Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #11207 from influxdata/feat/authorize-dashboards 

add dashboard authorization
pull/11281/head
Michael Desa 2019-01-18 07:55:15 -05:00 committed by GitHub
parent 58a555a619 78249fdb89
commit c9f2a597a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 984 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
authorizer/bucket.go
View File

@ -123,7 +123,7 @@ func (s *BucketService) CreateBucket(ctx context.Context, b *influxdb.Bucket) er
// UpdateBucket checks to see if the authorizer on context has write access to the bucket provided. // UpdateBucket checks to see if the authorizer on context has write access to the bucket provided.
func (s *BucketService) UpdateBucket(ctx context.Context, id influxdb.ID, upd influxdb.BucketUpdate) (*influxdb.Bucket, error) { func (s *BucketService) UpdateBucket(ctx context.Context, id influxdb.ID, upd influxdb.BucketUpdate) (*influxdb.Bucket, error) {
b, err := s.FindBucketByID(ctx, id) b, err := s.s.FindBucketByID(ctx, id)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -137,7 +137,7 @@ func (s *BucketService) UpdateBucket(ctx context.Context, id influxdb.ID, upd in
// DeleteBucket checks to see if the authorizer on context has write access to the bucket provided. // DeleteBucket checks to see if the authorizer on context has write access to the bucket provided.
func (s *BucketService) DeleteBucket(ctx context.Context, id influxdb.ID) error { func (s *BucketService) DeleteBucket(ctx context.Context, id influxdb.ID) error {
b, err := s.FindBucketByID(ctx, id) b, err := s.s.FindBucketByID(ctx, id)
if err != nil { if err != nil {
return err return err
} }

