Class: Legion::Rbac::Role

Inherits:

Object

• Object
• Legion::Rbac::Role

Includes:

Logging::Helper

Defined in:

lib/legion/rbac/role.rb

Instance Attribute Summary

• #capability_denials ⇒ Object readonly

  Returns the value of attribute capability_denials.

• #capability_grants ⇒ Object readonly

  Returns the value of attribute capability_grants.

• #cross_team ⇒ Object readonly

  Returns the value of attribute cross_team.

• #deny_rules ⇒ Object readonly

  Returns the value of attribute deny_rules.

• #description ⇒ Object readonly

  Returns the value of attribute description.

• #name ⇒ Object readonly

  Returns the value of attribute name.

• #permissions ⇒ Object readonly

  Returns the value of attribute permissions.

Instance Method Summary

• #capability_allowed?(capability) ⇒ Boolean
• #cross_team? ⇒ Boolean
• #initialize(name:, description: '', permissions: [], deny: [], cross_team: false, capability_grants: [], capability_denials: []) ⇒ Role constructor

  A new instance of Role.

Constructor Details

#initialize(name:, description: '', permissions: [], deny: [], cross_team: false, capability_grants: [], capability_denials: []) ⇒ Role

Returns a new instance of Role.

# File 'lib/legion/rbac/role.rb', line 14

def initialize(name:, description: '', permissions: [], deny: [], cross_team: false,
               capability_grants: [], capability_denials: [])
  @name = name.to_s
  @description = description
  @permissions = permissions.map do |p|
    Permission.new(resource_pattern: p[:resource], actions: p[:actions])
  end
  @deny_rules = deny.map do |d|
    DenyRule.new(resource_pattern: d[:resource], above_level: d[:above_level])
  end
  @cross_team = cross_team
  @capability_grants = Array(capability_grants).map(&:to_sym)
  @capability_denials = Array(capability_denials).map(&:to_sym)
  log.debug(
    "RBAC role initialized name=#{@name} permissions=#{@permissions.size} deny_rules=#{@deny_rules.size} " \
    "cross_team=#{@cross_team} capability_grants=#{@capability_grants.size} capability_denials=#{@capability_denials.size}"
  )
end

Instance Attribute Details

#capability_denials ⇒ Object (readonly)

Returns the value of attribute capability_denials.

# File 'lib/legion/rbac/role.rb', line 11

def capability_denials
  @capability_denials
end

#capability_grants ⇒ Object (readonly)

Returns the value of attribute capability_grants.

# File 'lib/legion/rbac/role.rb', line 11

def capability_grants
  @capability_grants
end

#cross_team ⇒ Object (readonly)

Returns the value of attribute cross_team.

# File 'lib/legion/rbac/role.rb', line 11

def cross_team
  @cross_team
end

#deny_rules ⇒ Object (readonly)

Returns the value of attribute deny_rules.

# File 'lib/legion/rbac/role.rb', line 11

def deny_rules
  @deny_rules
end

#description ⇒ Object (readonly)

Returns the value of attribute description.

# File 'lib/legion/rbac/role.rb', line 11

def description
  @description
end

#name ⇒ Object (readonly)

Returns the value of attribute name.

# File 'lib/legion/rbac/role.rb', line 11

def name
  @name
end

#permissions ⇒ Object (readonly)

Returns the value of attribute permissions.

# File 'lib/legion/rbac/role.rb', line 11

def permissions
  @permissions
end

Instance Method Details

#capability_allowed?(capability) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/rbac/role.rb', line 37

def capability_allowed?(capability)
  cap = capability.to_sym
  if @capability_denials.include?(cap)
    log.debug("RBAC role capability name=#{@name} capability=#{cap} allowed=false reason=denied")
    return false
  end

  allowed = @capability_grants.include?(cap)
  log.debug("RBAC role capability name=#{@name} capability=#{cap} allowed=#{allowed}")
  allowed
end

#cross_team? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/legion/rbac/role.rb', line 33

def cross_team?
  @cross_team == true
end