[WIP] permissions API

controller/comments_blackbox_test.go

@@ -7,6 +7,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/fabric8-services/fabric8-wit/configuration"
+
 	token "github.com/dgrijalva/jwt-go"
 	"github.com/fabric8-services/fabric8-wit/account"
 	"github.com/fabric8-services/fabric8-wit/app"
@@ -582,7 +584,7 @@ func (s *CommentsSuite) TestNotificationSendOnUpdate() {
 	assert.Equal(s.T(), c.Data.ID.String(), s.notification.Messages[0].TargetID)
 }
 
-func CreateSecuredSpace(t *testing.T, db application.DB, config SpaceConfiguration, owner account.Identity, userIDs string) app.Space {
+func CreateSecuredSpace(t *testing.T, db application.DB, config *configuration.Registry, owner account.Identity, userIDs string) app.Space {
 	svc := testsupport.ServiceAsSpaceUser("Collaborators-Service", owner, &TestSpaceAuthzService{owner: owner, userIDs: userIDs})
 	spaceCtrl := NewSpaceController(svc, db, config, &DummyResourceManager{})
 	require.NotNil(t, spaceCtrl)

controller/deployments.go

@@ -9,13 +9,16 @@ import (
 	"time"
 
 	"github.com/fabric8-services/fabric8-wit/app"
+	witclient "github.com/fabric8-services/fabric8-wit/client"
 	"github.com/fabric8-services/fabric8-wit/configuration"
 	"github.com/fabric8-services/fabric8-wit/errors"
 	"github.com/fabric8-services/fabric8-wit/jsonapi"
 	"github.com/fabric8-services/fabric8-wit/kubernetes"
 	"github.com/fabric8-services/fabric8-wit/log"
+	"github.com/fabric8-services/fabric8-wit/rest"
 
 	"github.com/goadesign/goa"
+	goauuid "github.com/goadesign/goa/uuid"
 	errs "github.com/pkg/errors"
 	uuid "github.com/satori/go.uuid"
 	"golang.org/x/net/websocket"
@@ -332,6 +335,9 @@ func (c *DeploymentsController) ShowDeploymentStats(ctx *app.ShowDeploymentStats
 // ShowSpace runs the showSpace action.
 func (c *DeploymentsController) ShowSpace(ctx *app.ShowSpaceDeploymentsContext) error {
 
+	// should we ask k8s for permissions on select objects? default is no
+	checkPerms := ctx.Qp != nil && *ctx.Qp
+
 	kc, err := c.GetKubeClient(ctx)
 	defer cleanup(kc)
 	if err != nil {
@@ -355,6 +361,69 @@ func (c *DeploymentsController) ShowSpace(ctx *app.ShowSpaceDeploymentsContext)
 	// Kubernetes doesn't know about space ID, so add it here
 	space.ID = ctx.SpaceID
 
