Module: Cloudant::Security

Included in: API
Defined in: lib/cloudant/security.rb


Class Method Details

.check_roles(roles) ⇒ Object

Checks the input array to make sure it contains only valid roles. Any invalid roles are removed. If the array mixes valid and invalid roles, the new user is created with only the valid roles. If the input is empty, or no valid roles are present, nil is returned and no user is created.

# File 'lib/cloudant/security.rb', line 71

def self.check_roles(roles)
  # The complete set of Cloudant database roles; anything else is dropped.
  all_roles = ["_reader","_writer","_admin","_replicator","_db_updates","_design","_shards","_security"]
  validated = []

  # Non-array input (nil, a bare string, a symbol) yields no roles at all.
  if roles && roles.is_a?(Array)
    roles.each do |role|
      # Accept symbols or strings, with or without the leading underscore:
      # :reader, "reader" and "_reader" all normalize to "_reader".
      role_str = role.to_s
      role_str = role_str[1..-1] if role_str[0] == "_"
      role_str = "_#{role_str}"

      validated << role_str if all_roles.include?(role_str)
    end
  end

  # Callers (new_user) treat nil as "nothing valid, do not create a user".
  validated = nil if validated.empty?
  validated
end

Instance Method Details

#create_api_keys ⇒ Object

Returns => "str", "key" => "str", "ok" => true

# File 'lib/cloudant/security.rb', line 28

def create_api_keys
  @conn.query({url_path: "_api/v2/api_keys", method: :post})
end

#delete_user(user) ⇒ Object

Accepts a string: a key with permissions already existing in the database. If the key isn't found within the database, no changes are made.

# File 'lib/cloudant/security.rb', line 59

def delete_user(user)
  users    = roles
  existing = users["cloudant"]

  # Hash#delete is a no-op for an unknown key, so the document is
  # written back unchanged when the key is not present.
  existing.delete(user) if existing
  update_roles(users)
end

#new_user(user_roles) ⇒ Object

Method to create and authorize a new set of credentials. :new_user accepts an array of either symbols or strings, corresponding to the roles available in Cloudant as seen in all_roles in .check_roles. Returns the credentials and roles => "str", "key" => "str", "ok" => true, "roles": []

# File 'lib/cloudant/security.rb', line 36

def new_user(user_roles)
  checked = Security.check_roles(user_roles)

  if checked
    users = roles
    keys  = create_api_keys

    existing_users    = users["cloudant"]
    users["cloudant"] = {} unless existing_users # If no users exist a blank hash is returned instead of {"cloudant": {}}

    # Grant only the validated roles to the freshly minted key.
    users["cloudant"][keys["key"]] = checked
    keys["roles"] = checked

    update_roles(users)
  else
    raise ArgumentError.new('invalid - permitted roles: reader, writer, admin, replicator, db_updates, design, shards, security')
  end

  keys
end

#permissions ⇒ Object

The Security Module contains methods to read and modify existing users, permissions, and credentials. The default credentials provided upon account creation have _admin level access to all account databases; any subsequent users or API keys created must have permissions explicitly set.

View permissions for the current user. Can only be accessed after performing cookie auth.

# File 'lib/cloudant/security.rb', line 11

def permissions
  @conn.query({url_path: "_session", method: :get})
end

#roles ⇒ Object

View existing user permissions in the database. Returns => {"key" => ["_permission"]}

# File 'lib/cloudant/security.rb', line 17

def roles
  @conn.query({url_path: "_api/v2/db/#{database}/_security", method: :get})
end

#update_roles(doc) ⇒ Object

Grant or revoke permissions. Accepts a document: => {"key" => ["_permission"]}

# File 'lib/cloudant/security.rb', line 23

def update_roles(doc)
  @conn.query({url_path: "_api/v2/db/#{database}/_security", opts: doc, method: :put})
end
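The following is an added example, not code from the cloudant gem, showing the grant/revoke flow that .check_roles, #new_user, #delete_user and #update_roles implement against the _security document, plus a small audit of which keys hold elevated roles. It assumes an in-memory stand-in (FakeConn, constructed here) for the gem's @conn, a database name "orders" and the key names "key-a"/"key-b", all of which are constructed for illustration; grant takes an existing key rather than calling _api/v2/api_keys, and normalize_roles reproduces the page's check_roles normalization in compact form.

```ruby
require "json"

# Constructed stand-in for the gem's @conn: keeps one _security document per
# url_path in memory so the flow can be exercised offline.
class FakeConn
  attr_reader :puts_seen

  def initialize
    @docs = Hash.new { |h, k| h[k] = {} }
    @puts_seen = []
  end

  # Only the two verbs the security methods use are supported.
  def query(req)
    path = req[:url_path]
    case req[:method]
    when :get
      JSON.parse(JSON.generate(@docs[path])) # deep copy, like a fresh GET
    when :put
      @puts_seen << req[:opts]
      @docs[path] = req[:opts]
      { "ok" => true }
    else
      raise ArgumentError, "unsupported method #{req[:method]}"
    end
  end
end

ALL_ROLES = %w[_reader _writer _admin _replicator _db_updates _design _shards _security].freeze
# Roles whose holders can change other holders' permissions; worth reviewing
# whenever a new key is minted.
ELEVATED = %w[_admin _security].freeze

# Same rules as the page's check_roles: symbols or strings, with or without
# one leading underscore; unknown roles dropped; nil when nothing survives.
def normalize_roles(roles)
  return nil unless roles.is_a?(Array)
  out = roles.map { |r| "_" + r.to_s.sub(/\A_/, "") }.select { |r| ALL_ROLES.include?(r) }
  out.empty? ? nil : out
end

# Grant roles to a key in the database's _security document (mirrors
# new_user + update_roles, minus the API-key creation).
def grant(conn, db, key, roles)
  checked = normalize_roles(roles) or raise ArgumentError, "no valid roles"
  path = "_api/v2/db/#{db}/_security"
  doc = conn.query(url_path: path, method: :get)
  doc["cloudant"] ||= {}           # an empty database has no "cloudant" key yet
  doc["cloudant"][key] = checked
  conn.query(url_path: path, opts: doc, method: :put)
  checked
end

# Remove a key from the document (mirrors delete_user); unknown keys are a no-op.
def revoke(conn, db, key)
  path = "_api/v2/db/#{db}/_security"
  doc = conn.query(url_path: path, method: :get)
  doc["cloudant"]&.delete(key)
  conn.query(url_path: path, opts: doc, method: :put)
  doc
end

# Audit helper: keys in a _security document that hold an elevated role.
def elevated_keys(doc)
  (doc["cloudant"] || {}).select { |_key, held| (held & ELEVATED).any? }.keys
end

if __FILE__ == $PROGRAM_NAME
  conn = FakeConn.new
  grant(conn, "orders", "key-a", [:reader])
  grant(conn, "orders", "key-b", ["_admin", :writer, :bogus])
  doc = conn.query(url_path: "_api/v2/db/orders/_security", method: :get)
  puts JSON.pretty_generate(doc)
  puts "elevated: #{elevated_keys(doc).inspect}"
  puts "after revoke: #{elevated_keys(revoke(conn, 'orders', 'key-b')).inspect}"
end
```

Every PUT replaces the whole document, which is why both grant and revoke read it first; a caller that wrote only the new key would silently wipe every other key's permissions.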