func assertVolumeNoMachine(c *gc.C, id string) {
_, ok := names.VolumeMachine(names.NewVolumeTag(id))
c.Assert(ok, gc.Equals, false)
}
// NewStorageProvisionerAPI creates a new server-side StorageProvisionerAPI facade.
func NewStorageProvisionerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*StorageProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() {
return nil, common.ErrPerm
}
canAccessStorageMachine := func(tag names.MachineTag, allowEnvironManager bool) bool {
authEntityTag := authorizer.GetAuthTag()
if tag == authEntityTag {
// Machine agents can access volumes
// scoped to their own machine.
return true
}
parentId := state.ParentId(tag.Id())
if parentId == "" {
return allowEnvironManager && authorizer.AuthEnvironManager()
}
// All containers with the authenticated
// machine as a parent are accessible by it.
return names.NewMachineTag(parentId) == authEntityTag
}
getScopeAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
switch tag := tag.(type) {
case names.EnvironTag:
// Environment managers can access all volumes
// and filesystems scoped to the environment.
isEnvironManager := authorizer.AuthEnvironManager()
return isEnvironManager && tag == st.EnvironTag()
case names.MachineTag:
return canAccessStorageMachine(tag, false)
default:
return false
}
}, nil
}
canAccessStorageEntity := func(tag names.Tag, allowMachines bool) bool {
switch tag := tag.(type) {
case names.VolumeTag:
machineTag, ok := names.VolumeMachine(tag)
if ok {
return canAccessStorageMachine(machineTag, false)
}
return authorizer.AuthEnvironManager()
case names.FilesystemTag:
machineTag, ok := names.FilesystemMachine(tag)
if ok {
return canAccessStorageMachine(machineTag, false)
}
return authorizer.AuthEnvironManager()
case names.MachineTag:
return allowMachines && canAccessStorageMachine(tag, true)
default:
return false
}
}
getStorageEntityAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
return canAccessStorageEntity(tag, false)
}, nil
}
getLifeAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
return canAccessStorageEntity(tag, true)
}, nil
}
getAttachmentAuthFunc := func() (func(names.MachineTag, names.Tag) bool, error) {
// getAttachmentAuthFunc returns a function that validates
// access by the authenticated user to an attachment.
return func(machineTag names.MachineTag, attachmentTag names.Tag) bool {
// Machine agents can access their own machine, and
// machines contained. Environment managers can access
// top-level machines.
if !canAccessStorageMachine(machineTag, true) {
return false
}
// Environment managers can access environment-scoped
// volumes and volumes scoped to their own machines.
// Other machine agents can access volumes regardless
// of their scope.
if !authorizer.AuthEnvironManager() {
return true
}
var machineScope names.MachineTag
var hasMachineScope bool
switch attachmentTag := attachmentTag.(type) {
case names.VolumeTag:
machineScope, hasMachineScope = names.VolumeMachine(attachmentTag)
case names.FilesystemTag:
machineScope, hasMachineScope = names.FilesystemMachine(attachmentTag)
}
return !hasMachineScope || machineScope == authorizer.GetAuthTag()
}, nil
}
getMachineAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
if tag, ok := tag.(names.MachineTag); ok {
return canAccessStorageMachine(tag, true)
}
return false
}, nil
}
getBlockDevicesAuthFunc := func() (common.AuthFunc, error) {
return func(tag names.Tag) bool {
if tag, ok := tag.(names.MachineTag); ok {
return canAccessStorageMachine(tag, false)
}
return false
}, nil
}
stateInterface := getState(st)
settings := getSettingsManager(st)
return &StorageProvisionerAPI{
LifeGetter: common.NewLifeGetter(stateInterface, getLifeAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(stateInterface, getStorageEntityAuthFunc),
EnvironWatcher: common.NewEnvironWatcher(stateInterface, resources, authorizer),
InstanceIdGetter: common.NewInstanceIdGetter(st, getMachineAuthFunc),
StatusSetter: common.NewStatusSetter(st, getStorageEntityAuthFunc),
st: stateInterface,
settings: settings,
resources: resources,
authorizer: authorizer,
getScopeAuthFunc: getScopeAuthFunc,
getStorageEntityAuthFunc: getStorageEntityAuthFunc,
getAttachmentAuthFunc: getAttachmentAuthFunc,
getMachineAuthFunc: getMachineAuthFunc,
getBlockDevicesAuthFunc: getBlockDevicesAuthFunc,
}, nil
}
func assertVolumeMachine(c *gc.C, id string, expect names.MachineTag) {
t, ok := names.VolumeMachine(names.NewVolumeTag(id))
c.Assert(ok, gc.Equals, true)
c.Assert(t, gc.Equals, expect)
}