strongdm 15.41.0 → 15.44.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b1e9f52173a0bece622752999286e3fbefef573f7c9a8cee68fc6687e73414d
-  data.tar.gz: 6cc7b1cc2900a86d9ecb939b67dff13189ced426becb976e110070d3b16efb9f
+  metadata.gz: ce4a3c69eb97f4b8a93947190db567417e1f4eefcdeaf18f15444159186c70d7
+  data.tar.gz: fffb501db75633dffc8c344a799fcabe2bc3f1ea2862be66d36f036631ea64d0
 SHA512:
-  metadata.gz: 49280bb2ba6cb9925a9a8a6456cb05d3fcfd9fb26992e04490c82ea19f31ac0e158a5aa6883bc96a6a7be6a3d117dc0f34a5dc02bb7bf73ab9b9b5d21c803aa8
-  data.tar.gz: 868450c0b94a863c315ee0a881c1d3d0627e2284eb3c28cc3682ee62f0c0566ce4a93afa0ba7f3cc5889a40281f0d1f2220f9d7652048b060e060e34c00b9146
+  metadata.gz: 8d58f24f7d86471d96c6bf8e497d1a5bffdfc04592cdf054a4c3742cb6db00c2666abf92234150588a0ef2cae3e2588a50ddd3837bb30254954af7b3578436be
+  data.tar.gz: 6d6ff726b001250e581d8a3f10dabba33a32821fc353058e7b19a9713ef6a8fd475310388eab3bc0a76045cfbd1346f4e135d28136ddaf0757489604f4deb627

data/.git/ORIG_HEAD

@@ -1 +1 @@
-b20e3c16d138fc17c80e82311c7613a915bc3569
+1170439941e521c29339b4d2314cae0e1526759e

data/.git/logs/HEAD

@@ -1,3 +1,3 @@
-0000000000000000000000000000000000000000 b20e3c16d138fc17c80e82311c7613a915bc3569 root <root@e35d0cf551cb.(none)> 1765963630 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
-b20e3c16d138fc17c80e82311c7613a915bc3569 b20e3c16d138fc17c80e82311c7613a915bc3569 root <root@e35d0cf551cb.(none)> 1765963630 +0000	checkout: moving from master to master
-b20e3c16d138fc17c80e82311c7613a915bc3569 b23f0912dbe900e5bd24222f9971c7820ddf128d root <root@e35d0cf551cb.(none)> 1765963630 +0000	merge origin/development: Fast-forward
+0000000000000000000000000000000000000000 1170439941e521c29339b4d2314cae0e1526759e root <root@4389641f949d.(none)> 1767894497 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
+1170439941e521c29339b4d2314cae0e1526759e 1170439941e521c29339b4d2314cae0e1526759e root <root@4389641f949d.(none)> 1767894497 +0000	checkout: moving from master to master
+1170439941e521c29339b4d2314cae0e1526759e 75a012035de3f39e75968747f1365c6f501d73d9 root <root@4389641f949d.(none)> 1767894497 +0000	merge origin/development: Fast-forward

data/.git/logs/refs/heads/master

@@ -1,2 +1,2 @@
-0000000000000000000000000000000000000000 b20e3c16d138fc17c80e82311c7613a915bc3569 root <root@e35d0cf551cb.(none)> 1765963630 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
-b20e3c16d138fc17c80e82311c7613a915bc3569 b23f0912dbe900e5bd24222f9971c7820ddf128d root <root@e35d0cf551cb.(none)> 1765963630 +0000	merge origin/development: Fast-forward
+0000000000000000000000000000000000000000 1170439941e521c29339b4d2314cae0e1526759e root <root@4389641f949d.(none)> 1767894497 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
+1170439941e521c29339b4d2314cae0e1526759e 75a012035de3f39e75968747f1365c6f501d73d9 root <root@4389641f949d.(none)> 1767894497 +0000	merge origin/development: Fast-forward

data/.git/logs/refs/remotes/origin/HEAD

@@ -1 +1 @@
-0000000000000000000000000000000000000000 b20e3c16d138fc17c80e82311c7613a915bc3569 root <root@e35d0cf551cb.(none)> 1765963630 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
+0000000000000000000000000000000000000000 1170439941e521c29339b4d2314cae0e1526759e root <root@4389641f949d.(none)> 1767894497 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git

