lib/conjur/command/policy.rb in conjur-asset-policy-0.8.3 vs lib/conjur/command/policy.rb in conjur-asset-policy-0.11.0
@@ -52,11 +52,11 @@
def self.execute api, records, options = {}
actions = []
records.each do |record|
executor_class = Conjur::Policy::Executor.class_for(record)
- executor = executor_class.new(record, actions)
+ executor = executor_class.new(api, record, actions)
executor.execute
end
Conjur::Policy::HTTPExecutor.new(api).execute actions
end
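Review bot: `self.execute` now passes the caller's `api` into every per-record executor (L10) as well as into `HTTPExecutor` (L13), but the method has no documentation of that contract, and whatever privilege is set on `api` (the second hunk sets "elevate"/"reveal" on it) is therefore inherited by every executor call. Suggest a header comment above `def self.execute`: `# Builds `actions` by running each record's executor (which may use `api` for lookups) and then submits them through HTTPExecutor with the same `api`; any privilege set on `api` applies to both phases.` What the executors actually do with `api` is not visible in this hunk, so the comment is hedged accordingly.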
@@ -153,10 +153,24 @@
end
ownerid = [ Conjur.configuration.account, user_kind, user_id ].join(":")
end
records = Conjur::Policy::Resolver.resolve(records, Conjur.configuration.account, ownerid, options[:namespace])
- plan = Conjur::Policy::Planner.plan(records, api)
+ plan_api = if api.privilege == "elevate"
+ # Check if the user has 'reveal'
+ # In order to do this, the 'elevate' privilege must be removed, otherwise the permission
+ # check always returns 'true'
+ naked_api = api.dup
+ naked_api.privilege = nil
+ if naked_api.global_privilege_permitted?("reveal")
+ api.with_privilege("reveal")
+ else
+ api
+ end
+ else
+ api
+ end
+ plan = Conjur::Policy::Planner.plan(records, plan_api)
if options[:"dry-run"]
case options[:"format"]
when 'text'
puts plan.actions.map(&:to_s)
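Review bot: The 'reveal' probe on L25-L27 depends on `api.dup` giving `naked_api` a privilege slot that is independent of `api`; if `privilege` lives in state the shallow copy shares, `naked_api.privilege = nil` would silently strip "elevate" from the `api` the executor later runs with, and if `global_privilege_permitted?` raises (network error, 5xx) the whole command aborts with no context. Since the hunk already derives a client via `api.with_privilege("reveal")` on L28, the probe could be built the same way, `naked_api = api.with_privilege(nil)` (assuming `with_privilege` accepts nil), and the probe wrapped so a failed lookup falls back to `api` with a warning rather than crashing. It is also worth stating that this is a planning-time decision only, e.g. `# Planning only: the chosen privilege affects what the planner can see, not what execute runs with`, since the execute path presumably still uses the original `api`. The enclosing method starts before this hunk and continues past it.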