Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #18508 from influxdata/bb/dbrp-bucket-permissions 

fix(dbrp): Change DBRP mapping service to use Buckets resource permissions
pull/18535/head
Brett Buddin 2020-06-16 10:07:40 -04:00 committed by GitHub
parent b1f7d03ad1 d8aa318985
commit 42ef78d0c5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 84 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
authorizer/authorize_find.go
View File

@ -12,7 +12,7 @@ func AuthorizeFindDBRPs(ctx context.Context, rs []*influxdb.DBRPMappingV2) ([]*i
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating // https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
rrs := rs[:0] rrs := rs[:0]
for _, r := range rs { for _, r := range rs {
_, _, err := AuthorizeRead(ctx, influxdb.DBRPResourceType, r.ID, r.OrganizationID) _, _, err := AuthorizeRead(ctx, influxdb.BucketsResourceType, r.BucketID, r.OrganizationID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized { if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, 0, err return nil, 0, err
} }

18
dbrp/middleware_auth.go
View File

@ -18,10 +18,14 @@ func NewAuthorizedService(s influxdb.DBRPMappingServiceV2) *AuthorizedService {
} }
func (svc AuthorizedService) FindByID(ctx context.Context, orgID, id influxdb.ID) (*influxdb.DBRPMappingV2, error) { func (svc AuthorizedService) FindByID(ctx context.Context, orgID, id influxdb.ID) (*influxdb.DBRPMappingV2, error) {
if _, _, err := authorizer.AuthorizeRead(ctx, influxdb.DBRPResourceType, id, orgID); err != nil { mapping, err := svc.DBRPMappingServiceV2.FindByID(ctx, orgID, id)
if err != nil {
return nil, err return nil, err
} }
return svc.DBRPMappingServiceV2.FindByID(ctx, orgID, id) if _, _, err := authorizer.AuthorizeRead(ctx, influxdb.BucketsResourceType, mapping.BucketID, orgID); err != nil {
return nil, err
}
return mapping, nil
} }
func (svc AuthorizedService) FindMany(ctx context.Context, filter influxdb.DBRPMappingFilterV2, opts ...influxdb.FindOptions) ([]*influxdb.DBRPMappingV2, int, error) { func (svc AuthorizedService) FindMany(ctx context.Context, filter influxdb.DBRPMappingFilterV2, opts ...influxdb.FindOptions) ([]*influxdb.DBRPMappingV2, int, error) {
@ -33,21 +37,25 @@ func (svc AuthorizedService) FindMany(ctx context.Context, filter influxdb.DBRPM
} }
func (svc AuthorizedService) Create(ctx context.Context, t *influxdb.DBRPMappingV2) error { func (svc AuthorizedService) Create(ctx context.Context, t *influxdb.DBRPMappingV2) error {
if _, _, err := authorizer.AuthorizeCreate(ctx, influxdb.DBRPResourceType, t.OrganizationID); err != nil { if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.BucketsResourceType, t.BucketID, t.OrganizationID); err != nil {
return err return err
} }
return svc.DBRPMappingServiceV2.Create(ctx, t) return svc.DBRPMappingServiceV2.Create(ctx, t)
} }
func (svc AuthorizedService) Update(ctx context.Context, u *influxdb.DBRPMappingV2) error { func (svc AuthorizedService) Update(ctx context.Context, u *influxdb.DBRPMappingV2) error {
if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.DBRPResourceType, u.ID, u.OrganizationID); err != nil { if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.BucketsResourceType, u.BucketID, u.OrganizationID); err != nil {
return err return err
} }
return svc.DBRPMappingServiceV2.Update(ctx, u) return svc.DBRPMappingServiceV2.Update(ctx, u)
} }
func (svc AuthorizedService) Delete(ctx context.Context, orgID, id influxdb.ID) error { func (svc AuthorizedService) Delete(ctx context.Context, orgID, id influxdb.ID) error {
if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.DBRPResourceType, id, orgID); err != nil { mapping, err := svc.DBRPMappingServiceV2.FindByID(ctx, orgID, id)
if err != nil {
return err
}
if _, _, err := authorizer.AuthorizeWrite(ctx, influxdb.BucketsResourceType, mapping.BucketID, orgID); err != nil {
return err return err
} }
return svc.DBRPMappingServiceV2.Delete(ctx, orgID, id) return svc.DBRPMappingServiceV2.Delete(ctx, orgID, id)

