subiam 1.2.1

data/lib/subiam/logger.rb

@@ -0,0 +1,27 @@
+class Subiam::Logger < ::Logger
+  include Singleton
+
+  def initialize
+    super($stdout)
+
+    self.formatter = proc do |severity, datetime, progname, msg|
+      "#{msg}\n"
+    end
+
+    self.level = Logger::INFO
+  end
+
+  def set_debug(value)
+    self.level = value ? Logger::DEBUG : Logger::INFO
+  end
+
+  module Helper
+    def log(level, message, log_options = {})
+      message = "[#{level.to_s.upcase}] #{message}" unless level == :info
+      message << ' (dry-run)' if @options[:dry_run]
+      message = message.send(log_options[:color]) if log_options[:color]
+      logger = @options[:logger] || Subiam::Logger.instance
+      logger.send(level, message)
+    end
+  end
+end

data/lib/subiam/password_manager.rb

@@ -0,0 +1,41 @@
+class Subiam::PasswordManager
+  include Subiam::Logger::Helper
+
+  def initialize(output, options = {})
+    @output = output
+    @options = options
+  end
+
+  def identify(user, type)
+    password = mkpasswd
+    puts_password(user, type, password)
+    password
+  end
+
+  def puts_password(user, type, password)
+    log(:info, "User `#{user}` > `#{type}`: put password to `#{@output}`")
+
+    open_output do |f|
+      f.puts("#{user},#{type},#{password}")
+    end
+  end
+
+  private
+
+  def mkpasswd(len = 8)
+    [*1..9, *'A'..'Z', *'a'..'z'].shuffle.slice(0, len).join
+  end
+
+  def open_output
+    return if @options[:dry_run]
+
+    if @output == '-'
+      yield($stdout)
+      $stdout.flush
+    else
+      open(@output, 'a') do |f|
+        yield(f)
+      end
+    end
+  end
+end

data/lib/subiam/template_helper.rb

@@ -0,0 +1,20 @@
+module Subiam
+  module TemplateHelper
+    def include_template(template_name, context = {})
+      tmplt = @context.templates[template_name.to_s]
+
+      unless tmplt
+        raise "Template `#{template_name}` is not defined"
+      end
+
+      context_orig = @context
+      @context = @context.merge(context)
+      instance_eval(&tmplt)
+      @context = context_orig
+    end
+
+    def context
+      @context
+    end
+  end
+end

data/lib/subiam/utils.rb

@@ -0,0 +1,31 @@
+class Subiam::Utils
+  class << self
+    def unbrace(str)
+      str.sub(/\A\s*\{/, '').sub(/\}\s*\z/, '')
+    end
+
+    def camelize(str)
+      str.slice(0, 1).upcase + str.slice(1..-1).downcase
+    end
+
+    def bytesize(str)
+      if str.respond_to?(:bytesize)
+        str.bytesize
+      else
+        str.length
+      end
+    end
+
+    def diff(obj1, obj2, options = {})
+      diffy = Diffy::Diff.new(
+        obj1.pretty_inspect,
+        obj2.pretty_inspect,
+        :diff => '-u'
+      )
+
+      out = diffy.to_s(options[:color] ? :color : :text).gsub(/\s+\z/m, '')
+      out.gsub!(/^/, options[:indent]) if options[:indent]
+      out
+    end
+  end # of class methods
+end

data/lib/subiam/version.rb

@@ -0,0 +1,3 @@
+module Subiam
+  VERSION = '1.2.1'
+end

data/lib/subiam.rb

@@ -0,0 +1,36 @@
+require 'cgi'
+require 'json'
+require 'logger'
+require 'pp'
+require 'singleton'
+require 'thread'
+
+require 'aws-sdk-core'
+Aws.use_bundled_cert!
+
+require 'ruby-progressbar'
+require 'parallel'
+require 'term/ansicolor'
+require 'diffy'
+require 'hashie'
+
+module Subiam ; end
+require 'subiam/ext/array_ext'
+require 'subiam/ext/hash_ext'
+require 'subiam/ext/string_ext'
+require 'subiam/logger'
+require 'subiam/template_helper'
+require 'subiam/client'
+require 'subiam/driver'
+require 'subiam/dsl'
+require 'subiam/dsl/helper/arn'
+require 'subiam/dsl/context'
+require 'subiam/dsl/context/group'
+require 'subiam/dsl/context/managed_policy'
+require 'subiam/dsl/context/role'
+require 'subiam/dsl/context/user'
+require 'subiam/dsl/converter'
+require 'subiam/exporter'
+require 'subiam/password_manager'
+require 'subiam/utils'
+require 'subiam/version'

