RubyGems - subiam - Versions diffs - 1.2.1 - Mend

subiam 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

checksums.yaml +7 -0
data/.gitignore +19 -0
data/.rspec +4 -0
data/Gemfile +4 -0
data/LICENSE.txt +48 -0
data/README.md +408 -0
data/Rakefile +5 -0
data/bin/subiam +189 -0
data/lib/subiam/client.rb +565 -0
data/lib/subiam/driver.rb +466 -0
data/lib/subiam/dsl/context/group.rb +35 -0
data/lib/subiam/dsl/context/managed_policy.rb +23 -0
data/lib/subiam/dsl/context/role.rb +59 -0
data/lib/subiam/dsl/context/user.rb +43 -0
data/lib/subiam/dsl/context.rb +101 -0
data/lib/subiam/dsl/converter.rb +202 -0
data/lib/subiam/dsl/helper/arn.rb +22 -0
data/lib/subiam/dsl.rb +9 -0
data/lib/subiam/exporter.rb +278 -0
data/lib/subiam/ext/array_ext.rb +13 -0
data/lib/subiam/ext/hash_ext.rb +41 -0
data/lib/subiam/ext/string_ext.rb +25 -0
data/lib/subiam/logger.rb +27 -0
data/lib/subiam/password_manager.rb +41 -0
data/lib/subiam/template_helper.rb +20 -0
data/lib/subiam/utils.rb +31 -0
data/lib/subiam/version.rb +3 -0
data/lib/subiam.rb +36 -0
data/spec/spec_helper.rb +95 -0
data/spec/subiam/attach_detach_policy_spec.rb +389 -0
data/spec/subiam/create_spec.rb +271 -0
data/spec/subiam/custom_managed_policy_spec.rb +232 -0
data/spec/subiam/delete_spec.rb +549 -0
data/spec/subiam/hash_ext_spec.rb +61 -0
data/spec/subiam/ignore_login_profile_spec.rb +73 -0
data/spec/subiam/rename_spec.rb +476 -0
data/spec/subiam/style_spec.rb +189 -0
data/spec/subiam/target_spec.rb +150 -0
data/spec/subiam/update_spec.rb +911 -0
data/subiam.gemspec +32 -0
metadata +251 -0

data/lib/subiam/client.rb ADDED Viewed

@@ -0,0 +1,565 @@
+class Subiam::Client
+  include Subiam::Logger::Helper
+  def initialize(options = {})
+    @options = {:format => :ruby}.merge(options)
+    aws_config = options[:aws_config] || {}
+    @iam = Aws::IAM::Client.new(aws_config)
+    @driver = Subiam::Driver.new(@iam, options)
+    @password_manager = options[:password_manager] || Subiam::PasswordManager.new('-', options)
+    @target = nil
+  end
+  def export(export_options = {})
+    exported, group_users, instance_profile_roles = Subiam::Exporter.export(@iam, @options)
+    exported.sort_array!
+    if block_given?
