Merge commit

GitOrigin-RevId: 0905d6d383e9c5c4672b97827c7d11cc0d70d344

Author: ucirello

example/okta-sync/matchers.yml

@@ -0,0 +1,11 @@
+---
+groups:
+  -
+    name: db/mongo
+    resources:
+      - type:mongo name:don*
+      - type:ssh name:dev*
+  -
+    name: app/web
+    resources:
+      - type:ssh name:dev-web*

example/okta-sync/okta-sync.py

@@ -0,0 +1,112 @@
+import yaml
+import os
+import strongdm
+from okta.framework.ApiClient import ApiClient
+from okta.framework.Utils import Utils
+from okta.models.user.User import User
+from okta.models.usergroup.UserGroup import UserGroup
+
+def load_matchers():
+    f = open('matchers.yml')
+    data = yaml.load(f, Loader = yaml.Loader)
+    return data
+
+class OktaUser:
+    def __init__(self, login, first_name, last_name, groups):
+        self.login = login
+        self.first_name = first_name
+        self.last_name = last_name
+        self.groups = groups
+    def __repr__(self):
+        return "%s %s"%(self.login,self.groups)
+
+def load_okta_users():
+    ret = []
+    apiClient = ApiClient(pathname='/api/v1/users', base_url=os.getenv('OKTA_CLIENT_ORGURL'), api_token=os.getenv('OKTA_CLIENT_TOKEN'))
+    params = {
+        'search': "profile.department eq \"Engineering\" and (status eq \"ACTIVE\")"
+    }
+    response = ApiClient.get_path(apiClient, '/', params=params)
+    users = Utils.deserialize(response.text, User)
+    for u in users:
+        response = ApiClient.get_path(apiClient, '/{}/groups'.format(u.id))
+        userGroups = Utils.deserialize(response.text, UserGroup)
+        groups = []
+        for ug in userGroups:
+            groups.append(ug.profile.name)
+        oktaUser = OktaUser(u.profile.login, u.profile.firstName, u.profile.lastName, groups)
+        ret.append(oktaUser)
+    return ret
+
+def main():
+    try:
+        okta_sync()
+    except Exception as ex:
+        print("okta sync failed:"+str(ex))
+
+def okta_sync():
+    SDM_API_ACCESS_KEY = os.getenv('SDM_API_ACCESS_KEY')
+    SDM_API_SECRET_KEY = os.getenv('SDM_API_SECRET_KEY')
+    OKTA_CLIENT_TOKEN = os.getenv('OKTA_CLIENT_TOKEN')
+    OKTA_CLIENT_ORGURL = os.getenv('OKTA_CLIENT_ORGURL')
+
+    if SDM_API_ACCESS_KEY is None or SDM_API_SECRET_KEY is None \
+        or OKTA_CLIENT_TOKEN is None or OKTA_CLIENT_ORGURL is None:
+        print("SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY, OKTA_CLIENT_TOKEN, and OKTA_CLIENT_ORGURL must be set")
+        return
+
+    matchers = load_matchers()
+    okta_users = load_okta_users()
+
+    client = strongdm.Client(SDM_API_ACCESS_KEY, SDM_API_SECRET_KEY)
+
+    accounts = {o.email:o.id for o in client.accounts.list("")}
+    permissions = [v for v in client.account_grants.list("")]
+
+    # define current state
+    current = {}
+    for p in permissions:
+        if p.account_id not in current:
+            current[p.account_id] = set()
+        current[p.account_id].add((p.resource_id,p.id))
+
+    # define desired state
+    desired = {}
+    overlapping = 0
+    for group in matchers["groups"]:
+        for resourceQuery in group["resources"]:
+            for res in client.resources.list(resourceQuery):
+                for u in okta_users:
+                    if group["name"] in u.groups:
+                        if u.login not in accounts:
+                            continue
+                        overlapping+=1
+                        aid = accounts[u.login]
+                        if aid not in desired:
+                            desired[aid] = set()
+                        desired[aid].add(res.id)
+
+    # revoke things
+    revocations = 0
+    for aid,curRes in current.items():
+        desRes = desired.get(aid,set())
+        for rid in curRes:
+            if rid[0] not in desRes:
+                revocations+=1
+                client.account_grants.delete(rid[1])
+
+    # grant things
+    grants = 0
+    for aid,desRes in desired.items():
+        curRes = current.get(aid,set())
+        for rid in desRes:
+            for cr in curRes:
+                if rid != cr[0]:
+                    grants+=1
+                    client.account_grants.create(strongdm.AccountGrant(resource_id=rid, account_id=aid))
+
+    print("{} Okta users, {} strongDM users, {} overlapping users, {} grants, {} revocations".format(\
+        len(okta_users),len(accounts), overlapping, grants, revocations))
+
+if __name__ == '__main__':
+    main()

