feat(webhook) EE-2125 send registry auth haeder when update swarms service via webhook (#6220)

* feat(webhook) EE-2125 add some helpers to registry utils * feat(webhook) EE-2125 persist registryID when creating a webhook * feat(webhook) EE-2125 send registry auth header when executing a webhook * feat(webhook) EE-2125 send registryID to backend when creating a service with webhook * feat(webhook) EE-2125 use the initial registry ID to create webhook on editing service screen * feat(webhook) EE-2125 update webhook when update registry * feat(webhook) EE-2125 add endpoint of update webhook * feat(webhook) EE-2125 code cleanup * feat(webhook) EE-2125 fix a typo * feat(webhook) EE-2125 fix circle import issue with unit test Co-authored-by: Simon Meng <simon.meng@portainer.io>
2025-07-24 15:59:41 +02:00 · 2021-12-07 09:11:44 +13:00 · 2021-12-07 09:11:44 +13:00 · 98972dec0d
commit 98972dec0d
parent aa8fc52106
12 changed files with 254 additions and 8 deletions
--- a/api/http/handler/webhooks/handler.go
+++ b/api/http/handler/webhooks/handler.go
@ -24,6 +24,8 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	}
 	h.Handle("/webhooks",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.webhookCreate))).Methods(http.MethodPost)
+	h.Handle("/webhooks/{id}",
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.webhookUpdate))).Methods(http.MethodPut)
 	h.Handle("/webhooks",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.webhookList))).Methods(http.MethodGet)
 	h.Handle("/webhooks/{id}",
--- a/api/http/handler/webhooks/webhook_create.go
+++ b/api/http/handler/webhooks/webhook_create.go
@ -2,6 +2,8 @@ package webhooks

 import (
 	"errors"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/registryutils/access"
 	"net/http"

 	"github.com/asaskevich/govalidator"
@ -16,6 +18,7 @@ import (
 type webhookCreatePayload struct {
 	ResourceID  string
 	EndpointID  int
+	RegistryID portainer.RegistryID
 	WebhookType int
 }

@ -60,6 +63,20 @@ func (handler *Handler) webhookCreate(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusConflict, "A webhook for this resource already exists", errors.New("A webhook for this resource already exists")}
 	}

+	endpointID := portainer.EndpointID(payload.EndpointID)
+
+	if payload.RegistryID != 0 {
+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+		}
+
+		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, endpointID, payload.RegistryID)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusForbidden, "Permission deny to access registry", err}
+		}
+	}
+
 	token, err := uuid.NewV4()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Error creating unique token", err}
@ -68,7 +85,8 @@ func (handler *Handler) webhookCreate(w http.ResponseWriter, r *http.Request) *h
 	webhook = &portainer.Webhook{
 		Token:       token.String(),
 		ResourceID:  payload.ResourceID,
-		EndpointID:  portainer.EndpointID(payload.EndpointID),
+		EndpointID:  endpointID,
+		RegistryID:  payload.RegistryID,
 		WebhookType: portainer.WebhookType(payload.WebhookType),
 	}

--- a/api/http/handler/webhooks/webhook_execute.go
+++ b/api/http/handler/webhooks/webhook_execute.go
@ -3,6 +3,7 @@ package webhooks
 import (
 	"context"
 	"errors"
+	"github.com/portainer/portainer/api/internal/registryutils"
 	"net/http"
 	"strings"

@ -41,6 +42,7 @@ func (handler *Handler) webhookExecute(w http.ResponseWriter, r *http.Request) *

 	resourceID := webhook.ResourceID
 	endpointID := webhook.EndpointID
+	registryID := webhook.RegistryID
 	webhookType := webhook.WebhookType

 	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
@ -54,13 +56,19 @@ func (handler *Handler) webhookExecute(w http.ResponseWriter, r *http.Request) *

 	switch webhookType {
 	case portainer.ServiceWebhook:
-		return handler.executeServiceWebhook(w, endpoint, resourceID, imageTag)
+		return handler.executeServiceWebhook(w, endpoint, resourceID, registryID, imageTag)
 	default:
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unsupported webhook type", errors.New("Webhooks for this resource are not currently supported")}
 	}
 }

-func (handler *Handler) executeServiceWebhook(w http.ResponseWriter, endpoint *portainer.Endpoint, resourceID string, imageTag string) *httperror.HandlerError {
+func (handler *Handler) executeServiceWebhook(
+	w http.ResponseWriter,
+	endpoint *portainer.Endpoint,
+	resourceID string,
+	registryID portainer.RegistryID,
+	imageTag string,
+) *httperror.HandlerError {
 	dockerClient, err := handler.DockerClientFactory.CreateClient(endpoint, "")
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Error creating docker client", err}
@ -86,7 +94,26 @@ func (handler *Handler) executeServiceWebhook(w http.ResponseWriter, endpoint *p
 		service.Spec.TaskTemplate.ContainerSpec.Image = imageName
 	}

-	_, err = dockerClient.ServiceUpdate(context.Background(), resourceID, service.Version, service.Spec, dockertypes.ServiceUpdateOptions{QueryRegistry: true})
+	serviceUpdateOptions := dockertypes.ServiceUpdateOptions{
+		QueryRegistry: true,
+	}
+
+	if registryID != 0 {
+		registry, err := handler.DataStore.Registry().Registry(registryID)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Error getting registry", err}
+		}
+
+		if registry.Authentication {
+			registryutils.EnsureRegTokenValid(handler.DataStore, registry)
+			serviceUpdateOptions.EncodedRegistryAuth, err = registryutils.GetRegistryAuthHeader(registry)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Error getting registry auth header", err}
+			}
+		}
+	}
+
+	_, err = dockerClient.ServiceUpdate(context.Background(), resourceID, service.Version, service.Spec, serviceUpdateOptions)

 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Error updating service", err}
--- a/api/http/handler/webhooks/webhook_update.go
+++ b/api/http/handler/webhooks/webhook_update.go
@ -0,0 +1,76 @@
+package webhooks
+
+import (
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/registryutils/access"
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	bolterrors "github.com/portainer/portainer/api/bolt/errors"
+)
+
+type webhookUpdatePayload struct {
+	RegistryID portainer.RegistryID
+}
+
+func (payload *webhookUpdatePayload) Validate(r *http.Request) error {
+	return nil
+}
+
+// @summary Update a webhook
+// @description **Access policy**: authenticated
+// @security ApiKeyAuth
+// @security jwt
+// @tags webhooks
+// @accept json
+// @produce json
+// @param body body webhookUpdatePayload true "Webhook data"
+// @success 200 {object} portainer.Webhook
+// @failure 400
+// @failure 409
+// @failure 500
+// @router /webhooks/{id} [put]
+func (handler *Handler) webhookUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid webhook id", err}
+	}
+	webhookID := portainer.WebhookID(id)
+
+	var payload webhookUpdatePayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	webhook, err := handler.DataStore.Webhook().Webhook(webhookID)
+	if err == bolterrors.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a webhooks with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a webhooks with the specified identifier inside the database", err}
+	}
+
+	if payload.RegistryID != 0 {
+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+		}
+
+		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, webhook.EndpointID, payload.RegistryID)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusForbidden, "Permission deny to access registry", err}
+		}
+	}
+
+	webhook.RegistryID = payload.RegistryID
+
+	err = handler.DataStore.Webhook().UpdateWebhook(portainer.WebhookID(id), webhook)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the webhook inside the database", err}
+	}
+
+	return response.JSON(w, webhook)
+}