Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #11135 from influxdata/feat/authorize-bucket 

authorize bucket service operations
pull/11169/head
Michael Desa 2019-01-16 16:25:03 -05:00 committed by GitHub
parent bc9a1afcba 59fde4a9de
commit a5154cf064
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 790 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
authorizer/bucket.go Normal file
View File

@ -0,0 +1,150 @@
package authorizer
import (
"context"
"github.com/influxdata/influxdb"
)
var _ influxdb.BucketService = (*BucketService)(nil)
// BucketService wraps a influxdb.BucketService and authorizes actions
// against it appropriately.
type BucketService struct {
s influxdb.BucketService
}
// NewBucketService constructs an instance of an authorizing bucket serivce.
func NewBucketService(s influxdb.BucketService) *BucketService {
return &BucketService{
s: s,
}
}
func newBucketPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
return influxdb.NewPermissionAtID(id, a, influxdb.BucketsResourceType, orgID)
}
func authorizeReadBucket(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newBucketPermission(influxdb.ReadAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
func authorizeWriteBucket(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newBucketPermission(influxdb.WriteAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
// FindBucketByID checks to see if the authorizer on context has read access to the id provided.
func (s *BucketService) FindBucketByID(ctx context.Context, id influxdb.ID) (*influxdb.Bucket, error) {
b, err := s.s.FindBucketByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeReadBucket(ctx, b.OrganizationID, id); err != nil {
return nil, err
}
return b, nil
}
// FindBucket retrieves the bucket and checks to see if the authorizer on context has read access to the bucket.
func (s *BucketService) FindBucket(ctx context.Context, filter influxdb.BucketFilter) (*influxdb.Bucket, error) {
b, err := s.s.FindBucket(ctx, filter)
if err != nil {
return nil, err
}
if err := authorizeReadBucket(ctx, b.OrganizationID, b.ID); err != nil {
return nil, err
}
return b, nil
}
// FindBuckets retrieves all buckets that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *BucketService) FindBuckets(ctx context.Context, filter influxdb.BucketFilter, opt ...influxdb.FindOptions) ([]*influxdb.Bucket, int, error) {
// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
// will likely be expensive.
bs, _, err := s.s.FindBuckets(ctx, filter, opt...)
if err != nil {
return nil, 0, err
}
// This filters without allocating
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
buckets := bs[:0]
for _, b := range bs {
err := authorizeReadBucket(ctx, b.OrganizationID, b.ID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, 0, err
}
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
buckets = append(buckets, b)
}
return buckets, len(buckets), nil
}
// CreateBucket checks to see if the authorizer on context has write access to the global buckets resource.
func (s *BucketService) CreateBucket(ctx context.Context, b *influxdb.Bucket) error {
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.BucketsResourceType, b.OrganizationID)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return s.s.CreateBucket(ctx, b)
}
// UpdateBucket checks to see if the authorizer on context has write access to the bucket provided.
func (s *BucketService) UpdateBucket(ctx context.Context, id influxdb.ID, upd influxdb.BucketUpdate) (*influxdb.Bucket, error) {
b, err := s.FindBucketByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeWriteBucket(ctx, b.OrganizationID, id); err != nil {
return nil, err
}
return s.s.UpdateBucket(ctx, id, upd)
}
// DeleteBucket checks to see if the authorizer on context has write access to the bucket provided.
func (s *BucketService) DeleteBucket(ctx context.Context, id influxdb.ID) error {
b, err := s.FindBucketByID(ctx, id)
if err != nil {
return err
}
if err := authorizeWriteBucket(ctx, b.OrganizationID, id); err != nil {
return err
}
return s.s.DeleteBucket(ctx, id)
}

