2019-01-22 13:40:20 +00:00
package authorizer
import (
"context"
2020-03-11 16:58:39 +00:00
"errors"
2019-01-22 13:40:20 +00:00
2020-04-03 17:39:20 +00:00
"github.com/influxdata/influxdb/v2"
2019-01-22 13:40:20 +00:00
)
var _ influxdb . LabelService = ( * LabelService ) ( nil )
// LabelService wraps a influxdb.LabelService and authorizes actions
// against it appropriately.
type LabelService struct {
2020-03-11 16:58:39 +00:00
s influxdb . LabelService
orgSvc OrganizationService
2019-01-22 13:40:20 +00:00
}
2020-03-11 16:58:39 +00:00
// NewLabelServiceWithOrg constructs an instance of an authorizing label serivce.
// Replaces NewLabelService.
func NewLabelServiceWithOrg ( s influxdb . LabelService , orgSvc OrganizationService ) * LabelService {
2019-01-22 13:40:20 +00:00
return & LabelService {
2020-03-11 16:58:39 +00:00
s : s ,
orgSvc : orgSvc ,
2019-01-22 13:40:20 +00:00
}
}
// FindLabelByID checks to see if the authorizer on context has read access to the label id provided.
func ( s * LabelService ) FindLabelByID ( ctx context . Context , id influxdb . ID ) ( * influxdb . Label , error ) {
2019-03-19 18:07:36 +00:00
l , err := s . s . FindLabelByID ( ctx , id )
if err != nil {
2019-01-22 13:40:20 +00:00
return nil , err
}
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeRead ( ctx , influxdb . LabelsResourceType , id , l . OrgID ) ; err != nil {
2019-01-22 13:40:20 +00:00
return nil , err
}
return l , nil
}
// FindLabels retrieves all labels that match the provided filter and then filters the list down to only the resources that are authorized.
func ( s * LabelService ) FindLabels ( ctx context . Context , filter influxdb . LabelFilter , opt ... influxdb . FindOptions ) ( [ ] * influxdb . Label , error ) {
// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
// will likely be expensive.
ls , err := s . s . FindLabels ( ctx , filter , opt ... )
if err != nil {
return nil , err
}
2020-03-16 14:29:17 +00:00
ls , _ , err = AuthorizeFindLabels ( ctx , ls )
return ls , err
2019-01-22 13:40:20 +00:00
}
2019-01-23 17:39:06 +00:00
// FindResourceLabels retrieves all labels belonging to the filtering resource if the authorizer on context has read access to it.
// Then it filters the list down to only the labels that are authorized.
2019-01-22 13:40:20 +00:00
func ( s * LabelService ) FindResourceLabels ( ctx context . Context , filter influxdb . LabelMappingFilter ) ( [ ] * influxdb . Label , error ) {
2020-03-12 17:51:50 +00:00
if err := filter . ResourceType . Valid ( ) ; err != nil {
return nil , err
}
2020-03-11 16:58:39 +00:00
if s . orgSvc == nil {
return nil , errors . New ( "failed to find orgSvc" )
}
orgID , err := s . orgSvc . FindResourceOrganizationID ( ctx , filter . ResourceType , filter . ResourceID )
if err != nil {
return nil , err
}
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeRead ( ctx , filter . ResourceType , filter . ResourceID , orgID ) ; err != nil {
2020-03-11 16:58:39 +00:00
return nil , err
2019-01-23 17:39:06 +00:00
}
ls , err := s . s . FindResourceLabels ( ctx , filter )
if err != nil {
return nil , err
}
2020-03-16 14:29:17 +00:00
ls , _ , err = AuthorizeFindLabels ( ctx , ls )
return ls , err
2019-01-22 13:40:20 +00:00
}
2020-03-12 17:51:50 +00:00
// CreateLabel checks to see if the authorizer on context has write access to the new label's org.
2019-01-22 13:40:20 +00:00
func ( s * LabelService ) CreateLabel ( ctx context . Context , l * influxdb . Label ) error {
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeCreate ( ctx , influxdb . LabelsResourceType , l . OrgID ) ; err != nil {
2019-01-22 13:40:20 +00:00
return err
}
return s . s . CreateLabel ( ctx , l )
}
2019-01-23 14:28:17 +00:00
// CreateLabelMapping checks to see if the authorizer on context has write access to the label and the resource contained by the label mapping in creation.
2019-01-22 13:40:20 +00:00
func ( s * LabelService ) CreateLabelMapping ( ctx context . Context , m * influxdb . LabelMapping ) error {
2019-03-19 18:07:36 +00:00
l , err := s . s . FindLabelByID ( ctx , m . LabelID )
if err != nil {
return err
}
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeWrite ( ctx , influxdb . LabelsResourceType , m . LabelID , l . OrgID ) ; err != nil {
2019-01-22 13:40:20 +00:00
return err
}
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeWrite ( ctx , m . ResourceType , m . ResourceID , l . OrgID ) ; err != nil {
2020-03-11 16:58:39 +00:00
return err
2019-01-22 17:55:56 +00:00
}
return s . s . CreateLabelMapping ( ctx , m )
2019-01-22 13:40:20 +00:00
}
// UpdateLabel checks to see if the authorizer on context has write access to the label provided.
func ( s * LabelService ) UpdateLabel ( ctx context . Context , id influxdb . ID , upd influxdb . LabelUpdate ) ( * influxdb . Label , error ) {
2019-03-19 18:07:36 +00:00
l , err := s . s . FindLabelByID ( ctx , id )
2019-01-22 13:40:20 +00:00
if err != nil {
return nil , err
}
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeWrite ( ctx , influxdb . LabelsResourceType , l . ID , l . OrgID ) ; err != nil {
2019-01-22 13:40:20 +00:00
return nil , err
}
return s . s . UpdateLabel ( ctx , id , upd )
}
// DeleteLabel checks to see if the authorizer on context has write access to the label provided.
func ( s * LabelService ) DeleteLabel ( ctx context . Context , id influxdb . ID ) error {
2019-03-19 18:07:36 +00:00
l , err := s . s . FindLabelByID ( ctx , id )
2019-01-22 13:40:20 +00:00
if err != nil {
return err
}
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeWrite ( ctx , influxdb . LabelsResourceType , l . ID , l . OrgID ) ; err != nil {
2019-01-22 13:40:20 +00:00
return err
}
return s . s . DeleteLabel ( ctx , id )
}
2019-01-23 14:28:17 +00:00
// DeleteLabelMapping checks to see if the authorizer on context has write access to the label and the resource of the label mapping to delete.
2019-01-22 13:40:20 +00:00
func ( s * LabelService ) DeleteLabelMapping ( ctx context . Context , m * influxdb . LabelMapping ) error {
2019-03-19 18:07:36 +00:00
l , err := s . s . FindLabelByID ( ctx , m . LabelID )
2019-01-23 14:28:17 +00:00
if err != nil {
return err
}
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeWrite ( ctx , influxdb . LabelsResourceType , m . LabelID , l . OrgID ) ; err != nil {
2019-01-23 14:28:17 +00:00
return err
}
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeWrite ( ctx , m . ResourceType , m . ResourceID , l . OrgID ) ; err != nil {
2020-03-11 16:58:39 +00:00
return err
2019-01-23 14:28:17 +00:00
}
return s . s . DeleteLabelMapping ( ctx , m )
2019-01-22 13:40:20 +00:00
}