Class: SDM::Client

Inherits:

Object

• Object
• SDM::Client

Defined in:

lib/strongdm.rb

Overview

Client bundles all the services together and initializes them.

Instance Attribute Summary

• #account_attachments ⇒ Object readonly

  AccountAttachments assign an account to a role.

• #account_attachments_history ⇒ Object readonly

  AccountAttachmentsHistory records all changes to the state of an AccountAttachment.

• #account_grants ⇒ Object readonly

  AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

• #account_grants_history ⇒ Object readonly

  AccountGrantsHistory records all changes to the state of an AccountGrant.

• #account_permissions ⇒ Object readonly

  AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.

• #account_resources ⇒ Object readonly

  AccountResources enumerates the resources to which accounts have access.

• #accounts ⇒ Object readonly

  Accounts are users that have access to strongDM.

• #accounts_history ⇒ Object readonly

  AccountsHistory records all changes to the state of an Account.

• #activities ⇒ Object readonly

  An Activity is a record of an action taken against a strongDM deployment, e.g.

• #api_access_key ⇒ Object readonly

  API authentication token (read-only).

• #base_retry_delay ⇒ Object readonly

  Returns the value of attribute base_retry_delay.

• #control_panel ⇒ Object readonly

  ControlPanel contains all administrative controls.

• #max_retries ⇒ Object readonly

  Returns the value of attribute max_retries.

• #max_retry_delay ⇒ Object readonly

  Returns the value of attribute max_retry_delay.

• #nodes ⇒ Object readonly

  Nodes make up the strongDM network, and allow your users to connect securely to your resources.

• #nodes_history ⇒ Object readonly

  NodesHistory records all changes to the state of a Node.

• #organization_history ⇒ Object readonly

  OrganizationHistory records all changes to the state of an Organization.

• #queries ⇒ Object readonly

  A Query is a record of a single client request to a resource, such as an SQL query.

• #remote_identities ⇒ Object readonly

  RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.

• #remote_identities_history ⇒ Object readonly

  RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.

• #remote_identity_groups ⇒ Object readonly

  A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts.

• #remote_identity_groups_history ⇒ Object readonly

  RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.

• #replays ⇒ Object readonly

  A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session (otherwise referred to as a query).

• #resources ⇒ Object readonly

  Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.

• #resources_history ⇒ Object readonly

  ResourcesHistory records all changes to the state of a Resource.

• #role_resources ⇒ Object readonly

  RoleResources enumerates the resources to which roles have access.

• #role_resources_history ⇒ Object readonly

  RoleResourcesHistory records all changes to the state of a RoleResource.

• #roles ⇒ Object readonly

  A Role has a list of access rules which determine which Resources the members of the Role have access to.

• #roles_history ⇒ Object readonly

  RolesHistory records all changes to the state of a Role.

• #secret_stores ⇒ Object readonly

  SecretStores are servers where resource secrets (passwords, keys) are stored.

• #secret_stores_history ⇒ Object readonly

  SecretStoresHistory records all changes to the state of a SecretStore.

• #snapshot_time ⇒ Object readonly

  Optional timestamp at which to provide historical data.

Instance Method Summary

• #close ⇒ Object

  Closes this client and releases all resources held by it.

• #initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false, retry_rate_limit_errors: true) ⇒ Client constructor

  Creates a new strongDM API client.

• #sign(method_name, msg_bytes) ⇒ Object
• #snapshot_at(snapshot_time) ⇒ Object

  Constructs a read-only client that will provide historical data from the provided timestamp.

Constructor Details

#initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false, retry_rate_limit_errors: true) ⇒ Client

Creates a new strongDM API client.

Raises:

• (TypeError)

