
Commit b30637d

committed
Initial set of Factory templates
This commit includes an initial set of Factory templates. These may need some work before the official release.
1 parent f980350 commit b30637d


9 files changed

+595
-1
lines changed

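--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Factories
+module Templates
+module Authenticators
+module V1
+class AuthnOidc
+class << self
+def policy_template
+<<~TEMPLATE
+- !policy
+id: <%= id %>
+annotations:
+factory: authenticators/v1/authn-oidc
+<% annotations.each do |key, value| -%>
+<%= key %>: <%= value %>
+<% end -%>
+
+body:
+- !webservice
+
+- !variable provider-uri
+- !variable client-id
+- !variable client-secret
+- !variable redirect-uri
+- !variable claim-mapping
+
+- !group
+id: authenticatable
+annotations:
+description: Group with permission to authenticate using this authenticator
+
+- !permit
+role: !group authenticatable
+privilege: [ read, authenticate ]
+resource: !webservice
+
+- !webservice
+id: status
+annotations:
+description: Web service for checking authenticator status
+
+- !group
+id: operators
+annotations:
+description: Group with permission to check the authenticator status
+
+- !permit
+role: !group operators
+privilege: [ read ]
+resource: !webservice status
+TEMPLATE
+end
+
+def data
+Base64.encode64({
+version: 'v1',
+policy: Base64.encode64(policy_template),
+policy_branch: "conjur/authn-oidc",
+schema: {
+"$schema": "http://json-schema.org/draft-06/schema#",
+"title": "Authn-OIDC Template",
+"description": "Create a new Authn-OIDC Authenticator",
+"type": "object",
+"properties": {
+"id": {
+"description": "Service ID of the Authenticator",
+"type": "string"
+},
+"annotations": {
+"description": "Additional annotations",
+"type": "object"
+},
+"variables": {
+"type": "object",
+"properties": {
+"provider-uri": {
+"description": "OIDC Provider endpoint",
+"type": "string"
+},
+"client-id": {
+"description": "OIDC Client ID",
+"type": "string"
+},
+"client-secret": {
+"description": "OIDC Client Secret",
+"type": "string"
+},
+"redirect-uri": {
+"description": "Target URL to redirect to after successful authentication",
+"type": "string"
+},
+"claim-mapping": {
+"description": "OIDC JWT claim mapping. This value must match to a Conjur Host ID.",
+"type": "string"
+}
+},
+"required": %w[provider-uri client-id client-secret claim-mapping]
+}
+},
+"required": %w[id variables]
+}
+}.to_json)
+end
+end
+end
+end
+end
+end
+end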
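Review bot: In `policy_template`, `id: <%= id %>` and `<%= key %>: <%= value %>` render caller-supplied values into the YAML policy verbatim, while the schema in `data` only pins `id` to `"type": "string"` and `annotations` to `"type": "object"`, so a value containing a newline, a `: ` separator or a `!` tag can change the structure of the loaded policy rather than just its text; the Database and Group templates repeat the pattern, and Grant renders `<%= member_resource_type %>` straight into a tag. Tighten the schema (a `pattern` on `id`, and a constrained value type for `annotations`) or quote values through a YAML emitter before rendering, and add `# NOTE: id and annotation values are rendered verbatim into the YAML policy; validate before rendering` above `policy_template`. Separately, `version: 'v1'` here differs from `version: 1` in the other templates, and `data` calls `.to_json` while the file only requires `base64`, so `require 'json'` is needed if this is ever loaded outside a process that already has JSON loaded.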
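--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Factories
+module Templates
+module Base
+module V1
+class BasePolicy
+class << self
+def policy
+<<~TEMPLATE
+- !policy
+id: conjur
+body:
+- !policy
+id: factories
+body:
+- !policy
+id: core
+annotations:
+description: "Create Conjur primatives and manage permissions"
+body:
+- !variable v1/grant
+- !variable v1/group
+- !variable v1/host
+- !variable v1/layer
+- !variable v1/managed-policy
+- !variable v1/policy
+- !variable v1/user
+
+- !policy
+id: authenticators
+annotations:
+description: "Generate new Authenticators"
+body:
+- !variable v1/authn-oidc
+- !policy
+id: connections
+annotations:
+description: "Create connections to external services"
+body:
+- !variable v1/database
+- !variable v2/database
+TEMPLATE
+end
+end
+end
+end
+end
+end
+end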
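Review bot: The `core` policy annotation `description: "Create Conjur primatives and manage permissions"` misspells "primitives"; since this text is loaded into Conjur and shown to operators as the policy's description, it should read `description: "Create Conjur primitives and manage permissions"`. The `connections` policy also declares both `v1/database` and `v2/database`, while only a V1 Database template is visible in this commit; if no v2 template exists among the other files, that variable is created with nothing to populate it.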
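--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Factories
+module Templates
+module Connections
+module V1
+class Database
+class << self
+def policy_template
+<<~TEMPLATE
+- !policy
+id: <%= id %>
+annotations:
+factory: connections/v1/database
+<% annotations.each do |key, value| -%>
+<%= key %>: <%= value %>
+<% end -%>
+
+body:
+- &variables
+- !variable url
+- !variable port
+- !variable username
+- !variable password
+
+- !group consumers
+- !group administrators
+
+# consumers can read and execute
+- !permit
+resource: *variables
+privileges: [ read, execute ]
+role: !group consumers
+
+# administrators can update (and read and execute, via role grant)
+- !permit
+resource: *variables
+privileges: [ update ]
+role: !group administrators
+
+# administrators has role consumers
+- !grant
+member: !group administrators
+role: !group consumers
+TEMPLATE
+end
+
+def data
+Base64.encode64({
+version: 1,
+policy: Base64.encode64(policy_template),
+policy_branch: "<%= branch %>",
+schema: {
+"$schema": "http://json-schema.org/draft-06/schema#",
+"title": "Database Connection Template",
+"description": "All information for connecting to a database",
+"type": "object",
+"properties": {
+"id": {
+"description": "Database Connection Identifier",
+"type": "string"
+},
+"branch": {
+"description": "Policy branch to load this connection into",
+"type": "string"
+},
+"annotations": {
+"description": "Additional annotations",
+"type": "object"
+},
+"variables": {
+"type": "object",
+"properties": {
+"url": {
+"description": "Database URL",
+"type": "string"
+},
+"port": {
+"description": "Database Port",
+"type": "string"
+},
+"username": {
+"description": "Database Username",
+"type": "string"
+},
+"password": {
+"description": "Database Password",
+"type": "string"
+},
+},
+"required": %w[url port username password]
+}
+},
+"required": %w[id branch variables]
+}
+}.to_json)
+end
+end
+end
+end
+end
+end
+end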
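Review bot: The `data` method rebuilds the same envelope that AuthnOidc, Grant and Group also write inline — `Base64.encode64({ version: ..., policy: Base64.encode64(policy_template), policy_branch: ..., schema: { "$schema": ... } }.to_json)` — and the copies have already drifted (`version: 1` here, `'v1'` in AuthnOidc). Extracting one shared builder that takes the per-template schema and branch would keep `version` and `$schema` identical across templates and make the wrapping format a single point of change. Within the schema, `"branch"` is both a required input and interpolated into `policy_branch: "<%= branch %>"`, so the same validation concern raised for `id` applies to it; a `pattern` restricting it to a policy path would be the place to enforce that.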
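--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Factories
+module Templates
+module Core
+module V1
+class Grant
+class << self
+def policy_template
+<<~TEMPLATE
+- !grant
+member: !<%= member_resource_type %> <%= member_resource_id %>
+role: !<%= role_resource_type %> <%= role_resource_id %>
+TEMPLATE
+end
+
+def data
+Base64.encode64({
+version: 1,
+policy: Base64.encode64(policy_template),
+policy_branch: "<%= branch %>",
+schema: {
+"$schema": "http://json-schema.org/draft-06/schema#",
+"title": "Grant Template",
+"description": "Assigns a Role to another Role",
+"type": "object",
+"properties": {
+"branch": {
+"description": "Policy branch to load this grant into",
+"type": "string"
+},
+"member_resource_type": {
+"description": "The member type (group, host, user, etc.) for the grant",
+"type": "string"
+},
+"member_resource_id": {
+"description": "The member resource identifier for the grant",
+"type": "string"
+},
+"role_resource_type": {
+"description": "The role type (group, host, user, etc.) for the grant",
+"type": "string"
+},
+"role_resource_id": {
+"description": "The role resource identifier for the grant",
+"type": "string"
+}
+},
+"required": %w[branch member_resource_type member_resource_id role_resource_type role_resource_id]
+}
+}.to_json)
+end
+end
+end
+end
+end
+end
+end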
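Review bot: `member_resource_type` and `role_resource_type` become YAML tags directly (`member: !<%= member_resource_type %> <%= member_resource_id %>`), yet the schema only requires `"type": "string"`, so any caller-supplied string ends up as a tag in the loaded policy. The property descriptions already name the intended kinds (group, host, user); express that as a JSON Schema `enum` of the permitted Conjur resource kinds on both `*_resource_type` properties, so an unsupported or malformed tag is rejected by schema validation instead of surfacing as a policy load error.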
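--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Factories
+module Templates
+module Core
+module V1
+class Group
+class << self
+def policy_template
+<<~TEMPLATE
+- !group
+id: <%= id %>
+<% if defined?(owner_role) && defined?(owner_type) -%>
+owner: !<%= owner_type %> <%= owner_role %>
+<% end -%>
+annotations:
+factory: core/v1/group
+<% annotations.each do |key, value| -%>
+<%= key %>: <%= value %>
+<% end -%>
+TEMPLATE
+end
+
+def data
+Base64.encode64({
+version: 1,
+policy: Base64.encode64(policy_template),
+policy_branch: "<%= branch %>",
+schema: {
+"$schema": "http://json-schema.org/draft-06/schema#",
+"title": "Group Template",
+"description": "Creates a Conjur Group",
+"type": "object",
+"properties": {
+"id": {
+"description": "Group Identifier",
+"type": "string"
+},
+"branch": {
+"description": "Policy branch to load this group into",
+"type": "string"
+},
+"owner_role": {
+"description": "The Conjur Role that will own this group",
+"type": "string"
+},
+"owner_type": {
+"description": "The resource type of the owner of this group",
+"type": "string"
+},
+"annotations": {
+"description": "Additional annotations",
+"type": "object"
+}
+},
+"required": %w[id branch]
+}
+}.to_json)
+end
+end
+end
+end
+end
+end
+end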
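Review bot: `owner_role` and `owner_type` are declared as independent optional properties, but `policy_template` emits `owner:` only when both are present (`<% if defined?(owner_role) && defined?(owner_type) -%>`), so a request supplying just one of them passes validation and the owner is silently dropped. Make them mutually required with the draft-06 `dependencies` keyword next to `"required": %w[id branch]`: `"dependencies": { "owner_role": ["owner_type"], "owner_type": ["owner_role"] }`. Whether `defined?` on an ERB local behaves as intended depends on how the renderer binds the locals, which cannot be confirmed from this file.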
