influxdb/tenant/middleware_onboarding_auth.go


package tenant
import (
"context"
"github.com/influxdata/influxdb/v2"
"github.com/influxdata/influxdb/v2/authorizer"
)
// Compile-time check that *AuthedOnboardSvc satisfies influxdb.OnboardingService.
var _ influxdb.OnboardingService = (*AuthedOnboardSvc)(nil)

// TODO (al): remove authorizer/org when the org service moves to tenant

// AuthedOnboardSvc wraps a influxdb.OnboardingService and authorizes actions
// against it appropriately. Only OnboardUser performs authorization here;
// IsOnboarding and OnboardInitialUser are delegated to the wrapped service
// unchanged (see the method comments).
type AuthedOnboardSvc struct {
	// s is the wrapped service every call is ultimately delegated to.
	s influxdb.OnboardingService
}
// NewAuthedOnboardSvc constructs an instance of an authorizing org service.
// The returned service delegates every call to s; see AuthedOnboardSvc for
// which calls are authorized before delegation.
func NewAuthedOnboardSvc(s influxdb.OnboardingService) *AuthedOnboardSvc {
	svc := &AuthedOnboardSvc{s: s}
	return svc
}
// IsOnboarding pass through. this is handled by the underlying service layer;
// no authorization is performed here and the wrapped result is returned as is.
func (s *AuthedOnboardSvc) IsOnboarding(ctx context.Context) (bool, error) {
	onboarding, err := s.s.IsOnboarding(ctx)
	return onboarding, err
}
// OnboardInitialUser pass through. this is handled by the underlying service
// layer; no authorization is performed here (unlike OnboardUser), so the
// wrapped service is expected to gate the initial-setup path itself.
func (s *AuthedOnboardSvc) OnboardInitialUser(ctx context.Context, req *influxdb.OnboardingRequest) (*influxdb.OnboardingResults, error) {
	results, err := s.s.OnboardInitialUser(ctx, req)
	return results, err
}
// OnboardUser needs to confirm this user has access to do global create for
// multiple resources. The caller must hold global write permission on orgs,
// users and buckets (presumably the resources an onboarding creates — confirm
// against the wrapped service). The checks run in that fixed order, the first
// authorization error is returned unchanged, and nothing is delegated to the
// wrapped service unless all three pass.
func (s *AuthedOnboardSvc) OnboardUser(ctx context.Context, req *influxdb.OnboardingRequest) (*influxdb.OnboardingResults, error) {
	required := [...]influxdb.ResourceType{
		influxdb.OrgsResourceType,
		influxdb.UsersResourceType,
		influxdb.BucketsResourceType,
	}
	for _, rt := range required {
		// Only the error is of interest; the authorizer and permission
		// returned by AuthorizeWriteGlobal are not needed here.
		if _, _, err := authorizer.AuthorizeWriteGlobal(ctx, rt); err != nil {
			return nil, err
		}
	}
	return s.s.OnboardUser(ctx, req)
}