94
dbrp/middleware_auth_test.go
View File

@ -34,13 +34,20 @@ func TestAuth_FindByID(t *testing.T) {
{ {
name: "authorized to access id by org id", name: "authorized to access id by org id",
fields: fields{ fields: fields{
service: &mock.DBRPMappingServiceV2{}, service: &mock.DBRPMappingServiceV2{
FindByIDFn: func(_ context.Context, _, _ influxdb.ID) (*influxdb.DBRPMappingV2, error) {
return &influxdb.DBRPMappingV2{
OrganizationID: influxdb.ID(1),
BucketID: influxdb.ID(1),
}, nil
},
},
}, },
args: args{ args: args{
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
}, },
}, },
@ -54,13 +61,20 @@ func TestAuth_FindByID(t *testing.T) {
{ {
name: "authorized to access id by id", name: "authorized to access id by id",
fields: fields{ fields: fields{
service: &mock.DBRPMappingServiceV2{}, service: &mock.DBRPMappingServiceV2{
FindByIDFn: func(_ context.Context, _, _ influxdb.ID) (*influxdb.DBRPMappingV2, error) {
return &influxdb.DBRPMappingV2{
OrganizationID: influxdb.ID(1),
BucketID: influxdb.ID(1),
}, nil
},
},
}, },
args: args{ args: args{
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1), ID: influxdbtesting.IDPtr(1),
}, },
}, },
@ -74,13 +88,20 @@ func TestAuth_FindByID(t *testing.T) {
{ {
name: "unauthorized to access id by org id", name: "unauthorized to access id by org id",
fields: fields{ fields: fields{
service: &mock.DBRPMappingServiceV2{}, service: &mock.DBRPMappingServiceV2{
FindByIDFn: func(_ context.Context, _, _ influxdb.ID) (*influxdb.DBRPMappingV2, error) {
return &influxdb.DBRPMappingV2{
OrganizationID: influxdb.ID(2),
BucketID: influxdb.ID(1),
}, nil
},
},
}, },
args: args{ args: args{
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
}, },
}, },
@ -89,7 +110,7 @@ func TestAuth_FindByID(t *testing.T) {
}, },
wants: wants{ wants: wants{
err: &influxdb.Error{ err: &influxdb.Error{
Msg: "read:orgs/0000000000000002/dbrp/0000000000000001 is unauthorized", Msg: "read:orgs/0000000000000002/buckets/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized, Code: influxdb.EUnauthorized,
}, },
}, },
@ -97,7 +118,14 @@ func TestAuth_FindByID(t *testing.T) {
{ {
name: "unauthorized to access id by id", name: "unauthorized to access id by id",
fields: fields{ fields: fields{
service: &mock.DBRPMappingServiceV2{}, service: &mock.DBRPMappingServiceV2{
FindByIDFn: func(_ context.Context, _, _ influxdb.ID) (*influxdb.DBRPMappingV2, error) {
return &influxdb.DBRPMappingV2{
OrganizationID: influxdb.ID(1),
BucketID: influxdb.ID(1),
}, nil
},
},
}, },
args: args{ args: args{
permission: influxdb.Permission{ permission: influxdb.Permission{
@ -112,7 +140,7 @@ func TestAuth_FindByID(t *testing.T) {
}, },
wants: wants{ wants: wants{
err: &influxdb.Error{ err: &influxdb.Error{
Msg: "read:orgs/0000000000000002/dbrp/0000000000000001 is unauthorized", Msg: "read:orgs/0000000000000002/buckets/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized, Code: influxdb.EUnauthorized,
}, },
}, },
@ -230,7 +258,7 @@ func TestAuth_FindMany(t *testing.T) {
permissions: []influxdb.Permission{{ permissions: []influxdb.Permission{{
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
}, },
}}, }},
@ -287,21 +315,21 @@ func TestAuth_FindMany(t *testing.T) {
{ {
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
}, },
}, },
{ {
