Class: SDM::Client
Inherits: Object
Defined in: lib/strongdm.rb
Overview
Client bundles all the services together and initializes them.
Instance Attribute Summary
- #_test_options ⇒ Object (readonly): Returns the value of attribute _test_options.
- #account_attachments ⇒ Object (readonly): AccountAttachments assign an account to a role or composite role.
- #account_grants ⇒ Object (readonly): AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
- #accounts ⇒ Object (readonly): Accounts are users that have access to strongDM.
- #api_access_key ⇒ Object (readonly): API authentication token (read-only).
- #base_retry_delay ⇒ Object (readonly): Returns the value of attribute base_retry_delay.
- #control_panel ⇒ Object (readonly): ControlPanel contains all administrative controls.
- #max_retries ⇒ Object (readonly): Returns the value of attribute max_retries.
- #max_retry_delay ⇒ Object (readonly): Returns the value of attribute max_retry_delay.
- #nodes ⇒ Object (readonly): Nodes make up the strongDM network, and allow your users to connect securely to your resources.
- #resources ⇒ Object (readonly): Returns the value of attribute resources.
- #role_attachments ⇒ Object (readonly): RoleAttachments represent relationships between composite roles and the roles that make up those composite roles.
- #role_grants ⇒ Object (readonly): RoleGrants represent relationships between composite roles and the roles that make up those composite roles.
- #roles ⇒ Object (readonly): Roles are tools for controlling user access to resources.
- #secret_stores ⇒ Object (readonly): SecretStores are servers where resource secrets (passwords, keys) are stored.
Instance Method Summary
- #get_metadata(method_name, req) ⇒ Object
- #initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false) ⇒ Client (constructor): Creates a new strongDM API client.
- #jitterSleep(iter) ⇒ Object
- #shouldRetry(iter, err) ⇒ Object
- #sign(method_name, msg_bytes) ⇒ Object
Constructor Details
#initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false) ⇒ Client
Creates a new strongDM API client.
```ruby
# File 'lib/strongdm.rb', line 33

def initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false)
  raise TypeError, "client access key must be a string" unless api_access_key.kind_of?(String)
  raise TypeError, "client secret key must be a string" unless api_secret_key.kind_of?(String)
  raise TypeError, "client host must be a string" unless host.kind_of?(String)
  @api_access_key = api_access_key.strip
  # The secret key is supplied base64-encoded; strict decoding raises
  # ArgumentError on malformed input instead of silently accepting it.
  @api_secret_key = Base64.strict_decode64(api_secret_key.strip)
  @max_retries = DEFAULT_MAX_RETRIES
  @base_retry_delay = DEFAULT_BASE_RETRY_DELAY
  @max_retry_delay = DEFAULT_MAX_RETRY_DELAY
  # Every service client receives this Client so it can sign its requests.
  @account_attachments = AccountAttachments.new(host, insecure, self)
  @account_grants = AccountGrants.new(host, insecure, self)
  @accounts = Accounts.new(host, insecure, self)
  @control_panel = ControlPanel.new(host, insecure, self)
  @nodes = Nodes.new(host, insecure, self)
  @resources = Resources.new(host, insecure, self)
  @role_attachments = RoleAttachments.new(host, insecure, self)
  @role_grants = RoleGrants.new(host, insecure, self)
  @roles = Roles.new(host, insecure, self)
  @secret_stores = SecretStores.new(host, insecure, self)
  @_test_options = Hash.new
end
```
Instance Attribute Details
#_test_options ⇒ Object (readonly)
Returns the value of attribute _test_options.
```ruby
# File 'lib/strongdm.rb', line 139

def _test_options
  @_test_options
end
```
#account_attachments ⇒ Object (readonly)
AccountAttachments assign an account to a role or composite role.
```ruby
# File 'lib/strongdm.rb', line 106

def account_attachments
  @account_attachments
end
```
#account_grants ⇒ Object (readonly)
AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.
```ruby
# File 'lib/strongdm.rb', line 108

def account_grants
  @account_grants
end
```
#accounts ⇒ Object (readonly)
Accounts are users that have access to strongDM. There are two types of accounts:
- Users: humans who are authenticated through username and password or SSO.
- Service Accounts: machines that are authenticated using a service token.

```ruby
# File 'lib/strongdm.rb', line 112

def accounts
  @accounts
end
```
#api_access_key ⇒ Object (readonly)
API authentication token (read-only).
```ruby
# File 'lib/strongdm.rb', line 104

def api_access_key
  @api_access_key
end
```
#base_retry_delay ⇒ Object (readonly)
Returns the value of attribute base_retry_delay.
```ruby
# File 'lib/strongdm.rb', line 100

def base_retry_delay
  @base_retry_delay
end
```
#control_panel ⇒ Object (readonly)
ControlPanel contains all administrative controls.
```ruby
# File 'lib/strongdm.rb', line 114

def control_panel
  @control_panel
end
```
#max_retries ⇒ Object (readonly)
Returns the value of attribute max_retries.
```ruby
# File 'lib/strongdm.rb', line 99

def max_retries
  @max_retries
end
```
#max_retry_delay ⇒ Object (readonly)
Returns the value of attribute max_retry_delay.
```ruby
# File 'lib/strongdm.rb', line 101

def max_retry_delay
  @max_retry_delay
end
```
#nodes ⇒ Object (readonly)
Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:
- Gateways are the entry points into the network. They listen for connections from the strongDM client, and provide access to databases and servers.
- Relays are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.

```ruby
# File 'lib/strongdm.rb', line 118

def nodes
  @nodes
end
```
#resources ⇒ Object (readonly)
Returns the value of attribute resources.
```ruby
# File 'lib/strongdm.rb', line 120

def resources
  @resources
end
```
#role_attachments ⇒ Object (readonly)
RoleAttachments represent relationships between composite roles and the roles that make up those composite roles. When a composite role is attached to another role, the permissions granted to members of the composite role are augmented to include the permissions granted to members of the attached role.
```ruby
# File 'lib/strongdm.rb', line 125

def role_attachments
  @role_attachments
end
```
#role_grants ⇒ Object (readonly)
RoleGrants represent relationships between composite roles and the roles that make up those composite roles. When a composite role is attached to another role, the permissions granted to members of the composite role are augmented to include the permissions granted to members of the attached role.
```ruby
# File 'lib/strongdm.rb', line 130

def role_grants
  @role_grants
end
```
#roles ⇒ Object (readonly)
Roles are tools for controlling user access to resources. Each Role holds a list of resources which they grant access to. Composite roles are a special type of Role which have no resource associations of their own, but instead grant access to the combined resources associated with a set of child roles. Each user can be a member of one Role or composite role.
```ruby
# File 'lib/strongdm.rb', line 136

def roles
  @roles
end
```
#secret_stores ⇒ Object (readonly)
SecretStores are servers where resource secrets (passwords, keys) are stored.
```ruby
# File 'lib/strongdm.rb', line 138

def secret_stores
  @secret_stores
end
```
Instance Method Details
#get_metadata(method_name, req) ⇒ Object
```ruby
# File 'lib/strongdm.rb', line 55

def get_metadata(method_name, req)
  # Per-call gRPC metadata: the access key identifies the caller and the
  # signature authenticates this particular method name and serialized message.
  return {
    'x-sdm-authentication': @api_access_key,
    'x-sdm-signature': self.sign(method_name, req.to_proto),
    'x-sdm-api-version': API_VERSION,
    'x-sdm-user-agent': USER_AGENT,
  }
end
```
#jitterSleep(iter) ⇒ Object
```ruby
# File 'lib/strongdm.rb', line 80

def jitterSleep(iter)
  # Exponential backoff capped at max_retry_delay, with full jitter:
  # the actual sleep is uniform in [0, dur_max).
  dur_max = @base_retry_delay * 2 ** iter
  if (dur_max > @max_retry_delay)
    dur_max = @max_retry_delay
  end
  dur = rand() * dur_max
  sleep(dur)
end
```
#shouldRetry(iter, err) ⇒ Object
```ruby
# File 'lib/strongdm.rb', line 89

def shouldRetry(iter, err)
  # Stop once the retry budget is spent.
  if (iter >= @max_retries - 1)
    return false
  end
  # Errors that are not gRPC statuses (transport failures) are always retried.
  if not err.is_a? GRPC::BadStatus
    return true
  end
  # 13 is the gRPC INTERNAL status code; every other gRPC status fails immediately.
  return err.code() == 13
end
```
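The two methods above (#jitterSleep and #shouldRetry) together define the client's retry policy. The following is an added example, not the strongDM SDK's own code: it restates that policy as a small class that can be exercised without a live gRPC connection or real sleeps. FakeBadStatus stands in for GRPC::BadStatus (only its #code is needed), and the default limits are assumed values rather than the SDK's DEFAULT_* constants.

```ruby
# Added example, not the strongDM SDK's own code: the retry policy that
# SDM::Client#shouldRetry and #jitterSleep implement, made testable.
module SdmRetryExample
  GRPC_INTERNAL = 13 # the only gRPC status the client retries

  # Stand-in for GRPC::BadStatus; only #code matters for the policy.
  class FakeBadStatus < StandardError
    attr_reader :code

    def initialize(code)
      @code = code
      super("gRPC status #{code}")
    end
  end

  class Policy
    attr_reader :max_retries, :base_retry_delay, :max_retry_delay

    # Assumed defaults, not the SDK's DEFAULT_* constants.
    def initialize(max_retries: 3, base_retry_delay: 0.03, max_retry_delay: 2.0)
      @max_retries = max_retries
      @base_retry_delay = base_retry_delay
      @max_retry_delay = max_retry_delay
    end

    # Mirrors shouldRetry: stop once the attempt budget is spent; retry any
    # non-gRPC error (transport failures); for gRPC errors retry only INTERNAL,
    # so statuses such as UNAUTHENTICATED (16) fail on the first attempt.
    def retry?(iter, err)
      return false if iter >= max_retries - 1
      return true unless err.is_a?(FakeBadStatus)
      err.code == GRPC_INTERNAL
    end

    # Mirrors jitterSleep's cap: base * 2**iter, limited to max_retry_delay.
    def delay_bound(iter)
      [base_retry_delay * 2**iter, max_retry_delay].min
    end

    # Full jitter: uniform in [0, delay_bound(iter)).
    def delay(iter, rng = Random.new)
      rng.rand * delay_bound(iter)
    end

    # Run the block under this policy. sleeper and rng are injectable so the
    # number of attempts and the chosen delays can be observed deterministically.
    def run(sleeper: ->(secs) { sleep(secs) }, rng: Random.new)
      iter = 0
      begin
        yield iter
      rescue StandardError => e
        raise unless retry?(iter, e)
        sleeper.call(delay(iter, rng))
        iter += 1
        retry
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = SdmRetryExample::Policy.new
  attempts = 0
  begin
    policy.run(sleeper: ->(s) { puts "sleeping #{s.round(3)}s" }) do
      attempts += 1
      raise SdmRetryExample::FakeBadStatus.new(SdmRetryExample::GRPC_INTERNAL)
    end
  rescue SdmRetryExample::FakeBadStatus => e
    puts "gave up after #{attempts} attempts: #{e.message}"
  end
end
```

With max_retries = 3 an always-failing INTERNAL call is attempted three times with two jittered sleeps in between, while an UNAUTHENTICATED status is never retried, which is the behaviour a caller should expect when a key is revoked.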
#sign(method_name, msg_bytes) ⇒ Object
```ruby
# File 'lib/strongdm.rb', line 64

def sign(method_name, msg_bytes)
  # Key derivation: the current UTC date is mixed in first, then an API-version
  # label, so the derived signing key is only valid for one day and one API version.
  current_utc_date = Time.now.utc
  date = sprintf("%04d-%02d-%02d", current_utc_date.year, current_utc_date.month, current_utc_date.day)
  signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @api_secret_key, date)
  signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, "sdm_api_v1")
  # The signed payload is SHA-256 over method_name, a newline, and the serialized request.
  sha_req = Digest::SHA256.new
  sha_req << method_name
  sha_req << "\n"
  sha_req << msg_bytes
  request_hash = sha_req.digest
  return Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, request_hash))
end
```
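The following is an added example, not the strongDM SDK's own code: it reproduces the signing scheme of #sign end to end and adds the verification step a receiving service needs (recompute, then compare in constant time). The date is passed in explicitly, where the client derives it from Time.now.utc, so results are reproducible; the secret, method name and request bytes are constructed sample values.

```ruby
require "base64"
require "digest"
require "openssl"

# Added example, not the strongDM SDK's own code: SDM::Client#sign's scheme
# plus a verifier. All key and message values here are constructed samples.
module SdmSigningExample
  API_SCOPE = "sdm_api_v1" # label that binds the derived key to this API version

  # Same date format the client uses: YYYY-MM-DD in UTC.
  def self.utc_date(time = Time.now.utc)
    t = time.utc
    format("%04d-%02d-%02d", t.year, t.month, t.day)
  end

  # Key derivation: HMAC(secret, date), then HMAC(result, "sdm_api_v1").
  # The raw secret never signs a request directly, and the derived key
  # changes every UTC day, so a captured signature cannot be replayed later.
  def self.signing_key(secret_key, date)
    daily = OpenSSL::HMAC.digest("SHA256", secret_key, date)
    OpenSSL::HMAC.digest("SHA256", daily, API_SCOPE)
  end

  # What gets signed: SHA-256 over method name, a newline, and the serialized
  # message bytes. Binding the method name means a signed body cannot be
  # redirected to a different RPC.
  def self.request_hash(method_name, msg_bytes)
    sha = Digest::SHA256.new
    sha << method_name
    sha << "\n"
    sha << msg_bytes
    sha.digest
  end

  # Produces the value the client sends as x-sdm-signature.
  def self.sign(secret_key, method_name, msg_bytes, date)
    mac = OpenSSL::HMAC.digest("SHA256", signing_key(secret_key, date),
                               request_hash(method_name, msg_bytes))
    Base64.strict_encode64(mac)
  end

  # Constant-time comparison so the verifier does not leak how many leading
  # bytes of a forged signature were correct.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Server-side check: recompute for this method, body and date, then compare.
  def self.verify(secret_key, method_name, msg_bytes, date, signature_b64)
    secure_equal?(sign(secret_key, method_name, msg_bytes, date), signature_b64)
  end

  # Constructed samples. A real secret arrives base64-encoded and is decoded
  # with Base64.strict_decode64, as the client constructor does.
  SAMPLE_SECRET_B64 = Base64.strict_encode64("example-secret-key-not-real-32b")
  SAMPLE_SECRET = Base64.strict_decode64(SAMPLE_SECRET_B64)
  SAMPLE_METHOD = "/v1.Accounts/List" # assumed method name, for illustration only
  SAMPLE_BODY = "\x0a\x05email".b     # stands in for req.to_proto output
end

if __FILE__ == $PROGRAM_NAME
  date = SdmSigningExample.utc_date
  sig = SdmSigningExample.sign(SdmSigningExample::SAMPLE_SECRET, SdmSigningExample::SAMPLE_METHOD,
                               SdmSigningExample::SAMPLE_BODY, date)
  puts "x-sdm-signature: #{sig}"
  ok = SdmSigningExample.verify(SdmSigningExample::SAMPLE_SECRET, SdmSigningExample::SAMPLE_METHOD,
                                SdmSigningExample::SAMPLE_BODY, date, sig)
  puts "verifies: #{ok}"
end
```

Changing any one of the method name, the body, the date or the secret produces a different signature, so a verifier that recomputes all four rejects a replayed or modified request; the date binding also means a client whose clock drifts across a UTC day boundary will see signatures rejected until it resynchronises.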