214
authorizer/dashboard.go Normal file
View File

@ -0,0 +1,214 @@
package authorizer
import (
"context"
"github.com/influxdata/influxdb"
)
var _ influxdb.DashboardService = (*DashboardService)(nil)
// DashboardService wraps a influxdb.DashboardService and authorizes actions
// against it appropriately.
type DashboardService struct {
s influxdb.DashboardService
}
// NewDashboardService constructs an instance of an authorizing dashboard serivce.
func NewDashboardService(s influxdb.DashboardService) *DashboardService {
return &DashboardService{
s: s,
}
}
func newDashboardPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
return influxdb.NewPermissionAtID(id, a, influxdb.DashboardsResourceType, orgID)
}
func authorizeReadDashboard(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newDashboardPermission(influxdb.ReadAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
func authorizeWriteDashboard(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newDashboardPermission(influxdb.WriteAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
// FindDashboardByID checks to see if the authorizer on context has read access to the id provided.
func (s *DashboardService) FindDashboardByID(ctx context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
b, err := s.s.FindDashboardByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeReadDashboard(ctx, b.OrganizationID, id); err != nil {
return nil, err
}
return b, nil
}
// FindDashboards retrieves all dashboards that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *DashboardService) FindDashboards(ctx context.Context, filter influxdb.DashboardFilter, opt influxdb.FindOptions) ([]*influxdb.Dashboard, int, error) {
// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
// will likely be expensive.
bs, _, err := s.s.FindDashboards(ctx, filter, opt)
if err != nil {
return nil, 0, err
}
// This filters without allocating
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
dashboards := bs[:0]
for _, b := range bs {
err := authorizeReadDashboard(ctx, b.OrganizationID, b.ID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, 0, err
}
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
dashboards = append(dashboards, b)
}
return dashboards, len(dashboards), nil
}
// CreateDashboard checks to see if the authorizer on context has write access to the global dashboards resource.
func (s *DashboardService) CreateDashboard(ctx context.Context, b *influxdb.Dashboard) error {
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.DashboardsResourceType, b.OrganizationID)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return s.s.CreateDashboard(ctx, b)
}
// UpdateDashboard checks to see if the authorizer on context has write access to the dashboard provided.
func (s *DashboardService) UpdateDashboard(ctx context.Context, id influxdb.ID, upd influxdb.DashboardUpdate) (*influxdb.Dashboard, error) {
b, err := s.s.FindDashboardByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeWriteDashboard(ctx, b.OrganizationID, id); err != nil {
return nil, err
}
return s.s.UpdateDashboard(ctx, id, upd)
}
// DeleteDashboard checks to see if the authorizer on context has write access to the dashboard provided.
func (s *DashboardService) DeleteDashboard(ctx context.Context, id influxdb.ID) error {
b, err := s.s.FindDashboardByID(ctx, id)
if err != nil {
return err
}
if err := authorizeWriteDashboard(ctx, b.OrganizationID, id); err != nil {
return err
}
return s.s.DeleteDashboard(ctx, id)
}
func (s *DashboardService) AddDashboardCell(ctx context.Context, id influxdb.ID, c *influxdb.Cell, opts influxdb.AddDashboardCellOptions) error {
b, err := s.s.FindDashboardByID(ctx, id)
if err != nil {
return err
}
if err := authorizeWriteDashboard(ctx, b.OrganizationID, id); err != nil {
return err
}
return s.s.AddDashboardCell(ctx, id, c, opts)
}
func (s *DashboardService) RemoveDashboardCell(ctx context.Context, dashboardID influxdb.ID, cellID influxdb.ID) error {
b, err := s.s.FindDashboardByID(ctx, dashboardID)
if err != nil {
return err
}
if err := authorizeWriteDashboard(ctx, b.OrganizationID, dashboardID); err != nil {
return err
}
return s.s.RemoveDashboardCell(ctx, dashboardID, cellID)
}
func (s *DashboardService) UpdateDashboardCell(ctx context.Context, dashboardID influxdb.ID, cellID influxdb.ID, upd influxdb.CellUpdate) (*influxdb.Cell, error) {
b, err := s.s.FindDashboardByID(ctx, dashboardID)
if err != nil {
return nil, err
}
if err := authorizeWriteDashboard(ctx, b.OrganizationID, dashboardID); err != nil {
return nil, err
}
return s.s.UpdateDashboardCell(ctx, dashboardID, cellID, upd)
}
func (s *DashboardService) GetDashboardCellView(ctx context.Context, dashboardID influxdb.ID, cellID influxdb.ID) (*influxdb.View, error) {
b, err := s.s.FindDashboardByID(ctx, dashboardID)
if err != nil {
return nil, err
}
if err := authorizeReadDashboard(ctx, b.OrganizationID, dashboardID); err != nil {
return nil, err
}
return s.s.GetDashboardCellView(ctx, dashboardID, cellID)
}
func (s *DashboardService) UpdateDashboardCellView(ctx context.Context, dashboardID influxdb.ID, cellID influxdb.ID, upd influxdb.ViewUpdate) (*influxdb.View, error) {
b, err := s.s.FindDashboardByID(ctx, dashboardID)
if err != nil {
return nil, err
}
if err := authorizeWriteDashboard(ctx, b.OrganizationID, dashboardID); err != nil {
return nil, err
}
return s.s.UpdateDashboardCellView(ctx, dashboardID, cellID, upd)
}
func (s *DashboardService) ReplaceDashboardCells(ctx context.Context, id influxdb.ID, c []*influxdb.Cell) error {
b, err := s.s.FindDashboardByID(ctx, id)
if err != nil {
return err
}
if err := authorizeWriteDashboard(ctx, b.OrganizationID, id); err != nil {
return err
}
return s.s.ReplaceDashboardCells(ctx, id, c)
}

