feat(api): rewrite access control management in Docker (#3337)

* feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster
2025-08-04 21:35:23 +02:00 · 2019-11-13 12:41:42 +13:00 · 2019-11-13 12:41:42 +13:00 · 19d4db13be
commit 19d4db13be
parent 198e92c734
118 changed files with 3600 additions and 3020 deletions
--- a/api/http/proxy/factory/docker/volumes.go
+++ b/api/http/proxy/factory/docker/volumes.go
@ -0,0 +1,89 @@
+package docker
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/docker/docker/client"
+
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
+)
+
+const (
+	volumeObjectIdentifier = "Name"
+)
+
+func getInheritedResourceControlFromVolumeLabels(dockerClient *client.Client, volumeID string, resourceControls []portainer.ResourceControl) (*portainer.ResourceControl, error) {
+	volume, err := dockerClient.VolumeInspect(context.Background(), volumeID)
+	if err != nil {
+		return nil, err
+	}
+
+	swarmStackName := volume.Labels[resourceLabelForDockerSwarmStackName]
+	if swarmStackName != "" {
+		return portainer.GetResourceControlByResourceIDAndType(swarmStackName, portainer.StackResourceControl, resourceControls), nil
+	}
+
+	return nil, nil
+}
+
+// volumeListOperation extracts the response as a JSON object, loop through the volume array
+// decorate and/or filter the volumes based on resource controls before rewriting the response.
+func (transport *Transport) volumeListOperation(response *http.Response, executor *operationExecutor) error {
+	// VolumeList response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+	responseObject, err := responseutils.GetResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	// The "Volumes" field contains the list of volumes as an array of JSON objects
+	if responseObject["Volumes"] != nil {
+		volumeData := responseObject["Volumes"].([]interface{})
+
+		resourceOperationParameters := &resourceOperationParameters{
+			resourceIdentifierAttribute: volumeObjectIdentifier,
+			resourceType:                portainer.VolumeResourceControl,
+			labelsObjectSelector:        selectorVolumeLabels,
+		}
+
+		volumeData, err = transport.applyAccessControlOnResourceList(resourceOperationParameters, volumeData, executor)
+		if err != nil {
+			return err
+		}
+
+		// Overwrite the original volume list
+		responseObject["Volumes"] = volumeData
+	}
+
+	return responseutils.RewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// volumeInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the volume based on any existing resource control and either rewrite an access denied response or a decorated volume.
+func (transport *Transport) volumeInspectOperation(response *http.Response, executor *operationExecutor) error {
+	// VolumeInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
+	responseObject, err := responseutils.GetResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	resourceOperationParameters := &resourceOperationParameters{
+		resourceIdentifierAttribute: volumeObjectIdentifier,
+		resourceType:                portainer.VolumeResourceControl,
+		labelsObjectSelector:        selectorVolumeLabels,
+	}
+
+	return transport.applyAccessControlOnResource(resourceOperationParameters, responseObject, response, executor)
+}
+
+// selectorVolumeLabels retrieve the labels object associated to the volume object.
+// Labels are available under the "Labels" property.
+// API schema references:
+// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
+// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func selectorVolumeLabels(responseObject map[string]interface{}) map[string]interface{} {
+	return responseutils.GetJSONObject(responseObject, "Labels")
+}