
Commit 4d23821

committed
Initial set of Factory templates
This commit includes an initial set of Factory templates. These may need some work before the official release.
1 parent 98ae9ca commit 4d23821

10 files changed

+779
-0
lines changed

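--- /dev/null
+++ b/factories/templates/authenticators/v1/authn_oidc.rb
@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Factories
+module Templates
+module Authenticators
+module V1
+class AuthnOidc
+class << self
+def policy_template
+<<~TEMPLATE
+- !policy
+id: <%= id %>
+annotations:
+factory: authenticators/v1/authn-oidc
+<% annotations.each do |key, value| -%>
+<%= key %>: <%= value %>
+<% end -%>
+body:
+- !webservice
+
+- !variable provider-uri
+- !variable client-id
+- !variable client-secret
+- !variable redirect-uri
+- !variable claim-mapping
+
+- !group
+id: authenticatable
+annotations:
+description: Group with permission to authenticate using this authenticator
+
+- !permit
+role: !group authenticatable
+privilege: [ read, authenticate ]
+resource: !webservice
+
+- !webservice
+id: status
+annotations:
+description: Web service for checking authenticator status
+
+- !group
+id: operators
+annotations:
+description: Group with permission to check the authenticator status
+
+- !permit
+role: !group operators
+privilege: [ read ]
+resource: !webservice status
+TEMPLATE
+end
+
+def data
+Base64.encode64({
+version: 'v1',
+policy: Base64.encode64(policy_template),
+policy_branch: "conjur/authn-oidc",
+schema: {
+"$schema": "http://json-schema.org/draft-06/schema#",
+"title": "Authn-OIDC Template",
+"description": "Create a new Authn-OIDC Authenticator",
+"type": "object",
+"properties": {
+"id": {
+"description": "Service ID of the Authenticator",
+"type": "string"
+},
+"annotations": {
+"description": "Additional annotations",
+"type": "object"
+},
+"variables": {
+"type": "object",
+"properties": {
+"provider-uri": {
+"description": "OIDC Provider endpoint",
+"type": "string"
+},
+"client-id": {
+"description": "OIDC Client ID",
+"type": "string"
+},
+"client-secret": {
+"description": "OIDC Client Secret",
+"type": "string"
+},
+"redirect-uri": {
+"description": "Target URL to redirect to after successful authentication",
+"type": "string"
+},
+"claim-mapping": {
+"description": "OIDC JWT claim mapping. This value must match to a Conjur Host ID.",
+"type": "string"
+}
+},
+"required": %w[provider-uri client-id client-secret claim-mapping]
+}
+},
+"required": %w[id variables]
+}
+}.to_json)
+end
+end
+end
+end
+end
+end
+end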
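Review bot: The `id` and every annotation key/value are interpolated into the policy YAML unescaped (`id: <%= id %>`, `<%= key %>: <%= value %>`), and the schema constrains them only to `"type": "string"` / `"type": "object"`, so a caller-supplied value containing a newline or YAML syntax can add or alter statements in the generated policy (an extra `!permit`, for instance). Emit them as quoted scalars, e.g. `id: <%= id.to_json %>` and `<%= key.to_json %>: <%= value.to_json %>` (JSON strings are valid YAML double-quoted scalars), or add a `pattern` to the `id` and annotation schema entries that rejects anything outside a safe identifier character set. Also, `version: 'v1'` here is a string while the sibling templates in this commit emit `version: 1`; a consumer comparing the version field will see different types.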
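--- /dev/null
+++ b/factories/templates/base/v1/base_policy.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Factories
+module Templates
+module Base
+module V1
+class BasePolicy
+class << self
+def policy
+<<~TEMPLATE
+- !policy
+id: conjur
+body:
+- !policy
+id: factories
+body:
+- !policy
+id: core
+annotations:
+description: "Create Conjur primatives and manage permissions"
+body:
+- !variable v1/grant
+- !variable v1/group
+- !variable v1/host
+- !variable v1/layer
+- !variable v1/managed-policy
+- !variable v1/policy
+- !variable v1/user
+
+- !policy
+id: authenticators
+annotations:
+description: "Generate new Authenticators"
+body:
+- !variable v1/authn-oidc
+- !policy
+id: connections
+annotations:
+description: "Create connections to external services"
+body:
+- !variable v1/database
+- !variable v2/database
+TEMPLATE
+end
+end
+end
+end
+end
+end
+end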
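Review bot: The description on the `core` policy misspells "primitives" (`description: "Create Conjur primatives and manage permissions"`); this text is loaded into Conjur as an annotation and shown to operators, so change it to `description: "Create Conjur primitives and manage permissions"`. The `connections` policy also declares `v2/database` next to `v1/database`, while only a `Connections::V1::Database` template is visible in this commit; if no v2 template exists yet, that variable is created with no value — confirm against the files not shown here.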
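--- /dev/null
+++ b/factories/templates/connections/v1/database.rb
@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Factories
+module Templates
+module Connections
+module V1
+class Database
+class << self
+def policy_template
+<<~TEMPLATE
+- !policy
+id: <%= id %>
+annotations:
+factory: connections/database
+<% annotations.each do |key, value| -%>
+<%= key %>: <%= value %>
+<% end -%>
+body:
+- &variables
+- !variable url
+- !variable port
+- !variable username
+- !variable password
+
+- !group consumers
+- !group administrators
+
+# consumers can read and execute
+- !permit
+resource: *variables
+privileges: [ read, execute ]
+role: !group consumers
+
+# administrators can update (and read and execute, via role grant)
+- !permit
+resource: *variables
+privileges: [ update ]
+role: !group administrators
+
+# administrators has role consumers
+- !grant
+member: !group administrators
+role: !group consumers
+TEMPLATE
+end
+
+def data
+Base64.encode64({
+version: 1,
+policy: Base64.encode64(policy_template),
+policy_branch: "<%= branch %>",
+schema: {
+"$schema": "http://json-schema.org/draft-06/schema#",
+"title": "Database Connection Template",
+"description": "All information for connecting to a database",
+"type": "object",
+"properties": {
+"id": {
+"description": "Database Connection Identifier",
+"type": "string"
+},
+"branch": {
+"description": "Policy branch to load this connection into",
+"type": "string"
+},
+"annotations": {
+"description": "Additional annotations",
+"type": "object"
+},
+"variables": {
+"type": "object",
+"properties": {
+"url": {
+"description": "Database URL",
+"type": "string"
+},
+"port": {
+"description": "Database Port",
+"type": "string"
+},
+"username": {
+"description": "Database Username",
+"type": "string"
+},
+"password": {
+"description": "Database Password",
+"type": "string"
+},
+},
+"required": %w[url port username password]
+}
+},
+"required": %w[id branch variables]
+}
+}.to_json)
+end
+end
+end
+end
+end
+end
+end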
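Review bot: `branch` is interpolated straight into `policy_branch: "<%= branch %>"` and, like `id` and the annotation pairs in the template, is constrained only to `"type": "string"` by the schema, so the caller picks an arbitrary load target and can inject YAML into the policy; whatever renders `data` must verify the caller's privilege on that branch (that check is not in this file), and the interpolated values should be quoted, `id: <%= id.to_json %>` and `<%= key.to_json %>: <%= value.to_json %>`. The `factory:` annotation is `connections/database`, whereas the authenticator and group templates in this commit write versioned values (`authenticators/v1/authn-oidc`, `core/v1/group`); use `factory: connections/v1/database` so the annotation identifies the template version. The two `!permit` statements here use `privileges:` while the authn-oidc template uses `privilege:`; verify which key the policy loader accepts before release.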
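--- /dev/null
+++ b/factories/templates/core/v1/grant.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Factories
+module Templates
+module Core
+module V1
+class Grant
+class << self
+def policy_template
+<<~TEMPLATE
+- !grant
+member: !<%= member_resource_type %> <%= member_resource_id %>
+role: !<%= role_resource_type %> <%= role_resource_id %>
+TEMPLATE
+end
+
+def data
+Base64.encode64({
+version: 1,
+policy: Base64.encode64(policy_template),
+policy_branch: "<%= branch %>",
+schema: {
+"$schema": "http://json-schema.org/draft-06/schema#",
+"title": "Grant Template",
+"description": "Assigns a Role to Role",
+"type": "object",
+"properties": {
+"branch": {
+"description": "Policy branch to load this group into",
+"type": "string"
+},
+"annotations": {
+"description": "Additional annotations to add to the group",
+"type": "object"
+}
+},
+"required": %w[branch]
+}
+}.to_json)
+end
+end
+end
+end
+end
+end
+end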
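Review bot: The template renders `member_resource_type`, `member_resource_id`, `role_resource_type` and `role_resource_id`, but the schema declares only `branch` and `annotations` (and `annotations` is never used by this template), so the inputs the template actually needs are neither documented nor validated and a request that satisfies the schema can still fail at render time. Because the two `*_type` values are emitted as YAML tags (`!<%= member_resource_type %>`), they should be an `enum` of the role kinds the loader accepts rather than a free string, and the ids should be quoted (`<%= member_resource_id.to_json %>`); the `branch` and `annotations` descriptions ("load this group into", "add to the group") also look copied from the group template. Suggested schema properties to replace the `annotations` entry, plus an updated `required` list:
```ruby
"member_resource_type": {
  "description": "Kind of the role being granted membership (e.g. group, host, user, layer, policy)",
  "type": "string",
  "enum": %w[group host user layer policy]
},
"member_resource_id": {
  "description": "Identifier of the role being granted membership",
  "type": "string"
},
"role_resource_type": {
  "description": "Kind of the role whose membership is granted",
  "type": "string",
  "enum": %w[group host user layer policy]
},
"role_resource_id": {
  "description": "Identifier of the role whose membership is granted",
  "type": "string"
}
# … unchanged: closing brace of "properties" …
"required": %w[branch member_resource_type member_resource_id role_resource_type role_resource_id]
```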
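--- /dev/null
+++ b/factories/templates/core/v1/group.rb
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Factories
+module Templates
+module Core
+module V1
+class Group
+class << self
+def policy_template
+<<~TEMPLATE
+- !group
+id: <%= id %>
+<% if defined?(owner_role) && defined?(owner_type) -%>
+owner: !<%= owner_type %> <%= owner_role %>
+<% end -%>
+annotations:
+factory: core/v1/group
+<% annotations.each do |key, value| -%>
+<%= key %>: <%= value %>
+<% end -%>
+TEMPLATE
+end
+
+def data
+Base64.encode64({
+version: 1,
+policy: Base64.encode64(policy_template),
+policy_branch: "<%= branch %>",
+schema: {
+"$schema": "http://json-schema.org/draft-06/schema#",
+"title": "Group Template",
+"description": "Creates a Conjur Group",
+"type": "object",
+"properties": {
+"id": {
+"description": "Group Identifier",
+"type": "string"
+},
+"branch": {
+"description": "Policy branch to load this group into",
+"type": "string"
+},
+"owner_role": {
+"description": "The Conjur Role that will own this group",
+"type": "string"
+},
+"owner_type": {
+"description": "The resource type of the owner of this group",
+"type": "string"
+},
+"annotations": {
+"description": "Additional annotations",
+"type": "object"
+}
+},
+"required": %w[id branch]
+}
+}.to_json)
+end
+end
+end
+end
+end
+end
+end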
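Review bot: `owner_type` becomes a YAML tag (`owner: !<%= owner_type %> <%= owner_role %>`) but the schema allows any string for it, and the `defined?` guard only checks that the two variables exist, so the owner line can carry any tag or trailing YAML the caller chooses; constrain it with `"enum": %w[group host user layer policy]` (whatever role kinds the loader accepts) and quote the ids, `id: <%= id.to_json %>` and `owner: !<%= owner_type %> <%= owner_role.to_json %>`. The loop `<% annotations.each do |key, value| -%>` runs unconditionally while `annotations` is absent from `"required": %w[id branch]`, so the renderer must supply a default empty hash or the template raises on a request without annotations; the same holds for the other templates in this commit — confirm the rendering code does this.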
