v3(bindings): Get details of a credential binding (cloudfoundry#1798)

[#173529480](https://www.pivotaltracker.com/story/show/173529480)
[#173510836](https://www.pivotaltracker.com/story/show/173510836)

Author: Derik Evangelista

app/controllers/v3/service_credential_bindings_controller.rb

@@ -1,6 +1,7 @@
 require 'fetchers/service_credential_binding_fetcher'
 require 'fetchers/service_credential_binding_list_fetcher'
 require 'presenters/v3/service_credential_binding_presenter'
+require 'presenters/v3/service_credential_binding_details_presenter'
 require 'messages/service_credential_bindings_list_message'
 require 'messages/service_credential_bindings_show_message'
 require 'decorators/include_binding_app_decorator'
@@ -33,6 +34,13 @@ def show
     render status: :ok, json: serialized(message)
   end
 
+  def details
+    ensure_service_credential_binding_is_accessible!
+    not_found! unless can_read_secrets_in_the_binding_space?
+
+    render status: :ok, json: credential_binding_details
+  end
+
   private
 
   AVAILABLE_DECORATORS = [
@@ -65,6 +73,10 @@ def serialized(message)
     Presenters::V3::ServiceCredentialBindingPresenter.new(service_credential_binding, decorators: decorators(message)).to_hash
   end
 
+  def credential_binding_details
+    Presenters::V3::ServiceCredentialBindingDetailsPresenter.new(service_credential_binding).to_hash
+  end
+
   def ensure_service_credential_binding_is_accessible!
     not_found! unless service_credential_binding_exists?
   end
@@ -77,6 +89,18 @@ def service_credential_binding_exists?
     !!service_credential_binding
   end
 
+  def can_read_secrets_in_the_binding_space?
+    permission_queryer.can_read_secrets_in_space?(binding_space.guid, binding_org.guid)
+  end
+
+  def binding_space
+    service_credential_binding.space
+  end
+
+  def binding_org
+    service_credential_binding.space.organization
+  end
+
   def list_fetcher
     @list_fetcher ||= VCAP::CloudController::ServiceCredentialBindingListFetcher.new
   end

app/models/services/service_credential_binding_view.rb

@@ -14,11 +14,18 @@ module Types
         Sequel.as(:service_keys__created_at, :created_at),
         Sequel.as(:service_keys__updated_at, :updated_at),
         Sequel.as(:service_keys__name, :name),
+        Sequel.as(:service_keys__credentials, :credentials),
+        Sequel.as(:service_keys__salt, :salt),
+        Sequel.as(:service_keys__encryption_key_label, :encryption_key_label),
+        Sequel.as(:service_keys__encryption_iterations, :encryption_iterations),
         Sequel.as(:service_instances__guid, :service_instance_guid),
         Sequel.as(:service_instances__name, :service_instance_name),
         Sequel.as(nil, :app_guid),
         Sequel.as(nil, :app_name),
-        Sequel.as(:service_keys__service_instance_id, :service_instance_id)
+        Sequel.as(:service_keys__service_instance_id, :service_instance_id),
+        Sequel.as(nil, :syslog_drain_url),
+        Sequel.as(nil, :volume_mounts),
+        Sequel.as(nil, :volume_mounts_salt)
       ).join(
         :service_instances, id: Sequel[:service_keys][:service_instance_id]
       ).join(
@@ -33,11 +40,18 @@ module Types
         Sequel.as(:service_bindings__created_at, :created_at),
         Sequel.as(:service_bindings__updated_at, :updated_at),
         Sequel.as(:service_bindings__name, :name),
+        Sequel.as(:service_bindings__credentials, :credentials),
+        Sequel.as(:service_bindings__salt, :salt),
+        Sequel.as(:service_bindings__encryption_key_label, :encryption_key_label),
+        Sequel.as(:service_bindings__encryption_iterations, :encryption_iterations),
         Sequel.as(:service_bindings__service_instance_guid, :service_instance_guid),
         Sequel.as(:service_instances__name, :service_instance_name),
         Sequel.as(:service_bindings__app_guid, :app_guid),
         Sequel.as(:apps__name, :app_name),
-        Sequel.as(nil, :service_instance_id)
+        Sequel.as(nil, :service_instance_id),
+        Sequel.as(:service_bindings__syslog_drain_url, :syslog_drain_url),
+        Sequel.as(:service_bindings__volume_mounts, :volume_mounts),
+        Sequel.as(:service_bindings__volume_mounts_salt, :volume_mounts_salt)
       ).join(
         :apps, guid: Sequel[:service_bindings][:app_guid]
       ).join(

