strongdm 1.0.7 → 1.0.8

data/lib/grpc/drivers_pb.rb

@@ -27,7 +27,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
         optional :athena, :message, 100, "v1.Athena"
         optional :big_query, :message, 200, "v1.BigQuery"
         optional :cassandra, :message, 300, "v1.Cassandra"
-        optional :db_2, :message, 2200, "v1.DB2"
+        optional :db_2_i, :message, 2400, "v1.DB2I"
+        optional :db_2_luw, :message, 2200, "v1.DB2LUW"
         optional :druid, :message, 400, "v1.Druid"
         optional :dynamo_db, :message, 500, "v1.DynamoDB"
         optional :amazon_es, :message, 600, "v1.AmazonES"
@@ -107,7 +108,19 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :port, :int32, 5
       optional :tls_required, :bool, 6
     end
-    add_message "v1.DB2" do
+    add_message "v1.DB2I" do
+      optional :id, :string, 32768
+      optional :name, :string, 32769
+      optional :healthy, :bool, 32770
+      optional :tags, :message, 32771, "v1.Tags"
+      optional :hostname, :string, 1
+      optional :username, :string, 2
+      optional :password, :string, 3
+      optional :port_override, :int32, 4
+      optional :port, :int32, 5
+      optional :tls_required, :bool, 7
+    end
+    add_message "v1.DB2LUW" do
       optional :id, :string, 32768
       optional :name, :string, 32769
       optional :healthy, :bool, 32770
@@ -651,7 +664,8 @@ module V1
   Athena = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.Athena").msgclass
   BigQuery = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.BigQuery").msgclass
   Cassandra = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.Cassandra").msgclass
-  DB2 = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.DB2").msgclass
+  DB2I = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.DB2I").msgclass
+  DB2LUW = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.DB2LUW").msgclass
   Druid = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.Druid").msgclass
   DynamoDB = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.DynamoDB").msgclass
   AmazonES = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("v1.AmazonES").msgclass

