Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

feat(authorizer): add scraper authorizer

pull/11236/head
Kelvin Wang 2019-01-17 13:57:01 -05:00
parent 3bebc1bdc7
commit f0838e4c71
3 changed files with 679 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

136
authorizer/scraper.go Normal file
View File

@ -0,0 +1,136 @@
package authorizer
import (
"context"
"github.com/influxdata/influxdb"
)
var _ influxdb.ScraperTargetStoreService = (*ScraperTargetStoreService)(nil)
// ScraperTargetStoreService wraps a influxdb.ScraperTargetStoreService and authorizes actions
// against it appropriately.
type ScraperTargetStoreService struct {
s influxdb.ScraperTargetStoreService
}
// NewScraperTargetStoreService constructs an instance of an authorizing scraper target store serivce.
func NewScraperTargetStoreService(s influxdb.ScraperTargetStoreService) *ScraperTargetStoreService {
return &ScraperTargetStoreService{
s: s,
}
}
func newScraperPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
return influxdb.NewPermissionAtID(id, a, influxdb.ScraperResourceType, orgID)
}
func authorizeReadScraper(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newScraperPermission(influxdb.ReadAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
func authorizeWriteScraper(ctx context.Context, orgID, id influxdb.ID) error {
p, err := newScraperPermission(influxdb.WriteAction, orgID, id)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
// GetTargetByID checks to see if the authorizer on context has read access to the id provided.
func (s *ScraperTargetStoreService) GetTargetByID(ctx context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
st, err := s.s.GetTargetByID(ctx, id)
if err != nil {
return nil, err
}
if err := authorizeReadScraper(ctx, st.OrgID, id); err != nil {
return nil, err
}
return st, nil
}
// ListTargets retrieves all scraper targets that match the provided filter and then filters the list down to only the resources that are authorized.
func (s *ScraperTargetStoreService) ListTargets(ctx context.Context) ([]influxdb.ScraperTarget, error) {
// TODO: we'll likely want to push this operation into the database eventually since fetching the whole list of data
// will likely be expensive.
ss, err := s.s.ListTargets(ctx)
if err != nil {
return nil, err
}
// This filters without allocating
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
scrapers := ss[:0]
for _, st := range ss {
err := authorizeReadScraper(ctx, st.OrgID, st.ID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, err
}
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
continue
}
scrapers = append(scrapers, st)
}
return scrapers, nil
}
// AddTarget checks to see if the authorizer on context has write access to the global scraper target resource.
func (s *ScraperTargetStoreService) AddTarget(ctx context.Context, st *influxdb.ScraperTarget) error {
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.ScraperResourceType, st.OrgID)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return s.s.AddTarget(ctx, st)
}
// UpdateTarget checks to see if the authorizer on context has write access to the scraper target provided.
func (s *ScraperTargetStoreService) UpdateTarget(ctx context.Context, upd *influxdb.ScraperTarget) (*influxdb.ScraperTarget, error) {
st, err := s.GetTargetByID(ctx, upd.ID)
if err != nil {
return nil, err
}
if err := authorizeWriteScraper(ctx, st.OrgID, upd.ID); err != nil {
return nil, err
}
return s.s.UpdateTarget(ctx, upd)
}
// RemoveTarget checks to see if the authorizer on context has write access to the scraper target provided.
func (s *ScraperTargetStoreService) RemoveTarget(ctx context.Context, id influxdb.ID) error {
st, err := s.GetTargetByID(ctx, id)
if err != nil {
return err
}
if err := authorizeWriteScraper(ctx, st.OrgID, id); err != nil {
return err
}
return s.s.RemoveTarget(ctx, id)
}

