// stateForRequestAuthenticatedAgent is like stateForRequestAuthenticated // except that it also verifies that the authenticated entity is an agent. func (ctxt *httpContext) stateForRequestAuthenticatedAgent(r *http.Request) (*state.State, state.Entity, error) { authFunc := common.AuthEither( common.AuthFuncForTagKind(names.MachineTagKind), common.AuthFuncForTagKind(names.UnitTagKind), ) st, entity, err := ctxt.stateForRequestAuthenticated(r) if err != nil { return nil, nil, errors.Trace(err) } if ok, err := checkPermissions(entity.Tag(), authFunc); !ok { return nil, nil, err } return st, entity, nil }
func (s *commonSuite) TestAuthFuncForTagKind(c *gc.C) { // TODO(dimitern): This list of all supported tags and kinds needs // to live in juju/names. uuid, err := utils.NewUUID() c.Assert(err, jc.ErrorIsNil) allTags := []names.Tag{ nil, // invalid tag names.NewActionTag(uuid.String()), names.NewCharmTag("cs:precise/missing"), names.NewModelTag(uuid.String()), names.NewFilesystemTag("20/20"), names.NewLocalUserTag("user"), names.NewMachineTag("42"), names.NewNetworkTag("public"), names.NewRelationTag("wordpress:mysql mysql:db"), names.NewServiceTag("wordpress"), names.NewSpaceTag("apps"), names.NewStorageTag("foo/42"), names.NewUnitTag("wordpress/5"), names.NewUserTag("joe"), names.NewVolumeTag("80/20"), } for i, allowedTag := range allTags { c.Logf("test #%d: allowedTag: %v", i, allowedTag) var allowedKind string if allowedTag != nil { allowedKind = allowedTag.Kind() } getAuthFunc := common.AuthFuncForTagKind(allowedKind) authFunc, err := getAuthFunc() if allowedKind == "" { c.Check(err, gc.ErrorMatches, "tag kind cannot be empty") c.Check(authFunc, gc.IsNil) continue } else if !c.Check(err, jc.ErrorIsNil) { continue } for j, givenTag := range allTags { c.Logf("test #%d.%d: givenTag: %v", i, j, givenTag) var givenKind string if givenTag != nil { givenKind = givenTag.Kind() } if allowedKind == givenKind { c.Check(authFunc(givenTag), jc.IsTrue) } else { c.Check(authFunc(givenTag), jc.IsFalse) } } } }
// NewInstancePollerAPI creates a new server-side InstancePoller API // facade. func NewInstancePollerAPI( st *state.State, resources facade.Resources, authorizer facade.Authorizer, clock clock.Clock, ) (*InstancePollerAPI, error) { if !authorizer.AuthModelManager() { // InstancePoller must run as environment manager. return nil, common.ErrPerm } accessMachine := common.AuthFuncForTagKind(names.MachineTagKind) sti := getState(st) // Life() is supported for machines. lifeGetter := common.NewLifeGetter( sti, accessMachine, ) // ModelConfig() and WatchForModelConfigChanges() are allowed // with unrestriced access. modelWatcher := common.NewModelWatcher( sti, resources, authorizer, ) // WatchModelMachines() is allowed with unrestricted access. machinesWatcher := common.NewModelMachinesWatcher( sti, resources, authorizer, ) // InstanceId() is supported for machines. instanceIdGetter := common.NewInstanceIdGetter( sti, accessMachine, ) // Status() is supported for machines. statusGetter := common.NewStatusGetter( sti, accessMachine, ) return &InstancePollerAPI{ LifeGetter: lifeGetter, ModelWatcher: modelWatcher, ModelMachinesWatcher: machinesWatcher, InstanceIdGetter: instanceIdGetter, StatusGetter: statusGetter, st: sti, resources: resources, authorizer: authorizer, accessMachine: accessMachine, clock: clock, }, nil }
// stateForRequestAuthenticatedUser is like stateForRequestAuthenticated // except that it also verifies that the authenticated entity is a user. func (ctxt *httpContext) stateForRequestAuthenticatedUser(r *http.Request) (*state.State, state.Entity, error) { st, entity, err := ctxt.stateForRequestAuthenticated(r) if err != nil { return nil, nil, errors.Trace(err) } if ok, err := checkPermissions(entity.Tag(), common.AuthFuncForTagKind(names.UserTagKind)); !ok { return nil, nil, err } return st, entity, nil }
