Class: SDM::Client

Inherits:
Object
  • Object
show all
Defined in:
lib/strongdm.rb

Overview

Client bundles all the services together and initializes them.

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false, retry_rate_limit_errors: true, page_limit: 50) ⇒ Client

Creates a new strongDM API client.

Raises:

  • (TypeError) 


36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
 
# File 'lib/strongdm.rb', line 36

def initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false, retry_rate_limit_errors: true, page_limit: 50)
  raise TypeError, "client access key must be a string" unless api_access_key.kind_of?(String)
  raise TypeError, "client secret key must be a string" unless api_secret_key.kind_of?(String)
  raise TypeError, "client host must be a string" unless host.kind_of?(String)
  @api_access_key = api_access_key.strip
  @api_secret_key = Base64.strict_decode64(api_secret_key.strip)
  @max_retries = DEFAULT_MAX_RETRIES
  @base_retry_delay = DEFAULT_BASE_RETRY_DELAY
  @max_retry_delay = DEFAULT_MAX_RETRY_DELAY
  @page_limit = page_limit
  @expose_rate_limit_errors = (not retry_rate_limit_errors)
  @snapshot_time = nil
  begin
    if insecure
      @channel = GRPC::Core::Channel.new(host, {}, :this_channel_is_insecure)
    else
      cred = GRPC::Core::ChannelCredentials.new()
      @channel = GRPC::Core::Channel.new(host, {}, cred)
    end
  rescue => exception
    raise Plumbing::convert_error_to_porcelain(exception)
  end
  @access_requests = AccessRequests.new(@channel, self)
  @access_request_events_history = AccessRequestEventsHistory.new(@channel, self)
  @access_requests_history = AccessRequestsHistory.new(@channel, self)
  @account_attachments = AccountAttachments.new(@channel, self)
  @account_attachments_history = AccountAttachmentsHistory.new(@channel, self)
  @account_grants = AccountGrants.new(@channel, self)
  @account_grants_history = AccountGrantsHistory.new(@channel, self)
  @account_permissions = AccountPermissions.new(@channel, self)
  @account_resources = AccountResources.new(@channel, self)
  @account_resources_history = AccountResourcesHistory.new(@channel, self)
  @accounts = Accounts.new(@channel, self)
  @accounts_history = AccountsHistory.new(@channel, self)
  @activities = Activities.new(@channel, self)
  @approval_workflow_approvers = ApprovalWorkflowApprovers.new(@channel, self)
  @approval_workflow_approvers_history = ApprovalWorkflowApproversHistory.new(@channel, self)
  @approval_workflow_steps = ApprovalWorkflowSteps.new(@channel, self)
  @approval_workflow_steps_history = ApprovalWorkflowStepsHistory.new(@channel, self)
  @approval_workflows = ApprovalWorkflows.new(@channel, self)
  @approval_workflows_history = ApprovalWorkflowsHistory.new(@channel, self)
  @control_panel = ControlPanel.new(@channel, self)
  @identity_aliases = IdentityAliases.new(@channel, self)
  @identity_aliases_history = IdentityAliasesHistory.new(@channel, self)
  @identity_sets = IdentitySets.new(@channel, self)
  @identity_sets_history = IdentitySetsHistory.new(@channel, self)
  @nodes = Nodes.new(@channel, self)
  @nodes_history = NodesHistory.new(@channel, self)
  @organization_history = OrganizationHistory.new(@channel, self)
  @peering_group_nodes = PeeringGroupNodes.new(@channel, self)
  @peering_group_peers = PeeringGroupPeers.new(@channel, self)
  @peering_group_resources = PeeringGroupResources.new(@channel, self)
  @peering_groups = PeeringGroups.new(@channel, self)
  @policies = Policies.new(@channel, self)
  @policies_history = PoliciesHistory.new(@channel, self)
  @proxy_cluster_keys = ProxyClusterKeys.new(@channel, self)
  @queries = Queries.new(@channel, self)
  @remote_identities = RemoteIdentities.new(@channel, self)
  @remote_identities_history = RemoteIdentitiesHistory.new(@channel, self)
  @remote_identity_groups = RemoteIdentityGroups.new(@channel, self)
  @remote_identity_groups_history = RemoteIdentityGroupsHistory.new(@channel, self)
  @replays = Replays.new(@channel, self)
  @resources = Resources.new(@channel, self)
  @resources_history = ResourcesHistory.new(@channel, self)
  @role_resources = RoleResources.new(@channel, self)
  @role_resources_history = RoleResourcesHistory.new(@channel, self)
  @roles = Roles.new(@channel, self)
  @roles_history = RolesHistory.new(@channel, self)
  @secret_stores = SecretStores.new(@channel, self)
  @secret_store_healths = SecretStoreHealths.new(@channel, self)
  @secret_stores_history = SecretStoresHistory.new(@channel, self)
  @workflow_approvers = WorkflowApprovers.new(@channel, self)
  @workflow_approvers_history = WorkflowApproversHistory.new(@channel, self)
  @workflow_assignments = WorkflowAssignments.new(@channel, self)
  @workflow_assignments_history = WorkflowAssignmentsHistory.new(@channel, self)
  @workflow_roles = WorkflowRoles.new(@channel, self)
  @workflow_roles_history = WorkflowRolesHistory.new(@channel, self)
  @workflows = Workflows.new(@channel, self)
  @workflows_history = WorkflowsHistory.new(@channel, self)
end

