Merge pull request #14353 from influxdata/task/require-token-for-crea…

…tion chore(tasks): remove old auth code and allow only token auth
influxdata · Jul 26, 2019 · 0161438 · 0161438
2 parents a481d4a + 7b96bd9
commit 0161438
Show file tree

Hide file tree

Showing 11 changed files with 76 additions and 273 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,10 +29,12 @@
 
 1. [14256](https://github.com/influxdata/influxdb/pull/14256): Add time zone support to UI
 2. [14243](https://github.com/influxdata/influxdb/pull/14243): Addded new storage inspection tool to verify tsm files
+3. [14353](https://github.com/influxdata/influxdb/pull/14353): Require a token to be supplied for all task creation
 
 ### Bug Fixes
 
-1. [14287](https://github.com/influxdata/influxdb/pull/14287) Fix incorrect reporting of task as successful when error occurs during result iteration
+1. [14287](https://github.com/influxdata/influxdb/pull/14287): Fix incorrect reporting of task as successful when error occurs during result iteration
+1. [14412](https://github.com/influxdata/influxdb/pull/14412): Fix incorrect notification type for manually running a Task
 
 ### Known Issues
 
@@ -102,6 +104,7 @@
 1. [13945](https://github.com/influxdata/influxdb/pull/13945): Fix crash when opening histogram settings with no data
 
 ### UI Improvements
+
 1. [#13835](https://github.com/influxdata/influxdb/pull/13835): Render checkboxes in query builder tag selection lists
 1. [#13856](https://github.com/influxdata/influxdb/pull/13856): Fix jumbled card text in Telegraf configuration wizard
 1. [#13888](https://github.com/influxdata/influxdb/pull/13888): Change scrapers in scrapers list to be resource cards
@@ -112,6 +115,7 @@
 **NOTE: This will remove all tasks from your InfluxDB v2.0 instance.**
 
 ### Features
+
 1. [13423](https://github.com/influxdata/influxdb/pull/13423): Set autorefresh of dashboard to pause if absolute time range is selected
 1. [13473](https://github.com/influxdata/influxdb/pull/13473): Switch task back end to a more modular and flexible system
 1. [13493](https://github.com/influxdata/influxdb/pull/13493): Add org profile tab with ability to edit organization name
@@ -122,6 +126,7 @@
 1. [13715](https://github.com/influxdata/influxdb/pull/13715): Added a new Local Metrics Dashboard template that is created during Quick Start
 
 ### Bug Fixes
+
 1. [13584](https://github.com/influxdata/influxdb/pull/13584): Fixed scroll clipping found in label editing flow
 1. [13585](https://github.com/influxdata/influxdb/pull/13585): Prevent overlapping text and dot in time range dropdown
 1. [13602](https://github.com/influxdata/influxdb/pull/13602): Updated link in notes cell to a more useful site
@@ -133,6 +138,7 @@
 1. [13742](https://github.com/influxdata/influxdb/pull/13742): Updated the `systemTime` function to use `system.time`
 
 ### UI Improvements
+
 1. [13424](https://github.com/influxdata/influxdb/pull/13424): Add general polish and empty states to Create Dashboard from Template overlay
 
 ## v2.0.0-alpha.8 [2019-04-12]
@@ -147,9 +153,11 @@
 1. [13345](https://github.com/influxdata/influxdb/pull/13345): Added a new Getting Started with Flux Template
 
 ### Bug Fixes
+
 1. [13284](https://github.com/influxdata/influxdb/pull/13284): Update shift to timeShift in the flux functions side bar
 
 ### UI Improvements
+
 1. [13287](https://github.com/influxdata/influxdb/pull/13287): Update cursor to grab when hovering draggable areas
 1. [13311](https://github.com/influxdata/influxdb/pull/13311): Sync note editor text and preview scrolling
 1. [13249](https://github.com/influxdata/influxdb/pull/13249): Add the ability to create a bucket when creating an organization

diff --git a/authorizer/task.go b/authorizer/task.go
@@ -118,6 +118,10 @@ func (ts *taskServiceValidator) CreateTask(ctx context.Context, t platform.TaskC
 	span, ctx := tracing.StartSpanFromContext(ctx)
 	defer span.Finish()
 