app/presenters/v3/service_credential_binding_details_presenter.rb

@@ -0,0 +1,27 @@
+require_relative 'base_presenter'
+
+module VCAP
+  module CloudController
+    module Presenters
+      module V3
+        class ServiceCredentialBindingDetailsPresenter < BasePresenter
+          def to_hash
+            {
+              credentials: credentials,
+              syslog_drain_url: @resource.syslog_drain_url,
+              volume_mounts: @resource.volume_mounts || nil
+            }.compact
+          end
+
+          private
+
+          def credentials
+            JSON.parse(@resource.credentials)
+          rescue JSON::ParserError
+            nil
+          end
+        end
+      end
+    end
+  end
+end

config/routes.rb

@@ -187,7 +187,11 @@
   # service_credential_bindings
   resources :service_credential_bindings,
             param: :guid,
-            only: [:show, :index]
+            only: [:show, :index] do
+    member do
+      get :details
+    end
+  end
 
   # service_route_bindings
   resources :service_route_bindings,

docs/v3/source/includes/api_resources/_service_credential_bindings.erb

@@ -63,6 +63,16 @@
 }
 <% end %>
 
+<% content_for :single_service_credential_binding_details do %>
+{
+  "credentials": {
+    "connection": "mydb://user@password:example.com"
+  },
+  "syslog_drain_url": "http://syslog.example.com/drain",
+  "volume_mounts": ["/vcap/data", "store"]
+}
+<% end %>
+
 <% content_for :paginated_list_of_service_credential_bindings do |base_url| %>
 {
   "pagination": {

docs/v3/source/includes/experimental_resources/service_credential_bindings/_details.md.erb

@@ -0,0 +1,35 @@
+### Get a service credential binding details
+
+```
+Example Request
+```
+
+```shell
+curl "https://api.example.org/v3/service_credential_bindings/[guid]/details" \
+  -X GET \
+  -H "Authorization: bearer [token]"
+```
+
+```
+Example Credential Binding Details Response
+```
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+<%= yield_content :single_service_credential_binding_details %>
+```
+
+This endpoint retrieves the service credential binding details.
+
+#### Definition
+`GET /v3/service_service_credential_bindings/:guid/details`
+
+
+#### Permitted roles
+ |
+--- | ---
+Admin |
+Admin Read-Only |
+Space Developer |

docs/v3/source/index.md

@@ -359,6 +359,7 @@ includes:
   - experimental_resources/service_credential_bindings/object
   - experimental_resources/service_credential_bindings/get
   - experimental_resources/service_credential_bindings/list
+  - experimental_resources/service_credential_bindings/details
   - experimental_resources/service_instances/header
   - experimental_resources/service_instances/create
   - experimental_resources/service_instances/get

spec/request/service_credential_bindings_spec.rb

@@ -344,7 +344,7 @@ def check_filtered_bindings(*bindings)
     end
   end
 
-  describe 'GET /v3/service_credential_bindings/:app_guid' do
+  describe 'GET /v3/service_credential_bindings/:app_binding_guid' do
     let(:app_to_bind_to) { VCAP::CloudController::AppModel.make(space: space) }
     let(:app_binding) do
       VCAP::CloudController::ServiceBinding.make(service_instance: instance, app: app_to_bind_to).tap do |binding|
@@ -450,6 +450,99 @@ def check_filtered_bindings(*bindings)
     end
   end
 
