From 288bab66dd45a722622aa9d36d9cb02705eda546 Mon Sep 17 00:00:00 2001
From: Liam Young
Date: Tue, 8 Jan 2019 13:59:39 +0000
Subject: [PATCH] Add request_access_to_group method

Add request_access_to_group method to allow a client to request ceph permissions.

Change-Id: I8a7f0bf47c39509eec71a286bd51ec53c58d7e0d
---
 requires.py | 29 ++++++++++++++++++++
 unit_tests/test_requires.py | 53 +++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)

diff --git a/requires.py b/requires.py
index 2813dfc..65378da 100644
--- a/requires.py
+++ b/requires.py
@@ -113,6 +113,35 @@ class CephClientRequires(RelationBase):
 self.set_local(key='broker_req', value=current_request.request)
 send_request_if_needed(current_request, relation=self.relation_name)
 
+ def request_access_to_group(self, name, namespace=None, permission=None,
+ key_name=None, object_prefix_permissions=None):
+ """
+ Adds the requested permissions to service's Ceph key
+
+ Adds the requested permissions to the current service's Ceph key,
+ allowing the key to access only the specified pools or
+ object prefixes. object_prefix_permissions should be a dictionary
+ keyed on the permission with the corresponding value being a list
+ of prefixes to apply that permission to.
+ {
+ 'rwx': ['prefix1', 'prefix2'],
+ 'class-read': ['prefix3']}
+ @param name: Target group name for permissions request.
+ @param namespace: namespace to further restrict pool access.
+ @param permission: Permission to be requested against pool
+ @param key_name: userid to grant permission to
+ @param object_prefix_permissions: Add object_prefix permissions.
+ """
+ current_request = self.get_current_request()
+ current_request.add_op_request_access_to_group(
+ name,
+ namespace=namespace,
+ permission=permission,
+ key_name=key_name,
+ object_prefix_permissions=object_prefix_permissions)
+ self.set_local(key='broker_req', value=current_request.request)
+ send_request_if_needed(current_request, relation=self.relation_name)
+
 def get_remote_all(self, key, default=None):
 """Return a list of all values presented by remote units for key"""
 # TODO: might be a nicer way todo this - written a while back!
diff --git a/unit_tests/test_requires.py b/unit_tests/test_requires.py
index 007a407..7eea958 100644
--- a/unit_tests/test_requires.py
+++ b/unit_tests/test_requires.py
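Review bot: The new `request_access_to_group` forwards `permission=None` and `key_name=None` unchanged into `add_op_request_access_to_group`, and its docstring does not say what is granted, or to which key, when they are omitted. The test added in this patch shows `namespace=None` reaching the op as `'namespace': None`, so an omitted permission presumably reaches the broker as a null `group-permission`, leaving the resulting access to whatever the broker defaults to (not visible here). For a call that widens a Ceph key's capabilities I would make the grant explicit, e.g. `if permission is None: raise ValueError('permission must be specified')` before building the op, or at least state the defaults in the `@param permission` and `@param key_name` lines. The dictionary shown in the docstring should also be introduced as an example so it is not read as part of the parameter list.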
@@ -264,6 +264,59 @@ class TestCephClientRequires(unittest.TestCase):
 'pg_num': None,
 'weight': None}])
 
+ def test_request_access_to_group_new_request(self):
+ self.patch_kr('get_local', '{"ops": []}')
+ self.patch_kr('set_local')
+ self.cr.request_access_to_group(
+ 'volumes',
+ key_name='cinder',
+ object_prefix_permissions={'class-read': ['rbd_children']},
+ permission='rwx')
+ ceph_broker_rq = self.send_request_if_needed.mock_calls[0][1][0]
+ self.assertEqual(
+ ceph_broker_rq.ops,
+ [{
+ 'group': 'volumes',
+ 'group-permission': 'rwx',
+ 'name': 'cinder',
+ 'namespace': None,
+ 'object-prefix-permissions': {'class-read': ['rbd_children']},
+ 'op': 'add-permissions-to-key'}])
+
+ def test_request_access_to_group_existing_request(self):
+ req = (
+ '{"api-version": 1, '
+ '"ops": [{"op": "create-pool", "name": "volumes", "replicas": 3, '
+ '"pg_num": null, "weight": null, "group": null, '
+ '"group-namespace": null}], '
+ '"request-id": "9e34123e-fa0c-11e8-ad9c-fa163ed1cc55"}')
+ self.patch_kr('get_local', req)
+ self.cr.request_access_to_group(
+ 'volumes',
+ key_name='cinder',
+ object_prefix_permissions={'class-read': ['rbd_children']},
+ permission='rwx')
+ ceph_broker_rq = self.send_request_if_needed.mock_calls[0][1][0]
+ self.assertEqual(
+ ceph_broker_rq.ops,
+ [
+ {
+ 'op': 'create-pool',
+ 'name': 'volumes',
+ 'replicas': 3,
+ 'group': None,
+ 'group-namespace': None,
+ 'pg_num': None,
+ 'weight': None},
+ {
+ 'group': 'volumes',
+ 'group-permission': 'rwx',
+ 'name': 'cinder',
+ 'namespace': None,
+ 'object-prefix-permissions': {
+ 'class-read': ['rbd_children']},
+ 'op': 'add-permissions-to-key'}])
+
 @mock.patch.object(requires.hookenv, 'related_units')
 @mock.patch.object(requires.hookenv, 'relation_get')
 def test_get_remote_all(self, relation_get, related_units):
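Review bot: Both new tests call `request_access_to_group` with an explicit `permission='rwx'` and `key_name='cinder'`, so the default path is never pinned. A third case that calls `self.cr.request_access_to_group('volumes')` alone and asserts the resulting op would record what is actually sent when the permission and key name are omitted. Neither test checks that the updated request is stored through `set_local` under `broker_req`; they only inspect the argument passed to `send_request_if_needed`. `test_request_access_to_group_existing_request` also leaves out the `self.patch_kr('set_local')` call that the first test makes; if that is deliberate, a short comment saying why would help, otherwise add it so the two tests are set up the same way.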