| Left: | ||
| Right: |
| LEFT | RIGHT |
|---|---|
| 1 // Copyright 2013 Canonical Ltd. | 1 // Copyright 2013 Canonical Ltd. |
| 2 // Licensed under the AGPLv3, see LICENCE file for details. | 2 // Licensed under the AGPLv3, see LICENCE file for details. |
| 3 | 3 |
| 4 package apiserver | 4 package apiserver |
| 5 | 5 |
| 6 import ( | 6 import ( |
| 7 "launchpad.net/juju-core/state" | 7 "launchpad.net/juju-core/state" |
| 8 "launchpad.net/juju-core/state/apiserver/common" | 8 "launchpad.net/juju-core/state/apiserver/common" |
| 9 "launchpad.net/juju-core/state/apiserver/machiner" | 9 "launchpad.net/juju-core/state/apiserver/machiner" |
| 10 "launchpad.net/juju-core/state/multiwatcher" | 10 "launchpad.net/juju-core/state/multiwatcher" |
| 11 ) | 11 ) |
| 12 | 12 |
| 13 // srvRoot represents a single client's connection to the state. | 13 // srvRoot represents a single client's connection to the state. |
| 14 type srvRoot struct { | 14 type srvRoot struct { |
| 15 admin *srvAdmin | 15 admin *srvAdmin |
| 16 client *srvClient | 16 client *srvClient |
| 17 state *srvState | 17 state *srvState |
| 18 srv *Server | 18 srv *Server |
| 19 machiner *machiner.Machiner | |
| 20 resources *resources | 19 resources *resources |
| 21 | 20 |
| 22 user authUser | 21 user authUser |
| 23 } | 22 } |
| 24 | 23 |
| 25 func newStateServer(srv *Server) *srvRoot { | 24 func newStateServer(srv *Server) *srvRoot { |
| 26 r := &srvRoot{ | 25 r := &srvRoot{ |
| 27 srv: srv, | 26 srv: srv, |
| 28 resources: newResources(), | 27 resources: newResources(), |
| 29 } | 28 } |
| 30 r.admin = &srvAdmin{ | 29 r.admin = &srvAdmin{ |
| 31 root: r, | 30 root: r, |
| 32 } | 31 } |
| 33 r.client = &srvClient{ | 32 r.client = &srvClient{ |
| 34 root: r, | 33 root: r, |
| 35 } | 34 } |
| 36 r.state = &srvState{ | 35 r.state = &srvState{ |
| 37 root: r, | 36 root: r, |
| 38 } | 37 } |
| 39 r.machiner = machiner.New(r.srv.state, r) | |
|
rog
2013/06/05 16:30:43
i wonder if it might not make more sense to create
dimitern
2013/06/06 09:36:01
How can we decide when an error should be returned
rog
2013/06/06 11:32:08
machiner.New can make the same authorization decis
dimitern
2013/06/06 16:17:36
Done.
| |
| 40 return r | 38 return r |
| 41 } | 39 } |
| 42 | 40 |
| 43 // Kill implements rpc.Killer. It cleans up any resources that need | 41 // Kill implements rpc.Killer. It cleans up any resources that need |
| 44 // cleaning up to ensure that all outstanding requests return. | 42 // cleaning up to ensure that all outstanding requests return. |
| 45 func (r *srvRoot) Kill() { | 43 func (r *srvRoot) Kill() { |
| 46 r.resources.stopAll() | 44 r.resources.stopAll() |
| 47 } | 45 } |
| 48 | 46 |
| 49 // Admin returns an object that provides API access | 47 // Admin returns an object that provides API access |
| (...skipping 29 matching lines...) Expand all Loading... | |
| 79 if e == nil { | 77 if e == nil { |
| 80 return common.ErrNotLoggedIn | 78 return common.ErrNotLoggedIn |
| 81 } | 79 } |
| 82 if isAgent(e) { | 80 if isAgent(e) { |
| 83 return common.ErrPerm | 81 return common.ErrPerm |
| 84 } | 82 } |
| 85 return nil | 83 return nil |
| 86 } | 84 } |
| 87 | 85 |
| 88 // Machiner returns an object that provides access to the Machiner API | 86 // Machiner returns an object that provides access to the Machiner API |
| 89 // facade. Version argument is reserved for future use and currently | 87 // facade. The id argument is reserved for future use and currently |
| 90 // needs to be empty. | 88 // needs to be empty. |
| 91 func (r *srvRoot) Machiner(version string) (*machiner.Machiner, error) { | 89 func (r *srvRoot) Machiner(id string) (*machiner.Machiner, error) { |
| 92 » if err := r.requireAgent(); err != nil { | 90 » if id != "" { |
|
rog
2013/06/05 16:30:43
this doesn't seem right. shouldn't we check that t
dimitern
2013/06/06 09:36:01
AIUI we need a machine tag to check that, hence th
rog
2013/06/06 11:32:08
this code allows a uniter to get a Machiner object
dimitern
2013/06/06 16:17:36
Changed as suggested.
