class Checkpoint::Grants
The repository of grants – a simple wrapper for the Sequel Datastore / grants table.
Attributes
Public Class Methods
# File lib/checkpoint/grants.rb, line 15
def initialize(grants: Checkpoint::DB::Grant)
  @grants = grants
end
Public Instance Methods
# File lib/checkpoint/grants.rb, line 23
def any?(agents, credentials, resources)
  where(agents, credentials, resources).first != nil
end

# File lib/checkpoint/grants.rb, line 19
def for(agents, credentials, resources)
  where(agents, credentials, resources).all
end
Grant a credential.
This method takes a single agent, credential, and resource to create a grant. They are not expanded, though they may be general (e.g., an agent for users of an institution or a wildcard for resources of some type).
@param agent [Agent] the agent to whom the credential should be granted
@param credential [Credential] the credential to grant
@param resource [Resource] the resource to which the credential should apply
@return [Grant] the saved Grant; nil if the save fails
# File lib/checkpoint/grants.rb, line 73
def grant!(agent, credential, resource)
  grants.from(agent, credential, resource).save
end
Revoke a credential.
Take care to note that this follows the same matching semantics as {.for}. There is no expansion done here, but anything that matches what is supplied will be deleted. Of particular note is the default wildcard behavior of {Checkpoint::Resource::Resolver}: if a specific resource has been expanded by the resolver into an array of the resource itself, a type wildcard, and the any-resource wildcard (as used for inherited matching), and that array is supplied here, the results may be surprising where there are grants at both specific and general levels.
In general, the parameters should not have been expanded. If the intent is to revoke a general grant, the general details should be supplied, and likewise for the specific case.
Applications should interact with the {Checkpoint::Authority}, which exposes a more application-oriented interface. This repository should be considered internal to Checkpoint.
@param agents [Agent|Array] the agent or agents to match for deletion
@param credentials [Credential|Array] the credential or credentials to match for deletion
@param resources [Resource|Array] the resource or resources to match for deletion
@return [Integer] the number of Grants deleted
# File lib/checkpoint/grants.rb, line 100
def revoke!(agents, credentials, resources)
  where(agents, credentials, resources).delete
end
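The over-revocation described above, as an added example that is not Checkpoint's own code: an in-memory stand-in for the grants table with the same "match anything in the supplied lists" semantics. `Grant`, `ToyGrants`, `expand` and the string tokens are hypothetical names and constructed values, and the expansion order is an assumption.

```ruby
# Added illustration: an in-memory stand-in for the grants table. The names
# Grant, ToyGrants and expand are hypothetical, not Checkpoint's API.
Grant = Struct.new(:agent, :credential, :resource)

class ToyGrants
  attr_reader :rows

  def initialize(rows)
    @rows = rows.dup
  end

  # Same shape as revoke!: each argument is one value or an array, and a row
  # matches when every column is found in the corresponding list.
  def revoke!(agents, credentials, resources)
    before = @rows.size
    @rows.reject! do |g|
      Array(agents).include?(g.agent) &&
        Array(credentials).include?(g.credential) &&
        Array(resources).include?(g.resource)
    end
    before - @rows.size
  end
end

# Assumed expansion for inherited matching: the resource itself, its type
# wildcard, and the any-resource wildcard (token spellings are constructed).
def expand(type, id)
  ["#{type}:#{id}", "#{type}:(all)", "(all):(all)"]
end

# Constructed sample data: one specific grant and one general grant.
SAMPLE = [
  Grant.new("user:alice", "permission:edit", "document:42"),
  Grant.new("user:alice", "permission:edit", "document:(all)")
].freeze

# Returns [number deleted, resources of the grants that remain].
def remaining_after_revoke(resources)
  repo = ToyGrants.new(SAMPLE)
  deleted = repo.revoke!("user:alice", "permission:edit", resources)
  [deleted, repo.rows.map(&:resource)]
end

if __FILE__ == $PROGRAM_NAME
  p remaining_after_revoke("document:42")          # unexpanded: specific grant only
  p remaining_after_revoke(expand("document", 42)) # expanded: general grant is deleted too
end
```

Passing the unexpanded resource removes only the specific grant; passing the expanded array also removes the type-wide grant, which silently strips access to every other document of that type.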
Find grants to the given agents on the given resources.
This is useful for finding what actions may be taken on particular items. Note that this low-level interface returns the full grants, rather than a unique set of credentials.
@return [Array<Grant>] the set of grants to any of the agents on any of the resources
# File lib/checkpoint/grants.rb, line 47
def what(agents, resources)
  DB::Query::AR.new(agents, resources, **scope).all
end
Find grants to the given agents of the given credentials.
This is useful for finding which resources may be acted upon. Note that this low-level interface returns the full grants, rather than a unique set of resources.
@return [Array<Grant>] the set of grants of any of the credentials to any of the agents
# File lib/checkpoint/grants.rb, line 59
def which(agents, credentials)
  DB::Query::AC.new(agents, credentials, **scope).all
end
Find grants of the given credentials on the given resources.
This is useful for finding who should have particular access. Note that this low-level interface returns the full grants, rather than a unique set of agents.
@return [Array<Grant>] the set of grants of any of the credentials on any of the resources
# File lib/checkpoint/grants.rb, line 35
def who(credentials, resources)
  DB::Query::CR.new(credentials, resources, **scope).all
end
Private Instance Methods
# File lib/checkpoint/grants.rb, line 106
def scope
  { scope: grants }
end

# File lib/checkpoint/grants.rb, line 110
def where(agents, credentials, resources)
  DB::Query::ACR.new(agents, credentials, resources, **scope)
end