strongdm 1.0.7 → 1.0.13

data/examples/okta-sync/Gemfile

@@ -1,4 +0,0 @@
-source "https://rubygems.org"
-
-gem "strongdm"
-gem "oktakit"

data/examples/okta-sync/Gemfile.lock

@@ -1,38 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    faraday (1.0.0)
-      multipart-post (>= 1.2, < 3)
-    google-protobuf (3.11.4)
-    googleapis-common-protos-types (1.0.4)
-      google-protobuf (~> 3.0)
-    grpc (1.27.0)
-      google-protobuf (~> 3.11)
-      googleapis-common-protos-types (~> 1.0)
-    grpc-tools (1.27.0)
-    ipaddr (1.2.2)
-    multipart-post (2.1.1)
-    oktakit (0.2.0)
-      sawyer (~> 0.8.1)
-    openssl (2.1.2)
-      ipaddr
-    public_suffix (4.0.3)
-    sawyer (0.8.2)
-      addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
-    strongdm (1.0.0)
-      grpc (~> 1.27.0, >= 1.27.0)
-      grpc-tools (~> 1.27.0, >= 1.27.0)
-      openssl (~> 2.1.2, >= 2.1.2)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  oktakit
-  strongdm
-
-BUNDLED WITH
-   1.17.2

data/examples/okta-sync/matchers.yml

@@ -1,11 +0,0 @@
----
-    groups:
-      -
-        name: db/mongo
-        resources:
-          - type:mongo name:don*
-          - type:ssh name:dev*
-      -
-        name: app/web
-        resources:
-          - type:ssh name:dev-web*

data/examples/okta-sync/oktaSync.rb

@@ -1,173 +0,0 @@
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-require "yaml"
-require "strongdm"
-require "oktakit"
-require "optparse"
-
-SDM_API_ACCESS_KEY = ENV.fetch("SDM_API_ACCESS_KEY", "")
-SDM_API_SECRET_KEY = ENV.fetch("SDM_API_SECRET_KEY", "")
-OKTA_CLIENT_TOKEN = ENV.fetch("OKTA_CLIENT_TOKEN", "")
-OKTA_CLIENT_ORGURL = ENV.fetch("OKTA_CLIENT_ORGURL", "")
-
-def okta_sync
-  if SDM_API_ACCESS_KEY == "" || SDM_API_SECRET_KEY == "" || OKTA_CLIENT_TOKEN == "" || OKTA_CLIENT_ORGURL == ""
-    puts "SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY, OKTA_CLIENT_TOKEN, and OKTA_CLIENT_ORGURL must be set"
-    exit
-  end
-
-  report = {
-    :start => Time.now,
-
-    :oktaUsersCount => 0,
-    :oktaUsers => [],
-
-    :sdmUsersCount => 0,
-    :sdmUsers => [],
-
-    :bothUsersCount => 0,
-
-    :sdmResourcesCount => 0,
-    :sdmResources => {},
-
-    :permissionsGranted => 0,
-    :permissionsRevoked => 0,
-    :grants => [],
-    :revocations => [],
-
-    :matchers => {},
-  }
-
-  plan = false
-  verbose = false
-  OptionParser.new do |opts|
-    opts.banner = "Usage oktaSync.rb [options]"
-    opts.on("-p", "--plan", "calculate changes but do not apply them") do |p|
-      plan = p
-    end
-    opts.on("-v", "--verbose", "print detailed report") do |v|
-      verbose = v
-    end
-  end.parse!
-
-  client = SDM::Client.new(SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY)
-  okta_client = Oktakit.new(token: OKTA_CLIENT_TOKEN, api_endpoint: OKTA_CLIENT_ORGURL + "/api/v1")
-  matchers = YAML.load(File.read("matchers.yml"))
-  report[:matchers] = matchers
-
-  all_users = okta_client.list_users({
-    'query': {
-      'search': "profile.department eq \"Engineering\" and (status eq \"ACTIVE\")",
-    },
-  })
-
-  okta_users = Array.new()
-  all_users[0].each { |u|
-    groups = okta_client.get_member_groups(u.id)
-    group_names = Array.new()
-    groups[0].each { |ug|
-      group_names.push(ug.profile.name)
-    }
-    okta_users.push({ :login => u.profile.login, :first_name => u.profile.firstName, :last_name => u.profile.LastName, :groups => group_names })
-  }
-  report[:oktaUsers] = okta_users
-  report[:oktaUsersCount] = okta_users.size
-
-  accounts = client.accounts.list("type:user").map { |a| [a.email, a] }.to_h
-  report[:sdmUsers] = accounts
-  report[:sdmUsersCount] = accounts.size
-  grants = client.account_grants.list("").map { |ag| ag }
-
-  current = {}
-  grants.each { |g|
-    current[g.account_id] = [] if not current[g.account_id]
-    current[g.account_id].push({ :resource_id => g.resource_id, :id => g.id })
-  }
-
-  desired = {}
-  overlapping = 0
-  matchers["groups"].each { |group|
-    group["resources"].each { |resourceQuery|
-      client.resources.list(resourceQuery).each { |res|
-        report[:sdmResources][res.id] = res
-        okta_users.each { |u|
-          if u[:groups].include? group["name"]
-            account = accounts[u[:login]]
-            if account != nil
-              overlapping += 1
-              desired[account.id] = [] if not desired[account.id]
-              desired[account.id].push(res.id)
-            end
-          end
-        }
-      }
-    }
-  }
-  report[:bothUsersCount] = overlapping
-  report[:sdmResourcesCount] = report[:sdmResources].size
-
-  revocations = 0
-  current.each { |aid, curRes|
-    desRes = desired[aid]
-    desRes = [] if not desired[aid]
-    curRes.each { |r|
-      if not(desRes.include? r[:resource_id])
-        if plan
-          puts "Plan: revoke %s from user %s\n" % [r[:resource_id], aid]
-        else
-          client.account_grants.delete(r[:id])
-        end
-        report[:revocations].push(r[:id])
-        revocations += 1
-      end
-    }
-  }
-  report[:permissionsRevoked] = revocations
-
-  grants = 0
-  desired.each { |aid, desRes|
-    curRes = current[aid]
-    curRes = [] if not current[aid]
-    desRes.each { |r|
-      if not(curRes.map { |c| c[:resource_id] }.include? r)
-        ag = SDM::AccountGrant.new()
-        ag.account_id = aid
-        ag.resource_id = r
-        if plan
-          puts "Plan: grant %s to user %s\n" % [r, aid]
-        else
-          client.account_grants.create(ag)
-        end
-        report[:grants].push(ag)
-        grants += 1
-      end
-    }
-  }
-  report[:permissionsGranted] = grants
-
-  report[:complete] = Time.now
-
-  if verbose
-    puts report.to_json
-  else
-    puts "%d Okta users, %d strongDM users, %d overlapping users, %d grants, %d revocations" % [okta_users.size, accounts.size, overlapping, grants, revocations]
-  end
-end
-
-begin
-  okta_sync
-rescue StandardError => ex
-  puts "cannot synchronize with okta: " + ex.to_s
-end

