// NewProvisionerAPI creates a new server-side ProvisionerAPI facade. func NewProvisionerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*ProvisionerAPI, error) { if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() { return nil, common.ErrPerm } getAuthFunc := func() (common.AuthFunc, error) { isEnvironManager := authorizer.AuthEnvironManager() isMachineAgent := authorizer.AuthMachineAgent() authEntityTag := authorizer.GetAuthTag() return func(tag string) bool { if isMachineAgent && tag == authEntityTag { // A machine agent can always access its own machine. return true } _, id, err := names.ParseTag(tag, names.MachineTagKind) if err != nil { return false } parentId := state.ParentId(id) if parentId == "" { // All top-level machines are accessible by the // environment manager. return isEnvironManager } // All containers with the authenticated machine as a // parent are accessible by it. return isMachineAgent && names.MachineTag(parentId) == authEntityTag }, nil } // Both provisioner types can watch the environment. getCanWatch := common.AuthAlways(true) // Only the environment provisioner can read secrets. getCanReadSecrets := common.AuthAlways(authorizer.AuthEnvironManager()) return &ProvisionerAPI{ Remover: common.NewRemover(st, false, getAuthFunc), StatusSetter: common.NewStatusSetter(st, getAuthFunc), DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc), PasswordChanger: common.NewPasswordChanger(st, getAuthFunc), LifeGetter: common.NewLifeGetter(st, getAuthFunc), StateAddresser: common.NewStateAddresser(st), APIAddresser: common.NewAPIAddresser(st, resources), ToolsGetter: common.NewToolsGetter(st, getAuthFunc), EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets), EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, getCanReadSecrets), InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc), st: st, resources: resources, authorizer: authorizer, getAuthFunc: getAuthFunc, getCanWatchMachines: getCanReadSecrets, }, nil }
// NewLoggerAPI creates a new server-side logger API end point. func NewLoggerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*LoggerAPI, error) { if !authorizer.AuthMachineAgent() && !authorizer.AuthUnitAgent() { return nil, common.ErrPerm } return &LoggerAPI{state: st, resources: resources, authorizer: authorizer}, nil }
// NewCharmRevisionUpdaterAPI creates a new server-side charmrevisionupdater API end point. func NewCharmRevisionUpdaterAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*CharmRevisionUpdaterAPI, error) { if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() { return nil, common.ErrPerm } return &CharmRevisionUpdaterAPI{ state: st, resources: resources, authorizer: authorizer}, nil }
// NewAPI returns an object implementing an agent API // with the given authorizer representing the currently logged in client. func NewAPI(st *state.State, auth common.Authorizer) (*API, error) { // Agents are defined to be any user that's not a client user. if !auth.AuthMachineAgent() && !auth.AuthUnitAgent() { return nil, common.ErrPerm } getCanChange := func() (common.AuthFunc, error) { return auth.AuthOwner, nil } return &API{ PasswordChanger: common.NewPasswordChanger(st, getCanChange), st: st, auth: auth, }, nil }
// NewKeyUpdaterAPI creates a new server-side keyupdater API end point. func NewKeyUpdaterAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*KeyUpdaterAPI, error) { // Only machine agents have access to the keyupdater service. if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } // No-one else except the machine itself can only read a machine's own credentials. getCanRead := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &KeyUpdaterAPI{state: st, resources: resources, authorizer: authorizer, getCanRead: getCanRead}, nil }
// NewUpgraderAPI creates a new client-side UpgraderAPI facade. func NewUpgraderAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*UpgraderAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getCanReadWrite := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &UpgraderAPI{ ToolsGetter: common.NewToolsGetter(st, getCanReadWrite), ToolsSetter: common.NewToolsSetter(st, getCanReadWrite), st: st, resources: resources, authorizer: authorizer, }, nil }
// NewMachinerAPI creates a new instance of the Machiner API. func NewMachinerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*MachinerAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getCanModify := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } getCanRead := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &MachinerAPI{ LifeGetter: common.NewLifeGetter(st, getCanRead), StatusSetter: common.NewStatusSetter(st, getCanModify), DeadEnsurer: common.NewDeadEnsurer(st, getCanModify), AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, getCanRead), APIAddresser: common.NewAPIAddresser(st, resources), st: st, auth: authorizer, getCanModify: getCanModify, }, nil }
// NewDeployerAPI creates a new server-side DeployerAPI facade. func NewDeployerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*DeployerAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getAuthFunc := func() (common.AuthFunc, error) { // Get all units of the machine and cache them. thisMachineTag := authorizer.GetAuthTag() units, err := getAllUnits(st, thisMachineTag) if err != nil { return nil, err } // Then we just check if the unit is already known. return func(tag string) bool { for _, unit := range units { if names.UnitTag(unit) == tag { return true } } return false }, nil } getCanWatch := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &DeployerAPI{ Remover: common.NewRemover(st, true, getAuthFunc), PasswordChanger: common.NewPasswordChanger(st, getAuthFunc), LifeGetter: common.NewLifeGetter(st, getAuthFunc), StateAddresser: common.NewStateAddresser(st), APIAddresser: common.NewAPIAddresser(st, resources), UnitsWatcher: common.NewUnitsWatcher(st, resources, getCanWatch), st: st, resources: resources, authorizer: authorizer, }, nil }