feat(secrets): add UAC (#1200)

2025-07-25 08:19:40 +02:00 · 2017-09-19 17:10:15 +02:00 · 2017-09-19 17:10:15 +02:00 · 61f652da04
commit 61f652da04
parent a2b4cd8050
11 changed files with 221 additions and 20 deletions
--- a/api/http/handler/resource_control.go
+++ b/api/http/handler/resource_control.go
@ -80,6 +80,8 @@ func (handler *ResourceHandler) handlePostResources(w http.ResponseWriter, r *ht
 		resourceControlType = portainer.VolumeResourceControl
 	case "network":
 		resourceControlType = portainer.NetworkResourceControl
+	case "secret":
+		resourceControlType = portainer.SecretResourceControl
 	default:
 		httperror.WriteErrorResponse(w, portainer.ErrInvalidResourceControlType, http.StatusBadRequest, handler.Logger)
 		return
--- a/api/http/proxy/decorator.go
+++ b/api/http/proxy/decorator.go
@ -106,6 +106,30 @@ func decorateNetworkList(networkData []interface{}, resourceControls []portainer
 	return decoratedNetworkData, nil
 }

+// decorateSecretList loops through all secrets and will decorate any secret with an existing resource control.
+// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+func decorateSecretList(secretData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
+	decoratedSecretData := make([]interface{}, 0)
+
+	for _, secret := range secretData {
+
+		secretObject := secret.(map[string]interface{})
+		if secretObject[secretIdentifier] == nil {
+			return nil, ErrDockerSecretIdentifierNotFound
+		}
+
+		secretID := secretObject[secretIdentifier].(string)
+		resourceControl := getResourceControlByResourceID(secretID, resourceControls)
+		if resourceControl != nil {
+			secretObject = decorateObject(secretObject, resourceControl)
+		}
+
+		decoratedSecretData = append(decoratedSecretData, secretObject)
+	}
+
+	return decoratedSecretData, nil
+}
+
 func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
 	metadata := make(map[string]interface{})
 	metadata["ResourceControl"] = resourceControl
--- a/api/http/proxy/filter.go
+++ b/api/http/proxy/filter.go
@ -135,3 +135,28 @@ func filterNetworkList(networkData []interface{}, resourceControls []portainer.R

 	return filteredNetworkData, nil
 }
+
+// filterSecretList loops through all secrets, filters secrets without any resource control (public resources) or with
+// any resource control giving access to the user (these secrets will be decorated).
+// Secret object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+func filterSecretList(secretData []interface{}, resourceControls []portainer.ResourceControl, userID portainer.UserID, userTeamIDs []portainer.TeamID) ([]interface{}, error) {
+	filteredSecretData := make([]interface{}, 0)
+
+	for _, secret := range secretData {
+		secretObject := secret.(map[string]interface{})
+		if secretObject[secretIdentifier] == nil {
+			return nil, ErrDockerSecretIdentifierNotFound
+		}
+
+		secretID := secretObject[secretIdentifier].(string)
+		resourceControl := getResourceControlByResourceID(secretID, resourceControls)
+		if resourceControl == nil {
+			filteredSecretData = append(filteredSecretData, secretObject)
+		} else if resourceControl != nil && canUserAccessResource(userID, userTeamIDs, resourceControl) {
+			secretObject = decorateObject(secretObject, resourceControl)
+			filteredSecretData = append(filteredSecretData, secretObject)
+		}
+	}
+
+	return filteredSecretData, nil
+}
--- a/api/http/proxy/secrets.go
+++ b/api/http/proxy/secrets.go
@ -0,0 +1,67 @@
+package proxy
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer"
+)
+
+const (
+	// ErrDockerSecretIdentifierNotFound defines an error raised when Portainer is unable to find a secret identifier
+	ErrDockerSecretIdentifierNotFound = portainer.Error("Docker secret identifier not found")
+	secretIdentifier                  = "ID"
+)
+
+// secretListOperation extracts the response as a JSON object, loop through the secrets array
+// decorate and/or filter the secrets based on resource controls before rewriting the response
+func secretListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+	var err error
+
+	// SecretList response is a JSON array
+	// https://docs.docker.com/engine/api/v1.28/#operation/SecretList
+	responseArray, err := getResponseAsJSONArray(response)
+	if err != nil {
+		return err
+	}
+
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateSecretList(responseArray, executor.operationContext.resourceControls)
+	} else {
+		responseArray, err = filterSecretList(responseArray, executor.operationContext.resourceControls,
+			executor.operationContext.userID, executor.operationContext.userTeamIDs)
+	}
+	if err != nil {
+		return err
+	}
+
+	return rewriteResponse(response, responseArray, http.StatusOK)
+}
+
+// secretInspectOperation extracts the response as a JSON object, verify that the user
+// has access to the secret based on resource control (check are done based on the secretID and optional Swarm service ID)
+// and either rewrite an access denied response or a decorated secret.
+func secretInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
+	// SecretInspect response is a JSON object
+	// https://docs.docker.com/engine/api/v1.28/#operation/SecretInspect
+	responseObject, err := getResponseAsJSONOBject(response)
+	if err != nil {
+		return err
+	}
+
+	if responseObject[secretIdentifier] == nil {
+		return ErrDockerSecretIdentifierNotFound
+	}
+	secretID := responseObject[secretIdentifier].(string)
+
+	resourceControl := getResourceControlByResourceID(secretID, executor.operationContext.resourceControls)
+	if resourceControl != nil {
+		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
+			executor.operationContext.userTeamIDs, resourceControl) {
+			responseObject = decorateObject(responseObject, resourceControl)
+		} else {
+			return rewriteAccessDeniedResponse(response)
+		}
+	}
+
+	return rewriteResponse(response, responseObject, http.StatusOK)
+}
--- a/api/http/proxy/transport.go
+++ b/api/http/proxy/transport.go
@ -62,6 +62,8 @@ func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Respon
 		return p.proxyVolumeRequest(request)
 	case strings.HasPrefix(path, "/networks"):
 		return p.proxyNetworkRequest(request)
+	case strings.HasPrefix(path, "/secrets"):
+		return p.proxySecretRequest(request)
 	case strings.HasPrefix(path, "/swarm"):
 		return p.proxySwarmRequest(request)
 	default:
@ -157,12 +159,30 @@ func (p *proxyTransport) proxyNetworkRequest(request *http.Request) (*http.Respo
 		return p.rewriteOperation(request, networkListOperation)

 	default:
-		// assume /networks/{name}
+		// assume /networks/{id}
 		if request.Method == http.MethodGet {
 			return p.rewriteOperation(request, networkInspectOperation)
 		}
-		volumeID := path.Base(requestPath)
-		return p.restrictedOperation(request, volumeID)
+		networkID := path.Base(requestPath)
+		return p.restrictedOperation(request, networkID)
+	}
+}
+
+func (p *proxyTransport) proxySecretRequest(request *http.Request) (*http.Response, error) {
+	switch requestPath := request.URL.Path; requestPath {
+	case "/secrets/create":
+		return p.executeDockerRequest(request)
+
+	case "/secrets":
+		return p.rewriteOperation(request, secretListOperation)
+
+	default:
+		// assume /secrets/{id}
+		if request.Method == http.MethodGet {
+			return p.rewriteOperation(request, secretInspectOperation)
+		}
+		secretID := path.Base(requestPath)
+		return p.restrictedOperation(request, secretID)
 	}
 }