strongdm 14.17.0 → 14.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f6b8f409390da4d50e0f847b07f2ecffbbe0fd2788a71733362a14840e133c32
-  data.tar.gz: 7ff9d3f9d6ce6e28f1fad7b5441d56e9170caa90d8dbb874415915803ca5b8a4
+  metadata.gz: ffc2f684354edc591bd80a6bc6b06e5c60ba616361b52bbe4841615aa7038049
+  data.tar.gz: 4734c850b046b1d0a673500f38f75199396b10314c576b1fe8015db6d5ff9e17
 SHA512:
-  metadata.gz: ba02cf5434706265d5081948135f74cd4a82d02011f17e08ed9b996840d5592a57bacba957b9fafbbec6d75aa72f09ee05da1cd3d38e45f3e55247583c63e78d
-  data.tar.gz: cd45b5d0b226155336d3404256066469f85cbcfe4a0f62e1a1b0f9f28be4c296b808eb74ca48d843889e12c4961c6fc234bf7055e60328cb22d4c2d80324e3d6
+  metadata.gz: b574d54bf9023fbeb95d65992ec43a3ec8e7af1a4643ac01125e71517fc521c67605f4c243a2559c28ea34bfda1a9c628df14e71bd8163477fe019663dbdbb4c
+  data.tar.gz: c6e75c6c48358596a8d78428ef5e1499db065d3400e7bceddd7be4141526ea0a916e8d5c0b545a26bae42c158f39ccaeea2ee3069269279b733c36dd31e002ef

data/.git/ORIG_HEAD

@@ -1 +1 @@
-208194810b58fc7e050508e7df5360b4f39d5b68
+88d2b85cd4a760ba5f48260c9a1799a441f96369

data/.git/logs/HEAD

@@ -1,3 +1,3 @@
-0000000000000000000000000000000000000000 208194810b58fc7e050508e7df5360b4f39d5b68 root <root@16b027a199a6.(none)> 1747852935 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
-208194810b58fc7e050508e7df5360b4f39d5b68 208194810b58fc7e050508e7df5360b4f39d5b68 root <root@16b027a199a6.(none)> 1747852935 +0000	checkout: moving from master to master
-208194810b58fc7e050508e7df5360b4f39d5b68 88d2b85cd4a760ba5f48260c9a1799a441f96369 root <root@16b027a199a6.(none)> 1747852935 +0000	merge origin/development: Fast-forward
+0000000000000000000000000000000000000000 88d2b85cd4a760ba5f48260c9a1799a441f96369 root <root@a26af7fed765.(none)> 1748044166 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
+88d2b85cd4a760ba5f48260c9a1799a441f96369 88d2b85cd4a760ba5f48260c9a1799a441f96369 root <root@a26af7fed765.(none)> 1748044166 +0000	checkout: moving from master to master
+88d2b85cd4a760ba5f48260c9a1799a441f96369 7d85e318ab1eda4e409329d726facc84bbaa57c2 root <root@a26af7fed765.(none)> 1748044166 +0000	merge origin/development: Fast-forward

data/.git/logs/refs/heads/master

@@ -1,2 +1,2 @@
-0000000000000000000000000000000000000000 208194810b58fc7e050508e7df5360b4f39d5b68 root <root@16b027a199a6.(none)> 1747852935 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
-208194810b58fc7e050508e7df5360b4f39d5b68 88d2b85cd4a760ba5f48260c9a1799a441f96369 root <root@16b027a199a6.(none)> 1747852935 +0000	merge origin/development: Fast-forward
+0000000000000000000000000000000000000000 88d2b85cd4a760ba5f48260c9a1799a441f96369 root <root@a26af7fed765.(none)> 1748044166 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
+88d2b85cd4a760ba5f48260c9a1799a441f96369 7d85e318ab1eda4e409329d726facc84bbaa57c2 root <root@a26af7fed765.(none)> 1748044166 +0000	merge origin/development: Fast-forward

data/.git/logs/refs/remotes/origin/HEAD

@@ -1 +1 @@
-0000000000000000000000000000000000000000 208194810b58fc7e050508e7df5360b4f39d5b68 root <root@16b027a199a6.(none)> 1747852935 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
+0000000000000000000000000000000000000000 88d2b85cd4a760ba5f48260c9a1799a441f96369 root <root@a26af7fed765.(none)> 1748044166 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git

