From a1a725945ba44670c2b4b0002eb0ab49c213cbda Mon Sep 17 00:00:00 2001
From: Daniel Moran
Date: Fri, 22 Oct 2021 18:03:09 -0400
Subject: [PATCH] chore: fix KV migration to add notebooks and annotations to all-access tokens (#22738)
---
 ...otations-notebooks-to-all-access-tokens.go | 24 +++++++++++++++----
 ...ons-notebooks-to-all-access-tokens_test.go | 4 ++--
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens.go b/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens.go
index c332d00c06..f01e6ae7eb 100644
--- a/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens.go
+++ b/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens.go
@@ -36,7 +36,7 @@ var Migration0017_AddAnnotationsNotebooksToAllAccessTokens = UpOnlyMigration(
 // Add any tokens to the list that match the list of permission from an
 // "old" all-access token
- if permListsMatch(oldAllAccessPerms(t.OrgID), t.Permissions) {
+ if permListsMatch(oldAllAccessPerms(t.OrgID, t.UserID), t.Permissions) {
 tokens = append(tokens, t)
 }
@@ -88,10 +88,24 @@ func extraAllAccessPerms(orgId platform.ID) []influxdb.Permission {
 // oldAllAccessPerms is the list of permissions from an "old" all-access token - prior to
 // the addition of the notebooks an annotations resource type.
-func oldAllAccessPerms(orgId platform.ID) []influxdb.Permission {
- perms := oldOpPerms()
- for i := range perms {
- perms[i].Resource.OrgID = &orgId
+func oldAllAccessPerms(orgId platform.ID, userId platform.ID) []influxdb.Permission {
+ opPerms := oldOpPerms()
+ perms := make([]influxdb.Permission, 0, len(opPerms)-1) // -1 because write-org permission isn't included.
+ for _, p := range opPerms {
+ if p.Resource.Type == influxdb.OrgsResourceType {
+ // All-access grants read-only access to the enclosing org.
+ if p.Action == influxdb.WriteAction {
+ continue
+ }
+ p.Resource.ID = &orgId
+ } else if p.Resource.Type == influxdb.UsersResourceType {
+ // It grants read and write access to the associated user.
+ p.Resource.ID = &userId
+ } else {
+ // It grants read and write access to all other resources in the enclosing org.
+ p.Resource.OrgID = &orgId
+ }
+ perms = append(perms, p)
 }
 return perms
 }
diff --git a/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens_test.go b/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens_test.go
index d680886a23..4c708b3013 100644
--- a/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens_test.go
+++ b/kv/migration/all/0017_add-annotations-notebooks-to-all-access-tokens_test.go
@@ -43,7 +43,7 @@ func TestMigration_AnnotationsNotebooksAllAccessToken(t *testing.T) {
 ID: id2, // an all-access token
 OrgID: OrgID,
 UserID: UserID,
- Permissions: oldAllAccessPerms(OrgID),
+ Permissions: oldAllAccessPerms(OrgID, UserID),
 },
 }
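Review bot: The capacity hint `len(opPerms)-1` on the make line hard-codes that oldOpPerms returns exactly one org-write entry; if that helper ever returned an empty list the negative capacity panics inside make, and if it returned no org-write entry the hint is simply wrong, so the coupling buys nothing. `perms := make([]influxdb.Permission, 0, len(opPerms))` keeps the preallocation without the assumption and lets the trailing comment go. Because permListsMatch compares this list against every stored token to decide which ones receive the notebooks/annotations permissions, the exact shape returned here is what keeps the migration from widening tokens that are not all-access; that is worth saying in the doc comment above the hunk, which does not yet mention userId, e.g. `// Both ids are set on the returned permissions so that permListsMatch only recognizes tokens scoped to exactly this org and user.` oldOpPerms and permListsMatch are defined outside the hunk.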
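Review bot: The fixture on the `Permissions:` line and the expectation in the hunk at line 96 of the test file are both built from oldAllAccessPerms, so the test only checks that the migration is consistent with that helper; a wrong permission shape in oldAllAccessPerms passes unchanged, which is presumably how the previous version went unnoticed. Building the stored token's permission list as a literal, or from whatever helper the all-access token creation path uses, and asserting ElementsMatch against that plus extraAllAccessPerms would let the test catch a mismatch with tokens as they are actually issued. I cannot see from the hunk which helper issues all-access tokens elsewhere in the repository, so the right source for that list is for the author to pick.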
@@ -96,7 +96,7 @@ func TestMigration_AnnotationsNotebooksAllAccessToken(t *testing.T) {
 var token influxdb.Authorization
 require.NoError(t, json.Unmarshal(b, &token))
- require.ElementsMatch(t, append(oldAllAccessPerms(OrgID), extraAllAccessPerms(OrgID)...), token.Permissions)
+ require.ElementsMatch(t, append(oldAllAccessPerms(OrgID, UserID), extraAllAccessPerms(OrgID)...), token.Permissions)
 return nil
 })
 require.NoError(t, err)