Class: Conjur::Resource
- Inherits: RestClient::Resource (Object < RestClient::Resource < Conjur::Resource)
- Includes: Exists, HasAttributes, PathBased
- Defined in: lib/conjur/resource.rb
Class Method Summary
- .all(opts = {}) ⇒ Object
  Returns all resources (optionally qualified by kind) visible to the user with given credentials.
Instance Method Summary
- #create(options = {}) ⇒ Object
- #delete(options = {}) ⇒ Object
- #deny(privilege, role, options = {}) ⇒ Object
- #give_to(owner, options = {}) ⇒ Object
  Changes the owner of a resource.
- #identifier ⇒ Object
- #permit(privilege, role, options = {}) ⇒ Object
- #permitted?(privilege, options = {}) ⇒ Boolean
  True if the logged-in role, or a role specified using the acting-as option, has the specified privilege on this resource.
- #permitted_roles(permission, options = {}) ⇒ Object
  Lists roles that have a specified permission on the resource.
- #resourceid ⇒ Object (also: #resource_id)
  Name convention according to Role#roleid.
Methods included from PathBased
Methods included from HasAttributes
#attributes, #attributes=, #refresh, #save, #to_json
Methods included from Exists
Class Method Details
.all(opts = {}) ⇒ Object
Returns all resources (optionally qualified by kind) visible to the user with given credentials. Options are:
- host - authz url,
- credentials,
- account,
- kind (optional).

    # File 'lib/conjur/resource.rb', line 114
    def self.all opts = {}
      host, credentials, account, kind = opts.values_at(*[:host, :credentials, :account, :kind])
      fail ArgumentError, "host and account are required" unless [host, account].all?
      credentials ||= {}

      path = "#{account}/resources"
      path += "/#{kind}" if kind
      resource = RestClient::Resource.new(host, credentials)[path]

      JSON.parse resource.get
    end
Instance Method Details
#create(options = {}) ⇒ Object

    # File 'lib/conjur/resource.rb', line 38
    def create(options = {})
      log do |logger|
        logger << "Creating resource #{kind}:#{identifier}"
        unless options.empty?
          logger << " with options #{options.to_json}"
        end
      end
      self.put(options)
    end
#delete(options = {}) ⇒ Object

    # File 'lib/conjur/resource.rb', line 58
    def delete(options = {})
      log do |logger|
        logger << "Deleting resource #{kind}:#{identifier}"
        unless options.empty?
          logger << " with options #{options.to_json}"
        end
      end
      super
    end
#deny(privilege, role, options = {}) ⇒ Object

    # File 'lib/conjur/resource.rb', line 86
    def deny(privilege, role, options = {})
      eachable(privilege).each do |p|
        log do |logger|
          logger << "Denying #{p} on resource #{kind}:#{identifier} by #{role}"
          unless options.empty?
            logger << " with options #{options.to_json}"
          end
        end
        self["?deny&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
      end
    end
#give_to(owner, options = {}) ⇒ Object
Changes the owner of a resource.

    # File 'lib/conjur/resource.rb', line 54
    def give_to(owner, options = {})
      self.put(options.merge(owner: owner))
    end
#identifier ⇒ Object

    # File 'lib/conjur/resource.rb', line 27
    def identifier
      match_path(3..-1)
    end
#permit(privilege, role, options = {}) ⇒ Object

    # File 'lib/conjur/resource.rb', line 68
    def permit(privilege, role, options = {})
      eachable(privilege).each do |p|
        log do |logger|
          logger << "Permitting #{p} on resource #{kind}:#{identifier} by #{role}"
          unless options.empty?
            logger << " with options #{options.to_json}"
          end
        end

        begin
          self["?permit&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
        rescue RestClient::Forbidden
          # TODO: Remove once permit is idempotent
          raise $! unless $!.http_body == "Privilege already granted."
        end
      end
    end
#permitted?(privilege, options = {}) ⇒ Boolean
True if the logged-in role, or a role specified using the acting-as option, has the specified privilege on this resource.

    # File 'lib/conjur/resource.rb', line 100
    def permitted?(privilege, options = {})
      self["?check&privilege=#{query_escape privilege}"].get(options)
      true
    rescue RestClient::ResourceNotFound
      false
    end
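The error handling in #permit and #permitted? above, exercised against an in-memory stand-in. This is an added example, not part of the conjur-api source: HttpError, FakeResource and the role ids are hypothetical, and Array() replaces the library's eachable helper.

```ruby
# Stand-ins for the RestClient exceptions used on this page (no gems needed).
class HttpError < StandardError
  alias http_body message # RestClient exposes the response body as http_body
end
Forbidden        = Class.new(HttpError) # plays RestClient::Forbidden (403)
ResourceNotFound = Class.new(HttpError) # plays RestClient::ResourceNotFound (404)

# Hypothetical in-memory authorization server holding one resource's grants.
class FakeResource
  def initialize(admin)
    @admin = admin
    @grants = {}
  end

  def post_permit(privilege, role, as)
    raise Forbidden, 'Forbidden' unless as == @admin
    raise Forbidden, 'Privilege already granted.' if @grants[[privilege, role]]
    @grants[[privilege, role]] = true
  end

  def get_check(privilege, as)
    raise ResourceNotFound, 'Not Found' unless @grants[[privilege, as]]
  end
end

# Mirrors #permit: a 403 is swallowed only for the exact "already granted" body.
def permit(resource, privilege, role, as)
  Array(privilege).each do |p|
    begin
      resource.post_permit(p, role, as)
    rescue Forbidden => e
      raise e unless e.http_body == 'Privilege already granted.'
    end
  end
end

# Mirrors #permitted?: only a 404 means "no"; any other error is not caught.
def permitted?(resource, privilege, as)
  resource.get_check(privilege, as)
  true
rescue ResourceNotFound
  false
end

if __FILE__ == $PROGRAM_NAME
  res = FakeResource.new('user:alice') # constructed role ids
  2.times { permit(res, %w[read execute], 'host:app1', 'user:alice') }
  p permitted?(res, 'read', 'host:app1'), permitted?(res, 'update', 'host:app1')
end
```

Because the rescue compares the whole response body, a repeated grant is a no-op while a 403 caused by the caller lacking the right to grant still raises.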
#permitted_roles(permission, options = {}) ⇒ Object
Lists roles that have a specified permission on the resource.

    # File 'lib/conjur/resource.rb', line 49
    def permitted_roles(permission, options = {})
      JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.options)["#{account}/roles/allowed_to/#{permission}/#{path_escape kind}/#{path_escape identifier}"].get(options)
    end
#resourceid ⇒ Object Also known as: resource_id
Name convention according to Role#roleid.

    # File 'lib/conjur/resource.rb', line 32
    def resourceid
      [account, kind, identifier].join ':'
    end