Merge pull request #46 from Toshbrown/master

CM permissions changes
me-box · Mar 3, 2017 · dabae95 · dabae95
2 parents e2bdcde + 150e0d6
commit dabae95
Show file tree

Hide file tree

Showing 6 changed files with 131 additions and 34 deletions.
diff --git a/DevStartInContiner.sh b/DevStartInContiner.sh
@@ -9,11 +9,12 @@ docker create \
 	-v /var/run/docker.sock:/var/run/docker.sock \
 	-v `pwd`:/cm \
 	--name databox-cm \
-	--label databox.type=container-manager \
 	-e "DATABOX_DEV=1" \
+	--label databox.type=container-manager \
 	-p 8989:8989 \
 	-t node:latest npm --prefix /cm start
 
+
 docker network connect databox-cloud-net databox-cm
 docker network connect databox-app-net databox-cm
 docker network connect databox-driver-net databox-cm

diff --git a/src/config.json b/src/config.json
@@ -1,5 +1,5 @@
 {
-	"registryUrl": "docker.io/databoxsystems",
+	"registryUrl": "registry.hub.docker.com/databoxsystems",
 	"storeUrl": "https://store.iotdatabox.com",
 	"registryUrl_dev": "localhost:5000",
 	"storeUrl_dev": "http://localhost:8181",

diff --git a/src/container-manager.js b/src/container-manager.js
@@ -264,6 +264,8 @@ exports.removeContainer = function (cont) {
 					db.deleteSLA(name, false)
 						.then(resolve(info))
 						.catch((err) => reject(err));
+
+					revokeContainerPermissions({'name': name});
 				});
 			});
 	});
@@ -437,11 +439,12 @@ exports.launchArbiter = function () {
 
 
 var DATABOX_LOGSTORE_ENDPOINT = null;
+var DATABOX_LOGSTORE_NAME = "databox-logstore";
 var DATABOX_LOGSTORE_PORT = 8080;
 exports.launchLogStore = function () {
 
 	return new Promise((resolve, reject) => {
-		var name = "databox-logstore" + ARCH;
+		var name = DATABOX_LOGSTORE_NAME + ARCH;
 		var arbiterToken = "";
 		pullImage(name + ":latest")
 			.then(() => {
@@ -485,7 +488,7 @@ exports.launchLogStore = function () {
 				return updateArbiter(update);
 			})
 			.then((logstore) => {
-				DATABOX_LOGSTORE_ENDPOINT = 'https://' + name + ':' + DATABOX_LOGSTORE_PORT;
+				DATABOX_LOGSTORE_ENDPOINT = 'https://' + DATABOX_LOGSTORE_NAME + ':' + DATABOX_LOGSTORE_PORT;
 				resolve(logstore);
 			})
 			.catch((err) => {
@@ -664,6 +667,67 @@ var updateArbiter = function (data) {
 };
 exports.updateArbiter = updateArbiter;
 
+var updateContainerPermissions = function (permissions) {
+
+	return new Promise((resolve, reject) => {
+		getContainer(arbiterName)
+			.then((Arbiter) => {
+				return getContainerInfo(Arbiter);
+			})
+			.then((arbiterInfo) => {
+				var options = {
+						url: DATABOX_ARBITER_ENDPOINT + "/cm/grant-container-permissions",
+						method:'POST',
+						form: permissions,
+						agent: arbiterAgent,
+						headers: {
+							'x-api-key': arbiterKey
+						}
+					};
+				request(
+					options,
+					function (err, response, body) {
+						if (err) {
+							reject(err);
+							return;
+						}
+						resolve(JSON.parse(body));
+					});
+			})
+			.catch((err) => reject(err));
+	});
+};
+
+var revokeContainerPermissions = function (permissions) {
+	return new Promise((resolve, reject) => {
+		getContainer(arbiterName)
+			.then((Arbiter) => {
+				return getContainerInfo(Arbiter);
+			})
+			.then((arbiterInfo) => {
+				var options = {
+						url: DATABOX_ARBITER_ENDPOINT + "/cm/delete-container-info",
+						method:'POST',
+						form: permissions,
+						agent: arbiterAgent,
+						headers: {
+							'x-api-key': arbiterKey
+						}
+					};
+				request(
+					options,
+					function (err, response, body) {
+						if (err) {
+							reject(err);
+							return;
+						}
+						resolve();
+					});
+			})
+			.catch((err) => reject(err));
+	});
+};
+
 var launchDependencies = function (containerSLA) {
 	var promises = [];
 	for (var requiredType in containerSLA['resource-requirements']) {
@@ -786,10 +850,18 @@ let launchContainer = function (containerSLA) {
 					}
 					config.Binds = binds;
 				}
-
+				proms = [];
 				if ('datasources' in containerSLA) {
 					for (let datasource of containerSLA.datasources) {
 						config.Env.push("DATASOURCE_" + datasource.clientid + "=" + JSON.stringify(datasource.hypercat));
+						if (datasource.enabled) {
+ 							// Grant read assess to enabled datasources
+							 proms.push(updateContainerPermissions({
+										name: containerSLA.name,
+										route: {target:containerSLA.host, path: containerSLA.api_url, method:'GET'}
+										//caveats: ""
+									}));
+ 						}
 					}
 				}
 
