strongdm 1.0.5 → 1.0.12

data/lib/strongdm.rb

@@ -90,19 +90,17 @@ module SDM
 
     # API authentication token (read-only).
     attr_reader :api_access_key
-    # AccountAttachments assign an account to a role.
+    # AccountAttachments assign an account to a role or composite role.
     attr_reader :account_attachments
     # AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
     attr_reader :account_grants
-    # Accounts are users that have access to strongDM.
-    # There are two types of accounts:
-    # 1. **Regular users:** humans who are authenticated through username and password or SSO
-    # 2. **Service users:** machines that are authneticated using a service token
+    # Accounts are users that have access to strongDM. There are two types of accounts:
+    # 1. **Users:** humans who are authenticated through username and password or SSO.
+    # 2. **Service Accounts:** machines that are authenticated using a service token.
     attr_reader :accounts
-    # Nodes make up the strongDM network, and allow your users to connect securely to your resources.
-    # There are two types of nodes:
-    # 1. **Relay:** creates connectivity to your datasources, while maintaining the egress-only nature of your firewall
-    # 1. **Gateways:** a relay that also listens for connections from strongDM clients
+    # Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
+    # - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
+    # - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
     attr_reader :nodes
 
     attr_reader :resources

data/lib/svc.rb

@@ -24,7 +24,7 @@ Dir[File.join(__dir__, "grpc", "*.rb")].each { |file| require file }
 Dir[File.join(__dir__, "models", "*.rb")].each { |file| require file }
 
 module SDM
-  # AccountAttachments assign an account to a role.
+  # AccountAttachments assign an account to a role or composite role.
   class AccountAttachments
     def initialize(host, insecure, parent)
       begin
@@ -43,13 +43,11 @@ module SDM
     # Create registers a new AccountAttachment.
     def create(
       account_attachment,
-      options: nil,
       deadline: nil
     )
       req = V1::AccountAttachmentCreateRequest.new()
 
       req.account_attachment = Plumbing::convert_account_attachment_to_plumbing(account_attachment)
-      req.options = Plumbing::convert_account_attachment_create_options_to_plumbing(options)
       tries = 0
       plumbing_response = nil
       loop do
@@ -312,10 +310,9 @@ module SDM
     end
   end
 
-  # Accounts are users that have access to strongDM.
-  # There are two types of accounts:
-  # 1. **Regular users:** humans who are authenticated through username and password or SSO
-  # 2. **Service users:** machines that are authneticated using a service token
+  # Accounts are users that have access to strongDM. There are two types of accounts:
+  # 1. **Users:** humans who are authenticated through username and password or SSO.
+  # 2. **Service Accounts:** machines that are authenticated using a service token.
   class Accounts
     def initialize(host, insecure, parent)
       begin
@@ -489,10 +486,9 @@ module SDM
     end
   end
 
-  # Nodes make up the strongDM network, and allow your users to connect securely to your resources.
-  # There are two types of nodes:
-  # 1. **Relay:** creates connectivity to your datasources, while maintaining the egress-only nature of your firewall
-  # 1. **Gateways:** a relay that also listens for connections from strongDM clients
+  # Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
+  # - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
+  # - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
   class Nodes
     def initialize(host, insecure, parent)
       begin

data/lib/version

@@ -1,17 +1,17 @@
 # Copyright 2020 StrongDM Inc
-# 
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-# 
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# 
+#
 module SDM
-  VERSION = "1.0.5"
+  VERSION = "1.0.12"
 end

data/lib/version.rb

@@ -13,5 +13,5 @@
 # limitations under the License.
 #
 module SDM
-  VERSION = "1.0.5"
+  VERSION = "1.0.12"
 end

