confdb,asserts,daemon: add confdb-control api

canonical · Dec 18, 2024 · ea1a5cf · ea1a5cf
1 parent d916b68
commit ea1a5cf
Show file tree

Hide file tree

Showing 7 changed files with 640 additions and 53 deletions.
diff --git a/asserts/confdb.go b/asserts/confdb.go
@@ -119,6 +119,21 @@ type ConfdbControl struct {
 	operators map[string]*confdb.Operator
 }
 
+func NewConfdbControl(serial *Serial) *ConfdbControl {
+	return &ConfdbControl{
+		assertionBase: assertionBase{
+			headers: map[string]interface{}{
+				"type":     "confdb-control",
+				"brand-id": serial.BrandID(),
+				"model":    serial.Model(),
+				"serial":   serial.Serial(),
+				"groups":   []any{},
+			},
+		},
+		operators: map[string]*confdb.Operator{},
+	}
+}
+
 // BrandID returns the brand identifier of the device.
 func (cc *ConfdbControl) BrandID() string {
 	return cc.HeaderString("brand-id")
@@ -135,6 +150,52 @@ func (cc *ConfdbControl) Serial() string {
 	return cc.HeaderString("serial")
 }
 
+// IsDelegated checks if <accountID>/<registry>/<view> is delegated to
+// <operatorID> under the authentication method <auth>.
+func (cc *ConfdbControl) IsDelegated(operatorID, view string, auth []string) (bool, error) {
+	operator, ok := cc.operators[operatorID]
+	if !ok {
+		// nothing is delegated to this operator
+		return false, nil
+	}
+
+	return operator.IsDelegated(view, auth)
+}
+
+// Delegate delegates the given views under the provided authentication methods to the operator.
+func (cc *ConfdbControl) Delegate(operatorID string, views []string, auth []string) error {
+	operator, ok := cc.operators[operatorID]
+	if !ok {
+		operator = &confdb.Operator{ID: operatorID}
+	}
+
+	err := operator.Delegate(views, auth)
+	if err != nil {
+		return err
+	}
+
+	cc.operators[operatorID] = operator
+	return nil
+}
+
+// Revoke withdraws remote access to the views that have been delegated under
+// the authentication methods.
+func (cc *ConfdbControl) Revoke(operatorID string, views []string, auth []string) error {
+	operator, ok := cc.operators[operatorID]
+	if !ok {
+		// nothing is delegated to this operator
+		return nil
+	}
+
+	if len(views) == 0 && len(auth) == 0 {
+		// completely revoke access from this operator
+		delete(cc.operators, operatorID)
+		return nil
+	}
+
+	return operator.Revoke(views, auth)
+}
+
 // assembleConfdbControl creates a new confdb-control assertion after validating
 // all required fields and constraints.
 func assembleConfdbControl(assert assertionBase) (Assertion, error) {
@@ -209,7 +270,7 @@ func parseConfdbControlGroups(rawGroups []interface{}) (map[string]*confdb.Opera
 			return nil, fmt.Errorf(`%s: "views" must be provided`, errPrefix)
 		}
 
-		if err := operator.AddControlGroup(views, auth); err != nil {
+		if err := operator.Delegate(views, auth); err != nil {
 			return nil, fmt.Errorf(`%s: %w`, errPrefix, err)
 		}
 	}

diff --git a/asserts/confdb_test.go b/asserts/confdb_test.go
@@ -335,12 +335,12 @@ func (s *confdbCtrlSuite) TestDecodeInvalid(c *C) {
 		{
 			"      - operator-key",
 			"      - foo-bar",
-			"cannot parse group at position 1: cannot add group: invalid authentication method: foo-bar",
+			"cannot parse group at position 1: cannot delegate: invalid authentication method: foo-bar",
 		},
 		{
 			"canonical/network/control-interfaces",
 			"canonical",
-			`cannot parse group at position 2: view "canonical" must be in the format account/confdb/view`,
+			`cannot parse group at position 2: cannot delegate: view "canonical" must be in the format account/confdb/view`,
 		},
 	}