bosh-director 1.3200.0 → 1.3202.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 634bdc4da008c31275e924ef19624d4e812d281a
-  data.tar.gz: 819f05473912f7888618d23d6277705a7c360440
+  metadata.gz: 2c0a7cb66eb81b7bc267bfbe73d9c21b7493842a
+  data.tar.gz: cb26be183757635f946fc7db7b440e5d5cd745fa
 SHA512:
-  metadata.gz: b4ea8e52ad2ed2802492c8cfd3ed2ff5a723b9a2b7812d929f8cc422826a204ef4715ad97975a68470e04555078bf3b71aefe1f3468464a296e75d6a37a6dc22
-  data.tar.gz: 7044c0da7e694f38d7792b7ff65b8e609f99bb5251b65930137fb64ca07de7fcc3ffb6440aa9a3960ab6bfd5f834cb5a90dc618c910a909a52b9aadff5f62aa3
+  metadata.gz: c007a923353b2face4ab79b4e11a5aee2a5ef8838433cd4bb4bdb3339336f4b8d54727fb2cf9f8761d9f0cae51b644ca42a8ba6e15b19c23a3a6fe2405f0f00c
+  data.tar.gz: f4e508a6c6920cd4da88f4c614d07b09f690962ef900485bfda426f6e09159765595e0549530e96192b3dd9f7dc9722f84f156eb173ae7ecc3dafcb6184c877a

data/db/migrations/director/20160211193904_add_scopes_to_deployment.rb

@@ -0,0 +1,7 @@
+Sequel.migration do
+  change do
+    alter_table(:deployments) do
+      add_column :scopes, String, default: 'bosh.admin'
+    end
+  end
+end

data/lib/bosh/director.rb

@@ -88,6 +88,7 @@ require 'bosh/director/problem_scanner/scanner'
 require 'bosh/director/problem_resolver'
 require 'bosh/director/error_ignorer'
 require 'bosh/director/deployment_deleter'
+require 'bosh/director/permission_authorizer'
 require 'bosh/director/transactor'
 require 'bosh/director/sequel'
 require 'common/thread_pool'

data/lib/bosh/director/api/controllers/deployments_controller.rb

@@ -125,7 +125,7 @@ module Bosh::Director
 
       delete '/:deployment/snapshots/:cid' do
         deployment = @deployment_manager.find_by_name(params[:deployment])
-        snapshot = @snapshot_manager.find_by_cid(deployment, params[:cid])
+        @snapshot_manager.find_by_cid(deployment, params[:cid])
 
         task = @snapshot_manager.delete_snapshots_task(current_user, [params[:cid]])
         redirect "/tasks/#{task.id}"
@@ -133,8 +133,8 @@ module Bosh::Director
 
       get '/', scope: :read do
         latest_cloud_config = Api::CloudConfigManager.new.latest
-        deployments = Models::Deployment.order_by(:name.asc).map do |deployment|
-        cloud_config = if deployment.cloud_config.nil?
+        deployments = @deployment_manager.find_available(token_scopes).map do |deployment|
+          cloud_config = if deployment.cloud_config.nil?
                          'none'
                        elsif deployment.cloud_config == latest_cloud_config
                          'latest'
@@ -272,9 +272,10 @@ module Bosh::Director
           context = JSON.parse(params['context'])
           cloud_config = Api::CloudConfigManager.new.find_by_id(context['cloud_config_id'])
         else
-          cloud_config =Api::CloudConfigManager.new.latest
+          cloud_config = Api::CloudConfigManager.new.latest
         end
 
+        options.merge!('scopes' => token_scopes)
         task = @deployment_manager.create_deployment(current_user, request.body, cloud_config, options)
         redirect "/tasks/#{task.id}"
       end

data/lib/bosh/director/api/deployment_manager.rb

@@ -3,14 +3,21 @@ module Bosh::Director
     class DeploymentManager
       include ApiHelper
 
-      # Finds deployment by name
-      # @param [String] name
-      # @return [Models::Deployment] Deployment model
-      # @raise [DeploymentNotFound]
+      def initialize
+        @permission_authorizer = Bosh::Director::PermissionAuthorizer.new
+      end
+
       def find_by_name(name)
         DeploymentLookup.new.by_name(name)
       end
 
