feat(extensions): introduce RBAC extension (#2900)

2025-08-02 20:35:25 +02:00 · 2019-05-24 18:04:58 +12:00 · 2019-05-24 18:04:58 +12:00 · 8057aa45c4
commit 8057aa45c4
parent 27a0188949
196 changed files with 3321 additions and 1316 deletions
--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@ -172,19 +172,19 @@ func (handler *Handler) createAzureEndpoint(payload *endpointCreatePayload) (*po

 	endpointID := handler.EndpointService.GetNextIdentifier()
 	endpoint := &portainer.Endpoint{
-		ID:               portainer.EndpointID(endpointID),
-		Name:             payload.Name,
-		URL:              "https://management.azure.com",
-		Type:             portainer.AzureEnvironment,
-		GroupID:          portainer.EndpointGroupID(payload.GroupID),
-		PublicURL:        payload.PublicURL,
-		AuthorizedUsers:  []portainer.UserID{},
-		AuthorizedTeams:  []portainer.TeamID{},
-		Extensions:       []portainer.EndpointExtension{},
-		AzureCredentials: credentials,
-		Tags:             payload.Tags,
-		Status:           portainer.EndpointStatusUp,
-		Snapshots:        []portainer.Snapshot{},
+		ID:                 portainer.EndpointID(endpointID),
+		Name:               payload.Name,
+		URL:                "https://management.azure.com",
+		Type:               portainer.AzureEnvironment,
+		GroupID:            portainer.EndpointGroupID(payload.GroupID),
+		PublicURL:          payload.PublicURL,
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		Extensions:         []portainer.EndpointExtension{},
+		AzureCredentials:   credentials,
+		Tags:               payload.Tags,
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.Snapshot{},
 	}

 	err = handler.EndpointService.CreateEndpoint(endpoint)
@ -224,12 +224,12 @@ func (handler *Handler) createUnsecuredEndpoint(payload *endpointCreatePayload)
 		TLSConfig: portainer.TLSConfiguration{
 			TLS: false,
 		},
-		AuthorizedUsers: []portainer.UserID{},
-		AuthorizedTeams: []portainer.TeamID{},
-		Extensions:      []portainer.EndpointExtension{},
-		Tags:            payload.Tags,
-		Status:          portainer.EndpointStatusUp,
-		Snapshots:       []portainer.Snapshot{},
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		Extensions:         []portainer.EndpointExtension{},
+		Tags:               payload.Tags,
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.Snapshot{},
 	}

 	err := handler.snapshotAndPersistEndpoint(endpoint)
@ -268,12 +268,12 @@ func (handler *Handler) createTLSSecuredEndpoint(payload *endpointCreatePayload)
 			TLS:           payload.TLS,
 			TLSSkipVerify: payload.TLSSkipVerify,
 		},
-		AuthorizedUsers: []portainer.UserID{},
-		AuthorizedTeams: []portainer.TeamID{},
-		Extensions:      []portainer.EndpointExtension{},
-		Tags:            payload.Tags,
-		Status:          portainer.EndpointStatusUp,
-		Snapshots:       []portainer.Snapshot{},
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		Extensions:         []portainer.EndpointExtension{},
+		Tags:               payload.Tags,
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.Snapshot{},
 	}

 	filesystemError := handler.storeTLSFiles(endpoint, payload)
--- a/api/http/handler/endpoints/endpoint_inspect.go
+++ b/api/http/handler/endpoints/endpoint_inspect.go
@ -23,9 +23,9 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
 	}

-	err = handler.requestBouncer.EndpointAccess(r, endpoint)
+	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint, false)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
 	}

 	hideFields(endpoint)
--- a/api/http/handler/endpoints/endpoint_job.go
+++ b/api/http/handler/endpoints/endpoint_job.go
@ -70,11 +70,6 @@ func (handler *Handler) endpointJob(w http.ResponseWriter, r *http.Request) *htt
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
 	}

-	err = handler.requestBouncer.EndpointAccess(r, endpoint)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
-	}
-
 	switch method {
 	case "file":
 		return handler.executeJobFromFile(w, r, endpoint, nodeName)
--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@ -24,6 +24,8 @@ type endpointUpdatePayload struct {
 	AzureTenantID          *string
 	AzureAuthenticationKey *string
 	Tags                   []string
+	UserAccessPolicies     portainer.UserAccessPolicies
+	TeamAccessPolicies     portainer.TeamAccessPolicies
 }

 func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
@ -74,6 +76,14 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		endpoint.Tags = payload.Tags
 	}

