Class: Conjur::Resource
- Inherits: RestClient::Resource (ancestry: Object > RestClient::Resource > Conjur::Resource)
- Includes: Exists, HasAttributes, PathBased
- Defined in: lib/conjur/resource.rb
Class Method Summary
- .all(opts = {}) ⇒ Object
  Returns all resources (optionally qualified by kind) visible to the user with given credentials.
Instance Method Summary
- #annotations ⇒ Object (also: #tags)
  Return a Conjur::Annotations instance to read and manipulate our annotations.
- #create(options = {}) ⇒ Object
- #delete(options = {}) ⇒ Object
- #deny(privilege, role, options = {}) ⇒ Object
- #give_to(owner, options = {}) ⇒ Object
  Changes the owner of a resource.
- #identifier ⇒ Object
- #permit(privilege, role, options = {}) ⇒ Object
- #permitted?(privilege, options = {}) ⇒ Boolean
  True if the logged-in role, or a role specified using the acting-as option, has the specified privilege on this resource.
- #permitted_roles(permission, options = {}) ⇒ Object
  Lists roles that have a specified permission on the resource.
- #resourceid ⇒ Object (also: #resource_id)
  Name convention according to Role#roleid.
Methods included from PathBased
Methods included from HasAttributes
#attributes, #attributes=, #invalidate, #refresh, #save, #to_json
Methods included from Exists
Class Method Details
.all(opts = {}) ⇒ Object
Returns all resources (optionally qualified by kind) visible to the user with given credentials. Options are:
- host - authz url,
- credentials,
- account,
- kind (optional),
- search (optional),
- limit (optional),
- offset (optional).
  # File 'lib/conjur/resource.rb', line 133

  def self.all opts = {}
    host, credentials, account, kind = opts.values_at(*[:host, :credentials, :account, :kind])
    fail ArgumentError, "host and account are required" unless [host, account].all?
    credentials ||= {}
    # Path is <account>/resources, narrowed to one kind when :kind is given
    path = "#{account}/resources"
    path += "/#{kind}" if kind
    # Only the listing parameters are forwarded as the query string
    query = opts.slice(:acting_as, :limit, :offset, :search)
    path += "?#{query.to_query}" unless query.empty?
    resource = RestClient::Resource.new(host, credentials)[path]
    JSON.parse resource.get
  end
Instance Method Details
#annotations ⇒ Object Also known as: tags
Return a Conjur::Annotations instance to read and manipulate our annotations.
  # File 'lib/conjur/resource.rb', line 118

  def annotations
    @annotations ||= Conjur::Annotations.new(self)
  end
#create(options = {}) ⇒ Object
  # File 'lib/conjur/resource.rb', line 40

  def create(options = {})
    log do |logger|
      logger << "Creating resource #{resourceid}"
      unless options.empty?
        logger << " with options #{options.to_json}"
      end
    end
    self.put(options)
  end
#delete(options = {}) ⇒ Object
  # File 'lib/conjur/resource.rb', line 61

  def delete(options = {})
    log do |logger|
      logger << "Deleting resource #{resourceid}"
      unless options.empty?
        logger << " with options #{options.to_json}"
      end
    end
    super
  end
#deny(privilege, role, options = {}) ⇒ Object
  # File 'lib/conjur/resource.rb', line 90

  def deny(privilege, role, options = {})
    role = cast(role, :roleid)
    # privilege may be a single name or a list; each one is revoked separately
    eachable(privilege).each do |p|
      log do |logger|
        logger << "Denying #{p} on resource #{resourceid} by #{role}"
        unless options.empty?
          logger << " with options #{options.to_json}"
        end
      end
      self["?deny&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
    end
  end
#give_to(owner, options = {}) ⇒ Object
Changes the owner of a resource.
  # File 'lib/conjur/resource.rb', line 56

  def give_to(owner, options = {})
    owner = cast(owner, :roleid)
    self.put(options.merge(owner: owner))
  end
#identifier ⇒ Object
  # File 'lib/conjur/resource.rb', line 29

  def identifier
    match_path(3..-1)
  end
#permit(privilege, role, options = {}) ⇒ Object
  # File 'lib/conjur/resource.rb', line 71

  def permit(privilege, role, options = {})
    role = cast(role, :roleid)
    # privilege may be a single name or a list; each one is granted separately
    eachable(privilege).each do |p|
      log do |logger|
        logger << "Permitting #{p} on resource #{resourceid} by #{role}"
        unless options.empty?
          logger << " with options #{options.to_json}"
        end
      end
      begin
        self["?permit&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
      rescue RestClient::Forbidden
        # TODO: Remove once permit is idempotent
        raise $! unless $!.http_body == "Privilege already granted."
      end
    end
  end
#permitted?(privilege, options = {}) ⇒ Boolean
True if the logged-in role, or a role specified using the acting-as option, has the specified privilege on this resource.
  # File 'lib/conjur/resource.rb', line 105

  def permitted?(privilege, options = {})
    params = { check: true, privilege: query_escape(privilege) }
    params[:acting_as] = options[:acting_as] if options[:acting_as]
    # The server answers the check with 200 (permitted) or 404 (not permitted)
    self["?#{params.to_query}"].get(options)
    true
  rescue RestClient::ResourceNotFound
    false
  end
#permitted_roles(permission, options = {}) ⇒ Object
Lists roles that have a specified permission on the resource.
  # File 'lib/conjur/resource.rb', line 51

  def permitted_roles(permission, options = {})
    JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.options)["#{account}/roles/allowed_to/#{permission}/#{path_escape kind}/#{path_escape identifier}"].get(options)
  end
#resourceid ⇒ Object Also known as: resource_id
Name convention according to Role#roleid.
  # File 'lib/conjur/resource.rb', line 34

  def resourceid
    [account, kind, identifier].join ':'
  end
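The path that .all builds from its options, the account:kind:identifier convention of #resourceid and the way #identifier reads the tail of a resource URL can be exercised without a Conjur server. The following is an added example, not code from the conjur-api gem: it reimplements those three conventions in plain Ruby. Two assumptions are made: ActiveSupport's Hash#to_query (sorted keys, CGI escaping) is stood in for by stdlib URI.encode_www_form over sorted pairs, and a resource URL is taken to have the path layout /<account>/resources/<kind>/<identifier...>, the shape .all requests. Function names (resources_path, parse_resourceid, identifier_from_url, roundtrip_ok?) are the example's own.

```ruby
require "uri"

# Added example, not conjur-api code. Reproduces the conventions documented
# above so they can be checked offline.

# Query keys that Conjur::Resource.all forwards; everything else is dropped.
ALL_QUERY_KEYS = [:acting_as, :limit, :offset, :search].freeze

# Request path that .all builds for an options hash.
# Assumption: URI.encode_www_form over sorted pairs stands in for
# ActiveSupport's Hash#to_query; both give "limit=10&search=db+password"
# for plain string and integer values.
def resources_path(opts = {})
  host, account, kind = opts.values_at(:host, :account, :kind)
  raise ArgumentError, "host and account are required" unless host && account
  path = "#{account}/resources"
  path += "/#{kind}" if kind                  # :kind narrows the listing
  query = opts.select { |k, _| ALL_QUERY_KEYS.include?(k) }
  path += "?#{URI.encode_www_form(query.sort)}" unless query.empty?
  path
end

# Compose an id the way #resourceid does: account, kind, identifier joined by ':'.
def resourceid(account, kind, identifier)
  [account, kind, identifier].join(":")
end

# Inverse of resourceid. Only the first two colons delimit fields, because
# join(":") does not escape a ':' that appears inside the identifier itself.
def parse_resourceid(id)
  parts = id.split(":", 3)
  unless parts.size == 3 && parts.none?(&:empty?)
    raise ArgumentError, "malformed resource id: #{id.inspect}"
  end
  { account: parts[0], kind: parts[1], identifier: parts[2] }
end

# Counterpart of #identifier (match_path(3..-1)) for a resource URL.
# Assumption: path segments are account, "resources", kind, then the
# identifier; segments from index 3 on are percent-decoded and rejoined.
def identifier_from_url(url)
  segments = URI.parse(url).path.split("/").reject(&:empty?)
  raise ArgumentError, "not a resource URL: #{url}" if segments.size < 4
  segments[3..-1].map { |s| s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr } }.join("/")
end

# Round trip: an id composed from a fetched resource must parse back unchanged.
def roundtrip_ok?(url, account, kind)
  identifier = identifier_from_url(url)
  parse_resourceid(resourceid(account, kind, identifier)) ==
    { account: account, kind: kind, identifier: identifier }
end

if __FILE__ == $PROGRAM_NAME
  puts resources_path(host: "https://authz.example", account: "myorg",
                      kind: "variable", search: "db password", limit: 10)
  puts resourceid("myorg", "variable", "prod/db/password")
  p parse_resourceid("myorg:variable:prod/db:password")
  puts identifier_from_url("https://authz.example/myorg/resources/host/ci/runner-1")
end
```

The split limit of 3 in parse_resourceid is the one detail worth noticing: because #resourceid joins with a plain ':', an identifier containing a colon would be silently mis-split by an unbounded split, so any code that takes resource ids apart should bound the split to three fields.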