From a2d29df21bb820f442f7275131ac3072f75a914d Mon Sep 17 00:00:00 2001
From: Anthony Lapenna
Date: Mon, 27 May 2019 10:41:12 +1200
Subject: [PATCH] fix(rbac): add specific authorization for Storidge management
---
 api/bolt/init.go | 1 +
 api/http/handler/endpointproxy/handler.go | 2 +-
 api/http/handler/endpointproxy/proxy_storidge.go | 2 +-
 api/http/handler/handler.go | 2 +-
 api/portainer.go | 2 ++
 app/extensions/storidge/rest/storidge.js | 2 +-
 app/portainer/views/sidebar/sidebar.html | 10 +++++-----
 7 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/api/bolt/init.go b/api/bolt/init.go
index 81ee26dff..27e0b251b 100644
--- a/api/bolt/init.go
+++ b/api/bolt/init.go
@@ -164,6 +164,7 @@ func (store *Store) Init() error {
 portainer.OperationPortainerWebhookList: true,
 portainer.OperationPortainerWebhookCreate: true,
 portainer.OperationPortainerWebhookDelete: true,
+ portainer.OperationIntegrationStoridgeAdmin: true,
 portainer.EndpointResourcesAccess: true,
 },
 }
diff --git a/api/http/handler/endpointproxy/handler.go b/api/http/handler/endpointproxy/handler.go
index 7f0dec6b2..15a1101ba 100644
--- a/api/http/handler/endpointproxy/handler.go
+++ b/api/http/handler/endpointproxy/handler.go
@@ -26,7 +26,7 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 bouncer.RestrictedAccess(httperror.LoggerHandler(h.proxyRequestsToAzureAPI)))
 h.PathPrefix("/{id}/docker").Handler(
 bouncer.RestrictedAccess(httperror.LoggerHandler(h.proxyRequestsToDockerAPI)))
- h.PathPrefix("/{id}/extensions/storidge").Handler(
+ h.PathPrefix("/{id}/storidge").Handler(
 bouncer.RestrictedAccess(httperror.LoggerHandler(h.proxyRequestsToStoridgeAPI)))
 return h
 }
diff --git a/api/http/handler/endpointproxy/proxy_storidge.go b/api/http/handler/endpointproxy/proxy_storidge.go
index 465ebfb52..f2d2aacb1 100644
--- a/api/http/handler/endpointproxy/proxy_storidge.go
+++ b/api/http/handler/endpointproxy/proxy_storidge.go
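Review bot: The added `portainer.OperationIntegrationStoridgeAdmin: true` entry in `Store.Init()` (api/bolt/init.go) only affects role data written by this initialisation code, and no hunk in this patch updates role records that are already stored. If `Init` seeds this authorization map only on a fresh database, which cannot be confirmed from the hunk, upgraded installations would keep a role without the new authorization and its users would be refused on the Storidge routes. Confirm that a migration adds the key to persisted roles and record it next to the entry, for example `// existing databases receive this via migration <MIGRATION_ID>`. The map literal and the enclosing function both start outside the hunk.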
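Review bot: In `NewHandler` (api/http/handler/endpointproxy/handler.go) the renamed `/{id}/storidge` route is still wrapped in the same `bouncer.RestrictedAccess` call as the Docker and Azure proxies, and nothing visible in the patch ties it to `OperationIntegrationStoridgeAdmin`. Presumably the bouncer derives the required authorization from the request path elsewhere; if so, the check depends on this exact prefix and a later rename could drop it without any compile error. Once that is confirmed I would add a comment above the route, `// access requires portainer.OperationIntegrationStoridgeAdmin (resolved from the request path by the bouncer)`, and a handler test asserting that a user without the authorization is rejected on this prefix. The function starts outside the hunk.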
@@ -53,6 +53,6 @@ func (handler *Handler) proxyRequestsToStoridgeAPI(w http.ResponseWriter, r *htt } id := strconv.Itoa(endpointID) - http.StripPrefix("/"+id+"/extensions/storidge", proxy).ServeHTTP(w, r) + http.StripPrefix("/"+id+"/storidge", proxy).ServeHTTP(w, r) return nil } diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go index 4d867540b..9dc541641 100644 --- a/api/http/handler/handler.go +++ b/api/http/handler/handler.go @@ -71,7 +71,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { switch { case strings.Contains(r.URL.Path, "/docker/"): http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r) - case strings.Contains(r.URL.Path, "/extensions/storidge"): + case strings.Contains(r.URL.Path, "/storidge/"): http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r) case strings.Contains(r.URL.Path, "/azure/"): http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r) diff --git a/api/portainer.go b/api/portainer.go index 69a0ee124..ae13fdedf 100644 --- a/api/portainer.go +++ b/api/portainer.go @@ -1223,6 +1223,8 @@ const ( OperationPortainerWebhookCreate Authorization = "PortainerWebhookCreate" OperationPortainerWebhookDelete Authorization = "PortainerWebhookDelete" + OperationIntegrationStoridgeAdmin Authorization = "IntegrationStoridgeAdmin" + OperationDockerUndefined Authorization = "DockerUndefined" OperationDockerAgentUndefined Authorization = "DockerAgentUndefined" OperationPortainerUndefined Authorization = "PortainerUndefined" diff --git a/app/extensions/storidge/rest/storidge.js b/app/extensions/storidge/rest/storidge.js index bb6a36333..97655f875 100644 --- a/app/extensions/storidge/rest/storidge.js +++ b/app/extensions/storidge/rest/storidge.js 
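Review bot: The new dispatch case `strings.Contains(r.URL.Path, "/storidge/")` in `ServeHTTP` (api/http/handler/handler.go) requires a trailing slash, while the mux route `PathPrefix("/{id}/storidge")` and `http.StripPrefix("/"+id+"/storidge", proxy)` in the endpointproxy hunks do not, so `/api/endpoints/<id>/storidge` with nothing after it no longer reaches `EndpointProxyHandler` through this case. It is also a substring test, so a path that contains `/storidge/` at any depth and was not taken by an earlier case is sent to the proxy handler, and routing could disagree with whatever path-based authorization lookup the bouncer performs. A comment on the case, `// must stay in sync with the /{id}/storidge route in endpointproxy.NewHandler`, would record the coupling; matching on the path segment that follows the endpoint id would remove it. The switch continues outside the hunk.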
@@ -1,7 +1,7 @@ angular.module('extension.storidge') .factory('Storidge', ['$resource', 'API_ENDPOINT_ENDPOINTS', 'EndpointProvider', function StoridgeFactory($resource, API_ENDPOINT_ENDPOINTS, EndpointProvider) { 'use strict'; - return $resource(API_ENDPOINT_ENDPOINTS + '/:endpointId/extensions/storidge/:resource/:id/:action', { + return $resource(API_ENDPOINT_ENDPOINTS + '/:endpointId/storidge/:resource/:id/:action', { endpointId: EndpointProvider.endpointID }, { diff --git a/app/portainer/views/sidebar/sidebar.html b/app/portainer/views/sidebar/sidebar.html index 0f833f739..fcc624920 100644 --- a/app/portainer/views/sidebar/sidebar.html +++ b/app/portainer/views/sidebar/sidebar.html @@ -24,18 +24,18 @@ admin-access="!applicationState.application.authentication || isAdmin" offline-mode="endpointState.OfflineMode" > - -