feat(extensions): introduce RBAC extension (#2900)

2025-08-04 21:35:23 +02:00 · 2019-05-24 18:04:58 +12:00 · 2019-05-24 18:04:58 +12:00 · 8057aa45c4
commit 8057aa45c4
parent 27a0188949
196 changed files with 3321 additions and 1316 deletions
--- a/api/http/security/rbac.go
+++ b/api/http/security/rbac.go
@ -0,0 +1,59 @@
+package security
+
+import (
+	"encoding/json"
+	"net/http"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+const (
+	defaultHTTPTimeout = 5
+)
+
+type rbacExtensionClient struct {
+	httpClient   *http.Client
+	extensionURL string
+	licenseKey   string
+}
+
+func newRBACExtensionClient(extensionURL string) *rbacExtensionClient {
+	return &rbacExtensionClient{
+		extensionURL: extensionURL,
+		httpClient: &http.Client{
+			Timeout: time.Second * time.Duration(defaultHTTPTimeout),
+		},
+	}
+}
+
+func (client *rbacExtensionClient) setLicenseKey(licenseKey string) {
+	client.licenseKey = licenseKey
+}
+
+func (client *rbacExtensionClient) checkAuthorization(authRequest *portainer.APIOperationAuthorizationRequest) error {
+	encodedAuthRequest, err := json.Marshal(authRequest)
+	if err != nil {
+		return err
+	}
+
+	req, err := http.NewRequest("GET", client.extensionURL+"/authorized_operation", nil)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set("X-RBAC-AuthorizationRequest", string(encodedAuthRequest))
+	req.Header.Set("X-PortainerExtension-License", client.licenseKey)
+
+	resp, err := client.httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusNoContent {
+		return portainer.ErrAuthorizationRequired
+	}
+
+	return nil
+}