[WIP] permissions API

17c1e9de-a89a-494b-91c4-819a013cb3b9

@@ -0,0 +1 @@
+{"data":{"attributes":{"created-at":"2018-07-02T04:00:57.297291Z","description":"","name":"rgarg-osiotest1-AGILE-space-2018-07-02T05-00-57","updated-at":"2018-07-02T04:00:57.297291Z","version":0},"id":"17c1e9de-a89a-494b-91c4-819a013cb3b9","links":{"backlog":{"meta":{"totalCount":46},"self":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9/backlog"},"filters":"https://api.openshift.io/api/filters","related":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9","self":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9","workitemlinktypes":"https://api.openshift.io/api/spacetemplates/f405fa41-a8bb-46db-8800-2dbe13da1418/workitemlinktypes","workitemtypes":"https://api.openshift.io/api/spacetemplates/f405fa41-a8bb-46db-8800-2dbe13da1418/workitemtypes"},"relationships":{"areas":{"links":{"related":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9/areas"}},"backlog":{"links":{"related":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9/backlog"},"meta":{"totalCount":46}},"codebases":{"links":{"related":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9/codebases"}},"collaborators":{"links":{"related":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9/collaborators"}},"filters":{"links":{"related":"https://api.openshift.io/api/filters"}},"iterations":{"links":{"related":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9/iterations"}},"labels":{"links":{"related":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9/labels"}},"owned-by":{"data":{"id":"02227dc6-f4fe-451b-9549-4c5b7becc5e7","type":"identities"},"links":{"related":"https://api.openshift.io/api/users/02227dc6-f4fe-451b-9549-4c5b7becc5e7"}},"space-template":{"data":{"id":"f405fa41-a8bb-46db-8800-2dbe13da1418","type":"spacetemplates"},"links":{"related":"https://api.openshift.io/api/spacetemplates/f405fa41-a8bb-46db-8800-2dbe13da1418","self":"https://api.openshift.io/api/spacetemplates/f405fa41-a8bb-46db-8800-2dbe13da1418"}},"workitemlinktypes":{"links":{"related":"https://api.openshift.io/api/spacetemplates/f405fa41-a8bb-46db-8800-2dbe13da1418/workitemlinktypes"}},"workitems":{"links":{"related":"https://api.openshift.io/api/spaces/17c1e9de-a89a-494b-91c4-819a013cb3b9/workitems"}},"workitemtypegroups":{"links":{"related":"https://api.openshift.io/api/spacetemplates/f405fa41-a8bb-46db-8800-2dbe13da1418/workitemtypegroups"}},"workitemtypes":{"links":{"related":"https://api.openshift.io/api/spacetemplates/f405fa41-a8bb-46db-8800-2dbe13da1418/workitemtypes"}}},"type":"spaces"}}

Makefile

@@ -317,6 +317,16 @@ regenerate: clean-generated generate
 dev: prebuild-check deps generate $(FRESH_BIN) docker-compose-up
 	F8_DEVELOPER_MODE_ENABLED=true $(FRESH_BIN)
 
+
+.PHONY: dev-pp
+dev-pp: prebuild-check deps generate $(FRESH_BIN) docker-compose-up
+	FABRIC8_WIT_API_URL=https://api.prod-preview.openshift.io F8_CONFIG_FILE_PATH=jstconfig-pp.yaml F8_DEVELOPER_MODE_ENABLED=true $(FRESH_BIN)
+
+.PHONY: dev-prod
+dev-prod: prebuild-check deps generate $(FRESH_BIN) docker-compose-up
+	FABRIC8_WIT_API_URL=https://api.openshift.io F8_CONFIG_FILE_PATH=jstconfig-prod.yaml F8_DEVELOPER_MODE_ENABLED=true $(FRESH_BIN)
+
+
 .PHONY: docker-compose-up
 docker-compose-up:
 ifeq ($(UNAME_S),Darwin)

