influxdb/query/preauthorizer.go

package query

import (
	"context"

	"github.com/influxdata/flux"
	"github.com/influxdata/platform"
	"github.com/pkg/errors"
)

// PreAuthorizer provides a method for ensuring that the buckets accessed by a query spec
// are allowed access by the given Authorization.  This is a pre-check provided as a way for
// callers to fail early for operations that are not allowed.  However, it's still possible
// for authorization to be denied at runtime even if this check passes.
type PreAuthorizer interface {
	PreAuthorize(ctx context.Context, spec *flux.Spec, auth *platform.Authorization) error
}

// NewPreAuthorizer creates a new PreAuthorizer
func NewPreAuthorizer(bucketService platform.BucketService) PreAuthorizer {
	return &preAuthorizer{bucketService: bucketService}
}

type preAuthorizer struct {
	bucketService platform.BucketService
}

// PreAuthorize finds all the buckets read and written by the given spec, and ensures that execution is allowed
// given the Authorization.  Returns nil on success, and an error with an appropriate message otherwise.
func (a *preAuthorizer) PreAuthorize(ctx context.Context, spec *flux.Spec, auth *platform.Authorization) error {

	readBuckets, writeBuckets, err := BucketsAccessed(spec)

	if err != nil {
		return errors.Wrap(err, "Could not retrieve buckets for query.Spec")
	}

	for _, readBucketFilter := range readBuckets {
		bucket, err := a.bucketService.FindBucket(ctx, readBucketFilter)
		if err != nil {
			return errors.Wrapf(err, "Bucket service error")
		} else if bucket == nil {
			return errors.New("bucket service returned nil bucket")
		}

		reqPerm := platform.ReadBucketPermission(bucket.ID)
		if !auth.Allowed(reqPerm) {
			return errors.New("no read permission for bucket: \"" + bucket.Name + "\"")
		}
	}

	for _, writeBucketFilter := range writeBuckets {
		bucket, err := a.bucketService.FindBucket(context.Background(), writeBucketFilter)
		if err != nil {
			return errors.Wrapf(err, "Could not find bucket %v", writeBucketFilter)
		}

		reqPerm := platform.WriteBucketPermission(bucket.ID)
		if !auth.Allowed(reqPerm) {
			return errors.New("no write permission for bucket: \"" + bucket.Name + "\"")
		}
	}

	return nil
}
Create PreAuthorizer interface, BucketAwareOperationSpec interface (#664) 2018-09-05 19:06:26 +00:00			`package query`

			`import (`
			`"context"`
refactor: Migrate query package to influxdata/flux repository 2018-09-06 18:09:52 +00:00
			`"github.com/influxdata/flux"`
			`"github.com/influxdata/platform"`
			`"github.com/pkg/errors"`
Create PreAuthorizer interface, BucketAwareOperationSpec interface (#664) 2018-09-05 19:06:26 +00:00			`)`

			`// PreAuthorizer provides a method for ensuring that the buckets accessed by a query spec`
			`// are allowed access by the given Authorization. This is a pre-check provided as a way for`
			`// callers to fail early for operations that are not allowed. However, it's still possible`
			`// for authorization to be denied at runtime even if this check passes.`
			`type PreAuthorizer interface {`
refactor: Migrate query package to influxdata/flux repository 2018-09-06 18:09:52 +00:00			`PreAuthorize(ctx context.Context, spec flux.Spec, auth platform.Authorization) error`
Create PreAuthorizer interface, BucketAwareOperationSpec interface (#664) 2018-09-05 19:06:26 +00:00			`}`

			`// NewPreAuthorizer creates a new PreAuthorizer`
			`func NewPreAuthorizer(bucketService platform.BucketService) PreAuthorizer {`
			`return &preAuthorizer{bucketService: bucketService}`
			`}`

			`type preAuthorizer struct {`
			`bucketService platform.BucketService`
			`}`

			`// PreAuthorize finds all the buckets read and written by the given spec, and ensures that execution is allowed`
			`// given the Authorization. Returns nil on success, and an error with an appropriate message otherwise.`
refactor: Migrate query package to influxdata/flux repository 2018-09-06 18:09:52 +00:00			`func (a preAuthorizer) PreAuthorize(ctx context.Context, spec flux.Spec, auth *platform.Authorization) error {`
Create PreAuthorizer interface, BucketAwareOperationSpec interface (#664) 2018-09-05 19:06:26 +00:00
chore: Updates to be able to remove platform as a dependency of Flux 2018-09-11 22:56:51 +00:00			`readBuckets, writeBuckets, err := BucketsAccessed(spec)`
Create PreAuthorizer interface, BucketAwareOperationSpec interface (#664) 2018-09-05 19:06:26 +00:00
			`if err != nil {`
			`return errors.Wrap(err, "Could not retrieve buckets for query.Spec")`
			`}`

			`for _, readBucketFilter := range readBuckets {`
			`bucket, err := a.bucketService.FindBucket(ctx, readBucketFilter)`
			`if err != nil {`
			`return errors.Wrapf(err, "Bucket service error")`
			`} else if bucket == nil {`
Ensure error strings not capitalised ST1005 2018-11-21 14:22:35 +00:00			`return errors.New("bucket service returned nil bucket")`
Create PreAuthorizer interface, BucketAwareOperationSpec interface (#664) 2018-09-05 19:06:26 +00:00			`}`

			`reqPerm := platform.ReadBucketPermission(bucket.ID)`
feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`if !auth.Allowed(reqPerm) {`
Ensure error strings not capitalised ST1005 2018-11-21 14:22:35 +00:00			`return errors.New("no read permission for bucket: \"" + bucket.Name + "\"")`
Create PreAuthorizer interface, BucketAwareOperationSpec interface (#664) 2018-09-05 19:06:26 +00:00			`}`
			`}`

			`for _, writeBucketFilter := range writeBuckets {`
			`bucket, err := a.bucketService.FindBucket(context.Background(), writeBucketFilter)`
			`if err != nil {`
			`return errors.Wrapf(err, "Could not find bucket %v", writeBucketFilter)`
			`}`

			`reqPerm := platform.WriteBucketPermission(bucket.ID)`
feat(platform): add authorizer interface This iterface is supposed to be something that both sessions and authorizations can share so that other components can authorize requests as they see fit. 2018-09-28 17:02:34 +00:00			`if !auth.Allowed(reqPerm) {`
Ensure error strings not capitalised ST1005 2018-11-21 14:22:35 +00:00			`return errors.New("no write permission for bucket: \"" + bucket.Name + "\"")`
Create PreAuthorizer interface, BucketAwareOperationSpec interface (#664) 2018-09-05 19:06:26 +00:00			`}`
			`}`

			`return nil`
			`}`