Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #11015 from influxdata/feat/task-validation 

feat(task): Add validations for all task actions
pull/11043/head
Lyon Hill 2019-01-14 08:16:27 -07:00 committed by GitHub
parent 32c63cd038 bc9755ae75
commit dfbbfc53cd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 661 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

180
task/validator.go
View File

@ -35,6 +35,40 @@ func NewValidator(ts platform.TaskService, bs platform.BucketService) platform.T
preAuth: query.NewPreAuthorizer(bs),
}
}
func (ts *taskServiceValidator) FindTaskByID(ctx context.Context, id platform.ID) (*platform.Task, error) {
task, err := ts.TaskService.FindTaskByID(ctx, id)
if err != nil {
return nil, err
}
perm, err := platform.NewPermission(platform.ReadAction, platform.TasksResource, task.Organization)
if err != nil {
return nil, err
}
if err := validatePermission(ctx, *perm); err != nil {
return nil, err
}
return task, nil
}
func (ts *taskServiceValidator) FindTasks(ctx context.Context, filter platform.TaskFilter) ([]*platform.Task, int, error) {
if filter.Organization != nil {
perm, err := platform.NewPermission(platform.ReadAction, platform.TasksResource, *filter.Organization)
if err != nil {
return nil, -1, err
}
if err := validatePermission(ctx, *perm); err != nil {
return nil, -1, err
}
}
// TODO(lyon): If the user no longer has permission to the organization we might fail or filter here?
return ts.TaskService.FindTasks(ctx, filter)
}
func (ts *taskServiceValidator) CreateTask(ctx context.Context, t *platform.Task) error {
p, err := platform.NewPermission(platform.WriteAction, platform.TasksResource, t.Organization)
@ -53,7 +87,151 @@ func (ts *taskServiceValidator) CreateTask(ctx context.Context, t *platform.Task
return ts.TaskService.CreateTask(ctx, t)
}
// TODO(lh): add permission checking for the all the platform.TaskService functions.
func (ts *taskServiceValidator) UpdateTask(ctx context.Context, id platform.ID, upd platform.TaskUpdate) (*platform.Task, error) {
task, err := ts.TaskService.FindTaskByID(ctx, id)
if err != nil {
return nil, err
}
p, err := platform.NewPermission(platform.WriteAction, platform.TasksResource, task.Organization)
if err != nil {
return nil, err
}
if err := validatePermission(ctx, *p); err != nil {
return nil, err
}
if err := validateBucket(ctx, task.Flux, ts.preAuth); err != nil {
return nil, err
}
return ts.TaskService.UpdateTask(ctx, id, upd)
}
func (ts *taskServiceValidator) DeleteTask(ctx context.Context, id platform.ID) error {
task, err := ts.TaskService.FindTaskByID(ctx, id)
if err != nil {
return err
}
p, err := platform.NewPermission(platform.WriteAction, platform.TasksResource, task.Organization)
if err != nil {
return err
}
if err := validatePermission(ctx, *p); err != nil {
return err
}
return ts.TaskService.DeleteTask(ctx, id)
}
func (ts *taskServiceValidator) FindLogs(ctx context.Context, filter platform.LogFilter) ([]*platform.Log, int, error) {
if filter.Org != nil {
perm, err := platform.NewPermission(platform.ReadAction, platform.TasksResource, *filter.Org)
if err != nil {
return nil, -1, err
}
if err := validatePermission(ctx, *perm); err != nil {
return nil, -1, err
}
}
// TODO(lyon): If the user no longer has permission to the organization we might fail or filter here?
return ts.TaskService.FindLogs(ctx, filter)
}
func (ts *taskServiceValidator) FindRuns(ctx context.Context, filter platform.RunFilter) ([]*platform.Run, int, error) {
if filter.Org != nil {
perm, err := platform.NewPermission(platform.ReadAction, platform.TasksResource, *filter.Org)
if err != nil {
return nil, -1, err
}
if err := validatePermission(ctx, *perm); err != nil {
return nil, -1, err
}
}
// TODO(lyon): If the user no longer has permission to the organization we might fail or filter here?
