class Conjur::Policy::Planner::Permit
Plans a permission.
The Permit record can list multiple roles, privileges, and resources. Each privilege is allowed to each role on each resource. If the replace option is set, any existing privilege on an existing resource that is not listed is denied.
Public Instance Methods
do_plan()
# File lib/conjur/policy/planner/permissions.rb, line 13
# Plan the permission changes described by +record+.
#
# The requested permission and the permissions that already exist on each
# listed resource are gathered into a PrivilegeFacts instance and validated
# before any action is emitted, so an invalid record produces no partial plan.
# One +Permit+ action is then emitted per grant to apply. When +record.replace+
# is set, one +Deny+ action is also emitted per existing grant the record no
# longer names; without +replace+ this planner never revokes anything, so
# stale grants stay in place.
#
# NOTE(review): PrivilegeFacts, record, resource_record, role_record and
# action are defined elsewhere in the planner; their contracts are assumed
# from the call sites here.
def do_plan
  facts = PrivilegeFacts.new self
  facts.add_requested_permission record

  # Collect what is currently granted on every listed resource so the
  # to-apply and to-revoke sets can be computed against the existing state.
  wanted_privileges = Array(record.privileges)
  Array(record.resources).each do |res|
    facts.resource_permissions(res, wanted_privileges) do |existing|
      facts.add_existing_permission existing
    end
  end
  facts.validate!

  facts.grants_to_apply.each do |role, privilege, res, admin|
    grant = Conjur::Policy::Types::Permit.new
    grant.resource = resource_record res
    grant.privilege = privilege
    grant.role = Conjur::Policy::Types::Member.new role_record(role)
    # The admin flag is set through the stored member, after assignment.
    grant.role.admin = true if admin
    action grant
  end

  # Revocations only happen in replace mode: anything currently granted that
  # the record does not name is explicitly denied.
  return unless record.replace

  facts.grants_to_revoke.each do |roleid, privilege, resourceid|
    denial = Conjur::Policy::Types::Deny.new
    denial.resource = resource_record resourceid
    denial.privilege = privilege
    denial.role = role_record(roleid)
    action denial
  end
end