+      [:users, :groups, :roles, :instance_profiles, :policies].each do |type|
+        splitted = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}, :policies => {}}
+        if export_options[:split_more]
+          exported[type].sort_by {|k, v| k }.each do |name, attrs|
+            more_splitted = splitted.dup
+            more_splitted[type] = {}
+            more_splitted[type][name] = attrs
+            dsl = exec_by_format(
+              :ruby => proc { Subiam::DSL.convert(more_splitted, @options).strip },
+              :json => proc { JSON.pretty_generate(more_splitted) }
+            )
+            yield(:type => type, :name => name, :dsl => dsl)
+          end
+        else
+          splitted[type] = exported[type]
+          dsl = exec_by_format(
+            :ruby => proc { Subiam::DSL.convert(splitted, @options).strip },
+            :json => proc { JSON.pretty_generate(splitted) }
+          )
+          yield(:type => type, :dsl => dsl)
+        end
+      end
+    else
+      dsl = exec_by_format(
+        :ruby => proc { Subiam::DSL.convert(exported, @options).strip },
+        :json => proc { JSON.pretty_generate(exported) }
+      )
+    end
+  end
+  def apply(file)
+    walk(file)
+  end
+  private
+  def walk(file)
+    expected = load_file(file)
+    unless expected[:target]
+      raise "Required setting on DSL `target` not found"
+    end
+    @target = expected[:target]
+    actual, group_users, instance_profile_roles = Subiam::Exporter.export(@iam, @options)
+    updated = pre_walk_managed_policies(expected[:policies], actual[:policies])
+    updated = walk_groups(expected[:groups], actual[:groups], actual[:users], group_users) || updated
+    updated = walk_users(expected[:users], actual[:users], group_users) || updated
+    updated = walk_instance_profiles(expected[:instance_profiles], actual[:instance_profiles], actual[:roles], instance_profile_roles) || updated
+    updated = walk_roles(expected[:roles], actual[:roles], instance_profile_roles) || updated
+    updated = post_walk_managed_policies(actual[:policies]) || updated
+    if @options[:dry_run]
+      false
+    else
+      updated
+    end
+  end
+  def walk_users(expected, actual, group_users)
+    updated = scan_rename(:user, expected, actual, group_users)
+    expected.each do |user_name, expected_attrs|
+      next unless target_matched?(user_name)
+      actual_attrs = actual.delete(user_name)
+      if actual_attrs
+        updated = walk_path(:user, user_name, expected_attrs[:path], actual_attrs[:path]) || updated
+        updated = walk_user(user_name, expected_attrs, actual_attrs) || updated
+      else
+        actual_attrs = @driver.create_user(user_name, expected_attrs)
+        access_key = @driver.create_access_key(user_name)
+        if access_key
+          @password_manager.puts_password(user_name, access_key[:access_key_id], access_key[:secret_access_key])
+        end
+        walk_user(user_name, expected_attrs, actual_attrs)
+        updated = true
+      end
+    end
+    if @options[:enable_delete]
+      actual.each do |user_name, attrs|
+        next unless target_matched?(user_name)
+        @driver.delete_user(user_name, attrs)
+        group_users.each do |group_name, users|
+          users.delete(user_name)
+        end
+        updated = true
+      end
+    end
+    updated
+  end
+  def walk_user(user_name, expected_attrs, actual_attrs)
+    updated = walk_login_profile(user_name, expected_attrs[:login_profile], actual_attrs[:login_profile])
+    updated = walk_user_groups(user_name, expected_attrs[:groups], actual_attrs[:groups]) || updated
+    updated = walk_attached_managed_policies(:user, user_name, expected_attrs[:attached_managed_policies], actual_attrs[:attached_managed_policies]) || updated
+    walk_policies(:user, user_name, expected_attrs[:policies], actual_attrs[:policies]) || updated
+  end
+  def walk_login_profile(user_name, expected_login_profile, actual_login_profile)
+    updated = false
+    [expected_login_profile, actual_login_profile].each do |login_profile|
+      if login_profile and not login_profile.has_key?(:password_reset_required)
+        login_profile[:password_reset_required] = false
+      end
+    end
+    if expected_login_profile and not actual_login_profile
+      expected_login_profile[:password] ||= @password_manager.identify(user_name, :login_profile)
+      @driver.create_login_profile(user_name, expected_login_profile)
+      updated = true
+    elsif not expected_login_profile and actual_login_profile
+      @driver.delete_login_profile(user_name)
+      updated = true
+    elsif expected_login_profile != actual_login_profile
+      if @options[:ignore_login_profile]
+        log(:warn, "User `#{user_name}`: difference of loging profile has been ignored: expected=#{expected_login_profile.inspect}, actual=#{actual_login_profile.inspect}", :color => :yellow)
+      else
+        @driver.update_login_profile(user_name, expected_login_profile, actual_login_profile)
+        updated = true
+      end
+    end
+    updated
+  end
+  def walk_user_groups(user_name, expected_groups, actual_groups)
+    expected_groups = expected_groups.sort
+    actual_groups = actual_groups.sort
+    updated = false
+    if expected_groups != actual_groups
+      add_groups = expected_groups - actual_groups
+      remove_groups = actual_groups - expected_groups
+      unless add_groups.empty?
