chore(authorizer): simplify permissions for alerts and notifications (#14701)

pull/14713/head
Jade McGough 2019-08-19 10:39:25 -07:00 committed by GitHub
parent b90cfc91e5
commit 7771cd7a7b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 81 additions and 135 deletions


@ -26,36 +26,6 @@ func NewCheckService(s influxdb.CheckService, urm influxdb.UserResourceMappingSe
}
}
func newChecksPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
return influxdb.NewPermissionAtID(id, a, influxdb.ChecksResourceType, orgID)
}
func authorizeReadChecks(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newChecksPermission(influxdb.ReadAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
func authorizeWriteChecks(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newChecksPermission(influxdb.WriteAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
// FindCheckByID checks to see if the authorizer on context has read access to the id provided.
func (s *CheckService) FindCheckByID(ctx context.Context, id influxdb.ID) (influxdb.Check, error) {
chk, err := s.s.FindCheckByID(ctx, id)
@ -63,7 +33,7 @@ func (s *CheckService) FindCheckByID(ctx context.Context, id influxdb.ID) (influ
return nil, err
}
if err := authorizeReadChecks(ctx, chk.GetOrgID(), chk.GetID()); err != nil {
if err := authorizeReadOrg(ctx, chk.GetOrgID()); err != nil {
return nil, err
}
@ -83,15 +53,20 @@ func (s *CheckService) FindChecks(ctx context.Context, filter influxdb.CheckFilt
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
rules := chks[:0]
for _, chk := range chks {
err := authorizeReadChecks(ctx, chk.GetOrgID(), chk.GetID())
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
p, err := influxdb.NewPermission(influxdb.ReadAction, influxdb.OrgsResourceType, chk.GetOrgID())
if err != nil {
return nil, 0, err
}
err = IsAllowed(ctx, *p)
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, 0, err
}
rules = append(rules, chk)
}
@ -105,7 +80,7 @@ func (s *CheckService) FindCheck(ctx context.Context, filter influxdb.CheckFilte
return nil, err
}
if err := authorizeReadChecks(ctx, chk.GetOrgID(), chk.GetID()); err != nil {
if err := authorizeReadOrg(ctx, chk.GetOrgID()); err != nil {
return nil, err
}
@ -114,7 +89,7 @@ func (s *CheckService) FindCheck(ctx context.Context, filter influxdb.CheckFilte
// CreateCheck checks to see if the authorizer on context has write access to the global check resource.
func (s *CheckService) CreateCheck(ctx context.Context, chk influxdb.Check, userID influxdb.ID) error {
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.ChecksResourceType, chk.GetOrgID())
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.OrgsResourceType, chk.GetOrgID())
if err != nil {
return err
}
@ -133,7 +108,7 @@ func (s *CheckService) UpdateCheck(ctx context.Context, id influxdb.ID, upd infl
return nil, err
}
if err := authorizeWriteChecks(ctx, chk.GetOrgID(), id); err != nil {
if err := authorizeWriteOrg(ctx, chk.GetOrgID()); err != nil {
return nil, err
}
@ -147,7 +122,7 @@ func (s *CheckService) PatchCheck(ctx context.Context, id influxdb.ID, upd influ
return nil, err
}
if err := authorizeWriteChecks(ctx, chk.GetOrgID(), id); err != nil {
if err := authorizeWriteOrg(ctx, chk.GetOrgID()); err != nil {
return nil, err
}
@ -161,7 +136,7 @@ func (s *CheckService) DeleteCheck(ctx context.Context, id influxdb.ID) error {
return err
}
if err := authorizeWriteChecks(ctx, chk.GetOrgID(), id); err != nil {
if err := authorizeWriteOrg(ctx, chk.GetOrgID()); err != nil {
return err
}


@ -65,8 +65,8 @@ func TestCheckService_FindCheckByID(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
id: 1,
@ -93,7 +93,7 @@ func TestCheckService_FindCheckByID(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(2),
},
},
@ -101,7 +101,7 @@ func TestCheckService_FindCheckByID(t *testing.T) {
},
wants: wants{
err: &influxdb.Error{
Msg: "read:orgs/000000000000000a/checks/0000000000000001 is unauthorized",
Msg: "read:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -171,7 +171,7 @@ func TestCheckService_FindChecks(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
Type: influxdb.OrgsResourceType,
},
},
},
@ -230,7 +230,7 @@ func TestCheckService_FindChecks(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
@ -317,15 +317,15 @@ func TestCheckService_UpdateCheck(t *testing.T) {
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
@ -362,15 +362,15 @@ func TestCheckService_UpdateCheck(t *testing.T) {
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/checks/0000000000000001 is unauthorized",
Msg: "write:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -436,15 +436,15 @@ func TestCheckService_PatchCheck(t *testing.T) {
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
@ -481,15 +481,15 @@ func TestCheckService_PatchCheck(t *testing.T) {
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/checks/0000000000000001 is unauthorized",
Msg: "write:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -550,15 +550,15 @@ func TestCheckService_DeleteCheck(t *testing.T) {
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
@ -590,15 +590,15 @@ func TestCheckService_DeleteCheck(t *testing.T) {
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/checks/0000000000000001 is unauthorized",
Msg: "write:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -637,7 +637,7 @@ func TestCheckService_CreateCheck(t *testing.T) {
wants wants
}{
{
name: "authorized to create check",
name: "authorized to create check with org owner",
fields: fields{
CheckService: &mock.CheckService{
CreateCheckFn: func(ctx context.Context, chk influxdb.Check, userID influxdb.ID) error {
@ -650,7 +650,7 @@ func TestCheckService_CreateCheck(t *testing.T) {
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
@ -673,14 +673,14 @@ func TestCheckService_CreateCheck(t *testing.T) {
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ChecksResourceType,
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/checks is unauthorized",
Msg: "write:orgs/000000000000000a/orgs is unauthorized",
Code: influxdb.EUnauthorized,
},
},
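Review bot: The "authorized to create check with org owner" case grants `Resource{Type: OrgsResourceType, OrgID: 10}` while every other authorized case in this file grants `Resource{Type: OrgsResourceType, ID: 10}`, so the suite never shows whether a single token shape covers both creating and modifying a check. The two expected messages, `write:orgs/000000000000000a/orgs` for create and `write:orgs/000000000000000a` for update, indicate the two code paths are demanding different resources rather than the same org grant. Add a create case whose only permission is `Action: "write"` with `Resource{Type: influxdb.OrgsResourceType, ID: influxdbtesting.IDPtr(10)}` and expect success, so create and update are pinned to one grant and a divergence fails the build instead of surfacing as a confusing 403 in production.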


@ -25,36 +25,6 @@ func NewNotificationRuleStore(s influxdb.NotificationRuleStore, urm influxdb.Use
}
}
func newNotificationRulePermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
return influxdb.NewPermissionAtID(id, a, influxdb.NotificationRuleResourceType, orgID)
}
func authorizeReadNotificationRule(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newNotificationRulePermission(influxdb.ReadAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
func authorizeWriteNotificationRule(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newNotificationRulePermission(influxdb.WriteAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
// FindNotificationRuleByID checks to see if the authorizer on context has read access to the id provided.
func (s *NotificationRuleStore) FindNotificationRuleByID(ctx context.Context, id influxdb.ID) (influxdb.NotificationRule, error) {
nr, err := s.s.FindNotificationRuleByID(ctx, id)
@ -62,7 +32,7 @@ func (s *NotificationRuleStore) FindNotificationRuleByID(ctx context.Context, id
return nil, err
}
if err := authorizeReadNotificationRule(ctx, nr.GetOrgID(), nr.GetID()); err != nil {
if err := authorizeReadOrg(ctx, nr.GetOrgID()); err != nil {
return nil, err
}
@ -82,11 +52,12 @@ func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filte
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
rules := nrs[:0]
for _, nr := range nrs {
err := authorizeReadNotificationRule(ctx, nr.GetOrgID(), nr.GetID())
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
p, err := influxdb.NewPermission(influxdb.ReadAction, influxdb.OrgsResourceType, nr.GetOrgID())
if err != nil {
return nil, 0, err
}
err = IsAllowed(ctx, *p)
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
@ -99,7 +70,7 @@ func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filte
// CreateNotificationRule checks to see if the authorizer on context has write access to the global notification rule resource.
func (s *NotificationRuleStore) CreateNotificationRule(ctx context.Context, nr influxdb.NotificationRule, userID influxdb.ID) error {
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.NotificationRuleResourceType, nr.GetOrgID())
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.OrgsResourceType, nr.GetOrgID())
if err != nil {
return err
}
@ -118,7 +89,7 @@ func (s *NotificationRuleStore) UpdateNotificationRule(ctx context.Context, id i
return nil, err
}
if err := authorizeWriteNotificationRule(ctx, nr.GetOrgID(), id); err != nil {
if err := authorizeWriteOrg(ctx, nr.GetOrgID()); err != nil {
return nil, err
}
@ -127,12 +98,12 @@ func (s *NotificationRuleStore) UpdateNotificationRule(ctx context.Context, id i
// PatchNotificationRule checks to see if the authorizer on context has write access to the notification rule provided.
func (s *NotificationRuleStore) PatchNotificationRule(ctx context.Context, id influxdb.ID, upd influxdb.NotificationRuleUpdate) (influxdb.NotificationRule, error) {
nr, err := s.FindNotificationRuleByID(ctx, id)
nr, err := s.s.FindNotificationRuleByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeWriteNotificationRule(ctx, nr.GetOrgID(), id); err != nil {
if err := authorizeWriteOrg(ctx, nr.GetOrgID()); err != nil {
return nil, err
}
@ -141,12 +112,12 @@ func (s *NotificationRuleStore) PatchNotificationRule(ctx context.Context, id in
// DeleteNotificationRule checks to see if the authorizer on context has write access to the notification rule provided.
func (s *NotificationRuleStore) DeleteNotificationRule(ctx context.Context, id influxdb.ID) error {
nr, err := s.FindNotificationRuleByID(ctx, id)
nr, err := s.s.FindNotificationRuleByID(ctx, id)
if err != nil {
return err
}
if err := authorizeWriteNotificationRule(ctx, nr.GetOrgID(), id); err != nil {
if err := authorizeWriteOrg(ctx, nr.GetOrgID()); err != nil {
return err
}


@ -65,8 +65,8 @@ func TestNotificationRuleStore_FindNotificationRuleByID(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
id: 1,
@ -93,7 +93,7 @@ func TestNotificationRuleStore_FindNotificationRuleByID(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(2),
},
},
@ -101,7 +101,7 @@ func TestNotificationRuleStore_FindNotificationRuleByID(t *testing.T) {
},
wants: wants{
err: &influxdb.Error{
Msg: "read:orgs/000000000000000a/notificationRules/0000000000000001 is unauthorized",
Msg: "read:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -171,7 +171,7 @@ func TestNotificationRuleStore_FindNotificationRules(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
Type: influxdb.OrgsResourceType,
},
},
},
@ -230,7 +230,7 @@ func TestNotificationRuleStore_FindNotificationRules(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
@ -317,15 +317,15 @@ func TestNotificationRuleStore_UpdateNotificationRule(t *testing.T) {
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
@ -362,15 +362,15 @@ func TestNotificationRuleStore_UpdateNotificationRule(t *testing.T) {
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/notificationRules/0000000000000001 is unauthorized",
Msg: "write:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -436,15 +436,15 @@ func TestNotificationRuleStore_PatchNotificationRule(t *testing.T) {
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
},
@ -481,7 +481,7 @@ func TestNotificationRuleStore_PatchNotificationRule(t *testing.T) {
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
@ -489,7 +489,7 @@ func TestNotificationRuleStore_PatchNotificationRule(t *testing.T) {
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/notificationRules/0000000000000001 is unauthorized",
Msg: "write:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -550,14 +550,14 @@ func TestNotificationRuleStore_DeleteNotificationRule(t *testing.T) {
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
ID: influxdbtesting.IDPtr(1),
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(10),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
@ -590,7 +590,7 @@ func TestNotificationRuleStore_DeleteNotificationRule(t *testing.T) {
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
@ -598,7 +598,7 @@ func TestNotificationRuleStore_DeleteNotificationRule(t *testing.T) {
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/notificationRules/0000000000000001 is unauthorized",
Msg: "write:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -650,7 +650,7 @@ func TestNotificationRuleStore_CreateNotificationRule(t *testing.T) {
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
@ -673,14 +673,14 @@ func TestNotificationRuleStore_CreateNotificationRule(t *testing.T) {
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.NotificationRuleResourceType,
Type: influxdb.OrgsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/notificationRules is unauthorized",
Msg: "write:orgs/000000000000000a/orgs is unauthorized",
Code: influxdb.EUnauthorized,
},
},
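Review bot: The unauthorized Patch and Delete cases still grant `read` on `ID: influxdbtesting.IDPtr(1)`, a rule-style ID that no longer corresponds to the org 10 used everywhere else in this file, while the parallel Update case was moved to `ID: 10`. Because Patch and Delete now look the rule up through the underlying store rather than the authorizing wrapper, those read grants are inert and the cases pass whatever they contain, which makes the fixtures misleading about what is actually enforced. Either align them with the Update case (`ID: influxdbtesting.IDPtr(10)`) or drop the read permission from those cases so the tests document that only `write:orgs/<org>` is consulted on the write paths.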