Class: Conjur::DSL2::Planner::RoleFacts
Defined in: lib/conjur/dsl2/planner/facts.rb
Overview
Role grants are a tuple of [ roleid, member_roleid, admin_option ].
Instance Attribute Summary
Attributes inherited from BaseFacts
#existing, #existing_with_admin_flag, #planner, #requested, #requested_with_admin_flag
Instance Method Summary
- #add_existing_grant(role, grant) ⇒ Object
  Add a Conjur::API::Rolerevoke that is already held.
- #add_requested_grant(grant) ⇒ Object
  Add a Types::Grant to the set of requested grants.
- #remove_revoked_grant(revoke) ⇒ Object
  Removes a Types::Revoke from the set of requested grants.
- #role_grants(role, &block) ⇒ Object
  Enumerate all existing grants on the specified role.
- #validate! ⇒ Object
  Validate that all the requested roles exist.
Methods inherited from BaseFacts
#api, #grants_to_apply, #grants_to_revoke, #initialize, #validate_resource_exists!, #validate_role_exists!
Constructor Details
This class inherits a constructor from Conjur::DSL2::Planner::BaseFacts
Instance Method Details
#add_existing_grant(role, grant) ⇒ Object
Add a Conjur::API::Rolerevoke that is already held.

    # File 'lib/conjur/dsl2/planner/facts.rb', line 110
    def add_existing_grant role, grant
      existing.add [ role.roleid, grant.member.roleid ]
      existing_with_admin_flag.add [ role.roleid, grant.member.roleid, grant.admin_option ]
    end

#add_requested_grant(grant) ⇒ Object
Add a Types::Grant to the set of requested grants.

    # File 'lib/conjur/dsl2/planner/facts.rb', line 89
    def add_requested_grant grant
      Array(grant.roles).each do |role|
        Array(grant.members).each do |member|
          requested.add [ role.roleid, member.role.roleid ]
          requested_with_admin_flag.add [ role.roleid, member.role.roleid, !!member.admin ]
        end
      end
    end

#remove_revoked_grant(revoke) ⇒ Object
Removes a Types::Revoke from the set of requested grants.

    # File 'lib/conjur/dsl2/planner/facts.rb', line 99
    def remove_revoked_grant revoke
      Array(revoke.roles).each do |role|
        Array(revoke.members).each do |member|
          requested.delete [ role.roleid, member.roleid ]
          # Delete both admin variants of the tuple, whichever one was requested.
          requested_with_admin_flag.delete [ role.roleid, member.roleid, true ]
          requested_with_admin_flag.delete [ role.roleid, member.roleid, false ]
        end
      end
    end

#role_grants(role, &block) ⇒ Object
Enumerate all existing grants on the specified role. Each grant is yielded to the block.

    # File 'lib/conjur/dsl2/planner/facts.rb', line 68
    def role_grants role, &block
      begin
        api.role(role.roleid).members
      rescue RestClient::ResourceNotFound
        # If the role exists but its members cannot be fetched, warn.
        # Either way, fall back to an empty member list.
        if api.role(role.roleid).exists?
          $stderr.puts "WARNING: Unable to fetch members of role #{role.roleid}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
        end
        []
      end.each do |grant|
        yield grant
      end
    end

#validate! ⇒ Object
Validate that all the requested roles exist.

    # File 'lib/conjur/dsl2/planner/facts.rb', line 82
    def validate!
      requested.to_a.flatten.uniq.each do |roleid|
        validate_role_exists! roleid
      end
    end
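
A review check built on the [ roleid, member_roleid, admin_option ] tuple shape documented above, as an added example that is not part of the Conjur code base: it compares the two admin-flag sets and separates new memberships from admin_option changes. The function names and role ids are constructed for illustration, and nothing here calls the Conjur API.

```ruby
require 'set'

# Collapse [roleid, member_roleid, admin_option] tuples to { [roleid, member] => admin }.
# If a pair appears both with and without admin, the admin variant wins.
def admin_by_pair(tuples)
  tuples.each_with_object({}) do |(role, member, admin), acc|
    acc[[role, member]] = acc[[role, member]] || admin
  end
end

# Classify the difference between held and requested grants.
# Hypothetical helper: the arguments mirror the two tuple sets RoleFacts keeps.
def classify_grant_changes(existing_with_admin_flag, requested_with_admin_flag)
  held   = admin_by_pair(existing_with_admin_flag)
  wanted = admin_by_pair(requested_with_admin_flag)
  report = { new_member: [], admin_gained: [], admin_dropped: [], not_requested: [] }
  wanted.each do |pair, admin|
    if !held.key?(pair)
      report[:new_member] << [*pair, admin]
    elsif admin && !held[pair]
      report[:admin_gained] << pair
    elsif !admin && held[pair]
      report[:admin_dropped] << pair
    end
  end
  held.each_key { |pair| report[:not_requested] << pair unless wanted.key?(pair) }
  report
end

# Constructed sample data; the role ids are made up.
def sample_report
  ops = 'acme:group:ops'
  existing = Set[
    [ops, 'acme:user:alice', true],
    [ops, 'acme:user:bob',   false],
    [ops, 'acme:user:carol', false]
  ]
  requested = Set[
    [ops, 'acme:user:alice', false],  # admin removed
    [ops, 'acme:user:bob',   true],   # admin added
    [ops, 'acme:user:dave',  false],  # new member
    [ops, 'acme:user:eve',   true]    # requested, then revoked below
  ]
  # Mirror remove_revoked_grant: a revoke deletes both admin variants.
  [true, false].each { |flag| requested.delete([ops, 'acme:user:eve', flag]) }
  classify_grant_changes(existing, requested)
end

puts sample_report.inspect if __FILE__ == $PROGRAM_NAME
```

The admin_gained bucket is the one to read first when reviewing a policy change, since it lists members whose admin_option goes from false to true without any change in membership.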