// NewModelManagerAPI creates a new api server endpoint for managing
// models.
func NewModelManagerAPI(
st common.ModelManagerBackend,
configGetter environs.EnvironConfigGetter,
authorizer facade.Authorizer,
) (*ModelManagerAPI, error) {
if !authorizer.AuthClient() {
return nil, common.ErrPerm
}
// Since we know this is a user tag (because AuthClient is true),
// we just do the type assertion to the UserTag.
apiUser, _ := authorizer.GetAuthTag().(names.UserTag)
// Pretty much all of the user manager methods have special casing for admin
// users, so look once when we start and remember if the user is an admin.
isAdmin, err := authorizer.HasPermission(permission.SuperuserAccess, st.ControllerTag())
if err != nil {
return nil, errors.Trace(err)
}
urlGetter := common.NewToolsURLGetter(st.ModelUUID(), st)
return &ModelManagerAPI{
ModelStatusAPI: common.NewModelStatusAPI(st, authorizer, apiUser),
state: st,
check: common.NewBlockChecker(st),
authorizer: authorizer,
toolsFinder: common.NewToolsFinder(configGetter, st, urlGetter),
apiUser: apiUser,
isAdmin: isAdmin,
}, nil
}
// NewCloudAPI creates a new API server endpoint for managing the controller's
// cloud definition and cloud credentials.
func NewCloudAPI(backend Backend, authorizer facade.Authorizer) (*CloudAPI, error) {
if !authorizer.AuthClient() {
return nil, common.ErrPerm
}
getUserAuthFunc := func() (common.AuthFunc, error) {
authUser, _ := authorizer.GetAuthTag().(names.UserTag)
isAdmin, err := authorizer.HasPermission(permission.SuperuserAccess, backend.ControllerTag())
if err != nil && !errors.IsNotFound(err) {
return nil, err
}
return func(tag names.Tag) bool {
userTag, ok := tag.(names.UserTag)
if !ok {
return false
}
return isAdmin || userTag == authUser
}, nil
}
return &CloudAPI{
backend: backend,
authorizer: authorizer,
getCredentialsAuthFunc: getUserAuthFunc,
}, nil
}
func NewUserManagerAPI(
st *state.State,
resources facade.Resources,
authorizer facade.Authorizer,
) (*UserManagerAPI, error) {
if !authorizer.AuthClient() {
return nil, common.ErrPerm
}
// Since we know this is a user tag (because AuthClient is true),
// we just do the type assertion to the UserTag.
apiUser, _ := authorizer.GetAuthTag().(names.UserTag)
// Pretty much all of the user manager methods have special casing for admin
// users, so look once when we start and remember if the user is an admin.
isAdmin, err := authorizer.HasPermission(permission.SuperuserAccess, st.ControllerTag())
if err != nil {
return nil, errors.Trace(err)
}
return &UserManagerAPI{
state: st,
authorizer: authorizer,
check: common.NewBlockChecker(st),
apiUser: apiUser,
isAdmin: isAdmin,
}, nil
}
// NewRebootAPI creates a new server-side RebootAPI facade.
func NewRebootAPI(st *state.State, resources facade.Resources, auth facade.Authorizer) (*RebootAPI, error) {
if !auth.AuthMachineAgent() {
return nil, common.ErrPerm
}
tag, ok := auth.GetAuthTag().(names.MachineTag)
if !ok {
return nil, errors.Errorf("Expected names.MachineTag, got %T", auth.GetAuthTag())
}
machine, err := st.Machine(tag.Id())
if err != nil {
return nil, errors.Trace(err)
}
canAccess := func() (common.AuthFunc, error) {
return auth.AuthOwner, nil
}
return &RebootAPI{
RebootActionGetter: common.NewRebootActionGetter(st, canAccess),
RebootRequester: common.NewRebootRequester(st, canAccess),
RebootFlagClearer: common.NewRebootFlagClearer(st, canAccess),
st: st,
machine: machine,
resources: resources,
auth: auth,
}, nil
}
// upgraderFacade is a bit unique vs the other API Facades, as it has two
// implementations that actually expose the same API and which one gets
// returned depends on who is calling.
// Both of them conform to the exact Upgrader API, so the actual calls that are
// available do not depend on who is currently connected.
func upgraderFacade(st *state.State, resources facade.Resources, auth facade.Authorizer) (Upgrader, error) {
// The type of upgrader we return depends on who is asking.
// Machines get an UpgraderAPI, units get a UnitUpgraderAPI.
// This is tested in the api/upgrader package since there
// are currently no direct srvRoot tests.
