chore(authorizer): user org perm for endpoints

authorizer/notification_endpoint.go

@@ -32,52 +32,6 @@ func NewNotificationEndpointService(
 	}
 }
 
-func newNotificationEndpointPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
-	return influxdb.NewPermissionAtID(id, a, influxdb.NotificationEndpointResourceType, orgID)
-}
-
-func authorizeReadNotificationEndpoint(ctx context.Context, orgID, id influxdb.ID) error {
-	p, err := newNotificationEndpointPermission(influxdb.ReadAction, orgID, id)
-	if err != nil {
-		return err
-	}
-
-	pOrg, err := newOrgPermission(influxdb.WriteAction, orgID)
-	if err != nil {
-		return err
-	}
-
-	err0 := IsAllowed(ctx, *p)
-	err1 := IsAllowed(ctx, *pOrg)
-
-	if err0 != nil && err1 != nil {
-		return err0
-	}
-
-	return nil
-}
-
-func authorizeWriteNotificationEndpoint(ctx context.Context, orgID, id influxdb.ID) error {
-	p, err := newNotificationEndpointPermission(influxdb.WriteAction, orgID, id)
-	if err != nil {
-		return err
-	}
-
-	pOrg, err := newOrgPermission(influxdb.WriteAction, orgID)
-	if err != nil {
-		return err
-	}
-
-	err0 := IsAllowed(ctx, *p)
-	err1 := IsAllowed(ctx, *pOrg)
-
-	if err0 != nil && err1 != nil {
-		return err0
-	}
-
-	return nil
-}
-
 // FindNotificationEndpointByID checks to see if the authorizer on context has read access to the id provided.
 func (s *NotificationEndpointService) FindNotificationEndpointByID(ctx context.Context, id influxdb.ID) (influxdb.NotificationEndpoint, error) {
 	edp, err := s.s.FindNotificationEndpointByID(ctx, id)
@@ -85,7 +39,7 @@ func (s *NotificationEndpointService) FindNotificationEndpointByID(ctx context.C
 		return nil, err
 	}
 
-	if err := authorizeReadNotificationEndpoint(ctx, edp.GetOrgID(), edp.GetID()); err != nil {
+	if err := authorizeReadOrg(ctx, edp.GetOrgID()); err != nil {
 		return nil, err
 	}
 
@@ -105,7 +59,7 @@ func (s *NotificationEndpointService) FindNotificationEndpoints(ctx context.Cont
 	// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
 	endpoints := edps[:0]
 	for _, edp := range edps {
-		err := authorizeReadNotificationEndpoint(ctx, edp.GetOrgID(), edp.GetID())
+		err := authorizeReadOrg(ctx, edp.GetOrgID())
 		if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
 			return nil, 0, err
 		}
@@ -149,7 +103,7 @@ func (s *NotificationEndpointService) UpdateNotificationEndpoint(ctx context.Con
 		return nil, err
 	}
 
-	if err := authorizeWriteNotificationEndpoint(ctx, edp.GetOrgID(), id); err != nil {
+	if err := authorizeWriteOrg(ctx, edp.GetOrgID()); err != nil {
 		return nil, err
 	}
 
@@ -163,7 +117,7 @@ func (s *NotificationEndpointService) PatchNotificationEndpoint(ctx context.Cont
 		return nil, err
 	}
 
-	if err := authorizeWriteNotificationEndpoint(ctx, edp.GetOrgID(), id); err != nil {
+	if err := authorizeWriteOrg(ctx, edp.GetOrgID()); err != nil {
 		return nil, err
 	}
 
@@ -177,7 +131,7 @@ func (s *NotificationEndpointService) DeleteNotificationEndpoint(ctx context.Con
 		return err
 	}
 
-	if err := authorizeWriteNotificationEndpoint(ctx, edp.GetOrgID(), id); err != nil {
+	if err := authorizeWriteOrg(ctx, edp.GetOrgID()); err != nil {
 		return err
 	}
 

