class Conjur::DSL2::Planner::PrivilegeFacts

Privilege grants are [ roleid, privilege, resourceid, grant_option ].

Public Instance Methods

add_existing_permission(permission)

Add a permission that is already held.

# File lib/conjur/dsl2/planner/facts.rb, line 172
# Record a permission the server reports as already granted.
#
# @param permission [Hash] one entry of a resource's +permissions+ list,
#   read through the string keys 'role', 'privilege', 'resource' and
#   'grant_option'.
# @return [void]
def add_existing_permission permission
  role = permission['role']
  privilege = permission['privilege']
  resource = permission['resource']
  grant_option = permission['grant_option']

  # Tracked twice: once as a plain grant, once including the grant option,
  # so the two can be compared independently of each other.
  existing.add [ role, privilege, resource ]
  existing_with_admin_flag.add [ role, privilege, resource, grant_option ]
end
add_requested_permission(permit)

Add the grants of a Types::Permit to the set of requested grants.

# File lib/conjur/dsl2/planner/facts.rb, line 147
# Expand a permit into one requested grant per (member, privilege, resource)
# combination.
#
# @param permit [#roles, #privileges, #resources] each attribute may be a
#   single value or a list; +roles+ elements respond to +role.roleid+ and
#   +admin+, +resources+ elements to +resourceid+.
# @return [void]
def add_requested_permission permit
  members = Array(permit.roles)
  privileges = Array(permit.privileges)
  resources = Array(permit.resources)

  # Cartesian product yields in the same member -> privilege -> resource
  # order a nested loop would.
  members.product(privileges, resources).each do |member, privilege, resource|
    roleid = member.role.roleid
    resourceid = resource.resourceid
    requested.add [ roleid, privilege, resourceid ]
    # The admin flag is normalised to a strict boolean so nil and false
    # compare equal in the set.
    requested_with_admin_flag.add [ roleid, privilege, resourceid, !!member.admin ]
  end
end
remove_revoked_permission(deny)

Removes a Types::Deny from the set of requested grants.

# File lib/conjur/dsl2/planner/facts.rb, line 159
# Drop every requested grant that a deny covers, whatever its admin flag.
#
# @param deny [#roles, #privileges, #resources] each attribute may be a
#   single value or a list; +roles+ elements respond to +roleid+,
#   +resources+ elements to +resourceid+.
# @return [void]
def remove_revoked_permission deny
  roles = Array(deny.roles)
  privileges = Array(deny.privileges)
  resources = Array(deny.resources)

  roles.product(privileges, resources).each do |role, privilege, resource|
    key = [ role.roleid, privilege, resource.resourceid ]
    requested.delete key
    # The flagged set stores the admin bit as a strict boolean, so both
    # variants must be removed.
    [ true, false ].each do |admin|
      requested_with_admin_flag.delete(key + [ admin ])
    end
  end
end
resource_permissions(resource, privileges) { |permission| ... }

Enumerate all existing permissions for the specified resource. Only permissions that apply one of the specified privileges are considered. Each matching permission is yielded to the block.

# File lib/conjur/dsl2/planner/facts.rb, line 122
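# Yield each permission currently held on +resource+ whose privilege is in
# +privileges+.
#
# A response without a +permissions+ key no longer raises NoMethodError on
# nil: it is treated like an empty list.
#
# @param resource [#resourceid] the resource whose permissions are fetched
# @param privileges [#member?] privileges of interest (a Set, Array, ...)
# @yieldparam permission [Hash] one server-side permission record
# @return [void]
def resource_permissions resource, privileges, &block
  remote = api.resource(resource.resourceid)
  permissions = begin
    # Array() turns a missing/nil 'permissions' entry into [].
    Array(JSON.parse(remote.get)['permissions'])
  rescue RestClient::ResourceNotFound
    # A not-found answer can come back for a resource that does exist; the
    # exists? check separates that case, which the warning attributes to
    # the policy-management mode in use, from a genuinely absent resource.
    if remote.exists?
      $stderr.puts "WARNING: Unable to fetch permissions of resource #{resource.resourceid}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
    end
    # Permissions that could not be read are treated as absent, so the
    # caller plans without knowledge of any grant it was not shown.
    []
  end
  permissions.select { |p| privileges.member?(p['privilege']) }.each do |permission|
    yield permission
  end
end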
validate!()

Validate that all the requested roles exist.

# File lib/conjur/dsl2/planner/facts.rb, line 137
# Check that every role and every resource named by a requested grant
# exists, roles first.
#
# Requested grants are rows of [ roleid, privilege, resourceid ]; the
# column checks are delegated to validate_role_exists! and
# validate_resource_exists!, which are expected to raise on failure.
#
# @return [void]
def validate!
  rows = requested.to_a

  role_ids = rows.map(&:first).uniq
  role_ids.each { |roleid| validate_role_exists! roleid }

  resource_ids = rows.map { |row| row[2] }.uniq
  resource_ids.each { |resourceid| validate_resource_exists! resourceid }
end