+      def find_available(token_scopes)
+        deployments = Bosh::Director::Models::Deployment.order_by(:name.asc).all
+        deployments.select do |deployment|
+          @permission_authorizer.is_authorized?(deployment.scopes.split((',')), token_scopes)
+        end
+      end
+
       def create_deployment(username, deployment_manifest, cloud_config, options = {})
         random_name = "deployment-#{SecureRandom.uuid}"
         deployment_manifest_dir = Dir::tmpdir

data/lib/bosh/director/api/extensions/scoping.rb

@@ -2,9 +2,15 @@ module Bosh::Director
   module Api
     module Extensions
       module Scoping
+        ROUTES_WITH_EXTENDED_TIMEOUT = ['/stemcells', '/releases', '/restore']
+
         module Helpers
           def current_user
             @user.username if @user
+            end
+
+          def token_scopes
+            @user.scopes if @user
           end
         end
 
@@ -29,7 +35,11 @@ module Bosh::Director
 
             if auth_provided
               begin
-                @user = identity_provider.get_user(request.env)
+                extended_token_timeout = ROUTES_WITH_EXTENDED_TIMEOUT.include?(request.path) &&
+                    request.media_type == mime_type(:multipart) &&
+                    request.request_method == 'POST'
+
+                @user = identity_provider.get_user(request.env, extended_token_timeout: extended_token_timeout)
               rescue AuthenticationError
               end
             end

data/lib/bosh/director/api/local_identity_provider.rb

@@ -6,7 +6,7 @@ module Bosh
       class LocalIdentityProvider
         extend Forwardable
 
-        def initialize(options, _)
+        def initialize(options)
           users = options.fetch('users', [])
           @user_manager = Bosh::Director::Api::UserManagerProvider.new.user_manager(users)
         end
@@ -18,7 +18,7 @@ module Bosh
           {'type' => 'basic', 'options' => {}}
         end
 
-        def get_user(request_env)
+        def get_user(request_env, _)
           auth ||= Rack::Auth::Basic::Request.new(request_env)
           raise AuthenticationError unless auth.provided? && auth.basic? && auth.credentials
 
@@ -38,7 +38,11 @@ module Bosh
         end
       end
 
-      class LocalUser < Struct.new(:username, :password); end
+      class LocalUser < Struct.new(:username, :password)
+        def scopes
+          ['bosh.admin']
+        end
+      end
     end
   end
 end

data/lib/bosh/director/api/uaa_identity_provider.rb

@@ -4,10 +4,12 @@ module Bosh
   module Director
     module Api
       class UAAIdentityProvider
-        def initialize(options, director_uuid_provider)
+        MAX_TOKEN_EXTENSION_TIME_IN_SECONDS = 3600
+
+        def initialize(options)
           @url = options.fetch('url')
           Config.logger.debug "Initializing UAA Identity provider with url #{@url}"
-          @director_uuid = director_uuid_provider.uuid
+          @permission_authorizer = Bosh::Director::PermissionAuthorizer.new
           @token_coder = CF::UAA::TokenCoder.new(skey: options.fetch('symmetric_key', nil), pkey: options.fetch('public_key', nil), scope: [])
         end
 
@@ -24,9 +26,20 @@ module Bosh
           }
         end
 
-        def get_user(request_env)
+        def get_user(request_env, options)
           auth_header = request_env['HTTP_AUTHORIZATION']
-          token = @token_coder.decode(auth_header)
+
+          if options[:extended_token_timeout]
+            request_time_in_seconds = request_env.fetch('HTTP_X_BOSH_UPLOAD_REQUEST_TIME').to_i
+            request_time_in_seconds = MAX_TOKEN_EXTENSION_TIME_IN_SECONDS if request_time_in_seconds > MAX_TOKEN_EXTENSION_TIME_IN_SECONDS
+
+            Config.logger.debug("Using extended token timeout, request took #{request_time_in_seconds} seconds")
+
+            token = @token_coder.decode_at_reference_time(auth_header, Time.now.to_i - request_time_in_seconds)
+          else
+            token = @token_coder.decode(auth_header)
+          end
+
           UaaUser.new(token)
         rescue CF::UAA::DecodeError, CF::UAA::AuthError => e
           raise AuthenticationError, e.message
@@ -35,36 +48,16 @@ module Bosh
         def valid_access?(user, requested_access)
           if user.scopes
             required_scopes = required_scopes(requested_access)
-            return has_admin_scope?(user.scopes) || contains_requested_scope?(required_scopes, user.scopes)
+            return @permission_authorizer.has_team_admin_scope?(user.scopes) ||
+                    @permission_authorizer.has_admin_scope?(user.scopes) ||
+                    @permission_authorizer.contains_requested_scope?(required_scopes, user.scopes)
           end
 