542
authorizer/scraper_test.go Normal file
View File

@ -0,0 +1,542 @@
package authorizer_test
import (
"bytes"
"context"
"sort"
"testing"
"github.com/google/go-cmp/cmp"
"github.com/influxdata/influxdb"
"github.com/influxdata/influxdb/authorizer"
influxdbcontext "github.com/influxdata/influxdb/context"
"github.com/influxdata/influxdb/mock"
influxdbtesting "github.com/influxdata/influxdb/testing"
)
var scraperCmpOptions = cmp.Options{
cmp.Comparer(func(x, y []byte) bool {
return bytes.Equal(x, y)
}),
cmp.Transformer("Sort", func(in []influxdb.ScraperTarget) []influxdb.ScraperTarget {
out := append([]influxdb.ScraperTarget(nil), in...) // Copy input to avoid mutating it
sort.Slice(out, func(i, j int) bool {
return out[i].ID.String() > out[j].ID.String()
})
return out
}),
}
func TestScraperTargetStoreService_GetTargetByID(t *testing.T) {
type fields struct {
ScraperTargetStoreService influxdb.ScraperTargetStoreService
}
type args struct {
permission influxdb.Permission
id influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to access id",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
GetTargetByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
return &influxdb.ScraperTarget{
ID: id,
OrgID: 10,
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
id: 1,
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to access id",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
GetTargetByIDF: func(ctx context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
return &influxdb.ScraperTarget{
ID: id,
OrgID: 10,
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
ID: influxdbtesting.IDPtr(2),
},
},
id: 1,
},
wants: wants{
err: &influxdb.Error{
Msg: "read:orgs/000000000000000a/scrapers/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
_, err := s.GetTargetByID(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestScraperTargetStoreService_ListTargets(t *testing.T) {
type fields struct {
ScraperTargetStoreService influxdb.ScraperTargetStoreService
}
type args struct {
permission influxdb.Permission
}
type wants struct {
err error
scrapers []influxdb.ScraperTarget
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to see all scrapers",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
ListTargetsF: func(ctx context.Context) ([]influxdb.ScraperTarget, error) {
return []influxdb.ScraperTarget{
{
ID: 1,
OrgID: 10,
},
{
ID: 2,
OrgID: 10,
},
{
ID: 3,
OrgID: 11,
},
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
},
},
},
wants: wants{
scrapers: []influxdb.ScraperTarget{
{
ID: 1,
OrgID: 10,
},
{
ID: 2,
OrgID: 10,
},
{
ID: 3,
OrgID: 11,
},
},
},
},
{
name: "authorized to access a single orgs scrapers",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
ListTargetsF: func(ctx context.Context) ([]influxdb.ScraperTarget, error) {
return []influxdb.ScraperTarget{
{
ID: 1,
OrgID: 10,
},
{
ID: 2,
OrgID: 10,
},
{
ID: 3,
OrgID: 11,
},
}, nil
},
},
},
args: args{
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
scrapers: []influxdb.ScraperTarget{
{
ID: 1,
OrgID: 10,
},
{
ID: 2,
OrgID: 10,
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
ts, err := s.ListTargets(ctx)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
if diff := cmp.Diff(ts, tt.wants.scrapers, scraperCmpOptions...); diff != "" {
t.Errorf("scrapers are different -got/+want\ndiff %s", diff)
}
})
}
}
func TestScraperTargetStoreService_UpdateTarget(t *testing.T) {
type fields struct {
ScraperTargetStoreService influxdb.ScraperTargetStoreService
}
type args struct {
id influxdb.ID
permissions []influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to update scraper",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
GetTargetByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
return &influxdb.ScraperTarget{
ID: 1,
OrgID: 10,
}, nil
},
UpdateTargetF: func(ctx context.Context, upd *influxdb.ScraperTarget) (*influxdb.ScraperTarget, error) {
return &influxdb.ScraperTarget{
ID: 1,
OrgID: 10,
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to update scraper",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
GetTargetByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
return &influxdb.ScraperTarget{
ID: 1,
OrgID: 10,
}, nil
},
UpdateTargetF: func(ctx context.Context, upd *influxdb.ScraperTarget) (*influxdb.ScraperTarget, error) {
return &influxdb.ScraperTarget{
ID: 1,
OrgID: 10,
}, nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/scrapers/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
_, err := s.UpdateTarget(ctx, &influxdb.ScraperTarget{ID: tt.args.id})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestScraperTargetStoreService_RemoveTarget(t *testing.T) {
type fields struct {
ScraperTargetStoreService influxdb.ScraperTargetStoreService
}
type args struct {
id influxdb.ID
permissions []influxdb.Permission
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to delete scraper",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
GetTargetByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
return &influxdb.ScraperTarget{
ID: 1,
OrgID: 10,
}, nil
},
RemoveTargetF: func(ctx context.Context, id influxdb.ID) error {
return nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to delete scraper",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
GetTargetByIDF: func(ctc context.Context, id influxdb.ID) (*influxdb.ScraperTarget, error) {
return &influxdb.ScraperTarget{
ID: 1,
OrgID: 10,
}, nil
},
RemoveTargetF: func(ctx context.Context, id influxdb.ID) error {
return nil
},
},
},
args: args{
id: 1,
permissions: []influxdb.Permission{
{
Action: "read",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/scrapers/0000000000000001 is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
err := s.RemoveTarget(ctx, tt.args.id)
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}
func TestScraperTargetStoreService_AddTarget(t *testing.T) {
type fields struct {
ScraperTargetStoreService influxdb.ScraperTargetStoreService
}
type args struct {
permission influxdb.Permission
orgID influxdb.ID
}
type wants struct {
err error
}
tests := []struct {
name string
fields fields
args args
wants wants
}{
{
name: "authorized to create scraper",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
AddTargetF: func(ctx context.Context, st *influxdb.ScraperTarget) error {
return nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
OrgID: influxdbtesting.IDPtr(10),
},
},
},
wants: wants{
err: nil,
},
},
{
name: "unauthorized to create scraper",
fields: fields{
ScraperTargetStoreService: &mock.ScraperTargetStoreService{
AddTargetF: func(ctx context.Context, st *influxdb.ScraperTarget) error {
return nil
},
},
},
args: args{
orgID: 10,
permission: influxdb.Permission{
Action: "write",
Resource: influxdb.Resource{
Type: influxdb.ScraperResourceType,
ID: influxdbtesting.IDPtr(1),
},
},
},
wants: wants{
err: &influxdb.Error{
Msg: "write:orgs/000000000000000a/scrapers is unauthorized",
Code: influxdb.EUnauthorized,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewScraperTargetStoreService(tt.fields.ScraperTargetStoreService)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
err := s.AddTarget(ctx, &influxdb.ScraperTarget{OrgID: tt.args.orgID})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
}

2
http/api_handler.go
View File

@ -105,7 +105,7 @@ func NewAPIHandler(b *APIBackend) *APIHandler {
h.AuthorizationHandler.Logger = b.Logger.With(zap.String("handler", "auth")) h.AuthorizationHandler.Logger = b.Logger.With(zap.String("handler", "auth"))
h.ScraperHandler = NewScraperHandler() h.ScraperHandler = NewScraperHandler()
h.ScraperHandler.ScraperStorageService = b.ScraperTargetStoreService h.ScraperHandler.ScraperStorageService = authorizer.NewScraperTargetStoreService(b.ScraperTargetStoreService)
h.ScraperHandler.BucketService = b.BucketService h.ScraperHandler.BucketService = b.BucketService
h.ScraperHandler.OrganizationService = b.OrganizationService h.ScraperHandler.OrganizationService = b.OrganizationService
h.ScraperHandler.Logger = b.Logger.With(zap.String("handler", "scraper")) h.ScraperHandler.Logger = b.Logger.With(zap.String("handler", "scraper"))