feat(authorizer): add scraper authorizer

2019-01-17 13:57:01 -05:00 · 2019-01-17 13:57:01 -05:00 · f0838e4c71
parent 3bebc1bdc7
commit f0838e4c71
3 changed files with 679 additions and 1 deletions
--- a/authorizer/scraper.go
+++ b/authorizer/scraper.go
@ -0,0 +1,136 @@
+package authorizer
+
+import (
+	"context"
+
+	"github.com/influxdata/influxdb"
+)
+
+var _ influxdb.ScraperTargetStoreService = (*ScraperTargetStoreService)(nil)
+
+// ScraperTargetStoreService wraps a influxdb.ScraperTargetStoreService and authorizes actions
+// against it appropriately.
+type ScraperTargetStoreService struct {
+	s influxdb.ScraperTargetStoreService
+}
+
+// NewScraperTargetStoreService constructs an instance of an authorizing scraper target store serivce.
+func NewScraperTargetStoreService(s influxdb.ScraperTargetStoreService) *ScraperTargetStoreService {
+	return &ScraperTargetStoreService{
+		s: s,
+	}
+}
+
+func newScraperPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
+	return influxdb.NewPermissionAtID(id, a, influxdb.ScraperResourceType, orgID)
+}
+
+func authorizeReadScraper(ctx context.Context, orgID, id influxdb.ID) error {
+	p, err := newScraperPermission(influxdb.ReadAction, orgID, id)
+	if err != nil {
+		return err
+	}
+
+	if err := IsAllowed(ctx, *p); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func authorizeWriteScraper(ctx context.Context, orgID, id influxdb.ID) error {
+	p, err := newScraperPermission(influxdb.WriteAction, orgID, id)
+	if err != nil {
+		return err
+	}
+
+	if err := IsAllowed(ctx, *p); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// GetTargetByID checks to see if the authorizer on context has read access to the id provided.
+func (s *ScraperTargetStoreService) GetTargetByID(ctx context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
+	st, err := s.s.GetTargetByID(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := authorizeReadScraper(ctx, st.OrgID, id); err != nil {
+		return nil, err
+	}
+
+	return st, nil
+}
+
+// ListTargets retrieves all scraper targets that match the provided filter and then filters the list down to only the resources that are authorized.
+func (s *ScraperTargetStoreService) ListTargets(ctx context.Context) ([]influxdb.ScraperTarget, error) {
+	// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
+	// will likely be expensive.
+	ss, err := s.s.ListTargets(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	// This filters without allocating
+	// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
+	scrapers := ss[:0]
+	for _, st := range ss {
+		err := authorizeReadScraper(ctx, st.OrgID, st.ID)
+		if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
+			return nil, err
+		}
+
+		if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
+			continue
+		}
+
+		scrapers = append(scrapers, st)
+	}
+
+	return scrapers, nil
+}
+
+// AddTarget checks to see if the authorizer on context has write access to the global scraper target resource.
+func (s *ScraperTargetStoreService) AddTarget(ctx context.Context, st *influxdb.ScraperTarget) error {
+	p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.ScraperResourceType, st.OrgID)
+	if err != nil {
+		return err
+	}
+
+	if err := IsAllowed(ctx, *p); err != nil {
+		return err
+	}
+
+	return s.s.AddTarget(ctx, st)
+}
+
+// UpdateTarget checks to see if the authorizer on context has write access to the scraper target provided.
+func (s *ScraperTargetStoreService) UpdateTarget(ctx context.Context, upd *influxdb.ScraperTarget) (*influxdb.ScraperTarget, error) {
+	st, err := s.GetTargetByID(ctx, upd.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := authorizeWriteScraper(ctx, st.OrgID, upd.ID); err != nil {
+		return nil, err
+	}
+
+	return s.s.UpdateTarget(ctx, upd)
+}
+
+// RemoveTarget checks to see if the authorizer on context has write access to the scraper target provided.
