influxdb/authorizer/macro.go

package authorizer

import (
	"context"

	"github.com/influxdata/influxdb"
)

var _ influxdb.MacroService = (*MacroService)(nil)

// MacroService wraps a influxdb.MacroService and authorizes actions
// against it appropriately.
type MacroService struct {
	s influxdb.MacroService
}

// NewMacroService constructs an instance of an authorizing macro service.
func NewMacroService(s influxdb.MacroService) *MacroService {
	return &MacroService{
		s: s,
	}
}

func newMacroPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
	return influxdb.NewPermissionAtID(id, a, influxdb.MacrosResourceType, orgID)
}

func authorizeReadMacro(ctx context.Context, orgID, id influxdb.ID) error {
	p, err := newMacroPermission(influxdb.ReadAction, orgID, id)
	if err != nil {
		return err
	}

	if err := IsAllowed(ctx, *p); err != nil {
		return err
	}

	return nil
}

func authorizeWriteMacro(ctx context.Context, orgID, id influxdb.ID) error {
	p, err := newMacroPermission(influxdb.WriteAction, orgID, id)
	if err != nil {
		return err
	}

	if err := IsAllowed(ctx, *p); err != nil {
		return err
	}

	return nil
}

// FindMacroByID checks to see if the authorizer on context has read access to the id provided.
func (s *MacroService) FindMacroByID(ctx context.Context, id influxdb.ID) (*influxdb.Macro, error) {
	m, err := s.s.FindMacroByID(ctx, id)
	if err != nil {
		return nil, err
	}

	if err := authorizeReadMacro(ctx, m.OrganizationID, id); err != nil {
		return nil, err
	}

	return m, nil
}

// FindMacros retrieves all macros that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *MacroService) FindMacros(ctx context.Context, filter influxdb.MacroFilter, opt ...influxdb.FindOptions) ([]*influxdb.Macro, error) {
	// TODO: we'll likely want to push this operation into the database since fetching the whole list of data will likely be expensive.
	ms, err := s.s.FindMacros(ctx, filter, opt...)
	if err != nil {
		return nil, err
	}

	// This filters without allocating
	// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
	macros := ms[:0]
	for _, m := range ms {
		err := authorizeReadMacro(ctx, m.OrganizationID, m.ID)
		if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
			return nil, err
		}

		if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
			continue
		}

		macros = append(macros, m)
	}

	return macros, nil
}

// CreateMacro checks to see if the authorizer on context has write access to the global macro resource.
func (s *MacroService) CreateMacro(ctx context.Context, m *influxdb.Macro) error {
	p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.MacrosResourceType, m.OrganizationID)
	if err != nil {
		return err
	}

	if err := IsAllowed(ctx, *p); err != nil {
		return err
	}

	return s.s.CreateMacro(ctx, m)
}

// UpdateMacro checks to see if the authorizer on context has write access to the macro provided.
func (s *MacroService) UpdateMacro(ctx context.Context, id influxdb.ID, upd *influxdb.MacroUpdate) (*influxdb.Macro, error) {
	m, err := s.FindMacroByID(ctx, id)
	if err != nil {
		return nil, err
	}

	if err := authorizeWriteMacro(ctx, m.OrganizationID, id); err != nil {
		return nil, err
	}

	return s.s.UpdateMacro(ctx, id, upd)
}

// ReplaceMacro checks to see if the authorizer on context has write access to the macro provided.
func (s *MacroService) ReplaceMacro(ctx context.Context, m *influxdb.Macro) error {
	m, err := s.FindMacroByID(ctx, m.ID)
	if err != nil {
		return err
	}

	if err := authorizeWriteMacro(ctx, m.OrganizationID, m.ID); err != nil {
		return err
	}

	return s.s.ReplaceMacro(ctx, m)
}

// DeleteMacro checks to see if the authorizer on context has write access to the macro provided.
func (s *MacroService) DeleteMacro(ctx context.Context, id influxdb.ID) error {
	m, err := s.FindMacroByID(ctx, id)
	if err != nil {
		return err
	}

	if err := authorizeWriteMacro(ctx, m.OrganizationID, id); err != nil {
		return err
	}

	return s.s.DeleteMacro(ctx, id)
}
feat(authorizer): macro authorizer Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com> 2019-01-17 13:21:20 +00:00			`package authorizer`