data/lib/grpc/plumbing.rb

@@ -854,8 +854,11 @@ module SDM
       if porcelain.instance_of? Cassandra
         plumbing.cassandra = convert_cassandra_to_plumbing(porcelain)
       end
-      if porcelain.instance_of? DB2
-        plumbing.db_2 = convert_db_2_to_plumbing(porcelain)
+      if porcelain.instance_of? DB2I
+        plumbing.db_2_i = convert_db_2_i_to_plumbing(porcelain)
+      end
+      if porcelain.instance_of? DB2LUW
+        plumbing.db_2_luw = convert_db_2_luw_to_plumbing(porcelain)
       end
       if porcelain.instance_of? Druid
         plumbing.druid = convert_druid_to_plumbing(porcelain)
@@ -1002,8 +1005,11 @@ module SDM
       if plumbing.cassandra != nil
         return convert_cassandra_to_porcelain(plumbing.cassandra)
       end
-      if plumbing.db_2 != nil
-        return convert_db_2_to_porcelain(plumbing.db_2)
+      if plumbing.db_2_i != nil
+        return convert_db_2_i_to_porcelain(plumbing.db_2_i)
+      end
+      if plumbing.db_2_luw != nil
+        return convert_db_2_luw_to_porcelain(plumbing.db_2_luw)
       end
       if plumbing.druid != nil
         return convert_druid_to_porcelain(plumbing.druid)
@@ -1304,11 +1310,63 @@ module SDM
       end
       items
     end
-    def self.convert_db_2_to_porcelain(plumbing)
+    def self.convert_db_2_i_to_porcelain(plumbing)
+      if plumbing == nil
+        return nil
+      end
+      porcelain = DB2I.new()
+      porcelain.id = (plumbing.id)
+      porcelain.name = (plumbing.name)
+      porcelain.healthy = (plumbing.healthy)
+      porcelain.tags = convert_tags_to_porcelain(plumbing.tags)
+      porcelain.hostname = (plumbing.hostname)
+      porcelain.username = (plumbing.username)
+      porcelain.password = (plumbing.password)
+      porcelain.port_override = (plumbing.port_override)
+      porcelain.port = (plumbing.port)
+      porcelain.tls_required = (plumbing.tls_required)
+      porcelain
+    end
+
+    def self.convert_db_2_i_to_plumbing(porcelain)
+      if porcelain == nil
+        return nil
+      end
+      plumbing = V1::DB2I.new()
+      plumbing.id = (porcelain.id) unless porcelain.id == nil
+      plumbing.name = (porcelain.name) unless porcelain.name == nil
+      plumbing.healthy = (porcelain.healthy) unless porcelain.healthy == nil
+      plumbing.tags = convert_tags_to_plumbing(porcelain.tags) unless porcelain.tags == nil
+      plumbing.hostname = (porcelain.hostname) unless porcelain.hostname == nil
+      plumbing.username = (porcelain.username) unless porcelain.username == nil
+      plumbing.password = (porcelain.password) unless porcelain.password == nil
+      plumbing.port_override = (porcelain.port_override) unless porcelain.port_override == nil
+      plumbing.port = (porcelain.port) unless porcelain.port == nil
+      plumbing.tls_required = (porcelain.tls_required) unless porcelain.tls_required == nil
+      plumbing
+    end
+    def self.convert_repeated_db_2_i_to_plumbing(porcelains)
+      items = Array.new
+      porcelains.each do |porcelain|
+        plumbing = convert_db_2_i_to_plumbing(porcelain)
+        items.append(plumbing)
+      end
+      items
+    end
+
+    def self.convert_repeated_db_2_i_to_porcelain(plumbings)
+      items = Array.new
+      plumbings.each do |plumbing|
+        porcelain = convert_db_2_i_to_porcelain(plumbing)
+        items.append(porcelain)
+      end
+      items
+    end
+    def self.convert_db_2_luw_to_porcelain(plumbing)
       if plumbing == nil
         return nil
       end
-      porcelain = DB2.new()
+      porcelain = DB2LUW.new()
       porcelain.id = (plumbing.id)
       porcelain.name = (plumbing.name)
       porcelain.healthy = (plumbing.healthy)
@@ -1322,11 +1380,11 @@ module SDM
       porcelain
     end
 
-    def self.convert_db_2_to_plumbing(porcelain)
+    def self.convert_db_2_luw_to_plumbing(porcelain)
       if porcelain == nil
         return nil
       end
-      plumbing = V1::DB2.new()
+      plumbing = V1::DB2LUW.new()
       plumbing.id = (porcelain.id) unless porcelain.id == nil
       plumbing.name = (porcelain.name) unless porcelain.name == nil
       plumbing.healthy = (porcelain.healthy) unless porcelain.healthy == nil
@@ -1339,19 +1397,19 @@ module SDM
       plumbing.port = (porcelain.port) unless porcelain.port == nil
       plumbing
     end
-    def self.convert_repeated_db_2_to_plumbing(porcelains)
+    def self.convert_repeated_db_2_luw_to_plumbing(porcelains)
       items = Array.new
       porcelains.each do |porcelain|
-        plumbing = convert_db_2_to_plumbing(porcelain)
+        plumbing = convert_db_2_luw_to_plumbing(porcelain)
         items.append(plumbing)
       end
       items
     end
 
