class SDM::Client

Client bundles all the services together and initializes them.

Attributes

_test_options[R]
account_attachments[R]

AccountAttachments assign an account to a role or composite role.

account_grants[R]

AccountGrants assign a resource directly to an account, giving the account the permission to connect to that resource.

accounts[R]

Accounts are users that have access to strongDM. There are two types of accounts:

  1. *Users:* humans who are authenticated through username and password or SSO.

  2. **Service Accounts:** machines that are authenticated using a service token.

api_access_key[R]

API authentication token (read-only).

base_retry_delay[R]
control_panel[R]

ControlPanel contains all administrative controls.

max_retries[R]
max_retry_delay[R]
nodes[R]

Nodes make up the strongDM network, and allow your users to connect securely to your resources. There are two types of nodes:

  • *Gateways* are the entry points into network. They listen for connection from the strongDM client, and provide access to databases and servers.

  • *Relays* are used to extend the strongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.

resources[R]
role_attachments[R]

RoleAttachments represent relationships between composite roles and the roles that make up those composite roles. When a composite role is attached to another role, the permissions granted to members of the composite role are augmented to include the permissions granted to members of the attached role.

role_grants[R]

RoleGrants represent relationships between composite roles and the roles that make up those composite roles. When a composite role is attached to another role, the permissions granted to members of the composite role are augmented to include the permissions granted to members of the attached role.

roles[R]

Roles are tools for controlling user access to resources. Each Role holds a list of resources which they grant access to. Composite roles are a special type of Role which have no resource associations of their own, but instead grant access to the combined resources associated with a set of child roles. Each user can be a member of one Role or composite role.

secret_stores[R]

SecretStores are servers where resource secrets (passwords, keys) are stored.

Public Class Methods

new(api_access_key, api_secret_key, host:"api.strongdm.com:443", insecure:false) click to toggle source

Creates a new strongDM API client.

# File lib/strongdm.rb, line 31
def initialize(api_access_key, api_secret_key, host:"api.strongdm.com:443", insecure:false)
    @api_access_key = api_access_key
    @api_secret_key = Base64.strict_decode64(api_secret_key)
    @max_retries = DEFAULT_MAX_RETRIES
    @base_retry_delay = DEFAULT_BASE_RETRY_DELAY
    @max_retry_delay = DEFAULT_MAX_RETRY_DELAY
    @account_attachments = AccountAttachments.new(host, insecure, self)
    @account_grants = AccountGrants.new(host, insecure, self)
    @accounts = Accounts.new(host, insecure, self)
    @control_panel = ControlPanel.new(host, insecure, self)
    @nodes = Nodes.new(host, insecure, self)
    @resources = Resources.new(host, insecure, self)
    @role_attachments = RoleAttachments.new(host, insecure, self)
    @role_grants = RoleGrants.new(host, insecure, self)
    @roles = Roles.new(host, insecure, self)
    @secret_stores = SecretStores.new(host, insecure, self)
    @_test_options = Hash.new
end

Public Instance Methods

get_metadata(method_name, req) click to toggle source 
# File lib/strongdm.rb, line 50
def get_metadata(method_name, req)
    return { 'x-sdm-authentication': @api_access_key,'x-sdm-signature': self.sign(method_name, req.to_proto)}
end
jitterSleep(iter) click to toggle source 
# File lib/strongdm.rb, line 70
def jitterSleep(iter)
    dur_max = @base_retry_delay * 2**iter
    if (dur_max > @max_retry_delay)
        dur_max = @max_retry_delay
    end
    dur = rand() * dur_max
    sleep(dur)
end
shouldRetry(iter, err) click to toggle source 
# File lib/strongdm.rb, line 79
def shouldRetry(iter, err)
    if (iter >= @max_retries-1)
        return false
    end
    if not err .is_a? GRPC::BadStatus
        return true
    end
    return err.code() == 13
end
sign(method_name, msg_bytes) click to toggle source 
# File lib/strongdm.rb, line 54
def sign(method_name, msg_bytes)
    current_utc_date = Time.now.utc
    date = sprintf("%04d-%02d-%02d",current_utc_date.year, current_utc_date.month, current_utc_date.day)

    signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @api_secret_key, date)
    signing_key = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, 'sdm_api_v1')

    sha_req = Digest::SHA256.new
    sha_req << method_name
    sha_req << "\n"
    sha_req << msg_bytes
    request_hash = sha_req.digest

    return Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, signing_key, request_hash))
end