RubyGems - strongdm - Versions diffs - 15.41.0 → 15.43.0 - Mend

strongdm 15.41.0 → 15.43.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +4 -4
data/.git/ORIG_HEAD +1 -1
data/.git/index +0 -0
data/.git/logs/HEAD +3 -3
data/.git/logs/refs/heads/master +2 -2
data/.git/logs/refs/remotes/origin/HEAD +1 -1
data/.git/objects/pack/{pack-72042e33d36ca85cdfa5c79a6b28c7e6d0bf83d7.idx → pack-4d13e40791f92a784a9a6a0f8729932092f3c50f.idx} +0 -0
data/.git/objects/pack/{pack-72042e33d36ca85cdfa5c79a6b28c7e6d0bf83d7.pack → pack-4d13e40791f92a784a9a6a0f8729932092f3c50f.pack} +0 -0
data/.git/packed-refs +3 -2
data/.git/refs/heads/master +1 -1
data/lib/constants.rb +1 -0
data/lib/interceptors.rb +200 -0
data/lib/strongdm.rb +8 -1
data/lib/svc.rb +577 -0
data/lib/version +1 -1
data/lib/version.rb +1 -1
metadata +5 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5b1e9f52173a0bece622752999286e3fbefef573f7c9a8cee68fc6687e73414d
-  data.tar.gz: 6cc7b1cc2900a86d9ecb939b67dff13189ced426becb976e110070d3b16efb9f
+  metadata.gz: 07b05d002ea762434e9a42b6da278425d8bb2adf661df165169151ead7aedbda
+  data.tar.gz: fff4b6adece624583f2ccc960359612db92edde0a6af9ada9468013740cc5f16
 SHA512:
-  metadata.gz: 49280bb2ba6cb9925a9a8a6456cb05d3fcfd9fb26992e04490c82ea19f31ac0e158a5aa6883bc96a6a7be6a3d117dc0f34a5dc02bb7bf73ab9b9b5d21c803aa8
-  data.tar.gz: 868450c0b94a863c315ee0a881c1d3d0627e2284eb3c28cc3682ee62f0c0566ce4a93afa0ba7f3cc5889a40281f0d1f2220f9d7652048b060e060e34c00b9146
+  metadata.gz: 63a76d68d110c41c6c7838a4927186c8606a0c61c4eacfa2d47a729e4e0754561331e70d80a5e1f2916caae212619296c42bf38a15f0c07bc8d641d122fbebb4
+  data.tar.gz: 22e7bb7ce4c40f7935ef05feb46d1dbc2e41a9d2ccb2fa6526743dec30e55c5fe6819f9502e4c0d790b88478162ba10588372fde8691d6f2183db6ed60eb49f0

data/.git/ORIG_HEAD CHANGED Viewed

	@@ -1 +1 @@
1	- ~~b20e3c16d138fc17c80e82311c7613a915bc3569~~
1	+ b23f0912dbe900e5bd24222f9971c7820ddf128d

data/.git/index CHANGED Viewed

Binary file

data/.git/logs/HEAD CHANGED Viewed

@@ -1,3 +1,3 @@
-0000000000000000000000000000000000000000 b20e3c16d138fc17c80e82311c7613a915bc3569 root <root@e35d0cf551cb.(none)> 1765963630 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
-b20e3c16d138fc17c80e82311c7613a915bc3569 b20e3c16d138fc17c80e82311c7613a915bc3569 root <root@e35d0cf551cb.(none)> 1765963630 +0000	checkout: moving from master to master
-b20e3c16d138fc17c80e82311c7613a915bc3569 b23f0912dbe900e5bd24222f9971c7820ddf128d root <root@e35d0cf551cb.(none)> 1765963630 +0000	merge origin/development: Fast-forward
+0000000000000000000000000000000000000000 b23f0912dbe900e5bd24222f9971c7820ddf128d root <root@cbe5b8a77e04.(none)> 1766504191 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
+b23f0912dbe900e5bd24222f9971c7820ddf128d b23f0912dbe900e5bd24222f9971c7820ddf128d root <root@cbe5b8a77e04.(none)> 1766504191 +0000	checkout: moving from master to master
+b23f0912dbe900e5bd24222f9971c7820ddf128d 1170439941e521c29339b4d2314cae0e1526759e root <root@cbe5b8a77e04.(none)> 1766504191 +0000	merge origin/development: Fast-forward

