package authorizer
import (
"context"
"fmt"
"github.com/influxdata/influxdb/v2/kit/platform"
"github.com/influxdata/influxdb/v2"
)
// Compile-time checks that the authorizing wrappers satisfy the interfaces
// they decorate.
var (
	_ influxdb.DocumentService = (*DocumentService)(nil)
	_ influxdb.DocumentStore   = (*documentStore)(nil)
)
// DocumentService is an authorizing decorator around an influxdb.DocumentService.
// It performs no permission checks itself; it wraps the stores returned by the
// inner service in a documentStore, which is where the checks happen.
type DocumentService struct {
	// s is the wrapped service that does the actual work.
	s influxdb.DocumentService
}
// NewDocumentService constructs an instance of an authorizing document service.
// Every call is delegated to s; the stores s hands out are wrapped so that
// document operations on them are permission-checked.
func NewDocumentService(s influxdb.DocumentService) influxdb.DocumentService {
	svc := &DocumentService{s: s}
	return svc
}
// CreateDocumentStore creates the named store on the wrapped service and
// returns it wrapped in an authorizing documentStore. No permission check is
// made at this level; the returned store checks permissions on each document
// operation.
func (s *DocumentService) CreateDocumentStore(ctx context.Context, name string) (influxdb.DocumentStore, error) {
	inner, err := s.s.CreateDocumentStore(ctx, name)
	if err != nil {
		return nil, err
	}
	authorized := &documentStore{s: inner}
	return authorized, nil
}
// FindDocumentStore looks up the named store on the wrapped service and
// returns it wrapped in an authorizing documentStore. As with
// CreateDocumentStore, no permission check is made here; the returned store
// checks permissions on each document operation.
func (s *DocumentService) FindDocumentStore(ctx context.Context, name string) (influxdb.DocumentStore, error) {
	inner, err := s.s.FindDocumentStore(ctx, name)
	if err != nil {
		return nil, err
	}
	authorized := &documentStore{s: inner}
	return authorized, nil
}
// documentStore is an authorizing decorator around an influxdb.DocumentStore.
// Each method checks the caller's permission (via IsAllowedAny or
// AuthorizeOrgReadResource) before delegating to the wrapped store.
type documentStore struct {
	// s is the wrapped store that does the actual work.
	s influxdb.DocumentStore
}
// newDocumentPermission builds the permission required to perform action a
// on the documents resource of orgID. When did is non-nil the permission is
// additionally scoped to that single document ID; otherwise it carries no
// document ID.
func newDocumentPermission(a influxdb.Action, orgID platform.ID, did *platform.ID) (*influxdb.Permission, error) {
	resource := influxdb.DocumentsResourceType
	if did == nil {
		return influxdb.NewPermission(a, resource, orgID)
	}
	return influxdb.NewPermissionAtID(*did, a, resource, orgID)
}
// toPerms builds one permission per organization in orgs, each requiring
// action on that org's documents resource (scoped to did when did is non-nil).
// The first error from newDocumentPermission aborts the whole list. Because
// orgs is a map, the order of the returned slice is not stable; callers must
// not depend on it. The map values (user types) are not consulted.
func toPerms(action influxdb.Action, orgs map[platform.ID]influxdb.UserType, did *platform.ID) ([]influxdb.Permission, error) {
	perms := make([]influxdb.Permission, 0, len(orgs))
	var buildErr error
	for orgID := range orgs {
		p, err := newDocumentPermission(action, orgID, did)
		if err != nil {
			buildErr = err
			break
		}
		perms = append(perms, *p)
	}
	if buildErr != nil {
		return nil, buildErr
	}
	return perms, nil
}
// CreateDocument authorizes the caller and then creates d on the wrapped
// store. A document with no organizations is rejected up front, since there
// would be nothing to authorize against and the call could not be checked.
// NOTE(review): the check is IsAllowedAny, so write permission on any one org
// in d.Organizations is sufficient while the document is still created under
// all of them — confirm that is the intended semantics for multi-org documents.
func (s *documentStore) CreateDocument(ctx context.Context, d *influxdb.Document) error {
	if len(d.Organizations) == 0 {
		return fmt.Errorf("cannot authorize document creation without any orgID")
	}
	// Write permission is requested without a document ID: the document does
	// not exist yet, so there is no ID to scope the permission to.
	required, err := toPerms(influxdb.WriteAction, d.Organizations, nil)
	if err != nil {
		return err
	}
	if authErr := IsAllowedAny(ctx, required); authErr != nil {
		return authErr
	}
	return s.s.CreateDocument(ctx, d)
}
// FindDocument looks up id on the wrapped store and returns it only if the
// caller holds read permission, scoped to this document ID, on at least one of
// the document's organizations.
// NOTE(review): the lookup happens before the permission check, so a
// not-found error and an authorization error are distinguishable to the
// caller; confirm that the error mapping above this layer does not reveal
// whether a document exists in an org the caller cannot read.
func (s *documentStore) FindDocument(ctx context.Context, id platform.ID) (*influxdb.Document, error) {
	doc, err := s.s.FindDocument(ctx, id)
	if err != nil {
		return nil, err
	}
	required, err := toPerms(influxdb.ReadAction, doc.Organizations, &id)
	if err != nil {
		return nil, err
	}
	if err = IsAllowedAny(ctx, required); err != nil {
		return nil, err
	}
	return doc, nil
}
// FindDocuments lists the documents of organization oid. Unlike FindDocument,
// authorization is checked once at the organization level (read on the org's
// documents resource) rather than per returned document.
func (s *documentStore) FindDocuments(ctx context.Context, oid platform.ID) ([]*influxdb.Document, error) {
	// Only the error is needed here; the other two results of the check are
	// intentionally discarded.
	_, _, err := AuthorizeOrgReadResource(ctx, influxdb.DocumentsResourceType, oid)
	if err != nil {
		return nil, err
	}
	return s.s.FindDocuments(ctx, oid)
}