feat(extensions): introduce RBAC extension (#2900)

2025-08-02 20:35:25 +02:00 · 2019-05-24 18:04:58 +12:00 · 2019-05-24 18:04:58 +12:00 · 8057aa45c4
commit 8057aa45c4
parent 27a0188949
196 changed files with 3321 additions and 1316 deletions
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@ -117,11 +117,60 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use

 func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User) *httperror.HandlerError {
 	tokenData := &portainer.TokenData{
-		ID:       user.ID,
-		Username: user.Username,
-		Role:     user.Role,
+		ID:                      user.ID,
+		Username:                user.Username,
+		Role:                    user.Role,
+		PortainerAuthorizations: user.PortainerAuthorizations,
 	}

+	_, err := handler.ExtensionService.Extension(portainer.RBACExtension)
+	if err == portainer.ErrObjectNotFound {
+		return handler.persistAndWriteToken(w, tokenData)
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
+	}
+
+	endpointAuthorizations, err := handler.getAuthorizations(user)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve authorizations associated to the user", err}
+	}
+	tokenData.EndpointAuthorizations = endpointAuthorizations
+
+	return handler.persistAndWriteToken(w, tokenData)
+}
+
+func (handler *Handler) getAuthorizations(user *portainer.User) (portainer.EndpointAuthorizations, error) {
+	endpointAuthorizations := portainer.EndpointAuthorizations{}
+	if user.Role == portainer.AdministratorRole {
+		return endpointAuthorizations, nil
+	}
+
+	userMemberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(user.ID)
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	roles, err := handler.RoleService.Roles()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpointAuthorizations = getUserEndpointAuthorizations(user, endpoints, endpointGroups, roles, userMemberships)
+
+	return endpointAuthorizations, nil
+}
+
+func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
 	token, err := handler.JWTService.GenerateToken(tokenData)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to generate JWT token", err}
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@ -3,8 +3,8 @@ package auth
 import (
 	"encoding/json"
 	"io/ioutil"
-	"net/http"
 	"log"
+	"net/http"

 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
--- a/api/http/handler/auth/authorization.go
+++ b/api/http/handler/auth/authorization.go
@ -0,0 +1,122 @@
+package auth
+
+import portainer "github.com/portainer/portainer/api"
+
+func getUserEndpointAuthorizations(user *portainer.User, endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup, roles []portainer.Role, userMemberships []portainer.TeamMembership) portainer.EndpointAuthorizations {
+	endpointAuthorizations := make(portainer.EndpointAuthorizations)
+
+	groupUserAccessPolicies := map[portainer.EndpointGroupID]portainer.UserAccessPolicies{}
+	groupTeamAccessPolicies := map[portainer.EndpointGroupID]portainer.TeamAccessPolicies{}
+	for _, endpointGroup := range endpointGroups {
+		groupUserAccessPolicies[endpointGroup.ID] = endpointGroup.UserAccessPolicies
+		groupTeamAccessPolicies[endpointGroup.ID] = endpointGroup.TeamAccessPolicies
+	}
+
+	for _, endpoint := range endpoints {
+		authorizations := getAuthorizationsFromUserEndpointPolicy(user, &endpoint, roles)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromUserEndpointGroupPolicy(user, &endpoint, roles, groupUserAccessPolicies)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromTeamEndpointPolicies(userMemberships, &endpoint, roles)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		endpointAuthorizations[endpoint.ID] = getAuthorizationsFromTeamEndpointGroupPolicies(userMemberships, &endpoint, roles, groupTeamAccessPolicies)
+	}
+
+	return endpointAuthorizations
+}
+
+func getAuthorizationsFromUserEndpointPolicy(user *portainer.User, endpoint *portainer.Endpoint, roles []portainer.Role) portainer.Authorizations {
+	policyRoles := make([]portainer.RoleID, 0)
+
+	policy, ok := endpoint.UserAccessPolicies[user.ID]
+	if ok {
+		policyRoles = append(policyRoles, policy.RoleID)
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromUserEndpointGroupPolicy(user *portainer.User, endpoint *portainer.Endpoint, roles []portainer.Role, groupAccessPolicies map[portainer.EndpointGroupID]portainer.UserAccessPolicies) portainer.Authorizations {
+	policyRoles := make([]portainer.RoleID, 0)
+
+	policy, ok := groupAccessPolicies[endpoint.GroupID][user.ID]
+	if ok {
+		policyRoles = append(policyRoles, policy.RoleID)
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromTeamEndpointPolicies(memberships []portainer.TeamMembership, endpoint *portainer.Endpoint, roles []portainer.Role) portainer.Authorizations {
+	policyRoles := make([]portainer.RoleID, 0)
+
+	for _, membership := range memberships {
+		policy, ok := endpoint.TeamAccessPolicies[membership.TeamID]
+		if ok {
+			policyRoles = append(policyRoles, policy.RoleID)
+		}
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromTeamEndpointGroupPolicies(memberships []portainer.TeamMembership, endpoint *portainer.Endpoint, roles []portainer.Role, groupAccessPolicies map[portainer.EndpointGroupID]portainer.TeamAccessPolicies) portainer.Authorizations {
+	policyRoles := make([]portainer.RoleID, 0)
+
+	for _, membership := range memberships {
+		policy, ok := groupAccessPolicies[endpoint.GroupID][membership.TeamID]
+		if ok {
+			policyRoles = append(policyRoles, policy.RoleID)
+		}
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromRoles(roleIdentifiers []portainer.RoleID, roles []portainer.Role) portainer.Authorizations {
+	var roleAuthorizations []portainer.Authorizations
+	for _, id := range roleIdentifiers {
+		for _, role := range roles {
+			if role.ID == id {
+				roleAuthorizations = append(roleAuthorizations, role.Authorizations)
+				break
+			}
+		}
+	}
+
+	processedAuthorizations := make(portainer.Authorizations)
+	if len(roleAuthorizations) > 0 {
+		processedAuthorizations = roleAuthorizations[0]
+		for idx, authorizations := range roleAuthorizations {
+			if idx == 0 {
+				continue
+			}
+			processedAuthorizations = mergeAuthorizations(processedAuthorizations, authorizations)
+		}
+	}
+
+	return processedAuthorizations
+}
+
+func mergeAuthorizations(a, b portainer.Authorizations) portainer.Authorizations {
+	c := make(map[portainer.Authorization]bool)
+
+	for k := range b {
+		if _, ok := a[k]; ok {
+			c[k] = true
+		}
+	}
+	return c
+}
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@ -30,6 +30,9 @@ type Handler struct {
 	TeamService           portainer.TeamService
 	TeamMembershipService portainer.TeamMembershipService
 	ExtensionService      portainer.ExtensionService
+	EndpointService       portainer.EndpointService
+	EndpointGroupService  portainer.EndpointGroupService
+	RoleService           portainer.RoleService
 	ProxyManager          *proxy.Manager
 }