// NewModelManagerAPI creates a new api server endpoint for managing
// models.
func NewModelManagerAPI(
st common.ModelManagerBackend,
configGetter environs.EnvironConfigGetter,
authorizer facade.Authorizer,
) (*ModelManagerAPI, error) {
if !authorizer.AuthClient() {
return nil, common.ErrPerm
}
// Since we know this is a user tag (because AuthClient is true),
// we just do the type assertion to the UserTag.
apiUser, _ := authorizer.GetAuthTag().(names.UserTag)
// Pretty much all of the user manager methods have special casing for admin
// users, so look once when we start and remember if the user is an admin.
isAdmin, err := authorizer.HasPermission(permission.SuperuserAccess, st.ControllerTag())
if err != nil {
return nil, errors.Trace(err)
}
urlGetter := common.NewToolsURLGetter(st.ModelUUID(), st)
return &ModelManagerAPI{
ModelStatusAPI: common.NewModelStatusAPI(st, authorizer, apiUser),
state: st,
check: common.NewBlockChecker(st),
authorizer: authorizer,
toolsFinder: common.NewToolsFinder(configGetter, st, urlGetter),
apiUser: apiUser,
isAdmin: isAdmin,
}, nil
}
// NewCloudAPI creates a new API server endpoint for managing the controller's
// cloud definition and cloud credentials.
func NewCloudAPI(backend Backend, authorizer facade.Authorizer) (*CloudAPI, error) {
if !authorizer.AuthClient() {
return nil, common.ErrPerm
}
getUserAuthFunc := func() (common.AuthFunc, error) {
authUser, _ := authorizer.GetAuthTag().(names.UserTag)
isAdmin, err := authorizer.HasPermission(permission.SuperuserAccess, backend.ControllerTag())
if err != nil && !errors.IsNotFound(err) {
return nil, err
}
return func(tag names.Tag) bool {
userTag, ok := tag.(names.UserTag)
if !ok {
return false
}
return isAdmin || userTag == authUser
}, nil
}
return &CloudAPI{
backend: backend,
authorizer: authorizer,
getCredentialsAuthFunc: getUserAuthFunc,
}, nil
}
func NewUserManagerAPI(
st *state.State,
resources facade.Resources,
authorizer facade.Authorizer,
) (*UserManagerAPI, error) {
if !authorizer.AuthClient() {
return nil, common.ErrPerm
}
// Since we know this is a user tag (because AuthClient is true),
// we just do the type assertion to the UserTag.
apiUser, _ := authorizer.GetAuthTag().(names.UserTag)
// Pretty much all of the user manager methods have special casing for admin
// users, so look once when we start and remember if the user is an admin.
isAdmin, err := authorizer.HasPermission(permission.SuperuserAccess, st.ControllerTag())
if err != nil {
return nil, errors.Trace(err)
}
return &UserManagerAPI{
state: st,
authorizer: authorizer,
check: common.NewBlockChecker(st),
apiUser: apiUser,
isAdmin: isAdmin,
}, nil
}
func checkAuth(authorizer facade.Authorizer, st *state.State) error {
if !authorizer.AuthClient() {
return errors.Trace(common.ErrPerm)
}
if isAdmin, err := authorizer.HasPermission(permission.SuperuserAccess, st.ControllerTag()); err != nil {
return errors.Trace(err)
} else if !isAdmin {
// The entire facade is only accessible to controller administrators.
return errors.Trace(common.ErrPerm)
}
return nil
}
// NewAPI creates a new instance of the Backups API facade.
func NewAPI(backend Backend, resources facade.Resources, authorizer facade.Authorizer) (*API, error) {
isControllerAdmin, err := authorizer.HasPermission(permission.SuperuserAccess, backend.ControllerTag())
if err != nil && !errors.IsNotFound(err) {
return nil, errors.Trace(err)
}
if !authorizer.AuthClient() || !isControllerAdmin {
return nil, common.ErrPerm
}
// For now, backup operations are only permitted on the controller environment.
if !backend.IsController() {
return nil, errors.New("backups are not supported for hosted models")
}
// Get the backup paths.
dataDir, err := extractResourceValue(resources, "dataDir")
if err != nil {
return nil, errors.Trace(err)
}
logsDir, err := extractResourceValue(resources, "logDir")
if err != nil {
return nil, errors.Trace(err)
}
paths := backups.Paths{
DataDir: dataDir,
LogsDir: logsDir,
}
// Build the API.
machineID, err := extractResourceValue(resources, "machineID")
if err != nil {
return nil, errors.Trace(err)
}
b := API{
backend: backend,
paths: &paths,
machineID: machineID,
}
return &b, nil
}