+	if checkPerms {
+		// next, try to get permissions
+		guid := goauuid.UUID(ctx.SpaceID)
+
+		// permission for all deployments
+		for _, appl := range space.Attributes.Applications {
+			for _, depl := range appl.Attributes.Deployments {
+				deployPath := witclient.SetDeploymentDeploymentsPath(guid, appl.Attributes.Name, depl.Attributes.Name)
+				deployURLStr := rest.AbsoluteURL(ctx.Request, deployPath)
+				if err != nil {
+					return jsonapi.JSONErrorResponse(ctx, errs.Wrapf(err, "could not retrieve path for %s", *kubeSpaceName))
+				}
+				envName := depl.Attributes.Name
+				methods := []string{}
+				canScale, err := kc.CanScaleDeployment(envName)
+				if err != nil {
+					return jsonapi.JSONErrorResponse(ctx, errs.Wrapf(err, "could not retrieve permission for %s", *kubeSpaceName))
+				}
+				if canScale {
+					methods = append(methods, "PATCH")
+				}
+				canDelete, err := kc.CanDeleteDeployment(envName)
+				if err != nil {
+					return jsonapi.JSONErrorResponse(ctx, errs.Wrapf(err, "could not retrieve permission for %s", *kubeSpaceName))
+				}
+				if canDelete {
+					methods = append(methods, "DELETE")
+				}
+				// NOTE: we don't actually allow GET to this endpoint, so don't claim we do by adding "GET" to methods
+				depl.Links.Self = &app.LinkWithAccess{
+					Href: &deployURLStr,
+					Meta: &app.EndpointAccess{
+						Methods: methods,
+					},
+				}
+			}
+		}
+
+		// permssions for this space
+		spaceURLStr := rest.AbsoluteURL(ctx.Request, witclient.ShowSpacePath(guid))
+		if err != nil {
+			return jsonapi.JSONErrorResponse(ctx, errs.Wrapf(err, "could not retrieve path for  %s", *kubeSpaceName))
+		}
+
+		methods := []string{}
+		canGetSpace, err := kc.CanGetSpace()
+		if err != nil {
+			return jsonapi.JSONErrorResponse(ctx, errs.Wrapf(err, "could not retrieve permission for %s", *kubeSpaceName))
+		}
+		if canGetSpace {
+			methods = append(methods, "GET")
+		}
+		// DELETE, etc come later
+		space.Links = &app.SimpleSpaceLinks{
+			Space: &app.LinkWithAccess{
+				Href: &spaceURLStr,
+				Meta: &app.EndpointAccess{
+					Methods: methods,
+				},
+			},
+		}
+	}
+
 	res := &app.SimpleSpaceSingle{
 		Data: space,
 	}

controller/deployments_blackbox_test.go

@@ -243,7 +243,7 @@ func TestShowSpace(t *testing.T) {
 			return createOSIOClientMock(t, spaceName), nil
 		}
 		// when
-		_, result := test.ShowSpaceDeploymentsOK(t, context.Background(), svc, ctrl, space.SystemSpace)
+		_, result := test.ShowSpaceDeploymentsOK(t, context.Background(), svc, ctrl, space.SystemSpace, nil)
 		// then
 		assert.Equal(t, space.SystemSpace, result.Data.ID, "space ID should be %s", space.SystemSpace.String())
 		assert.NotNil(t, result.Data.Attributes, "space attributes must be non-nil")
@@ -260,7 +260,7 @@ func TestShowSpace(t *testing.T) {
 				return nil, fmt.Errorf("failure")
 			}
 			// when/then
-			test.ShowSpaceDeploymentsInternalServerError(t, context.Background(), svc, ctrl, space.SystemSpace)
+			test.ShowSpaceDeploymentsInternalServerError(t, context.Background(), svc, ctrl, space.SystemSpace, nil)
 		})
 
 		t.Run("get space bad request", func(t *testing.T) {
@@ -277,7 +277,7 @@ func TestShowSpace(t *testing.T) {
 				return createOSIOClientMock(t, spaceName), nil
 			}
 			// when
-			test.ShowSpaceDeploymentsBadRequest(t, context.Background(), svc, ctrl, space.SystemSpace)
+			test.ShowSpaceDeploymentsBadRequest(t, context.Background(), svc, ctrl, space.SystemSpace, nil)
 			// then verify that the Close method was called
 			assert.Equal(t, uint64(1), kubeClientMock.CloseCounter)
 		})

controller/deployments_osioclient.go

@@ -37,7 +37,7 @@ var _ ResponseReader = (*IOResponseReader)(nil)
 
 // WitClient is an interface for mocking the witclient.Client
 type WitClient interface {
-	ShowSpace(ctx context.Context, path string, ifModifiedSince *string, ifNoneMatch *string) (*http.Response, error)
+	ShowSpace(ctx context.Context, path string, qp *bool, ifModifiedSince *string, ifNoneMatch *string) (*http.Response, error)
 	ShowUserService(ctx context.Context, path string) (*http.Response, error)
 }
 
