feat(extensions): introduce RBAC extension (#2900)

api/http/handler/extensions/extension_create.go

@@ -70,6 +70,13 @@ func (handler *Handler) extensionCreate(w http.ResponseWriter, r *http.Request)
 
 	extension.Enabled = true
 
+	if extension.ID == portainer.RBACExtension {
+		err = handler.upgradeRBACData()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "An error occured during database update", err}
+		}
+	}
+
 	err = handler.ExtensionService.Persist(extension)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist extension status inside the database", err}

api/http/handler/extensions/handler.go

@@ -12,8 +12,11 @@ import (
 // Handler is the HTTP handler used to handle extension operations.
 type Handler struct {
 	*mux.Router
-	ExtensionService portainer.ExtensionService
-	ExtensionManager portainer.ExtensionManager
+	ExtensionService     portainer.ExtensionService
+	ExtensionManager     portainer.ExtensionManager
+	EndpointGroupService portainer.EndpointGroupService
+	EndpointService      portainer.EndpointService
+	RegistryService      portainer.RegistryService
 }
 
 // NewHandler creates a handler to manage extension operations.
@@ -23,15 +26,15 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	}
 
 	h.Handle("/extensions",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.extensionList))).Methods(http.MethodGet)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.extensionList))).Methods(http.MethodGet)
 	h.Handle("/extensions",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.extensionCreate))).Methods(http.MethodPost)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.extensionCreate))).Methods(http.MethodPost)
 	h.Handle("/extensions/{id}",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.extensionInspect))).Methods(http.MethodGet)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.extensionInspect))).Methods(http.MethodGet)
 	h.Handle("/extensions/{id}",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.extensionDelete))).Methods(http.MethodDelete)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.extensionDelete))).Methods(http.MethodDelete)
 	h.Handle("/extensions/{id}/update",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.extensionUpdate))).Methods(http.MethodPost)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.extensionUpdate))).Methods(http.MethodPost)
 
 	return h
 }

api/http/handler/extensions/upgrade.go

@@ -0,0 +1,59 @@
+package extensions
+
+import portainer "github.com/portainer/portainer/api"
+
+func updateUserAccessPolicyToReadOnlyRole(policies portainer.UserAccessPolicies, key portainer.UserID) {
+	tmp := policies[key]
+	tmp.RoleID = 4
+	policies[key] = tmp
+}
+
+func updateTeamAccessPolicyToReadOnlyRole(policies portainer.TeamAccessPolicies, key portainer.TeamID) {
+	tmp := policies[key]
+	tmp.RoleID = 4
+	policies[key] = tmp
+}
+
+func (handler *Handler) upgradeRBACData() error {
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range endpointGroups {
+		for key := range endpointGroup.UserAccessPolicies {
+			updateUserAccessPolicyToReadOnlyRole(endpointGroup.UserAccessPolicies, key)
+		}
+
+		for key := range endpointGroup.TeamAccessPolicies {
+			updateTeamAccessPolicyToReadOnlyRole(endpointGroup.TeamAccessPolicies, key)
+		}
+
+		err := handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+		if err != nil {
+			return err
+		}
+
+	}
+
+	endpoints, err := handler.EndpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		for key := range endpoint.UserAccessPolicies {
+			updateUserAccessPolicyToReadOnlyRole(endpoint.UserAccessPolicies, key)
+		}
+
+		for key := range endpoint.TeamAccessPolicies {
+			updateTeamAccessPolicyToReadOnlyRole(endpoint.TeamAccessPolicies, key)
+		}
+
+		err := handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}