func (*passwordSuite) TestSetPasswordsNoArgsNoError(c *gc.C) {
getCanChange := func() (common.AuthFunc, error) {
return nil, fmt.Errorf("splat")
}
pc := common.NewPasswordChanger(&fakeState{}, getCanChange)
result, err := pc.SetPasswords(params.EntityPasswords{})
c.Assert(err, gc.IsNil)
c.Assert(result.Results, gc.HasLen, 0)
}
// NewProvisionerAPI creates a new server-side ProvisionerAPI facade.
func NewProvisionerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*ProvisionerAPI, error) {
if !authorizer.AuthMachineAgent() && !authorizer.AuthEnvironManager() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
isEnvironManager := authorizer.AuthEnvironManager()
isMachineAgent := authorizer.AuthMachineAgent()
authEntityTag := authorizer.GetAuthTag()
return func(tag string) bool {
if isMachineAgent && tag == authEntityTag {
// A machine agent can always access its own machine.
return true
}
_, id, err := names.ParseTag(tag, names.MachineTagKind)
if err != nil {
return false
}
parentId := state.ParentId(id)
if parentId == "" {
// All top-level machines are accessible by the
// environment manager.
return isEnvironManager
}
// All containers with the authenticated machine as a
// parent are accessible by it.
return isMachineAgent && names.MachineTag(parentId) == authEntityTag
}, nil
}
// Both provisioner types can watch the environment.
getCanWatch := common.AuthAlways(true)
// Only the environment provisioner can read secrets.
getCanReadSecrets := common.AuthAlways(authorizer.AuthEnvironManager())
return &ProvisionerAPI{
Remover: common.NewRemover(st, false, getAuthFunc),
StatusSetter: common.NewStatusSetter(st, getAuthFunc),
DeadEnsurer: common.NewDeadEnsurer(st, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
ToolsGetter: common.NewToolsGetter(st, getAuthFunc),
EnvironWatcher: common.NewEnvironWatcher(st, resources, getCanWatch, getCanReadSecrets),
EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, getCanReadSecrets),
InstanceIdGetter: common.NewInstanceIdGetter(st, getAuthFunc),
st: st,
resources: resources,
authorizer: authorizer,
getAuthFunc: getAuthFunc,
getCanWatchMachines: getCanReadSecrets,
}, nil
}
func (*passwordSuite) TestSetPasswords(c *gc.C) {
st := &fakeState{
entities: map[string]entityWithError{
"x0": &fakeAuthenticator{},
"x1": &fakeAuthenticator{},
"x2": &fakeAuthenticator{
err: fmt.Errorf("x2 error"),
},
"x3": &fakeAuthenticator{
fetchError: "x3 error",
},
"x4": &fakeUnitAuthenticator{},
"x5": &fakeMachineAuthenticator{jobs: []state.MachineJob{state.JobHostUnits}},
"x6": &fakeMachineAuthenticator{jobs: []state.MachineJob{state.JobManageEnviron}},
},
}
getCanChange := func() (common.AuthFunc, error) {
return func(tag string) bool {
return tag != "x0"
}, nil
}
pc := common.NewPasswordChanger(st, getCanChange)
var changes []params.EntityPassword
for i := 0; i < len(st.entities); i++ {
tag := fmt.Sprintf("x%d", i)
changes = append(changes, params.EntityPassword{
Tag: tag,
Password: fmt.Sprintf("%spass", tag),
})
}
results, err := pc.SetPasswords(params.EntityPasswords{
Changes: changes,
})
c.Assert(err, gc.IsNil)
c.Assert(results, jc.DeepEquals, params.ErrorResults{
Results: []params.ErrorResult{
{apiservertesting.ErrUnauthorized},
{nil},
{¶ms.Error{Message: "x2 error"}},
{¶ms.Error{Message: "x3 error"}},
{nil},
{nil},
{nil},
},
})
c.Check(st.entities["x0"].(*fakeAuthenticator).pass, gc.Equals, "")
c.Check(st.entities["x1"].(*fakeAuthenticator).pass, gc.Equals, "x1pass")
c.Check(st.entities["x2"].(*fakeAuthenticator).pass, gc.Equals, "")
c.Check(st.entities["x4"].(*fakeUnitAuthenticator).pass, gc.Equals, "x4pass")
c.Check(st.entities["x4"].(*fakeUnitAuthenticator).mongoPass, gc.Equals, "")
c.Check(st.entities["x5"].(*fakeMachineAuthenticator).pass, gc.Equals, "x5pass")
c.Check(st.entities["x5"].(*fakeMachineAuthenticator).mongoPass, gc.Equals, "")
c.Check(st.entities["x6"].(*fakeMachineAuthenticator).pass, gc.Equals, "x6pass")
c.Check(st.entities["x6"].(*fakeMachineAuthenticator).mongoPass, gc.Equals, "x6pass")
}
// NewAPI returns an object implementing an agent API
// with the given authorizer representing the currently logged in client.
func NewAPI(st *state.State, auth common.Authorizer) (*API, error) {
// Agents are defined to be any user that's not a client user.
if !auth.AuthMachineAgent() && !auth.AuthUnitAgent() {
return nil, common.ErrPerm
}
getCanChange := func() (common.AuthFunc, error) {
return auth.AuthOwner, nil
}
return &API{
PasswordChanger: common.NewPasswordChanger(st, getCanChange),
st: st,
auth: auth,
}, nil
}
func (*passwordSuite) TestSetPasswordsError(c *gc.C) {
getCanChange := func() (common.AuthFunc, error) {
return nil, fmt.Errorf("splat")
}
pc := common.NewPasswordChanger(&fakeState{}, getCanChange)
var changes []params.EntityPassword
for i := 0; i < 4; i++ {
tag := fmt.Sprintf("x%d", i)
changes = append(changes, params.EntityPassword{
Tag: tag,
Password: fmt.Sprintf("%spass", tag),
})
}
_, err := pc.SetPasswords(params.EntityPasswords{Changes: changes})
c.Assert(err, gc.ErrorMatches, "splat")
}
// NewDeployerAPI creates a new server-side DeployerAPI facade.
func NewDeployerAPI(
st *state.State,
resources *common.Resources,
authorizer common.Authorizer,
) (*DeployerAPI, error) {
if !authorizer.AuthMachineAgent() {
return nil, common.ErrPerm
}
getAuthFunc := func() (common.AuthFunc, error) {
// Get all units of the machine and cache them.
thisMachineTag := authorizer.GetAuthTag()
units, err := getAllUnits(st, thisMachineTag)
if err != nil {
return nil, err
}
// Then we just check if the unit is already known.
return func(tag string) bool {
for _, unit := range units {
if names.UnitTag(unit) == tag {
return true
}
}
return false
}, nil
}
getCanWatch := func() (common.AuthFunc, error) {
return authorizer.AuthOwner, nil
}
return &DeployerAPI{
Remover: common.NewRemover(st, true, getAuthFunc),
PasswordChanger: common.NewPasswordChanger(st, getAuthFunc),
LifeGetter: common.NewLifeGetter(st, getAuthFunc),
StateAddresser: common.NewStateAddresser(st),
APIAddresser: common.NewAPIAddresser(st, resources),
UnitsWatcher: common.NewUnitsWatcher(st, resources, getCanWatch),
st: st,
resources: resources,
authorizer: authorizer,
}, nil
}
