influxdb/label/middleware_auth.go

package label

import (
	"context"

	"github.com/influxdata/influxdb/v2"
	"github.com/influxdata/influxdb/v2/authorizer"
	"github.com/influxdata/influxdb/v2/kit/platform"
)

var _ influxdb.LabelService = (*AuthedLabelService)(nil)

type AuthedLabelService struct {
	s             influxdb.LabelService
	orgIDResolver authorizer.OrgIDResolver
}

// NewAuthedLabelService constructs an instance of an authorizing label serivce.
func NewAuthedLabelService(s influxdb.LabelService, orgIDResolver authorizer.OrgIDResolver) *AuthedLabelService {
	return &AuthedLabelService{
		s:             s,
		orgIDResolver: orgIDResolver,
	}
}
func (s *AuthedLabelService) CreateLabel(ctx context.Context, l *influxdb.Label) error {
	if _, _, err := authorizer.AuthorizeCreate(ctx, influxdb.LabelsResourceType, l.OrgID); err != nil {
		return err
	}
	return s.s.CreateLabel(ctx, l)
}

func (s *AuthedLabelService) FindLabels(ctx context.Context, filter influxdb.LabelFilter, opt ...influxdb.FindOptions) ([]*influxdb.Label, error) {
	// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
	// will likely be expensive.
	ls, err := s.s.FindLabels(ctx, filter, opt...)
	if err != nil {
		return nil, err
	}
	ls, _, err = authorizer.AuthorizeFindLabels(ctx, ls)
	return ls, err
}

// FindLabelByID checks to see if the authorizer on context has read access to the label id provided.
func (s *AuthedLabelService) FindLabelByID(ctx context.Context, id platform.ID) (*influxdb.Label, error) {
	l, err := s.s.FindLabelByID(ctx, id)
	if err != nil {
		return nil, err
	}
	if _, _, err := authorizer.AuthorizeRead(ctx, influxdb.LabelsResourceType, id, l.OrgID); err != nil {
		return nil, err
	}
	return l, nil
}

// FindResourceLabels retrieves all labels belonging to the filtering resource if the authorizer on context has read access to it.
// Then it filters the list down to only the labels that are authorized.
func (s *AuthedLabelService) FindResourceLabels(ctx context.Context, filter influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
	if err := filter.ResourceType.Valid(); err != nil {
		return nil, err
	}

	orgID, err := s.orgIDResolver.FindResourceOrganizationID(ctx, filter.ResourceType, filter.ResourceID)
	if err != nil {
		return nil, err
	}

	if _, _, err := authorizer.AuthorizeRead(ctx, filter.ResourceType, filter.ResourceID, orgID); err != nil {
		return nil, err
	}

	// first fetch all labels for this resource
	ls, err := s.s.FindResourceLabels(ctx, filter)
	if err != nil {
		return nil, err
	}

	// then filter the labels we got to return only the ones the user is authorized to read
	ls, _, err = authorizer.AuthorizeFindLabels(ctx, ls)
	return ls, err
}

// UpdateLabel checks to see if the authorizer on context has write access to the label provided.
func (s *AuthedLabelService) UpdateLabel(ctx context.Context, id platform.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
	l, err := s.s.FindLabelByID(ctx, id)
	if err != nil {
		return nil, err
	}
	if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.LabelsResourceType, l.ID, l.OrgID); err != nil {
		return nil, err
	}
	return s.s.UpdateLabel(ctx, id, upd)
}

// DeleteLabel checks to see if the authorizer on context has write access to the label provided.
func (s *AuthedLabelService) DeleteLabel(ctx context.Context, id platform.ID) error {
	l, err := s.s.FindLabelByID(ctx, id)
	if err != nil {
		return err
	}
	if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.LabelsResourceType, l.ID, l.OrgID); err != nil {
		return err
	}
	return s.s.DeleteLabel(ctx, id)
}

// CreateLabelMapping checks to see if the authorizer on context has write access to the label and the resource contained by the label mapping in creation.
func (s *AuthedLabelService) CreateLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
	l, err := s.s.FindLabelByID(ctx, m.LabelID)
	if err != nil {
		return err
	}

	if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.LabelsResourceType, m.LabelID, l.OrgID); err != nil {
		return err
	}
	if _, _, err := authorizer.AuthorizeWrite(ctx, m.ResourceType, m.ResourceID, l.OrgID); err != nil {
		return err
	}
	return s.s.CreateLabelMapping(ctx, m)
}

