v3(services): Return credential binding info for both key and app bindings (cloudfoundry#1750)

Brian Butz · web-flow · commit 8ee41d47cc41 · 2020-07-23T15:50:43.000+01:00
[#173148626](https://www.pivotaltracker.com/story/show/173148626)
diff --git a/app/controllers/v3/service_credential_bindings_controller.rb b/app/controllers/v3/service_credential_bindings_controller.rb
@@ -1,35 +1,48 @@
+require 'fetchers/service_credential_binding_fetcher'
+
 class ServiceCredentialBindingsController < ApplicationController
-  before_action :ensure_service_key_exists!
+  before_action :ensure_service_credential_binding_exists!
   before_action :ensure_user_has_access!
 
   def show
-    render status: :ok, json: hashed_params.slice(:guid)
+    render status: :ok, json: serialized
   end
 
   private
 
-  def ensure_service_key_exists!
-    service_key_not_found! unless service_key_exists?
+  def serialized
+    {
+      guid: service_credential_binding.guid,
+      type: service_credential_binding.type
+    }
+  end
+
+  def ensure_service_credential_binding_exists!
+    not_found! unless service_credential_binding_exists?
   end
 
   def ensure_user_has_access!
-    service_key_not_found! unless allowed_to_access_space?
+    not_found! unless allowed_to_access_space?
   end
 
-  def service_key_not_found!
+  def not_found!
     resource_not_found!(:service_credential_binding)
   end
 
-  def service_key
-    @service_key ||= ServiceKey.first(guid: hashed_params[:guid])
+  def service_credential_binding
+    @service_credential_binding ||= fetcher.fetch(hashed_params[:guid])
+  end
+
+  def fetcher
+    @fetcher ||= VCAP::CloudController::ServiceCredentialBindingFetcher.new
   end
 
-  def service_key_exists?
-    !!service_key
+  def service_credential_binding_exists?
+    !!service_credential_binding
   end
 
   def allowed_to_access_space?
-    space = service_key.service_instance.space
+    space = service_credential_binding.space
 
     permission_queryer.can_read_from_space?(space.guid, space.organization_guid)
   end
diff --git a/app/fetchers/service_credential_binding_fetcher.rb b/app/fetchers/service_credential_binding_fetcher.rb
@@ -0,0 +1,17 @@
+module VCAP
+  module CloudController
+    class ServiceCredentialBindingFetcher
+      ServiceInstanceCredential = Struct.new(:guid, :type, :space).freeze
+
+      def fetch(guid)
+        ServiceCredentialBinding::View.first(guid: guid).try do |db_binding|
+          ServiceInstanceCredential.new(
+            db_binding.guid,
+            db_binding.type,
+            db_binding.space
+          )
+        end
+      end
+    end
+  end
+end
diff --git a/app/models.rb b/app/models.rb
@@ -130,6 +130,7 @@
 require 'models/services/service_usage_event'
 require 'models/services/service_key'
 require 'models/services/route_binding'
+require 'models/services/service_credential_binding_view'
 
 require 'models/request_count'
 require 'models/orphaned_blob'
diff --git a/app/models/services/service_credential_binding_view.rb b/app/models/services/service_credential_binding_view.rb
@@ -0,0 +1,48 @@
+module VCAP
+  module CloudController
+    module ServiceCredentialBinding
+      module Types
+        SERVICE_KEY = 'key'.freeze
+        SERVICE_BINDING = 'app'.freeze
+      end
+
+      SERVICE_KEY_VIEW = VCAP::CloudController::ServiceKey.select(
+        :guid,
+        Sequel.as(Types::SERVICE_KEY, :type),
+        :service_instance_id,
+        Sequel.as(nil, :app_guid)
+      ).freeze
+
+      SERVICE_BINDING_VIEW = VCAP::CloudController::ServiceBinding.select(
+        :guid,
+        Sequel.as(Types::SERVICE_BINDING, :type),
+        Sequel.as(nil, :service_instance_id),
+        :app_guid
+      ).freeze
+
+      VIEW = [
+        SERVICE_KEY_VIEW,
+        SERVICE_BINDING_VIEW
+      ].inject do |statement, sub_select|
+        statement.union(sub_select, all: true, from_self: false)
+      end.freeze
+
+      class View < Sequel::Model(VIEW)
+        many_to_one :service_instance, class: 'VCAP::CloudController::ServiceInstance'
+        many_to_one :app, class: 'VCAP::CloudController::AppModel', key: :app_guid, primary_key: :guid, without_guid_generation: true
+
+        def space
+          relation =
+            case type
+            when Types::SERVICE_BINDING
+              app
+            else
+              service_instance
+            end
+
+          relation.space
+        end
+      end
+    end
+  end
+end
diff --git a/spec/request/service_credential_bindings_spec.rb b/spec/request/service_credential_bindings_spec.rb
@@ -7,59 +7,103 @@
   let(:space) { VCAP::CloudController::Space.make(organization: org) }
   let(:other_space) { VCAP::CloudController::Space.make }
 