@@ -141,7 +141,7 @@ func (osioclient *OSIOClient) GetUserServices(ctx context.Context) (*app.UserSer
 func (osioclient *OSIOClient) GetSpaceByID(ctx context.Context, spaceID uuid.UUID) (*app.Space, error) {
 	guid := goauuid.UUID(spaceID)
 	urlpath := witclient.ShowSpacePath(guid)
-	resp, err := osioclient.wc.ShowSpace(goasupport.ForwardContextRequestID(ctx), urlpath, nil, nil)
+	resp, err := osioclient.wc.ShowSpace(goasupport.ForwardContextRequestID(ctx), urlpath, nil, nil, nil)
 	if err != nil {
 		return nil, errs.Wrapf(err, "could not connect to %s", urlpath)
 	}

controller/deployments_osioclient_test.go

@@ -42,7 +42,7 @@ type MockWitClient struct {
 	UserServiceHttpResponseError error
 }
 
-func (m *MockWitClient) ShowSpace(ctx context.Context, path string, ifModifiedSince *string, ifNoneMatch *string) (*http.Response, error) {
+func (m *MockWitClient) ShowSpace(ctx context.Context, path string, qp *bool, ifModifiedSince *string, ifNoneMatch *string) (*http.Response, error) {
 	return m.SpaceHttpResponse, m.SpaceHttpResponseError
 }
 

controller/space.go

@@ -30,7 +30,7 @@ import (
 )
 
 const (
-	// APIStringTypeCodebase contains the JSON API type for codebases
+	// APIStringTypeSpace contains the JSON API type for codebases
 	APIStringTypeSpace = "spaces"
 )
 
@@ -48,13 +48,14 @@ type SpaceController struct {
 	resourceManager   auth.ResourceManager
 	DeploymentsClient *http.Client
 	CodebaseClient    *http.Client
+	ClientGetter
 }
 
 // NewSpaceController creates a space controller.
 func NewSpaceController(
 	service *goa.Service,
 	db application.DB,
-	config SpaceConfiguration,
+	config *configuration.Registry,
 	resourceManager auth.ResourceManager) *SpaceController {
 
 	return &SpaceController{
@@ -64,6 +65,9 @@ func NewSpaceController(
 		resourceManager:   resourceManager,
 		DeploymentsClient: http.DefaultClient,
 		CodebaseClient:    http.DefaultClient,
+		ClientGetter: &defaultClientGetter{
+			config: config,
+		},
 	}
 }
 
@@ -364,7 +368,7 @@ func deleteOpenShiftResource(
 
 	// get all the apps and envs
 	path := client.ShowSpaceDeploymentsPath(spaceID)
-	resp, err := cl.ShowSpaceDeployments(ctx, path)
+	resp, err := cl.ShowSpaceDeployments(ctx, path, nil)
 	if err != nil {
 		return errors.NewInternalError(ctx,
 			fmt.Errorf("could not get deployments: %v", err))
@@ -475,6 +479,7 @@ func (c *SpaceController) List(ctx *app.ListSpaceContext) error {
 
