Merge pull request #14834 from influxdata/fix/check-auth

fix: authorize check and notification rule services correctly
2019-08-28 09:30:29 -04:00 · 2019-08-28 09:30:29 -04:00 · ac4d7f9200
parent 8766243470 d43e14eb7a
commit ac4d7f9200
4 changed files with 16 additions and 47 deletions
--- a/authorizer/check.go
+++ b/authorizer/check.go
@ -53,21 +53,9 @@ func (s *CheckService) FindChecks(ctx context.Context, filter influxdb.CheckFilt
 	// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
 	rules := chks[:0]
 	for _, chk := range chks {
-		p, err := influxdb.NewPermission(influxdb.ReadAction, influxdb.OrgsResourceType, chk.GetOrgID())
-		if err != nil {
-			return nil, 0, err
+		if err := authorizeReadOrg(ctx, chk.GetOrgID()); err == nil {
+			rules = append(rules, chk)
 		}
-
-		err = IsAllowed(ctx, *p)
-		if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
-			continue
-		}
-
-		if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
-			return nil, 0, err
-		}
-
-		rules = append(rules, chk)
 	}

 	return rules, len(rules), nil
@ -89,12 +77,7 @@ func (s *CheckService) FindCheck(ctx context.Context, filter influxdb.CheckFilte

 // CreateCheck checks to see if the authorizer on context has write access to the global check resource.
 func (s *CheckService) CreateCheck(ctx context.Context, chk influxdb.Check, userID influxdb.ID) error {
-	p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.OrgsResourceType, chk.GetOrgID())
-	if err != nil {
-		return err
-	}
-
-	if err := IsAllowed(ctx, *p); err != nil {
+	if err := authorizeWriteOrg(ctx, chk.GetOrgID()); err != nil {
 		return err
 	}

--- a/authorizer/check_test.go
+++ b/authorizer/check_test.go
@ -230,8 +230,8 @@ func TestCheckService_FindChecks(t *testing.T) {
 				permission: influxdb.Permission{
 					Action: "read",
 					Resource: influxdb.Resource{
-						Type:  influxdb.OrgsResourceType,
-						OrgID: influxdbtesting.IDPtr(10),
+						Type: influxdb.OrgsResourceType,
+						ID:   influxdbtesting.IDPtr(10),
 					},
 				},
 			},
@ -650,8 +650,8 @@ func TestCheckService_CreateCheck(t *testing.T) {
 				permission: influxdb.Permission{
 					Action: "write",
 					Resource: influxdb.Resource{
-						Type:  influxdb.OrgsResourceType,
-						OrgID: influxdbtesting.IDPtr(10),
+						Type: influxdb.OrgsResourceType,
+						ID:   influxdbtesting.IDPtr(10),
 					},
 				},
 			},
@ -680,7 +680,7 @@ func TestCheckService_CreateCheck(t *testing.T) {
 			},
 			wants: wants{
 				err: &influxdb.Error{
-					Msg:  "write:orgs/000000000000000a/orgs is unauthorized",
+					Msg:  "write:orgs/000000000000000a is unauthorized",
 					Code: influxdb.EUnauthorized,
 				},
 			},
--- a/authorizer/notification_rule.go
+++ b/authorizer/notification_rule.go
@ -52,17 +52,9 @@ func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filte
 	// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
 	rules := nrs[:0]
 	for _, nr := range nrs {
-		p, err := influxdb.NewPermission(influxdb.ReadAction, influxdb.OrgsResourceType, nr.GetOrgID())
-		if err != nil {
-			return nil, 0, err
+		if err := authorizeReadOrg(ctx, nr.GetOrgID()); err == nil {
+			rules = append(rules, nr)
 		}
-
-		err = IsAllowed(ctx, *p)
-		if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
-			continue
-		}
-
-		rules = append(rules, nr)
 	}

 	return rules, len(rules), nil
@ -70,15 +62,9 @@ func (s *NotificationRuleStore) FindNotificationRules(ctx context.Context, filte

 // CreateNotificationRule checks to see if the authorizer on context has write access to the global notification rule resource.
 func (s *NotificationRuleStore) CreateNotificationRule(ctx context.Context, nr influxdb.NotificationRule, userID influxdb.ID) error {
-	p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.OrgsResourceType, nr.GetOrgID())
-	if err != nil {
+	if err := authorizeWriteOrg(ctx, nr.GetOrgID()); err != nil {
 		return err
 	}
-
-	if err := IsAllowed(ctx, *p); err != nil {
-		return err
-	}
-
 	return s.s.CreateNotificationRule(ctx, nr, userID)
 }

--- a/authorizer/notification_rule_test.go
+++ b/authorizer/notification_rule_test.go
@ -230,8 +230,8 @@ func TestNotificationRuleStore_FindNotificationRules(t *testing.T) {
 				permission: influxdb.Permission{
 					Action: "read",
 					Resource: influxdb.Resource{
-						Type:  influxdb.OrgsResourceType,
-						OrgID: influxdbtesting.IDPtr(10),
+						Type: influxdb.OrgsResourceType,
+						ID:   influxdbtesting.IDPtr(10),
 					},
 				},
 			},
@ -650,8 +650,8 @@ func TestNotificationRuleStore_CreateNotificationRule(t *testing.T) {
 				permission: influxdb.Permission{
 					Action: "write",
 					Resource: influxdb.Resource{
-						Type:  influxdb.OrgsResourceType,
-						OrgID: influxdbtesting.IDPtr(10),
+						Type: influxdb.OrgsResourceType,
+						ID:   influxdbtesting.IDPtr(10),
 					},
 				},
 			},
@ -680,7 +680,7 @@ func TestNotificationRuleStore_CreateNotificationRule(t *testing.T) {
 			},
 			wants: wants{
 				err: &influxdb.Error{
-					Msg:  "write:orgs/000000000000000a/orgs is unauthorized",
+					Msg:  "write:orgs/000000000000000a is unauthorized",
 					Code: influxdb.EUnauthorized,
 				},
 			},