           false
         end
 
         def required_scopes(requested_access)
-          permissions[requested_access]
-        end
-
-        private
-
-        def permissions
-          {
-            :read  => ['bosh.admin', "bosh.#{@director_uuid}.admin", 'bosh.read', "bosh.#{@director_uuid}.read"],
-            :write => ['bosh.admin', "bosh.#{@director_uuid}.admin"]
-          }
-        end
-
-        def has_admin_scope?(token_scopes)
-          !(intersect(permissions[:write], token_scopes).empty?)
-        end
-
-        def contains_requested_scope?(valid_scopes, token_scopes)
-          return false unless valid_scopes
-          !(intersect(valid_scopes, token_scopes).empty?)
-        end
-
-        def intersect(valid_scopes, token_scopes)
-          valid_scopes & token_scopes
+          @permission_authorizer.permissions[requested_access]
         end
       end
 

data/lib/bosh/director/config.rb

@@ -430,7 +430,7 @@ module Bosh::Director
         end
 
         Config.logger.debug("Director configured with '#{provider_name}' user management provider")
-        provider_class.new(user_management[provider_name] || {}, Bosh::Director::Api::DirectorUUIDProvider.new(Config))
+        provider_class.new(user_management[provider_name] || {})
       end
     end
 

data/lib/bosh/director/deployment_plan/deployment_repo.rb

@@ -1,22 +1,40 @@
-module Bosh
-  module Director
-    module DeploymentPlan
-      class DeploymentRepo
-        def find_or_create_by_name(name)
-          deployment = Models::Deployment.find(name: name)
-          return deployment if deployment
+module Bosh::Director
+  module DeploymentPlan
+    class DeploymentRepo
+      def initialize
+        @permission_authorizer = Bosh::Director::PermissionAuthorizer.new
+      end
+
+      def find_or_create_by_name(name, options={})
+        attributes = {name: name}
+        deployment = Bosh::Director::Models::Deployment.find(attributes)
+
+        if options['scopes']
+          attributes.merge!(scopes: options['scopes'].join(','))
+        end
+
+        if options['scopes'] && deployment
+          @permission_authorizer.raise_error_if_unauthorized(options['scopes'], deployment.scopes.split(','))
+        end
+
+        return deployment if deployment
+
+        create_for_attributes(attributes)
+      end
+
+      private
 
-          canonical_name = Canonicalizer.canonicalize(name)
-          transactor = Transactor.new
-          transactor.retryable_transaction(Models::Deployment.db) do
-            Models::Deployment.each do |other|
-              if Canonicalizer.canonicalize(other.name) == canonical_name
+      def create_for_attributes(attributes)
+        canonical_name = Canonicalizer.canonicalize(attributes[:name])
+        transactor = Transactor.new
+        transactor.retryable_transaction(Models::Deployment.db) do
+          Bosh::Director::Models::Deployment.each do |other|
+            if Canonicalizer.canonicalize(other.name) == canonical_name
                 raise DeploymentCanonicalNameTaken,
-                  "Invalid deployment name `#{name}', canonical name already taken (`#{canonical_name}')"
-              end
+                "Invalid deployment name `#{attributes[:name]}', canonical name already taken (`#{canonical_name}')"
             end
-            Models::Deployment.create(name: name)
           end
+          Bosh::Director::Models::Deployment.create(attributes)
         end
       end
     end

data/lib/bosh/director/deployment_plan/deployment_spec_parser.rb

@@ -70,7 +70,17 @@ module Bosh::Director
       end
 
       def parse_jobs
+        if @deployment_manifest.has_key?('jobs') && @deployment_manifest.has_key?('instance_groups')
+          raise JobBothInstanceGroupAndJob, "Deployment specifies both jobs and instance_groups keys, only one is allowed"
+        end
+
         jobs = safe_property(@deployment_manifest, 'jobs', :class => Array, :default => [])
+        instance_groups = safe_property(@deployment_manifest, 'instance_groups', :class => Array, :default => [])
+
+        if !instance_groups.empty?
+          jobs = instance_groups
+        end
+
         jobs.each do |job_spec|
           # get state specific for this job or all jobs
           state_overrides = @job_states.fetch(job_spec['name'], @job_states.fetch('*', {}))

data/lib/bosh/director/deployment_plan/instance.rb

@@ -114,6 +114,7 @@ module Bosh::Director
             state: state,
             compilation: @compilation,
             uuid: SecureRandom.uuid,
+            availability_zone: availability_zone_name,
             bootstrap: false
           })
         @uuid = @model.uuid

data/lib/bosh/director/deployment_plan/job_spec_parser.rb

@@ -116,6 +116,11 @@ module Bosh::Director
 
       def parse_templates
         templates = safe_property(@job_spec, 'templates', class: Array, optional: true)
+        jobs = safe_property(@job_spec, 'jobs', class: Array, optional: true)
+
+        if jobs && !jobs.empty?
+          templates = jobs
+        end
 
