revert(azure): revert removal (#3890)

* Revert "fix(sidebar): show docker sidebar when needed (#3852)" This reverts commit 59da17dde4. * Revert "refactor(azure): remove Azure ACI endpoint support (#3803)" This reverts commit 493de20540.
2025-07-24 07:49:41 +02:00 · 2020-06-09 05:43:32 +03:00 · 2020-06-09 05:43:32 +03:00 · b58c2facfe
commit b58c2facfe
parent 25ca036070
65 changed files with 1793 additions and 50 deletions
--- a/api/http/client/client.go
+++ b/api/http/client/client.go
@ -2,9 +2,12 @@ package client

 import (
 	"crypto/tls"
+	"encoding/json"
+	"fmt"
 	"io/ioutil"
 	"log"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"

@ -16,6 +19,55 @@ const (
 	defaultHTTPTimeout       = 5
 )

+// HTTPClient represents a client to send HTTP requests.
+type HTTPClient struct {
+	*http.Client
+}
+
+// NewHTTPClient is used to build a new HTTPClient.
+func NewHTTPClient() *HTTPClient {
+	return &HTTPClient{
+		&http.Client{
+			Timeout: time.Second * time.Duration(defaultHTTPTimeout),
+		},
+	}
+}
+
+// AzureAuthenticationResponse represents an Azure API authentication response.
+type AzureAuthenticationResponse struct {
+	AccessToken string `json:"access_token"`
+	ExpiresOn   string `json:"expires_on"`
+}
+
+// ExecuteAzureAuthenticationRequest is used to execute an authentication request
+// against the Azure API. It re-uses the same http.Client.
+func (client *HTTPClient) ExecuteAzureAuthenticationRequest(credentials *portainer.AzureCredentials) (*AzureAuthenticationResponse, error) {
+	loginURL := fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/token", credentials.TenantID)
+	params := url.Values{
+		"grant_type":    {"client_credentials"},
+		"client_id":     {credentials.ApplicationID},
+		"client_secret": {credentials.AuthenticationKey},
+		"resource":      {"https://management.azure.com/"},
+	}
+
+	response, err := client.PostForm(loginURL, params)
+	if err != nil {
+		return nil, err
+	}
+
+	if response.StatusCode != http.StatusOK {
+		return nil, portainer.ErrAzureInvalidCredentials
+	}
+
+	var token AzureAuthenticationResponse
+	err = json.NewDecoder(response.Body).Decode(&token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &token, nil
+}
+
 // Get executes a simple HTTP GET to the specified URL and returns
 // the content of the response body. Timeout can be specified via the timeout parameter,
 // will default to defaultHTTPTimeout if set to 0.
--- a/api/http/handler/endpointproxy/handler.go
+++ b/api/http/handler/endpointproxy/handler.go
@ -23,6 +23,8 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		Router:         mux.NewRouter(),
 		requestBouncer: bouncer,
 	}
+	h.PathPrefix("/{id}/azure").Handler(
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToAzureAPI)))
 	h.PathPrefix("/{id}/docker").Handler(
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToDockerAPI)))
 	h.PathPrefix("/{id}/storidge").Handler(
--- a/api/http/handler/endpointproxy/proxy_azure.go
+++ b/api/http/handler/endpointproxy/proxy_azure.go
@ -0,0 +1,43 @@
+package endpointproxy
+
+import (
+	"strconv"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/portainer/api"
+
+	"net/http"
+)
+
+func (handler *Handler) proxyRequestsToAzureAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint, false)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
+	}
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetEndpointProxy(endpoint)
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterEndpointProxy(endpoint)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create proxy", err}
+		}
+	}
+
+	id := strconv.Itoa(endpointID)
+	http.StripPrefix("/"+id+"/azure", proxy).ServeHTTP(w, r)
+	return nil
+}
--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@ -18,19 +18,22 @@ import (
 )

 type endpointCreatePayload struct {
-	Name                string
-	URL                 string
-	EndpointType        int
-	PublicURL           string
-	GroupID             int
-	TLS                 bool
-	TLSSkipVerify       bool
-	TLSSkipClientVerify bool
-	TLSCACertFile       []byte
-	TLSCertFile         []byte
-	TLSKeyFile          []byte
-	TagIDs              []portainer.TagID
-	EdgeCheckinInterval int
+	Name                   string
+	URL                    string
+	EndpointType           int
+	PublicURL              string
+	GroupID                int
+	TLS                    bool
+	TLSSkipVerify          bool
+	TLSSkipClientVerify    bool
+	TLSCACertFile          []byte
+	TLSCertFile            []byte
+	TLSKeyFile             []byte
+	AzureApplicationID     string
+	AzureTenantID          string
+	AzureAuthenticationKey string
+	TagIDs                 []portainer.TagID
+	EdgeCheckinInterval    int
 }

