Class: Conjur::Policy::Planner::PrivilegeFacts
- Defined in:
- lib/conjur/policy/planner/facts.rb
Overview
Privilege grants are [ roleid, privilege, resourceid, grant_option ].
Instance Attribute Summary
Attributes inherited from BaseFacts
#existing, #existing_with_admin_flag, #planner, #requested, #requested_with_admin_flag
Instance Method Summary
- #add_existing_permission(permission) ⇒ Object
  Add a permission that is already held.
- #add_requested_permission(permit) ⇒ Object
  Add a Types::Permit to the set of requested grants.
- #remove_revoked_permission(deny) ⇒ Object
  Removes a Types::Deny from the set of requested grants.
- #resource_permissions(resource, privileges, &block) ⇒ Object
  Enumerate all existing permissions for the specified resource.
- #validate! ⇒ Object
  Validate that all the requested roles and resources exist.
Methods inherited from BaseFacts
#api, #grants_to_apply, #grants_to_revoke, #initialize, #validate_resource_exists!, #validate_role_exists!
Constructor Details
This class inherits a constructor from Conjur::Policy::Planner::BaseFacts
Instance Method Details
#add_existing_permission(permission) ⇒ Object
Add a permission that is already held.
# File 'lib/conjur/policy/planner/facts.rb', line 172
def add_existing_permission(permission)
  # permission is one entry of the resource's 'permissions' array as returned by the API
  existing.add [ permission['role'], permission['privilege'], permission['resource'] ]
  existing_with_admin_flag.add [ permission['role'], permission['privilege'], permission['resource'], permission['grant_option'] ]
end
#add_requested_permission(permit) ⇒ Object
Add a Types::Permit to the set of requested grants.
# File 'lib/conjur/policy/planner/facts.rb', line 147
def add_requested_permission(permit)
  Array(permit.roles).each do |member|
    Array(permit.privileges).each do |privilege|
      Array(permit.resources).each do |resource|
        requested.add [ member.role.roleid, privilege, resource.resourceid ]
        # grant_option is taken from the member's admin flag, coerced to a boolean
        requested_with_admin_flag.add [ member.role.roleid, privilege, resource.resourceid, !!member.admin ]
      end
    end
  end
end
#remove_revoked_permission(deny) ⇒ Object
Removes a Types::Deny from the set of requested grants.
# File 'lib/conjur/policy/planner/facts.rb', line 159
def remove_revoked_permission(deny)
  Array(deny.roles).each do |role|
    Array(deny.privileges).each do |privilege|
      Array(deny.resources).each do |resource|
        requested.delete [ role.roleid, privilege, resource.resourceid ]
        # a deny removes the requested grant whichever grant_option it was requested with
        requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, true ]
        requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, false ]
      end
    end
  end
end
#resource_permissions(resource, privileges, &block) ⇒ Object
Enumerate all existing permissions for the specified resource. Only permissions that grant one of the specified privileges are considered. Each permission is yielded to the block.
# File 'lib/conjur/policy/planner/facts.rb', line 122
def resource_permissions(resource, privileges, &block)
  # the local name 'permissions' is reconstructed; the extracted page dropped it
  permissions = begin
    JSON.parse(api.resource(resource.resourceid).get)['permissions']
  rescue RestClient::ResourceNotFound
    # the resource exists but its permissions are not visible to the current role
    if api.resource(resource.resourceid).exists?
      $stderr.puts "WARNING: Unable to fetch permissions of resource #{resource.resourceid}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
    end
    []
  end
  permissions.select{|p| privileges.member?(p['privilege'])}.each do |permission|
    yield permission
  end
end
#validate! ⇒ Object
Validate that all the requested roles and resources exist.
# File 'lib/conjur/policy/planner/facts.rb', line 137
def validate!
  # every role referenced by a requested grant must exist ...
  requested.to_a.map{|row| row[0]}.uniq.each do |roleid|
    validate_role_exists! roleid
  end
  # ... and so must every resource
  requested.to_a.map{|row| row[2]}.uniq.each do |resourceid|
    validate_resource_exists! resourceid
  end
end
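As an added example (not code from the conjur-policy gem), a small stand-in for PrivilegeFacts that builds the requested and existing fact sets the methods above maintain, shows that a deny removes a requested grant regardless of its grant_option, and derives the grants to apply and revoke. The set-difference semantics of the inherited grants_to_apply/grants_to_revoke are an assumption, as are the role and resource ids in the scenario.

```ruby
require 'set'

# Stand-in for PrivilegeFacts (added example, not the gem's code): facts are
# [roleid, privilege, resourceid] plus a variant that carries grant_option.
class TinyPrivilegeFacts
  attr_reader :requested, :requested_with_admin_flag, :existing, :existing_with_admin_flag
  def initialize
    @requested, @requested_with_admin_flag = Set.new, Set.new
    @existing, @existing_with_admin_flag = Set.new, Set.new
  end

  # Like add_requested_permission; members are [roleid, admin?] pairs, a
  # constructed stand-in for the Types::Permit members the real method walks.
  def permit(members, privileges, resources)
    members.each do |roleid, admin|
      privileges.product(resources).each do |privilege, resourceid|
        @requested.add [roleid, privilege, resourceid]
        @requested_with_admin_flag.add [roleid, privilege, resourceid, !!admin]
      end
    end
  end

  # Like remove_revoked_permission: a deny drops the fact whichever
  # grant_option it was requested with, so a deny always beats a permit.
  def deny(roleids, privileges, resources)
    roleids.product(privileges, resources).each do |roleid, privilege, resourceid|
      @requested.delete [roleid, privilege, resourceid]
      [true, false].each { |flag| @requested_with_admin_flag.delete [roleid, privilege, resourceid, flag] }
    end
  end

  # Like add_existing_permission, fed one entry of the API's permissions array.
  def add_existing(perm)
    @existing.add [perm['role'], perm['privilege'], perm['resource']]
    @existing_with_admin_flag.add [perm['role'], perm['privilege'], perm['resource'], perm['grant_option']]
  end

  # Assumed semantics of the inherited grants_to_apply / grants_to_revoke
  # (not shown on the page): set differences between requested and existing.
  def grants_to_apply;  requested_with_admin_flag - existing_with_admin_flag; end
  def grants_to_revoke; existing_with_admin_flag - requested_with_admin_flag; end
end

# Constructed scenario: ops gets read+execute; alice gets both with grant
# option, then execute is denied; bob's existing read is no longer requested.
def plan_example
  f = TinyPrivilegeFacts.new
  f.permit([['group:ops', false], ['user:alice', true]], %w[read execute], ['variable:db/password'])
  f.deny(['user:alice'], ['execute'], ['variable:db/password'])
  f.add_existing('role' => 'group:ops', 'privilege' => 'read', 'resource' => 'variable:db/password', 'grant_option' => false)
  f.add_existing('role' => 'user:bob', 'privilege' => 'read', 'resource' => 'variable:db/password', 'grant_option' => false)
  f
end
```

Running plan_example yields two grants to apply (ops/execute and alice/read with grant option) and one to revoke (bob/read); alice's execute never reaches the apply set because the deny removed it.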