class Conjur::Policy::Planner::Deny

Plans a permission denial.

A Deny statement is generated if the permission is currently held. Otherwise, it's a no-op.

Public Instance Methods

do_plan()
# File lib/conjur/policy/planner/permissions.rb, line 55
def do_plan
  facts = PrivilegeFacts.new self

  # Every permission currently held on each target resource is fed to the
  # facts twice: once as a requested grant (wrapped in a Permit record) and
  # once as an existing grant. Removing the Deny record afterwards leaves
  # exactly the grants that have to be revoked.
  privileges = Array(record.privileges)
  Array(record.resources).each do |target|
    facts.resource_permissions(target, privileges) do |held|
      requested = Types::Permit.new.tap do |permit|
        permit.role = Types::Role.new(held['role'])
        # The grant option of the held permission is carried over as the
        # role's admin flag, so a Deny covers the delegation right as well.
        permit.role.admin = held['grant_option']
        permit.privilege = held['privilege']
        permit.resource = Types::Resource.new(held['resource'])
      end
      facts.add_requested_permission requested
      facts.add_existing_permission held
    end
  end

  facts.remove_revoked_permission record

  # Consistency check runs before any Deny is emitted, so a failing
  # validation produces no partial set of actions.
  facts.validate!

  # Each remaining grant is a [role, privilege, resource] triple; emit one
  # Deny action per triple.
  facts.grants_to_revoke.each do |(role, privilege, resource)|
    deny = Conjur::Policy::Types::Deny.new
    deny.resource = resource_record(resource)
    deny.privilege = privilege
    deny.role = role_record(role)
    action deny
  end
end