feat(waiting-room): show and filter by check in [EE-5186] (#8701)

2025-08-02 20:35:25 +02:00 · 2023-04-27 09:22:05 +07:00 · 2023-04-27 09:22:05 +07:00 · 4b9c857d85
commit 4b9c857d85
parent b5771df6a8
10 changed files with 108 additions and 25 deletions
--- a/api/http/handler/endpointedge/endpoint_edgestatus_inspect.go
+++ b/api/http/handler/endpointedge/endpoint_edgestatus_inspect.go
@ -117,6 +117,11 @@ func (handler *Handler) endpointEdgeStatusInspect(w http.ResponseWriter, r *http
 		return httperror.InternalServerError("Unable to Unable to persist environment changes inside the database", err)
 	}

+	err = handler.requestBouncer.TrustedEdgeEnvironmentAccess(endpoint)
+	if err != nil {
+		return httperror.Forbidden("Permission denied to access environment", err)
+	}
+
 	checkinInterval := endpoint.EdgeCheckinInterval
 	if endpoint.EdgeCheckinInterval == 0 {
 		settings, err := handler.DataStore.Settings().Settings()
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@ -45,6 +45,7 @@ const (
 // @param agentVersions query []string false "will return only environments with on of these agent versions"
 // @param edgeAsync query bool false "if exists true show only edge async agents, false show only standard edge agents. if missing, will show both types (relevant only for edge agents)"
 // @param edgeDeviceUntrusted query bool false "if true, show only untrusted edge agents, if false show only trusted edge agents (relevant only for edge agents)"
+// @param edgeCheckInPassedSeconds query number false "if bigger then zero, show only edge agents that checked-in in the last provided seconds (relevant only for edge agents)"
 // @param name query string false "will return only environments(endpoints) with this name"
 // @success 200 {array} portainer.Endpoint "Endpoints"
 // @failure 500 "Server error"
--- a/api/http/handler/endpoints/filter.go
+++ b/api/http/handler/endpoints/filter.go
@ -23,11 +23,12 @@ type EnvironmentsQuery struct {
 	groupIds         []portainer.EndpointGroupID
 	status           []portainer.EndpointStatus
 	// if edgeAsync not nil, will filter edge endpoints based on this value
-	edgeAsync           *bool
-	edgeDeviceUntrusted bool
-	excludeSnapshots    bool
-	name                string
-	agentVersions       []string
+	edgeAsync                *bool
+	edgeDeviceUntrusted      bool
+	excludeSnapshots         bool
+	name                     string
+	agentVersions            []string
+	edgeCheckInPassedSeconds int
 }

 func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
@ -77,19 +78,22 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {

 	excludeSnapshots, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshots", true)

+	edgeCheckInPassedSeconds, _ := request.RetrieveNumericQueryParameter(r, "edgeCheckInPassedSeconds", true)
+
 	return EnvironmentsQuery{
-		search:              search,
-		types:               endpointTypes,
-		tagIds:              tagIDs,
-		endpointIds:         endpointIDs,
-		tagsPartialMatch:    tagsPartialMatch,
-		groupIds:            groupIDs,
-		status:              status,
-		edgeAsync:           edgeAsync,
-		edgeDeviceUntrusted: edgeDeviceUntrusted,
-		excludeSnapshots:    excludeSnapshots,
-		name:                name,
-		agentVersions:       agentVersions,
+		search:                   search,
+		types:                    endpointTypes,
+		tagIds:                   tagIDs,
+		endpointIds:              endpointIDs,
+		tagsPartialMatch:         tagsPartialMatch,
+		groupIds:                 groupIDs,
+		status:                   status,
+		edgeAsync:                edgeAsync,
+		edgeDeviceUntrusted:      edgeDeviceUntrusted,
+		excludeSnapshots:         excludeSnapshots,
+		name:                     name,
+		agentVersions:            agentVersions,
+		edgeCheckInPassedSeconds: edgeCheckInPassedSeconds,
 	}, nil
 }

@ -128,6 +132,22 @@ func (handler *Handler) filterEndpointsByQuery(filteredEndpoints []portainer.End
 		return endpoint.UserTrusted == !query.edgeDeviceUntrusted
 	})

+	if query.edgeCheckInPassedSeconds > 0 {
+		filteredEndpoints = filter(filteredEndpoints, func(endpoint portainer.Endpoint) bool {
+			// ignore non-edge endpoints
+			if !endpointutils.IsEdgeEndpoint(&endpoint) {
+				return true
+			}
+
+			// filter out endpoints that have never checked in
+			if endpoint.LastCheckInDate == 0 {
+				return false
+			}
+
+			return time.Now().Unix()-endpoint.LastCheckInDate < int64(query.edgeCheckInPassedSeconds)
+		})
+	}
+
 	if len(query.status) > 0 {
 		filteredEndpoints = filterEndpointsByStatuses(filteredEndpoints, query.status, settings)
 	}
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@ -1,12 +1,11 @@
 package security

 import (
-	"errors"
-	"fmt"
 	"net/http"
 	"strings"
 	"time"

+	"github.com/pkg/errors"
 	httperror "github.com/portainer/libhttp/error"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/apikey"
@ -147,13 +146,19 @@ func (bouncer *RequestBouncer) AuthorizedEdgeEndpointOperation(r *http.Request,
 		return errors.New("invalid Edge identifier")
 	}

-	if endpoint.LastCheckInDate > 0 || endpoint.UserTrusted {
+	return nil
+}
+
+// TrustedEdgeEnvironmentAccess defines a security check for Edge environments, checks if
+// the request is coming from a trusted Edge environment
+func (bouncer *RequestBouncer) TrustedEdgeEnvironmentAccess(endpoint *portainer.Endpoint) error {
+	if endpoint.UserTrusted {
 		return nil
 	}

 	settings, err := bouncer.dataStore.Settings().Settings()
 	if err != nil {
-		return fmt.Errorf("could not retrieve the settings: %w", err)
+		return errors.WithMessage(err, "could not retrieve the settings")
 	}

 	if !settings.TrustOnFirstConnect {