resources:
-          - type:ssh name:dev-web*

data/examples/okta-sync/oktaSync.rb

@@ -1,215 +0,0 @@
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-require "yaml"
-require "strongdm"
-require "oktakit"
-require "optparse"
-require "json"
-
-SDM_API_ACCESS_KEY = ENV.fetch("SDM_API_ACCESS_KEY", "")
-SDM_API_SECRET_KEY = ENV.fetch("SDM_API_SECRET_KEY", "")
-OKTA_CLIENT_TOKEN = ENV.fetch("OKTA_CLIENT_TOKEN", "")
-OKTA_CLIENT_ORGURL = ENV.fetch("OKTA_CLIENT_ORGURL", "")
-
-def okta_sync
-  if SDM_API_ACCESS_KEY == "" || SDM_API_SECRET_KEY == "" || OKTA_CLIENT_TOKEN == "" || OKTA_CLIENT_ORGURL == ""
-    puts "SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY, OKTA_CLIENT_TOKEN, and OKTA_CLIENT_ORGURL must be set"
-    exit
-  end
-
-  report = {
-    :start => Time.now,
-
-    :oktaUsersCount => 0,
-    :oktaUsers => [],
-
-    :sdmUsersCount => 0,
-    :sdmUsers => [],
-
-    :bothUsersCount => 0,
-
-    :sdmResourcesCount => 0,
-    :sdmResources => {},
-
-    :permissionsGranted => 0,
-    :permissionsRevoked => 0,
-    :grants => [],
-    :revocations => [],
-
-    :matchers => {},
-  }
-
-  plan = false
-  verbose = false
-  OptionParser.new do |opts|
-    opts.banner = "Usage oktaSync.rb [options]"
-    opts.on("-p", "--plan", "calculate changes but do not apply them") do |p|
-      plan = p
-    end
-    opts.on("-v", "--verbose", "print detailed report") do |v|
-      verbose = v
-    end
-  end.parse!
-
-  client = SDM::Client.new(SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY)
-  okta_client = Oktakit.new(token: OKTA_CLIENT_TOKEN, api_endpoint: OKTA_CLIENT_ORGURL + "/api/v1")
-  matchers = YAML.load(File.read("matchers.yml"))
-  report[:matchers] = matchers
-
-  all_users = okta_client.list_users({
-    'query': {
-      'search': "profile.department eq \"Engineering\" and (status eq \"ACTIVE\")",
-    },
-  })
-
-  okta_users = Array.new()
-  all_users[0].each { |u|
-    groups = okta_client.get_member_groups(u.id)
-    group_names = Array.new()
-    groups[0].each { |ug|
-      group_names.push(ug.profile.name)
-    }
-    okta_users.push({ :login => u.profile.login, :first_name => u.profile.firstName, :last_name => u.profile.LastName, :groups => group_names })
-  }
-  report[:oktaUsers] = okta_users
-  report[:oktaUsersCount] = okta_users.size
-
-  accounts = client.accounts.list("type:user").map { |a| [a.email, a] }.to_h
-  report[:sdmUsers] = accounts
-  report[:sdmUsersCount] = accounts.size
-  grants = client.account_grants.list("").map { |ag| ag }
-
-  current = {}
-  grants.each { |g|
-    current[g.account_id] = [] if not current[g.account_id]
-    current[g.account_id].push(g)
-  }
-
-  desired = {}
-  overlapping = 0
-  matchers["groups"].each { |group|
-    group["resources"].each { |resourceQuery|
-      client.resources.list(resourceQuery).each { |res|
-        report[:sdmResources][res.id] = res
-        okta_users.each { |u|
-          if u[:groups].include? group["name"]
-            account = accounts[u[:login]]
-            if account != nil
-              overlapping += 1
-              desired[account.id] = [] if not desired[account.id]
-              desired[account.id].push(res.id)
-            end
-          end
-        }
-      }
-    }
-  }
-  report[:bothUsersCount] = overlapping
-  report[:sdmResourcesCount] = report[:sdmResources].size
-
-  accounts_in_roles = client.account_attachments.list("").map { |aa| [aa.account_id, true] }.to_h
-
-  revocations = 0
-  current.each { |aid, curRes|
-    next if accounts_in_roles[aid]
-    desRes = desired[aid]
-    desRes = [] if not desired[aid]
-    curRes.each { |r|
-      if not(desRes.include? r.resource_id)
-        if plan
-          puts "Plan: revoke %s from user %s\n" % [r.resource_id, aid]
-        else
-          client.account_grants.delete(r.id)
-        end
-        report[:revocations].push(r)
-        revocations += 1
-      end
-    }
-  }
-  report[:permissionsRevoked] = revocations
-
-  grants = 0
-  desired.each { |aid, desRes|
-    curRes = current[aid]
-    curRes = [] if not current[aid]
-    desRes.each { |r|
-      if not(curRes.map { |c| c.resource_id }.include? r)
-        ag = SDM::AccountGrant.new()
-        ag.account_id = aid
-        ag.resource_id = r
-        if plan
-          puts "Plan: grant %s to user %s\n" % [r, aid]
-        else
-          ag = client.account_grants.create(ag).account_grant
-        end
-        report[:grants].push(ag)
-        grants += 1
-      end
-    }
-  }
-  report[:permissionsGranted] = grants
-
-  report[:complete] = Time.now
-
-  if verbose
-    puts JSON.pretty_generate(report)
-  else
-    puts "%d Okta users, %d strongDM users, %d overlapping users, %d grants, %d revocations" % [okta_users.size, accounts.size, overlapping, grants, revocations]
-  end
-end
-
-okta_sync