return ts.TaskService.FindRuns(ctx, filter)
}
func (ts *taskServiceValidator) FindRunByID(ctx context.Context, taskID, runID platform.ID) (*platform.Run, error) {
task, err := ts.TaskService.FindTaskByID(ctx, taskID)
if err != nil {
return nil, err
}
p, err := platform.NewPermission(platform.ReadAction, platform.TasksResource, task.Organization)
if err != nil {
return nil, err
}
if err := validatePermission(ctx, *p); err != nil {
return nil, err
}
return ts.TaskService.FindRunByID(ctx, taskID, runID)
}
func (ts *taskServiceValidator) CancelRun(ctx context.Context, taskID, runID platform.ID) error {
task, err := ts.TaskService.FindTaskByID(ctx, taskID)
if err != nil {
return err
}
p, err := platform.NewPermission(platform.WriteAction, platform.TasksResource, task.Organization)
if err != nil {
return err
}
if err := validatePermission(ctx, *p); err != nil {
return err
}
return ts.TaskService.CancelRun(ctx, taskID, runID)
}
func (ts *taskServiceValidator) RetryRun(ctx context.Context, taskID, runID platform.ID) (*platform.Run, error) {
task, err := ts.TaskService.FindTaskByID(ctx, taskID)
if err != nil {
return nil, err
}
p, err := platform.NewPermission(platform.WriteAction, platform.TasksResource, task.Organization)
if err != nil {
return nil, err
}
if err := validatePermission(ctx, *p); err != nil {
return nil, err
}
return ts.TaskService.RetryRun(ctx, taskID, runID)
}
func (ts *taskServiceValidator) ForceRun(ctx context.Context, taskID platform.ID, scheduledFor int64) (*platform.Run, error) {
task, err := ts.TaskService.FindTaskByID(ctx, taskID)
if err != nil {
return nil, err
}
p, err := platform.NewPermission(platform.WriteAction, platform.TasksResource, task.Organization)
if err != nil {
return nil, err
}
if err := validatePermission(ctx, *p); err != nil {
return nil, err
}
return ts.TaskService.ForceRun(ctx, taskID, scheduledFor)
}
func validatePermission(ctx context.Context, perm platform.Permission) error {
auth, err := platcontext.GetAuthorizer(ctx)

482
task/validator_test.go Normal file
View File

@ -0,0 +1,482 @@
package task_test
import (
"context"
"errors"
"testing"
"github.com/influxdata/influxdb"
pctx "github.com/influxdata/influxdb/context"
"github.com/influxdata/influxdb/http"
"github.com/influxdata/influxdb/inmem"
"github.com/influxdata/influxdb/mock"
"github.com/influxdata/influxdb/task"
)
func TestOnboardingValidation(t *testing.T) {
svc := inmem.NewService()
validator := task.NewValidator(mockTaskService(), svc)
r, err := svc.Generate(context.Background(), &influxdb.OnboardingRequest{
User: "dude",
Password: "secret",
Org: "thing",
Bucket: "holder",
RetentionPeriod: 1,
})
if err != nil {
t.Fatal(err)
}
ctx := pctx.SetAuthorizer(context.Background(), r.Auth)
err = validator.CreateTask(ctx, &influxdb.Task{
Organization: r.Org.ID,
Flux: `option task = {
name: "my_task",
every: 1s,
}
from(bucket:"holder") |> range(start:-5m) |> to(bucket:"holder", org:"thing")`,
})
if err != nil {
t.Fatal(err)
}
}
func mockTaskService() influxdb.TaskService {
task := influxdb.Task{
ID: influxdb.ID(2),
Organization: influxdb.ID(1),
Name: "cows",
Owner: influxdb.User{ID: influxdb.ID(3), Name: "farmer"},
Flux: `option task = {
name: "my_task",
every: 1s,
}
from(bucket:"holder") |> range(start:-5m) |> to(bucket:"holder", org:"thing")`,
Every: "1s",
}
log := influxdb.Log("howdy partner")
run := influxdb.Run{
ID: influxdb.ID(10),
TaskID: influxdb.ID(2),
Status: "completed",
ScheduledFor: "a while ago",
StartedAt: "not so long ago",
FinishedAt: "more recently",
Log: log,
}
return &mock.TaskService{
FindTaskByIDFn: func(context.Context, influxdb.ID) (*influxdb.Task, error) {
return &task, nil
},
FindTasksFn: func(context.Context, influxdb.TaskFilter) ([]*influxdb.Task, int, error) {
return []*influxdb.Task{&task}, 1, nil
},
CreateTaskFn: func(_ context.Context, t *influxdb.Task) error {
t.ID = 1
return nil
},
UpdateTaskFn: func(context.Context, influxdb.ID, influxdb.TaskUpdate) (*influxdb.Task, error) {
return &task, nil
},
DeleteTaskFn: func(context.Context, influxdb.ID) error {
return nil
},
FindLogsFn: func(context.Context, influxdb.LogFilter) ([]*influxdb.Log, int, error) {
return []*influxdb.Log{&log}, 1, nil
},
FindRunsFn: func(context.Context, influxdb.RunFilter) ([]*influxdb.Run, int, error) {
return []*influxdb.Run{&run}, 1, nil
},
FindRunByIDFn: func(context.Context, influxdb.ID, influxdb.ID) (*influxdb.Run, error) {
return &run, nil
},
CancelRunFn: func(context.Context, influxdb.ID, influxdb.ID) error {
return nil
},
