func (*deadEnsurerSuite) TestEnsureDeadError(c *gc.C) {
getCanModify := func() (common.AuthFunc, error) {
return nil, fmt.Errorf("pow")
}
d := common.NewDeadEnsurer(&fakeState{}, getCanModify)
_, err := d.EnsureDead(params.Entities{[]params.Entity{{"x0"}}})
c.Assert(err, gc.ErrorMatches, "pow")
}
func (*removeSuite) TestEnsureDeadNoArgsNoError(c *gc.C) {
getCanModify := func() (common.AuthFunc, error) {
return nil, fmt.Errorf("pow")
}
d := common.NewDeadEnsurer(&fakeState{}, getCanModify)
result, err := d.EnsureDead(params.Entities{})
c.Assert(err, gc.IsNil)
c.Assert(result.Results, gc.HasLen, 0)
}
// NewProvisionerAPI creates a new server-side ProvisionerAPI facade.
func NewProvisionerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*ProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
isEnvironManager := authorizer.AuthEnvironManager()
isMachineAgent := authorizer.AuthMachineAgent()
authEntityTag := authorizer.GetAuthTag()
return func(tag string) bool {
if isMachineAgent && tag == authEntityTag {
// A machine agent can always access its own machine.
return true
}
_, id, err := names.ParseTag(tag, names.MachineTagKind)
if err != nil {
return false
}
parentId := state.ParentId(id)
if parentId == "" {
// All top-level machines are accessible by the
// environment manager.
return isEnvironManager
}
// All containers with the authenticated machine as a
// parent are accessible by it.
return isMachineAgent && names.MachineTag(parentId) == authEntityTag
}, nil
}
// Both provisioner types can watch the environment.
getCanWatch := common.AuthAlways(true)
// Only the environment provisioner can read secrets.
getCanReadSecrets := common.AuthAlways(authorizer.AuthEnvironManager())
return &ProvisionerAPI{
Remover: common.NewRemover(st, false, getAuthFunc),
StatusSetter: common.NewStatusSetter(st, getAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
ToolsGetter: common.NewToolsGetter(st, getAuthFunc),
EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets),
EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, getCanReadSecrets),
InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc),
st: st,
resources: resources,
authorizer: authorizer,
getAuthFunc: getAuthFunc,
getCanWatchMachines: getCanReadSecrets,
}, nil
}
// NewMachinerAPI creates a new instance of the Machiner API.
func NewMachinerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*MachinerAPI, error) {
if !authorizer.AuthMachineAgent() {
return nil, common.ErrPerm
}
getCanModify := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
getCanRead := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
return &MachinerAPI{
LifeGetter: common.NewLifeGetter(st, getCanRead),
StatusSetter: common.NewStatusSetter(st, getCanModify),
DeadEnsurer: common.NewDeadEnsurer(st, getCanModify),
AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, getCanRead),
APIAddresser: common.NewAPIAddresser(st, resources),
st: st,
auth: authorizer,
getCanModify: getCanModify,
}, nil
}
// NewUniterAPI creates a new instance of the Uniter API.
func NewUniterAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*UniterAPI, error) {
if !authorizer.AuthUnitAgent() {
return nil, common.ErrPerm
}
accessUnit := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
accessService := func() (common.AuthFunc, error) {
unit, ok := authorizer.GetAuthEntity().(*state.Unit)
if !ok {
panic("authenticated entity is not a unit")
}
return func(tag string) bool {
return tag == names.ServiceTag(unit.ServiceName())
}, nil
}
accessUnitOrService := common.AuthEither(accessUnit, accessService)
// Uniter can always watch for environ changes.
getCanWatch := common.AuthAlways(true)
// Uniter can not get the secrets.
getCanReadSecrets := common.AuthAlways(false)
return &UniterAPI{
LifeGetter: common.NewLifeGetter(st, accessUnitOrService),
StatusSetter: common.NewStatusSetter(st, accessUnit),
DeadEnsurer: common.NewDeadEnsurer(st, accessUnit),
AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, accessUnitOrService),
APIAddresser: common.NewAPIAddresser(st, resources),
EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets),
st: st,
auth: authorizer,
resources: resources,
accessUnit: accessUnit,
accessService: accessService,
}, nil
}
func (*deadEnsurerSuite) TestEnsureDead(c *gc.C) {
st := &fakeState{
entities: map[string]entityWithError{
"x0": &fakeDeadEnsurer{life: state.Dying, err: fmt.Errorf("x0 fails")},
"x1": &fakeDeadEnsurer{life: state.Alive},
"x2": &fakeDeadEnsurer{life: state.Dying},
"x3": &fakeDeadEnsurer{life: state.Dead},
"x4": &fakeDeadEnsurer{fetchError: "x4 error"},
},
}
getCanModify := func() (common.AuthFunc, error) {
return func(tag string) bool {
switch tag {
case "x0", "x1", "x2", "x4":
return true
}
return false
}, nil
}
d := common.NewDeadEnsurer(st, getCanModify)
entities := params.Entities{[]params.Entity{
{"x0"}, {"x1"}, {"x2"}, {"x3"}, {"x4"}, {"x5"},
}}
result, err := d.EnsureDead(entities)
c.Assert(err, gc.IsNil)
c.Assert(result, gc.DeepEquals, params.ErrorResults{
Results: []params.ErrorResult{
{¶ms.Error{Message: "x0 fails"}},
{nil},
{nil},
{apiservertesting.ErrUnauthorized},
{¶ms.Error{Message: "x4 error"}},
{apiservertesting.ErrUnauthorized},
},
})
}