+  context 'GET /v3/service_credential_bindings/:missing_key' do
+    let(:api_call) { ->(user_headers) { get '/v3/service_credential_bindings/no-binding', nil, user_headers } }
+
+    let(:expected_codes_and_responses) do
+      Hash.new(code: 404)
+    end
+
+    it_behaves_like 'permissions for single object endpoint', ALL_PERMISSIONS
+  end
+
   describe 'GET /v3/service_credential_bindings/:key_guid' do
-    context 'key exists' do
-      let(:key) { VCAP::CloudController::ServiceKey.make(service_instance: instance) }
-      let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: space) }
-      let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{key.guid}", nil, user_headers } }
+    let(:key) { VCAP::CloudController::ServiceKey.make(service_instance: instance) }
+    let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: space) }
+    let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{key.guid}", nil, user_headers } }
+    let(:expected_object) { { guid: key.guid, type: 'key' } }
 
-      context 'global roles' do
+    context 'global roles' do
+      let(:expected_codes_and_responses) do
+        Hash.new({ code: 200, response_object: expected_object })
+      end
+
+      it_behaves_like 'permissions for single object endpoint', GLOBAL_SCOPES
+    end
+
+    context 'local roles' do
+      context 'user is in the original space of the service instance' do
         let(:expected_codes_and_responses) do
-          Hash.new({ code: 200, response_object: { guid: key.guid } })
+          Hash.new({ code: 200, response_object: expected_object }).tap do |h|
+            h['org_auditor'] = { code: 404 }
+            h['org_billing_manager'] = { code: 404 }
+            h['no_role'] = { code: 404 }
+          end
         end
 
-        it_behaves_like 'permissions for single object endpoint', GLOBAL_SCOPES
+        it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
       end
 
-      context 'local roles' do
-        context 'user is in the original space of the service instance' do
-          let(:expected_codes_and_responses) do
-            Hash.new({ code: 200, response_object: { guid: key.guid } }).tap do |h|
-              h['org_auditor'] = { code: 404 }
-              h['org_billing_manager'] = { code: 404 }
-              h['no_role'] = { code: 404 }
-            end
-          end
+      context 'user is in a space that the service instance is shared to' do
+        let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: other_space) }
 
-          it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
+        before do
+          instance.add_shared_space(space)
         end
 
-        context 'user is in a space that the service instance is shared to' do
-          let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: other_space) }
+        let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{key.guid}", nil, user_headers } }
 
-          before do
-            instance.add_shared_space(space)
-          end
+        let(:expected_codes_and_responses) do
+          Hash.new(code: 404)
+        end
 
-          let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{key.guid}", nil, user_headers } }
+        it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
+      end
+    end
+  end
 
-          let(:expected_codes_and_responses) do
-            Hash.new(code: 404)
-          end
+  describe 'GET /v3/service_credential_bindings/:app_guid' do
+    let(:app_binding) { VCAP::CloudController::ServiceBinding.make(service_instance: instance) }
+    let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: space) }
+    let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{app_binding.guid}", nil, user_headers } }
+    let(:expected_object) { { guid: app_binding.guid, type: 'app' } }
 
-          it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
-        end
+    context 'global roles' do
+      let(:expected_codes_and_responses) do
+        Hash.new({ code: 200, response_object: expected_object })
       end
+
+      it_behaves_like 'permissions for single object endpoint', GLOBAL_SCOPES
     end
 
