add GetPolicy API

This commit adds the `GetPolicy` and unifies the
`DescribePolicyRequest` into the `PolicyRequest`.

Signed-off-by: Andreas Auernhammer <[email protected]>

kms/client.go

@@ -948,7 +948,7 @@ func (c *Client) CreatePolicy(ctx context.Context, req *CreatePolicyRequest) err
 //
 // It returns ErrEnclaveNotFound if no such enclave exists and
 // ErrPolicyNotFound if no such policy exists.
-func (c *Client) DescribePolicy(ctx context.Context, req *DescribePolicyRequest) (*DescribePolicyResponse, error) {
+func (c *Client) DescribePolicy(ctx context.Context, req *PolicyRequest) (*DescribePolicyResponse, error) {
 	const (
 		Method      = http.MethodGet
 		Path        = api.PathPolicyDescribe
@@ -984,6 +984,46 @@ func (c *Client) DescribePolicy(ctx context.Context, req *DescribePolicyRequest)
 	return &data, nil
 }
 
+// GetPolicy fetches the policy req.Name within the req.Enclave.
+//
+// It returns ErrEnclaveNotFound if no such enclave exists and
+// ErrPolicyNotFound if no such policy exists.
+func (c *Client) GetPolicy(ctx context.Context, req *PolicyRequest) (*PolicyResponse, error) {
+	const (
+		Method      = http.MethodGet
+		Path        = api.PathPolicyRead
+		StatusOK    = http.StatusOK
+		ContentType = headers.ContentTypeAppAny // accept JSON or protobuf
+	)
+
+	url, err := c.lb.URL(Path, req.Name)
+	if err != nil {
+		return nil, err
+	}
+	r, err := http.NewRequestWithContext(ctx, Method, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	r.Header.Set(headers.Accept, ContentType)
+	r.Header.Set(headers.Enclave, req.Enclave)
+
+	resp, err := c.client.Do(r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != StatusOK {
+		return nil, readError(resp)
+	}
+
+	var data PolicyResponse
+	if err := readResponse(resp, &data); err != nil {
+		return nil, err
+	}
+	return &data, nil
+}
+
 // DeletePolicy deletes the policy with the name req.Name within req.Enclave.
 //
 // It returns ErrEnclaveNotFound if no such enclave exists and ErrPolicyNotFound

kms/internal/api/api.go

@@ -24,6 +24,7 @@ const (
 
 	PathPolicyCreate   = "/v1/policy/create/"
 	PathPolicyDescribe = "/v1/policy/describe/"
+	PathPolicyRead     = "/v1/policy/read/"
 	PathPolicyDelete   = "/v1/policy/delete/"
 	PathPolicyList     = "/v1/policy/list/"
 

kms/protobuf/response.proto

@@ -223,6 +223,27 @@ message DescribePolicyResponse {
   string CreatedBy = 5 [ json_name="created_by" ];
 }
 
+message PolicyResponse {
+  // Name is the name of the policy.
+  string Name = 1 [ json_name = "name" ];
+
+  // Allow contains a set of API path patterns and corresponding policy rules.
+  // Requests that match at least one path, but not any deny pattern, and
+  // pass the corresponding policy rule are accepted by the server.
+  map<string,string> Allow = 2 [ json_name = "allow" ];
+
+  // Deny contains a set of API path patterns and corresponding policy rules.
+  // Requests that match at least one path and pass the corresponding policy
+  // rule are rejected by the server.
+  map<string,string> Deny = 3 [ json_name = "deny" ];
+
+  // CreatedAt is the point in time when this policy got created.
+  google.protobuf.Timestamp CreatedAt = 4 [ json_name="created_at" ];
+
+  // CreatedBy is the identity that created the policy.
+  string CreatedBy = 5 [ json_name="created_by" ];
+}
+
 message ListPolicyNamesResponse {
   // Names is the list of policy names.
   repeated string Names = 1 [ json_name = "names" ];

kms/request.go

@@ -406,16 +406,16 @@ func (r *CreatePolicyRequest) UnmarshalPB(v *pb.CreatePolicyRequest) error {
 		r.Allow[path] = Rule{}
 	}
 
-	r.Allow = make(map[string]Rule, len(v.Deny))
+	r.Deny = make(map[string]Rule, len(v.Deny))
 	for path := range v.Deny {
 		r.Deny[path] = Rule{}
 	}
 	return nil
 }
 
-// DescribePolicyRequest contains options for fetching metadata
-// about a policy.
-type DescribePolicyRequest struct {
+// PolicyRequest contains options for fetching a policy and
+// policy metadata.
+type PolicyRequest struct {
 	// Enclave is the KMS enclave containing the policy.
 	Enclave string