628
authorizer/bucket_test.go Normal file
View File

@ -0,0 +1,628 @@
package authorizer_test
import (
"bytes"
"context"
"sort"
"testing"
"github.com/google/go-cmp/cmp"
"github.com/influxdata/influxdb"
"github.com/influxdata/influxdb/authorizer"
influxdbcontext "github.com/influxdata/influxdb/context"
"github.com/influxdata/influxdb/mock"
influxdbtesting "github.com/influxdata/influxdb/testing"
)
var bucketCmpOptions = cmp.Options{
cmp.Comparer(func(x, y []byte) bool {
return bytes.Equal(x, y)
}),
cmp.Transformer("Sort", func(in []*influxdb.Bucket) []*influxdb.Bucket {
out := append([]*influxdb.Bucket(nil), in...) // Copy input to avoid mutating it
sort.Slice(out, func(i, j int) bool {
return out[i].ID.String() > out[j].ID.String()
})
return out
}),
}
func TestBucketService_FindBucketByID(t *testing.T) {
type fields struct {
BucketService influxdb.BucketService
}
type args struct {
permission influxdb.Permission
id influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to access id",
fields: fields{
BucketService: &mock.BucketService{
FindBucketByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: id,
OrganizationID: 10,
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
id: 1,
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to access id",
fields: fields{
BucketService: &mock.BucketService{
FindBucketByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: id,
OrganizationID: 10,
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(2),
},
},
id: 1,
},
wants: wants{
err: &influxdb.Error{
Msg: "read:orgs/000000000000000a/buckets/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewBucketService(tt.fields.BucketService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
_, err := s.FindBucketByID(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestBucketService_FindBucket(t *testing.T) {
type fields struct {
BucketService influxdb.BucketService
}
type args struct {
permission influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to access bucket",
fields: fields{
BucketService: &mock.BucketService{
FindBucketFn: func(ctx context.Context, filter influxdb.BucketFilter) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: 1,
OrganizationID: 10,
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to access bucket",
fields: fields{
BucketService: &mock.BucketService{
FindBucketFn: func(ctx context.Context, filter influxdb.BucketFilter) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: 1,
OrganizationID: 10,
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(2),
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "read:orgs/000000000000000a/buckets/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewBucketService(tt.fields.BucketService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
_, err := s.FindBucket(ctx, influxdb.BucketFilter{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestBucketService_FindBuckets(t *testing.T) {
type fields struct {
BucketService influxdb.BucketService
}
type args struct {
permission influxdb.Permission
}
type wants struct {
err error
buckets []*influxdb.Bucket
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to see all buckets",
fields: fields{
BucketService: &mock.BucketService{
FindBucketsFn: func(ctx context.Context, filter influxdb.BucketFilter, opt ...influxdb.FindOptions) ([]*influxdb.Bucket, int, error) {
return []*influxdb.Bucket{
{
ID: 1,
OrganizationID: 10,
},
{
ID: 2,
OrganizationID: 10,
},
{
ID: 3,
OrganizationID: 11,
},
}, 3, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
},
},
},
wants: wants{
buckets: []*influxdb.Bucket{
{
ID: 1,
OrganizationID: 10,
},
{
ID: 2,
OrganizationID: 10,
},
{
ID: 3,
OrganizationID: 11,
},
},
},
},
{
name: "authorized to access a single orgs buckets",
fields: fields{
BucketService: &mock.BucketService{
FindBucketsFn: func(ctx context.Context, filter influxdb.BucketFilter, opt ...influxdb.FindOptions) ([]*influxdb.Bucket, int, error) {
return []*influxdb.Bucket{
{
ID: 1,
OrganizationID: 10,
},
{
ID: 2,
OrganizationID: 10,
},
{
ID: 3,
OrganizationID: 11,
},
}, 3, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
buckets: []*influxdb.Bucket{
{
ID: 1,
OrganizationID: 10,
},
{
ID: 2,
OrganizationID: 10,
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewBucketService(tt.fields.BucketService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
buckets, _, err := s.FindBuckets(ctx, influxdb.BucketFilter{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
if diff := cmp.Diff(buckets, tt.wants.buckets, bucketCmpOptions...); diff != "" {
t.Errorf("buckets are different -got/+want\ndiff %s", diff)
}
})
}
}
func TestBucketService_UpdateBucket(t *testing.T) {
type fields struct {
BucketService influxdb.BucketService
}
type args struct {
id influxdb.ID
permissions []influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to update bucket",
fields: fields{
BucketService: &mock.BucketService{
FindBucketByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: 1,
OrganizationID: 10,
}, nil
},
UpdateBucketFn: func(ctx context.Context, id influxdb.ID, upd influxdb.BucketUpdate) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: 1,
OrganizationID: 10,
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to update bucket",
fields: fields{
BucketService: &mock.BucketService{
FindBucketByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: 1,
OrganizationID: 10,
}, nil
},
UpdateBucketFn: func(ctx context.Context, id influxdb.ID, upd influxdb.BucketUpdate) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: 1,
OrganizationID: 10,
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/buckets/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewBucketService(tt.fields.BucketService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
_, err := s.UpdateBucket(ctx, tt.args.id, influxdb.BucketUpdate{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestBucketService_DeleteBucket(t *testing.T) {
type fields struct {
BucketService influxdb.BucketService
}
type args struct {
id influxdb.ID
permissions []influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to delete bucket",
fields: fields{
BucketService: &mock.BucketService{
FindBucketByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: 1,
OrganizationID: 10,
}, nil
},
DeleteBucketFn: func(ctx context.Context, id influxdb.ID) error {
return nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to delete bucket",
fields: fields{
BucketService: &mock.BucketService{
FindBucketByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Bucket, error) {
return &influxdb.Bucket{
ID: 1,
OrganizationID: 10,
}, nil
},
DeleteBucketFn: func(ctx context.Context, id influxdb.ID) error {
return nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/buckets/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewBucketService(tt.fields.BucketService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
err := s.DeleteBucket(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestBucketService_CreateBucket(t *testing.T) {
type fields struct {
BucketService influxdb.BucketService
}
type args struct {
permission influxdb.Permission
orgID influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to create bucket",
fields: fields{
BucketService: &mock.BucketService{
CreateBucketFn: func(ctx context.Context, o *influxdb.Bucket) error {
return nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to create bucket",
fields: fields{
BucketService: &mock.BucketService{
CreateBucketFn: func(ctx context.Context, o *influxdb.Bucket) error {
return nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.BucketsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/buckets is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewBucketService(tt.fields.BucketService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
err := s.CreateBucket(ctx, &influxdb.Bucket{OrganizationID: tt.args.orgID})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}

