feat(endpoint-groups): add endpoint-groups (#1837)

2025-08-03 04:45:21 +02:00 · 2018-04-26 18:08:46 +02:00 · 2018-04-26 18:08:46 +02:00 · 1162549209
commit 1162549209
parent 2ffcb946b1
58 changed files with 1838 additions and 265 deletions
--- a/api/http/security/authorization.go
+++ b/api/http/security/authorization.go
@ -124,34 +124,37 @@ func AuthorizedUserManagement(userID portainer.UserID, context *RestrictedReques

 // AuthorizedEndpointAccess ensure that the user can access the specified endpoint.
 // It will check if the user is part of the authorized users or part of a team that is
+// listed in the authorized teams of the endpoint and the associated group.
+func AuthorizedEndpointAccess(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	groupAccess := authorizedAccess(userID, memberships, endpointGroup.AuthorizedUsers, endpointGroup.AuthorizedTeams)
+	if !groupAccess {
+		return authorizedAccess(userID, memberships, endpoint.AuthorizedUsers, endpoint.AuthorizedTeams)
+	}
+	return true
+}
+
+// AuthorizedEndpointGroupAccess ensure that the user can access the specified endpoint group.
+// It will check if the user is part of the authorized users or part of a team that is
 // listed in the authorized teams.
-func AuthorizedEndpointAccess(endpoint *portainer.Endpoint, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
-	for _, authorizedUserID := range endpoint.AuthorizedUsers {
-		if authorizedUserID == userID {
-			return true
-		}
-	}
-	for _, membership := range memberships {
-		for _, authorizedTeamID := range endpoint.AuthorizedTeams {
-			if membership.TeamID == authorizedTeamID {
-				return true
-			}
-		}
-	}
-	return false
+func AuthorizedEndpointGroupAccess(endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
+	return authorizedAccess(userID, memberships, endpointGroup.AuthorizedUsers, endpointGroup.AuthorizedTeams)
 }

 // AuthorizedRegistryAccess ensure that the user can access the specified registry.
 // It will check if the user is part of the authorized users or part of a team that is
 // listed in the authorized teams.
 func AuthorizedRegistryAccess(registry *portainer.Registry, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
-	for _, authorizedUserID := range registry.AuthorizedUsers {
+	return authorizedAccess(userID, memberships, registry.AuthorizedUsers, registry.AuthorizedTeams)
+}
+
+func authorizedAccess(userID portainer.UserID, memberships []portainer.TeamMembership, authorizedUsers []portainer.UserID, authorizedTeams []portainer.TeamID) bool {
+	for _, authorizedUserID := range authorizedUsers {
 		if authorizedUserID == userID {
 			return true
 		}
 	}
 	for _, membership := range memberships {
-		for _, authorizedTeamID := range registry.AuthorizedTeams {
+		for _, authorizedTeamID := range authorizedTeams {
 			if membership.TeamID == authorizedTeamID {
 				return true
 			}
--- a/api/http/security/filter.go
+++ b/api/http/security/filter.go
@ -79,15 +79,17 @@ func FilterRegistries(registries []portainer.Registry, context *RestrictedReques
 }

 // FilterEndpoints filters endpoints based on user role and team memberships.
-// Non administrator users only have access to authorized endpoints.
-func FilterEndpoints(endpoints []portainer.Endpoint, context *RestrictedRequestContext) ([]portainer.Endpoint, error) {
+// Non administrator users only have access to authorized endpoints (can be inherited via endoint groups).
+func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.EndpointGroup, context *RestrictedRequestContext) ([]portainer.Endpoint, error) {
 	filteredEndpoints := endpoints

 	if !context.IsAdmin {
 		filteredEndpoints = make([]portainer.Endpoint, 0)

 		for _, endpoint := range endpoints {
-			if AuthorizedEndpointAccess(&endpoint, context.UserID, context.UserMemberships) {
+			endpointGroup := getAssociatedGroup(&endpoint, groups)
+
+			if AuthorizedEndpointAccess(&endpoint, endpointGroup, context.UserID, context.UserMemberships) {
 				filteredEndpoints = append(filteredEndpoints, endpoint)
 			}
 		}
@ -95,3 +97,30 @@ func FilterEndpoints(endpoints []portainer.Endpoint, context *RestrictedRequestC

 	return filteredEndpoints, nil
 }
+
+// FilterEndpointGroups filters endpoint groups based on user role and team memberships.
+// Non administrator users only have access to authorized endpoint groups.
+func FilterEndpointGroups(endpointGroups []portainer.EndpointGroup, context *RestrictedRequestContext) ([]portainer.EndpointGroup, error) {
+	filteredEndpointGroups := endpointGroups
+
+	if !context.IsAdmin {
+		filteredEndpointGroups = make([]portainer.EndpointGroup, 0)
+
+		for _, group := range endpointGroups {
+			if AuthorizedEndpointGroupAccess(&group, context.UserID, context.UserMemberships) {
+				filteredEndpointGroups = append(filteredEndpointGroups, group)
+			}
+		}
+	}
+
+	return filteredEndpointGroups, nil
+}
+
+func getAssociatedGroup(endpoint *portainer.Endpoint, groups []portainer.EndpointGroup) *portainer.EndpointGroup {
+	for _, group := range groups {
+		if group.ID == endpoint.GroupID {
+			return &group
+		}
+	}
+	return nil
+}