# File 'lib/strongdm.rb', line 36

def initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false, retry_rate_limit_errors: true)
  raise TypeError, "client access key must be a string" unless api_access_key.kind_of?(String)
  raise TypeError, "client secret key must be a string" unless api_secret_key.kind_of?(String)
  raise TypeError, "client host must be a string" unless host.kind_of?(String)
  @api_access_key = api_access_key.strip
  @api_secret_key = Base64.strict_decode64(api_secret_key.strip)
  @max_retries = DEFAULT_MAX_RETRIES
  @base_retry_delay = DEFAULT_BASE_RETRY_DELAY
  @max_retry_delay = DEFAULT_MAX_RETRY_DELAY
  @expose_rate_limit_errors = (not retry_rate_limit_errors)
  @snapshot_time = nil
  begin
    if insecure
      @channel = GRPC::Core::Channel.new(host, {}, :this_channel_is_insecure)
    else
      cred = GRPC::Core::ChannelCredentials.new()
      @channel = GRPC::Core::Channel.new(host, {}, cred)
    end
  rescue => exception
    raise Plumbing::convert_error_to_porcelain(exception)
  end
  @account_attachments = AccountAttachments.new(@channel, self)
  @account_attachments_history = AccountAttachmentsHistory.new(@channel, self)
  @account_grants = AccountGrants.new(@channel, self)
  @account_grants_history = AccountGrantsHistory.new(@channel, self)
  @account_permissions = AccountPermissions.new(@channel, self)
  @account_resources = AccountResources.new(@channel, self)
  @accounts = Accounts.new(@channel, self)
  @accounts_history = AccountsHistory.new(@channel, self)
  @activities = Activities.new(@channel, self)
  @control_panel = ControlPanel.new(@channel, self)
  @nodes = Nodes.new(@channel, self)
  @nodes_history = NodesHistory.new(@channel, self)
  @organization_history = OrganizationHistory.new(@channel, self)
  @queries = Queries.new(@channel, self)
  @remote_identities = RemoteIdentities.new(@channel, self)
  @remote_identities_history = RemoteIdentitiesHistory.new(@channel, self)
  @remote_identity_groups = RemoteIdentityGroups.new(@channel, self)
  @remote_identity_groups_history = RemoteIdentityGroupsHistory.new(@channel, self)
  @replays = Replays.new(@channel, self)
  @resources = Resources.new(@channel, self)
  @resources_history = ResourcesHistory.new(@channel, self)
  @role_resources = RoleResources.new(@channel, self)
  @role_resources_history = RoleResourcesHistory.new(@channel, self)
  @roles = Roles.new(@channel, self)
  @roles_history = RolesHistory.new(@channel, self)
  @secret_stores = SecretStores.new(@channel, self)
  @secret_stores_history = SecretStoresHistory.new(@channel, self)
  @_test_options = Hash.new
end

Instance Attribute Details

#account_attachments ⇒ Object (readonly)

AccountAttachments assign an account to a role.

See AccountAttachments.

# File 'lib/strongdm.rb', line 177

def account_attachments
  @account_attachments
end

#account_attachments_history ⇒ Object (readonly)

AccountAttachmentsHistory records all changes to the state of an AccountAttachment.

See AccountAttachmentsHistory.

# File 'lib/strongdm.rb', line 181

def account_attachments_history
  @account_attachments_history
end

#account_grants ⇒ Object (readonly)

AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

See AccountGrants.

# File 'lib/strongdm.rb', line 185

def account_grants
  @account_grants
end

#account_grants_history ⇒ Object (readonly)

AccountGrantsHistory records all changes to the state of an AccountGrant.

See AccountGrantsHistory.

# File 'lib/strongdm.rb', line 189

def account_grants_history
  @account_grants_history
end

#account_permissions ⇒ Object (readonly)

AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.

See AccountPermissions.

# File 'lib/strongdm.rb', line 194

def account_permissions
  @account_permissions
end

#account_resources ⇒ Object (readonly)

AccountResources enumerates the resources to which accounts have access. The AccountResources service is read-only.

See AccountResources.

# File 'lib/strongdm.rb', line 199

def account_resources
  @account_resources
end

#accounts ⇒ Object (readonly)

Accounts are users that have access to strongDM. There are two types of accounts:

1. Users: humans who are authenticated through username and password or SSO.
2. Service Accounts: machines that are authenticated using a service token.

See Accounts.

# File 'lib/strongdm.rb', line 205

def accounts
  @accounts
end

#accounts_history ⇒ Object (readonly)

AccountsHistory records all changes to the state of an Account.

See AccountsHistory.

# File 'lib/strongdm.rb', line 209

def accounts_history
  @accounts_history
end

#activities ⇒ Object (readonly)

An Activity is a record of an action taken against a strongDM deployment, e.g. a user creation, resource deletion, sso configuration change, etc. The Activities service is read-only.

See Activities.

# File 'lib/strongdm.rb', line 215

def activities
  @activities
end

#api_access_key ⇒ Object (readonly)

API authentication token (read-only).

# File 'lib/strongdm.rb', line 171

def api_access_key
  @api_access_key
end

#base_retry_delay ⇒ Object (readonly)

Returns the value of attribute base_retry_delay.

# File 'lib/strongdm.rb', line 167

def base_retry_delay
  @base_retry_delay
end

#control_panel ⇒ Object (readonly)

ControlPanel contains all administrative controls.

See SDM::ControlPanel.

# File 'lib/strongdm.rb', line 219

def control_panel
  @control_panel
end

#max_retries ⇒ Object (readonly)

Returns the value of attribute max_retries.

# File 'lib/strongdm.rb', line 166

def max_retries
  @max_retries
end

#max_retry_delay ⇒ Object (readonly)

Returns the value of attribute max_retry_delay.

# File 'lib/strongdm.rb', line 168

def max_retry_delay
  @max_retry_delay
end

#nodes ⇒ Object (readonly)

Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:

• Gateways are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
• Relays are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.

See Nodes.

