feat(http): block writes to system buckets (#14920)

2019-09-05 11:22:18 -07:00 · 2019-09-05 11:22:18 -07:00 · 6e6e7fef9b
parent b98552a6c6
commit 6e6e7fef9b
3 changed files with 18 additions and 1 deletions
--- a/authorizer/bucket.go
+++ b/authorizer/bucket.go
@ -106,7 +106,7 @@ func (s *BucketService) FindBuckets(ctx context.Context, filter influxdb.BucketF
 	buckets := bs[:0]
 	for _, b := range bs {
 		// temporary hack for system buckets
-		if b.ID == influxdb.TasksSystemBucketID || b.ID == influxdb.MonitoringSystemBucketID {
+		if b.IsSystem() {
 			buckets = append(buckets, b)
 			continue
 		}
--- a/bucket.go
+++ b/bucket.go
@ -6,6 +6,8 @@ import (
 	"time"
 )

+// TasksSystemBucketID and MonitoringSystemBucketID are IDs that are reserved for system buckets.
+// If any system bucket IDs are added, Bucket.IsSystem must be updated to include them.
 const (
 	// TasksSystemBucketID is the fixed ID for our tasks system bucket
 	TasksSystemBucketID = ID(10)
@ -27,6 +29,12 @@ type Bucket struct {
 	CRUDLog
 }

+// TODO(jade): move this logic to a type set directly on Bucket.
+// IsSystem returns true if a bucket is a known system bucket
+func (b *Bucket) IsSystem() bool {
+	return b.ID == TasksSystemBucketID || b.ID == MonitoringSystemBucketID
+}
+
 // ops for buckets error and buckets op logs.
 var (
 	OpFindBucketByID = "FindBucketByID"
--- a/http/write_handler.go
+++ b/http/write_handler.go
@ -177,6 +177,15 @@ func (h *WriteHandler) handleWrite(w http.ResponseWriter, r *http.Request) {
 		bucket = b
 	}

+	// TODO(jade): remove this after system buckets issue is resolved
+	if bucket.IsSystem() {
+		h.HandleHTTPError(ctx, &platform.Error{
+			Code: platform.EForbidden,
+			Op:   "http/handleWrite",
+			Msg:  fmt.Sprintf("cannot write to internal bucket %s", bucket.Name),
+		}, w)
+	}
+
 	p, err := platform.NewPermissionAtID(bucket.ID, platform.WriteAction, platform.BucketsResourceType, org.ID)
 	if err != nil {
 		h.HandleHTTPError(ctx, &platform.Error{