feat(extensions): introduce RBAC extension (#2900)

2025-08-02 20:35:25 +02:00 · 2019-05-24 18:04:58 +12:00 · 2019-05-24 18:04:58 +12:00 · 8057aa45c4
commit 8057aa45c4
parent 27a0188949
196 changed files with 3321 additions and 1316 deletions
--- a/api/http/proxy/docker_transport.go
+++ b/api/http/proxy/docker_transport.go
@ -24,12 +24,14 @@ type (
 		DockerHubService       portainer.DockerHubService
 		SettingsService        portainer.SettingsService
 		SignatureService       portainer.DigitalSignatureService
+		endpointIdentifier     portainer.EndpointID
 	}
-	restrictedOperationContext struct {
-		isAdmin          bool
-		userID           portainer.UserID
-		userTeamIDs      []portainer.TeamID
-		resourceControls []portainer.ResourceControl
+	restrictedDockerOperationContext struct {
+		isAdmin                bool
+		endpointResourceAccess bool
+		userID                 portainer.UserID
+		userTeamIDs            []portainer.TeamID
+		resourceControls       []portainer.ResourceControl
 	}
 	registryAccessContext struct {
 		isAdmin         bool
@ -44,7 +46,7 @@ type (
 		Serveraddress string `json:"serveraddress"`
 	}
 	operationExecutor struct {
-		operationContext *restrictedOperationContext
+		operationContext *restrictedDockerOperationContext
 		labelBlackList   []portainer.Pair
 	}
 	restrictedOperationRequest func(*http.Response, *operationExecutor) error
@ -460,7 +462,7 @@ func (p *proxyTransport) createRegistryAccessContext(request *http.Request) (*re
 	return accessContext, nil
 }

-func (p *proxyTransport) createOperationContext(request *http.Request) (*restrictedOperationContext, error) {
+func (p *proxyTransport) createOperationContext(request *http.Request) (*restrictedDockerOperationContext, error) {
 	var err error
 	tokenData, err := security.RetrieveTokenData(request)
 	if err != nil {
@ -472,15 +474,21 @@ func (p *proxyTransport) createOperationContext(request *http.Request) (*restric
 		return nil, err
 	}

-	operationContext := &restrictedOperationContext{
-		isAdmin:          true,
-		userID:           tokenData.ID,
-		resourceControls: resourceControls,
+	operationContext := &restrictedDockerOperationContext{
+		isAdmin:                true,
+		userID:                 tokenData.ID,
+		resourceControls:       resourceControls,
+		endpointResourceAccess: false,
 	}

 	if tokenData.Role != portainer.AdministratorRole {
 		operationContext.isAdmin = false

+		_, ok := tokenData.EndpointAuthorizations[p.endpointIdentifier][portainer.EndpointResourcesAccess]
+		if ok {
+			operationContext.endpointResourceAccess = true
+		}
+
 		teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
 		if err != nil {
 			return nil, err