-    context 'no such binding exists' do
-      let(:api_call) { ->(user_headers) { get '/v3/service_credential_bindings/no-binding', nil, user_headers } }
+    context 'local roles' do
+      context 'user is in the original space of the service instance' do
+        let(:expected_codes_and_responses) do
+          Hash.new({ code: 200, response_object: expected_object }).tap do |h|
+            h['org_auditor'] = { code: 404 }
+            h['org_billing_manager'] = { code: 404 }
+            h['no_role'] = { code: 404 }
+          end
+        end
 
-      let(:expected_codes_and_responses) do
-        Hash.new(code: 404)
+        it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
       end
 
-      it_behaves_like 'permissions for single object endpoint', ALL_PERMISSIONS
+      context 'user is in a space that the service instance is shared to' do
+        let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: other_space) }
+
+        before do
+          instance.add_shared_space(space)
+        end
+
+        let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{app_binding.guid}", nil, user_headers } }
+
+        let(:expected_codes_and_responses) do
+          Hash.new(code: 404)
+        end
+
+        it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
+      end
     end
   end
 end
diff --git a/spec/unit/fetchers/service_credential_binding_fetcher_spec.rb b/spec/unit/fetchers/service_credential_binding_fetcher_spec.rb
@@ -0,0 +1,105 @@
+require 'spec_helper'
+require 'fetchers/service_credential_binding_fetcher'
+
+module VCAP
+  module CloudController
+    RSpec.describe ServiceCredentialBindingFetcher do
+      let(:fetcher) { ServiceCredentialBindingFetcher.new }
+
+      describe 'not a real guid' do
+        it 'should return nothing' do
+          credential_binding = fetcher.fetch('does-not-exist')
+          expect(credential_binding).to be_nil
+        end
+      end
+
+      describe 'service keys' do
+        let(:type) { 'key' }
+        let(:space) { Space.make }
+        let(:service_instance) { ManagedServiceInstance.make(space: space) }
+        let!(:service_key) { ServiceKey.make(service_instance: service_instance) }
+
+        it 'can be found' do
+          credential_binding = fetcher.fetch(service_key.guid)
+
+          expect(credential_binding).not_to be_nil
+          expect(credential_binding.type).to eql(type)
+        end
+
+        it 'can access the space' do
+          credential_binding = fetcher.fetch(service_key.guid)
+
+          expect(credential_binding.space).to eql(space)
+        end
+      end
+
+      describe 'app bindings' do
+        let(:type) { 'app' }
+
+        describe 'managed services' do
+          let(:space) { Space.make }
+          let(:service_instance) { ManagedServiceInstance.make(space: space) }
+          let!(:app_binding) { ServiceBinding.make(service_instance: service_instance) }
+
+          it 'can be found' do
+            credential_binding = fetcher.fetch(app_binding.guid)
+
+            expect(credential_binding).not_to be_nil
+            expect(credential_binding.type).to eql(type)
+          end
+
+          it 'can access the space' do
+            credential_binding = fetcher.fetch(app_binding.guid)
+
+            expect(credential_binding.space).to eql(space)
+          end
+        end
+
+        describe 'user provided services' do
+          let(:space) { Space.make }
+          let(:service_instance) { UserProvidedServiceInstance.make(space: space) }
+          let!(:app_binding) { ServiceBinding.make(service_instance: service_instance) }
+
+          it 'can be found' do
+            credential_binding = fetcher.fetch(app_binding.guid)
+
+            expect(credential_binding).not_to be_nil
+            expect(credential_binding.type).to eql(type)
+          end
+
+          it 'can access the space' do
+            credential_binding = fetcher.fetch(app_binding.guid)
+
+            expect(credential_binding.space).to eql(space)
+          end
+        end
+
+        describe 'shared services' do
+          let(:space) { Space.make }
+          let(:other_space) { Space.make }
+          let(:service_instance) do
+            ManagedServiceInstance.make(space: other_space).tap do |si|
+              si.shared_spaces << space
+            end
+          end
+
+          let(:app) { AppModel.make(space: space) }
+          let!(:app_binding) { ServiceBinding.make(service_instance: service_instance, app: app) }
+
+          it 'can be found' do
+            credential_binding = fetcher.fetch(app_binding.guid)
+
+            expect(credential_binding).not_to be_nil
+            expect(credential_binding.type).to eql(type)
+          end
+
+          it "can access the app's space" do
+            credential_binding = fetcher.fetch(app_binding.guid)
+
+            expect(credential_binding.space).to eql(space)
+          end
+        end
+      end
+    end
+  end
+end
