// NewEnvironmentAPI creates a new instance of the Environment API.
func NewEnvironmentAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*EnvironmentAPI, error) {
// Can always watch for environ changes.
getCanWatch := common.AuthAlways(true)
// Does not get the secrets.
getCanReadSecrets := common.AuthAlways(false)
return &EnvironmentAPI{
EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets),
}, nil
}
// NewProvisionerAPI creates a new server-side ProvisionerAPI facade.
func NewProvisionerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*ProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
isEnvironManager := authorizer.AuthEnvironManager()
isMachineAgent := authorizer.AuthMachineAgent()
authEntityTag := authorizer.GetAuthTag()
return func(tag string) bool {
if isMachineAgent && tag == authEntityTag {
// A machine agent can always access its own machine.
return true
}
t, err := names.ParseTag(tag, names.MachineTagKind)
if err != nil {
return false
}
parentId := state.ParentId(t.Id())
if parentId == "" {
// All top-level machines are accessible by the
// environment manager.
return isEnvironManager
}
// All containers with the authenticated machine as a
// parent are accessible by it.
return isMachineAgent && names.NewMachineTag(parentId).String() == authEntityTag
}, nil
}
// Both provisioner types can watch the environment.
getCanWatch := common.AuthAlways(true)
// Only the environment provisioner can read secrets.
getCanReadSecrets := common.AuthAlways(authorizer.AuthEnvironManager())
return &ProvisionerAPI{
Remover: common.NewRemover(st, false, getAuthFunc),
StatusSetter: common.NewStatusSetter(st, getAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
ToolsGetter: common.NewToolsGetter(st, getAuthFunc),
EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets),
EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, getCanReadSecrets),
InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc),
st: st,
resources: resources,
authorizer: authorizer,
getAuthFunc: getAuthFunc,
getCanWatchMachines: getCanReadSecrets,
}, nil
}
func (*environWatcherSuite) TestEnvironConfigGetAuthError(c *gc.C) {
getCanReadSecrets := func() (common.AuthFunc, error) {
return nil, fmt.Errorf("pow")
}
e := common.NewEnvironWatcher(
&fakeEnvironAccessor{envConfig: testingEnvConfig(c)},
nil,
nil,
getCanReadSecrets,
)
_, err := e.EnvironConfig()
c.Assert(err, gc.ErrorMatches, "pow")
}
func (*environWatcherSuite) TestWatchGetAuthError(c *gc.C) {
getCanWatch := func() (common.AuthFunc, error) {
return nil, fmt.Errorf("pow")
}
resources := common.NewResources()
e := common.NewEnvironWatcher(
&fakeEnvironAccessor{},
resources,
getCanWatch,
nil,
)
_, err := e.WatchForEnvironConfigChanges()
c.Assert(err, gc.ErrorMatches, "pow")
c.Assert(resources.Count(), gc.Equals, 0)
}
func (*environWatcherSuite) TestEnvironConfigFetchError(c *gc.C) {
getCanReadSecrets := func() (common.AuthFunc, error) {
return func(tag string) bool {
return true
}, nil
}
e := common.NewEnvironWatcher(
&fakeEnvironAccessor{
envConfigError: fmt.Errorf("pow"),
},
nil,
nil,
getCanReadSecrets,
)
_, err := e.EnvironConfig()
c.Assert(err, gc.ErrorMatches, "pow")
}
// NewRsyslogAPI creates a new instance of the Rsyslog API.
func NewRsyslogAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*RsyslogAPI, error) {
if !authorizer.AuthMachineAgent() && !authorizer.AuthUnitAgent() {
return nil, common.ErrPerm
}
// Can always watch for environ changes.
getCanWatch := common.AuthAlways(true)
// Does not get the secrets.
getCanReadSecrets := common.AuthAlways(false)
return &RsyslogAPI{
EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets),
st: st,
authorizer: authorizer,
resources: resources,
canModify: authorizer.AuthEnvironManager(),
StateAddresser: common.NewStateAddresser(st),
}, nil
}
func (*environWatcherSuite) TestWatchAuthError(c *gc.C) {
getCanWatch := func() (common.AuthFunc, error) {
return func(tag string) bool {
return false
}, nil
}
resources := common.NewResources()
e := common.NewEnvironWatcher(
&fakeEnvironAccessor{},
resources,
getCanWatch,
nil,
)
result, err := e.WatchForEnvironConfigChanges()
c.Assert(err, gc.ErrorMatches, "permission denied")
c.Assert(result, gc.DeepEquals, params.NotifyWatchResult{})
c.Assert(resources.Count(), gc.Equals, 0)
}
func (*environWatcherSuite) TestWatchSuccess(c *gc.C) {
getCanWatch := func() (common.AuthFunc, error) {
return func(tag string) bool {
return true
}, nil
}
resources := common.NewResources()
e := common.NewEnvironWatcher(
&fakeEnvironAccessor{},
resources,
getCanWatch,
nil,
)
result, err := e.WatchForEnvironConfigChanges()
c.Assert(err, gc.IsNil)
c.Assert(result, gc.DeepEquals, params.NotifyWatchResult{"1", nil})
c.Assert(resources.Count(), gc.Equals, 1)
}
func (*environWatcherSuite) TestEnvironConfigSuccess(c *gc.C) {
getCanReadSecrets := func() (common.AuthFunc, error) {
return func(tag string) bool {
return true
}, nil
}
testingEnvConfig := testingEnvConfig(c)
e := common.NewEnvironWatcher(
&fakeEnvironAccessor{envConfig: testingEnvConfig},
nil,
nil,
getCanReadSecrets,
)
result, err := e.EnvironConfig()
c.Assert(err, gc.IsNil)
// Make sure we can read the secret attribute (i.e. it's not masked).