Instance Attribute Details

#access_request_events_historyObject (readonly)

AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.

See AccessRequestEventsHistory.



212
213
214
 
# File 'lib/strongdm.rb', line 212

def access_request_events_history
  @access_request_events_history
end

#access_requestsObject (readonly)

AccessRequests are requests for access to a resource that may match a Workflow.

See AccessRequests.



208
209
210
 
# File 'lib/strongdm.rb', line 208

def access_requests
  @access_requests
end

#access_requests_historyObject (readonly)

AccessRequestsHistory provides records of all changes to the state of an AccessRequest.

See AccessRequestsHistory.



216
217
218
 
# File 'lib/strongdm.rb', line 216

def access_requests_history
  @access_requests_history
end

#account_attachmentsObject (readonly)

AccountAttachments assign an account to a role.

See AccountAttachments.



220
221
222
 
# File 'lib/strongdm.rb', line 220

def 
  @account_attachments
end

#account_attachments_historyObject (readonly)

AccountAttachmentsHistory records all changes to the state of an AccountAttachment.

See AccountAttachmentsHistory.



224
225
226
 
# File 'lib/strongdm.rb', line 224

def 
  @account_attachments_history
end

#account_grantsObject (readonly)

AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

See AccountGrants.



228
229
230
 
# File 'lib/strongdm.rb', line 228

def 
  @account_grants
end

#account_grants_historyObject (readonly)

AccountGrantsHistory records all changes to the state of an AccountGrant.

See AccountGrantsHistory.



232
233
234
 
# File 'lib/strongdm.rb', line 232

def 
  @account_grants_history
end

#account_permissionsObject (readonly)

AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.

See AccountPermissions.



237
238
239
 
# File 'lib/strongdm.rb', line 237

def 
  @account_permissions
end

#account_resourcesObject (readonly)

AccountResources enumerates the resources to which accounts have access. The AccountResources service is read-only.

See AccountResources.



242
243
244
 
# File 'lib/strongdm.rb', line 242

def 
  @account_resources
end

#account_resources_historyObject (readonly)

AccountResourcesHistory records all changes to the state of a AccountResource.

See AccountResourcesHistory.



246
247
248
 
# File 'lib/strongdm.rb', line 246

def 
  @account_resources_history
end

#accountsObject (readonly)

Accounts are users that have access to strongDM. There are two types of accounts:

  1. Users: humans who are authenticated through username and password or SSO.
  2. Service Accounts: machines that are authenticated using a service token.
  3. Tokens are access keys with permissions that can be used for authentication.

See Accounts.



253
254
255
 
# File 'lib/strongdm.rb', line 253

def accounts
  @accounts
end

#accounts_historyObject (readonly)

AccountsHistory records all changes to the state of an Account.

See AccountsHistory.



257
258
259
 
# File 'lib/strongdm.rb', line 257

def accounts_history
  @accounts_history
end

#activitiesObject (readonly)

An Activity is a record of an action taken against a strongDM deployment, e.g. a user creation, resource deletion, sso configuration change, etc. The Activities service is read-only.

See Activities.



263
264
265
 
# File 'lib/strongdm.rb', line 263

def activities
  @activities
end

#api_access_keyObject (readonly)

API authentication token (read-only).



202
203
204
 
# File 'lib/strongdm.rb', line 202

def api_access_key
  @api_access_key
end

#approval_workflow_approversObject (readonly)

ApprovalWorkflowApprovers link approval workflow approvers to an ApprovalWorkflowStep

See ApprovalWorkflowApprovers.