 func (payload *endpointCreatePayload) Validate(r *http.Request) error {
@ -42,7 +45,7 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {

 	endpointType, err := request.RetrieveNumericMultiPartFormValue(r, "EndpointType", false)
 	if err != nil || endpointType == 0 {
-		return portainer.Error("Invalid endpoint type value. Value must be one of: 1 (Docker environment), 2 (Agent environment) or 4 (Edge Agent environment)")
+		return portainer.Error("Invalid endpoint type value. Value must be one of: 1 (Docker environment), 2 (Agent environment), 3 (Azure environment) or 4 (Edge Agent environment)")
 	}
 	payload.EndpointType = endpointType

@ -94,14 +97,35 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 		}
 	}

-	endpointURL, err := request.RetrieveMultiPartFormValue(r, "URL", true)
-	if err != nil {
-		return portainer.Error("Invalid endpoint URL")
-	}
-	payload.URL = endpointURL
+	switch portainer.EndpointType(payload.EndpointType) {
+	case portainer.AzureEnvironment:
+		azureApplicationID, err := request.RetrieveMultiPartFormValue(r, "AzureApplicationID", false)
+		if err != nil {
+			return portainer.Error("Invalid Azure application ID")
+		}
+		payload.AzureApplicationID = azureApplicationID

-	publicURL, _ := request.RetrieveMultiPartFormValue(r, "PublicURL", true)
-	payload.PublicURL = publicURL
+		azureTenantID, err := request.RetrieveMultiPartFormValue(r, "AzureTenantID", false)
+		if err != nil {
+			return portainer.Error("Invalid Azure tenant ID")
+		}
+		payload.AzureTenantID = azureTenantID
+
+		azureAuthenticationKey, err := request.RetrieveMultiPartFormValue(r, "AzureAuthenticationKey", false)
+		if err != nil {
+			return portainer.Error("Invalid Azure authentication key")
+		}
+		payload.AzureAuthenticationKey = azureAuthenticationKey
+	default:
+		url, err := request.RetrieveMultiPartFormValue(r, "URL", true)
+		if err != nil {
+			return portainer.Error("Invalid endpoint URL")
+		}
+		payload.URL = url
+
+		publicURL, _ := request.RetrieveMultiPartFormValue(r, "PublicURL", true)
+		payload.PublicURL = publicURL
+	}

 	checkinInterval, _ := request.RetrieveNumericMultiPartFormValue(r, "CheckinInterval", true)
 	payload.EdgeCheckinInterval = checkinInterval
@ -158,7 +182,9 @@ func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *
 }

 func (handler *Handler) createEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
-	if portainer.EndpointType(payload.EndpointType) == portainer.EdgeAgentEnvironment {
+	if portainer.EndpointType(payload.EndpointType) == portainer.AzureEnvironment {
+		return handler.createAzureEndpoint(payload)
+	} else if portainer.EndpointType(payload.EndpointType) == portainer.EdgeAgentEnvironment {
 		return handler.createEdgeAgentEndpoint(payload)
 	}

@ -168,6 +194,44 @@ func (handler *Handler) createEndpoint(payload *endpointCreatePayload) (*portain
 	return handler.createUnsecuredEndpoint(payload)
 }

+func (handler *Handler) createAzureEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
+	credentials := portainer.AzureCredentials{
+		ApplicationID:     payload.AzureApplicationID,
+		TenantID:          payload.AzureTenantID,
+		AuthenticationKey: payload.AzureAuthenticationKey,
+	}
+
+	httpClient := client.NewHTTPClient()
+	_, err := httpClient.ExecuteAzureAuthenticationRequest(&credentials)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate against Azure", err}
+	}
+
+	endpointID := handler.DataStore.Endpoint().GetNextIdentifier()
+	endpoint := &portainer.Endpoint{
+		ID:                 portainer.EndpointID(endpointID),
+		Name:               payload.Name,
+		URL:                "https://management.azure.com",
+		Type:               portainer.AzureEnvironment,
+		GroupID:            portainer.EndpointGroupID(payload.GroupID),
+		PublicURL:          payload.PublicURL,
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		Extensions:         []portainer.EndpointExtension{},
+		AzureCredentials:   credentials,
+		TagIDs:             payload.TagIDs,
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.Snapshot{},
+	}
+
+	err = handler.saveEndpointAndUpdateAuthorizations(endpoint)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "An error occured while trying to create the endpoint", err}
+	}
+
+	return endpoint, nil
+}
+
 func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
 	endpointType := portainer.EdgeAgentEnvironment
 	endpointID := handler.DataStore.Endpoint().GetNextIdentifier()
--- a/api/http/handler/endpoints/endpoint_snapshot.go
+++ b/api/http/handler/endpoints/endpoint_snapshot.go
@ -23,6 +23,10 @@ func (handler *Handler) endpointSnapshot(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
 	}