+  describe 'GET /v3/service_credential_bindings/:binding_guid/details' do
+    let(:details) {
+      {
+        service_instance: instance,
+        volume_mounts: ['foo', 'bar'],
+        syslog_drain_url: 'some-drain-url',
+        credentials: '{"cred_key": "creds-val-64", "magic": true}'
+      }
+    }
+    let(:app_binding) { VCAP::CloudController::ServiceBinding.make(**details) }
+    let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: space) }
+    let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{app_binding.guid}/details", nil, user_headers } }
+    let(:binding_credentials) {
+      {
+        credentials: {
+          cred_key: 'creds-val-64',
+          magic: true
+        },
+        syslog_drain_url: 'some-drain-url',
+        volume_mounts: ['foo', 'bar']
+      }
+    }
+
+    context 'permissions' do
+      it_behaves_like 'permissions for single object endpoint', ALL_PERMISSIONS do
+        let(:expected_codes_and_responses) do
+          Hash.new(code: 404).tap do |h|
+            h['space_developer'] = { code: 200, response_object: binding_credentials }
+            h['admin'] = { code: 200, response_object: binding_credentials }
+            h['admin_read_only'] = { code: 200, response_object: binding_credentials }
+          end
+        end
+      end
+
+      describe 'when the service instance is shared' do
+        let(:originating_space) { VCAP::CloudController::Space.make }
+        let(:shared_space) { space }
+        let(:user_in_shared_space) {
+          u = VCAP::CloudController::User.make
+          shared_space.organization.add_user(u)
+          shared_space.add_developer(u)
+          u
+        }
+        let(:user_in_originating_space) do
+          u = VCAP::CloudController::User.make
+          originating_space.organization.add_user(u)
+          originating_space.add_developer(u)
+          u
+        end
+        let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: originating_space) }
+        let(:details) {
+          {
+            service_instance: instance,
+            credentials: '{"password": "terces"}',
+            app: source_app
+          }
+        }
+
+        before do
+          instance.add_shared_space(shared_space)
+        end
+
+        context 'bindings in the originating space' do
+          let(:source_app) { VCAP::CloudController::AppModel.make(space: originating_space) }
+
+          it 'should return the credentials for users in the originating space' do
+            api_call.call(headers_for(user_in_originating_space))
+            expect(last_response).to have_status_code(200)
+          end
+
+          it 'should return 404 for users in the shared space' do
+            api_call.call(headers_for(user_in_shared_space))
+            expect(last_response).to have_status_code(404)
+          end
+        end
+
+        context 'bindings in the shared space' do
+          let(:source_app) { VCAP::CloudController::AppModel.make(space: shared_space) }
+
+          it 'should return 404 for users in the originating space' do
+            api_call.call(headers_for(user_in_originating_space))
+            expect(last_response).to have_status_code(404)
+          end
+
+          it 'should return the credentials for users in the shared space space' do
+            api_call.call(headers_for(user_in_shared_space))
+            expect(last_response).to have_status_code(200)
+          end
+        end
+      end
+    end
+  end
+
   def expected_json(binding)
     {
       guid: binding.guid,

spec/support/fakes/blueprints.rb

@@ -448,6 +448,7 @@ module VCAP::CloudController
     syslog_drain_url { nil }
     type { 'app' }
     name { nil }
+    guid { Sham.guid }
   end
 
   ServiceKey.blueprint do

spec/unit/fetchers/service_credential_binding_list_fetcher_spec.rb

@@ -18,15 +18,37 @@ module CloudController
       describe 'app and key bindings' do
         let(:space) { VCAP::CloudController::Space.make }
         let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: space) }
-        let!(:key_binding) { VCAP::CloudController::ServiceKey.make(service_instance: instance) }
-        let!(:app_binding) { VCAP::CloudController::ServiceBinding.make(service_instance: instance, name: Sham.name) }
+
+        let(:key_details) {
+          {
+            credentials: '{"some":"key"}'
+          }
+        }
+
+        let(:app_binding_details) {
+          {
+            credentials: '{"some":"app secret"}',
+            syslog_drain_url: 'http://example.com/drain-app',
+            volume_mounts: ['ccc', 'ddd']
+          }
+        }
+        let!(:key_binding) { VCAP::CloudController::ServiceKey.make(service_instance: instance, **key_details) }
+        let!(:app_binding) { VCAP::CloudController::ServiceBinding.make(service_instance: instance, name: Sham.name, **app_binding_details) }
 
         context 'when getting everything' do
           it 'returns both key and app bindings' do
             bindings = fetcher.fetch(space_guids: :all, message: message).all
-            binding_guids = bindings.map(&:guid)
+            to_hash = ->(b) {
+              {
+                guid: b.guid,
+                credentials: b.credentials,
+                syslog_drain_url: b.try(:syslog_drain_url) || nil,
+                volume_mounts: b.try(:volume_mount) || []
+              }
+            }
 
-            expect(binding_guids).to contain_exactly(key_binding.guid, app_binding.guid)
+            actual_bindings = bindings.map { |b| to_hash.call(b) }
+            expect(actual_bindings).to contain_exactly(to_hash.call(key_binding), to_hash.call(app_binding))
           end
         end