Makefile.mine

@@ -0,0 +1,8 @@
+
+.PHONY: dev-pp
+dev-pp: prebuild-check deps generate $(FRESH_BIN) docker-compose-up
+	FABRIC8_WIT_API_URL=https://api.prod-preview.openshift.io F8_CONFIG_FILE_PATH=jstconfig-pp.yaml F8_DEVELOPER_MODE_ENABLED=true $(FRESH_BIN)
+
+.PHONY: dev-prod
+dev-prod: prebuild-check deps generate $(FRESH_BIN) docker-compose-up
+	FABRIC8_WIT_API_URL=https://api.openshift.io F8_CONFIG_FILE_PATH=jstconfig-prod.yaml F8_DEVELOPER_MODE_ENABLED=true $(FRESH_BIN)

actions/rules/action_field_set.go

@@ -39,7 +39,11 @@ func (act ActionFieldSet) storeWorkItem(wi *workitem.WorkItem) (*workitem.WorkIt
 	var storeResultWorkItem *workitem.WorkItem
 	err := application.Transactional(act.Db, func(appl application.Application) error {
 		var err error
+<<<<<<< HEAD
+		storeResultWorkItem, err = appl.WorkItems().Save(act.Ctx, wi.SpaceID, *wi, *act.UserID)
+=======
 		storeResultWorkItem, _, err = appl.WorkItems().Save(act.Ctx, wi.SpaceID, *wi, *act.UserID)
+>>>>>>> upstream/master
 		if err != nil {
 			return errs.Wrap(err, "error updating work item")
 		}

controller/deployments.go

@@ -332,12 +332,46 @@ func (c *DeploymentsController) ShowDeploymentStats(ctx *app.ShowDeploymentStats
 // ShowSpace runs the showSpace action.
 func (c *DeploymentsController) ShowSpace(ctx *app.ShowSpaceDeploymentsContext) error {
 
+	// TODO - get from ctx
+	//checkPerms := true
+
 	kc, err := c.GetKubeClient(ctx)
 	defer cleanup(kc)
 	if err != nil {
 		return jsonapi.JSONErrorResponse(ctx, err)
 	}
 
+	/****
+		guid := goauuid.UUID(ctx.SpaceID)
+		spaceURLStr := rest.AbsoluteURL(ctx.Request, fmt.Sprintf(witclient.ShowSpacePath(guid)))
+
+		if checkPerms {
+			canRead, err := kc.CanGetSpace()
+			if err != nil {
+				return jsonapi.JSONErrorResponse(ctx, err)
+			}
+			if !canRead {
+				// return a non-space with empty permissions
+				emptySpace := &app.SimpleSpace{
+					ID:   ctx.SpaceID,
+					Type: "space",
+					Links: &app.SimpleSpaceLinks{
+						Space: &app.LinkWithAccess{
+							Href: &spaceURLStr,
+							Meta: &app.EndpointAccess{
+								Methods: []string{},
+							},
+						},
+					},
+				}
+				res := &app.SimpleSpaceSingle{
+					Data: emptySpace,
+				}
+
+				return ctx.OK(res)
+			}
+		}
+	**/
 	kubeSpaceName, err := c.getSpaceNameFromSpaceID(ctx, ctx.SpaceID)
 	if err != nil || kubeSpaceName == nil {
 		return jsonapi.JSONErrorResponse(ctx, errors.NewNotFoundError("osio space", ctx.SpaceID.String()))
@@ -354,7 +388,22 @@ func (c *DeploymentsController) ShowSpace(ctx *app.ShowSpaceDeploymentsContext)
 
 	// Kubernetes doesn't know about space ID, so add it here
 	space.ID = ctx.SpaceID
+	/**
+		// next, try to get permissions
+		allowedMethods := []string{"GET"}
 
