// NewProvisionerAPI creates a new server-side ProvisionerAPI facade.
func NewProvisionerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*ProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
isEnvironManager := authorizer.AuthEnvironManager()
isMachineAgent := authorizer.AuthMachineAgent()
authEntityTag := authorizer.GetAuthTag()
return func(tag string) bool {
if isMachineAgent && tag == authEntityTag {
// A machine agent can always access its own machine.
return true
}
t, err := names.ParseTag(tag, names.MachineTagKind)
if err != nil {
return false
}
parentId := state.ParentId(t.Id())
if parentId == "" {
// All top-level machines are accessible by the
// environment manager.
return isEnvironManager
}
// All containers with the authenticated machine as a
// parent are accessible by it.
return isMachineAgent && names.NewMachineTag(parentId).String() == authEntityTag
}, nil
}
// Both provisioner types can watch the environment.
getCanWatch := common.AuthAlways(true)
// Only the environment provisioner can read secrets.
getCanReadSecrets := common.AuthAlways(authorizer.AuthEnvironManager())
return &ProvisionerAPI{
Remover: common.NewRemover(st, false, getAuthFunc),
StatusSetter: common.NewStatusSetter(st, getAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
ToolsGetter: common.NewToolsGetter(st, getAuthFunc),
EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets),
EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, getCanReadSecrets),
InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc),
st: st,
resources: resources,
authorizer: authorizer,
getAuthFunc: getAuthFunc,
getCanWatchMachines: getCanReadSecrets,
}, nil
}
// NewNetworkerAPI creates a new client-side Networker API facade.
func NewNetworkerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*NetworkerAPI, error) {
if !authorizer.AuthMachineAgent() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
authEntityTag := authorizer.GetAuthTag().String()
return func(tag string) bool {
if tag == authEntityTag {
// A machine agent can always access its own machine.
return true
}
t, err := names.ParseMachineTag(tag)
if err != nil {
// Only machine tags are allowed.
return false
}
id := t.Id()
for parentId := state.ParentId(id); parentId != ""; parentId = state.ParentId(parentId) {
// Until a top-level machine is reached.
// TODO(dfc) comparing the two interfaces caused a compiler crash with
// gcc version 4.9.0 (Ubuntu 4.9.0-7ubuntu1). Work around the issue
// by comparing by string value.
if names.NewMachineTag(parentId).String() == authEntityTag {
// All containers with the authenticated machine as a
// parent are accessible by it.
return true
}
}
// Not found authorized machine agent among ancestors of the current one.
return false
}, nil
}
return &NetworkerAPI{
st: st,
resources: resources,
authorizer: authorizer,
getAuthFunc: getAuthFunc,
}, nil
}
// upgraderFacade is a bit unique vs the other API Facades, as it has two
// implementations that actually expose the same API and which one gets
// returned depends on who is calling.
// Both of them conform to the exact Upgrader API, so the actual calls that are
// available do not depend on who is currently connected.
func upgraderFacade(st *state.State, resources *common.Resources, auth common.Authorizer) (Upgrader, error) {
// The type of upgrader we return depends on who is asking.
// Machines get an UpgraderAPI, units get a UnitUpgraderAPI.
// This is tested in the state/api/upgrader package since there
// are currently no direct srvRoot tests.
// TODO(dfc) this is redundant
tag, err := names.ParseTag(auth.GetAuthTag().String())
if err != nil {
return nil, common.ErrPerm
}
switch tag.(type) {
case names.MachineTag:
return NewUpgraderAPI(st, resources, auth)
case names.UnitTag:
return NewUnitUpgraderAPI(st, resources, auth)
}
// Not a machine or unit.
return nil, common.ErrPerm
}
// NewNetworkerAPI creates a new client-side Networker API facade.
func NewNetworkerAPI(
st *state.State,
_ *common.Resources,
authorizer common.Authorizer,
) (*NetworkerAPI, error) {
if !authorizer.AuthMachineAgent() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
authEntityTag := authorizer.GetAuthTag()
return func(tag string) bool {
if tag == authEntityTag {
// A machine agent can always access its own machine.
return true
}
t, err := names.ParseTag(tag, names.MachineTagKind)
if err != nil {
// Only machine tags are allowed.
return false
}
id := t.Id()
for parentId := state.ParentId(id); parentId != ""; parentId = state.ParentId(parentId) {
// Until a top-level machine is reached.
if names.NewMachineTag(parentId).String() == authEntityTag {
// All containers with the authenticated machine as a
// parent are accessible by it.
return true
}
}
// Not found authorized machine agent among ancestors of the current one.
return false
}, nil
}
return &NetworkerAPI{
st: st,
authorizer: authorizer,
getAuthFunc: getAuthFunc,
}, nil
}
// NewDeployerAPI creates a new server-side DeployerAPI facade.
func NewDeployerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*DeployerAPI, error) {
if !authorizer.AuthMachineAgent() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
// Get all units of the machine and cache them.
thisMachineTag := authorizer.GetAuthTag()
units, err := getAllUnits(st, thisMachineTag)
if err != nil {
return nil, err
}
// Then we just check if the unit is already known.
return func(tag string) bool {
for _, unit := range units {
if names.NewUnitTag(unit).String() == tag {
return true
}
}
return false
}, nil
}
getCanWatch := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
return &DeployerAPI{
Remover: common.NewRemover(st, true, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
UnitsWatcher: common.NewUnitsWatcher(st, resources, getCanWatch),
st: st,
resources: resources,
authorizer: authorizer,
}, nil
}
// NewKeyManagerAPI creates a new server-side keyupdater API end point.
func NewKeyManagerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*KeyManagerAPI, error) {
// Only clients and environment managers can access the key manager service.
if !authorizer.AuthClient() && !authorizer.AuthEnvironManager() {
return nil, common.ErrPerm
}
// TODO(wallyworld) - replace stub with real canRead function
// For now, only admins can read authorised ssh keys.
getCanRead := func() (common.AuthFunc, error) {
return func(_ string) bool {
return authorizer.GetAuthTag() == adminUser
}, nil
}
// TODO(wallyworld) - replace stub with real canWrite function
// For now, only admins can write authorised ssh keys for users.
// Machine agents can write the juju-system-key.
getCanWrite := func() (common.AuthFunc, error) {
return func(tag string) bool {
// Are we a machine agent writing the Juju system key.
if tag == config.JujuSystemKey {
// TODO(dfc) this can never be false
_, err := names.ParseMachineTag(authorizer.GetAuthTag().String())
return err == nil
}
// Are we writing the auth key for a user.
if _, err := st.User(tag); err != nil {
return false
}
return authorizer.GetAuthTag() == adminUser
}, nil
}
return &KeyManagerAPI{
state: st, resources: resources, authorizer: authorizer, getCanRead: getCanRead, getCanWrite: getCanWrite}, nil
}