class Conjur::Policy::Planner::Deny
Plans a permission denial.
A Deny
statement is generated only if the permission is currently held. Otherwise, it's a no-op.
Public Instance Methods
do_plan()
# File lib/conjur/policy/planner/permissions.rb, line 55
# Plans the revocation described by a Deny record.
#
# Every permission currently granted on the record's resources (filtered to
# the record's privileges) is mirrored into a PrivilegeFacts ledger as both a
# requested Permit and an existing grant; the Deny record is then subtracted
# and the remainder is what actually has to be revoked. One Types::Deny action
# is emitted per leftover (role, privilege, resource) triple, so a permission
# that is not currently held produces no action at all.
def do_plan
  facts = PrivilegeFacts.new(self)
  wanted_privileges = Array(record.privileges)

  # Load each live grant as a Permit so the ledger reflects the current state
  # before the Deny is removed from it.
  Array(record.resources).each do |resource|
    facts.resource_permissions(resource, wanted_privileges) do |permission|
      permit = Types::Permit.new.tap do |rec|
        rec.role = Types::Role.new(permission['role'])
        # The grant's grant_option flag is carried as the role's admin bit.
        rec.role.admin = permission['grant_option']
        rec.privilege = permission['privilege']
        rec.resource = Types::Resource.new(permission['resource'])
      end
      facts.add_requested_permission(permit)
      facts.add_existing_permission(permission)
    end
  end

  facts.remove_revoked_permission(record)
  facts.validate!

  # Whatever the ledger still lists is revoked, one Deny action per grant.
  facts.grants_to_revoke.each do |(role, privilege, resource)|
    deny = Conjur::Policy::Types::Deny.new
    deny.resource = resource_record(resource)
    deny.privilege = privilege
    deny.role = role_record(role)
    action(deny)
  end
end