feat(api): rewrite access control management in Docker (#3337)

* feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster
2025-07-24 15:59:41 +02:00 · 2019-11-13 12:41:42 +13:00 · 2019-11-13 12:41:42 +13:00 · 19d4db13be
commit 19d4db13be
parent 198e92c734
118 changed files with 3600 additions and 3020 deletions
--- a/api/http/security/authorization.go
+++ b/api/http/security/authorization.go
@ -4,40 +4,6 @@ import (
 	"github.com/portainer/portainer/api"
 )

-// AuthorizedResourceControlDeletion ensure that the user can delete a resource control object.
-// A non-administrator user cannot delete a resource control where:
-// * the Public flag is false
-// * he is not one of the users in the user accesses
-// * he is not a member of any team within the team accesses
-func AuthorizedResourceControlDeletion(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool {
-	if context.IsAdmin || resourceControl.Public {
-		return true
-	}
-
-	userAccessesCount := len(resourceControl.UserAccesses)
-	teamAccessesCount := len(resourceControl.TeamAccesses)
-
-	if teamAccessesCount > 0 {
-		for _, access := range resourceControl.TeamAccesses {
-			for _, membership := range context.UserMemberships {
-				if membership.TeamID == access.TeamID {
-					return true
-				}
-			}
-		}
-	}
-
-	if userAccessesCount > 0 {
-		for _, access := range resourceControl.UserAccesses {
-			if access.UserID == context.UserID {
-				return true
-			}
-		}
-	}
-
-	return false
-}
-
 // AuthorizedResourceControlAccess checks whether the user can alter an existing resource control.
 func AuthorizedResourceControlAccess(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool {
 	if context.IsAdmin || resourceControl.Public {
@ -62,30 +28,22 @@ func AuthorizedResourceControlAccess(resourceControl *portainer.ResourceControl,
 }

 // AuthorizedResourceControlUpdate ensure that the user can update a resource control object.
-// It reuses the creation restrictions and adds extra checks.
-// A non-administrator user cannot update a resource control where:
-// * he wants to put one or more user in the user accesses
-func AuthorizedResourceControlUpdate(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool {
-	userAccessesCount := len(resourceControl.UserAccesses)
-	if !context.IsAdmin && userAccessesCount > 0 {
-		return false
-	}
-
-	return AuthorizedResourceControlCreation(resourceControl, context)
-}
-
-// AuthorizedResourceControlCreation ensure that the user can create a resource control object.
 // A non-administrator user cannot create a resource control where:
 // * the Public flag is set false
+// * the AdministatorsOnly flag is set to true
 // * he wants to create a resource control without any user/team accesses
 // * he wants to add more than one user in the user accesses
 // * he wants to add a user in the user accesses that is not corresponding to its id
 // * he wants to add a team he is not a member of
-func AuthorizedResourceControlCreation(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool {
+func AuthorizedResourceControlUpdate(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool {
 	if context.IsAdmin || resourceControl.Public {
 		return true
 	}

+	if resourceControl.AdministratorsOnly {
+		return false
+	}
+
 	userAccessesCount := len(resourceControl.UserAccesses)
 	teamAccessesCount := len(resourceControl.TeamAccesses)

@ -133,15 +91,6 @@ func AuthorizedTeamManagement(teamID portainer.TeamID, context *RestrictedReques
 	return false
 }

-// AuthorizedUserManagement ensure that access to the management of the specified user is granted.
-// It will check if the user is either administrator or the owner of the user account.
-func AuthorizedUserManagement(userID portainer.UserID, context *RestrictedRequestContext) bool {
-	if context.IsAdmin || context.UserID == userID {
-		return true
-	}
-	return false
-}
-
 // authorizedEndpointAccess ensure that the user can access the specified endpoint.
 // It will check if the user is part of the authorized users or part of a team that is
 // listed in the authorized teams of the endpoint and the associated group.