flyio: add AppFeatureSet caveat

superfly · Jul 2, 2024 · b4fab9f · b4fab9f
1 parent ed68b73
commit b4fab9f
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/caveat.go b/caveat.go
@@ -41,6 +41,7 @@ const (
 	AttestationAuthGoogleUserID
 	CavAction
 	CavFlyioCommands
+	CavFlyioAppFeatureSet
 
 	// allocate internal blocks of size 255 here
 	block255Min    CaveatType = 1 << 16

diff --git a/flyio/access.go b/flyio/access.go
@@ -12,6 +12,7 @@ type Access struct {
 	Action         resset.Action `json:"action,omitempty"`
 	OrgID          *uint64       `json:"orgid,omitempty"`
 	AppID          *uint64       `json:"appid,omitempty"`
+	AppFeature     *string       `json:"app_feature,omitempty"`
 	Feature        *string       `json:"feature,omitempty"`
 	Volume         *string       `json:"volume,omitempty"`
 	Machine        *string       `json:"machine,omitempty"`
@@ -106,6 +107,18 @@ var _ AppIDGetter = (*Access)(nil)
 // GetAppID implements AppIDGetter.
 func (a *Access) GetAppID() *uint64 { return a.AppID }
 
+// AppFeatureGetter is an interface allowing other packages to implement
+// Accesses that work with Caveats defined in this package.
+type AppFeatureGetter interface {
+	resset.Access
+	GetAppFeature() *string
+}
+
+var _ AppFeatureGetter = (*Access)(nil)
+
+// GetAppFeature implements AppFeatureGetter.
+func (a *Access) GetAppFeature() *string { return a.AppFeature }
+
 // FeatureGetter is an interface allowing other packages to implement Accesses
 // that work with Caveats defined in this package.
 type FeatureGetter interface {

diff --git a/flyio/caveats.go b/flyio/caveats.go
@@ -22,6 +22,7 @@ const (
 	CavClusters          = macaroon.CavFlyioClusters
 	CavNoAdminFeatures   = macaroon.CavNoAdminFeatures
 	CavCommands          = macaroon.CavFlyioCommands
+	CavAppFeatureSet     = macaroon.CavFlyioAppFeatureSet
 )
 
 type FromMachine struct {
@@ -366,3 +367,19 @@ func (c *Commands) Prohibits(a macaroon.Access) error {
 
 	return nil
 }
+
+type AppFeatureSet struct {
+	Features resset.ResourceSet[string] `json:"features"`
+}
+
+func init()                                              { macaroon.RegisterCaveatType(&AppFeatureSet{}) }
+func (c *AppFeatureSet) CaveatType() macaroon.CaveatType { return CavAppFeatureSet }
+func (c *AppFeatureSet) Name() string                    { return "AppFeatureSet" }
+
+func (c *AppFeatureSet) Prohibits(a macaroon.Access) error {
+	f, isFlyioAccess := a.(AppFeatureGetter)
+	if !isFlyioAccess {
+		return fmt.Errorf("%w: access isnt AppFeatureGetter", macaroon.ErrInvalidAccess)
+	}
+	return c.Features.Prohibits(f.GetAppFeature(), f.GetAction())
+}