influxdb/authorizer/label.go

package authorizer

import (
	"context"
	"errors"

	"github.com/influxdata/influxdb"
)

var _ influxdb.LabelService = (*LabelService)(nil)

// LabelService wraps a influxdb.LabelService and authorizes actions
// against it appropriately.
type LabelService struct {
	s      influxdb.LabelService
	orgSvc OrganizationService
}

// NewLabelServiceWithOrg constructs an instance of an authorizing label serivce.
// Replaces NewLabelService.
func NewLabelServiceWithOrg(s influxdb.LabelService, orgSvc OrganizationService) *LabelService {
	return &LabelService{
		s:      s,
		orgSvc: orgSvc,
	}
}

func newLabelPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
	return influxdb.NewPermissionAtID(id, a, influxdb.LabelsResourceType, orgID)
}

func newResourcePermission(a influxdb.Action, orgID, id influxdb.ID, resourceType influxdb.ResourceType) (*influxdb.Permission, error) {
	if err := resourceType.Valid(); err != nil {
		return nil, err
	}

	p := &influxdb.Permission{
		Action: a,
		Resource: influxdb.Resource{
			Type:  resourceType,
			ID:    &id,
			OrgID: &orgID,
		},
	}

	return p, p.Valid()
}

func authorizeLabelMappingAction(ctx context.Context, action influxdb.Action, orgID, id influxdb.ID, resourceType influxdb.ResourceType) error {
	p, err := newResourcePermission(action, orgID, id, resourceType)
	if err != nil {
		return err
	}

	if err := IsAllowed(ctx, *p); err != nil {
		return err
	}

	return nil
}

func authorizeReadLabel(ctx context.Context, orgID, id influxdb.ID) error {
	p, err := newLabelPermission(influxdb.ReadAction, orgID, id)
	if err != nil {
		return err
	}

	if err := IsAllowed(ctx, *p); err != nil {
		return err
	}

	return nil
}

func authorizeWriteLabel(ctx context.Context, orgID, id influxdb.ID) error {
	p, err := newLabelPermission(influxdb.WriteAction, orgID, id)
	if err != nil {
		return err
	}

	if err := IsAllowed(ctx, *p); err != nil {
		return err
	}

	return nil
}

// FindLabelByID checks to see if the authorizer on context has read access to the label id provided.
func (s *LabelService) FindLabelByID(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
	l, err := s.s.FindLabelByID(ctx, id)
	if err != nil {
		return nil, err
	}

	if err := authorizeReadLabel(ctx, l.OrgID, id); err != nil {
		return nil, err
	}

	return l, nil
}

// FindLabels retrieves all labels that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *LabelService) FindLabels(ctx context.Context, filter influxdb.LabelFilter, opt ...influxdb.FindOptions) ([]*influxdb.Label, error) {
	// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
	// will likely be expensive.
	ls, err := s.s.FindLabels(ctx, filter, opt...)
	if err != nil {
		return nil, err
	}

	// This filters without allocating
	// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
	labels := ls[:0]
	for _, l := range ls {
		err := authorizeReadLabel(ctx, l.OrgID, l.ID)
		if err != nil &&
			influxdb.ErrorCode(err) != influxdb.EUnauthorized &&
			influxdb.ErrorCode(err) != influxdb.EInvalid {
			return nil, err
		}

		if influxdb.ErrorCode(err) == influxdb.EUnauthorized ||
			influxdb.ErrorCode(err) == influxdb.EInvalid {
			continue
		}

		labels = append(labels, l)
	}

	return labels, nil
}

// FindResourceLabels retrieves all labels belonging to the filtering resource if the authorizer on context has read access to it.
// Then it filters the list down to only the labels that are authorized.
func (s *LabelService) FindResourceLabels(ctx context.Context, filter influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
	if err := filter.ResourceType.Valid(); err != nil {
		return nil, err
	}

	if s.orgSvc == nil {
		return nil, errors.New("failed to find orgSvc")
	}
	orgID, err := s.orgSvc.FindResourceOrganizationID(ctx, filter.ResourceType, filter.ResourceID)
	if err != nil {
		return nil, err
	}

	if err := authorizeLabelMappingAction(ctx, influxdb.ReadAction, orgID, filter.ResourceID, filter.ResourceType); err != nil {
		return nil, err
	}

	ls, err := s.s.FindResourceLabels(ctx, filter)
	if err != nil {
		return nil, err
	}

	labels := ls[:0]
	for _, l := range ls {
		err := authorizeReadLabel(ctx, l.OrgID, l.ID)
		if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
			return nil, err
		}

