Implements role parameter in check command in API

conjurapi/client.go

@@ -327,12 +327,18 @@ func (c *Client) ChangeUserPasswordRequest(username string, password string, new
 	return req, nil
 }
 
-func (c *Client) CheckPermissionRequest(resourceID string, privilege string) (*http.Request, error) {
+func (c *Client) CheckPermissionRequest(resourceID string, roleID string, privilege string) (*http.Request, error) {
 	account, kind, id, err := parseID(resourceID)
 	if err != nil {
 		return nil, err
 	}
-	checkURL := makeRouterURL(c.resourcesURL(account), kind, url.QueryEscape(id)).withFormattedQuery("check=true&privilege=%s", url.QueryEscape(privilege)).String()
+
+	var checkURL string
+	if len(roleID) != 0 {
+		checkURL = makeRouterURL(c.resourcesURL(account), kind, url.QueryEscape(id)).withFormattedQuery("check=true&role=%s&privilege=%s", url.QueryEscape(roleID), url.QueryEscape(privilege)).String()
+	} else {
+		checkURL = makeRouterURL(c.resourcesURL(account), kind, url.QueryEscape(id)).withFormattedQuery("check=true&privilege=%s", url.QueryEscape(privilege)).String()
+	}
 
 	return http.NewRequest(
 		"GET",

conjurapi/resource.go

@@ -16,8 +16,8 @@ type ResourceFilter struct {
 
 // CheckPermission determines whether the authenticated user has a specified privilege
 // on a resource.
-func (c *Client) CheckPermission(resourceID, privilege string) (bool, error) {
-	req, err := c.CheckPermissionRequest(resourceID, privilege)
+func (c *Client) CheckPermission(resourceID string, roleID string, privilege string) (bool, error) {
+	req, err := c.CheckPermissionRequest(resourceID, roleID, privilege)
 	if err != nil {
 		return false, err
 	}

conjurapi/resource_test.go

@@ -7,18 +7,18 @@ import (
 )
 
 func TestClient_CheckPermission(t *testing.T) {
-	checkAllowed := func(conjur *Client, id string) func(t *testing.T) {
+	checkAllowed := func(conjur *Client, id string, role string) func(t *testing.T) {
 		return func(t *testing.T) {
-			allowed, err := conjur.CheckPermission(id, "execute")
+			allowed, err := conjur.CheckPermission(id, role, "execute")
 
 			assert.NoError(t, err)
 			assert.True(t, allowed)
 		}
 	}
 
-	checkNonExisting := func(conjur *Client, id string) func(t *testing.T) {
+	checkNotAllowed := func(conjur *Client, id string, role string) func(t *testing.T) {
 		return func(t *testing.T) {
-			allowed, err := conjur.CheckPermission(id, "execute")
+			allowed, err := conjur.CheckPermission(id, role, "execute")
 
 			assert.NoError(t, err)
 			assert.False(t, allowed)
@@ -28,9 +28,10 @@ func TestClient_CheckPermission(t *testing.T) {
 	conjur, err := conjurSetup(&Config{}, defaultTestPolicy)
 	assert.NoError(t, err)
 
-	t.Run("Check an allowed permission", checkAllowed(conjur, "cucumber:variable:db-password"))
-
-	t.Run("Check a permission on a non-existent resource", checkNonExisting(conjur, "cucumber:variable:foobar"))
+	t.Run("Check an allowed permission for default admin role", checkAllowed(conjur, "cucumber:variable:db-password", ""))
+	t.Run("Check an allowed permission for a role", checkAllowed(conjur, "cucumber:variable:db-password", "cucumber:user:alice"))
+	t.Run("Check a permission on a non-existent resource", checkNotAllowed(conjur, "cucumber:variable:foobar", "cucumber:user:alice"))
+	t.Run("Check no permission for a role", checkNotAllowed(conjur, "cucumber:variable:db-password", "cucumber:host:bob"))
 }
 
 func TestClient_ResourceExists(t *testing.T) {