// NewFirewallerAPI creates a new server-side FirewallerAPI facade. func NewFirewallerAPI( st *state.State, resources facade.Resources, authorizer facade.Authorizer, ) (*FirewallerAPI, error) { if !authorizer.AuthModelManager() { // Firewaller must run as environment manager. return nil, common.ErrPerm } // Set up the various authorization checkers. accessEnviron := common.AuthFuncForTagKind(names.ModelTagKind) accessUnit := common.AuthFuncForTagKind(names.UnitTagKind) accessService := common.AuthFuncForTagKind(names.ApplicationTagKind) accessMachine := common.AuthFuncForTagKind(names.MachineTagKind) accessUnitOrService := common.AuthEither(accessUnit, accessService) accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine) // Life() is supported for units, services or machines. lifeGetter := common.NewLifeGetter( st, accessUnitServiceOrMachine, ) // ModelConfig() and WatchForModelConfigChanges() are allowed // with unrestriced access. modelWatcher := common.NewModelWatcher( st, resources, authorizer, ) // Watch() is supported for applications only. entityWatcher := common.NewAgentEntityWatcher( st, resources, accessService, ) // WatchUnits() is supported for machines. unitsWatcher := common.NewUnitsWatcher(st, resources, accessMachine, ) // WatchModelMachines() is allowed with unrestricted access. machinesWatcher := common.NewModelMachinesWatcher( st, resources, authorizer, ) // InstanceId() is supported for machines. instanceIdGetter := common.NewInstanceIdGetter( st, accessMachine, ) environConfigGetter := stateenvirons.EnvironConfigGetter{st} cloudSpecAPI := cloudspec.NewCloudSpec(environConfigGetter.CloudSpec, common.AuthFuncForTag(st.ModelTag())) return &FirewallerAPI{ LifeGetter: lifeGetter, ModelWatcher: modelWatcher, AgentEntityWatcher: entityWatcher, UnitsWatcher: unitsWatcher, ModelMachinesWatcher: machinesWatcher, InstanceIdGetter: instanceIdGetter, CloudSpecAPI: cloudSpecAPI, st: st, resources: resources, authorizer: authorizer, accessUnit: accessUnit, accessService: accessService, accessMachine: accessMachine, accessEnviron: accessEnviron, }, nil }
// NewFirewallerAPI creates a new server-side FirewallerAPI facade. func NewFirewallerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*FirewallerAPI, error) { if !authorizer.AuthEnvironManager() { // Firewaller must run as environment manager. return nil, common.ErrPerm } // Set up the various authorization checkers. accessEnviron := common.AuthFuncForTagKind(names.EnvironTagKind) accessUnit := common.AuthFuncForTagKind(names.UnitTagKind) accessService := common.AuthFuncForTagKind(names.ServiceTagKind) accessMachine := common.AuthFuncForTagKind(names.MachineTagKind) accessUnitOrService := common.AuthEither(accessUnit, accessService) accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine) // Life() is supported for units, services or machines. lifeGetter := common.NewLifeGetter( st, accessUnitServiceOrMachine, ) // EnvironConfig() and WatchForEnvironConfigChanges() are allowed // with unrestriced access. environWatcher := common.NewEnvironWatcher( st, resources, authorizer, ) // Watch() is supported for services only. entityWatcher := common.NewAgentEntityWatcher( st, resources, accessService, ) // WatchUnits() is supported for machines. unitsWatcher := common.NewUnitsWatcher(st, resources, accessMachine, ) // WatchEnvironMachines() is allowed with unrestricted access. machinesWatcher := common.NewEnvironMachinesWatcher( st, resources, authorizer, ) // InstanceId() is supported for machines. instanceIdGetter := common.NewInstanceIdGetter( st, accessMachine, ) return &FirewallerAPI{ LifeGetter: lifeGetter, EnvironWatcher: environWatcher, AgentEntityWatcher: entityWatcher, UnitsWatcher: unitsWatcher, EnvironMachinesWatcher: machinesWatcher, InstanceIdGetter: instanceIdGetter, st: st, resources: resources, authorizer: authorizer, accessUnit: accessUnit, accessService: accessService, accessMachine: accessMachine, accessEnviron: accessEnviron, }, nil }