feat(uac): add multi user management and UAC (#647)

2025-08-02 20:35:25 +02:00 · 2017-03-12 17:24:15 +01:00 · 2017-03-12 17:24:15 +01:00 · 80d50378c5
commit 80d50378c5
parent f28f223624
91 changed files with 3973 additions and 866 deletions
--- a/api/bolt/data_migration.go
+++ b/api/bolt/data_migration.go
@ -0,0 +1,76 @@
+package bolt
+
+import (
+	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer"
+)
+
+type Migrator struct {
+	UserService            *UserService
+	EndpointService        *EndpointService
+	ResourceControlService *ResourceControlService
+	VersionService         *VersionService
+	CurrentDBVersion       int
+	store                  *Store
+}
+
+func NewMigrator(store *Store, version int) *Migrator {
+	return &Migrator{
+		UserService:            store.UserService,
+		EndpointService:        store.EndpointService,
+		ResourceControlService: store.ResourceControlService,
+		VersionService:         store.VersionService,
+		CurrentDBVersion:       version,
+		store:                  store,
+	}
+}
+
+func (m *Migrator) Migrate() error {
+
+	// Portainer < 1.12
+	if m.CurrentDBVersion == 0 {
+		err := m.updateAdminUser()
+		if err != nil {
+			return err
+		}
+	}
+
+	err := m.VersionService.StoreDBVersion(portainer.DBVersion)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (m *Migrator) updateAdminUser() error {
+	u, err := m.UserService.UserByUsername("admin")
+	if err == nil {
+		admin := &portainer.User{
+			Username: "admin",
+			Password: u.Password,
+			Role:     portainer.AdministratorRole,
+		}
+		err = m.UserService.CreateUser(admin)
+		if err != nil {
+			return err
+		}
+		err = m.removeLegacyAdminUser()
+		if err != nil {
+			return err
+		}
+	} else if err != nil && err != portainer.ErrUserNotFound {
+		return err
+	}
+	return nil
+}
+
+func (m *Migrator) removeLegacyAdminUser() error {
+	return m.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(userBucketName))
+		err := bucket.Delete([]byte("admin"))
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
--- a/api/bolt/datastore.go
+++ b/api/bolt/datastore.go
@ -1,9 +1,12 @@
 package bolt

 import (
+	"log"
+	"os"
 	"time"

 	"github.com/boltdb/bolt"
+	"github.com/portainer/portainer"
 )

 // Store defines the implementation of portainer.DataStore using
@ -13,29 +16,49 @@ type Store struct {
 	Path string

 	// Services
-	UserService     *UserService
-	EndpointService *EndpointService
+	UserService            *UserService
+	EndpointService        *EndpointService
+	ResourceControlService *ResourceControlService
+	VersionService         *VersionService

-	db *bolt.DB
+	db                    *bolt.DB
+	checkForDataMigration bool
 }

 const (
-	databaseFileName         = "portainer.db"
-	userBucketName           = "users"
-	endpointBucketName       = "endpoints"
-	activeEndpointBucketName = "activeEndpoint"
+	databaseFileName                   = "portainer.db"
+	versionBucketName                  = "version"
+	userBucketName                     = "users"
+	endpointBucketName                 = "endpoints"
+	containerResourceControlBucketName = "containerResourceControl"
+	serviceResourceControlBucketName   = "serviceResourceControl"
+	volumeResourceControlBucketName    = "volumeResourceControl"
 )

 // NewStore initializes a new Store and the associated services
-func NewStore(storePath string) *Store {
+func NewStore(storePath string) (*Store, error) {
 	store := &Store{
-		Path:            storePath,
-		UserService:     &UserService{},
-		EndpointService: &EndpointService{},
+		Path:                   storePath,
+		UserService:            &UserService{},
+		EndpointService:        &EndpointService{},
+		ResourceControlService: &ResourceControlService{},
+		VersionService:         &VersionService{},
 	}
 	store.UserService.store = store
 	store.EndpointService.store = store
-	return store
+	store.ResourceControlService.store = store
+	store.VersionService.store = store
+
+	_, err := os.Stat(storePath)
+	if err != nil && os.IsNotExist(err) {
+		store.checkForDataMigration = false
+	} else if err != nil {
+		return nil, err
+	} else {
+		store.checkForDataMigration = true
+	}
+
+	return store, nil
 }