         if templates
           templates.each do |template_spec|
@@ -325,15 +330,23 @@ module Bosh::Director
       def validate_templates
         template_property = safe_property(@job_spec, 'template', optional: true)
         templates_property = safe_property(@job_spec, 'templates', optional: true)
+        jobs_property = safe_property(@job_spec, 'jobs', optional: true)
 
         if template_property && templates_property
-          raise JobInvalidTemplates,
-                "Job `#{@job.name}' specifies both template and templates keys, only one is allowed"
+          raise JobInvalidTemplates, "Job `#{@job.name}' specifies both template and templates keys, only one is allowed"
+        end
+
+        if templates_property && jobs_property
+          raise JobInvalidTemplates, "Job `#{@job.name}' specifies both templates and jobs keys, only one is allowed"
+        end
+
+        if template_property && jobs_property
+          raise JobInvalidTemplates, "Job `#{@job.name}' specifies both template and jobs keys, only one is allowed"
         end
 
-        if [template_property, templates_property].compact.empty?
+        if [template_property, templates_property, jobs_property].compact.empty?
           raise ValidationMissingField,
-                "Job `#{@job.name}' does not specify template or templates keys, one is required"
+                "Job `#{@job.name}' does not specify template, templates, or jobs keys, one is required"
         end
       end
 

data/lib/bosh/director/deployment_plan/manual_network_subnet.rb

@@ -69,10 +69,13 @@ module Bosh::Director
 
         static_ips = Set.new
         each_ip(static_property) do |ip|
-          unless range.contains?(ip) && !restricted_ips.include?(ip)
+          if restricted_ips.include?(ip)
             raise NetworkStaticIpOutOfRange,
-              "Static IP `#{format_ip(ip)}' is out of " +
-                "network `#{network_name}' range"
+              "Static IP `#{format_ip(ip)}' is in network `#{network_name}' reserved range"
+          end
+          unless range.contains?(ip)
+            raise NetworkStaticIpOutOfRange,
+              "Static IP `#{format_ip(ip)}' is out of network `#{network_name}' range"
           end
           static_ips.add(ip)
         end

data/lib/bosh/director/deployment_plan/planner_factory.rb

@@ -51,7 +51,7 @@ module Bosh
           @logger.debug("Migrated cloud config manifest:\n#{cloud_manifest}")
           name = deployment_manifest['name']
 
-          deployment_model = @deployment_repo.find_or_create_by_name(name)
+          deployment_model = @deployment_repo.find_or_create_by_name(name, options)
 
           attrs = {
             name: name,

data/lib/bosh/director/disk_manager.rb

@@ -27,10 +27,13 @@ module Bosh::Director
         disk.update(:active => true) if disk
       end
 
-      orphan_mounted_persistent_disk(instance, old_disk) if old_disk
+      orphan_mounted_persistent_disk(instance.model, old_disk) if old_disk
 
       inactive_disks = Models::PersistentDisk.where(active: false, instance: instance.model)
-      inactive_disks.each{|disk| detach_and_orphan_disk(disk, instance.model) }
+      inactive_disks.each do |disk|
+        detach_disk(instance.model, disk)
+        orphan_disk(disk)
+      end
     end
 
     def attach_disks_if_needed(instance_plan)
@@ -65,6 +68,24 @@ module Bosh::Director
       end
     end
 
+    def unorphan_disk(disk, instance_id)
+      @transactor.retryable_transaction(Bosh::Director::Config.db) do
+        new_disk = Models::PersistentDisk.create(
+            disk_cid: disk.disk_cid,
+            instance_id: instance_id,
+            active: true,
+            size: disk.size,
+            cloud_properties: disk.cloud_properties)
+
+        disk.orphan_snapshots.each do |snapshot|
+          Models::Snapshot.create(persistent_disk: new_disk, snapshot_cid: snapshot.snapshot_cid, clean: snapshot.clean)
+          snapshot.destroy
+        end
+
+        disk.destroy
+      end
+    end
+
     def list_orphan_disks
       Models::OrphanDisk.all.map do |disk|
         {
@@ -92,7 +113,7 @@ module Bosh::Director
     def unmount_disk_for(instance_plan)
       disk = instance_plan.instance.model.persistent_disk
       return if disk.nil?
-      unmount(instance_plan.instance, disk)
+      unmount_disk(instance_plan.instance.model, disk)
     end
 
     def delete_orphan_disk(orphan_disk)
@@ -109,33 +130,62 @@ module Bosh::Director
       end
     end
 
