fix: remove empty db and collection from privileges (#2583)

mcasimir · gribnoysup · web-flow · commit 3581237bf1f3 · 2021-11-12T10:38:11.000+01:00
* fix: remove undefined from db and collection list

* allow empty collection names

* chore(data-service): Clarify what exactly we are skipping when extracting dbs and colls from privileges

Co-authored-by: Sergey Petushkov &lt;petushkov.sergey@gmail.com&gt;
diff --git a/packages/data-service/src/instance-detail-helper.spec.ts b/packages/data-service/src/instance-detail-helper.spec.ts
@@ -253,6 +253,65 @@ describe('instance-detail-helper', function () {
       expect(dbs).to.have.nested.property('foo.bar').deep.eq([]);
     });
 
+    context('with known resources', function () {
+      it('ignores cluster privileges', function () {
+        const dbs = extractPrivilegesByDatabaseAndCollection([
+          { resource: { db: 'foo', collection: 'bar' }, actions: [] },
+          { resource: { db: 'buz', collection: 'bla' }, actions: [] },
+          { resource: { cluster: true }, actions: [] },
+        ]);
+
+        expect(dbs).to.deep.eq({
+          foo: {
+            bar: [],
+          },
+          buz: {
+            bla: [],
+          },
+        });
+      });
+
+      it('ignores anyResource privileges', function () {
+        const dbs = extractPrivilegesByDatabaseAndCollection([
+          { resource: { db: 'foo', collection: 'bar' }, actions: [] },
+          { resource: { db: 'buz', collection: 'bla' }, actions: [] },
+          { resource: { anyResource: true }, actions: [] },
+        ]);
+
+        expect(dbs).to.deep.eq({
+          foo: {
+            bar: [],
+          },
+          buz: {
+            bla: [],
+          },
+        });
+      });
+    });
+
+    context('with unknown resources', function () {
+      it("ignores everything that doesn't have database and collection in resource", function () {
+        const dbs = extractPrivilegesByDatabaseAndCollection([
+          { resource: { db: 'foo', collection: 'bar' }, actions: [] },
+          { resource: { db: 'buz', collection: 'bla' }, actions: [] },
+          { resource: { this: true }, actions: [] },
+          { resource: { is: true }, actions: [] },
+          { resource: { not: true }, actions: [] },
+          { resource: { valid: true }, actions: [] },
+          { resource: { resource: true }, actions: [] },
+        ] as any);
+
+        expect(dbs).to.deep.eq({
+          foo: {
+            bar: [],
+          },
+          buz: {
+            bla: [],
+          },
+        });
+      });
+    });
+
     it('keeps records for all collections in a database', function () {
       const dbs = extractPrivilegesByDatabaseAndCollection([
         { resource: { db: 'foo', collection: 'bar' }, actions: [] },
diff --git a/packages/data-service/src/instance-detail-helper.ts b/packages/data-service/src/instance-detail-helper.ts
@@ -176,14 +176,26 @@ export function extractPrivilegesByDatabaseAndCollection(
 
   const result: DatabaseCollectionPrivileges = {};
 
-  for (const {
-    resource: { db, collection },
-    actions,
-  } of filteredPrivileges) {
-    if (result[db]) {
-      Object.assign(result[db], { [collection]: actions });
-    } else {
-      result[db] = { [collection]: actions };
+  for (const { resource, actions } of filteredPrivileges) {
+    // Documented resources include roles for dbs/colls, cluster, or in rare cases
+    // anyResource, additionally there seem to be undocumented ones like
+    // system_buckets and who knows what else. To make sure we are only cover
+    // cases that we can meaningfully handle here, roles for the
+    // databases/collections, we are skipping all roles where these are
+    // undefined
+    //
+    // See: https://docs.mongodb.com/manual/reference/resource-document/#std-label-resource-document
+    if (
+      typeof resource.db !== 'undefined' &&
+      typeof resource.collection !== 'undefined'
+    ) {
+      const { db, collection } = resource;
+
+      if (result[db]) {
+        Object.assign(result[db], { [collection]: actions });
+      } else {
+        result[db] = { [collection]: actions };
+      }
     }
   }
 
@@ -216,14 +228,6 @@ function isNotAuthorized(err: AnyError) {
   return new RegExp('not (authorized|allowed)').test(msg);
 }
 
-function isMongosLocalException(err: AnyError) {
-  if (!err) {
-    return false;
-  }
-  const msg = err.message || JSON.stringify(err);
-  return new RegExp('database through mongos').test(msg);
-}
-
 function ignoreNotAuthorized<T>(fallback: T): (err: AnyError) => Promise<T> {
   return (err: AnyError) => {
     if (isNotAuthorized(err)) {
diff --git a/packages/data-service/src/run-command.ts b/packages/data-service/src/run-command.ts
@@ -11,7 +11,20 @@ export type ConnectionStatus = {
 export type ConnectionStatusWithPrivileges = ConnectionStatus & {
   authInfo: {
     authenticatedUserPrivileges: {
-      resource: { db: string; collection: string };
+      resource:
+        | { db?: never; collection?: never; cluster: true; anyResource?: never }
+        | {
+            db: string;
+            collection: string;
+            cluster?: never;
+            anyResource?: never;
+          }
+        | {
+            db?: never;
+            collection?: never;
+            cluster?: never;
+            anyResource: true;
+          };
       actions: string[];
     }[];
   };
