func (s *ConsumptionSuite) TestGrantRevokeServiceToTeam(c *check.C) { ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("{'AA': 2}")) })) defer ts.Close() se := service.Service{Name: "go", Endpoint: map[string]string{"production": ts.URL}} err := se.Create() c.Assert(err, check.IsNil) defer s.conn.Services().Remove(bson.M{"_id": se.Name}) si := service.ServiceInstance{Name: "si-test", ServiceName: "go", Teams: []string{s.team.Name}} err = si.Create() c.Assert(err, check.IsNil) defer service.DeleteInstance(&si) team := auth.Team{Name: "test"} s.conn.Teams().Insert(team) defer s.conn.Teams().Remove(bson.M{"name": team.Name}) url := fmt.Sprintf("/services/%s/instances/permission/%s/%s?:instance=%s&:team=%s&:service=%s", si.ServiceName, si.Name, team.Name, si.Name, team.Name, si.ServiceName) request, err := http.NewRequest("PUT", url, nil) c.Assert(err, check.IsNil) recorder := httptest.NewRecorder() err = serviceInstanceGrantTeam(recorder, request, s.token) c.Assert(err, check.IsNil) sinst, err := service.GetServiceInstance(si.ServiceName, si.Name) c.Assert(err, check.IsNil) c.Assert(sinst.Teams, check.DeepEquals, []string{s.team.Name, team.Name}) request, err = http.NewRequest("DELETE", url, nil) c.Assert(err, check.IsNil) err = serviceInstanceRevokeTeam(recorder, request, s.token) c.Assert(err, check.IsNil) sinst, err = service.GetServiceInstance(si.ServiceName, si.Name) c.Assert(err, check.IsNil) c.Assert(sinst.Teams, check.DeepEquals, []string{s.team.Name}) }
func getServiceInstanceOrError(serviceName string, instanceName string) (*service.ServiceInstance, error) { serviceInstance, err := service.GetServiceInstance(serviceName, instanceName) if err != nil { switch err { case service.ErrServiceInstanceNotFound: return nil, &errors.HTTP{ Code: http.StatusNotFound, Message: err.Error(), } default: return nil, err } } return serviceInstance, nil }
func getServiceInstanceOrError(name string, u *auth.User) (*service.ServiceInstance, error) { si, err := service.GetServiceInstance(name, u) if err != nil { switch err { case service.ErrServiceInstanceNotFound: return nil, &errors.HTTP{ Code: http.StatusNotFound, Message: err.Error(), } case service.ErrAccessNotAllowed: return nil, &errors.HTTP{ Code: http.StatusForbidden, Message: err.Error(), } default: return nil, err } } return si, nil }
func setAllowed(evt *event.Event) (err error) { defer func() { if err != nil { fmt.Printf("setting global context to evt %q: %s\n", evt.String(), err) err = nil } }() switch evt.Target.Type { case event.TargetTypeApp: var a *app.App a, err = app.GetByName(evt.Target.Value) if err != nil { evt.Allowed = event.Allowed(permission.PermAppReadEvents) if evt.Cancelable { evt.Allowed = event.Allowed(permission.PermAppUpdateEvents) } return err } ctxs := append(permission.Contexts(permission.CtxTeam, a.Teams), permission.Context(permission.CtxApp, a.Name), permission.Context(permission.CtxPool, a.Pool), ) evt.Allowed = event.Allowed(permission.PermAppReadEvents, ctxs...) if evt.Cancelable { evt.Allowed = event.Allowed(permission.PermAppUpdateEvents, ctxs...) } case event.TargetTypeTeam: evt.Allowed = event.Allowed(permission.PermTeamReadEvents, permission.Context(permission.CtxTeam, evt.Target.Value)) case event.TargetTypeService: s := service.Service{Name: evt.Target.Value} err = s.Get() if err != nil { evt.Allowed = event.Allowed(permission.PermServiceReadEvents) return err } evt.Allowed = event.Allowed(permission.PermServiceReadEvents, append(permission.Contexts(permission.CtxTeam, s.OwnerTeams), permission.Context(permission.CtxService, s.Name), )..., ) case event.TargetTypeServiceInstance: v := strings.SplitN(evt.Target.Value, "/", 2) if len(v) != 2 { evt.Allowed = event.Allowed(permission.PermServiceInstanceReadEvents) return nil } var si *service.ServiceInstance si, err = service.GetServiceInstance(v[0], v[1]) if err != nil { evt.Allowed = event.Allowed(permission.PermServiceInstanceReadEvents) return err } evt.Allowed = event.Allowed(permission.PermServiceReadEvents, append(permission.Contexts(permission.CtxTeam, si.Teams), permission.Context(permission.CtxServiceInstance, evt.Target.Value), )..., ) case event.TargetTypePool: evt.Allowed = event.Allowed(permission.PermPoolReadEvents, permission.Context(permission.CtxPool, evt.Target.Value)) case event.TargetTypeUser: evt.Allowed = event.Allowed(permission.PermUserReadEvents, permission.Context(permission.CtxUser, evt.Target.Value)) case event.TargetTypeIaas: evt.Allowed = event.Allowed(permission.PermMachineReadEvents, permission.Context(permission.CtxIaaS, evt.Target.Value)) case event.TargetTypeContainer: var provisioners []provision.Provisioner provisioners, err = provision.Registry() if err != nil { return err } var a provision.App for _, p := range provisioners { if finderProv, ok := p.(provision.UnitFinderProvisioner); ok { a, err = finderProv.GetAppFromUnitID(evt.Target.Value) _, isNotFound := err.(*provision.UnitNotFoundError) if err == nil || !isNotFound { break } } } if err != nil { return err } evt.Allowed = event.Allowed(permission.PermAppReadEvents, append(permission.Contexts(permission.CtxTeam, a.GetTeamsName()), permission.Context(permission.CtxApp, a.GetName()), permission.Context(permission.CtxPool, a.GetPool()), )..., ) case event.TargetTypeNode: var provisioners []provision.Provisioner provisioners, err = provision.Registry() if err != nil { return err } var ctxs []permission.PermissionContext for _, p := range provisioners { if nodeProvisioner, ok := p.(provision.NodeProvisioner); ok { var nodes []provision.Node nodes, err = nodeProvisioner.ListNodes([]string{evt.Target.Value}) if err != nil { return err } ctxs = append(ctxs, permission.Context(permission.CtxPool, nodes[0].Pool())) } } evt.Allowed = event.Allowed(permission.PermPoolReadEvents, ctxs...) case event.TargetTypeRole: evt.Allowed = event.Allowed(permission.PermRoleReadEvents) default: evt.Allowed = event.Allowed(permission.PermDebug) } return nil }