feat(global): introduce user teams and new UAC system (#868)

api/http/proxy/access_control.go

@@ -0,0 +1,21 @@
+package proxy
+
+import "github.com/portainer/portainer"
+
+func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.TeamID, resourceControl *portainer.ResourceControl) bool {
+	for _, authorizedUserAccess := range resourceControl.UserAccesses {
+		if userID == authorizedUserAccess.UserID {
+			return true
+		}
+	}
+
+	for _, authorizedTeamAccess := range resourceControl.TeamAccesses {
+		for _, userTeamID := range userTeamIDs {
+			if userTeamID == authorizedTeamAccess.TeamID {
+				return true
+			}
+		}
+	}
+
+	return false
+}

api/http/proxy/containers.go

@@ -0,0 +1,98 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerContainerIdentifierNotFound defines an error raised when Portainer is unable to find a container identifier
+	ErrDockerContainerIdentifierNotFound = portainer.Error("Docker container identifier not found")
+	containerIdentifier                  = "Id"
+	containerLabelForServiceIdentifier   = "com.docker.swarm.service.id"
+)
+
+// containerListOperation extracts the response as a JSON object, loop through the containers array
+// decorate and/or filter the containers based on resource controls before rewriting the response
+func containerListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+	var err error
+	// ContainerList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if operationContext.isAdmin {
+		responseArray, err = decorateContainerList(responseArray, operationContext.resourceControls)
+	} else {
+		responseArray, err = filterContainerList(responseArray, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// containerInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the container based on resource control (check are done based on the containerID and optional Swarm service ID)
+// and either rewrite an access denied response or a decorated container.
+func containerInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+	// ContainerInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[containerIdentifier] == nil {
+		return ErrDockerContainerIdentifierNotFound
+	}
+	containerID := responseObject[containerIdentifier].(string)
+
+	resourceControl := getResourceControlByResourceID(containerID, operationContext.resourceControls)
+	if resourceControl != nil {
+		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+			responseObject = decorateObject(responseObject, resourceControl)
+		} else {
+			return rewriteAccessDeniedResponse(response)
+		}
+	}
+
+	containerLabels := extractContainerLabelsFromContainerInspectObject(responseObject)
+	if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
+		serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
+		resourceControl := getResourceControlByResourceID(serviceID, operationContext.resourceControls)
+		if resourceControl != nil {
+			if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+				responseObject = decorateObject(responseObject, resourceControl)
+			} else {
+				return rewriteAccessDeniedResponse(response)
+			}
+		}
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// extractContainerLabelsFromContainerInspectObject retrieve the Labels of the container if present.
+// Container schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
+func extractContainerLabelsFromContainerInspectObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Config.Labels
+	containerConfigObject := extractJSONField(responseObject, "Config")
+	if containerConfigObject != nil {
+		containerLabelsObject := extractJSONField(containerConfigObject, "Labels")
+		return containerLabelsObject
+	}
+	return nil
+}
+
+// extractContainerLabelsFromContainerListObject retrieve the Labels of the container if present.
+// Container schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+func extractContainerLabelsFromContainerListObject(responseObject map[string]interface{}) map[string]interface{} {
+	// Labels are stored under Labels
+	containerLabelsObject := extractJSONField(responseObject, "Labels")
+	return containerLabelsObject
+}