+	if endpoint.Type == portainer.AzureEnvironment {
+		return &httperror.HandlerError{http.StatusBadRequest, "Snapshots not supported for Azure endpoints", err}
+	}
+
 	snapshot, snapshotError := handler.Snapshotter.CreateSnapshot(endpoint)

 	latestEndpointReference, err := handler.DataStore.Endpoint().Endpoint(endpoint.ID)
--- a/api/http/handler/endpoints/endpoint_snapshots.go
+++ b/api/http/handler/endpoints/endpoint_snapshots.go
@ -17,6 +17,10 @@ func (handler *Handler) endpointSnapshots(w http.ResponseWriter, r *http.Request
 	}

 	for _, endpoint := range endpoints {
+		if endpoint.Type == portainer.AzureEnvironment {
+			continue
+		}
+
 		snapshot, snapshotError := handler.Snapshotter.CreateSnapshot(&endpoint)

 		latestEndpointReference, err := handler.DataStore.Endpoint().Endpoint(endpoint.ID)
--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@ -9,21 +9,25 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/client"
 )

 type endpointUpdatePayload struct {
-	Name                *string
-	URL                 *string
-	PublicURL           *string
-	GroupID             *int
-	TLS                 *bool
-	TLSSkipVerify       *bool
-	TLSSkipClientVerify *bool
-	Status              *int
-	TagIDs              []portainer.TagID
-	UserAccessPolicies  portainer.UserAccessPolicies
-	TeamAccessPolicies  portainer.TeamAccessPolicies
-	EdgeCheckinInterval *int
+	Name                   *string
+	URL                    *string
+	PublicURL              *string
+	GroupID                *int
+	TLS                    *bool
+	TLSSkipVerify          *bool
+	TLSSkipClientVerify    *bool
+	Status                 *int
+	AzureApplicationID     *string
+	AzureTenantID          *string
+	AzureAuthenticationKey *string
+	TagIDs                 []portainer.TagID
+	UserAccessPolicies     portainer.UserAccessPolicies
+	TeamAccessPolicies     portainer.TeamAccessPolicies
+	EdgeCheckinInterval    *int
 }

 func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
@ -138,6 +142,26 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

+	if endpoint.Type == portainer.AzureEnvironment {
+		credentials := endpoint.AzureCredentials
+		if payload.AzureApplicationID != nil {
+			credentials.ApplicationID = *payload.AzureApplicationID
+		}
+		if payload.AzureTenantID != nil {
+			credentials.TenantID = *payload.AzureTenantID
+		}
+		if payload.AzureAuthenticationKey != nil {
+			credentials.AuthenticationKey = *payload.AzureAuthenticationKey
+		}
+
+		httpClient := client.NewHTTPClient()
+		_, authErr := httpClient.ExecuteAzureAuthenticationRequest(&credentials)
+		if authErr != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate against Azure", authErr}
+		}
+		endpoint.AzureCredentials = credentials
+	}
+
 	if payload.TLS != nil {
 		folder := strconv.Itoa(endpointID)