-    def self.convert_repeated_db_2_to_porcelain(plumbings)
+    def self.convert_repeated_db_2_luw_to_porcelain(plumbings)
       items = Array.new
       plumbings.each do |plumbing|
-        porcelain = convert_db_2_to_porcelain(plumbing)
+        porcelain = convert_db_2_luw_to_porcelain(plumbing)
         items.append(porcelain)
       end
       items

data/lib/models/porcelain.rb

@@ -834,7 +834,82 @@ module SDM
     end
   end
 
-  class DB2
+  class DB2I
+    # Unique identifier of the Resource.
+    attr_accessor :id
+    # Unique human-readable name of the Resource.
+    attr_accessor :name
+    # True if the datasource is reachable and the credentials are valid.
+    attr_accessor :healthy
+    # Tags is a map of key, value pairs.
+    attr_accessor :tags
+
+    attr_accessor :hostname
+
+    attr_accessor :username
+
+    attr_accessor :password
+
+    attr_accessor :port_override
+
+    attr_accessor :port
+
+    attr_accessor :tls_required
+
+    def initialize(
+      id: nil,
+      name: nil,
+      healthy: nil,
+      tags: nil,
+      hostname: nil,
+      username: nil,
+      password: nil,
+      port_override: nil,
+      port: nil,
+      tls_required: nil
+    )
+      if id != nil
+        @id = id
+      end
+      if name != nil
+        @name = name
+      end
+      if healthy != nil
+        @healthy = healthy
+      end
+      if tags != nil
+        @tags = tags
+      end
+      if hostname != nil
+        @hostname = hostname
+      end
+      if username != nil
+        @username = username
+      end
+      if password != nil
+        @password = password
+      end
+      if port_override != nil
+        @port_override = port_override
+      end
+      if port != nil
+        @port = port
+      end
+      if tls_required != nil
+        @tls_required = tls_required
+      end
+    end
+
+    def to_json(options = {})
+      hash = {}
+      self.instance_variables.each do |var|
+        hash[var.id2name.delete_prefix("@")] = self.instance_variable_get var
+      end
+      hash.to_json
+    end
+  end
+
+  class DB2LUW
     # Unique identifier of the Resource.
     attr_accessor :id
     # Unique human-readable name of the Resource.

data/lib/version

@@ -1,17 +1,17 @@
 # Copyright 2020 StrongDM Inc
-# 
+#
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-# 
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# 
+#
 module SDM
-  VERSION = "1.0.7"
+  VERSION = "1.0.8"
 end

data/lib/version.rb

@@ -13,5 +13,5 @@
 # limitations under the License.
 #
 module SDM
-  VERSION = "1.0.7"
+  VERSION = "1.0.8"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: strongdm
 version: !ruby/object:Gem::Version
-  version: 1.0.7
+  version: 1.0.8
 platform: ruby
 authors:
 - strongDM Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-12 00:00:00.000000000 Z
+date: 2020-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grpc
@@ -120,6 +120,8 @@ files:
 - doc/SDM/Cockroach.html
 - doc/SDM/CreateResponseMetadata.html
 - doc/SDM/DB2.html
+- doc/SDM/DB2LUW.html
+- doc/SDM/DB2i.html
 - doc/SDM/DeadlineExceededError.html
 - doc/SDM/DeleteResponseMetadata.html
 - doc/SDM/Druid.html
@@ -264,16 +266,6 @@ files:
 - doc/lib/version.html
 - doc/strongdm_gemspec.html
 - doc/table_of_contents.html
-- examples/Gemfile
-- examples/Gemfile.lock
-- examples/README.md
-- examples/ldap-sync/ldapSync.rb
-- examples/listUsers.rb
-- examples/okta-sync/Gemfile
-- examples/okta-sync/Gemfile.lock
-- examples/okta-sync/matchers.yml
-- examples/okta-sync/oktaSync.rb
-- examples/panicButton.rb
 - lib/errors/errors.rb
 - lib/grpc/account_attachments_pb.rb
 - lib/grpc/account_attachments_services_pb.rb

data/examples/Gemfile

@@ -1,3 +0,0 @@
-source "https://rubygems.org"
-
-gem "strongdm"

data/examples/Gemfile.lock

@@ -1,14 +0,0 @@
-GEM
-  specs:
-    ipaddr (1.2.2)
-    openssl (2.1.2)
-      ipaddr
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  openssl
-
-BUNDLED WITH
-   1.17.2