+        @driver.add_user_to_groups(user_name, add_groups)
+      end
+      unless remove_groups.empty?
+        @driver.remove_user_from_groups(user_name, remove_groups)
+      end
+      updated = true
+    end
+    updated
+  end
+  def walk_groups(expected, actual, actual_users, group_users)
+    updated = scan_rename(:group, expected, actual, group_users)
+    expected.each do |group_name, expected_attrs|
+      next unless target_matched?(group_name)
+      actual_attrs = actual.delete(group_name)
+      if actual_attrs
+        updated = walk_path(:group, group_name, expected_attrs[:path], actual_attrs[:path]) || updated
+        updated = walk_group(group_name, expected_attrs, actual_attrs) || updated
+      else
+        actual_attrs = @driver.create_group(group_name, expected_attrs)
+        walk_group(group_name, expected_attrs, actual_attrs)
+        updated = true
+      end
+    end
+    if @options[:enable_delete]
+      actual.each do |group_name, attrs|
+        next unless target_matched?(group_name)
+        next unless @options[:enable_delete]
+        users_in_group = group_users.delete(group_name) || []
+        @driver.delete_group(group_name, attrs, users_in_group)
+        actual_users.each do |user_name, user_attrs|
+          user_attrs[:groups].delete(group_name)
+        end
+        updated = true
+      end
+    end
+    updated
+  end
+  def walk_group(group_name, expected_attrs, actual_attrs)
+    updated = walk_policies(:group, group_name, expected_attrs[:policies], actual_attrs[:policies])
+    walk_attached_managed_policies(:group, group_name, expected_attrs[:attached_managed_policies], actual_attrs[:attached_managed_policies]) || updated
+  end
+  def walk_roles(expected, actual, instance_profile_roles)
+    updated = false
+    expected.each do |role_name, expected_attrs|
+      next unless target_matched?(role_name)
+      actual_attrs = actual.delete(role_name)
+      if actual_attrs
+        updated = walk_role(role_name, expected_attrs, actual_attrs) || updated
+      else
+        actual_attrs = @driver.create_role(role_name, expected_attrs)
+        walk_role(role_name, expected_attrs, actual_attrs)
+        updated = true
+      end
+    end
+    if @options[:enable_delete]
+      actual.each do |role_name, attrs|
+        next unless target_matched?(role_name)
+        instance_profile_names = []
+        instance_profile_roles.each do |instance_profile_name, roles|
+          if roles.include?(role_name)
+            instance_profile_names << instance_profile_name
+          end
+        end
+        @driver.delete_role(role_name, instance_profile_names, attrs)
+        instance_profile_roles.each do |instance_profile_name, roles|
+          roles.delete(role_name)
+        end
+        updated = true
+      end
+    end
+    updated
+  end
+  def walk_role(role_name, expected_attrs, actual_attrs)
+    if expected_attrs.values_at(:path) != actual_attrs.values_at(:path)
+      log(:warn, "Role `#{role_name}`: 'path' cannot be updated", :color => :yellow)
+    end
+    updated = walk_assume_role_policy(role_name, expected_attrs[:assume_role_policy_document], actual_attrs[:assume_role_policy_document])
+    updated = walk_role_instance_profiles(role_name, expected_attrs[:instance_profiles], actual_attrs[:instance_profiles]) || updated
+    updated = walk_attached_managed_policies(:role, role_name, expected_attrs[:attached_managed_policies], actual_attrs[:attached_managed_policies]) || updated
+    walk_policies(:role, role_name, expected_attrs[:policies], actual_attrs[:policies]) || updated
+  end
+  def walk_assume_role_policy(role_name, expected_assume_role_policy, actual_assume_role_policy)
+    updated = false
+    expected_assume_role_policy.sort_array!
+    actual_assume_role_policy.sort_array!
