feat(webhook) EE-2125 send registry auth haeder when update swarms service via webhook (#6220)

* feat(webhook) EE-2125 add some helpers to registry utils

* feat(webhook) EE-2125 persist registryID when creating a webhook

* feat(webhook) EE-2125 send registry auth header when executing a webhook

* feat(webhook) EE-2125 send registryID to backend when creating a service with webhook

* feat(webhook) EE-2125 use the initial registry ID to create webhook on editing service screen

* feat(webhook) EE-2125 update webhook when update registry

* feat(webhook) EE-2125 add endpoint of update webhook

* feat(webhook) EE-2125 code cleanup

* feat(webhook) EE-2125 fix a typo

* feat(webhook) EE-2125 fix circle import issue with unit test

Co-authored-by: Simon Meng <simon.meng@portainer.io>

api/bolt/webhook/webhook.go

@@ -150,3 +150,9 @@ func (service *Service) CreateWebhook(webhook *portainer.Webhook) error {
 		return bucket.Put(internal.Itob(int(webhook.ID)), data)
 	})
 }
+
+// UpdateWebhook update a webhook.
+func (service *Service) UpdateWebhook(ID portainer.WebhookID, webhook *portainer.Webhook) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.connection, BucketName, identifier, webhook)
+}

api/http/handler/webhooks/handler.go

@@ -24,6 +24,8 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	}
 	h.Handle("/webhooks",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.webhookCreate))).Methods(http.MethodPost)
+	h.Handle("/webhooks/{id}",
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.webhookUpdate))).Methods(http.MethodPut)
 	h.Handle("/webhooks",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.webhookList))).Methods(http.MethodGet)
 	h.Handle("/webhooks/{id}",

api/http/handler/webhooks/webhook_create.go

@@ -2,6 +2,8 @@ package webhooks
 
 import (
 	"errors"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/registryutils/access"
 	"net/http"
 
 	"github.com/asaskevich/govalidator"
@@ -16,6 +18,7 @@ import (
 type webhookCreatePayload struct {
 	ResourceID  string
 	EndpointID  int
+	RegistryID portainer.RegistryID
 	WebhookType int
 }
 
@@ -60,6 +63,20 @@ func (handler *Handler) webhookCreate(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusConflict, "A webhook for this resource already exists", errors.New("A webhook for this resource already exists")}
 	}
 
+	endpointID := portainer.EndpointID(payload.EndpointID)
+
+	if payload.RegistryID != 0 {
+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+		}
+
+		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, endpointID, payload.RegistryID)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusForbidden, "Permission deny to access registry", err}
+		}
+	}
+
 	token, err := uuid.NewV4()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Error creating unique token", err}
@@ -68,7 +85,8 @@ func (handler *Handler) webhookCreate(w http.ResponseWriter, r *http.Request) *h
 	webhook = &portainer.Webhook{
 		Token:       token.String(),
 		ResourceID:  payload.ResourceID,
-		EndpointID:  portainer.EndpointID(payload.EndpointID),
+		EndpointID:  endpointID,
+		RegistryID:  payload.RegistryID,
 		WebhookType: portainer.WebhookType(payload.WebhookType),
 	}
 

api/http/handler/webhooks/webhook_execute.go

@@ -3,6 +3,7 @@ package webhooks
 import (
 	"context"
 	"errors"
+	"github.com/portainer/portainer/api/internal/registryutils"
 	"net/http"
 	"strings"
 
@@ -41,6 +42,7 @@ func (handler *Handler) webhookExecute(w http.ResponseWriter, r *http.Request) *
 
 	resourceID := webhook.ResourceID
 	endpointID := webhook.EndpointID
+	registryID := webhook.RegistryID
 	webhookType := webhook.WebhookType
 
 	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
@@ -54,13 +56,19 @@ func (handler *Handler) webhookExecute(w http.ResponseWriter, r *http.Request) *
 
 	switch webhookType {
 	case portainer.ServiceWebhook:
-		return handler.executeServiceWebhook(w, endpoint, resourceID, imageTag)
+		return handler.executeServiceWebhook(w, endpoint, resourceID, registryID, imageTag)
 	default:
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unsupported webhook type", errors.New("Webhooks for this resource are not currently supported")}
 	}
 }
 
-func (handler *Handler) executeServiceWebhook(w http.ResponseWriter, endpoint *portainer.Endpoint, resourceID string, imageTag string) *httperror.HandlerError {
+func (handler *Handler) executeServiceWebhook(
+	w http.ResponseWriter,
+	endpoint *portainer.Endpoint,
+	resourceID string,
+	registryID portainer.RegistryID,
+	imageTag string,
+) *httperror.HandlerError {
 	dockerClient, err := handler.DockerClientFactory.CreateClient(endpoint, "")
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Error creating docker client", err}
@@ -86,7 +94,26 @@ func (handler *Handler) executeServiceWebhook(w http.ResponseWriter, endpoint *p
 		service.Spec.TaskTemplate.ContainerSpec.Image = imageName
 	}
 
