influxdb/tenant/middleware_org_auth.go

package tenant

import (
	"context"

	"github.com/influxdata/influxdb/v2"
	"github.com/influxdata/influxdb/v2/authorizer"
	icontext "github.com/influxdata/influxdb/v2/context"
	"github.com/influxdata/influxdb/v2/kit/platform"
)

var _ influxdb.OrganizationService = (*AuthedOrgService)(nil)

// TODO (al): remove authorizer/org when the org service moves to tenant

// AuthedOrgService wraps a influxdb.OrganizationService and authorizes actions
// against it appropriately.
type AuthedOrgService struct {
	s influxdb.OrganizationService
}

// NewAuthedOrgService constructs an instance of an authorizing org service.
func NewAuthedOrgService(s influxdb.OrganizationService) *AuthedOrgService {
	return &AuthedOrgService{
		s: s,
	}
}

// FindOrganizationByID checks to see if the authorizer on context has read access to the id provided.
func (s *AuthedOrgService) FindOrganizationByID(ctx context.Context, id platform.ID) (*influxdb.Organization, error) {
	if _, _, err := authorizer.AuthorizeReadOrg(ctx, id); err != nil {
		return nil, err
	}
	return s.s.FindOrganizationByID(ctx, id)
}

// FindOrganization retrieves the organization and checks to see if the authorizer on context has read access to the org.
func (s *AuthedOrgService) FindOrganization(ctx context.Context, filter influxdb.OrganizationFilter) (*influxdb.Organization, error) {
	o, err := s.s.FindOrganization(ctx, filter)
	if err != nil {
		return nil, err
	}
	if _, _, err := authorizer.AuthorizeReadOrg(ctx, o.ID); err != nil {
		return nil, err
	}
	return o, nil
}

// FindOrganizations retrieves all organizations that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *AuthedOrgService) FindOrganizations(ctx context.Context, filter influxdb.OrganizationFilter, opt ...influxdb.FindOptions) ([]*influxdb.Organization, int, error) {
	if filter.Name == nil && filter.ID == nil && filter.UserID == nil {
		// if the user doesnt have permission to look up all orgs we need to add this users id to the filter to save lookup time
		auth, err := icontext.GetAuthorizer(ctx)
		if err != nil {
			return nil, 0, err
		}
		if _, _, err := authorizer.AuthorizeReadGlobal(ctx, influxdb.OrgsResourceType); err != nil {
			userid := auth.GetUserID()
			filter.UserID = &userid
		}
	}

	os, _, err := s.s.FindOrganizations(ctx, filter, opt...)
	if err != nil {
		return nil, 0, err
	}
	return authorizer.AuthorizeFindOrganizations(ctx, os)
}

// CreateOrganization checks to see if the authorizer on context has write access to the global orgs resource.
func (s *AuthedOrgService) CreateOrganization(ctx context.Context, o *influxdb.Organization) error {
	if _, _, err := authorizer.AuthorizeWriteGlobal(ctx, influxdb.OrgsResourceType); err != nil {
		return err
	}
	return s.s.CreateOrganization(ctx, o)
}

// UpdateOrganization checks to see if the authorizer on context has write access to the organization provided.
func (s *AuthedOrgService) UpdateOrganization(ctx context.Context, id platform.ID, upd influxdb.OrganizationUpdate) (*influxdb.Organization, error) {
	if _, _, err := authorizer.AuthorizeWriteOrg(ctx, id); err != nil {
		return nil, err
	}
	return s.s.UpdateOrganization(ctx, id, upd)
}

// DeleteOrganization checks to see if the authorizer on context has write access to the organization provided.
func (s *AuthedOrgService) DeleteOrganization(ctx context.Context, id platform.ID) error {
	if _, _, err := authorizer.AuthorizeWriteOrg(ctx, id); err != nil {
		return err
	}
	return s.s.DeleteOrganization(ctx, id)
}
refactor(tenant): move org auth layer to tenant service (#17468) 2020-03-27 18:47:30 +00:00			`package tenant`

			`import (`
			`"context"`

refactor: rewrite imports to include the /v2 suffix for version 2 2020-04-03 17:39:20 +00:00			`"github.com/influxdata/influxdb/v2"`
			`"github.com/influxdata/influxdb/v2/authorizer"`
fix: org filtering for both kv and tenant need to match behaviors. (#17758) 2020-04-16 18:22:21 +00:00			`icontext "github.com/influxdata/influxdb/v2/context"`
fix: more expressive errors (#22448) * fix: more expressive errors Closes #22446 * fix: server only logging for untyped errors * chore: fix formatting 2021-09-13 19:12:35 +00:00			`"github.com/influxdata/influxdb/v2/kit/platform"`
refactor(tenant): move org auth layer to tenant service (#17468) 2020-03-27 18:47:30 +00:00			`)`