data/examples/panicButton.rb

@@ -1,138 +0,0 @@
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-require "strongdm"
-require "OpenSSL"
-require "JSON"
-
-# panicButton.rb suspends all users except for one admin,
-# in the fake use case of a critical break in or something
-# usage:
-# ruby panicButton.rb adminuser@email.com
-# to revert back to pre-panic state:
-# ruby panicButton.rb revert
-def main
-  access_key = ENV["SDM_API_ACCESS_KEY"]
-  secret_key = ENV["SDM_API_SECRET_KEY"]
-  if access_key == nil or secret_key == nil
-    puts "SDM_API_ACCESS_KEY and SDM_API_SECRET_KEY must be provided"
-    return
-  end
-  client = SDM::Client.new(access_key, secret_key)
-
-  if ARGV.size == 1 and ARGV[0] == "revert"
-    state_file = File.open("state.json")
-    state = JSON.load(state_file)
-
-    reinstated_count = 0
-
-    users = client.accounts.list("")
-    users.each { |user|
-      if user.suspended
-        reinstated_count += 1
-        user.suspended = false
-        client.accounts.update(user)
-      end
-    }
-    state["attachments"].each { |attachment|
-      begin
-        a = SDM::AccountAttachment.new()
-        a.account_id = attachment["account_id"]
-        a.role_id = attachment["role_id"]
-        client.account_attachments.create(a)
-      rescue SDM::AlreadyExistsError
-      rescue => ex
-        puts "skipping creation of attachment due to error: " + ex.to_s
-      end
-    }
-    state["grants"].each { |attachment|
-      begin
-        g = SDM::AccountGrant.new()
-        g.account_id = attachment["account_id"]
-        g.resource_id = attachment["resource_id"]
-        client.account_grants.create(g)
-      rescue SDM::AlreadyExistsError
-      rescue => ex
-        puts "skipping creation of grant due to error: " + ex.to_s
-      end
-    }
-
-    puts "reinstated " + reinstated_count.to_s + " users"
-    puts "recreated " + state["attachments"].size.to_s + " account attachments"
-    puts "recreated " + state["grants"].size.to_s + " account grants"
-
-    return
-  end
-
-  admin_email = ""
-  if ARGV.size == 1
-    admin_email = ARGV[0]
-  else
-    puts "please provide an admin email to preserve"
-    return 1
-  end
-
-  admin_user_id = ""
-  users = client.accounts.list("email:?", admin_email)
-  users.each { |user|
-    admin_user_id = user.id
-  }
-
-  account_attachments = client.account_attachments.list("")
-  account_grants = client.account_grants.list("")
-
-  state = {
-    'attachments': account_attachments.map { |x|
-      if x.account_id != admin_user_id
-        out = {
-          'account_id': x.account_id,
-          'role_id': x.role_id,
-        }
-      end
-    }.reject { |x| x == nil },
-    'grants': account_grants.map { |x|
-      if x.account_id != admin_user_id and x.valid_until == nil
-        out = {
-          'account_id': x.account_id,
-          'resource_id': x.resource_id,
-        }
-      end
-    }.reject { |x| x == nil },
-  }
-
-  puts "storing " + state[:attachments].size.to_s + " account attachments in state"
-  puts "storing " + state[:grants].size.to_s + " account grants in state"
-
-  state_file = File.open("state.json", "w")
-  state_file.write(state.to_json)
-
-  suspended_count = 0
-  users = client.accounts.list("")
-  users.each { |user|
-    if user.instance_of? SDM::User and user.email == admin_email
-      next
-    end
-    user.suspended = true
-    begin
-      client.accounts.update(user)
-      suspended_count += 1
-    rescue StandardError => ex
-      puts "skipping user " + user.id + " on account of error: " + ex.to_s
-    end
-  }
-
-  puts "suspended " + suspended_count.to_s + " users"
-end
-
-main()