Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

feat(authorizer): add check

pull/14521/head
Kelvin Wang 2019-07-31 15:52:51 -04:00
parent 0e5091ed21
commit 5072e207ee
2 changed files with 872 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
authorizer/check.go Normal file
View File

@ -0,0 +1,168 @@
package authorizer
import (
"context"
"github.com/influxdata/influxdb"
)
var _ influxdb.CheckService = (*CheckService)(nil)
// CheckService wraps a influxdb.CheckService and authorizes actions
// against it appropriately.
type CheckService struct {
s influxdb.CheckService
influxdb.UserResourceMappingService
influxdb.OrganizationService
}
// NewCheckService constructs an instance of an authorizing check serivce.
func NewCheckService(s influxdb.CheckService, urm influxdb.UserResourceMappingService, org influxdb.OrganizationService) *CheckService {
return &CheckService{
s: s,
UserResourceMappingService: urm,
OrganizationService: org,
}
}
func newChecksPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
return influxdb.NewPermissionAtID(id, a, influxdb.ChecksResourceType, orgID)
}
func authorizeReadChecks(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newChecksPermission(influxdb.ReadAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
func authorizeWriteChecks(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newChecksPermission(influxdb.WriteAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
// FindCheckByID checks to see if the authorizer on context has read access to the id provided.
func (s *CheckService) FindCheckByID(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
chk, err := s.s.FindCheckByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeReadChecks(ctx, chk.GetOrgID(), chk.GetID()); err != nil {
return nil, err
}
return chk, nil
}
// FindChecks retrieves all checks that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *CheckService) FindChecks(ctx context.Context, filter influxdb.CheckFilter, opt ...influxdb.FindOptions) ([]influxdb.Check, int, error) {
// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
// will likely be expensive.
chks, _, err := s.s.FindChecks(ctx, filter, opt...)
if err != nil {
return nil, 0, err
}
// This filters without allocating
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
rules := chks[:0]
for _, chk := range chks {
err := authorizeReadChecks(ctx, chk.GetOrgID(), chk.GetID())
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, 0, err
}
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
rules = append(rules, chk)
}
return rules, len(rules), nil
}
// FindCheck will return the check.
func (s *CheckService) FindCheck(ctx context.Context, filter influxdb.CheckFilter) (influxdb.Check, error) {
chk, err := s.s.FindCheck(ctx, filter)
if err != nil {
return nil, err
}
if err := authorizeReadChecks(ctx, chk.GetOrgID(), chk.GetID()); err != nil {
return nil, err
}
return chk, nil
}
// CreateCheck checks to see if the authorizer on context has write access to the global check resource.
func (s *CheckService) CreateCheck(ctx context.Context, chk influxdb.Check) error {
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.ChecksResourceType, chk.GetOrgID())
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return s.s.CreateCheck(ctx, chk)
}
// UpdateCheck checks to see if the authorizer on context has write access to the check provided.
func (s *CheckService) UpdateCheck(ctx context.Context, id influxdb.ID, upd influxdb.Check) (influxdb.Check, error) {
chk, err := s.FindCheckByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeWriteChecks(ctx, chk.GetOrgID(), id); err != nil {
return nil, err
}
return s.s.UpdateCheck(ctx, id, upd)
}
// PatchCheck checks to see if the authorizer on context has write access to the check provided.
func (s *CheckService) PatchCheck(ctx context.Context, id influxdb.ID, upd influxdb.CheckUpdate) (influxdb.Check, error) {
chk, err := s.FindCheckByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeWriteChecks(ctx, chk.GetOrgID(), id); err != nil {
return nil, err
}
return s.s.PatchCheck(ctx, id, upd)
}
// DeleteCheck checks to see if the authorizer on context has write access to the check provided.
func (s *CheckService) DeleteCheck(ctx context.Context, id influxdb.ID) error {
chk, err := s.FindCheckByID(ctx, id)
if err != nil {
return err
}
if err := authorizeWriteChecks(ctx, chk.GetOrgID(), id); err != nil {
return err
}
return s.s.DeleteCheck(ctx, id)
}

