// NewEnvironmentAPI creates a new instance of the Environment API. func NewEnvironmentAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*EnvironmentAPI, error) { // Can always watch for environ changes. getCanWatch := common.AuthAlways(true) // Does not get the secrets. getCanReadSecrets := common.AuthAlways(false) return &EnvironmentAPI{ EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets), }, nil }
// NewProvisionerAPI creates a new server-side ProvisionerAPI facade. func NewProvisionerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*ProvisionerAPI, error) { if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() { return nil, common.ErrPerm } getAuthFunc := func() (common.AuthFunc, error) { isEnvironManager := authorizer.AuthEnvironManager() isMachineAgent := authorizer.AuthMachineAgent() authEntityTag := authorizer.GetAuthTag() return func(tag string) bool { if isMachineAgent && tag == authEntityTag { // A machine agent can always access its own machine. return true } _, id, err := names.ParseTag(tag, names.MachineTagKind) if err != nil { return false } parentId := state.ParentId(id) if parentId == "" { // All top-level machines are accessible by the // environment manager. return isEnvironManager } // All containers with the authenticated machine as a // parent are accessible by it. return isMachineAgent && names.MachineTag(parentId) == authEntityTag }, nil } // Both provisioner types can watch the environment. getCanWatch := common.AuthAlways(true) // Only the environment provisioner can read secrets. getCanReadSecrets := common.AuthAlways(authorizer.AuthEnvironManager()) return &ProvisionerAPI{ Remover: common.NewRemover(st, false, getAuthFunc), StatusSetter: common.NewStatusSetter(st, getAuthFunc), DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc), PasswordChanger: common.NewPasswordChanger(st, getAuthFunc), LifeGetter: common.NewLifeGetter(st, getAuthFunc), StateAddresser: common.NewStateAddresser(st), APIAddresser: common.NewAPIAddresser(st, resources), ToolsGetter: common.NewToolsGetter(st, getAuthFunc), EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets), EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, getCanReadSecrets), InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc), st: st, resources: resources, authorizer: authorizer, getAuthFunc: getAuthFunc, getCanWatchMachines: getCanReadSecrets, }, nil }
// NewRsyslogAPI creates a new instance of the Rsyslog API. func NewRsyslogAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*RsyslogAPI, error) { // Can always watch for environ changes. getCanWatch := common.AuthAlways(true) // Does not get the secrets. getCanReadSecrets := common.AuthAlways(false) return &RsyslogAPI{ EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets), st: st, canModify: authorizer.AuthEnvironManager(), }, nil }
func (*environWatcherSuite) TestEnvironConfigGetAuthError(c *gc.C) { getCanReadSecrets := func() (common.AuthFunc, error) { return nil, fmt.Errorf("pow") } e := common.NewEnvironWatcher( &fakeEnvironAccessor{envConfig: testingEnvConfig(c)}, nil, nil, getCanReadSecrets, ) _, err := e.EnvironConfig() c.Assert(err, gc.ErrorMatches, "pow") }
func (*environWatcherSuite) TestWatchGetAuthError(c *gc.C) { getCanWatch := func() (common.AuthFunc, error) { return nil, fmt.Errorf("pow") } resources := common.NewResources() e := common.NewEnvironWatcher( &fakeEnvironAccessor{}, resources, getCanWatch, nil, ) _, err := e.WatchForEnvironConfigChanges() c.Assert(err, gc.ErrorMatches, "pow") c.Assert(resources.Count(), gc.Equals, 0) }
func (*environWatcherSuite) TestEnvironConfigFetchError(c *gc.C) { getCanReadSecrets := func() (common.AuthFunc, error) { return func(tag string) bool { return true }, nil } e := common.NewEnvironWatcher( &fakeEnvironAccessor{ envConfigError: fmt.Errorf("pow"), }, nil, nil, getCanReadSecrets, ) _, err := e.EnvironConfig() c.Assert(err, gc.ErrorMatches, "pow") }
func (*environWatcherSuite) TestWatchAuthError(c *gc.C) { getCanWatch := func() (common.AuthFunc, error) { return func(tag string) bool { return false }, nil } resources := common.NewResources() e := common.NewEnvironWatcher( &fakeEnvironAccessor{}, resources, getCanWatch, nil, ) result, err := e.WatchForEnvironConfigChanges() c.Assert(err, gc.ErrorMatches, "permission denied") c.Assert(result, gc.DeepEquals, params.NotifyWatchResult{}) c.Assert(resources.Count(), gc.Equals, 0) }
