strongdm 3.6.1__zip → 3.7.0__zip

strongdm-3.7.0/strongdm/activities_pb2_grpc.py

@@ -0,0 +1,124 @@
+# Copyright 2020 StrongDM Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+# Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT!
+"""Client and server classes corresponding to protobuf-defined services."""
+import grpc
+
+from . import activities_pb2 as activities__pb2
+
+
+class ActivitiesStub(object):
+    """An Activity is a record of an action taken against a strongDM deployment, e.g.
+    a user creation, resource deletion, sso configuration change, etc. The Activities
+    service is read-only.
+    """
+
+    def __init__(self, channel):
+        """Constructor.
+
+        Args:
+            channel: A grpc.Channel.
+        """
+        self.Get = channel.unary_unary(
+                '/v1.Activities/Get',
+                request_serializer=activities__pb2.ActivityGetRequest.SerializeToString,
+                response_deserializer=activities__pb2.ActivityGetResponse.FromString,
+                )
+        self.List = channel.unary_unary(
+                '/v1.Activities/List',
+                request_serializer=activities__pb2.ActivityListRequest.SerializeToString,
+                response_deserializer=activities__pb2.ActivityListResponse.FromString,
+                )
+
+
+class ActivitiesServicer(object):
+    """An Activity is a record of an action taken against a strongDM deployment, e.g.
+    a user creation, resource deletion, sso configuration change, etc. The Activities
+    service is read-only.
+    """
+
+    def Get(self, request, context):
+        """Get reads one Activity by ID.
+        """
+        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
+        context.set_details('Method not implemented!')
+        raise NotImplementedError('Method not implemented!')
+
+    def List(self, request, context):
+        """List gets a list of Activities matching a given set of criteria.
+        """
+        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
+        context.set_details('Method not implemented!')
+        raise NotImplementedError('Method not implemented!')
+
+
+def add_ActivitiesServicer_to_server(servicer, server):
+    rpc_method_handlers = {
+            'Get': grpc.unary_unary_rpc_method_handler(
+                    servicer.Get,
+                    request_deserializer=activities__pb2.ActivityGetRequest.FromString,
+                    response_serializer=activities__pb2.ActivityGetResponse.SerializeToString,
+            ),
+            'List': grpc.unary_unary_rpc_method_handler(
+                    servicer.List,
+                    request_deserializer=activities__pb2.ActivityListRequest.FromString,
+                    response_serializer=activities__pb2.ActivityListResponse.SerializeToString,
+            ),
+    }
+    generic_handler = grpc.method_handlers_generic_handler(
+            'v1.Activities', rpc_method_handlers)
+    server.add_generic_rpc_handlers((generic_handler,))
+
+
+ # This class is part of an EXPERIMENTAL API.
+class Activities(object):
+    """An Activity is a record of an action taken against a strongDM deployment, e.g.
+    a user creation, resource deletion, sso configuration change, etc. The Activities
+    service is read-only.
+    """
+
+    @staticmethod
+    def Get(request,
+            target,
+            options=(),
+            channel_credentials=None,
+            call_credentials=None,
+            insecure=False,
+            compression=None,
+            wait_for_ready=None,
+            timeout=None,
+            metadata=None):
+        return grpc.experimental.unary_unary(request, target, '/v1.Activities/Get',
+            activities__pb2.ActivityGetRequest.SerializeToString,
+            activities__pb2.ActivityGetResponse.FromString,
+            options, channel_credentials,
+            insecure, call_credentials, compression, wait_for_ready, timeout, metadata)
+
+    @staticmethod
+    def List(request,
+            target,
+            options=(),
+            channel_credentials=None,
+            call_credentials=None,
+            insecure=False,
+            compression=None,
+            wait_for_ready=None,
+            timeout=None,
+            metadata=None):
+        return grpc.experimental.unary_unary(request, target, '/v1.Activities/List',
+            activities__pb2.ActivityListRequest.SerializeToString,
+            activities__pb2.ActivityListResponse.FromString,
+            options, channel_credentials,
+            insecure, call_credentials, compression, wait_for_ready, timeout, metadata)

strongdm-3.7.0/strongdm/client.py

@@ -0,0 +1,432 @@
+# Copyright 2020 StrongDM Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This file was generated by protogen. DO NOT EDIT.
+
+import base64
+import copy
+import datetime
+import grpc
+import hashlib
+import hmac
+import random
+import time
+from . import svc
+from . import plumbing
+
+# These defaults are taken from AWS. Customization of these values
+# is a future step in the API.
+DEFAULT_MAX_RETRIES = 3
+DEFAULT_BASE_RETRY_DELAY = 0.0030  # 30 ms
+DEFAULT_MAX_RETRY_DELAY = 300  # 300 seconds
+API_VERSION = '2021-08-23'
+USER_AGENT = 'strongdm-sdk-python/3.7.0'
+
+
+class Client:
+    '''Client interacts with the strongDM API.'''
