Merge pull request #14834 from influxdata/fix/check-auth

fix: authorize check and notification rule services correctly
pull/14837/head
Michael Desa 2019-08-28 09:30:29 -04:00 committed by GitHub
commit ac4d7f9200
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 16 additions and 47 deletions


@ -53,21 +53,9 @@ func (s *CheckService) FindChecks(ctx context.Context, filter influxdb.CheckFilt
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating // https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
rules := chks[:0] rules := chks[:0]
for _, chk := range chks { for _, chk := range chks {
p, err := influxdb.NewPermission(influxdb.ReadAction, influxdb.OrgsResourceType, chk.GetOrgID()) if err := authorizeReadOrg(ctx, chk.GetOrgID()); err == nil {
if err != nil { rules = append(rules, chk)
return nil, 0, err
} }
err = IsAllowed(ctx, *p)
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, 0, err
}
rules = append(rules, chk)
} }
return rules, len(rules), nil return rules, len(rules), nil
@ -89,12 +77,7 @@ func (s *CheckService) FindCheck(ctx context.Context, filter influxdb.CheckFilte
// CreateCheck checks to see if the authorizer on context has write access to the global check resource. // CreateCheck checks to see if the authorizer on context has write access to the global check resource.
func (s *CheckService) CreateCheck(ctx context.Context, chk influxdb.Check, userID influxdb.ID) error { func (s *CheckService) CreateCheck(ctx context.Context, chk influxdb.Check, userID influxdb.ID) error {
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.OrgsResourceType, chk.GetOrgID()) if err := authorizeWriteOrg(ctx, chk.GetOrgID()); err != nil {
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err return err
} }
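Review bot: The rewritten loop in FindChecks (`if err := authorizeReadOrg(ctx, chk.GetOrgID()); err == nil { … }`) now drops a check on any error, whereas the removed code returned errors other than EUnauthorized to the caller; assuming authorizeReadOrg still surfaces NewPermission and IsAllowed failures, an internal authorizer error or a malformed org ID is now silently reported as "no checks" instead of failing the request. Filtering on every error is fail-closed per item, but it hides misconfiguration from callers and monitoring, so I would keep the old distinction between "not permitted" and "could not decide". The same collapse appears in FindNotificationRules in the notification rule store section. FindChecks begins outside this hunk; the loop and the final return are shown.
```go
for _, chk := range chks {
	err := authorizeReadOrg(ctx, chk.GetOrgID())
	if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
		continue
	}
	if err != nil {
		return nil, 0, err
	}
	rules = append(rules, chk)
}
// … unchanged: return rules, len(rules), nil …
```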


@ -230,8 +230,8 @@ func TestCheckService_FindChecks(t *testing.T) {
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.OrgsResourceType, Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10), ID: influxdbtesting.IDPtr(10),
}, },
}, },
}, },
@ -650,8 +650,8 @@ func TestCheckService_CreateCheck(t *testing.T) {
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "write", Action: "write",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.OrgsResourceType, Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10), ID: influxdbtesting.IDPtr(10),
}, },
}, },
}, },
@ -680,7 +680,7 @@ func TestCheckService_CreateCheck(t *testing.T) {
}, },
wants: wants{ wants: wants{
err: &influxdb.Error{ err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/orgs is unauthorized", Msg: "write:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized, Code: influxdb.EUnauthorized,
}, },
}, },


@ -52,17 +52,9 @@ func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filte
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating // https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
rules := nrs[:0] rules := nrs[:0]
for _, nr := range nrs { for _, nr := range nrs {
p, err := influxdb.NewPermission(influxdb.ReadAction, influxdb.OrgsResourceType, nr.GetOrgID()) if err := authorizeReadOrg(ctx, nr.GetOrgID()); err == nil {
if err != nil { rules = append(rules, nr)
return nil, 0, err
} }
err = IsAllowed(ctx, *p)
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
rules = append(rules, nr)
} }
return rules, len(rules), nil return rules, len(rules), nil
@ -70,15 +62,9 @@ func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filte
// CreateNotificationRule checks to see if the authorizer on context has write access to the global notification rule resource. // CreateNotificationRule checks to see if the authorizer on context has write access to the global notification rule resource.
func (s *NotificationRuleStore) CreateNotificationRule(ctx context.Context, nr influxdb.NotificationRule, userID influxdb.ID) error { func (s *NotificationRuleStore) CreateNotificationRule(ctx context.Context, nr influxdb.NotificationRule, userID influxdb.ID) error {
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.OrgsResourceType, nr.GetOrgID()) if err := authorizeWriteOrg(ctx, nr.GetOrgID()); err != nil {
if err != nil {
return err return err
} }
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return s.s.CreateNotificationRule(ctx, nr, userID) return s.s.CreateNotificationRule(ctx, nr, userID)
} }
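Review bot: The doc comment on CreateNotificationRule still says the method checks "write access to the global notification rule resource", but the new body calls `authorizeWriteOrg(ctx, nr.GetOrgID())`, an org-scoped write check, and the updated test expectation `write:orgs/000000000000000a is unauthorized` confirms that scope. A reader auditing the permission model would be misled by the comment; I would change it to `// CreateNotificationRule checks to see if the authorizer on context has write access to the rule's organization.` The same stale wording is on CreateCheck in the check service section.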


@ -230,8 +230,8 @@ func TestNotificationRuleStore_FindNotificationRules(t *testing.T) {
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "read", Action: "read",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.OrgsResourceType, Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10), ID: influxdbtesting.IDPtr(10),
}, },
}, },
}, },
@ -650,8 +650,8 @@ func TestNotificationRuleStore_CreateNotificationRule(t *testing.T) {
permission: influxdb.Permission{ permission: influxdb.Permission{
Action: "write", Action: "write",
Resource: influxdb.Resource{ Resource: influxdb.Resource{
Type: influxdb.OrgsResourceType, Type: influxdb.OrgsResourceType,
OrgID: influxdbtesting.IDPtr(10), ID: influxdbtesting.IDPtr(10),
}, },
}, },
}, },
@ -680,7 +680,7 @@ func TestNotificationRuleStore_CreateNotificationRule(t *testing.T) {
}, },
wants: wants{ wants: wants{
err: &influxdb.Error{ err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/orgs is unauthorized", Msg: "write:orgs/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized, Code: influxdb.EUnauthorized,
}, },
}, },