-    def orphan_mounted_persistent_disk(instance, disk)
-      unmount(instance, disk)
-
-      disk_cid = disk.disk_cid
-      if disk_cid.nil?
-        @logger.info('Skipping disk detaching, instance does not have a disk')
-        return
-      end
-
-      detach_and_orphan_disk(disk, instance.model)
-    end
-
     def attach_disk(instance_model)
       disk_cid = instance_model.persistent_disk_cid
       return @logger.info('Skipping disk attaching') if disk_cid.nil?
 
       begin
         @cloud.attach_disk(instance_model.vm_cid, disk_cid)
-        AgentClient.with_vm_credentials_and_agent_id(instance_model.credentials, instance_model.agent_id).mount_disk(disk_cid)
+        agent_client(instance_model).mount_disk(disk_cid)
       rescue => e
         @logger.warn("Failed to attach disk to new VM: #{e.inspect}")
         raise e
       end
     end
 
+    def detach_disk(instance_model, disk)
+      begin
+        @logger.info("Detaching disk #{disk.disk_cid}")
+        @cloud.detach_disk(instance_model.vm_cid, disk.disk_cid)
+      rescue Bosh::Clouds::DiskNotAttached
+        if disk.active
+          raise CloudDiskNotAttached,
+                "`#{instance_model}' VM should have persistent disk attached " +
+                    "but it doesn't (according to CPI)"
+        end
+      end
+    end
+
+    def unmount_disk(instance_model, disk)
+      disk_cid = disk.disk_cid
+      if disk_cid.nil?
+        @logger.info('Skipping disk unmounting, instance does not have a disk')
+        return
+      end
+
+      if agent_mounted_disks(instance_model).include?(disk_cid)
+        @logger.info("Stopping instance '#{instance_model}' before unmount")
+        agent_client(instance_model).stop
+        @logger.info("Unmounting disk '#{disk_cid}'")
+        agent_client(instance_model).unmount_disk(disk_cid)
+      end
+    end
+
     private
 
+    def orphan_mounted_persistent_disk(instance_model, disk)
+      unmount_disk(instance_model, disk)
+
+      disk_cid = disk.disk_cid
+      if disk_cid.nil?
+        @logger.info('Skipping disk detaching, instance does not have a disk')
+        return
+      end
+
+      detach_disk(instance_model, disk)
+      orphan_disk(disk)
+    end
+
     def delete_orphan_snapshot(orphan_snapshot)
       begin
         snapshot_cid = orphan_snapshot.snapshot_cid
@@ -157,36 +207,7 @@ module Bosh::Director
           clean: snapshot.clean,
           snapshot_created_at: snapshot.created_at
         )
-        snapshot.delete
-      end
-    end
-
-    def detach_and_orphan_disk(disk, instance_model)
-      begin
-        @logger.info("Detaching disk #{disk.disk_cid}")
-        @cloud.detach_disk(instance_model.vm_cid, disk.disk_cid)
-      rescue Bosh::Clouds::DiskNotAttached
-        if disk.active
-          raise CloudDiskNotAttached,
-                "`#{instance_model}' VM should have persistent disk attached " +
-                  "but it doesn't (according to CPI)"
-        end
-      end
-      orphan_disk(disk)
-    end
-
-    def unmount(instance, disk)
-      disk_cid = disk.disk_cid
-      if disk_cid.nil?
-        @logger.info('Skipping disk unmounting, instance does not have a disk')
-        return
-      end
-
-      if agent_mounted_disks(instance).include?(disk_cid)
-        @logger.info("Stopping instance '#{instance}' before unmount")
-        agent_client(instance).stop
-        @logger.info("Unmounting disk '#{disk_cid}'")
-        agent_client(instance).unmount_disk(disk_cid)
+        snapshot.destroy
       end
     end
 
@@ -196,7 +217,7 @@ module Bosh::Director
     def check_persistent_disk(instance_plan)
       instance = instance_plan.instance
       return if instance.model.persistent_disks.empty?
-      agent_disk_cid = agent_mounted_disks(instance).first
+      agent_disk_cid = agent_mounted_disks(instance.model).first
 
       if agent_disk_cid.nil? && !instance_plan.needs_disk?
         @logger.debug('Disk is already detached')
@@ -214,12 +235,12 @@ module Bosh::Director
       end
     end
 
-    def agent_mounted_disks(instance)
-      agent_client(instance).list_disk
+    def agent_mounted_disks(instance_model)
+      agent_client(instance_model).list_disk
     end
 
