Class: Conjur::Resource

Inherits:
RestClient::Resource
  • Object
Includes:
Exists, HasAttributes, PathBased
Defined in:
lib/conjur/resource.rb



Methods included from PathBased

#account, #kind

Methods included from HasAttributes

#attributes, #attributes=, #refresh, #save, #to_json

Methods included from Exists

#exists?

Class Method Details

.all(opts = {}) ⇒ Object

Returns all resources (optionally qualified by kind) visible to the user with the given credentials. Options are:

  • host - authz url,

  • credentials,

  • account,

  • kind (optional).



# File 'lib/conjur/resource.rb', line 114

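# Returns every resource visible to the caller, optionally narrowed to one kind.
#
# @param opts [Hash] :host (authz URL) and :account are required;
#   :credentials (options passed to RestClient::Resource, default {}) and
#   :kind are optional.
# @return [Object] the parsed JSON response body
# @raise [ArgumentError] when :host or :account is missing
def self.all opts = {}
  host, credentials, account, kind = opts.values_at(:host, :credentials, :account, :kind)
  raise ArgumentError, "host and account are required" unless [host, account].all?

  credentials ||= {}

  # NOTE(review): account and kind are interpolated into the path unescaped;
  # callers are expected to pass plain tokens — confirm against PathBased.
  path = "#{account}/resources"
  path += "/#{kind}" if kind
  resource = RestClient::Resource.new(host, credentials)[path]
  JSON.parse resource.get
end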

Instance Method Details

#create(options = {}) ⇒ Object



# File 'lib/conjur/resource.rb', line 38

# Creates the resource by PUTting +options+ to its URL, logging the action first.
#
# @param options [Hash] attributes sent as the PUT body (appended to the log
#   line as JSON when non-empty)
# @return [Object] whatever +put+ returns
def create(options = {})
  log do |logger|
    logger << "Creating resource #{kind}:#{identifier}"
    logger << " with options #{options.to_json}" unless options.empty?
  end
  self.put(options)
end

#delete(options = {}) ⇒ Object



# File 'lib/conjur/resource.rb', line 58

# Deletes the resource, logging the action before delegating to the
# superclass (RestClient::Resource#delete).
#
# @param options [Hash] request options forwarded to +super+ (appended to
#   the log line as JSON when non-empty)
# @return [Object] whatever the superclass +delete+ returns
def delete(options = {})
  log do |logger|
    logger << "Deleting resource #{kind}:#{identifier}"
    logger << " with options #{options.to_json}" unless options.empty?
  end
  super(options)
end

#deny(privilege, role, options = {}) ⇒ Object



# File 'lib/conjur/resource.rb', line 86

# Revokes one or more privileges on this resource from +role+.
#
# Each privilege is sent as its own POST; privilege and role are
# query-escaped before being placed in the URL.
#
# @param privilege [String, Array<String>] privilege(s) to revoke
# @param role [String] role losing the privilege
# @param options [Hash] POST options (logged as JSON when non-empty)
def deny(privilege, role, options = {})
  eachable(privilege).each do |priv|
    log do |logger|
      logger << "Denying #{priv} on resource #{kind}:#{identifier} by #{role}"
      logger << " with options #{options.to_json}" unless options.empty?
    end
    query = "?deny&privilege=#{query_escape priv}&role=#{query_escape role}"
    self[query].post(options)
  end
end

#give_to(owner, options = {}) ⇒ Object

Changes the owner of a resource



# File 'lib/conjur/resource.rb', line 54

# Changes the owner of the resource by PUTting +owner+ along with any
# other attributes in +options+.
#
# @param owner [String] the new owner's role id
# @param options [Hash] additional attributes merged into the PUT body
# @return [Object] whatever +put+ returns
def give_to(owner, options = {})
  body = options.merge(owner: owner)
  self.put(body)
end

#identifier ⇒ Object



# File 'lib/conjur/resource.rb', line 27

# The resource's identifier: the matched path from the third segment onward.
# match_path comes from PathBased; presumably the earlier segments hold the
# account and kind (see #resourceid) — confirm in PathBased.
def identifier
  match_path(3..-1)
end

#permit(privilege, role, options = {}) ⇒ Object



# File 'lib/conjur/resource.rb', line 68

# Grants one or more privileges on this resource to +role+.
#
# Each privilege is sent as its own POST; privilege and role are
# query-escaped before being placed in the URL. A Forbidden response whose
# body says the privilege was already granted is treated as success.
#
# @param privilege [String, Array<String>] privilege(s) to grant
# @param role [String] role receiving the privilege
# @param options [Hash] POST options (logged as JSON when non-empty)
# @raise [RestClient::Forbidden] for any Forbidden response other than
#   "Privilege already granted."
def permit(privilege, role, options = {})
  eachable(privilege).each do |priv|
    log do |logger|
      logger << "Permitting #{priv} on resource #{kind}:#{identifier} by #{role}"
      logger << " with options #{options.to_json}" unless options.empty?
    end

    query = "?permit&privilege=#{query_escape priv}&role=#{query_escape role}"
    begin
      self[query].post(options)
    rescue RestClient::Forbidden => forbidden
      # TODO: Remove once permit is idempotent
      raise forbidden unless forbidden.http_body == "Privilege already granted."
    end
  end
end

#permitted?(privilege, options = {}) ⇒ Boolean

True if the logged-in role, or a role specified using the acting-as option, has the specified privilege on this resource.

Returns:

  • (Boolean)


# File 'lib/conjur/resource.rb', line 100

# Whether the current role (or the role named via the acting-as option)
# holds +privilege+ on this resource.
#
# Only a ResourceNotFound response is taken to mean "not permitted"; any
# other error from the GET propagates to the caller.
#
# @param privilege [String] privilege to check (query-escaped into the URL)
# @param options [Hash] request options forwarded to the GET
# @return [Boolean]
def permitted?(privilege, options = {})
  query = "?check&privilege=#{query_escape privilege}"
  begin
    self[query].get(options)
    true
  rescue RestClient::ResourceNotFound
    false
  end
end

#permitted_roles(permission, options = {}) ⇒ Object

Lists roles that have a specified permission on the resource.



# File 'lib/conjur/resource.rb', line 49

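# Lists the roles that hold +permission+ on this resource.
#
# @param permission [String] the privilege to query
# @param options [Hash] request options forwarded to the GET
# @return [Object] the parsed JSON response body
def permitted_roles(permission, options = {})
  # permission is path-escaped like kind and identifier so a value containing
  # '/' or '?' cannot change which path the request is sent to
  path = [
    account, "roles", "allowed_to",
    path_escape(permission), path_escape(kind), path_escape(identifier)
  ].join("/")
  authz = RestClient::Resource.new(Conjur::Authz::API.host, self.options)
  JSON.parse authz[path].get(options)
end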

#resourceid ⇒ Object Also known as: resource_id

Naming convention follows Role#roleid.



# File 'lib/conjur/resource.rb', line 32

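# Fully qualified resource id, "account:kind:identifier", following the
# same convention as Role#roleid.
#
# @return [String]
def resourceid
  [account, kind, identifier].join(':')
end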