feat(api): relocate authorizations outside of JWT (#3079)

* feat(api): relocate authorizations outside of JWT

* fix(api): update user authorization after enabling the RBAC extension

* feat(api): add PortainerEndpointList operation in the default portainer authorizations

* feat(auth): retrieve authorization from API instead of JWT

* refactor(auth): move permissions retrieval to function

* refactor(api): document authorizations methods

api/http/proxy/docker_transport.go

@@ -19,6 +19,7 @@ type (
 		dockerTransport        *http.Transport
 		enableSignature        bool
 		ResourceControlService portainer.ResourceControlService
+		UserService            portainer.UserService
 		TeamMembershipService  portainer.TeamMembershipService
 		RegistryService        portainer.RegistryService
 		DockerHubService       portainer.DockerHubService
@@ -498,7 +499,12 @@ func (p *proxyTransport) createOperationContext(request *http.Request) (*restric
 	if tokenData.Role != portainer.AdministratorRole {
 		operationContext.isAdmin = false
 
-		_, ok := tokenData.EndpointAuthorizations[p.endpointIdentifier][portainer.EndpointResourcesAccess]
+		user, err := p.UserService.User(operationContext.userID)
+		if err != nil {
+			return nil, err
+		}
+
+		_, ok := user.EndpointAuthorizations[p.endpointIdentifier][portainer.EndpointResourcesAccess]
 		if ok {
 			operationContext.endpointResourceAccess = true
 		}

api/http/proxy/factory.go

@@ -16,6 +16,7 @@ const AzureAPIBaseURL = "https://management.azure.com"
 // proxyFactory is a factory to create reverse proxies to Docker endpoints
 type proxyFactory struct {
 	ResourceControlService portainer.ResourceControlService
+	UserService            portainer.UserService
 	TeamMembershipService  portainer.TeamMembershipService
 	SettingsService        portainer.SettingsService
 	RegistryService        portainer.RegistryService
@@ -70,6 +71,7 @@ func (factory *proxyFactory) createDockerReverseProxy(u *url.URL, endpoint *port
 	transport := &proxyTransport{
 		enableSignature:        enableSignature,
 		ResourceControlService: factory.ResourceControlService,
+		UserService:            factory.UserService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
 		RegistryService:        factory.RegistryService,

api/http/proxy/factory_local.go

@@ -13,6 +13,7 @@ func (factory *proxyFactory) newLocalProxy(path string, endpoint *portainer.Endp
 	transport := &proxyTransport{
 		enableSignature:        false,
 		ResourceControlService: factory.ResourceControlService,
+		UserService:            factory.UserService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
 		RegistryService:        factory.RegistryService,

api/http/proxy/factory_local_windows.go

@@ -3,10 +3,11 @@
 package proxy
 
 import (
-	"github.com/Microsoft/go-winio"
 	"net"
 	"net/http"
 
+	"github.com/Microsoft/go-winio"
+
 	portainer "github.com/portainer/portainer/api"
 )
 
@@ -15,6 +16,7 @@ func (factory *proxyFactory) newLocalProxy(path string, endpoint *portainer.Endp
 	transport := &proxyTransport{
 		enableSignature:        false,
 		ResourceControlService: factory.ResourceControlService,
+		UserService:            factory.UserService,
 		TeamMembershipService:  factory.TeamMembershipService,
 		SettingsService:        factory.SettingsService,
 		RegistryService:        factory.RegistryService,

api/http/proxy/manager.go

@@ -31,6 +31,7 @@ type (
 	// ManagerParams represents the required parameters to create a new Manager instance.
 	ManagerParams struct {
 		ResourceControlService portainer.ResourceControlService
+		UserService            portainer.UserService
 		TeamMembershipService  portainer.TeamMembershipService
 		SettingsService        portainer.SettingsService
 		RegistryService        portainer.RegistryService
@@ -48,6 +49,7 @@ func NewManager(parameters *ManagerParams) *Manager {
 		legacyExtensionProxies: cmap.New(),
 		proxyFactory: &proxyFactory{
 			ResourceControlService: parameters.ResourceControlService,
+			UserService:            parameters.UserService,
 			TeamMembershipService:  parameters.TeamMembershipService,
 			SettingsService:        parameters.SettingsService,
 			RegistryService:        parameters.RegistryService,