Class: SDM::Client

Inherits:

Object

• Object
• SDM::Client

Defined in:

lib/strongdm.rb

Overview

Client bundles all the services together and initializes them.

Instance Attribute Summary

• #_test_options ⇒ Object readonly

  Returns the value of attribute _test_options.

• #account_attachments ⇒ Object readonly

  AccountAttachments assign an account to a role.

• #account_grants ⇒ Object readonly

  AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

• #accounts ⇒ Object readonly

  Accounts are users that have access to strongDM.

• #api_access_key ⇒ Object readonly

  API authentication token (read-only).

• #base_retry_delay ⇒ Object readonly

  Returns the value of attribute base_retry_delay.

• #max_retries ⇒ Object readonly

  Returns the value of attribute max_retries.

• #max_retry_delay ⇒ Object readonly

  Returns the value of attribute max_retry_delay.

• #nodes ⇒ Object readonly

  Nodes make up the strongDM network, and allow your users to connect securely to your resources.

• #resources ⇒ Object readonly

  Returns the value of attribute resources.

• #role_attachments ⇒ Object readonly

  RoleAttachments represent relationships between composite roles and the roles that make up those composite roles.

• #role_grants ⇒ Object readonly

  RoleGrants represent relationships between composite roles and the roles that make up those composite roles.

• #roles ⇒ Object readonly

  Roles are tools for controlling user access to resources.

Instance Method Summary

• #get_metadata(method_name, req) ⇒ Object
• #initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false) ⇒ Client constructor

  Creates a new strongDM API client.

• #jitterSleep(iter) ⇒ Object
• #shouldRetry(iter, err) ⇒ Object
• #sign(method_name, msg_bytes) ⇒ Object

Constructor Details

#initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false) ⇒ Client

Creates a new strongDM API client.

# File 'lib/strongdm.rb', line 31

def initialize(api_access_key, api_secret_key, host:"api.strongdm.com:443", insecure:false)
    @api_access_key = api_access_key
    @api_secret_key = Base64.strict_decode64(api_secret_key)
    @max_retries = DEFAULT_MAX_RETRIES
    @base_retry_delay = DEFAULT_BASE_RETRY_DELAY
    @max_retry_delay = DEFAULT_MAX_RETRY_DELAY
    @account_attachments = AccountAttachments.new(host, insecure, self)
    @account_grants = AccountGrants.new(host, insecure, self)
    @accounts = Accounts.new(host, insecure, self)
    @nodes = Nodes.new(host, insecure, self)
    @resources = Resources.new(host, insecure, self)
    @role_attachments = RoleAttachments.new(host, insecure, self)
    @role_grants = RoleGrants.new(host, insecure, self)
    @roles = Roles.new(host, insecure, self)
    @_test_options = Hash.new
end

Instance Attribute Details

#_test_options ⇒ Object (readonly)

Returns the value of attribute _test_options.

# File 'lib/strongdm.rb', line 125

def _test_options
  @_test_options
end

#account_attachments ⇒ Object (readonly)

AccountAttachments assign an account to a role.

# File 'lib/strongdm.rb', line 94

def account_attachments
  @account_attachments
end

#account_grants ⇒ Object (readonly)

AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

# File 'lib/strongdm.rb', line 96

def account_grants
  @account_grants
end

#accounts ⇒ Object (readonly)

Accounts are users that have access to strongDM. There are two types of accounts:

1. **Regular users:** humans who are authenticated through username and password or SSO

2. **Service users:** machines that are authneticated using a service token

# File 'lib/strongdm.rb', line 101

def accounts
  @accounts
end

#api_access_key ⇒ Object (readonly)

API authentication token (read-only).

# File 'lib/strongdm.rb', line 92

def api_access_key
  @api_access_key
end

#base_retry_delay ⇒ Object (readonly)

Returns the value of attribute base_retry_delay.

# File 'lib/strongdm.rb', line 88

def base_retry_delay
  @base_retry_delay
end

#max_retries ⇒ Object (readonly)

Returns the value of attribute max_retries.

# File 'lib/strongdm.rb', line 87

def max_retries
  @max_retries
end

#max_retry_delay ⇒ Object (readonly)

Returns the value of attribute max_retry_delay.

# File 'lib/strongdm.rb', line 89

def max_retry_delay
  @max_retry_delay
end

#nodes ⇒ Object (readonly)

Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:

1. Relay: creates connectivity to your datasources, while maintaining the egress-only nature of your firewall

2. Gateways: a relay that also listens for connections from strongDM clients

# File 'lib/strongdm.rb', line 106

def nodes
  @nodes
end

#resources ⇒ Object (readonly)

Returns the value of attribute resources.

# File 'lib/strongdm.rb', line 108

def resources
  @resources
end

#role_attachments ⇒ Object (readonly)

RoleAttachments represent relationships between composite roles and the roles that make up those composite roles. When a composite role is attached to another role, the permissions granted to members of the composite role are augmented to include the permissions granted to members of the attached role.

# File 'lib/strongdm.rb', line 113

def role_attachments
  @role_attachments
end

#role_grants ⇒ Object (readonly)

RoleGrants represent relationships between composite roles and the roles that make up those composite roles. When a composite role is attached to another role, the permissions granted to members of the composite role are augmented to include the permissions granted to members of the attached role.

# File 'lib/strongdm.rb', line 118

def role_grants
  @role_grants
end

#roles ⇒ Object (readonly)

Roles are tools for controlling user access to resources. Each Role holds a list of resources which they grant access to. Composite roles are a special type of Role which have no resource associations of their own, but instead grant access to the combined resources associated with a set of child roles. Each user can be a member of one Role or composite role.

# File 'lib/strongdm.rb', line 124

def roles
  @roles
end

Instance Method Details

#get_metadata(method_name, req) ⇒ Object

# File 'lib/strongdm.rb', line 48

def get_metadata(method_name, req)
    return { 'x-sdm-authentication': @api_access_key,'x-sdm-signature': self.sign(method_name, req.to_proto)}
end

#jitterSleep(iter) ⇒ Object

# File 'lib/strongdm.rb', line 68

def jitterSleep(iter)
    dur_max = @base_retry_delay * 2**iter
    if (dur_max > @max_retry_delay)
        dur_max = @max_retry_delay
    end
    dur = rand() * dur_max
    sleep(dur)
end

#shouldRetry(iter, err) ⇒ Object

# File 'lib/strongdm.rb', line 77

def shouldRetry(iter, err)
    if (iter >= @max_retries-1)
        return false
    end
    if not err .is_a? GRPC::BadStatus
        return true
    end
    return err.code() == 13
end

#sign(method_name, msg_bytes) ⇒ Object

# File 'lib/strongdm.rb', line 52

def sign(method_name, msg_bytes)
    current_utc_date = Time.now.utc
    date = sprintf("%04d-%02d-%02d",current_utc_date.year, current_utc_date.month, current_utc_date.day)

    signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @api_secret_key, date)
    signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, 'sdm_api_v1')

    sha_req = Digest::SHA256.new
    sha_req << method_name
    sha_req << "\n"
    sha_req << msg_bytes
    request_hash = sha_req.digest

    return Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, request_hash))
end