Move user roles and role names to roles package

pull/10616/head
Michael Desa 2017-11-03 16:32:05 -04:00
parent 4781cb3673
commit 9b194168a6
11 changed files with 100 additions and 96 deletions


@ -3,6 +3,8 @@ package roles
import (
"context"
"fmt"
"github.com/influxdata/chronograf"
)
type contextKey string
@ -22,10 +24,40 @@ func validRole(ctx context.Context) error {
return fmt.Errorf("expected role key to be a string")
}
switch role {
// TODO(desa): make real roles
case "member", "viewer", "editor", "admin":
case MemberRoleName, ViewerRoleName, EditorRoleName, AdminRoleName:
return nil
default:
return fmt.Errorf("expected role key to be set")
}
}
// Chronograf User Roles
const (
MemberRoleName = "member"
ViewerRoleName = "viewer"
EditorRoleName = "editor"
AdminRoleName = "admin"
SuperAdminRoleName = "superadmin"
)
var (
// MemberRole is the role for a user who can only perform No operations.
MemberRole = chronograf.Role{
Name: MemberRoleName,
}
// ViewerRole is the role for a user who can only perform READ operations on Dashboards, Rules, and Sources
ViewerRole = chronograf.Role{
Name: ViewerRoleName,
}
// EditorRole is the role for a user who can perform READ and WRITE operations on Dashboards, Rules, and Sources
EditorRole = chronograf.Role{
Name: EditorRoleName,
}
// AdminRole is the role for a user who can perform READ and WRITE operations on Dashboards, Rules, Sources, and Users
AdminRole = chronograf.Role{
Name: AdminRoleName,
}
)
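Review bot: The default branch of validRole (its opening line is above the hunk) reports `expected role key to be set` for a role that is set but is none of the four accepted names, which hides the real cause; `return fmt.Errorf("unknown role %q", role)` would state what was rejected. SuperAdminRoleName is declared in the new const block but deliberately absent from this switch, and nothing says why; a comment on the constant such as `// SuperAdminRoleName is never a valid roles.ContextKey value; superadmin is a per-user flag checked before role checks.` would stop the next reader from adding it to the case list. The `var` block exports mutable `chronograf.Role` values, so any importing package can reassign `roles.AdminRole.Name` at runtime; where callers only need the name, point them at the constants, or expose small constructor functions instead of shared variables.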


@ -111,21 +111,20 @@ func (s *SourcesStore) Update(ctx context.Context, d chronograf.Source) error {
}
func hasAuthorizedRole(sourceRole, providedRole string) bool {
// TODO(desa): make real roles
switch sourceRole {
case "viewer":
case ViewerRoleName:
switch providedRole {
case "viewer", "editor", "admin":
case ViewerRoleName, EditorRoleName, AdminRoleName:
return true
}
case "editor":
case EditorRoleName:
switch providedRole {
case "editor", "admin":
case EditorRoleName, AdminRoleName:
return true
}
case "admin":
case AdminRoleName:
switch providedRole {
case "admin":
case AdminRoleName:
return true
}
}
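Review bot: This hasAuthorizedRole (its return after the switch is below the hunk) carries its own copy of the viewer < editor < admin ordering, and the server package's hasAuthorizedRole carries another, so a new role or a precedence change must now be made in two places and an omission in either silently widens or narrows access. Consider one exported helper in this package, e.g. `func Includes(granted, required string) bool`, expressing the ordering once and used by both callers. A source role of member or "" currently falls out of the outer switch and is presumably denied by the return below the hunk; a shared helper must keep that deny-by-default behaviour rather than treating unknown values as the lowest tier.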


@ -70,7 +70,7 @@ func AuthorizedUser(
}
ctx = context.WithValue(ctx, organizations.ContextKey, fmt.Sprintf("%d", defaultOrg.ID))
// TODO(desa): remove this in place of actual string value
ctx = context.WithValue(ctx, roles.ContextKey, "admin")
ctx = context.WithValue(ctx, roles.ContextKey, roles.AdminRoleName)
r = r.WithContext(ctx)
next(w, r)
return
@ -124,8 +124,7 @@ func AuthorizedUser(
ctx = context.WithValue(ctx, organizations.ContextKey, p.Organization)
serverCtx := context.WithValue(ctx, SuperAdminKey, true)
// the DataStore expects that the roles context key be set for future calls
// TODO(desa): remove hard coding
serverCtx = context.WithValue(serverCtx, roles.ContextKey, "admin")
serverCtx = context.WithValue(serverCtx, roles.ContextKey, roles.AdminRoleName)
// TODO: seems silly to look up a user twice
u, err := store.Users(serverCtx).Get(serverCtx, chronograf.UserQuery{
Name: &p.Subject,
@ -178,28 +177,28 @@ func hasAuthorizedRole(u *chronograf.User, role string) bool {
}
switch role {
case ViewerRoleName:
case roles.ViewerRoleName:
for _, r := range u.Roles {
switch r.Name {
case ViewerRoleName, EditorRoleName, AdminRoleName:
case roles.ViewerRoleName, roles.EditorRoleName, roles.AdminRoleName:
return true
}
}
case EditorRoleName:
case roles.EditorRoleName:
for _, r := range u.Roles {
switch r.Name {
case EditorRoleName, AdminRoleName:
case roles.EditorRoleName, roles.AdminRoleName:
return true
}
}
case AdminRoleName:
case roles.AdminRoleName:
for _, r := range u.Roles {
switch r.Name {
case AdminRoleName:
case roles.AdminRoleName:
return true
}
}
case SuperAdminRoleName:
case roles.SuperAdminRoleName:
// SuperAdmins should have been authorized before this.
// This is only meant to restrict access for non-superadmins.
return false
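Review bot: The loops in hasAuthorizedRole match on `r.Name` only and never compare `r.Organization` with the organization placed into the context earlier in this file, so unless the store behind `store.Users(serverCtx)` already narrows `u.Roles` to that organization, an admin role held in any organization satisfies an admin check here. If the store does filter, say so above the first loop (`// u.Roles is already scoped to the request's organization by the store`); if it does not, each match needs an `r.Organization` comparison alongside the name. Separately, `serverCtx` now carries both SuperAdminKey and an admin role for the internal user lookup, so it matters that only `ctx`, not `serverCtx`, is what reaches `next`; that call is outside this hunk, as are the head and tail of hasAuthorizedRole.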


@ -12,6 +12,7 @@ import (
clog "github.com/influxdata/chronograf/log"
"github.com/influxdata/chronograf/mocks"
"github.com/influxdata/chronograf/oauth2"
"github.com/influxdata/chronograf/roles"
"github.com/influxdata/chronograf/server"
)
@ -115,7 +116,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.ViewerRoleName,
Name: roles.ViewerRoleName,
Organization: "1337",
},
},
@ -167,7 +168,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.EditorRoleName,
Name: roles.EditorRoleName,
Organization: "1337",
},
},
@ -219,7 +220,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -271,7 +272,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.ViewerRoleName,
Name: roles.ViewerRoleName,
Organization: "1337",
},
},
@ -323,7 +324,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.EditorRoleName,
Name: roles.EditorRoleName,
Organization: "1337",
},
},
@ -375,7 +376,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -427,7 +428,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.ViewerRoleName,
Name: roles.ViewerRoleName,
Organization: "1337",
},
},
@ -479,7 +480,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.EditorRoleName,
Name: roles.EditorRoleName,
Organization: "1337",
},
},
@ -531,7 +532,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -872,7 +873,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.ViewerRoleName,
Name: roles.ViewerRoleName,
Organization: "1337",
},
},
@ -924,7 +925,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.EditorRoleName,
Name: roles.EditorRoleName,
Organization: "1337",
},
},
@ -976,7 +977,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -1029,7 +1030,7 @@ func TestAuthorizedUser(t *testing.T) {
SuperAdmin: true,
Roles: []chronograf.Role{
{
Name: server.MemberRoleName,
Name: roles.MemberRoleName,
Organization: "1337",
},
},
@ -1082,7 +1083,7 @@ func TestAuthorizedUser(t *testing.T) {
SuperAdmin: true,
Roles: []chronograf.Role{
{
Name: server.MemberRoleName,
Name: roles.MemberRoleName,
Organization: "1337",
},
},
@ -1135,7 +1136,7 @@ func TestAuthorizedUser(t *testing.T) {
SuperAdmin: true,
Roles: []chronograf.Role{
{
Name: server.MemberRoleName,
Name: roles.MemberRoleName,
Organization: "1337",
},
},
@ -1188,7 +1189,7 @@ func TestAuthorizedUser(t *testing.T) {
SuperAdmin: true,
Roles: []chronograf.Role{
{
Name: server.MemberRoleName,
Name: roles.MemberRoleName,
Organization: "1337",
},
},
@ -1240,7 +1241,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -1288,7 +1289,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -1339,7 +1340,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -1391,7 +1392,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -1450,7 +1451,7 @@ func TestAuthorizedUser(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: server.AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},


@ -10,6 +10,7 @@ import (
"github.com/influxdata/chronograf"
"github.com/influxdata/chronograf/oauth2"
"github.com/influxdata/chronograf/organizations"
"github.com/influxdata/chronograf/roles"
)
type meLinks struct {
@ -249,7 +250,7 @@ func (s *Service) Me(w http.ResponseWriter, r *http.Request) {
Scheme: scheme,
Roles: []chronograf.Role{
{
Name: MemberRoleName,
Name: roles.MemberRoleName,
// This is the ID of the default organization
Organization: fmt.Sprintf("%d", defaultOrg.ID),
},


@ -14,6 +14,7 @@ import (
"github.com/influxdata/chronograf/log"
"github.com/influxdata/chronograf/mocks"
"github.com/influxdata/chronograf/oauth2"
"github.com/influxdata/chronograf/roles"
)
type MockUsers struct{}
@ -295,7 +296,7 @@ func TestService_MeOrganizations(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -354,7 +355,7 @@ func TestService_MeOrganizations(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},
@ -465,7 +466,7 @@ func TestService_MeOrganizations(t *testing.T) {
Scheme: "oauth2",
Roles: []chronograf.Role{
{
Name: AdminRoleName,
Name: roles.AdminRoleName,
Organization: "1337",
},
},


@ -12,6 +12,7 @@ import (
"github.com/bouk/httprouter"
"github.com/influxdata/chronograf" // When julienschmidt/httprouter v2 w/ context is out, switch
"github.com/influxdata/chronograf/oauth2"
"github.com/influxdata/chronograf/roles"
)
const (
@ -71,7 +72,7 @@ func NewMux(opts MuxOpts, service Service) http.Handler {
return AuthorizedUser(
service.Store,
opts.UseAuth,
ViewerRoleName,
roles.ViewerRoleName,
opts.Logger,
next,
)
@ -80,7 +81,7 @@ func NewMux(opts MuxOpts, service Service) http.Handler {
return AuthorizedUser(
service.Store,
opts.UseAuth,
EditorRoleName,
roles.EditorRoleName,
opts.Logger,
next,
)
@ -89,7 +90,7 @@ func NewMux(opts MuxOpts, service Service) http.Handler {
return AuthorizedUser(
service.Store,
opts.UseAuth,
AdminRoleName,
roles.AdminRoleName,
opts.Logger,
next,
)
@ -98,7 +99,7 @@ func NewMux(opts MuxOpts, service Service) http.Handler {
return AuthorizedUser(
service.Store,
opts.UseAuth,
SuperAdminRoleName,
roles.SuperAdminRoleName,
opts.Logger,
next,
)


@ -10,6 +10,7 @@ import (
"github.com/bouk/httprouter"
"github.com/influxdata/chronograf"
"github.com/influxdata/chronograf/influx"
"github.com/influxdata/chronograf/roles"
)
type sourceLinks struct {
@ -315,8 +316,7 @@ func ValidSourceRequest(s chronograf.Source, defaultOrgID string) error {
}
if s.Role == "" {
// TODO(desa): removed bare string here
s.Role = "viewer"
s.Role = roles.ViewerRoleName
}
return nil
}
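Review bot: `s` is a value parameter (`s chronograf.Source` in the hunk header), so `s.Role = roles.ViewerRoleName` updates a local copy and the caller's Source still has an empty Role when ValidSourceRequest returns nil; any later role comparison then sees "" instead of viewer. Either change the signature to `func ValidSourceRequest(s *chronograf.Source, defaultOrgID string) error` and have callers pass the address, or apply the default in the caller before validating; if the caller already defaults Role on its own, this branch is dead and a comment should say so. The function's opening and its earlier checks are above the hunk.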


@ -40,8 +40,7 @@ func hasRoleContext(ctx context.Context) (string, bool) {
return "", false
}
switch role {
// TODO(desa): make real roles
case "member", "viewer", "editor", "admin":
case roles.MemberRoleName, roles.ViewerRoleName, roles.EditorRoleName, roles.AdminRoleName:
return role, true
default:
return "", false


@ -10,6 +10,7 @@ import (
"github.com/bouk/httprouter"
"github.com/influxdata/chronograf"
"github.com/influxdata/chronograf/roles"
)
type userRequest struct {
@ -64,10 +65,10 @@ func (r *userRequest) ValidRoles() error {
}
orgs[r.Organization] = true
switch r.Name {
case MemberRoleName, ViewerRoleName, EditorRoleName, AdminRoleName:
case roles.MemberRoleName, roles.ViewerRoleName, roles.EditorRoleName, roles.AdminRoleName:
continue
default:
return fmt.Errorf("Unknown role %s. Valid roles are 'viewer', 'editor', 'admin', and 'superadmin'", r.Name)
return fmt.Errorf("Unknown role %s. Valid roles are 'member', 'viewer', 'editor', 'admin', and 'superadmin'", r.Name)
}
}
}
@ -125,37 +126,6 @@ func newUsersResponse(users []chronograf.User) *usersResponse {
}
}
// Chronograf User Roles
const (
MemberRoleName = "member"
ViewerRoleName = "viewer"
EditorRoleName = "editor"
AdminRoleName = "admin"
SuperAdminRoleName = "superadmin"
)
var (
// MemberRole is the role for a user who can only perform No operations.
MemberRole = chronograf.Role{
Name: MemberRoleName,
}
// ViewerRole is the role for a user who can only perform READ operations on Dashboards, Rules, and Sources
ViewerRole = chronograf.Role{
Name: ViewerRoleName,
}
// EditorRole is the role for a user who can perform READ and WRITE operations on Dashboards, Rules, and Sources
EditorRole = chronograf.Role{
Name: EditorRoleName,
}
// AdminRole is the role for a user who can perform READ and WRITE operations on Dashboards, Rules, Sources, and Users
AdminRole = chronograf.Role{
Name: AdminRoleName,
}
)
// UserID retrieves a Chronograf user with ID from store
func (s *Service) UserID(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
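Review bot: The updated error in ValidRoles still lists 'superadmin' as a valid role, but the switch directly above it accepts only member, viewer, editor and admin, so a request carrying superadmin is rejected by a message that claims it is allowed. Drop it from the list, e.g. `return fmt.Errorf("unknown role %q; valid roles are 'member', 'viewer', 'editor' and 'admin'", r.Name)`, and change the expected string in users_test.go in the same commit; `%q` also quotes the caller-supplied name so an empty or whitespace-only value is visible in the response and logs. ValidRoles's opening is above the hunk, and the deleted const/var block further down is the definition moved to the roles package, not new code.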


@ -14,6 +14,7 @@ import (
"github.com/influxdata/chronograf"
"github.com/influxdata/chronograf/log"
"github.com/influxdata/chronograf/mocks"
"github.com/influxdata/chronograf/roles"
)
func TestService_UserID(t *testing.T) {
@ -56,7 +57,7 @@ func TestService_UserID(t *testing.T) {
Provider: "google",
Scheme: "oauth2",
Roles: []chronograf.Role{
ViewerRole,
roles.ViewerRole,
},
}, nil
default:
@ -501,7 +502,7 @@ func TestService_UpdateUser(t *testing.T) {
Provider: "github",
Scheme: "oauth2",
Roles: []chronograf.Role{
EditorRole,
roles.EditorRole,
},
}, nil
default:
@ -520,7 +521,7 @@ func TestService_UpdateUser(t *testing.T) {
user: &userRequest{
ID: 1336,
Roles: []chronograf.Role{
AdminRole,
roles.AdminRole,
},
},
},
@ -803,7 +804,7 @@ func TestService_Users(t *testing.T) {
Provider: "google",
Scheme: "oauth2",
Roles: []chronograf.Role{
EditorRole,
roles.EditorRole,
},
},
{
@ -847,7 +848,7 @@ func TestService_Users(t *testing.T) {
Provider: "google",
Scheme: "oauth2",
Roles: []chronograf.Role{
EditorRole,
roles.EditorRole,
},
},
}, nil
@ -915,7 +916,7 @@ func TestUserRequest_ValidCreate(t *testing.T) {
Provider: "auth0",
Scheme: "oauth2",
Roles: []chronograf.Role{
EditorRole,
roles.EditorRole,
},
},
},
@ -930,7 +931,7 @@ func TestUserRequest_ValidCreate(t *testing.T) {
Provider: "auth0",
Scheme: "oauth2",
Roles: []chronograf.Role{
EditorRole,
roles.EditorRole,
},
},
},
@ -945,7 +946,7 @@ func TestUserRequest_ValidCreate(t *testing.T) {
Name: "billietta",
Scheme: "oauth2",
Roles: []chronograf.Role{
EditorRole,
roles.EditorRole,
},
},
},
@ -960,7 +961,7 @@ func TestUserRequest_ValidCreate(t *testing.T) {
Name: "billietta",
Provider: "auth0",
Roles: []chronograf.Role{
EditorRole,
roles.EditorRole,
},
},
},
@ -983,7 +984,7 @@ func TestUserRequest_ValidCreate(t *testing.T) {
},
},
wantErr: true,
err: fmt.Errorf("Unknown role BilliettaSpecialRole. Valid roles are 'viewer', 'editor', 'admin', and 'superadmin'"),
err: fmt.Errorf("Unknown role BilliettaSpecialRole. Valid roles are 'member', 'viewer', 'editor', 'admin', and 'superadmin'"),
},
}
@ -1020,7 +1021,7 @@ func TestUserRequest_ValidUpdate(t *testing.T) {
u: &userRequest{
ID: 1337,
Roles: []chronograf.Role{
EditorRole,
roles.EditorRole,
},
},
},