 // Open opens and initializes the BoltDB database.
@ -47,7 +70,11 @@ func (store *Store) Open() error {
 	}
 	store.db = db
 	return db.Update(func(tx *bolt.Tx) error {
-		_, err := tx.CreateBucketIfNotExists([]byte(userBucketName))
+		_, err := tx.CreateBucketIfNotExists([]byte(versionBucketName))
+		if err != nil {
+			return err
+		}
+		_, err = tx.CreateBucketIfNotExists([]byte(userBucketName))
 		if err != nil {
 			return err
 		}
@ -55,7 +82,15 @@ func (store *Store) Open() error {
 		if err != nil {
 			return err
 		}
-		_, err = tx.CreateBucketIfNotExists([]byte(activeEndpointBucketName))
+		_, err = tx.CreateBucketIfNotExists([]byte(containerResourceControlBucketName))
+		if err != nil {
+			return err
+		}
+		_, err = tx.CreateBucketIfNotExists([]byte(serviceResourceControlBucketName))
+		if err != nil {
+			return err
+		}
+		_, err = tx.CreateBucketIfNotExists([]byte(volumeResourceControlBucketName))
 		if err != nil {
 			return err
 		}
@ -70,3 +105,32 @@ func (store *Store) Close() error {
 	}
 	return nil
 }
+
+// MigrateData automatically migrate the data based on the DBVersion.
+func (store *Store) MigrateData() error {
+	if !store.checkForDataMigration {
+		err := store.VersionService.StoreDBVersion(portainer.DBVersion)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+
+	version, err := store.VersionService.DBVersion()
+	if err == portainer.ErrDBVersionNotFound {
+		version = 0
+	} else if err != nil {
+		return err
+	}
+
+	if version < portainer.DBVersion {
+		log.Printf("Migrating database from version %v to %v.\n", version, portainer.DBVersion)
+		migrator := NewMigrator(store, version)
+		err = migrator.Migrate()
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
--- a/api/bolt/endpoint_service.go
+++ b/api/bolt/endpoint_service.go
@ -12,10 +12,6 @@ type EndpointService struct {
 	store *Store
 }

-const (
-	activeEndpointID = 0
-)
-
 // Endpoint returns an endpoint by ID.
 func (service *EndpointService) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error) {
 	var data []byte
@ -138,62 +134,6 @@ func (service *EndpointService) DeleteEndpoint(ID portainer.EndpointID) error {
 	})
 }

-// GetActive returns the active endpoint.
-func (service *EndpointService) GetActive() (*portainer.Endpoint, error) {
-	var data []byte
-	err := service.store.db.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(activeEndpointBucketName))
-		value := bucket.Get(internal.Itob(activeEndpointID))
-		if value == nil {
-			return portainer.ErrEndpointNotFound
-		}
-
-		data = make([]byte, len(value))
-		copy(data, value)
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	var endpoint portainer.Endpoint
-	err = internal.UnmarshalEndpoint(data, &endpoint)
-	if err != nil {
-		return nil, err
-	}
-	return &endpoint, nil
-}
-
-// SetActive saves an endpoint as active.
-func (service *EndpointService) SetActive(endpoint *portainer.Endpoint) error {
-	return service.store.db.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(activeEndpointBucketName))
-
-		data, err := internal.MarshalEndpoint(endpoint)
-		if err != nil {
-			return err
-		}
-
-		err = bucket.Put(internal.Itob(activeEndpointID), data)
-		if err != nil {
-			return err
-		}
-		return nil
-	})
-}
-
-// DeleteActive deletes the active endpoint.
-func (service *EndpointService) DeleteActive() error {
-	return service.store.db.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(activeEndpointBucketName))
-		err := bucket.Delete(internal.Itob(activeEndpointID))
-		if err != nil {
-			return err
-		}
-		return nil
-	})
-}
-
 func marshalAndStoreEndpoint(endpoint *portainer.Endpoint, bucket *bolt.Bucket) error {
 	data, err := internal.MarshalEndpoint(endpoint)
 	if err != nil {
@ -210,6 +150,5 @@ func marshalAndStoreEndpoint(endpoint *portainer.Endpoint, bucket *bolt.Bucket)
 func storeNewEndpoint(endpoint *portainer.Endpoint, bucket *bolt.Bucket) error {
 	id, _ := bucket.NextSequence()
 	endpoint.ID = portainer.EndpointID(id)
-
 	return marshalAndStoreEndpoint(endpoint, bucket)
 }
--- a/api/bolt/internal/internal.go
+++ b/api/bolt/internal/internal.go
@ -27,6 +27,16 @@ func UnmarshalEndpoint(data []byte, endpoint *portainer.Endpoint) error {
 	return json.Unmarshal(data, endpoint)
 }

