mirror of https://github.com/portainer/portainer.git synced 2025-07-24 07:49:41 +02:00

chore(docker): clean up the code EE-7325 (#11997)

andres-portainer 2024-07-05 16:19:46 -03:00 committed by GitHub
parent faca64442f
commit 340830d121
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 280 additions and 254 deletions


@ -59,8 +59,8 @@ func (transport *Transport) serviceListOperation(response *http.Response, execut
// serviceInspectOperation extracts the response as a JSON object, verify that the user
// has access to the service based on resource control and either rewrite an access denied response or a decorated service.
func (transport *Transport) serviceInspectOperation(response *http.Response, executor *operationExecutor) error {
//ServiceInspect response is a JSON object
//https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
// ServiceInspect response is a JSON object
// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
responseObject, err := utils.GetResponseAsJSONObject(response)
if err != nil {
return err
@ -85,6 +85,7 @@ func selectorServiceLabels(responseObject map[string]any) map[string]any {
if serviceSpecObject != nil {
return utils.GetJSONObject(serviceSpecObject, "Labels")
}
return nil
}
@ -108,33 +109,34 @@ func (transport *Transport) decorateServiceCreationOperation(request *http.Reque
return nil, err
}
if !isAdminOrEndpointAdmin {
securitySettings, err := transport.fetchEndpointSecuritySettings()
if err != nil {
return nil, err
}
if isAdminOrEndpointAdmin {
return transport.replaceRegistryAuthenticationHeader(request)
}
body, err := io.ReadAll(request.Body)
if err != nil {
return nil, err
}
securitySettings, err := transport.fetchEndpointSecuritySettings()
if err != nil {
return nil, err
}
partialService := &PartialService{}
err = json.Unmarshal(body, partialService)
if err != nil {
return nil, err
}
body, err := io.ReadAll(request.Body)
if err != nil {
return nil, err
}
if !securitySettings.AllowBindMountsForRegularUsers && (len(partialService.TaskTemplate.ContainerSpec.Mounts) > 0) {
for _, mount := range partialService.TaskTemplate.ContainerSpec.Mounts {
if mount.Type == "bind" {
return forbiddenResponse, errors.New("forbidden to use bind mounts")
}
partialService := &PartialService{}
if err := json.Unmarshal(body, partialService); err != nil {
return nil, err
}
if !securitySettings.AllowBindMountsForRegularUsers && (len(partialService.TaskTemplate.ContainerSpec.Mounts) > 0) {
for _, mount := range partialService.TaskTemplate.ContainerSpec.Mounts {
if mount.Type == "bind" {
return forbiddenResponse, errors.New("forbidden to use bind mounts")
}
}
request.Body = io.NopCloser(bytes.NewBuffer(body))
}
request.Body = io.NopCloser(bytes.NewBuffer(body))
return transport.replaceRegistryAuthenticationHeader(request)
}
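Review bot: The non-admin path of decorateServiceCreationOperation still buffers the whole request with `io.ReadAll(request.Body)` and no size cap, so a regular user's request is held in memory in full before the bind-mount check runs. Whether an earlier layer already limits request size is not visible from this hunk. A bounded read would close the gap, for example `body, err := io.ReadAll(io.LimitReader(request.Body, maxServiceSpecBytes+1))` followed by rejecting any body longer than the limit (`maxServiceSpecBytes` is a placeholder name, not a constant from this file). The `len(partialService.TaskTemplate.ContainerSpec.Mounts) > 0` guard is also redundant, because ranging over an empty slice does nothing, so the condition can be reduced to `!securitySettings.AllowBindMountsForRegularUsers`. The function begins outside the hunk, so the admin check that feeds `isAdminOrEndpointAdmin` is not reviewed here.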