data/.git/logs/refs/heads/master CHANGED Viewed

@@ -1,2 +1,2 @@
-0000000000000000000000000000000000000000 b20e3c16d138fc17c80e82311c7613a915bc3569 root <root@e35d0cf551cb.(none)> 1765963630 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
-b20e3c16d138fc17c80e82311c7613a915bc3569 b23f0912dbe900e5bd24222f9971c7820ddf128d root <root@e35d0cf551cb.(none)> 1765963630 +0000	merge origin/development: Fast-forward
+0000000000000000000000000000000000000000 b23f0912dbe900e5bd24222f9971c7820ddf128d root <root@cbe5b8a77e04.(none)> 1766504191 +0000	clone: from github.com:strongdm/strongdm-sdk-ruby.git
+b23f0912dbe900e5bd24222f9971c7820ddf128d 1170439941e521c29339b4d2314cae0e1526759e root <root@cbe5b8a77e04.(none)> 1766504191 +0000	merge origin/development: Fast-forward

data/.git/logs/refs/remotes/origin/HEAD CHANGED Viewed

	@@ -1 +1 @@
1	- 0000000000000000000000000000000000000000 ~~b20e3c16d138fc17c80e82311c7613a915bc3569~~ root <root@~~e35d0cf551cb~~.(none)> ~~1765963630~~ +0000 clone: from github.com:strongdm/strongdm-sdk-ruby.git
1	+ 0000000000000000000000000000000000000000 b23f0912dbe900e5bd24222f9971c7820ddf128d root <root@cbe5b8a77e04.(none)> 1766504191 +0000 clone: from github.com:strongdm/strongdm-sdk-ruby.git

data/.git/objects/pack/{pack-72042e33d36ca85cdfa5c79a6b28c7e6d0bf83d7.idx → pack-4d13e40791f92a784a9a6a0f8729932092f3c50f.idx} RENAMED Viewed

Binary file

data/.git/objects/pack/{pack-72042e33d36ca85cdfa5c79a6b28c7e6d0bf83d7.pack → pack-4d13e40791f92a784a9a6a0f8729932092f3c50f.pack} RENAMED Viewed

Binary file

data/.git/packed-refs CHANGED Viewed

@@ -1,6 +1,6 @@
 # pack-refs with: peeled fully-peeled sorted
-b23f0912dbe900e5bd24222f9971c7820ddf128d refs/remotes/origin/development
-b20e3c16d138fc17c80e82311c7613a915bc3569 refs/remotes/origin/master
+1170439941e521c29339b4d2314cae0e1526759e refs/remotes/origin/development
+b23f0912dbe900e5bd24222f9971c7820ddf128d refs/remotes/origin/master
 2e4fe8087177ddea9b3991ca499f758384839c89 refs/tags/untagged-84fd83a4484c785cce63
 04f604866214fab4d5663b5171a3e596331577bd refs/tags/v0.9.4
 6f9a7b75b345c65fb554884907b7060680c807b7 refs/tags/v0.9.5
@@ -128,6 +128,7 @@ e2a4215bd3bbfb822423e11e81b9ad47bef03840 refs/tags/v15.36.0
 740f705c286a25c2abae5a44b52fe330cc4e3e71 refs/tags/v15.39.0
 cf3b15b82cb0c4229609c07c870c6cb4fd38ef75 refs/tags/v15.4.0
 b20e3c16d138fc17c80e82311c7613a915bc3569 refs/tags/v15.40.0
+b23f0912dbe900e5bd24222f9971c7820ddf128d refs/tags/v15.41.0
 0be2c5e7f7a90c49077548cb3a9bce234219b9f0 refs/tags/v15.5.0
 4b9cd43c5dda3f369b82b6a56132a5470ff9ff53 refs/tags/v15.6.0
 6e8e9210b26f02ebe925b8e81909ba42985cfde7 refs/tags/v15.7.0

data/.git/refs/heads/master CHANGED Viewed

	@@ -1 +1 @@
1	- ~~b23f0912dbe900e5bd24222f9971c7820ddf128d~~
1	+ 1170439941e521c29339b4d2314cae0e1526759e