+    def __init__(self,
+                 api_access_key,
+                 api_secret,
+                 host='api.strongdm.com:443',
+                 insecure=False,
+                 retry_rate_limit_errors=True):
+        '''
+        Create a new Client.
+
+        - api_access_key: the access key to authenticate with strongDM
+        - api_secret: the secret key to authenticate with strongDM
+        '''
+        self.api_access_key = api_access_key.strip()
+        self.api_secret = base64.b64decode(api_secret.strip())
+        self.max_retries = DEFAULT_MAX_RETRIES
+        self.base_retry_delay = DEFAULT_BASE_RETRY_DELAY
+        self.max_retry_delay = DEFAULT_MAX_RETRY_DELAY
+        self.expose_rate_limit_errors = (not retry_rate_limit_errors)
+        self.snapshot_datetime = None
+        self._test_options = {}
+
+        try:
+            if insecure:
+                channel = grpc.insecure_channel(host)
+            else:
+                creds = grpc.ssl_channel_credentials()
+                channel = grpc.secure_channel(host, creds)
+        except Exception as e:
+            raise plumbing.convert_error_to_porcelain(e) from e
+        self.channel = channel
+        self.account_attachments = svc.AccountAttachments(channel, self)
+        '''
+         AccountAttachments assign an account to a role.
+
+        See `strongdm.svc.AccountAttachments`.
+        '''
+        self.account_attachments_history = svc.AccountAttachmentsHistory(
+            channel, self)
+        '''
+         AccountAttachmentsHistory records all changes to the state of an AccountAttachment.
+
+        See `strongdm.svc.AccountAttachmentsHistory`.
+        '''
+        self.account_grants = svc.AccountGrants(channel, self)
+        '''
+         AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
+
+        See `strongdm.svc.AccountGrants`.
+        '''
+        self.account_grants_history = svc.AccountGrantsHistory(channel, self)
+        '''
+         AccountGrantsHistory records all changes to the state of an AccountGrant.
+
+        See `strongdm.svc.AccountGrantsHistory`.
+        '''
+        self.account_permissions = svc.AccountPermissions(channel, self)
+        '''
+         AccountPermissions records the granular permissions accounts have, allowing them to execute
+         relevant commands via StrongDM's APIs.
+
+        See `strongdm.svc.AccountPermissions`.
+        '''
+        self.account_resources = svc.AccountResources(channel, self)
+        '''
+         AccountResources enumerates the resources to which accounts have access.
+         The AccountResources service is read-only.
+
+        See `strongdm.svc.AccountResources`.
+        '''
+        self.accounts = svc.Accounts(channel, self)
+        '''
+         Accounts are users that have access to strongDM. There are two types of accounts:
+         1. **Users:** humans who are authenticated through username and password or SSO.
+         2. **Service Accounts:** machines that are authenticated using a service token.
+
+        See `strongdm.svc.Accounts`.
+        '''
+        self.accounts_history = svc.AccountsHistory(channel, self)
+        '''
+         AccountsHistory records all changes to the state of an Account.
+
+        See `strongdm.svc.AccountsHistory`.
+        '''
+        self.activities = svc.Activities(channel, self)
+        '''
+         An Activity is a record of an action taken against a strongDM deployment, e.g.
+         a user creation, resource deletion, sso configuration change, etc. The Activities
+         service is read-only.
+
+        See `strongdm.svc.Activities`.
+        '''
+        self.control_panel = svc.ControlPanel(channel, self)
+        '''
+         ControlPanel contains all administrative controls.
+
+        See `strongdm.svc.ControlPanel`.
+        '''
+        self.nodes = svc.Nodes(channel, self)
+        '''
+         Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
+         - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
+         - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
+
+        See `strongdm.svc.Nodes`.
+        '''
+        self.nodes_history = svc.NodesHistory(channel, self)
+        '''
+         NodesHistory records all changes to the state of a Node.
+
+        See `strongdm.svc.NodesHistory`.
+        '''
+        self.organization_history = svc.OrganizationHistory(channel, self)
+        '''
+         OrganizationHistory records all changes to the state of an Organization.
+
+        See `strongdm.svc.OrganizationHistory`.
+        '''
+        self.queries = svc.Queries(channel, self)
+        '''
+         A Query is a record of a single client request to a resource, such as an SQL query.
+         Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries.
+         The Queries service is read-only.
+
+        See `strongdm.svc.Queries`.
+        '''
+        self.remote_identities = svc.RemoteIdentities(channel, self)
+        '''
+         RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
+
+        See `strongdm.svc.RemoteIdentities`.
+        '''
+        self.remote_identities_history = svc.RemoteIdentitiesHistory(
+            channel, self)
+        '''
+         RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.
