lib/conjur/policy/planner/base.rb in conjur-asset-policy-0.8.2 vs lib/conjur/policy/planner/base.rb in conjur-asset-policy-0.8.3


@@ -88,10 +88,12 @@
 yield
 }
 end
 def update_record
+ log { "Updating #{record}" }
+
 update = Conjur::Policy::Types::Update.new
 update.record = record
 changed = false
 record.custom_attribute_names.each do |attr|
@@ -104,10 +106,11 @@
 if new_value
 if new_value == existing_value
 record.send "#{attr}=", nil
 else
 raise "Cannot modify immutable attribute '#{record.resource_kind}.#{attr}'" if record.immutable_attribute_names.member?(attr)
+ log { "Attribute #{attr} will be updated" }
 changed = true
 end
 end
 end
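Review bot: `log { "Updating #{record}" }` in the first hunk (and the matching `Creating` / `Attribute #{attr} will be updated` messages in the other hunks) renders the whole record through its `to_s`, which is defined outside this diff; it is worth confirming that the string form carries only identifying fields such as the id and kind, since these messages presumably end up in operator logs. `log` itself is also not defined in the hunks, so whether the block is evaluated lazily (only when logging is enabled) cannot be checked here; if it is not, the interpolation runs on every plan step regardless. `update_record` continues past the end of both hunks.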
@@ -118,34 +121,45 @@
 existing_value = existing[attr]
 new_value = record.annotations[attr]
 if new_value == existing_value
 record.annotations.delete attr
 else
+ log { "Annotation #{attr} will be updated" }
 changed = true
 end
 end
+ log { "Record owner is #{record.owner.roleid}" }
+ log { "Resource owner is #{resource.owner}" }
 if record.owner && resource.owner != record.owner.roleid
+ log { "Resource owner will be changed to #{record.owner.roleid}" }
+
 give = Conjur::Policy::Types::Give.new
 give.resource = Conjur::Policy::Types::Resource.new(record.resourceid)
 give.owner = Conjur::Policy::Types::Role.new(record.owner.roleid)
 action give
-
- if record.role?
- grant = Conjur::Policy::Types::Grant.new
- grant.role = Conjur::Policy::Types::Role.new(record.roleid)
- grant.member = Conjur::Policy::Types::Member.new
- grant.member.role = Conjur::Policy::Types::Role.new(record.owner.roleid)
- grant.member.admin = true
- action grant
- end
 end
 end
+
+ if record.role?
+ unless api.role(record.owner.roleid).can_admin_role?(role)
+ log { "Role will be granted to #{record.owner.roleid} with admin option" }
+
+ grant = Conjur::Policy::Types::Grant.new
+ grant.role = Conjur::Policy::Types::Role.new(record.roleid)
+ grant.member = Conjur::Policy::Types::Member.new
+ grant.member.role = Conjur::Policy::Types::Role.new(record.owner.roleid)
+ grant.member.admin = true
+ action grant
+ end
+ end
 action update if changed
 end
 def create_record
+ log { "Creating #{record}" }
+
 create = Conjur::Policy::Types::Create.new
 create.record = record
 if record.resource?
 existing = resource.exists? ? resource.annotations : {}
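Review bot: The new `if record.role?` block, and the added `log { "Record owner is #{record.owner.roleid}" }` line placed just before `if record.owner && resource.owner != …`, both dereference `record.owner` without the nil check that the existing condition shows is needed, so a role record with no owner now raises NoMethodError where the old code (grant nested inside the `if record.owner` branch) simply skipped the grant. Guarding both places restores the previous behaviour for ownerless records: `if record.role? && record.owner` and `log { "Record owner is #{record.owner.roleid}" } if record.owner`. `api` and `role` are not defined in the hunk and are presumably planner helpers alongside `resource`; whether `api.role(…).can_admin_role?(role)` returns false or raises when the owner role does not yet exist is worth confirming, since a raise here aborts the whole plan rather than emitting the admin grant. The enclosing `update_record` starts before this hunk and `create_record` continues past it.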