api/http/proxy/decorator.go

@@ -0,0 +1,90 @@
+package proxy
+
+import "github.com/portainer/portainer"
+
+// decorateVolumeList loops through all volumes and will decorate any volume with an existing resource control.
+// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func decorateVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedVolumeData := make([]interface{}, 0)
+
+	for _, volume := range volumeData {
+
+		volumeObject := volume.(map[string]interface{})
+		if volumeObject[volumeIdentifier] == nil {
+			return nil, ErrDockerVolumeIdentifierNotFound
+		}
+
+		volumeID := volumeObject[volumeIdentifier].(string)
+		resourceControl := getResourceControlByResourceID(volumeID, resourceControls)
+		if resourceControl != nil {
+			volumeObject = decorateObject(volumeObject, resourceControl)
+		}
+		decoratedVolumeData = append(decoratedVolumeData, volumeObject)
+	}
+
+	return decoratedVolumeData, nil
+}
+
+// decorateContainerList loops through all containers and will decorate any container with an existing resource control.
+// Check is based on the container ID and optional Swarm service ID.
+// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+func decorateContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+
+		containerObject := container.(map[string]interface{})
+		if containerObject[containerIdentifier] == nil {
+			return nil, ErrDockerContainerIdentifierNotFound
+		}
+
+		containerID := containerObject[containerIdentifier].(string)
+		resourceControl := getResourceControlByResourceID(containerID, resourceControls)
+		if resourceControl != nil {
+			containerObject = decorateObject(containerObject, resourceControl)
+		}
+
+		containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+		if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
+			serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
+			resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
+			if resourceControl != nil {
+				containerObject = decorateObject(containerObject, resourceControl)
+			}
+		}
+
+		decoratedContainerData = append(decoratedContainerData, containerObject)
+	}
+
+	return decoratedContainerData, nil
+}
+
+// decorateServiceList loops through all services and will decorate any service with an existing resource control.
+// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func decorateServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedServiceData := make([]interface{}, 0)
+
+	for _, service := range serviceData {
+
+		serviceObject := service.(map[string]interface{})
+		if serviceObject[serviceIdentifier] == nil {
+			return nil, ErrDockerServiceIdentifierNotFound
+		}
+
+		serviceID := serviceObject[serviceIdentifier].(string)
+		resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
+		if resourceControl != nil {
+			serviceObject = decorateObject(serviceObject, resourceControl)
+		}
+		decoratedServiceData = append(decoratedServiceData, serviceObject)
+	}
+
+	return decoratedServiceData, nil
+}
+
+func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
+	metadata := make(map[string]interface{})
+	metadata["ResourceControl"] = resourceControl
+	object["Portainer"] = metadata
+	return object
+}

api/http/proxy/factory.go

@@ -0,0 +1,55 @@
+package proxy
+
+import (
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/crypto"
+)
+
+// proxyFactory is a factory to create reverse proxies to Docker endpoints
+type proxyFactory struct {
+	ResourceControlService portainer.ResourceControlService
+	TeamMembershipService  portainer.TeamMembershipService
+}
+
+func (factory *proxyFactory) newHTTPProxy(u *url.URL) http.Handler {
+	u.Scheme = "http"
+	return factory.createReverseProxy(u)
+}
+
+func (factory *proxyFactory) newHTTPSProxy(u *url.URL, endpoint *portainer.Endpoint) (http.Handler, error) {
+	u.Scheme = "https"
+	proxy := factory.createReverseProxy(u)
+	config, err := crypto.CreateTLSConfiguration(endpoint.TLSCACertPath, endpoint.TLSCertPath, endpoint.TLSKeyPath)
+	if err != nil {
+		return nil, err
+	}
+
+	proxy.Transport.(*proxyTransport).dockerTransport.TLSClientConfig = config
+	return proxy, nil
+}
+
+func (factory *proxyFactory) newSocketProxy(path string) http.Handler {
+	proxy := &socketProxy{}
+	transport := &proxyTransport{
+		ResourceControlService: factory.ResourceControlService,
+		TeamMembershipService:  factory.TeamMembershipService,
+		dockerTransport:        newSocketTransport(path),
+	}
+	proxy.Transport = transport
+	return proxy
+}
+
+func (factory *proxyFactory) createReverseProxy(u *url.URL) *httputil.ReverseProxy {
+	proxy := newSingleHostReverseProxyWithHostHeader(u)
+	transport := &proxyTransport{
+		ResourceControlService: factory.ResourceControlService,
+		TeamMembershipService:  factory.TeamMembershipService,
+		dockerTransport:        newHTTPTransport(),
+	}
+	proxy.Transport = transport
+	return proxy
+}

