func getDeployerAuth(preparerConfig *PreparerConfig) (auth.Policy, error) {
var authPolicy auth.Policy
switch t, _ := preparerConfig.Auth["type"].(string); t {
case "":
return nil, util.Errorf("must specify authorization policy type")
case auth.Null:
authPolicy = auth.NullPolicy{}
case auth.Keyring:
var authConfig KeyringAuth
err := castYaml(preparerConfig.Auth, &authConfig)
if err != nil {
return nil, util.Errorf("error configuring keyring auth: %s", err)
}
if authConfig.KeyringPath == "" {
return nil, util.Errorf("keyring auth must contain a path to the keyring")
}
authPolicy, err = auth.NewFileKeyringPolicy(
authConfig.KeyringPath,
map[types.PodID][]string{POD_ID: authConfig.AuthorizedDeployers},
)
if err != nil {
return nil, util.Errorf("error configuring keyring auth: %s", err)
}
case auth.User:
var userConfig UserAuth
err := castYaml(preparerConfig.Auth, &userConfig)
if err != nil {
return nil, util.Errorf("error configuring user auth: %s", err)
}
if userConfig.KeyringPath == "" {
return nil, util.Errorf("user auth must contain a path to the keyring")
}
if userConfig.DeployPolicyPath == "" {
return nil, util.Errorf("user auth must contain a path to the deploy policy")
}
authPolicy, err = auth.NewUserPolicy(
userConfig.KeyringPath,
userConfig.DeployPolicyPath,
POD_ID,
string(POD_ID),
)
if err != nil {
return nil, util.Errorf("error configuring user auth: %s", err)
}
default:
if t, ok := preparerConfig.Auth["type"].(string); ok {
return nil, util.Errorf("unrecognized auth type: %s", t)
}
return nil, util.Errorf("unrecognized auth type")
}
return authPolicy, nil
}
func authorize(manifest manifest.Manifest) error {
var policy auth.Policy
var err error
switch *authType {
case auth.Null:
if *keyring != "" {
return util.Errorf("--keyring may not be specified if --auth-type is '%s'", *authType)
}
if *deployPolicy != "" {
return util.Errorf("--deploy-policy may not be specified if --auth-type is '%s'", *authType)
}
if len(*allowedUsers) != 0 {
return util.Errorf("--allowed-users may not be specified if --auth-type is '%s'", *authType)
}
return nil
case auth.Keyring:
if *keyring == "" {
return util.Errorf("Must specify --keyring if --auth-type is '%s'", *authType)
}
if len(*allowedUsers) == 0 {
return util.Errorf("Must specify at least one allowed user if using a keyring auth type")
}
policy, err = auth.NewFileKeyringPolicy(
*keyring,
map[types.PodID][]string{
constants.PreparerPodID: *allowedUsers,
},
)
if err != nil {
return err
}
case auth.User:
if *keyring == "" {
return util.Errorf("Must specify --keyring if --auth-type is '%s'", *authType)
}
if *deployPolicy == "" {
return util.Errorf("Must specify --deploy-policy if --auth-type is '%s'", *authType)
}
policy, err = auth.NewUserPolicy(
*keyring,
*deployPolicy,
constants.PreparerPodID,
constants.PreparerPodID.String(),
)
if err != nil {
return err
}
default:
return util.Errorf("Unknown --auth-type: %s", *authType)
}
logger := logging.NewLogger(logrus.Fields{})
logger.Logger.Formatter = new(logrus.TextFormatter)
err = policy.AuthorizeApp(manifest, logger)
if err != nil {
if err, ok := err.(auth.Error); ok {
logger.WithFields(err.Fields).Errorln(err)
} else {
logger.NoFields().Errorln(err)
}
return err
}
return nil
}
func New(preparerConfig *PreparerConfig, logger logging.Logger) (*Preparer, error) {
addHooks(preparerConfig, logger)
if preparerConfig.ConsulAddress == "" {
return nil, util.Errorf("No Consul address given to the preparer")
}
if preparerConfig.PodRoot == "" {
return nil, util.Errorf("No pod root given to the preparer")
}
if preparerConfig.LogLevel != "" {
lv, err := logrus.ParseLevel(preparerConfig.LogLevel)
if err != nil {
return nil, util.Errorf("Received invalid log level %q", preparerConfig.LogLevel)
}
logger.Logger.Level = lv
}
var err error
var authPolicy auth.Policy
switch t, _ := preparerConfig.Auth["type"].(string); t {
case "":
return nil, util.Errorf("must specify authorization policy type")
case "none":
authPolicy = auth.NullPolicy{}
case "keyring":
var authConfig KeyringAuth
err := castYaml(preparerConfig.Auth, &authConfig)
if err != nil {
return nil, util.Errorf("error configuring keyring auth: %s", err)
}
if authConfig.KeyringPath == "" {
return nil, util.Errorf("keyring auth must contain a path to the keyring")
}
authPolicy, err = auth.NewFileKeyringPolicy(
authConfig.KeyringPath,
map[string][]string{POD_ID: authConfig.AuthorizedDeployers},
)
if err != nil {
return nil, util.Errorf("error configuring keyring auth: %s", err)
}
case "user":
var userConfig UserAuth
err := castYaml(preparerConfig.Auth, &userConfig)
if err != nil {
return nil, util.Errorf("error configuring user auth: %s", err)
}
if userConfig.KeyringPath == "" {
return nil, util.Errorf("user auth must contain a path to the keyring")
}
if userConfig.DeployPolicyPath == "" {
return nil, util.Errorf("user auth must contain a path to the deploy policy")
}
authPolicy, err = auth.NewUserPolicy(
userConfig.KeyringPath,
userConfig.DeployPolicyPath,
POD_ID,
POD_ID,
)
if err != nil {
return nil, util.Errorf("error configuring user auth: %s", err)
}
default:
if t, ok := preparerConfig.Auth["type"].(string); ok {
return nil, util.Errorf("unrecognized auth type: %s", t)
}
return nil, util.Errorf("unrecognized auth type")
}
store, err := preparerConfig.GetStore()
if err != nil {
return nil, err
}
listener := HookListener{
Intent: store,
HookPrefix: kp.HOOK_TREE,
DestinationDir: path.Join(pods.DEFAULT_PATH, "hooks"),
ExecDir: preparerConfig.HooksDirectory,
Logger: logger,
authPolicy: authPolicy,
}
err = os.MkdirAll(preparerConfig.PodRoot, 0755)
if err != nil {
return nil, util.Errorf("Could not create preparer pod directory: %s", err)
}
consulCAFile := preparerConfig.ConsulCAFile
if consulCAFile == "" {
consulCAFile = preparerConfig.CAFile
}
return &Preparer{
node: preparerConfig.NodeName,
store: store,
hooks: hooks.Hooks(preparerConfig.HooksDirectory, &logger),
hookListener: listener,
Logger: logger,
podRoot: preparerConfig.PodRoot,
authPolicy: authPolicy,
caFile: consulCAFile,
}, nil
}