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(2), OrgID: influxdbtesting.IDPtr(2),
}, },
}, },
{ {
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(3), OrgID: influxdbtesting.IDPtr(3),
}, },
}, },
@ -382,12 +410,14 @@ func TestAuth_Create(t *testing.T) {
m: influxdb.DBRPMappingV2{ m: influxdb.DBRPMappingV2{
ID: 1, ID: 1,
OrganizationID: 1, OrganizationID: 1,
BucketID: 2,
}, },
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "write", Action: "write",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
ID: influxdbtesting.IDPtr(2),
}, },
}, },
}, },
@ -404,18 +434,20 @@ func TestAuth_Create(t *testing.T) {
m: influxdb.DBRPMappingV2{ m: influxdb.DBRPMappingV2{
ID: 1, ID: 1,
OrganizationID: 1, OrganizationID: 1,
BucketID: 2,
}, },
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
ID: influxdbtesting.IDPtr(2),
}, },
}, },
}, },
wants: wants{ wants: wants{
err: &influxdb.Error{ err: &influxdb.Error{
Msg: "write:orgs/0000000000000001/dbrp is unauthorized", Msg: "write:orgs/0000000000000001/buckets/0000000000000002 is unauthorized",
Code: influxdb.EUnauthorized, Code: influxdb.EUnauthorized,
}, },
}, },
@ -463,7 +495,7 @@ func TestAuth_Update(t *testing.T) {
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "write", Action: "write",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
}, },
}, },
@ -483,7 +515,7 @@ func TestAuth_Update(t *testing.T) {
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
}, },
}, },
@ -492,7 +524,7 @@ func TestAuth_Update(t *testing.T) {
}, },
wants: wants{ wants: wants{
err: &influxdb.Error{ err: &influxdb.Error{
Msg: "write:orgs/0000000000000001/dbrp/0000000000000001 is unauthorized", Msg: "write:orgs/0000000000000001/buckets/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized, Code: influxdb.EUnauthorized,
}, },
}, },
@ -535,13 +567,20 @@ func TestAuth_Delete(t *testing.T) {
{ {
name: "authorized", name: "authorized",
fields: fields{ fields: fields{
service: &mock.DBRPMappingServiceV2{}, service: &mock.DBRPMappingServiceV2{
FindByIDFn: func(_ context.Context, _, _ influxdb.ID) (*influxdb.DBRPMappingV2, error) {
return &influxdb.DBRPMappingV2{
OrganizationID: influxdb.ID(1),
BucketID: influxdb.ID(1),
}, nil
},
},
}, },
args: args{ args: args{
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "write", Action: "write",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
}, },
}, },
@ -555,13 +594,20 @@ func TestAuth_Delete(t *testing.T) {
{ {
name: "unauthorized", name: "unauthorized",
fields: fields{ fields: fields{
service: &mock.DBRPMappingServiceV2{}, service: &mock.DBRPMappingServiceV2{
FindByIDFn: func(_ context.Context, _, _ influxdb.ID) (*influxdb.DBRPMappingV2, error) {
return &influxdb.DBRPMappingV2{
OrganizationID: influxdb.ID(1),
BucketID: influxdb.ID(1),
}, nil
},
},
}, },
args: args{ args: args{
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.DBRPResourceType, Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(1), OrgID: influxdbtesting.IDPtr(1),
}, },
}, },
@ -570,7 +616,7 @@ func TestAuth_Delete(t *testing.T) {
}, },
wants: wants{ wants: wants{
err: &influxdb.Error{ err: &influxdb.Error{
Msg: "write:orgs/0000000000000001/dbrp/0000000000000001 is unauthorized", Msg: "write:orgs/0000000000000001/buckets/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized, Code: influxdb.EUnauthorized,
}, },
}, },