12
authorizer/org_test.go
View File

@ -105,7 +105,7 @@ func TestOrgService_FindOrganizationByID(t *testing.T) {
s := authorizer.NewOrgService(tt.fields.OrgService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permission})
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
_, err := s.FindOrganizationByID(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
@ -188,7 +188,7 @@ func TestOrgService_FindOrganization(t *testing.T) {
s := authorizer.NewOrgService(tt.fields.OrgService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permission})
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
_, err := s.FindOrganization(ctx, influxdb.OrganizationFilter{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
@ -298,7 +298,7 @@ func TestOrgService_FindOrganizations(t *testing.T) {
s := authorizer.NewOrgService(tt.fields.OrgService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permission})
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
orgs, _, err := s.FindOrganizations(ctx, influxdb.OrganizationFilter{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
@ -388,7 +388,7 @@ func TestOrgService_UpdateOrganization(t *testing.T) {
s := authorizer.NewOrgService(tt.fields.OrgService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permission})
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
_, err := s.UpdateOrganization(ctx, tt.args.id, influxdb.OrganizationUpdate{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
@ -470,7 +470,7 @@ func TestOrgService_DeleteOrganization(t *testing.T) {
s := authorizer.NewOrgService(tt.fields.OrgService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permission})
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
err := s.DeleteOrganization(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
@ -548,7 +548,7 @@ func TestOrgService_CreateOrganization(t *testing.T) {
s := authorizer.NewOrgService(tt.fields.OrgService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permission})
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
err := s.CreateOrganization(ctx, &influxdb.Organization{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)

4
authorizer/util_test.go
View File

@ -4,11 +4,11 @@ import "github.com/influxdata/influxdb"
// Authorizer is mock authorizer that can be used in testing.
type Authorizer struct {
Permission influxdb.Permission
Permissions []influxdb.Permission
}
func (a *Authorizer) Allowed(p influxdb.Permission) bool {
return influxdb.PermissionAllowed(p, []influxdb.Permission{a.Permission})
return influxdb.PermissionAllowed(p, a.Permissions)
}
func (a *Authorizer) Identifier() influxdb.ID {

5
http/api_handler.go
View File

@ -72,6 +72,9 @@ type APIBackend struct {
// NewAPIHandler constructs all api handlers beneath it and returns an APIHandler
func NewAPIHandler(b *APIBackend) *APIHandler {
h := &APIHandler{}
b.BucketService = authorizer.NewBucketService(b.BucketService)
b.OrganizationService = authorizer.NewOrgService(b.OrganizationService)
sessionBackend := NewSessionBackend(b)
h.SessionHandler = NewSessionHandler(sessionBackend)
@ -80,7 +83,7 @@ func NewAPIHandler(b *APIBackend) *APIHandler {
h.BucketHandler.BucketOperationLogService = b.BucketOperationLogService
h.OrgHandler = NewOrgHandler(b.UserResourceMappingService, b.LabelService, b.UserService)
h.OrgHandler.OrganizationService = authorizer.NewOrgService(b.OrganizationService)
h.OrgHandler.OrganizationService = b.OrganizationService
h.OrgHandler.BucketService = b.BucketService
h.OrgHandler.OrganizationOperationLogService = b.OrganizationOperationLogService
h.OrgHandler.SecretService = b.SecretService