class Conjur::Policy::Planner::BaseFacts

Stores the state of existing and requested grants (roles or privileges).

The difference between the existing and requested grants can be used to determine specifically what actions should be performed in order to bring the state of the server into compliance with the policy.

Attributes

existing[RW]
existing_with_admin_flag[RW]
planner[RW]
requested[RW]
requested_with_admin_flag[RW]

Public Class Methods

new(planner)
# File lib/conjur/policy/planner/facts.rb, line 16
def initialize planner
  @planner = planner
  @requested = Set.new
  @requested_with_admin_flag = Set.new
  @existing  = Set.new
  @existing_with_admin_flag  = Set.new
end

Public Instance Methods

api()
# File lib/conjur/policy/planner/facts.rb, line 24
def api
  planner.api
end

grants_to_apply()

Return the set of grants which are requested but not already held.

Note that if a grant is held with a different admin option than requested, re-applying with the new admin option will update the grant and create the desired state.

# File lib/conjur/policy/planner/facts.rb, line 33
def grants_to_apply
  sort(requested_with_admin_flag - existing_with_admin_flag)
end

grants_to_revoke()

Return the set of grants which are held but not requested.

The admin flag is ignored by this method. So, if a grant exists (with or without admin), and it is not requested (with or without admin), it is revoked. The case in which the grant is held with a different admin option than requested is handled by grants_to_apply.

# File lib/conjur/policy/planner/facts.rb, line 43
def grants_to_revoke
  sort(existing - requested)
end
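
The following is an added example, not code from the Conjur project. It shows how the two set differences treat an admin-flag change versus a grant that is absent from the policy. The class name `GrantFactsSketch`, the helper methods, the role names, and the tuple layout (`[role, member]` in the plain sets, `[role, member, admin]` in the `*_with_admin_flag` sets) are assumptions made for illustration.

```ruby
require 'set'

# Hypothetical stand-in for BaseFacts (not the project's class).
# Assumed tuple layout: [role, member] and [role, member, admin].
class GrantFactsSketch
  attr_reader :requested, :requested_with_admin_flag,
              :existing, :existing_with_admin_flag

  def initialize
    @requested = Set.new
    @requested_with_admin_flag = Set.new
    @existing = Set.new
    @existing_with_admin_flag = Set.new
  end

  def add_requested(role, member, admin)
    requested << [role, member]
    requested_with_admin_flag << [role, member, admin]
  end

  def add_existing(role, member, admin)
    existing << [role, member]
    existing_with_admin_flag << [role, member, admin]
  end

  # Flag-aware difference: new grants plus grants whose admin option changed.
  def grants_to_apply
    (requested_with_admin_flag - existing_with_admin_flag)
      .sort_by { |role, member, admin| [role, member, admin ? 1 : 0] }
  end

  # Flag-blind difference: only grants that the policy no longer mentions.
  def grants_to_revoke
    (existing - requested).to_a.sort
  end
end

# Constructed sample state for one group.
def plan_for_sample
  facts = GrantFactsSketch.new
  facts.add_existing('group:ops', 'user:alice', true)    # policy drops admin
  facts.add_existing('group:ops', 'user:bob', false)     # unchanged
  facts.add_existing('group:ops', 'user:mallory', true)  # not in policy
  facts.add_requested('group:ops', 'user:alice', false)
  facts.add_requested('group:ops', 'user:bob', false)
  facts.add_requested('group:ops', 'user:carol', false)  # new member
  { apply: facts.grants_to_apply, revoke: facts.grants_to_revoke }
end
```

In this sample, `user:alice` appears only in the apply list, so removing her admin option depends on the re-applied grant overwriting the existing one, as the note under grants_to_apply describes; `user:mallory` is the only entry revoked.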

validate_resource_exists!(resource)
# File lib/conjur/policy/planner/facts.rb, line 51
def validate_resource_exists! resource
  planner.error("Resource not found: #{resource}") unless planner.resource_exists?(resource)
end

validate_role_exists!(role)
# File lib/conjur/policy/planner/facts.rb, line 47
def validate_role_exists! role
  planner.error("Role not found: #{role}") unless planner.role_exists?(role)
end

Protected Instance Methods

sort(result)

Sort a result if sort is enabled.

# File lib/conjur/policy/planner/facts.rb, line 58
def sort result
  self.class.sort ? result.to_a.sort : result
end