// TestTools exercises ToolsGetter.Tools with three entities in one call and
// checks that authorization is decided per entity rather than per request.
func (s *toolsSuite) TestTools(c *gc.C) {
	// The auth func admits machine-0 and machine-42 only; every other tag
	// must come back as unauthorized.
	authFor := func() (common.AuthFunc, error) {
		return func(tag string) bool {
			switch tag {
			case "machine-0", "machine-42":
				return true
			}
			return false
		}, nil
	}
	getter := common.NewToolsGetter(s.State, authFor)
	c.Assert(getter, gc.NotNil)

	// Record an agent version for machine 0 so that there is something to
	// report for it.
	err := s.machine0.SetAgentVersion(version.Current)
	c.Assert(err, gc.IsNil)

	entities := []params.Entity{
		{Tag: "machine-0"},
		{Tag: "machine-1"},
		{Tag: "machine-42"},
	}
	result, err := getter.Tools(params.Entities{Entities: entities})
	c.Assert(err, gc.IsNil)
	c.Assert(result.Results, gc.HasLen, 3)

	// machine-0: authorized, so its tools are returned.
	permitted := result.Results[0]
	c.Assert(permitted.Tools, gc.NotNil)
	c.Assert(permitted.Tools.Version, gc.DeepEquals, version.Current)
	// Hostname verification must not be reported as disabled here.
	c.Assert(permitted.DisableSSLHostnameVerification, jc.IsFalse)

	// machine-1: refused by the auth func. The per-entity error does not
	// fail the whole call.
	c.Assert(result.Results[1].Error, gc.DeepEquals, apiservertesting.ErrUnauthorized)

	// machine-42: authorized, but the lookup reports it as not found
	// (presumably the suite never creates it; confirm against SetUpTest).
	c.Assert(result.Results[2].Error, gc.DeepEquals, apiservertesting.NotFoundError("machine 42"))
}
// NewProvisionerAPI creates a new server-side ProvisionerAPI facade.
//
// The caller must authenticate as a machine agent or as the environment
// manager; any other caller gets common.ErrPerm and no facade.
func NewProvisionerAPI(
	st *state.State,
	resources *common.Resources,
	authorizer common.Authorizer,
) (*ProvisionerAPI, error) {
	if !(authorizer.AuthMachineAgent() || authorizer.AuthEnvironManager()) {
		return nil, common.ErrPerm
	}

	// machineAccess builds the per-tag predicate shared by most of the
	// embedded helpers. The caller's role and tag are read each time the
	// getter is invoked, not once at facade construction.
	machineAccess := func() (common.AuthFunc, error) {
		callerIsManager := authorizer.AuthEnvironManager()
		callerIsMachine := authorizer.AuthMachineAgent()
		callerTag := authorizer.GetAuthTag()

		allowed := func(tag string) bool {
			// A machine agent can always access its own machine.
			if callerIsMachine && tag == callerTag {
				return true
			}
			// Deny by default: a tag that does not parse as a machine
			// tag is never accessible.
			_, machineID, err := names.ParseTag(tag, names.MachineTagKind)
			if err != nil {
				return false
			}
			if parent := state.ParentId(machineID); parent != "" {
				// All containers with the authenticated machine as a
				// parent are accessible by it. The environment manager
				// role alone does not grant access on this branch.
				return callerIsMachine && names.MachineTag(parent) == callerTag
			}
			// All top-level machines are accessible by the environment
			// manager.
			return callerIsManager
		}
		return allowed, nil
	}

	// Both provisioner types can watch the environment.
	watchAllowed := common.AuthAlways(true)
	// Only the environment provisioner can read secrets. The role is
	// sampled once here, so the answer is fixed for this facade's lifetime.
	secretsAllowed := common.AuthAlways(authorizer.AuthEnvironManager())

	api := &ProvisionerAPI{
		Remover:         common.NewRemover(st, false, machineAccess),
		StatusSetter:    common.NewStatusSetter(st, machineAccess),
		DeadEnsurer:     common.NewDeadEnsurer(st, machineAccess),
		PasswordChanger: common.NewPasswordChanger(st, machineAccess),
		LifeGetter:      common.NewLifeGetter(st, machineAccess),
		StateAddresser:  common.NewStateAddresser(st),
		APIAddresser:    common.NewAPIAddresser(st, resources),
		ToolsGetter:     common.NewToolsGetter(st, machineAccess),
		EnvironWatcher:  common.NewEnvironWatcher(st, resources, watchAllowed, secretsAllowed),
		// Watching the environment's machines is gated by the same
		// predicate as reading secrets, i.e. environment manager only.
		EnvironMachinesWatcher: common.NewEnvironMachinesWatcher(st, resources, secretsAllowed),
		InstanceIdGetter:       common.NewInstanceIdGetter(st, machineAccess),
		st:                     st,
		resources:              resources,
		authorizer:             authorizer,
		getAuthFunc:            machineAccess,
		// NOTE(review): this reuses the secrets predicate under another
		// name, so the two policies cannot diverge without a code
		// change; confirm that the coupling is intended.
		getCanWatchMachines: secretsAllowed,
	}
	return api, nil
}
// TestToolsError checks the failure path in which the auth func itself cannot
// be obtained: Tools must surface that error to the caller.
func (s *toolsSuite) TestToolsError(c *gc.C) {
	// The auth-func getter always fails, so no access decision is possible.
	failingAuth := func() (common.AuthFunc, error) {
		return nil, fmt.Errorf("splat")
	}
	getter := common.NewToolsGetter(s.State, failingAuth)

	request := params.Entities{
		Entities: []params.Entity{{Tag: "machine-42"}},
	}
	result, err := getter.Tools(request)
	c.Assert(err, gc.ErrorMatches, "splat")
	// One result slot per requested entity is still returned alongside the
	// error.
	// NOTE(review): the slot's contents are not checked; consider also
	// asserting that it carries no Tools, so that a regression which fills
	// in data before authorization succeeds would be caught.
	c.Assert(result.Results, gc.HasLen, 1)
}
// NewUpgraderAPI creates a new client-side UpgraderAPI facade. func NewUpgraderAPI( st *state.State, resources *common.Resources, authorizer common.Authorizer, ) (*UpgraderAPI, error) { if !authorizer.AuthMachineAgent() { return nil, common.ErrPerm } getCanReadWrite := func() (common.AuthFunc, error) { return authorizer.AuthOwner, nil } return &UpgraderAPI{ ToolsGetter: common.NewToolsGetter(st, getCanReadWrite), ToolsSetter: common.NewToolsSetter(st, getCanReadWrite), st: st, resources: resources, authorizer: authorizer, }, nil }