func (*instanceIdGetterSuite) TestInstanceId(c *gc.C) {
st := &fakeState{
entities: map[names.Tag]entityWithError{
u("x/0"): &fakeInstanceIdGetter{instanceId: "foo"},
u("x/1"): &fakeInstanceIdGetter{instanceId: "bar"},
u("x/2"): &fakeInstanceIdGetter{instanceId: "baz", err: "x2 error"},
u("x/3"): &fakeInstanceIdGetter{fetchError: "x3 error"},
},
}
getCanRead := func() (common.AuthFunc, error) {
x0 := u("x/0")
x2 := u("x/2")
x3 := u("x/3")
return func(tag names.Tag) bool {
return tag == x0 || tag == x2 || tag == x3
}, nil
}
ig := common.NewInstanceIdGetter(st, getCanRead)
entities := params.Entities{[]params.Entity{
{"unit-x-0"}, {"unit-x-1"}, {"unit-x-2"}, {"unit-x-3"}, {"unit-x-4"},
}}
results, err := ig.InstanceId(entities)
c.Assert(err, jc.ErrorIsNil)
c.Assert(results, jc.DeepEquals, params.StringResults{
Results: []params.StringResult{
{Result: "foo"},
{Error: apiservertesting.ErrUnauthorized},
{Error: ¶ms.Error{Message: "x2 error"}},
{Error: ¶ms.Error{Message: "x3 error"}},
{Error: apiservertesting.ErrUnauthorized},
},
})
}
func (*instanceIdGetterSuite) TestInstanceIdError(c *gc.C) {
getCanRead := func() (common.AuthFunc, error) {
return nil, fmt.Errorf("pow")
}
ig := common.NewInstanceIdGetter(&fakeState{}, getCanRead)
_, err := ig.InstanceId(params.Entities{[]params.Entity{{"unit-x-0"}}})
c.Assert(err, gc.ErrorMatches, "pow")
}
// NewProvisionerAPI creates a new server-side ProvisionerAPI facade.
func NewProvisionerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*ProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
isEnvironManager := authorizer.AuthEnvironManager()
isMachineAgent := authorizer.AuthMachineAgent()
authEntityTag := authorizer.GetAuthTag()
return func(tag names.Tag) bool {
if isMachineAgent && tag == authEntityTag {
// A machine agent can always access its own machine.
return true
}
switch tag := tag.(type) {
case names.MachineTag:
parentId := state.ParentId(tag.Id())
if parentId == "" {
// All top-level machines are accessible by the
// environment manager.
return isEnvironManager
}
// All containers with the authenticated machine as a
// parent are accessible by it.
// TODO(dfc) sometimes authEntity tag is nil, which is fine because nil is
// only equal to nil, but it suggests someone is passing an authorizer
// with a nil tag.
return isMachineAgent && names.NewMachineTag(parentId) == authEntityTag
default:
return false
}
}, nil
}
env, err := st.Environment()
if err != nil {
return nil, err
}
urlGetter := common.NewToolsURLGetter(env.UUID(), st)
return &ProvisionerAPI{
Remover: common.NewRemover(st, false, getAuthFunc),
StatusSetter: common.NewStatusSetter(st, getAuthFunc),
StatusGetter: common.NewStatusGetter(st, getAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
EnvironWatcher: common.NewEnvironWatcher(st, resources, authorizer),
EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, authorizer),
InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc),
ToolsFinder: common.NewToolsFinder(st, st, urlGetter),
st: st,
resources: resources,
authorizer: authorizer,
getAuthFunc: getAuthFunc,
}, nil
}
// NewInstancePollerAPI creates a new server-side InstancePoller API
// facade.
func NewInstancePollerAPI(
st *state.State,
resources facade.Resources,
authorizer facade.Authorizer,
clock clock.Clock,
) (*InstancePollerAPI, error) {
if !authorizer.AuthModelManager() {
// InstancePoller must run as environment manager.
return nil, common.ErrPerm
}
accessMachine := common.AuthFuncForTagKind(names.MachineTagKind)
sti := getState(st)
// Life() is supported for machines.
lifeGetter := common.NewLifeGetter(
sti,
accessMachine,
)
// ModelConfig() and WatchForModelConfigChanges() are allowed
// with unrestriced access.
modelWatcher := common.NewModelWatcher(
sti,
resources,
authorizer,
)
// WatchModelMachines() is allowed with unrestricted access.
machinesWatcher := common.NewModelMachinesWatcher(
sti,
resources,
authorizer,
)
// InstanceId() is supported for machines.
instanceIdGetter := common.NewInstanceIdGetter(
sti,
accessMachine,
)
// Status() is supported for machines.
