fix: allow authorized label service to be called indirectly (#17111)

* fix: allow authorized label service to be called indirectly

Issue #17071 exists because pkger loads every service as its authorized wrapper at startup, so resources end up authorized even when they are referenced indirectly (not hit directly via the API by the consumer). Rather than restructuring pkger to authorize only directly-invoked services, this change makes indirect authorization of labels (the cause of #17071) work properly by resolving the org of the mapped resource.

* Add orgService to tests

* Add resource types to find orgID from
Greg 2020-03-11 10:58:39 -06:00 committed by GitHub
parent e25b8e5931
commit f98874566c
7 changed files with 132 additions and 135 deletions


@ -2,6 +2,7 @@ package authorizer
import (
"context"
"errors"
"github.com/influxdata/influxdb"
)
@ -11,13 +12,16 @@ var _ influxdb.LabelService = (*LabelService)(nil)
// LabelService wraps a influxdb.LabelService and authorizes actions
// against it appropriately.
type LabelService struct {
s influxdb.LabelService
s influxdb.LabelService
orgSvc OrganizationService
}
// NewLabelService constructs an instance of an authorizing label serivce.
func NewLabelService(s influxdb.LabelService) *LabelService {
// NewLabelServiceWithOrg constructs an instance of an authorizing label serivce.
// Replaces NewLabelService.
func NewLabelServiceWithOrg(s influxdb.LabelService, orgSvc OrganizationService) *LabelService {
return &LabelService{
s: s,
s: s,
orgSvc: orgSvc,
}
}
@ -25,7 +29,7 @@ func newLabelPermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Per
return influxdb.NewPermissionAtID(id, a, influxdb.LabelsResourceType, orgID)
}
func newResourcePermission(a influxdb.Action, id influxdb.ID, resourceType influxdb.ResourceType) (*influxdb.Permission, error) {
func newResourcePermission(a influxdb.Action, orgID, id influxdb.ID, resourceType influxdb.ResourceType) (*influxdb.Permission, error) {
if err := resourceType.Valid(); err != nil {
return nil, err
}
@ -33,38 +37,17 @@ func newResourcePermission(a influxdb.Action, id influxdb.ID, resourceType influ
p := &influxdb.Permission{
Action: a,
Resource: influxdb.Resource{
Type: resourceType,
ID: &id,
Type: resourceType,
ID: &id,
OrgID: &orgID,
},
}
return p, p.Valid()
}
func authorizeLabelMappingAction(ctx context.Context, action influxdb.Action, id influxdb.ID, resourceType influxdb.ResourceType) error {
p, err := newResourcePermission(action, id, resourceType)
if err != nil {
return err
}
if err := IsAllowed(ctx, *p); err != nil {
return err
}
return nil
}
// NOTE(affo): documents only create a URM of type `OrgMappingType`.
// So, the permissions are not user-scoped, but org-scoped.
// When a user authenticates he/she is allowed to read/write documents for an org, instead,
// in other services, a user is allowed to read/write specific resources (e.g. dashboard with ID xxx).
// This makes documents a special case for the label service.
// Changing labels for a document must be checked against a permission for the org the user is in,
// not for the specific document.
// However we don't know the orgs for the user, so, the best we can do, is to check that the user has
// permissions for the label's org rather than the document's.
func authorizeDocumentLabelMappingAction(ctx context.Context, action influxdb.Action, orgID influxdb.ID) error {
p, err := newDocumentOrgPermission(action, orgID)
func authorizeLabelMappingAction(ctx context.Context, action influxdb.Action, orgID, id influxdb.ID, resourceType influxdb.ResourceType) error {
p, err := newResourcePermission(action, orgID, id, resourceType)
if err != nil {
return err
}
@ -150,14 +133,16 @@ func (s *LabelService) FindLabels(ctx context.Context, filter influxdb.LabelFilt
// FindResourceLabels retrieves all labels belonging to the filtering resource if the authorizer on context has read access to it.
// Then it filters the list down to only the labels that are authorized.
func (s *LabelService) FindResourceLabels(ctx context.Context, filter influxdb.LabelMappingFilter) ([]*influxdb.Label, error) {
// NOTE(affo): see `authorizeDocumentLabelMappingAction` note.
// The best we can do here is to skip this first check because we don't have
// any document-specific permission available.
// Then, we canm check that the user is authorized to access documents under the label's orgID.
if filter.ResourceType != influxdb.DocumentsResourceType {
if err := authorizeLabelMappingAction(ctx, influxdb.ReadAction, filter.ResourceID, filter.ResourceType); err != nil {
return nil, err
}
if s.orgSvc == nil {
return nil, errors.New("failed to find orgSvc")
}
orgID, err := s.orgSvc.FindResourceOrganizationID(ctx, filter.ResourceType, filter.ResourceID)
if err != nil {
return nil, err
}
if err := authorizeLabelMappingAction(ctx, influxdb.ReadAction, orgID, filter.ResourceID, filter.ResourceType); err != nil {
return nil, err
}
ls, err := s.s.FindResourceLabels(ctx, filter)
@ -167,12 +152,7 @@ func (s *LabelService) FindResourceLabels(ctx context.Context, filter influxdb.L
labels := ls[:0]
for _, l := range ls {
var err error
err = authorizeDocumentLabelMappingAction(ctx, influxdb.ReadAction, l.OrgID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, err
}
err = authorizeReadLabel(ctx, l.OrgID, l.ID)
err := authorizeReadLabel(ctx, l.OrgID, l.ID)
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
return nil, err
}
@ -207,17 +187,9 @@ func (s *LabelService) CreateLabelMapping(ctx context.Context, m *influxdb.Label
return err
}
// NOTE(affo): see `authorizeDocumentLabelMappingAction` note.
// The best we can do here is to check that the user is authorized to access documents
// under the label's orgID, because we don't have any document-specific permission available.
if m.ResourceType == influxdb.DocumentsResourceType {
if err := authorizeDocumentLabelMappingAction(ctx, influxdb.ReadAction, l.OrgID); err != nil {
return err
}
} else {
if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, m.ResourceID, m.ResourceType); err != nil {
return err
}
// if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, m.ResourceID, m.ResourceType); err != nil {
if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, l.OrgID, m.ResourceID, m.ResourceType); err != nil {
return err
}
return s.s.CreateLabelMapping(ctx, m)
@ -262,17 +234,8 @@ func (s *LabelService) DeleteLabelMapping(ctx context.Context, m *influxdb.Label
return err
}
// NOTE(affo): see `authorizeDocumentLabelMappingAction` note.
// The best we can do here is to check that the user is authorized to access documents
// under the label's orgID, because we don't have any document-specific permission available.
if m.ResourceType == influxdb.DocumentsResourceType {
if err := authorizeDocumentLabelMappingAction(ctx, influxdb.ReadAction, l.OrgID); err != nil {
return err
}
} else {
if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, m.ResourceID, m.ResourceType); err != nil {
return err
}
if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, l.OrgID, m.ResourceID, m.ResourceType); err != nil {
return err
}
return s.s.DeleteLabelMapping(ctx, m)
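Review bot: CreateLabelMapping (L147) and DeleteLabelMapping (L165) build the write permission from the label's org, `l.OrgID`, while FindResourceLabels in the same file (L111-L115) now resolves the mapped resource's own org through `s.orgSvc.FindResourceOrganizationID`. When the label and the resource live in different orgs the check becomes `write:orgs/<labelOrg>/<type>/<id>`, so a principal holding an org-wide write on that resource type in the label's org could, depending on how Permission matching treats the ID/OrgID pair (not visible here), attach or detach a resource that belongs to another org. Both mapping methods should resolve the resource's org the same way FindResourceLabels does, with the same `s.orgSvc == nil` guard, and the commented-out call left at L146 should be deleted rather than kept as dead text. Both CreateLabelMapping and DeleteLabelMapping begin outside this hunk; the fence shows the Create side, and Delete needs the identical change.
```go
// … unchanged: FindLabelByID and the read check on the label …
if s.orgSvc == nil {
	return errors.New("failed to find orgSvc")
}
// Authorize against the org that owns the mapped resource, not the label's org.
orgID, err := s.orgSvc.FindResourceOrganizationID(ctx, m.ResourceType, m.ResourceID)
if err != nil {
	return err
}
if err := authorizeLabelMappingAction(ctx, influxdb.WriteAction, orgID, m.ResourceID, m.ResourceType); err != nil {
	return err
}
return s.s.CreateLabelMapping(ctx, m)
```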


@ -18,6 +18,15 @@ const (
orgOneID = "020f755c3c083000"
)
var (
orgOneInfluxID = influxdbtesting.MustIDBase16(orgOneID)
orgSvc = &mock.OrganizationService{
FindResourceOrganizationIDF: func(_ context.Context, _ influxdb.ResourceType, _ influxdb.ID) (influxdb.ID, error) {
return orgOneInfluxID, nil
},
}
)
var labelCmpOptions = cmp.Options{
cmp.Comparer(func(x, y []byte) bool {
return bytes.Equal(x, y)
@ -56,7 +65,7 @@ func TestLabelService_FindLabelByID(t *testing.T) {
FindLabelByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: id,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
},
@ -82,7 +91,7 @@ func TestLabelService_FindLabelByID(t *testing.T) {
FindLabelByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: id,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
},
@ -108,7 +117,7 @@ func TestLabelService_FindLabelByID(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewLabelService(tt.fields.LabelService)
s := authorizer.NewLabelServiceWithOrg(tt.fields.LabelService, orgSvc)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
@ -145,15 +154,15 @@ func TestLabelService_FindLabels(t *testing.T) {
return []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 2,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
}, nil
},
@ -171,15 +180,15 @@ func TestLabelService_FindLabels(t *testing.T) {
labels: []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 2,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
},
},
@ -192,15 +201,15 @@ func TestLabelService_FindLabels(t *testing.T) {
return []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 2,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
}, nil
},
@ -219,7 +228,7 @@ func TestLabelService_FindLabels(t *testing.T) {
labels: []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
},
},
@ -232,15 +241,15 @@ func TestLabelService_FindLabels(t *testing.T) {
return []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 2,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
}, nil
},
@ -263,7 +272,7 @@ func TestLabelService_FindLabels(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewLabelService(tt.fields.LabelService)
s := authorizer.NewLabelServiceWithOrg(tt.fields.LabelService, orgSvc)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
@ -303,13 +312,13 @@ func TestLabelService_UpdateLabel(t *testing.T) {
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
UpdateLabelFn: func(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
},
@ -337,13 +346,13 @@ func TestLabelService_UpdateLabel(t *testing.T) {
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
UpdateLabelFn: func(ctx context.Context, id influxdb.ID, upd influxdb.LabelUpdate) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
},
@ -371,7 +380,7 @@ func TestLabelService_UpdateLabel(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewLabelService(tt.fields.LabelService)
s := authorizer.NewLabelServiceWithOrg(tt.fields.LabelService, orgSvc)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
@ -407,7 +416,7 @@ func TestLabelService_DeleteLabel(t *testing.T) {
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
DeleteLabelFn: func(ctx context.Context, id influxdb.ID) error {
@ -423,7 +432,7 @@ func TestLabelService_DeleteLabel(t *testing.T) {
Resource: influxdb.Resource{
Type: influxdb.LabelsResourceType,
ID: influxdbtesting.IDPtr(1),
OrgID: influxdbtesting.IDPtr(influxdbtesting.MustIDBase16(orgOneID)),
OrgID: influxdbtesting.IDPtr(orgOneInfluxID),
},
},
},
@ -439,7 +448,7 @@ func TestLabelService_DeleteLabel(t *testing.T) {
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
DeleteLabelFn: func(ctx context.Context, id influxdb.ID) error {
@ -455,7 +464,7 @@ func TestLabelService_DeleteLabel(t *testing.T) {
Resource: influxdb.Resource{
Type: influxdb.LabelsResourceType,
ID: influxdbtesting.IDPtr(1),
OrgID: influxdbtesting.IDPtr(influxdbtesting.MustIDBase16(orgOneID)),
OrgID: influxdbtesting.IDPtr(orgOneInfluxID),
},
},
},
@ -471,7 +480,7 @@ func TestLabelService_DeleteLabel(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewLabelService(tt.fields.LabelService)
s := authorizer.NewLabelServiceWithOrg(tt.fields.LabelService, orgSvc)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
@ -512,7 +521,7 @@ func TestLabelService_CreateLabel(t *testing.T) {
permission: influxdb.Permission{
Action: "read",
Resource: influxdb.Resource{
ID: influxdbtesting.IDPtr(influxdbtesting.MustIDBase16(orgOneID)),
ID: influxdbtesting.IDPtr(orgOneInfluxID),
Type: influxdb.OrgsResourceType,
},
},
@ -549,12 +558,12 @@ func TestLabelService_CreateLabel(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewLabelService(tt.fields.LabelService)
s := authorizer.NewLabelServiceWithOrg(tt.fields.LabelService, orgSvc)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{[]influxdb.Permission{tt.args.permission}})
err := s.CreateLabel(ctx, &influxdb.Label{Name: "name", OrgID: influxdbtesting.MustIDBase16(orgOneID)})
err := s.CreateLabel(ctx, &influxdb.Label{Name: "name", OrgID: orgOneInfluxID})
influxdbtesting.ErrorsEqual(t, err, tt.wants.err)
})
}
@ -586,15 +595,15 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
return []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 2,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
}, nil
},
@ -626,15 +635,15 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
labels: []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 2,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
},
},
@ -647,15 +656,15 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
return []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 2,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
}, nil
},
@ -688,7 +697,7 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
labels: []*influxdb.Label{
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
},
},
@ -701,15 +710,15 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
return []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 2,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
}, nil
},
@ -742,15 +751,15 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
return []*influxdb.Label{
{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 2,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
{
ID: 3,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
},
}, nil
},
@ -772,7 +781,7 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
},
wants: wants{
err: &influxdb.Error{
Msg: "read:buckets/000000000000000a is unauthorized",
Msg: "read:orgs/020f755c3c083000/buckets/000000000000000a is unauthorized",
Code: influxdb.EUnauthorized,
},
},
@ -781,7 +790,7 @@ func TestLabelService_FindResourceLabels(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewLabelService(tt.fields.LabelService)
s := authorizer.NewLabelServiceWithOrg(tt.fields.LabelService, orgSvc)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
@ -821,7 +830,7 @@ func TestLabelService_CreateLabelMapping(t *testing.T) {
FindLabelByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
CreateLabelMappingFn: func(ctx context.Context, lm *influxdb.LabelMapping) error {
@ -862,7 +871,7 @@ func TestLabelService_CreateLabelMapping(t *testing.T) {
FindLabelByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
CreateLabelMappingFn: func(ctx context.Context, lm *influxdb.LabelMapping) error {
@ -888,7 +897,7 @@ func TestLabelService_CreateLabelMapping(t *testing.T) {
wants: wants{
err: &influxdb.Error{
Code: influxdb.EUnauthorized,
Msg: "write:buckets/0000000000000002 is unauthorized",
Msg: "write:orgs/020f755c3c083000/buckets/0000000000000002 is unauthorized",
},
},
},
@ -899,7 +908,7 @@ func TestLabelService_CreateLabelMapping(t *testing.T) {
FindLabelByIDFn: func(ctx context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
CreateLabelMappingFn: func(ctx context.Context, lm *influxdb.LabelMapping) error {
@ -933,7 +942,7 @@ func TestLabelService_CreateLabelMapping(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewLabelService(tt.fields.LabelService)
s := authorizer.NewLabelServiceWithOrg(tt.fields.LabelService, orgSvc)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
@ -969,7 +978,7 @@ func TestLabelService_DeleteLabelMapping(t *testing.T) {
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
DeleteLabelMappingFn: func(ctx context.Context, m *influxdb.LabelMapping) error {
@ -1010,7 +1019,7 @@ func TestLabelService_DeleteLabelMapping(t *testing.T) {
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
DeleteLabelMappingFn: func(ctx context.Context, m *influxdb.LabelMapping) error {
@ -1036,7 +1045,7 @@ func TestLabelService_DeleteLabelMapping(t *testing.T) {
wants: wants{
err: &influxdb.Error{
Code: influxdb.EUnauthorized,
Msg: "write:buckets/0000000000000002 is unauthorized",
Msg: "write:orgs/020f755c3c083000/buckets/0000000000000002 is unauthorized",
},
},
},
@ -1047,7 +1056,7 @@ func TestLabelService_DeleteLabelMapping(t *testing.T) {
FindLabelByIDFn: func(ctc context.Context, id influxdb.ID) (*influxdb.Label, error) {
return &influxdb.Label{
ID: 1,
OrgID: influxdbtesting.MustIDBase16(orgOneID),
OrgID: orgOneInfluxID,
}, nil
},
DeleteLabelMappingFn: func(ctx context.Context, m *influxdb.LabelMapping) error {
@ -1081,7 +1090,7 @@ func TestLabelService_DeleteLabelMapping(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := authorizer.NewLabelService(tt.fields.LabelService)
s := authorizer.NewLabelServiceWithOrg(tt.fields.LabelService, orgSvc)
ctx := context.Background()
ctx = influxdbcontext.SetAuthorizer(ctx, &Authorizer{tt.args.permissions})
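Review bot: The shared `orgSvc` mock at L177-L181 always returns `orgOneInfluxID`, so none of the updated cases exercise the three new branches the authorizer gained: a resource whose org differs from the label's, an error returned by `FindResourceOrganizationID`, or a `LabelService` constructed with a nil org service (L108-L110). The existing expectations such as `read:orgs/020f755c3c083000/buckets/000000000000000a is unauthorized` (L515) pass equally whether the org came from the label or from the lookup, which is exactly the distinction this commit is about. Suggest adding a FindResourceLabels case whose `FindResourceOrganizationIDF` returns a second org ID and asserting the denial names that org, one where it returns an error and the error is propagated unchanged, and one using `NewLabelServiceWithOrg(svc, nil)` expecting the orgSvc error. The test functions' bodies continue outside this section.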


@ -823,7 +823,7 @@ func (m *Launcher) run(ctx context.Context) (err error) {
pkger.WithBucketSVC(authorizer.NewBucketService(b.BucketService)),
pkger.WithCheckSVC(authorizer.NewCheckService(b.CheckService, authedURMSVC, authedOrgSVC)),
pkger.WithDashboardSVC(authorizer.NewDashboardService(b.DashboardService)),
pkger.WithLabelSVC(authorizer.NewLabelService(b.LabelService)),
pkger.WithLabelSVC(authorizer.NewLabelServiceWithOrg(b.LabelService, b.OrgLookupService)),
pkger.WithNotificationEndpointSVC(authorizer.NewNotificationEndpointService(b.NotificationEndpointService, authedURMSVC, authedOrgSVC)),
pkger.WithNotificationRuleSVC(authorizer.NewNotificationRuleStore(b.NotificationRuleStore, authedURMSVC, authedOrgSVC)),
pkger.WithSecretSVC(authorizer.NewSecretService(b.SecretService)),


@ -144,14 +144,14 @@ func NewAPIHandler(b *APIBackend, opts ...APIHandlerOptFn) *APIHandler {
h.Mount(prefixDelete, NewDeleteHandler(b.Logger, deleteBackend))
documentBackend := NewDocumentBackend(b.Logger.With(zap.String("handler", "document")), b)
documentBackend.LabelService = authorizer.NewLabelService(b.LabelService)
documentBackend.LabelService = authorizer.NewLabelServiceWithOrg(b.LabelService, b.OrgLookupService)
documentBackend.DocumentService = authorizer.NewDocumentService(b.DocumentService)
h.Mount(prefixDocuments, NewDocumentHandler(documentBackend))
fluxBackend := NewFluxBackend(b.Logger.With(zap.String("handler", "query")), b)
h.Mount(prefixQuery, NewFluxHandler(b.Logger, fluxBackend))
h.Mount(prefixLabels, NewLabelHandler(b.Logger, authorizer.NewLabelService(b.LabelService), b.HTTPErrorHandler))
h.Mount(prefixLabels, NewLabelHandler(b.Logger, authorizer.NewLabelServiceWithOrg(b.LabelService, b.OrgLookupService), b.HTTPErrorHandler))
notificationEndpointBackend := NewNotificationEndpointBackend(b.Logger.With(zap.String("handler", "notificationEndpoint")), b)
notificationEndpointBackend.NotificationEndpointService = authorizer.NewNotificationEndpointService(b.NotificationEndpointService,


@ -73,7 +73,7 @@ func setup(t *testing.T) (func(auth influxdb.Authorizer) *httptest.Server, func(
backend := NewMockDocumentBackend(t)
backend.HTTPErrorHandler = http.ErrorHandler(0)
backend.DocumentService = authorizer.NewDocumentService(svc)
backend.LabelService = authorizer.NewLabelService(svc)
backend.LabelService = authorizer.NewLabelServiceWithOrg(svc, svc)
serverFn := func(auth influxdb.Authorizer) *httptest.Server {
handler := httpmock.NewAuthMiddlewareHandler(NewDocumentHandler(backend), auth)
return httptest.NewServer(handler)


@ -730,6 +730,24 @@ func (s *Service) FindResourceOrganizationID(ctx context.Context, rt influxdb.Re
return influxdb.InvalidID(), err
}
return r.OrgID, nil
case influxdb.ChecksResourceType:
r, err := s.FindCheckByID(ctx, id)
if err != nil {
return influxdb.InvalidID(), err
}
return r.GetOrgID(), nil
case influxdb.NotificationEndpointResourceType:
r, err := s.FindNotificationEndpointByID(ctx, id)
if err != nil {
return influxdb.InvalidID(), err
}
return r.GetOrgID(), nil
case influxdb.NotificationRuleResourceType:
r, err := s.FindNotificationRuleByID(ctx, id)
if err != nil {
return influxdb.InvalidID(), err
}
return r.GetOrgID(), nil
}
return influxdb.InvalidID(), &influxdb.Error{
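Review bot: No `influxdb.DocumentsResourceType` case is visible among the new arms at L659-L676, yet the authorizer in this same commit dropped its documents special-case, so `FindResourceLabels` for a document now succeeds only if this switch resolves a document's org; if documents fall through to the error constructed at L678, listing a document's labels will fail with that error where it previously was authorized at the label's org level. Either a documents arm should be added here or the note should confirm one already exists above the hunk — the enclosing `FindResourceOrganizationID` starts before this hunk, so it cannot be seen from here. A brief comment on the switch, such as `// Every resource type that can carry a label mapping must be resolvable here; the authorizer's label checks depend on it.`, would make that coupling explicit for the next type that is added.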


@ -2,6 +2,7 @@ package mock
import (
"context"
platform "github.com/influxdata/influxdb"
)
@ -9,12 +10,13 @@ var _ platform.OrganizationService = &OrganizationService{}
// OrganizationService is a mock organization server.
type OrganizationService struct {
FindOrganizationByIDF func(ctx context.Context, id platform.ID) (*platform.Organization, error)
FindOrganizationF func(ctx context.Context, filter platform.OrganizationFilter) (*platform.Organization, error)
FindOrganizationsF func(ctx context.Context, filter platform.OrganizationFilter, opt ...platform.FindOptions) ([]*platform.Organization, int, error)
CreateOrganizationF func(ctx context.Context, b *platform.Organization) error
UpdateOrganizationF func(ctx context.Context, id platform.ID, upd platform.OrganizationUpdate) (*platform.Organization, error)
DeleteOrganizationF func(ctx context.Context, id platform.ID) error
FindOrganizationByIDF func(ctx context.Context, id platform.ID) (*platform.Organization, error)
FindOrganizationF func(ctx context.Context, filter platform.OrganizationFilter) (*platform.Organization, error)
FindOrganizationsF func(ctx context.Context, filter platform.OrganizationFilter, opt ...platform.FindOptions) ([]*platform.Organization, int, error)
CreateOrganizationF func(ctx context.Context, b *platform.Organization) error
UpdateOrganizationF func(ctx context.Context, id platform.ID, upd platform.OrganizationUpdate) (*platform.Organization, error)
DeleteOrganizationF func(ctx context.Context, id platform.ID) error
FindResourceOrganizationIDF func(ctx context.Context, rt platform.ResourceType, id platform.ID) (platform.ID, error)
}
// NewOrganizationService returns a mock OrganizationService where its methods will return
@ -65,3 +67,8 @@ func (s *OrganizationService) UpdateOrganization(ctx context.Context, id platfor
func (s *OrganizationService) DeleteOrganization(ctx context.Context, id platform.ID) error {
return s.DeleteOrganizationF(ctx, id)
}
// FindResourceOrganizationID calls FindResourceOrganizationIDF.
func (s *OrganizationService) FindResourceOrganizationID(ctx context.Context, rt platform.ResourceType, id platform.ID) (platform.ID, error) {
return s.FindResourceOrganizationIDF(ctx, rt, id)
}
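Review bot: `FindResourceOrganizationID` at L710-L712 dereferences `s.FindResourceOrganizationIDF` unconditionally, so any test that builds this mock without setting the new field — including callers of `NewOrganizationService` (L704), whose body lies outside this hunk and may not initialize it — will panic with a nil function call the moment the authorizing label service is exercised. Either initialize the field in the constructor alongside the existing ones, or guard the call and return `platform.InvalidID()` together with a `*platform.Error` describing the unset hook so the failure is a readable test error rather than a nil dereference. A doc line on the new field, e.g. `// FindResourceOrganizationIDF backs FindResourceOrganizationID; unset means the mock cannot resolve resource orgs.`, would also help.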