lib/conjur/command/resources.rb in conjur-cli-5.6.6 vs lib/conjur/command/resources.rb in conjur-cli-6.0.0.rc1
- old
+ new
@@ -18,190 +18,73 @@
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
class Conjur::Command::Resources < Conjur::Command
- desc "Manage resources"
- command :resource do |resource|
+ desc "Show an object"
+ arg_name "RESOURCE"
+ command :show do |c|
+ c.action do |global_options,options,args|
+ id = full_resource_id( require_arg(args, "RESOURCE") )
+ display api.resource(id).attributes
+ end
+ end
+
+ desc "List objects"
+ command :list do |c|
+ c.desc "Filter by kind"
+ c.flag [:k, :kind]
- resource.desc "Create a new resource [DEPRECATED]"
- resource.arg_name "RESOURCE"
- resource.command :create do |c|
- acting_as_option(c)
+ command_options_for_list c
- c.action do |global_options,options,args|
- notify_deprecated
+ c.action do |global_options, options, args|
+ command_impl_for_list global_options, options, args
+ end
+ end
- id = full_resource_id( require_arg(args, "RESOURCE") )
- resource = api.resource(id)
+ desc "Check for a privilege on a resource"
+ long_desc """
+By default, the privilege is checked for the logged-in user.
+Permission checks may be performed for other roles using the optional role argument.
+When the role argument is used, either the logged-in user must either own the specified
+resource or must have specified role in its memberships.
+"""
+ arg_name "RESOURCE PRIVILEGE"
+ command :check do |c|
+ c.desc "Role to check. By default, the current logged-in role is used"
+ c.flag [:r,:role]
- if ownerid = options.delete(:ownerid)
- options[:acting_as] = ownerid
- end
-
- resource.create(options)
- display resource.attributes
+ c.action do |global_options,options,args|
+ id = full_resource_id(require_arg(args, "RESOURCE"))
+ privilege = args.shift or raise "Missing parameter: privilege"
+ role = if options[:role]
+ full_role_id(options[:role])
+ else
+ nil
end
+ puts api.resource(id).permitted? privilege, role: role
end
+ end
- resource.desc "Show a resource"
- resource.arg_name "RESOURCE"
- resource.command :show do |c|
- c.action do |global_options,options,args|
- id = full_resource_id( require_arg(args, "RESOURCE") )
- display api.resource(id).attributes
- end
- end
-
+ desc "Manage resources"
+ command :resource do |resource|
resource.desc "Determines whether a resource exists"
resource.arg_name "RESOURCE"
resource.command :exists do |c|
c.action do |global_options,options,args|
id = full_resource_id( require_arg(args, "RESOURCE") )
puts api.resource(id).exists?
end
end
-
- resource.desc "Give a privilege on a resource [DEPRECATED]"
- resource.arg_name "RESOURCE ROLE PRIVILEGE"
- resource.command :permit do |c|
- c.desc "allow transfer to other roles"
- c.switch [:g, :grantable]
- c.action do |global_options,options,args|
- notify_deprecated
-
- id = full_resource_id( require_arg(args, "RESOURCE") )
- role = require_arg(args, "ROLE")
- privilege = require_arg(args, "PRIVILEGE")
- $stderr.print "Granting #{role} permission to #{privilege} #{id}... "
- unless options[:g]
- api.resource(id).permit privilege, role
- else
- api.resource(id).permit privilege, role, grant_option: true
- end
-
- puts "Permission granted"
- end
- end
-
- resource.desc "Deny a privilege on a resource [DEPRECATED]"
- resource.arg_name "RESOURCE ROLE PRIVILEGE"
- resource.command :deny do |c|
- c.action do |global_options,options,args|
- notify_deprecated
-
- id = full_resource_id( require_arg(args, "RESOURCE") )
- role = require_arg(args, "ROLE")
- privilege = require_arg(args, "PRIVILEGE")
- api.resource(id).deny privilege, role
- puts "Permission revoked"
- end
- end
-
- resource.desc "Check for a privilege on a resource"
- resource.long_desc """
- By default, the privilege is checked for the logged-in user.
- Permission checks may be performed for other roles using the optional role argument.
- When the role argument is used, either the logged-in user must either own the specified
- resource or be an admin of the specified role (i.e. be granted the specified role with grant option).
- """
+
+ resource.desc "List roles with a specified privilege on the resource"
resource.arg_name "RESOURCE PRIVILEGE"
- resource.command :check do |c|
- c.desc "Role to check. By default, the current logged-in role is used"
- c.flag [:r,:role]
-
- c.action do |global_options,options,args|
- id = full_resource_id( require_arg(args, "RESOURCE") )
- privilege = args.shift or raise "Missing parameter: privilege"
- if role = options[:role]
- role = api.role(role)
- puts role.permitted? id, privilege
- else
- puts api.resource(id).permitted? privilege
- end
- end
- end
-
- resource.desc "Grant ownership on a resource to a new owner [DEPRECATED]"
- resource.arg_name "RESOURCE USER"
- resource.command :give do |c|
- c.action do |global_options,options,args|
- notify_deprecated
-
- id = full_resource_id( require_arg(args, "RESOURCE") )
- owner = require_arg(args, "USER")
- api.resource(id).give_to owner
- puts "Ownership granted"
- end
- end
-
- resource.desc "List roles with a specified permission on the resource"
- resource.arg_name "RESOURCE PERMISSION"
resource.command :permitted_roles do |c|
- command_option_kind c
- command_options_for_search c
-
c.action do |global_options,options,args|
- id = full_resource_id( require_arg(args, "RESOURCE") )
- permission = require_arg(args, "PERMISSION")
+ id = full_resource_id(require_arg(args, "RESOURCE"))
+ permission = require_arg(args, "PRIVILEGE")
- opts = process_command_options_for_search(options)
- display api.resource(id).permitted_roles(permission, opts)
- end
- end
-
- resource.desc "Set an annotation on a resource [DEPRECATED]"
- resource.arg_name "RESOURCE ANNOTATION value"
- resource.command :annotate do |c|
- interactive_option c
-
- c.action do |global_options, options, args|
- notify_deprecated
-
- id = full_resource_id require_arg(args, 'RESOURCE')
-
- annotations = if options[:interactive]
- prompt_for_annotations
- else
- name = require_arg args, 'ANNOTATION'
- value = require_arg args, 'value'
- { name => value }
- end
- unless annotations.blank?
- api.resource(id).annotations.merge!(annotations)
- puts "Set annotations #{annotations.keys} for resource '#{id}'"
- end
- end
- end
-
- resource.desc "Show an annotation for a resource"
- resource.arg_name "RESOURCE ANNOTATION"
- resource.command :annotation do |c|
- c.action do |global_options, options, args|
- id = full_resource_id require_arg args, 'RESOURCE'
- name = require_arg args, 'ANNOTATION'
- value = api.resource(id).annotations[name]
- puts value unless value.nil?
- end
- end
-
- resource.desc "Print annotations as JSON"
- resource.arg_name 'RESOURCE'
- resource.command :annotations do |c|
- c.action do |go, o, args|
- id = full_resource_id require_arg args, 'RESOURCE'
- annots = api.resource(id).annotations.to_h
- puts annots.to_json
- end
- end
-
- resource.desc "List all resources"
- resource.command :list do |c|
- command_option_kind c
- command_options_for_list c
-
- c.action do |global_options, options, args|
- command_impl_for_list global_options, options, args
+ display api.resource(id).permitted_roles(permission)
end
end
end
end
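Review bot: The new `check` action reads its second argument with `privilege = args.shift or raise "Missing parameter: privilege"`, while every other command in this hunk — including `permitted_roles` at the bottom — uses the `require_arg` helper; the bare `raise` yields a RuntimeError with a differently worded message and skips whatever usage handling `require_arg` provides, so I'd change that line to `privilege = require_arg(args, "PRIVILEGE")`. The `role = if options[:role] ... else nil end` block in the same action can collapse to `role = options[:role] && full_role_id(options[:role])` with the same result (nil when the flag is absent). The new long_desc sentence "either the logged-in user must either own the specified resource or must have specified role in its memberships" is garbled; I'd reword it to "When the role argument is used, the logged-in user must either own the specified resource or have the specified role in its memberships." Since the check now goes through `api.resource(id).permitted? privilege, role: role` instead of `api.role(role).permitted? id, privilege`, a short comment above the `puts` noting that whether an unauthorized role lookup surfaces as an error or as `false` is decided by the API (not by this command) would help callers that script on the printed boolean — I can't tell from the hunk which it is.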