			`var _ influxdb.OrganizationService = (*AuthedOrgService)(nil)`

			`// TODO (al): remove authorizer/org when the org service moves to tenant`

			`// AuthedOrgService wraps a influxdb.OrganizationService and authorizes actions`
			`// against it appropriately.`
			`type AuthedOrgService struct {`
			`s influxdb.OrganizationService`
			`}`

fix: correct various typos (#19987) Co-authored-by: kumakichi <xyesan@gmail.com> 2020-11-11 18:54:21 +00:00			`// NewAuthedOrgService constructs an instance of an authorizing org service.`
refactor(tenant): move org auth layer to tenant service (#17468) 2020-03-27 18:47:30 +00:00			`func NewAuthedOrgService(s influxdb.OrganizationService) *AuthedOrgService {`
			`return &AuthedOrgService{`
			`s: s,`
			`}`
			`}`

			`// FindOrganizationByID checks to see if the authorizer on context has read access to the id provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s AuthedOrgService) FindOrganizationByID(ctx context.Context, id platform.ID) (influxdb.Organization, error) {`
refactor(tenant): move org auth layer to tenant service (#17468) 2020-03-27 18:47:30 +00:00			`if _, _, err := authorizer.AuthorizeReadOrg(ctx, id); err != nil {`
			`return nil, err`
			`}`
			`return s.s.FindOrganizationByID(ctx, id)`
			`}`

			`// FindOrganization retrieves the organization and checks to see if the authorizer on context has read access to the org.`
			`func (s AuthedOrgService) FindOrganization(ctx context.Context, filter influxdb.OrganizationFilter) (influxdb.Organization, error) {`
			`o, err := s.s.FindOrganization(ctx, filter)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if _, _, err := authorizer.AuthorizeReadOrg(ctx, o.ID); err != nil {`
			`return nil, err`
			`}`
			`return o, nil`
			`}`

			`// FindOrganizations retrieves all organizations that match the provided filter and then filters the list down to only the resources that are authorized.`
			`func (s AuthedOrgService) FindOrganizations(ctx context.Context, filter influxdb.OrganizationFilter, opt ...influxdb.FindOptions) ([]influxdb.Organization, int, error) {`
fix: org filtering for both kv and tenant need to match behaviors. (#17758) 2020-04-16 18:22:21 +00:00			`if filter.Name == nil && filter.ID == nil && filter.UserID == nil {`
			`// if the user doesnt have permission to look up all orgs we need to add this users id to the filter to save lookup time`
			`auth, err := icontext.GetAuthorizer(ctx)`
			`if err != nil {`
			`return nil, 0, err`
			`}`
			`if _, _, err := authorizer.AuthorizeReadGlobal(ctx, influxdb.OrgsResourceType); err != nil {`
			`userid := auth.GetUserID()`
			`filter.UserID = &userid`
			`}`
			`}`

refactor(tenant): move org auth layer to tenant service (#17468) 2020-03-27 18:47:30 +00:00			`os, _, err := s.s.FindOrganizations(ctx, filter, opt...)`
			`if err != nil {`
			`return nil, 0, err`
			`}`
			`return authorizer.AuthorizeFindOrganizations(ctx, os)`
			`}`

			`// CreateOrganization checks to see if the authorizer on context has write access to the global orgs resource.`
			`func (s AuthedOrgService) CreateOrganization(ctx context.Context, o influxdb.Organization) error {`
			`if _, _, err := authorizer.AuthorizeWriteGlobal(ctx, influxdb.OrgsResourceType); err != nil {`
			`return err`
			`}`
			`return s.s.CreateOrganization(ctx, o)`
			`}`

			`// UpdateOrganization checks to see if the authorizer on context has write access to the organization provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s AuthedOrgService) UpdateOrganization(ctx context.Context, id platform.ID, upd influxdb.OrganizationUpdate) (influxdb.Organization, error) {`
refactor(tenant): move org auth layer to tenant service (#17468) 2020-03-27 18:47:30 +00:00			`if _, _, err := authorizer.AuthorizeWriteOrg(ctx, id); err != nil {`
			`return nil, err`
			`}`
			`return s.s.UpdateOrganization(ctx, id, upd)`
			`}`

			`// DeleteOrganization checks to see if the authorizer on context has write access to the organization provided.`
refactor: automated move of errors and id from root to kit (#21101) Co-authored-by: Sam Arnold <sarnold@influxdata.com> 2021-03-30 18:10:02 +00:00			`func (s *AuthedOrgService) DeleteOrganization(ctx context.Context, id platform.ID) error {`
refactor(tenant): move org auth layer to tenant service (#17468) 2020-03-27 18:47:30 +00:00			`if _, _, err := authorizer.AuthorizeWriteOrg(ctx, id); err != nil {`
			`return err`
			`}`
			`return s.s.DeleteOrganization(ctx, id)`
			`}`