@ -182,7 +206,7 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

-	if payload.URL != nil || payload.TLS != nil {
+	if payload.URL != nil || payload.TLS != nil || endpoint.Type == portainer.AzureEnvironment {
 		_, err = handler.ProxyManager.CreateAndRegisterEndpointProxy(endpoint)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to register HTTP proxy for the endpoint", err}
--- a/api/http/handler/endpoints/handler.go
+++ b/api/http/handler/endpoints/handler.go
@ -12,6 +12,7 @@ import (
 )

 func hideFields(endpoint *portainer.Endpoint) {
+	endpoint.AzureCredentials = portainer.AzureCredentials{}
 	if len(endpoint.Snapshots) > 0 {
 		endpoint.Snapshots[0].SnapshotRaw = portainer.SnapshotRaw{}
 	}
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@ -90,6 +90,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r)
 		case strings.Contains(r.URL.Path, "/storidge/"):
 			http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r)
+		case strings.Contains(r.URL.Path, "/azure/"):
+			http.StripPrefix("/api/endpoints", h.EndpointProxyHandler).ServeHTTP(w, r)
 		case strings.Contains(r.URL.Path, "/edge/"):
 			http.StripPrefix("/api/endpoints", h.EndpointEdgeHandler).ServeHTTP(w, r)
 		default:
--- a/api/http/proxy/factory/azure.go
+++ b/api/http/proxy/factory/azure.go
@ -0,0 +1,20 @@
+package factory
+
+import (
+	"net/http"
+	"net/url"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/proxy/factory/azure"
+)
+
+func newAzureProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
+	remoteURL, err := url.Parse(azureAPIBaseURL)
+	if err != nil {
+		return nil, err
+	}
+
+	proxy := newSingleHostReverseProxyWithHostHeader(remoteURL)
+	proxy.Transport = azure.NewTransport(&endpoint.AzureCredentials)
+	return proxy, nil
+}
--- a/api/http/proxy/factory/azure/transport.go
+++ b/api/http/proxy/factory/azure/transport.go
@ -0,0 +1,80 @@
+package azure
+
+import (
+	"net/http"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/client"
+)
+
+type (
+	azureAPIToken struct {
+		value          string
+		expirationTime time.Time
+	}
+
+	Transport struct {
+		credentials *portainer.AzureCredentials
+		client      *client.HTTPClient
+		token       *azureAPIToken
+		mutex       sync.Mutex
+	}
+)
+
+// NewTransport returns a pointer to a new instance of Transport that implements the HTTP Transport
+// interface for proxying requests to the Azure API.
+func NewTransport(credentials *portainer.AzureCredentials) *Transport {
+	return &Transport{
+		credentials: credentials,
+		client:      client.NewHTTPClient(),
+	}
+}
+
+// RoundTrip is the implementation of the the http.RoundTripper interface
+func (transport *Transport) RoundTrip(request *http.Request) (*http.Response, error) {
+	err := transport.retrieveAuthenticationToken()
+	if err != nil {
+		return nil, err
+	}
+
+	request.Header.Set("Authorization", "Bearer "+transport.token.value)
+	return http.DefaultTransport.RoundTrip(request)
+}
+
+func (transport *Transport) authenticate() error {
+	token, err := transport.client.ExecuteAzureAuthenticationRequest(transport.credentials)
+	if err != nil {
+		return err
+	}
+
+	expiresOn, err := strconv.ParseInt(token.ExpiresOn, 10, 64)
+	if err != nil {
+		return err
+	}
+
+	transport.token = &azureAPIToken{
+		value:          token.AccessToken,
+		expirationTime: time.Unix(expiresOn, 0),
+	}
+
+	return nil
+}
+
+func (transport *Transport) retrieveAuthenticationToken() error {
+	transport.mutex.Lock()
+	defer transport.mutex.Unlock()
+
+	if transport.token == nil {
+		return transport.authenticate()
+	}
+
+	timeLimit := time.Now().Add(-5 * time.Minute)
+	if timeLimit.After(transport.token.expirationTime) {
+		return transport.authenticate()
+	}
+
+	return nil
+}
--- a/api/http/proxy/factory/factory.go
+++ b/api/http/proxy/factory/factory.go
@ -10,6 +10,8 @@ import (
 	"github.com/portainer/portainer/api/docker"
 )

+const azureAPIBaseURL = "https://management.azure.com"
+
 var extensionPorts = map[portainer.ExtensionID]string{
 	portainer.RegistryManagementExtension:  "7001",
 	portainer.OAuthAuthenticationExtension: "7002",
@ -69,6 +71,11 @@ func (factory *ProxyFactory) NewLegacyExtensionProxy(extensionAPIURL string) (ht

 // NewEndpointProxy returns a new reverse proxy (filesystem based or HTTP) to an endpoint API server
 func (factory *ProxyFactory) NewEndpointProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
+	switch endpoint.Type {
+	case portainer.AzureEnvironment:
+		return newAzureProxy(endpoint)
+	}
+
 	return factory.newDockerProxy(endpoint)
 }