data/.git/packed-refs

@@ -1,6 +1,6 @@
 # pack-refs with: peeled fully-peeled sorted 
-b23f0912dbe900e5bd24222f9971c7820ddf128d refs/remotes/origin/development
-b20e3c16d138fc17c80e82311c7613a915bc3569 refs/remotes/origin/master
+75a012035de3f39e75968747f1365c6f501d73d9 refs/remotes/origin/development
+1170439941e521c29339b4d2314cae0e1526759e refs/remotes/origin/master
 2e4fe8087177ddea9b3991ca499f758384839c89 refs/tags/untagged-84fd83a4484c785cce63
 04f604866214fab4d5663b5171a3e596331577bd refs/tags/v0.9.4
 6f9a7b75b345c65fb554884907b7060680c807b7 refs/tags/v0.9.5
@@ -128,6 +128,8 @@ e2a4215bd3bbfb822423e11e81b9ad47bef03840 refs/tags/v15.36.0
 740f705c286a25c2abae5a44b52fe330cc4e3e71 refs/tags/v15.39.0
 cf3b15b82cb0c4229609c07c870c6cb4fd38ef75 refs/tags/v15.4.0
 b20e3c16d138fc17c80e82311c7613a915bc3569 refs/tags/v15.40.0
+b23f0912dbe900e5bd24222f9971c7820ddf128d refs/tags/v15.41.0
+1170439941e521c29339b4d2314cae0e1526759e refs/tags/v15.43.0
 0be2c5e7f7a90c49077548cb3a9bce234219b9f0 refs/tags/v15.5.0
 4b9cd43c5dda3f369b82b6a56132a5470ff9ff53 refs/tags/v15.6.0
 6e8e9210b26f02ebe925b8e81909ba42985cfde7 refs/tags/v15.7.0

data/.git/refs/heads/master

@@ -1 +1 @@
-b23f0912dbe900e5bd24222f9971c7820ddf128d
+75a012035de3f39e75968747f1365c6f501d73d9

data/lib/constants.rb

@@ -333,6 +333,7 @@ module SDM
     RESOURCE_LOCKED = "user locked a resource"
     RESOURCE_UNLOCKED = "user unlocked a resource"
     RESOURCE_FORCE_UNLOCKED = "admin force-unlocked a resource"
+    RESOURCE_LOCK_REJECTED = "user lock rejected for a resource"
     CONCURRENT_AUTHENTICATION_REVOKED_PER_ORG_SETTING = "concurrent authentications revoked per organization settings"
     PEERING_GROUP_TOGGLED = "peering group toggled"
     PEERING_GROUP_CREATED = "peering group created"

data/lib/grpc/discovery_connectors_pb.rb

@@ -106,10 +106,11 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       repeated :services, :string, 5
       repeated :include_tags, :message, 6, "v1.Tag"
       repeated :exclude_tags, :message, 7, "v1.Tag"
-      optional :project_number, :string, 20
-      optional :provider_id, :string, 21
-      optional :pool_id, :string, 22
       repeated :project_ids, :string, 23
+      optional :workload_project_number, :string, 24
+      optional :workload_project_id, :string, 25
+      optional :workload_provider_id, :string, 26
+      optional :workload_pool_id, :string, 27
     end
   end
 end

data/lib/grpc/plumbing.rb

@@ -7178,12 +7178,13 @@ module SDM
       porcelain.id = (plumbing.id)
       porcelain.include_tags = convert_repeated_tag_to_porcelain(plumbing.include_tags)
       porcelain.name = (plumbing.name)
-      porcelain.pool_id = (plumbing.pool_id)
       porcelain.project_ids = (plumbing.project_ids)
-      porcelain.project_number = (plumbing.project_number)
-      porcelain.provider_id = (plumbing.provider_id)
       porcelain.scan_period = (plumbing.scan_period)
       porcelain.services = (plumbing.services)
+      porcelain.workload_pool_id = (plumbing.workload_pool_id)
+      porcelain.workload_project_id = (plumbing.workload_project_id)
+      porcelain.workload_project_number = (plumbing.workload_project_number)
+      porcelain.workload_provider_id = (plumbing.workload_provider_id)
       porcelain
     end
 
