From 46ade4d94afce697fa034acf3233ff151c096dc1 Mon Sep 17 00:00:00 2001
From: William Baker
Date: Mon, 23 Aug 2021 09:47:12 -0600
Subject: [PATCH] fix: auth requests use org and user names if present (#22272)
* fix: auth requests use org and user names if present
* chore: update CHANGELOG
---
 CHANGELOG.md | 1 +
 authorization/http_server.go | 22 +++++++-------
 authorization/http_server_test.go | 50 +++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0a2ec923d09..63dba97e523 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -83,6 +83,7 @@ This release adds an embedded SQLite database for storing metadata required by t
 1. [#22228](https://github.com/influxdata/influxdb/pull/22228): influxdb2 packages should depend on curl
 1. [#22211](https://github.com/influxdata/influxdb/pull/22211): Prevent scheduling an inactivated tasks after updating it
 1. [#22235](https://github.com/influxdata/influxdb/pull/22235): Avoid compaction queue stats flutter
+1. [#22272](https://github.com/influxdata/influxdb/pull/22272): Requests to `/api/v2/authorizations` filter correctly on `org` and `user` parameters
 ## v2.0.7 [2021-06-04]
diff --git a/authorization/http_server.go b/authorization/http_server.go
index 731fd50c8da..1bc01b9c7b5 100644
--- a/authorization/http_server.go
+++ b/authorization/http_server.go
@@ -391,17 +391,9 @@ func (h *AuthHandler) handleGetAuthorizations(w http.ResponseWriter, r *http.Req
 return
 }
- opts := influxdb.FindOptions{}
- as, _, err := h.authSvc.FindAuthorizations(ctx, req.filter, opts)
-
- if err != nil {
- h.api.Err(w, r, err)
- return
- }
-
 f := req.filter
- // If the user or org name was provided, look up the ID first
- if f.User != nil {
+ // Look up user ID and org ID if they were not provided, but names were
+ if f.UserID == nil && f.User != nil {
 u, err := h.tenantService.FindUser(ctx, influxdb.UserFilter{Name: f.User})
 if err != nil {
 h.api.Err(w, r, err)
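Review bot: In `handleGetAuthorizations`, the new guard `if f.UserID == nil && f.User != nil` silently drops the `user` name whenever an ID is also supplied, and the matching `f.OrgID == nil && f.Org != nil` guard in the next hunk does the same for `org`. Unless the request decoder already rejects that combination (not visible here), a request whose name and ID disagree is answered for the ID with no error. For an endpoint that lists authorization tokens, rejecting the mismatch is safer than silently picking one side, for example by still resolving the name and returning an invalid-request error when `u.ID != *f.UserID`. Separately, errors from `h.tenantService.FindUser` and `FindOrganization` go straight to `h.api.Err`, so it is worth confirming that this `tenantService` is the permission-checked wrapper; otherwise the response distinguishes existing names from missing ones before any authorization filtering runs. The function body starts and ends outside this hunk.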
@@ -410,7 +402,7 @@ func (h *AuthHandler) handleGetAuthorizations(w http.ResponseWriter, r *http.Req
 f.UserID = &u.ID
 }
- if f.Org != nil {
+ if f.OrgID == nil && f.Org != nil {
 o, err := h.tenantService.FindOrganization(ctx, influxdb.OrganizationFilter{Name: f.Org})
 if err != nil {
 h.api.Err(w, r, err)
@@ -419,6 +411,14 @@ func (h *AuthHandler) handleGetAuthorizations(w http.ResponseWriter, r *http.Req
 f.OrgID = &o.ID
 }
+ opts := influxdb.FindOptions{}
+ as, _, err := h.authSvc.FindAuthorizations(ctx, f, opts)
+
+ if err != nil {
+ h.api.Err(w, r, err)
+ return
+ }
+
 auths := make([]*authResponse, 0, len(as))
 for _, a := range as {
 ps, err := h.newPermissionsResponse(ctx, a.Permissions)
diff --git a/authorization/http_server_test.go b/authorization/http_server_test.go
index 9675a4bf0bb..9bf489419b0 100644
--- a/authorization/http_server_test.go
+++ b/authorization/http_server_test.go
@@ -13,6 +13,7 @@ import (
 "github.com/influxdata/influxdb/v2/kit/platform"
 "github.com/influxdata/influxdb/v2/kit/platform/errors"
+ "github.com/stretchr/testify/require"
 "github.com/go-chi/chi"
 "github.com/google/go-cmp/cmp"
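Review bot: The relocated `h.authSvc.FindAuthorizations(ctx, f, opts)` call in the third `authorization/http_server.go` hunk (`@@ -419,6 +411,14 @@`) carries no comment saying why it must come after the name lookups. That ordering is what the removed code got wrong: it queried with `req.filter` before `UserID` and `OrgID` were filled in. Because the result is a list of authorizations, a comment above the call would guard against the same regression, for example `// Query only after user/org names are resolved to IDs, so the filter is fully populated.` That the store filters on the IDs rather than the names is inferred from the CHANGELOG entry, not from code shown here, so adjust the wording to match. The enclosing function continues outside the hunk.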
@@ -394,6 +395,55 @@ func TestService_handleGetAuthorization(t *testing.T) {
 }
 }
+func TestGetAuthorizationsWithNames(t *testing.T) {
+ t.Parallel()
+
+ testUserName := "user"
+ testUserID := itesting.MustIDBase16("6c7574652c206f6e")
+ testOrgName := "org"
+ testOrgID := itesting.MustIDBase16("9d70616e656d2076")
+
+ ts := &tenantService{
+ FindUserFn: func(ctx context.Context, f influxdb.UserFilter) (*influxdb.User, error) {
+ require.Equal(t, &testUserName, f.Name)
+
+ return &influxdb.User{
+ ID: testUserID,
+ Name: testUserName,
+ }, nil
+ },
+
+ FindOrganizationF: func(ctx context.Context, f influxdb.OrganizationFilter) (*influxdb.Organization, error) {
+ require.Equal(t, &testOrgName, f.Name)
+
+ return &influxdb.Organization{
+ ID: testOrgID,
+ Name: testOrgName,
+ }, nil
+ },
+ }
+
+ as := &mock.AuthorizationService{
+ FindAuthorizationsFn: func(ctx context.Context, f influxdb.AuthorizationFilter, opts ...influxdb.FindOptions) ([]*influxdb.Authorization, int, error) {
+ require.Equal(t, &testOrgID, f.OrgID)
+ require.Equal(t, &testUserID, f.UserID)
+
+ return []*influxdb.Authorization{}, 0, nil
+ },
+ }
+
+ h := NewHTTPAuthHandler(zaptest.NewLogger(t), as, ts)
+
+ w := httptest.NewRecorder()
+ r := httptest.NewRequest("get", "http://any.url", nil)
+ qp := r.URL.Query()
+ qp.Add("user", testUserName)
+ qp.Add("org", testOrgName)
+ r.URL.RawQuery = qp.Encode()
+
+ h.handleGetAuthorizations(w, r)
+}
+
 func TestService_handleGetAuthorizations(t *testing.T) {
 type fields struct {
 AuthorizationService influxdb.AuthorizationService
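Review bot: `TestGetAuthorizationsWithNames` ends at `h.handleGetAuthorizations(w, r)` without inspecting the recorder, and every `require.Equal` sits inside a mock callback. If the handler returns before reaching `FindAuthorizationsFn`, no filter assertion runs and the test still passes. Assert the outcome after the call, e.g. `require.Equal(t, http.StatusOK, w.Code)`, and set a flag inside `FindAuthorizationsFn` that is asserted true afterwards. The branches the new `== nil` guards introduce are also untested: a request carrying both an ID and a name, and a lookup where `FindUserFn` or `FindOrganizationF` returns an error.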