Class: Conjur::Resource
Inherits: RestClient::Resource
Ancestors: Object > RestClient::Resource > Conjur::Resource
Includes: Exists, HasAttributes, PathBased
Defined in: lib/conjur/resource.rb
Overview
A Conjur::Resource instance represents a Conjur Resource.
You should not instantiate this class directly. Instead, you can get an instance from the API#resource and API#resources methods, or from the ActsAsResource#resource method present on objects representing Conjur assets that have associated resources.
Instance Method Summary
- #annotations ⇒ Conjur::Annotations (also: #tags)
  Return an Annotations object to manipulate and view annotations.
- #deny(privilege, role, options = {})
  The inverse operation of #permit.
- #give_to(owner, options = {})
  Changes the owner of a resource.
- #identifier ⇒ String
  The identifier part of the resource_id for this resource.
- #ownerid ⇒ String (also: #owner)
  The full role id of the role that owns this resource.
- #permit(privilege, role, options = {})
  Grant privilege on this resource to role.
- #permitted?(privilege, options = {}) ⇒ Boolean
  True if the logged-in role, or a role specified using the :acting_as option, has the specified privilege on this resource.
- #permitted_roles(permission, options = {}) ⇒ Array<String>
  Lists roles that have a specified permission on the resource.
- #resourceid ⇒ String (also: #resource_id)
  Return the full id for this resource.
Methods included from Exists
Methods included from PathBased
Methods included from HasAttributes
#attributes, #invalidate, #refresh, #save, #to_json
Instance Method Details
#annotations ⇒ Conjur::Annotations
Also known as: tags
Return an Annotations object to manipulate and view annotations.

    # File 'lib/conjur/resource.rb', line 257
    def annotations
      @annotations ||= Conjur::Annotations.new(self)
    end
#deny(privilege, role, options = {})
This method returns an undefined value.
The inverse operation of #permit. Deny privilege to role on this resource. privilege may be a single privilege or a list of privileges; each one is denied with its own request, and options is passed through to every request.

    # File 'lib/conjur/resource.rb', line 198
    def deny(privilege, role, options = {})
      role = cast(role, :roleid)
      eachable(privilege).each do |p|
        log do |logger|
          logger << "Denying #{p} on resource #{resourceid} by #{role}"
          unless options.empty?
            logger << " with options #{options.to_json}"
          end
        end
        self["?deny&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
      end
      nil
    end
#give_to(owner, options = {})
This method returns an undefined value.
Changes the owner of a resource. You must be the owner of the resource or a member of the owner role to do this. The update runs inside invalidate, so cached attributes (including #ownerid) are discarded and re-fetched on next access.

    # File 'lib/conjur/resource.rb', line 117
    def give_to(owner, options = {})
      owner = cast(owner, :roleid)
      invalidate do
        self.put(options.merge(owner: owner))
      end
      nil
    end
#identifier ⇒ String
The identifier part of the resource_id for this resource. The identifier is the resource id without the account and kind parts.

    # File 'lib/conjur/resource.rb', line 45
    def identifier
      match_path(3..-1)
    end
#ownerid ⇒ String
Also known as: owner
The full role id of the role that owns this resource.

    # File 'lib/conjur/resource.rb', line 57
    def ownerid
      attributes['owner']
    end
#permit(privilege, role, options = {})
This method returns an undefined value.
Grant privilege on this resource to role. As with #deny, privilege may be a single privilege or a list, and each one is granted with its own request.
This operation is idempotent, that is, nothing will happen if you attempt to grant a privilege that the role already has on this resource. Note how the idempotence is currently achieved: a RestClient::Forbidden whose body is exactly "Privilege already granted." is swallowed on the client side; any other Forbidden response is re-raised.

    # File 'lib/conjur/resource.rb', line 163
    def permit(privilege, role, options = {})
      role = cast(role, :roleid)
      eachable(privilege).each do |p|
        log do |logger|
          logger << "Permitting #{p} on resource #{resourceid} by #{role}"
          unless options.empty?
            logger << " with options #{options.to_json}"
          end
        end
        begin
          self["?permit&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
        rescue RestClient::Forbidden
          # TODO: Remove once permit is idempotent
          raise $! unless $!.http_body == "Privilege already granted."
        end
      end
      nil
    end
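Both #permit and #deny interpolate the privilege and the role id into a query string and run each through query_escape first. The following added example (my code, not the gem's or Conjur's) rebuilds those query strings to show what the escaping buys. It assumes CGI.escape as the escaping function (the gem's own query_escape may differ in detail, but any correct escaper must encode "&" and "="), and it uses a constructed role id that contains query syntax: without escaping, the server would read the tail of the role id as a second privilege parameter.

```ruby
require 'cgi'

# Stands in for the gem's query_escape. Assumption: CGI.escape. Whatever the
# exact rules, '&' and '=' inside a value must come out encoded.
def query_escape(value)
  CGI.escape(value.to_s)
end

# Build the relative paths that #permit / #deny post to, one per privilege,
# mirroring the gem's eachable(privilege).each (a String or an Array works).
def permission_paths(action, privileges, role)
  Array(privileges).map do |p|
    "?#{action}&privilege=#{query_escape p}&role=#{query_escape role}"
  end
end

# Naive construction with no escaping, kept only to show what goes wrong.
def unescaped_permission_path(action, privilege, role)
  "?#{action}&privilege=#{privilege}&role=#{role}"
end

# Parse a path's query the way a server would, returning name => [values].
def parse_query(path)
  CGI.parse(path.sub(/\A\?/, ''))
end

# Constructed example: a role id that carries query syntax inside it.
HOSTILE_ROLE = 'myorg:group:ops&privilege=update'.freeze

if __FILE__ == $0
  safe   = permission_paths(:permit, 'read', HOSTILE_ROLE).first
  unsafe = unescaped_permission_path(:permit, 'read', HOSTILE_ROLE)
  puts safe
  puts parse_query(safe).inspect    # privilege => ["read"], role => [HOSTILE_ROLE]
  puts parse_query(unsafe).inspect  # privilege => ["read", "update"], role => ["myorg:group:ops"]
end
```

With escaping, the server sees one privilege ("read") and the role id intact; without it, the same role id turns into two privileges ("read" and "update") granted to a truncated role. The same applies to the deny path, so never build these query strings by hand from untrusted ids.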
#permitted?(privilege, options = {}) ⇒ Boolean
True if the logged-in role, or a role specified using the :acting_as option, has the specified privilege on this resource.
Both a RestClient::Forbidden and a RestClient::ResourceNotFound are mapped to false, so a false result does not tell you whether the role lacks the privilege or the resource does not exist (for example because of a mistyped id).

    # File 'lib/conjur/resource.rb', line 228
    def permitted?(privilege, options = {})
      # TODO this method should accept an optional role rather than putting it in the options hash.
      params = {
        check: true,
        privilege: query_escape(privilege)
      }
      params[:acting_as] = options[:acting_as] if options[:acting_as]
      self["?#{params.to_query}"].get(options)
      true
    rescue RestClient::Forbidden
      false
    rescue RestClient::ResourceNotFound
      false
    end
#permitted_roles(permission, options = {}) ⇒ Array<String>
Lists roles that have a specified permission on the resource.
This will return only roles of which api.current_user is a member. An empty result therefore means that none of your roles holds the permission, not that no role at all holds it.

    # File 'lib/conjur/resource.rb', line 103
    def permitted_roles(permission, options = {})
      JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.options)["#{account}/roles/allowed_to/#{permission}/#{path_escape kind}/#{path_escape identifier}"].get(options)
    end
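The two caveats above (permitted? collapses "forbidden" and "no such resource" into false; permitted_roles only reports roles you belong to) are easiest to see against a local stand-in for the authorization service. The following added example is my code, not the gem's or Conjur's: LocalAuthz is an in-memory model whose role-membership expansion and error reporting are assumptions made for illustration, and the permitted? wrapper reproduces the gem's client-side mapping of both errors to false alongside a variant that keeps the two outcomes apart.

```ruby
require 'set'

# In-memory stand-in for the authz service. Assumptions for the example:
# grants are keyed by [resource_id, privilege], roles hold privileges through
# transitive membership, and errors mirror the two RestClient classes the gem rescues.
class LocalAuthz
  Forbidden = Class.new(StandardError)   # stands in for RestClient::Forbidden
  NotFound  = Class.new(StandardError)   # stands in for RestClient::ResourceNotFound

  def initialize
    @resources = Set.new                              # known resource ids
    @grants    = Hash.new { |h, k| h[k] = Set.new }   # [resource_id, privilege] => role ids
    @parents   = Hash.new { |h, k| h[k] = Set.new }   # role id => roles it is a direct member of
  end

  def create_resource(resource_id)
    @resources << resource_id
  end

  def add_member(role_id, member_id)
    @parents[member_id] << role_id
  end

  # Idempotent, like #permit: granting twice leaves a single grant.
  def permit(resource_id, privilege, role_id)
    find!(resource_id)
    @grants[[resource_id, privilege]] << role_id
    nil
  end

  # Inverse of permit, like #deny.
  def deny(resource_id, privilege, role_id)
    find!(resource_id)
    @grants[[resource_id, privilege]].delete(role_id)
    nil
  end

  # All roles a role belongs to, transitively, including itself.
  def memberships(role_id)
    seen = Set.new
    todo = [role_id]
    until todo.empty?
      r = todo.pop
      next unless seen.add?(r)
      todo.concat(@parents[r].to_a)
    end
    seen
  end

  # The ?check request: NotFound for an unknown resource, Forbidden when none
  # of the acting role's memberships holds the privilege, true otherwise.
  def check(resource_id, privilege, acting_as)
    find!(resource_id)
    holders = @grants[[resource_id, privilege]]
    raise Forbidden unless memberships(acting_as).any? { |r| holders.include?(r) }
    true
  end

  # Like #permitted_roles: only roles the caller is a member of are reported.
  def permitted_roles(resource_id, privilege, caller_id)
    find!(resource_id)
    (@grants[[resource_id, privilege]] & memberships(caller_id)).to_a.sort
  end

  private

  def find!(resource_id)
    raise NotFound, resource_id unless @resources.include?(resource_id)
  end
end

# Client-side behaviour of Conjur::Resource#permitted?: both errors become false.
def permitted?(authz, resource_id, privilege, acting_as)
  authz.check(resource_id, privilege, acting_as)
rescue LocalAuthz::Forbidden, LocalAuthz::NotFound
  false
end

# Same check, keeping the two failure causes apart so that a mistyped
# resource id is not mistaken for a missing grant.
def check_outcome(authz, resource_id, privilege, acting_as)
  authz.check(resource_id, privilege, acting_as)
  :granted
rescue LocalAuthz::Forbidden
  :forbidden
rescue LocalAuthz::NotFound
  :no_such_resource
end
```

When auditing who can reach a secret, do not rely on permitted_roles alone from a low-privilege identity, and when a permitted? check unexpectedly returns false, confirm the resource exists before concluding the grant is missing.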
#resourceid ⇒ String
Also known as: resource_id
Return the full id for this resource. The format is account:kind:identifier

    # File 'lib/conjur/resource.rb', line 72
    def resourceid
      [account, kind, identifier].join ':'
    end
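Because #identifier is everything after the account and kind (match_path(3..-1)), only the first two colons of a full id are separators and the identifier itself may contain colons. The following added example (my code, not the gem's) parses and rebuilds ids with that rule and rejects ids that are missing a part, so that a bare "account:kind" is not silently accepted as a resource.

```ruby
# Split a full Conjur resource id into account, kind and identifier.
# Only the first two colons separate parts; the rest belongs to the identifier.
def split_resource_id(resource_id)
  account, kind, identifier = resource_id.to_s.split(':', 3)
  [account, kind, identifier].each do |part|
    if part.nil? || part.empty?
      raise ArgumentError, "not a full resource id (want account:kind:identifier): #{resource_id.inspect}"
    end
  end
  { account: account, kind: kind, identifier: identifier }
end

# Inverse of split_resource_id: the same join that #resourceid performs.
def join_resource_id(account, kind, identifier)
  [account, kind, identifier].join(':')
end

if __FILE__ == $0
  # Constructed id whose identifier contains both '/' and ':'.
  parts = split_resource_id('myorg:variable:prod/db:password')
  puts parts.inspect
  puts join_resource_id(parts[:account], parts[:kind], parts[:identifier])
end
```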