@@ -7197,12 +7198,13 @@ module SDM
       plumbing.id = (porcelain.id)
       plumbing.include_tags += convert_repeated_tag_to_plumbing(porcelain.include_tags)
       plumbing.name = (porcelain.name)
-      plumbing.pool_id = (porcelain.pool_id)
       plumbing.project_ids += (porcelain.project_ids)
-      plumbing.project_number = (porcelain.project_number)
-      plumbing.provider_id = (porcelain.provider_id)
       plumbing.scan_period = (porcelain.scan_period)
       plumbing.services += (porcelain.services)
+      plumbing.workload_pool_id = (porcelain.workload_pool_id)
+      plumbing.workload_project_id = (porcelain.workload_project_id)
+      plumbing.workload_project_number = (porcelain.workload_project_number)
+      plumbing.workload_provider_id = (porcelain.workload_provider_id)
       plumbing
     end
     def self.convert_repeated_gcp_connector_to_plumbing(porcelains)

data/lib/interceptors.rb

@@ -0,0 +1,200 @@
+# Copyright 2020 StrongDM Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# @internal Code generated by protogen. DO NOT EDIT.
+
+require "openssl"
+require_relative "./grpc/plumbing"
+
+module SDM
+  # MethodInterceptor provides a generic hook system for modifying
+  # requests and responses before/after gRPC calls
+  class MethodInterceptor
+    def initialize(client)
+      @client = client
+      @before_hooks = {}
+      @after_hooks = {}
+    end
+
+    # Register a hook to run before a method call
+    # method_name: "ServiceName.MethodName" (e.g., "ManagedSecrets.Create")
+    # block: receives (service_instance, request) and should return modified request
+    def before(method_name, &block)
+      @before_hooks[method_name] = block
+    end
+
+    # Register a hook to run after a method call
+    # method_name: "ServiceName.MethodName"
+    # block: receives (service_instance, request, response) and should return modified response
+    def after(method_name, &block)
+      @after_hooks[method_name] = block
+    end
+
+    # Execute before hooks for a method
+    def execute_before(method_name, service_instance, request)
+      hook = @before_hooks[method_name]
+      return request unless hook
+      hook.call(service_instance, request)
+    end
+
+    # Execute after hooks for a method
+    def execute_after(method_name, service_instance, request, response)
+      hook = @after_hooks[method_name]
+      return response unless hook
+      hook.call(service_instance, request, response)
+    end
+  end
+
+  # SecretEncryptionInterceptor implements encryption for managed secrets
+  class SecretEncryptionInterceptor
+    def initialize(client)
+      @client = client
+      @public_key_cache = {}
+      @private_key = nil
+    end
+
+    # Lazy-load private key for retrievals
+    def private_key
+      @private_key ||= OpenSSL::PKey::RSA.new(4096)
+    end
+
+    # Cache a secret engine's public key
+    def cache_public_key(engine_id, public_key_pem)
+      return if public_key_pem.nil? || public_key_pem.empty?
+      @public_key_cache[engine_id] = OpenSSL::PKey::RSA.new(public_key_pem)
+    end
+
+    # Get cached public key
+    def get_public_key(engine_id)
+      @public_key_cache[engine_id]
+    end
+
+    # Encrypt data using RSA-OAEP with SHA256
+    def encrypt(public_key, plaintext)
+      return plaintext if plaintext.nil? || plaintext.empty?
+      public_key.encrypt(plaintext, rsa_padding_mode: "oaep", rsa_oaep_md: "sha256", rsa_mgf1_md: "sha256")
+    end
+
+    # Decrypt data using RSA-OAEP with SHA256
+    def decrypt(ciphertext)
+      return ciphertext if ciphertext.nil? || ciphertext.empty?
+      private_key.decrypt(ciphertext, rsa_padding_mode: "oaep", rsa_oaep_md: "sha256", rsa_mgf1_md: "sha256")