 // Show runs the show action.
 func (c *SpaceController) Show(ctx *app.ShowSpaceContext) error {
+
 	var s *space.Space
 	err := application.Transactional(c.db, func(appl application.Application) error {
 		var err error
@@ -490,8 +495,46 @@ func (c *SpaceController) Show(ctx *app.ShowSpaceContext) error {
 	if err != nil {
 		return jsonapi.JSONErrorResponse(ctx, err)
 	}
+
+	var methods []string
+	if ctx.Qp != nil && *ctx.Qp {
+		// 'qp' (QueryPerms query parameter) is true:
+		// ask Kubernetes if this user can access this space
+		// (this is different from the WIT Space database access)
+		kc, err := c.GetKubeClient(ctx)
+		defer cleanup(kc)
+		if err != nil {
+			log.Error(ctx, map[string]interface{}{
+				"err":      err,
+				"space_id": ctx.SpaceID,
+			}, "unable create a KubeClient")
+			return jsonapi.JSONErrorResponse(ctx, err)
+		}
+		canRead, err := kc.CanGetSpace()
+		if err != nil {
+			log.Error(ctx, map[string]interface{}{
+				"err":      err,
+				"space_id": ctx.SpaceID,
+			}, "unable retrieve permissions from CanGetSpace()")
+			return jsonapi.JSONErrorResponse(ctx, err)
+		}
+		if canRead {
+			methods = []string{"GET"}
+		} else {
+			methods = []string{}
+		}
+	} else {
+		methods = []string{}
+	}
+
 	return ctx.ConditionalRequest(*s, c.config.GetCacheControlSpace, func() error {
-		spaceData, err := ConvertSpaceFromModel(ctx.Request, *s, IncludeBacklogTotalCount(ctx.Context, c.db))
+		var spaceData *app.Space
+		var err error
+		if ctx.Qp != nil && *ctx.Qp {
+			spaceData, err = ConvertSpaceFromModel(ctx.Request, *s, IncludeBacklogTotalCount(ctx.Context, c.db), IncludeMethodAccess(ctx.Context, ctx.Request, methods))
+		} else {
+			spaceData, err = ConvertSpaceFromModel(ctx.Request, *s, IncludeBacklogTotalCount(ctx.Context, c.db))
+		}
 		if err != nil {
 			log.Error(ctx, map[string]interface{}{
 				"err":      err,
@@ -632,7 +675,7 @@ func ConvertSpaceToModel(appSpace app.Space) space.Space {
 // conversion from internal to API
 type SpaceConvertFunc func(*http.Request, *space.Space, *app.Space) error
 
-// IncludeBacklog returns a SpaceConvertFunc that includes the a link to the backlog
+// IncludeBacklogTotalCount returns a SpaceConvertFunc that includes the a link to the backlog
 // along with the total count of items in the backlog of the current space
 func IncludeBacklogTotalCount(ctx context.Context, db application.DB) SpaceConvertFunc {
 	return func(req *http.Request, modelSpace *space.Space, appSpace *app.Space) error {
@@ -646,6 +689,22 @@ func IncludeBacklogTotalCount(ctx context.Context, db application.DB) SpaceConve
 	}
 }
 
+// IncludeMethodAccess returns a SpaceConvertFunc that includes method access metadata
+// along with the total count of items in the backlog of the current space
+func IncludeMethodAccess(ctx context.Context, req *http.Request, perms []string) SpaceConvertFunc {
+	return func(req *http.Request, modelSpace *space.Space, appSpace *app.Space) error {
+		spaceIDStr := modelSpace.ID.String()
+		relatedDeployments := rest.AbsoluteURL(req, fmt.Sprintf("/api/deployments/spaces/%s", spaceIDStr))
+		appSpace.Links.Deployments = &app.LinkWithAccess{
+			Href: &relatedDeployments,
+			Meta: &app.EndpointAccess{
+				Methods: perms,
+			},
+		}
+		return nil
+	}
+}
+
 // ConvertSpacesFromModel converts between internal and external REST representation
 func ConvertSpacesFromModel(request *http.Request, spaces []space.Space, additional ...SpaceConvertFunc) ([]*app.Space, error) {
 	var result = make([]*app.Space, len(spaces))
@@ -662,6 +721,12 @@ func ConvertSpacesFromModel(request *http.Request, spaces []space.Space, additio
 // ConvertSpaceFromModel converts between internal and external REST representation
 func ConvertSpaceFromModel(request *http.Request, sp space.Space, options ...SpaceConvertFunc) (*app.Space, error) {
 	selfURL := rest.AbsoluteURL(request, app.SpaceHref(sp.ID))
+	/**	selfWithPerms := &app.LinkWithAccess{
+		Href: &selfURL,
+		Meta: &app.EndpointAccess{
+			Methods: []string{"GET", "POST", "DELETE", "PATCH"},
+		},
+	}**/
 	spaceIDStr := sp.ID.String()
 	relatedIterations := rest.AbsoluteURL(request, fmt.Sprintf("/api/spaces/%s/iterations", spaceIDStr))
 	relatedAreas := rest.AbsoluteURL(request, fmt.Sprintf("/api/spaces/%s/areas", spaceIDStr))