			`import (`
			`"context"`

			`"github.com/influxdata/influxdb"`
			`)`

			`var _ influxdb.MacroService = (*MacroService)(nil)`

			`// MacroService wraps a influxdb.MacroService and authorizes actions`
			`// against it appropriately.`
			`type MacroService struct {`
			`s influxdb.MacroService`
			`}`

			`// NewMacroService constructs an instance of an authorizing macro service.`
			`func NewMacroService(s influxdb.MacroService) *MacroService {`
			`return &MacroService{`
			`s: s,`
			`}`
			`}`

			`func newMacroPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {`
			`return influxdb.NewPermissionAtID(id, a, influxdb.MacrosResourceType, orgID)`
			`}`

			`func authorizeReadMacro(ctx context.Context, orgID, id influxdb.ID) error {`
			`p, err := newMacroPermission(influxdb.ReadAction, orgID, id)`
			`if err != nil {`
			`return err`
			`}`

			`if err := IsAllowed(ctx, *p); err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`func authorizeWriteMacro(ctx context.Context, orgID, id influxdb.ID) error {`
			`p, err := newMacroPermission(influxdb.WriteAction, orgID, id)`
			`if err != nil {`
			`return err`
			`}`

			`if err := IsAllowed(ctx, *p); err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`// FindMacroByID checks to see if the authorizer on context has read access to the id provided.`
			`func (s MacroService) FindMacroByID(ctx context.Context, id influxdb.ID) (influxdb.Macro, error) {`
			`m, err := s.s.FindMacroByID(ctx, id)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := authorizeReadMacro(ctx, m.OrganizationID, id); err != nil {`
			`return nil, err`
			`}`

			`return m, nil`
			`}`

			`// FindMacros retrieves all macros that match the provided filter and then filters the list down to only the resources that are authorized.`
			`func (s MacroService) FindMacros(ctx context.Context, filter influxdb.MacroFilter, opt ...influxdb.FindOptions) ([]influxdb.Macro, error) {`
			`// TODO: we'll likely want to push this operation into the database since fetching the whole list of data will likely be expensive.`
			`ms, err := s.s.FindMacros(ctx, filter, opt...)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// This filters without allocating`
			`// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating`
			`macros := ms[:0]`
			`for _, m := range ms {`
			`err := authorizeReadMacro(ctx, m.OrganizationID, m.ID)`
			`if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {`
			`return nil, err`
			`}`

			`if influxdb.ErrorCode(err) == influxdb.EUnauthorized {`
			`continue`
			`}`

			`macros = append(macros, m)`
			`}`

			`return macros, nil`
			`}`

			`// CreateMacro checks to see if the authorizer on context has write access to the global macro resource.`
			`func (s MacroService) CreateMacro(ctx context.Context, m influxdb.Macro) error {`
			`p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.MacrosResourceType, m.OrganizationID)`
			`if err != nil {`
			`return err`
			`}`

			`if err := IsAllowed(ctx, *p); err != nil {`
			`return err`
			`}`

			`return s.s.CreateMacro(ctx, m)`
			`}`

			`// UpdateMacro checks to see if the authorizer on context has write access to the macro provided.`
			`func (s MacroService) UpdateMacro(ctx context.Context, id influxdb.ID, upd influxdb.MacroUpdate) (*influxdb.Macro, error) {`
			`m, err := s.FindMacroByID(ctx, id)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := authorizeWriteMacro(ctx, m.OrganizationID, id); err != nil {`
			`return nil, err`
			`}`

			`return s.s.UpdateMacro(ctx, id, upd)`
			`}`

			`// ReplaceMacro checks to see if the authorizer on context has write access to the macro provided.`
			`func (s MacroService) ReplaceMacro(ctx context.Context, m influxdb.Macro) error {`
			`m, err := s.FindMacroByID(ctx, m.ID)`
			`if err != nil {`
			`return err`
			`}`

			`if err := authorizeWriteMacro(ctx, m.OrganizationID, m.ID); err != nil {`
			`return err`
			`}`

			`return s.s.ReplaceMacro(ctx, m)`
			`}`

			`// DeleteMacro checks to see if the authorizer on context has write access to the macro provided.`
			`func (s *MacroService) DeleteMacro(ctx context.Context, id influxdb.ID) error {`
			`m, err := s.FindMacroByID(ctx, id)`
			`if err != nil {`
			`return err`
			`}`

			`if err := authorizeWriteMacro(ctx, m.OrganizationID, id); err != nil {`
			`return err`
			`}`

			`return s.s.DeleteMacro(ctx, id)`
			`}`