// CharmURL returns the charm URL for all given units or services.
func (u *UniterAPI) CharmURL(args params.Entities) (params.StringBoolResults, error) {
result := params.StringBoolResults{
Results: make([]params.StringBoolResult, len(args.Entities)),
}
accessUnitOrService := common.AuthEither(u.accessUnit, u.accessService)
canAccess, err := accessUnitOrService()
if err != nil {
return params.StringBoolResults{}, err
}
for i, entity := range args.Entities {
err := common.ErrPerm
if canAccess(entity.Tag) {
var unitOrService state.Entity
unitOrService, err = u.st.FindEntity(entity.Tag)
if err == nil {
charmURLer := unitOrService.(interface {
CharmURL() (*charm.URL, bool)
})
curl, ok := charmURLer.CharmURL()
if curl != nil {
result.Results[i].Result = curl.String()
result.Results[i].Ok = ok
}
}
}
result.Results[i].Error = common.ServerError(err)
}
return result, nil
}
func (s *commonSuite) TestAuthEither(c *gc.C) {
for i, test := range authEitherTests {
c.Logf("test %d: %s", i, test.about)
authEither := common.AuthEither(test.a, test.b)
either, err := authEither()
if test.err == "" {
c.Assert(err, gc.IsNil)
ok := either(test.tag)
c.Assert(ok, gc.Equals, test.expect)
} else {
c.Assert(err, gc.ErrorMatches, test.err)
c.Assert(either, gc.IsNil)
}
}
}
// NewUniterAPI creates a new instance of the Uniter API.
func NewUniterAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*UniterAPI, error) {
if !authorizer.AuthUnitAgent() {
return nil, common.ErrPerm
}
accessUnit := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
accessService := func() (common.AuthFunc, error) {
unit, ok := authorizer.GetAuthEntity().(*state.Unit)
if !ok {
panic("authenticated entity is not a unit")
}
return func(tag string) bool {
return tag == names.ServiceTag(unit.ServiceName())
}, nil
}
accessUnitOrService := common.AuthEither(accessUnit, accessService)
// Uniter can always watch for environ changes.
getCanWatch := common.AuthAlways(true)
// Uniter can not get the secrets.
getCanReadSecrets := common.AuthAlways(false)
return &UniterAPI{
LifeGetter: common.NewLifeGetter(st, accessUnitOrService),
StatusSetter: common.NewStatusSetter(st, accessUnit),
DeadEnsurer: common.NewDeadEnsurer(st, accessUnit),
AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, accessUnitOrService),
APIAddresser: common.NewAPIAddresser(st, resources),
EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets),
st: st,
auth: authorizer,
resources: resources,
accessUnit: accessUnit,
accessService: accessService,
}, nil
}
// NewFirewallerAPI creates a new server-side FirewallerAPI facade.
func NewFirewallerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*FirewallerAPI, error) {
if !authorizer.AuthEnvironManager() {
// Firewaller must run as environment manager.
return nil, common.ErrPerm
}
// Set up the various authorization checkers.
accessUnit := getAuthFuncForTagKind(names.UnitTagKind)
accessService := getAuthFuncForTagKind(names.ServiceTagKind)
accessMachine := getAuthFuncForTagKind(names.MachineTagKind)
accessEnviron := getAuthFuncForTagKind("")
accessUnitOrService := common.AuthEither(accessUnit, accessService)
accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine)
// Life() is supported for units, services or machines.
lifeGetter := common.NewLifeGetter(
st,
accessUnitServiceOrMachine,
)
// EnvironConfig() and WatchForEnvironConfigChanges() are allowed
// with unrestriced access.
environWatcher := common.NewEnvironWatcher(
st,
resources,
accessEnviron,
accessEnviron,
)
// Watch() is supported for units or services.
entityWatcher := common.NewAgentEntityWatcher(
st,
resources,
accessUnitOrService,
)
// WatchUnits() is supported for machines.
unitsWatcher := common.NewUnitsWatcher(st,
resources,
accessMachine,
)
// WatchEnvironMachines() is allowed with unrestricted access.
machinesWatcher := common.NewEnvironMachinesWatcher(
st,
resources,
accessEnviron,
)
// InstanceId() is supported for machines.
instanceIdGetter := common.NewInstanceIdGetter(
st,
accessMachine,
)
return &FirewallerAPI{
LifeGetter: lifeGetter,
EnvironWatcher: environWatcher,
AgentEntityWatcher: entityWatcher,
UnitsWatcher: unitsWatcher,
EnvironMachinesWatcher: machinesWatcher,
InstanceIdGetter: instanceIdGetter,
st: st,
resources: resources,
authorizer: authorizer,
accessUnit: accessUnit,
accessService: accessService,
}, nil
}