authorizer/notification_endpoint_test.go

@@ -46,34 +46,6 @@ func TestNotificationEndpointService_FindNotificationEndpointByID(t *testing.T)
 		args   args
 		wants  wants
 	}{
-		{
-			name: "authorized to access id",
-			fields: fields{
-				NotificationEndpointService: &mock.NotificationEndpointService{
-					FindNotificationEndpointByIDF: func(ctx context.Context, id influxdb.ID) (influxdb.NotificationEndpoint, error) {
-						return &endpoint.Slack{
-							Base: endpoint.Base{
-								ID:    id,
-								OrgID: 10,
-							},
-						}, nil
-					},
-				},
-			},
-			args: args{
-				permission: influxdb.Permission{
-					Action: "read",
-					Resource: influxdb.Resource{
-						Type: influxdb.NotificationEndpointResourceType,
-						ID:   influxdbtesting.IDPtr(1),
-					},
-				},
-				id: 1,
-			},
-			wants: wants{
-				err: nil,
-			},
-		},
 		{
 			name: "authorized to access id with org",
 			fields: fields{
@@ -90,7 +62,7 @@ func TestNotificationEndpointService_FindNotificationEndpointByID(t *testing.T)
 			},
 			args: args{
 				permission: influxdb.Permission{
-					Action: "write",
+					Action: "read",
 					Resource: influxdb.Resource{
 						Type: influxdb.OrgsResourceType,
 						ID:   influxdbtesting.IDPtr(10),
@@ -128,7 +100,7 @@ func TestNotificationEndpointService_FindNotificationEndpointByID(t *testing.T)
 			},
 			wants: wants{
 				err: &influxdb.Error{
-					Msg:  "read:orgs/000000000000000a/notificationEndpoints/0000000000000001 is unauthorized",
+					Msg:  "read:orgs/000000000000000a is unauthorized",
 					Code: influxdb.EUnauthorized,
 				},
 			},
@@ -198,7 +170,7 @@ func TestNotificationEndpointService_FindNotificationEndpoints(t *testing.T) {
 				permission: influxdb.Permission{
 					Action: "read",
 					Resource: influxdb.Resource{
-						Type: influxdb.NotificationEndpointResourceType,
+						Type: influxdb.OrgsResourceType,
 					},
 				},
 			},
@@ -257,8 +229,8 @@ func TestNotificationEndpointService_FindNotificationEndpoints(t *testing.T) {
 				permission: influxdb.Permission{
 					Action: "read",
 					Resource: influxdb.Resource{
-						Type:  influxdb.NotificationEndpointResourceType,
-						OrgID: influxdbtesting.IDPtr(10),
+						Type: influxdb.OrgsResourceType,
+						ID:   influxdbtesting.IDPtr(10),
 					},
 				},
 			},
@@ -318,51 +290,6 @@ func TestNotificationEndpointService_UpdateNotificationEndpoint(t *testing.T) {
 		args   args
 		wants  wants
 	}{
-		{
-			name: "authorized to update notificationEndpoint",
-			fields: fields{
-				NotificationEndpointService: &mock.NotificationEndpointService{
-					FindNotificationEndpointByIDF: func(ctc context.Context, id influxdb.ID) (influxdb.NotificationEndpoint, error) {
-						return &endpoint.Slack{
-							Base: endpoint.Base{
-								ID:    1,
-								OrgID: 10,
-							},
-						}, nil
-					},
-					UpdateNotificationEndpointF: func(ctx context.Context, id influxdb.ID, upd influxdb.NotificationEndpoint, userID influxdb.ID) (influxdb.NotificationEndpoint, error) {
-						return &endpoint.Slack{
-							Base: endpoint.Base{
-								ID:    1,
-								OrgID: 10,
-							},
-						}, nil
-					},
-				},
-			},
-			args: args{
-				id: 1,
-				permissions: []influxdb.Permission{
-					{
-						Action: "write",
-						Resource: influxdb.Resource{
-							Type: influxdb.NotificationEndpointResourceType,
-							ID:   influxdbtesting.IDPtr(1),
-						},
-					},
-					{
-						Action: "read",
-						Resource: influxdb.Resource{
-							Type: influxdb.NotificationEndpointResourceType,
-							ID:   influxdbtesting.IDPtr(1),
-						},
-					},
-				},
-			},
-			wants: wants{
-				err: nil,
-			},
-		},
 		{
 			name: "authorized to update notificationEndpoint with org owner",
 			fields: fields{
@@ -395,6 +322,13 @@ func TestNotificationEndpointService_UpdateNotificationEndpoint(t *testing.T) {
 							ID:   influxdbtesting.IDPtr(10),
 						},
 					},
+					{
+						Action: "read",
+						Resource: influxdb.Resource{
+							Type: influxdb.OrgsResourceType,
+							ID:   influxdbtesting.IDPtr(10),
+						},
+					},
 				},
 			},
 			wants: wants{
@@ -429,15 +363,15 @@ func TestNotificationEndpointService_UpdateNotificationEndpoint(t *testing.T) {
 					{
 						Action: "read",
 						Resource: influxdb.Resource{
-							Type: influxdb.NotificationEndpointResourceType,
-							ID:   influxdbtesting.IDPtr(1),
+							Type: influxdb.OrgsResourceType,
+							ID:   influxdbtesting.IDPtr(10),
