fix(api): manage registry authentication in the API (#1751)

2025-07-24 15:59:41 +02:00 · 2018-03-23 08:44:43 +10:00 · 2018-03-23 08:44:43 +10:00 · 30dfd3d616
commit 30dfd3d616
parent c267f8bf57
11 changed files with 183 additions and 42 deletions
--- a/api/http/proxy/factory.go
+++ b/api/http/proxy/factory.go
@ -15,6 +15,8 @@ type proxyFactory struct {
 	ResourceControlService portainer.ResourceControlService
 	TeamMembershipService  portainer.TeamMembershipService
 	SettingsService        portainer.SettingsService
+	RegistryService        portainer.RegistryService
+	DockerHubService       portainer.DockerHubService
 }

 func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
@ -45,6 +47,8 @@ func (factory *proxyFactory) newDockerSocketProxy(path string) http.Handler {
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
+		RegistryService:        factory.RegistryService,
+		DockerHubService:       factory.DockerHubService,
 		dockerTransport:        newSocketTransport(path),
 	}
 	proxy.Transport = transport
@ -57,6 +61,8 @@ func (factory *proxyFactory) createDockerReverseProxy(u *url.URL) *httputil.Reve
 		ResourceControlService: factory.ResourceControlService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
+		RegistryService:        factory.RegistryService,
+		DockerHubService:       factory.DockerHubService,
 		dockerTransport:        &http.Transport{},
 	}
 	proxy.Transport = transport
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@ -17,7 +17,7 @@ type Manager struct {
 }

 // NewManager initializes a new proxy Service
-func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService, settingsService portainer.SettingsService) *Manager {
+func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService, settingsService portainer.SettingsService, registryService portainer.RegistryService, dockerHubService portainer.DockerHubService) *Manager {
 	return &Manager{
 		proxies:          cmap.New(),
 		extensionProxies: cmap.New(),
@ -25,6 +25,8 @@ func NewManager(resourceControlService portainer.ResourceControlService, teamMem
 			ResourceControlService: resourceControlService,
 			TeamMembershipService:  teamMembershipService,
 			SettingsService:        settingsService,
+			RegistryService:        registryService,
+			DockerHubService:       dockerHubService,
 		},
 	}
 }
--- a/api/http/proxy/registry.go
+++ b/api/http/proxy/registry.go
@ -0,0 +1,37 @@
+package proxy
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/security"
+)
+
+func createRegistryAuthenticationHeader(serverAddress string, accessContext *registryAccessContext) *registryAuthenticationHeader {
+	var authenticationHeader *registryAuthenticationHeader
+
+	if serverAddress == "" {
+		authenticationHeader = &registryAuthenticationHeader{
+			Username:      accessContext.dockerHub.Username,
+			Password:      accessContext.dockerHub.Password,
+			Serveraddress: "docker.io",
+		}
+	} else {
+		var matchingRegistry *portainer.Registry
+		for _, registry := range accessContext.registries {
+			if registry.URL == serverAddress &&
+				(accessContext.isAdmin || (!accessContext.isAdmin && security.AuthorizedRegistryAccess(&registry, accessContext.userID, accessContext.teamMemberships))) {
+				matchingRegistry = &registry
+				break
+			}
+		}
+
+		if matchingRegistry != nil {
+			authenticationHeader = &registryAuthenticationHeader{
+				Username:      matchingRegistry.Username,
+				Password:      matchingRegistry.Password,
+				Serveraddress: matchingRegistry.URL,
+			}
+		}
+	}
+
+	return authenticationHeader
+}
--- a/api/http/proxy/transport.go
+++ b/api/http/proxy/transport.go
@ -1,6 +1,8 @@
 package proxy