data/examples/README.md

@@ -1,5 +0,0 @@
-Prior to running examples, run:
-
-```ShellSession
-$ bundler install
-```

data/examples/ldap-sync/ldapSync.rb

@@ -1,290 +0,0 @@
-# Copyright 2020 StrongDM Inc
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-require "yaml"
-require "strongdm"
-require "net/ldap"
-require "optparse"
-require "logger"
-
-# This script reads from an LDAP server and does the following writes in StrongDM:
-# - creates roles for each configured organizational unit (OU)
-# - creates accounts for users in those OUs
-# - attaches those accounts to their corresponding roles
-# - grants resources to these roles based on configured filters
-# - detaches accounts from roles, deletes accounts, and deletes grants as necessary
-
-# IMPORTANT CAVEATS:
-# - this script can pull existing StrongDM users into its purview. then, if the
-#   user is removed from LDAP, it will delete the user.
-# - if you need to delete an entire role / OU, you'll need to do it manually.
-#   this script does not touch roles that are not in the config file.
-
-# Example config file:
-
-# organizationalUnits:
-#   - dn: OU=Other-OU,DC=j42,DC=xyz
-#     role: Other-OU
-#     resources:
-#       - name:*Other-OU*
-#       - name:*Multi*
-#   - dn: OU=admins,DC=j42,DC=xyz
-#     role: admins
-#     resources:
-#       - name:*admins*
-#   - dn: OU=People,DC=j42,DC=xyz
-#     role: People
-#     resources:
-#       - name:*People*
-
-SDM_API_ACCESS_KEY = ENV.fetch("SDM_API_ACCESS_KEY", "")
-SDM_API_SECRET_KEY = ENV.fetch("SDM_API_SECRET_KEY", "")
-LDAP_HOST = ENV.fetch("LDAP_HOST", "")
-LDAP_BIND_DN = ENV.fetch("LDAP_BIND_DN", "")
-LDAP_PASSWORD = ENV.fetch("LDAP_PASSWORD", "")
-
-# gets the first item in a list or generator
-def first(attrib)
-  result = nil
-  attrib.each do |item|
-    if result == nil
-      result = item
-    end
-  end
-  result
-end
-
-def ldap_sync
-  if SDM_API_ACCESS_KEY == "" || SDM_API_SECRET_KEY == "" || LDAP_BIND_DN == ""
-    puts "SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY, and LDAP_BIND_DN must be set"
-    exit 1
-  end
-
-  plan = false
-  verbose = false
-  configPath = "config.yml"
-  OptionParser.new do |opts|
-    opts.banner = "Usage ldapSync.rb [options]"
-    opts.on("-p", "--plan", "calculate changes but do not apply them") do |p|
-      plan = p
-    end
-    opts.on("-v", "--verbose", "print detailed report") do |v|
-      verbose = v
-    end
-    opts.on("-c", "--config FILE", "specify path to config YAML file (default: 'config.yml')") do |v|
-      configPath = v
-    end
-  end.parse!
-
-  begin
-    config = YAML.load(File.read(configPath))
-  rescue StandardError => ex
-    raise ex, "failed to parse #{configPath}"
-  end
-
-  begin
-    sdmClient = SDM::Client.new(SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY, host: "api.strongdmdev.com:443")
-  rescue SDM::RPCError => ex
-    raise ex, "failed to create StrongDM client"
-  end
-
-  ldap = Net::LDAP.new
-  ldap.host = LDAP_HOST
-  ldap.auth LDAP_BIND_DN, LDAP_PASSWORD
-  if not ldap.bind
-    puts "failed to bind LDAP connection - authentication error"
-    exit 1
-  end
-
-  sdmRoles = {} # map of name to ID
-  sdmAccounts = {} # map of email to id
-  sdmResources = {} # map of ID to name
-  sdmAccountsById = {} # map of id to { :email, :firstName, :lastName }
-  sdmAccountsWithAttachments = {} # map of email to id of all accounts that are in the roles we're interested in
-  sdmAccountAttachments = {} # map of role name to list of emails
