Class: Conjur::Policy::Planner::PrivilegeFacts

Inherits:
BaseFacts
Defined in:
lib/conjur/policy/planner/facts.rb

Overview

Privilege grants are [ roleid, privilege, resourceid, grant_option ].

Instance Attribute Summary

Attributes inherited from BaseFacts

#existing, #existing_with_admin_flag, #planner, #requested, #requested_with_admin_flag

Instance Method Summary

Methods inherited from BaseFacts

#api, #grants_to_apply, #grants_to_revoke, #initialize, #validate_resource_exists!, #validate_role_exists!

Constructor Details

This class inherits a constructor from Conjur::Policy::Planner::BaseFacts

Instance Method Details

#add_existing_permission(permission) ⇒ Object

Add a permission that is already held.

# File 'lib/conjur/policy/planner/facts.rb', line 172

def add_existing_permission permission
  existing.add [ permission['role'], permission['privilege'], permission['resource'] ]
  existing_with_admin_flag.add [ permission['role'], permission['privilege'], permission['resource'], permission['grant_option'] ]
end

#add_requested_permission(permit) ⇒ Object

Add a Types::Permit to the set of requested grants.

# File 'lib/conjur/policy/planner/facts.rb', line 147

def add_requested_permission permit
  Array(permit.roles).each do |member|
    Array(permit.privileges).each do |privilege|
      Array(permit.resources).each do |resource|
        requested.add [ member.role.roleid, privilege, resource.resourceid ]
        requested_with_admin_flag.add [ member.role.roleid, privilege, resource.resourceid, !!member.admin ]
      end
    end
  end
end

#remove_revoked_permission(deny) ⇒ Object

Removes a Types::Deny from the set of requested grants.

# File 'lib/conjur/policy/planner/facts.rb', line 159

def remove_revoked_permission deny
  Array(deny.roles).each do |role|
    Array(deny.privileges).each do |privilege|
      Array(deny.resources).each do |resource|
        requested.delete [ role.roleid, privilege, resource.resourceid ]
        requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, true ]
        requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, false ]
      end
    end
  end
end
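As an added illustration of how add_requested_permission, remove_revoked_permission and add_existing_permission fit together (this is example code, not the project's own), the following Ruby models the four fact sets with Structs standing in for Types::Permit, Types::Deny, role members and resources. The diff semantics of the inherited grants_to_apply and grants_to_revoke are an assumption, since their bodies are not shown on this page; the sample policy and the "existing" server state are constructed.

```ruby
require 'set'

# Added example, not code from conjur-policy-parser: a self-contained model of
# the PrivilegeFacts bookkeeping. Plain Structs stand in for Types::Permit,
# Types::Deny, role members and resources; tuples follow the class overview,
# [ roleid, privilege, resourceid, grant_option ].
Role     = Struct.new(:roleid)
Member   = Struct.new(:role, :admin)                    # a permit's role entry, with its admin flag
Resource = Struct.new(:resourceid)
Permit   = Struct.new(:roles, :privileges, :resources)  # roles are Members
Deny     = Struct.new(:roles, :privileges, :resources)  # roles are Roles (a deny carries no admin flag)

class ToyPrivilegeFacts
  attr_reader :requested, :requested_with_admin_flag, :existing, :existing_with_admin_flag

  def initialize
    @requested                 = Set.new
    @requested_with_admin_flag = Set.new
    @existing                  = Set.new
    @existing_with_admin_flag  = Set.new
  end

  # Same expansion as add_requested_permission: roles x privileges x resources.
  def add_requested_permission(permit)
    Array(permit.roles).each do |member|
      Array(permit.privileges).each do |privilege|
        Array(permit.resources).each do |resource|
          requested.add [member.role.roleid, privilege, resource.resourceid]
          requested_with_admin_flag.add [member.role.roleid, privilege, resource.resourceid, !!member.admin]
        end
      end
    end
  end

  # Same as remove_revoked_permission: a deny carries no grant_option, so the
  # row is deleted from the flagged set whichever flag value it was added with.
  def remove_revoked_permission(deny)
    Array(deny.roles).each do |role|
      Array(deny.privileges).each do |privilege|
        Array(deny.resources).each do |resource|
          requested.delete [role.roleid, privilege, resource.resourceid]
          [true, false].each do |flag|
            requested_with_admin_flag.delete [role.roleid, privilege, resource.resourceid, flag]
          end
        end
      end
    end
  end

  # Same as add_existing_permission: input is the JSON-shaped hash the server returns.
  def add_existing_permission(permission)
    row = [permission['role'], permission['privilege'], permission['resource']]
    existing.add row
    existing_with_admin_flag.add(row + [permission['grant_option']])
  end

  # Assumed semantics for the inherited grants_to_apply / grants_to_revoke (their
  # bodies are not on this page): diff the flagged sets, so a grant whose only
  # difference is grant_option shows up as a revoke plus a fresh grant.
  def grants_to_apply
    (requested_with_admin_flag - existing_with_admin_flag).to_a.sort_by(&:to_s)
  end

  def grants_to_revoke
    (existing_with_admin_flag - requested_with_admin_flag).to_a.sort_by(&:to_s)
  end
end

# Constructed sample policy and constructed server state (not real Conjur data).
def demo_facts
  facts = ToyPrivilegeFacts.new
  secret = Resource.new('variable:db/password')
  facts.add_requested_permission Permit.new(
    [Member.new(Role.new('group:ops'), false), Member.new(Role.new('group:admins'), true)],
    %w[read execute],
    [secret]
  )
  facts.remove_revoked_permission Deny.new([Role.new('group:ops')], ['execute'], [secret])
  [
    { 'role' => 'group:ops',    'privilege' => 'read',    'resource' => secret.resourceid, 'grant_option' => false },
    { 'role' => 'group:ops',    'privilege' => 'execute', 'resource' => secret.resourceid, 'grant_option' => false },
    { 'role' => 'group:admins', 'privilege' => 'read',    'resource' => secret.resourceid, 'grant_option' => false }
  ].each { |p| facts.add_existing_permission(p) }
  facts
end

if __FILE__ == $0
  f = demo_facts
  puts "apply:  #{f.grants_to_apply.inspect}"
  puts "revoke: #{f.grants_to_revoke.inspect}"
end
```

Running demo_facts shows why the class keeps both a plain and a flagged set: on the plain [roleid, privilege, resourceid] view, group:admins read is present in both requested and existing, so nothing would change, yet the flagged view reports it as a revoke of the non-admin grant followed by a new grant with grant_option true. The deny for group:ops execute removes the requested row, so the existing execute grant lands in grants_to_revoke.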

#resource_permissions(resource, privileges, &block) ⇒ Object

Enumerate all existing permissions for the specified resource. Only permissions that apply the specified privilege are considered. Each permission is yielded to the block.

# File 'lib/conjur/policy/planner/facts.rb', line 122

def resource_permissions resource, privileges, &block
  permissions = begin
    JSON.parse(api.resource(resource.resourceid).get)['permissions']
  rescue RestClient::ResourceNotFound
    # A 404 here can mean the caller is not allowed to read the resource record
    # rather than that the resource is absent, so warn only when it does exist.
    if api.resource(resource.resourceid).exists?
      $stderr.puts "WARNING: Unable to fetch permissions of resource #{resource.resourceid}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
    end
    # Falling back to an empty list means no existing permissions are recorded
    # for this resource, so the planner sees no current grants on it.
    []
  end
  # Only permissions carrying one of the requested privileges are of interest.
  permissions.select{|p| privileges.member?(p['privilege'])}.each do |permission|
    yield permission
  end
end

#validate! ⇒ Object

Validate that all the requested roles exist.

# File 'lib/conjur/policy/planner/facts.rb', line 137

def validate!
  requested.to_a.map{|row| row[0]}.uniq.each do |roleid|
    validate_role_exists! roleid
  end
  requested.to_a.map{|row| row[2]}.uniq.each do |resourceid|
    validate_resource_exists! resourceid
  end
end