Class: Conjur::Policy::Planner::Permit

Inherits:
Base
Defined in:
lib/conjur/policy/planner/permissions.rb

Overview

Plans a permission.

The Permit record can list multiple roles, privileges, and resources. Each privilege should be allowed to each role on each resource. If the replace option is set, then any existing privilege on an existing resource that is not given should be denied.

Instance Attribute Summary

Attributes inherited from Base

#api, #plan, #record

Instance Method Summary

Methods inherited from Base

#account, #action, #create_record, #error, #initialize, #log, #resource, #resource_exists?, #resource_record, #role, #role_exists?, #role_record, #update_record

Methods included from Logger

included

Constructor Details

This class inherits a constructor from Conjur::Policy::Planner::Base

Instance Method Details

#do_plan ⇒ Object



# File 'lib/conjur/policy/planner/permissions.rb', line 13

# Plans the permit described by +record+.
#
# The requested (role, privilege, resource) combinations are collected into a
# PrivilegeFacts instance together with the permissions that already exist on
# each listed resource. +facts.validate!+ runs before any action is queued, so
# an invalid record produces no partial plan. Every grant reported by
# +facts.grants_to_apply+ becomes a Permit action. Only when +record.replace+
# is truthy does every grant reported by +facts.grants_to_revoke+ become a
# Deny action, removing privileges that are present on those resources but
# absent from the record; without +replace+ such privileges are left in place.
#
# @return [void] actions are queued through +action+; the return value is not
#   meaningful to callers.
def do_plan
  facts = PrivilegeFacts.new(self)
  facts.add_requested_permission(record)

  requested_privileges = Array(record.privileges)
  Array(record.resources).each do |res|
    facts.resource_permissions(res, requested_privileges) do |existing|
      facts.add_existing_permission(existing)
    end
  end

  # Validate before emitting anything, so no Permit/Deny is queued for a bad record.
  facts.validate!

  facts.grants_to_apply.each do |(role, privilege, resource, admin)|
    permit = Conjur::Policy::Types::Permit.new
    permit.resource = resource_record(resource)
    permit.privilege = privilege
    member = Conjur::Policy::Types::Member.new(role_record(role))
    # Only the truthy case is written; a falsy +admin+ leaves the Member as constructed.
    member.admin = true if admin
    permit.role = member
    action(permit)
  end

  # Revocation is opt-in: existing grants outside the record survive unless +replace+ is set.
  return unless record.replace

  facts.grants_to_revoke.each do |(roleid, privilege, resourceid)|
    deny = Conjur::Policy::Types::Deny.new
    deny.resource = resource_record(resourceid)
    deny.privilege = privilege
    deny.role = role_record(roleid)
    action(deny)
  end
end