From ad203603062f12b4565098fd41477c3d224d491e Mon Sep 17 00:00:00 2001
From: Trent Mick <trentm@gmail.com>
Date: Tue, 7 Jun 2016 14:19:06 -0700
Subject: [PATCH] joyent/node-triton#120 `triton -r,--role ROLE ...` to be able
 to take up an RBAC role

---
 CHANGES.md       |  4 ++--
 lib/cli.js       | 16 ++++++++--------
 lib/cloudapi2.js | 11 +++++++++++
 lib/tritonapi.js |  2 ++
 package.json     |  2 +-
 5 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index bfd1f45..867c827 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,9 +5,9 @@ Known issues:
 - `triton ssh ...` disables ssh ControlMaster to avoid issue #52.
 
 
-## 4.11.1 (not yet released)
+## 4.12.0 (not yet released)
 
-(nothing yet)
+- [#120] `triton -r,--role ROLE ...` option to take up an RBAC role(s).
 
 
 ## 4.11.0
diff --git a/lib/cli.js b/lib/cli.js
index 0499760..d5533b8 100644
--- a/lib/cli.js
+++ b/lib/cli.js
@@ -115,14 +115,13 @@ var OPTIONS = [
             'or SDC_USER=USER.',
         helpArg: 'USER'
     },
-    // TODO: full rbac support
-    //{
-    //    names: ['role'],
-    //    type: 'arrayOfString',
-    //    env: 'MANTA_ROLE',
-    //    help: 'Assume a role. Use multiple times or once with a list',
-    //    helpArg: 'ROLE,ROLE,...'
-    //},
+    {
+        names: ['role', 'r'],
+        type: 'arrayOfCommaSepString',
+        env: 'MANTA_ROLE',
+        help: 'Assume an RBAC role. Use multiple times or once with a list',
+        helpArg: 'ROLE,ROLE,...'
+    },
     {
         names: ['keyId', 'k'],
         type: 'string',
@@ -562,6 +561,7 @@ CLI.prototype._applyProfileOverrides =
     [
         {oname: 'account', pname: 'account'},
         {oname: 'user', pname: 'user'},
+        {oname: 'role', pname: 'roles'},
         {oname: 'url', pname: 'url'},
         {oname: 'keyId', pname: 'keyId'},
         {oname: 'insecure', pname: 'insecure'},
diff --git a/lib/cloudapi2.js b/lib/cloudapi2.js
index 2a26eb4..6949e56 100644
--- a/lib/cloudapi2.js
+++ b/lib/cloudapi2.js
@@ -67,6 +67,7 @@ var OS_PLATFORM = os.platform();
  *      - {String} account (required) The account login name.
  *      - {Function} sign (required) An http-signature auth signing function
  *      - {String} user (optional) The RBAC user login name.
+ *      - {Array of String} roles (optional) RBAC role(s) to take up.
  *      - {String} version (optional) Used for the accept-version header. This
  *        defaults to '*', meaning that over time you could experience breaking
  *        changes. Specifying a value is strongly recommended. E.g. '~7.1'.
@@ -91,12 +92,14 @@ function CloudApi(options) {
     assert.string(options.account, 'options.account');
     assert.func(options.sign, 'options.sign');
     assert.optionalString(options.user, 'options.user');
+    assert.optionalArrayOfString(options.roles, 'options.roles');
     assert.optionalString(options.version, 'options.version');
     assert.optionalObject(options.log, 'options.log');
 
     this.url = options.url;
     this.account = options.account;
     this.user = options.user; // optional RBAC subuser
+    this.roles = options.roles;
     this.sign = options.sign;
     this.log = options.log || new bunyannoop.BunyanNoopLogger();
     if (!options.version) {
@@ -228,6 +231,14 @@ CloudApi.prototype._request = function _request(opts, cb) {
         break;
     }
 
+    if (self.roles && self.roles.length > 0) {
+        if (opts.path.indexOf('?') !== -1) {
+            opts.path += '&as-role=' + self.roles.join(',');
+        } else {
+            opts.path += '?as-role=' + self.roles.join(',');
+        }
+    }
+
     self._getAuthHeaders(function (err, headers) {
         if (err) {
             cb(err);
diff --git a/lib/tritonapi.js b/lib/tritonapi.js
index e9df679..83ea8f3 100644
--- a/lib/tritonapi.js
+++ b/lib/tritonapi.js
@@ -177,6 +177,7 @@ TritonApi.prototype._cloudapiFromProfile =
     assert.string(profile.keyId, 'profile.keyId');
     assert.string(profile.url, 'profile.url');
     assert.optionalString(profile.user, 'profile.user');
+    assert.optionalArrayOfString(profile.roles, 'profile.roles');
     assert.optionalString(profile.privKey, 'profile.privKey');
     assert.optionalBool(profile.insecure, 'profile.insecure');
     assert.optionalString(profile.acceptVersion, 'profile.acceptVersion');
@@ -204,6 +205,7 @@ TritonApi.prototype._cloudapiFromProfile =
         url: profile.url,
         account: profile.actAsAccount || profile.account,
         user: profile.user,
+        roles: profile.roles,
         version: acceptVersion,
         rejectUnauthorized: rejectUnauthorized,
         sign: sign,
diff --git a/package.json b/package.json
index 1948f46..ee687bf 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "triton",
   "description": "Joyent Triton CLI and client (https://www.joyent.com/triton)",
-  "version": "4.11.1",
+  "version": "4.12.0",
   "author": "Joyent (joyent.com)",
   "dependencies": {
     "assert-plus": "0.2.0",