-  sdmRoleGrants = {} # map of role name to list of { :resourceId, :grantId }
-  ldapRoles = [] # list of names
-  ldapAccounts = {} # map of email to { :firstName, :lastName }
-  ldapAccountAttachments = {} # map of role name to list of emails
-  desiredRoleGrants = {} # map of role name to list of resource IDs
-
-  # get SDM accounts
-  sdmClient.accounts.list("").each do |account|
-    sdmAccounts[account.email] = account.id
-    sdmAccountsById[account.id] = { :email => account.email, :firstName => account.first_name, :lastName => account.last_name }
-  end
-
-  # get SDM resources
-  sdmClient.resources.list("").each do |resource|
-    sdmResources[resource.id] = resource.name
-  end
-
-  # loop through OUs
-  config["organizationalUnits"].each do |ou|
-
-    # get SDM state for this OU
-    role = first(sdmClient.roles.list("name:?", ou["role"]))
-    if role
-      sdmRoles[role.name] = role.id
-
-      # get accounts attached to this role
-      accountEmails = []
-      sdmClient.account_attachments.list("roleid:?", role.id).each do |attachment|
-        sdmAccount = sdmAccountsById[attachment.account_id]
-        email = sdmAccount[:email]
-        sdmAccountsWithAttachments[email] = attachment.account_id
-        accountEmails.push(email)
-      end
-      sdmAccountAttachments[role.name] = accountEmails
-
-      # get resources granted to this role
-      roleGrants = []
-      sdmClient.role_grants.list("roleid:?", role.id).each do |grant|
-        roleGrants.push({ :resourceId => grant.resource_id, :grantId => grant.id })
-      end
-      sdmRoleGrants[role.name] = roleGrants
-
-      # get resources that we want to grant to this role
-      filteredResources = {} # map of resource ID to true (to prevent duplicates)
-      filters = ou["resources"] # list of filter strings
-      if filters
-        filters.each do |filter|
-          sdmClient.resources.list(filter).each do |resource|
-            filteredResources[resource.id] = true
-          end
-        end
-        desiredRoleGrants[role.name] = filteredResources.keys
-      end
-    end
-
-    # get LDAP state for this OU
-    ldapRoles.push(ou["role"].to_s)
-    roleAccounts = []
-    ldap.search(:base => ou["dn"], :filter => Net::LDAP::Filter.eq("objectclass", "user"), :return_result => false) do |entry|
-      ldapAccounts[first(entry.mail).to_s] = {
-        :firstName => first(entry.givenname).to_s,
-        :lastName => first(entry.sn).to_s,
-      }
-      roleAccounts.push(first(entry.mail).to_s)
-    end
-    ldapAccountAttachments[ou["role"].to_s] = roleAccounts
-  end
-
-  # compute diff
-  report = {
-    :createRoles => [],
-    :deleteAccounts => [],
-    :updateAccounts => [],
-    :createAccounts => [],
-    :createAccountAttachments => [],
-    :deleteAccountAttachments => [],
-    :deleteRoleGrants => [],
-    :createRoleGrants => [],
-  }
-  # createRoles
-  ldapRoles.each do |roleName|
-    next if sdmRoles[roleName]
-    report[:createRoles].push(roleName)
-    next if plan
-    response = sdmClient.roles.create(SDM::Role.new(name: roleName))
-    sdmRoles[roleName] = response.role.id
-  end
-  # deleteAccounts
-  sdmAccountsWithAttachments.each do |email, id|
-    next if ldapAccounts[email]
-    report[:deleteAccounts].push(email)
-    next if plan
-    sdmClient.accounts.delete(id)
-  end
-  # updateAccounts
-  sdmAccountsWithAttachments.each do |email, id|
-    ldapAccount = ldapAccounts[email]
-    next if not ldapAccount