+	if t.Token == "" {
+		return nil, influxdb.ErrMissingToken
+	}
+
 	p, err := platform.NewPermission(platform.WriteAction, platform.TasksResourceType, t.OrganizationID)
 	if err != nil {
 		return nil, err

diff --git a/authorizer/task_test.go b/authorizer/task_test.go
@@ -38,6 +38,7 @@ func TestOnboardingValidation(t *testing.T) {
 
 	_, err = ts.CreateTask(ctx, influxdb.TaskCreate{
 		OrganizationID: r.Org.ID,
+		Token:          r.Auth.Token,
 		Flux: `option task = {
  name: "my_task",
  every: 1s,
@@ -219,6 +220,7 @@ from(bucket:"holder") |> range(start:-5m) |> to(bucket:"holder", org:"thing")`,
 			check: func(ctx context.Context, svc influxdb.TaskService) error {
 				_, err := svc.CreateTask(ctx, influxdb.TaskCreate{
 					OrganizationID: r.Org.ID,
+					Token:          r.Auth.Token,
 					Flux: `option task = {
  name: "my_task",
  every: 1s,

diff --git a/http/swagger.yml b/http/swagger.yml
@@ -8603,9 +8603,9 @@ components:
           description: The Flux script to run for this task.
           type: string
         token:
-          description: The token to use for authenticating this task when it executes queries. If omitted, uses the token associated with the request that creates the task.
+          description: The token to use for authenticating this task when it executes queries.
           type: string
-      required: [flux]
+      required: [flux, token]
     TaskUpdateRequest:
       type: object
       properties:

diff --git a/http/task_service.go b/http/task_service.go
@@ -13,16 +13,12 @@ import (
 	"strings"
 	"time"
 
-	"github.com/influxdata/flux/lang"
 	influxdb "github.com/influxdata/influxdb"
 	platform "github.com/influxdata/influxdb"
-	"github.com/influxdata/influxdb/authorizer"
 	pcontext "github.com/influxdata/influxdb/context"
 	"github.com/influxdata/influxdb/kit/tracing"
 	"github.com/influxdata/influxdb/kv"
-	"github.com/influxdata/influxdb/query"
 	"github.com/influxdata/influxdb/task/backend"
-	"github.com/influxdata/influxdb/task/options"
 	"github.com/julienschmidt/httprouter"
 	"go.uber.org/zap"
 )
@@ -369,114 +365,9 @@ func decodeGetTasksRequest(ctx context.Context, r *http.Request, orgs platform.O
 	return req, nil
 }
 