// TODO(dfc) this is redundant
tag, err := names.ParseTag(auth.GetAuthTag().String())
if err != nil {
return nil, common.ErrPerm
}
switch tag.(type) {
case names.MachineTag:
return NewUpgraderAPI(st, resources, auth)
case names.UnitTag:
return NewUnitUpgraderAPI(st, resources, auth)
}
// Not a machine or unit.
return nil, common.ErrPerm
}
// NewDeployerAPI creates a new server-side DeployerAPI facade.
func NewDeployerAPI(
st *state.State,
resources facade.Resources,
authorizer facade.Authorizer,
) (*DeployerAPI, error) {
if !authorizer.AuthMachineAgent() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
// Get all units of the machine and cache them.
thisMachineTag := authorizer.GetAuthTag()
units, err := getAllUnits(st, thisMachineTag)
if err != nil {
return nil, err
}
// Then we just check if the unit is already known.
return func(tag names.Tag) bool {
for _, unit := range units {
// TODO (thumper): remove the names.Tag conversion when gccgo
// implements concrete-type-to-interface comparison correctly.
if names.Tag(names.NewUnitTag(unit)) == tag {
return true
}
}
return false
}, nil
}
getCanWatch := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
return &DeployerAPI{
Remover: common.NewRemover(st, true, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
UnitsWatcher: common.NewUnitsWatcher(st, resources, getCanWatch),
StatusSetter: common.NewStatusSetter(st, getAuthFunc),
st: st,
resources: resources,
authorizer: authorizer,
}, nil
}
// NewControllerAPI creates a new api server endpoint for managing
// environments.
func NewControllerAPI(
st *state.State,
resources facade.Resources,
authorizer facade.Authorizer,
) (*ControllerAPI, error) {
if !authorizer.AuthClient() {
return nil, errors.Trace(common.ErrPerm)
}
// Since we know this is a user tag (because AuthClient is true),
// we just do the type assertion to the UserTag.
apiUser, _ := authorizer.GetAuthTag().(names.UserTag)
environConfigGetter := stateenvirons.EnvironConfigGetter{st}
return &ControllerAPI{
ControllerConfigAPI: common.NewControllerConfig(st),
CloudSpecAPI: cloudspec.NewCloudSpec(environConfigGetter.CloudSpec, common.AuthFuncForTag(st.ModelTag())),
state: st,
authorizer: authorizer,
apiUser: apiUser,
resources: resources,
}, nil
}
// NewKeyManagerAPI creates a new server-side keyupdater API end point.
func NewKeyManagerAPI(st *state.State, resources facade.Resources, authorizer facade.Authorizer) (*KeyManagerAPI, error) {
// Only clients and environment managers can access the key manager service.
if !authorizer.AuthClient() && !authorizer.AuthModelManager() {
return nil, common.ErrPerm
}
env, err := st.Model()
if err != nil {
return nil, errors.Trace(err)
}
// For gccgo interface comparisons, we need a Tag.
owner := names.Tag(env.Owner())
// TODO(wallyworld) - replace stub with real canRead function
// For now, only admins can read authorised ssh keys.
canRead := func(user string) bool {
// Are we a machine agent operating as the system identity?
if user == config.JujuSystemKey {
_, ismachinetag := authorizer.GetAuthTag().(names.MachineTag)
return ismachinetag
}
return authorizer.GetAuthTag() == owner
}
// TODO(wallyworld) - replace stub with real canWrite function
// For now, only admins can write authorised ssh keys for users.
// Machine agents can write the juju-system-key.
canWrite := func(user string) bool {
// Are we a machine agent writing the Juju system key.
if user == config.JujuSystemKey {
_, ismachinetag := authorizer.GetAuthTag().(names.MachineTag)
return ismachinetag
}
// No point looking to see if the user exists as we are not
// yet storing keys on the user.
return authorizer.GetAuthTag() == owner
}
return &KeyManagerAPI{
state: st,
resources: resources,
authorizer: authorizer,
canRead: canRead,
canWrite: canWrite,
check: common.NewBlockChecker(st),
}, nil
}
// NewProvisionerAPI creates a new server-side ProvisionerAPI facade.
func NewProvisionerAPI(st *state.State, resources facade.Resources, authorizer facade.Authorizer) (*ProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() && !authorizer.AuthModelManager() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
isModelManager := authorizer.AuthModelManager()
isMachineAgent := authorizer.AuthMachineAgent()
authEntityTag := authorizer.GetAuthTag()
return func(tag names.Tag) bool {
if isMachineAgent && tag == authEntityTag {
// A machine agent can always access its own machine.
return true
}
switch tag := tag.(type) {
case names.MachineTag:
parentId := state.ParentId(tag.Id())
if parentId == "" {
// All top-level machines are accessible by the
// environment manager.
return isModelManager
}
// All containers with the authenticated machine as a
// parent are accessible by it.
