class Conjur::Rack::User

Token data can be a string (which is the user login), or a Hash. If it’s a hash, it should contain the user login keyed by the string ‘login’. The rest of the payload is available as attributes.

Attributes

account[R]
audit_resources[R]
audit_roles[R]
conjur_account[R]
privilege[R]
remote_ip[R]
token[R]

Public Class Methods

new(token, account, options = {})
# File lib/conjur/rack/user.rb, line 11
# Builds a user object around an authenticated token.
#
# @param token [String, Hash, Object] the token; it is decoded lazily by parse_token
# @param account [String] the Conjur account the user belongs to
# @param options [Hash, String] option hash with :privilege, :remote_ip,
#   :audit_roles and :audit_resources; a string-like value is accepted as the
#   privilege name for backwards compatibility with the old positional form
def initialize(token, account, options = {})
  @token = token
  @account = account
  # Older callers passed the privilege name as a bare string in the third
  # position; anything that quacks like a string is treated that way and the
  # remaining options stay unset.
  if options.respond_to?(:to_str)
    @privilege = options
  else
    @privilege, @remote_ip, @audit_roles, @audit_resources =
      options.values_at(:privilege, :remote_ip, :audit_roles, :audit_resources)
  end
end

Public Instance Methods

api(cls = Conjur::API)
# File lib/conjur/rack/user.rb, line 92
# Builds an API client authenticated as this user.
#
# @param cls [Class] client class responding to .new_from_token; defaults to Conjur::API
# @return [Object] the client, with privilege / audit_resources / audit_roles
#   applied only when a value is set and the client supports the matching with_* method
def api(cls = Conjur::API)
  client = remote_ip ? cls.new_from_token(token, remote_ip) : cls.new_from_token(token)

  # with_privilege / with_audit_resources / with_audit_roles are missing in some
  # API versions: apply each one only when the client supports it and a value
  # was actually given, otherwise pass the client through unchanged.
  %i(privilege audit_resources audit_roles).reduce(client) do |current, feature|
    setter = :"with_#{feature}"
    if current.respond_to?(setter) && (value = send(feature))
      current.send(setter, value)
    else
      current
    end
  end
end
attributes()
# File lib/conjur/rack/user.rb, line 64
# The token payload other than the login, decoding the token on first use.
#
# @return [Hash] the stored attributes hash itself (not a copy), or an empty
#   hash when the token carried no extra payload
def attributes
  parse_token

  parsed = @attributes
  parsed ? parsed : {}
end
global_elevate?()

True if and only if the user has valid global ‘elevate’ privilege.

# File lib/conjur/rack/user.rb, line 54
# True if and only if the request carried the global 'elevate' privilege and
# the Conjur server confirmed the user actually holds it.
#
# @return [Boolean]
def global_elevate?
  "elevate" == validated_global_privilege
end
global_reveal?()

True if and only if the user has valid global ‘reveal’ privilege.

# File lib/conjur/rack/user.rb, line 49
# True if and only if the request carried the global 'reveal' privilege and
# the Conjur server confirmed the user actually holds it.
#
# @return [Boolean]
def global_reveal?
  "reveal" == validated_global_privilege
end
login()
# File lib/conjur/rack/user.rb, line 58
# The user login taken from the token, decoding the token on first use.
#
# @return [String] the login (JWT 'sub' claim or legacy 'login' field)
def login
  parse_token
  @login
end
role()
# File lib/conjur/rack/user.rb, line 80
# The Conjur role object for this user, looked up through a fresh API client.
#
# @return [Object] whatever the client's #role returns for #roleid
def role
  client = api
  client.role(roleid)
end
roleid()
# File lib/conjur/rack/user.rb, line 70
# The fully qualified role id "account:kind:identifier" derived from the login.
#
# A login without a slash is a user ("alice" -> "acct:user:alice"); otherwise
# the first segment is the kind and the rest the identifier
# ("host/foo/bar" -> "acct:host:foo/bar").
#
# NOTE(review): the login is not validated here. An empty login raises
# NoMethodError (nil.join) and a leading slash produces an empty kind segment
# ("/foo" -> "acct::foo"); anything using this id for authorization should
# rely on the login having been checked upstream — confirm.
#
# @return [String]
def roleid
  segments = login.split('/')
  kind, identifier =
    if segments.length == 1
      ['user', login]
    else
      [segments.first, segments[1..-1].join('/')]
    end
  [account, kind, identifier].join(':')
end
validated_global_privilege()

Returns the global privilege which was present on the request, if and only if the user actually has that privilege.

Returns nil if no global privilege was present in the request headers, or if a global privilege was present in the request headers, but the user doesn’t actually have that privilege according to the Conjur server.

# File lib/conjur/rack/user.rb, line 38
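# The global privilege asserted on the request, but only once the Conjur
# server has confirmed the user actually holds it; nil otherwise.
#
# The check runs once per instance (tracked by @validated_global_privilege)
# and fails closed: when no privilege was requested, when the API client does
# not support global_privilege_permitted?, or when the server denies it,
# @privilege is cleared so later callers never observe an unverified value.
#
# @return [String, nil] the validated privilege name, or nil
def validated_global_privilege
  unless @validated_global_privilege
    # api builds a new client on every call, so obtain it once (and only when
    # there is a privilege to check at all).
    client = @privilege && api
    permitted = client &&
                client.respond_to?(:global_privilege_permitted?) &&
                client.global_privilege_permitted?(@privilege)
    @privilege = nil unless permitted
    @validated_global_privilege = true
  end
  @privilege
end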

Protected Instance Methods

load_jwt(jwt)
# File lib/conjur/rack/user.rb, line 135
# Populates @login and @attributes from a parsed JWT.
#
# @param jwt [Object] responds to #claims (Hash) and #header (Hash or nil)
# @raise [RuntimeError] when the claims carry no 'sub' field
def load_jwt(jwt)
  claims = jwt.claims
  header = jwt.header || {}
  # Expose everything from the token. Hash#merge lets a header key override a
  # claim of the same name in @attributes.
  # NOTE(review): confirm that header-over-claims precedence is intended;
  # @login itself is always taken from the claims.
  @attributes = claims.merge(header)
  @login = claims['sub']
  raise "No 'sub' field in claims" unless @login
end
load_legacy(data)
# File lib/conjur/rack/user.rb, line 124
# Populates @login (and @attributes) from a legacy, non-JWT token.
#
# Note that the values are read from the token's own 'data' field rather than
# from the +data+ argument; parse_token passes token['data'] in, so the two
# are the same object on that path. The argument decides the format only.
#
# @param data [String, Hash] a bare login, or a hash with a 'login' key whose
#   remaining entries become the attributes (the token's hash is cloned, not
#   mutated)
# @raise [RuntimeError] when a hash lacks 'login', or data is neither type
def load_legacy(data)
  case data
  when String
    @login = token['data']
  when Hash
    @attributes = token['data'].clone
    @login = @attributes.delete('login')
    raise "No 'login' field in token data" unless @login
  else
    raise "Expecting String or Hash token data, got #{data.class.name}"
  end
end
parse_token()
# File lib/conjur/rack/user.rb, line 111
# Lazily decodes the token into @login / @attributes; a no-op once @login is set.
#
# The JWT format is tried first; on success @token is replaced by the parsed
# JWT object. A Slosilo::JWT ArgumentError means the token is not a JWT, so
# the legacy 'data' payload is loaded instead.
#
# NOTE(review): an ArgumentError raised inside load_jwt also lands in the
# rescue and is retried as a legacy token — confirm that is intended.
#
# @raise [RuntimeError] "malformed token" when the token is neither a JWT nor
#   carries a 'data' field
def parse_token
  return if @login

  @token = Slosilo::JWT token
  load_jwt token
rescue ArgumentError
  legacy = token['data']
  raise "malformed token" unless legacy
  load_legacy legacy
end