+
+        See `strongdm.svc.RemoteIdentitiesHistory`.
+        '''
+        self.remote_identity_groups = svc.RemoteIdentityGroups(channel, self)
+        '''
+         A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.
+         An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
+
+        See `strongdm.svc.RemoteIdentityGroups`.
+        '''
+        self.remote_identity_groups_history = svc.RemoteIdentityGroupsHistory(
+            channel, self)
+        '''
+         RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.
+
+        See `strongdm.svc.RemoteIdentityGroupsHistory`.
+        '''
+        self.replays = svc.Replays(channel, self)
+        '''
+         A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session
+         (otherwise referred to as a query). The Replays service is read-only.
+
+        See `strongdm.svc.Replays`.
+        '''
+        self.resources = svc.Resources(channel, self)
+        '''
+         Resources are databases, servers, clusters, websites, or clouds that strongDM
+         delegates access to.
+
+        See `strongdm.svc.Resources`.
+        '''
+        self.resources_history = svc.ResourcesHistory(channel, self)
+        '''
+         ResourcesHistory records all changes to the state of a Resource.
+
+        See `strongdm.svc.ResourcesHistory`.
+        '''
+        self.role_resources = svc.RoleResources(channel, self)
+        '''
+         RoleResources enumerates the resources to which roles have access.
+         The RoleResources service is read-only.
+
+        See `strongdm.svc.RoleResources`.
+        '''
+        self.role_resources_history = svc.RoleResourcesHistory(channel, self)
+        '''
+         RoleResourcesHistory records all changes to the state of a RoleResource.
+
+        See `strongdm.svc.RoleResourcesHistory`.
+        '''
+        self.roles = svc.Roles(channel, self)
+        '''
+         A Role has a list of access rules which determine which Resources the members
+         of the Role have access to. An Account can be a member of multiple Roles via
+         AccountAttachments.
+
+        See `strongdm.svc.Roles`.
+        '''
+        self.roles_history = svc.RolesHistory(channel, self)
+        '''
+         RolesHistory records all changes to the state of a Role.
+
+        See `strongdm.svc.RolesHistory`.
+        '''
+        self.secret_stores = svc.SecretStores(channel, self)
+        '''
+         SecretStores are servers where resource secrets (passwords, keys) are stored.
+
+        See `strongdm.svc.SecretStores`.
+        '''
+        self.secret_stores_history = svc.SecretStoresHistory(channel, self)
+        '''
+         SecretStoresHistory records all changes to the state of a SecretStore.
+
+        See `strongdm.svc.SecretStoresHistory`.
+        '''
+
+    def close(self):
+        '''Closes this Client and releases all resources held by it.
+
+        Closing the Client will immediately terminate all RPCs active with the
+        Client and it is not valid to invoke new RPCs with the Client.
+
+        This method is idempotent.
+        '''
+        self.channel.close()
+
+    def get_metadata(self, method_name, req):
+        return [
+            ('x-sdm-authentication', self.api_access_key),
+            ('x-sdm-signature', self.sign(method_name,
+                                          req.SerializeToString())),
+            ('x-sdm-api-version', API_VERSION),
+            ('x-sdm-user-agent', USER_AGENT),
+        ]
+
+    def sign(self, method_name, request_bytes):
+        def hmac_digest(key, msg_byte_string):
+            return hmac.new(key, msg=msg_byte_string,
+                            digestmod=hashlib.sha256).digest()
+
+        current_utc_date = datetime.datetime.utcnow().strftime('%Y-%m-%d')
+        signing_key = hmac_digest(self.api_secret, current_utc_date.encode())
+        signing_key = hmac_digest(signing_key, b'sdm_api_v1')
+
+        hash = hashlib.sha256()
+
+        hash.update(method_name.encode())
+        hash.update(b'\n')
+        hash.update(request_bytes)
+
+        return base64.b64encode(hmac_digest(signing_key, hash.digest()))
+
+    def jitterSleep(self, iter):
+        dur_max = self.base_retry_delay * 2**iter
+        if (dur_max > self.max_retry_delay):
+            dur_max = self.max_retry_delay
+        # get a value between 0 and max
+        dur = random.random() * dur_max
+        time.sleep(dur)
+
+    def shouldRetry(self, iter, err):
+        if (iter >= self.max_retries - 1):
+            return False
+        if not isinstance(err, grpc.RpcError):
+            return True
+        if (not self.expose_rate_limit_errors
+            ) and err.code() == grpc.StatusCode.RESOURCE_EXHAUSTED:
+            porcelain_err = plumbing.convert_error_to_porcelain(err)
+            wait_until = porcelain_err.rate_limit.reset_at
+            now = datetime.datetime.now(datetime.timezone.utc)
+            sleep_for = (wait_until - now).total_seconds()
+            # If timezones or clock drift causes this calculation to fail,
+            # wait at most one minute.
