class Checkpoint::Grants

The repository of grants – a simple wrapper for the Sequel Datastore / grants table.

Attributes

grants[R]

Public Class Methods

new(grants: Checkpoint::DB::Grant)
# File lib/checkpoint/grants.rb, line 15
def initialize(grants: Checkpoint::DB::Grant)
  @grants = grants
end

Public Instance Methods

any?(agents, credentials, resources)
# File lib/checkpoint/grants.rb, line 23
def any?(agents, credentials, resources)
  where(agents, credentials, resources).first != nil
end
for(agents, credentials, resources)
# File lib/checkpoint/grants.rb, line 19
def for(agents, credentials, resources)
  where(agents, credentials, resources).all
end
grant!(agent, credential, resource)

Grant a credential.

This method takes a single agent, credential, and resource to create a grant. They are not expanded, though they may be general (e.g., an agent for users of an institution or a wildcard for resources of some type).

@param agent [Agent] the agent to whom the credential should be granted
@param credential [Credential] the credential to grant
@param resource [Resource] the resource to which the credential should apply
@return [Grant] the saved Grant; nil if the save fails

# File lib/checkpoint/grants.rb, line 73
def grant!(agent, credential, resource)
  grants.from(agent, credential, resource).save
end
revoke!(agents, credentials, resources)

Revoke a credential.

Take care to note that this follows the same matching semantics as {.for}. There is no expansion done here, but anything that matches what is supplied will be deleted. Of particular note is the default wildcard behavior of {Checkpoint::Resource::Resolver}: if a specific resource has been expanded by the resolver, and the array of the resource, a type wildcard, and the any-resource wildcard (as used for inherited matching) is supplied, the results may be surprising where there are grants at specific and general levels.

In general, the parameters should not have been expanded. If the intent is to revoke a general grant, the general details should be supplied, and likewise for the specific case.

Applications should interact with the {Checkpoint::Authority}, which exposes a more application-oriented interface. This repository should be considered internal to Checkpoint.

@param agents [Agent|Array] the agent or agents to match for deletion
@param credentials [Credential|Array] the credential or credentials to match for deletion
@param resources [Resource|Array] the resource or resources to match for deletion
@return [Integer] the number of Grants deleted

# File lib/checkpoint/grants.rb, line 100
def revoke!(agents, credentials, resources)
  where(agents, credentials, resources).delete
end
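
The over-deletion described for revoke!, as an added example rather than Checkpoint's own code: a simplified in-memory model that assumes a row matches when each of its columns is in the supplied list. The ModelGrants class, the token strings and the EXPANDED array are constructed for illustration.

```ruby
# Simplified in-memory model of the grants table. Assumption: a row matches
# when each column's value is IN the supplied list. Not Checkpoint's own code.
Grant = Struct.new(:agent, :credential, :resource)

class ModelGrants
  attr_reader :rows

  def initialize(rows)
    @rows = rows.dup
  end

  # Any-of matching on each column; scalars are wrapped into arrays.
  def for(agents, credentials, resources)
    a, c, r = [agents, credentials, resources].map { |x| Array(x) }
    rows.select do |g|
      a.include?(g.agent) && c.include?(g.credential) && r.include?(g.resource)
    end
  end

  # Deletes every matching row and returns the count, mirroring revoke!.
  def revoke!(agents, credentials, resources)
    doomed = self.for(agents, credentials, resources)
    @rows -= doomed
    doomed.size
  end
end

# Constructed sample tokens: one specific grant and one type-wide grant.
def sample_grants
  ModelGrants.new([
    Grant.new('user:anna', 'permission:edit', 'document:42'),
    Grant.new('user:anna', 'permission:edit', 'document:(all)')
  ])
end

# Hypothetical resolver-style expansion of document:42 (inherited matching).
EXPANDED = ['document:42', 'document:(all)', '(all):(all)'].freeze

# Revoking with the expanded list also removes the type-wide grant.
def revoke_expanded
  repo = sample_grants
  [repo.revoke!('user:anna', 'permission:edit', EXPANDED), repo.rows.map(&:resource)]
end

# Revoking with the unexpanded resource removes only the specific grant.
def revoke_specific
  repo = sample_grants
  [repo.revoke!('user:anna', 'permission:edit', 'document:42'), repo.rows.map(&:resource)]
end
```

Comparing the returned count with the number of grants the caller meant to remove is a cheap check for this mistake.
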
what(agents, resources)

Find grants to the given agents on the given resources.

This is useful for finding what actions may be taken on particular items. Note that this low-level interface returns the full grants, rather than a unique set of credentials.

@return [Array<Grant>] the set of grants to any of the agents on any of the resources

# File lib/checkpoint/grants.rb, line 47
def what(agents, resources)
  DB::Query::AR.new(agents, resources, **scope).all
end
which(agents, credentials)

Find grants to the given agents of the given credentials.

This is useful for finding which resources may be acted upon. Note that this low-level interface returns the full grants, rather than a unique set of resources.

@return [Array<Grant>] the set of grants of any of the credentials to any of the agents

# File lib/checkpoint/grants.rb, line 59
def which(agents, credentials)
  DB::Query::AC.new(agents, credentials, **scope).all
end
who(credentials, resources)

Find grants of the given credentials on the given resources.

This is useful for finding who should have particular access. Note that this low-level interface returns the full grants, rather than a unique set of agents.

@return [Array<Grant>] the set of grants of any of the credentials on any of the resources

# File lib/checkpoint/grants.rb, line 35
def who(credentials, resources)
  DB::Query::CR.new(credentials, resources, **scope).all
end

Private Instance Methods

scope()
# File lib/checkpoint/grants.rb, line 106
def scope
  { scope: grants }
end
where(agents, credentials, resources)
# File lib/checkpoint/grants.rb, line 110
def where(agents, credentials, resources)
  DB::Query::ACR.new(agents, credentials, resources, **scope)
end