class Conjur::Policy::Planner::Permit

Plans a permission.

The Permit record can list multiple roles, privileges, and resources. Each listed privilege is granted to each listed role on each listed resource. If the replace option is set, any existing privilege on one of those resources that the record does not list is denied.

Public Instance Methods

# File lib/conjur/policy/planner/permissions.rb, line 13
# Plans the grants, and when +replace+ is set the denials, implied by the
# Permit record.
#
# The requested permission and the permissions that already exist on each
# listed resource are collected into a PrivilegeFacts instance, which is
# validated before any action is emitted. Each remaining grant becomes a
# Types::Permit action (with admin set on the member when the grant says
# so). When record.replace is set, each grant reported by
# facts.grants_to_revoke becomes a Types::Deny action as well, so the
# record is treated as the complete list of privileges on those resources
# rather than an additive one; without +replace+ nothing is revoked.
#
# Results are emitted through #action; the method's own return value is not
# intended for use.
def do_plan
  facts = PrivilegeFacts.new(self)
  facts.add_requested_permission(record)

  wanted = Array(record.privileges)
  Array(record.resources).each do |resource|
    facts.resource_permissions(resource, wanted) do |existing|
      facts.add_existing_permission(existing)
    end
  end

  # Validate before emitting anything so a bad record yields no partial plan
  # (validate! presumably raises on inconsistency — confirm in PrivilegeFacts).
  facts.validate!

  facts.grants_to_apply.each do |(role, privilege, resource, admin)|
    member = Conjur::Policy::Types::Member.new(role_record(role))
    member.admin = true if admin

    permit = Conjur::Policy::Types::Permit.new.tap do |p|
      p.resource = resource_record(resource)
      p.privilege = privilege
      p.role = member
    end
    action(permit)
  end

  # Revocation only happens in replace mode; otherwise existing grants stay.
  return unless record.replace

  facts.grants_to_revoke.each do |(roleid, privilege, resourceid)|
    deny = Conjur::Policy::Types::Deny.new
    deny.resource = resource_record(resourceid)
    deny.privilege = privilege
    deny.role = role_record(roleid)
    action(deny)
  end
end