// TODO(dfc) sometimes authEntity tag is nil, which is fine because nil is
// only equal to nil, but it suggests someone is passing an authorizer
// with a nil tag.
return isMachineAgent && names.NewMachineTag(parentId) == authEntityTag
default:
return false
}
}, nil
}
getAuthOwner := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
model, err := st.Model()
if err != nil {
return nil, err
}
configGetter := stateenvirons.EnvironConfigGetter{st}
env, err := environs.GetEnviron(configGetter, environs.New)
if err != nil {
return nil, err
}
urlGetter := common.NewToolsURLGetter(model.UUID(), st)
storageProviderRegistry := stateenvirons.NewStorageProviderRegistry(env)
return &ProvisionerAPI{
Remover: common.NewRemover(st, false, getAuthFunc),
StatusSetter: common.NewStatusSetter(st, getAuthFunc),
StatusGetter: common.NewStatusGetter(st, getAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
ModelWatcher: common.NewModelWatcher(st, resources, authorizer),
ModelMachinesWatcher: common.NewModelMachinesWatcher(st, resources, authorizer),
ControllerConfigAPI: common.NewControllerConfig(st),
InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc),
ToolsFinder: common.NewToolsFinder(configGetter, st, urlGetter),
ToolsGetter: common.NewToolsGetter(st, configGetter, st, urlGetter, getAuthOwner),
st: st,
resources: resources,
authorizer: authorizer,
configGetter: configGetter,
storageProviderRegistry: storageProviderRegistry,
storagePoolManager: poolmanager.New(state.NewStateSettings(st), storageProviderRegistry),
getAuthFunc: getAuthFunc,
}, nil
}
// NewUniterAPIV4 creates a new instance of the Uniter API, version 3.
func NewUniterAPIV4(st *state.State, resources facade.Resources, authorizer facade.Authorizer) (*UniterAPIV3, error) {
if !authorizer.AuthUnitAgent() {
return nil, common.ErrPerm
}
var unit *state.Unit
var err error
switch tag := authorizer.GetAuthTag().(type) {
case names.UnitTag:
unit, err = st.Unit(tag.Id())
if err != nil {
return nil, errors.Trace(err)
}
default:
return nil, errors.Errorf("expected names.UnitTag, got %T", tag)
}
accessUnit := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
accessService := func() (common.AuthFunc, error) {
switch tag := authorizer.GetAuthTag().(type) {
case names.UnitTag:
entity, err := st.Unit(tag.Id())
if err != nil {
return nil, errors.Trace(err)
}
applicationName := entity.ApplicationName()
applicationTag := names.NewApplicationTag(applicationName)
return func(tag names.Tag) bool {
return tag == applicationTag
}, nil
default:
return nil, errors.Errorf("expected names.UnitTag, got %T", tag)
}
}
accessMachine := func() (common.AuthFunc, error) {
switch tag := authorizer.GetAuthTag().(type) {
case names.UnitTag:
entity, err := st.Unit(tag.Id())
if err != nil {
return nil, errors.Trace(err)
}
machineId, err := entity.AssignedMachineId()
if err != nil {
return nil, errors.Trace(err)
}
machineTag := names.NewMachineTag(machineId)
return func(tag names.Tag) bool {
return tag == machineTag
}, nil
default:
return nil, errors.Errorf("expected names.UnitTag, got %T", tag)
}
}
storageAPI, err := newStorageAPI(getStorageState(st), resources, accessUnit)
if err != nil {
return nil, err
}
msAPI, err := meterstatus.NewMeterStatusAPI(st, resources, authorizer)
if err != nil {
return nil, errors.Annotate(err, "could not create meter status API handler")
}
accessUnitOrService := common.AuthEither(accessUnit, accessService)
return &UniterAPIV3{
LifeGetter: common.NewLifeGetter(st, accessUnitOrService),
DeadEnsurer: common.NewDeadEnsurer(st, accessUnit),
AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, accessUnitOrService),
APIAddresser: common.NewAPIAddresser(st, resources),
ModelWatcher: common.NewModelWatcher(st, resources, authorizer),
RebootRequester: common.NewRebootRequester(st, accessMachine),
LeadershipSettingsAccessor: leadershipSettingsAccessorFactory(st, resources, authorizer),
MeterStatus: msAPI,
// TODO(fwereade): so *every* unit should be allowed to get/set its
// own status *and* its service's? This is not a pleasing arrangement.