267
268
269
 
# File 'lib/strongdm.rb', line 267

def approval_workflow_approvers
  @approval_workflow_approvers
end

#approval_workflow_approvers_historyObject (readonly)

ApprovalWorkflowApproversHistory records all changes to the state of an ApprovalWorkflowApprover.

See ApprovalWorkflowApproversHistory.



271
272
273
 
# File 'lib/strongdm.rb', line 271

def approval_workflow_approvers_history
  @approval_workflow_approvers_history
end

#approval_workflow_stepsObject (readonly)

ApprovalWorkflowSteps link approval workflow steps to an ApprovalWorkflow

See ApprovalWorkflowSteps.



275
276
277
 
# File 'lib/strongdm.rb', line 275

def approval_workflow_steps
  @approval_workflow_steps
end

#approval_workflow_steps_historyObject (readonly)

ApprovalWorkflowStepsHistory records all changes to the state of an ApprovalWorkflowStep.

See ApprovalWorkflowStepsHistory.



279
280
281
 
# File 'lib/strongdm.rb', line 279

def approval_workflow_steps_history
  @approval_workflow_steps_history
end

#approval_workflowsObject (readonly)

ApprovalWorkflows are the mechanism by which requests for access can be viewed by authorized approvers and be approved or denied.

See ApprovalWorkflows.



284
285
286
 
# File 'lib/strongdm.rb', line 284

def approval_workflows
  @approval_workflows
end

#approval_workflows_historyObject (readonly)

ApprovalWorkflowsHistory records all changes to the state of an ApprovalWorkflow.

See ApprovalWorkflowsHistory.



288
289
290
 
# File 'lib/strongdm.rb', line 288

def approval_workflows_history
  @approval_workflows_history
end

#base_retry_delayObject (readonly)

Returns the value of attribute base_retry_delay.



197
198
199
 
# File 'lib/strongdm.rb', line 197

def base_retry_delay
  @base_retry_delay
end

#control_panelObject (readonly)

ControlPanel contains all administrative controls.

See SDM::ControlPanel.



292
293
294
 
# File 'lib/strongdm.rb', line 292

def control_panel
  @control_panel
end

#identity_aliasesObject (readonly)

IdentityAliases assign an alias to an account within an IdentitySet. The alias is used as the username when connecting to a identity supported resource.

See IdentityAliases.



297
298
299
 
# File 'lib/strongdm.rb', line 297

def identity_aliases
  @identity_aliases
end

#identity_aliases_historyObject (readonly)

IdentityAliasesHistory records all changes to the state of a IdentityAlias.

See IdentityAliasesHistory.



301
302
303
 
# File 'lib/strongdm.rb', line 301

def identity_aliases_history
  @identity_aliases_history
end

#identity_setsObject (readonly)

A IdentitySet is a named grouping of Identity Aliases for Accounts. An Account's relationship to a IdentitySet is defined via IdentityAlias objects.

See IdentitySets.



306
307
308
 
# File 'lib/strongdm.rb', line 306

def identity_sets
  @identity_sets
end

#identity_sets_historyObject (readonly)

IdentitySetsHistory records all changes to the state of a IdentitySet.

See IdentitySetsHistory.



310
311
312
 
# File 'lib/strongdm.rb', line 310

def identity_sets_history
  @identity_sets_history
end

#max_retriesObject (readonly)

Returns the value of attribute max_retries.



196
197
198
 
# File 'lib/strongdm.rb', line 196

def max_retries
  @max_retries
end

#max_retry_delayObject (readonly)

Returns the value of attribute max_retry_delay.



198
199
200
 
# File 'lib/strongdm.rb', line 198

def max_retry_delay
  @max_retry_delay
end

#nodesObject (readonly)

Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:

  • Gateways are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
  • Relays are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.

See Nodes.



316
317
318
 
# File 'lib/strongdm.rb', line 316

def nodes
  @nodes
end

#nodes_historyObject (readonly)

NodesHistory records all changes to the state of a Node.

See NodesHistory.



320
321
322
 
# File 'lib/strongdm.rb', line 320

def nodes_history
  @nodes_history
end

#organization_historyObject (readonly)

OrganizationHistory records all changes to the state of an Organization.

See OrganizationHistory.



324
325
326
 
# File 'lib/strongdm.rb', line 324

def organization_history
  @organization_history
end

#page_limitObject

Returns the value of attribute page_limit.



