Module: Conjur::ActsAsResource

Included in:
ActsAsAsset, Deputy
Defined in:
lib/conjur/acts_as_resource.rb

Overview

This module is included in asset classes that have an associated resource.

Instance Method Details

#deny(privilege, role)

This method returns an undefined value.

Deny role permission to perform actions corresponding to privilege on the underlying resource.

Parameters:

  • privilege (String, #each)

    A permission name or an Enumerable of permissions to deny. In the latter case, all permissions will be denied.

  • role (String, :roleid)

    A full role id or a role-ish object whose permissions we will deny.

# File 'lib/conjur/acts_as_resource.rb', line 103

def deny(privilege, role)
  resource.deny privilege, role
end

#permit(privilege, role, options = {})

This method returns an undefined value.

Permit role to perform privilege on this resource. A permission represents an ability to perform certain (application defined) actions on this resource.

This method is equivalent to calling resource.permit.

Examples:

Allow a group and its members to get the value of a Conjur variable

group = api.group 'some-project/developers'
variable = api.variable 'some-project/development/postgres-uri'
variable.permit 'execute', group

Parameters:

  • privilege (String)

    the privilege to grant

  • role (String, #roleid)

    the role to which the privilege is granted

  • options (Hash, nil) (defaults to: {})

    options to pass through to RestClient::Resource#post

Raises:

  • (RestClient::Forbidden)

    if you don't have permission to perform this operation.

# File 'lib/conjur/acts_as_resource.rb', line 90

def permit(privilege, role, options = {})
  resource.permit privilege, role, options
end
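
The two signatures above differ: permit takes one privilege String per call, while deny also accepts an Enumerable. The block below is an added example, not code from conjur-api, showing how that shapes a least-privilege cleanup; `FakeAsset`, `reconcile_grants`, `effective_grants` and the role ids are hypothetical stand-ins so it runs without a Conjur server.

```ruby
require 'set'

# Constructed in-memory stand-in for an asset that includes
# Conjur::ActsAsResource; it mirrors only the two documented signatures.
class FakeAsset
  attr_reader :grants, :calls

  def initialize(grants = {})
    @grants = Hash.new { |h, role| h[role] = Set.new }
    grants.each { |role, privs| @grants[role].merge(privs) }
    @calls = []
  end

  def permit(privilege, role, _options = {}) # one privilege String per call
    @calls << [:permit, privilege, role]
    @grants[role] << privilege
    nil
  end

  def deny(privilege, role) # a String or an Enumerable of privileges
    @calls << [:deny, privilege, role]
    Array(privilege).each { |p| @grants[role].delete(p) }
    nil
  end
end

# Hypothetical helper: move the grants on `asset` from `current` to `desired`
# (both { role id => [privileges] }). Excess privileges are revoked first.
def reconcile_grants(asset, current, desired)
  (current.keys + desired.keys).uniq.each do |role|
    have = Set.new(current.fetch(role, []))
    want = Set.new(desired.fetch(role, []))
    excess = (have - want).to_a.sort
    asset.deny(excess, role) unless excess.empty?          # Enumerable form
    (want - have).to_a.sort.each { |p| asset.permit(p, role) }
  end
  asset
end

# Constructed sample data; the role ids are made up for this example.
CURRENT = { 'acct:group:some-project/developers' => %w[read execute update],
            'acct:user:alice' => %w[execute] }.freeze
DESIRED = { 'acct:group:some-project/developers' => %w[execute],
            'acct:host:ci-runner' => %w[execute] }.freeze

def effective_grants(asset)
  asset.grants.reject { |_, privs| privs.empty? }
       .transform_values { |privs| privs.to_a.sort }
end
```

With the sample data, the helper issues two deny calls (one per role holding excess privileges) and a single permit for the new host role.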

#resource ⇒ Conjur::Resource

Return the Resource associated with this asset.

Returns:

  • (Conjur::Resource)

# File 'lib/conjur/acts_as_resource.rb', line 32

def resource
  require 'conjur/resource'
  # NOTE: should we use specific class to build sub-url below?
  # The first path segment is the account; core_conjur_account is assumed here.
  Conjur::Resource.new(Conjur::Authz::API.host, self.options)[[ core_conjur_account, 'resources', path_escape(resource_kind), path_escape(resource_id) ].join('/')]
end

#resource_kind ⇒ String

The kind of resource underlying the asset. The kind is the second token in a Conjur id like "account:kind:id".

Returns:

  • (String)

    the resource kind for the underlying resource

See Also:

  • Conjur::Resource#kind


# File 'lib/conjur/acts_as_resource.rb', line 50

def resource_kind
  self.class.name.split("::")[-1].underscore.split('/').join('-')
end

#resourceid ⇒ String

Return the qualified id of the resource associated with this asset.

Returns:

  • (String)

    the qualified id of the resource associated with this asset.



# File 'lib/conjur/acts_as_resource.rb', line 41

def resourceid
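  # Ids have the form "account:kind:id"; core_conjur_account is assumed for the account token.
  [ core_conjur_account, resource_kind, resource_id ].join(':')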
end