RetryRunFn: func(context.Context, influxdb.ID, influxdb.ID) (*influxdb.Run, error) {
return &run, nil
},
ForceRunFn: func(context.Context, influxdb.ID, int64) (*influxdb.Run, error) {
return &run, nil
},
}
}
func TestValidations(t *testing.T) {
inmem := inmem.NewService()
validTaskService := task.NewValidator(mockTaskService(), inmem)
r, err := inmem.Generate(context.Background(), &influxdb.OnboardingRequest{
User: "dude",
Password: "secret",
Org: "thing",
Bucket: "holder",
RetentionPeriod: 1,
})
orgID := influxdb.ID(1)
taskID := influxdb.ID(2)
if err != nil {
t.Fatal(err)
}
tests := []struct {
name string
check func(context.Context, influxdb.TaskService) error
auth *influxdb.Authorization
}{
{
name: "create failure",
check: func(ctx context.Context, svc influxdb.TaskService) error {
err := svc.CreateTask(ctx, &influxdb.Task{
Organization: r.Org.ID,
Name: "cows",
Owner: influxdb.User{ID: influxdb.ID(2), Name: "farmer"},
Flux: `option task = {
name: "my_task",
every: 1s,
}
from(bucket:"holder") |> range(start:-5m) |> to(bucket:"holder", org:"thing")`,
Every: "1s",
})
if err == nil {
return errors.New("failed to error without permission")
}
return nil
},
auth: &influxdb.Authorization{},
},
{
name: "create success",
auth: r.Auth,
check: func(ctx context.Context, svc influxdb.TaskService) error {
err := svc.CreateTask(ctx, &influxdb.Task{
Organization: r.Org.ID,
Name: "cows",
Owner: *r.User,
Flux: `option task = {
name: "my_task",
every: 1s,
}
from(bucket:"holder") |> range(start:-5m) |> to(bucket:"holder", org:"thing")`,
Every: "1s",
})
return err
},
},
{
name: "create badbucket",
auth: r.Auth,
check: func(ctx context.Context, svc influxdb.TaskService) error {
err := svc.CreateTask(ctx, &influxdb.Task{
Organization: r.Org.ID,
Name: "cows",
Owner: *r.User,
Flux: `option task = {
name: "my_task",
every: 1s,
}
from(bucket:"bad") |> range(start:-5m) |> to(bucket:"bad", org:"thing")`,
Every: "1s",
})
if err == nil {
return errors.New("created task without bucket permission")
}
return nil
},
},
{
name: "FindTaskByID missing auth",
auth: &influxdb.Authorization{Permissions: []influxdb.Permission{}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, err := svc.FindTaskByID(ctx, taskID)
if err == nil {
return errors.New("returned without error without permission")
}
return nil
},
},
{
name: "FindTaskByID with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, err := svc.FindTaskByID(ctx, taskID)
return err
},
},
{
name: "FindTasks with bad auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.OrgsResource, OrgID: taskID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, _, err := svc.FindTasks(ctx, influxdb.TaskFilter{
Organization: &orgID,
})
if err == nil {
return errors.New("returned no error with a invalid auth")
}
return nil
},
},
{
name: "FindTasks with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, _, err := svc.FindTasks(ctx, influxdb.TaskFilter{
Organization: &orgID,
})
return err
},
},
{
name: "FindTasks without org",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, _, err := svc.FindTasks(ctx, influxdb.TaskFilter{})
return err
},
},
{
name: "UpdateTask with bad auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
flux := `option task = {
name: "my_task",
every: 1s,
}
from(bucket:"holder") |> range(start:-5m) |> to(bucket:"holder", org:"thing")`
_, err := svc.UpdateTask(ctx, 2, influxdb.TaskUpdate{
Flux: &flux,
})
if err == nil {
return errors.New("returned no error with a invalid auth")
}
return nil
},
},
{
name: "UpdateTask with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{
influxdb.Permission{Action: influxdb.WriteAction, Resource: influxdb.TasksResource, OrgID: orgID},
influxdb.Permission{Action: influxdb.WriteAction, Resource: influxdb.BucketsResource, OrgID: r.Org.ID, ID: &r.Bucket.ID},
influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.BucketsResource, OrgID: r.Org.ID, ID: &r.Bucket.ID},
}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
flux := `option task = {
name: "my_task",
every: 1s,
}
from(bucket:"holder") |> range(start:-5m) |> to(bucket:"holder", org:"thing")`
_, err := svc.UpdateTask(ctx, 2, influxdb.TaskUpdate{
Flux: &flux,
})
return err
},
},
{
name: "UpdateTask with bad bucket",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.WriteAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
flux := `option task = {
name: "my_task",
every: 1s,
}
from(bucket:"cows") |> range(start:-5m) |> to(bucket:"cows", org:"thing")`
_, err := svc.UpdateTask(ctx, 2, influxdb.TaskUpdate{
Flux: &flux,