c.Check(result.Config["secret"], gc.Equals, "pork")
c.Check(map[string]interface{}(result.Config), jc.DeepEquals, testingEnvConfig.AllAttrs())
}
func (*environWatcherSuite) TestEnvironConfigReadSecretsFalse(c *gc.C) {
getCanReadSecrets := func() (common.AuthFunc, error) {
return func(tag string) bool {
return false
}, nil
}
testingEnvConfig := testingEnvConfig(c)
e := common.NewEnvironWatcher(
&fakeEnvironAccessor{envConfig: testingEnvConfig},
nil,
nil,
getCanReadSecrets,
)
result, err := e.EnvironConfig()
c.Assert(err, gc.IsNil)
// Make sure the secret attribute is masked.
c.Check(result.Config["secret"], gc.Equals, "not available")
// And only that is masked.
result.Config["secret"] = "pork"
c.Check(map[string]interface{}(result.Config), jc.DeepEquals, testingEnvConfig.AllAttrs())
}
// NewUniterAPI creates a new instance of the Uniter API.
func NewUniterAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*UniterAPI, error) {
if !authorizer.AuthUnitAgent() {
return nil, common.ErrPerm
}
accessUnit := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
accessService := func() (common.AuthFunc, error) {
unit, ok := authorizer.GetAuthEntity().(*state.Unit)
if !ok {
panic("authenticated entity is not a unit")
}
return func(tag string) bool {
return tag == names.NewServiceTag(unit.ServiceName()).String()
}, nil
}
accessUnitOrService := common.AuthEither(accessUnit, accessService)
// Uniter can always watch for environ changes.
getCanWatch := common.AuthAlways(true)
// Uniter can not get the secrets.
getCanReadSecrets := common.AuthAlways(false)
return &UniterAPI{
LifeGetter: common.NewLifeGetter(st, accessUnitOrService),
StatusSetter: common.NewStatusSetter(st, accessUnit),
DeadEnsurer: common.NewDeadEnsurer(st, accessUnit),
AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, accessUnitOrService),
APIAddresser: common.NewAPIAddresser(st, resources),
EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets),
st: st,
auth: authorizer,
resources: resources,
accessUnit: accessUnit,
accessService: accessService,
}, nil
}
// NewFirewallerAPI creates a new server-side FirewallerAPI facade.
func NewFirewallerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*FirewallerAPI, error) {
if !authorizer.AuthEnvironManager() {
// Firewaller must run as environment manager.
return nil, common.ErrPerm
}
// Set up the various authorization checkers.
accessUnit := getAuthFuncForTagKind(names.UnitTagKind)
accessService := getAuthFuncForTagKind(names.ServiceTagKind)
accessMachine := getAuthFuncForTagKind(names.MachineTagKind)
accessEnviron := getAuthFuncForTagKind("")
accessUnitOrService := common.AuthEither(accessUnit, accessService)
accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine)
// Life() is supported for units, services or machines.
lifeGetter := common.NewLifeGetter(
st,
accessUnitServiceOrMachine,
)
// EnvironConfig() and WatchForEnvironConfigChanges() are allowed
// with unrestriced access.
environWatcher := common.NewEnvironWatcher(
st,
resources,
accessEnviron,
accessEnviron,
)
// Watch() is supported for units or services.
entityWatcher := common.NewAgentEntityWatcher(
st,
resources,
accessUnitOrService,
)
// WatchUnits() is supported for machines.
unitsWatcher := common.NewUnitsWatcher(st,
resources,
accessMachine,
)
// WatchEnvironMachines() is allowed with unrestricted access.
machinesWatcher := common.NewEnvironMachinesWatcher(
st,
resources,
accessEnviron,
)
// InstanceId() is supported for machines.
instanceIdGetter := common.NewInstanceIdGetter(
st,
accessMachine,
)
return &FirewallerAPI{
LifeGetter: lifeGetter,
EnvironWatcher: environWatcher,
AgentEntityWatcher: entityWatcher,
UnitsWatcher: unitsWatcher,
EnvironMachinesWatcher: machinesWatcher,
InstanceIdGetter: instanceIdGetter,
st: st,
resources: resources,
authorizer: authorizer,
accessUnit: accessUnit,
accessService: accessService,
}, nil
}