+		if err != nil {
+			return jsonapi.JSONErrorResponse(ctx, errs.Wrapf(err, "could not retrieve space %s", *kubeSpaceName))
+		}
+		space.Links = &app.SimpleSpaceLinks{
+			Space: &app.LinkWithAccess{
+				Href: &spaceURLStr,
+				Meta: &app.EndpointAccess{
+					Methods: []string{"GET", "POST", "DELETE", "PATCH"},
+				},
+			},
+		}
+	***/
 	res := &app.SimpleSpaceSingle{
 		Data: space,
 	}

controller/deployments_osioclient.go

@@ -37,7 +37,7 @@ var _ ResponseReader = (*IOResponseReader)(nil)
 
 // WitClient is an interface for mocking the witclient.Client
 type WitClient interface {
-	ShowSpace(ctx context.Context, path string, ifModifiedSince *string, ifNoneMatch *string) (*http.Response, error)
+	ShowSpace(ctx context.Context, path string, qp *bool, ifModifiedSince *string, ifNoneMatch *string) (*http.Response, error)
 	ShowUserService(ctx context.Context, path string) (*http.Response, error)
 }
 
@@ -141,7 +141,7 @@ func (osioclient *OSIOClient) GetUserServices(ctx context.Context) (*app.UserSer
 func (osioclient *OSIOClient) GetSpaceByID(ctx context.Context, spaceID uuid.UUID) (*app.Space, error) {
 	guid := goauuid.UUID(spaceID)
 	urlpath := witclient.ShowSpacePath(guid)
-	resp, err := osioclient.wc.ShowSpace(goasupport.ForwardContextRequestID(ctx), urlpath, nil, nil)
+	resp, err := osioclient.wc.ShowSpace(goasupport.ForwardContextRequestID(ctx), urlpath, nil, nil, nil)
 	if err != nil {
 		return nil, errs.Wrapf(err, "could not connect to %s", urlpath)
 	}

controller/deployments_osioclient_test.go

@@ -42,7 +42,7 @@ type MockWitClient struct {
 	UserServiceHttpResponseError error
 }
 
-func (m *MockWitClient) ShowSpace(ctx context.Context, path string, ifModifiedSince *string, ifNoneMatch *string) (*http.Response, error) {
+func (m *MockWitClient) ShowSpace(ctx context.Context, path string, qp *bool, ifModifiedSince *string, ifNoneMatch *string) (*http.Response, error) {
 	return m.SpaceHttpResponse, m.SpaceHttpResponseError
 }
 

controller/deployments_urlprovider.go

@@ -199,23 +199,20 @@ func (up *tenantURLProvider) GetEnvironmentMapping() map[string]string {
 			log.Error(nil, map[string]interface{}{
 				"namespace": envNS,
 			}, "namespace has no type")
-		} else if !isInternalNamespace(*envName) {
+		} else {
 			result[*envName] = envNS
 		}
 	}
 	return result
 }
 
 // Types of namespaces where the user does not deploy applications
-var internalNamespaceTypes = []string{"user", "che", "jenkins"}
+var internalNamespaceTypes = map[string]struct{}{"user": {}, "che": {}, "jenkins": {}}
 
-func isInternalNamespace(envType string) bool {
-	for _, internalType := range internalNamespaceTypes {
-		if envType == internalType {
-			return true
-		}
-	}
-	return false
+// CanDeploy returns true if the environment type provided can be deployed to as part of a pipeline
+func (up *tenantURLProvider) CanDeploy(envType string) bool {
+	_, pres := internalNamespaceTypes[envType]
+	return !pres
 }
 