statusGetter := common.NewStatusGetter(
sti,
accessMachine,
)
return &InstancePollerAPI{
LifeGetter: lifeGetter,
ModelWatcher: modelWatcher,
ModelMachinesWatcher: machinesWatcher,
InstanceIdGetter: instanceIdGetter,
StatusGetter: statusGetter,
st: sti,
resources: resources,
authorizer: authorizer,
accessMachine: accessMachine,
clock: clock,
}, nil
}
// NewFirewallerAPI creates a new server-side FirewallerAPI facade.
func NewFirewallerAPI(
st *state.State,
resources facade.Resources,
authorizer facade.Authorizer,
) (*FirewallerAPI, error) {
if !authorizer.AuthModelManager() {
// Firewaller must run as environment manager.
return nil, common.ErrPerm
}
// Set up the various authorization checkers.
accessEnviron := common.AuthFuncForTagKind(names.ModelTagKind)
accessUnit := common.AuthFuncForTagKind(names.UnitTagKind)
accessService := common.AuthFuncForTagKind(names.ApplicationTagKind)
accessMachine := common.AuthFuncForTagKind(names.MachineTagKind)
accessUnitOrService := common.AuthEither(accessUnit, accessService)
accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine)
// Life() is supported for units, services or machines.
lifeGetter := common.NewLifeGetter(
st,
accessUnitServiceOrMachine,
)
// ModelConfig() and WatchForModelConfigChanges() are allowed
// with unrestriced access.
modelWatcher := common.NewModelWatcher(
st,
resources,
authorizer,
)
// Watch() is supported for applications only.
entityWatcher := common.NewAgentEntityWatcher(
st,
resources,
accessService,
)
// WatchUnits() is supported for machines.
unitsWatcher := common.NewUnitsWatcher(st,
resources,
accessMachine,
)
// WatchModelMachines() is allowed with unrestricted access.
machinesWatcher := common.NewModelMachinesWatcher(
st,
resources,
authorizer,
)
// InstanceId() is supported for machines.
instanceIdGetter := common.NewInstanceIdGetter(
st,
accessMachine,
)
environConfigGetter := stateenvirons.EnvironConfigGetter{st}
cloudSpecAPI := cloudspec.NewCloudSpec(environConfigGetter.CloudSpec, common.AuthFuncForTag(st.ModelTag()))
return &FirewallerAPI{
LifeGetter: lifeGetter,
ModelWatcher: modelWatcher,
AgentEntityWatcher: entityWatcher,
UnitsWatcher: unitsWatcher,
ModelMachinesWatcher: machinesWatcher,
InstanceIdGetter: instanceIdGetter,
CloudSpecAPI: cloudSpecAPI,
st: st,
resources: resources,
authorizer: authorizer,
accessUnit: accessUnit,
accessService: accessService,
accessMachine: accessMachine,
accessEnviron: accessEnviron,
}, nil
}
// NewStorageProvisionerAPI creates a new server-side StorageProvisionerAPI facade.
func NewStorageProvisionerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*StorageProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() {
return nil, common.ErrPerm
}
canAccessStorageMachine := func(tag names.MachineTag, allowEnvironManager bool) bool {
authEntityTag := authorizer.GetAuthTag()
if tag == authEntityTag {
// Machine agents can access volumes
// scoped to their own machine.
return true
}
parentId := state.ParentId(tag.Id())
if parentId == "" {
return allowEnvironManager && authorizer.AuthEnvironManager()
}
// All containers with the authenticated
// machine as a parent are accessible by it.
return names.NewMachineTag(parentId) == authEntityTag
}
getScopeAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
switch tag := tag.(type) {
case names.EnvironTag:
// Environment managers can access all volumes
// and filesystems scoped to the environment.
isEnvironManager := authorizer.AuthEnvironManager()
return isEnvironManager && tag == st.EnvironTag()
case names.MachineTag:
return canAccessStorageMachine(tag, false)
default:
return false
}
}, nil
}
canAccessStorageEntity := func(tag names.Tag, allowMachines bool) bool {
switch tag := tag.(type) {
case names.VolumeTag:
machineTag, ok := names.VolumeMachine(tag)
if ok {
return canAccessStorageMachine(machineTag, false)
}
return authorizer.AuthEnvironManager()
case names.FilesystemTag:
machineTag, ok := names.FilesystemMachine(tag)
if ok {
return canAccessStorageMachine(machineTag, false)
}
return authorizer.AuthEnvironManager()
case names.MachineTag:
return allowMachines && canAccessStorageMachine(tag, true)
default:
return false
}
}
getStorageEntityAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
return canAccessStorageEntity(tag, false)
}, nil
}
getLifeAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
return canAccessStorageEntity(tag, true)
}, nil
}
getAttachmentAuthFunc := func() (func(names.MachineTag, names.Tag) bool, error) {
// getAttachmentAuthFunc returns a function that validates
// access by the authenticated user to an attachment.
