subiam 1.2.1

data/lib/subiam/dsl/context.rb

@@ -0,0 +1,101 @@
+class Subiam::DSL::Context
+  include Subiam::TemplateHelper
+
+  def self.eval(dsl, path, options = {})
+    self.new(path, options) {
+      eval(dsl, binding, path)
+    }
+  end
+
+  attr_reader :result
+
+  def initialize(path, options = {}, &block)
+    @path = path
+    @options = options
+    @result = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}, :policies => {}, :target => nil}
+
+    @context = Hashie::Mash.new(
+      :path => path,
+      :options => options,
+      :templates => {}
+    )
+
+    instance_eval(&block)
+  end
+
+  def template(name, &block)
+    @context.templates[name.to_s] = block
+  end
+
+  private
+
+  def import(file)
+    iamfile = (file =~ %r|\A/|) ? file : File.expand_path(File.join(File.dirname(@path), file))
+
+    if File.exist?(iamfile)
+      instance_eval(File.read(iamfile), iamfile)
+    elsif File.exist?(iamfile + '.rb')
+      instance_eval(File.read(iamfile + '.rb'), iamfile + '.rb')
+    else
+      raise("File: #{iamfile} or #{iamfile + '.rb'} not found.")
+    end
+  end
+
+  def target(regexp)
+    @result[:target] = regexp
+  end
+
+  def user(name, user_options = {}, &block)
+    name = name.to_s
+
+    if @result[:users][name]
+      raise "User `#{name}` is already defined"
+    end
+
+    attrs = Subiam::DSL::Context::User.new(@context, name, &block).result
+    @result[:users][name] = user_options.merge(attrs)
+  end
+
+  def group(name, group_options = {}, &block)
+    name = name.to_s
+
+    if @result[:groups][name]
+      raise "Group `#{name}` is already defined"
+    end
+
+    attrs = Subiam::DSL::Context::Group.new(@context, name, &block).result
+    @result[:groups][name] = group_options.merge(attrs)
+  end
+
+  def role(name, role_options = {}, &block)
+    name = name.to_s
+
+    if @result[:roles][name]
+      raise "Role `#{name}` is already defined"
+    end
+
+    attrs = Subiam::DSL::Context::Role.new(@context, name, &block).result
+    @result[:roles][name] = role_options.merge(attrs)
+  end
+
+  def instance_profile(name, instance_profile_options = {}, &block)
+    name = name.to_s
+
+    if @result[:instance_profiles][name]
+      raise "instance_profile `#{name}` is already defined"
+    end
+
+    @result[:instance_profiles][name] = instance_profile_options
+  end
+
+  def managed_policy(name, policy_options = {}, &block)
+    name = name.to_s
+
+    if @result[:policies][name]
+      raise "ManagedPolicy `#{name}` is already defined"
+    end
+
+    attrs = Subiam::DSL::Context::ManagedPolicy.new(@context, name, &block).result
+    @result[:policies][name] = policy_options.merge(attrs)
+  end
+end