+func (s *ScraperTargetStoreService) RemoveTarget(ctx context.Context, id influxdb.ID) error {
+	st, err := s.GetTargetByID(ctx, id)
+	if err != nil {
+		return err
+	}
+
+	if err := authorizeWriteScraper(ctx, st.OrgID, id); err != nil {
+		return err
+	}
+
+	return s.s.RemoveTarget(ctx, id)
+}
--- a/authorizer/scraper_test.go
+++ b/authorizer/scraper_test.go
@ -0,0 +1,542 @@
+package authorizer_test
+
+import (
+	"bytes"
+	"context"
+	"sort"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/influxdata/influxdb"
+	"github.com/influxdata/influxdb/authorizer"
+	influxdbcontext "github.com/influxdata/influxdb/context"
+	"github.com/influxdata/influxdb/mock"
+	influxdbtesting "github.com/influxdata/influxdb/testing"
+)
+
+var scraperCmpOptions = cmp.Options{
+	cmp.Comparer(func(x, y []byte) bool {
+		return bytes.Equal(x, y)
+	}),
+	cmp.Transformer("Sort", func(in []influxdb.ScraperTarget) []influxdb.ScraperTarget {
+		out := append([]influxdb.ScraperTarget(nil), in...) // Copy input to avoid mutating it
+		sort.Slice(out, func(i, j int) bool {
+			return out[i].ID.String() > out[j].ID.String()
+		})
+		return out
+	}),
+}
+
+func TestScraperTargetStoreService_GetTargetByID(t *testing.T) {
+	type fields struct {
+		ScraperTargetStoreService influxdb.ScraperTargetStoreService
+	}
+	type args struct {
+		permission influxdb.Permission
+		id         influxdb.ID
+	}
+	type wants struct {
+		err error
+	}
+
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		wants  wants
+	}{
+		{
+			name: "authorized to access id",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					GetTargetByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
+						return &influxdb.ScraperTarget{
+							ID:    id,
+							OrgID: 10,
+						}, nil
+					},
+				},
+			},
+			args: args{
+				permission: influxdb.Permission{
+					Action: "read",
+					Resource: influxdb.Resource{
+						Type: influxdb.ScraperResourceType,
+						ID:   influxdbtesting.IDPtr(1),
+					},
+				},
+				id: 1,
+			},
+			wants: wants{
+				err: nil,
+			},
+		},
+		{
+			name: "unauthorized to access id",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					GetTargetByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
+						return &influxdb.ScraperTarget{
+							ID:    id,
+							OrgID: 10,
+						}, nil
+					},
+				},
+			},
+			args: args{
+				permission: influxdb.Permission{
+					Action: "read",
+					Resource: influxdb.Resource{
+						Type: influxdb.ScraperResourceType,
+						ID:   influxdbtesting.IDPtr(2),
+					},
+				},
+				id: 1,
+			},
+			wants: wants{
+				err: &influxdb.Error{
+					Msg:  "read:orgs/000000000000000a/scrapers/0000000000000001 is unauthorized",
+					Code: influxdb.EUnauthorized,
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
+
+			ctx := context.Background()
+			ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
+
+			_, err := s.GetTargetByID(ctx, tt.args.id)
+			influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
+		})
+	}
+}
+
+func TestScraperTargetStoreService_ListTargets(t *testing.T) {
+	type fields struct {
+		ScraperTargetStoreService influxdb.ScraperTargetStoreService
+	}
+	type args struct {
+		permission influxdb.Permission
+	}
+	type wants struct {
+		err      error
+		scrapers []influxdb.ScraperTarget
+	}
+
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		wants  wants
+	}{
+		{
+			name: "authorized to see all scrapers",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					ListTargetsF: func(ctx context.Context) ([]influxdb.ScraperTarget, error) {
+						return []influxdb.ScraperTarget{
+							{
+								ID:    1,
+								OrgID: 10,
+							},
+							{
+								ID:    2,
+								OrgID: 10,
+							},
+							{
+								ID:    3,
+								OrgID: 11,
+							},
+						}, nil
+					},
+				},
+			},
+			args: args{
+				permission: influxdb.Permission{
+					Action: "read",
+					Resource: influxdb.Resource{
+						Type: influxdb.ScraperResourceType,
+					},
+				},
+			},
+			wants: wants{
+				scrapers: []influxdb.ScraperTarget{
+					{
+						ID:    1,
+						OrgID: 10,
+					},
+					{
+						ID:    2,
+						OrgID: 10,
+					},
+					{
+						ID:    3,
+						OrgID: 11,
+					},
+				},
+			},
+		},
+		{