704
authorizer/check_test.go Normal file
View File

@ -0,0 +1,704 @@
package authorizer_test
import (
"bytes"
"context"
"sort"
"testing"
"github.com/influxdata/influxdb/notification/check"
"github.com/google/go-cmp/cmp"
"github.com/influxdata/influxdb"
"github.com/influxdata/influxdb/authorizer"
influxdbcontext "github.com/influxdata/influxdb/context"
"github.com/influxdata/influxdb/mock"
influxdbtesting "github.com/influxdata/influxdb/testing"
)
var checkCmpOptions = cmp.Options{
cmp.Comparer(func(x, y []byte) bool {
return bytes.Equal(x, y)
}),
cmp.Transformer("Sort", func(in []influxdb.Check) []influxdb.Check {
out := append([]influxdb.Check(nil), in...) // Copy input to avoid mutating it
sort.Slice(out, func(i, j int) bool {
return out[i].GetID() > out[j].GetID()
})
return out
}),
}
func TestCheckService_FindCheckByID(t *testing.T) {
type fields struct {
CheckService influxdb.CheckService
}
type args struct {
permission influxdb.Permission
id influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to access id",
fields: fields{
CheckService: &mock.CheckService{
FindCheckByIDFn: func(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: id,
OrgID: 10,
},
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
id: 1,
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to access id",
fields: fields{
CheckService: &mock.CheckService{
FindCheckByIDFn: func(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: id,
OrgID: 10,
},
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(2),
},
},
id: 1,
},
wants: wants{
err: &influxdb.Error{
Msg: "read:orgs/000000000000000a/checks/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewCheckService(tt.fields.CheckService, mock.NewUserResourceMappingService(), mock.NewOrganizationService())
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
_, err := s.FindCheckByID(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestCheckService_FindChecks(t *testing.T) {
type fields struct {
CheckService influxdb.CheckService
}
type args struct {
permission influxdb.Permission
}
type wants struct {
err error
checks []influxdb.Check
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to see all checks",
fields: fields{
CheckService: &mock.CheckService{
FindChecksFn: func(ctx context.Context, filter influxdb.CheckFilter, opt ...influxdb.FindOptions) ([]influxdb.Check, int, error) {
return []influxdb.Check{
&check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
},
&check.Deadman{
Base: check.Base{
ID: 2,
OrgID: 10,
},
},
&check.Threshold{
Base: check.Base{
ID: 3,
OrgID: 11,
},
},
}, 3, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
},
},
},
wants: wants{
checks: []influxdb.Check{
&check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
},
&check.Deadman{
Base: check.Base{
ID: 2,
OrgID: 10,
},
},
&check.Threshold{
Base: check.Base{
ID: 3,
OrgID: 11,
},
},
},
},
},
{
name: "authorized to access a single orgs checks",
fields: fields{
CheckService: &mock.CheckService{
FindChecksFn: func(ctx context.Context, filter influxdb.CheckFilter, opt ...influxdb.FindOptions) ([]influxdb.Check, int, error) {
return []influxdb.Check{
&check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
},
&check.Deadman{
Base: check.Base{
ID: 2,
OrgID: 10,
},
},
&check.Threshold{
Base: check.Base{
ID: 3,
OrgID: 11,
},
},
}, 3, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
checks: []influxdb.Check{
&check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
},
&check.Deadman{
Base: check.Base{
ID: 2,
OrgID: 10,
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewCheckService(tt.fields.CheckService, mock.NewUserResourceMappingService(), mock.NewOrganizationService())
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
ts, _, err := s.FindChecks(ctx, influxdb.CheckFilter{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
if diff := cmp.Diff(ts, tt.wants.checks, checkCmpOptions...); diff != "" {
t.Errorf("checks are different -got/+want\ndiff %s", diff)
}
})
}
}
func TestCheckService_UpdateCheck(t *testing.T) {
type fields struct {
CheckService influxdb.CheckService
}
type args struct {
id influxdb.ID
permissions []influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to update check",
fields: fields{
CheckService: &mock.CheckService{
FindCheckByIDFn: func(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
UpdateCheckFn: func(ctx context.Context, id influxdb.ID, upd influxdb.Check) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to update check",
fields: fields{
CheckService: &mock.CheckService{
FindCheckByIDFn: func(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
UpdateCheckFn: func(ctx context.Context, id influxdb.ID, upd influxdb.Check) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/checks/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewCheckService(tt.fields.CheckService, mock.NewUserResourceMappingService(), mock.NewOrganizationService())
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
_, err := s.UpdateCheck(ctx, tt.args.id, &check.Deadman{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestCheckService_PatchCheck(t *testing.T) {
type fields struct {
CheckService influxdb.CheckService
}
type args struct {
id influxdb.ID
permissions []influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to patch check",
fields: fields{
CheckService: &mock.CheckService{
FindCheckByIDFn: func(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
PatchCheckFn: func(ctx context.Context, id influxdb.ID, upd influxdb.CheckUpdate) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to patch check",
fields: fields{
CheckService: &mock.CheckService{
FindCheckByIDFn: func(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
PatchCheckFn: func(ctx context.Context, id influxdb.ID, upd influxdb.CheckUpdate) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/checks/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewCheckService(tt.fields.CheckService, mock.NewUserResourceMappingService(), mock.NewOrganizationService())
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
_, err := s.PatchCheck(ctx, tt.args.id, influxdb.CheckUpdate{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestCheckService_DeleteCheck(t *testing.T) {
type fields struct {
CheckService influxdb.CheckService
}
type args struct {
id influxdb.ID
permissions []influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to delete check",
fields: fields{
CheckService: &mock.CheckService{
FindCheckByIDFn: func(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
DeleteCheckFn: func(ctx context.Context, id influxdb.ID) error {
return nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to delete check",
fields: fields{
CheckService: &mock.CheckService{
FindCheckByIDFn: func(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
return &check.Deadman{
Base: check.Base{
ID: 1,
OrgID: 10,
},
}, nil
},
DeleteCheckFn: func(ctx context.Context, id influxdb.ID) error {
return nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/checks/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewCheckService(tt.fields.CheckService, mock.NewUserResourceMappingService(), mock.NewOrganizationService())
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
err := s.DeleteCheck(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestCheckService_CreateCheck(t *testing.T) {
type fields struct {
CheckService influxdb.CheckService
}
type args struct {
permission influxdb.Permission
orgID influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to create check",
fields: fields{
CheckService: &mock.CheckService{
CreateCheckFn: func(ctx context.Context, chk influxdb.Check) error {
return nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to create check",
fields: fields{
CheckService: &mock.CheckService{
CreateCheckFn: func(ctx context.Context, chk influxdb.Check) error {
return nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/checks is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewCheckService(tt.fields.CheckService, mock.NewUserResourceMappingService(), mock.NewOrganizationService())
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
err := s.CreateCheck(ctx, &check.Deadman{
Base: check.Base{
OrgID: tt.args.orgID},
})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}