data/lib/subiam/dsl/converter.rb

@@ -0,0 +1,202 @@
+class Subiam::DSL::Converter
+  def self.convert(exported, options = {})
+    self.new(exported, options).convert
+  end
+
+  def initialize(exported, options = {})
+    @exported = exported
+    @options = options
+  end
+
+  def convert
+    [
+      output_users(@exported[:users]),
+      output_groups(@exported[:groups]),
+      output_roles(@exported[:roles]),
+      output_instance_profiles(@exported[:instance_profiles]),
+      output_managed_policies(@exported[:policies]),
+    ].join("\n")
+  end
+
+  private
+
+  def output_users(users)
+    users.each.sort_by {|k, v| k }.map {|user_name, attrs|
+      next unless target_matched?(user_name)
+      output_user(user_name, attrs)
+    }.select {|i| i }.join("\n")
+  end
+
+  def output_user(user_name, attrs)
+    user_options = {:path => attrs[:path]}
+
+    <<-EOS
+user #{user_name.inspect}, #{Subiam::Utils.unbrace(user_options.inspect)} do
+  #{output_login_profile(attrs[:login_profile])}
+
+  #{output_user_groups(attrs[:groups])}
+
+  #{output_policies(attrs[:policies])}
+
+  #{output_attached_managed_policies(attrs[:attached_managed_policies])}
+end
+    EOS
+  end
+
+  def output_user_groups(groups)
+    if groups.empty?
+      groups = ['# no group']
+    else
+      groups = groups.map {|i| i.inspect }
+    end
+
+    groups = "\n    " + groups.join(",\n    ") + "\n  "
+    "groups(#{groups})"
+  end
+
+  def output_login_profile(login_profile)
+    if login_profile
+      "login_profile #{Subiam::Utils.unbrace(login_profile.inspect)}"
+    else
+      '# login_profile :password_reset_required=>true'
+    end
+  end
+
+  def output_groups(groups)
+    groups.each.sort_by {|k, v| k }.map {|group_name, attrs|
+      next unless target_matched?(group_name)
+      output_group(group_name, attrs)
+    }.select {|i| i }.join("\n")
+  end
+
+  def output_group(group_name, attrs)
+    group_options = {:path => attrs[:path]}
+
+    <<-EOS
+group #{group_name.inspect}, #{Subiam::Utils.unbrace(group_options.inspect)} do
+  #{output_policies(attrs[:policies])}
+
+  #{output_attached_managed_policies(attrs[:attached_managed_policies])}
+end
+    EOS
+  end
+
+  def output_roles(roles)
+    roles.each.sort_by {|k, v| k }.map {|role_name, attrs|
+      next unless target_matched?(role_name)
+      output_role(role_name, attrs)
+    }.select {|i| i }.join("\n")
+  end
+
+  def output_role(role_name, attrs)
+    role_options = {:path => attrs[:path]}
+
+    <<-EOS
+role #{role_name.inspect}, #{Subiam::Utils.unbrace(role_options.inspect)} do
+  #{output_role_instance_profiles(attrs[:instance_profiles])}
+
+  #{output_assume_role_policy_document(attrs[:assume_role_policy_document])}
+
+  #{output_policies(attrs[:policies])}
+
+  #{output_attached_managed_policies(attrs[:attached_managed_policies])}
+end
+    EOS
+  end
+
+  def output_role_instance_profiles(instance_profiles)
+    if instance_profiles.empty?
+      instance_profiles = ['# no instance_profile']
+    else
+      instance_profiles = instance_profiles.map {|i| i.inspect }
+    end
+
+    instance_profiles = "\n    " + instance_profiles.join(",\n    ") + "\n  "
+    "instance_profiles(#{instance_profiles})"
+  end
+
+  def output_instance_profiles(instance_profiles)
+    instance_profiles.each.sort_by {|k, v| k }.map {|instance_profile_name, attrs|
+      next unless target_matched?(instance_profile_name)
+      output_instance_profile(instance_profile_name, attrs)
+    }.select {|i| i }.join("\n")
+  end
+
+  def output_assume_role_policy_document(assume_role_policy_document)
+    assume_role_policy_document = assume_role_policy_document.pretty_inspect
+    assume_role_policy_document.gsub!("\n", "\n    ").strip!
+
+    <<-EOS.strip
+  assume_role_policy_document do
+    #{assume_role_policy_document}
+  end
+    EOS
+  end
+
+  def output_instance_profile(instance_profile_name, attrs)
+    instance_profile_options = {:path => attrs[:path]}
+
+    <<-EOS
+instance_profile #{instance_profile_name.inspect}, #{Subiam::Utils.unbrace(instance_profile_options.inspect)}
+    EOS
+  end
+
+  def output_policies(policies)
+    if policies.empty?
+      "# no policy"
+    else
+      policies.map {|policy_name, policy_document|
+        output_policy(policy_name, policy_document)
+      }.join("\n\n  ").strip
+    end
+  end
+
+  def output_policy(policy_name, policy_document)
+    policy_document = policy_document.pretty_inspect
+    policy_document.gsub!("\n", "\n    ").strip!
+
+    <<-EOS.strip
+  policy #{policy_name.inspect} do
+    #{policy_document}
+  end
+    EOS
+  end
+
+  def output_attached_managed_policies(attached_managed_policies)
+    if attached_managed_policies.empty?
+      attached_managed_policies = ['# attached_managed_policy']
+    else
+      attached_managed_policies = attached_managed_policies.map {|i| i.inspect }
+    end
+
+    attached_managed_policies = "\n    " + attached_managed_policies.join(",\n    ") + "\n  "
+    "attached_managed_policies(#{attached_managed_policies})"
+  end
+
+  def output_managed_policies(policies)
+    policies.each.sort_by {|k, v| k }.map {|policy_name, attrs|
+      next unless target_matched?(policy_name)
+      output_managed_policy(policy_name, attrs)
+    }.select {|i| i }.join("\n")
+  end
+
+  def output_managed_policy(policy_name, attrs)
+    policy_options = {:path => attrs[:path]}
+    policy_document = attrs[:document].pretty_inspect
+    policy_document.gsub!("\n", "\n    ").strip!
+
+    <<-EOS
+managed_policy #{policy_name.inspect}, #{Subiam::Utils.unbrace(policy_options.inspect)} do
+  #{policy_document}
+end
+    EOS
+  end
+
+  def target_matched?(name)
+    if @options[:target]
+      name =~ @options[:target]
+    else
+      true
+    end
+  end
+end

