func newUndertakerAPI(st State, resources *common.Resources, authorizer common.Authorizer) (*UndertakerAPI, error) { if !authorizer.AuthMachineAgent() || !authorizer.AuthModelManager() { return nil, common.ErrPerm } model, err := st.Model() if err != nil { return nil, errors.Trace(err) } getCanModifyModel := func() (common.AuthFunc, error) { return func(tag names.Tag) bool { if st.IsController() { return true } // Only the agent's model can be modified. modelTag, ok := tag.(names.ModelTag) if !ok { return false } return modelTag.Id() == model.UUID() }, nil } return &UndertakerAPI{ st: st, resources: resources, StatusSetter: common.NewStatusSetter(st, getCanModifyModel), }, nil }
// NewRebootAPI creates a new server-side RebootAPI facade. func NewRebootAPI(st *state.State, resources *common.Resources, auth common.Authorizer) (*RebootAPI, error) { if !auth.AuthMachineAgent() { return nil, common.ErrPerm } tag, ok := auth.GetAuthTag().(names.MachineTag) if !ok { return nil, errors.Errorf("Expected names.MachineTag, got %T", auth.GetAuthTag()) } machine, err := st.Machine(tag.Id()) if err != nil { return nil, errors.Trace(err) } canAccess := func() (common.AuthFunc, error) { return auth.AuthOwner, nil } return &RebootAPI{ RebootActionGetter: common.NewRebootActionGetter(st, canAccess), RebootRequester: common.NewRebootRequester(st, canAccess), RebootFlagClearer: common.NewRebootFlagClearer(st, canAccess), st: st, machine: machine, resources: resources, auth: auth, }, nil }
func newUndertakerAPI(st State, resources *common.Resources, authorizer common.Authorizer) (*UndertakerAPI, error) { if !authorizer.AuthMachineAgent() || !authorizer.AuthModelManager() { return nil, common.ErrPerm } return &UndertakerAPI{ st: st, resources: resources, }, nil }
// NewProvisionerAPI creates a new server-side ProvisionerAPI facade. func NewProvisionerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*ProvisionerAPI, error) { if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() { return nil, common.ErrPerm } getAuthFunc := func() (common.AuthFunc, error) { isEnvironManager := authorizer.AuthEnvironManager() isMachineAgent := authorizer.AuthMachineAgent() authEntityTag := authorizer.GetAuthTag() return func(tag names.Tag) bool { if isMachineAgent && tag == authEntityTag { // A machine agent can always access its own machine. return true } switch tag := tag.(type) { case names.MachineTag: parentId := state.ParentId(tag.Id()) if parentId == "" { // All top-level machines are accessible by the // environment manager. return isEnvironManager } // All containers with the authenticated machine as a // parent are accessible by it. // TODO(dfc) sometimes authEntity tag is nil, which is fine because nil is // only equal to nil, but it suggests someone is passing an authorizer // with a nil tag. return isMachineAgent && names.NewMachineTag(parentId) == authEntityTag default: return false } }, nil } env, err := st.Environment() if err != nil { return nil, err } urlGetter := common.NewToolsURLGetter(env.UUID(), st) return &ProvisionerAPI{ Remover: common.NewRemover(st, false, getAuthFunc), StatusSetter: common.NewStatusSetter(st, getAuthFunc), StatusGetter: common.NewStatusGetter(st, getAuthFunc), DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc), PasswordChanger: common.NewPasswordChanger(st, getAuthFunc), LifeGetter: common.NewLifeGetter(st, getAuthFunc), StateAddresser: common.NewStateAddresser(st), APIAddresser: common.NewAPIAddresser(st, resources), EnvironWatcher: common.NewEnvironWatcher(st, resources, authorizer), EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, authorizer), InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc), ToolsFinder: common.NewToolsFinder(st, st, urlGetter), st: st, resources: resources, authorizer: authorizer, getAuthFunc: getAuthFunc, }, nil }
// New creates a Facade backed by backend and resources. If auth // doesn't identity the client as a machine agent or a unit agent, // it will return common.ErrPerm. func New(backend Backend, resources *common.Resources, auth common.Authorizer) (*Facade, error) { if !auth.AuthMachineAgent() && !auth.AuthUnitAgent() { return nil, common.ErrPerm } return &Facade{ backend: backend, resources: resources, }, nil }
// NewLoggerAPI creates a new server-side logger API end point. func NewLoggerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*LoggerAPI, error) { if !authorizer.AuthMachineAgent() && !authorizer.AuthUnitAgent() { return nil, common.ErrPerm } return &LoggerAPI{state: st, resources: resources, authorizer: authorizer}, nil }
