Class: Conjur::Policy::Planner::BaseFacts

Inherits:

Object

• Object
• Conjur::Policy::Planner::BaseFacts

Defined in:

lib/conjur/policy/planner/facts.rb

Overview

Stores the state of existing and requested grants (roles or privileges).

The difference between the existing and requested grants can be used to determine specifically what actions should be performed in order to bring the state of the server into compliance with the policy.

Direct Known Subclasses

PrivilegeFacts, RoleFacts

Instance Attribute Summary

• #existing ⇒ Object

  Returns the value of attribute existing.

• #existing_with_admin_flag ⇒ Object

  Returns the value of attribute existing_with_admin_flag.

• #planner ⇒ Object

  Returns the value of attribute planner.

• #requested ⇒ Object

  Returns the value of attribute requested.

• #requested_with_admin_flag ⇒ Object

  Returns the value of attribute requested_with_admin_flag.

Instance Method Summary

• #api ⇒ Object
• #grants_to_apply ⇒ Object

  Return the set of grants which are requested but not already held.

• #grants_to_revoke ⇒ Object

  Return the set of grants which are held but not requested.

• #initialize(planner) ⇒ BaseFacts constructor

  A new instance of BaseFacts.

• #validate_resource_exists!(resource) ⇒ Object
• #validate_role_exists!(role) ⇒ Object

Constructor Details

#initialize(planner) ⇒ BaseFacts

Returns a new instance of BaseFacts.

# File 'lib/conjur/policy/planner/facts.rb', line 16

def initialize planner
  @planner = planner
  @requested = Set.new
  @requested_with_admin_flag = Set.new
  @existing  = Set.new
  @existing_with_admin_flag  = Set.new
end

Instance Attribute Details

#existing ⇒ Object

Returns the value of attribute existing.

# File 'lib/conjur/policy/planner/facts.rb', line 10

def existing
  @existing
end

#existing_with_admin_flag ⇒ Object

Returns the value of attribute existing_with_admin_flag.

# File 'lib/conjur/policy/planner/facts.rb', line 10

def existing_with_admin_flag
  @existing_with_admin_flag
end

#planner ⇒ Object

Returns the value of attribute planner.

# File 'lib/conjur/policy/planner/facts.rb', line 10

def planner
  @planner
end

#requested ⇒ Object

Returns the value of attribute requested.

# File 'lib/conjur/policy/planner/facts.rb', line 10

def requested
  @requested
end

#requested_with_admin_flag ⇒ Object

Returns the value of attribute requested_with_admin_flag.

# File 'lib/conjur/policy/planner/facts.rb', line 10

def requested_with_admin_flag
  @requested_with_admin_flag
end

Instance Method Details

#api ⇒ Object

# File 'lib/conjur/policy/planner/facts.rb', line 24

def api
  planner.api
end

#grants_to_apply ⇒ Object

Return the set of grants which are requested but not already held.

Note that if a grant is held with a different admin option than requested, re-applying with the new admin option will update the grant and create the desired state.

# File 'lib/conjur/policy/planner/facts.rb', line 33

def grants_to_apply
  sort(requested_with_admin_flag - existing_with_admin_flag)
end

#grants_to_revoke ⇒ Object

Return the set of grants which are held but not requested.

The admin flag is ignored by this method. So, if a grant exists (with or without admin), and it is not requested (with or without admin), it is revoked. The case in which the grant is held with a different admin option than requested is handled by grants_to_apply.

# File 'lib/conjur/policy/planner/facts.rb', line 43

def grants_to_revoke
  sort(existing - requested)
end

#validate_resource_exists!(resource) ⇒ Object

# File 'lib/conjur/policy/planner/facts.rb', line 51

def validate_resource_exists! resource
  planner.error("Resource not found: #{resource}") unless planner.resource_exists?(resource)
end

#validate_role_exists!(role) ⇒ Object

# File 'lib/conjur/policy/planner/facts.rb', line 47

def validate_role_exists! role
  planner.error("Role not found: #{role}") unless planner.role_exists?(role)
end