		if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
			continue
		}

		labels = append(labels, l)
	}

	return labels, nil
}

// CreateLabel checks to see if the authorizer on context has write access to the new label's org.
func (s *LabelService) CreateLabel(ctx context.Context, l *influxdb.Label) error {
	if err := authorizeWriteOrg(ctx, l.OrgID); err != nil {
		return err
	}

	return s.s.CreateLabel(ctx, l)
}

// CreateLabelMapping checks to see if the authorizer on context has write access to the label and the resource contained by the label mapping in creation.
func (s *LabelService) CreateLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
	l, err := s.s.FindLabelByID(ctx, m.LabelID)
	if err != nil {
		return err
	}

	if err := authorizeWriteLabel(ctx, l.OrgID, m.LabelID); err != nil {
		return err
	}

	// if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, m.ResourceID, m.ResourceType); err != nil {
	if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, l.OrgID, m.ResourceID, m.ResourceType); err != nil {
		return err
	}

	return s.s.CreateLabelMapping(ctx, m)
}

// UpdateLabel checks to see if the authorizer on context has write access to the label provided.
func (s *LabelService) UpdateLabel(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
	l, err := s.s.FindLabelByID(ctx, id)
	if err != nil {
		return nil, err
	}

	if err := authorizeWriteLabel(ctx, l.OrgID, id); err != nil {
		return nil, err
	}

	return s.s.UpdateLabel(ctx, id, upd)
}

// DeleteLabel checks to see if the authorizer on context has write access to the label provided.
func (s *LabelService) DeleteLabel(ctx context.Context, id influxdb.ID) error {
	l, err := s.s.FindLabelByID(ctx, id)
	if err != nil {
		return err
	}

	if err := authorizeWriteLabel(ctx, l.OrgID, id); err != nil {
		return err
	}

	return s.s.DeleteLabel(ctx, id)
}

// DeleteLabelMapping checks to see if the authorizer on context has write access to the label and the resource of the label mapping to delete.
func (s *LabelService) DeleteLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
	l, err := s.s.FindLabelByID(ctx, m.LabelID)
	if err != nil {
		return err
	}

	if err := authorizeWriteLabel(ctx, l.OrgID, m.LabelID); err != nil {
		return err
	}

	if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, l.OrgID, m.ResourceID, m.ResourceType); err != nil {
		return err
	}

	return s.s.DeleteLabelMapping(ctx, m)
}
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`package authorizer`

			`import (`
			`"context"`
fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`"errors"`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00
			`"github.com/influxdata/influxdb"`
			`)`

			`var _ influxdb.LabelService = (*LabelService)(nil)`

			`// LabelService wraps a influxdb.LabelService and authorizes actions`
			`// against it appropriately.`
			`type LabelService struct {`
fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`s influxdb.LabelService`
			`orgSvc OrganizationService`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`}`

fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`// NewLabelServiceWithOrg constructs an instance of an authorizing label serivce.`
			`// Replaces NewLabelService.`
			`func NewLabelServiceWithOrg(s influxdb.LabelService, orgSvc OrganizationService) *LabelService {`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`return &LabelService{`
fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`s: s,`
			`orgSvc: orgSvc,`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`}`
			`}`

score authorizer on orgID 2019-03-19 18:07:36 +00:00			`func newLabelPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {`
			`return influxdb.NewPermissionAtID(id, a, influxdb.LabelsResourceType, orgID)`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`}`

fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`func newResourcePermission(a influxdb.Action, orgID, id influxdb.ID, resourceType influxdb.ResourceType) (*influxdb.Permission, error) {`
feat(authorizer): authorization of label mappings creation 2019-01-22 17:55:56 +00:00			`if err := resourceType.Valid(); err != nil {`
			`return nil, err`
			`}`

			`p := &influxdb.Permission{`
			`Action: a,`
			`Resource: influxdb.Resource{`
fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`Type: resourceType,`
			`ID: &id,`
			`OrgID: &orgID,`
feat(authorizer): authorization of label mappings creation 2019-01-22 17:55:56 +00:00			`},`
			`}`

			`return p, p.Valid()`
			`}`

fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`func authorizeLabelMappingAction(ctx context.Context, action influxdb.Action, orgID, id influxdb.ID, resourceType influxdb.ResourceType) error {`
			`p, err := newResourcePermission(action, orgID, id, resourceType)`
fix(http): refactor document service and fix auth 2020-03-04 20:03:07 +00:00			`if err != nil {`
			`return err`
			`}`