// NewAPIWithBacking creates a new server-side API facade with the given Backing. func NewAPIWithBacking(st Backend, resources *common.Resources, authorizer common.Authorizer) (*ProxyUpdaterAPI, error) { if !(authorizer.AuthMachineAgent() || authorizer.AuthUnitAgent()) { return &ProxyUpdaterAPI{}, common.ErrPerm } return &ProxyUpdaterAPI{ backend: st, resources: resources, authorizer: authorizer, }, nil }
// NewCharmRevisionUpdaterAPI creates a new server-side charmrevisionupdater API end point. func NewCharmRevisionUpdaterAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*CharmRevisionUpdaterAPI, error) { if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() { return nil, common.ErrPerm } return &CharmRevisionUpdaterAPI{ state: st, resources: resources, authorizer: authorizer}, nil }
// NewRsyslogAPI creates a new instance of the Rsyslog API. func NewRsyslogAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*RsyslogAPI, error) { if !authorizer.AuthMachineAgent() && !authorizer.AuthUnitAgent() { return nil, common.ErrPerm } return &RsyslogAPI{ EnvironWatcher: common.NewEnvironWatcher(st, resources, authorizer), st: st, authorizer: authorizer, resources: resources, canModify: authorizer.AuthEnvironManager(), StateAddresser: common.NewStateAddresser(st), }, nil }
// NewAPI returns an object implementing an agent API // with the given authorizer representing the currently logged in client. func NewAPI(st *state.State, resources *common.Resources, auth common.Authorizer) (*API, error) { // Agents are defined to be any user that's not a client user. if !auth.AuthMachineAgent() && !auth.AuthUnitAgent() { return nil, common.ErrPerm } getCanChange := func() (common.AuthFunc, error) { return auth.AuthOwner, nil } return &API{ PasswordChanger: common.NewPasswordChanger(st, getCanChange), st: st, auth: auth, }, nil }
// NewAPI creates a new API server endpoint for the model migration // master worker. func NewAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*API, error) { if !(authorizer.AuthMachineAgent() || authorizer.AuthUnitAgent()) { return nil, common.ErrPerm } return &API{ backend: getBackend(st), authorizer: authorizer, resources: resources, }, nil }
// NewMetricsAdderAPI creates a new API endpoint for adding metrics to state. func NewMetricsAdderAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*MetricsAdderAPI, error) { // TODO(cmars): remove unit agent auth, once worker/metrics/sender manifold // can be righteously relocated to machine agent. if !authorizer.AuthMachineAgent() && !authorizer.AuthUnitAgent() { return nil, common.ErrPerm } return &MetricsAdderAPI{ state: st, }, nil }
// NewFacade creates a new server-side machineactions API end point. func NewFacade( backend Backend, resources *common.Resources, authorizer common.Authorizer, ) (*Facade, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } return &Facade{ backend: backend, resources: resources, accessMachine: authorizer.AuthOwner, }, nil }
// NewKeyUpdaterAPI creates a new server-side keyupdater API end point. func NewKeyUpdaterAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*KeyUpdaterAPI, error) { // Only machine agents have access to the keyupdater service. if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } // No-one else except the machine itself can only read a machine's own credentials. getCanRead := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &KeyUpdaterAPI{state: st, resources: resources, authorizer: authorizer, getCanRead: getCanRead}, nil }
// NewNetworkerAPI creates a new server-side Networker API facade. func NewNetworkerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*NetworkerAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getAuthFunc := func() (common.AuthFunc, error) { authEntityTag := authorizer.GetAuthTag() return func(tag names.Tag) bool { if tag == authEntityTag { // A machine agent can always access its own machine. return true } if _, ok := tag.(names.MachineTag); !ok { // Only machine tags are allowed. return false } id := tag.Id() for parentId := state.ParentId(id); parentId != ""; parentId = state.ParentId(parentId) { // Until a top-level machine is reached. // TODO (thumper): remove the names.Tag conversion when gccgo // implements concrete-type-to-interface comparison correctly. if names.Tag(names.NewMachineTag(parentId)) == authEntityTag { // All containers with the authenticated machine as a // parent are accessible by it. return true } } // Not found authorized machine agent among ancestors of the current one. return false }, nil } return &NetworkerAPI{ st: st, resources: resources, authorizer: authorizer, getAuthFunc: getAuthFunc, }, nil }
