Allow to filter by keytype on key GET

2 files changed, 20 insertions, 0 deletions

diff --git a/API.md b/API.md
index a2f7cba..b7395ab 100644
--- a/API.md
+++ b/API.md
@@ -53,11 +53,15 @@ Getting keys
 A GET operation with the name of the key:
 GET /secrets/name/of/key
 
+A query parameter named 'type' can be provided, in that case the key is
+returned only if it matches the requested type.
+
 Returns:
 - 200 and a JSON formatted key in case of success.
 - 401 if authentication is necessary
 - 403 if access to the key is forbidden
 - 404 if no key was found
+- 406 not acceptable, key exists but does not match type requested
 
 
 Storing keys
diff --git a/custodia/secrets.py b/custodia/secrets.py
index 397754b..a6958e3 100644
--- a/custodia/secrets.py
+++ b/custodia/secrets.py
@@ -182,11 +182,17 @@ class Secrets(HTTPConsumer):
         response['code'] = 204
 
     def _get_key(self, trail, request, response):
+        reqtype = request.get('query', dict()).get('type')
         key = self._db_key(trail)
         try:
             output = self.root.store.get(key)
             if output is None:
                 raise HTTPError(404)
+            if reqtype is not None:
+                key = json.loads(output)
+                keytype = key.get('type')
+                if keytype != reqtype:
+                    raise HTTPError(406)
             response['output'] = output
         except CSStoreError:
             raise HTTPError(500)
@@ -405,6 +411,16 @@ class SecretsTests(unittest.TestCase):
 
         self.assertEqual(err.exception.code, 404)
 
+    def test_5_GETkey_errors_406(self):
+        req = {'remote_user': 'test',
+               'query': {'type': 'complex'},
+               'trail': ['test', 'key1']}
+        rep = {}
+        with self.assertRaises(HTTPError) as err:
+            self.GET(req, rep)
+
+        self.assertEqual(err.exception.code, 406)
+
     def test_6_LISTkeys_errors_404_1(self):
         req = {'remote_user': 'test',
                'trail': ['test', 'case', '']}