
add AssignPolicy API call
This commit adds the `AssignPolicy` client API
that assigns a policy to an identity.
aead committed Jan 8, 2024
1 parent 00e7890 commit 6b500c0
Showing 5 changed files with 167 additions and 23 deletions.
41 changes: 41 additions & 0 deletions kms/client.go
Expand Up @@ -885,6 +885,47 @@ func (c *Client) CreatePolicy(ctx context.Context, req *CreatePolicyRequest) err
return nil
}

// AssignPolicy assigns the req.Policy within req.Enclave to the req.Identity.
// Both, the policy and identity, must reside within the same enclave.
//
// It returns ErrEnclaveNotFound if no such enclave exists, ErrPolicyNotFound
// if no such policy exists and ErrIdentityNotFound if no such identity exists.
func (c *Client) AssignPolicy(ctx context.Context, req *AssignPolicyRequest) error {
const (
Method = http.MethodPatch
Path = api.PathPolicyAssign
StatusOK = http.StatusOK
ContentType = headers.ContentTypeAppAny // accept JSON or protobuf
)

body, err := pb.Marshal(req)
if err != nil {
return err
}

url, err := c.lb.URL(Path, req.Policy)
if err != nil {
return err
}
r, err := http.NewRequestWithContext(ctx, Method, url, bytes.NewReader(body))
if err != nil {
return err
}
r.Header.Set(headers.Accept, ContentType)
r.Header.Set(headers.Enclave, req.Enclave)

resp, err := c.client.Do(r)
if err != nil {
return err
}
defer resp.Body.Close()

if resp.StatusCode != StatusOK {
return readError(resp)
}
return nil
}

// DescribePolicy returns metadata about the policy req.Name within
// the req.Enclave.
//
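Review bot: req.Policy is placed into the request path by the `url, err := c.lb.URL(Path, req.Policy)` line without any check, whereas req.Identity is rejected when empty by AssignPolicyRequest.MarshalPB (presumably invoked by the pb.Marshal call above); an empty policy name therefore sends a request to the bare assign path and leaves the server to decide what that means. Adding `if req.Policy == "" { return errors.New("kms: policy name is empty") }` before the Marshal call, assuming `errors` is in scope in client.go (the hunk does not show the imports), keeps client-side validation of the two routed values consistent; whether c.lb.URL escapes path characters in the name cannot be seen here either. The request carries a protobuf body but sets only Accept, not a Content-Type header — if CreatePolicy just above sets one, AssignPolicy should match it.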
1 change: 1 addition & 0 deletions kms/internal/api/api.go
Expand Up @@ -21,6 +21,7 @@ const (
PathSecretKeyDecrypt = "/v1/key/decrypt/"

PathPolicyCreate = "/v1/policy/create/"
PathPolicyAssign = "/v1/policy/assign/"
PathPolicyDescribe = "/v1/policy/describe/"
PathPolicyRead = "/v1/policy/read/"
PathPolicyDelete = "/v1/policy/delete/"
111 changes: 88 additions & 23 deletions kms/protobuf/request.pb.go


5 changes: 5 additions & 0 deletions kms/protobuf/request.proto
Expand Up @@ -92,6 +92,11 @@ message CreatePolicyRequest {
map<string, string> Deny = 2 [ json_name = "deny" ];
}

message AssignPolicyRequest {
// Identity is the identity to which the policy should apply.
string Identity = 1 [ json_name = "identity" ];
}

message CreateIdentityRequest {
// Privilege is the privilege the identity has. Either, "SysAdmin", "Admin" or
// "User".
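Review bot: The new `message AssignPolicyRequest` has no leading comment, unlike the field inside it, and a reader of the schema alone cannot tell where the policy name and enclave go, since the message carries only the identity. The client.go hunk in this commit sends the policy name in the URL path and the enclave in the Enclave header, so a comment such as `// AssignPolicyRequest is the body of a policy assignment. The policy name and enclave are carried in the request path and Enclave header, not in this message.` would document that split next to the schema.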
32 changes: 32 additions & 0 deletions kms/request.go
Expand Up @@ -380,6 +380,38 @@ func (r *CreatePolicyRequest) UnmarshalPB(v *pb.CreatePolicyRequest) error {
return nil
}

// AssignPolicyRequest contains options for assigning a policy to an identity.
type AssignPolicyRequest struct {
// Enclave is the KMS enclave containing the policy and identity.
Enclave string

// Policy is the name of the policy that gets assigned to the identity.
Policy string

// Identity is the identity to which the policy should apply.
Identity Identity
}

// MarshalPB converts the AssignPolicyRequest into its protobuf representation.
func (r *AssignPolicyRequest) MarshalPB(v *pb.AssignPolicyRequest) error {
if r.Identity == "" {
return errors.New("kms: identity is empty")
}

v.Identity = r.Identity.String()
return nil
}

// UnmarshalPB initializes the AssignPolicyRequest from its protobuf representation.
func (r *AssignPolicyRequest) UnmarshalPB(v *pb.AssignPolicyRequest) error {
if v.Identity == "" {
return errors.New("kms: identity is empty")
}

r.Identity = Identity(v.Identity)
return nil
}

// PolicyRequest contains options for fetching a policy and
// policy metadata.
type PolicyRequest struct {
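Review bot: UnmarshalPB on the `func (r *AssignPolicyRequest) UnmarshalPB` line sets only r.Identity; Enclave and Policy are not fields of pb.AssignPolicyRequest (the client.go hunk sends them in the request path and the Enclave header), so a decoded request keeps whatever those two fields previously held, and neither the type comment nor the method comments say so. Adding to the type comment `// Enclave and Policy are not part of the protobuf message; they travel in the request path and Enclave header, so MarshalPB and UnmarshalPB leave them untouched.` would make that explicit for whoever populates them on the receiving side.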