api/http/proxy/filter.go

@@ -0,0 +1,91 @@
+package proxy
+
+import "github.com/portainer/portainer"
+
+// filterVolumeList loops through all volumes, filters volumes without any resource control (public resources) or with
+// any resource control giving access to the user (these volumes will be decorated).
+// Volume object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+func filterVolumeList(volumeData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
+	filteredVolumeData := make([]interface{}, 0)
+
+	for _, volume := range volumeData {
+		volumeObject := volume.(map[string]interface{})
+		if volumeObject[volumeIdentifier] == nil {
+			return nil, ErrDockerVolumeIdentifierNotFound
+		}
+
+		volumeID := volumeObject[volumeIdentifier].(string)
+		resourceControl := getResourceControlByResourceID(volumeID, resourceControls)
+		if resourceControl == nil {
+			filteredVolumeData = append(filteredVolumeData, volumeObject)
+		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
+			volumeObject = decorateObject(volumeObject, resourceControl)
+			filteredVolumeData = append(filteredVolumeData, volumeObject)
+		}
+	}
+
+	return filteredVolumeData, nil
+}
+
+// filterContainerList loops through all containers, filters containers without any resource control (public resources) or with
+// any resource control giving access to the user (check on container ID and optional Swarm service ID, these containers will be decorated).
+// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
+func filterContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
+	filteredContainerData := make([]interface{}, 0)
+
+	for _, container := range containerData {
+		containerObject := container.(map[string]interface{})
+		if containerObject[containerIdentifier] == nil {
+			return nil, ErrDockerContainerIdentifierNotFound
+		}
+
+		containerID := containerObject[containerIdentifier].(string)
+		resourceControl := getResourceControlByResourceID(containerID, resourceControls)
+		if resourceControl == nil {
+			// check if container is part of a Swarm service
+			containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
+			if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
+				serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
+				serviceResourceControl := getResourceControlByResourceID(serviceID, resourceControls)
+				if serviceResourceControl == nil {
+					filteredContainerData = append(filteredContainerData, containerObject)
+				} else if serviceResourceControl != nil && canUserAccessResource(userID, userTeamIDs, serviceResourceControl) {
+					containerObject = decorateObject(containerObject, serviceResourceControl)
+					filteredContainerData = append(filteredContainerData, containerObject)
+				}
+			} else {
+				filteredContainerData = append(filteredContainerData, containerObject)
+			}
+		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
+			containerObject = decorateObject(containerObject, resourceControl)
+			filteredContainerData = append(filteredContainerData, containerObject)
+		}
+	}
+
+	return filteredContainerData, nil
+}
+
+// filterServiceList loops through all services, filters services without any resource control (public resources) or with
+// any resource control giving access to the user (these services will be decorated).
+// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+func filterServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
+	filteredServiceData := make([]interface{}, 0)
+
+	for _, service := range serviceData {
+		serviceObject := service.(map[string]interface{})
+		if serviceObject[serviceIdentifier] == nil {
+			return nil, ErrDockerServiceIdentifierNotFound
+		}
+
+		serviceID := serviceObject[serviceIdentifier].(string)
+		resourceControl := getResourceControlByResourceID(serviceID, resourceControls)
+		if resourceControl == nil {
+			filteredServiceData = append(filteredServiceData, serviceObject)
+		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
+			serviceObject = decorateObject(serviceObject, resourceControl)
+			filteredServiceData = append(filteredServiceData, serviceObject)
+		}
+	}
+
+	return filteredServiceData, nil
+}