data/strongdm.gemspec

@@ -7,7 +7,7 @@ Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.authors = ["strongDM Team"]
   s.email = ["sdk-feedback@strongdm.com"]
-  s.homepage = "http://rubygems.org/gems/strongdm"
+  s.homepage = "https://github.com/strongdm/strongdm-sdk-ruby"
   s.summary = "strongDM SDK for the Ruby programming language."
   s.description = "strongDM Ruby Library for automating interactions with strongDM."
   s.licenses = ["Apache-2.0"]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: strongdm
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.0.12
 platform: ruby
 authors:
 - strongDM Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-09 00:00:00.000000000 Z
+date: 2020-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc
@@ -120,6 +120,8 @@ files:
 - doc/SDM/Cockroach.html
 - doc/SDM/CreateResponseMetadata.html
 - doc/SDM/DB2.html
+- doc/SDM/DB2LUW.html
+- doc/SDM/DB2i.html
 - doc/SDM/DeadlineExceededError.html
 - doc/SDM/DeleteResponseMetadata.html
 - doc/SDM/Druid.html
@@ -265,14 +267,7 @@ files:
 - doc/strongdm_gemspec.html
 - doc/table_of_contents.html
 - examples/Gemfile
-- examples/Gemfile.lock
-- examples/README.md
 - examples/listUsers.rb
-- examples/okta-sync/Gemfile
-- examples/okta-sync/Gemfile.lock
-- examples/okta-sync/matchers.yml
-- examples/okta-sync/oktaSync.rb
-- examples/panicButton.rb
 - lib/errors/errors.rb
 - lib/grpc/account_attachments_pb.rb
 - lib/grpc/account_attachments_services_pb.rb
@@ -302,7 +297,7 @@ files:
 - lib/version
 - lib/version.rb
 - strongdm.gemspec
-homepage: http://rubygems.org/gems/strongdm
+homepage: https://github.com/strongdm/strongdm-sdk-ruby
 licenses:
 - Apache-2.0
 metadata: {}

data/examples/Gemfile.lock

@@ -1,14 +0,0 @@
-GEM
-  specs:
-    ipaddr (1.2.2)
-    openssl (2.1.2)
-      ipaddr
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  openssl
-
-BUNDLED WITH
-   1.17.2

data/examples/README.md

@@ -1,5 +0,0 @@
-Prior to running examples, run:
-
-```ShellSession
-$ bundler install
-```

data/examples/okta-sync/Gemfile

@@ -1,4 +0,0 @@
-source "https://rubygems.org"
-
-gem "strongdm"
-gem "oktakit"

data/examples/okta-sync/Gemfile.lock

@@ -1,38 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    faraday (1.0.0)
-      multipart-post (>= 1.2, < 3)
-    google-protobuf (3.11.4)
-    googleapis-common-protos-types (1.0.4)
-      google-protobuf (~> 3.0)
-    grpc (1.27.0)
-      google-protobuf (~> 3.11)
-      googleapis-common-protos-types (~> 1.0)
-    grpc-tools (1.27.0)
-    ipaddr (1.2.2)
-    multipart-post (2.1.1)
-    oktakit (0.2.0)
-      sawyer (~> 0.8.1)
-    openssl (2.1.2)
-      ipaddr
-    public_suffix (4.0.3)
-    sawyer (0.8.2)
-      addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
-    strongdm (1.0.0)
-      grpc (~> 1.27.0, >= 1.27.0)
-      grpc-tools (~> 1.27.0, >= 1.27.0)
-      openssl (~> 2.1.2, >= 2.1.2)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  oktakit
-  strongdm
-
-BUNDLED WITH
-   1.17.2

data/examples/okta-sync/matchers.yml

@@ -1,11 +0,0 @@
----
-    groups:
-      -
-        name: db/mongo
-        resources:
-          - type:mongo name:don*
-          - type:ssh name:dev*
-      -
-        name: app/web
-        resources:
-          - type:ssh name:dev-web*