+    if expected_assume_role_policy != actual_assume_role_policy
+      @driver.update_assume_role_policy(role_name, expected_assume_role_policy, actual_assume_role_policy)
+      updated = true
+    end
+    updated
+  end
+  def walk_role_instance_profiles(role_name, expected_instance_profiles, actual_instance_profiles)
+    expected_instance_profiles = expected_instance_profiles.sort
+    actual_instance_profiles = actual_instance_profiles.sort
+    updated = false
+    if expected_instance_profiles != actual_instance_profiles
+      add_instance_profiles = expected_instance_profiles - actual_instance_profiles
+      remove_instance_profiles = actual_instance_profiles - expected_instance_profiles
+      unless add_instance_profiles.empty?
+        @driver.add_role_to_instance_profiles(role_name, add_instance_profiles)
+      end
+      unless remove_instance_profiles.empty?
+        @driver.remove_role_from_instance_profiles(role_name, remove_instance_profiles)
+      end
+      updated = true
+    end
+    updated
+  end
+  def walk_instance_profiles(expected, actual, actual_roles, instance_profile_roles)
+    updated = false
+    expected.each do |instance_profile_name, expected_attrs|
+      next unless target_matched?(instance_profile_name)
+      actual_attrs = actual.delete(instance_profile_name)
+      if actual_attrs
+        updated = walk_instance_profile(instance_profile_name, expected_attrs, actual_attrs) || updated
+      else
+        actual_attrs = @driver.create_instance_profile(instance_profile_name, expected_attrs)
+        walk_instance_profile(instance_profile_name, expected_attrs, actual_attrs)
+        updated = true
+      end
+    end
+    if @options[:enable_delete]
+      actual.each do |instance_profile_name, attrs|
+        next unless target_matched?(instance_profile_name)
+        roles_in_instance_profile = instance_profile_roles.delete(instance_profile_name) || []
+        @driver.delete_instance_profile(instance_profile_name, attrs, roles_in_instance_profile)
+        actual_roles.each do |role_name, role_attrs|
+          role_attrs[:instance_profiles].delete(instance_profile_name)
+        end
+        updated = true
+      end
+    end
+    updated
+  end
+  def walk_instance_profile(instance_profile_name, expected_attrs, actual_attrs)
+    updated = false
+    if expected_attrs != actual_attrs
+      log(:warn, "InstanceProfile `#{instance_profile_name}`: 'path' cannot be updated", :color => :yellow)
+    end
+    updated
+  end
+  def scan_rename(type, expected, actual, group_users)
+    updated = false
+    expected.each do |name, expected_attrs|
+      renamed_from = expected_attrs[:renamed_from]
+      next unless renamed_from
+      actual_attrs = actual.delete(renamed_from)
+      next unless actual_attrs
+      @driver.update_name(type, renamed_from, name)
+      actual[name] = actual_attrs
+      case type
+      when :user
+        group_users.each do |group_name, users|
+          users.each do |user_name|
+            if user_name == renamed_from
+              user_name.replace(name)
+            end
+          end
+        end
+      when :group
+        users = group_users.delete(renamed_from)
+        group_users[name] = users if users
+      end
+      updated = true
+    end
+    updated
+  end
+  def walk_path(type, user_or_group_name, expected_path, actual_path)
+    updated = false
+    if expected_path != actual_path
+      @driver.update_path(type, user_or_group_name, expected_path, actual_path)
+      updated = true
+    end
+    updated
+  end
+  def walk_policies(type, user_or_group_name, expected_policies, actual_policies)
+    updated = false
+    expected_policies.each do |policy_name, expected_document|
+      actual_document = actual_policies.delete(policy_name)
+      if actual_document
+        updated = walk_policy(type, user_or_group_name, policy_name, expected_document, actual_document) || updated
+      else
+        @driver.create_policy(type, user_or_group_name, policy_name, expected_document)
+        updated = true
+      end
+    end
+    actual_policies.each do |policy_name, document|
+      @driver.delete_policy(type, user_or_group_name, policy_name)
+      updated = true
+    end
+    updated
+  end
+  def walk_policy(type, user_or_group_name, policy_name, expected_document, actual_document)
+    updated = false
+    expected_document.sort_array!
