// Source listing: github.com/influxdata/influxdb/v2@v2.7.6/replications/transport/middleware_auth.go

package transport

import (
	"context"

	"github.com/influxdata/influxdb/v2"
	"github.com/influxdata/influxdb/v2/authorizer"
	"github.com/influxdata/influxdb/v2/kit/platform"
	"github.com/influxdata/influxdb/v2/kit/platform/errors"
)

// newAuthCheckingService wraps underlying so that every ReplicationService
// call goes through the permission checks implemented in this file.
func newAuthCheckingService(underlying ReplicationService) *authCheckingService {
	return &authCheckingService{underlying: underlying}
}

// authCheckingService is a ReplicationService middleware. Each method runs
// the relevant authorizer check and only then delegates to (or returns data
// from) the wrapped service. It holds no state other than the wrapped
// service.
type authCheckingService struct {
	underlying ReplicationService
}

// Compile-time proof that the middleware satisfies the interface it wraps.
var _ ReplicationService = (*authCheckingService)(nil)

// ListReplications fetches the list from the wrapped service and returns only
// the entries for which AuthorizeRead succeeds. Entries rejected with
// EUnauthorized are dropped silently; any other authorization error aborts
// the whole call.
//
// The filter reuses the backing array of the slice returned by the wrapped
// service, so that slice is overwritten in place and rejected entries can
// remain in the array past the returned length.
// NOTE(review): this assumes the wrapped service hands back a slice it does
// not share with other callers, and a non-nil result when err is nil; confirm
// against the implementation.
func (s authCheckingService) ListReplications(ctx context.Context, filter influxdb.ReplicationListFilter) (*influxdb.Replications, error) {
	listed, err := s.underlying.ListReplications(ctx, filter)
	if err != nil {
		return nil, err
	}

	visible := listed.Replications[:0]
	for _, rep := range listed.Replications {
		_, _, authErr := authorizer.AuthorizeRead(ctx, influxdb.ReplicationsResourceType, rep.ID, rep.OrgID)
		// Unauthorized entries are hidden rather than reported, so the
		// caller sees a shorter list instead of an error.
		if errors.ErrorCode(authErr) == errors.EUnauthorized {
			continue
		}
		// Anything else that went wrong is a real failure of the check.
		if authErr != nil {
			return nil, authErr
		}
		visible = append(visible, rep)
	}
	return &influxdb.Replications{Replications: visible}, nil
}

// CreateReplication runs the create-time permission checks and, if they
// pass, delegates to the wrapped service.
func (s authCheckingService) CreateReplication(ctx context.Context, request influxdb.CreateReplicationRequest) (*influxdb.Replication, error) {
	authErr := s.authCreateReplication(ctx, request)
	if authErr != nil {
		return nil, authErr
	}
	return s.underlying.CreateReplication(ctx, request)
}

// ValidateNewReplication applies the same permission checks as
// CreateReplication before delegating the validation to the wrapped service.
func (s authCheckingService) ValidateNewReplication(ctx context.Context, request influxdb.CreateReplicationRequest) error {
	authErr := s.authCreateReplication(ctx, request)
	if authErr != nil {
		return authErr
	}
	return s.underlying.ValidateNewReplication(ctx, request)
}

// authCreateReplication checks, in order: create permission on replications
// in request.OrgID, read permission on the local bucket, and read permission
// on the remote. The first failing check is returned.
//
// NOTE(review): all three checks are scoped to the OrgID supplied in the
// request. Nothing in this function looks up the bucket or the remote to
// confirm they actually belong to that org; verify that the wrapped service
// or the store enforces that relationship.
func (s authCheckingService) authCreateReplication(ctx context.Context, request influxdb.CreateReplicationRequest) error {
	_, _, err := authorizer.AuthorizeCreate(ctx, influxdb.ReplicationsResourceType, request.OrgID)
	if err != nil {
		return err
	}
	// N.B. creating a replication requires read-access to both the source bucket and the target remote.
	_, _, err = authorizer.AuthorizeRead(ctx, influxdb.BucketsResourceType, request.LocalBucketID, request.OrgID)
	if err != nil {
		return err
	}
	_, _, err = authorizer.AuthorizeRead(ctx, influxdb.RemotesResourceType, request.RemoteID, request.OrgID)
	return err
}