data/examples/okta-sync/oktaSync.rb

@@ -1,173 +0,0 @@
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-require "yaml"
-require "strongdm"
-require "oktakit"
-require "optparse"
-
-SDM_API_ACCESS_KEY = ENV.fetch("SDM_API_ACCESS_KEY", "")
-SDM_API_SECRET_KEY = ENV.fetch("SDM_API_SECRET_KEY", "")
-OKTA_CLIENT_TOKEN = ENV.fetch("OKTA_CLIENT_TOKEN", "")
-OKTA_CLIENT_ORGURL = ENV.fetch("OKTA_CLIENT_ORGURL", "")
-
-def okta_sync
-  if SDM_API_ACCESS_KEY == "" || SDM_API_SECRET_KEY == "" || OKTA_CLIENT_TOKEN == "" || OKTA_CLIENT_ORGURL == ""
-    puts "SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY, OKTA_CLIENT_TOKEN, and OKTA_CLIENT_ORGURL must be set"
-    exit
-  end
-
-  report = {
-    :start => Time.now,
-
-    :oktaUsersCount => 0,
-    :oktaUsers => [],
-
-    :sdmUsersCount => 0,
-    :sdmUsers => [],
-
-    :bothUsersCount => 0,
-
-    :sdmResourcesCount => 0,
-    :sdmResources => {},
-
-    :permissionsGranted => 0,
-    :permissionsRevoked => 0,
-    :grants => [],
-    :revocations => [],
-
-    :matchers => {},
-  }
-
-  plan = false
-  verbose = false
-  OptionParser.new do |opts|
-    opts.banner = "Usage oktaSync.rb [options]"
-    opts.on("-p", "--plan", "calculate changes but do not apply them") do |p|
-      plan = p
-    end
-    opts.on("-v", "--verbose", "print detailed report") do |v|
-      verbose = v
-    end
-  end.parse!
-
-  client = SDM::Client.new(SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY)
-  okta_client = Oktakit.new(token: OKTA_CLIENT_TOKEN, api_endpoint: OKTA_CLIENT_ORGURL + "/api/v1")
-  matchers = YAML.load(File.read("matchers.yml"))
-  report[:matchers] = matchers
-
-  all_users = okta_client.list_users({
-    'query': {
-      'search': "profile.department eq \"Engineering\" and (status eq \"ACTIVE\")",
-    },
-  })
-
-  okta_users = Array.new()
-  all_users[0].each { |u|
-    groups = okta_client.get_member_groups(u.id)
-    group_names = Array.new()
-    groups[0].each { |ug|
-      group_names.push(ug.profile.name)
-    }
-    okta_users.push({ :login => u.profile.login, :first_name => u.profile.firstName, :last_name => u.profile.LastName, :groups => group_names })
-  }
-  report[:oktaUsers] = okta_users
-  report[:oktaUsersCount] = okta_users.size
-
-  accounts = client.accounts.list("type:user").map { |a| [a.email, a] }.to_h
-  report[:sdmUsers] = accounts
-  report[:sdmUsersCount] = accounts.size
-  grants = client.account_grants.list("").map { |ag| ag }
-
-  current = {}
-  grants.each { |g|
-    current[g.account_id] = [] if not current[g.account_id]
-    current[g.account_id].push({ :resource_id => g.resource_id, :id => g.id })
-  }
-
-  desired = {}
-  overlapping = 0
-  matchers["groups"].each { |group|
-    group["resources"].each { |resourceQuery|
-      client.resources.list(resourceQuery).each { |res|
-        report[:sdmResources][res.id] = res
-        okta_users.each { |u|
-          if u[:groups].include? group["name"]
-            account = accounts[u[:login]]
-            if account != nil
-              overlapping += 1
-              desired[account.id] = [] if not desired[account.id]
-              desired[account.id].push(res.id)
-            end
-          end
-        }
-      }
-    }
-  }
-  report[:bothUsersCount] = overlapping
-  report[:sdmResourcesCount] = report[:sdmResources].size
-
-  revocations = 0
-  current.each { |aid, curRes|
-    desRes = desired[aid]
-    desRes = [] if not desired[aid]
-    curRes.each { |r|
-      if not(desRes.include? r[:resource_id])
-        if plan
-          puts "Plan: revoke %s from user %s\n" % [r[:resource_id], aid]
-        else
-          client.account_grants.delete(r[:id])
-        end
-        report[:revocations].push(r[:id])
-        revocations += 1
-      end
-    }
-  }
-  report[:permissionsRevoked] = revocations
-
-  grants = 0
-  desired.each { |aid, desRes|
-    curRes = current[aid]
-    curRes = [] if not current[aid]
-    desRes.each { |r|
-      if not(curRes.map { |c| c[:resource_id] }.include? r)
-        ag = SDM::AccountGrant.new()
-        ag.account_id = aid
-        ag.resource_id = r
-        if plan
-          puts "Plan: grant %s to user %s\n" % [r, aid]
-        else
-          client.account_grants.create(ag)
-        end
-        report[:grants].push(ag)
-        grants += 1
-      end
-    }
-  }
-  report[:permissionsGranted] = grants
-
-  report[:complete] = Time.now
-
-  if verbose
-    puts report.to_json
-  else
-    puts "%d Okta users, %d strongDM users, %d overlapping users, %d grants, %d revocations" % [okta_users.size, accounts.size, overlapping, grants, revocations]
-  end
-end
-
-begin
-  okta_sync
-rescue StandardError => ex
-  puts "cannot synchronize with okta: " + ex.to_s
-end

