Class: SDM::Client

Inherits:
Object
  • Object
show all
Defined in:
lib/strongdm.rb

Overview

Client bundles all the services together and initializes them.

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false, retry_rate_limit_errors: true, page_limit: 50) ⇒ Client

Creates a new strongDM API client.

Raises:

  • (TypeError)


36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
# File 'lib/strongdm.rb', line 36

def initialize(api_access_key, api_secret_key, host: "api.strongdm.com:443", insecure: false, retry_rate_limit_errors: true, page_limit: 50)
  raise TypeError, "client access key must be a string" unless api_access_key.kind_of?(String)
  raise TypeError, "client secret key must be a string" unless api_secret_key.kind_of?(String)
  raise TypeError, "client host must be a string" unless host.kind_of?(String)
  @api_access_key = api_access_key.strip
  @api_secret_key = Base64.strict_decode64(api_secret_key.strip)
  @max_retries = DEFAULT_MAX_RETRIES
  @base_retry_delay = DEFAULT_BASE_RETRY_DELAY
  @max_retry_delay = DEFAULT_MAX_RETRY_DELAY
  @page_limit = page_limit
  @expose_rate_limit_errors = (not retry_rate_limit_errors)
  @snapshot_time = nil
  begin
    if insecure
      @channel = GRPC::Core::Channel.new(host, {}, :this_channel_is_insecure)
    else
      cred = GRPC::Core::ChannelCredentials.new()
      @channel = GRPC::Core::Channel.new(host, {}, cred)
    end
  rescue => exception
    raise Plumbing::convert_error_to_porcelain(exception)
  end
  @access_requests = AccessRequests.new(@channel, self)
  @access_request_events_history = AccessRequestEventsHistory.new(@channel, self)
  @access_requests_history = AccessRequestsHistory.new(@channel, self)
  @account_attachments = AccountAttachments.new(@channel, self)
  @account_attachments_history = AccountAttachmentsHistory.new(@channel, self)
  @account_grants = AccountGrants.new(@channel, self)
  @account_grants_history = AccountGrantsHistory.new(@channel, self)
  @account_permissions = AccountPermissions.new(@channel, self)
  @account_resources = AccountResources.new(@channel, self)
  @account_resources_history = AccountResourcesHistory.new(@channel, self)
  @accounts = Accounts.new(@channel, self)
  @accounts_history = AccountsHistory.new(@channel, self)
  @activities = Activities.new(@channel, self)
  @control_panel = ControlPanel.new(@channel, self)
  @nodes = Nodes.new(@channel, self)
  @nodes_history = NodesHistory.new(@channel, self)
  @organization_history = OrganizationHistory.new(@channel, self)
  @peering_group_nodes = PeeringGroupNodes.new(@channel, self)
  @peering_group_peers = PeeringGroupPeers.new(@channel, self)
  @peering_group_resources = PeeringGroupResources.new(@channel, self)
  @peering_groups = PeeringGroups.new(@channel, self)
  @queries = Queries.new(@channel, self)
  @remote_identities = RemoteIdentities.new(@channel, self)
  @remote_identities_history = RemoteIdentitiesHistory.new(@channel, self)
  @remote_identity_groups = RemoteIdentityGroups.new(@channel, self)
  @remote_identity_groups_history = RemoteIdentityGroupsHistory.new(@channel, self)
  @replays = Replays.new(@channel, self)
  @resources = Resources.new(@channel, self)
  @resources_history = ResourcesHistory.new(@channel, self)
  @role_resources = RoleResources.new(@channel, self)
  @role_resources_history = RoleResourcesHistory.new(@channel, self)
  @roles = Roles.new(@channel, self)
  @roles_history = RolesHistory.new(@channel, self)
  @secret_stores = SecretStores.new(@channel, self)
  @secret_stores_history = SecretStoresHistory.new(@channel, self)
  @workflows = Workflows.new(@channel, self)
  @workflow_approvers_history = WorkflowApproversHistory.new(@channel, self)
  @workflow_assignments_history = WorkflowAssignmentsHistory.new(@channel, self)
  @workflow_roles_history = WorkflowRolesHistory.new(@channel, self)
  @workflows_history = WorkflowsHistory.new(@channel, self)
end

Instance Attribute Details

#access_request_events_historyObject (readonly)

AccessRequestEventsHistory provides records of all changes to the state of an AccessRequest.