# File 'lib/strongdm.rb', line 225

def nodes
  @nodes
end

#nodes_history ⇒ Object (readonly)

NodesHistory records all changes to the state of a Node.

See NodesHistory.

# File 'lib/strongdm.rb', line 229

def nodes_history
  @nodes_history
end

#organization_history ⇒ Object (readonly)

OrganizationHistory records all changes to the state of an Organization.

See OrganizationHistory.

# File 'lib/strongdm.rb', line 233

def organization_history
  @organization_history
end

#queries ⇒ Object (readonly)

A Query is a record of a single client request to a resource, such as an SQL query. Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. The Queries service is read-only.

See Queries.

# File 'lib/strongdm.rb', line 239

def queries
  @queries
end

#remote_identities ⇒ Object (readonly)

RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.

See RemoteIdentities.

# File 'lib/strongdm.rb', line 243

def remote_identities
  @remote_identities
end

#remote_identities_history ⇒ Object (readonly)

RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.

See RemoteIdentitiesHistory.

# File 'lib/strongdm.rb', line 247

def remote_identities_history
  @remote_identities_history
end

#remote_identity_groups ⇒ Object (readonly)

A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.

See RemoteIdentityGroups.

# File 'lib/strongdm.rb', line 252

def remote_identity_groups
  @remote_identity_groups
end

#remote_identity_groups_history ⇒ Object (readonly)

RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.

See RemoteIdentityGroupsHistory.

# File 'lib/strongdm.rb', line 256

def remote_identity_groups_history
  @remote_identity_groups_history
end

#replays ⇒ Object (readonly)

A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session (otherwise referred to as a query). The Replays service is read-only.

See Replays.

# File 'lib/strongdm.rb', line 261

def replays
  @replays
end

#resources ⇒ Object (readonly)

Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.

See Resources.

# File 'lib/strongdm.rb', line 266

def resources
  @resources
end

#resources_history ⇒ Object (readonly)

ResourcesHistory records all changes to the state of a Resource.

See ResourcesHistory.

# File 'lib/strongdm.rb', line 270

def resources_history
  @resources_history
end

#role_resources ⇒ Object (readonly)

RoleResources enumerates the resources to which roles have access. The RoleResources service is read-only.

See RoleResources.

# File 'lib/strongdm.rb', line 275

def role_resources
  @role_resources
end

#role_resources_history ⇒ Object (readonly)

RoleResourcesHistory records all changes to the state of a RoleResource.

See RoleResourcesHistory.

# File 'lib/strongdm.rb', line 279

def role_resources_history
  @role_resources_history
end

#roles ⇒ Object (readonly)

A Role has a list of access rules which determine which Resources the members of the Role have access to. An Account can be a member of multiple Roles via AccountAttachments.

See Roles.

# File 'lib/strongdm.rb', line 285

def roles
  @roles
end

#roles_history ⇒ Object (readonly)

RolesHistory records all changes to the state of a Role.

See RolesHistory.

# File 'lib/strongdm.rb', line 289

def roles_history
  @roles_history
end

#secret_stores ⇒ Object (readonly)

SecretStores are servers where resource secrets (passwords, keys) are stored.

See SecretStores.

# File 'lib/strongdm.rb', line 293

def secret_stores
  @secret_stores
end

#secret_stores_history ⇒ Object (readonly)

SecretStoresHistory records all changes to the state of a SecretStore.

See SecretStoresHistory.

# File 'lib/strongdm.rb', line 297

def secret_stores_history
  @secret_stores_history
end

#snapshot_time ⇒ Object

Optional timestamp at which to provide historical data

# File 'lib/strongdm.rb', line 173

def snapshot_time
  @snapshot_time
end

Instance Method Details

#close ⇒ Object

Closes this client and releases all resources held by it.

# File 'lib/strongdm.rb', line 88

def close
  begin
    @channel.close()
  rescue => exception
    raise Plumbing::convert_error_to_porcelain(exception)
  end
end

#sign(method_name, msg_bytes) ⇒ Object

# File 'lib/strongdm.rb', line 106

def sign(method_name, msg_bytes)
  current_utc_date = Time.now.utc
  date = sprintf("%04d-%02d-%02d", current_utc_date.year, current_utc_date.month, current_utc_date.day)

  signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @api_secret_key, date)
  signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, "sdm_api_v1")

  sha_req = Digest::SHA256.new
  sha_req << method_name
  sha_req << "\n"
  sha_req << msg_bytes
  request_hash = sha_req.digest

  return Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, request_hash))
end

#snapshot_at(snapshot_time) ⇒ Object

Constructs a read-only client that will provide historical data from the provided timestamp. See SnapshotClient.

# File 'lib/strongdm.rb', line 160

def snapshot_at(snapshot_time)
  client = self.clone
  client.snapshot_time = snapshot_time
  return SnapshotClient.new(client)
end