199
200
201
 
# File 'lib/strongdm.rb', line 199

def page_limit
  @page_limit
end

#peering_group_nodesObject (readonly)

PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group.

See PeeringGroupNodes.



328
329
330
 
# File 'lib/strongdm.rb', line 328

def peering_group_nodes
  @peering_group_nodes
end

#peering_group_peersObject (readonly)

PeeringGroupPeers provides the building blocks necessary to link two peering groups.

See PeeringGroupPeers.



332
333
334
 
# File 'lib/strongdm.rb', line 332

def peering_group_peers
  @peering_group_peers
end

#peering_group_resourcesObject (readonly)

PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group.

See PeeringGroupResources.



336
337
338
 
# File 'lib/strongdm.rb', line 336

def peering_group_resources
  @peering_group_resources
end

#peering_groupsObject (readonly)

PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing.

See PeeringGroups.



340
341
342
 
# File 'lib/strongdm.rb', line 340

def peering_groups
  @peering_groups
end

#policiesObject (readonly)

Policies are the collection of one or more statements that enforce fine-grained access control for the users of an organization.

See Policies.



345
346
347
 
# File 'lib/strongdm.rb', line 345

def policies
  @policies
end

#policies_historyObject (readonly)

PoliciesHistory records all changes to the state of a Policy.

See PoliciesHistory.



349
350
351
 
# File 'lib/strongdm.rb', line 349

def policies_history
  @policies_history
end

#proxy_cluster_keysObject (readonly)

Proxy Cluster Keys are authentication keys for all proxies within a cluster. The proxies within a cluster share the same key. One cluster can have multiple keys in order to facilitate key rotation.

See ProxyClusterKeys.



355
356
357
 
# File 'lib/strongdm.rb', line 355

def proxy_cluster_keys
  @proxy_cluster_keys
end

#queriesObject (readonly)

A Query is a record of a single client request to a resource, such as a SQL query. Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. The Queries service is read-only.

See Queries.



361
362
363
 
# File 'lib/strongdm.rb', line 361

def queries
  @queries
end

#remote_identitiesObject (readonly)

RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.

See RemoteIdentities.



365
366
367
 
# File 'lib/strongdm.rb', line 365

def remote_identities
  @remote_identities
end

#remote_identities_historyObject (readonly)

RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.

See RemoteIdentitiesHistory.



369
370
371
 
# File 'lib/strongdm.rb', line 369

def remote_identities_history
  @remote_identities_history
end

#remote_identity_groupsObject (readonly)

A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.

See RemoteIdentityGroups.



374
375
376
 
# File 'lib/strongdm.rb', line 374

def remote_identity_groups
  @remote_identity_groups
end

#remote_identity_groups_historyObject (readonly)

RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.

See RemoteIdentityGroupsHistory.



378
379
380
 
# File 'lib/strongdm.rb', line 378

def remote_identity_groups_history
  @remote_identity_groups_history
end

#replaysObject (readonly)

A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session (otherwise referred to as a query). The Replays service is read-only.

See Replays.



383
384
385
 
# File 'lib/strongdm.rb', line 383

def replays
  @replays
end

#resourcesObject (readonly)

Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.

See Resources.



388
389
390
 
# File 'lib/strongdm.rb', line 388

def resources
  @resources
end

#resources_historyObject (readonly)

ResourcesHistory records all changes to the state of a Resource.

See ResourcesHistory.



392
393
394
 
# File 'lib/strongdm.rb', line 392

def resources_history
  @resources_history
end

#role_resourcesObject (readonly)

RoleResources enumerates the resources to which roles have access. The RoleResources service is read-only.

See RoleResources.



397
398
399
 
# File 'lib/strongdm.rb', line 397

def role_resources
  @role_resources
end

#role_resources_historyObject (readonly)

RoleResourcesHistory records all changes to the state of a RoleResource.

See RoleResourcesHistory.



401
402
403
 
# File 'lib/strongdm.rb', line 401

def role_resources_history
  @role_resources_history
end

#rolesObject (readonly)

A Role has a list of access rules which determine which Resources the members of the Role have access to. An Account can be a member of multiple Roles via AccountAttachments.

See Roles.



407
408
409
 
# File 'lib/strongdm.rb', line 407

def roles
  @roles
end

#roles_historyObject (readonly)

RolesHistory records all changes to the state of a Role.

See RolesHistory.