-    def agent_client(instance)
-      AgentClient.with_vm_credentials_and_agent_id(instance.model.credentials, instance.model.agent_id)
+    def agent_client(instance_model)
+      AgentClient.with_vm_credentials_and_agent_id(instance_model.credentials, instance_model.agent_id)
     end
 
     def create_and_attach_disk(instance_plan, vm_recreator)
@@ -247,14 +268,14 @@ module Bosh::Director
     end
 
     def mount_and_migrate_disk(instance, new_disk, old_disk)
-      agent_client = agent_client(instance)
+      agent_client = agent_client(instance.model)
       agent_client.mount_disk(new_disk.disk_cid)
       # Mirgate to and from cids are actually ignored by the agent.
       # The first mount invocation is the source, and the last mount invocation is the target.
       agent_client.migrate_disk(old_disk.disk_cid, new_disk.disk_cid) if old_disk
     rescue => e
       @logger.debug("Failed to migrate disk, deleting new disk. #{e.inspect}")
-      orphan_mounted_persistent_disk(instance, new_disk)
+      orphan_mounted_persistent_disk(instance.model, new_disk)
       raise e
     end
 
@@ -264,8 +285,8 @@ module Bosh::Director
 
       disk_size = job.persistent_disk_type.disk_size
       cloud_properties = job.persistent_disk_type.cloud_properties
-
       disk_cid = @cloud.create_disk(disk_size, cloud_properties, instance_model.vm_cid)
+
       Models::PersistentDisk.create(
         disk_cid: disk_cid,
         active: false,

data/lib/bosh/director/errors.rb

@@ -175,6 +175,7 @@ module Bosh::Director
   JobMissingAvailabilityZones = err(140017)
   JobUnknownAvailabilityZone = err(140018)
   JobAmbiguousEnv = err(140019)
+  JobBothInstanceGroupAndJob = err(140020)
 
   # Manifest parsing: job networks section
   JobUnknownNetwork = err(150001)
@@ -267,4 +268,7 @@ module Bosh::Director
   AttachDiskErrorUnknownInstance = err(520001)
   AttachDiskNoPersistentDisk =  err(520002)
   AttachDiskInvalidInstanceState = err(520003)
+
+  # Authorization errors
+  UnauthorizedToAccessDeployment = err(600000)
 end

data/lib/bosh/director/instance_updater/state_applier.rb

@@ -24,7 +24,14 @@ module Bosh::Director
 
       if @instance.state == 'started'
         if current_state['job_state'] != 'running'
-          raise AgentJobNotRunning, "`#{@instance}' is not running after update"
+          failing_jobs = Array(current_state['processes']).map do |process|
+            process['name'] if process['state'] != 'starting' && process['state'] != 'running'
+          end.compact
+
+          error_message = "`#{@instance}' is not running after update."
+          error_message += " Review logs for failed jobs: #{failing_jobs.join(", ")}" if !failing_jobs.empty?
+
+          raise AgentJobNotRunning, error_message
         else
           @agent_client.run_script('post-start', {})
         end

data/lib/bosh/director/jobs/attach_disk.rb

@@ -18,11 +18,28 @@ module Bosh::Director
         @instance_id = instance_id
         @disk_cid = disk_cid
         @transactor = Transactor.new
+        @disk_manager = DiskManager.new(Config.cloud, logger)
       end
 
       def perform
         instance = query_instance_model
+        validate_instance(instance)
 
+        @transactor.retryable_transaction(instance.db) do
+          handle_previous_disk(instance) if instance.persistent_disk
+          handle_new_disk(instance)
+        end
+
+        "attached disk '#{@disk_cid}' to '#{@job_name}/#{@instance_id}' in deployment '#{@deployment_name}'"
+      end
+
+      private
+
+      def query_instance_model
+        Models::Instance.filter(job: @job_name, uuid: @instance_id).first
+      end
+
+      def validate_instance(instance)
         if instance.nil? || instance.deployment.name != @deployment_name
           raise AttachDiskErrorUnknownInstance, "Instance '#{@job_name}/#{@instance_id}' in deployment '#{@deployment_name}' was not found"
         end
@@ -30,94 +47,34 @@ module Bosh::Director
         if instance.state != 'detached' && instance.state != 'stopped'
           raise AttachDiskInvalidInstanceState, "Instance '#{@job_name}/#{@instance_id}' in deployment '#{@deployment_name}' must be in 'bosh stopped' state"
         end
+      end
 
