func (*agentEntityWatcherSuite) TestWatch(c *gc.C) { st := &fakeState{ entities: map[string]entityWithError{ "x0": &fakeAgentEntityWatcher{fetchError: "x0 fails"}, "x1": &fakeAgentEntityWatcher{}, "x2": &fakeAgentEntityWatcher{}, }, } getCanWatch := func() (common.AuthFunc, error) { return func(tag string) bool { switch tag { case "x0", "x1": return true } return false }, nil } resources := common.NewResources() a := common.NewAgentEntityWatcher(st, resources, getCanWatch) entities := params.Entities{[]params.Entity{ {"x0"}, {"x1"}, {"x2"}, {"x3"}, }} result, err := a.Watch(entities) c.Assert(err, gc.IsNil) c.Assert(result, gc.DeepEquals, params.NotifyWatchResults{ Results: []params.NotifyWatchResult{ {Error: ¶ms.Error{Message: "x0 fails"}}, {"1", nil}, {Error: apiservertesting.ErrUnauthorized}, {Error: apiservertesting.ErrUnauthorized}, }, }) }
func (*agentEntityWatcherSuite) TestWatchError(c *gc.C) { getCanWatch := func() (common.AuthFunc, error) { return nil, fmt.Errorf("pow") } resources := common.NewResources() a := common.NewAgentEntityWatcher( &fakeState{}, resources, getCanWatch, ) _, err := a.Watch(params.Entities{[]params.Entity{{"x0"}}}) c.Assert(err, gc.ErrorMatches, "pow") }
func (*agentEntityWatcherSuite) TestWatchNoArgsNoError(c *gc.C) { getCanWatch := func() (common.AuthFunc, error) { return nil, fmt.Errorf("pow") } resources := common.NewResources() a := common.NewAgentEntityWatcher( &fakeState{}, resources, getCanWatch, ) result, err := a.Watch(params.Entities{}) c.Assert(err, gc.IsNil) c.Assert(result.Results, gc.HasLen, 0) }
// NewMachinerAPI creates a new instance of the Machiner API. func NewMachinerAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*MachinerAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getCanModify := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } getCanRead := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &MachinerAPI{ LifeGetter: common.NewLifeGetter(st, getCanRead), StatusSetter: common.NewStatusSetter(st, getCanModify), DeadEnsurer: common.NewDeadEnsurer(st, getCanModify), AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, getCanRead), APIAddresser: common.NewAPIAddresser(st, resources), st: st, auth: authorizer, getCanModify: getCanModify, }, nil }
// NewUniterAPI creates a new instance of the Uniter API. func NewUniterAPI(st *state.State, resources *common.Resources, authorizer common.Authorizer) (*UniterAPI, error) { if !authorizer.AuthUnitAgent() { return nil, common.ErrPerm } accessUnit := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } accessService := func() (common.AuthFunc, error) { unit, ok := authorizer.GetAuthEntity().(*state.Unit) if !ok { panic("authenticated entity is not a unit") } return func(tag string) bool { return tag == names.ServiceTag(unit.ServiceName()) }, nil } accessUnitOrService := common.AuthEither(accessUnit, accessService) // Uniter can always watch for environ changes. getCanWatch := common.AuthAlways(true) // Uniter can not get the secrets. getCanReadSecrets := common.AuthAlways(false) return &UniterAPI{ LifeGetter: common.NewLifeGetter(st, accessUnitOrService), StatusSetter: common.NewStatusSetter(st, accessUnit), DeadEnsurer: common.NewDeadEnsurer(st, accessUnit), AgentEntityWatcher: common.NewAgentEntityWatcher(st, resources, accessUnitOrService), APIAddresser: common.NewAPIAddresser(st, resources), EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets), st: st, auth: authorizer, resources: resources, accessUnit: accessUnit, accessService: accessService, }, nil }
// NewFirewallerAPI creates a new server-side FirewallerAPI facade. func NewFirewallerAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*FirewallerAPI, error) { if !authorizer.AuthEnvironManager() { // Firewaller must run as environment manager. return nil, common.ErrPerm } // Set up the various authorization checkers. accessUnit := getAuthFuncForTagKind(names.UnitTagKind) accessService := getAuthFuncForTagKind(names.ServiceTagKind) accessMachine := getAuthFuncForTagKind(names.MachineTagKind) accessEnviron := getAuthFuncForTagKind("") accessUnitOrService := common.AuthEither(accessUnit, accessService) accessUnitServiceOrMachine := common.AuthEither(accessUnitOrService, accessMachine) // Life() is supported for units, services or machines. lifeGetter := common.NewLifeGetter( st, accessUnitServiceOrMachine, ) // EnvironConfig() and WatchForEnvironConfigChanges() are allowed // with unrestriced access. environWatcher := common.NewEnvironWatcher( st, resources, accessEnviron, accessEnviron, ) // Watch() is supported for units or services. entityWatcher := common.NewAgentEntityWatcher( st, resources, accessUnitOrService, ) // WatchUnits() is supported for machines. unitsWatcher := common.NewUnitsWatcher(st, resources, accessMachine, ) // WatchEnvironMachines() is allowed with unrestricted access. machinesWatcher := common.NewEnvironMachinesWatcher( st, resources, accessEnviron, ) // InstanceId() is supported for machines. instanceIdGetter := common.NewInstanceIdGetter( st, accessMachine, ) return &FirewallerAPI{ LifeGetter: lifeGetter, EnvironWatcher: environWatcher, AgentEntityWatcher: entityWatcher, UnitsWatcher: unitsWatcher, EnvironMachinesWatcher: machinesWatcher, InstanceIdGetter: instanceIdGetter, st: st, resources: resources, authorizer: authorizer, accessUnit: accessUnit, accessService: accessService, }, nil }