class Conjur::Policy::Planner::Grant

Public Instance Methods

do_plan()

Plans a role grant.

The Grant record can list multiple roles and members. Each member is granted every listed role. If the replace option is set, any existing grant on one of those roles that is not listed in the record is revoked, except for grants to role admins.

# File lib/conjur/policy/planner/grants.rb, line 13
# Plans a role grant.
#
# Collects the requested grant and every existing grant on each listed role
# into a RoleFacts instance, validates it, then emits one Grant action per
# (role, member, admin) triple that RoleFacts says must be applied. When
# +record.replace+ is set, a Revoke action is additionally emitted for each
# (role, member) pair that RoleFacts reports as no longer wanted.
#
# NOTE(review): every pair returned by +facts.grants_to_revoke+ is revoked
# here without further filtering, so the documented "except for role admins"
# exemption must live inside RoleFacts — confirm there before relying on it.
#
# @return [Array, nil] the result of iterating the revocations, or nil when
#   +record.replace+ is not set
def do_plan
  facts = RoleFacts.new(self)
  facts.add_requested_grant(record)

  # Record what is already granted on each requested role so RoleFacts can
  # diff it against the requested state.
  Array(record.roles).each do |role|
    facts.role_grants(role) { |existing| facts.add_existing_grant(role, existing) }
  end

  facts.validate!

  facts.grants_to_apply.each do |roleid, memberid, admin|
    new_grant = Conjur::Policy::Types::Grant.new
    new_grant.role = role_record(roleid)
    new_grant.member = Conjur::Policy::Types::Member.new(role_record(memberid))
    new_grant.member.admin = admin
    action new_grant
  end

  # Revocations are only planned in replace mode.
  return unless record.replace

  facts.grants_to_revoke.each do |roleid, memberid|
    revocation = Conjur::Policy::Types::Revoke.new
    revocation.role = role_record(roleid)
    revocation.member = role_record(memberid)
    action revocation
  end
end