data/.git/packed-refs

@@ -1,6 +1,6 @@
 # pack-refs with: peeled fully-peeled sorted 
-88d2b85cd4a760ba5f48260c9a1799a441f96369 refs/remotes/origin/development
-208194810b58fc7e050508e7df5360b4f39d5b68 refs/remotes/origin/master
+7d85e318ab1eda4e409329d726facc84bbaa57c2 refs/remotes/origin/development
+88d2b85cd4a760ba5f48260c9a1799a441f96369 refs/remotes/origin/master
 2e4fe8087177ddea9b3991ca499f758384839c89 refs/tags/untagged-84fd83a4484c785cce63
 04f604866214fab4d5663b5171a3e596331577bd refs/tags/v0.9.4
 6f9a7b75b345c65fb554884907b7060680c807b7 refs/tags/v0.9.5
@@ -86,6 +86,7 @@ d92875bdf2278c475f52984d1165544d287e2255 refs/tags/v14.10.0
 39946f5be0cf4bd4a6f3432cbe1caa0889a9fcf2 refs/tags/v14.12.0
 6a06ac49ca3c4d8d829450631d5f809c0fd5f593 refs/tags/v14.13.0
 208194810b58fc7e050508e7df5360b4f39d5b68 refs/tags/v14.14.0
+88d2b85cd4a760ba5f48260c9a1799a441f96369 refs/tags/v14.17.0
 f9539f7781664eb4681b99f12cbcc5d613e241ab refs/tags/v14.2.0
 435ad5faee6a7b0f94295b5d5fe9060611a81df3 refs/tags/v14.3.0
 90b476259dcfed955ebd9339fbe2bbb0c2086b6d refs/tags/v14.4.0

data/.git/refs/heads/master

@@ -1 +1 @@
-88d2b85cd4a760ba5f48260c9a1799a441f96369
+7d85e318ab1eda4e409329d726facc84bbaa57c2

data/lib/grpc/drivers_pb.rb

@@ -1215,6 +1215,8 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :subdomain, :string, 32775
       optional :allow_resource_role_bypass, :bool, 15
       optional :certificate_authority, :string, 4
+      optional :discovery_enabled, :bool, 13
+      optional :discovery_username, :string, 14
       optional :healthcheck_namespace, :string, 6
       optional :identity_alias_healthcheck_username, :string, 8
       optional :identity_set_id, :string, 7

data/lib/grpc/plumbing.rb

@@ -7693,6 +7693,8 @@ module SDM
       porcelain.allow_resource_role_bypass = (plumbing.allow_resource_role_bypass)
       porcelain.bind_interface = (plumbing.bind_interface)
       porcelain.certificate_authority = (plumbing.certificate_authority)
+      porcelain.discovery_enabled = (plumbing.discovery_enabled)
+      porcelain.discovery_username = (plumbing.discovery_username)
       porcelain.egress_filter = (plumbing.egress_filter)
       porcelain.healthcheck_namespace = (plumbing.healthcheck_namespace)
       porcelain.healthy = (plumbing.healthy)
@@ -7716,6 +7718,8 @@ module SDM
       plumbing.allow_resource_role_bypass = (porcelain.allow_resource_role_bypass)
       plumbing.bind_interface = (porcelain.bind_interface)
       plumbing.certificate_authority = (porcelain.certificate_authority)
+      plumbing.discovery_enabled = (porcelain.discovery_enabled)
+      plumbing.discovery_username = (porcelain.discovery_username)
       plumbing.egress_filter = (porcelain.egress_filter)
       plumbing.healthcheck_namespace = (porcelain.healthcheck_namespace)
       plumbing.healthy = (porcelain.healthy)
@@ -11369,6 +11373,7 @@ module SDM
       porcelain.encrypted = (plumbing.encrypted)
       porcelain.id = (plumbing.id)
       porcelain.identity_alias_username = (plumbing.identity_alias_username)
+      porcelain.metadata_json = (plumbing.metadata_json)
       porcelain.query_body = (plumbing.query_body)
       porcelain.query_category = (plumbing.query_category)
       porcelain.query_hash = (plumbing.query_hash)
@@ -11405,6 +11410,7 @@ module SDM
       plumbing.encrypted = (porcelain.encrypted)
       plumbing.id = (porcelain.id)
       plumbing.identity_alias_username = (porcelain.identity_alias_username)
+      plumbing.metadata_json = (porcelain.metadata_json)
       plumbing.query_body = (porcelain.query_body)
       plumbing.query_category = (porcelain.query_category)
       plumbing.query_hash = (porcelain.query_hash)