data/lib/subiam/dsl/helper/arn.rb

@@ -0,0 +1,22 @@
+module Subiam::DSL::Helper
+  module Arn
+    private
+
+    def arn_policy_by_aws(name)
+      "arn:aws:iam::aws:policy/#{name}"
+    end
+
+    def arn_policy_by_current_account(name)
+      "arn:aws:iam::#{current_account}:policy/#{name}"
+    end
+
+    def current_account
+      if @current_account
+        return @current_account
+      end
+      aws_config = (@context.options && @context.options[:aws_config]) ? @context.options[:aws_config] : {}
+      sts = Aws::STS::Client.new(aws_config)
+      @current_account = sts.get_caller_identity.user_id
+    end
+  end
+end

data/lib/subiam/dsl.rb

@@ -0,0 +1,9 @@
+class Subiam::DSL
+  def self.convert(exported, options = {})
+    Subiam::DSL::Converter.convert(exported, options)
+  end
+
+  def self.parse(dsl, path, options = {})
+    Subiam::DSL::Context.eval(dsl, path, options).result
+  end
+end

data/lib/subiam/exporter.rb

@@ -0,0 +1,278 @@
+# coding: utf-8
+class Subiam::Exporter
+  AWS_MANAGED_POLICY_PREFIX = 'arn:aws:iam::aws:'
+
+  def self.export(iam, options = {})
+    self.new(iam, options).export
+  end
+
+  def initialize(iam, options = {})
+    @iam = iam
+    @options = options
+    @mutex = Mutex.new
+    @concurrency = options[:export_concurrency] || 16
+  end
+
+  def export
+    account_authorization_details = get_account_authorization_details
+
+    users = account_authorization_details[:user_detail_list]
+    groups = account_authorization_details[:group_detail_list]
+    roles = account_authorization_details[:role_detail_list]
+    policies = account_authorization_details[:policies]
+    instance_profiles = list_instance_profiles
+    group_users = {}
+    instance_profile_roles = {}
+
+    unless @options[:no_progress]
+      progress_total = users.length + groups.length + roles.length + instance_profiles.length
+
+      @progressbar = ProgressBar.create(
+                       :format => ' %bᗧ%i %p%%',
+                       :progress_mark  => ' ',
+                       :remainder_mark => '･',
+                       :total => progress_total,
+                       :output => $stderr)
+    end
+
+    expected = {
+      :users => export_users(users, group_users),
+      :groups => export_groups(groups),
+      :roles => export_roles(roles, instance_profile_roles),
+      :instance_profiles => export_instance_profiles(instance_profiles),
+      :policies => export_policies(policies),
+    }
+
+    [expected, group_users, instance_profile_roles]
+  end
+
+  private
+
+  def export_users(users, group_users)
+    result = {}
+
+    Parallel.each(users, :in_threads => @concurrency) do |user|
+      user_name = user.user_name
+      groups = user.group_list
+      policies = export_user_policies(user)
+      login_profile = export_login_profile(user_name)
+      attached_managed_policies = user.attached_managed_policies.map(&:policy_arn)
+
+      @mutex.synchronize do
+        groups.each do |group_name|
+          group_users[group_name] ||= []
+          group_users[group_name] << user_name
+        end
+
+        result[user_name] = {
+          :path => user.path,
+          :groups => groups,
+          :policies => policies,
+          :attached_managed_policies => attached_managed_policies
+        }
+
+        if login_profile
+          result[user_name][:login_profile] = login_profile
+        end
+
+        progress
+      end
+    end
+
+    result
+  end
+
+  def export_user_policies(user)
+    result = {}
+
+    user.user_policy_list.each do |policy|
+      document = CGI.unescape(policy.policy_document)
+      result[policy.policy_name] = JSON.parse(document)
+    end
+
+    result
+  end
+
+  def export_login_profile(user_name)
+    begin
+      resp = @iam.get_login_profile(:user_name => user_name)
+      {:password_reset_required => resp.login_profile.password_reset_required}
+    rescue Aws::IAM::Errors::NoSuchEntity
+      nil
+    end
+  end
+
+  def export_groups(groups)
+    result = {}
+
+    Parallel.each(groups, :in_threads => @concurrency) do |group|
+      group_name = group.group_name
