Class: Conjur::Policy::Planner::Revoke
- Defined in:
- lib/conjur/policy/planner/grants.rb
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary
Methods inherited from Base
#account, #action, #create_record, #error, #initialize, #log, #resource, #resource_exists?, #resource_record, #role, #role_exists?, #role_record, #update_record
Methods included from Logger
Constructor Details
This class inherits a constructor from Conjur::Policy::Planner::Base
Instance Method Details
#do_plan ⇒ Object
# File 'lib/conjur/policy/planner/grants.rb', line 48

# Plans the revocation described by +record+.
#
# Each grant yielded by +facts.role_grants+ for the record's roles is
# registered with a RoleFacts instance twice: once as a requested grant and
# once as an existing grant. The grant named by +record+ is then removed from
# the facts, the facts are validated, and one Types::Revoke action is emitted
# per entry reported by +grants_to_revoke+.
#
# NOTE(review): +facts.validate!+ runs before any revoke action is emitted;
# presumably it raises on inconsistent facts so no partial plan is produced.
# Confirm against RoleFacts.
# NOTE(review): the emitted Revoke carries only the role and the member. The
# admin flag copied onto the requested grant is not set on the Revoke.
def do_plan
  facts = RoleFacts.new(self)

  # Seed the facts with the current membership of every role in the record.
  # Array() accepts a nil, single or list-valued +record.roles+.
  Array(record.roles).each do |role|
    facts.role_grants(role) do |held|
      requested = Types::Grant.new.tap do |g|
        g.role = Types::Role.new(role.roleid)
        g.member = Types::Member.new(Types::Role.new(held.member.roleid))
        # Mirror the existing admin option so the requested grant matches it.
        g.member.admin = held.admin_option
      end
      facts.add_requested_grant(requested)
      facts.add_existing_grant(role, held)
    end
  end

  # Take the revoked grant out of the requested set, then check the facts
  # before planning any change.
  facts.remove_revoked_grant(record)
  facts.validate!

  # Each entry is unpacked as a (role id, member id) pair.
  facts.grants_to_revoke.each do |pending|
    role_id, member_id = pending
    revocation = Conjur::Policy::Types::Revoke.new.tap do |r|
      r.role = role_record(role_id)
      r.member = role_record(member_id)
    end
    action(revocation)
  end
end