Influxdata
/
chronograf
mirror of https://github.com/influxdata/chronograf.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Update enterprise users and roles to remove diffs instead of all

pull/2426/head
Chris Goller 2017-11-28 22:22:41 -06:00
parent 37d96f7cc7
commit 03f378d5d2
2 changed files with 100 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

157
enterprise/meta.go
View File

@ -23,8 +23,6 @@ type MetaClient struct {
client client client client
} }
type ClientBuilder func() client
// NewMetaClient represents a meta node in an Influx Enterprise cluster // NewMetaClient represents a meta node in an Influx Enterprise cluster
func NewMetaClient(url *url.URL) *MetaClient { func NewMetaClient(url *url.URL) *MetaClient {
return &MetaClient{ return &MetaClient{
@ -118,39 +116,10 @@ func (m *MetaClient) DeleteUser(ctx context.Context, name string) error {
return m.Post(ctx, "/user", a, nil) return m.Post(ctx, "/user", a, nil)
} }
// RemoveAllUserPerms revokes all permissions for a user in Influx Enterprise // RemoveUserPerms revokes permissions for a user in Influx Enterprise
func (m *MetaClient) RemoveAllUserPerms(ctx context.Context, name string) error { func (m *MetaClient) RemoveUserPerms(ctx context.Context, name string, perms Permissions) error {
user, err := m.User(ctx, name)
if err != nil {
return err
}
// No permissions to remove
if len(user.Permissions) == 0 {
return nil
}
a := &UserAction{ a := &UserAction{
Action: "remove-permissions", Action: "remove-permissions",
User: user,
}
return m.Post(ctx, "/user", a, nil)
}
// SetUserPerms removes all permissions and then adds the requested perms
func (m *MetaClient) SetUserPerms(ctx context.Context, name string, perms Permissions) error {
err := m.RemoveAllUserPerms(ctx, name)
if err != nil {
return err
}
// No permissions to add, so, user is in the right state
if len(perms) == 0 {
return nil
}
a := &UserAction{
Action: "add-permissions",
User: &User{ User: &User{
Name: name, Name: name,
Permissions: perms, Permissions: perms,
@ -159,6 +128,38 @@ func (m *MetaClient) SetUserPerms(ctx context.Context, name string, perms Permis
return m.Post(ctx, "/user", a, nil) return m.Post(ctx, "/user", a, nil)
} }
// SetUserPerms removes permissions not in set and then adds the requested perms
func (m *MetaClient) SetUserPerms(ctx context.Context, name string, perms Permissions) error {
user, err := m.User(ctx, name)
if err != nil {
return err
}
revoke, add := permissionsDifference(perms, user.Permissions)
// first, revoke all the permissions the user currently has, but,
// shouldn't...
if len(revoke) > 0 {
err := m.RemoveUserPerms(ctx, name, revoke)
if err != nil {
return err
}
}
// ... next, add any permissions the user should have
if len(add) > 0 {
a := &UserAction{
Action: "add-permissions",
User: &User{
Name: name,
Permissions: add,
},
}
return m.Post(ctx, "/user", a, nil)
}
return nil
}
// UserRoles returns a map of users to all of their current roles // UserRoles returns a map of users to all of their current roles
func (m *MetaClient) UserRoles(ctx context.Context) (map[string]Roles, error) { func (m *MetaClient) UserRoles(ctx context.Context) (map[string]Roles, error) {
res, err := m.Roles(ctx, nil) res, err := m.Roles(ctx, nil)
@ -235,39 +236,10 @@ func (m *MetaClient) DeleteRole(ctx context.Context, name string) error {
return m.Post(ctx, "/role", a, nil) return m.Post(ctx, "/role", a, nil)
} }
// RemoveAllRolePerms removes all permissions from a role // RemoveRolePerms revokes permissions from a role
func (m *MetaClient) RemoveAllRolePerms(ctx context.Context, name string) error { func (m *MetaClient) RemoveRolePerms(ctx context.Context, name string, perms Permissions) error {
role, err := m.Role(ctx, name)
if err != nil {
return err
}
// No permissions to remove
if len(role.Permissions) == 0 {
return nil
}
a := &RoleAction{ a := &RoleAction{
Action: "remove-permissions", Action: "remove-permissions",
Role: role,
}
return m.Post(ctx, "/role", a, nil)
}
// SetRolePerms removes all permissions and then adds the requested perms to role
func (m *MetaClient) SetRolePerms(ctx context.Context, name string, perms Permissions) error {
err := m.RemoveAllRolePerms(ctx, name)
if err != nil {
return err
}
// No permissions to add, so, role is in the right state
if len(perms) == 0 {
return nil
}
a := &RoleAction{
Action: "add-permissions",
Role: &Role{ Role: &Role{
Name: name, Name: name,
Permissions: perms, Permissions: perms,
@ -276,7 +248,39 @@ func (m *MetaClient) SetRolePerms(ctx context.Context, name string, perms Permis
return m.Post(ctx, "/role", a, nil) return m.Post(ctx, "/role", a, nil)
} }
// SetRoleUsers removes all users and then adds the requested users to role // SetRolePerms removes permissions not in set and then adds the requested perms to role
func (m *MetaClient) SetRolePerms(ctx context.Context, name string, perms Permissions) error {
role, err := m.Role(ctx, name)
if err != nil {
return err
}
revoke, add := permissionsDifference(perms, role.Permissions)
// first, revoke all the permissions the role currently has, but,
// shouldn't...
if len(revoke) > 0 {
err := m.RemoveRolePerms(ctx, name, revoke)
if err != nil {
return err
}
}
// ... next, add any permissions the role should have
if len(add) > 0 {
a := &RoleAction{
Action: "add-permissions",
Role: &Role{
Name: name,
Permissions: add,
},
}
return m.Post(ctx, "/role", a, nil)
}
return nil
}
// SetRoleUsers removes users not in role and then adds the requested users to role
func (m *MetaClient) SetRoleUsers(ctx context.Context, name string, users []string) error { func (m *MetaClient) SetRoleUsers(ctx context.Context, name string, users []string) error {
role, err := m.Role(ctx, name) role, err := m.Role(ctx, name)
if err != nil { if err != nil {
@ -320,6 +324,29 @@ func Difference(wants []string, haves []string) (revoke []string, add []string)
return return
} }
func permissionsDifference(wants Permissions, haves Permissions) (revoke Permissions, add Permissions) {
revoke = make(Permissions)
add = make(Permissions)
for scope, want := range wants {
have, ok := haves[scope]
if ok {
r, a := Difference(want, have)
revoke[scope] = r
add[scope] = a
} else {
add[scope] = want
}
}
for scope, have := range haves {
_, ok := wants[scope]
if !ok {
revoke[scope] = have
}
}
return
}
// AddRoleUsers updates a role to have additional users. // AddRoleUsers updates a role to have additional users.
func (m *MetaClient) AddRoleUsers(ctx context.Context, name string, users []string) error { func (m *MetaClient) AddRoleUsers(ctx context.Context, name string, users []string) error {
// No permissions to add, so, role is in the right state // No permissions to add, so, role is in the right state

