150 lines
4.2 KiB
Go
150 lines
4.2 KiB
Go
package authorizer
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/influxdata/influxdb"
|
|
)
|
|
|
|
var _ influxdb.VariableService = (*VariableService)(nil)
|
|
|
|
// VariableService wraps a influxdb.VariableService and authorizes actions
|
|
// against it appropriately.
|
|
type VariableService struct {
|
|
s influxdb.VariableService
|
|
}
|
|
|
|
// NewVariableService constructs an instance of an authorizing variable service.
|
|
func NewVariableService(s influxdb.VariableService) *VariableService {
|
|
return &VariableService{
|
|
s: s,
|
|
}
|
|
}
|
|
|
|
func newVariablePermission(a influxdb.Action, orgID, id influxdb.ID) (*influxdb.Permission, error) {
|
|
return influxdb.NewPermissionAtID(id, a, influxdb.VariablesResourceType, orgID)
|
|
}
|
|
|
|
func authorizeReadVariable(ctx context.Context, orgID, id influxdb.ID) error {
|
|
p, err := newVariablePermission(influxdb.ReadAction, orgID, id)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := IsAllowed(ctx, *p); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func authorizeWriteVariable(ctx context.Context, orgID, id influxdb.ID) error {
|
|
p, err := newVariablePermission(influxdb.WriteAction, orgID, id)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := IsAllowed(ctx, *p); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// FindVariableByID checks to see if the authorizer on context has read access to the id provided.
|
|
func (s *VariableService) FindVariableByID(ctx context.Context, id influxdb.ID) (*influxdb.Variable, error) {
|
|
m, err := s.s.FindVariableByID(ctx, id)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err := authorizeReadVariable(ctx, m.OrganizationID, id); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return m, nil
|
|
}
|
|
|
|
// FindVariables retrieves all variables that match the provided filter and then filters the list down to only the resources that are authorized.
|
|
func (s *VariableService) FindVariables(ctx context.Context, filter influxdb.VariableFilter, opt ...influxdb.FindOptions) ([]*influxdb.Variable, error) {
|
|
// TODO: we'll likely want to push this operation into the database since fetching the whole list of data will likely be expensive.
|
|
ms, err := s.s.FindVariables(ctx, filter, opt...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// This filters without allocating
|
|
// https://github.com/golang/go/wiki/SliceTricks#filtering-without-allocating
|
|
variables := ms[:0]
|
|
for _, m := range ms {
|
|
err := authorizeReadVariable(ctx, m.OrganizationID, m.ID)
|
|
if err != nil && influxdb.ErrorCode(err) != influxdb.EUnauthorized {
|
|
return nil, err
|
|
}
|
|
|
|
if influxdb.ErrorCode(err) == influxdb.EUnauthorized {
|
|
continue
|
|
}
|
|
|
|
variables = append(variables, m)
|
|
}
|
|
|
|
return variables, nil
|
|
}
|
|
|
|
// CreateVariable checks to see if the authorizer on context has write access to the global variable resource.
|
|
func (s *VariableService) CreateVariable(ctx context.Context, m *influxdb.Variable) error {
|
|
p, err := influxdb.NewPermission(influxdb.WriteAction, influxdb.VariablesResourceType, m.OrganizationID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := IsAllowed(ctx, *p); err != nil {
|
|
return err
|
|
}
|
|
|
|
return s.s.CreateVariable(ctx, m)
|
|
}
|
|
|
|
// UpdateVariable checks to see if the authorizer on context has write access to the variable provided.
|
|
func (s *VariableService) UpdateVariable(ctx context.Context, id influxdb.ID, upd *influxdb.VariableUpdate) (*influxdb.Variable, error) {
|
|
m, err := s.FindVariableByID(ctx, id)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err := authorizeWriteVariable(ctx, m.OrganizationID, id); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return s.s.UpdateVariable(ctx, id, upd)
|
|
}
|
|
|
|
// ReplaceVariable checks to see if the authorizer on context has write access to the variable provided.
|
|
func (s *VariableService) ReplaceVariable(ctx context.Context, m *influxdb.Variable) error {
|
|
m, err := s.FindVariableByID(ctx, m.ID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := authorizeWriteVariable(ctx, m.OrganizationID, m.ID); err != nil {
|
|
return err
|
|
}
|
|
|
|
return s.s.ReplaceVariable(ctx, m)
|
|
}
|
|
|
|
// DeleteVariable checks to see if the authorizer on context has write access to the variable provided.
|
|
func (s *VariableService) DeleteVariable(ctx context.Context, id influxdb.ID) error {
|
|
m, err := s.FindVariableByID(ctx, id)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := authorizeWriteVariable(ctx, m.OrganizationID, id); err != nil {
|
|
return err
|
|
}
|
|
|
|
return s.s.DeleteVariable(ctx, id)
|
|
}
|