// OpenAPI tries to open the state using the given Conf. If it
// returns a non-empty newPassword, the password used to connect
// to the state should be changed accordingly - the caller should write the
// configuration with StateInfo.Password set to newPassword, then
// set the entity's password accordingly.
func (c *Conf) OpenAPI(dialOpts api.DialOpts) (st *api.State, newPassword string, err error) {
info := *c.APIInfo
info.Nonce = c.MachineNonce
if info.Password != "" {
st, err := api.Open(&info, dialOpts)
if err == nil {
return st, "", nil
}
if params.ErrCode(err) != params.CodeUnauthorized {
return nil, "", err
}
// Access isn't authorized even though we have a password
// This can happen if we crash after saving the
// password but before changing it, so we'll try again
// with the old password.
}
info.Password = c.OldPassword
st, err = api.Open(&info, dialOpts)
if err != nil {
return nil, "", err
}
// We've succeeded in connecting with the old password, so
// we can now change it to something more private.
password, err := utils.RandomPassword()
if err != nil {
st.Close()
return nil, "", err
}
return st, password, nil
}
func (utilsSuite) TestRandomPassword(c *C) {
p, err := utils.RandomPassword()
c.Assert(err, IsNil)
if len(p) < 18 {
c.Errorf("password too short: %q", p)
}
// check we're not adding base64 padding.
c.Assert(p[len(p)-1], Not(Equals), '=')
}
func (p *Provisioner) setupAuthentication(m *state.Machine) (*state.Info, *api.Info, error) {
password, err := utils.RandomPassword()
if err != nil {
return nil, nil, fmt.Errorf("cannot make password for machine %v: %v", m, err)
}
if err := m.SetMongoPassword(password); err != nil {
return nil, nil, fmt.Errorf("cannot set password for machine %v: %v", m, err)
}
stateInfo := *p.stateInfo
stateInfo.Tag = m.Tag()
stateInfo.Password = password
apiInfo := *p.apiInfo
apiInfo.Tag = m.Tag()
apiInfo.Password = password
return &stateInfo, &apiInfo, nil
}
func (s *openSuite) TestOpenAPINoPassword(c *C) {
conf := agent.Conf{
APIInfo: s.APIInfo(c),
}
conf.OldPassword = conf.APIInfo.Password
conf.APIInfo.Password = ""
st, newPassword, err := conf.OpenAPI(api.DialOpts{})
c.Assert(err, IsNil)
defer st.Close()
c.Assert(newPassword, Matches, ".+")
c.Assert(st, NotNil)
p, err := utils.RandomPassword()
c.Assert(err, IsNil)
c.Assert(newPassword, HasLen, len(p))
c.Assert(conf.OldPassword, Equals, s.APIInfo(c).Password)
}
func (s *openSuite) TestOpenAPIFallbackPassword(c *gc.C) {
conf := agent.Conf{
APIInfo: s.APIInfo(c),
}
conf.OldPassword = conf.APIInfo.Password
conf.APIInfo.Password = "******"
st, newPassword, err := conf.OpenAPI(api.DialOpts{})
c.Assert(err, gc.IsNil)
defer st.Close()
c.Assert(newPassword, gc.Matches, ".+")
c.Assert(st, gc.NotNil)
p, err := utils.RandomPassword()
c.Assert(err, gc.IsNil)
c.Assert(newPassword, gc.HasLen, len(p))
c.Assert(conf.OldPassword, gc.Equals, s.APIInfo(c).Password)
}
// ConfigureBootstrapMachine adds the initial machine into state. As a part
// of this process the environmental constraints are saved as constraints used
// when bootstrapping are considered constraints for the entire environment.
func ConfigureBootstrapMachine(
st *state.State,
cons constraints.Value,
datadir string,
jobs []state.MachineJob,
instId instance.Id,
characteristics instance.HardwareCharacteristics,
) error {
logger.Debugf("setting environment constraints")
if err := st.SetEnvironConstraints(cons); err != nil {
return err
}
logger.Debugf("create bootstrap machine in state")
m, err := st.InjectMachine(version.Current.Series, cons, instId, characteristics, jobs...)
if err != nil {
return err
}
// Read the machine agent's password and change it to
// a new password (other agents will change their password
// via the API connection).
logger.Debugf("create new random password for machine %v", m.Id())
mconf, err := agent.ReadConf(datadir, m.Tag())
if err != nil {
return err
}
newPassword, err := utils.RandomPassword()
if err != nil {
return err
}
mconf.StateInfo.Password = newPassword
mconf.APIInfo.Password = newPassword
mconf.OldPassword = ""
if err := mconf.Write(); err != nil {
return err
}
if err := m.SetMongoPassword(newPassword); err != nil {
return err
}
if err := m.SetPassword(newPassword); err != nil {
return err
}
return nil
}
func (auth *simpleAuth) SetupAuthentication(machine *state.Machine) (*state.Info, *api.Info, error) {
password, err := utils.RandomPassword()
if err != nil {
return nil, nil, fmt.Errorf("cannot make password for machine %v: %v", machine, err)
}
if err := machine.SetPassword(password); err != nil {
return nil, nil, fmt.Errorf("cannot set API password for machine %v: %v", machine, err)
}
if err := machine.SetMongoPassword(password); err != nil {
return nil, nil, fmt.Errorf("cannot set mongo password for machine %v: %v", machine, err)
}
stateInfo := *auth.stateInfo
stateInfo.Tag = machine.Tag()
stateInfo.Password = password
apiInfo := *auth.apiInfo
apiInfo.Tag = machine.Tag()
apiInfo.Password = password
return &stateInfo, &apiInfo, nil
}
// deploy will deploy the supplied unit with the deployer's manager. It will
// panic if it observes inconsistent internal state.
func (d *Deployer) deploy(unit *apideployer.Unit) error {
unitName := unit.Name()
if d.deployed.Contains(unit.Name()) {
panic("must not re-deploy a deployed unit")
}
logger.Infof("deploying unit %q", unitName)
initialPassword, err := utils.RandomPassword()
if err != nil {
return err
}
if err := unit.SetPassword(initialPassword); err != nil {
return fmt.Errorf("cannot set password for unit %q: %v", unitName, err)
}
if err := d.ctx.DeployUnit(unitName, initialPassword); err != nil {
return err
}
d.deployed.Add(unitName)
return nil
}