411
412
413
 
# File 'lib/strongdm.rb', line 411

def roles_history
  @roles_history
end

#secret_store_healthsObject (readonly)

SecretStoreHealths exposes health states for secret stores.

See SecretStoreHealths.



419
420
421
 
# File 'lib/strongdm.rb', line 419

def secret_store_healths
  @secret_store_healths
end

#secret_storesObject (readonly)

SecretStores are servers where resource secrets (passwords, keys) are stored.

See SecretStores.



415
416
417
 
# File 'lib/strongdm.rb', line 415

def secret_stores
  @secret_stores
end

#secret_stores_historyObject (readonly)

SecretStoresHistory records all changes to the state of a SecretStore.

See SecretStoresHistory.



423
424
425
 
# File 'lib/strongdm.rb', line 423

def secret_stores_history
  @secret_stores_history
end

#snapshot_timeObject

Optional timestamp at which to provide historical data



204
205
206
 
# File 'lib/strongdm.rb', line 204

def snapshot_time
  @snapshot_time
end

#workflow_approversObject (readonly)

WorkflowApprovers is an account or a role with the ability to approve requests bound to a workflow.

See WorkflowApprovers.



427
428
429
 
# File 'lib/strongdm.rb', line 427

def workflow_approvers
  @workflow_approvers
end

#workflow_approvers_historyObject (readonly)

WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover.

See WorkflowApproversHistory.



431
432
433
 
# File 'lib/strongdm.rb', line 431

def workflow_approvers_history
  @workflow_approvers_history
end

#workflow_assignmentsObject (readonly)

WorkflowAssignments links a Resource to a Workflow. The assigned resources are those that a user can request access to via the workflow.

See WorkflowAssignments.



436
437
438
 
# File 'lib/strongdm.rb', line 436

def workflow_assignments
  @workflow_assignments
end

#workflow_assignments_historyObject (readonly)

WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment.

See WorkflowAssignmentsHistory.



440
441
442
 
# File 'lib/strongdm.rb', line 440

def workflow_assignments_history
  @workflow_assignments_history
end

#workflow_rolesObject (readonly)

WorkflowRole links a role to a workflow. The linked roles indicate which roles a user must be a part of to request access to a resource via the workflow.

See WorkflowRoles.



445
446
447
 
# File 'lib/strongdm.rb', line 445

def workflow_roles
  @workflow_roles
end

#workflow_roles_historyObject (readonly)

WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole

See WorkflowRolesHistory.



449
450
451
 
# File 'lib/strongdm.rb', line 449

def workflow_roles_history
  @workflow_roles_history
end

#workflowsObject (readonly)

Workflows are the collection of rules that define the resources to which access can be requested, the users that can request that access, and the mechanism for approving those requests which can either be automatic approval or a set of users authorized to approve the requests.

See Workflows.



455
456
457
 
# File 'lib/strongdm.rb', line 455

def workflows
  @workflows
end

#workflows_historyObject (readonly)

WorkflowsHistory provides records of all changes to the state of a Workflow.

See WorkflowsHistory.



459
460
461
 
# File 'lib/strongdm.rb', line 459

def workflows_history
  @workflows_history
end

Instance Method Details

#closeObject

Closes this client and releases all resources held by it.



118
119
120
121
122
123
124
 
# File 'lib/strongdm.rb', line 118

def close
  begin
    @channel.close()
  rescue => exception
    raise Plumbing::convert_error_to_porcelain(exception)
  end
end

#sign(method_name, msg_bytes) ⇒ Object 



136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
 
# File 'lib/strongdm.rb', line 136

def sign(method_name, msg_bytes)
  current_utc_date = Time.now.utc
  date = sprintf("%04d-%02d-%02d", current_utc_date.year, current_utc_date.month, current_utc_date.day)

  signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @api_secret_key, date)
  signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, "sdm_api_v1")

  sha_req = Digest::SHA256.new
  sha_req << method_name
  sha_req << "\n"
  sha_req << msg_bytes
  request_hash = sha_req.digest

  return Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, request_hash))
end

#snapshot_at(snapshot_time) ⇒ Object

Constructs a read-only client that will provide historical data from the provided timestamp. See SnapshotClient.



190
191
192
193
194
 
# File 'lib/strongdm.rb', line 190

def snapshot_at(snapshot_time)
  client = self.clone
  client.snapshot_time = snapshot_time
  return SnapshotClient.new(client)
end