// DeleteLabelMapping checks to see if the authorizer on context has write access to the label and the resource of the label mapping to delete.
func (s *AuthedLabelService) DeleteLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
	l, err := s.s.FindLabelByID(ctx, m.LabelID)
	if err != nil {
		return err
	}
	if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.LabelsResourceType, m.LabelID, l.OrgID); err != nil {
		return err
	}
	if _, _, err := authorizer.AuthorizeWrite(ctx, m.ResourceType, m.ResourceID, l.OrgID); err != nil {
		return err
	}
	return s.s.DeleteLabelMapping(ctx, m)
}
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`package label`

			`import (`
			`"context"`

			`"github.com/influxdata/influxdb/v2"`
			`"github.com/influxdata/influxdb/v2/authorizer"`
fix: more expressive errors (#22448) * fix: more expressive errors Closes #22446 * fix: server only logging for untyped errors * chore: fix formatting 2021-09-13 19:12:35 +00:00			`"github.com/influxdata/influxdb/v2/kit/platform"`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`)`

			`var _ influxdb.LabelService = (*AuthedLabelService)(nil)`

			`type AuthedLabelService struct {`
refactor(notification): move rule service into own package (#19804) * refactor(notification): move rule service into own package * chore(launcher): fix tests to use clients as opposed to direct kv service * chore(influx): update task cli to consume core domain model task from client * chore(kv): remove rule service behaviours from kv This also introduces the org id resolver type. Which is transplanted from the kv service. As this one function coupled all resource capabilities onto the kv service. Making removing these capabilities impossible. Moving this type out into its own package which depends on each service explicitly ensures we don't have one type which has to implement all the service contracts. * fix(launcher): remove double reference to influxdb package 2020-10-27 11:45:05 +00:00			`s influxdb.LabelService`
			`orgIDResolver authorizer.OrgIDResolver`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`}`

			`// NewAuthedLabelService constructs an instance of an authorizing label serivce.`
refactor(notification): move rule service into own package (#19804) * refactor(notification): move rule service into own package * chore(launcher): fix tests to use clients as opposed to direct kv service * chore(influx): update task cli to consume core domain model task from client * chore(kv): remove rule service behaviours from kv This also introduces the org id resolver type. Which is transplanted from the kv service. As this one function coupled all resource capabilities onto the kv service. Making removing these capabilities impossible. Moving this type out into its own package which depends on each service explicitly ensures we don't have one type which has to implement all the service contracts. * fix(launcher): remove double reference to influxdb package 2020-10-27 11:45:05 +00:00			`func NewAuthedLabelService(s influxdb.LabelService, orgIDResolver authorizer.OrgIDResolver) *AuthedLabelService {`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`return &AuthedLabelService{`
refactor(notification): move rule service into own package (#19804) * refactor(notification): move rule service into own package * chore(launcher): fix tests to use clients as opposed to direct kv service * chore(influx): update task cli to consume core domain model task from client * chore(kv): remove rule service behaviours from kv This also introduces the org id resolver type. Which is transplanted from the kv service. As this one function coupled all resource capabilities onto the kv service. Making removing these capabilities impossible. Moving this type out into its own package which depends on each service explicitly ensures we don't have one type which has to implement all the service contracts. * fix(launcher): remove double reference to influxdb package 2020-10-27 11:45:05 +00:00			`s: s,`
			`orgIDResolver: orgIDResolver,`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`}`
			`}`
			`func (s AuthedLabelService) CreateLabel(ctx context.Context, l influxdb.Label) error {`
			`if _, _, err := authorizer.AuthorizeCreate(ctx, influxdb.LabelsResourceType, l.OrgID); err != nil {`
			`return err`
			`}`
			`return s.s.CreateLabel(ctx, l)`
			`}`

			`func (s AuthedLabelService) FindLabels(ctx context.Context, filter influxdb.LabelFilter, opt ...influxdb.FindOptions) ([]influxdb.Label, error) {`
			`// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data`
			`// will likely be expensive.`
			`ls, err := s.s.FindLabels(ctx, filter, opt...)`
			`if err != nil {`
			`return nil, err`
			`}`
			`ls, _, err = authorizer.AuthorizeFindLabels(ctx, ls)`
			`return ls, err`
			`}`

			`// FindLabelByID checks to see if the authorizer on context has read access to the label id provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s AuthedLabelService) FindLabelByID(ctx context.Context, id platform.ID) (influxdb.Label, error) {`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`l, err := s.s.FindLabelByID(ctx, id)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if _, _, err := authorizer.AuthorizeRead(ctx, influxdb.LabelsResourceType, id, l.OrgID); err != nil {`
			`return nil, err`
			`}`
			`return l, nil`
			`}`