-    sdmAccount = sdmAccountsById[id]
-    next if sdmAccount[:firstName] == ldapAccount[:firstName] and sdmAccount[:lastName] == ldapAccount[:lastName]
-    report[:updateAccounts].push(email)
-    next if plan
-    sdmClient.accounts.update(SDM::User.new(id: id, first_name: ldapAccount[:firstName], last_name: ldapAccount[:lastName]))
-  end
-  # createAccounts
-  ldapAccounts.each do |email, account|
-    next if sdmAccounts[email]
-    report[:createAccounts].push(email)
-    next if plan
-    response = sdmClient.accounts.create(SDM::User.new(email: email, first_name: account[:firstName], last_name: account[:lastName]))
-    sdmAccounts[response.account.email] = response.account.id
-  end
-  # deleteAccountAttachments
-  sdmAccountAttachments.each do |roleName, accounts|
-    roleId = sdmRoles[roleName]
-    ldapAccountsInRole = ldapAccountAttachments[roleName]
-    accounts.each do |email|
-      next if ldapAccountsInRole and ldapAccountsInRole.include? email
-      report[:deleteAccountAttachments].push({ :role => roleName, :account => email })
-      next if plan
-      accountId = sdmAccounts[email]
-      attachment = first(sdmClient.account_attachments.list("accountid:? roleid:?", accountId, roleId))
-      next if not attachment # already deleted by the deleteAccounts step
-      sdmClient.account_attachments.delete(attachment.id)
-    end
-  end
-  # createAccountAttachments
-  ldapAccountAttachments.each do |roleName, accounts|
-    roleId = sdmRoles[roleName]
-    sdmAccountsInRole = sdmAccountAttachments[roleName]
-    accounts.each do |email|
-      next if sdmAccountsInRole and sdmAccountsInRole.include? email
-      report[:createAccountAttachments].push({ :role => roleName, :account => email })
-      accountId = sdmAccounts[email]
-      next if plan
-      sdmClient.account_attachments.create(SDM::AccountAttachment.new(account_id: accountId, role_id: roleId))
-    end
-  end
-  # deleteRoleGrants
-  sdmRoleGrants.each do |roleName, roleGrants|
-    desired = desiredRoleGrants[roleName]
-    roleGrants.each do |grant|
-      next if desired and desired.include? grant[:resourceId]
-      resourceName = sdmResources[grant[:resourceId]]
-      report[:deleteRoleGrants].push({ :role => roleName, :resource => resourceName })
-      next if plan
-      sdmClient.role_grants.delete(grant[:grantId])
-    end
-  end
-  # createRoleGrants
-  desiredRoleGrants.each do |roleName, roleGrants|
-    roleId = sdmRoles[roleName]
-    existing = sdmRoleGrants[roleName]
-    roleGrants.each do |resourceId|
-      next if existing and existing.find { |existingGrant| existingGrant[:resourceId] == resourceId }
-      resourceName = sdmResources[resourceId]
-      report[:createRoleGrants].push({ :role => roleName, :resource => resourceName })
-      next if plan
-      sdmClient.role_grants.create(SDM::RoleGrant.new(role_id: roleId, resource_id: resourceId))
-    end
-  end
-  if verbose
-    puts JSON.pretty_generate(report)
-  else
-    puts "Create #{report[:createRoles].length} roles"
-    puts "Delete #{report[:deleteAccounts].length} accounts"
-    puts "Create #{report[:createAccounts].length} accounts"
-    puts "Delete #{report[:deleteAccountAttachments].length} account attachments"
-    puts "Create #{report[:createAccountAttachments].length} account attachments"
-    puts "Delete #{report[:deleteRoleGrants].length} role grants"
-    puts "Create #{report[:createRoleGrants].length} role grants"
-  end
-end
-
-ldap_sync