feat(agent): add agent support (#1828)

2025-07-24 15:59:41 +02:00 · 2018-05-06 09:15:57 +02:00 · 2018-05-06 09:15:57 +02:00 · 2327d696e0
commit 2327d696e0
parent 77a85bd385
116 changed files with 1900 additions and 689 deletions
--- a/api/http/proxy/access_control.go
+++ b/api/http/proxy/access_control.go
@ -98,9 +98,12 @@ func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.Team
 }

 func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
-	metadata := make(map[string]interface{})
-	metadata["ResourceControl"] = resourceControl
-	object["Portainer"] = metadata
+	if object["Portainer"] == nil {
+		object["Portainer"] = make(map[string]interface{})
+	}
+
+	portainerMetadata := object["Portainer"].(map[string]interface{})
+	portainerMetadata["ResourceControl"] = resourceControl
 	return object
 }

--- a/api/http/proxy/configs.go
+++ b/api/http/proxy/configs.go
@ -14,7 +14,7 @@ const (

 // configListOperation extracts the response as a JSON object, loop through the configs array
 // decorate and/or filter the configs based on resource controls before rewriting the response
-func configListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func configListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error

 	// ConfigList response is a JSON array
@ -39,7 +39,7 @@ func configListOperation(request *http.Request, response *http.Response, executo
 // configInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the config based on resource control (check are done based on the configID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated config.
-func configInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func configInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ConfigInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigInspect
 	responseObject, err := getResponseAsJSONOBject(response)
--- a/api/http/proxy/containers.go
+++ b/api/http/proxy/containers.go
@ -16,7 +16,7 @@ const (

 // containerListOperation extracts the response as a JSON object, loop through the containers array
 // decorate and/or filter the containers based on resource controls before rewriting the response
-func containerListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func containerListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ContainerList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
@ -47,7 +47,7 @@ func containerListOperation(request *http.Request, response *http.Response, exec
 // containerInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the container based on resource control (check are done based on the containerID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated container.
-func containerInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func containerInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ContainerInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
 	responseObject, err := getResponseAsJSONOBject(response)
--- a/api/http/proxy/factory.go
+++ b/api/http/proxy/factory.go
@ -17,6 +17,7 @@ type proxyFactory struct {
 	SettingsService        portainer.SettingsService
 	RegistryService        portainer.RegistryService
 	DockerHubService       portainer.DockerHubService
+	SignatureService       portainer.DigitalSignatureService
 }

 func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
@ -24,10 +25,11 @@ func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
 	return newSingleHostReverseProxyWithHostHeader(u)
 }

-func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, endpoint *portainer.Endpoint) (http.Handler, error) {
+func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, tlsConfig *portainer.TLSConfiguration, enableSignature bool) (http.Handler, error) {
 	u.Scheme = "https"
-	proxy := factory.createDockerReverseProxy(u)
-	config, err := crypto.CreateTLSConfiguration(&endpoint.TLSConfig)
+
+	proxy := factory.createDockerReverseProxy(u, enableSignature)
+	config, err := crypto.CreateTLSConfiguration(tlsConfig)
 	if err != nil {
 		return nil, err
 	}
@ -36,14 +38,15 @@ func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, endpoint *portainer
 	return proxy, nil
 }

-func (factory *proxyFactory) newDockerHTTPProxy(u *url.URL) http.Handler {
+func (factory *proxyFactory) newDockerHTTPProxy(u *url.URL, enableSignature bool) http.Handler {
 	u.Scheme = "http"
-	return factory.createDockerReverseProxy(u)
+	return factory.createDockerReverseProxy(u, enableSignature)
 }

 func (factory *proxyFactory) newDockerSocketProxy(path string) http.Handler {
 	proxy := &socketProxy{}
 	transport := &proxyTransport{
+		enableSignature:        false,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
@ -55,9 +58,10 @@ func (factory *proxyFactory) newDockerSocketProxy(path string) http.Handler {
 	return proxy
 }