+			name: "authorized to access a single orgs scrapers",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					ListTargetsF: func(ctx context.Context) ([]influxdb.ScraperTarget, error) {
+						return []influxdb.ScraperTarget{
+							{
+								ID:    1,
+								OrgID: 10,
+							},
+							{
+								ID:    2,
+								OrgID: 10,
+							},
+							{
+								ID:    3,
+								OrgID: 11,
+							},
+						}, nil
+					},
+				},
+			},
+			args: args{
+				permission: influxdb.Permission{
+					Action: "read",
+					Resource: influxdb.Resource{
+						Type:  influxdb.ScraperResourceType,
+						OrgID: influxdbtesting.IDPtr(10),
+					},
+				},
+			},
+			wants: wants{
+				scrapers: []influxdb.ScraperTarget{
+					{
+						ID:    1,
+						OrgID: 10,
+					},
+					{
+						ID:    2,
+						OrgID: 10,
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
+
+			ctx := context.Background()
+			ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
+
+			ts, err := s.ListTargets(ctx)
+			influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
+
+			if diff := cmp.Diff(ts, tt.wants.scrapers, scraperCmpOptions...); diff != "" {
+				t.Errorf("scrapers are different -got/+want\ndiff %s", diff)
+			}
+		})
+	}
+}
+
+func TestScraperTargetStoreService_UpdateTarget(t *testing.T) {
+	type fields struct {
+		ScraperTargetStoreService influxdb.ScraperTargetStoreService
+	}
+	type args struct {
+		id          influxdb.ID
+		permissions []influxdb.Permission
+	}
+	type wants struct {
+		err error
+	}
+
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		wants  wants
+	}{
+		{
+			name: "authorized to update scraper",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					GetTargetByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
+						return &influxdb.ScraperTarget{
+							ID:    1,
+							OrgID: 10,
+						}, nil
+					},
+					UpdateTargetF: func(ctx context.Context, upd *influxdb.ScraperTarget) (*influxdb.ScraperTarget, error) {
+						return &influxdb.ScraperTarget{
+							ID:    1,
+							OrgID: 10,
+						}, nil
+					},
+				},
+			},
+			args: args{
+				id: 1,
+				permissions: []influxdb.Permission{
+					{
+						Action: "write",
+						Resource: influxdb.Resource{
+							Type: influxdb.ScraperResourceType,
+							ID:   influxdbtesting.IDPtr(1),
+						},
+					},
+					{
+						Action: "read",
+						Resource: influxdb.Resource{
+							Type: influxdb.ScraperResourceType,
+							ID:   influxdbtesting.IDPtr(1),
+						},
+					},
+				},
+			},
+			wants: wants{
+				err: nil,
+			},
+		},
+		{
+			name: "unauthorized to update scraper",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					GetTargetByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
+						return &influxdb.ScraperTarget{
+							ID:    1,
+							OrgID: 10,
+						}, nil
+					},
+					UpdateTargetF: func(ctx context.Context, upd *influxdb.ScraperTarget) (*influxdb.ScraperTarget, error) {
+						return &influxdb.ScraperTarget{
+							ID:    1,
+							OrgID: 10,
+						}, nil
+					},
+				},
+			},
+			args: args{
+				id: 1,
+				permissions: []influxdb.Permission{
+					{
+						Action: "read",
+						Resource: influxdb.Resource{
+							Type: influxdb.ScraperResourceType,
+							ID:   influxdbtesting.IDPtr(1),
+						},
+					},
+				},
+			},
+			wants: wants{
+				err: &influxdb.Error{
+					Msg:  "write:orgs/000000000000000a/scrapers/0000000000000001 is unauthorized",
+					Code: influxdb.EUnauthorized,
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
+
+			ctx := context.Background()
+			ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
+
+			_, err := s.UpdateTarget(ctx, &influxdb.ScraperTarget{ID: tt.args.id})
+			influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
+		})
+	}
+}
+
+func TestScraperTargetStoreService_RemoveTarget(t *testing.T) {
+	type fields struct {
+		ScraperTargetStoreService influxdb.ScraperTargetStoreService
+	}
+	type args struct {
+		id          influxdb.ID
+		permissions []influxdb.Permission
+	}
+	type wants struct {
+		err error
+	}
+
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		wants  wants
+	}{
+		{
+			name: "authorized to delete scraper",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					GetTargetByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