data/spec/spec_helper.rb

@@ -0,0 +1,95 @@
+if ENV['TRAVIS']
+  require 'simplecov'
+  require 'coveralls'
+
+  SimpleCov.formatter = Coveralls::SimpleCov::Formatter
+  SimpleCov.start do
+    add_filter "spec/"
+  end
+end
+
+require 'tempfile'
+require 'subiam'
+
+Aws.config.update(
+  access_key_id: ENV['MIAM_TEST_ACCESS_KEY_ID'] || 'scott',
+  secret_access_key: ENV['MIAM_TEST_SECRET_ACCESS_KEY'] || 'tiger'
+)
+
+MIAM_TEST_ACCOUNT_ID = Aws::IAM::Client.new.get_user.user.user_id
+
+RSpec.configure do |config|
+  config.before(:each) do
+    apply { 'target /.*/' }
+  end
+
+  config.after(:all) do
+    apply { 'target /.*/' }
+  end
+end
+
+def client(user_options = {})
+  options = {
+    logger: Logger.new('/dev/null'),
+    no_progress: true,
+    enable_delete: true,
+  }
+
+  options[:password_manager] = Subiam::PasswordManager.new('/dev/null', options)
+
+  if_debug do
+    logger = Subiam::Logger.instance
+    logger.set_debug(true)
+
+    options.update(
+      debug: true,
+      logger: logger,
+      aws_config: {
+        http_wire_trace: true,
+        logger: logger
+      },
+    )
+  end
+
+  options = options.merge(user_options)
+  Subiam::Client.new(options)
+end
+
+def tempfile(content, options = {})
+  basename = "#{File.basename __FILE__}.#{$$}"
+  basename = [basename, options[:ext]] if options[:ext]
+
+  Tempfile.open(basename) do |f|
+    f.puts(content)
+    f.flush
+    f.rewind
+    yield(f)
+  end
+end
+
+def apply(cli = client)
+  tempfile(yield) do |f|
+    begin
+      cli.apply(f.path)
+    rescue Aws::IAM::Errors::EntityTemporarilyUnmodifiable
+      sleep 3
+      retry
+    end
+  end
+end
+
+def parse(cli = client)
+  tempfile(yield) do |f|
+    cli.__send__(:load_file, f.path)
+  end
+end
+
+def export(options = {})
+  options = {no_progress: true}.merge(options)
+  cli = options.delete(:client) || Aws::IAM::Client.new
+  Subiam::Exporter.export(cli, options)[0]
+end
+
+def if_debug
+  yield if ENV['DEBUG'] == '1'
+end

data/spec/subiam/attach_detach_policy_spec.rb

@@ -0,0 +1,389 @@
+describe 'attach/detach policy' do
+  let(:dsl) do
+    <<-RUBY
+      target /^iam-test-/
+
+      user "iam-test-bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>true
+
+        groups(
+          "iam-test-Admin",
+          "iam-test-SES"
+        )
+
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      user "iam-test-mary", :path=>"/staff/" do
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      group "iam-test-Admin", :path=>"/admin/" do
+        policy "Admin" do
+          {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      group "iam-test-SES", :path=>"/ses/" do
+        policy "ses-policy" do
+          {"Statement"=>
+            [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      role "iam-test-my-role", :path=>"/any/" do
+        instance_profiles(
+          "iam-test-my-instance-profile"
+        )
+
+        assume_role_policy_document do
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]}
+        end
+
+        policy "role-policy" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+    RUBY
+  end
+
+  let(:expected) do
+    {:users=>
+      {"iam-test-bob"=>
+        {:path=>"/devloper/",
+         :groups=>["iam-test-Admin", "iam-test-SES"],
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :login_profile=>{:password_reset_required=>true}},
+       "iam-test-mary"=>
+        {:path=>"/staff/",
+         :groups=>[],
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :groups=>
+      {"iam-test-Admin"=>
+        {:path=>"/admin/",
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"Admin"=>
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
+       "iam-test-SES"=>
+        {:path=>"/ses/",
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"ses-policy"=>
+            {"Statement"=>
+              [{"Effect"=>"Allow",
+                "Action"=>"ses:SendRawEmail",
+                "Resource"=>"*"}]}}}},
+     :policies=>{},
+     :roles=>
+      {"iam-test-my-role"=>
+        {:path=>"/any/",
+         :assume_role_policy_document=>
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]},
+         :instance_profiles=>["iam-test-my-instance-profile"],
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"role-policy"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :instance_profiles=>{"iam-test-my-instance-profile"=>{:path=>"/profile/"}}}
+  end
+
+  before(:each) do
+    apply { dsl }
+  end
+
+  context 'when no change' do
+    subject { client }
+
+    it do
+      updated = apply(subject) { dsl }
+      expect(updated).to be_falsey
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when attach policy' do
+    let(:update_policy_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+          )
+        end
+
+        user "iam-test-mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess",
+            "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+          )
+        end
+
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+          )
+        end
+
+        group "iam-test-SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess",
+            "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+          )
+        end
+
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess",
+            "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+          )
+        end
+
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { update_policy_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["iam-test-mary"][:attached_managed_policies] << "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+      expected[:groups]["iam-test-SES"][:attached_managed_policies] << "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+      expected[:roles]["iam-test-my-role"][:attached_managed_policies] << "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when detach policy' do
+    let(:update_policy_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+          )
+        end
+
+        user "iam-test-mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+          )
+        end
+
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+          )
+        end
+
+        group "iam-test-SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+          )
+        end
+
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+
+          attached_managed_policies(
+          )
+        end
+
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { update_policy_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["iam-test-mary"][:attached_managed_policies].clear
+      expected[:groups]["iam-test-SES"][:attached_managed_policies].clear
+      expected[:roles]["iam-test-my-role"][:attached_managed_policies].clear
+      expect(export).to eq expected
+    end
+  end
+end