influxdb/authorizer/notification_rule.go

package authorizer

import (
	"context"

	"github.com/influxdata/influxdb/v2"
	"github.com/influxdata/influxdb/v2/kit/platform"
)

var _ influxdb.NotificationRuleStore = (*NotificationRuleStore)(nil)

// NotificationRuleStore wraps a influxdb.NotificationRuleStore and authorizes actions
// against it appropriately.
type NotificationRuleStore struct {
	s influxdb.NotificationRuleStore
	influxdb.UserResourceMappingService
	influxdb.OrganizationService
}

// NewNotificationRuleStore constructs an instance of an authorizing notification rule service.
func NewNotificationRuleStore(s influxdb.NotificationRuleStore, urm influxdb.UserResourceMappingService, org influxdb.OrganizationService) *NotificationRuleStore {
	return &NotificationRuleStore{
		s:                          s,
		UserResourceMappingService: urm,
		OrganizationService:        org,
	}
}

// FindNotificationRuleByID checks to see if the authorizer on context has read access to the id provided.
func (s *NotificationRuleStore) FindNotificationRuleByID(ctx context.Context, id platform.ID) (influxdb.NotificationRule, error) {
	nr, err := s.s.FindNotificationRuleByID(ctx, id)
	if err != nil {
		return nil, err
	}
	if _, _, err := AuthorizeRead(ctx, influxdb.NotificationRuleResourceType, nr.GetID(), nr.GetOrgID()); err != nil {
		return nil, err
	}
	return nr, nil
}

// FindNotificationRules retrieves all notification rules that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filter influxdb.NotificationRuleFilter, opt ...influxdb.FindOptions) ([]influxdb.NotificationRule, int, error) {
	// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
	// will likely be expensive.
	nrs, _, err := s.s.FindNotificationRules(ctx, filter, opt...)
	if err != nil {
		return nil, 0, err
	}
	return AuthorizeFindNotificationRules(ctx, nrs)
}

// CreateNotificationRule checks to see if the authorizer on context has write access to the global notification rule resource.
func (s *NotificationRuleStore) CreateNotificationRule(ctx context.Context, nr influxdb.NotificationRuleCreate, userID platform.ID) error {
	if _, _, err := AuthorizeCreate(ctx, influxdb.NotificationRuleResourceType, nr.GetOrgID()); err != nil {
		return err
	}
	return s.s.CreateNotificationRule(ctx, nr, userID)
}

// UpdateNotificationRule checks to see if the authorizer on context has write access to the notification rule provided.
func (s *NotificationRuleStore) UpdateNotificationRule(ctx context.Context, id platform.ID, upd influxdb.NotificationRuleCreate, userID platform.ID) (influxdb.NotificationRule, error) {
	nr, err := s.FindNotificationRuleByID(ctx, id)
	if err != nil {
		return nil, err
	}
	if _, _, err := AuthorizeWrite(ctx, influxdb.NotificationRuleResourceType, nr.GetID(), nr.GetOrgID()); err != nil {
		return nil, err
	}
	return s.s.UpdateNotificationRule(ctx, id, upd, userID)
}

// PatchNotificationRule checks to see if the authorizer on context has write access to the notification rule provided.
func (s *NotificationRuleStore) PatchNotificationRule(ctx context.Context, id platform.ID, upd influxdb.NotificationRuleUpdate) (influxdb.NotificationRule, error) {
	nr, err := s.s.FindNotificationRuleByID(ctx, id)
	if err != nil {
		return nil, err
	}
	if _, _, err := AuthorizeWrite(ctx, influxdb.NotificationRuleResourceType, nr.GetID(), nr.GetOrgID()); err != nil {
		return nil, err
	}
	return s.s.PatchNotificationRule(ctx, id, upd)
}

// DeleteNotificationRule checks to see if the authorizer on context has write access to the notification rule provided.
func (s *NotificationRuleStore) DeleteNotificationRule(ctx context.Context, id platform.ID) error {
	nr, err := s.s.FindNotificationRuleByID(ctx, id)
	if err != nil {
		return err
	}
	if _, _, err := AuthorizeWrite(ctx, influxdb.NotificationRuleResourceType, nr.GetID(), nr.GetOrgID()); err != nil {
		return err
	}
	return s.s.DeleteNotificationRule(ctx, id)
}
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`package authorizer`

			`import (`
			`"context"`

refactor: rewrite imports to include the /v2 suffix for version 2 2020-04-03 17:39:20 +00:00			`"github.com/influxdata/influxdb/v2"`
fix: more expressive errors (#22448) * fix: more expressive errors Closes #22446 * fix: server only logging for untyped errors * chore: fix formatting 2021-09-13 19:12:35 +00:00			`"github.com/influxdata/influxdb/v2/kit/platform"`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`)`