See AccessRequestEventsHistory.



195
196
197
# File 'lib/strongdm.rb', line 195

def access_request_events_history
  @access_request_events_history
end

#access_requestsObject (readonly)

AccessRequests are requests for access to a resource that may match a Workflow.

See AccessRequests.



191
192
193
# File 'lib/strongdm.rb', line 191

def access_requests
  @access_requests
end

#access_requests_historyObject (readonly)

AccessRequestsHistory provides records of all changes to the state of an AccessRequest.

See AccessRequestsHistory.



199
200
201
# File 'lib/strongdm.rb', line 199

def access_requests_history
  @access_requests_history
end

#account_attachmentsObject (readonly)

AccountAttachments assign an account to a role.

See AccountAttachments.



203
204
205
# File 'lib/strongdm.rb', line 203

def 
  @account_attachments
end

#account_attachments_historyObject (readonly)

AccountAttachmentsHistory records all changes to the state of an AccountAttachment.

See AccountAttachmentsHistory.



207
208
209
# File 'lib/strongdm.rb', line 207

def 
  @account_attachments_history
end

#account_grantsObject (readonly)

AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

See AccountGrants.



211
212
213
# File 'lib/strongdm.rb', line 211

def 
  @account_grants
end

#account_grants_historyObject (readonly)

AccountGrantsHistory records all changes to the state of an AccountGrant.

See AccountGrantsHistory.



215
216
217
# File 'lib/strongdm.rb', line 215

def 
  @account_grants_history
end

#account_permissionsObject (readonly)

AccountPermissions records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs.

See AccountPermissions.



220
221
222
# File 'lib/strongdm.rb', line 220

def 
  @account_permissions
end

#account_resourcesObject (readonly)

AccountResources enumerates the resources to which accounts have access. The AccountResources service is read-only.

See AccountResources.



225
226
227
# File 'lib/strongdm.rb', line 225

def 
  @account_resources
end

#account_resources_historyObject (readonly)

AccountResourcesHistory records all changes to the state of a AccountResource.

See AccountResourcesHistory.



229
230
231
# File 'lib/strongdm.rb', line 229

def 
  @account_resources_history
end

#accountsObject (readonly)

Accounts are users that have access to strongDM. There are two types of accounts:

  1. Users: humans who are authenticated through username and password or SSO.
  2. Service Accounts: machines that are authenticated using a service token.

See Accounts.



235
236
237
# File 'lib/strongdm.rb', line 235

def accounts
  @accounts
end

#accounts_historyObject (readonly)

AccountsHistory records all changes to the state of an Account.

See AccountsHistory.



239
240
241
# File 'lib/strongdm.rb', line 239

def accounts_history
  @accounts_history
end

#activitiesObject (readonly)

An Activity is a record of an action taken against a strongDM deployment, e.g. a user creation, resource deletion, sso configuration change, etc. The Activities service is read-only.

See Activities.



245
246
247
# File 'lib/strongdm.rb', line 245

def activities
  @activities
end

#api_access_keyObject (readonly)

API authentication token (read-only).



185
186
187
# File 'lib/strongdm.rb', line 185

def api_access_key
  @api_access_key
end

#base_retry_delayObject (readonly)

Returns the value of attribute base_retry_delay.



180
181
182
# File 'lib/strongdm.rb', line 180

def base_retry_delay
  @base_retry_delay
end

#control_panelObject (readonly)

ControlPanel contains all administrative controls.

See SDM::ControlPanel.



249
250
251
# File 'lib/strongdm.rb', line 249

def control_panel
  @control_panel
end

#max_retriesObject (readonly)

Returns the value of attribute max_retries.



179
180
181
# File 'lib/strongdm.rb', line 179

def max_retries
  @max_retries
end

#max_retry_delayObject (readonly)

Returns the value of attribute max_retry_delay.