+      policies = export_group_policies(group)
+      attached_managed_policies = group.attached_managed_policies.map(&:policy_arn)
+
+      @mutex.synchronize do
+        result[group_name] = {
+          :path => group.path,
+          :policies => policies,
+          :attached_managed_policies => attached_managed_policies,
+        }
+
+        progress
+      end
+    end
+
+    result
+  end
+
+  def export_group_policies(group)
+    result = {}
+
+    group.group_policy_list.each do |policy|
+      document = CGI.unescape(policy.policy_document)
+      result[policy.policy_name] = JSON.parse(document)
+    end
+
+    result
+  end
+
+  def export_roles(roles, instance_profile_roles)
+    result = {}
+
+    Parallel.each(roles, :in_threads => @concurrency) do |role|
+      role_name = role.role_name
+      instance_profiles = role.instance_profile_list.map {|i| i.instance_profile_name }
+      policies = export_role_policies(role)
+      attached_managed_policies = role.attached_managed_policies.map(&:policy_arn)
+
+      @mutex.synchronize do
+        instance_profiles.each do |instance_profile_name|
+          instance_profile_roles[instance_profile_name] ||= []
+          instance_profile_roles[instance_profile_name] << role_name
+        end
+
+        document = CGI.unescape(role.assume_role_policy_document)
+
+        result[role_name] = {
+          :path => role.path,
+          :assume_role_policy_document => JSON.parse(document),
+          :instance_profiles => instance_profiles,
+          :policies => policies,
+          :attached_managed_policies => attached_managed_policies,
+        }
+
+        progress
+      end
+    end
+
+    result
+  end
+
+  def export_role_policies(role)
+    result = {}
+
+    role.role_policy_list.each do |policy|
+      document = CGI.unescape(policy.policy_document)
+      result[policy.policy_name] = JSON.parse(document)
+    end
+
+    result
+  end
+
+  def export_instance_profiles(instance_profiles)
+    result = {}
+
+    Parallel.each(instance_profiles, :in_threads => @concurrency) do |instance_profile|
+      instance_profile_name = instance_profile.instance_profile_name
+
+      @mutex.synchronize do
+        result[instance_profile_name] = {
+          :path => instance_profile.path,
+        }
+
+        progress
+      end
+    end
+
+    result
+  end
+
+  def export_policies(policies)
+    result = {}
+
+    Parallel.each(policies, :in_threads => @concurrency) do |policy|
+      if policy.arn.start_with?(AWS_MANAGED_POLICY_PREFIX)
+        next
+      end
+
+      policy_name = policy.policy_name
+      document = export_policy_document(policy)
+
+      result[policy_name] = {
+        :path => policy.path,
+        :document => document,
+      }
+    end
+
+    result
+  end
+
+  def export_policy_document(policy)
+    policy_version = nil
+
+    policy_version_list = policy.policy_version_list.sort_by do |pv|
+      pv.version_id[1..-1].to_i
+    end
+
+    policy_version_list.each do |pv|
+      policy_version = pv
+
+      if pv.is_default_version
+        break
+      end
+    end
+
+    document = CGI.unescape(policy_version.document)
+    JSON.parse(document)
+  end
+
+  def list_instance_profiles
+    @iam.list_instance_profiles.map {|resp|
+      resp.instance_profiles.to_a
+    }.flatten
+  end
+
+  def get_account_authorization_details
+    account_authorization_details = {}
+
+    unless @options[:no_progress]
+      progressbar = ProgressBar.create(:title => 'Loading', :total => nil, :output => $stderr)
+    end
+
+    keys = [
+      :user_detail_list,
+      :group_detail_list,
+      :role_detail_list,
+      :policies,
+    ]
+
+    keys.each do |key|
+      account_authorization_details[key] = []
+    end
+
+    @iam.get_account_authorization_details.each do |resp|
+      keys.each do |key|
+        account_authorization_details[key].concat(resp[key])
+
+        unless @options[:no_progress]
+          progressbar.increment
+        end
+      end
+    end
+
+    account_authorization_details
+  end
+
+  def progress
+    @progressbar.increment if @progressbar
+  end
+end

