Class: Conjur::Rack::User

Inherits:

Object

• Object
• Conjur::Rack::User

Defined in:

lib/conjur/rack/user.rb

Overview

Token data can be a string (which is the user login), or a Hash. If it’s a hash, it should contain the user login keyed by the string ‘login’. The rest of the payload is available as attributes.

Instance Attribute Summary

• #account ⇒ Object (also: #conjur_account) readonly

  Returns the value of attribute account.

• #audit_resources ⇒ Object readonly

  Returns the value of attribute audit_resources.

• #audit_roles ⇒ Object readonly

  Returns the value of attribute audit_roles.

• #privilege ⇒ Object readonly

  Returns the value of attribute privilege.

• #remote_ip ⇒ Object readonly

  Returns the value of attribute remote_ip.

• #token ⇒ Object readonly

  Returns the value of attribute token.

Instance Method Summary

• #api(cls = Conjur::API) ⇒ Object
• #attributes ⇒ Object
• #global_elevate? ⇒ Boolean

  True if and only if the user has valid global ‘elevate’ privilege.

• #global_reveal? ⇒ Boolean

  True if and only if the user has valid global ‘reveal’ privilege.

• #initialize(token, account, options = {}) ⇒ User constructor

  A new instance of User.

• #login ⇒ Object
• #role ⇒ Object
• #roleid ⇒ Object
• #validated_global_privilege ⇒ Object

  Returns the global privilege which was present on the request, if and only if the user actually has that privilege.

Constructor Details

#initialize(token, account, options = {}) ⇒ User

Returns a new instance of User.

# File 'lib/conjur/rack/user.rb', line 11

def initialize(token, account, options = {})
  @token = token
  @account = account
  # Third argument used to be the name of privilege, be
  # backwards compatible:
  if options.respond_to?(:to_str)
    @privilege = options
  else
    @privilege = options[:privilege]
    @remote_ip = options[:remote_ip]
    @audit_roles = options[:audit_roles]
    @audit_resources = options[:audit_resources]
  end
end

Instance Attribute Details

#account ⇒ Object (readonly) Also known as: conjur_account

Returns the value of attribute account.

# File 'lib/conjur/rack/user.rb', line 9

def account
  @account
end

#audit_resources ⇒ Object (readonly)

Returns the value of attribute audit_resources.

# File 'lib/conjur/rack/user.rb', line 9

def audit_resources
  @audit_resources
end

#audit_roles ⇒ Object (readonly)

Returns the value of attribute audit_roles.

# File 'lib/conjur/rack/user.rb', line 9

def audit_roles
  @audit_roles
end

#privilege ⇒ Object (readonly)

Returns the value of attribute privilege.

# File 'lib/conjur/rack/user.rb', line 9

def privilege
  @privilege
end

#remote_ip ⇒ Object (readonly)

Returns the value of attribute remote_ip.

# File 'lib/conjur/rack/user.rb', line 9

def remote_ip
  @remote_ip
end

#token ⇒ Object (readonly)

Returns the value of attribute token.

# File 'lib/conjur/rack/user.rb', line 9

def token
  @token
end

Instance Method Details

#api(cls = Conjur::API) ⇒ Object

# File 'lib/conjur/rack/user.rb', line 90

def api(cls = Conjur::API)
  args = [ token ]
  args.push remote_ip if remote_ip
  api = cls.new_from_token(*args)
  api = api.with_privilege(privilege) if privilege
  api = api.with_audit_resources(audit_resources) if audit_resources
  api = api.with_audit_roles(audit_roles) if audit_roles

  api
end

#attributes ⇒ Object

# File 'lib/conjur/rack/user.rb', line 62

def attributes
  parse_token

  @attributes || {}
end

#global_elevate? ⇒ Boolean

True if and only if the user has valid global ‘elevate’ privilege.

Returns:

• (Boolean)

# File 'lib/conjur/rack/user.rb', line 52

def global_elevate?
  validated_global_privilege == "elevate"
end

#global_reveal? ⇒ Boolean

True if and only if the user has valid global ‘reveal’ privilege.

Returns:

• (Boolean)

# File 'lib/conjur/rack/user.rb', line 47

def global_reveal?
  validated_global_privilege == "reveal"
end

#login ⇒ Object

# File 'lib/conjur/rack/user.rb', line 56

def login
  parse_token

  @login
end

#role ⇒ Object

# File 'lib/conjur/rack/user.rb', line 78

def role
  api.role(roleid)
end

#roleid ⇒ Object

# File 'lib/conjur/rack/user.rb', line 68

def roleid
  tokens = login.split('/')
  role_kind, roleid = if tokens.length == 1
    [ 'user', login ]
  else
    [ tokens[0], tokens[1..-1].join('/') ]
  end
  [ account, role_kind, roleid ].join(':')
end

#validated_global_privilege ⇒ Object

Returns the global privilege which was present on the request, if and only if the user actually has that privilege.

Returns nil if no global privilege was present in the request headers, or if a global privilege was present in the request headers, but the user doesn’t actually have that privilege according to the Conjur server.

# File 'lib/conjur/rack/user.rb', line 38

def validated_global_privilege
  unless @validated_global_privilege
    @privilege = nil if @privilege && !api.global_privilege_permitted?(@privilege)
    @validated_global_privilege = true
  end
  @privilege
end