strongdm 1.0.2 → 1.0.3

data/examples/Gemfile

@@ -1,3 +1,3 @@
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "strongdm"
+gem 'strongdm'

data/examples/listUsers.rb

@@ -1,17 +1,17 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+# 
 require "strongdm"
 
 client = SDM::Client.new(ENV["SDM_API_ACCESS_KEY"], ENV["SDM_API_SECRET_KEY"])

data/examples/okta-sync/oktaSync.rb

@@ -1,64 +1,21 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
+# 
 require "yaml"
 require "strongdm"
 require "oktakit"
 require "optparse"
-require "json"
 
 SDM_API_ACCESS_KEY = ENV.fetch("SDM_API_ACCESS_KEY", "")
 SDM_API_SECRET_KEY = ENV.fetch("SDM_API_SECRET_KEY", "")
@@ -136,7 +93,7 @@ def okta_sync
   current = {}
   grants.each { |g|
     current[g.account_id] = [] if not current[g.account_id]
-    current[g.account_id].push(g)
+    current[g.account_id].push({ :resource_id => g.resource_id, :id => g.id })
   }
 
   desired = {}
@@ -161,21 +118,18 @@ def okta_sync
   report[:bothUsersCount] = overlapping
   report[:sdmResourcesCount] = report[:sdmResources].size
 
-  accounts_in_roles = client.account_attachments.list("").map { |aa| [aa.account_id, true] }.to_h
-
   revocations = 0
   current.each { |aid, curRes|
-    next if accounts_in_roles[aid]
     desRes = desired[aid]
     desRes = [] if not desired[aid]
     curRes.each { |r|
-      if not(desRes.include? r.resource_id)
+      if not(desRes.include? r[:resource_id])
         if plan
-          puts "Plan: revoke %s from user %s\n" % [r.resource_id, aid]
+          puts "Plan: revoke %s from user %s\n" % [r[:resource_id], aid]
         else
-          client.account_grants.delete(r.id)
+          client.account_grants.delete(r[:id])
         end
-        report[:revocations].push(r)
+        report[:revocations].push(r[:id])
         revocations += 1
       end
     }
@@ -187,14 +141,14 @@ def okta_sync
     curRes = current[aid]
     curRes = [] if not current[aid]
     desRes.each { |r|
-      if not(curRes.map { |c| c.resource_id }.include? r)
+      if not(curRes.map { |c| c[:resource_id] }.include? r)
         ag = SDM::AccountGrant.new()
         ag.account_id = aid
         ag.resource_id = r
         if plan
           puts "Plan: grant %s to user %s\n" % [r, aid]
         else
-          ag = client.account_grants.create(ag).account_grant
+          client.account_grants.create(ag)
         end
         report[:grants].push(ag)
         grants += 1
@@ -206,10 +160,14 @@ def okta_sync
   report[:complete] = Time.now
 
   if verbose
-    puts JSON.pretty_generate(report)
+    puts report.to_json
   else
     puts "%d Okta users, %d strongDM users, %d overlapping users, %d grants, %d revocations" % [okta_users.size, accounts.size, overlapping, grants, revocations]
   end
 end
 
-okta_sync
+begin
+  okta_sync
+rescue StandardError => ex
+  puts "cannot synchronize with okta: " + ex.to_s
+end

data/examples/panicButton.rb

@@ -1,59 +1,17 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
+# 
 require "strongdm"
 require "OpenSSL"
 require "JSON"

data/lib/errors/errors.rb

@@ -1,87 +1,85 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+# 
 # This file was generated by protogen. DO NOT EDIT.
 
 module SDM
 
-  # RPCError is a generic RPC error
-  class RPCError < StandardError
-    attr_reader :code
-
-    def initialize(msg, code)
-      @code = code
-      super(msg)
+    # RPCError is a generic RPC error
+    class RPCError < StandardError
+        attr_reader :code
+        def initialize(msg, code)
+            @code = code
+            super(msg)
+        end
     end
-  end
 
-  # DeadlineExceededError indicates an RPC call timed out
-  class DeadlineExceededError < RPCError
-    def initialize(msg)
-      super(msg, 4)
+    # DeadlineExceededError indicates an RPC call timed out
+    class DeadlineExceededError < RPCError
+        def initialize(msg)
+            super(msg, 4)
+        end
     end
-  end
 
-  # AlreadyExistsError is used when an entity already exists in the system
-  class AlreadyExistsError < RPCError
-    def initialize(msg)
-      super(msg, 6)
+    # AlreadyExistsError is used when an entity already exists in the system
+    class AlreadyExistsError < RPCError
+        def initialize(msg)
+            super(msg, 6)
+        end
     end
-  end
 
-  # NotFoundError is used when an entity does not exist in the system
-  class NotFoundError < RPCError
-    def initialize(msg)
-      super(msg, 5)
+    # NotFoundError is used when an entity does not exist in the system
+    class NotFoundError < RPCError
+        def initialize(msg)
+            super(msg, 5)
+        end
     end
-  end
 
-  # BadRequestError identifies a bad request sent by the client
-  class BadRequestError < RPCError
-    def initialize(msg)
-      super(msg, 3)
+    # BadRequestError identifies a bad request sent by the client
+    class BadRequestError < RPCError
+        def initialize(msg)
+            super(msg, 3)
+        end
     end
-  end
 
-  # AuthenticationError is used to specify an authentication failure condition
-  class AuthenticationError < RPCError
-    def initialize(msg)
-      super(msg, 16)
+    # AuthenticationError is used to specify an authentication failure condition
+    class AuthenticationError < RPCError
+        def initialize(msg)
+            super(msg, 16)
+        end
     end
-  end
 
