class Conjur::Rack::User
Token data can be a string (which is the user login), or a Hash. If it is a hash, it must contain the user login keyed by the string ‘login’; the rest of the payload is available as attributes.
Attributes
account[R]
audit_resources[R]
audit_roles[R]
conjur_account[R]
privilege[R]
remote_ip[R]
token[R]
Public Class Methods
new(token, account, options = {})
# File lib/conjur/rack/user.rb, line 11
#
# Builds a user from the raw request token and the account it belongs to.
#
# @param token [Object] the raw token; decoded lazily by +parse_token+
# @param account [String] the Conjur account
# @param options [Hash, #to_str] either an options Hash (+:privilege+,
#   +:remote_ip+, +:audit_roles+, +:audit_resources+) or, for backwards
#   compatibility, the privilege name itself as a String-like value.
#   +@privilege+ holds the privilege as asserted on the request; it is only
#   confirmed against the server by +validated_global_privilege+.
def initialize(token, account, options = {})
  @token = token
  @account = account
  # Legacy call form: the third positional argument was the privilege name.
  if options.respond_to?(:to_str)
    @privilege = options
    return
  end
  @privilege = options[:privilege]
  @remote_ip = options[:remote_ip]
  @audit_roles = options[:audit_roles]
  @audit_resources = options[:audit_resources]
end
Public Instance Methods
api(cls = Conjur::API)
# File lib/conjur/rack/user.rb, line 92
#
# Builds an API client authenticated with this user's token.
#
# The client is created from +token+ (plus +remote_ip+ when set) and then
# wrapped with +with_privilege+ / +with_audit_resources+ / +with_audit_roles+
# for each attribute that is present -- but only when the client responds
# to that method, since older API versions lack these features.
# Note that the +privilege+ passed here is the current +@privilege+ (the
# value asserted on the request, or nil once +validated_global_privilege+
# has cleared it), not a server-validated one.
#
# @param cls [Class] API class responding to +new_from_token+
# @return [Object] the (possibly wrapped) API client
def api(cls = Conjur::API)
  args = [token]
  args << remote_ip if remote_ip
  client = cls.new_from_token(*args)

  %i(privilege audit_resources audit_roles).each do |feature|
    setter = :"with_#{feature}"
    next unless client.respond_to?(setter)
    value = send(feature)
    next unless value
    client = client.send(setter, value)
  end
  client
end
attributes()
# File lib/conjur/rack/user.rb, line 64
#
# The attributes carried by the token (claims plus header for a JWT, or the
# legacy 'data' Hash minus 'login'), decoded on first use.
#
# @return [Hash] never nil; an empty Hash when the token carried none
def attributes
  parse_token
  return @attributes if @attributes
  {}
end
global_elevate?()
True if and only if the user has valid global ‘elevate’ privilege.
# File lib/conjur/rack/user.rb, line 54
#
# True if and only if the user has a server-validated global 'elevate'
# privilege (see +validated_global_privilege+).
#
# @return [Boolean]
def global_elevate?
  granted = validated_global_privilege
  !granted.nil? && granted == "elevate"
end
global_reveal?()
True if and only if the user has valid global ‘reveal’ privilege.
# File lib/conjur/rack/user.rb, line 49
#
# True if and only if the user has a server-validated global 'reveal'
# privilege (see +validated_global_privilege+).
#
# @return [Boolean]
def global_reveal?
  granted = validated_global_privilege
  !granted.nil? && granted == "reveal"
end
login()
# File lib/conjur/rack/user.rb, line 58
#
# The user login taken from the token (JWT 'sub' claim, or the legacy
# 'data' payload), decoded on first use.
#
# @return [String]
# @raise [RuntimeError] if the token cannot be decoded (see +parse_token+)
def login
  parse_token unless @login
  @login
end
role()
# File lib/conjur/rack/user.rb, line 80
#
# The Conjur role object for this user, looked up through a fresh API
# client (see +api+) by the id built in +roleid+.
#
# @return [Object] whatever +api.role+ returns
def role
  client = api
  client.role(roleid)
end
roleid()
# File lib/conjur/rack/user.rb, line 70
#
# The fully qualified role id, "account:kind:id", derived from +login+.
#
# A login without a '/' is a user: "acct:user:login". Otherwise the first
# segment is the role kind and the remainder (re-joined with '/') the id,
# e.g. "host/a/b" -> "acct:host:a/b".
#
# @return [String]
def roleid
  name = login
  kind, *rest = name.split('/')
  if rest.empty? && !kind.nil?
    kind = 'user'
    id = name
  else
    id = rest.join('/')
  end
  [account, kind, id].join(':')
end
validated_global_privilege()
Returns the global privilege which was present on the request, if and only if the user actually has that privilege.
Returns nil if no global privilege was present in the request headers, or if one was present but the user does not actually hold that privilege according to the Conjur server.
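# File lib/conjur/rack/user.rb, line 38
#
# Returns the global privilege asserted on the request, but only once the
# Conjur server has confirmed the user actually holds it; nil otherwise.
#
# The check runs once and is memoized via +@validated_global_privilege+;
# an unconfirmed privilege is cleared from +@privilege+ so later reads
# fail closed. An API client that lacks +global_privilege_permitted?+ is
# treated as "not permitted". The client is built once per check (the
# previous version built it twice).
#
# @return [String, nil]
def validated_global_privilege
  return @privilege if @validated_global_privilege

  permitted = false
  if @privilege
    client = api
    permitted = client.respond_to?(:global_privilege_permitted?) &&
                client.global_privilege_permitted?(@privilege)
  end
  @privilege = nil unless permitted
  @validated_global_privilege = true
  @privilege
end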
Protected Instance Methods
load_jwt(jwt)
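# File lib/conjur/rack/user.rb, line 135
#
# Populates +@attributes+ and +@login+ from a parsed JWT.
#
# All claims are exposed as attributes, merged with the JWT header (on a
# key collision the header value wins, as it is the +merge+ argument).
# Fixes the original's +merge (expr)+ spacing, which parsed as a grouped
# expression, and replaces the low-precedence +or raise+.
#
# @param jwt [#claims, #header] parsed token; +header+ may be nil
# @return [String] the login taken from the 'sub' claim
# @raise [RuntimeError] when the claims carry no 'sub'
def load_jwt(jwt)
  header = jwt.header || {}
  @attributes = jwt.claims.merge(header) # just pass all the info
  @login = jwt.claims['sub']
  raise "No 'sub' field in claims" unless @login
  @login
end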
load_legacy(data)
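# File lib/conjur/rack/user.rb, line 124
#
# Populates +@login+ (and, for Hash data, +@attributes+) from the legacy
# token payload.
#
# Uses the +data+ argument directly; the original ignored it and re-read
# +token['data']+, which only coincided with +data+ because +parse_token+
# is the sole caller.
#
# @param data [String, Hash] the token's 'data' field: either the login
#   itself, or a Hash holding the login under 'login' with the remaining
#   keys becoming attributes
# @return [String] the login
# @raise [RuntimeError] on a Hash without 'login', or any other type
def load_legacy(data)
  case data
  when String
    @login = data
  when Hash
    # clone so that removing 'login' does not mutate the caller's token
    @attributes = data.clone
    @login = @attributes.delete('login')
    raise "No 'login' field in token data" unless @login
  else
    raise "Expecting String or Hash token data, got #{data.class.name}"
  end
  @login
end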
parse_token()
# File lib/conjur/rack/user.rb, line 111
#
# Lazily decodes +token+ into +@login+ / +@attributes+, trying the JWT form
# first and falling back to the legacy 'data' payload when the JWT parse
# raises ArgumentError. Does nothing once +@login+ is set.
#
# On the JWT path +@token+ is replaced by the parsed Slosilo::JWT; on the
# legacy path it is left untouched.
#
# @raise [RuntimeError] "malformed token" when neither form applies
def parse_token
  return if @login

  begin
    @token = Slosilo::JWT(token)
    load_jwt(token)
  rescue ArgumentError
    # NOTE(review): assumes +token+ is a Hash here; if it can be a String,
    # String#[]('data') returns the substring "data" whenever it occurs in
    # the text rather than nil -- confirm against the middleware that sets it.
    data = token['data']
    raise "malformed token" unless data
    load_legacy(data)
  end
end