// NewClient creates a new instance of the Client Facade.
func NewClient(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*Client, error) {
if !authorizer.AuthClient() {
return nil, common.ErrPerm
}
return &Client{api: &API{
state: st,
auth: authorizer,
resources: resources,
statusSetter: common.NewStatusSetter(st, common.AuthAlways(true)),
}}, nil
}
func newClientAllWatcher(st *state.State, resources *common.Resources, auth common.Authorizer, id string) (interface{}, error) {
if !auth.AuthClient() {
return nil, common.ErrPerm
}
watcher, ok := resources.Get(id).(*multiwatcher.Watcher)
if !ok {
return nil, common.ErrUnknownWatcher
}
return &srvClientAllWatcher{
watcher: watcher,
id: id,
resources: resources,
}, nil
}
func NewUserManagerAPI(
st *state.State,
authorizer common.Authorizer,
) (*UserManagerAPI, error) {
if !authorizer.AuthClient() {
return nil, common.ErrPerm
}
// TODO(mattyw) - replace stub with real canWrite function
getCanWrite := common.AuthAlways(true)
// TODO(waigani) - replace stub with real canRead function
getCanRead := common.AuthAlways(true)
return &UserManagerAPI{
state: st,
authorizer: authorizer,
getCanWrite: getCanWrite,
getCanRead: getCanRead},
nil
}
// NewKeyManagerAPI creates a new server-side keyupdater API end point.
func NewKeyManagerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*KeyManagerAPI, error) {
// Only clients and environment managers can access the key manager service.
if !authorizer.AuthClient() && !authorizer.AuthEnvironManager() {
return nil, common.ErrPerm
}
// TODO(wallyworld) - replace stub with real canRead function
// For now, only admins can read authorised ssh keys.
getCanRead := func() (common.AuthFunc, error) {
return func(_ string) bool {
return authorizer.GetAuthTag() == adminUser
}, nil
}
// TODO(wallyworld) - replace stub with real canWrite function
// For now, only admins can write authorised ssh keys for users.
// Machine agents can write the juju-system-key.
getCanWrite := func() (common.AuthFunc, error) {
return func(tag string) bool {
// Are we a machine agent writing the Juju system key.
if tag == config.JujuSystemKey {
// TODO(dfc) this can never be false
_, err := names.ParseMachineTag(authorizer.GetAuthTag().String())
return err == nil
}
// Are we writing the auth key for a user.
if _, err := st.User(tag); err != nil {
return false
}
return authorizer.GetAuthTag() == adminUser
}, nil
}
return &KeyManagerAPI{
state: st, resources: resources, authorizer: authorizer, getCanRead: getCanRead, getCanWrite: getCanWrite}, nil
}