func (s *ConsumptionSuite) TestGrantRevokeServiceToTeam(c *check.C) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("{'AA': 2}"))
}))
defer ts.Close()
se := service.Service{Name: "go", Endpoint: map[string]string{"production": ts.URL}}
err := se.Create()
c.Assert(err, check.IsNil)
defer s.conn.Services().Remove(bson.M{"_id": se.Name})
si := service.ServiceInstance{Name: "si-test", ServiceName: "go", Teams: []string{s.team.Name}}
err = si.Create()
c.Assert(err, check.IsNil)
defer service.DeleteInstance(&si)
team := auth.Team{Name: "test"}
s.conn.Teams().Insert(team)
defer s.conn.Teams().Remove(bson.M{"name": team.Name})
url := fmt.Sprintf("/services/%s/instances/permission/%s/%s?:instance=%s&:team=%s&:service=%s", si.ServiceName, si.Name,
team.Name, si.Name, team.Name, si.ServiceName)
request, err := http.NewRequest("PUT", url, nil)
c.Assert(err, check.IsNil)
recorder := httptest.NewRecorder()
err = serviceInstanceGrantTeam(recorder, request, s.token)
c.Assert(err, check.IsNil)
sinst, err := service.GetServiceInstance(si.ServiceName, si.Name)
c.Assert(err, check.IsNil)
c.Assert(sinst.Teams, check.DeepEquals, []string{s.team.Name, team.Name})
request, err = http.NewRequest("DELETE", url, nil)
c.Assert(err, check.IsNil)
err = serviceInstanceRevokeTeam(recorder, request, s.token)
c.Assert(err, check.IsNil)
sinst, err = service.GetServiceInstance(si.ServiceName, si.Name)
c.Assert(err, check.IsNil)
c.Assert(sinst.Teams, check.DeepEquals, []string{s.team.Name})
}
func getServiceInstanceOrError(serviceName string, instanceName string) (*service.ServiceInstance, error) {
serviceInstance, err := service.GetServiceInstance(serviceName, instanceName)
if err != nil {
switch err {
case service.ErrServiceInstanceNotFound:
return nil, &errors.HTTP{
Code: http.StatusNotFound,
Message: err.Error(),
}
default:
return nil, err
}
}
return serviceInstance, nil
}
func getServiceInstanceOrError(name string, u *auth.User) (*service.ServiceInstance, error) {
si, err := service.GetServiceInstance(name, u)
if err != nil {
switch err {
case service.ErrServiceInstanceNotFound:
return nil, &errors.HTTP{
Code: http.StatusNotFound,
Message: err.Error(),
}
case service.ErrAccessNotAllowed:
return nil, &errors.HTTP{
Code: http.StatusForbidden,
Message: err.Error(),
}
default:
return nil, err
}
}
return si, nil
}
func setAllowed(evt *event.Event) (err error) {
defer func() {
if err != nil {
fmt.Printf("setting global context to evt %q: %s\n", evt.String(), err)
err = nil
}
}()
switch evt.Target.Type {
case event.TargetTypeApp:
var a *app.App
a, err = app.GetByName(evt.Target.Value)
if err != nil {
evt.Allowed = event.Allowed(permission.PermAppReadEvents)
if evt.Cancelable {
evt.Allowed = event.Allowed(permission.PermAppUpdateEvents)
}
return err
}
ctxs := append(permission.Contexts(permission.CtxTeam, a.Teams),
permission.Context(permission.CtxApp, a.Name),
permission.Context(permission.CtxPool, a.Pool),
)
evt.Allowed = event.Allowed(permission.PermAppReadEvents, ctxs...)
if evt.Cancelable {
evt.Allowed = event.Allowed(permission.PermAppUpdateEvents, ctxs...)
}
case event.TargetTypeTeam:
evt.Allowed = event.Allowed(permission.PermTeamReadEvents, permission.Context(permission.CtxTeam, evt.Target.Value))
case event.TargetTypeService:
s := service.Service{Name: evt.Target.Value}
err = s.Get()
if err != nil {
evt.Allowed = event.Allowed(permission.PermServiceReadEvents)
return err
}
evt.Allowed = event.Allowed(permission.PermServiceReadEvents,
append(permission.Contexts(permission.CtxTeam, s.OwnerTeams),
permission.Context(permission.CtxService, s.Name),
)...,
)
case event.TargetTypeServiceInstance:
v := strings.SplitN(evt.Target.Value, "/", 2)
if len(v) != 2 {
evt.Allowed = event.Allowed(permission.PermServiceInstanceReadEvents)
return nil
}
var si *service.ServiceInstance
si, err = service.GetServiceInstance(v[0], v[1])
if err != nil {
evt.Allowed = event.Allowed(permission.PermServiceInstanceReadEvents)
return err
}
evt.Allowed = event.Allowed(permission.PermServiceReadEvents,
append(permission.Contexts(permission.CtxTeam, si.Teams),
permission.Context(permission.CtxServiceInstance, evt.Target.Value),
)...,
)
case event.TargetTypePool:
evt.Allowed = event.Allowed(permission.PermPoolReadEvents, permission.Context(permission.CtxPool, evt.Target.Value))
case event.TargetTypeUser:
evt.Allowed = event.Allowed(permission.PermUserReadEvents, permission.Context(permission.CtxUser, evt.Target.Value))
case event.TargetTypeIaas:
evt.Allowed = event.Allowed(permission.PermMachineReadEvents, permission.Context(permission.CtxIaaS, evt.Target.Value))
case event.TargetTypeContainer:
var provisioners []provision.Provisioner
provisioners, err = provision.Registry()
if err != nil {
return err
}
var a provision.App
for _, p := range provisioners {
if finderProv, ok := p.(provision.UnitFinderProvisioner); ok {
a, err = finderProv.GetAppFromUnitID(evt.Target.Value)
_, isNotFound := err.(*provision.UnitNotFoundError)
if err == nil || !isNotFound {
break
}
}
}
if err != nil {
return err
}
evt.Allowed = event.Allowed(permission.PermAppReadEvents,
append(permission.Contexts(permission.CtxTeam, a.GetTeamsName()),
permission.Context(permission.CtxApp, a.GetName()),
permission.Context(permission.CtxPool, a.GetPool()),
)...,
)
case event.TargetTypeNode:
var provisioners []provision.Provisioner
provisioners, err = provision.Registry()
if err != nil {
return err
}
var ctxs []permission.PermissionContext
for _, p := range provisioners {
if nodeProvisioner, ok := p.(provision.NodeProvisioner); ok {
var nodes []provision.Node
nodes, err = nodeProvisioner.ListNodes([]string{evt.Target.Value})
if err != nil {
return err
}
ctxs = append(ctxs, permission.Context(permission.CtxPool, nodes[0].Pool()))
}
}
evt.Allowed = event.Allowed(permission.PermPoolReadEvents, ctxs...)
case event.TargetTypeRole:
evt.Allowed = event.Allowed(permission.PermRoleReadEvents)
default:
evt.Allowed = event.Allowed(permission.PermDebug)
}
return nil
}