api/http/proxy/manager.go

@@ -0,0 +1,68 @@
+package proxy
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/orcaman/concurrent-map"
+	"github.com/portainer/portainer"
+)
+
+// Manager represents a service used to manage Docker proxies.
+type Manager struct {
+	proxyFactory *proxyFactory
+	proxies      cmap.ConcurrentMap
+}
+
+// NewManager initializes a new proxy Service
+func NewManager(resourceControlService portainer.ResourceControlService, teamMembershipService portainer.TeamMembershipService) *Manager {
+	return &Manager{
+		proxies: cmap.New(),
+		proxyFactory: &proxyFactory{
+			ResourceControlService: resourceControlService,
+			TeamMembershipService:  teamMembershipService,
+		},
+	}
+}
+
+// CreateAndRegisterProxy creates a new HTTP reverse proxy and adds it to the registered proxies.
+// It can also be used to create a new HTTP reverse proxy and replace an already registered proxy.
+func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
+	var proxy http.Handler
+
+	endpointURL, err := url.Parse(endpoint.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	if endpointURL.Scheme == "tcp" {
+		if endpoint.TLS {
+			proxy, err = manager.proxyFactory.newHTTPSProxy(endpointURL, endpoint)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			proxy = manager.proxyFactory.newHTTPProxy(endpointURL)
+		}
+	} else {
+		// Assume unix:// scheme
+		proxy = manager.proxyFactory.newSocketProxy(endpointURL.Path)
+	}
+
+	manager.proxies.Set(string(endpoint.ID), proxy)
+	return proxy, nil
+}
+
+// GetProxy returns the proxy associated to a key
+func (manager *Manager) GetProxy(key string) http.Handler {
+	proxy, ok := manager.proxies.Get(key)
+	if !ok {
+		return nil
+	}
+	return proxy.(http.Handler)
+}
+
+// DeleteProxy deletes the proxy associated to a key
+func (manager *Manager) DeleteProxy(key string) {
+	manager.proxies.Remove(key)
+}

api/http/proxy/response.go

@@ -0,0 +1,90 @@
+package proxy
+
+import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"strconv"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrEmptyResponseBody defines an error raised when portainer excepts to parse the body of a HTTP response and there is nothing to parse
+	ErrEmptyResponseBody = portainer.Error("Empty response body")
+)
+
+func extractJSONField(jsonObject map[string]interface{}, key string) map[string]interface{} {
+	object := jsonObject[key]
+	if object != nil {
+		return object.(map[string]interface{})
+	}
+	return nil
+}
+
+func getResponseAsJSONOBject(response *http.Response) (map[string]interface{}, error) {
+	responseData, err := getResponseBodyAsGenericJSON(response)
+	if err != nil {
+		return nil, err
+	}
+
+	responseObject := responseData.(map[string]interface{})
+	return responseObject, nil
+}
+
+func getResponseAsJSONArray(response *http.Response) ([]interface{}, error) {
+	responseData, err := getResponseBodyAsGenericJSON(response)
+	if err != nil {
+		return nil, err
+	}
+
+	responseObject := responseData.([]interface{})
+	return responseObject, nil
+}
+
+func getResponseBodyAsGenericJSON(response *http.Response) (interface{}, error) {
+	var data interface{}
+	if response.Body != nil {
+		body, err := ioutil.ReadAll(response.Body)
+		if err != nil {
+			return nil, err
+		}
+
+		err = response.Body.Close()
+		if err != nil {
+			return nil, err
+		}
+
+		err = json.Unmarshal(body, &data)
+		if err != nil {
+			return nil, err
+		}
+
+		return data, nil
+	}
+	return nil, ErrEmptyResponseBody
+}
+
+func writeAccessDeniedResponse() (*http.Response, error) {
+	response := &http.Response{}
+	err := rewriteResponse(response, portainer.ErrResourceAccessDenied, http.StatusForbidden)
+	return response, err
+}
+
+func rewriteAccessDeniedResponse(response *http.Response) error {
+	return rewriteResponse(response, portainer.ErrResourceAccessDenied, http.StatusForbidden)
+}
+
+func rewriteResponse(response *http.Response, newResponseData interface{}, statusCode int) error {
+	jsonData, err := json.Marshal(newResponseData)
+	if err != nil {
+		return err
+	}
+	body := ioutil.NopCloser(bytes.NewReader(jsonData))
+	response.StatusCode = statusCode
+	response.Body = body
+	response.ContentLength = int64(len(jsonData))
+	response.Header.Set("Content-Length", strconv.Itoa(len(jsonData)))
+	return nil
+}

