Class: Conjur::Resource
Inherits: RestClient::Resource (ancestry: Object > RestClient::Resource > Conjur::Resource)
Includes: Exists, HasAttributes, PathBased
Defined in: lib/conjur/resource.rb
Class Method Summary
- .all(opts = {}) ⇒ Object
  Returns all resources (optionally qualified by kind) visible to the user with the given credentials.

Instance Method Summary
- #annotations ⇒ Object (also: #tags)
  Returns a Conjur::Annotations instance to read and manipulate this resource's annotations.
- #create(options = {}) ⇒ Object
- #delete(options = {}) ⇒ Object
- #deny(privilege, role, options = {}) ⇒ Object
- #give_to(owner, options = {}) ⇒ Object
  Changes the owner of the resource.
- #identifier ⇒ Object
- #ownerid ⇒ Object (also: #owner)
- #permit(privilege, role, options = {}) ⇒ Object
- #permitted?(privilege, options = {}) ⇒ Boolean
  True if the logged-in role, or a role specified using the acting_as option, has the specified privilege on this resource.
- #permitted_roles(permission, options = {}) ⇒ Object
  Lists the roles that have the specified permission on the resource.
- #resourceid ⇒ Object (also: #resource_id)
  Follows the same "account:kind:identifier" naming convention as Role#roleid.
Methods included from Exists
Methods included from PathBased
Methods included from HasAttributes
#attributes, #attributes=, #invalidate, #refresh, #save, #to_json
Class Method Details
.all(opts = {}) ⇒ Object
Returns all resources (optionally qualified by kind) visible to the user with the given credentials. Options are:
- host: the authz service URL (required)
- credentials: the options hash handed to RestClient::Resource.new, e.g. the authorization headers (defaults to {})
- account (required)
- kind (optional)
- search (optional)
- limit (optional)
- offset (optional)
- acting_as (optional; placed in the query string together with search, limit and offset)

A missing host or account raises ArgumentError before any request is made. Note that kind is interpolated straight into the request path, while the query options are URL-encoded by Hash#to_query (an ActiveSupport core extension); pass kind from a fixed set of known resource kinds rather than from untrusted input.

    # File 'lib/conjur/resource.rb', line 141
    def self.all opts = {}
      host, credentials, account, kind = opts.values_at(*[:host, :credentials, :account, :kind])
      fail ArgumentError, "host and account are required" unless [host, account].all?
      credentials ||= {}

      path = "#{account}/resources"
      path += "/#{kind}" if kind
      # acting_as, limit, offset and search are URL-encoded into the query string
      query = opts.slice(:acting_as, :limit, :offset, :search)
      path += "?#{query.to_query}" unless query.empty?
      resource = RestClient::Resource.new(host, credentials)[path]
      JSON.parse resource.get
    end
Instance Method Details
#annotations ⇒ Object (also known as: tags)
Returns a Conjur::Annotations instance to read and manipulate this resource's annotations. The instance is memoized, so repeated calls return the same object.

    # File 'lib/conjur/resource.rb', line 126
    def annotations
      @annotations ||= Conjur::Annotations.new(self)
    end
#create(options = {}) ⇒ Object
Creates the resource with a PUT to its own URL; options are sent as the PUT payload and are logged (as JSON) when present.

    # File 'lib/conjur/resource.rb', line 46
    def create(options = {})
      log do |logger|
        logger << "Creating resource #{resourceid}"
        unless options.empty?
          logger << " with options #{options.to_json}"
        end
      end
      self.put(options)
    end
#delete(options = {}) ⇒ Object
Deletes the resource; options are logged and then forwarded unchanged to RestClient::Resource#delete (bare super passes the same arguments).

    # File 'lib/conjur/resource.rb', line 67
    def delete(options = {})
      log do |logger|
        logger << "Deleting resource #{resourceid}"
        unless options.empty?
          logger << " with options #{options.to_json}"
        end
      end
      super
    end
#deny(privilege, role, options = {}) ⇒ Object
Revokes one or more privileges from a role on this resource. privilege may be a single string or an array (eachable wraps a scalar); role may be a role id string or an object responding to roleid (cast). Each privilege is revoked with its own POST, so a failure part-way through leaves earlier revocations in place.

    # File 'lib/conjur/resource.rb', line 96
    def deny(privilege, role, options = {})
      role = cast(role, :roleid)
      eachable(privilege).each do |p|
        log do |logger|
          logger << "Denying #{p} on resource #{resourceid} by #{role}"
          unless options.empty?
            logger << " with options #{options.to_json}"
          end
        end
        self["?deny&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
      end
    end
#give_to(owner, options = {}) ⇒ Object
Changes the owner of the resource. owner may be a role id string or an object responding to roleid; it is sent as the owner field of a PUT payload merged with options.

    # File 'lib/conjur/resource.rb', line 62
    def give_to(owner, options = {})
      owner = cast(owner, :roleid)
      self.put(options.merge(owner: owner))
    end
#identifier ⇒ Object
The resource's identifier, taken from the URL path segments from index 3 onwards (everything after the kind). Because the remaining segments are all included, an identifier may itself contain '/'.

    # File 'lib/conjur/resource.rb', line 29
    def identifier
      match_path(3..-1)
    end
#ownerid ⇒ Object (also known as: owner)
The id of the role that owns this resource, read from the cached attributes.

    # File 'lib/conjur/resource.rb', line 33
    def ownerid
      attributes['owner']
    end
#permit(privilege, role, options = {}) ⇒ Object
Grants one or more privileges to a role on this resource. privilege may be a single string or an array (eachable wraps a scalar); role may be a role id string or an object responding to roleid (cast). A RestClient::Forbidden whose body is exactly "Privilege already granted." is swallowed so that repeated grants are harmless; any other Forbidden is re-raised, and each privilege is granted with its own POST.

    # File 'lib/conjur/resource.rb', line 77
    def permit(privilege, role, options = {})
      role = cast(role, :roleid)
      eachable(privilege).each do |p|
        log do |logger|
          logger << "Permitting #{p} on resource #{resourceid} by #{role}"
          unless options.empty?
            logger << " with options #{options.to_json}"
          end
        end
        begin
          self["?permit&privilege=#{query_escape p}&role=#{query_escape role}"].post(options)
        rescue RestClient::Forbidden
          # TODO: Remove once permit is idempotent
          raise $! unless $!.http_body == "Privilege already granted."
        end
      end
    end
#permitted?(privilege, options = {}) ⇒ Boolean
True if the logged-in role, or a role specified using the acting_as option, has the specified privilege on this resource.

The check is fail-closed: it returns false both when the privilege is denied (RestClient::Forbidden) and when the resource does not exist (RestClient::ResourceNotFound), so a caller cannot tell a misspelled resource id from a missing grant. Any other error propagates.

    # File 'lib/conjur/resource.rb', line 111
    def permitted?(privilege, options = {})
      params = {
        check: true,
        privilege: query_escape(privilege)
      }
      params[:acting_as] = options[:acting_as] if options[:acting_as]
      self["?#{params.to_query}"].get(options)
      true
    rescue RestClient::Forbidden
      false
    rescue RestClient::ResourceNotFound
      false
    end
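The following is an added example, not code from the conjur-api-ruby gem or from this class: an in-memory model of the permit / deny / permitted? / permitted_roles semantics described on this page, written to show what the fail-closed behaviour of #permitted? means for a caller. Forbidden and ResourceNotFound are stand-ins for the RestClient::Forbidden and RestClient::ResourceNotFound errors the gem rescues; acting_as simply substitutes the role being checked, and the model does not enforce who may act as whom (the server decides that, and this page does not describe the rule). Resource and role ids are constructed for the example.

```ruby
require 'set'

# Stand-ins for the RestClient errors a real Conjur server would produce.
class Forbidden < StandardError; end
class ResourceNotFound < StandardError; end

class PrivilegeModel
  def initialize
    @resources = Set.new
    # resourceid => { privilege => Set of role ids }
    @grants = Hash.new { |h, rid| h[rid] = Hash.new { |g, priv| g[priv] = Set.new } }
  end

  def create(resourceid)
    @resources << resourceid
  end

  # Like Conjur::Resource#permit: +privilege+ is one string or an array
  # (eachable(privilege)).  Granting twice is harmless, which is what the
  # gem's rescue of "Privilege already granted." achieves over HTTP.
  def permit(resourceid, privilege, role)
    raise ResourceNotFound, resourceid unless @resources.include?(resourceid)
    Array(privilege).each { |p| @grants[resourceid][p] << role }
  end

  # Like #deny: revoke one or more privileges from a role.
  def deny(resourceid, privilege, role)
    raise ResourceNotFound, resourceid unless @resources.include?(resourceid)
    Array(privilege).each { |p| @grants[resourceid][p].delete(role) }
  end

  # Like #permitted_roles: which roles hold +privilege+ on the resource.
  def permitted_roles(resourceid, privilege)
    raise ResourceNotFound, resourceid unless @resources.include?(resourceid)
    @grants[resourceid][privilege].to_a.sort
  end

  # The raw check, raising the way the server responds: not-found for an
  # unknown resource, forbidden when the role lacks the privilege.
  def check!(resourceid, privilege, role)
    raise ResourceNotFound, resourceid unless @resources.include?(resourceid)
    unless @grants[resourceid][privilege].include?(role)
      raise Forbidden, "#{role} lacks #{privilege} on #{resourceid}"
    end
    true
  end

  # Like #permitted?: both failure modes collapse to false, so a misspelled
  # resource id is indistinguishable from a missing grant.  That is the right
  # default for an authorization guard; use check! when diagnosing a denial.
  def permitted?(resourceid, privilege, role, acting_as: nil)
    check!(resourceid, privilege, acting_as || role)
  rescue Forbidden, ResourceNotFound
    false
  end
end

# Constructed scenario for the example.
def demo_model
  acl = PrivilegeModel.new
  acl.create("myorg:variable:db/password")
  acl.permit("myorg:variable:db/password", %w[read execute], "myorg:user:alice")
  acl.permit("myorg:variable:db/password", "read", "myorg:user:alice") # repeat grant: no error
  acl
end
```

In caller code, gate the sensitive action on the boolean (deny on false) and, when a user reports an unexpected denial, reproduce it with the raising variant so the 404-versus-403 distinction is visible in the error rather than hidden behind false.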
#permitted_roles(permission, options = {}) ⇒ Object
Lists the roles that have the specified permission on the resource. The request goes to the authz host (Conjur::Authz::API.host) using this resource's own RestClient options as credentials. kind and identifier are path-escaped before being placed in the URL; permission is interpolated as-is, so it should be one of the known privilege names rather than untrusted input.

    # File 'lib/conjur/resource.rb', line 57
    def permitted_roles(permission, options = {})
      JSON.parse RestClient::Resource.new(Conjur::Authz::API.host, self.options)["#{account}/roles/allowed_to/#{permission}/#{path_escape kind}/#{path_escape identifier}"].get(options)
    end
#resourceid ⇒ Object (also known as: resource_id)
The fully qualified id of the resource, "account:kind:identifier", following the same naming convention as Role#roleid. Since the identifier can itself contain ':' (see #identifier), the id cannot be safely split on every colon.

    # File 'lib/conjur/resource.rb', line 40
    def resourceid
      [account, kind, identifier].join ':'
    end
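The following is an added example, not code from the conjur-api-ruby gem: building and parsing "account:kind:identifier" ids of the form #resourceid returns, and turning one into the "kind/identifier" path fragment that #permitted_roles constructs. The sample ids are constructed for the example; CGI.escape is an assumption standing in for the gem's own path_escape helper, which may encode a slightly different character set; and role_id_of is an assumption about what cast(role, :roleid) does at the #permit / #deny / #give_to call sites (accept a role id string or an object responding to roleid).

```ruby
require 'cgi'

# Constructed sample ids.  The first identifier contains both ':' and '/'.
SAMPLE_IDS = [
  "myorg:variable:prod/db:password",
  "myorg:user:alice",
  "myorg:group:ops/admins",
].freeze

ResourceId = Struct.new(:account, :kind, :identifier) do
  # Same join as Conjur::Resource#resourceid.
  def to_s
    [account, kind, identifier].join(':')
  end

  # "kind/identifier" with each segment escaped, the shape #permitted_roles
  # puts into the URL path.  CGI.escape is an assumption here.
  def path_fragment
    [kind, identifier].map { |seg| CGI.escape(seg) }.join('/')
  end
end

# Split on at most two colons so a ':' inside the identifier survives; reject
# ids with an empty account, kind or identifier.
def parse_resource_id(str)
  account, kind, identifier = str.split(':', 3)
  if [account, kind, identifier].any? { |part| part.nil? || part.empty? }
    raise ArgumentError, "malformed resource id: #{str.inspect}"
  end
  ResourceId.new(account, kind, identifier)
end

# The tempting but wrong version: an unlimited split truncates
# "prod/db:password" to "prod/db".
def naive_identifier(str)
  str.split(':')[2]
end

# Assumed mirror of cast(role, :roleid): a role id string passes through, an
# object that responds to #roleid is asked for it.
def role_id_of(role)
  role.respond_to?(:roleid) ? role.roleid : role.to_s
end

def round_trip?(str)
  parse_resource_id(str).to_s == str
end
```

The same three-way split applies to role ids handed to #permit and #deny, which follow the identical convention.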