 func (up *tenantURLProvider) GetAPIToken() (*string, error) {

controller/deployments_urlprovider_test.go

@@ -225,22 +225,31 @@ func TestTenantGetEnvironmentMapping(t *testing.T) {
 			testName:  "Basic",
 			inputFile: "user-services.json",
 			expectedMap: map[string]string{
-				"run":   "theuser-run",
-				"stage": "theuser-stage",
+				"user":    "theuser",
+				"run":     "theuser-run",
+				"stage":   "theuser-stage",
+				"che":     "theuser-che",
+				"jenkins": "theuser-jenkins",
 			},
 		},
 		{
 			testName:  "No Type",
 			inputFile: "user-services-no-type.json",
 			expectedMap: map[string]string{
-				"run": "theuser-run",
+				"user":    "theuser",
+				"run":     "theuser-run",
+				"che":     "theuser-che",
+				"jenkins": "theuser-jenkins",
 			},
 		},
 		{
 			testName:  "Empty Type",
 			inputFile: "user-services-empty-type.json",
 			expectedMap: map[string]string{
-				"run": "theuser-run",
+				"user":    "theuser",
+				"run":     "theuser-run",
+				"che":     "theuser-che",
+				"jenkins": "theuser-jenkins",
 			},
 		},
 	}
@@ -259,6 +268,29 @@ func TestTenantGetEnvironmentMapping(t *testing.T) {
 	}
 }
 
+func TestTenantCanDeploy(t *testing.T) {
+	testCases := []struct {
+		envType  string
+		expected bool
+	}{
+		{"user", false},
+		{"test", true},
+		{"stage", true},
+		{"run", true},
+		{"che", false},
+		{"jenkins", false},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.envType, func(t *testing.T) {
+			provider, err := getDefaultTenantProvider()
+			require.NoError(t, err)
+			result := provider.CanDeploy(testCase.envType)
+			require.Equal(t, testCase.expected, result, "Incorrect result from CanDeploy")
+		})
+	}
+}
+
 //////////////////////////////////////////////////////////////////////////////////////////////////
 
 func tostring(item interface{}) string {

controller/space.go

@@ -48,13 +48,14 @@ type SpaceController struct {
 	resourceManager   auth.ResourceManager
 	DeploymentsClient *http.Client
 	CodebaseClient    *http.Client
+	ClientGetter
 }
 
 // NewSpaceController creates a space controller.
 func NewSpaceController(
 	service *goa.Service,
 	db application.DB,
-	config SpaceConfiguration,
+	config *configuration.Registry,
 	resourceManager auth.ResourceManager) *SpaceController {
 
 	return &SpaceController{
@@ -64,6 +65,9 @@ func NewSpaceController(
 		resourceManager:   resourceManager,
 		DeploymentsClient: http.DefaultClient,
 		CodebaseClient:    http.DefaultClient,
+		ClientGetter: &defaultClientGetter{
+			config: config,
+		},
 	}
 }
 
@@ -470,6 +474,11 @@ func (c *SpaceController) List(ctx *app.ListSpaceContext) error {
 // Show runs the show action.
 func (c *SpaceController) Show(ctx *app.ShowSpaceContext) error {
 	var s *space.Space
+	s = &space.Space{
+		Name: "fakespacename",
+	}
+
+	/**
 	err := application.Transactional(c.db, func(appl application.Application) error {
 		var err error
 		s, err = appl.Spaces().Load(ctx.Context, ctx.SpaceID)
@@ -484,8 +493,46 @@ func (c *SpaceController) Show(ctx *app.ShowSpaceContext) error {
 	if err != nil {
 		return jsonapi.JSONErrorResponse(ctx, err)
 	}
+	***/
+	var methods []string
+	if ctx.Qp != nil && *ctx.Qp {
+		// 'qp' (QueryPerms query parameter) is true:
+		// ask Kubernetes if this user can access this space
+		// (this is different from the WIT Space database access)
+		kc, err := c.GetKubeClient(ctx)
+		defer cleanup(kc)
+		if err != nil {
+			log.Error(ctx, map[string]interface{}{
+				"err":      err,
+				"space_id": ctx.SpaceID,
+			}, "unable create a KubeClient")
+			return jsonapi.JSONErrorResponse(ctx, err)
+		}
+		canRead, err := kc.CanGetSpace()
+		if err != nil {
+			log.Error(ctx, map[string]interface{}{
+				"err":      err,
+				"space_id": ctx.SpaceID,
+			}, "unable retrieve permissions from CanGetSpace()")
+			return jsonapi.JSONErrorResponse(ctx, err)
+		}
+		if canRead {
+			methods = []string{"GET"}
+		} else {
+			methods = []string{}
+		}
+	} else {
+		methods = []string{}
+	}
+
 	return ctx.ConditionalRequest(*s, c.config.GetCacheControlSpace, func() error {
-		spaceData, err := ConvertSpaceFromModel(ctx.Request, *s, IncludeBacklogTotalCount(ctx.Context, c.db))
+		var spaceData *app.Space
+		var err error
+		if ctx.Qp != nil && *ctx.Qp {
+			spaceData, err = ConvertSpaceFromModel(ctx.Request, *s /*IncludeBacklogTotalCount(ctx.Context, c.db),*/, IncludeMethodAccess(ctx.Context, ctx.Request, methods))
+		} else {
+			spaceData, err = ConvertSpaceFromModel(ctx.Request, *s, IncludeBacklogTotalCount(ctx.Context, c.db))
+		}
 		if err != nil {
 			log.Error(ctx, map[string]interface{}{
 				"err":      err,
@@ -626,7 +673,7 @@ func ConvertSpaceToModel(appSpace app.Space) space.Space {
 // conversion from internal to API
 type SpaceConvertFunc func(*http.Request, *space.Space, *app.Space) error
 