+    end
+
+    # Export public key in PEM format
+    def export_public_key
+      private_key.public_key.to_pem
+    end
+
+    # Setup hooks on the interceptor
+    def setup(interceptor)
+      setup_managed_secrets_hooks(interceptor)
+      setup_secret_engines_hooks(interceptor)
+    end
+
+    private
+
+    def setup_managed_secrets_hooks(interceptor)
+      # Hook for ManagedSecrets.Create - encrypt before sending
+      interceptor.before("ManagedSecrets.Create") do |service, req|
+        secret = req.managed_secret
+        if secret && !secret.value.nil? && !secret.value.empty? && !secret.secret_engine_id.nil?
+          # Try to get public key from cache or fetch it
+          pub_key = get_public_key(secret.secret_engine_id)
+          if pub_key.nil?
+            begin
+              @client.secret_engines.get(secret.secret_engine_id)
+              pub_key = get_public_key(secret.secret_engine_id)
+            rescue
+              # If fetch fails, let server handle it
+            end
+          end
+
+          # Encrypt if we have the key
+          if pub_key
+            secret.value = encrypt(pub_key, secret.value)
+          end
+        end
+        req
+      end
+
+      # Hook for ManagedSecrets.Update - encrypt before sending
+      interceptor.before("ManagedSecrets.Update") do |service, req|
+        secret = req.managed_secret
+        if secret && !secret.value.nil? && !secret.value.empty? && !secret.secret_engine_id.nil?
+          pub_key = get_public_key(secret.secret_engine_id)
+          if pub_key.nil?
+            begin
+              @client.secret_engines.get(secret.secret_engine_id)
+              pub_key = get_public_key(secret.secret_engine_id)
+            rescue
+              # If fetch fails, let server handle it
+            end
+          end
+
+          if pub_key
+            secret.value = encrypt(pub_key, secret.value)
+          end
+        end
+        req
+      end
+
+      # Hook for ManagedSecrets.Retrieve - add public key and decrypt response
+      interceptor.before("ManagedSecrets.Retrieve") do |service, req|
+        if req.public_key.nil? || req.public_key.empty?
+          req.public_key = export_public_key
+        end
+        req
+      end
+
+      interceptor.after("ManagedSecrets.Retrieve") do |service, req, resp|
+        # Only decrypt if we provided the public key
+        if req.public_key == export_public_key
+          secret = resp.managed_secret
+          if secret && !secret.value.nil? && !secret.value.empty?
+            secret.value = decrypt(secret.value)
+          end
+        end
+        resp
+      end
+    end
+
+    def setup_secret_engines_hooks(interceptor)
+      # Hook for SecretEngines.Get - cache public key after response
+      interceptor.after("SecretEngines.Get") do |service, req, resp|
+        engine = Plumbing::convert_secret_engine_to_porcelain(resp.secret_engine)
+        if engine && !engine.id.nil? && !engine.public_key.nil?
+          cache_public_key(engine.id, engine.public_key)
+        end
+        resp
+      end
+    end
+  end
+
+  # EnumeratorInterceptor provides utilities for wrapping enumerators with hooks
+  module EnumeratorInterceptor
+    # Wraps an enumerator to cache secret engine public keys
+    def self.wrap_secret_engine_list(enumerator, encryption_interceptor)
+      Enumerator.new do |yielder|
+        enumerator.each do |engine|
+          if engine && !engine.id.nil? && !engine.public_key.nil?
+            encryption_interceptor.cache_public_key(engine.id, engine.public_key)
+          end
+          yielder << engine
+        end
+      end
+    end
+  end
+end

