Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
influxdb/authorizer/label.go

234 lines
6.1 KiB
Go
Raw Normal View History

feat(authorizer): initial (incomplete) auth for labels v2
2019-01-22 13:40:20 +00:00
package authorizer
import (
"context"
"github.com/influxdata/influxdb"
)
var _ influxdb.LabelService = (*LabelService)(nil)
// LabelService wraps a influxdb.LabelService and authorizes actions
// against it appropriately.
type LabelService struct {
s influxdb.LabelService
}
// NewLabelService constructs an instance of an authorizing label serivce.
func NewLabelService(s influxdb.LabelService) *LabelService {
return &LabelService{
s: s,
}
}
func newLabelPermission(a influxdb.Action, id influxdb.ID) (*influxdb.Permission, error) {
p := &influxdb.Permission{
Action: a,
Resource: influxdb.Resource{
Type: influxdb.LabelsResourceType,
ID: &id,
},
}
return p, p.Valid()
}
feat(authorizer): authorization of label mappings creation
2019-01-22 17:55:56 +00:00
func newResourcePermission(a influxdb.Action, id influxdb.ID, resourceType influxdb.ResourceType) (*influxdb.Permission, error) {
if err := resourceType.Valid(); err != nil {
return nil, err
}
p := &influxdb.Permission{
Action: a,
Resource: influxdb.Resource{
Type: resourceType,
ID: &id,
},
}
return p, p.Valid()
}
func authorizeLabelMappingAction(ctx context.Context, action influxdb.Action, id influxdb.ID, resourceType influxdb.ResourceType) error {
p, err := newResourcePermission(action, id, resourceType)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
feat(authorizer): initial (incomplete) auth for labels v2
2019-01-22 13:40:20 +00:00
func authorizeReadLabel(ctx context.Context, id influxdb.ID) error {
p, err := newLabelPermission(influxdb.ReadAction, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
func authorizeWriteLabel(ctx context.Context, id influxdb.ID) error {
p, err := newLabelPermission(influxdb.WriteAction, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
// FindLabelByID checks to see if the authorizer on context has read access to the label id provided.
func (s *LabelService) FindLabelByID(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
if err := authorizeReadLabel(ctx, id); err != nil {
return nil, err
}
l, err := s.s.FindLabelByID(ctx, id)
if err != nil {
return nil, err
}
return l, nil
}
// FindLabels retrieves all labels that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *LabelService) FindLabels(ctx context.Context, filter influxdb.LabelFilter, opt ...influxdb.FindOptions) ([]*influxdb.Label, error) {
// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
// will likely be expensive.
ls, err := s.s.FindLabels(ctx, filter, opt...)
if err != nil {
return nil, err
}
// This filters without allocating
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
labels := ls[:0]
for _, l := range ls {
err := authorizeReadLabel(ctx, l.ID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, err
}
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
labels = append(labels, l)
}
return labels, nil
}
feat(authorizer): authorize the look up of labels by resource
2019-01-23 17:39:06 +00:00
// FindResourceLabels retrieves all labels belonging to the filtering resource if the authorizer on context has read access to it.
// Then it filters the list down to only the labels that are authorized.
feat(authorizer): initial (incomplete) auth for labels v2
2019-01-22 13:40:20 +00:00
func (s *LabelService) FindResourceLabels(ctx context.Context, filter influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
feat(authorizer): authorize the look up of labels by resource
2019-01-23 17:39:06 +00:00
if err := authorizeLabelMappingAction(ctx, influxdb.ReadAction, filter.ResourceID, filter.ResourceType); err != nil {
return nil, err
}
ls, err := s.s.FindResourceLabels(ctx, filter)
if err != nil {
return nil, err
}
labels := ls[:0]
for _, l := range ls {
err := authorizeReadLabel(ctx, l.ID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, err
}
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
labels = append(labels, l)
}
return labels, nil
feat(authorizer): initial (incomplete) auth for labels v2
2019-01-22 13:40:20 +00:00
}
// CreateLabel checks to see if the authorizer on context has write access to the global labels resource.
func (s *LabelService) CreateLabel(ctx context.Context, l *influxdb.Label) error {
p, err := influxdb.NewGlobalPermission(influxdb.WriteAction, influxdb.LabelsResourceType)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return s.s.CreateLabel(ctx, l)
}
feat(authorizer): authorization for deletion of label mappings Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-01-23 14:28:17 +00:00
// CreateLabelMapping checks to see if the authorizer on context has write access to the label and the resource contained by the label mapping in creation.
feat(authorizer): initial (incomplete) auth for labels v2
2019-01-22 13:40:20 +00:00
func (s *LabelService) CreateLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
feat(authorizer): authorization of label mappings creation
2019-01-22 17:55:56 +00:00
if err := authorizeWriteLabel(ctx, m.LabelID); err != nil {
feat(authorizer): initial (incomplete) auth for labels v2
2019-01-22 13:40:20 +00:00
return err
}
feat(authorizer): authorization of label mappings creation
2019-01-22 17:55:56 +00:00
if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, m.ResourceID, m.ResourceType); err != nil {
return err
}
return s.s.CreateLabelMapping(ctx, m)
feat(authorizer): initial (incomplete) auth for labels v2
2019-01-22 13:40:20 +00:00
}
// UpdateLabel checks to see if the authorizer on context has write access to the label provided.
func (s *LabelService) UpdateLabel(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
_, err := s.s.FindLabelByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeWriteLabel(ctx, id); err != nil {
return nil, err
}
return s.s.UpdateLabel(ctx, id, upd)
}
// DeleteLabel checks to see if the authorizer on context has write access to the label provided.
func (s *LabelService) DeleteLabel(ctx context.Context, id influxdb.ID) error {
_, err := s.s.FindLabelByID(ctx, id)
if err != nil {
return err
}
if err := authorizeWriteLabel(ctx, id); err != nil {
return err
}
return s.s.DeleteLabel(ctx, id)
}
feat(authorizer): authorization for deletion of label mappings Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-01-23 14:28:17 +00:00
// DeleteLabelMapping checks to see if the authorizer on context has write access to the label and the resource of the label mapping to delete.
feat(authorizer): initial (incomplete) auth for labels v2
2019-01-22 13:40:20 +00:00
func (s *LabelService) DeleteLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
feat(authorizer): authorization for deletion of label mappings Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
2019-01-23 14:28:17 +00:00
_, err := s.s.FindLabelByID(ctx, m.LabelID)
if err != nil {
return err
}
if err := authorizeWriteLabel(ctx, m.LabelID); err != nil {
return err
}
if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, m.ResourceID, m.ResourceType); err != nil {
return err
}
return s.s.DeleteLabelMapping(ctx, m)
feat(authorizer): initial (incomplete) auth for labels v2
2019-01-22 13:40:20 +00:00
}