16
enterprise/meta_test.go
View File

@ -595,7 +595,7 @@ func TestMetaClient_SetUserPerms(t *testing.T) {
wantErr bool wantErr bool
}{ }{
{ {
name: "Successful set permissions User", name: "Remove all permissions for a user",
fields: fields{ fields: fields{
URL: &url.URL{ URL: &url.URL{
Host: "twinpinesmall.net:8091", Host: "twinpinesmall.net:8091",
@ -615,7 +615,7 @@ func TestMetaClient_SetUserPerms(t *testing.T) {
wantRm: `{"action":"remove-permissions","user":{"name":"admin","permissions":{"":["ViewAdmin","ViewChronograf"]}}}`, wantRm: `{"action":"remove-permissions","user":{"name":"admin","permissions":{"":["ViewAdmin","ViewChronograf"]}}}`,
}, },
{ {
name: "Successful set permissions User", name: "Remove some permissions and add others",
fields: fields{ fields: fields{
URL: &url.URL{ URL: &url.URL{
Host: "twinpinesmall.net:8091", Host: "twinpinesmall.net:8091",
@ -1137,7 +1137,7 @@ func TestMetaClient_SetRolePerms(t *testing.T) {
wantErr bool wantErr bool
}{ }{
{ {
name: "Successful set permissions role", name: "Remove all roles from user",
fields: fields{ fields: fields{
URL: &url.URL{ URL: &url.URL{
Host: "twinpinesmall.net:8091", Host: "twinpinesmall.net:8091",
@ -1154,10 +1154,10 @@ func TestMetaClient_SetRolePerms(t *testing.T) {
ctx: context.Background(), ctx: context.Background(),
name: "admin", name: "admin",
}, },
wantRm: `{"action":"remove-permissions","role":{"name":"admin","permissions":{"":["ViewAdmin","ViewChronograf"]},"users":["marty"]}}`, wantRm: `{"action":"remove-permissions","role":{"name":"admin","permissions":{"":["ViewAdmin","ViewChronograf"]}}}`,
}, },
{ {
name: "Successful set single permissions role", name: "Remove some users and add permissions to other",
fields: fields{ fields: fields{
URL: &url.URL{ URL: &url.URL{
Host: "twinpinesmall.net:8091", Host: "twinpinesmall.net:8091",
@ -1179,7 +1179,7 @@ func TestMetaClient_SetRolePerms(t *testing.T) {
}, },
}, },
}, },
wantRm: `{"action":"remove-permissions","role":{"name":"admin","permissions":{"":["ViewAdmin","ViewChronograf"]},"users":["marty"]}}`, wantRm: `{"action":"remove-permissions","role":{"name":"admin","permissions":{"":["ViewAdmin","ViewChronograf"]}}}`,
wantAdd: `{"action":"add-permissions","role":{"name":"admin","permissions":{"telegraf":["ReadData"]}}}`, wantAdd: `{"action":"add-permissions","role":{"name":"admin","permissions":{"telegraf":["ReadData"]}}}`,
}, },
} }
@ -1218,7 +1218,7 @@ func TestMetaClient_SetRolePerms(t *testing.T) {
got, _ := ioutil.ReadAll(prm.Body) got, _ := ioutil.ReadAll(prm.Body)
if string(got) != tt.wantRm { if string(got) != tt.wantRm {
t.Errorf("%q. MetaClient.SetRolePerms() = %v, want %v", tt.name, string(got), tt.wantRm) t.Errorf("%q. MetaClient.SetRolePerms() removal = \n%v\n, want \n%v\n", tt.name, string(got), tt.wantRm)
} }
if tt.wantAdd != "" { if tt.wantAdd != "" {
prm := reqs[2] prm := reqs[2]
@ -1231,7 +1231,7 @@ func TestMetaClient_SetRolePerms(t *testing.T) {
got, _ := ioutil.ReadAll(prm.Body) got, _ := ioutil.ReadAll(prm.Body)
if string(got) != tt.wantAdd { if string(got) != tt.wantAdd {
t.Errorf("%q. MetaClient.SetRolePerms() = %v, want %v", tt.name, string(got), tt.wantAdd) t.Errorf("%q. MetaClient.SetRolePerms() addition = \n%v\n, want \n%v\n", tt.name, string(got), tt.wantAdd)
} }
} }
} }