v3(services): Get a single credential binding for key type - implement permissions

[#173243882](https://www.pivotaltracker.com/story/show/173243882)

Signed-off-by: Brian Butz <bbutz@pivotal.io>

Author: FelisiaM

app/controllers/v3/service_credential_bindings_controller.rb

@@ -0,0 +1,36 @@
+class ServiceCredentialBindingsController < ApplicationController
+  before_action :ensure_service_key_exists!
+  before_action :ensure_user_has_access!
+
+  def show
+    render status: :ok, json: hashed_params.slice(:guid)
+  end
+
+  private
+
+  def ensure_service_key_exists!
+    service_key_not_found! unless service_key_exists?
+  end
+
+  def ensure_user_has_access!
+    service_key_not_found! unless allowed_to_access_space?
+  end
+
+  def service_key_not_found!
+    resource_not_found!(:service_credential_binding)
+  end
+
+  def service_key
+    @service_key ||= ServiceKey.first(guid: hashed_params[:guid])
+  end
+
+  def service_key_exists?
+    !!service_key
+  end
+
+  def allowed_to_access_space?
+    space = service_key.service_instance.space
+
+    permission_queryer.can_read_from_space?(space.guid, space.organization_guid)
+  end
+end

app/controllers/v3/service_instances_controller.rb

@@ -168,7 +168,7 @@ def relationships_shared_spaces
   def credentials
     service_instance = UserProvidedServiceInstance.first(guid: hashed_params[:guid])
     service_instance_not_found! unless service_instance && can_read_service_instance?(service_instance)
-    unauthorized! unless permission_queryer.can_read_secrets_in_space?(service_instance.space.guid, service_instance.space.organization.guid)
+    unauthorized! unless permission_queryer.can_read_secrets_in_space?(service_instance.space.guid, service_instance.space.organization_guid)
 
     render status: :ok, json: (service_instance.credentials || {})
   end
@@ -308,7 +308,7 @@ def can_read_service_instance?(service_instance)
   end
 
   def can_read_space?(space)
-    permission_queryer.can_read_from_space?(space.guid, space.organization.guid)
+    permission_queryer.can_read_from_space?(space.guid, space.organization_guid)
   end
 
   def can_write_space?(space)

config/routes.rb

@@ -184,6 +184,9 @@
   get '/service_bindings', to: 'service_bindings#index'
   delete '/service_bindings/:guid', to: 'service_bindings#destroy'
 
+  # service_credential_bindings
+  get '/service_credential_bindings/:guid', to: 'service_credential_bindings#show'
+
   # service_brokers
   get '/service_brokers', to: 'service_brokers#index'
   get '/service_brokers/:guid', to: 'service_brokers#show'

spec/request/service_credential_bindings_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+require 'request_spec_shared_examples'
+
+RSpec.describe 'v3 service credential bindings' do
+  let(:user) { VCAP::CloudController::User.make }
+  let(:org) { VCAP::CloudController::Organization.make }
+  let(:space) { VCAP::CloudController::Space.make(organization: org) }
+  let(:other_space) { VCAP::CloudController::Space.make }
+
+  describe 'GET /v3/service_credential_bindings/:key_guid' do
+    context 'key exists' do
+      let(:key) { VCAP::CloudController::ServiceKey.make(service_instance: instance) }
+      let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: space) }
+      let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{key.guid}", nil, user_headers } }
+
+      context 'global roles' do
+        let(:expected_codes_and_responses) do
+          Hash.new({ code: 200, response_object: { guid: key.guid } })
+        end
+
+        it_behaves_like 'permissions for single object endpoint', GLOBAL_SCOPES
+      end
+
+      context 'local roles' do
+        context 'user is in the original space of the service instance' do
+          let(:expected_codes_and_responses) do
+            Hash.new({ code: 200, response_object: { guid: key.guid } }).tap do |h|
+              h['org_auditor'] = { code: 404 }
+              h['org_billing_manager'] = { code: 404 }
+              h['no_role'] = { code: 404 }
+            end
+          end
+
+          it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
+        end
+
+        context 'user is in a space that the service instance is shared to' do
+          let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: other_space) }
+
+          before do
+            instance.add_shared_space(space)
+          end
+
+          let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{key.guid}", nil, user_headers } }
+
+          let(:expected_codes_and_responses) do
+            Hash.new(code: 404)
+          end
+
+          it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
+        end
+      end
+    end
+
+    context 'no such binding exists' do
+      let(:api_call) { ->(user_headers) { get '/v3/service_credential_bindings/no-binding', nil, user_headers } }
+
+      let(:expected_codes_and_responses) do
+        Hash.new(code: 404)
+      end
+
+      it_behaves_like 'permissions for single object endpoint', ALL_PERMISSIONS
+    end
+  end
+end

spec/request/service_instances_spec.rb

@@ -25,14 +25,14 @@
       let(:guid) { instance.guid }
 
       let(:expected_codes_and_responses) do
-        h = Hash.new(
+        Hash.new(
           code: 200,
           response_object: create_managed_json(instance),
-        )
-        h['org_auditor'] = { code: 404 }
-        h['org_billing_manager'] = { code: 404 }
-        h['no_role'] = { code: 404 }
-        h
+        ).tap do |h|
+          h['org_auditor'] = { code: 404 }
+          h['org_billing_manager'] = { code: 404 }
+          h['no_role'] = { code: 404 }
+        end
       end
 
       it_behaves_like 'permissions for single object endpoint', ALL_PERMISSIONS