767
authorizer/dashboard_test.go Normal file
View File

@ -0,0 +1,767 @@
package authorizer_test
import (
"bytes"
"context"
"sort"
"testing"
"github.com/google/go-cmp/cmp"
"github.com/influxdata/influxdb"
"github.com/influxdata/influxdb/authorizer"
influxdbcontext "github.com/influxdata/influxdb/context"
"github.com/influxdata/influxdb/mock"
influxdbtesting "github.com/influxdata/influxdb/testing"
)
var dashboardCmpOptions = cmp.Options{
cmp.Comparer(func(x, y []byte) bool {
return bytes.Equal(x, y)
}),
cmp.Transformer("Sort", func(in []*influxdb.Dashboard) []*influxdb.Dashboard {
out := append([]*influxdb.Dashboard(nil), in...) // Copy input to avoid mutating it
sort.Slice(out, func(i, j int) bool {
return out[i].ID.String() > out[j].ID.String()
})
return out
}),
}
func TestDashboardService_FindDashboardByID(t *testing.T) {
type fields struct {
DashboardService influxdb.DashboardService
}
type args struct {
permission influxdb.Permission
id influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to access id",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: id,
OrganizationID: 10,
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
id: 1,
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to access id",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: id,
OrganizationID: 10,
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(2),
},
},
id: 1,
},
wants: wants{
err: &influxdb.Error{
Msg: "read:orgs/000000000000000a/dashboards/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewDashboardService(tt.fields.DashboardService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
_, err := s.FindDashboardByID(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestDashboardService_FindDashboards(t *testing.T) {
type fields struct {
DashboardService influxdb.DashboardService
}
type args struct {
permission influxdb.Permission
}
type wants struct {
err error
dashboards []*influxdb.Dashboard
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to see all dashboards",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardsF: func(ctx context.Context, filter influxdb.DashboardFilter, opt influxdb.FindOptions) ([]*influxdb.Dashboard, int, error) {
return []*influxdb.Dashboard{
{
ID: 1,
OrganizationID: 10,
},
{
ID: 2,
OrganizationID: 10,
},
{
ID: 3,
OrganizationID: 11,
},
}, 3, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
},
},
},
wants: wants{
dashboards: []*influxdb.Dashboard{
{
ID: 1,
OrganizationID: 10,
},
{
ID: 2,
OrganizationID: 10,
},
{
ID: 3,
OrganizationID: 11,
},
},
},
},
{
name: "authorized to access a single orgs dashboards",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardsF: func(ctx context.Context, filter influxdb.DashboardFilter, opt influxdb.FindOptions) ([]*influxdb.Dashboard, int, error) {
return []*influxdb.Dashboard{
{
ID: 1,
OrganizationID: 10,
},
{
ID: 2,
OrganizationID: 10,
},
{
ID: 3,
OrganizationID: 11,
},
}, 3, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
dashboards: []*influxdb.Dashboard{
{
ID: 1,
OrganizationID: 10,
},
{
ID: 2,
OrganizationID: 10,
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewDashboardService(tt.fields.DashboardService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
dashboards, _, err := s.FindDashboards(ctx, influxdb.DashboardFilter{}, influxdb.FindOptions{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
if diff := cmp.Diff(dashboards, tt.wants.dashboards, dashboardCmpOptions...); diff != "" {
t.Errorf("dashboards are different -got/+want\ndiff %s", diff)
}
})
}
}
func TestDashboardService_UpdateDashboard(t *testing.T) {
type fields struct {
DashboardService influxdb.DashboardService
}
type args struct {
id influxdb.ID
permissions []influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to update dashboard",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: 1,
OrganizationID: 10,
}, nil
},
UpdateDashboardF: func(ctx context.Context, id influxdb.ID, upd influxdb.DashboardUpdate) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: 1,
OrganizationID: 10,
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to update dashboard",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: 1,
OrganizationID: 10,
}, nil
},
UpdateDashboardF: func(ctx context.Context, id influxdb.ID, upd influxdb.DashboardUpdate) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: 1,
OrganizationID: 10,
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/dashboards/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewDashboardService(tt.fields.DashboardService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
_, err := s.UpdateDashboard(ctx, tt.args.id, influxdb.DashboardUpdate{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestDashboardService_DeleteDashboard(t *testing.T) {
type fields struct {
DashboardService influxdb.DashboardService
}
type args struct {
id influxdb.ID
permissions []influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to delete dashboard",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: 1,
OrganizationID: 10,
}, nil
},
DeleteDashboardF: func(ctx context.Context, id influxdb.ID) error {
return nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to delete dashboard",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: 1,
OrganizationID: 10,
}, nil
},
DeleteDashboardF: func(ctx context.Context, id influxdb.ID) error {
return nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/dashboards/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewDashboardService(tt.fields.DashboardService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
err := s.DeleteDashboard(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestDashboardService_CreateDashboard(t *testing.T) {
type fields struct {
DashboardService influxdb.DashboardService
}
type args struct {
