// NewProvisionerAPI creates a new server-side ProvisionerAPI facade. func NewProvisionerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*ProvisionerAPI, error) { if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() { return nil, common.ErrPerm } getAuthFunc := func() (common.AuthFunc, error) { isEnvironManager := authorizer.AuthEnvironManager() isMachineAgent := authorizer.AuthMachineAgent() authEntityTag := authorizer.GetAuthTag() return func(tag names.Tag) bool { if isMachineAgent && tag == authEntityTag { // A machine agent can always access its own machine. return true } switch tag := tag.(type) { case names.MachineTag: parentId := state.ParentId(tag.Id()) if parentId == "" { // All top-level machines are accessible by the // environment manager. return isEnvironManager } // All containers with the authenticated machine as a // parent are accessible by it. // TODO(dfc) sometimes authEntity tag is nil, which is fine because nil is // only equal to nil, but it suggests someone is passing an authorizer // with a nil tag. return isMachineAgent && names.NewMachineTag(parentId) == authEntityTag default: return false } }, nil } env, err := st.Environment() if err != nil { return nil, err } urlGetter := common.NewToolsURLGetter(env.UUID(), st) return &ProvisionerAPI{ Remover: common.NewRemover(st, false, getAuthFunc), StatusSetter: common.NewStatusSetter(st, getAuthFunc), StatusGetter: common.NewStatusGetter(st, getAuthFunc), DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc), PasswordChanger: common.NewPasswordChanger(st, getAuthFunc), LifeGetter: common.NewLifeGetter(st, getAuthFunc), StateAddresser: common.NewStateAddresser(st), APIAddresser: common.NewAPIAddresser(st, resources), EnvironWatcher: common.NewEnvironWatcher(st, resources, authorizer), EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, authorizer), InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc), ToolsFinder: common.NewToolsFinder(st, st, urlGetter), st: st, resources: resources, authorizer: authorizer, getAuthFunc: getAuthFunc, }, nil }
// NewInstancePollerAPI creates a new server-side InstancePoller API // facade. func NewInstancePollerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*InstancePollerAPI, error) { if !authorizer.AuthEnvironManager() { // InstancePoller must run as environment manager. return nil, common.ErrPerm } accessMachine := common.AuthFuncForTagKind(names.MachineTagKind) sti := getState(st) // Life() is supported for machines. lifeGetter := common.NewLifeGetter( sti, accessMachine, ) // EnvironConfig() and WatchForEnvironConfigChanges() are allowed // with unrestriced access. environWatcher := common.NewEnvironWatcher( sti, resources, authorizer, ) // WatchEnvironMachines() is allowed with unrestricted access. machinesWatcher := common.NewEnvironMachinesWatcher( sti, resources, authorizer, ) // InstanceId() is supported for machines. instanceIdGetter := common.NewInstanceIdGetter( sti, accessMachine, ) // Status() is supported for machines. statusGetter := common.NewStatusGetter( sti, accessMachine, ) return &InstancePollerAPI{ LifeGetter: lifeGetter, EnvironWatcher: environWatcher, EnvironMachinesWatcher: machinesWatcher, InstanceIdGetter: instanceIdGetter, StatusGetter: statusGetter, st: sti, resources: resources, authorizer: authorizer, accessMachine: accessMachine, }, nil }
func (s *environMachinesWatcherSuite) TestWatchAuthError(c *gc.C) { authorizer := apiservertesting.FakeAuthorizer{ Tag: names.NewMachineTag("1"), EnvironManager: false, } resources := common.NewResources() s.AddCleanup(func(_ *gc.C) { resources.StopAll() }) e := common.NewEnvironMachinesWatcher( &fakeEnvironMachinesWatcher{}, resources, authorizer, ) _, err := e.WatchEnvironMachines() c.Assert(err, gc.ErrorMatches, "permission denied") c.Assert(resources.Count(), gc.Equals, 0) }
func (s *environMachinesWatcherSuite) TestWatchEnvironMachines(c *gc.C) { authorizer := apiservertesting.FakeAuthorizer{ Tag: names.NewMachineTag("0"), EnvironManager: true, } resources := common.NewResources() s.AddCleanup(func(_ *gc.C) { resources.StopAll() }) e := common.NewEnvironMachinesWatcher( &fakeEnvironMachinesWatcher{initial: []string{"foo"}}, resources, authorizer, ) result, err := e.WatchEnvironMachines() c.Assert(err, jc.ErrorIsNil) c.Assert(result, jc.DeepEquals, params.StringsWatchResult{"1", []string{"foo"}, nil}) c.Assert(resources.Count(), gc.Equals, 1) }
// NewFirewallerAPI creates a new server-side FirewallerAPI facade. func NewFirewallerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*FirewallerAPI, error) { if !authorizer.AuthEnvironManager() { // Firewaller must run as environment manager. return nil, common.ErrPerm } // Set up the various authorization checkers. accessEnviron := common.AuthFuncForTagKind(names.EnvironTagKind) accessUnit := common.AuthFuncForTagKind(names.UnitTagKind) accessService := common.AuthFuncForTagKind(names.ServiceTagKind) accessMachine := common.AuthFuncForTagKind(names.MachineTagKind) accessUnitOrService := common.AuthEither(accessUnit, accessService) accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine) // Life() is supported for units, services or machines. lifeGetter := common.NewLifeGetter( st, accessUnitServiceOrMachine, ) // EnvironConfig() and WatchForEnvironConfigChanges() are allowed // with unrestriced access. environWatcher := common.NewEnvironWatcher( st, resources, authorizer, ) // Watch() is supported for services only. entityWatcher := common.NewAgentEntityWatcher( st, resources, accessService, ) // WatchUnits() is supported for machines. unitsWatcher := common.NewUnitsWatcher(st, resources, accessMachine, ) // WatchEnvironMachines() is allowed with unrestricted access. machinesWatcher := common.NewEnvironMachinesWatcher( st, resources, authorizer, ) // InstanceId() is supported for machines. instanceIdGetter := common.NewInstanceIdGetter( st, accessMachine, ) return &FirewallerAPI{ LifeGetter: lifeGetter, EnvironWatcher: environWatcher, AgentEntityWatcher: entityWatcher, UnitsWatcher: unitsWatcher, EnvironMachinesWatcher: machinesWatcher, InstanceIdGetter: instanceIdGetter, st: st, resources: resources, authorizer: authorizer, accessUnit: accessUnit, accessService: accessService, accessMachine: accessMachine, accessEnviron: accessEnviron, }, nil }