+// MarshalResourceControl encodes a resource control object to binary format.
+func MarshalResourceControl(rc *portainer.ResourceControl) ([]byte, error) {
+	return json.Marshal(rc)
+}
+
+// UnmarshalResourceControl decodes a resource control object from a binary data.
+func UnmarshalResourceControl(data []byte, rc *portainer.ResourceControl) error {
+	return json.Unmarshal(data, rc)
+}
+
 // Itob returns an 8-byte big endian representation of v.
 // This function is typically used for encoding integer IDs to byte slices
 // so that they can be used as BoltDB keys.
--- a/api/bolt/resourcecontrol_service.go
+++ b/api/bolt/resourcecontrol_service.go
@ -0,0 +1,110 @@
+package bolt
+
+import (
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+// ResourceControlService represents a service for managing resource controls.
+type ResourceControlService struct {
+	store *Store
+}
+
+func getBucketNameByResourceControlType(rcType portainer.ResourceControlType) string {
+	bucketName := containerResourceControlBucketName
+	if rcType == portainer.ServiceResourceControl {
+		bucketName = serviceResourceControlBucketName
+	} else if rcType == portainer.VolumeResourceControl {
+		bucketName = volumeResourceControlBucketName
+	}
+	return bucketName
+}
+
+// ResourceControl returns a resource control object by resource ID
+func (service *ResourceControlService) ResourceControl(resourceID string, rcType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
+	var data []byte
+	bucketName := getBucketNameByResourceControlType(rcType)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+		value := bucket.Get([]byte(resourceID))
+		if value == nil {
+			return nil
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	if data == nil {
+		return nil, nil
+	}
+
+	var rc portainer.ResourceControl
+	err = internal.UnmarshalResourceControl(data, &rc)
+	if err != nil {
+		return nil, err
+	}
+	return &rc, nil
+}
+
+// ResourceControls returns all resource control objects
+func (service *ResourceControlService) ResourceControls(rcType portainer.ResourceControlType) ([]portainer.ResourceControl, error) {
+	var rcs = make([]portainer.ResourceControl, 0)
+	bucketName := getBucketNameByResourceControlType(rcType)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var rc portainer.ResourceControl
+			err := internal.UnmarshalResourceControl(v, &rc)
+			if err != nil {
+				return err
+			}
+			rcs = append(rcs, rc)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return rcs, nil
+}
+
+// CreateResourceControl creates a new resource control
+func (service *ResourceControlService) CreateResourceControl(resourceID string, rc *portainer.ResourceControl, rcType portainer.ResourceControlType) error {
+	bucketName := getBucketNameByResourceControlType(rcType)
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+		data, err := internal.MarshalResourceControl(rc)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put([]byte(resourceID), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// DeleteResourceControl deletes a resource control object by resource ID
+func (service *ResourceControlService) DeleteResourceControl(resourceID string, rcType portainer.ResourceControlType) error {
+	bucketName := getBucketNameByResourceControlType(rcType)
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+		err := bucket.Delete([]byte(resourceID))
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
--- a/api/bolt/user_service.go
+++ b/api/bolt/user_service.go
@ -12,12 +12,12 @@ type UserService struct {
 	store *Store
 }

