feat(extensions): introduce RBAC extension (#2900)

2025-08-05 13:55:21 +02:00 · 2019-05-24 18:04:58 +12:00 · 2019-05-24 18:04:58 +12:00 · 8057aa45c4
commit 8057aa45c4
parent 27a0188949
196 changed files with 3321 additions and 1316 deletions
--- a/api/http/handler/registries/handler.go
+++ b/api/http/handler/registries/handler.go
@ -33,19 +33,17 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	}

 	h.Handle("/registries",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryCreate))).Methods(http.MethodPost)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.registryCreate))).Methods(http.MethodPost)
 	h.Handle("/registries",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.registryList))).Methods(http.MethodGet)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.registryList))).Methods(http.MethodGet)
 	h.Handle("/registries/{id}",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.registryInspect))).Methods(http.MethodGet)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.registryInspect))).Methods(http.MethodGet)
 	h.Handle("/registries/{id}",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryUpdate))).Methods(http.MethodPut)
-	h.Handle("/registries/{id}/access",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryUpdateAccess))).Methods(http.MethodPut)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.registryUpdate))).Methods(http.MethodPut)
 	h.Handle("/registries/{id}/configure",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryConfigure))).Methods(http.MethodPost)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.registryConfigure))).Methods(http.MethodPost)
 	h.Handle("/registries/{id}",
-		bouncer.AdministratorAccess(httperror.LoggerHandler(h.registryDelete))).Methods(http.MethodDelete)
+		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.registryDelete))).Methods(http.MethodDelete)
 	h.PathPrefix("/registries/{id}/v2").Handler(
 		bouncer.RestrictedAccess(httperror.LoggerHandler(h.proxyRequestsToRegistryAPI)))

--- a/api/http/handler/registries/proxy.go
+++ b/api/http/handler/registries/proxy.go
@ -5,6 +5,8 @@ import (
 	"net/http"
 	"strconv"

+	"github.com/portainer/portainer/api/http/security"
+
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/portainer/api"
@ -24,6 +26,15 @@ func (handler *Handler) proxyRequestsToRegistryAPI(w http.ResponseWriter, r *htt
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err}
 	}

+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
+	}
+
+	if !securityContext.IsAdmin {
+		return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", portainer.ErrResourceAccessDenied}
+	}
+
 	err = handler.requestBouncer.RegistryAccess(r, registry)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access registry", portainer.ErrEndpointAccessDenied}
--- a/api/http/handler/registries/registry_create.go
+++ b/api/http/handler/registries/registry_create.go
@ -53,14 +53,14 @@ func (handler *Handler) registryCreate(w http.ResponseWriter, r *http.Request) *
 	}

 	registry := &portainer.Registry{
-		Type:            portainer.RegistryType(payload.Type),
-		Name:            payload.Name,
-		URL:             payload.URL,
-		Authentication:  payload.Authentication,
-		Username:        payload.Username,
-		Password:        payload.Password,
-		AuthorizedUsers: []portainer.UserID{},
-		AuthorizedTeams: []portainer.TeamID{},
+		Type:               portainer.RegistryType(payload.Type),
+		Name:               payload.Name,
+		URL:                payload.URL,
+		Authentication:     payload.Authentication,
+		Username:           payload.Username,
+		Password:           payload.Password,
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
 	}

 	err = handler.RegistryService.CreateRegistry(registry)
--- a/api/http/handler/registries/registry_update.go
+++ b/api/http/handler/registries/registry_update.go
@ -11,11 +11,13 @@ import (
 )

 type registryUpdatePayload struct {
-	Name           string
-	URL            string
-	Authentication bool
-	Username       string
-	Password       string
+	Name               string
+	URL                string
+	Authentication     bool
+	Username           string
+	Password           string
+	UserAccessPolicies portainer.UserAccessPolicies
+	TeamAccessPolicies portainer.TeamAccessPolicies
 }

 func (payload *registryUpdatePayload) Validate(r *http.Request) error {
@ -73,6 +75,14 @@ func (handler *Handler) registryUpdate(w http.ResponseWriter, r *http.Request) *
 		registry.Password = ""
 	}

+	if payload.UserAccessPolicies != nil {
+		registry.UserAccessPolicies = payload.UserAccessPolicies
+	}
+
+	if payload.TeamAccessPolicies != nil {
+		registry.TeamAccessPolicies = payload.TeamAccessPolicies
+	}
+
 	err = handler.RegistryService.UpdateRegistry(registry.ID, registry)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist registry changes inside the database", err}
--- a/api/http/handler/registries/registry_update_access.go
+++ b/api/http/handler/registries/registry_update_access.go
@ -1,63 +0,0 @@
-package registries
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-type registryUpdateAccessPayload struct {
-	AuthorizedUsers []int
-	AuthorizedTeams []int
-}
-
-func (payload *registryUpdateAccessPayload) Validate(r *http.Request) error {
-	return nil
-}
-
-// PUT request on /api/registries/:id/access
-func (handler *Handler) registryUpdateAccess(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid registry identifier route variable", err}
-	}
-
-	var payload registryUpdateAccessPayload
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	registry, err := handler.RegistryService.Registry(portainer.RegistryID(registryID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err}
-	}
-
-	if payload.AuthorizedUsers != nil {
-		authorizedUserIDs := []portainer.UserID{}
-		for _, value := range payload.AuthorizedUsers {
-			authorizedUserIDs = append(authorizedUserIDs, portainer.UserID(value))
-		}
-		registry.AuthorizedUsers = authorizedUserIDs
-	}
-
-	if payload.AuthorizedTeams != nil {
-		authorizedTeamIDs := []portainer.TeamID{}
-		for _, value := range payload.AuthorizedTeams {
-			authorizedTeamIDs = append(authorizedTeamIDs, portainer.TeamID(value))
-		}
-		registry.AuthorizedTeams = authorizedTeamIDs
-	}
-
-	err = handler.RegistryService.UpdateRegistry(registry.ID, registry)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist registry changes inside the database", err}
-	}
-
-	return response.JSON(w, registry)
-}