| |
| 93 » » return nil, err | 91 » » // Safeguard id for possible future use. |
| 94 » } | 92 » » return nil, common.ErrBadId |
| 95 » if version != "" { | 93 » } |
| 96 » » return nil, common.ErrBadVersion | 94 » return machiner.New(r.srv.state, r) |
| 97 » } | |
| 98 » return r.machiner, nil | |
| 99 } | 95 } |
| 100 | 96 |
| 101 // User returns an object that provides | 97 // User returns an object that provides |
| 102 // API access to methods on a state.User. | 98 // API access to methods on a state.User. |
| 103 func (r *srvRoot) User(name string) (*srvUser, error) { | 99 func (r *srvRoot) User(name string) (*srvUser, error) { |
| 104 // Any user is allowed to access their own user object. | 100 // Any user is allowed to access their own user object. |
| 105 // We check at this level rather than at the operation | 101 // We check at this level rather than at the operation |
| 106 // level to stop malicious probing for current user names. | 102 // level to stop malicious probing for current user names. |
| 107 // When we provide support for user administration, | 103 // When we provide support for user administration, |
| 108 // this will need to be changed to allow access to | 104 // this will need to be changed to allow access to |
| (...skipping 106 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 215 if err := r.requireClient(); err != nil { | 211 if err := r.requireClient(); err != nil { |
| 216 return nil, err | 212 return nil, err |
| 217 } | 213 } |
| 218 if id != "" { | 214 if id != "" { |
| 219 // Safeguard id for possible future use. | 215 // Safeguard id for possible future use. |
| 220 return nil, common.ErrBadId | 216 return nil, common.ErrBadId |
| 221 } | 217 } |
| 222 return r.client, nil | 218 return r.client, nil |
| 223 } | 219 } |
| 224 | 220 |
| 221 // IsLoggedIn returns whether the user is currently logged in and | |
| 222 // authenticated. | |
| 223 func (r *srvRoot) IsLoggedIn() bool { | |
| 224 return r.user.authenticator() != nil | |
| 225 } | |
| 226 | |
| 227 // AuthMachineAgent returns whether the current client is a machine agent. | |
| 228 func (r *srvRoot) AuthMachineAgent() bool { | |
| 229 if !r.IsLoggedIn() { | |
| 230 return false | |
| 231 } | |
| 232 e := r.user.authenticator() | |
| 233 if _, ok := e.(*state.Machine); !ok { | |
| 234 return false | |
| 235 } | |
| 236 return true | |
| 237 } | |
| 238 | |
| 225 // AuthOwner returns whether the authenticated user's tag matches the | 239 // AuthOwner returns whether the authenticated user's tag matches the |
| 226 // given entity's tag. | 240 // given entity's tag. |
| 227 func (r *srvRoot) AuthOwner(entity common.Tagger) bool { | 241 func (r *srvRoot) AuthOwner(entity common.Tagger) bool { |
| 228 authUser := r.user.authenticator() | 242 authUser := r.user.authenticator() |
| 229 return authUser.Tag() == entity.Tag() | 243 return authUser.Tag() == entity.Tag() |
| 230 } | 244 } |
| 231 | 245 |
| 232 // AuthEnvironManager returns whether the authenticated user is a | 246 // AuthEnvironManager returns whether the authenticated user is a |
| 233 // machine with running the ManageEnviron job. | 247 // machine with running the ManageEnviron job. |
| 234 func (r *srvRoot) AuthEnvironManager() bool { | 248 func (r *srvRoot) AuthEnvironManager() bool { |
| 235 authUser := r.user.authenticator() | 249 authUser := r.user.authenticator() |
| 236 return isMachineWithJob(authUser, state.JobManageEnviron) | 250 return isMachineWithJob(authUser, state.JobManageEnviron) |
| 237 } | 251 } |
| LEFT | RIGHT |