+    actual_document.sort_array!
+    if expected_document != actual_document
+      @driver.update_policy(type, user_or_group_name, policy_name, expected_document, actual_document)
+      updated = true
+    end
+    updated
+  end
+  def walk_attached_managed_policies(type, name, expected_attached_managed_policies, actual_attached_managed_policies)
+    expected_attached_managed_policies = expected_attached_managed_policies.sort
+    actual_attached_managed_policies = actual_attached_managed_policies.sort
+    updated = false
+    if expected_attached_managed_policies != actual_attached_managed_policies
+      add_attached_managed_policies = expected_attached_managed_policies - actual_attached_managed_policies
+      remove_attached_managed_policies = actual_attached_managed_policies - expected_attached_managed_policies
+      unless add_attached_managed_policies.empty?
+        @driver.attach_policies(type, name, add_attached_managed_policies)
+      end
+      unless remove_attached_managed_policies.empty?
+        @driver.detach_policies(type, name, remove_attached_managed_policies)
+      end
+      updated = true
+    end
+    updated
+  end
+  def pre_walk_managed_policies(expected, actual)
+    updated = false
+    expected.each do |policy_name, expected_attrs|
+      next unless target_matched?(policy_name)
+      actual_attrs = actual.delete(policy_name)
+      if actual_attrs
+        if expected_attrs[:path] != actual_attrs[:path]
+          log(:warn, "ManagedPolicy `#{policy_name}`: 'path' cannot be updated", :color => :yellow)
+        end
+        updated = walk_managed_policy(policy_name, expected_attrs[:document], actual_attrs[:document]) || updated
+      else
+        @driver.create_managed_policy(policy_name, expected_attrs)
+        updated = true
+      end
+    end
+    updated
+  end
+  def walk_managed_policy(policy_name, expected_document, actual_document)
+    updated = false
+    expected_document.sort_array!
+    actual_document.sort_array!
+    if expected_document != actual_document
+      @driver.update_managed_policy(policy_name, expected_document, actual_document)
+      updated = true
+    end
+    updated
+  end
+  def post_walk_managed_policies(actual)
+    updated = false
+    if @options[:enable_delete]
+      actual.each do |policy_name, actual_attrs|
+        next unless target_matched?(policy_name)
+        @driver.delete_managed_policy(policy_name)
+        updated = true
+      end
+    end
+    updated
+  end
+  def load_file(file)
+    if file.kind_of?(String)
+      open(file) do |f|
+        exec_by_format(
+          :ruby => proc { Subiam::DSL.parse(f.read, file, @options) },
+          :json => proc { load_json(f) }
+        )
+      end
+    elsif file.respond_to?(:read)
+      exec_by_format(
+        :ruby => proc { Subiam::DSL.parse(file.read, file.path, @options) },
+        :json => proc { load_json(f) }
+      )
+    else
+      raise TypeError, "can't convert #{file} into File"
+    end
+  end
+  def target_matched?(name)
+    name =~ @target
+  end
+  def exec_by_format(proc_by_format)
+    format_proc = proc_by_format[@options[:format]]
+    raise "Invalid format: #{@options[:format]}" unless format_proc
+    format_proc.call
+  end
+  def load_json(json)
+    json = JSON.load(json)
+    normalized = {}
+    json.each do |top_key, top_value|
+      normalized[top_key.to_sym] = top_attrs = {}
+      top_value.each do |second_key, second_value|
+        top_attrs[second_key] = second_attrs = {}
+        second_value.each do |third_key, third_value|
+          third_key = third_key.to_sym
+          if third_key == :login_profile
+            new_third_value = {}
+            third_value.each {|k, v| new_third_value[k.to_sym] = v }
+            third_value = new_third_value
+          end
+          second_attrs[third_key] = third_value
+        end
+      end
+    end
+    normalized
+  end
+end