data/examples/panicButton.rb

@@ -1,180 +0,0 @@
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-require "strongdm"
-require "OpenSSL"
-require "JSON"
-
-# panicButton.rb suspends all users except for one admin,
-# in the fake use case of a critical break in or something
-# usage:
-# ruby panicButton.rb adminuser@email.com
-# to revert back to pre-panic state:
-# ruby panicButton.rb revert
-def main
-  access_key = ENV["SDM_API_ACCESS_KEY"]
-  secret_key = ENV["SDM_API_SECRET_KEY"]
-  if access_key == nil or secret_key == nil
-    puts "SDM_API_ACCESS_KEY and SDM_API_SECRET_KEY must be provided"
-    return
-  end
-  client = SDM::Client.new(access_key, secret_key)
-
-  if ARGV.size == 1 and ARGV[0] == "revert"
-    state_file = File.open("state.json")
-    state = JSON.load(state_file)
-
-    reinstated_count = 0
-
-    users = client.accounts.list("")
-    users.each { |user|
-      if user.suspended
-        reinstated_count += 1
-        user.suspended = false
-        client.accounts.update(user)
-      end
-    }
-    state["attachments"].each { |attachment|
-      begin
-        a = SDM::AccountAttachment.new()
-        a.account_id = attachment["account_id"]
-        a.role_id = attachment["role_id"]
-        client.account_attachments.create(a)
-      rescue SDM::AlreadyExistsError
-      rescue => ex
-        puts "skipping creation of attachment due to error: " + ex.to_s
-      end
-    }
-    state["grants"].each { |attachment|
-      begin
-        g = SDM::AccountGrant.new()
-        g.account_id = attachment["account_id"]
-        g.resource_id = attachment["resource_id"]
-        client.account_grants.create(g)
-      rescue SDM::AlreadyExistsError
-      rescue => ex
-        puts "skipping creation of grant due to error: " + ex.to_s
-      end
-    }
-
-    puts "reinstated " + reinstated_count.to_s + " users"
-    puts "recreated " + state["attachments"].size.to_s + " account attachments"
-    puts "recreated " + state["grants"].size.to_s + " account grants"
-
-    return
-  end
-
-  admin_email = ""
-  if ARGV.size == 1
-    admin_email = ARGV[0]
-  else
-    puts "please provide an admin email to preserve"
-    return 1
-  end
-
-  admin_user_id = ""
-  users = client.accounts.list("email:?", admin_email)
-  users.each { |user|
-    admin_user_id = user.id
-  }
-
-  account_attachments = client.account_attachments.list("")
-  account_grants = client.account_grants.list("")
-
-  state = {
-    'attachments': account_attachments.map { |x|
-      if x.account_id != admin_user_id
-        out = {
-          'account_id': x.account_id,
-          'role_id': x.role_id,
-        }
-      end
-    }.reject { |x| x == nil },
-    'grants': account_grants.map { |x|
-      if x.account_id != admin_user_id and x.valid_until == nil
-        out = {
-          'account_id': x.account_id,
-          'resource_id': x.resource_id,
-        }
-      end
-    }.reject { |x| x == nil },
-  }
-
-  puts "storing " + state[:attachments].size.to_s + " account attachments in state"
-  puts "storing " + state[:grants].size.to_s + " account grants in state"
-
-  state_file = File.open("state.json", "w")
-  state_file.write(state.to_json)
-
-  suspended_count = 0
-  users = client.accounts.list("")
-  users.each { |user|
-    if user.instance_of? SDM::User and user.email == admin_email
-      next
-    end
-    user.suspended = true
-    begin
-      client.accounts.update(user)
-      suspended_count += 1
-    rescue StandardError => ex
-      puts "skipping user " + user.id + " on account of error: " + ex.to_s
-    end
-  }
-
-  puts "suspended " + suspended_count.to_s + " users"
-end
-
-main()