Class: Conjur::Rack::User

Inherits:

Object

• Object
• Conjur::Rack::User

Defined in:

lib/conjur/rack/user.rb

Overview

Token data can be a string (which is the user login), or a Hash. If it's a hash, it should contain the user login keyed by the string 'login'. The rest of the payload is available as attributes.

Instance Attribute Summary

• #account ⇒ Object (also: #conjur_account) readonly

  Returns the value of attribute account.

• #audit_resources ⇒ Object readonly

  Returns the value of attribute audit_resources.

• #audit_roles ⇒ Object readonly

  Returns the value of attribute audit_roles.

• #privilege ⇒ Object readonly

  Returns the value of attribute privilege.

• #remote_ip ⇒ Object readonly

  Returns the value of attribute remote_ip.

• #token ⇒ Object readonly

  Returns the value of attribute token.

Instance Method Summary

• #api(cls = Conjur::API) ⇒ Object
• #attributes ⇒ Object
• #global_elevate? ⇒ Boolean

  True if and only if the user has valid global 'elevate' privilege.

• #global_reveal? ⇒ Boolean

  True if and only if the user has valid global 'reveal' privilege.

• #initialize(token, account, options = {}) ⇒ User constructor

  A new instance of User.

• #login ⇒ Object
• #role ⇒ Object
• #roleid ⇒ Object
• #validated_global_privilege ⇒ Object

  Returns the global privilege which was present on the request, if and only if the user actually has that privilege.

Constructor Details

#initialize(token, account, options = {}) ⇒ User

Returns a new instance of User.

# File 'lib/conjur/rack/user.rb', line 11

def initialize(token, account, options = {})
  @token = token
  @account = account
  # Third argument used to be the name of privilege, be
  # backwards compatible:
  if options.respond_to?(:to_str)
    @privilege = options
  else
    @privilege = options[:privilege]
    @remote_ip = options[:remote_ip]
    @audit_roles = options[:audit_roles]
    @audit_resources = options[:audit_resources]
  end
end

Instance Attribute Details

#account ⇒ Object (readonly) Also known as: conjur_account

Returns the value of attribute account.

# File 'lib/conjur/rack/user.rb', line 9

def account
  @account
end

#audit_resources ⇒ Object (readonly)

Returns the value of attribute audit_resources.

# File 'lib/conjur/rack/user.rb', line 9

def audit_resources
  @audit_resources
end

#audit_roles ⇒ Object (readonly)

Returns the value of attribute audit_roles.

# File 'lib/conjur/rack/user.rb', line 9

def audit_roles
  @audit_roles
end

#privilege ⇒ Object (readonly)

Returns the value of attribute privilege.

# File 'lib/conjur/rack/user.rb', line 9

def privilege
  @privilege
end

#remote_ip ⇒ Object (readonly)

Returns the value of attribute remote_ip.

# File 'lib/conjur/rack/user.rb', line 9

def remote_ip
  @remote_ip
end

#token ⇒ Object (readonly)

Returns the value of attribute token.

# File 'lib/conjur/rack/user.rb', line 9

def token
  @token
end

Instance Method Details

#api(cls = Conjur::API) ⇒ Object

# File 'lib/conjur/rack/user.rb', line 92

def api(cls = Conjur::API)
  args = [ token ]
  args.push remote_ip if remote_ip
  api = cls.new_from_token(*args)

  # These are features not present in some API versions.
  # Test for them and only apply if it makes sense. Ignore otherwise.
  %i(privilege audit_resources audit_roles).each do |feature|
    meth = "with_#{feature}".intern
    if api.respond_to?(meth) && (value = send(feature))
      api = api.send meth, value
    end
  end

  api
end

#attributes ⇒ Object

# File 'lib/conjur/rack/user.rb', line 64

def attributes
  parse_token

  @attributes || {}
end

#global_elevate? ⇒ Boolean

True if and only if the user has valid global 'elevate' privilege.

Returns:

• (Boolean)

# File 'lib/conjur/rack/user.rb', line 54

def global_elevate?
  validated_global_privilege == "elevate"
end

#global_reveal? ⇒ Boolean

True if and only if the user has valid global 'reveal' privilege.

Returns:

• (Boolean)

# File 'lib/conjur/rack/user.rb', line 49

def global_reveal?
  validated_global_privilege == "reveal"
end

#login ⇒ Object

# File 'lib/conjur/rack/user.rb', line 58

def login
  parse_token

  @login
end

#role ⇒ Object

# File 'lib/conjur/rack/user.rb', line 80

def role
  api.role(roleid)
end

#roleid ⇒ Object

# File 'lib/conjur/rack/user.rb', line 70

def roleid
  tokens = login.split('/')
  role_kind, roleid = if tokens.length == 1
    [ 'user', login ]
  else
    [ tokens[0], tokens[1..-1].join('/') ]
  end
  [ account, role_kind, roleid ].join(':')
end

#validated_global_privilege ⇒ Object

Returns the global privilege which was present on the request, if and only if the user actually has that privilege.

Returns nil if no global privilege was present in the request headers, or if a global privilege was present in the request headers, but the user doesn't actually have that privilege according to the Conjur server.

# File 'lib/conjur/rack/user.rb', line 38

def validated_global_privilege
  unless @validated_global_privilege
    @privilege = nil unless @privilege &&
            api.respond_to?(:global_privilege_permitted?) &&
            api.global_privilege_permitted?(@privilege)
    @validated_global_privilege = true
  end
  @privilege
end