Class: Conjur::Resource
- Inherits:
-
RestClient::Resource
- Object
- RestClient::Resource
- Conjur::Resource
- Includes:
- HasAttributes, PathBased
- Defined in:
- lib/conjur/resource.rb
Class Method Summary collapse
-
.all(opts = {}) ⇒ Object
Returns all resources (optionally qualified by kind) visible to the user with given credentials.
Instance Method Summary collapse
-
#annotations ⇒ Object
(also: #tags)
Return a Conjur::Annotations instance to read and manipulate our annotations.
- #create(options = {}) ⇒ Object
- #delete(options = {}) ⇒ Object
- #deny(privilege, role, options = {}) ⇒ Object
- #exists?(options = {}) ⇒ Boolean
-
#give_to(owner, options = {}) ⇒ Object
Changes the owner of a resource.
- #identifier ⇒ Object
- #ownerid ⇒ Object (also: #owner)
- #permit(privilege, role, options = {}) ⇒ Object
-
#permitted?(privilege, options = {}) ⇒ Boolean
True if the logged-in role, or a role specified using the acting-as option, has the specified
privilege
on this resource. -
#permitted_roles(permission, options = {}) ⇒ Object
Lists roles that have a specified permission on the resource.
-
#resourceid ⇒ Object
(also: #resource_id)
Name convention according to Role#roleid.
Methods included from PathBased
Methods included from HasAttributes
#attributes, #attributes=, #invalidate, #refresh, #save, #to_json
Class Method Details
.all(opts = {}) ⇒ Object
Returns all resources (optionally qualified by kind) visible to the user with given credentials. Options are:
-
host - authz url,
-
credentials,
-
account,
-
kind (optional),
-
search (optional),
-
limit (optional),
-
offset (optional).
151 152 153 154 155 156 157 158 159 160 161 162 163 164 |
# File 'lib/conjur/resource.rb', line 151 def self.all opts = {} host, credentials, account, kind = opts.values_at(*[:host, :credentials, :account, :kind]) fail ArgumentError, "host and account are required" unless [host, account].all? credentials ||= {} path = "#{account}/resources" path += "/#{kind}" if kind query = opts.slice(:acting_as, :limit, :offset, :search) path += "?#{query.to_query}" unless query.empty? resource = RestClient::Resource.new(host, credentials)[path] JSON.parse resource.get end |
Instance Method Details
#annotations ⇒ Object Also known as:
Return a Conjur::Annotations instance to read and manipulate our annotations.
136 137 138 |
# File 'lib/conjur/resource.rb', line 136 def annotations @annotations ||= Conjur::Annotations.new(self) end |
#create(options = {}) ⇒ Object
45 46 47 48 49 50 51 52 53 |
# File 'lib/conjur/resource.rb', line 45 def create( = {}) log do |logger| logger << "Creating resource #{resourceid}" unless .empty? logger << " with options #{.to_json}" end end self.put() end |
#delete(options = {}) ⇒ Object
77 78 79 80 81 82 83 84 85 |
# File 'lib/conjur/resource.rb', line 77 def delete( = {}) log do |logger| logger << "Deleting resource #{resourceid}" unless .empty? logger << " with options #{.to_json}" end end super end |
#deny(privilege, role, options = {}) ⇒ Object
106 107 108 109 110 111 112 113 114 115 116 117 |
# File 'lib/conjur/resource.rb', line 106 def deny(privilege, role, = {}) role = cast(role, :roleid) eachable(privilege).each do |p| log do |logger| logger << "Denying #{p} on resource #{resourceid} by #{role}" unless .empty? logger << " with options #{.to_json}" end end self["?deny&privilege=#{query_escape p}&role=#{query_escape role}"].post() end end |
#exists?(options = {}) ⇒ Boolean
55 56 57 58 59 60 61 62 63 64 |
# File 'lib/conjur/resource.rb', line 55 def exists?( = {}) begin self.head() true rescue RestClient::Forbidden true rescue RestClient::ResourceNotFound false end end |
#give_to(owner, options = {}) ⇒ Object
Changes the owner of a resource
72 73 74 75 |
# File 'lib/conjur/resource.rb', line 72 def give_to(owner, = {}) owner = cast(owner, :roleid) self.put(.merge(owner: owner)) end |
#identifier ⇒ Object
28 29 30 |
# File 'lib/conjur/resource.rb', line 28 def identifier match_path(3..-1) end |
#ownerid ⇒ Object Also known as: owner
32 33 34 |
# File 'lib/conjur/resource.rb', line 32 def ownerid attributes['owner'] end |
#permit(privilege, role, options = {}) ⇒ Object
87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 |
# File 'lib/conjur/resource.rb', line 87 def permit(privilege, role, = {}) role = cast(role, :roleid) eachable(privilege).each do |p| log do |logger| logger << "Permitting #{p} on resource #{resourceid} by #{role}" unless .empty? logger << " with options #{.to_json}" end end begin self["?permit&privilege=#{query_escape p}&role=#{query_escape role}"].post() rescue RestClient::Forbidden # TODO: Remove once permit is idempotent raise $! unless $!.http_body == "Privilege already granted." end end end |
#permitted?(privilege, options = {}) ⇒ Boolean
True if the logged-in role, or a role specified using the acting-as option, has the specified privilege
on this resource.
121 122 123 124 125 126 127 128 129 130 131 132 133 |
# File 'lib/conjur/resource.rb', line 121 def permitted?(privilege, = {}) params = { check: true, privilege: query_escape(privilege) } params[:acting_as] = [:acting_as] if [:acting_as] self["?#{params.to_query}"].get() true rescue RestClient::Forbidden false rescue RestClient::ResourceNotFound false end |
#permitted_roles(permission, options = {}) ⇒ Object
Lists roles that have a specified permission on the resource.
67 68 69 |
# File 'lib/conjur/resource.rb', line 67 def permitted_roles(, = {}) JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.)["#{account}/roles/allowed_to/#{}/#{path_escape kind}/#{path_escape identifier}"].get() end |
#resourceid ⇒ Object Also known as: resource_id
Name convention according to Role#roleid.
39 40 41 |
# File 'lib/conjur/resource.rb', line 39 def resourceid [account, kind, identifier].join ':' end |