-        if instance.persistent_disk.nil?
-          raise AttachDiskNoPersistentDisk, "Job '#{@job_name}' is not configured with a persistent disk"
-        end
-
+      def handle_previous_disk(instance)
         previous_persistent_disk = instance.persistent_disk
-        @transactor.retryable_transaction(instance.db) do
-          instance.persistent_disk.update(active: false)
-
-          orphan_disk = Models::OrphanDisk[:disk_cid => @disk_cid]
-          if orphan_disk
-
-            current_disk = Models::PersistentDisk[instance_id: instance.id]
-            if current_disk
-              create_orphan_disk_from_current_disk(current_disk)
-            end
-
-            create_new_disk_from_orphan_disk(orphan_disk, instance)
-          else
-            Models::PersistentDisk.create(disk_cid: @disk_cid, instance_id: instance.id, active: true, size: 1, cloud_properties: {})
-          end
-        end
+        previous_persistent_disk.update(active: false)
 
         if instance.state == 'stopped'
-          instance = query_instance_model
-          deployment_plan_instance = deployment_plan_instance(instance)
-          if deployment_plan_instance.nil?
-            raise AttachDiskErrorUnknownInstance, "Deployment plan instance not found for instance model with id #{@instance_id}"
-          end
-
-          disk_manager = DiskManager.new(Config.cloud, logger)
-          disk_manager.orphan_mounted_persistent_disk(deployment_plan_instance, previous_persistent_disk)
-          disk_manager.attach_disk(instance)
+          @disk_manager.detach_disk(instance, previous_persistent_disk)
+          @disk_manager.unmount_disk(instance, previous_persistent_disk)
         end
 
-        "attached disk '#{@disk_cid}' to '#{@job_name}/#{@instance_id}' in deployment '#{@deployment_name}'"
+        @disk_manager.orphan_disk(previous_persistent_disk)
       end
 
-      private
-
-      def create_orphan_disk_from_current_disk(current_disk)
-        new_orphan_disk = Models::OrphanDisk.create(disk_cid: current_disk.disk_cid,
-                                                    size: current_disk.size,
-                                                    availability_zone: current_disk.instance.availability_zone,
-                                                    deployment_name: current_disk.instance.deployment.name,
-                                                    instance_name: current_disk.instance.name,
-                                                    cloud_properties: current_disk.cloud_properties)
-
-        current_disk.snapshots.each do |snapshot|
-          Models::OrphanSnapshot.create(orphan_disk: new_orphan_disk,
-                                        snapshot_cid: snapshot.snapshot_cid,
-                                        clean: snapshot.clean,
-                                        snapshot_created_at: snapshot.created_at)
-          snapshot.destroy
+      def handle_new_disk(instance)
+        orphan_disk = Models::OrphanDisk[:disk_cid => @disk_cid]
+        if orphan_disk
+          @disk_manager.unorphan_disk(orphan_disk, instance.id)
+        else
+          Models::PersistentDisk.create(disk_cid: @disk_cid, instance_id: instance.id, active: true, size: 1, cloud_properties: {})
         end
 
-        current_disk.destroy
-      end
-
-      def create_new_disk_from_orphan_disk(orphan_disk, instance)
-        new_disk = Models::PersistentDisk.create(disk_cid: orphan_disk.disk_cid,
-                                                 instance_id: instance.id,
-                                                 active: true,
-                                                 size: orphan_disk.size,
-                                                 cloud_properties: orphan_disk.cloud_properties)
-
-        orphan_disk.orphan_snapshots.each do |snapshot|
-          Models::Snapshot.create(persistent_disk: new_disk, snapshot_cid: snapshot.snapshot_cid, clean: snapshot.clean)
-          snapshot.destroy
+        if instance.state == 'stopped'
+          instance = query_instance_model
+          @disk_manager.attach_disk(instance)
         end
-
-        orphan_disk.destroy
-      end
-
-      def query_instance_model
-        Models::Instance.filter(job: @job_name, uuid: @instance_id).to_a.first
       end
 
-      def deployment_plan_instance(instance)
-        deployment_model = Api::DeploymentLookup.new.by_name(@deployment_name)
-        planner_factory = DeploymentPlan::PlannerFactory.create(logger)
-        deployment_plan = planner_factory.create_from_model(deployment_model)
-        job = deployment_plan.job(@job_name)
-
-        deployment_plan_instance = DeploymentPlan::Instance.create_from_job(job, 0, instance.state, deployment_model, instance.state, instance.availability_zone, logger)
-        deployment_plan_instance.bind_existing_instance_model(instance)
-        deployment_plan_instance
-      end
     end
   end
 end

