influxdb/authz.go

package platform

import "fmt"

// Authorizer will authorize a permission.
type Authorizer interface {
	// Allowed returns true is the associated permission is allowed by the authorizer
	Allowed(p Permission) bool

	// ID returns an identifier used for auditing.
	Identifier() ID

	// Kind metadata for auditing.
	Kind() string
}

func allowed(p Permission, ps []Permission) bool {
	for _, perm := range ps {
		if perm.Action == p.Action && perm.Resource == p.Resource {
			return true
		}
	}
	return false
}

type action string

const (
	// ReadAction is the action for reading.
	ReadAction action = "read"
	// WriteAction is the action for writing.
	WriteAction action = "write"
	// CreateAction is the action for creating new resources.
	CreateAction action = "create"
	// DeleteAction is the action for deleting an existing resource.
	DeleteAction action = "delete"
)

type resource string

const (
	// UserResource represents the user resource actions can apply to.
	UserResource = resource("user")
	// OrganizationResource represents the org resource actions can apply to.
	OrganizationResource = resource("org")
)

// TaskResource represents the task resource scoped to an organization.
func TaskResource(orgID ID) resource {
	return resource(fmt.Sprintf("org/%s/task", orgID))
}

// BucketResource constructs a bucket resource.
func BucketResource(id ID) resource {
	return resource(fmt.Sprintf("bucket/%s", id))
}

// Permission defines an action and a resource.
type Permission struct {
	Action   action   `json:"action"`
	Resource resource `json:"resource"`
}

func (p Permission) String() string {
	return fmt.Sprintf("%s:%s", p.Action, p.Resource)
}

var (
	// CreateUserPermission is a permission for creating users.
	CreateUserPermission = Permission{
		Action:   CreateAction,
		Resource: UserResource,
	}
	// DeleteUserPermission is a permission for deleting users.
	DeleteUserPermission = Permission{
		Action:   DeleteAction,
		Resource: UserResource,
	}
)

// ReadBucketPermission constructs a permission for reading a bucket.
func ReadBucketPermission(id ID) Permission {
	return Permission{
		Action:   ReadAction,
		Resource: BucketResource(id),
	}
}

// WriteBucketPermission constructs a permission for writing to a bucket.
func WriteBucketPermission(id ID) Permission {
	return Permission{
		Action:   WriteAction,
		Resource: BucketResource(id),
	}
}
feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`package platform`

			`import "fmt"`

			`// Authorizer will authorize a permission.`
			`type Authorizer interface {`
feat(http): add authentication handler middleware 2018-09-28 18:33:35 +00:00			`// Allowed returns true is the associated permission is allowed by the authorizer`
feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`Allowed(p Permission) bool`
feat(http): add authentication handler middleware 2018-09-28 18:33:35 +00:00
			`// ID returns an identifier used for auditing.`
			`Identifier() ID`

			`// Kind metadata for auditing.`
			`Kind() string`
feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`}`

			`func allowed(p Permission, ps []Permission) bool {`
			`for _, perm := range ps {`
			`if perm.Action == p.Action && perm.Resource == p.Resource {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`type action string`

			`const (`
			`// ReadAction is the action for reading.`
			`ReadAction action = "read"`
			`// WriteAction is the action for writing.`
			`WriteAction action = "write"`
			`// CreateAction is the action for creating new resources.`
			`CreateAction action = "create"`
			`// DeleteAction is the action for deleting an existing resource.`
			`DeleteAction action = "delete"`
			`)`

			`type resource string`

			`const (`
			`// UserResource represents the user resource actions can apply to.`
			`UserResource = resource("user")`
			`// OrganizationResource represents the org resource actions can apply to.`
			`OrganizationResource = resource("org")`
			`)`

			`// TaskResource represents the task resource scoped to an organization.`
			`func TaskResource(orgID ID) resource {`
			`return resource(fmt.Sprintf("org/%s/task", orgID))`
			`}`

			`// BucketResource constructs a bucket resource.`
			`func BucketResource(id ID) resource {`
			`return resource(fmt.Sprintf("bucket/%s", id))`
			`}`

			`// Permission defines an action and a resource.`
			`type Permission struct {`
			Action action `json:"action"`
			Resource resource `json:"resource"`
			`}`

			`func (p Permission) String() string {`
			`return fmt.Sprintf("%s:%s", p.Action, p.Resource)`
			`}`

			`var (`
			`// CreateUserPermission is a permission for creating users.`
			`CreateUserPermission = Permission{`
			`Action: CreateAction,`
			`Resource: UserResource,`
			`}`
			`// DeleteUserPermission is a permission for deleting users.`
			`DeleteUserPermission = Permission{`
			`Action: DeleteAction,`
			`Resource: UserResource,`
			`}`
			`)`

			`// ReadBucketPermission constructs a permission for reading a bucket.`
			`func ReadBucketPermission(id ID) Permission {`
			`return Permission{`
			`Action: ReadAction,`
			`Resource: BucketResource(id),`
			`}`
			`}`

			`// WriteBucketPermission constructs a permission for writing to a bucket.`
			`func WriteBucketPermission(id ID) Permission {`
			`return Permission{`
			`Action: WriteAction,`
			`Resource: BucketResource(id),`
			`}`
			`}`