class Conjur::DSL2::Planner::PrivilegeFacts
Privilege grants are [ roleid, privilege, resourceid, grant_option ].
add_existing_permission(permission)
Add a permission that is already held.
# File lib/conjur/dsl2/planner/facts.rb, line 172
# Record a permission that is already held on the server.
#
# The grant is stored twice: as a [ role, privilege, resource ] triple in
# `existing`, and with the grant option appended in `existing_with_admin_flag`.
#
# @param permission [Hash] a permission record read through its 'role',
#   'privilege', 'resource' and 'grant_option' keys
# @return the result of `existing_with_admin_flag.add` (not meaningful to callers)
def add_existing_permission permission
  role, privilege, resource, grant_option =
    permission.values_at('role', 'privilege', 'resource', 'grant_option')
  existing.add [ role, privilege, resource ]
  existing_with_admin_flag.add [ role, privilege, resource, grant_option ]
end
add_requested_permission(permit)
Add a permit to the set of requested grants.
# File lib/conjur/dsl2/planner/facts.rb, line 147 def add_requested_permission permit Array(permit.roles).each do |member| Array(permit.privileges).each do |privilege| Array(permit.resources).each do |resource| requested.add [ member.role.roleid, privilege, resource.resourceid ] requested_with_admin_flag.add [ member.role.roleid, privilege, resource.resourceid, !!member.admin ] end end end end
remove_revoked_permission(deny)
Removes a Types::Deny from the set of requested grants.
# File lib/conjur/dsl2/planner/facts.rb, line 159 def remove_revoked_permission deny Array(deny.roles).each do |role| Array(deny.privileges).each do |privilege| Array(deny.resources).each do |resource| requested.delete [ role.roleid, privilege, resource.resourceid ] requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, true ] requested_with_admin_flag.delete [ role.roleid, privilege, resource.resourceid, false ] end end end end
resource_permissions(resource, privileges) { |permission| ... }
Enumerate all existing permissions for the specified resource. Only permissions that apply one of the specified privileges are considered. Each permission is yielded to the block.
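# File lib/conjur/dsl2/planner/facts.rb, line 122
# Enumerate all existing permissions for the specified resource. Only
# permissions that apply one of the specified privileges are considered.
# Each permission is yielded to the block.
#
# The permissions are read from the resource record on the server. When that
# fetch fails with RestClient::ResourceNotFound the resource is treated as
# having no permissions: if the resource does exist, a warning is printed to
# stderr pointing at 'elevate' / 'reveal' mode (the record is presumably
# hidden from the current role), and nothing is yielded, so the caller sees no
# existing permissions for that resource. A record that carries no
# 'permissions' key is likewise treated as empty instead of failing on nil.
#
# @param resource [#resourceid] the resource whose permissions are enumerated
# @param privileges [#member?] the privileges of interest
# @yieldparam permission [Hash] one permission entry from the server record
# @return [Array<Hash>] the permission entries that matched `privileges`
def resource_permissions resource, privileges, &block
  resource_id = resource.resourceid
  remote = api.resource(resource_id)
  permissions = begin
    # Array() guards against a record without a 'permissions' key (nil).
    Array(JSON.parse(remote.get)['permissions'])
  rescue RestClient::ResourceNotFound
    if remote.exists?
      $stderr.puts "WARNING: Unable to fetch permissions of resource #{resource_id}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
    end
    []
  end
  permissions.select { |p| privileges.member?(p['privilege']) }.each do |permission|
    yield permission
  end
end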
validate!()
Validate that all the requested roles exist.
# File lib/conjur/dsl2/planner/facts.rb, line 137
# Validate that all the requested roles and resources exist.
#
# Walks the [ roleid, privilege, resourceid ] triples in `requested` and calls
# `validate_role_exists!` once per distinct roleid, then
# `validate_resource_exists!` once per distinct resourceid. Whatever those
# helpers raise propagates unchanged.
#
# @return not meaningful to callers
def validate!
  rows = requested.to_a
  rows.map(&:first).uniq.each { |roleid| validate_role_exists! roleid }
  rows.map { |row| row[2] }.uniq.each { |resourceid| validate_resource_exists! resourceid }
end