data/lib/bosh/director/jobs/update_deployment.rb

@@ -12,8 +12,8 @@ module Bosh::Director
       def initialize(manifest_file_path, cloud_config_id, options = {})
         @blobstore = App.instance.blobstores.blobstore
         @manifest_file_path = manifest_file_path
-        @options = options
         @cloud_config_id = cloud_config_id
+        @options = options
       end
 
       def perform

data/lib/bosh/director/models/director_attribute.rb

@@ -26,6 +26,11 @@ module Bosh::Director::Models
       end
     end
 
+    def self.uuid
+      uuid = first(name: 'uuid')
+      return uuid.value if uuid
+    end
+
     def self.update_or_create_uuid(value, logger)
       if where(name: 'uuid').update(value: value) == 0
         create(name: 'uuid', value: value)

data/lib/bosh/director/permission_authorizer.rb

@@ -0,0 +1,54 @@
+module Bosh::Director
+  class PermissionAuthorizer
+    def initialize
+      @director_uuid ||= Bosh::Director::Models::DirectorAttribute.uuid
+    end
+
+    def has_admin_scope?(token_scopes)
+      !(intersect(permissions[:write], token_scopes).empty?)
+    end
+
+    def has_admin_or_director_read_scope?(token_scopes)
+      !(intersect(permissions[:read], token_scopes).empty?)
+    end
+
+    def has_team_admin_scope?(token_scopes)
+      token_scopes.any? do |e|
+        /bosh.teams.[^\.]+.admin/ =~ e
+      end
+    end
+
+    def contains_requested_scope?(valid_scopes, token_scopes)
+      return false unless valid_scopes
+      !(intersect(valid_scopes, token_scopes).empty?)
+    end
+
+    def permissions
+      {
+        :read  => ['bosh.admin', "bosh.#{@director_uuid}.admin", 'bosh.read', "bosh.#{@director_uuid}.read"],
+        :write => ['bosh.admin', "bosh.#{@director_uuid}.admin"]
+      }
+    end
+
+    def is_authorized?(provided_scopes, token_scopes)
+      return true if has_admin_or_director_read_scope?(token_scopes)
+
+      return contains_requested_scope?(provided_scopes, token_scopes)
+    end
+
+    def raise_error_if_unauthorized(provided_scopes, deployment_scopes)
+      return if has_admin_scope?(provided_scopes)
+
+      if (deployment_scopes & provided_scopes).empty?
+        raise Bosh::Director::UnauthorizedToAccessDeployment,
+          'You are unauthorized to view this deployment. Please contact the BOSH admin.'
+      end
+    end
+
+    private
+
+    def intersect(valid_scopes, token_scopes)
+      valid_scopes & token_scopes
+    end
+  end
+end

data/lib/bosh/director/version.rb

@@ -1,5 +1,5 @@
 module Bosh
   module Director
-    VERSION = '1.3200.0'
+    VERSION = '1.3202.0'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bosh-director
 version: !ruby/object:Gem::Version
-  version: 1.3200.0
+  version: 1.3202.0
 platform: ruby
 authors:
 - VMware
@@ -16,98 +16,98 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
 - !ruby/object:Gem::Dependency
   name: bosh_cpi
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
 - !ruby/object:Gem::Dependency
   name: bosh-registry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
 - !ruby/object:Gem::Dependency
   name: blobstore_client
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
 - !ruby/object:Gem::Dependency
   name: bosh-core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
 - !ruby/object:Gem::Dependency
   name: bosh-director-core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
 - !ruby/object:Gem::Dependency
   name: bosh-template
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3200.0
+        version: 1.3202.0
 - !ruby/object:Gem::Dependency
   name: bosh_openstack_cpi
   requirement: !ruby/object:Gem::Requirement
@@ -658,6 +658,7 @@ files:
 - db/migrations/director/20151229184742_add_vm_attributes_to_instance.rb
 - db/migrations/director/20160108191637_drop_vm_env_json_from_instance.rb
 - db/migrations/director/20160121003800_drop_vms_fkeys.rb
+- db/migrations/director/20160211193904_add_scopes_to_deployment.rb
 - db/migrations/dns/20120123234908_initial.rb
 - lib/bosh/director.rb
 - lib/bosh/director/agent_client.rb
@@ -907,6 +908,7 @@ files:
 - lib/bosh/director/models/user.rb
 - lib/bosh/director/nats_rpc.rb
 - lib/bosh/director/network_reservation.rb
+- lib/bosh/director/permission_authorizer.rb
 - lib/bosh/director/problem_handlers/base.rb
 - lib/bosh/director/problem_handlers/inactive_disk.rb
 - lib/bosh/director/problem_handlers/invalid_problem.rb