influxdb/authz.go

456 lines
14 KiB
Go

package influxdb
import (
"errors"
"fmt"
"path"
"github.com/influxdata/influxdb/v2/kit/platform"
errors2 "github.com/influxdata/influxdb/v2/kit/platform/errors"
)
var (
// ErrAuthorizerNotSupported notes that the provided authorizer is not supported for the action you are trying to perform.
ErrAuthorizerNotSupported = errors.New("your authorizer is not supported, please use *platform.Authorization as authorizer")
// ErrInvalidResourceType notes that the provided resource is invalid
ErrInvalidResourceType = errors.New("unknown resource type for permission")
// ErrInvalidAction notes that the provided action is invalid
ErrInvalidAction = errors.New("unknown action for permission")
)
// Authorizer will authorize a permission.
type Authorizer interface {
// PermissionSet returns the PermissionSet associated with the authorizer
PermissionSet() (PermissionSet, error)
// ID returns an identifier used for auditing.
Identifier() platform.ID
// GetUserID returns the user id.
GetUserID() platform.ID
// Kind metadata for auditing.
Kind() string
}
// PermissionAllowed determines if a permission is allowed.
func PermissionAllowed(perm Permission, ps []Permission) bool {
for _, p := range ps {
if p.Matches(perm) {
return true
}
}
return false
}
// Action is an enum defining all possible resource operations
type Action string
const (
// ReadAction is the action for reading.
ReadAction Action = "read" // 1
// WriteAction is the action for writing.
WriteAction Action = "write" // 2
)
var actions = []Action{
ReadAction, // 1
WriteAction, // 2
}
// Valid checks if the action is a member of the Action enum
func (a Action) Valid() (err error) {
switch a {
case ReadAction: // 1
case WriteAction: // 2
default:
err = ErrInvalidAction
}
return err
}
// ResourceType is an enum defining all resource types that have a permission model in platform
type ResourceType string
// Resource is an authorizable resource.
type Resource struct {
Type ResourceType `json:"type"`
ID *platform.ID `json:"id,omitempty"`
OrgID *platform.ID `json:"orgID,omitempty"`
}
// String stringifies a resource
func (r Resource) String() string {
if r.OrgID != nil && r.ID != nil {
return path.Join(string(OrgsResourceType), r.OrgID.String(), string(r.Type), r.ID.String())
}
if r.OrgID != nil {
return path.Join(string(OrgsResourceType), r.OrgID.String(), string(r.Type))
}
if r.ID != nil {
return path.Join(string(r.Type), r.ID.String())
}
return string(r.Type)
}
const (
// AuthorizationsResourceType gives permissions to one or more authorizations.
AuthorizationsResourceType = ResourceType("authorizations") // 0
// BucketsResourceType gives permissions to one or more buckets.
BucketsResourceType = ResourceType("buckets") // 1
// DashboardsResourceType gives permissions to one or more dashboards.
DashboardsResourceType = ResourceType("dashboards") // 2
// OrgsResourceType gives permissions to one or more orgs.
OrgsResourceType = ResourceType("orgs") // 3
// SourcesResourceType gives permissions to one or more sources.
SourcesResourceType = ResourceType("sources") // 4
// TasksResourceType gives permissions to one or more tasks.
TasksResourceType = ResourceType("tasks") // 5
// TelegrafsResourceType type gives permissions to a one or more telegrafs.
TelegrafsResourceType = ResourceType("telegrafs") // 6
// UsersResourceType gives permissions to one or more users.
UsersResourceType = ResourceType("users") // 7
// VariablesResourceType gives permission to one or more variables.
VariablesResourceType = ResourceType("variables") // 8
// ScraperResourceType gives permission to one or more scrapers.
ScraperResourceType = ResourceType("scrapers") // 9
// SecretsResourceType gives permission to one or more secrets.
SecretsResourceType = ResourceType("secrets") // 10
// LabelsResourceType gives permission to one or more labels.
LabelsResourceType = ResourceType("labels") // 11
// ViewsResourceType gives permission to one or more views.
ViewsResourceType = ResourceType("views") // 12
// DocumentsResourceType gives permission to one or more documents.
DocumentsResourceType = ResourceType("documents") // 13
// NotificationRuleResourceType gives permission to one or more notificationRules.
NotificationRuleResourceType = ResourceType("notificationRules") // 14
// NotificationEndpointResourceType gives permission to one or more notificationEndpoints.
NotificationEndpointResourceType = ResourceType("notificationEndpoints") // 15
// ChecksResourceType gives permission to one or more Checks.
ChecksResourceType = ResourceType("checks") // 16
// DBRPType gives permission to one or more DBRPs.
