RubyGems - subiam - Versions diffs - 1.2.1 - Mend

subiam 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

checksums.yaml +7 -0
data/.gitignore +19 -0
data/.rspec +4 -0
data/Gemfile +4 -0
data/LICENSE.txt +48 -0
data/README.md +408 -0
data/Rakefile +5 -0
data/bin/subiam +189 -0
data/lib/subiam/client.rb +565 -0
data/lib/subiam/driver.rb +466 -0
data/lib/subiam/dsl/context/group.rb +35 -0
data/lib/subiam/dsl/context/managed_policy.rb +23 -0
data/lib/subiam/dsl/context/role.rb +59 -0
data/lib/subiam/dsl/context/user.rb +43 -0
data/lib/subiam/dsl/context.rb +101 -0
data/lib/subiam/dsl/converter.rb +202 -0
data/lib/subiam/dsl/helper/arn.rb +22 -0
data/lib/subiam/dsl.rb +9 -0
data/lib/subiam/exporter.rb +278 -0
data/lib/subiam/ext/array_ext.rb +13 -0
data/lib/subiam/ext/hash_ext.rb +41 -0
data/lib/subiam/ext/string_ext.rb +25 -0
data/lib/subiam/logger.rb +27 -0
data/lib/subiam/password_manager.rb +41 -0
data/lib/subiam/template_helper.rb +20 -0
data/lib/subiam/utils.rb +31 -0
data/lib/subiam/version.rb +3 -0
data/lib/subiam.rb +36 -0
data/spec/spec_helper.rb +95 -0
data/spec/subiam/attach_detach_policy_spec.rb +389 -0
data/spec/subiam/create_spec.rb +271 -0
data/spec/subiam/custom_managed_policy_spec.rb +232 -0
data/spec/subiam/delete_spec.rb +549 -0
data/spec/subiam/hash_ext_spec.rb +61 -0
data/spec/subiam/ignore_login_profile_spec.rb +73 -0
data/spec/subiam/rename_spec.rb +476 -0
data/spec/subiam/style_spec.rb +189 -0
data/spec/subiam/target_spec.rb +150 -0
data/spec/subiam/update_spec.rb +911 -0
data/subiam.gemspec +32 -0
metadata +251 -0

data/spec/subiam/delete_spec.rb ADDED Viewed

@@ -0,0 +1,549 @@
+# subiam which forked from subiam doesn't use delete
+xdescribe 'delete' do
+  let(:dsl) do
+    <<-RUBY
+      user "bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>true
+        groups(
+          "Admin",
+          "SES"
+        )
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+      user "mary", :path=>"/staff/" do
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+      group "Admin", :path=>"/admin/" do
+        policy "Admin" do
+          {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+        end
+      end
+      group "SES", :path=>"/ses/" do
+        policy "ses-policy" do
+          {"Statement"=>
+            [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+        end
+      end
+      role "my-role", :path=>"/any/" do
+        instance_profiles(
+          "my-instance-profile"
+        )
+        assume_role_policy_document do
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]}
+        end
+        policy "role-policy" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+      instance_profile "my-instance-profile", :path=>"/profile/"
+    RUBY
+  end
+  let(:expected) do
+    {:users=>
+      {"bob"=>
+        {:path=>"/devloper/",
+         :groups=>["Admin", "SES"],
+         :attached_managed_policies=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :login_profile=>{:password_reset_required=>true}},
+       "mary"=>
+        {:path=>"/staff/",
+         :groups=>[],
+         :attached_managed_policies=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :groups=>
+      {"Admin"=>
+        {:path=>"/admin/",
+         :attached_managed_policies=>[],
+         :policies=>
+          {"Admin"=>
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
+       "SES"=>
+        {:path=>"/ses/",
+         :attached_managed_policies=>[],
+         :policies=>
+          {"ses-policy"=>
+            {"Statement"=>
+              [{"Effect"=>"Allow",
+                "Action"=>"ses:SendRawEmail",
+                "Resource"=>"*"}]}}}},
+     :policies => {},
+     :roles=>
+      {"my-role"=>
+        {:path=>"/any/",
+         :assume_role_policy_document=>
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]},
+         :instance_profiles=>["my-instance-profile"],
+         :attached_managed_policies=>[],
+         :policies=>
+          {"role-policy"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :instance_profiles=>{"my-instance-profile"=>{:path=>"/profile/"}}}
+  end
+  before(:each) do
+    apply { dsl }
+  end
+  context 'when delete group' do
+    let(:delete_group_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "Admin"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { delete_group_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["bob"][:groups] = ["Admin"]
+      expected[:groups].delete("SES")
+      expect(export).to eq expected
+    end
+  end
+  context 'when delete user' do
+    let(:delete_user_dsl) do
+      <<-RUBY
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { delete_user_dsl }
+      expect(updated).to be_truthy
+      expected[:users].delete("bob")
+      expect(export).to eq expected
+    end
+  end
+  context 'when delete user_and_group' do
+    let(:delete_user_and_group_dsl) do
+      <<-RUBY
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    context 'when apply' do
+      subject { client }
+      it do
+        updated = apply(subject) { delete_user_and_group_dsl }
+        expect(updated).to be_truthy
+        expected[:users].delete("bob")
+        expected[:groups].delete("SES")
+        expect(export).to eq expected
+      end
+    end
+    context 'when dry-run' do
+      subject { client(dry_run: true) }
+      it do
+        updated = apply(subject) { delete_user_and_group_dsl }
+        expect(updated).to be_falsey
+        expect(export).to eq expected
+      end
+    end
+  end
+  context 'when delete instance_profile' do
+    let(:delete_instance_profiles_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "Admin",
+            "SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { delete_instance_profiles_dsl }
+      expect(updated).to be_truthy
+      expected[:roles]["my-role"][:instance_profiles] = []
+      expected[:instance_profiles].delete("my-instance-profile")
+      expect(export).to eq expected
+    end
+  end
+  context 'when delete role' do
+    let(:delete_role_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "Admin",
+            "SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { delete_role_dsl }
+      expect(updated).to be_truthy
+      expected[:roles].delete("my-role")
+      expect(export).to eq expected
+    end
+  end
+  context 'when delete role and instance_profile' do
+    let(:delete_role_and_instance_profile_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "Admin",
+            "SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { delete_role_and_instance_profile_dsl }
+      expect(updated).to be_truthy
+      expected[:roles].delete("my-role")
+      expected[:instance_profiles].delete("my-instance-profile")
+      expect(export).to eq expected
+    end
+  end
+end