data/examples/panicButton.rb

@@ -1,138 +0,0 @@
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-require "strongdm"
-require "OpenSSL"
-require "JSON"
-
-# panicButton.rb suspends all users except for one admin,
-# in the fake use case of a critical break in or something
-# usage:
-# ruby panicButton.rb adminuser@email.com
-# to revert back to pre-panic state:
-# ruby panicButton.rb revert
-def main
-  access_key = ENV["SDM_API_ACCESS_KEY"]
-  secret_key = ENV["SDM_API_SECRET_KEY"]
-  if access_key == nil or secret_key == nil
-    puts "SDM_API_ACCESS_KEY and SDM_API_SECRET_KEY must be provided"
-    return
-  end
-  client = SDM::Client.new(access_key, secret_key)
-
-  if ARGV.size == 1 and ARGV[0] == "revert"
-    state_file = File.open("state.json")
-    state = JSON.load(state_file)
-
-    reinstated_count = 0
-
-    users = client.accounts.list("")
-    users.each { |user|
-      if user.suspended
-        reinstated_count += 1
-        user.suspended = false
-        client.accounts.update(user)
-      end
-    }
-    state["attachments"].each { |attachment|
-      begin
-        a = SDM::AccountAttachment.new()
-        a.account_id = attachment["account_id"]
-        a.role_id = attachment["role_id"]
-        client.account_attachments.create(a)
-      rescue SDM::AlreadyExistsError
-      rescue => ex
-        puts "skipping creation of attachment due to error: " + ex.to_s
-      end
-    }
-    state["grants"].each { |attachment|
-      begin
-        g = SDM::AccountGrant.new()
-        g.account_id = attachment["account_id"]
-        g.resource_id = attachment["resource_id"]
-        client.account_grants.create(g)
-      rescue SDM::AlreadyExistsError
-      rescue => ex
-        puts "skipping creation of grant due to error: " + ex.to_s
-      end
-    }
-
-    puts "reinstated " + reinstated_count.to_s + " users"
-    puts "recreated " + state["attachments"].size.to_s + " account attachments"
-    puts "recreated " + state["grants"].size.to_s + " account grants"
-
-    return
-  end
-
-  admin_email = ""
-  if ARGV.size == 1
-    admin_email = ARGV[0]
-  else
-    puts "please provide an admin email to preserve"
-    return 1
-  end
-
-  admin_user_id = ""
-  users = client.accounts.list("email:?", admin_email)
-  users.each { |user|
-    admin_user_id = user.id
-  }
-
-  account_attachments = client.account_attachments.list("")
-  account_grants = client.account_grants.list("")
-
-  state = {
-    'attachments': account_attachments.map { |x|
-      if x.account_id != admin_user_id
-        out = {
-          'account_id': x.account_id,
-          'role_id': x.role_id,
-        }
-      end
-    }.reject { |x| x == nil },
-    'grants': account_grants.map { |x|
-      if x.account_id != admin_user_id and x.valid_until == nil
-        out = {
-          'account_id': x.account_id,
-          'resource_id': x.resource_id,
-        }
-      end
-    }.reject { |x| x == nil },
-  }
-
-  puts "storing " + state[:attachments].size.to_s + " account attachments in state"
-  puts "storing " + state[:grants].size.to_s + " account grants in state"
-
-  state_file = File.open("state.json", "w")
-  state_file.write(state.to_json)
-
-  suspended_count = 0
-  users = client.accounts.list("")
-  users.each { |user|
-    if user.instance_of? SDM::User and user.email == admin_email
-      next
-    end
-    user.suspended = true
-    begin
-      client.accounts.update(user)
-      suspended_count += 1
-    rescue StandardError => ex
-      puts "skipping user " + user.id + " on account of error: " + ex.to_s
-    end
-  }
-
-  puts "suspended " + suspended_count.to_s + " users"
-end
-
-main()