-  # PermissionError is used to specify a permissions violation
-  class PermissionError < RPCError
-    def initialize(msg)
-      super(msg, 7)
+    # PermissionError is used to specify a permissions violation
+    class PermissionError < RPCError
+        def initialize(msg)
+            super(msg, 7)
+        end
     end
-  end
 
-  # InternalError is used to specify an internal system error
-  class InternalError < RPCError
-    def initialize(msg)
-      super(msg, 13)
+    # InternalError is used to specify an internal system error
+    class InternalError < RPCError
+        def initialize(msg)
+            super(msg, 13)
+        end
     end
-  end
-
-  # RateLimitError is used for rate limit excess condition
-  class RateLimitError < RPCError
-    attr_reader :rate_limit
 
-    def initialize(msg, rate_limit)
-      @rate_limit = rate_limit
-      super(msg, 8)
+    # RateLimitError is used for rate limit excess condition
+    class RateLimitError < RPCError
+        attr_reader :rate_limit
+        def initialize(msg, rate_limit)
+            @rate_limit = rate_limit
+            super(msg, 8)
+        end
     end
-  end
 end

data/lib/grpc/account_attachments_pb.rb

@@ -1,26 +1,26 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+# 
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: account_attachments.proto
 
-require "google/protobuf"
+require 'google/protobuf'
 
-require "google/api/annotations_pb"
-require "protoc-gen-swagger/options/annotations_pb"
-require "options_pb"
-require "spec_pb"
+require 'google/api/annotations_pb'
+require 'protoc-gen-swagger/options/annotations_pb'
+require 'options_pb'
+require 'spec_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("account_attachments.proto", :syntax => :proto3) do
     add_message "v1.AccountAttachmentCreateRequest" do

data/lib/grpc/account_attachments_services_pb.rb

@@ -1,32 +1,33 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+# 
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # Source: account_attachments.proto for package 'v1'
 
-require "grpc"
-require "account_attachments_pb"
+require 'grpc'
+require 'account_attachments_pb'
 
 module V1
   module AccountAttachments
     # AccountAttachments assign an account to a role.
     class Service
+
       include GRPC::GenericService
 
       self.marshal_class_method = :encode
       self.unmarshal_class_method = :decode
-      self.service_name = "v1.AccountAttachments"
+      self.service_name = 'v1.AccountAttachments'
 
       # Create registers a new AccountAttachment.
       rpc :Create, AccountAttachmentCreateRequest, AccountAttachmentCreateResponse

data/lib/grpc/account_grants_pb.rb

@@ -1,27 +1,27 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+# 
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: account_grants.proto
 
-require "google/protobuf"
+require 'google/protobuf'
 
-require "google/api/annotations_pb"
-require "protoc-gen-swagger/options/annotations_pb"
-require "google/protobuf/timestamp_pb"
-require "options_pb"
-require "spec_pb"
+require 'google/api/annotations_pb'
+require 'protoc-gen-swagger/options/annotations_pb'
+require 'google/protobuf/timestamp_pb'
+require 'options_pb'
+require 'spec_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("account_grants.proto", :syntax => :proto3) do
     add_message "v1.AccountGrantCreateRequest" do

data/lib/grpc/account_grants_services_pb.rb

@@ -1,32 +1,33 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+# 
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # Source: account_grants.proto for package 'v1'
 
-require "grpc"
-require "account_grants_pb"
+require 'grpc'
+require 'account_grants_pb'
 
 module V1
   module AccountGrants
-    # AccountGrants connect a resource directly to an account, giving the account the permission to connect to that resource.
+    # AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
     class Service
+
       include GRPC::GenericService
 
       self.marshal_class_method = :encode
       self.unmarshal_class_method = :decode
-      self.service_name = "v1.AccountGrants"
+      self.service_name = 'v1.AccountGrants'
 
       # Create registers a new AccountGrant.
       rpc :Create, AccountGrantCreateRequest, AccountGrantCreateResponse

data/lib/grpc/accounts_pb.rb

@@ -1,26 +1,26 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+# 
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # source: accounts.proto
 
-require "google/protobuf"
+require 'google/protobuf'
 
-require "google/api/annotations_pb"
-require "protoc-gen-swagger/options/annotations_pb"
-require "options_pb"
-require "spec_pb"
+require 'google/api/annotations_pb'
+require 'protoc-gen-swagger/options/annotations_pb'
+require 'options_pb'
+require 'spec_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("accounts.proto", :syntax => :proto3) do
     add_message "v1.AccountCreateRequest" do

data/lib/grpc/accounts_services_pb.rb

@@ -1,22 +1,22 @@
 # Copyright 2020 StrongDM Inc
-#
+# 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
+# 
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+# 
 # Generated by the protocol buffer compiler.  DO NOT EDIT!
 # Source: accounts.proto for package 'v1'
 
-require "grpc"
-require "accounts_pb"
+require 'grpc'
+require 'accounts_pb'
 
 module V1
   module Accounts
@@ -25,11 +25,12 @@ module V1
     # 1. **Regular users:** humans who are authenticated through username and password or SSO
     # 2. **Service users:** machines that are authneticated using a service token
     class Service
+
       include GRPC::GenericService
 
       self.marshal_class_method = :encode
       self.unmarshal_class_method = :decode
-      self.service_name = "v1.Accounts"
+      self.service_name = 'v1.Accounts'
 
       # Create registers a new Account.
       rpc :Create, AccountCreateRequest, AccountCreateResponse