StatusAPI: NewStatusAPI(st, accessUnitOrService),
st: st,
auth: authorizer,
resources: resources,
accessUnit: accessUnit,
accessService: accessService,
accessMachine: accessMachine,
unit: unit,
StorageAPI: *storageAPI,
}, nil
}
// NewStorageProvisionerAPI creates a new server-side StorageProvisionerAPI facade.
func NewStorageProvisionerAPI(
st Backend,
resources facade.Resources,
authorizer facade.Authorizer,
registry storage.ProviderRegistry,
poolManager poolmanager.PoolManager,
) (*StorageProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() {
return nil, common.ErrPerm
}
canAccessStorageMachine := func(tag names.MachineTag, allowEnvironManager bool) bool {
authEntityTag := authorizer.GetAuthTag()
if tag == authEntityTag {
// Machine agents can access volumes
// scoped to their own machine.
return true
}
parentId := state.ParentId(tag.Id())
if parentId == "" {
return allowEnvironManager && authorizer.AuthModelManager()
}
// All containers with the authenticated
// machine as a parent are accessible by it.
return names.NewMachineTag(parentId) == authEntityTag
}
getScopeAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
switch tag := tag.(type) {
case names.ModelTag:
// Environment managers can access all volumes
// and filesystems scoped to the environment.
isModelManager := authorizer.AuthModelManager()
return isModelManager && tag == st.ModelTag()
case names.MachineTag:
return canAccessStorageMachine(tag, false)
default:
return false
}
}, nil
}
canAccessStorageEntity := func(tag names.Tag, allowMachines bool) bool {
switch tag := tag.(type) {
case names.VolumeTag:
machineTag, ok := names.VolumeMachine(tag)
if ok {
return canAccessStorageMachine(machineTag, false)
}
return authorizer.AuthModelManager()
case names.FilesystemTag:
machineTag, ok := names.FilesystemMachine(tag)
if ok {
return canAccessStorageMachine(machineTag, false)
}
return authorizer.AuthModelManager()
case names.MachineTag:
return allowMachines && canAccessStorageMachine(tag, true)
default:
return false
}
}
getStorageEntityAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
return canAccessStorageEntity(tag, false)
}, nil
}
getLifeAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
return canAccessStorageEntity(tag, true)
}, nil
}
getAttachmentAuthFunc := func() (func(names.MachineTag, names.Tag) bool, error) {
// getAttachmentAuthFunc returns a function that validates
// access by the authenticated user to an attachment.
return func(machineTag names.MachineTag, attachmentTag names.Tag) bool {
// Machine agents can access their own machine, and
// machines contained. Environment managers can access
// top-level machines.
if !canAccessStorageMachine(machineTag, true) {
return false
}
// Environment managers can access model-scoped
// volumes and volumes scoped to their own machines.
// Other machine agents can access volumes regardless
// of their scope.
if !authorizer.AuthModelManager() {
return true
}
var machineScope names.MachineTag
var hasMachineScope bool
switch attachmentTag := attachmentTag.(type) {
case names.VolumeTag:
machineScope, hasMachineScope = names.VolumeMachine(attachmentTag)
case names.FilesystemTag:
machineScope, hasMachineScope = names.FilesystemMachine(attachmentTag)
}
return !hasMachineScope || machineScope == authorizer.GetAuthTag()
}, nil
}
getMachineAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
if tag, ok := tag.(names.MachineTag); ok {
return canAccessStorageMachine(tag, true)
}
return false
}, nil
}
getBlockDevicesAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
if tag, ok := tag.(names.MachineTag); ok {
return canAccessStorageMachine(tag, false)
}
return false
}, nil
}
return &StorageProvisionerAPI{
LifeGetter: common.NewLifeGetter(st, getLifeAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(st, getStorageEntityAuthFunc),
InstanceIdGetter: common.NewInstanceIdGetter(st, getMachineAuthFunc),
StatusSetter: common.NewStatusSetter(st, getStorageEntityAuthFunc),
st: st,
resources: resources,
authorizer: authorizer,
registry: registry,
poolManager: poolManager,
getScopeAuthFunc: getScopeAuthFunc,
getStorageEntityAuthFunc: getStorageEntityAuthFunc,
getAttachmentAuthFunc: getAttachmentAuthFunc,
getMachineAuthFunc: getMachineAuthFunc,
getBlockDevicesAuthFunc: getBlockDevicesAuthFunc,
}, nil
}