data/lib/grpc/queries_pb.rb

@@ -65,6 +65,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :authzJson, :string, 28
       optional :client_ip, :string, 29
       optional :identity_alias_username, :string, 30
+      optional :metadata_json, :string, 31
     end
     add_message "v1.QueryCapture" do
       optional :width, :int32, 1

data/lib/models/porcelain.rb

@@ -7696,6 +7696,11 @@ module SDM
     attr_accessor :bind_interface
     # The CA to authenticate TLS connections with.
     attr_accessor :certificate_authority
+    # If true, configures discovery of a cluster to be run from a node.
+    attr_accessor :discovery_enabled
+    # If a cluster is configured for user impersonation, this is the user to impersonate when
+    # running discovery.
+    attr_accessor :discovery_username
     # A filter applied to the routing logic to pin datasource to nodes.
     attr_accessor :egress_filter
     # The path used to check the health of your connection.  Defaults to `default`.
@@ -7725,6 +7730,8 @@ module SDM
       allow_resource_role_bypass: nil,
       bind_interface: nil,
       certificate_authority: nil,
+      discovery_enabled: nil,
+      discovery_username: nil,
       egress_filter: nil,
       healthcheck_namespace: nil,
       healthy: nil,
@@ -7741,6 +7748,8 @@ module SDM
       @allow_resource_role_bypass = allow_resource_role_bypass == nil ? false : allow_resource_role_bypass
       @bind_interface = bind_interface == nil ? "" : bind_interface
       @certificate_authority = certificate_authority == nil ? "" : certificate_authority
+      @discovery_enabled = discovery_enabled == nil ? false : discovery_enabled
+      @discovery_username = discovery_username == nil ? "" : discovery_username
       @egress_filter = egress_filter == nil ? "" : egress_filter
       @healthcheck_namespace = healthcheck_namespace == nil ? "" : healthcheck_namespace
       @healthy = healthy == nil ? false : healthy
@@ -11149,6 +11158,8 @@ module SDM
     attr_accessor :id
     # The username of the IdentityAlias used to access the Resource.
     attr_accessor :identity_alias_username
+    # Driver specific metadata associated with this query.
+    attr_accessor :metadata_json
     # The captured content of the Query.
     # For queries against SSH, Kubernetes, and RDP resources, this contains a JSON representation of the QueryCapture.
     attr_accessor :query_body
@@ -11199,6 +11210,7 @@ module SDM
       encrypted: nil,
       id: nil,
       identity_alias_username: nil,
+      metadata_json: nil,
       query_body: nil,
       query_category: nil,
       query_hash: nil,
@@ -11228,6 +11240,7 @@ module SDM
       @encrypted = encrypted == nil ? false : encrypted
       @id = id == nil ? "" : id
       @identity_alias_username = identity_alias_username == nil ? "" : identity_alias_username
+      @metadata_json = metadata_json == nil ? "" : metadata_json
       @query_body = query_body == nil ? "" : query_body
       @query_category = query_category == nil ? "" : query_category
       @query_hash = query_hash == nil ? "" : query_hash

data/lib/strongdm.rb

@@ -25,25 +25,27 @@ module SDM #:nodoc:
 
   # Client bundles all the services together and initializes them.
   class Client
-    DEFAULT_MAX_RETRIES = 3
-    DEFAULT_BASE_RETRY_DELAY = 0.0030 # 30 ms
-    DEFAULT_MAX_RETRY_DELAY = 300 # 300 seconds
+    DEFAULT_BASE_RETRY_DELAY = 1 # 1 second
+    DEFAULT_MAX_RETRY_DELAY = 120 # 120 seconds
+    DEFAULT_RETRY_FACTOR = 1.6
+    DEFAULT_RETRY_JITTER = 0.2
     API_VERSION = "2025-04-14"
-    USER_AGENT = "strongdm-sdk-ruby/14.17.0"
-    private_constant :DEFAULT_MAX_RETRIES, :DEFAULT_BASE_RETRY_DELAY, :DEFAULT_MAX_RETRY_DELAY, :API_VERSION, :USER_AGENT
+    USER_AGENT = "strongdm-sdk-ruby/14.20.0"
+    private_constant :DEFAULT_BASE_RETRY_DELAY, :DEFAULT_MAX_RETRY_DELAY, :DEFAULT_RETRY_FACTOR, :DEFAULT_RETRY_JITTER, :API_VERSION, :USER_AGENT
 