controller/space_blackbox_test.go

@@ -847,7 +847,7 @@ func (s *SpaceControllerTestSuite) TestShowSpace() {
 		svc, ctrl := s.SecuredController(testsupport.TestIdentity)
 		_, created := test.CreateSpaceCreated(t, svc.Context, svc, ctrl, p)
 		// when
-		res, fetched := test.ShowSpaceOK(t, svc.Context, svc, ctrl, *created.Data.ID, nil, nil)
+		res, fetched := test.ShowSpaceOK(t, svc.Context, svc, ctrl, *created.Data.ID, nil, nil, nil)
 		// then
 		eTag, lastModified, _ := assertResponseHeaders(t, res)
 		assert.Equal(t, app.ToHTTPTime(getSpaceUpdatedAt(*created)), lastModified)
@@ -865,7 +865,7 @@ func (s *SpaceControllerTestSuite) TestShowSpace() {
 			_, created := test.CreateSpaceCreated(t, svc.Context, svc, ctrl, p)
 			// when
 			ifModifiedSince := app.ToHTTPTime(created.Data.Attributes.UpdatedAt.Add(-1 * time.Hour))
-			res, _ := test.ShowSpaceOK(t, svc.Context, svc, ctrl, *created.Data.ID, &ifModifiedSince, nil)
+			res, _ := test.ShowSpaceOK(t, svc.Context, svc, ctrl, *created.Data.ID, nil, &ifModifiedSince, nil)
 			// then
 			eTag, lastModified, _ := assertResponseHeaders(t, res)
 			assert.Equal(t, app.ToHTTPTime(getSpaceUpdatedAt(*created)), lastModified)
@@ -881,7 +881,7 @@ func (s *SpaceControllerTestSuite) TestShowSpace() {
 			_, created := test.CreateSpaceCreated(t, svc.Context, svc, ctrl, p)
 			// when
 			ifNoneMatch := "foo_etag"
-			res, _ := test.ShowSpaceOK(t, svc.Context, svc, ctrl, *created.Data.ID, nil, &ifNoneMatch)
+			res, _ := test.ShowSpaceOK(t, svc.Context, svc, ctrl, *created.Data.ID, nil, nil, &ifNoneMatch)
 			// then
 			eTag, lastModified, _ := assertResponseHeaders(t, res)
 			assert.Equal(t, app.ToHTTPTime(getSpaceUpdatedAt(*created)), lastModified)
@@ -897,7 +897,7 @@ func (s *SpaceControllerTestSuite) TestShowSpace() {
 			_, created := test.CreateSpaceCreated(t, svc.Context, svc, ctrl, p)
 			// when/then
 			ifModifiedSince := app.ToHTTPTime(getSpaceUpdatedAt(*created))
-			test.ShowSpaceNotModified(t, svc.Context, svc, ctrl, *created.Data.ID, &ifModifiedSince, nil)
+			test.ShowSpaceNotModified(t, svc.Context, svc, ctrl, *created.Data.ID, nil, &ifModifiedSince, nil)
 		})
 
 		t.Run("not modified with if-none-match header", func(t *testing.T) {
@@ -909,7 +909,7 @@ func (s *SpaceControllerTestSuite) TestShowSpace() {
 			_, created := test.CreateSpaceCreated(t, svc.Context, svc, ctrl, p)
 			// when/then
 			ifNoneMatch := generateSpaceTag(*created)
-			test.ShowSpaceNotModified(t, svc.Context, svc, ctrl, *created.Data.ID, nil, &ifNoneMatch)
+			test.ShowSpaceNotModified(t, svc.Context, svc, ctrl, *created.Data.ID, nil, nil, &ifNoneMatch)
 
 		})
 	})
@@ -918,7 +918,7 @@ func (s *SpaceControllerTestSuite) TestShowSpace() {
 		// given
 		svc, ctrl := s.UnSecuredController()
 		// when/then
-		test.ShowSpaceNotFound(t, svc.Context, svc, ctrl, uuid.NewV4(), nil, nil)
+		test.ShowSpaceNotFound(t, svc.Context, svc, ctrl, uuid.NewV4(), nil, nil, nil)
 	})
 
 }