// GetReplication loads the replication from the wrapped service and returns
// it only if the caller has read permission on it.
//
// The record is loaded first because its OrgID is needed for the check, so an
// error from the wrapped service is returned before any permission check.
// NOTE(review): if the wrapped service reports a missing ID with a different
// error than the authorization failure, callers without permission can tell
// existing IDs from non-existing ones; confirm whether that is acceptable.
func (s authCheckingService) GetReplication(ctx context.Context, id platform.ID) (*influxdb.Replication, error) {
	found, err := s.underlying.GetReplication(ctx, id)
	if err != nil {
		return nil, err
	}
	_, _, authErr := authorizer.AuthorizeRead(ctx, influxdb.ReplicationsResourceType, id, found.OrgID)
	if authErr != nil {
		return nil, authErr
	}
	return found, nil
}

// UpdateReplication runs the update-time permission checks and, if they
// pass, delegates to the wrapped service.
func (s authCheckingService) UpdateReplication(ctx context.Context, id platform.ID, request influxdb.UpdateReplicationRequest) (*influxdb.Replication, error) {
	authErr := s.authUpdateReplication(ctx, id, request)
	if authErr != nil {
		return nil, authErr
	}
	return s.underlying.UpdateReplication(ctx, id, request)
}

// ValidateUpdatedReplication applies the same permission checks as
// UpdateReplication before delegating the validation to the wrapped service.
func (s authCheckingService) ValidateUpdatedReplication(ctx context.Context, id platform.ID, request influxdb.UpdateReplicationRequest) error {
	authErr := s.authUpdateReplication(ctx, id, request)
	if authErr != nil {
		return authErr
	}
	return s.underlying.ValidateUpdatedReplication(ctx, id, request)
}

// authUpdateReplication requires write permission on the existing
// replication and, when the request points it at a different remote, read
// permission on that remote within the replication's current org. No other
// field of the request is inspected here.
//
// The existing record is loaded before the check to obtain its OrgID, so an
// error from the wrapped service is returned ahead of any permission check.
func (s authCheckingService) authUpdateReplication(ctx context.Context, id platform.ID, request influxdb.UpdateReplicationRequest) error {
	existing, err := s.underlying.GetReplication(ctx, id)
	if err != nil {
		return err
	}
	_, _, err = authorizer.AuthorizeWrite(ctx, influxdb.ReplicationsResourceType, id, existing.OrgID)
	if err != nil {
		return err
	}
	// Only a changed remote needs an extra check.
	if request.RemoteID == nil {
		return nil
	}
	_, _, err = authorizer.AuthorizeRead(ctx, influxdb.RemotesResourceType, *request.RemoteID, existing.OrgID)
	return err
}

// DeleteReplication requires write permission on the replication and then
// delegates the deletion to the wrapped service. The record is loaded first
// to obtain its OrgID for the check.
func (s authCheckingService) DeleteReplication(ctx context.Context, id platform.ID) error {
	existing, err := s.underlying.GetReplication(ctx, id)
	if err != nil {
		return err
	}
	_, _, authErr := authorizer.AuthorizeWrite(ctx, influxdb.ReplicationsResourceType, id, existing.OrgID)
	if authErr != nil {
		return authErr
	}
	return s.underlying.DeleteReplication(ctx, id)
}

// ValidateReplication requires read permission on the replication and then
// delegates the validation to the wrapped service. The record is loaded first
// to obtain its OrgID for the check.
func (s authCheckingService) ValidateReplication(ctx context.Context, id platform.ID) error {
	existing, err := s.underlying.GetReplication(ctx, id)
	if err != nil {
		return err
	}
	_, _, authErr := authorizer.AuthorizeRead(ctx, influxdb.ReplicationsResourceType, id, existing.OrgID)
	if authErr != nil {
		return authErr
	}
	return s.underlying.ValidateReplication(ctx, id)
}