class Conjur::Policy::Planner::RoleFacts

Each role grant is a tuple of [ roleid, member_roleid, admin_option ].

Public Instance Methods

add_existing_grant(role, grant)

Add a Conjur::API::Role grant that is already held.

# File lib/conjur/policy/planner/facts.rb, line 110
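# Record a grant that the server already holds for +role+.
#
# The grant is stored twice: as a [roleid, member_roleid] pair in +existing+,
# and as a [roleid, member_roleid, admin_flag] triple in
# +existing_with_admin_flag+.
#
# role  - object responding to +roleid+ (the role being granted).
# grant - object responding to +member+ (which responds to +roleid+) and
#         +admin_option+.
def add_existing_grant role, grant
  role_id   = role.roleid
  member_id = grant.member.roleid

  # Coerce the admin flag to a strict boolean, the same way
  # add_requested_grant does with `!!member.admin`. Tuples are compared by
  # value, so a nil flag here would never equal a requested `false` flag and
  # the two sets would disagree about an otherwise identical grant.
  admin_flag = !!grant.admin_option

  existing.add [role_id, member_id]
  existing_with_admin_flag.add [role_id, member_id, admin_flag]
end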
add_requested_grant(grant)

Add a Types::Grant to the set of requested grants.

# File lib/conjur/policy/planner/facts.rb, line 89
# Record every (role, member) combination named by a requested grant.
#
# +grant.roles+ and +grant.members+ may each be a single object or a list;
# Array() makes both cases iterable. Each combination is stored as a
# [roleid, member_roleid] pair in +requested+ and as a
# [roleid, member_roleid, admin_flag] triple in +requested_with_admin_flag+.
def add_requested_grant grant
  Array(grant.roles).each do |granted_role|
    Array(grant.members).each do |membership|
      pair = [granted_role.roleid, membership.role.roleid]
      requested.add pair
      # `!!` turns a missing (nil) admin setting into an explicit false, so
      # the stored flag is always a strict boolean.
      requested_with_admin_flag.add pair + [!!membership.admin]
    end
  end
end
remove_revoked_grant(revoke)

Removes a Types::Revoke from the set of requested grants.

# File lib/conjur/policy/planner/facts.rb, line 99
# Drop every (role, member) combination named by a revoke from the requested
# grants.
#
# +revoke.roles+ and +revoke.members+ may each be a single object or a list.
# Here each member is asked for +roleid+ directly, whereas
# add_requested_grant reads +member.role.roleid+.
# NOTE(review): presumably revoke members are roles rather than member
# records; confirm against the Types::Revoke definition.
def remove_revoked_grant revoke
  Array(revoke.roles).each do |revoked_role|
    Array(revoke.members).each do |revoked_member|
      pair = [revoked_role.roleid, revoked_member.roleid]
      requested.delete pair
      # The revoke does not say which admin flag was requested, so both
      # possible triples are removed.
      [true, false].each do |admin_flag|
        requested_with_admin_flag.delete pair + [admin_flag]
      end
    end
  end
end
role_grants(role) { |grant| ... }

Enumerate all existing grants on the specified role. Each grant is yielded to the block.

# File lib/conjur/policy/planner/facts.rb, line 68
def role_grants role, &block
  begin
    api.role(role.roleid).members
  rescue RestClient::ResourceNotFound
    if api.role(role.roleid).exists?
      $stderr.puts "WARNING: Unable to fetch members of role #{role.roleid}. Use 'elevate' mode, or at least 'reveal' mode, for policy management."
    end
    []
  end.each do |grant|
    yield grant
  end
end
validate!()

Validate that all the requested roles exist.

# File lib/conjur/policy/planner/facts.rb, line 82
# Run validate_role_exists! once for every distinct role id that appears in
# the requested grants, on either side of a [roleid, member_roleid] pair.
#
# NOTE(review): validate_role_exists! is defined elsewhere; presumably it
# raises when a role is missing. Confirm before relying on that.
def validate!
  role_ids = requested.to_a.flatten.uniq
  role_ids.each { |roleid| validate_role_exists! roleid }
end