Class: Conjur::Policy::Planner::Permit
Defined in: lib/conjur/policy/planner/permissions.rb
Overview
Plans a permission.
The Permit record can list multiple roles, privileges, and resources. Each privilege should be allowed to each role on each resource. If the replace
option is set, then any existing privilege on an existing resource that is not given should be denied.
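The following is an added example, not code from the Conjur gem: a self-contained model of the planning rule stated above. It expands a Permit record into (role, privilege, resource) grants, emits a permit for every grant not already held, and, when replace is set, emits a deny for every existing grant on one of the listed resources that the record does not request. `PermitRecord`, `Grant`, `plan_permit`, `sample_plan` and the existing-grant data are all constructed for illustration; in particular, the decision to revoke grants held by roles the record does not mention is an assumption drawn from the wording "any existing privilege ... that is not given".

```ruby
# Added example (not the Conjur gem's code): a minimal model of
# Permit planning with the replace option. Names are made up here.

# Mirrors the fields a Permit record carries.
PermitRecord = Struct.new(:roles, :privileges, :resources, :replace,
                          keyword_init: true)

# One (role, privilege, resource) grant. Struct gives value equality and
# hashing, so Array difference works on these.
Grant = Struct.new(:role, :privilege, :resource)

# Returns the actions a planner would emit: [:permit, grant] for every
# requested grant that does not exist yet and, when replace is set,
# [:deny, grant] for every existing grant on a listed resource that the
# record does not request.
def plan_permit(record, existing)
  requested = record.roles.product(record.privileges, record.resources)
                    .map { |role, priv, res| Grant.new(role, priv, res) }

  actions = (requested - existing).map { |g| [:permit, g] }

  if record.replace
    # Revocation is scoped to the resources this record covers; grants on
    # other resources are untouched. Assumption: grants held by roles the
    # record does not mention are revoked as well.
    on_listed = existing.select { |g| record.resources.include?(g.resource) }
    actions += (on_listed - requested).map { |g| [:deny, g] }
  end

  actions
end

# Constructed sample state, standing in for what the real planner reads
# from the server through PrivilegeFacts.
EXISTING = [
  Grant.new("alice", "read", "db"),
  Grant.new("alice", "update", "db"),
  Grant.new("bob", "read", "db"),
  Grant.new("alice", "read", "other")
].freeze

# Plans a record that gives alice read and execute on db.
def sample_plan(replace:)
  record = PermitRecord.new(roles: ["alice"], privileges: %w[read execute],
                            resources: ["db"], replace: replace)
  plan_permit(record, EXISTING)
end

if $PROGRAM_NAME == __FILE__
  sample_plan(replace: true).each do |verb, g|
    puts "#{verb} #{g.role} #{g.privilege} #{g.resource}"
  end
end
```

With replace set, alice keeps read on db (already held and still requested), gains execute, loses update, and bob loses read on db; alice's read on other is not touched because that resource is not in the record. Without replace the same record produces only the single permit.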
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary
Methods inherited from Base
#account, #action, #create_record, #error, #initialize, #log, #record_type, #resource, #resource_exists?, #role, #role_exists?, #role_record, #update_record
Methods included from Logger
Constructor Details
This class inherits a constructor from Conjur::Policy::Planner::Base
Instance Method Details
#do_plan ⇒ Object
```ruby
# File 'lib/conjur/policy/planner/permissions.rb', line 13

def do_plan
  facts = PrivilegeFacts.new self

  # The PrivilegeFacts method names and the block parameter on the next
  # lines were lost when this page was extracted and are left as gaps
  # (marked ____) rather than guessed.
  facts.____ record

  privileges = Array(record.privileges)

  Array(record.resources).each do |resource|
    facts.____(resource, privileges) do |____|
      facts.____
    end
  end

  facts.validate!

  # Each requested grant becomes a Permit action; admin marks the
  # grant as being held with the admin option.
  facts.grants_to_apply.each do |grant|
    role, privilege, resource, admin = grant
    permit = Conjur::Policy::Types::Permit.new
    permit.resource = resource_record resource
    permit.privilege = privilege
    permit.role = Conjur::Policy::Types::Member.new role_record(role)
    permit.role.admin = true if admin
    action permit
  end

  # With replace, existing grants not given in the record become Deny actions.
  if record.replace
    facts.grants_to_revoke.each do |grant|
      roleid, privilege, resourceid = grant
      deny = Conjur::Policy::Types::Deny.new
      deny.resource = resource_record resourceid
      deny.privilege = privilege
      deny.role = role_record(roleid)
      action deny
    end
  end
end
```