			`if err := IsAllowed(ctx, *p); err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

score authorizer on orgID 2019-03-19 18:07:36 +00:00			`func authorizeReadLabel(ctx context.Context, orgID, id influxdb.ID) error {`
			`p, err := newLabelPermission(influxdb.ReadAction, orgID, id)`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`if err != nil {`
			`return err`
			`}`

			`if err := IsAllowed(ctx, *p); err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

score authorizer on orgID 2019-03-19 18:07:36 +00:00			`func authorizeWriteLabel(ctx context.Context, orgID, id influxdb.ID) error {`
			`p, err := newLabelPermission(influxdb.WriteAction, orgID, id)`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`if err != nil {`
			`return err`
			`}`

			`if err := IsAllowed(ctx, *p); err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`// FindLabelByID checks to see if the authorizer on context has read access to the label id provided.`
			`func (s LabelService) FindLabelByID(ctx context.Context, id influxdb.ID) (influxdb.Label, error) {`
score authorizer on orgID 2019-03-19 18:07:36 +00:00			`l, err := s.s.FindLabelByID(ctx, id)`
			`if err != nil {`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`return nil, err`
			`}`

organizationID -> orgID 2019-04-11 22:50:02 +00:00			`if err := authorizeReadLabel(ctx, l.OrgID, id); err != nil {`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`return nil, err`
			`}`

			`return l, nil`
			`}`

			`// FindLabels retrieves all labels that match the provided filter and then filters the list down to only the resources that are authorized.`
			`func (s LabelService) FindLabels(ctx context.Context, filter influxdb.LabelFilter, opt ...influxdb.FindOptions) ([]influxdb.Label, error) {`
			`// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data`
			`// will likely be expensive.`
			`ls, err := s.s.FindLabels(ctx, filter, opt...)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// This filters without allocating`
			`// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating`
			`labels := ls[:0]`
			`for _, l := range ls {`
organizationID -> orgID 2019-04-11 22:50:02 +00:00			`err := authorizeReadLabel(ctx, l.OrgID, l.ID)`
fix(authorization): ignore the labels 2019-03-20 02:53:35 +00:00			`if err != nil &&`
			`influxdb.ErrorCode(err) != influxdb.EUnauthorized &&`
			`influxdb.ErrorCode(err) != influxdb.EInvalid {`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`return nil, err`
			`}`

fix(authorization): ignore the labels 2019-03-20 02:53:35 +00:00			`if influxdb.ErrorCode(err) == influxdb.EUnauthorized \|\|`
			`influxdb.ErrorCode(err) == influxdb.EInvalid {`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`continue`
			`}`

			`labels = append(labels, l)`
			`}`

			`return labels, nil`
			`}`

feat(authorizer): authorize the look up of labels by resource 2019-01-23 17:39:06 +00:00			`// FindResourceLabels retrieves all labels belonging to the filtering resource if the authorizer on context has read access to it.`
			`// Then it filters the list down to only the labels that are authorized.`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`func (s LabelService) FindResourceLabels(ctx context.Context, filter influxdb.LabelMappingFilter) ([]influxdb.Label, error) {`
fix(labels): add check for write permissions to create label (#17174) 2020-03-12 17:51:50 +00:00			`if err := filter.ResourceType.Valid(); err != nil {`
			`return nil, err`
			`}`

fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`if s.orgSvc == nil {`
			`return nil, errors.New("failed to find orgSvc")`
			`}`
			`orgID, err := s.orgSvc.FindResourceOrganizationID(ctx, filter.ResourceType, filter.ResourceID)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := authorizeLabelMappingAction(ctx, influxdb.ReadAction, orgID, filter.ResourceID, filter.ResourceType); err != nil {`
			`return nil, err`
feat(authorizer): authorize the look up of labels by resource 2019-01-23 17:39:06 +00:00			`}`

			`ls, err := s.s.FindResourceLabels(ctx, filter)`
			`if err != nil {`
			`return nil, err`
			`}`

			`labels := ls[:0]`
			`for _, l := range ls {`
fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`err := authorizeReadLabel(ctx, l.OrgID, l.ID)`
feat(authorizer): authorize the look up of labels by resource 2019-01-23 17:39:06 +00:00			`if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {`
			`return nil, err`
			`}`