api/http/proxy/reverse_proxy.go

@@ -0,0 +1,46 @@
+package proxy
+
+import (
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strings"
+)
+
+// NewSingleHostReverseProxyWithHostHeader is based on NewSingleHostReverseProxy
+// from golang.org/src/net/http/httputil/reverseproxy.go and merely sets the Host
+// HTTP header, which NewSingleHostReverseProxy deliberately preserves.
+func newSingleHostReverseProxyWithHostHeader(target *url.URL) *httputil.ReverseProxy {
+	targetQuery := target.RawQuery
+	director := func(req *http.Request) {
+		req.URL.Scheme = target.Scheme
+		req.URL.Host = target.Host
+		req.URL.Path = singleJoiningSlash(target.Path, req.URL.Path)
+		req.Host = req.URL.Host
+		if targetQuery == "" || req.URL.RawQuery == "" {
+			req.URL.RawQuery = targetQuery + req.URL.RawQuery
+		} else {
+			req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
+		}
+		if _, ok := req.Header["User-Agent"]; !ok {
+			// explicitly disable User-Agent so it's not set to default value
+			req.Header.Set("User-Agent", "")
+		}
+	}
+	return &httputil.ReverseProxy{Director: director}
+}
+
+// singleJoiningSlash from golang.org/src/net/http/httputil/reverseproxy.go
+// included here for use in NewSingleHostReverseProxyWithHostHeader
+// because its used in NewSingleHostReverseProxy from golang.org/src/net/http/httputil/reverseproxy.go
+func singleJoiningSlash(a, b string) string {
+	aslash := strings.HasSuffix(a, "/")
+	bslash := strings.HasPrefix(b, "/")
+	switch {
+	case aslash && bslash:
+		return a + b[1:]
+	case !aslash && !bslash:
+		return a + "/" + b
+	}
+	return a + b
+}

api/http/proxy/service.go

@@ -0,0 +1,64 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier
+	ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")
+	serviceIdentifier                  = "ID"
+)
+
+// serviceListOperation extracts the response as a JSON array, loop through the service array
+// decorate and/or filter the services based on resource controls before rewriting the response
+func serviceListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+	var err error
+	// ServiceList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if operationContext.isAdmin {
+		responseArray, err = decorateServiceList(responseArray, operationContext.resourceControls)
+	} else {
+		responseArray, err = filterServiceList(responseArray, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// serviceInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the service based on resource control and either rewrite an access denied response
+// or a decorated service.
+func serviceInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+	// ServiceInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[serviceIdentifier] == nil {
+		return ErrDockerServiceIdentifierNotFound
+	}
+	serviceID := responseObject[serviceIdentifier].(string)
+
+	resourceControl := getResourceControlByResourceID(serviceID, operationContext.resourceControls)
+	if resourceControl != nil {
+		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+			responseObject = decorateObject(responseObject, resourceControl)
+		} else {
+			return rewriteAccessDeniedResponse(response)
+		}
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}

api/http/proxy/socket.go

@@ -0,0 +1,40 @@
+package proxy
+
+// unixSocketHandler represents a handler to proxy HTTP requests via a unix:// socket
+import (
+	"io"
+	"net/http"
+
+	httperror "github.com/portainer/portainer/http/error"
+)
+
+type socketProxy struct {
+	Transport *proxyTransport
+}
+
+func (proxy *socketProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// Force URL/domain to http/unixsocket to be able to
+	// use http.Transport RoundTrip to do the requests via the socket
+	r.URL.Scheme = "http"
+	r.URL.Host = "unixsocket"
+
+	res, err := proxy.Transport.proxyDockerRequest(r)
+	if err != nil {
+		code := http.StatusInternalServerError
+		if res != nil && res.StatusCode != 0 {
+			code = res.StatusCode
+		}
+		httperror.WriteErrorResponse(w, err, code, nil)
+		return
+	}
+	defer res.Body.Close()
+
+	for k, vv := range res.Header {
+		for _, v := range vv {
+			w.Header().Add(k, v)
+		}
+	}
+	if _, err := io.Copy(w, res.Body); err != nil {
+		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, nil)
+	}
+}

