score authorizer on orgID

pull/12734/head
Jade McGough 2019-03-19 11:07:36 -07:00
parent 9306fb3f7c
commit 3cb07a8701
2 changed files with 106 additions and 70 deletions


@ -21,16 +21,8 @@ func NewLabelService(s influxdb.LabelService) *LabelService {
}
}
func newLabelPermission(a influxdb.Action, id influxdb.ID) (*influxdb.Permission, error) {
p := &influxdb.Permission{
Action: a,
Resource: influxdb.Resource{
Type: influxdb.LabelsResourceType,
ID: &id,
},
}
return p, p.Valid()
func newLabelPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
return influxdb.NewPermissionAtID(id, a, influxdb.LabelsResourceType, orgID)
}
func newResourcePermission(a influxdb.Action, id influxdb.ID, resourceType influxdb.ResourceType) (*influxdb.Permission, error) {
@ -62,8 +54,8 @@ func authorizeLabelMappingAction(ctx context.Context, action influxdb.Action, id
return nil
}
func authorizeReadLabel(ctx context.Context, id influxdb.ID) error {
p, err := newLabelPermission(influxdb.ReadAction, id)
func authorizeReadLabel(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newLabelPermission(influxdb.ReadAction, orgID, id)
if err != nil {
return err
}
@ -75,8 +67,8 @@ func authorizeReadLabel(ctx context.Context, id influxdb.ID) error {
return nil
}
func authorizeWriteLabel(ctx context.Context, id influxdb.ID) error {
p, err := newLabelPermission(influxdb.WriteAction, id)
func authorizeWriteLabel(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newLabelPermission(influxdb.WriteAction, orgID, id)
if err != nil {
return err
}
@ -90,12 +82,12 @@ func authorizeWriteLabel(ctx context.Context, id influxdb.ID) error {
// FindLabelByID checks to see if the authorizer on context has read access to the label id provided.
func (s *LabelService) FindLabelByID(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
if err := authorizeReadLabel(ctx, id); err != nil {
l, err := s.s.FindLabelByID(ctx, id)
if err != nil {
return nil, err
}
l, err := s.s.FindLabelByID(ctx, id)
if err != nil {
if err := authorizeReadLabel(ctx, l.OrganizationID, id); err != nil {
return nil, err
}
@ -115,7 +107,7 @@ func (s *LabelService) FindLabels(ctx context.Context, filter influxdb.LabelFilt
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
labels := ls[:0]
for _, l := range ls {
err := authorizeReadLabel(ctx, l.ID)
err := authorizeReadLabel(ctx, l.OrganizationID, l.ID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, err
}
@ -144,7 +136,7 @@ func (s *LabelService) FindResourceLabels(ctx context.Context, filter influxdb.L
labels := ls[:0]
for _, l := range ls {
err := authorizeReadLabel(ctx, l.ID)
err := authorizeReadLabel(ctx, l.OrganizationID, l.ID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, err
}
@ -170,7 +162,12 @@ func (s *LabelService) CreateLabel(ctx context.Context, l *influxdb.Label) error
// CreateLabelMapping checks to see if the authorizer on context has write access to the label and the resource contained by the label mapping in creation.
func (s *LabelService) CreateLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
if err := authorizeWriteLabel(ctx, m.LabelID); err != nil {
l, err := s.s.FindLabelByID(ctx, m.LabelID)
if err != nil {
return err
}
if err := authorizeWriteLabel(ctx, l.OrganizationID, m.LabelID); err != nil {
return err
}
@ -183,12 +180,12 @@ func (s *LabelService) CreateLabelMapping(ctx context.Context, m *influxdb.Label
// UpdateLabel checks to see if the authorizer on context has write access to the label provided.
func (s *LabelService) UpdateLabel(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
_, err := s.s.FindLabelByID(ctx, id)
l, err := s.s.FindLabelByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeWriteLabel(ctx, id); err != nil {
if err := authorizeWriteLabel(ctx, l.OrganizationID, id); err != nil {
return nil, err
}
@ -197,12 +194,12 @@ func (s *LabelService) UpdateLabel(ctx context.Context, id influxdb.ID, upd infl
// DeleteLabel checks to see if the authorizer on context has write access to the label provided.
func (s *LabelService) DeleteLabel(ctx context.Context, id influxdb.ID) error {
_, err := s.s.FindLabelByID(ctx, id)
l, err := s.s.FindLabelByID(ctx, id)
if err != nil {
return err
}
if err := authorizeWriteLabel(ctx, id); err != nil {
if err := authorizeWriteLabel(ctx, l.OrganizationID, id); err != nil {
return err
}
@ -211,12 +208,12 @@ func (s *LabelService) DeleteLabel(ctx context.Context, id influxdb.ID) error {
// DeleteLabelMapping checks to see if the authorizer on context has write access to the label and the resource of the label mapping to delete.
func (s *LabelService) DeleteLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
_, err := s.s.FindLabelByID(ctx, m.LabelID)
l, err := s.s.FindLabelByID(ctx, m.LabelID)
if err != nil {
return err
}
if err := authorizeWriteLabel(ctx, m.LabelID); err != nil {
if err := authorizeWriteLabel(ctx, l.OrganizationID, m.LabelID); err != nil {
return err
}
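Review bot: In the FindLabelByID hunk the read check `authorizeReadLabel(ctx, l.OrganizationID, id)` now runs only after `s.s.FindLabelByID` has succeeded, so a caller with no label permission gets the store's not-found error for an absent ID and EUnauthorized for an existing one; the old order (authorize first, then fetch) leaked nothing about existence, and the new one turns the endpoint into an ID-existence oracle. The same fetch-then-authorize order is introduced in the CreateLabelMapping hunk, and already existed in UpdateLabel, DeleteLabel and DeleteLabelMapping, so this is worth fixing once in a shared helper that looks the label up and, when the lookup reports not-found, returns the same unauthorized error the permission check would have produced. A second thing the hunks do not cover: a stored label whose OrganizationID was never populated now yields a permission scoped to org 0 in every caller of newLabelPermission, and whether influxdb.NewPermissionAtID rejects that or quietly scopes it is not visible here — a test for that case would pin the behaviour. FindLabelByID and CreateLabelMapping both continue past their hunks.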


@ -55,7 +55,8 @@ func TestLabelService_FindLabelByID(t *testing.T) {
LabelService: &mock.LabelService{
FindLabelByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: id,
ID: id,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
}, nil
},
},
@ -80,7 +81,8 @@ func TestLabelService_FindLabelByID(t *testing.T) {
LabelService: &mock.LabelService{
FindLabelByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: id,
ID: id,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
}, nil
},
},
@ -97,7 +99,7 @@ func TestLabelService_FindLabelByID(t *testing.T) {
},
wants: wants{
err: &influxdb.Error{
Msg: "read:labels/0000000000000001 is unauthorized",
Msg: "read:orgs/020f755c3c083000/labels/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -142,13 +144,16 @@ func TestLabelService_FindLabels(t *testing.T) {
FindLabelsFn: func(ctx context.Context, filter influxdb.LabelFilter) ([]*influxdb.Label, error) {
return []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 2,
ID: 2,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
}, nil
},
@ -165,13 +170,16 @@ func TestLabelService_FindLabels(t *testing.T) {
wants: wants{
labels: []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 2,
ID: 2,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
},
},
@ -183,13 +191,16 @@ func TestLabelService_FindLabels(t *testing.T) {
FindLabelsFn: func(ctx context.Context, filter influxdb.LabelFilter) ([]*influxdb.Label, error) {
return []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 2,
ID: 2,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
}, nil
},
@ -207,7 +218,8 @@ func TestLabelService_FindLabels(t *testing.T) {
wants: wants{
labels: []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
},
},
@ -219,13 +231,16 @@ func TestLabelService_FindLabels(t *testing.T) {
FindLabelsFn: func(ctx context.Context, filter influxdb.LabelFilter) ([]*influxdb.Label, error) {
return []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 2,
ID: 2,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
}, nil
},
@ -287,12 +302,14 @@ func TestLabelService_UpdateLabel(t *testing.T) {
LabelService: &mock.LabelService{
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
}, nil
},
UpdateLabelFn: func(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
}, nil
},
},
@ -319,12 +336,14 @@ func TestLabelService_UpdateLabel(t *testing.T) {
LabelService: &mock.LabelService{
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
}, nil
},
UpdateLabelFn: func(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
}, nil
},
},
@ -343,7 +362,7 @@ func TestLabelService_UpdateLabel(t *testing.T) {
},
wants: wants{
err: &influxdb.Error{
Msg: "write:labels/0000000000000001 is unauthorized",
Msg: "write:orgs/020f755c3c083000/labels/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -387,7 +406,8 @@ func TestLabelService_DeleteLabel(t *testing.T) {
LabelService: &mock.LabelService{
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
}, nil
},
DeleteLabelFn: func(ctx context.Context, id influxdb.ID) error {
@ -401,8 +421,9 @@ func TestLabelService_DeleteLabel(t *testing.T) {
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.LabelsResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.LabelsResourceType,
ID: influxdbtesting.IDPtr(1),
OrgID: influxdbtesting.IDPtr(influxdbtesting.MustIDBase16(orgOneID)),
},
},
},
@ -417,7 +438,8 @@ func TestLabelService_DeleteLabel(t *testing.T) {
LabelService: &mock.LabelService{
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
}, nil
},
DeleteLabelFn: func(ctx context.Context, id influxdb.ID) error {
@ -431,15 +453,16 @@ func TestLabelService_DeleteLabel(t *testing.T) {
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.LabelsResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.LabelsResourceType,
ID: influxdbtesting.IDPtr(1),
OrgID: influxdbtesting.IDPtr(influxdbtesting.MustIDBase16(orgOneID)),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:labels/0000000000000001 is unauthorized",
Msg: "write:orgs/020f755c3c083000/labels/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -562,13 +585,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
FindResourceLabelsFn: func(ctx context.Context, f influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
return []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 2,
ID: 2,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
}, nil
},
@ -599,13 +625,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
err: nil,
labels: []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 2,
ID: 2,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
},
},
@ -617,13 +646,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
FindResourceLabelsFn: func(ctx context.Context, f influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
return []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 2,
ID: 2,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
}, nil
},
@ -655,7 +687,8 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
err: nil,
labels: []*influxdb.Label{
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
},
},
@ -667,13 +700,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
FindResourceLabelsFn: func(ctx context.Context, f influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
return []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 2,
ID: 2,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
}, nil
},
@ -705,13 +741,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
FindResourceLabelsFn: func(ctx context.Context, f influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
return []*influxdb.Label{
{
ID: 1,
ID: 1,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 2,
ID: 2,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
{
ID: 3,
ID: 3,
OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
},
}, nil
},
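Review bot: Every fixture in these hunks gives the label `OrganizationID: influxdbtesting.MustIDBase16(orgOneID)` and the unauthorized cases pair that with an authorizer lacking the permission outright, so the behaviour this commit adds — a permission that exists but is scoped to a different org — is never exercised as far as the visible hunks show. A case with a `write` permission whose `OrgID` is a second org and a label in orgOneID, expecting `write:orgs/020f755c3c083000/labels/0000000000000001 is unauthorized`, would cover that; likewise the expectation strings now hard-code the org ID, so a short comment noting that `orgOneID` decodes to `020f755c3c083000` would save the next reader a lookup. This may already exist elsewhere in the file; only these hunks are visible here.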