Class: Conjur::Policy::Planner::Grant

Inherits:
Base
Defined in:
lib/conjur/policy/planner/grants.rb

Instance Attribute Summary

Attributes inherited from Base

#api, #plan, #record

Instance Method Summary

Methods inherited from Base

#account, #action, #create_record, #error, #initialize, #log, #resource, #resource_exists?, #resource_record, #role, #role_exists?, #role_record, #update_record

Methods included from Logger

included

Constructor Details

This class inherits a constructor from Conjur::Policy::Planner::Base

Instance Method Details

#do_plan ⇒ Object

Plans a role grant.

The Grant record can list multiple roles and members. Each member is granted every listed role. If the replace option is set, any existing grant on a listed role that the record does not name is revoked, except for role admins.



# File 'lib/conjur/policy/planner/grants.rb', line 13

# Plans a role grant.
#
# The Grant record may list several roles and several members; every
# member is granted every listed role. When the record's +replace+ flag
# is set, existing grants on a listed role that the record does not name
# are revoked as well. The class documentation states that role admins
# are exempt from this revocation; that exemption is applied when
# RoleFacts computes +grants_to_revoke+, which is not visible here.
#
# The method works in three phases: gather the requested grant and the
# grants currently present on each listed role into a RoleFacts
# instance, validate the combined facts, then emit one +action+ per grant
# to apply and -- only in replace mode -- one per grant to revoke.
#
# @return [Array, nil] the planned revocations when +replace+ is set,
#   otherwise +nil+; callers are expected to rely on the +action+ side
#   effects rather than on the return value
def do_plan
  facts = RoleFacts.new(self)
  facts.add_requested_grant(record)

  # Existing grants are collected so RoleFacts can distinguish grants that
  # are already in place from those that must be added or, in replace
  # mode, revoked.
  Array(record.roles).each do |listed_role|
    facts.role_grants(listed_role) { |existing| facts.add_existing_grant(listed_role, existing) }
  end

  facts.validate!

  facts.grants_to_apply.each do |(roleid, memberid, admin)|
    planned = Conjur::Policy::Types::Grant.new
    planned.role = role_record(roleid)
    planned.member = Conjur::Policy::Types::Member.new(role_record(memberid))
    planned.member.admin = admin
    action(planned)
  end

  # Revocation removes access, so it only happens behind the explicit
  # replace flag on the record.
  return unless record.replace

  facts.grants_to_revoke.each do |(roleid, memberid)|
    revoke = Conjur::Policy::Types::Revoke.new
    revoke.role = role_record(roleid)
    revoke.member = role_record(memberid)
    action(revoke)
  end
end