			`if influxdb.ErrorCode(err) == influxdb.EUnauthorized {`
			`continue`
			`}`

			`labels = append(labels, l)`
			`}`

			`return labels, nil`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`}`

fix(labels): add check for write permissions to create label (#17174) 2020-03-12 17:51:50 +00:00			`// CreateLabel checks to see if the authorizer on context has write access to the new label's org.`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`func (s LabelService) CreateLabel(ctx context.Context, l influxdb.Label) error {`
fix(labels): add check for write permissions to create label (#17174) 2020-03-12 17:51:50 +00:00			`if err := authorizeWriteOrg(ctx, l.OrgID); err != nil {`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`return err`
			`}`

			`return s.s.CreateLabel(ctx, l)`
			`}`

feat(authorizer): authorization for deletion of label mappings Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com> 2019-01-23 14:28:17 +00:00			`// CreateLabelMapping checks to see if the authorizer on context has write access to the label and the resource contained by the label mapping in creation.`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`func (s LabelService) CreateLabelMapping(ctx context.Context, m influxdb.LabelMapping) error {`
score authorizer on orgID 2019-03-19 18:07:36 +00:00			`l, err := s.s.FindLabelByID(ctx, m.LabelID)`
			`if err != nil {`
			`return err`
			`}`

organizationID -> orgID 2019-04-11 22:50:02 +00:00			`if err := authorizeWriteLabel(ctx, l.OrgID, m.LabelID); err != nil {`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`return err`
			`}`

fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`// if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, m.ResourceID, m.ResourceType); err != nil {`
			`if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, l.OrgID, m.ResourceID, m.ResourceType); err != nil {`
			`return err`
feat(authorizer): authorization of label mappings creation 2019-01-22 17:55:56 +00:00			`}`

			`return s.s.CreateLabelMapping(ctx, m)`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`}`

			`// UpdateLabel checks to see if the authorizer on context has write access to the label provided.`
			`func (s LabelService) UpdateLabel(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (influxdb.Label, error) {`
score authorizer on orgID 2019-03-19 18:07:36 +00:00			`l, err := s.s.FindLabelByID(ctx, id)`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`if err != nil {`
			`return nil, err`
			`}`

organizationID -> orgID 2019-04-11 22:50:02 +00:00			`if err := authorizeWriteLabel(ctx, l.OrgID, id); err != nil {`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`return nil, err`
			`}`

			`return s.s.UpdateLabel(ctx, id, upd)`
			`}`

			`// DeleteLabel checks to see if the authorizer on context has write access to the label provided.`
			`func (s *LabelService) DeleteLabel(ctx context.Context, id influxdb.ID) error {`
score authorizer on orgID 2019-03-19 18:07:36 +00:00			`l, err := s.s.FindLabelByID(ctx, id)`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`if err != nil {`
			`return err`
			`}`

organizationID -> orgID 2019-04-11 22:50:02 +00:00			`if err := authorizeWriteLabel(ctx, l.OrgID, id); err != nil {`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`return err`
			`}`

			`return s.s.DeleteLabel(ctx, id)`
			`}`

feat(authorizer): authorization for deletion of label mappings Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com> 2019-01-23 14:28:17 +00:00			`// DeleteLabelMapping checks to see if the authorizer on context has write access to the label and the resource of the label mapping to delete.`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`func (s LabelService) DeleteLabelMapping(ctx context.Context, m influxdb.LabelMapping) error {`
score authorizer on orgID 2019-03-19 18:07:36 +00:00			`l, err := s.s.FindLabelByID(ctx, m.LabelID)`
feat(authorizer): authorization for deletion of label mappings Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com> 2019-01-23 14:28:17 +00:00			`if err != nil {`
			`return err`
			`}`

organizationID -> orgID 2019-04-11 22:50:02 +00:00			`if err := authorizeWriteLabel(ctx, l.OrgID, m.LabelID); err != nil {`
feat(authorizer): authorization for deletion of label mappings Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com> 2019-01-23 14:28:17 +00:00			`return err`
			`}`

fix: allow authorized label service to be called indirectly (#17111) * fix: allow authorized label service to be called indirectly 17071 exists because pkger loads all service resources as authorized on start, resulting in them all being authorized when referenced indirectly (not hit directly via api by consumer). Rather than restructure pkger to only authorize direct services, this allows proper indirect auth to labels (the cause of 17071). * Add orgService to tests * Add resource types to find orgID from 2020-03-11 16:58:39 +00:00			`if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, l.OrgID, m.ResourceID, m.ResourceType); err != nil {`
			`return err`
feat(authorizer): authorization for deletion of label mappings Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com> 2019-01-23 14:28:17 +00:00			`}`

			`return s.s.DeleteLabelMapping(ctx, m)`
feat(authorizer): initial (incomplete) auth for labels v2 2019-01-22 13:40:20 +00:00			`}`