Class: Conjur::Resource

Inherits:

RestClient::Resource

• Object
• RestClient::Resource
• Conjur::Resource

Includes:

Exists, HasAttributes, PathBased

Defined in:

lib/conjur/resource.rb

Class Method Summary

• .all(opts = {}) ⇒ Object

  Returns all resources (optionally qualified by kind) visible to the user with given credentials.

Instance Method Summary

• #annotations ⇒ Object (also: #tags)

  Return a Conjur::Annotations instance to read and manipulate our annotations.

• #create(options = {}) ⇒ Object
• #delete(options = {}) ⇒ Object
• #deny(privilege, role, options = {}) ⇒ Object
• #give_to(owner, options = {}) ⇒ Object

  Changes the owner of a resource.

• #identifier ⇒ Object
• #permit(privilege, role, options = {}) ⇒ Object
• #permitted?(privilege, options = {}) ⇒ Boolean

  True if the logged-in role, or a role specified using the acting-as option, has the specified privilege on this resource.

• #permitted_roles(permission, options = {}) ⇒ Object

  Lists roles that have a specified permission on the resource.

• #resourceid ⇒ Object (also: #resource_id)

  Name convention according to Role#roleid.

Methods included from PathBased

#account, #kind

Methods included from HasAttributes

#attributes, #attributes=, #invalidate, #refresh, #save, #to_json

Methods included from Exists

#exists?

Class Method Details

.all(opts = {}) ⇒ Object

Returns all resources (optionally qualified by kind) visible to the user with given credentials. Options are:

• host - authz url,

• credentials,

• account,

• kind (optional),

• search (optional),

• limit (optional),

• offset (optional).

# File 'lib/conjur/resource.rb', line 133

def self.all opts = {}
  host, credentials, account, kind = opts.values_at(*[:host, :credentials, :account, :kind])
  fail ArgumentError, "host and account are required" unless [host, account].all?

  credentials ||= {}

  path = "#{account}/resources" 
  path += "/#{kind}" if kind
  query = opts.slice(:acting_as, :limit, :offset, :search)
  path += "?#{query.to_query}" unless query.empty?
  resource = RestClient::Resource.new(host, credentials)[path]
  
  JSON.parse resource.get
end

Instance Method Details

#annotations ⇒ Object Also known as: tags

Return a Conjur::Annotations instance to read and manipulate our annotations.

# File 'lib/conjur/resource.rb', line 118

def annotations
  @annotations ||= Conjur::Annotations.new(self)
end

#create(options = {}) ⇒ Object

# File 'lib/conjur/resource.rb', line 40

def create(options = {})
  log do |logger|
    logger << "Creating resource #{resourceid}"
    unless options.empty?
      logger << " with options #{options.to_json}"
    end
  end
  self.put(options)
end

#delete(options = {}) ⇒ Object

# File 'lib/conjur/resource.rb', line 61

def delete(options = {})
  log do |logger|
    logger << "Deleting resource #{resourceid}"
    unless options.empty?
      logger << " with options #{options.to_json}"
    end
  end
  super options
end

#deny(privilege, role, options = {}) ⇒ Object

# File 'lib/conjur/resource.rb', line 90

def deny(privilege, role, options = {})
  role = cast(role, :roleid)
  eachable(privilege).each do |p|
    log do |logger|
      logger << "Denying #{p} on resource #{resourceid} by #{role}"
      unless options.empty?
        logger << " with options #{options.to_json}"
      end
    end
    self["?deny&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
  end
end

#give_to(owner, options = {}) ⇒ Object

Changes the owner of a resource

# File 'lib/conjur/resource.rb', line 56

def give_to(owner, options = {})
  owner = cast(owner, :roleid)
  self.put(options.merge(owner: owner))
end

#identifier ⇒ Object

# File 'lib/conjur/resource.rb', line 29

def identifier
  match_path(3..-1)
end

#permit(privilege, role, options = {}) ⇒ Object

# File 'lib/conjur/resource.rb', line 71

def permit(privilege, role, options = {})
  role = cast(role, :roleid)
  eachable(privilege).each do |p|
    log do |logger|
      logger << "Permitting #{p} on resource #{resourceid} by #{role}"
      unless options.empty?
        logger << " with options #{options.to_json}"
      end
    end
    
    begin
      self["?permit&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
    rescue RestClient::Forbidden
      # TODO: Remove once permit is idempotent
      raise $! unless $!.http_body == "Privilege already granted."
    end
  end
end

#permitted?(privilege, options = {}) ⇒ Boolean

True if the logged-in role, or a role specified using the acting-as option, has the specified privilege on this resource.

Returns:

• (Boolean)

# File 'lib/conjur/resource.rb', line 105

def permitted?(privilege, options = {})
  params = {
    check: true,
    privilege: query_escape(privilege)
  }
  params[:acting_as] = options[:acting_as] if options[:acting_as]
  self["?#{params.to_query}"].get(options)
  true
rescue RestClient::ResourceNotFound
  false
end

#permitted_roles(permission, options = {}) ⇒ Object

Lists roles that have a specified permission on the resource.

# File 'lib/conjur/resource.rb', line 51

def permitted_roles(permission, options = {})
  JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.options)["#{account}/roles/allowed_to/#{permission}/#{path_escape kind}/#{path_escape identifier}"].get(options)
end

#resourceid ⇒ Object Also known as: resource_id

Name convention according to Role#roleid.

# File 'lib/conjur/resource.rb', line 34

def resourceid 
  [account, kind, identifier].join ':'
end