Class: Conjur::Policy::Planner::Revoke

Inherits: Base
Defined in:
lib/conjur/policy/planner/grants.rb


Constructor Details

This class inherits a constructor from Conjur::Policy::Planner::Base

Instance Method Details

#do_plan ⇒ Object



# File 'lib/conjur/policy/planner/grants.rb', line 48

# Plans the role-membership revocations needed to carry out this Revoke record.
#
# Strategy: every role named on the record has its currently reported grants
# loaded into a RoleFacts set twice — once as the *requested* state and once
# as the *existing* state — so the two sides start out identical. The Revoke
# record is then removed from the requested side, and whatever remains in
# `grants_to_revoke` is exactly the set of memberships that must be taken
# away. Each of those is emitted as a Conjur::Policy::Types::Revoke action.
#
# Notes for reviewers:
# - The requested grant copies `admin_option` from the existing grant
#   (as `member.admin`); presumably this is what lets the two sides compare
#   equal so that only the revoked pair differs — confirm against RoleFacts.
# - What `facts.validate!` enforces is not visible here; the (roleid, memberid)
#   pairs it yields afterwards are trusted as the complete revocation set.
# - A record with no roles (`record.roles` nil or empty) produces no actions.
def do_plan
  facts = RoleFacts.new(self)

  # Builds the requested-side Grant mirroring an existing grant on `role`.
  mirror_grant = lambda do |role, existing|
    requested = Types::Grant.new
    requested.role = Types::Role.new(role.roleid)
    requested.member = Types::Member.new(Types::Role.new(existing.member.roleid))
    requested.member.admin = existing.admin_option
    requested
  end

  # Seed both sides of the fact set with the current grants of every role
  # the record targets.
  Array(record.roles).each do |target_role|
    facts.role_grants(target_role) do |existing|
      facts.add_requested_grant(mirror_grant.call(target_role, existing))
      facts.add_existing_grant(target_role, existing)
    end
  end

  # Drop the revoked grant from the requested side; the diff is the plan.
  facts.remove_revoked_grant(record)
  facts.validate!

  facts.grants_to_revoke.each do |(roleid, memberid)|
    revoke = Conjur::Policy::Types::Revoke.new
    revoke.role = role_record(roleid)
    revoke.member = role_record(memberid)
    action(revoke)
  end
end