Docker/portainer
Docker/portainer
1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-08-02 20:35:25 +02:00
Code Issues Releases Activity

feat(endpointgroups): implement support for transactions EE-5328 (#8944)

Browse source
This commit is contained in:
andres-portainer 2023-05-16 14:47:31 -03:00 committed by GitHub
parent 077046030d
commit d29b688eb9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 287 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

25
api/internal/authorization/endpint_role_with_override.go → api/internal/authorization/endpoint_role_with_override.go
View file

@ -1,9 +1,13 @@
package authorization
import portainer "github.com/portainer/portainer/api"
import (
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/dataservices"
)
// CleanNAPWithOverridePolicies Clean Namespace Access Policies with override policies
func (service *Service) CleanNAPWithOverridePolicies(
tx dataservices.DataStoreTx,
endpoint *portainer.Endpoint,
endpointGroup *portainer.EndpointGroup,
) error {
@ -21,10 +25,11 @@ func (service *Service) CleanNAPWithOverridePolicies(
for namespace, policy := range accessPolicies {
for teamID := range policy.TeamAccessPolicies {
access, err := service.getTeamEndpointAccessWithPolicies(teamID, endpoint, endpointGroup)
access, err := service.getTeamEndpointAccessWithPolicies(tx, teamID, endpoint, endpointGroup)
if err != nil {
return err
}
if !access {
delete(accessPolicies[namespace].TeamAccessPolicies, teamID)
hasChange = true
@ -32,10 +37,11 @@ func (service *Service) CleanNAPWithOverridePolicies(
}
for userID := range policy.UserAccessPolicies {
access, err := service.getUserEndpointAccessWithPolicies(userID, endpoint, endpointGroup)
access, err := service.getUserEndpointAccessWithPolicies(tx, userID, endpoint, endpointGroup)
if err != nil {
return err
}
if !access {
delete(accessPolicies[namespace].UserAccessPolicies, userID)
hasChange = true
@ -51,27 +57,28 @@ func (service *Service) CleanNAPWithOverridePolicies(
}
func (service *Service) getUserEndpointAccessWithPolicies(
tx dataservices.DataStoreTx,
userID portainer.UserID,
endpoint *portainer.Endpoint,
endpointGroup *portainer.EndpointGroup,
) (bool, error) {
memberships, err := service.dataStore.TeamMembership().TeamMembershipsByUserID(userID)
memberships, err := tx.TeamMembership().TeamMembershipsByUserID(userID)
if err != nil {
return false, err
}
if endpointGroup == nil {
endpointGroup, err = service.dataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
endpointGroup, err = tx.EndpointGroup().EndpointGroup(endpoint.GroupID)
if err != nil {
return false, err
}
}
if userAccess(userID, endpoint.UserAccessPolicies, endpoint.TeamAccessPolicies, memberships) {
if userAccess(tx, userID, endpoint.UserAccessPolicies, endpoint.TeamAccessPolicies, memberships) {
return true, nil
}
if userAccess(userID, endpointGroup.UserAccessPolicies, endpointGroup.TeamAccessPolicies, memberships) {
if userAccess(tx, userID, endpointGroup.UserAccessPolicies, endpointGroup.TeamAccessPolicies, memberships) {
return true, nil
}
@ -80,6 +87,7 @@ func (service *Service) getUserEndpointAccessWithPolicies(
}
func userAccess(
tx dataservices.DataStoreTx,
userID portainer.UserID,
userAccessPolicies portainer.UserAccessPolicies,
teamAccessPolicies portainer.TeamAccessPolicies,
@ -99,13 +107,14 @@ func userAccess(
}
func (service *Service) getTeamEndpointAccessWithPolicies(
tx dataservices.DataStoreTx,
teamID portainer.TeamID,
endpoint *portainer.Endpoint,
endpointGroup *portainer.EndpointGroup,
) (bool, error) {
if endpointGroup == nil {
var err error
endpointGroup, err = service.dataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
endpointGroup, err = tx.EndpointGroup().EndpointGroup(endpoint.GroupID)
if err != nil {
return false, err
}