data/lib/models/porcelain.rb

@@ -6974,18 +6974,20 @@ module SDM
     attr_accessor :include_tags
     # Unique human-readable name of the Connector.
     attr_accessor :name
-    # PoolId is the GCP Workload Pool Identifier used to authenticate our JWT
-    attr_accessor :pool_id
     # ProjectIds is the list of GCP Projects the connector will scan
     attr_accessor :project_ids
-    # ProjectNumber is the GCP Project the Workload Pool is defined in
-    attr_accessor :project_number
-    # ProviderId is the GCP Workload Provider Identifier used to authenticate our JWT
-    attr_accessor :provider_id
     # ScanPeriod identifies which remote system this Connector discovers
     attr_accessor :scan_period
     # Services is a list of services this connector should scan.
     attr_accessor :services
+    # WorkloadPoolId is the GCP Workload Pool Identifier used to authenticate our JWT
+    attr_accessor :workload_pool_id
+    # WorkloadProjectId is the GCP Project ID where the Workload Pool is defined
+    attr_accessor :workload_project_id
+    # WorkloadProjectNumber is the GCP Project Number where the Workload Pool is defined
+    attr_accessor :workload_project_number
+    # WorkloadProviderId is the GCP Workload Provider Identifier used to authenticate our JWT
+    attr_accessor :workload_provider_id
 
     def initialize(
       description: nil,
@@ -6993,24 +6995,26 @@ module SDM
       id: nil,
       include_tags: nil,
       name: nil,
-      pool_id: nil,
       project_ids: nil,
-      project_number: nil,
-      provider_id: nil,
       scan_period: nil,
-      services: nil
+      services: nil,
+      workload_pool_id: nil,
+      workload_project_id: nil,
+      workload_project_number: nil,
+      workload_provider_id: nil
     )
       @description = description == nil ? "" : description
       @exclude_tags = exclude_tags == nil ? [] : exclude_tags
       @id = id == nil ? "" : id
       @include_tags = include_tags == nil ? [] : include_tags
       @name = name == nil ? "" : name
-      @pool_id = pool_id == nil ? "" : pool_id
       @project_ids = project_ids == nil ? [] : project_ids
-      @project_number = project_number == nil ? "" : project_number
-      @provider_id = provider_id == nil ? "" : provider_id
       @scan_period = scan_period == nil ? "" : scan_period
       @services = services == nil ? [] : services
+      @workload_pool_id = workload_pool_id == nil ? "" : workload_pool_id
+      @workload_project_id = workload_project_id == nil ? "" : workload_project_id
+      @workload_project_number = workload_project_number == nil ? "" : workload_project_number
+      @workload_provider_id = workload_provider_id == nil ? "" : workload_provider_id
     end
 
     def to_json(options = {})

data/lib/strongdm.rb

@@ -16,6 +16,7 @@
 # @internal Code generated by protogen. DO NOT EDIT.
 
 require_relative "./svc"
+require_relative "./interceptors"
 require "base64"
 require "grpc"
 require "openssl"
@@ -30,7 +31,7 @@ module SDM #:nodoc:
     DEFAULT_RETRY_FACTOR = 1.6
     DEFAULT_RETRY_JITTER = 0.2
     API_VERSION = "2025-04-14"
-    USER_AGENT = "strongdm-sdk-ruby/15.41.0"
+    USER_AGENT = "strongdm-sdk-ruby/15.44.0"
     private_constant :DEFAULT_BASE_RETRY_DELAY, :DEFAULT_MAX_RETRY_DELAY, :DEFAULT_RETRY_FACTOR, :DEFAULT_RETRY_JITTER, :API_VERSION, :USER_AGENT
 
     # Creates a new strongDM API client.
@@ -47,6 +48,10 @@ module SDM #:nodoc:
       @page_limit = page_limit
       @retry_rate_limit_errors = retry_rate_limit_errors
       @snapshot_time = nil
+      # Initialize method interceptor for request/response hooks
+      @interceptor = MethodInterceptor.new(self)
+      @encryption_interceptor = SecretEncryptionInterceptor.new(self)
+      @encryption_interceptor.setup(@interceptor)
       begin
         if insecure
           @channel = GRPC::Core::Channel.new(host, {}, :this_channel_is_insecure)
@@ -234,6 +239,8 @@ module SDM #:nodoc:
     attr_reader :api_access_key
     # Optional timestamp at which to provide historical data
     attr_reader :snapshot_time
+    # Method interceptor for request/response hooks (read-only).
+    attr_reader :interceptor
     # AccessRequests are requests for access to a resource that may match a Workflow.
     #
     # See {AccessRequests}.