chore: fix KV migration to add notebooks and annotations to all-access tokens (#22738)

2021-10-22 18:03:09 -04:00 · 2021-10-22 18:03:09 -04:00 · a1a725945b
parent 7171e0752a
commit a1a725945b
2 changed files with 21 additions and 7 deletions
--- a/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens.go
+++ b/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens.go
@ -36,7 +36,7 @@ var Migration0017_AddAnnotationsNotebooksToAllAccessTokens = UpOnlyMigration(

 				// Add any tokens to the list that match the list of permission from an
 				// "old" all-access token
-				if permListsMatch(oldAllAccessPerms(t.OrgID), t.Permissions) {
+				if permListsMatch(oldAllAccessPerms(t.OrgID, t.UserID), t.Permissions) {
 					tokens = append(tokens, t)
 				}

@ -88,10 +88,24 @@ func extraAllAccessPerms(orgId platform.ID) []influxdb.Permission {

 // oldAllAccessPerms is the list of permissions from an "old" all-access token - prior to
 // the addition of the notebooks an annotations resource type.
-func oldAllAccessPerms(orgId platform.ID) []influxdb.Permission {
-	perms := oldOpPerms()
-	for i := range perms {
-		perms[i].Resource.OrgID = &orgId
+func oldAllAccessPerms(orgId platform.ID, userId platform.ID) []influxdb.Permission {
+	opPerms := oldOpPerms()
+	perms := make([]influxdb.Permission, 0, len(opPerms)-1) // -1 because write-org permission isn't included.
+	for _, p := range opPerms {
+		if p.Resource.Type == influxdb.OrgsResourceType {
+			// All-access grants read-only access to the enclosing org.
+			if p.Action == influxdb.WriteAction {
+				continue
+			}
+			p.Resource.ID = &orgId
+		} else if p.Resource.Type == influxdb.UsersResourceType {
+			// It grants read and write access to the associated user.
+			p.Resource.ID = &userId
+		} else {
+			// It grants read and write access to all other resources in the enclosing org.
+			p.Resource.OrgID = &orgId
+		}
+		perms = append(perms, p)
 	}
 	return perms
 }
--- a/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens_test.go
+++ b/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens_test.go
@ -43,7 +43,7 @@ func TestMigration_AnnotationsNotebooksAllAccessToken(t *testing.T) {
 			ID:          id2, // an all-access token
 			OrgID:       OrgID,
 			UserID:      UserID,
-			Permissions: oldAllAccessPerms(OrgID),
+			Permissions: oldAllAccessPerms(OrgID, UserID),
 		},
 	}

@ -96,7 +96,7 @@ func TestMigration_AnnotationsNotebooksAllAccessToken(t *testing.T) {
 		var token influxdb.Authorization
 		require.NoError(t, json.Unmarshal(b, &token))

-		require.ElementsMatch(t, append(oldAllAccessPerms(OrgID), extraAllAccessPerms(OrgID)...), token.Permissions)
+		require.ElementsMatch(t, append(oldAllAccessPerms(OrgID, UserID), extraAllAccessPerms(OrgID)...), token.Permissions)
 		return nil
 	})
 	require.NoError(t, err)