// NewInstancePollerAPI creates a new server-side InstancePoller API
// facade.
func NewInstancePollerAPI(
st *state.State,
resources facade.Resources,
authorizer facade.Authorizer,
clock clock.Clock,
) (*InstancePollerAPI, error) {
if !authorizer.AuthModelManager() {
// InstancePoller must run as environment manager.
return nil, common.ErrPerm
}
accessMachine := common.AuthFuncForTagKind(names.MachineTagKind)
sti := getState(st)
// Life() is supported for machines.
lifeGetter := common.NewLifeGetter(
sti,
accessMachine,
)
// ModelConfig() and WatchForModelConfigChanges() are allowed
// with unrestriced access.
modelWatcher := common.NewModelWatcher(
sti,
resources,
authorizer,
)
// WatchModelMachines() is allowed with unrestricted access.
machinesWatcher := common.NewModelMachinesWatcher(
sti,
resources,
authorizer,
)
// InstanceId() is supported for machines.
instanceIdGetter := common.NewInstanceIdGetter(
sti,
accessMachine,
)
// Status() is supported for machines.
statusGetter := common.NewStatusGetter(
sti,
accessMachine,
)
return &InstancePollerAPI{
LifeGetter: lifeGetter,
ModelWatcher: modelWatcher,
ModelMachinesWatcher: machinesWatcher,
InstanceIdGetter: instanceIdGetter,
StatusGetter: statusGetter,
st: sti,
resources: resources,
authorizer: authorizer,
accessMachine: accessMachine,
clock: clock,
}, nil
}
func (s *modelMachinesWatcherSuite) TestWatchAuthError(c *gc.C) {
authorizer := apiservertesting.FakeAuthorizer{
Tag: names.NewMachineTag("1"),
EnvironManager: false,
}
resources := common.NewResources()
s.AddCleanup(func(_ *gc.C) { resources.StopAll() })
e := common.NewModelMachinesWatcher(
&fakeModelMachinesWatcher{},
resources,
authorizer,
)
_, err := e.WatchModelMachines()
c.Assert(err, gc.ErrorMatches, "permission denied")
c.Assert(resources.Count(), gc.Equals, 0)
}
func (s *modelMachinesWatcherSuite) TestWatchModelMachines(c *gc.C) {
authorizer := apiservertesting.FakeAuthorizer{
Tag: names.NewMachineTag("0"),
EnvironManager: true,
}
resources := common.NewResources()
s.AddCleanup(func(_ *gc.C) { resources.StopAll() })
e := common.NewModelMachinesWatcher(
&fakeModelMachinesWatcher{initial: []string{"foo"}},
resources,
authorizer,
)
result, err := e.WatchModelMachines()
c.Assert(err, jc.ErrorIsNil)
c.Assert(result, jc.DeepEquals, params.StringsWatchResult{"1", []string{"foo"}, nil})
c.Assert(resources.Count(), gc.Equals, 1)
}
// NewProvisionerAPI creates a new server-side ProvisionerAPI facade.
func NewProvisionerAPI(st *state.State, resources facade.Resources, authorizer facade.Authorizer) (*ProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() && !authorizer.AuthModelManager() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
isModelManager := authorizer.AuthModelManager()
isMachineAgent := authorizer.AuthMachineAgent()
authEntityTag := authorizer.GetAuthTag()
return func(tag names.Tag) bool {
if isMachineAgent && tag == authEntityTag {
// A machine agent can always access its own machine.
return true
}
switch tag := tag.(type) {
case names.MachineTag:
parentId := state.ParentId(tag.Id())
if parentId == "" {
// All top-level machines are accessible by the
// environment manager.
return isModelManager
}
// All containers with the authenticated machine as a
// parent are accessible by it.