return func(machineTag names.MachineTag, attachmentTag names.Tag) bool {
// Machine agents can access their own machine, and
// machines contained. Environment managers can access
// top-level machines.
if !canAccessStorageMachine(machineTag, true) {
return false
}
// Environment managers can access environment-scoped
// volumes and volumes scoped to their own machines.
// Other machine agents can access volumes regardless
// of their scope.
if !authorizer.AuthEnvironManager() {
return true
}
var machineScope names.MachineTag
var hasMachineScope bool
switch attachmentTag := attachmentTag.(type) {
case names.VolumeTag:
machineScope, hasMachineScope = names.VolumeMachine(attachmentTag)
case names.FilesystemTag:
machineScope, hasMachineScope = names.FilesystemMachine(attachmentTag)
}
return !hasMachineScope || machineScope == authorizer.GetAuthTag()
}, nil
}
getMachineAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
if tag, ok := tag.(names.MachineTag); ok {
return canAccessStorageMachine(tag, true)
}
return false
}, nil
}
getBlockDevicesAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
if tag, ok := tag.(names.MachineTag); ok {
return canAccessStorageMachine(tag, false)
}
return false
}, nil
}
stateInterface := getState(st)
settings := getSettingsManager(st)
return &StorageProvisionerAPI{
LifeGetter: common.NewLifeGetter(stateInterface, getLifeAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(stateInterface, getStorageEntityAuthFunc),
EnvironWatcher: common.NewEnvironWatcher(stateInterface, resources, authorizer),
InstanceIdGetter: common.NewInstanceIdGetter(st, getMachineAuthFunc),
StatusSetter: common.NewStatusSetter(st, getStorageEntityAuthFunc),
st: stateInterface,
settings: settings,
resources: resources,
authorizer: authorizer,
getScopeAuthFunc: getScopeAuthFunc,
getStorageEntityAuthFunc: getStorageEntityAuthFunc,
getAttachmentAuthFunc: getAttachmentAuthFunc,
getMachineAuthFunc: getMachineAuthFunc,
getBlockDevicesAuthFunc: getBlockDevicesAuthFunc,
}, nil
}
// NewFirewallerAPI creates a new server-side FirewallerAPI facade.
func NewFirewallerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*FirewallerAPI, error) {
if !authorizer.AuthEnvironManager() {
// Firewaller must run as environment manager.
return nil, common.ErrPerm
}
// Set up the various authorization checkers.
accessEnviron := common.AuthFuncForTagKind(names.EnvironTagKind)
accessUnit := common.AuthFuncForTagKind(names.UnitTagKind)
accessService := common.AuthFuncForTagKind(names.ServiceTagKind)
accessMachine := common.AuthFuncForTagKind(names.MachineTagKind)
accessUnitOrService := common.AuthEither(accessUnit, accessService)
accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine)
// Life() is supported for units, services or machines.
lifeGetter := common.NewLifeGetter(
st,
accessUnitServiceOrMachine,
)
// EnvironConfig() and WatchForEnvironConfigChanges() are allowed
// with unrestriced access.
environWatcher := common.NewEnvironWatcher(
st,
resources,
authorizer,
)
// Watch() is supported for services only.
entityWatcher := common.NewAgentEntityWatcher(
st,
resources,
accessService,
)
// WatchUnits() is supported for machines.
unitsWatcher := common.NewUnitsWatcher(st,
resources,
accessMachine,
)
// WatchEnvironMachines() is allowed with unrestricted access.
machinesWatcher := common.NewEnvironMachinesWatcher(
st,
resources,
authorizer,
)
// InstanceId() is supported for machines.
instanceIdGetter := common.NewInstanceIdGetter(
st,
accessMachine,
)
return &FirewallerAPI{
LifeGetter: lifeGetter,
EnvironWatcher: environWatcher,
AgentEntityWatcher: entityWatcher,
UnitsWatcher: unitsWatcher,
EnvironMachinesWatcher: machinesWatcher,
InstanceIdGetter: instanceIdGetter,
st: st,
resources: resources,
authorizer: authorizer,
accessUnit: accessUnit,
accessService: accessService,
accessMachine: accessMachine,
accessEnviron: accessEnviron,
}, nil
}