// NewUpgraderAPI creates a new client-side UpgraderAPI facade. func NewUpgraderAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*UpgraderAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getCanReadWrite := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &UpgraderAPI{ ToolsGetter: common.NewToolsGetter(st, getCanReadWrite), ToolsSetter: common.NewToolsSetter(st, getCanReadWrite), st: st, resources: resources, authorizer: authorizer, }, nil }
// NewDeployerAPI creates a new server-side DeployerAPI facade. func NewDeployerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*DeployerAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getAuthFunc := func() (common.AuthFunc, error) { // Get all units of the machine and cache them. thisMachineTag := authorizer.GetAuthTag() units, err := getAllUnits(st, thisMachineTag) if err != nil { return nil, err } // Then we just check if the unit is already known. return func(tag names.Tag) bool { for _, unit := range units { // TODO (thumper): remove the names.Tag conversion when gccgo // implements concrete-type-to-interface comparison correctly. if names.Tag(names.NewUnitTag(unit)) == tag { return true } } return false }, nil } getCanWatch := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &DeployerAPI{ Remover: common.NewRemover(st, true, getAuthFunc), PasswordChanger: common.NewPasswordChanger(st, getAuthFunc), LifeGetter: common.NewLifeGetter(st, getAuthFunc), StateAddresser: common.NewStateAddresser(st), APIAddresser: common.NewAPIAddresser(st, resources), UnitsWatcher: common.NewUnitsWatcher(st, resources, getCanWatch), st: st, resources: resources, authorizer: authorizer, }, nil }
func newMigrationStatusWatcher( st *state.State, resources *common.Resources, auth common.Authorizer, id string, ) (interface{}, error) { if !(auth.AuthMachineAgent() || auth.AuthUnitAgent()) { return nil, common.ErrPerm } w, ok := resources.Get(id).(state.NotifyWatcher) if !ok { return nil, common.ErrUnknownWatcher } return &srvMigrationStatusWatcher{ watcher: w, id: id, resources: resources, st: getMigrationBackend(st), }, nil }
// NewMachinerAPI creates a new instance of the Machiner API. func NewMachinerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*MachinerAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getCanModify := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } getCanRead := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &MachinerAPI{ LifeGetter: common.NewLifeGetter(st, getCanRead), StatusSetter: common.NewStatusSetter(st, getCanModify), DeadEnsurer: common.NewDeadEnsurer(st, getCanModify), AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, getCanRead), APIAddresser: common.NewAPIAddresser(st, resources), st: st, auth: authorizer, getCanModify: getCanModify, }, nil }
// NewMetricsManagerAPI creates a new API endpoint for calling metrics manager functions. func NewMetricsManagerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*MetricsManagerAPI, error) { if !(authorizer.AuthMachineAgent() && authorizer.AuthEnvironManager()) { return nil, common.ErrPerm } // Allow access only to the current environment. accessEnviron := func() (common.AuthFunc, error) { return func(tag names.Tag) bool { if tag == nil { return false } return tag == st.EnvironTag() }, nil } return &MetricsManagerAPI{ state: st, accessEnviron: accessEnviron, }, nil }
// NewDiskManagerAPI creates a new server-side DiskManager API facade. func NewDiskManagerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*DiskManagerAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } authEntityTag := authorizer.GetAuthTag() getAuthFunc := func() (common.AuthFunc, error) { return func(tag names.Tag) bool { // A machine agent can always access its own machine. return tag == authEntityTag }, nil } return &DiskManagerAPI{ st: getState(st), authorizer: authorizer, getAuthFunc: getAuthFunc, }, nil }
// NewUpgraderAPI creates a new server-side UpgraderAPI facade. func NewUpgraderAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*UpgraderAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getCanReadWrite := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } env, err := st.Model() if err != nil { return nil, err } urlGetter := common.NewToolsURLGetter(env.UUID(), st) return &UpgraderAPI{ ToolsGetter: common.NewToolsGetter(st, st, st, urlGetter, getCanReadWrite), ToolsSetter: common.NewToolsSetter(st, getCanReadWrite), st: st, resources: resources, authorizer: authorizer, }, nil }