     # Creates a new strongDM API client.
-    def initialize(api_access_key, api_secret_key, host: "app.strongdm.com:443", insecure: false, retry_rate_limit_errors: true, page_limit: 50)
+    def initialize(api_access_key, api_secret_key, host: "app.strongdm.com:443", insecure: false, retry_rate_limit_errors: true, page_limit: 0)
       raise TypeError, "client access key must be a string" unless api_access_key.kind_of?(String)
       raise TypeError, "client secret key must be a string" unless api_secret_key.kind_of?(String)
       raise TypeError, "client host must be a string" unless host.kind_of?(String)
       @api_access_key = api_access_key.strip
       @api_secret_key = Base64.strict_decode64(api_secret_key.strip)
-      @max_retries = DEFAULT_MAX_RETRIES
       @base_retry_delay = DEFAULT_BASE_RETRY_DELAY
       @max_retry_delay = DEFAULT_MAX_RETRY_DELAY
+      @retry_factor = DEFAULT_RETRY_FACTOR
+      @retry_jitter = DEFAULT_RETRY_JITTER
       @page_limit = page_limit
-      @expose_rate_limit_errors = (not retry_rate_limit_errors)
+      @retry_rate_limit_errors = retry_rate_limit_errors
       @snapshot_time = nil
       begin
         if insecure
@@ -153,18 +155,44 @@ module SDM #:nodoc:
     end
 
     # @private
-    def jitterSleep(iter)
-      dur_max = @base_retry_delay * 2 ** iter
-      if (dur_max > @max_retry_delay)
-        dur_max = @max_retry_delay
+    def exponentialBackoff(retries, deadline = nil)
+      if retries == 0
+        return applyDeadline(@base_retry_delay, deadline)
       end
-      dur = rand() * dur_max
-      sleep(dur)
+      backoff, max = @base_retry_delay, @max_retry_delay
+      while backoff < max and retries > 0
+        backoff *= @retry_factor
+        retries -= 1
+      end
+      if backoff > max
+        backoff = max
+      end
+      # Randomize backoff delays so that if a cluster of requests start at
+      # the same time, they won't operate in lockstep.
+      backoff *= 1 + @retry_jitter * (rand() * 2 - 1)
+      if backoff < 0
+        return 0
+      end
+
+      return applyDeadline(backoff, deadline)
+    end
+
+    # @private
+    def applyDeadline(backoff, deadline)
+      if deadline.nil?
+        return backoff
+      end
+      remaining = deadline - Time.now
+      if remaining < 0
+        return 0
+      end
+      return [backoff, remaining].min
     end
 
     # @private
-    def shouldRetry(iter, err)
-      if (iter >= @max_retries - 1)
+    def shouldRetry(retries, err, deadline = nil)
+      # Check if we've passed the deadline
+      if !deadline.nil? && Time.now >= deadline
         return false
       end
       # The grpc library unfortunately does not raise a more specific error class.
@@ -172,20 +200,12 @@ module SDM #:nodoc:
         return false
       end
       if not err.is_a? GRPC::BadStatus
-        return true
+        return false
       end
-      porcelainErr = Plumbing::convert_error_to_porcelain(err)
-      if (not @expose_rate_limit_errors) and (porcelainErr.is_a? RateLimitError)
-        sleep_for = porcelainErr.rate_limit.reset_at - Time.now
-        # If timezones or clock drift causes this calculation to fail,
-        # wait at most one minute.
-        if sleep_for < 0 or sleep_for > 60
-          sleep_for = 60
-        end
-        sleep(sleep_for)
+      if @retry_rate_limit_errors and err.code() == 8
         return true
       end
-      return (err.code() == 13 or err.code() == 14)
+      return (retries <= 3) && ((err.code() == 13) || (err.code() == 14))
     end
 
     # Constructs a read-only client that will provide historical data from the provided timestamp.
@@ -196,7 +216,11 @@ module SDM #:nodoc:
       return SnapshotClient.new(client)
     end
 
-    attr_reader :max_retries
+    # @deprecated
+    def max_retries
+      3
+    end
+
     attr_reader :base_retry_delay
     attr_reader :max_retry_delay
     attr_accessor :page_limit