+						return &influxdb.ScraperTarget{
+							ID:    1,
+							OrgID: 10,
+						}, nil
+					},
+					RemoveTargetF: func(ctx context.Context, id influxdb.ID) error {
+						return nil
+					},
+				},
+			},
+			args: args{
+				id: 1,
+				permissions: []influxdb.Permission{
+					{
+						Action: "write",
+						Resource: influxdb.Resource{
+							Type: influxdb.ScraperResourceType,
+							ID:   influxdbtesting.IDPtr(1),
+						},
+					},
+					{
+						Action: "read",
+						Resource: influxdb.Resource{
+							Type: influxdb.ScraperResourceType,
+							ID:   influxdbtesting.IDPtr(1),
+						},
+					},
+				},
+			},
+			wants: wants{
+				err: nil,
+			},
+		},
+		{
+			name: "unauthorized to delete scraper",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					GetTargetByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
+						return &influxdb.ScraperTarget{
+							ID:    1,
+							OrgID: 10,
+						}, nil
+					},
+					RemoveTargetF: func(ctx context.Context, id influxdb.ID) error {
+						return nil
+					},
+				},
+			},
+			args: args{
+				id: 1,
+				permissions: []influxdb.Permission{
+					{
+						Action: "read",
+						Resource: influxdb.Resource{
+							Type: influxdb.ScraperResourceType,
+							ID:   influxdbtesting.IDPtr(1),
+						},
+					},
+				},
+			},
+			wants: wants{
+				err: &influxdb.Error{
+					Msg:  "write:orgs/000000000000000a/scrapers/0000000000000001 is unauthorized",
+					Code: influxdb.EUnauthorized,
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
+
+			ctx := context.Background()
+			ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
+
+			err := s.RemoveTarget(ctx, tt.args.id)
+			influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
+		})
+	}
+}
+
+func TestScraperTargetStoreService_AddTarget(t *testing.T) {
+	type fields struct {
+		ScraperTargetStoreService influxdb.ScraperTargetStoreService
+	}
+	type args struct {
+		permission influxdb.Permission
+		orgID      influxdb.ID
+	}
+	type wants struct {
+		err error
+	}
+
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		wants  wants
+	}{
+		{
+			name: "authorized to create scraper",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					AddTargetF: func(ctx context.Context, st *influxdb.ScraperTarget) error {
+						return nil
+					},
+				},
+			},
+			args: args{
+				orgID: 10,
+				permission: influxdb.Permission{
+					Action: "write",
+					Resource: influxdb.Resource{
+						Type:  influxdb.ScraperResourceType,
+						OrgID: influxdbtesting.IDPtr(10),
+					},
+				},
+			},
+			wants: wants{
+				err: nil,
+			},
+		},
+		{
+			name: "unauthorized to create scraper",
+			fields: fields{
+				ScraperTargetStoreService: &mock.ScraperTargetStoreService{
+					AddTargetF: func(ctx context.Context, st *influxdb.ScraperTarget) error {
+						return nil
+					},
+				},
+			},
+			args: args{
+				orgID: 10,
+				permission: influxdb.Permission{
+					Action: "write",
+					Resource: influxdb.Resource{
+						Type: influxdb.ScraperResourceType,
+						ID:   influxdbtesting.IDPtr(1),
+					},
+				},
+			},
+			wants: wants{
+				err: &influxdb.Error{
+					Msg:  "write:orgs/000000000000000a/scrapers is unauthorized",
+					Code: influxdb.EUnauthorized,
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
+
+			ctx := context.Background()
+			ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
+
+			err := s.AddTarget(ctx, &influxdb.ScraperTarget{OrgID: tt.args.orgID})
+			influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
+		})
+	}
+}
--- a/http/api_handler.go
+++ b/http/api_handler.go
@ -105,7 +105,7 @@ func NewAPIHandler(b *APIBackend) *APIHandler {
 	h.AuthorizationHandler.Logger = b.Logger.With(zap.String("handler", "auth"))

 	h.ScraperHandler = NewScraperHandler()
-	h.ScraperHandler.ScraperStorageService = b.ScraperTargetStoreService
+	h.ScraperHandler.ScraperStorageService = authorizer.NewScraperTargetStoreService(b.ScraperTargetStoreService)
 	h.ScraperHandler.BucketService = b.BucketService
 	h.ScraperHandler.OrganizationService = b.OrganizationService
 	h.ScraperHandler.Logger = b.Logger.With(zap.String("handler", "scraper"))