181
182
183
# File 'lib/strongdm.rb', line 181

def max_retry_delay
  @max_retry_delay
end

#nodesObject (readonly)

Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:

  • Gateways are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.
  • Relays are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.

See Nodes.



255
256
257
# File 'lib/strongdm.rb', line 255

def nodes
  @nodes
end

#nodes_historyObject (readonly)

NodesHistory records all changes to the state of a Node.

See NodesHistory.



259
260
261
# File 'lib/strongdm.rb', line 259

def nodes_history
  @nodes_history
end

#organization_historyObject (readonly)

OrganizationHistory records all changes to the state of an Organization.

See OrganizationHistory.



263
264
265
# File 'lib/strongdm.rb', line 263

def organization_history
  @organization_history
end

#page_limitObject

Returns the value of attribute page_limit.



182
183
184
# File 'lib/strongdm.rb', line 182

def page_limit
  @page_limit
end

#peering_group_nodesObject (readonly)

PeeringGroupNodes provides the building blocks necessary to obtain attach a node to a peering group.

See PeeringGroupNodes.



267
268
269
# File 'lib/strongdm.rb', line 267

def peering_group_nodes
  @peering_group_nodes
end

#peering_group_peersObject (readonly)

PeeringGroupPeers provides the building blocks necessary to link two peering groups.

See PeeringGroupPeers.



271
272
273
# File 'lib/strongdm.rb', line 271

def peering_group_peers
  @peering_group_peers
end

#peering_group_resourcesObject (readonly)

PeeringGroupResources provides the building blocks necessary to obtain attach a resource to a peering group.

See PeeringGroupResources.



275
276
277
# File 'lib/strongdm.rb', line 275

def peering_group_resources
  @peering_group_resources
end

#peering_groupsObject (readonly)

PeeringGroups provides the building blocks necessary to obtain explicit network topology and routing.

See PeeringGroups.



279
280
281
# File 'lib/strongdm.rb', line 279

def peering_groups
  @peering_groups
end

#queriesObject (readonly)

A Query is a record of a single client request to a resource, such as a SQL query. Long-running SSH, RDP, or Kubernetes interactive sessions also count as queries. The Queries service is read-only.

See Queries.



285
286
287
# File 'lib/strongdm.rb', line 285

def queries
  @queries
end

#remote_identitiesObject (readonly)

RemoteIdentities assign a resource directly to an account, giving the account the permission to connect to that resource.

See RemoteIdentities.



289
290
291
# File 'lib/strongdm.rb', line 289

def remote_identities
  @remote_identities
end

#remote_identities_historyObject (readonly)

RemoteIdentitiesHistory records all changes to the state of a RemoteIdentity.

See RemoteIdentitiesHistory.



293
294
295
# File 'lib/strongdm.rb', line 293

def remote_identities_history
  @remote_identities_history
end

#remote_identity_groupsObject (readonly)

A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts. An Account's relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects.

See RemoteIdentityGroups.



298
299
300
# File 'lib/strongdm.rb', line 298

def remote_identity_groups
  @remote_identity_groups
end

#remote_identity_groups_historyObject (readonly)

RemoteIdentityGroupsHistory records all changes to the state of a RemoteIdentityGroup.

See RemoteIdentityGroupsHistory.



302
303
304
# File 'lib/strongdm.rb', line 302

def remote_identity_groups_history
  @remote_identity_groups_history
end

#replaysObject (readonly)

A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session (otherwise referred to as a query). The Replays service is read-only.

See Replays.



307
308
309
# File 'lib/strongdm.rb', line 307

def replays
  @replays
end

#resourcesObject (readonly)

Resources are databases, servers, clusters, websites, or clouds that strongDM delegates access to.

See Resources.



312
313
314
# File 'lib/strongdm.rb', line 312

def resources
  @resources
end

#resources_historyObject (readonly)

ResourcesHistory records all changes to the state of a Resource.

See ResourcesHistory.



316
317
318
# File 'lib/strongdm.rb', line 316

def resources_history
  @resources_history
end

#role_resourcesObject (readonly)

RoleResources enumerates the resources to which roles have access. The RoleResources service is read-only.

See RoleResources.