data/lib/constants.rb CHANGED Viewed

@@ -333,6 +333,7 @@ module SDM
     RESOURCE_LOCKED = "user locked a resource"
     RESOURCE_UNLOCKED = "user unlocked a resource"
     RESOURCE_FORCE_UNLOCKED = "admin force-unlocked a resource"
+    RESOURCE_LOCK_REJECTED = "user lock rejected for a resource"
     CONCURRENT_AUTHENTICATION_REVOKED_PER_ORG_SETTING = "concurrent authentications revoked per organization settings"
     PEERING_GROUP_TOGGLED = "peering group toggled"
     PEERING_GROUP_CREATED = "peering group created"

data/lib/interceptors.rb ADDED Viewed

@@ -0,0 +1,200 @@
+# Copyright 2020 StrongDM Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @internal Code generated by protogen. DO NOT EDIT.
+require "openssl"
+require_relative "./grpc/plumbing"
+module SDM
+  # MethodInterceptor provides a generic hook system for modifying
+  # requests and responses before/after gRPC calls
+  class MethodInterceptor
+    def initialize(client)
+      @client = client
+      @before_hooks = {}
+      @after_hooks = {}
+    end
+    # Register a hook to run before a method call
+    # method_name: "ServiceName.MethodName" (e.g., "ManagedSecrets.Create")
+    # block: receives (service_instance, request) and should return modified request
+    def before(method_name, &block)
+      @before_hooks[method_name] = block
+    end
+    # Register a hook to run after a method call
+    # method_name: "ServiceName.MethodName"
+    # block: receives (service_instance, request, response) and should return modified response
+    def after(method_name, &block)
+      @after_hooks[method_name] = block
+    end
+    # Execute before hooks for a method
+    def execute_before(method_name, service_instance, request)
+      hook = @before_hooks[method_name]
+      return request unless hook
+      hook.call(service_instance, request)
+    end
+    # Execute after hooks for a method
+    def execute_after(method_name, service_instance, request, response)
+      hook = @after_hooks[method_name]
+      return response unless hook
+      hook.call(service_instance, request, response)
+    end
+  end
+  # SecretEncryptionInterceptor implements encryption for managed secrets
+  class SecretEncryptionInterceptor
+    def initialize(client)
+      @client = client
+      @public_key_cache = {}
+      @private_key = nil
+    end
+    # Lazy-load private key for retrievals
+    def private_key
+      @private_key ||= OpenSSL::PKey::RSA.new(4096)
+    end
+    # Cache a secret engine's public key
+    def cache_public_key(engine_id, public_key_pem)
+      return if public_key_pem.nil? || public_key_pem.empty?
+      @public_key_cache[engine_id] = OpenSSL::PKey::RSA.new(public_key_pem)
+    end
+    # Get cached public key
+    def get_public_key(engine_id)
+      @public_key_cache[engine_id]
+    end
+    # Encrypt data using RSA-OAEP with SHA256
+    def encrypt(public_key, plaintext)
+      return plaintext if plaintext.nil? || plaintext.empty?
+      public_key.encrypt(plaintext, rsa_padding_mode: "oaep", rsa_oaep_md: "sha256", rsa_mgf1_md: "sha256")
+    end
+    # Decrypt data using RSA-OAEP with SHA256
+    def decrypt(ciphertext)
+      return ciphertext if ciphertext.nil? || ciphertext.empty?
+      private_key.decrypt(ciphertext, rsa_padding_mode: "oaep", rsa_oaep_md: "sha256", rsa_mgf1_md: "sha256")
+    end
+    # Export public key in PEM format
+    def export_public_key
+      private_key.public_key.to_pem
+    end
+    # Setup hooks on the interceptor
+    def setup(interceptor)
+      setup_managed_secrets_hooks(interceptor)
+      setup_secret_engines_hooks(interceptor)
+    end
+    private
+    def setup_managed_secrets_hooks(interceptor)
+      # Hook for ManagedSecrets.Create - encrypt before sending
+      interceptor.before("ManagedSecrets.Create") do |service, req|
+        secret = req.managed_secret
+        if secret && !secret.value.nil? && !secret.value.empty? && !secret.secret_engine_id.nil?
+          # Try to get public key from cache or fetch it
+          pub_key = get_public_key(secret.secret_engine_id)
+          if pub_key.nil?
+            begin
+              @client.secret_engines.get(secret.secret_engine_id)
+              pub_key = get_public_key(secret.secret_engine_id)
+            rescue
+              # If fetch fails, let server handle it
+            end
+          end
+          # Encrypt if we have the key
+          if pub_key
+            secret.value = encrypt(pub_key, secret.value)
+          end
+        end
+        req
+      end
+      # Hook for ManagedSecrets.Update - encrypt before sending
+      interceptor.before("ManagedSecrets.Update") do |service, req|
+        secret = req.managed_secret
+        if secret && !secret.value.nil? && !secret.value.empty? && !secret.secret_engine_id.nil?
+          pub_key = get_public_key(secret.secret_engine_id)
+          if pub_key.nil?
+            begin
+              @client.secret_engines.get(secret.secret_engine_id)
+              pub_key = get_public_key(secret.secret_engine_id)
+            rescue
+              # If fetch fails, let server handle it
+            end
+          end
+          if pub_key
+            secret.value = encrypt(pub_key, secret.value)
+          end
+        end
+        req
+      end
+      # Hook for ManagedSecrets.Retrieve - add public key and decrypt response
+      interceptor.before("ManagedSecrets.Retrieve") do |service, req|
+        if req.public_key.nil? || req.public_key.empty?
+          req.public_key = export_public_key
+        end
+        req
+      end
+      interceptor.after("ManagedSecrets.Retrieve") do |service, req, resp|
+        # Only decrypt if we provided the public key
+        if req.public_key == export_public_key
+          secret = resp.managed_secret
+          if secret && !secret.value.nil? && !secret.value.empty?
+            secret.value = decrypt(secret.value)
+          end
+        end
+        resp
+      end
+    end
+    def setup_secret_engines_hooks(interceptor)
+      # Hook for SecretEngines.Get - cache public key after response
+      interceptor.after("SecretEngines.Get") do |service, req, resp|
+        engine = Plumbing::convert_secret_engine_to_porcelain(resp.secret_engine)
+        if engine && !engine.id.nil? && !engine.public_key.nil?
+          cache_public_key(engine.id, engine.public_key)
+        end
+        resp
+      end
+    end
+  end
+  # EnumeratorInterceptor provides utilities for wrapping enumerators with hooks
+  module EnumeratorInterceptor
+    # Wraps an enumerator to cache secret engine public keys
+    def self.wrap_secret_engine_list(enumerator, encryption_interceptor)
+      Enumerator.new do |yielder|
+        enumerator.each do |engine|
+          if engine && !engine.id.nil? && !engine.public_key.nil?
+            encryption_interceptor.cache_public_key(engine.id, engine.public_key)
+          end
+          yielder << engine
+        end
+      end
+    end
+  end
+end