@@ -800,11 +872,12 @@ let launchContainer = function (containerSLA) {
 					}
 				}
 
-				// Create Container
-				return dockerHelper.createContainer(config);
+				// TODO: Separate from other promises
+ 				proms.push(dockerHelper.createContainer(config));
+ 				return Promise.all(proms);
 			})
-			.then((container) => {
-				return startContainer(container);
+			.then((results) => {
+				return startContainer(results[results.length - 1]);
 			})
 			.then((container) => {
 				launched.push(container);
@@ -822,6 +895,46 @@ let launchContainer = function (containerSLA) {
 				return updateArbiter(update);
 			})
 			.then(() => {
+				//grant write access to requested stores
+				var dependentStores = launched.filter((itm)=>{ return itm.type == 'store'; });
+				for(store of dependentStores) {
+
+					if(containerSLA.localContainerName != store.name) {
+
+						console.log('[Adding read permissions] for ' + containerSLA.localContainerName + ' on ' + store.name + '/status');
+						updateContainerPermissions({
+							name: containerSLA.localContainerName,
+							route: {target: store.name, path: '/status', method:'GET'}
+							//caveats: ""
+						})
+						.catch((err)=>{
+							console.log("[ERROR adding permissions for " + name + "] " + err);
+							reject(err);
+						});
+
+						console.log('[Adding write permissions] for ' + containerSLA.localContainerName + ' on ' + store.name);
+						updateContainerPermissions({
+							name: containerSLA.localContainerName,
+							route: {target: store.name, path: '/*', method:'POST'}
+							//caveats: ""
+						})
+						.catch((err)=>{
+							console.log("[ERROR adding permissions for " + name + "] " + err);
+							reject(err);
+						});
+
+						console.log('[Adding write permissions] for ' + containerSLA.localContainerName + ' on ' + DATABOX_LOGSTORE_NAME + '/' + containerSLA.localContainerName);
+						updateContainerPermissions({
+							name: containerSLA.localContainerName,
+							route: {target: DATABOX_LOGSTORE_NAME, path: '/' + containerSLA.localContainerName + '/*', method:'POST'}
+							//caveats: ""
+						})
+						.catch((err)=>{
+							console.log("[ERROR adding permissions for " + name + "] " + err);
+							reject(err);
+						});
+					}
+				}
 				resolve(launched);
 			})
 			.catch((err) => {

diff --git a/src/lib/databox-macaroon-cache.js b/src/lib/databox-macaroon-cache.js
@@ -15,25 +15,27 @@ var macaroonCache = {};
  * @return {Promise} A promise that resolves with a shared secret gotten from the arbiter
  * 
  */
-function getMacaroon(host) {
+function getMacaroon(host,path) {
     return new Promise((resolve, reject) => {
 
         if(macaroonCache[host]) {
             console.log("[macaroonCache] returning cashed macaroon");
             //TODO check if the macaroon has expired? for now if a request fails we invalidate the macaroon
-            resolve(macaroonCache[host]);
+            resolve(macaroonCache[host+path]);
             return;
         }
 
         //
         // Macroon has not been requested. Get a new one.
         //
-        console.log("[macaroonCache] cashed macaroon not found for " + host + " requesting one");
+        console.log("[macaroonCache] cashed macaroon not found for " + host+path + " requesting one");
         var opts = {
                 uri: DATABOX_ARBITER_ENDPOINT+'/token',
                 method: 'POST',
                 form: {
                             target: host,
+                            path: path,
+                            method: 'GET',
                         },
                 headers: {'X-Api-Key': ARBITER_TOKEN},
                 agent: httpsAgent
@@ -50,9 +52,9 @@ function getMacaroon(host) {
                 reject(body);
                 return;
             }
-            macaroonCache[host] = body;
+            macaroonCache[host+path] = body;
             console.log("[macaroonCache] returning new macaroon");
-            resolve(macaroonCache[host]);
+            resolve(macaroonCache[host+path]);
         });
     });
 }

diff --git a/src/lib/databox-request-promise.js b/src/lib/databox-request-promise.js
@@ -70,7 +70,7 @@ module.exports = function (options,callback) {
             //
             // we are talking to another databox component so we need a macaroon!
             //
-            macaroonCache.getMacaroon(host)
+            macaroonCache.getMacaroon(host,path)
             .then((macaroon)=>{
                 //do the request and call back when done
                 options.headers = {'X-Api-Key': macaroon};

diff --git a/src/server.js b/src/server.js
@@ -22,25 +22,6 @@ var url = require('url');
 
 var app = express();
 
-//
-// The  container manager can't always access or resolve containers by hostname.
-// This catches any resolve errors and points them at 127.0.0.1.
-// It it enables the  container manager UI to proxy over https to any docker container
-// along as it knows the docker assigned port that the service is running on. 
-// N.B this effects all dns lookups by the container manager!!
-/*var dns = require('dns');
-var origLookup = dns.lookup
-dns.lookup = function (domain, options, callback) {
-	origLookup(domain, options, function(err, address, family){
-		if(err) {
-			console.log("[DNS Intercepted] for " + domain + " returning 127.0.0.1");
-			callback(null, '127.0.0.1', 4);
-		} else {
-			callback(err, address, family);
-		}
-	});
-};*/
-
 module.exports = {
 	proxies: {},
 	app: app,