permission influxdb.Permission
orgID influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to create dashboard",
fields: fields{
DashboardService: &mock.DashboardService{
CreateDashboardF: func(ctx context.Context, o *influxdb.Dashboard) error {
return nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to create dashboard",
fields: fields{
DashboardService: &mock.DashboardService{
CreateDashboardF: func(ctx context.Context, o *influxdb.Dashboard) error {
return nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/dashboards is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewDashboardService(tt.fields.DashboardService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
err := s.CreateDashboard(ctx, &influxdb.Dashboard{OrganizationID: tt.args.orgID})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestDashboardService_WriteDashboardCell(t *testing.T) {
type fields struct {
DashboardService influxdb.DashboardService
}
type args struct {
permission influxdb.Permission
orgID influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to write dashboard cells/cell/view",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: id,
OrganizationID: 10,
}, nil
},
AddDashboardCellF: func(ctx context.Context, id influxdb.ID, c *influxdb.Cell, opts influxdb.AddDashboardCellOptions) error {
return nil
},
RemoveDashboardCellF: func(ctx context.Context, id influxdb.ID, cid influxdb.ID) error {
return nil
},
ReplaceDashboardCellsF: func(ctx context.Context, id influxdb.ID, cs []*influxdb.Cell) error {
return nil
},
UpdateDashboardCellF: func(ctx context.Context, id influxdb.ID, cid influxdb.ID, upd influxdb.CellUpdate) (*influxdb.Cell, error) {
return &influxdb.Cell{}, nil
},
UpdateDashboardCellViewF: func(ctx context.Context, id influxdb.ID, cid influxdb.ID, upd influxdb.ViewUpdate) (*influxdb.View, error) {
return &influxdb.View{}, nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to write dashboard cells/cell/view",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: id,
OrganizationID: 10,
}, nil
},
AddDashboardCellF: func(ctx context.Context, id influxdb.ID, c *influxdb.Cell, opts influxdb.AddDashboardCellOptions) error {
return nil
},
ReplaceDashboardCellsF: func(ctx context.Context, id influxdb.ID, cs []*influxdb.Cell) error {
return nil
},
UpdateDashboardCellF: func(ctx context.Context, id influxdb.ID, cid influxdb.ID, upd influxdb.CellUpdate) (*influxdb.Cell, error) {
return &influxdb.Cell{}, nil
},
RemoveDashboardCellF: func(ctx context.Context, id influxdb.ID, cid influxdb.ID) error {
return nil
},
UpdateDashboardCellViewF: func(ctx context.Context, id influxdb.ID, cid influxdb.ID, upd influxdb.ViewUpdate) (*influxdb.View, error) {
return &influxdb.View{}, nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(100),
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/dashboards/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewDashboardService(tt.fields.DashboardService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
err := s.AddDashboardCell(ctx, 1, &influxdb.Cell{}, influxdb.AddDashboardCellOptions{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
err = s.RemoveDashboardCell(ctx, 1, 2)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
_, err = s.UpdateDashboardCellView(ctx, 1, 2, influxdb.ViewUpdate{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
_, err = s.UpdateDashboardCell(ctx, 1, 2, influxdb.CellUpdate{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
err = s.ReplaceDashboardCells(ctx, 1, []*influxdb.Cell{})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestDashboardService_FindDashboardCellView(t *testing.T) {
type fields struct {
DashboardService influxdb.DashboardService
}
type args struct {
permission influxdb.Permission
orgID influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to read dashboard cells/cell/view",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: id,
OrganizationID: 10,
}, nil
},
GetDashboardCellViewF: func(ctx context.Context, id influxdb.ID, cid influxdb.ID) (*influxdb.View, error) {
return &influxdb.View{}, nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to read dashboard cells/cell/view",
fields: fields{
DashboardService: &mock.DashboardService{
FindDashboardByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.Dashboard, error) {
return &influxdb.Dashboard{
ID: id,
OrganizationID: 10,
}, nil
},
GetDashboardCellViewF: func(ctx context.Context, id influxdb.ID, cid influxdb.ID) (*influxdb.View, error) {
return &influxdb.View{}, nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.DashboardsResourceType,
ID: influxdbtesting.IDPtr(100),
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "read:orgs/000000000000000a/dashboards/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewDashboardService(tt.fields.DashboardService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
_, err := s.GetDashboardCellView(ctx, 1, 1)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}

2
http/api_handler.go
View File

@ -92,7 +92,7 @@ func NewAPIHandler(b *APIBackend) *APIHandler {
h.UserHandler.UserOperationLogService = b.UserOperationLogService h.UserHandler.UserOperationLogService = b.UserOperationLogService
h.DashboardHandler = NewDashboardHandler(b.UserResourceMappingService, b.LabelService, b.UserService) h.DashboardHandler = NewDashboardHandler(b.UserResourceMappingService, b.LabelService, b.UserService)
h.DashboardHandler.DashboardService = b.DashboardService h.DashboardHandler.DashboardService = authorizer.NewDashboardService(b.DashboardService)
h.DashboardHandler.DashboardOperationLogService = b.DashboardOperationLogService h.DashboardHandler.DashboardOperationLogService = b.DashboardOperationLogService
h.MacroHandler = NewMacroHandler() h.MacroHandler = NewMacroHandler()