Class: Conjur::Policy::Planner::PrivilegeFacts

Inherits:
BaseFacts show all
Defined in:
lib/conjur/policy/planner/facts.rb

Overview

Privilege grants are represented as [ roleid, privilege, resourceid, grant_option ]. The #existing and #requested sets hold the first three elements only; the #existing_with_admin_flag and #requested_with_admin_flag sets hold all four, so that a change to grant_option alone is still visible to the planner.

Instance Attribute Summary

Attributes inherited from BaseFacts

#existing, #existing_with_admin_flag, #planner, #requested, #requested_with_admin_flag

Instance Method Summary collapse

Methods inherited from BaseFacts

#api, #grants_to_apply, #grants_to_revoke, #initialize, #validate_resource_exists!, #validate_role_exists!

Constructor Details

This class inherits a constructor from Conjur::Policy::Planner::BaseFacts

Instance Method Details

#add_existing_permission(permission) ⇒ Object

Add a permission that is already held.



# File 'lib/conjur/policy/planner/facts.rb', line 178

def add_existing_permission permission
  existing.add [ permission['role'], permission['privilege'], permission['resource'] ]
  existing_with_admin_flag.add [ permission['role'], permission['privilege'], permission['resource'], permission['grant_option'] ]
end

#add_requested_permission(permit) ⇒ Object

Add a Types::Permit to the set of requested grants. The member's admin flag is coerced with !! so that a nil flag is recorded as false.



# File 'lib/conjur/policy/planner/facts.rb', line 153

def add_requested_permission permit
  Array(permit.roles).each do |member|
    Array(permit.privileges).each do |privilege|
      Array(permit.resources).each do |resource|
        requested.add [ member.role.roleid, privilege, resource.resourceid ]
        requested_with_admin_flag.add [ member.role.roleid, privilege, resource.resourceid, !!member.admin ]
      end
    end
  end
end

#remove_revoked_permission(deny) ⇒ Object

Removes a Types::Deny from the set of requested grants.



# File 'lib/conjur/policy/planner/facts.rb', line 165

def remove_revoked_permission deny
  Array(deny.roles).each do |role|
    Array(deny.privileges).each do |privilege|
      Array(deny.resources).each do |resource|
        requested.delete [ role.roleid, privilege, resource.resourceid ]
        requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, true ]
        requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, false ]
      end
    end
  end
end
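The three mutators above (#add_existing_permission, #add_requested_permission and #remove_revoked_permission) only make sense together, so the following added example (not the conjur-policy gem's own code) models them stand-alone: a requested permit is fanned out into facts, a deny strips one privilege, and an existing permission reported by the server is recorded with its grant_option. The Struct stand-ins for Types::Permit, Types::Deny and their role/resource attributes, the role and variable ids, and the set-difference definitions of grants_to_apply and grants_to_revoke are assumptions made for illustration; the real BaseFacts implementations are not shown on this page.

```ruby
require 'set'

# Constructed stand-ins for the planner's input types. Assumption: only the
# attributes PrivilegeFacts reads (roleid, admin, resourceid, roles,
# privileges, resources) are modelled.
ExRole     = Struct.new(:roleid)
ExMember   = Struct.new(:role, :admin)      # member.admin mirrors grant_option
ExResource = Struct.new(:resourceid)
ExPermit   = Struct.new(:roles, :privileges, :resources)
ExDeny     = Struct.new(:roles, :privileges, :resources)

class PrivilegeFactsExample
  attr_reader :requested, :requested_with_admin_flag,
              :existing, :existing_with_admin_flag

  def initialize
    @requested = Set.new
    @requested_with_admin_flag = Set.new
    @existing = Set.new
    @existing_with_admin_flag = Set.new
  end

  # Same fan-out as PrivilegeFacts#add_requested_permission: every
  # (member, privilege, resource) combination becomes one fact. `!!member.admin`
  # turns a nil admin flag into a definite false so 4-tuples compare cleanly.
  def add_requested_permission(permit)
    Array(permit.roles).each do |member|
      Array(permit.privileges).each do |privilege|
        Array(permit.resources).each do |resource|
          requested.add [member.role.roleid, privilege, resource.resourceid]
          requested_with_admin_flag.add [member.role.roleid, privilege,
                                         resource.resourceid, !!member.admin]
        end
      end
    end
  end

  # A deny carries no admin flag, so both flag variants must be deleted.
  def remove_revoked_permission(deny)
    Array(deny.roles).each do |role|
      Array(deny.privileges).each do |privilege|
        Array(deny.resources).each do |resource|
          requested.delete [role.roleid, privilege, resource.resourceid]
          [true, false].each do |flag|
            requested_with_admin_flag.delete [role.roleid, privilege, resource.resourceid, flag]
          end
        end
      end
    end
  end

  # Existing permissions arrive as JSON hashes from the resource's 'permissions' list.
  def add_existing_permission(permission)
    existing.add [permission['role'], permission['privilege'], permission['resource']]
    existing_with_admin_flag.add [permission['role'], permission['privilege'],
                                  permission['resource'], permission['grant_option']]
  end

  # Assumption: the inherited grants_to_apply / grants_to_revoke behave as set
  # differences on the flagged tuples. Defined here only to show the effect of
  # tracking grant_option separately.
  def grants_to_apply
    requested_with_admin_flag - existing_with_admin_flag
  end

  def grants_to_revoke
    existing_with_admin_flag - requested_with_admin_flag
  end
end

# Constructed scenario: a policy permits read+execute on a variable for a host
# (no admin flag), a later deny removes execute, and the server reports that the
# host already holds read WITH grant_option. Ids are made up for the example.
def plan_example
  facts = PrivilegeFactsExample.new
  host = ExRole.new('example:host:app-01')
  var  = ExResource.new('example:variable:db/password')

  facts.add_requested_permission ExPermit.new([ExMember.new(host, nil)], %w[read execute], [var])
  facts.remove_revoked_permission ExDeny.new([host], ['execute'], [var])
  facts.add_existing_permission(
    'role' => host.roleid, 'privilege' => 'read',
    'resource' => var.resourceid, 'grant_option' => true
  )
  facts
end
```

In this scenario the flag-less sets end up identical (the host has read, the policy wants read), so a planner that compared only triples would do nothing. The flagged sets differ: the existing grant carries grant_option true and the requested one false, so under the set-difference model the plan must revoke the admin variant and apply the plain one. It also shows why #resource_permissions matters: if the permissions list cannot be fetched and comes back empty, #existing_with_admin_flag stays empty, every requested grant is re-applied and nothing can be revoked.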

#resource_permissions(resource, privileges, &block) ⇒ Object

Enumerate all existing permissions on the specified resource. Only permissions that grant one of the specified privileges are considered; each matching permission is yielded to the block. If the permissions cannot be read (for example because the caller lacks 'reveal' or 'elevate' mode) a warning is printed and no permissions are yielded, so the planner will treat the resource as having no existing grants.



# File 'lib/conjur/policy/planner/facts.rb', line 122

def resource_permissions resource, privileges, &block
  permissions = begin
    resource = JSON.parse(api.resource(resource.resourceid).get)
    # Malformed resource ids can be interpreted as a resource search
    if resource.is_a?(Array)
      []
    else 
      resource['permissions']
    end
  rescue RestClient::ResourceNotFound
    if api.resource(resource.resourceid).exists?
      $stderr.puts "WARNING: Unable to fetch permissions of resource #{resource.resourceid}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
    end
    []
  end
  permissions.select{|p| privileges.member?(p['privilege'])}.each do |permission|
    yield permission
  end
end

#validate! ⇒ Object

Validate that every requested role and every requested resource exists.



# File 'lib/conjur/policy/planner/facts.rb', line 143

def validate!
  requested.to_a.map{|row| row[0]}.uniq.each do |roleid|
    validate_role_exists! roleid
  end
  requested.to_a.map{|row| row[2]}.uniq.each do |resourceid|
    validate_resource_exists! resourceid
  end
end