feat(configs): add support for docker configs (#996)

api/http/handler/resource_control.go

@@ -84,6 +84,8 @@ func (handler *ResourceHandler) handlePostResources(w http.ResponseWriter, r *ht
 		resourceControlType = portainer.SecretResourceControl
 	case "stack":
 		resourceControlType = portainer.StackResourceControl
+	case "config":
+		resourceControlType = portainer.ConfigResourceControl
 	default:
 		httperror.WriteErrorResponse(w, portainer.ErrInvalidResourceControlType, http.StatusBadRequest, handler.Logger)
 		return

api/http/proxy/configs.go

@@ -0,0 +1,107 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerConfigIdentifierNotFound defines an error raised when Portainer is unable to find a config identifier
+	ErrDockerConfigIdentifierNotFound = portainer.Error("Docker config identifier not found")
+	configIdentifier                  = "ID"
+)
+
+// configListOperation extracts the response as a JSON object, loop through the configs array
+// decorate and/or filter the configs based on resource controls before rewriting the response
+func configListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+	var err error
+
+	// ConfigList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateConfigList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterConfigList(responseArray, executor.operationContext)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// configInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the config based on resource control (check are done based on the configID and optional Swarm service ID)
+// and either rewrite an access denied response or a decorated config.
+func configInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+	// ConfigInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.30/#operation/ConfigInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[configIdentifier] == nil {
+		return ErrDockerConfigIdentifierNotFound
+	}
+
+	configID := responseObject[configIdentifier].(string)
+	responseObject, access := applyResourceAccessControl(responseObject, configID, executor.operationContext)
+	if !access {
+		return rewriteAccessDeniedResponse(response)
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// decorateConfigList loops through all configs and decorates any config with an existing resource control.
+// Resource controls checks are based on: resource identifier.
+// Config object schema reference: https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
+func decorateConfigList(configData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedConfigData := make([]interface{}, 0)
+
+	for _, config := range configData {
+
+		configObject := config.(map[string]interface{})
+		if configObject[configIdentifier] == nil {
+			return nil, ErrDockerConfigIdentifierNotFound
+		}
+
+		configID := configObject[configIdentifier].(string)
+		configObject = decorateResourceWithAccessControl(configObject, configID, resourceControls)
+
+		decoratedConfigData = append(decoratedConfigData, configObject)
+	}
+
+	return decoratedConfigData, nil
+}
+
+// filterConfigList loops through all configs and filters public configs (no associated resource control)
+// as well as authorized configs (access granted to the user based on existing resource control).
+// Authorized configs are decorated during the process.
+// Resource controls checks are based on: resource identifier.
+// Config object schema reference: https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
+func filterConfigList(configData []interface{}, context *restrictedOperationContext) ([]interface{}, error) {
+	filteredConfigData := make([]interface{}, 0)
+
+	for _, config := range configData {
+		configObject := config.(map[string]interface{})
+		if configObject[configIdentifier] == nil {
+			return nil, ErrDockerConfigIdentifierNotFound
+		}
+
+		configID := configObject[configIdentifier].(string)
+		configObject, access := applyResourceAccessControl(configObject, configID, context)
+		if access {
+			filteredConfigData = append(filteredConfigData, configObject)
+		}
+	}
+
+	return filteredConfigData, nil
+}

api/http/proxy/transport.go

@@ -41,6 +41,8 @@ func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Respon
 	path := request.URL.Path
 
 	switch {
+	case strings.HasPrefix(path, "/configs"):
+		return p.proxyConfigRequest(request)
 	case strings.HasPrefix(path, "/containers"):
 		return p.proxyContainerRequest(request)
 	case strings.HasPrefix(path, "/services"):
@@ -62,6 +64,24 @@ func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Respon
 	}
 }
 
+func (p *proxyTransport) proxyConfigRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/configs/create":
+		return p.executeDockerRequest(request)
+
+	case "/configs":
+		return p.rewriteOperation(request, configListOperation)
+
+	default:
+		// assume /configs/{id}
+		if request.Method == http.MethodGet {
+			return p.rewriteOperation(request, configInspectOperation)
+		}
+		configID := path.Base(requestPath)
+		return p.restrictedOperation(request, configID)
+	}
+}
+
 func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Response, error) {
 	switch requestPath := request.URL.Path; requestPath {
 	case "/containers/create":