-// User returns a user by username.
-func (service *UserService) User(username string) (*portainer.User, error) {
+// User returns a user by ID
+func (service *UserService) User(ID portainer.UserID) (*portainer.User, error) {
 	var data []byte
 	err := service.store.db.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(userBucketName))
-		value := bucket.Get([]byte(username))
+		value := bucket.Get(internal.Itob(int(ID)))
 		if value == nil {
 			return portainer.ErrUserNotFound
 		}
@ -38,8 +38,88 @@ func (service *UserService) User(username string) (*portainer.User, error) {
 	return &user, nil
 }

+// UserByUsername returns a user by username.
+func (service *UserService) UserByUsername(username string) (*portainer.User, error) {
+	var user *portainer.User
+
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(userBucketName))
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var u portainer.User
+			err := internal.UnmarshalUser(v, &u)
+			if err != nil {
+				return err
+			}
+			if u.Username == username {
+				user = &u
+			}
+		}
+
+		if user == nil {
+			return portainer.ErrUserNotFound
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+// Users return an array containing all the users.
+func (service *UserService) Users() ([]portainer.User, error) {
+	var users = make([]portainer.User, 0)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(userBucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var user portainer.User
+			err := internal.UnmarshalUser(v, &user)
+			if err != nil {
+				return err
+			}
+			users = append(users, user)
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}
+
+// UsersByRole return an array containing all the users with the specified role.
+func (service *UserService) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
+	var users = make([]portainer.User, 0)
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(userBucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var user portainer.User
+			err := internal.UnmarshalUser(v, &user)
+			if err != nil {
+				return err
+			}
+			if user.Role == role {
+				users = append(users, user)
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}
+
 // UpdateUser saves a user.
-func (service *UserService) UpdateUser(user *portainer.User) error {
+func (service *UserService) UpdateUser(ID portainer.UserID, user *portainer.User) error {
 	data, err := internal.MarshalUser(user)
 	if err != nil {
 		return err
@ -47,7 +127,41 @@ func (service *UserService) UpdateUser(user *portainer.User) error {

 	return service.store.db.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(userBucketName))
-		err = bucket.Put([]byte(user.Username), data)
+		err = bucket.Put(internal.Itob(int(ID)), data)
+
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// CreateUser creates a new user.
+func (service *UserService) CreateUser(user *portainer.User) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(userBucketName))
+
+		id, _ := bucket.NextSequence()
+		user.ID = portainer.UserID(id)
+
+		data, err := internal.MarshalUser(user)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put(internal.Itob(int(user.ID)), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}
+
+// DeleteUser deletes a user.
+func (service *UserService) DeleteUser(ID portainer.UserID) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(userBucketName))
+		err := bucket.Delete(internal.Itob(int(ID)))
 		if err != nil {
 			return err
 		}
--- a/api/bolt/version_service.go
+++ b/api/bolt/version_service.go
@ -0,0 +1,58 @@
+package bolt
+
+import (
+	"strconv"
+
+	"github.com/portainer/portainer"
+
+	"github.com/boltdb/bolt"
+)
+
+// EndpointService represents a service for managing users.
+type VersionService struct {
+	store *Store
+}
+
+const (
+	DBVersionKey = "DB_VERSION"
+)
+
+// DBVersion the stored database version.
+func (service *VersionService) DBVersion() (int, error) {
+	var data []byte
+	err := service.store.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(versionBucketName))
+		value := bucket.Get([]byte(DBVersionKey))
+		if value == nil {
+			return portainer.ErrDBVersionNotFound
+		}
+
+		data = make([]byte, len(value))
+		copy(data, value)
+		return nil
+	})
+	if err != nil {
+		return 0, err
+	}
+
+	dbVersion, err := strconv.Atoi(string(data))
+	if err != nil {
+		return 0, err
+	}
+
+	return dbVersion, nil
+}
+
+// StoreDBVersion store the database version.
+func (service *VersionService) StoreDBVersion(version int) error {
+	return service.store.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(versionBucketName))
+
+		data := []byte(strconv.Itoa(version))
+		err := bucket.Put([]byte(DBVersionKey), data)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}