DBRPResourceType = ResourceType("dbrp") // 17
// NotebooksResourceType gives permission to one or more notebooks.
NotebooksResourceType = ResourceType("notebooks") // 18
// AnnotationsResourceType gives permission to one or more annotations.
AnnotationsResourceType = ResourceType("annotations") // 19
// RemotesResourceType gives permission to one or more remote connections.
RemotesResourceType = ResourceType("remotes") // 20
// ReplicationsResourceType gives permission to one or more replications.
ReplicationsResourceType = ResourceType("replications") // 21
// InstanceResourceType is a special permission that allows ownership of the entire instance (creating orgs/operator tokens/etc)
InstanceResourceType = ResourceType("instance") // 22
)
// AllResourceTypes is the list of all known resource types.
var AllResourceTypes = []ResourceType{
AuthorizationsResourceType, // 0
BucketsResourceType, // 1
DashboardsResourceType, // 2
OrgsResourceType, // 3
SourcesResourceType, // 4
TasksResourceType, // 5
TelegrafsResourceType, // 6
UsersResourceType, // 7
VariablesResourceType, // 8
ScraperResourceType, // 9
SecretsResourceType, // 10
LabelsResourceType, // 11
ViewsResourceType, // 12
DocumentsResourceType, // 13
NotificationRuleResourceType, // 14
NotificationEndpointResourceType, // 15
ChecksResourceType, // 16
DBRPResourceType, // 17
NotebooksResourceType, // 18
AnnotationsResourceType, // 19
RemotesResourceType, // 20
ReplicationsResourceType, // 21
InstanceResourceType, // 22
// NOTE: when modifying this list, please update the swagger for components.schemas.Permission resource enum.
}
// Valid checks if the resource type is a member of the ResourceType enum.
func (r Resource) Valid() (err error) {
return r.Type.Valid()
}
// Valid checks if the resource type is a member of the ResourceType enum.
func (t ResourceType) Valid() (err error) {
switch t {
case AuthorizationsResourceType: // 0
case BucketsResourceType: // 1
case DashboardsResourceType: // 2
case OrgsResourceType: // 3
case TasksResourceType: // 4
case TelegrafsResourceType: // 5
case SourcesResourceType: // 6
case UsersResourceType: // 7
case VariablesResourceType: // 8
case ScraperResourceType: // 9
case SecretsResourceType: // 10
case LabelsResourceType: // 11
case ViewsResourceType: // 12
case DocumentsResourceType: // 13
case NotificationRuleResourceType: // 14
case NotificationEndpointResourceType: // 15
case ChecksResourceType: // 16
case DBRPResourceType: // 17
case NotebooksResourceType: // 18
case AnnotationsResourceType: // 19
case RemotesResourceType: // 20
case ReplicationsResourceType: // 21
case InstanceResourceType: // 22
default:
err = ErrInvalidResourceType
}
return err
}
type PermissionSet []Permission
func (ps PermissionSet) Allowed(p Permission) bool {
return PermissionAllowed(p, ps)
}
// Permission defines an action and a resource.
type Permission struct {
Action Action `json:"action"`
Resource Resource `json:"resource"`
}
// Matches returns whether or not one permission matches the other.
func (p Permission) Matches(perm Permission) bool {
return p.matchesV1(perm)
}
func (p Permission) matchesV1(perm Permission) bool {
if p.Action != perm.Action {
return false
}
if p.Resource.Type == InstanceResourceType {
return true
}
if p.Resource.Type != perm.Resource.Type {
return false
}
if p.Resource.OrgID == nil && p.Resource.ID == nil {
return true
}
if p.Resource.OrgID != nil && perm.Resource.OrgID != nil && p.Resource.ID != nil && perm.Resource.ID != nil {
if *p.Resource.OrgID != *perm.Resource.OrgID && *p.Resource.ID == *perm.Resource.ID {
fmt.Printf("v1: old match used: p.Resource.OrgID=%s perm.Resource.OrgID=%s p.Resource.ID=%s",
*p.Resource.OrgID, *perm.Resource.OrgID, *p.Resource.ID)
}
}
if p.Resource.OrgID != nil && p.Resource.ID == nil {
pOrgID := *p.Resource.OrgID
if perm.Resource.OrgID != nil {
permOrgID := *perm.Resource.OrgID
if pOrgID == permOrgID {
return true
}
}
}
if p.Resource.ID != nil {
pID := *p.Resource.ID
if perm.Resource.ID != nil {
permID := *perm.Resource.ID
if pID == permID {
return true
}
}
}
return false
}
func (p Permission) String() string {
return fmt.Sprintf("%s:%s", p.Action, p.Resource)
}
// Valid checks if there the resource and action provided is known.