data/lib/subiam/ext/array_ext.rb

@@ -0,0 +1,13 @@
+class Array
+  def keys_to_s_recursive
+    new_one = []
+    self.each_with_index do |elem, index|
+      if elem.respond_to? :keys_to_s_recursive
+        new_one[index] = elem.keys_to_s_recursive
+        next
+      end
+      new_one[index] = elem
+    end
+    new_one
+  end
+end

data/lib/subiam/ext/hash_ext.rb

@@ -0,0 +1,41 @@
+class Hash
+  def sort_array!
+    keys.each do |key|
+      value = self[key]
+      self[key] = sort_array0(value)
+    end
+
+    self
+  end
+
+  def keys_to_s_recursive
+    new_one = {}
+    self.each do |key, elem|
+      if elem.respond_to? :keys_to_s_recursive
+        new_one[key.to_s] = elem.keys_to_s_recursive
+        next
+      end
+      new_one[key.to_s] = elem
+    end
+    new_one
+  end
+
+  private
+
+  def sort_array0(value)
+    case value
+    when Hash
+      new_value = {}
+
+      value.each do |k, v|
+        new_value[k] = sort_array0(v)
+      end
+
+      new_value
+    when Array
+      value.map {|v| sort_array0(v) }.sort_by(&:to_s)
+    else
+      value
+    end
+  end
+end

data/lib/subiam/ext/string_ext.rb

@@ -0,0 +1,25 @@
+class String
+  @@colorize = false
+
+  class << self
+    def colorize=(value)
+      @@colorize = value
+    end
+
+    def colorize
+      @@colorize
+    end
+  end # of class methods
+
+  Term::ANSIColor::Attribute.named_attributes.map do |attribute|
+    class_eval(<<-EOS, __FILE__, __LINE__ + 1)
+      def #{attribute.name}
+        if @@colorize
+          Term::ANSIColor.send(#{attribute.name.inspect}, self)
+        else
+          self
+        end
+      end
+    EOS
+  end
+end