diff --git a/authorizer/label.go b/authorizer/label.go
index 3a874ce99e..7345cdb361 100644
--- a/authorizer/label.go
+++ b/authorizer/label.go
@@ -21,16 +21,8 @@ func NewLabelService(s influxdb.LabelService) *LabelService {
 }
 }
 
-func newLabelPermission(a influxdb.Action, id influxdb.ID) (*influxdb.Permission, error) {
- p := &influxdb.Permission{
- Action: a,
- Resource: influxdb.Resource{
- Type: influxdb.LabelsResourceType,
- ID: &id,
- },
- }
-
- return p, p.Valid()
+func newLabelPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
+ return influxdb.NewPermissionAtID(id, a, influxdb.LabelsResourceType, orgID)
 }
 
 func newResourcePermission(a influxdb.Action, id influxdb.ID, resourceType influxdb.ResourceType) (*influxdb.Permission, error) {
@@ -62,8 +54,8 @@ func authorizeLabelMappingAction(ctx context.Context, action influxdb.Action, id
 return nil
 }
 
-func authorizeReadLabel(ctx context.Context, id influxdb.ID) error {
- p, err := newLabelPermission(influxdb.ReadAction, id)
+func authorizeReadLabel(ctx context.Context, orgID, id influxdb.ID) error {
+ p, err := newLabelPermission(influxdb.ReadAction, orgID, id)
 if err != nil {
 return err
 }
@@ -75,8 +67,8 @@ func authorizeReadLabel(ctx context.Context, id influxdb.ID) error {
 return nil
 }
 
-func authorizeWriteLabel(ctx context.Context, id influxdb.ID) error {
- p, err := newLabelPermission(influxdb.WriteAction, id)
+func authorizeWriteLabel(ctx context.Context, orgID, id influxdb.ID) error {
+ p, err := newLabelPermission(influxdb.WriteAction, orgID, id)
 if err != nil {
 return err
 }
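Review bot: newLabelPermission now takes `orgID, id influxdb.ID` in that order but forwards them to `influxdb.NewPermissionAtID(id, a, influxdb.LabelsResourceType, orgID)` in a different order, and because both parameters share one type a transposition at any call site compiles silently and produces a permission scoped to the wrong organization. The same ordering is repeated in authorizeReadLabel and authorizeWriteLabel in the next two hunks of this file. A doc comment pinning the contract would help, e.g. `// newLabelPermission builds an org-scoped permission for a single label; orgID is the label's owning organization and id is the label itself.` The removed body validated the permission via `p.Valid()`; whether NewPermissionAtID performs equivalent validation is not visible here and should be confirmed, since authorizeReadLabel and authorizeWriteLabel rely on the returned error.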
@@ -90,12 +82,12 @@ func authorizeWriteLabel(ctx context.Context, id influxdb.ID) error {
 
 // FindLabelByID checks to see if the authorizer on context has read access to the label id provided.
 func (s *LabelService) FindLabelByID(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
- if err := authorizeReadLabel(ctx, id); err != nil {
+ l, err := s.s.FindLabelByID(ctx, id)
+ if err != nil {
 return nil, err
 }
 
- l, err := s.s.FindLabelByID(ctx, id)
- if err != nil {
+ if err := authorizeReadLabel(ctx, l.OrganizationID, id); err != nil {
 return nil, err
 }
 
@@ -115,7 +107,7 @@ func (s *LabelService) FindLabels(ctx context.Context, filter influxdb.LabelFilt
 // https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
 labels := ls[:0]
 for _, l := range ls {
- err := authorizeReadLabel(ctx, l.ID)
+ err := authorizeReadLabel(ctx, l.OrganizationID, l.ID)
 if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
 return nil, err
 }
@@ -144,7 +136,7 @@ func (s *LabelService) FindResourceLabels(ctx context.Context, filter influxdb.L
 
 labels := ls[:0]
 for _, l := range ls {
- err := authorizeReadLabel(ctx, l.ID)
+ err := authorizeReadLabel(ctx, l.OrganizationID, l.ID)
 if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
 return nil, err
 }
@@ -170,7 +162,12 @@ func (s *LabelService) CreateLabel(ctx context.Context, l *influxdb.Label) error
 
 // CreateLabelMapping checks to see if the authorizer on context has write access to the label and the resource contained by the label mapping in creation.
 func (s *LabelService) CreateLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
- if err := authorizeWriteLabel(ctx, m.LabelID); err != nil {
+ l, err := s.s.FindLabelByID(ctx, m.LabelID)
+ if err != nil {
+ return err
+ }
+
+ if err := authorizeWriteLabel(ctx, l.OrganizationID, m.LabelID); err != nil {
 return err
 }
 
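Review bot: FindLabelByID now calls the backing service before authorizeReadLabel, so a caller with no permission on the label's organization receives the store's not-found error for a missing ID but an unauthorized error for an existing one; the authorizer therefore reveals whether a label ID exists independently of the caller's org. The reordering is forced by needing l.OrganizationID, and UpdateLabel and DeleteLabel already behave this way, but if existence should stay hidden across organizations the not-found case should be mapped to the same EUnauthorized error. At minimum document it on the method: `// FindLabelByID loads the label first so its organization can scope the permission check; a missing label is reported as not found before authorization runs.` The body of FindLabelByID continues past the end of the hunk.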
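Review bot: In FindLabels the filter now passes `l.OrganizationID` into authorizeReadLabel, and any error from newLabelPermission other than EUnauthorized aborts the whole listing via `return nil, err`; a label persisted before OrganizationID was populated (a zero ID) would take that path if NewPermissionAtID rejects a zero org, turning a single legacy row into a failure for every caller. Whether NewPermissionAtID validates the org ID is not visible in this diff, so confirm it and either skip such labels explicitly or record the assumption: `// assumes every stored label carries a non-zero OrganizationID; see NewPermissionAtID validation`. FindResourceLabels in the next hunk has the same shape.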
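Review bot: CreateLabelMapping now repeats the load-then-authorize sequence that UpdateLabel, DeleteLabel and DeleteLabelMapping (the following three hunks) also carry, each with its own `l, err := s.s.FindLabelByID(...)` followed by `authorizeWriteLabel(ctx, l.OrganizationID, ...)`. Factoring that into one method keeps the org-scoping rule in a single place, so a later change to the check cannot be applied to three of the four call sites and missed at the fourth. The body of CreateLabelMapping continues beyond this hunk, where the resource side of the mapping is presumably authorized.
```go
// authorizeWriteLabelByID loads the label and checks that the authorizer on
// ctx has write access to it within its owning organization.
func (s *LabelService) authorizeWriteLabelByID(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
	l, err := s.s.FindLabelByID(ctx, id)
	if err != nil {
		return nil, err
	}
	if err := authorizeWriteLabel(ctx, l.OrganizationID, id); err != nil {
		return nil, err
	}
	return l, nil
}

func (s *LabelService) CreateLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
	if _, err := s.authorizeWriteLabelByID(ctx, m.LabelID); err != nil {
		return err
	}
	// … unchanged: authorization of the mapped resource …
```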
@@ -183,12 +180,12 @@ func (s *LabelService) CreateLabelMapping(ctx context.Context, m *influxdb.Label
 
 // UpdateLabel checks to see if the authorizer on context has write access to the label provided.
 func (s *LabelService) UpdateLabel(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
- _, err := s.s.FindLabelByID(ctx, id)
+ l, err := s.s.FindLabelByID(ctx, id)
 if err != nil {
 return nil, err
 }
 
- if err := authorizeWriteLabel(ctx, id); err != nil {
+ if err := authorizeWriteLabel(ctx, l.OrganizationID, id); err != nil {
 return nil, err
 }
 
@@ -197,12 +194,12 @@ func (s *LabelService) UpdateLabel(ctx context.Context, id influxdb.ID, upd infl
 
 // DeleteLabel checks to see if the authorizer on context has write access to the label provided.
 func (s *LabelService) DeleteLabel(ctx context.Context, id influxdb.ID) error {
- _, err := s.s.FindLabelByID(ctx, id)
+ l, err := s.s.FindLabelByID(ctx, id)
 if err != nil {
 return err
 }
 
- if err := authorizeWriteLabel(ctx, id); err != nil {
+ if err := authorizeWriteLabel(ctx, l.OrganizationID, id); err != nil {
 return err
 }
 
@@ -211,12 +208,12 @@ func (s *LabelService) DeleteLabel(ctx context.Context, id influxdb.ID) error {
 
 // DeleteLabelMapping checks to see if the authorizer on context has write access to the label and the resource of the label mapping to delete.
 func (s *LabelService) DeleteLabelMapping(ctx context.Context, m *influxdb.LabelMapping) error {
- _, err := s.s.FindLabelByID(ctx, m.LabelID)
+ l, err := s.s.FindLabelByID(ctx, m.LabelID)
 if err != nil {
 return err
 }
 
- if err := authorizeWriteLabel(ctx, m.LabelID); err != nil {
+ if err := authorizeWriteLabel(ctx, l.OrganizationID, m.LabelID); err != nil {
 return err
 }
 
diff --git a/authorizer/label_test.go b/authorizer/label_test.go
index 26e33ad119..7bd55ace87 100644
--- a/authorizer/label_test.go
+++ b/authorizer/label_test.go
@@ -55,7 +55,8 @@ func TestLabelService_FindLabelByID(t *testing.T) {
 LabelService: &mock.LabelService{
 FindLabelByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
 return &influxdb.Label{
- ID: id,
+ ID: id,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 }, nil
 },
 },
@@ -80,7 +81,8 @@ func TestLabelService_FindLabelByID(t *testing.T) {
 LabelService: &mock.LabelService{
 FindLabelByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
 return &influxdb.Label{
- ID: id,
+ ID: id,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 }, nil
 },
 },
@@ -97,7 +99,7 @@ func TestLabelService_FindLabelByID(t *testing.T) {
 },
 wants: wants{
 err: &influxdb.Error{
- Msg: "read:labels/0000000000000001 is unauthorized",
+ Msg: "read:orgs/020f755c3c083000/labels/0000000000000001 is unauthorized",
 Code: influxdb.EUnauthorized,
 },
 },
@@ -142,13 +144,16 @@ func TestLabelService_FindLabels(t *testing.T) {
 FindLabelsFn: func(ctx context.Context, filter influxdb.LabelFilter) ([]*influxdb.Label, error) {
 return []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 2,
+ ID: 2,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 }, nil
 },
@@ -165,13 +170,16 @@ func TestLabelService_FindLabels(t *testing.T) {
 wants: wants{
 labels: []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 2,
+ ID: 2,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 },
 },
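Review bot: Every fixture in the label_test.go hunks grants and expects permissions on orgOneID, so the new organization dimension is never exercised negatively: no case holds a read or write permission on labels of a different org and expects the org-scoped unauthorized error. Add such a case to TestLabelService_FindLabelByID (and to the UpdateLabel and DeleteLabel tables in the later hunks) with the permission's `OrgID` set to an org ID other than orgOneID (a second constant if the package defines one, otherwise a constructed value) and `wants.err` set to the `read:orgs/020f755c3c083000/labels/0000000000000001 is unauthorized` message, since that denial is the property this change introduces.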
@@ -183,13 +191,16 @@ func TestLabelService_FindLabels(t *testing.T) {
 FindLabelsFn: func(ctx context.Context, filter influxdb.LabelFilter) ([]*influxdb.Label, error) {
 return []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 2,
+ ID: 2,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 }, nil
 },
@@ -207,7 +218,8 @@ func TestLabelService_FindLabels(t *testing.T) {
 wants: wants{
 labels: []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 },
 },
@@ -219,13 +231,16 @@ func TestLabelService_FindLabels(t *testing.T) {
 FindLabelsFn: func(ctx context.Context, filter influxdb.LabelFilter) ([]*influxdb.Label, error) {
 return []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 2,
+ ID: 2,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 }, nil
 },
@@ -287,12 +302,14 @@ func TestLabelService_UpdateLabel(t *testing.T) {
 LabelService: &mock.LabelService{
 FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
 return &influxdb.Label{
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 }, nil
 },
 UpdateLabelFn: func(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
 return &influxdb.Label{
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 }, nil
 },
 },
@@ -319,12 +336,14 @@ func TestLabelService_UpdateLabel(t *testing.T) {
 LabelService: &mock.LabelService{
 FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
 return &influxdb.Label{
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 }, nil
 },
 UpdateLabelFn: func(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
 return &influxdb.Label{
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 }, nil
 },
 },
@@ -343,7 +362,7 @@ func TestLabelService_UpdateLabel(t *testing.T) {
 },
 wants: wants{
 err: &influxdb.Error{
- Msg: "write:labels/0000000000000001 is unauthorized",
+ Msg: "write:orgs/020f755c3c083000/labels/0000000000000001 is unauthorized",
 Code: influxdb.EUnauthorized,
 },
 },
@@ -387,7 +406,8 @@ func TestLabelService_DeleteLabel(t *testing.T) {
 LabelService: &mock.LabelService{
 FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
 return &influxdb.Label{
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 }, nil
 },
 DeleteLabelFn: func(ctx context.Context, id influxdb.ID) error {
@@ -401,8 +421,9 @@ func TestLabelService_DeleteLabel(t *testing.T) {
 {
 Action: "write",
 Resource: influxdb.Resource{
- Type: influxdb.LabelsResourceType,
- ID: influxdbtesting.IDPtr(1),
+ Type: influxdb.LabelsResourceType,
+ ID: influxdbtesting.IDPtr(1),
+ OrgID: influxdbtesting.IDPtr(influxdbtesting.MustIDBase16(orgOneID)),
 },
 },
 },
@@ -417,7 +438,8 @@ func TestLabelService_DeleteLabel(t *testing.T) {
 LabelService: &mock.LabelService{
 FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
 return &influxdb.Label{
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 }, nil
 },
 DeleteLabelFn: func(ctx context.Context, id influxdb.ID) error {
@@ -431,15 +453,16 @@ func TestLabelService_DeleteLabel(t *testing.T) {
 {
 Action: "read",
 Resource: influxdb.Resource{
- Type: influxdb.LabelsResourceType,
- ID: influxdbtesting.IDPtr(1),
+ Type: influxdb.LabelsResourceType,
+ ID: influxdbtesting.IDPtr(1),
+ OrgID: influxdbtesting.IDPtr(influxdbtesting.MustIDBase16(orgOneID)),
 },
 },
 },
 },
 wants: wants{
 err: &influxdb.Error{
- Msg: "write:labels/0000000000000001 is unauthorized",
+ Msg: "write:orgs/020f755c3c083000/labels/0000000000000001 is unauthorized",
 Code: influxdb.EUnauthorized,
 },
 },
@@ -562,13 +585,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
 FindResourceLabelsFn: func(ctx context.Context, f influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
 return []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 2,
+ ID: 2,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 }, nil
 },
@@ -599,13 +625,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
 err: nil,
 labels: []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 2,
+ ID: 2,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 },
 },
@@ -617,13 +646,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
 FindResourceLabelsFn: func(ctx context.Context, f influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
 return []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 2,
+ ID: 2,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 }, nil
 },
@@ -655,7 +687,8 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
 err: nil,
 labels: []*influxdb.Label{
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 },
 },
@@ -667,13 +700,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
 FindResourceLabelsFn: func(ctx context.Context, f influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
 return []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 2,
+ ID: 2,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 }, nil
 },
@@ -705,13 +741,16 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
 FindResourceLabelsFn: func(ctx context.Context, f influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
 return []*influxdb.Label{
 {
- ID: 1,
+ ID: 1,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 2,
+ ID: 2,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 {
- ID: 3,
+ ID: 3,
+ OrganizationID: influxdbtesting.MustIDBase16(orgOneID),
 },
 }, nil
 },