321
322
323
# File 'lib/strongdm.rb', line 321

def role_resources
  @role_resources
end

#role_resources_historyObject (readonly)

RoleResourcesHistory records all changes to the state of a RoleResource.

See RoleResourcesHistory.



325
326
327
# File 'lib/strongdm.rb', line 325

def role_resources_history
  @role_resources_history
end

#rolesObject (readonly)

A Role has a list of access rules which determine which Resources the members of the Role have access to. An Account can be a member of multiple Roles via AccountAttachments.

See Roles.



331
332
333
# File 'lib/strongdm.rb', line 331

def roles
  @roles
end

#roles_historyObject (readonly)

RolesHistory records all changes to the state of a Role.

See RolesHistory.



335
336
337
# File 'lib/strongdm.rb', line 335

def roles_history
  @roles_history
end

#secret_storesObject (readonly)

SecretStores are servers where resource secrets (passwords, keys) are stored.

See SecretStores.



339
340
341
# File 'lib/strongdm.rb', line 339

def secret_stores
  @secret_stores
end

#secret_stores_historyObject (readonly)

SecretStoresHistory records all changes to the state of a SecretStore.

See SecretStoresHistory.



343
344
345
# File 'lib/strongdm.rb', line 343

def secret_stores_history
  @secret_stores_history
end

#snapshot_timeObject

Optional timestamp at which to provide historical data



187
188
189
# File 'lib/strongdm.rb', line 187

def snapshot_time
  @snapshot_time
end

#workflow_approvers_historyObject (readonly)

WorkflowApproversHistory provides records of all changes to the state of a WorkflowApprover.

See WorkflowApproversHistory.



353
354
355
# File 'lib/strongdm.rb', line 353

def workflow_approvers_history
  @workflow_approvers_history
end

#workflow_assignments_historyObject (readonly)

WorkflowAssignmentsHistory provides records of all changes to the state of a WorkflowAssignment.

See WorkflowAssignmentsHistory.



357
358
359
# File 'lib/strongdm.rb', line 357

def workflow_assignments_history
  @workflow_assignments_history
end

#workflow_roles_historyObject (readonly)

WorkflowRolesHistory provides records of all changes to the state of a WorkflowRole

See WorkflowRolesHistory.



361
362
363
# File 'lib/strongdm.rb', line 361

def workflow_roles_history
  @workflow_roles_history
end

#workflowsObject (readonly)

Workflows are the collection of rules that define the resources to which access can be requested, the users that can request that access, and the mechanism for approving those requests which can either but automatic approval or a set of users authorized to approve the requests.

See Workflows.



349
350
351
# File 'lib/strongdm.rb', line 349

def workflows
  @workflows
end

#workflows_historyObject (readonly)

WorkflowsHistory provides records of all changes to the state of a Workflow.

See WorkflowsHistory.



365
366
367
# File 'lib/strongdm.rb', line 365

def workflows_history
  @workflows_history
end

Instance Method Details

#closeObject

Closes this client and releases all resources held by it.



101
102
103
104
105
106
107
# File 'lib/strongdm.rb', line 101

def close
  begin
    @channel.close()
  rescue => exception
    raise Plumbing::convert_error_to_porcelain(exception)
  end
end

#sign(method_name, msg_bytes) ⇒ Object



119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# File 'lib/strongdm.rb', line 119

def sign(method_name, msg_bytes)
  current_utc_date = Time.now.utc
  date = sprintf("%04d-%02d-%02d", current_utc_date.year, current_utc_date.month, current_utc_date.day)

  signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @api_secret_key, date)
  signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, "sdm_api_v1")

  sha_req = Digest::SHA256.new
  sha_req << method_name
  sha_req << "\n"
  sha_req << msg_bytes
  request_hash = sha_req.digest

  return Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, request_hash))
end

#snapshot_at(snapshot_time) ⇒ Object

Constructs a read-only client that will provide historical data from the provided timestamp. See SnapshotClient.



173
174
175
176
177
# File 'lib/strongdm.rb', line 173

def snapshot_at(snapshot_time)
  client = self.clone
  client.snapshot_time = snapshot_time
  return SnapshotClient.new(client)
end