Module: Conjur::ActsAsResource

Included in:
ActsAsAsset, Deputy
Defined in:
lib/conjur/acts_as_resource.rb

Overview

This module is included in asset classes that have an associated resource.

Instance Method Summary collapse

Instance Method Details

#deny(privilege, role)

This method returns an undefined value.

Deny role permission to perform actions corresponding to privilege on the underlying resource.

Parameters:

  • privilege (String, #each)

    A permission name or an Enumerable of permissions to deny. In the later, all permissions will be denied.

  • role (String, :roleid)

    A full role id or a role-ish object whose permissions we will deny.

See Also:



103
104
105
# File 'lib/conjur/acts_as_resource.rb', line 103

def deny(privilege, role)
  resource.deny privilege, role
end

#permit(privilege, role, options = {})

This method returns an undefined value.

Permit role to perform privilege on this resource. A permission represents an ability to perform certain (application defined) actions on this resource.

This method is equivalent to calling resource.permit.

Examples:

Allow a group and its members to get the value of a Conjur variable

group = api.group 'some-project/developers'
variable = api.variable 'some-project/development/postgres-uri'
variable.permit 'execute', group

Parameters:

  • privilege (String)

    the privilege to grant

  • role (String, #roleid)

    the role to which the privilege is granted

  • options (Hash, nil) (defaults to: {})

    options to pass through to RestClient::Resource#post

Raises:

  • (RestClient::Forbidden)

    if you don’t have permission to perform this operation.

See Also:



90
91
92
# File 'lib/conjur/acts_as_resource.rb', line 90

def permit(privilege, role, options = {})
  resource.permit privilege, role, options
end

#resourceConjur::Resource

Return the Resource associated with this asset.

Returns:



32
33
34
35
36
# File 'lib/conjur/acts_as_resource.rb', line 32

def resource
  require 'conjur/resource'
  # NOTE: should we use specific class to build sub-url below?
  Conjur::Resource.new(Conjur::Authz::API.host, self.options)[[ , 'resources', path_escape(resource_kind), path_escape(resource_id) ].join('/')]
end

#resource_kindString

The kind of resource underlying the asset. The kind is the second token in a Conjur id like "account:kind:id".

Returns:

  • (String)

    the resource kind for the underlying resource

See Also:

  • Conjur:Resource#kind


50
51
52
# File 'lib/conjur/acts_as_resource.rb', line 50

def resource_kind
  self.class.name.split("::")[-1].underscore.split('/').join('-')
end

#resourceidString

Return the qualified id of the resource associated with this asset.

Returns:

  • (String)

    the qualified id of the resource associated with this asset.



41
42
43
# File 'lib/conjur/acts_as_resource.rb', line 41

def resourceid
  [ , resource_kind, resource_id ].join(':')
end