func (p *Permission) Valid() error {
if err := p.Resource.Valid(); err != nil {
return &errors2.Error{
Code: errors2.EInvalid,
Err: err,
Msg: "invalid resource type for permission",
}
}
if err := p.Action.Valid(); err != nil {
return &errors2.Error{
Code: errors2.EInvalid,
Err: err,
Msg: "invalid action type for permission",
}
}
if p.Resource.OrgID != nil && !p.Resource.OrgID.Valid() {
return &errors2.Error{
Code: errors2.EInvalid,
Err: platform.ErrInvalidID,
Msg: "invalid org id for permission",
}
}
if p.Resource.ID != nil && !p.Resource.ID.Valid() {
return &errors2.Error{
Code: errors2.EInvalid,
Err: platform.ErrInvalidID,
Msg: "invalid id for permission",
}
}
return nil
}
// NewPermission returns a permission with provided arguments.
func NewPermission(a Action, rt ResourceType, orgID platform.ID) (*Permission, error) {
p := &Permission{
Action: a,
Resource: Resource{
Type: rt,
OrgID: &orgID,
},
}
return p, p.Valid()
}
// NewResourcePermission returns a permission with provided arguments.
func NewResourcePermission(a Action, rt ResourceType, rid platform.ID) (*Permission, error) {
p := &Permission{
Action: a,
Resource: Resource{
Type: rt,
ID: &rid,
},
}
return p, p.Valid()
}
// NewGlobalPermission constructs a global permission capable of accessing any resource of type rt.
func NewGlobalPermission(a Action, rt ResourceType) (*Permission, error) {
p := &Permission{
Action: a,
Resource: Resource{
Type: rt,
},
}
return p, p.Valid()
}
// NewPermissionAtID creates a permission with the provided arguments.
func NewPermissionAtID(id platform.ID, a Action, rt ResourceType, orgID platform.ID) (*Permission, error) {
p := &Permission{
Action: a,
Resource: Resource{
Type: rt,
OrgID: &orgID,
ID: &id,
},
}
return p, p.Valid()
}
// OperPermissions are the default permissions for those who setup the application.
func OperPermissions() []Permission {
ps := []Permission{}
for _, r := range AllResourceTypes {
// For now, we are only allowing instance permissions when logged in through session auth
// That is handled in user resource mapping
if r == InstanceResourceType {
continue
}
for _, a := range actions {
ps = append(ps, Permission{Action: a, Resource: Resource{Type: r}})
}
}
return ps
}
// ReadAllPermissions represents permission to read all data and metadata.
// Like OperPermissions, but allows read-only users.
func ReadAllPermissions() []Permission {
ps := make([]Permission, len(AllResourceTypes))
for i, t := range AllResourceTypes {
// For now, we are only allowing instance permissions when logged in through session auth
// That is handled in user resource mapping
if t == InstanceResourceType {
continue
}
ps[i] = Permission{Action: ReadAction, Resource: Resource{Type: t}}
}
return ps
}
// OwnerPermissions are the default permissions for those who own a resource.
func OwnerPermissions(orgID platform.ID) []Permission {
ps := []Permission{}
for _, r := range AllResourceTypes {
// For now, we are only allowing instance permissions when logged in through session auth
// That is handled in user resource mapping
if r == InstanceResourceType {
continue
}
for _, a := range actions {
if r == OrgsResourceType {
ps = append(ps, Permission{Action: a, Resource: Resource{Type: r, ID: &orgID}})
continue
}
ps = append(ps, Permission{Action: a, Resource: Resource{Type: r, OrgID: &orgID}})
}
}
return ps
}
// MePermissions is the permission to read/write myself.
func MePermissions(userID platform.ID) []Permission {
ps := []Permission{}
for _, a := range actions {
ps = append(ps, Permission{Action: a, Resource: Resource{Type: UsersResourceType, ID: &userID}})
}
return ps
}
// MemberPermissions are the default permissions for those who can see a resource.
func MemberPermissions(orgID platform.ID) []Permission {
ps := []Permission{}
for _, r := range AllResourceTypes {
// For now, we are only allowing instance permissions when logged in through session auth
// That is handled in user resource mapping
if r == InstanceResourceType {
continue
}
if r == OrgsResourceType {
ps = append(ps, Permission{Action: ReadAction, Resource: Resource{Type: r, ID: &orgID}})
continue
}
ps = append(ps, Permission{Action: ReadAction, Resource: Resource{Type: r, OrgID: &orgID}})
}
return ps
}
// MemberBucketPermission are the default permissions for those who can see a resource.
func MemberBucketPermission(bucketID platform.ID) Permission {
return Permission{Action: ReadAction, Resource: Resource{Type: BucketsResourceType, ID: &bucketID}}
}