fix: scope user resources correctly for custom api token (#3905)

Author: TCL735

src/authorizations/components/CustomApiTokenOverlay.tsx

@@ -35,6 +35,7 @@ import {AppState, ResourceType, Authorization} from 'src/types'
 import {Bucket, Telegraf} from 'src/client'
 
 // Seletors
+import {getMe} from 'src/me/selectors'
 import {getOrg} from 'src/organizations/selectors'
 import {getAll} from 'src/resources/selectors'
 import {getResourcesStatus} from 'src/resources/selectors/getResourcesStatus'
@@ -59,6 +60,7 @@ interface StateProps {
   remoteDataState: RemoteDataState
   orgID: string
   orgName: string
+  meID: string
 }
 interface DispatchProps {
   getBuckets: () => void
@@ -231,8 +233,13 @@ const CustomApiTokenOverlay: FC<Props> = props => {
   }
 
   const generateToken = async () => {
-    const {orgID, showOverlay, orgName, createAuthorization} = props
-    const apiPermissions = formatApiPermissions(permissions, orgID, orgName)
+    const {meID, orgID, showOverlay, orgName, createAuthorization} = props
+    const apiPermissions = formatApiPermissions(
+      permissions,
+      meID,
+      orgID,
+      orgName
+    )
 
     const token: Authorization = {
       orgID: orgID,
@@ -384,6 +391,7 @@ const mstp = (state: AppState) => {
     remoteDataState,
     orgID: getOrg(state).id,
     orgName: getOrg(state).name,
+    meID: getMe(state).id,
   }
 }
 

src/authorizations/utils/permissions.test.ts

@@ -708,6 +708,7 @@ const apiPermission5 = [
     },
   },
 ]
+
 test('all-access tokens/authorizations production test', () => {
   if (CLOUD) {
     expect(allAccessPermissions('bulldogs', 'mario')).toMatchObject(cloudHvhs)
@@ -744,6 +745,7 @@ describe('generateDescription method', () => {
   })
 })
 
+const meID = '08e1982cb86af000'
 const orgID = 'ba9198e037d35d4d'
 const orgName = 'dev'
 const monitoringID = '25a6692ba25d7147'
@@ -868,26 +870,62 @@ const orgsApiPerm = [
 describe('Testing formatApiPermissions function', () => {
   test('does it convert all access permission object into api permission', () => {
     expect(
-      formatApiPermissions(allAccessAccordionPerms, orgID, orgName)
+      formatApiPermissions(allAccessAccordionPerms, meID, orgID, orgName)
     ).toMatchObject(allAccessApiPerm)
   })
+
   test('does it convert non-all access permission object into api permission', () => {
     expect(
-      formatApiPermissions(nonAllAcessAccordionPerms, orgID, orgName)
+      formatApiPermissions(nonAllAcessAccordionPerms, meID, orgID, orgName)
     ).toMatchObject(nonAllAcessApiPerms)
   })
+
   test('does it convert orgs permission object into api permission', () => {
     expect(
-      formatApiPermissions(orgsAccordionPerm, orgID, orgName)
+      formatApiPermissions(orgsAccordionPerm, meID, orgID, orgName)
     ).toMatchObject(orgsApiPerm)
   })
+
+  test('if custom api token for users has correct scope', () => {
+    const permissions = {
+      annotations: {read: false, write: false},
+      authorizations: {read: false, write: false},
+      buckets: {
+        read: false,
+        write: false,
+        sublevelPermissions: {
+          '3a64ac1f8ade33ef': {
+            id: '3a64ac1f8ade33ef',
+            name: 'devbucket',
+            orgID,
+            permissions: {read: false, write: false},
+          },
+        },
+      },
+      orgs: {read: false, write: false},
+      users: {read: true, write: true},
+    }
+
+    expect(formatApiPermissions(permissions, meID, orgID, orgName)).toEqual([
+      {
+        action: 'read',
+        resource: {id: meID, type: 'users'},
+      },
+      {
+        action: 'write',
+        resource: {id: meID, type: 'users'},
+      },
+    ])
+  })
 })
+
 describe('Testing formatPermissionsObj function', () => {
   test('for api permissions with IDs, it creates perms with sublevel permissions', () => {
     expect(formatPermissionsObj(nonAllAcessApiPerms)).toMatchObject(
       nonAllAcessAccordionPerms2
     )
   })
+
   test('for all access permissions, it creates an all access accordion api permission', () => {
     expect(formatPermissionsObj(orgsApiPerm)).toMatchObject(orgsAccordionPerm)
   })

src/authorizations/utils/permissions.ts

@@ -169,7 +169,7 @@ export const formatPermissionsObj = permissions => {
   return newPerms
 }
 
-export const formatApiPermissions = (permissions, orgID, orgName) => {
+export const formatApiPermissions = (permissions, meID, orgID, orgName) => {
   const apiPerms = []
   Object.keys(permissions).forEach(key => {
     if (key === 'otherResources') {
@@ -185,6 +185,14 @@ export const formatApiPermissions = (permissions, orgID, orgName) => {
             type: key,
           },
         })
+      } else if (key === 'users') {
+        apiPerms.push({
+          action: 'read',
+          resource: {
+            id: meID,
+            type: key,
+          },
+        })
       } else {
         apiPerms.push({
           action: 'read',
@@ -205,6 +213,14 @@ export const formatApiPermissions = (permissions, orgID, orgName) => {
             type: key,
           },
         })
+      } else if (key === 'users') {
+        apiPerms.push({
+          action: 'write',
+          resource: {
+            id: meID,
+            type: key,
+          },
+        })
       } else {
         apiPerms.push({
           action: 'write',