data/lib/strongdm.rb CHANGED Viewed

@@ -16,6 +16,7 @@
 # @internal Code generated by protogen. DO NOT EDIT.
 require_relative "./svc"
+require_relative "./interceptors"
 require "base64"
 require "grpc"
 require "openssl"
@@ -30,7 +31,7 @@ module SDM #:nodoc:
     DEFAULT_RETRY_FACTOR = 1.6
     DEFAULT_RETRY_JITTER = 0.2
     API_VERSION = "2025-04-14"
-    USER_AGENT = "strongdm-sdk-ruby/15.41.0"
+    USER_AGENT = "strongdm-sdk-ruby/15.43.0"
     private_constant :DEFAULT_BASE_RETRY_DELAY, :DEFAULT_MAX_RETRY_DELAY, :DEFAULT_RETRY_FACTOR, :DEFAULT_RETRY_JITTER, :API_VERSION, :USER_AGENT
     # Creates a new strongDM API client.
@@ -47,6 +48,10 @@ module SDM #:nodoc:
       @page_limit = page_limit
       @retry_rate_limit_errors = retry_rate_limit_errors
       @snapshot_time = nil
+      # Initialize method interceptor for request/response hooks
+      @interceptor = MethodInterceptor.new(self)
+      @encryption_interceptor = SecretEncryptionInterceptor.new(self)
+      @encryption_interceptor.setup(@interceptor)
       begin
         if insecure
           @channel = GRPC::Core::Channel.new(host, {}, :this_channel_is_insecure)
@@ -234,6 +239,8 @@ module SDM #:nodoc:
     attr_reader :api_access_key
     # Optional timestamp at which to provide historical data
     attr_reader :snapshot_time
+    # Method interceptor for request/response hooks (read-only).
+    attr_reader :interceptor
     # AccessRequests are requests for access to a resource that may match a Workflow.
     #
     # See {AccessRequests}.