fix: prevent unauthorized writes in flux "to" function (#24077)
* fix: prevent unauthorized writes in flux "to" function * test: add test for "to" permissions fixpull/24085/head
parent
ec7fdd3a58
commit
06a59020d0
|
@ -12,6 +12,8 @@ import (
|
|||
"github.com/influxdata/flux/execute"
|
||||
"github.com/influxdata/flux/memory"
|
||||
"github.com/influxdata/flux/values"
|
||||
influxdb2 "github.com/influxdata/influxdb/v2"
|
||||
"github.com/influxdata/influxdb/v2/authorizer"
|
||||
"github.com/influxdata/influxdb/v2/kit/platform"
|
||||
"github.com/influxdata/influxdb/v2/kit/platform/errors"
|
||||
"github.com/influxdata/influxdb/v2/models"
|
||||
|
@ -120,6 +122,15 @@ func (p Provider) WriterFor(ctx context.Context, conf influxdb.Config) (influxdb
|
|||
return nil, err
|
||||
}
|
||||
|
||||
// err will be set if we are not authorized, we don't care about the other return values.
|
||||
_, _, err = authorizer.AuthorizeWrite(ctx, influxdb2.BucketsResourceType, bucketID, reqOrgID)
|
||||
if err != nil {
|
||||
return nil, &errors.Error{
|
||||
Code: errors.EForbidden,
|
||||
Msg: "user not authorized to write",
|
||||
}
|
||||
}
|
||||
|
||||
return &localPointsWriter{
|
||||
ctx: ctx,
|
||||
buf: make([]models.Point, 1<<14),
|
||||
|
|
|
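Review bot: The error returned by authorizer.AuthorizeWrite is discarded and replaced with a fixed EForbidden, so the caller cannot tell a missing authorizer in the context from an authorizer that lacks the write permission, and the cause is lost for logging. If the kit errors.Error supports a wrapped cause (its Err field), `return nil, &errors.Error{Code: errors.EForbidden, Msg: "user not authorized to write", Err: err}` keeps the client-facing message generic while preserving the reason; the new test compares the full struct, so it would need to be updated alongside. The check also runs after bucketID and reqOrgID are resolved (above the hunk), so an unauthorized caller still receives the bucket-lookup error before the forbidden one; that is presumably consistent with the read path, but a short comment saying the ordering is intentional would help the next reader. WriterFor's signature and the preceding lookup are outside the hunk.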
@ -10,6 +10,8 @@ import (
|
|||
"github.com/influxdata/flux/execute"
|
||||
"github.com/influxdata/flux/execute/table"
|
||||
"github.com/influxdata/flux/execute/table/static"
|
||||
influxdb2 "github.com/influxdata/influxdb/v2"
|
||||
context2 "github.com/influxdata/influxdb/v2/context"
|
||||
"github.com/influxdata/influxdb/v2/kit/platform"
|
||||
"github.com/influxdata/influxdb/v2/kit/platform/errors"
|
||||
"github.com/influxdata/influxdb/v2/mock"
|
||||
|
@ -220,3 +222,84 @@ func TestProvider_SeriesCardinalityReader_MissingRequestContext(t *testing.T) {
|
|||
|
||||
require.Equal(t, wantErr, gotErr)
|
||||
}
|
||||
|
||||
func TestWriterFor(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
auth := influxdb2.Authorization{
|
||||
Status: influxdb2.Active,
|
||||
Permissions: []influxdb2.Permission{
|
||||
{
|
||||
Action: influxdb2.WriteAction,
|
||||
Resource: influxdb2.Resource{
|
||||
Type: influxdb2.BucketsResourceType,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
provider := influxdb.Provider{
|
||||
Reader: storageflux.NewReader(&mock.ReadsStore{}),
|
||||
BucketLookup: mock.BucketLookup{},
|
||||
}
|
||||
|
||||
conf := influxdb.Config{
|
||||
Bucket: influxdb.NameOrID{
|
||||
Name: "my-bucket",
|
||||
},
|
||||
}
|
||||
|
||||
ctx := context.Background()
|
||||
req := query.Request{
|
||||
OrganizationID: platform.ID(2),
|
||||
}
|
||||
ctx = query.ContextWithRequest(ctx, &req)
|
||||
ctx = context2.SetAuthorizer(ctx, &auth)
|
||||
|
||||
_, gotErr := provider.WriterFor(ctx, conf)
|
||||
|
||||
require.Nil(t, gotErr)
|
||||
}
|
||||
|
||||
func TestWriterFor_Error(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
auth := influxdb2.Authorization{
|
||||
Status: influxdb2.Active,
|
||||
Permissions: []influxdb2.Permission{
|
||||
{
|
||||
Action: influxdb2.ReadAction,
|
||||
Resource: influxdb2.Resource{
|
||||
Type: influxdb2.BucketsResourceType,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
provider := influxdb.Provider{
|
||||
Reader: storageflux.NewReader(&mock.ReadsStore{}),
|
||||
BucketLookup: mock.BucketLookup{},
|
||||
}
|
||||
|
||||
conf := influxdb.Config{
|
||||
Bucket: influxdb.NameOrID{
|
||||
Name: "my-bucket",
|
||||
},
|
||||
}
|
||||
|
||||
ctx := context.Background()
|
||||
req := query.Request{
|
||||
OrganizationID: platform.ID(2),
|
||||
}
|
||||
ctx = query.ContextWithRequest(ctx, &req)
|
||||
ctx = context2.SetAuthorizer(ctx, &auth)
|
||||
|
||||
_, gotErr := provider.WriterFor(ctx, conf)
|
||||
|
||||
wantErr := &errors.Error{
|
||||
Code: errors.EForbidden,
|
||||
Msg: "user not authorized to write",
|
||||
}
|
||||
|
||||
require.Equal(t, wantErr, gotErr)
|
||||
}
|
||||
|
|
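Review bot: Neither new test exercises the case the authorization check exists for: a write permission that is present but scoped to a different org or bucket than the one WriterFor resolves. TestWriterFor grants a bucket-type permission with no OrgID or ID set, and TestWriterFor_Error only swaps the action to ReadAction, so a regression that ignored the resolved bucketID and reqOrgID when matching permissions would still pass both. A third case that sets the permission's Resource.OrgID to an ID other than `platform.ID(2)` and expects the same EForbidden error, and one with no authorizer set on the context, would pin that behaviour. The two tests also duplicate the provider, conf and ctx setup; a small helper taking the permission would keep that in one place.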