feat(stacks): support compose v2.0 stack (#1963)

2025-07-19 13:29:41 +02:00 · 2018-06-11 15:13:19 +02:00 · 2018-06-11 15:13:19 +02:00 · e3d564325b
commit e3d564325b
parent ef15cd30eb
174 changed files with 7898 additions and 5849 deletions
--- a/api/http/handler/endpointproxy/handler.go
+++ b/api/http/handler/endpointproxy/handler.go
@ -0,0 +1,50 @@
+package endpointproxy
+
+import (
+	"github.com/gorilla/mux"
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/proxy"
+	"github.com/portainer/portainer/http/security"
+)
+
+// Handler is the HTTP handler used to proxy requests to external APIs.
+type Handler struct {
+	*mux.Router
+	EndpointService       portainer.EndpointService
+	EndpointGroupService  portainer.EndpointGroupService
+	TeamMembershipService portainer.TeamMembershipService
+	ProxyManager          *proxy.Manager
+}
+
+// NewHandler creates a handler to proxy requests to external APIs.
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
+	h := &Handler{
+		Router: mux.NewRouter(),
+	}
+	h.PathPrefix("/{id}/azure").Handler(
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToAzureAPI)))
+	h.PathPrefix("/{id}/docker").Handler(
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToDockerAPI)))
+	h.PathPrefix("/{id}/extensions/storidge").Handler(
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToStoridgeAPI)))
+	return h
+}
+
+func (handler *Handler) checkEndpointAccess(endpoint *portainer.Endpoint, userID portainer.UserID) error {
+	memberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(userID)
+	if err != nil {
+		return err
+	}
+
+	group, err := handler.EndpointGroupService.EndpointGroup(endpoint.GroupID)
+	if err != nil {
+		return err
+	}
+
+	if !security.AuthorizedEndpointAccess(endpoint, group, userID, memberships) {
+		return portainer.ErrEndpointAccessDenied
+	}
+
+	return nil
+}
--- a/api/http/handler/endpointproxy/proxy_azure.go
+++ b/api/http/handler/endpointproxy/proxy_azure.go
@ -0,0 +1,53 @@
+package endpointproxy
+
+import (
+	"strconv"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/security"
+
+	"net/http"
+)
+
+func (handler *Handler) proxyRequestsToAzureAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		err = handler.checkEndpointAccess(endpoint, tokenData.ID)
+		if err != nil && err == portainer.ErrEndpointAccessDenied {
+			return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
+		} else if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify permission to access endpoint", err}
+		}
+	}
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetProxy(string(endpointID))
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create proxy", err}
+		}
+	}
+
+	id := strconv.Itoa(endpointID)
+	http.StripPrefix("/"+id+"/azure", proxy).ServeHTTP(w, r)
+	return nil
+}
--- a/api/http/handler/endpointproxy/proxy_docker.go
+++ b/api/http/handler/endpointproxy/proxy_docker.go
@ -0,0 +1,53 @@
+package endpointproxy
+
+import (
+	"strconv"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/security"
+
+	"net/http"
+)
+
+func (handler *Handler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		err = handler.checkEndpointAccess(endpoint, tokenData.ID)
+		if err != nil && err == portainer.ErrEndpointAccessDenied {
+			return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
+		} else if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify permission to access endpoint", err}
+		}
+	}
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetProxy(string(endpointID))
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create proxy", err}
+		}
+	}
+
+	id := strconv.Itoa(endpointID)
+	http.StripPrefix("/"+id+"/docker", proxy).ServeHTTP(w, r)
+	return nil
+}
--- a/api/http/handler/endpointproxy/proxy_storidge.go
+++ b/api/http/handler/endpointproxy/proxy_storidge.go
@ -0,0 +1,66 @@
+package endpointproxy
+
+import (
+	"strconv"
+
+	"github.com/portainer/portainer"
+	httperror "github.com/portainer/portainer/http/error"
+	"github.com/portainer/portainer/http/request"
+	"github.com/portainer/portainer/http/security"
+
+	"net/http"
+)
+
+func (handler *Handler) proxyRequestsToStoridgeAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrEndpointNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user authentication token", err}
+	}
+
+	if tokenData.Role != portainer.AdministratorRole {
+		err = handler.checkEndpointAccess(endpoint, tokenData.ID)
+		if err != nil && err == portainer.ErrEndpointAccessDenied {
+			return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", portainer.ErrEndpointAccessDenied}
+		} else if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify permission to access endpoint", err}
+		}
+	}
+
+	var storidgeExtension *portainer.EndpointExtension
+	for _, extension := range endpoint.Extensions {
+		if extension.Type == portainer.StoridgeEndpointExtension {
+			storidgeExtension = &extension
+		}
+	}
+
+	if storidgeExtension == nil {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Storidge extension not supported on this endpoint", portainer.ErrEndpointExtensionNotSupported}
+	}
+
+	proxyExtensionKey := string(endpoint.ID) + "_" + string(portainer.StoridgeEndpointExtension)
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetExtensionProxy(proxyExtensionKey)
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterExtensionProxy(proxyExtensionKey, storidgeExtension.URL)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create extension proxy", err}
+		}
+	}
+
+	id := strconv.Itoa(endpointID)
+	http.StripPrefix("/"+id+"/extensions/storidge", proxy).ServeHTTP(w, r)
+	return nil
+}