 import (
+	"encoding/base64"
+	"encoding/json"
 	"net/http"
 	"path"
 	"strings"
@ -14,6 +16,8 @@ type (
 		dockerTransport        *http.Transport
 		ResourceControlService portainer.ResourceControlService
 		TeamMembershipService  portainer.TeamMembershipService
+		RegistryService        portainer.RegistryService
+		DockerHubService       portainer.DockerHubService
 		SettingsService        portainer.SettingsService
 	}
 	restrictedOperationContext struct {
@ -22,6 +26,18 @@ type (
 		userTeamIDs      []portainer.TeamID
 		resourceControls []portainer.ResourceControl
 	}
+	registryAccessContext struct {
+		isAdmin         bool
+		userID          portainer.UserID
+		teamMemberships []portainer.TeamMembership
+		registries      []portainer.Registry
+		dockerHub       *portainer.DockerHub
+	}
+	registryAuthenticationHeader struct {
+		Username      string `json:"username"`
+		Password      string `json:"password"`
+		Serveraddress string `json:"serveraddress"`
+	}
 	operationExecutor struct {
 		operationContext *restrictedOperationContext
 		labelBlackList   []portainer.Pair
@ -62,6 +78,8 @@ func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Respon
 		return p.proxyTaskRequest(request)
 	case strings.HasPrefix(path, "/build"):
 		return p.proxyBuildRequest(request)
+	case strings.HasPrefix(path, "/images"):
+		return p.proxyImageRequest(request)
 	default:
 		return p.executeDockerRequest(request)
 	}
@ -119,7 +137,7 @@ func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Res
 func (p *proxyTransport) proxyServiceRequest(request *http.Request) (*http.Response, error) {
 	switch requestPath := request.URL.Path; requestPath {
 	case "/services/create":
-		return p.executeDockerRequest(request)
+		return p.replaceRegistryAuthenticationHeader(request)

 	case "/services":
 		return p.rewriteOperation(request, serviceListOperation)
@ -235,6 +253,54 @@ func (p *proxyTransport) proxyBuildRequest(request *http.Request) (*http.Respons
 	return p.interceptAndRewriteRequest(request, buildOperation)
 }

+func (p *proxyTransport) proxyImageRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/images/create":
+		return p.replaceRegistryAuthenticationHeader(request)
+	default:
+		if match, _ := path.Match("/images/*/push", requestPath); match {
+			return p.replaceRegistryAuthenticationHeader(request)
+		}
+		return p.executeDockerRequest(request)
+	}
+}
+
+func (p *proxyTransport) replaceRegistryAuthenticationHeader(request *http.Request) (*http.Response, error) {
+	accessContext, err := p.createRegistryAccessContext(request)
+	if err != nil {
+		return nil, err
+	}
+
+	originalHeader := request.Header.Get("X-Registry-Auth")
+
+	if originalHeader != "" {
+
+		decodedHeaderData, err := base64.StdEncoding.DecodeString(originalHeader)
+		if err != nil {
+			return nil, err
+		}
+
+		var originalHeaderData registryAuthenticationHeader
+		err = json.Unmarshal(decodedHeaderData, &originalHeaderData)
+		if err != nil {
+			return nil, err
+		}
+
+		authenticationHeader := createRegistryAuthenticationHeader(originalHeaderData.Serveraddress, accessContext)
+
+		headerData, err := json.Marshal(authenticationHeader)
+		if err != nil {
+			return nil, err
+		}
+
+		header := base64.StdEncoding.EncodeToString(headerData)
+
+		request.Header.Set("X-Registry-Auth", header)
+	}
+
+	return p.executeDockerRequest(request)
+}
+
 // restrictedOperation ensures that the current user has the required authorizations
 // before executing the original request.
 func (p *proxyTransport) restrictedOperation(request *http.Request, resourceID string) (*http.Response, error) {
@ -270,7 +336,7 @@ func (p *proxyTransport) restrictedOperation(request *http.Request, resourceID s
 	return p.executeDockerRequest(request)
 }

-// rewriteOperation will create a new operation context with data that will be used
+// rewriteOperationWithLabelFiltering will create a new operation context with data that will be used
 // to decorate the original request's response as well as retrieve all the black listed labels
 // to filter the resources.
 func (p *proxyTransport) rewriteOperationWithLabelFiltering(request *http.Request, operation restrictedOperationRequest) (*http.Response, error) {
@ -341,6 +407,43 @@ func (p *proxyTransport) administratorOperation(request *http.Request) (*http.Re
 	return p.executeDockerRequest(request)
 }

+func (p *proxyTransport) createRegistryAccessContext(request *http.Request) (*registryAccessContext, error) {
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	accessContext := &registryAccessContext{
+		isAdmin: true,
+		userID:  tokenData.ID,
+	}
+
+	hub, err := p.DockerHubService.DockerHub()
+	if err != nil {
+		return nil, err
+	}
+	accessContext.dockerHub = hub
+
+	registries, err := p.RegistryService.Registries()
+	if err != nil {
+		return nil, err
+	}
+	accessContext.registries = registries
+
+	if tokenData.Role != portainer.AdministratorRole {
+		accessContext.isAdmin = false
+
+		teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		accessContext.teamMemberships = teamMemberships
+	}
+
+	return accessContext, nil
+}
+
 func (p *proxyTransport) createOperationContext(request *http.Request) (*restrictedOperationContext, error) {
 	var err error
 	tokenData, err := security.RetrieveTokenData(request)