// CharmURL returns the charm URL for all given units or services. func (u *UniterAPI) CharmURL(args params.Entities) (params.StringBoolResults, error) { result := params.StringBoolResults{ Results: make([]params.StringBoolResult, len(args.Entities)), } accessUnitOrService := common.AuthEither(u.accessUnit, u.accessService) canAccess, err := accessUnitOrService() if err != nil { return params.StringBoolResults{}, err } for i, entity := range args.Entities { err := common.ErrPerm if canAccess(entity.Tag) { var unitOrService state.Entity unitOrService, err = u.st.FindEntity(entity.Tag) if err == nil { charmURLer := unitOrService.(interface { CharmURL() (*charm.URL, bool) }) curl, ok := charmURLer.CharmURL() if curl != nil { result.Results[i].Result = curl.String() result.Results[i].Ok = ok } } } result.Results[i].Error = common.ServerError(err) } return result, nil }
func (s *commonSuite) TestAuthEither(c *gc.C) { for i, test := range authEitherTests { c.Logf("test %d: %s", i, test.about) authEither := common.AuthEither(test.a, test.b) either, err := authEither() if test.err == "" { c.Assert(err, gc.IsNil) ok := either(test.tag) c.Assert(ok, gc.Equals, test.expect) } else { c.Assert(err, gc.ErrorMatches, test.err) c.Assert(either, gc.IsNil) } } }
// NewUniterAPI creates a new instance of the Uniter API. func NewUniterAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*UniterAPI, error) { if !authorizer.AuthUnitAgent() { return nil, common.ErrPerm } accessUnit := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } accessService := func() (common.AuthFunc, error) { unit, ok := authorizer.GetAuthEntity().(*state.Unit) if !ok { panic("authenticated entity is not a unit") } return func(tag string) bool { return tag == names.ServiceTag(unit.ServiceName()) }, nil } accessUnitOrService := common.AuthEither(accessUnit, accessService) // Uniter can always watch for environ changes. getCanWatch := common.AuthAlways(true) // Uniter can not get the secrets. getCanReadSecrets := common.AuthAlways(false) return &UniterAPI{ LifeGetter: common.NewLifeGetter(st, accessUnitOrService), StatusSetter: common.NewStatusSetter(st, accessUnit), DeadEnsurer: common.NewDeadEnsurer(st, accessUnit), AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, accessUnitOrService), APIAddresser: common.NewAPIAddresser(st, resources), EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets), st: st, auth: authorizer, resources: resources, accessUnit: accessUnit, accessService: accessService, }, nil }
// NewFirewallerAPI creates a new server-side FirewallerAPI facade. func NewFirewallerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*FirewallerAPI, error) { if !authorizer.AuthEnvironManager() { // Firewaller must run as environment manager. return nil, common.ErrPerm } // Set up the various authorization checkers. accessUnit := getAuthFuncForTagKind(names.UnitTagKind) accessService := getAuthFuncForTagKind(names.ServiceTagKind) accessMachine := getAuthFuncForTagKind(names.MachineTagKind) accessEnviron := getAuthFuncForTagKind("") accessUnitOrService := common.AuthEither(accessUnit, accessService) accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine) // Life() is supported for units, services or machines. lifeGetter := common.NewLifeGetter( st, accessUnitServiceOrMachine, ) // EnvironConfig() and WatchForEnvironConfigChanges() are allowed // with unrestriced access. environWatcher := common.NewEnvironWatcher( st, resources, accessEnviron, accessEnviron, ) // Watch() is supported for units or services. entityWatcher := common.NewAgentEntityWatcher( st, resources, accessUnitOrService, ) // WatchUnits() is supported for machines. unitsWatcher := common.NewUnitsWatcher(st, resources, accessMachine, ) // WatchEnvironMachines() is allowed with unrestricted access. machinesWatcher := common.NewEnvironMachinesWatcher( st, resources, accessEnviron, ) // InstanceId() is supported for machines. instanceIdGetter := common.NewInstanceIdGetter( st, accessMachine, ) return &FirewallerAPI{ LifeGetter: lifeGetter, EnvironWatcher: environWatcher, AgentEntityWatcher: entityWatcher, UnitsWatcher: unitsWatcher, EnvironMachinesWatcher: machinesWatcher, InstanceIdGetter: instanceIdGetter, st: st, resources: resources, authorizer: authorizer, accessUnit: accessUnit, accessService: accessService, }, nil }