+	if payload.UserAccessPolicies != nil {
+		endpoint.UserAccessPolicies = payload.UserAccessPolicies
+	}
+
+	if payload.TeamAccessPolicies != nil {
+		endpoint.TeamAccessPolicies = payload.TeamAccessPolicies
+	}
+
 	if payload.Status != nil {
 		switch *payload.Status {
 		case 1:
--- a/api/http/handler/endpoints/endpoint_update_access.go
+++ b/api/http/handler/endpoints/endpoint_update_access.go
@ -1,67 +0,0 @@
-package endpoints
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-type endpointUpdateAccessPayload struct {
-	AuthorizedUsers []int
-	AuthorizedTeams []int
-}
-
-func (payload *endpointUpdateAccessPayload) Validate(r *http.Request) error {
-	return nil
-}
-
-// PUT request on /api/endpoints/:id/access
-func (handler *Handler) endpointUpdateAccess(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	if !handler.authorizeEndpointManagement {
-		return &httperror.HandlerError{http.StatusServiceUnavailable, "Endpoint management is disabled", ErrEndpointManagementDisabled}
-	}
-
-	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
-	}
-
-	var payload endpointUpdateAccessPayload
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
-	}
-
-	if payload.AuthorizedUsers != nil {
-		authorizedUserIDs := []portainer.UserID{}
-		for _, value := range payload.AuthorizedUsers {
-			authorizedUserIDs = append(authorizedUserIDs, portainer.UserID(value))
-		}
-		endpoint.AuthorizedUsers = authorizedUserIDs
-	}
-
-	if payload.AuthorizedTeams != nil {
-		authorizedTeamIDs := []portainer.TeamID{}
-		for _, value := range payload.AuthorizedTeams {
-			authorizedTeamIDs = append(authorizedTeamIDs, portainer.TeamID(value))
-		}
-		endpoint.AuthorizedTeams = authorizedTeamIDs
-	}
-
-	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
-	}
-
-	return response.JSON(w, endpoint)
-}
--- a/api/http/handler/endpoints/handler.go
+++ b/api/http/handler/endpoints/handler.go
@ -37,32 +37,30 @@ type Handler struct {
 // NewHandler creates a handler to manage endpoint operations.
 func NewHandler(bouncer *security.RequestBouncer, authorizeEndpointManagement bool) *Handler {
 	h := &Handler{
-		Router: mux.NewRouter(),
+		Router:                      mux.NewRouter(),
 		authorizeEndpointManagement: authorizeEndpointManagement,
 		requestBouncer:              bouncer,
 	}

 	h.Handle("/endpoints",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointCreate))).Methods(http.MethodPost)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointCreate))).Methods(http.MethodPost)
 	h.Handle("/endpoints/snapshot",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointSnapshots))).Methods(http.MethodPost)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointSnapshots))).Methods(http.MethodPost)
 	h.Handle("/endpoints",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.endpointList))).Methods(http.MethodGet)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointList))).Methods(http.MethodGet)
 	h.Handle("/endpoints/{id}",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.endpointInspect))).Methods(http.MethodGet)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointInspect))).Methods(http.MethodGet)
 	h.Handle("/endpoints/{id}",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointUpdate))).Methods(http.MethodPut)
-	h.Handle("/endpoints/{id}/access",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointUpdateAccess))).Methods(http.MethodPut)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointUpdate))).Methods(http.MethodPut)
 	h.Handle("/endpoints/{id}",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointDelete))).Methods(http.MethodDelete)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointDelete))).Methods(http.MethodDelete)
 	h.Handle("/endpoints/{id}/extensions",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.endpointExtensionAdd))).Methods(http.MethodPost)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointExtensionAdd))).Methods(http.MethodPost)
 	h.Handle("/endpoints/{id}/extensions/{extensionType}",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.endpointExtensionRemove))).Methods(http.MethodDelete)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointExtensionRemove))).Methods(http.MethodDelete)
 	h.Handle("/endpoints/{id}/job",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointJob))).Methods(http.MethodPost)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointJob))).Methods(http.MethodPost)
 	h.Handle("/endpoints/{id}/snapshot",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.endpointSnapshot))).Methods(http.MethodPost)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.endpointSnapshot))).Methods(http.MethodPost)
 	return h
 }