			`var _ influxdb.NotificationRuleStore = (*NotificationRuleStore)(nil)`

			`// NotificationRuleStore wraps a influxdb.NotificationRuleStore and authorizes actions`
			`// against it appropriately.`
			`type NotificationRuleStore struct {`
			`s influxdb.NotificationRuleStore`
			`influxdb.UserResourceMappingService`
			`influxdb.OrganizationService`
			`}`

fix: correct various typos (#19987) Co-authored-by: kumakichi <xyesan@gmail.com> 2020-11-11 18:54:21 +00:00			`// NewNotificationRuleStore constructs an instance of an authorizing notification rule service.`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`func NewNotificationRuleStore(s influxdb.NotificationRuleStore, urm influxdb.UserResourceMappingService, org influxdb.OrganizationService) *NotificationRuleStore {`
			`return &NotificationRuleStore{`
			`s: s,`
			`UserResourceMappingService: urm,`
			`OrganizationService: org,`
			`}`
			`}`

			`// FindNotificationRuleByID checks to see if the authorizer on context has read access to the id provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s *NotificationRuleStore) FindNotificationRuleByID(ctx context.Context, id platform.ID) (influxdb.NotificationRule, error) {`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`nr, err := s.s.FindNotificationRuleByID(ctx, id)`
			`if err != nil {`
			`return nil, err`
			`}`
refactor(authorizer): auth micro framework 2020-03-16 14:29:17 +00:00			`if _, _, err := AuthorizeRead(ctx, influxdb.NotificationRuleResourceType, nr.GetID(), nr.GetOrgID()); err != nil {`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`return nil, err`
			`}`
			`return nr, nil`
			`}`

			`// FindNotificationRules retrieves all notification rules that match the provided filter and then filters the list down to only the resources that are authorized.`
			`func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filter influxdb.NotificationRuleFilter, opt ...influxdb.FindOptions) ([]influxdb.NotificationRule, int, error) {`
			`// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data`
			`// will likely be expensive.`
			`nrs, _, err := s.s.FindNotificationRules(ctx, filter, opt...)`
			`if err != nil {`
			`return nil, 0, err`
			`}`
refactor(authorizer): auth micro framework 2020-03-16 14:29:17 +00:00			`return AuthorizeFindNotificationRules(ctx, nrs)`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`}`

			`// CreateNotificationRule checks to see if the authorizer on context has write access to the global notification rule resource.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s *NotificationRuleStore) CreateNotificationRule(ctx context.Context, nr influxdb.NotificationRuleCreate, userID platform.ID) error {`
refactor(authorizer): auth micro framework 2020-03-16 14:29:17 +00:00			`if _, _, err := AuthorizeCreate(ctx, influxdb.NotificationRuleResourceType, nr.GetOrgID()); err != nil {`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`return err`
			`}`
			`return s.s.CreateNotificationRule(ctx, nr, userID)`
			`}`

			`// UpdateNotificationRule checks to see if the authorizer on context has write access to the notification rule provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s *NotificationRuleStore) UpdateNotificationRule(ctx context.Context, id platform.ID, upd influxdb.NotificationRuleCreate, userID platform.ID) (influxdb.NotificationRule, error) {`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`nr, err := s.FindNotificationRuleByID(ctx, id)`
			`if err != nil {`
			`return nil, err`
			`}`
refactor(authorizer): auth micro framework 2020-03-16 14:29:17 +00:00			`if _, _, err := AuthorizeWrite(ctx, influxdb.NotificationRuleResourceType, nr.GetID(), nr.GetOrgID()); err != nil {`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`return nil, err`
			`}`
			`return s.s.UpdateNotificationRule(ctx, id, upd, userID)`
			`}`

feat(http): patch notification rule 2019-07-28 14:08:12 +00:00			`// PatchNotificationRule checks to see if the authorizer on context has write access to the notification rule provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s *NotificationRuleStore) PatchNotificationRule(ctx context.Context, id platform.ID, upd influxdb.NotificationRuleUpdate) (influxdb.NotificationRule, error) {`
chore(authorizer): simplify permissions for alerts and notifications (#14701) 2019-08-19 17:39:25 +00:00			`nr, err := s.s.FindNotificationRuleByID(ctx, id)`
feat(http): patch notification rule 2019-07-28 14:08:12 +00:00			`if err != nil {`
			`return nil, err`
			`}`
refactor(authorizer): auth micro framework 2020-03-16 14:29:17 +00:00			`if _, _, err := AuthorizeWrite(ctx, influxdb.NotificationRuleResourceType, nr.GetID(), nr.GetOrgID()); err != nil {`
feat(http): patch notification rule 2019-07-28 14:08:12 +00:00			`return nil, err`
			`}`
			`return s.s.PatchNotificationRule(ctx, id, upd)`
			`}`

feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`// DeleteNotificationRule checks to see if the authorizer on context has write access to the notification rule provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s *NotificationRuleStore) DeleteNotificationRule(ctx context.Context, id platform.ID) error {`
chore(authorizer): simplify permissions for alerts and notifications (#14701) 2019-08-19 17:39:25 +00:00			`nr, err := s.s.FindNotificationRuleByID(ctx, id)`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`if err != nil {`
			`return err`
			`}`
refactor(authorizer): auth micro framework 2020-03-16 14:29:17 +00:00			`if _, _, err := AuthorizeWrite(ctx, influxdb.NotificationRuleResourceType, nr.GetID(), nr.GetOrgID()); err != nil {`
feat(authorizer): add notification rule authorizer 2019-07-25 14:56:12 +00:00			`return err`
			`}`
			`return s.s.DeleteNotificationRule(ctx, id)`
			`}`