+            if sleep_for < 0 or sleep_for > 60:
+                sleep_for = 60
+            time.sleep(sleep_for)
+            return True
+        return err.code() == grpc.StatusCode.INTERNAL or err.code(
+        ) == grpc.StatusCode.UNAVAILABLE
+
+    def snapshot_at(self, snapshot_datetime):
+        '''
+        Constructs a read-only client that will provide historical data from the provided timestamp.
+
+        See `SnapshotClient`.
+        '''
+        client = copy.copy(self)
+        client.snapshot_datetime = snapshot_datetime
+        client.account_attachments = svc.AccountAttachments(
+            client.channel, client)
+        client.account_grants = svc.AccountGrants(client.channel, client)
+        client.account_permissions = svc.AccountPermissions(
+            client.channel, client)
+        client.account_resources = svc.AccountResources(client.channel, client)
+        client.accounts = svc.Accounts(client.channel, client)
+        client.nodes = svc.Nodes(client.channel, client)
+        client.remote_identities = svc.RemoteIdentities(client.channel, client)
+        client.remote_identity_groups = svc.RemoteIdentityGroups(
+            client.channel, client)
+        client.resources = svc.Resources(client.channel, client)
+        client.role_resources = svc.RoleResources(client.channel, client)
+        client.roles = svc.Roles(client.channel, client)
+        client.secret_stores = svc.SecretStores(client.channel, client)
+        return SnapshotClient(client)
+
+
+class SnapshotClient:
+    '''SnapshotClient exposes methods to query historical records at a provided timestamp.'''
+    def __init__(self, client):
+        self.account_attachments = svc.SnapshotAccountAttachments(
+            client.account_attachments)
+        '''
+         AccountAttachments assign an account to a role.
+
+        See `strongdm.svc.SnapshotAccountAttachments`.
+        '''
+        self.account_grants = svc.SnapshotAccountGrants(client.account_grants)
+        '''
+         AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
+
+        See `strongdm.svc.SnapshotAccountGrants`.
+        '''
+        self.account_permissions = svc.SnapshotAccountPermissions(
+            client.account_permissions)
+        '''
+         AccountPermissions records the granular permissions accounts have, allowing them to execute
+         relevant commands via StrongDM's APIs.
+
+        See `strongdm.svc.SnapshotAccountPermissions`.
+        '''
+        self.account_resources = svc.SnapshotAccountResources(
+            client.account_resources)
+        '''
+         AccountResources enumerates the resources to which accounts have access.
+         The AccountResources service is read-only.
+
+        See `strongdm.svc.SnapshotAccountResources`.
+        '''
+        self.accounts = svc.SnapshotAccounts(client.accounts)
+        '''
+         Accounts are users that have access to strongDM. There are two types of accounts:
+         1. **Users:** humans who are authenticated through username and password or SSO.
+         2. **Service Accounts:** machines that are authenticated using a service token.
+
+        See `strongdm.svc.SnapshotAccounts`.
+        '''
+        self.nodes = svc.SnapshotNodes(client.nodes)
+        '''
+         Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
+         - **Gateways** are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
+         - **Relays** are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
+
+        See `strongdm.svc.SnapshotNodes`.
+        '''
+        self.remote_identities = svc.SnapshotRemoteIdentities(
+            client.remote_identities)
+        '''
+         RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.
+
+        See `strongdm.svc.SnapshotRemoteIdentities`.
+        '''
+        self.remote_identity_groups = svc.SnapshotRemoteIdentityGroups(
+            client.remote_identity_groups)
+        '''
+         A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.
+         An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.
+
+        See `strongdm.svc.SnapshotRemoteIdentityGroups`.
+        '''
+        self.resources = svc.SnapshotResources(client.resources)
+        '''
+         Resources are databases, servers, clusters, websites, or clouds that strongDM
+         delegates access to.
+
+        See `strongdm.svc.SnapshotResources`.
+        '''
+        self.role_resources = svc.SnapshotRoleResources(client.role_resources)
+        '''
+         RoleResources enumerates the resources to which roles have access.
+         The RoleResources service is read-only.
+
+        See `strongdm.svc.SnapshotRoleResources`.
+        '''
+        self.roles = svc.SnapshotRoles(client.roles)
+        '''
+         A Role has a list of access rules which determine which Resources the members
+         of the Role have access to. An Account can be a member of multiple Roles via
+         AccountAttachments.
+
+        See `strongdm.svc.SnapshotRoles`.
+        '''
+        self.secret_stores = svc.SnapshotSecretStores(client.secret_stores)
+        '''
+         SecretStores are servers where resource secrets (passwords, keys) are stored.
+
+        See `strongdm.svc.SnapshotSecretStores`.
+        '''