-	_, err = dockerClient.ServiceUpdate(context.Background(), resourceID, service.Version, service.Spec, dockertypes.ServiceUpdateOptions{QueryRegistry: true})
+	serviceUpdateOptions := dockertypes.ServiceUpdateOptions{
+		QueryRegistry: true,
+	}
+
+	if registryID != 0 {
+		registry, err := handler.DataStore.Registry().Registry(registryID)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Error getting registry", err}
+		}
+
+		if registry.Authentication {
+			registryutils.EnsureRegTokenValid(handler.DataStore, registry)
+			serviceUpdateOptions.EncodedRegistryAuth, err = registryutils.GetRegistryAuthHeader(registry)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Error getting registry auth header", err}
+			}
+		}
+	}
+
+	_, err = dockerClient.ServiceUpdate(context.Background(), resourceID, service.Version, service.Spec, serviceUpdateOptions)
 
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Error updating service", err}

api/http/handler/webhooks/webhook_update.go

@@ -0,0 +1,76 @@
+package webhooks
+
+import (
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/registryutils/access"
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	bolterrors "github.com/portainer/portainer/api/bolt/errors"
+)
+
+type webhookUpdatePayload struct {
+	RegistryID portainer.RegistryID
+}
+
+func (payload *webhookUpdatePayload) Validate(r *http.Request) error {
+	return nil
+}
+
+// @summary Update a webhook
+// @description **Access policy**: authenticated
+// @security ApiKeyAuth
+// @security jwt
+// @tags webhooks
+// @accept json
+// @produce json
+// @param body body webhookUpdatePayload true "Webhook data"
+// @success 200 {object} portainer.Webhook
+// @failure 400
+// @failure 409
+// @failure 500
+// @router /webhooks/{id} [put]
+func (handler *Handler) webhookUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid webhook id", err}
+	}
+	webhookID := portainer.WebhookID(id)
+
+	var payload webhookUpdatePayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	webhook, err := handler.DataStore.Webhook().Webhook(webhookID)
+	if err == bolterrors.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a webhooks with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a webhooks with the specified identifier inside the database", err}
+	}
+
+	if payload.RegistryID != 0 {
+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+		}
+
+		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, webhook.EndpointID, payload.RegistryID)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusForbidden, "Permission deny to access registry", err}
+		}
+	}
+
+	webhook.RegistryID = payload.RegistryID
+
+	err = handler.DataStore.Webhook().UpdateWebhook(portainer.WebhookID(id), webhook)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the webhook inside the database", err}
+	}
+
+	return response.JSON(w, webhook)
+}

api/internal/registryutils/access/access.go

@@ -0,0 +1,58 @@
+package access
+
+import (
+	"fmt"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/security"
+)
+
+func hasPermission(
+	dataStore portainer.DataStore,
+	userID portainer.UserID,
+	endpointID portainer.EndpointID,
+	registry *portainer.Registry,
+) (hasPermission bool, err error) {
+	user, err := dataStore.User().User(userID)
+	if err != nil {
+		return
+	}
+
+	if user.Role == portainer.AdministratorRole {
+		return true, err
+	}
+
+	teamMemberships, err := dataStore.TeamMembership().TeamMembershipsByUserID(userID)
+	if err != nil {
+		return
+	}
+
+	hasPermission = security.AuthorizedRegistryAccess(registry, user, teamMemberships, endpointID)
+
+	return
+}
+
+// GetAccessibleRegistry get the registry if the user has permission
+func GetAccessibleRegistry(
+	dataStore portainer.DataStore,
+	userID portainer.UserID,
+	endpointID portainer.EndpointID,
+	registryID portainer.RegistryID,
+) (registry *portainer.Registry, err error) {
+
+	registry, err = dataStore.Registry().Registry(registryID)
+	if err != nil {
+		return
+	}
+
+	hasPermission, err := hasPermission(dataStore, userID, endpointID, registry)
+	if err != nil {
+		return
+	}
+
+	if !hasPermission {
+		err = fmt.Errorf("user does not has permission to get the registry")
+		return nil, err
+	}
+
+	return
+}

api/internal/registryutils/auth_header.go

@@ -0,0 +1,36 @@
+package registryutils
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	portainer "github.com/portainer/portainer/api"
+)
+
+type (
+	authHeader struct {
+		Username      string `json:"username"`
+		Password      string `json:"password"`
+		ServerAddress string `json:"serveraddress"`
+	}
+)
+
+// GetRegistryAuthHeader generate the X-Registry-Auth header from registry
+func GetRegistryAuthHeader(registry *portainer.Registry) (header string, err error) {
+	authHeader := authHeader{
+		ServerAddress: registry.URL,
+	}
+
+	authHeader.Username, authHeader.Password, err = GetRegEffectiveCredential(registry)
+	if err != nil {
+		return
+	}
+
+	headerData, err := json.Marshal(authHeader)
+	if err != nil {
+		return
+	}
+
+	header = base64.StdEncoding.EncodeToString(headerData)
+
+	return
+}

api/portainer.go

@@ -1127,6 +1127,7 @@ type (
 		Token       string      `json:"Token"`
 		ResourceID  string      `json:"ResourceId"`
 		EndpointID  EndpointID  `json:"EndpointId"`
+		RegistryID  RegistryID  `json:"RegistryId"`
 		WebhookType WebhookType `json:"Type"`
 	}
 
@@ -1541,6 +1542,7 @@ type (
 		Webhooks() ([]Webhook, error)
 		Webhook(ID WebhookID) (*Webhook, error)
 		CreateWebhook(portainer *Webhook) error
+		UpdateWebhook(ID WebhookID, webhook *Webhook) error
 		WebhookByResourceID(resourceID string) (*Webhook, error)
 		WebhookByToken(token string) (*Webhook, error)
 		DeleteWebhook(serviceID WebhookID) error