Class: Conjur::Policy::Planner::Grant
- Defined in:
- lib/conjur/policy/planner/grants.rb
Instance Method Summary
#do_plan ⇒ Object
Plans a role grant.
Methods inherited from Base
#account, #action, #create_record, #error, #initialize, #log, #resource, #resource_exists?, #resource_record, #role, #role_exists?, #role_record, #update_record
Methods included from Logger
Constructor Details
This class inherits a constructor from Conjur::Policy::Planner::Base
Instance Method Details
#do_plan ⇒ Object
Plans a role grant.
The Grant record can list multiple roles and multiple members; each listed member is granted every listed role. If the replace
option is set, any grant that already exists on one of the listed roles but is not given in the record is revoked, except for members holding the role with admin rights, which are never revoked by the planner.
```ruby
# File 'lib/conjur/policy/planner/grants.rb', line 13

def do_plan
  facts = RoleFacts.new self
  # Record every (role, member) pair the policy asks for.
  facts.add_requested_grant record
  # Record the grants that already exist on each requested role.
  Array(record.roles).each do |role|
    facts.role_grants(role) do |grant|
      facts.add_existing_grant role, grant
    end
  end
  facts.validate!
  # Emit a Grant action for each (role, member, admin) triple still to be applied.
  facts.grants_to_apply.each do |grant|
    roleid, memberid, admin = grant
    grant = Conjur::Policy::Types::Grant.new
    grant.role = role_record roleid
    grant.member = Conjur::Policy::Types::Member.new role_record(memberid)
    grant.member.admin = admin
    action grant
  end
  # With `replace`, emit a Revoke for each existing grant the policy no longer lists.
  if record.replace
    facts.grants_to_revoke.each do |grant|
      roleid, memberid = grant
      revoke = Conjur::Policy::Types::Revoke.new
      revoke.role = role_record roleid
      revoke.member = role_record(memberid)
      action revoke
    end
  end
end
```
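The following is an added, stand-alone model of the planning rule described above (requested grants versus existing grants, with `replace` revoking stale grants but sparing role admins). It is example code written for this page, not the project's `RoleFacts` class: the `GrantPlan` class, its method names, the rule that an already-present grant with a matching admin flag is skipped, the self-grant check in `validate!`, and the sample role and member ids are all assumptions.

```ruby
require 'set'

# Hypothetical stand-in for the planner's RoleFacts (an assumption for this
# example, not the project's class). It collects the requested grant and the
# grants that already exist on each role, then derives the plan.
class GrantPlan
  def initialize(replace: false)
    @replace   = replace
    @requested = {}      # [roleid, memberid] => admin flag
    @existing  = {}      # [roleid, memberid] => admin flag
    @roles     = Set.new # roles named by the policy record
  end

  # Each member is requested on every role. `members` is a list of
  # [memberid, admin] pairs.
  def add_requested_grant(roles:, members:)
    Array(roles).each do |roleid|
      @roles << roleid
      members.each do |memberid, admin|
        @requested[[roleid, memberid]] = admin ? true : false
      end
    end
  end

  # Record a grant that already exists on `roleid` in the target system.
  def add_existing_grant(roleid, memberid, admin: false)
    @existing[[roleid, memberid]] = admin
  end

  # Assumed sanity check: a role must not be granted to itself.
  def validate!
    @requested.each_key do |roleid, memberid|
      raise ArgumentError, "#{roleid} cannot be granted to itself" if roleid == memberid
    end
  end

  # Requested grants that are missing, or present with a different admin flag
  # (assumption: a grant that already matches is not re-applied).
  def grants_to_apply
    @requested.reject { |key, admin| @existing.key?(key) && @existing[key] == admin }
              .map { |(roleid, memberid), admin| [roleid, memberid, admin] }
  end

  # Only with replace: existing grants on the listed roles that the record does
  # not name. Role admins are never revoked, as the docs above state.
  def grants_to_revoke
    return [] unless @replace
    @existing.select { |(roleid, _), admin| @roles.include?(roleid) && !admin }
             .keys.reject { |key| @requested.key?(key) }
  end

  def plan
    validate!
    { grant: grants_to_apply, revoke: grants_to_revoke }
  end
end

# Constructed sample state: alice is already on group:ops, carol holds a stale
# grant on group:ops, and dana is an admin of group:dev. The policy record asks
# for alice (plain) and bob (admin) on both group:ops and group:dev.
def demo_plan(replace: true)
  plan = GrantPlan.new(replace: replace)
  plan.add_requested_grant(roles: %w[group:ops group:dev],
                           members: [['user:alice', false], ['user:bob', true]])
  plan.add_existing_grant('group:ops', 'user:alice')
  plan.add_existing_grant('group:ops', 'user:carol')
  plan.add_existing_grant('group:dev', 'user:dana', admin: true)
  plan.plan
end

if __FILE__ == $PROGRAM_NAME
  p demo_plan(replace: true)
  p demo_plan(replace: false)
end
```

With `replace: true` the plan grants bob (admin) on group:ops and both alice and bob on group:dev, revokes carol from group:ops, and leaves dana untouched because she is a role admin; with `replace: false` the revoke list is empty and the stale grant on carol survives.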