Class: Conjur::Policy::Planner::PrivilegeFacts
- Defined in:
- lib/conjur/policy/planner/facts.rb
Overview
Privilege grants are [ roleid, privilege, resourceid, grant_option ].
Instance Attribute Summary
Attributes inherited from BaseFacts
#existing, #existing_with_admin_flag, #planner, #requested, #requested_with_admin_flag
Instance Method Summary
-
#add_existing_permission(permission) ⇒ Object
Add a permission that is already held.
-
#add_requested_permission(permit) ⇒ Object
Add the grants of a permit to the set of requested grants.
-
#remove_revoked_permission(deny) ⇒ Object
Removes a Types::Deny from the set of requested grants.
-
#resource_permissions(resource, privileges, &block) ⇒ Object
Enumerate all existing permissions for the specified resource.
-
#validate! ⇒ Object
Validate that all the requested roles exist.
Methods inherited from BaseFacts
#api, #grants_to_apply, #grants_to_revoke, #initialize, #validate_resource_exists!, #validate_role_exists!
Constructor Details
This class inherits a constructor from Conjur::Policy::Planner::BaseFacts
Instance Method Details
#add_existing_permission(permission) ⇒ Object
Add a permission that is already held.
    # File 'lib/conjur/policy/planner/facts.rb', line 178
    def add_existing_permission permission
      existing.add [ permission['role'], permission['privilege'], permission['resource'] ]
      existing_with_admin_flag.add [ permission['role'], permission['privilege'], permission['resource'], permission['grant_option'] ]
    end
#add_requested_permission(permit) ⇒ Object
Add the grants of a permit to the set of requested grants.
    # File 'lib/conjur/policy/planner/facts.rb', line 153
    def add_requested_permission permit
      Array(permit.roles).each do |member|
        Array(permit.privileges).each do |privilege|
          Array(permit.resources).each do |resource|
            requested.add [ member.role.roleid, privilege, resource.resourceid ]
            requested_with_admin_flag.add [ member.role.roleid, privilege, resource.resourceid, !!member.admin ]
          end
        end
      end
    end
#remove_revoked_permission(deny) ⇒ Object
Removes a Types::Deny from the set of requested grants.
    # File 'lib/conjur/policy/planner/facts.rb', line 165
    def remove_revoked_permission deny
      Array(deny.roles).each do |role|
        Array(deny.privileges).each do |privilege|
          Array(deny.resources).each do |resource|
            requested.delete [ role.roleid, privilege, resource.resourceid ]
            requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, true ]
            requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, false ]
          end
        end
      end
    end
#resource_permissions(resource, privileges, &block) ⇒ Object
Enumerate all existing permissions for the specified resource. Only permissions that apply one of the specified privileges are considered. Each permission is yielded to the block.
    # File 'lib/conjur/policy/planner/facts.rb', line 122
    def resource_permissions resource, privileges, &block
      permissions = begin
        resource = JSON.parse(api.resource(resource.resourceid).get)
        # Malformed resource ids can be interpreted as a resource search
        if resource.is_a?(Array)
          []
        else
          resource['permissions']
        end
      rescue RestClient::ResourceNotFound
        if api.resource(resource.resourceid).exists?
          $stderr.puts "WARNING: Unable to fetch permissions of resource #{resource.resourceid}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
        end
        []
      end
      permissions.select{|p| privileges.member?(p['privilege'])}.each do |permission|
        yield permission
      end
    end
#validate! ⇒ Object
Validate that all the requested roles exist.
    # File 'lib/conjur/policy/planner/facts.rb', line 143
    def validate!
      requested.to_a.map{|row| row[0]}.uniq.each do |roleid|
        validate_role_exists! roleid
      end
      requested.to_a.map{|row| row[2]}.uniq.each do |resourceid|
        validate_resource_exists! resourceid
      end
    end
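The following is an added example, not code from the conjur gem, showing why the facts are kept as 4-tuples with the admin flag: a change in grant_option alone must surface as a revoke plus a grant, and a deny has to clear both admin variants. The permit/deny hashes and the set-difference reconciliation in plan are assumptions (BaseFacts#grants_to_apply and #grants_to_revoke are not shown on this page).

```ruby
require 'set'

# Constructed policy objects (hypothetical hashes, not the gem's Types::Permit /
# Types::Deny): for permits, roles is a list of [roleid, admin] pairs.
def requested_from_policy(permits, denies)
  requested = Set.new
  permits.each do |permit|
    permit[:roles].each do |roleid, admin|
      permit[:privileges].product(permit[:resources]).each do |privilege, resourceid|
        # !!admin normalises a missing admin flag to false, as the page's code does
        requested.add [roleid, privilege, resourceid, !!admin]
      end
    end
  end
  denies.each do |deny|
    deny[:roles].product(deny[:privileges], deny[:resources]).each do |roleid, privilege, resourceid|
      # a deny must remove both admin variants, or a stale tuple could survive
      [true, false].each { |flag| requested.delete [roleid, privilege, resourceid, flag] }
    end
  end
  requested
end

# Server permission records carry 'role', 'privilege', 'resource' and 'grant_option'.
def existing_from_records(records)
  records.map { |r| [r['role'], r['privilege'], r['resource'], r['grant_option']] }.to_set
end

# Assumed reconciliation: set differences over the 4-tuples, so changing only the
# grant_option of an existing grant yields one revoke and one grant.
def plan(requested, existing)
  { apply: (requested - existing).to_a, revoke: (existing - requested).to_a }
end

# Constructed scenario: ops already reads the secret without grant option; policy now
# wants ops to hold read with admin and explicitly denies alice's existing read.
def demo_plan
  existing = existing_from_records([
    { 'role' => 'group:ops',  'privilege' => 'read', 'resource' => 'variable:db/password', 'grant_option' => false },
    { 'role' => 'user:alice', 'privilege' => 'read', 'resource' => 'variable:db/password', 'grant_option' => false }
  ])
  requested = requested_from_policy(
    [{ roles: [['group:ops', true], ['user:alice', nil]], privileges: ['read'], resources: ['variable:db/password'] }],
    [{ roles: ['user:alice'], privileges: ['read'], resources: ['variable:db/password'] }]
  )
  plan(requested, existing)
end
```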