-// IncludeBacklog returns a SpaceConvertFunc that includes the a link to the backlog
+// IncludeBacklogTotalCount returns a SpaceConvertFunc that includes the a link to the backlog
 // along with the total count of items in the backlog of the current space
 func IncludeBacklogTotalCount(ctx context.Context, db application.DB) SpaceConvertFunc {
 	return func(req *http.Request, modelSpace *space.Space, appSpace *app.Space) error {
@@ -640,6 +687,22 @@ func IncludeBacklogTotalCount(ctx context.Context, db application.DB) SpaceConve
 	}
 }
 
+// IncludeMethodAccess returns a SpaceConvertFunc that includes method access metadata
+// along with the total count of items in the backlog of the current space
+func IncludeMethodAccess(ctx context.Context, req *http.Request, perms []string) SpaceConvertFunc {
+	return func(req *http.Request, modelSpace *space.Space, appSpace *app.Space) error {
+		spaceIDStr := modelSpace.ID.String()
+		relatedDeployments := rest.AbsoluteURL(req, fmt.Sprintf("/api/deployments/spaces/%s", spaceIDStr))
+		appSpace.Links.Deployments = &app.LinkWithAccess{
+			Href: &relatedDeployments,
+			Meta: &app.EndpointAccess{
+				Methods: perms,
+			},
+		}
+		return nil
+	}
+}
+
 // ConvertSpacesFromModel converts between internal and external REST representation
 func ConvertSpacesFromModel(request *http.Request, spaces []space.Space, additional ...SpaceConvertFunc) ([]*app.Space, error) {
 	var result = make([]*app.Space, len(spaces))
@@ -656,6 +719,12 @@ func ConvertSpacesFromModel(request *http.Request, spaces []space.Space, additio
 // ConvertSpaceFromModel converts between internal and external REST representation
 func ConvertSpaceFromModel(request *http.Request, sp space.Space, options ...SpaceConvertFunc) (*app.Space, error) {
 	selfURL := rest.AbsoluteURL(request, app.SpaceHref(sp.ID))
+	/**	selfWithPerms := &app.LinkWithAccess{
+		Href: &selfURL,
+		Meta: &app.EndpointAccess{
+			Methods: []string{"GET", "POST", "DELETE", "PATCH"},
+		},
+	}**/
 	spaceIDStr := sp.ID.String()
 	relatedIterations := rest.AbsoluteURL(request, fmt.Sprintf("/api/spaces/%s/iterations", spaceIDStr))
 	relatedAreas := rest.AbsoluteURL(request, fmt.Sprintf("/api/spaces/%s/areas", spaceIDStr))