example/okta-sync/requirements.txt

@@ -0,0 +1,2 @@
+strongdm
+okta

example/panicButton.py

@@ -0,0 +1,114 @@
+# Copyright 2020 StrongDM Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+import sys
+import os.path
+import pprint
+import time
+import json
+import os
+import strongdm
+
+# panicButton.py suspends all users except for one admin,
+# in the fake use case of a critical break in or something
+# usage:
+# python3 panicButton.py [email protected]
+# to revert back to pre-panic state:
+# python3 panicButton.py revert
+def main():
+    access_key = os.getenv("SDM_API_ACCESS_KEY")
+    secret_key = os.getenv("SDM_API_SECRET_KEY")
+    if access_key is None or secret_key is None:
+        print("SDM_API_ACCESS_KEY and SDM_API_SECRET_KEY must be provided")
+        return 1
+
+    client = strongdm.Client(access_key, secret_key)
+
+    if len(sys.argv) == 2 and sys.argv[1] == "revert":
+        with open('state.json', 'r') as infile:
+            state = json.load(infile)
+
+            reinstated_count = 0
+
+            users = client.accounts.list('')
+            for user in users:
+                if not user.suspended:
+                    continue
+                reinstated_count += 1
+                user.suspended = False
+                client.accounts.update(user)
+            for attachment in state['attachments']:
+                try:
+                    client.account_attachments.create(strongdm.AccountAttachment(account_id=attachment["account_id"],role_id=attachment["role_id"]))
+                except strongdm.errors.AlreadyExistsError:
+                    pass
+                except Exception as ex:
+                    print("skipping creation of attachment due to error: ", str(ex))
+            for grant in state['grants']:
+                try:
+                    client.account_grants.create(strongdm.AccountGrant(account_id=grant["account_id"],resource_id=grant["resource_id"]))
+                except strongdm.errors.AlreadyExistsError:
+                    pass
+                except Exception as ex:
+                    print("skipping creation of grant due to error: ", str(ex))
+            print("reinstated " + str(reinstated_count) + " users")
+            print("recreated " + str(len(state['attachments'])) + " account attachments")
+            print("recreated " + str(len(state['grants'])) + " account grants")
+        return
+
+    admin_email = ""
+    if len(sys.argv) == 2:
+        admin_email = sys.argv[1]
+    else:
+        print("please provide an admin email to preserve")
+        return 1
+
+    admin_user_id = ""
+    users = client.accounts.list('email:?', admin_email)
+    for user in users:
+        admin_user_id = user.id
+
+    account_attachments = client.account_attachments.list('')
+    account_grants = client.account_grants.list('')
+
+    state = {
+        'attachments': [{"account_id":x.account_id,"role_id":x.role_id} for x in account_attachments if x.account_id != admin_user_id],
+        'grants': [{"account_id":x.account_id,"resource_id":x.resource_id} for x in account_grants if x.account_id != admin_user_id and x.valid_until is None],
+    }
+
+    print("storing " + str(len(state['attachments'])) + " account attachments in state")
+    print("storing " + str(len(state['grants'])) + " account grants in state")
+
+    with open('state.json', 'w') as outfile:
+        json.dump(state, outfile)
+
+
+    suspended_count = 0
+    users = client.accounts.list('')
+    for user in users:
+        if isinstance(user, strongdm.User) and user.email == admin_email:
+            continue
+        user.suspended = True
+        try:
+            client.accounts.update(user)
+            suspended_count += 1
+        except Exception as ex:
+            print("skipping user " + user.id + " on account of error: " + str(ex))
+
+
+    print("suspended " + str(suspended_count) + " users ")
+
+
+if __name__ == "__main__":
+    main()

strongdm/plumbing.py

@@ -51,7 +51,10 @@ def quote_filter_args(filter, *args):
 
 
 def timestamp_to_porcelain(t):
-    return t.ToDatetime().replace(tzinfo=datetime.timezone.utc)
+    ts = t.ToDatetime().replace(tzinfo=datetime.timezone.utc)
+    if ts == datetime.datetime(1970,1,1,0,0,0,0,datetime.timezone.utc):
+        return None
+    return ts
 
 
 def timestamp_to_plumbing(t):