 						},
 					},
 				},
 			},
 			wants: wants{
 				err: &influxdb.Error{
-					Msg:  "write:orgs/000000000000000a/notificationEndpoints/0000000000000001 is unauthorized",
+					Msg:  "write:orgs/000000000000000a is unauthorized",
 					Code: influxdb.EUnauthorized,
 				},
 			},
@@ -505,50 +439,12 @@ func TestNotificationEndpointService_PatchNotificationEndpoint(t *testing.T) {
 					{
 						Action: "write",
 						Resource: influxdb.Resource{
-							Type: influxdb.NotificationEndpointResourceType,
-							ID:   influxdbtesting.IDPtr(1),
+							Type: influxdb.OrgsResourceType,
+							ID:   influxdbtesting.IDPtr(10),
 						},
 					},
 					{
 						Action: "read",
-						Resource: influxdb.Resource{
-							Type: influxdb.NotificationEndpointResourceType,
-							ID:   influxdbtesting.IDPtr(1),
-						},
-					},
-				},
-			},
-			wants: wants{
-				err: nil,
-			},
-		},
-		{
-			name: "authorized to patch notificationEndpoint",
-			fields: fields{
-				NotificationEndpointService: &mock.NotificationEndpointService{
-					FindNotificationEndpointByIDF: func(ctc context.Context, id influxdb.ID) (influxdb.NotificationEndpoint, error) {
-						return &endpoint.Slack{
-							Base: endpoint.Base{
-								ID:    1,
-								OrgID: 10,
-							},
-						}, nil
-					},
-					PatchNotificationEndpointF: func(ctx context.Context, id influxdb.ID, upd influxdb.NotificationEndpointUpdate) (influxdb.NotificationEndpoint, error) {
-						return &endpoint.Slack{
-							Base: endpoint.Base{
-								ID:    1,
-								OrgID: 10,
-							},
-						}, nil
-					},
-				},
-			},
-			args: args{
-				id: 1,
-				permissions: []influxdb.Permission{
-					{
-						Action: "write",
 						Resource: influxdb.Resource{
 							Type: influxdb.OrgsResourceType,
 							ID:   influxdbtesting.IDPtr(10),
@@ -588,15 +484,15 @@ func TestNotificationEndpointService_PatchNotificationEndpoint(t *testing.T) {
 					{
 						Action: "read",
 						Resource: influxdb.Resource{
-							Type: influxdb.NotificationEndpointResourceType,
-							ID:   influxdbtesting.IDPtr(1),
+							Type: influxdb.OrgsResourceType,
+							ID:   influxdbtesting.IDPtr(10),
 						},
 					},
 				},
 			},
 			wants: wants{
 				err: &influxdb.Error{
-					Msg:  "write:orgs/000000000000000a/notificationEndpoints/0000000000000001 is unauthorized",
+					Msg:  "write:orgs/000000000000000a is unauthorized",
 					Code: influxdb.EUnauthorized,
 				},
 			},
@@ -658,45 +554,12 @@ func TestNotificationEndpointService_DeleteNotificationEndpoint(t *testing.T) {
 					{
 						Action: "write",
 						Resource: influxdb.Resource{
-							Type: influxdb.NotificationEndpointResourceType,
-							ID:   influxdbtesting.IDPtr(1),
+							Type: influxdb.OrgsResourceType,
+							ID:   influxdbtesting.IDPtr(10),
 						},
 					},
 					{
 						Action: "read",
-						Resource: influxdb.Resource{
-							Type: influxdb.NotificationEndpointResourceType,
-							ID:   influxdbtesting.IDPtr(1),
-						},
-					},
-				},
-			},
-			wants: wants{
-				err: nil,
-			},
-		},
-		{
-			name: "authorized to delete notificationEndpoint",
-			fields: fields{
-				NotificationEndpointService: &mock.NotificationEndpointService{
-					FindNotificationEndpointByIDF: func(ctc context.Context, id influxdb.ID) (influxdb.NotificationEndpoint, error) {
-						return &endpoint.Slack{
-							Base: endpoint.Base{
-								ID:    1,
-								OrgID: 10,
-							},
-						}, nil
-					},
-					DeleteNotificationEndpointF: func(ctx context.Context, id influxdb.ID) error {
-						return nil
-					},
-				},
-			},
-			args: args{
-				id: 1,
-				permissions: []influxdb.Permission{
-					{
-						Action: "write",
 						Resource: influxdb.Resource{
 							Type: influxdb.OrgsResourceType,
 							ID:   influxdbtesting.IDPtr(10),
@@ -731,15 +594,15 @@ func TestNotificationEndpointService_DeleteNotificationEndpoint(t *testing.T) {
 					{
 						Action: "read",
 						Resource: influxdb.Resource{
-							Type: influxdb.NotificationEndpointResourceType,
-							ID:   influxdbtesting.IDPtr(1),
+							Type: influxdb.OrgsResourceType,
+							ID:   influxdbtesting.IDPtr(10),
 						},
 					},
 				},
 			},
 			wants: wants{
 				err: &influxdb.Error{
-					Msg:  "write:orgs/000000000000000a/notificationEndpoints/0000000000000001 is unauthorized",
+					Msg:  "write:orgs/000000000000000a is unauthorized",
 					Code: influxdb.EUnauthorized,
 				},
 			},