func (*environWatcherSuite) TestWatchSuccess(c *gc.C) { getCanWatch := func() (common.AuthFunc, error) { return func(tag string) bool { return true }, nil } resources := common.NewResources() e := common.NewEnvironWatcher( &fakeEnvironAccessor{}, resources, getCanWatch, nil, ) result, err := e.WatchForEnvironConfigChanges() c.Assert(err, gc.IsNil) c.Assert(result, gc.DeepEquals, params.NotifyWatchResult{"1", nil}) c.Assert(resources.Count(), gc.Equals, 1) }
func (*environWatcherSuite) TestEnvironConfigSuccess(c *gc.C) { getCanReadSecrets := func() (common.AuthFunc, error) { return func(tag string) bool { return true }, nil } testingEnvConfig := testingEnvConfig(c) e := common.NewEnvironWatcher( &fakeEnvironAccessor{envConfig: testingEnvConfig}, nil, nil, getCanReadSecrets, ) result, err := e.EnvironConfig() c.Assert(err, gc.IsNil) // Make sure we can read the secret attribute (i.e. it's not masked). c.Check(result.Config["secret"], gc.Equals, "pork") c.Check(map[string]interface{}(result.Config), jc.DeepEquals, testingEnvConfig.AllAttrs()) }
func (*environWatcherSuite) TestEnvironConfigReadSecretsFalse(c *gc.C) { getCanReadSecrets := func() (common.AuthFunc, error) { return func(tag string) bool { return false }, nil } testingEnvConfig := testingEnvConfig(c) e := common.NewEnvironWatcher( &fakeEnvironAccessor{envConfig: testingEnvConfig}, nil, nil, getCanReadSecrets, ) result, err := e.EnvironConfig() c.Assert(err, gc.IsNil) // Make sure the secret attribute is masked. c.Check(result.Config["secret"], gc.Equals, "not available") // And only that is masked. result.Config["secret"] = "pork" c.Check(map[string]interface{}(result.Config), jc.DeepEquals, testingEnvConfig.AllAttrs()) }
// NewUniterAPI creates a new instance of the Uniter API. func NewUniterAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*UniterAPI, error) { if !authorizer.AuthUnitAgent() { return nil, common.ErrPerm } accessUnit := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } accessService := func() (common.AuthFunc, error) { unit, ok := authorizer.GetAuthEntity().(*state.Unit) if !ok { panic("authenticated entity is not a unit") } return func(tag string) bool { return tag == names.ServiceTag(unit.ServiceName()) }, nil } accessUnitOrService := common.AuthEither(accessUnit, accessService) // Uniter can always watch for environ changes. getCanWatch := common.AuthAlways(true) // Uniter can not get the secrets. getCanReadSecrets := common.AuthAlways(false) return &UniterAPI{ LifeGetter: common.NewLifeGetter(st, accessUnitOrService), StatusSetter: common.NewStatusSetter(st, accessUnit), DeadEnsurer: common.NewDeadEnsurer(st, accessUnit), AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, accessUnitOrService), APIAddresser: common.NewAPIAddresser(st, resources), EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets), st: st, auth: authorizer, resources: resources, accessUnit: accessUnit, accessService: accessService, }, nil }
// NewFirewallerAPI creates a new server-side FirewallerAPI facade. func NewFirewallerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*FirewallerAPI, error) { if !authorizer.AuthEnvironManager() { // Firewaller must run as environment manager. return nil, common.ErrPerm } // Set up the various authorization checkers. accessUnit := getAuthFuncForTagKind(names.UnitTagKind) accessService := getAuthFuncForTagKind(names.ServiceTagKind) accessMachine := getAuthFuncForTagKind(names.MachineTagKind) accessEnviron := getAuthFuncForTagKind("") accessUnitOrService := common.AuthEither(accessUnit, accessService) accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine) // Life() is supported for units, services or machines. lifeGetter := common.NewLifeGetter( st, accessUnitServiceOrMachine, ) // EnvironConfig() and WatchForEnvironConfigChanges() are allowed // with unrestriced access. environWatcher := common.NewEnvironWatcher( st, resources, accessEnviron, accessEnviron, ) // Watch() is supported for units or services. entityWatcher := common.NewAgentEntityWatcher( st, resources, accessUnitOrService, ) // WatchUnits() is supported for machines. unitsWatcher := common.NewUnitsWatcher(st, resources, accessMachine, ) // WatchEnvironMachines() is allowed with unrestricted access. machinesWatcher := common.NewEnvironMachinesWatcher( st, resources, accessEnviron, ) // InstanceId() is supported for machines. instanceIdGetter := common.NewInstanceIdGetter( st, accessMachine, ) return &FirewallerAPI{ LifeGetter: lifeGetter, EnvironWatcher: environWatcher, AgentEntityWatcher: entityWatcher, UnitsWatcher: unitsWatcher, EnvironMachinesWatcher: machinesWatcher, InstanceIdGetter: instanceIdGetter, st: st, resources: resources, authorizer: authorizer, accessUnit: accessUnit, accessService: accessService, }, nil }