-func (factory *proxyFactory) createDockerReverseProxy(u *url.URL) *httputil.ReverseProxy {
+func (factory *proxyFactory) createDockerReverseProxy(u *url.URL, enableSignature bool) *httputil.ReverseProxy {
 	proxy := newSingleHostReverseProxyWithHostHeader(u)
 	transport := &proxyTransport{
+		enableSignature:        enableSignature,
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
@ -65,6 +69,11 @@ func (factory *proxyFactory) createDockerReverseProxy(u *url.URL) *httputil.Reve
 		DockerHubService:       factory.DockerHubService,
 		dockerTransport:        &http.Transport{},
 	}
+
+	if enableSignature {
+		transport.SignatureService = factory.SignatureService
+	}
+
 	proxy.Transport = transport
 	return proxy
 }
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@ -9,24 +9,37 @@ import (
 	"github.com/portainer/portainer"
 )

-// Manager represents a service used to manage Docker proxies.
-type Manager struct {
-	proxyFactory     *proxyFactory
-	proxies          cmap.ConcurrentMap
-	extensionProxies cmap.ConcurrentMap
-}
+type (
+	// Manager represents a service used to manage Docker proxies.
+	Manager struct {
+		proxyFactory     *proxyFactory
+		proxies          cmap.ConcurrentMap
+		extensionProxies cmap.ConcurrentMap
+	}
+
+	// ManagerParams represents the required parameters to create a new Manager instance.
+	ManagerParams struct {
+		ResourceControlService portainer.ResourceControlService
+		TeamMembershipService  portainer.TeamMembershipService
+		SettingsService        portainer.SettingsService
+		RegistryService        portainer.RegistryService
+		DockerHubService       portainer.DockerHubService
+		SignatureService       portainer.DigitalSignatureService
+	}
+)

 // NewManager initializes a new proxy Service
-func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService, settingsService portainer.SettingsService, registryService portainer.RegistryService, dockerHubService portainer.DockerHubService) *Manager {
+func NewManager(parameters *ManagerParams) *Manager {
 	return &Manager{
 		proxies:          cmap.New(),
 		extensionProxies: cmap.New(),
 		proxyFactory: &proxyFactory{
-			ResourceControlService: resourceControlService,
-			TeamMembershipService:  teamMembershipService,
-			SettingsService:        settingsService,
-			RegistryService:        registryService,
-			DockerHubService:       dockerHubService,
+			ResourceControlService: parameters.ResourceControlService,
+			TeamMembershipService:  parameters.TeamMembershipService,
+			SettingsService:        parameters.SettingsService,
+			RegistryService:        parameters.RegistryService,
+			DockerHubService:       parameters.DockerHubService,
+			SignatureService:       parameters.SignatureService,
 		},
 	}
 }
@ -41,14 +54,19 @@ func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (ht
 		return nil, err
 	}

+	enableSignature := false
+	if endpoint.Type == portainer.AgentOnDockerEnvironment {
+		enableSignature = true
+	}
+
 	if endpointURL.Scheme == "tcp" {
-		if endpoint.TLSConfig.TLS {
-			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, endpoint)
+		if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
+			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, &endpoint.TLSConfig, enableSignature)
 			if err != nil {
 				return nil, err
 			}
 		} else {
-			proxy = manager.proxyFactory.newDockerHTTPProxy(endpointURL)
+			proxy = manager.proxyFactory.newDockerHTTPProxy(endpointURL, enableSignature)
 		}
 	} else {
 		// Assume unix:// scheme
--- a/api/http/proxy/networks.go
+++ b/api/http/proxy/networks.go
@ -15,7 +15,7 @@ const (

 // networkListOperation extracts the response as a JSON object, loop through the networks array
 // decorate and/or filter the networks based on resource controls before rewriting the response
-func networkListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func networkListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// NetworkList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkList
@ -39,7 +39,7 @@ func networkListOperation(request *http.Request, response *http.Response, execut
 // networkInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the network based on resource control and either rewrite an access denied response
 // or a decorated network.
-func networkInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func networkInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// NetworkInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/NetworkInspect
 	responseObject, err := getResponseAsJSONOBject(response)
--- a/api/http/proxy/secrets.go
+++ b/api/http/proxy/secrets.go
@ -14,7 +14,7 @@ const (

 // secretListOperation extracts the response as a JSON object, loop through the secrets array
 // decorate and/or filter the secrets based on resource controls before rewriting the response
-func secretListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func secretListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error