// TODO(dfc) sometimes authEntity tag is nil, which is fine because nil is
// only equal to nil, but it suggests someone is passing an authorizer
// with a nil tag.
return isMachineAgent && names.NewMachineTag(parentId) == authEntityTag
default:
return false
}
}, nil
}
getAuthOwner := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
model, err := st.Model()
if err != nil {
return nil, err
}
configGetter := stateenvirons.EnvironConfigGetter{st}
env, err := environs.GetEnviron(configGetter, environs.New)
if err != nil {
return nil, err
}
urlGetter := common.NewToolsURLGetter(model.UUID(), st)
storageProviderRegistry := stateenvirons.NewStorageProviderRegistry(env)
return &ProvisionerAPI{
Remover: common.NewRemover(st, false, getAuthFunc),
StatusSetter: common.NewStatusSetter(st, getAuthFunc),
StatusGetter: common.NewStatusGetter(st, getAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
ModelWatcher: common.NewModelWatcher(st, resources, authorizer),
ModelMachinesWatcher: common.NewModelMachinesWatcher(st, resources, authorizer),
ControllerConfigAPI: common.NewControllerConfig(st),
InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc),
ToolsFinder: common.NewToolsFinder(configGetter, st, urlGetter),
ToolsGetter: common.NewToolsGetter(st, configGetter, st, urlGetter, getAuthOwner),
st: st,
resources: resources,
authorizer: authorizer,
configGetter: configGetter,
storageProviderRegistry: storageProviderRegistry,
storagePoolManager: poolmanager.New(state.NewStateSettings(st), storageProviderRegistry),
getAuthFunc: getAuthFunc,
}, nil
}
// NewFirewallerAPI creates a new server-side FirewallerAPI facade.
func NewFirewallerAPI(
st *state.State,
resources facade.Resources,
authorizer facade.Authorizer,
) (*FirewallerAPI, error) {
if !authorizer.AuthModelManager() {
// Firewaller must run as environment manager.
return nil, common.ErrPerm
}
// Set up the various authorization checkers.
accessEnviron := common.AuthFuncForTagKind(names.ModelTagKind)
accessUnit := common.AuthFuncForTagKind(names.UnitTagKind)
accessService := common.AuthFuncForTagKind(names.ApplicationTagKind)
accessMachine := common.AuthFuncForTagKind(names.MachineTagKind)
accessUnitOrService := common.AuthEither(accessUnit, accessService)
accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine)
// Life() is supported for units, services or machines.
lifeGetter := common.NewLifeGetter(
st,
accessUnitServiceOrMachine,
)
// ModelConfig() and WatchForModelConfigChanges() are allowed
// with unrestriced access.
modelWatcher := common.NewModelWatcher(
st,
resources,
authorizer,
)
// Watch() is supported for applications only.
entityWatcher := common.NewAgentEntityWatcher(
st,
resources,
accessService,
)
// WatchUnits() is supported for machines.
unitsWatcher := common.NewUnitsWatcher(st,
resources,
accessMachine,
)
// WatchModelMachines() is allowed with unrestricted access.
machinesWatcher := common.NewModelMachinesWatcher(
st,
resources,
authorizer,
)
// InstanceId() is supported for machines.
instanceIdGetter := common.NewInstanceIdGetter(
st,
accessMachine,
)
environConfigGetter := stateenvirons.EnvironConfigGetter{st}
cloudSpecAPI := cloudspec.NewCloudSpec(environConfigGetter.CloudSpec, common.AuthFuncForTag(st.ModelTag()))
return &FirewallerAPI{
LifeGetter: lifeGetter,
ModelWatcher: modelWatcher,
AgentEntityWatcher: entityWatcher,
UnitsWatcher: unitsWatcher,
ModelMachinesWatcher: machinesWatcher,
InstanceIdGetter: instanceIdGetter,
CloudSpecAPI: cloudSpecAPI,
st: st,
resources: resources,
authorizer: authorizer,
accessUnit: accessUnit,
accessService: accessService,
accessMachine: accessMachine,
accessEnviron: accessEnviron,
}, nil
}