// NewStorageProvisionerAPI creates a new server-side StorageProvisionerAPI facade. func NewStorageProvisionerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*StorageProvisionerAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } canAccessStorageMachine := func(tag names.MachineTag, allowEnvironManager bool) bool { authEntityTag := authorizer.GetAuthTag() if tag == authEntityTag { // Machine agents can access volumes // scoped to their own machine. return true } parentId := state.ParentId(tag.Id()) if parentId == "" { return allowEnvironManager && authorizer.AuthEnvironManager() } // All containers with the authenticated // machine as a parent are accessible by it. return names.NewMachineTag(parentId) == authEntityTag } getScopeAuthFunc := func() (common.AuthFunc, error) { return func(tag names.Tag) bool { switch tag := tag.(type) { case names.EnvironTag: // Environment managers can access all volumes // and filesystems scoped to the environment. isEnvironManager := authorizer.AuthEnvironManager() return isEnvironManager && tag == st.EnvironTag() case names.MachineTag: return canAccessStorageMachine(tag, false) default: return false } }, nil } canAccessStorageEntity := func(tag names.Tag, allowMachines bool) bool { switch tag := tag.(type) { case names.VolumeTag: machineTag, ok := names.VolumeMachine(tag) if ok { return canAccessStorageMachine(machineTag, false) } return authorizer.AuthEnvironManager() case names.FilesystemTag: machineTag, ok := names.FilesystemMachine(tag) if ok { return canAccessStorageMachine(machineTag, false) } return authorizer.AuthEnvironManager() case names.MachineTag: return allowMachines && canAccessStorageMachine(tag, true) default: return false } } getStorageEntityAuthFunc := func() (common.AuthFunc, error) { return func(tag names.Tag) bool { return canAccessStorageEntity(tag, false) }, nil } getLifeAuthFunc := func() (common.AuthFunc, error) { return func(tag names.Tag) bool { return canAccessStorageEntity(tag, true) }, nil } getAttachmentAuthFunc := func() (func(names.MachineTag, names.Tag) bool, error) { // getAttachmentAuthFunc returns a function that validates // access by the authenticated user to an attachment. return func(machineTag names.MachineTag, attachmentTag names.Tag) bool { // Machine agents can access their own machine, and // machines contained. Environment managers can access // top-level machines. if !canAccessStorageMachine(machineTag, true) { return false } // Environment managers can access environment-scoped // volumes and volumes scoped to their own machines. // Other machine agents can access volumes regardless // of their scope. if !authorizer.AuthEnvironManager() { return true } var machineScope names.MachineTag var hasMachineScope bool switch attachmentTag := attachmentTag.(type) { case names.VolumeTag: machineScope, hasMachineScope = names.VolumeMachine(attachmentTag) case names.FilesystemTag: machineScope, hasMachineScope = names.FilesystemMachine(attachmentTag) } return !hasMachineScope || machineScope == authorizer.GetAuthTag() }, nil } getMachineAuthFunc := func() (common.AuthFunc, error) { return func(tag names.Tag) bool { if tag, ok := tag.(names.MachineTag); ok { return canAccessStorageMachine(tag, true) } return false }, nil } getBlockDevicesAuthFunc := func() (common.AuthFunc, error) { return func(tag names.Tag) bool { if tag, ok := tag.(names.MachineTag); ok { return canAccessStorageMachine(tag, false) } return false }, nil } stateInterface := getState(st) settings := getSettingsManager(st) return &StorageProvisionerAPI{ LifeGetter: common.NewLifeGetter(stateInterface, getLifeAuthFunc), DeadEnsurer: common.NewDeadEnsurer(stateInterface, getStorageEntityAuthFunc), EnvironWatcher: common.NewEnvironWatcher(stateInterface, resources, authorizer), InstanceIdGetter: common.NewInstanceIdGetter(st, getMachineAuthFunc), StatusSetter: common.NewStatusSetter(st, getStorageEntityAuthFunc), st: stateInterface, settings: settings, resources: resources, authorizer: authorizer, getScopeAuthFunc: getScopeAuthFunc, getStorageEntityAuthFunc: getStorageEntityAuthFunc, getAttachmentAuthFunc: getAttachmentAuthFunc, getMachineAuthFunc: getMachineAuthFunc, getBlockDevicesAuthFunc: getBlockDevicesAuthFunc, }, nil }
func isAgent(auth common.Authorizer) bool { return auth.AuthMachineAgent() || auth.AuthUnitAgent() }