class Conjur::Policy::Resolver

Attributes

account[R]
namespace[R]
ownerid[R]

Public Class Methods

new(account, ownerid, namespace = nil)

account is required. It's the default account whenever no account is specified.

ownerid is required. Any records without an owner will be assigned this owner. The exception is records defined in a policy, which are always owned by the policy role unless an explicit owner is indicated (which would be rare).

namespace is optional. It's prepended to the id of every record, except for ids which begin with a '/' character.

# File lib/conjur/policy/resolver.rb, line 24
def initialize account, ownerid, namespace = nil
  @account = account
  @ownerid   = ownerid
  @namespace = namespace
  
  raise "account is required" unless account
  raise "ownerid is required" unless ownerid
  raise "ownerid must be fully qualified" unless ownerid.split(":", 3).length == 3
end
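
The constructor's qualification test only counts colon-separated fields, so it helps to see which owner ids pass it. This is an added example, not code from the Conjur project: qualified_by_constructor? repeats the expression shown above, while parse_owner_id, its stricter rules and the sample ids are hypothetical.

```ruby
# Added example: not part of lib/conjur/policy/resolver.rb.

# Same expression the constructor uses to decide "fully qualified".
def qualified_by_constructor?(ownerid)
  ownerid.split(":", 3).length == 3
end

# Hypothetical stricter parser (an assumption, not the project's API):
# account, kind and identifier must all be non-empty. The identifier
# keeps any further colons, exactly as split(":", 3) leaves them.
def parse_owner_id(ownerid)
  account, kind, id = ownerid.to_s.split(":", 3)
  if [account, kind, id].any? { |part| part.nil? || part.empty? }
    raise ArgumentError, "ownerid must be account:kind:id, got #{ownerid.inspect}"
  end
  { account: account, kind: kind, id: id }
end

# Constructed sample owner ids (not taken from any real deployment).
SAMPLES = [
  "myorg:user:alice",        # fully qualified
  "myorg:group:ops:admins",  # extra colon stays inside the identifier
  "user:alice",              # only two fields
  "myorg:user:",             # empty identifier
  "::",                      # three empty fields
].freeze

# Returns [id, passes constructor check?, passes strict parse?] per sample.
def compare(samples = SAMPLES)
  samples.map do |s|
    strict = begin
      parse_owner_id(s)
      true
    rescue ArgumentError
      false
    end
    [s, qualified_by_constructor?(s), strict]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |s, loose, strict|
    puts format("%-26s constructor=%-5s strict=%s", s.inspect, loose, strict)
  end
end
```

With a positive limit, String#split keeps trailing empty fields, which is why the last two samples satisfy the length check even though a field is empty.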

resolve(records, account, ownerid, namespace = nil)

Resolve records to the specified owner id and namespace.

# File lib/conjur/policy/resolver.rb, line 8
def resolve records, account, ownerid, namespace = nil
  resolver_classes = [ AccountResolver, IdSubstitutionResolver, AnnotationSubstitutionResolver, OwnerResolver, FlattenResolver, DuplicateResolver ]
  resolver_classes.each do |cls|
    resolver = cls.new account, ownerid, namespace
    records = resolver.resolve records
  end
  records
end

Protected Instance Methods

id_of(record)

# File lib/conjur/policy/resolver.rb, line 47
def id_of record
  record.object_id
end

traverse(records, visited, handler, policy_handler = nil)

Traverse an Array-ish of records, calling a handler method for each one. If a record is a Policy, then the policy_handler is invoked, after the handler.

# File lib/conjur/policy/resolver.rb, line 38
def traverse records, visited, handler, policy_handler = nil
  Array(records).flatten.each do |record|
    next unless visited.add?(id_of(record))

    handler.call record, visited
    policy_handler.call record, visited if policy_handler && record.is_a?(Types::Policy)
  end
end