2019-01-16 19:41:57 +00:00
package authorizer
import (
"context"
2020-04-03 17:39:20 +00:00
"github.com/influxdata/influxdb/v2"
2020-04-16 18:22:21 +00:00
icontext "github.com/influxdata/influxdb/v2/context"
2021-09-13 19:12:35 +00:00
"github.com/influxdata/influxdb/v2/kit/platform"
2019-01-16 19:41:57 +00:00
)
var _ influxdb . OrganizationService = ( * OrgService ) ( nil )
// OrgService wraps a influxdb.OrganizationService and authorizes actions
// against it appropriately.
type OrgService struct {
s influxdb . OrganizationService
}
2020-11-11 18:54:21 +00:00
// NewOrgService constructs an instance of an authorizing org service.
2019-01-16 19:41:57 +00:00
func NewOrgService ( s influxdb . OrganizationService ) * OrgService {
return & OrgService {
s : s ,
}
}
// FindOrganizationByID checks to see if the authorizer on context has read access to the id provided.
2021-03-30 18:10:02 +00:00
func ( s * OrgService ) FindOrganizationByID ( ctx context . Context , id platform . ID ) ( * influxdb . Organization , error ) {
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeReadOrg ( ctx , id ) ; err != nil {
2019-01-16 19:41:57 +00:00
return nil , err
}
return s . s . FindOrganizationByID ( ctx , id )
}
// FindOrganization retrieves the organization and checks to see if the authorizer on context has read access to the org.
func ( s * OrgService ) FindOrganization ( ctx context . Context , filter influxdb . OrganizationFilter ) ( * influxdb . Organization , error ) {
o , err := s . s . FindOrganization ( ctx , filter )
if err != nil {
return nil , err
}
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeReadOrg ( ctx , o . ID ) ; err != nil {
2019-01-16 19:41:57 +00:00
return nil , err
}
return o , nil
}
// FindOrganizations retrieves all organizations that match the provided filter and then filters the list down to only the resources that are authorized.
func ( s * OrgService ) FindOrganizations ( ctx context . Context , filter influxdb . OrganizationFilter , opt ... influxdb . FindOptions ) ( [ ] * influxdb . Organization , int , error ) {
2020-04-16 18:22:21 +00:00
if filter . Name == nil && filter . ID == nil && filter . UserID == nil {
// if the user doesnt have permission to look up all orgs we need to add this users id to the filter to save lookup time
auth , err := icontext . GetAuthorizer ( ctx )
if err != nil {
return nil , 0 , err
}
if _ , _ , err := AuthorizeReadGlobal ( ctx , influxdb . OrgsResourceType ) ; err != nil {
userid := auth . GetUserID ( )
filter . UserID = & userid
}
}
2019-01-16 19:41:57 +00:00
// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
// will likely be expensive.
os , _ , err := s . s . FindOrganizations ( ctx , filter , opt ... )
if err != nil {
return nil , 0 , err
}
2020-03-16 14:29:17 +00:00
return AuthorizeFindOrganizations ( ctx , os )
2019-01-16 19:41:57 +00:00
}
// CreateOrganization checks to see if the authorizer on context has write access to the global orgs resource.
func ( s * OrgService ) CreateOrganization ( ctx context . Context , o * influxdb . Organization ) error {
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeWriteGlobal ( ctx , influxdb . OrgsResourceType ) ; err != nil {
2019-01-16 19:41:57 +00:00
return err
}
return s . s . CreateOrganization ( ctx , o )
}
// UpdateOrganization checks to see if the authorizer on context has write access to the organization provided.
2021-03-30 18:10:02 +00:00
func ( s * OrgService ) UpdateOrganization ( ctx context . Context , id platform . ID , upd influxdb . OrganizationUpdate ) ( * influxdb . Organization , error ) {
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeWriteOrg ( ctx , id ) ; err != nil {
2019-01-16 19:41:57 +00:00
return nil , err
}
return s . s . UpdateOrganization ( ctx , id , upd )
}
// DeleteOrganization checks to see if the authorizer on context has write access to the organization provided.
2021-03-30 18:10:02 +00:00
func ( s * OrgService ) DeleteOrganization ( ctx context . Context , id platform . ID ) error {
2020-03-16 14:29:17 +00:00
if _ , _ , err := AuthorizeWriteOrg ( ctx , id ) ; err != nil {
2019-01-16 19:41:57 +00:00
return err
}
return s . s . DeleteOrganization ( ctx , id )
}