			`// FindResourceLabels retrieves all labels belonging to the filtering resource if the authorizer on context has read access to it.`
			`// Then it filters the list down to only the labels that are authorized.`
			`func (s AuthedLabelService) FindResourceLabels(ctx context.Context, filter influxdb.LabelMappingFilter) ([]influxdb.Label, error) {`
			`if err := filter.ResourceType.Valid(); err != nil {`
			`return nil, err`
			`}`
feat: add feature flag for new labels service (#18215) 2020-05-28 15:26:08 +00:00
refactor(notification): move rule service into own package (#19804) * refactor(notification): move rule service into own package * chore(launcher): fix tests to use clients as opposed to direct kv service * chore(influx): update task cli to consume core domain model task from client * chore(kv): remove rule service behaviours from kv This also introduces the org id resolver type. Which is transplanted from the kv service. As this one function coupled all resource capabilities onto the kv service. Making removing these capabilities impossible. Moving this type out into its own package which depends on each service explicitly ensures we don't have one type which has to implement all the service contracts. * fix(launcher): remove double reference to influxdb package 2020-10-27 11:45:05 +00:00			`orgID, err := s.orgIDResolver.FindResourceOrganizationID(ctx, filter.ResourceType, filter.ResourceID)`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`if err != nil {`
			`return nil, err`
			`}`

feat: add feature flag for new labels service (#18215) 2020-05-28 15:26:08 +00:00			`if _, _, err := authorizer.AuthorizeRead(ctx, filter.ResourceType, filter.ResourceID, orgID); err != nil {`
			`return nil, err`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`}`

feat: add feature flag for new labels service (#18215) 2020-05-28 15:26:08 +00:00			`// first fetch all labels for this resource`
			`ls, err := s.s.FindResourceLabels(ctx, filter)`
			`if err != nil {`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`return nil, err`
			`}`

			`// then filter the labels we got to return only the ones the user is authorized to read`
			`ls, _, err = authorizer.AuthorizeFindLabels(ctx, ls)`
			`return ls, err`
			`}`

			`// UpdateLabel checks to see if the authorizer on context has write access to the label provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s AuthedLabelService) UpdateLabel(ctx context.Context, id platform.ID, upd influxdb.LabelUpdate) (influxdb.Label, error) {`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`l, err := s.s.FindLabelByID(ctx, id)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.LabelsResourceType, l.ID, l.OrgID); err != nil {`
			`return nil, err`
			`}`
			`return s.s.UpdateLabel(ctx, id, upd)`
			`}`

			`// DeleteLabel checks to see if the authorizer on context has write access to the label provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s *AuthedLabelService) DeleteLabel(ctx context.Context, id platform.ID) error {`
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`l, err := s.s.FindLabelByID(ctx, id)`
			`if err != nil {`
			`return err`
			`}`
			`if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.LabelsResourceType, l.ID, l.OrgID); err != nil {`
			`return err`
			`}`
			`return s.s.DeleteLabel(ctx, id)`
			`}`

			`// CreateLabelMapping checks to see if the authorizer on context has write access to the label and the resource contained by the label mapping in creation.`
			`func (s AuthedLabelService) CreateLabelMapping(ctx context.Context, m influxdb.LabelMapping) error {`
			`l, err := s.s.FindLabelByID(ctx, m.LabelID)`
			`if err != nil {`
			`return err`
			`}`
feat: add feature flag for new labels service (#18215) 2020-05-28 15:26:08 +00:00
refactor: add new label package (#18078) 2020-05-21 18:30:19 +00:00			`if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.LabelsResourceType, m.LabelID, l.OrgID); err != nil {`
			`return err`
			`}`
			`if _, _, err := authorizer.AuthorizeWrite(ctx, m.ResourceType, m.ResourceID, l.OrgID); err != nil {`
			`return err`
			`}`
			`return s.s.CreateLabelMapping(ctx, m)`
			`}`

			`// DeleteLabelMapping checks to see if the authorizer on context has write access to the label and the resource of the label mapping to delete.`
			`func (s AuthedLabelService) DeleteLabelMapping(ctx context.Context, m influxdb.LabelMapping) error {`
			`l, err := s.s.FindLabelByID(ctx, m.LabelID)`
			`if err != nil {`
			`return err`
			`}`
			`if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.LabelsResourceType, m.LabelID, l.OrgID); err != nil {`
			`return err`
			`}`
			`if _, _, err := authorizer.AuthorizeWrite(ctx, m.ResourceType, m.ResourceID, l.OrgID); err != nil {`
			`return err`
			`}`
			`return s.s.DeleteLabelMapping(ctx, m)`
			`}`