 	// SecretList response is a JSON array
@ -39,7 +39,7 @@ func secretListOperation(request *http.Request, response *http.Response, executo
 // secretInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the secret based on resource control (check are done based on the secretID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated secret.
-func secretInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func secretInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// SecretInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/SecretInspect
 	responseObject, err := getResponseAsJSONOBject(response)
--- a/api/http/proxy/services.go
+++ b/api/http/proxy/services.go
@ -15,7 +15,7 @@ const (

 // serviceListOperation extracts the response as a JSON array, loop through the service array
 // decorate and/or filter the services based on resource controls before rewriting the response
-func serviceListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func serviceListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ServiceList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
@ -39,7 +39,7 @@ func serviceListOperation(request *http.Request, response *http.Response, execut
 // serviceInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the service based on resource control and either rewrite an access denied response
 // or a decorated service.
-func serviceInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func serviceInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// ServiceInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
 	responseObject, err := getResponseAsJSONOBject(response)
--- a/api/http/proxy/tasks.go
+++ b/api/http/proxy/tasks.go
@ -15,7 +15,7 @@ const (

 // taskListOperation extracts the response as a JSON object, loop through the tasks array
 // and filter the tasks based on resource controls before rewriting the response
-func taskListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func taskListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error

 	// TaskList response is a JSON array
--- a/api/http/proxy/transport.go
+++ b/api/http/proxy/transport.go
@ -17,11 +17,13 @@ var apiVersionRe = regexp.MustCompile(`(/v[0-9]\.[0-9]*)?`)
 type (
 	proxyTransport struct {
 		dockerTransport        *http.Transport
+		enableSignature        bool
 		ResourceControlService portainer.ResourceControlService
 		TeamMembershipService  portainer.TeamMembershipService
 		RegistryService        portainer.RegistryService
 		DockerHubService       portainer.DockerHubService
 		SettingsService        portainer.SettingsService
+		SignatureService       portainer.DigitalSignatureService
 	}
 	restrictedOperationContext struct {
 		isAdmin          bool
@ -45,7 +47,7 @@ type (
 		operationContext *restrictedOperationContext
 		labelBlackList   []portainer.Pair
 	}
-	restrictedOperationRequest func(*http.Request, *http.Response, *operationExecutor) error
+	restrictedOperationRequest func(*http.Response, *operationExecutor) error
 	operationRequest           func(*http.Request) error
 )

@ -61,6 +63,16 @@ func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Respon
 	path := apiVersionRe.ReplaceAllString(request.URL.Path, "")
 	request.URL.Path = path

+	if p.enableSignature {
+		signature, err := p.SignatureService.Sign(portainer.PortainerAgentSignatureMessage)
+		if err != nil {
+			return nil, err
+		}
+
+		request.Header.Set(portainer.PortainerAgentPublicKeyHeader, p.SignatureService.EncodedPublicKey())
+		request.Header.Set(portainer.PortainerAgentSignatureHeader, signature)
+	}
+
 	switch {
 	case strings.HasPrefix(path, "/configs"):
 		return p.proxyConfigRequest(request)
@ -392,7 +404,7 @@ func (p *proxyTransport) executeRequestAndRewriteResponse(request *http.Request,
 		return response, err
 	}

-	err = operation(request, response, executor)
+	err = operation(response, executor)
 	return response, err
 }

--- a/api/http/proxy/volumes.go
+++ b/api/http/proxy/volumes.go
@ -15,7 +15,7 @@ const (

 // volumeListOperation extracts the response as a JSON object, loop through the volume array
 // decorate and/or filter the volumes based on resource controls before rewriting the response
-func volumeListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func volumeListOperation(response *http.Response, executor *operationExecutor) error {
 	var err error
 	// VolumeList response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
@ -48,7 +48,7 @@ func volumeListOperation(request *http.Request, response *http.Response, executo
 // volumeInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the volume based on any existing resource control and either rewrite an access denied response
 // or a decorated volume.
-func volumeInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+func volumeInspectOperation(response *http.Response, executor *operationExecutor) error {
 	// VolumeInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
 	responseObject, err := getResponseAsJSONOBject(response)