api/http/proxy/transport.go

@@ -0,0 +1,237 @@
+package proxy
+
+import (
+	"net"
+	"net/http"
+	"path"
+	"strings"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/security"
+)
+
+type (
+	proxyTransport struct {
+		dockerTransport        *http.Transport
+		ResourceControlService portainer.ResourceControlService
+		TeamMembershipService  portainer.TeamMembershipService
+	}
+	restrictedOperationContext struct {
+		isAdmin          bool
+		userID           portainer.UserID
+		userTeamIDs      []portainer.TeamID
+		resourceControls []portainer.ResourceControl
+	}
+	restrictedOperationRequest func(*http.Request, *http.Response, *restrictedOperationContext) error
+)
+
+func newSocketTransport(socketPath string) *http.Transport {
+	return &http.Transport{
+		Dial: func(proto, addr string) (conn net.Conn, err error) {
+			return net.Dial("unix", socketPath)
+		},
+	}
+}
+
+func newHTTPTransport() *http.Transport {
+	return &http.Transport{}
+}
+
+func (p *proxyTransport) RoundTrip(request *http.Request) (*http.Response, error) {
+	return p.proxyDockerRequest(request)
+}
+
+func (p *proxyTransport) executeDockerRequest(request *http.Request) (*http.Response, error) {
+	return p.dockerTransport.RoundTrip(request)
+}
+
+func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Response, error) {
+	path := request.URL.Path
+
+	if strings.HasPrefix(path, "/containers") {
+		return p.proxyContainerRequest(request)
+	} else if strings.HasPrefix(path, "/services") {
+		return p.proxyServiceRequest(request)
+	} else if strings.HasPrefix(path, "/volumes") {
+		return p.proxyVolumeRequest(request)
+	}
+
+	return p.executeDockerRequest(request)
+}
+
+func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Response, error) {
+	// return p.executeDockerRequest(request)
+	switch requestPath := request.URL.Path; requestPath {
+	case "/containers/create":
+		return p.executeDockerRequest(request)
+
+	case "/containers/prune":
+		return p.administratorOperation(request)
+
+	case "/containers/json":
+		return p.rewriteOperation(request, containerListOperation)
+
+	default:
+		// This section assumes /containers/**
+		if match, _ := path.Match("/containers/*/*", requestPath); match {
+			// Handle /containers/{id}/{action} requests
+			containerID := path.Base(path.Dir(requestPath))
+			action := path.Base(requestPath)
+
+			if action == "json" {
+				return p.rewriteOperation(request, containerInspectOperation)
+			}
+			return p.restrictedOperation(request, containerID)
+		} else if match, _ := path.Match("/containers/*", requestPath); match {
+			// Handle /containers/{id} requests
+			containerID := path.Base(requestPath)
+			return p.restrictedOperation(request, containerID)
+		}
+		return p.executeDockerRequest(request)
+	}
+}
+
+func (p *proxyTransport) proxyServiceRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/services/create":
+		return p.executeDockerRequest(request)
+
+	case "/volumes/prune":
+		return p.administratorOperation(request)
+
+	case "/services":
+		return p.rewriteOperation(request, serviceListOperation)
+
+	default:
+		// This section assumes /services/**
+		if match, _ := path.Match("/services/*/*", requestPath); match {
+			// Handle /services/{id}/{action} requests
+			serviceID := path.Base(path.Dir(requestPath))
+			return p.restrictedOperation(request, serviceID)
+		} else if match, _ := path.Match("/services/*", requestPath); match {
+			// Handle /services/{id} requests
+			serviceID := path.Base(requestPath)
+
+			if request.Method == http.MethodGet {
+				return p.rewriteOperation(request, serviceInspectOperation)
+			}
+			return p.restrictedOperation(request, serviceID)
+		}
+		return p.executeDockerRequest(request)
+	}
+}
+
+func (p *proxyTransport) proxyVolumeRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/volumes/create":
+		return p.executeDockerRequest(request)
+
+	case "/volumes/prune":
+		return p.administratorOperation(request)
+
+	case "/volumes":
+		return p.rewriteOperation(request, volumeListOperation)
+
+	default:
+		// assume /volumes/{name}
+		if request.Method == http.MethodGet {
+			return p.rewriteOperation(request, volumeInspectOperation)
+		}
+		volumeID := path.Base(requestPath)
+		return p.restrictedOperation(request, volumeID)
+	}
+}
+
+// restrictedOperation ensures that the current user has the required authorizations
+// before executing the original request.
+func (p *proxyTransport) restrictedOperation(request *http.Request, resourceID string) (*http.Response, error) {
+	var err error
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+
+		teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		userTeamIDs := make([]portainer.TeamID, 0)
+		for _, membership := range teamMemberships {
+			userTeamIDs = append(userTeamIDs, membership.TeamID)
+		}
+
+		resourceControls, err := p.ResourceControlService.ResourceControls()
+		if err != nil {
+			return nil, err
+		}
+
+		resourceControl := getResourceControlByResourceID(resourceID, resourceControls)
+		if resourceControl != nil && !canUserAccessResource(tokenData.ID, userTeamIDs, resourceControl) {
+			return writeAccessDeniedResponse()
+		}
+	}
+
+	return p.executeDockerRequest(request)
+}
+
+// rewriteOperation will create a new operation context with data that will be used
+// to decorate the original request's response.
+func (p *proxyTransport) rewriteOperation(request *http.Request, operation restrictedOperationRequest) (*http.Response, error) {
+	var err error
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	resourceControls, err := p.ResourceControlService.ResourceControls()
+	if err != nil {
+		return nil, err
+	}
+
+	operationContext := &restrictedOperationContext{
+		isAdmin:          true,
+		userID:           tokenData.ID,
+		resourceControls: resourceControls,
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		operationContext.isAdmin = false
+
+		teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		userTeamIDs := make([]portainer.TeamID, 0)
+		for _, membership := range teamMemberships {
+			userTeamIDs = append(userTeamIDs, membership.TeamID)
+		}
+		operationContext.userTeamIDs = userTeamIDs
+	}
+
+	response, err := p.executeDockerRequest(request)
+	if err != nil {
+		return response, err
+	}
+
+	err = operation(request, response, operationContext)
+	return response, err
+}
+
+// administratorOperation ensures that the user has administrator privileges
+// before executing the original request.
+func (p *proxyTransport) administratorOperation(request *http.Request) (*http.Response, error) {
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return nil, err
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		return writeAccessDeniedResponse()
+	}
+
+	return p.executeDockerRequest(request)
+}