data/spec/subiam/hash_ext_spec.rb ADDED Viewed

@@ -0,0 +1,61 @@
+describe 'Hash#sort_array!' do
+  let(:hash) do
+    {:users=>
+      {"bob"=>
+        {:path=>"/devloper/",
+         :groups=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Put*", "s3:List*", "s3:Get*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess",
+          "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"],
+         :login_profile=>{:password_reset_required=>true}}}}
+  end
+  let(:expected_hash) do
+    {:users=>
+      {"bob"=>
+        {:path=>"/devloper/",
+         :groups=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*", "s3:Put*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :login_profile=>{:password_reset_required=>true}}}}
+  end
+  subject { hash.sort_array! }
+  it { is_expected.to eq expected_hash }
+end
+describe 'Hash#keys_to_s_recursive' do
+  let(:hash) do
+    {S3:
+         {Statement:
+              [{Action: ["s3:Put*", "s3:List*", "s3:Get*"],
+                Effect: "Allow",
+                Resource: "*"}]}}
+  end
+  let(:expected_hash) do
+    {"S3" =>
+         {"Statement" =>
+              [{"Action" => ["s3:Put*", "s3:List*", "s3:Get*"],
+                "Effect" => "Allow",
+                "Resource" => "*"}]}}
+  end
+  subject { hash.keys_to_s_recursive }
+  it { is_expected.to eq expected_hash }
+end

data/spec/subiam/ignore_login_profile_spec.rb ADDED Viewed

@@ -0,0 +1,73 @@
+describe 'ignore login profile' do
+  let(:dsl) do
+    <<-RUBY
+      target /^iam-test-/
+      user "iam-test-bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>true
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+    RUBY
+  end
+  let(:update_dsl) do
+    <<-RUBY
+      target /^iam-test-/
+      user "iam-test-bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>false
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*",
+                "s3:Put*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+    RUBY
+  end
+  let(:expected) do
+    {:users=>
+      {"iam-test-bob"=>
+        {:path=>"/devloper/",
+         :groups=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*", "s3:Put*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :attached_managed_policies=>[],
+         :login_profile=>{:password_reset_required=>true}}},
+     :groups=>{},
+     :policies=>{},
+     :roles=>{},
+     :instance_profiles=>{}}
+  end
+  before(:each) do
+    apply { dsl }
+  end
+  context 'when no change' do
+    subject { client(ignore_login_profile: true) }
+    it do
+      updated = apply(subject) { update_dsl }
+      expect(updated).to be_truthy
+      expect(export).to eq expected
+    end
+  end
+end