portainer/api/internal/registryutils/access/access.go

package access

import (
	"fmt"
	portainer "github.com/portainer/portainer/api"
	"github.com/portainer/portainer/api/http/security"
)

func hasPermission(
	dataStore portainer.DataStore,
	userID portainer.UserID,
	endpointID portainer.EndpointID,
	registry *portainer.Registry,
) (hasPermission bool, err error) {
	user, err := dataStore.User().User(userID)
	if err != nil {
		return
	}

	if user.Role == portainer.AdministratorRole {
		return true, err
	}

	teamMemberships, err := dataStore.TeamMembership().TeamMembershipsByUserID(userID)
	if err != nil {
		return
	}

	hasPermission = security.AuthorizedRegistryAccess(registry, user, teamMemberships, endpointID)

	return
}

// GetAccessibleRegistry get the registry if the user has permission
func GetAccessibleRegistry(
	dataStore portainer.DataStore,
	userID portainer.UserID,
	endpointID portainer.EndpointID,
	registryID portainer.RegistryID,
) (registry *portainer.Registry, err error) {

	registry, err = dataStore.Registry().Registry(registryID)
	if err != nil {
		return
	}

	hasPermission, err := hasPermission(dataStore, userID, endpointID, registry)
	if err != nil {
		return
	}

	if !hasPermission {
		err = fmt.Errorf("user does not has permission to get the registry")
		return nil, err
	}

	return
}
feat(webhook) EE-2125 send registry auth haeder when update swarms service via webhook (#6220) * feat(webhook) EE-2125 add some helpers to registry utils * feat(webhook) EE-2125 persist registryID when creating a webhook * feat(webhook) EE-2125 send registry auth header when executing a webhook * feat(webhook) EE-2125 send registryID to backend when creating a service with webhook * feat(webhook) EE-2125 use the initial registry ID to create webhook on editing service screen * feat(webhook) EE-2125 update webhook when update registry * feat(webhook) EE-2125 add endpoint of update webhook * feat(webhook) EE-2125 code cleanup * feat(webhook) EE-2125 fix a typo * feat(webhook) EE-2125 fix circle import issue with unit test Co-authored-by: Simon Meng <simon.meng@portainer.io> 2021-12-07 09:11:44 +13:00			`package access`

			`import (`
			`"fmt"`
			`portainer "github.com/portainer/portainer/api"`
			`"github.com/portainer/portainer/api/http/security"`
			`)`

			`func hasPermission(`
			`dataStore portainer.DataStore,`
			`userID portainer.UserID,`
			`endpointID portainer.EndpointID,`
			`registry *portainer.Registry,`
			`) (hasPermission bool, err error) {`
			`user, err := dataStore.User().User(userID)`
			`if err != nil {`
			`return`
			`}`

			`if user.Role == portainer.AdministratorRole {`
			`return true, err`
			`}`

			`teamMemberships, err := dataStore.TeamMembership().TeamMembershipsByUserID(userID)`
			`if err != nil {`
			`return`
			`}`

			`hasPermission = security.AuthorizedRegistryAccess(registry, user, teamMemberships, endpointID)`

			`return`
			`}`

			`// GetAccessibleRegistry get the registry if the user has permission`
			`func GetAccessibleRegistry(`
			`dataStore portainer.DataStore,`
			`userID portainer.UserID,`
			`endpointID portainer.EndpointID,`
			`registryID portainer.RegistryID,`
			`) (registry *portainer.Registry, err error) {`

			`registry, err = dataStore.Registry().Registry(registryID)`
			`if err != nil {`
			`return`
			`}`

			`hasPermission, err := hasPermission(dataStore, userID, endpointID, registry)`
			`if err != nil {`
			`return`
			`}`

			`if !hasPermission {`
			`err = fmt.Errorf("user does not has permission to get the registry")`
			`return nil, err`
			`}`

			`return`
			`}`