api/http/proxy/utils.go

@@ -0,0 +1,17 @@
+package proxy
+
+import "github.com/portainer/portainer"
+
+func getResourceControlByResourceID(resourceID string, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
+	for _, resourceControl := range resourceControls {
+		if resourceID == resourceControl.ResourceID {
+			return &resourceControl
+		}
+		for _, subResourceID := range resourceControl.SubResourceIDs {
+			if resourceID == subResourceID {
+				return &resourceControl
+			}
+		}
+	}
+	return nil
+}

api/http/proxy/volumes.go

@@ -0,0 +1,73 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerVolumeIdentifierNotFound defines an error raised when Portainer is unable to find a volume identifier
+	ErrDockerVolumeIdentifierNotFound = portainer.Error("Docker volume identifier not found")
+	volumeIdentifier                  = "Name"
+)
+
+// volumeListOperation extracts the response as a JSON object, loop through the volume array
+// decorate and/or filter the volumes based on resource controls before rewriting the response
+func volumeListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+	var err error
+	// VolumeList response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	// The "Volumes" field contains the list of volumes as an array of JSON objects
+	// Response schema reference: https://docs.docker.com/engine/api/v1.28/#operation/VolumeList
+	if responseObject["Volumes"] != nil {
+		volumeData := responseObject["Volumes"].([]interface{})
+
+		if operationContext.isAdmin {
+			volumeData, err = decorateVolumeList(volumeData, operationContext.resourceControls)
+		} else {
+			volumeData, err = filterVolumeList(volumeData, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
+		}
+		if err != nil {
+			return err
+		}
+
+		// Overwrite the original volume list
+		responseObject["Volumes"] = volumeData
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
+
+// volumeInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the volume based on resource control and either rewrite an access denied response
+// or a decorated volume.
+func volumeInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+	// VolumeInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/VolumeInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[volumeIdentifier] == nil {
+		return ErrDockerVolumeIdentifierNotFound
+	}
+	volumeID := responseObject[volumeIdentifier].(string)
+
+	resourceControl := getResourceControlByResourceID(volumeID, operationContext.resourceControls)
+	if resourceControl != nil {
+		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+			responseObject = decorateObject(responseObject, resourceControl)
+		} else {
+			return rewriteAccessDeniedResponse(response)
+		}
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}