-// createBootstrapTaskAuthorizationIfNotExists checks if a the task create request hasn't specified a token, and if the request came from a session,
-// and if both of those are true, it creates an authorization and return it.
-//
-// Note that the created authorization will have permissions required for the task,
-// but it won't have permissions to read the task, as we don't have the task ID yet.
-//
-// This method may return a nil error and a nil authorization, if there wasn't a need to create an authorization.
-func (h *TaskHandler) createBootstrapTaskAuthorizationIfNotExists(ctx context.Context, a platform.Authorizer, t *platform.TaskCreate) (*platform.Authorization, error) {
-	if t.Token != "" {
-		return nil, nil
-	}
-
-	s, ok := a.(*platform.Session)
-	if !ok {
-		// If an authorization was used continue
-		return nil, nil
-	}
-
-	prog, err := lang.Compile(t.Flux, time.Now())
-	if err != nil {
-		return nil, err
-	}
-
-	preAuthorizer := query.NewPreAuthorizer(h.BucketService)
-	ps, err := preAuthorizer.RequiredPermissions(ctx, prog.Ast, &t.OrganizationID)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := authorizer.VerifyPermissions(ctx, ps); err != nil {
-		return nil, err
-	}
-
-	opts, err := options.FromScript(t.Flux)
-	if err != nil {
-		return nil, err
-	}
-
-	auth := &platform.Authorization{
-		OrgID:       t.OrganizationID,
-		UserID:      s.UserID,
-		Permissions: ps,
-		Description: fmt.Sprintf("bootstrap authorization for task %q", opts.Name),
-	}
-
-	if err := h.AuthorizationService.CreateAuthorization(ctx, auth); err != nil {
-		return nil, err
-	}
-
-	t.Token = auth.Token
-
-	return auth, nil
-}
-
-func (h *TaskHandler) finalizeBootstrappedTaskAuthorization(ctx context.Context, bootstrap *platform.Authorization, task *platform.Task) error {
-	// If we created a bootstrapped authorization for a task,
-	// we need to replace it with a new authorization that allows read access on the task.
-	// Unfortunately for this case, updating authorizations is not allowed.
-	readTaskPerm, err := platform.NewPermissionAtID(task.ID, platform.ReadAction, platform.TasksResourceType, bootstrap.OrgID)
-	if err != nil {
-		// We should never fail to create a new permission like this.
-		return err
-	}
-	authzWithTask := &platform.Authorization{
-		UserID:      bootstrap.UserID,
-		OrgID:       bootstrap.OrgID,
-		Permissions: append([]platform.Permission{*readTaskPerm}, bootstrap.Permissions...),
-		Description: fmt.Sprintf("auto-generated authorization for task %q", task.Name),
-	}
-
-	if err := h.AuthorizationService.CreateAuthorization(ctx, authzWithTask); err != nil {
-		h.logger.Warn("Failed to finalize bootstrap authorization", zap.String("taskID", task.ID.String()))
-		// The task exists with an authorization that can't read the task.
-		return err
-	}
-
-	// Assign the new authorization...
-	u, err := h.TaskService.UpdateTask(ctx, task.ID, platform.TaskUpdate{Token: authzWithTask.Token})
-	if err != nil {
-		h.logger.Warn("Failed to assign finalized authorization", zap.String("authorizationID", bootstrap.ID.String()), zap.String("taskID", task.ID.String()))
-		// The task exists with an authorization that can't read the task,
-		// and we've created a new authorization for the task but not assigned it.
-		return err
-	}
-	*task = *u
-
-	// .. and delete the old one.
-	if err := h.AuthorizationService.DeleteAuthorization(ctx, bootstrap.ID); err != nil {
-		// Since this is the last thing we're doing, just log it if we fail to delete for some reason.
-		h.logger.Warn("Failed to delete bootstrap authorization", zap.String("authorizationID", bootstrap.ID.String()), zap.String("taskID", task.ID.String()))
-	}
-
-	return nil
-}
-
 func (h *TaskHandler) handlePostTask(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	h.logger.Debug("task create request", zap.String("r", fmt.Sprint(r)))
-	auth, err := pcontext.GetAuthorizer(ctx)
-	if err != nil {
-		err = &platform.Error{
-			Err:  err,
-			Code: platform.EUnauthorized,
-			Msg:  "failed to get authorizer",
-		}
-		h.HandleHTTPError(ctx, err, w)
-		return
-	}
 
 	req, err := decodePostTaskRequest(ctx, r)
 	if err != nil {
@@ -507,7 +398,6 @@ func (h *TaskHandler) handlePostTask(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	bootstrapAuthz, err := h.createBootstrapTaskAuthorizationIfNotExists(ctx, auth, &req.TaskCreate)
 	if err != nil {
 		h.HandleHTTPError(ctx, err, w)
 		return
@@ -526,20 +416,6 @@ func (h *TaskHandler) handlePostTask(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if bootstrapAuthz != nil {
-		// There was a bootstrapped authorization for this task.
-		// Now we need to apply the final authorization for the task.
-		if err := h.finalizeBootstrappedTaskAuthorization(ctx, bootstrapAuthz, task); err != nil {
-			err = &platform.Error{
-				Err:  err,
-				Msg:  fmt.Sprintf("successfully created task with ID %s, but failed to finalize bootstrap token for task", task.ID.String()),
-				Code: platform.EInternal,
-			}
-			h.HandleHTTPError(ctx, err, w)
-			return
-		}
-	}
-	h.logger.Debug("tasks created", zap.String("task", fmt.Sprint(task)))
 	if err := encodeResponse(ctx, w, http.StatusCreated, newTaskResponse(*task, []*platform.Label{})); err != nil {
 		logEncodingError(h.logger, r, err)
 		return
@@ -1467,6 +1343,10 @@ func (t TaskService) CreateTask(ctx context.Context, tc platform.TaskCreate) (*p
 	span, _ := tracing.StartSpanFromContext(ctx)
 	defer span.Finish()
 
+	if tc.Token == "" {
+		return nil, influxdb.ErrMissingToken
+	}
+
 	u, err := NewURL(t.Addr, tasksPath)
 	if err != nil {
 		return nil, err