feat(settings): add settings management (#906)

2025-07-25 08:19:40 +02:00 · 2017-06-01 10:14:55 +02:00 · 2017-06-01 10:14:55 +02:00 · c7e306841a
commit c7e306841a
parent 5e74a3993b
93 changed files with 1086 additions and 457 deletions
--- a/api/http/proxy/containers.go
+++ b/api/http/proxy/containers.go
@ -15,7 +15,7 @@ const (

 // containerListOperation extracts the response as a JSON object, loop through the containers array
 // decorate and/or filter the containers based on resource controls before rewriting the response
-func containerListOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func containerListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
 	var err error
 	// ContainerList response is a JSON array
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
@ -24,22 +24,30 @@ func containerListOperation(request *http.Request, response *http.Response, oper
 		return err
 	}

-	if operationContext.isAdmin {
-		responseArray, err = decorateContainerList(responseArray, operationContext.resourceControls)
+	if executor.operationContext.isAdmin {
+		responseArray, err = decorateContainerList(responseArray, executor.operationContext.resourceControls)
 	} else {
-		responseArray, err = filterContainerList(responseArray, operationContext.resourceControls, operationContext.userID, operationContext.userTeamIDs)
+		responseArray, err = filterContainerList(responseArray, executor.operationContext.resourceControls,
+			executor.operationContext.userID, executor.operationContext.userTeamIDs)
 	}
 	if err != nil {
 		return err
 	}

+	if executor.labelBlackList != nil {
+		responseArray, err = filterContainersWithBlackListedLabels(responseArray, executor.labelBlackList)
+		if err != nil {
+			return err
+		}
+	}
+
 	return rewriteResponse(response, responseArray, http.StatusOK)
 }

 // containerInspectOperation extracts the response as a JSON object, verify that the user
 // has access to the container based on resource control (check are done based on the containerID and optional Swarm service ID)
 // and either rewrite an access denied response or a decorated container.
-func containerInspectOperation(request *http.Request, response *http.Response, operationContext *restrictedOperationContext) error {
+func containerInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
 	// ContainerInspect response is a JSON object
 	// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
 	responseObject, err := getResponseAsJSONOBject(response)
@ -52,9 +60,10 @@ func containerInspectOperation(request *http.Request, response *http.Response, o
 	}
 	containerID := responseObject[containerIdentifier].(string)

-	resourceControl := getResourceControlByResourceID(containerID, operationContext.resourceControls)
+	resourceControl := getResourceControlByResourceID(containerID, executor.operationContext.resourceControls)
 	if resourceControl != nil {
-		if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+		if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
+			executor.operationContext.userTeamIDs, resourceControl) {
 			responseObject = decorateObject(responseObject, resourceControl)
 		} else {
 			return rewriteAccessDeniedResponse(response)
@ -64,9 +73,10 @@ func containerInspectOperation(request *http.Request, response *http.Response, o
 	containerLabels := extractContainerLabelsFromContainerInspectObject(responseObject)
 	if containerLabels != nil && containerLabels[containerLabelForServiceIdentifier] != nil {
 		serviceID := containerLabels[containerLabelForServiceIdentifier].(string)
-		resourceControl := getResourceControlByResourceID(serviceID, operationContext.resourceControls)
+		resourceControl := getResourceControlByResourceID(serviceID, executor.operationContext.resourceControls)
 		if resourceControl != nil {
-			if operationContext.isAdmin || canUserAccessResource(operationContext.userID, operationContext.userTeamIDs, resourceControl) {
+			if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID,
+				executor.operationContext.userTeamIDs, resourceControl) {
 				responseObject = decorateObject(responseObject, resourceControl)
 			} else {
 				return rewriteAccessDeniedResponse(response)