})
if err == nil {
return errors.New("returned no error with unauthorized bucket")
}
return nil
},
},
{
name: "DeleteTask missing auth",
auth: &influxdb.Authorization{Permissions: []influxdb.Permission{}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
err := svc.DeleteTask(ctx, taskID)
if err == nil {
return errors.New("returned without error without permission")
}
return nil
},
},
{
name: "DeleteTask readonly auth",
auth: &influxdb.Authorization{Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
err := svc.DeleteTask(ctx, taskID)
if err == nil {
return errors.New("returned without error without permission")
}
return nil
},
},
{
name: "DeleteTask with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.WriteAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
err := svc.DeleteTask(ctx, taskID)
return err
},
},
{
name: "FindLogs with bad auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.OrgsResource, OrgID: taskID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, _, err := svc.FindLogs(ctx, influxdb.LogFilter{
Org: &orgID,
})
if err == nil {
return errors.New("returned no error with a invalid auth")
}
return nil
},
},
{
name: "FindLogs with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, _, err := svc.FindLogs(ctx, influxdb.LogFilter{
Org: &orgID,
})
return err
},
},
{
name: "FindLogs without org",
auth: &influxdb.Authorization{Status: "active"},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, _, err := svc.FindLogs(ctx, influxdb.LogFilter{})
return err
},
},
{
name: "FindRuns with bad auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.OrgsResource, OrgID: taskID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, _, err := svc.FindRuns(ctx, influxdb.RunFilter{
Org: &orgID,
})
if err == nil {
return errors.New("returned no error with a invalid auth")
}
return nil
},
},
{
name: "FindRuns with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, _, err := svc.FindRuns(ctx, influxdb.RunFilter{
Org: &orgID,
})
return err
},
},
{
name: "FindRuns without org",
auth: &influxdb.Authorization{Status: "active"},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, _, err := svc.FindRuns(ctx, influxdb.RunFilter{})
return err
},
},
{
name: "FindRunByID missing auth",
auth: &influxdb.Authorization{Permissions: []influxdb.Permission{}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, err := svc.FindRunByID(ctx, taskID, 10)
if err == nil {
return errors.New("returned without error without permission")
}
return nil
},
},
{
name: "FindRunByID with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, err := svc.FindRunByID(ctx, taskID, 10)
return err
},
},
{
name: "CancelRun with bad auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.OrgsResource, OrgID: taskID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
err := svc.CancelRun(ctx, 2, 10)
if err == nil {
return errors.New("returned no error with a invalid auth")
}
return nil
},
},
{
name: "CancelRun with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.WriteAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
err := svc.CancelRun(ctx, 2, 10)
return err
},
},
{
name: "RetryRun with bad auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.OrgsResource, OrgID: taskID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, err := svc.RetryRun(ctx, 2, 10)
if err == nil {
return errors.New("returned no error with a invalid auth")
}
return nil
},
},
{
name: "RetryRun with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.WriteAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, err := svc.RetryRun(ctx, 2, 10)
return err
},
},
{
name: "ForceRun with bad auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.ReadAction, Resource: influxdb.OrgsResource, OrgID: taskID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, err := svc.ForceRun(ctx, 2, 10000)
if err == nil {
return errors.New("returned no error with a invalid auth")
}
return nil
},
},
{
name: "ForceRun with auth",
auth: &influxdb.Authorization{Status: "active", Permissions: []influxdb.Permission{influxdb.Permission{Action: influxdb.WriteAction, Resource: influxdb.TasksResource, OrgID: orgID}}},
check: func(ctx context.Context, svc influxdb.TaskService) error {
_, err := svc.ForceRun(ctx, 2, 10000)
return err
},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
ctx := pctx.SetAuthorizer(context.Background(), test.auth)
if err := test.check(ctx, validTaskService); err != nil {
if aerr, ok := err.(http.AuthzError); ok {
t.Error(aerr.AuthzError())
}
t.Error(err)
}
})
}
}