mirror of
https://github.com/portainer/portainer.git
synced 2025-07-22 23:09:41 +02:00
179df06267
* feat(app): rework private registries and support private registries in kubernetes [EE-30] feat(api): backport private registries backend changes (#5072) * feat(api/bolt): backport bolt changes * feat(api/exec): backport exec changes * feat(api/http): backport http/handler/dockerhub changes * feat(api/http): backport http/handler/endpoints changes * feat(api/http): backport http/handler/registries changes * feat(api/http): backport http/handler/stacks changes * feat(api/http): backport http/handler changes * feat(api/http): backport http/proxy/factory/azure changes * feat(api/http): backport http/proxy/factory/docker changes * feat(api/http): backport http/proxy/factory/utils changes * feat(api/http): backport http/proxy/factory/kubernetes changes * feat(api/http): backport http/proxy/factory changes * feat(api/http): backport http/security changes * feat(api/http): backport http changes * feat(api/internal): backport internal changes * feat(api): backport api changes * feat(api/kubernetes): backport kubernetes changes * fix(api/http): changes on backend following backport feat(app): backport private registries frontend changes (#5056) * feat(app/docker): backport docker/components changes * feat(app/docker): backport docker/helpers changes * feat(app/docker): backport docker/views/container changes * feat(app/docker): backport docker/views/images changes * feat(app/docker): backport docker/views/registries changes * feat(app/docker): backport docker/views/services changes * feat(app/docker): backport docker changes * feat(app/kubernetes): backport kubernetes/components changes * feat(app/kubernetes): backport kubernetes/converters changes * feat(app/kubernetes): backport kubernetes/models changes * feat(app/kubernetes): backport kubernetes/registries changes * feat(app/kubernetes): backport kubernetes/services changes * feat(app/kubernetes): backport kubernetes/views/applications changes * feat(app/kubernetes): backport kubernetes/views/configurations changes * feat(app/kubernetes): backport kubernetes/views/configure changes * feat(app/kubernetes): backport kubernetes/views/resource-pools changes * feat(app/kubernetes): backport kubernetes/views changes * feat(app/portainer): backport portainer/components/accessManagement changes * feat(app/portainer): backport portainer/components/datatables changes * feat(app/portainer): backport portainer/components/forms changes * feat(app/portainer): backport portainer/components/registry-details changes * feat(app/portainer): backport portainer/models changes * feat(app/portainer): backport portainer/rest changes * feat(app/portainer): backport portainer/services changes * feat(app/portainer): backport portainer/views changes * feat(app/portainer): backport portainer changes * feat(app): backport app changes * config(project): gitignore + jsconfig changes gitignore all files under api/cmd/portainer but main.go and enable Code Editor autocomplete on import ... from '@/...' fix(app): fix pull rate limit checker fix(app/registries): sidebar menus and registry accesses users filtering fix(api): add missing kube client factory fix(kube): fetch dockerhub pull limits (#5133) fix(app): pre review fixes (#5142) * fix(app/registries): remove checkbox for endpointRegistries view * fix(endpoints): allow access to default namespace * fix(docker): fetch pull limits * fix(kube/ns): show selected registries for non admin Co-authored-by: Chaim Lev-Ari <chiptus@gmail.com> chore(webpack): ignore missing sourcemaps fix(registries): fetch registry config from url feat(kube/registries): ignore not found when deleting secret feat(db): move migration to db 31 fix(registries): fix bugs in PR EE-869 (#5169) * fix(registries): hide role * fix(endpoints): set empty access policy to edge endpoint * fix(registry): remove double arguments * fix(admin): ignore warning * feat(kube/configurations): tag registry secrets (#5157) * feat(kube/configurations): tag registry secrets * feat(kube/secrets): show registry secrets for admins * fix(registries): move dockerhub to beginning * refactor(registries): use endpoint scoped registries feat(registries): filter by namespace if supplied feat(access-managment): filter users for registry (#5191) * refactor(access-manage): move users selector to component * feat(access-managment): filter users for registry refactor(registries): sync code with CE (#5200) * refactor(registry): add inspect handler under endpoints * refactor(endpoint): sync endpoint_registries_list * refactor(endpoints): sync registry_access * fix(db): rename migration functions * fix(registries): show accesses for admin * fix(kube): set token on transport * refactor(kube): move secret help to bottom * fix(kuberentes): remove shouldLog parameter * style(auth): add description of security.IsAdmin * feat(security): allow admin access to registry * feat(edge): connect to edge endpoint when creating client * style(portainer): change deprecation version * refactor(sidebar): hide manage * refactor(containers): revert changes * style(container): remove whitespace * fix(endpoint): add handler to registy on endpointService * refactor(image): use endpointService.registries * fix(kueb/namespaces): rename resource pool to namespace * fix(kube/namespace): move selected registries * fix(api/registries): hide accesses on registry creation Co-authored-by: LP B <xAt0mZ@users.noreply.github.com> refactor(api): remove code duplication after rebase fix(app/registries): replace last registry api usage by endpoint registry api fix(api/endpoints): update registry access policies on endpoint deletion (#5226) [EE-1027] fix(db): update db version * fix(dockerhub): fetch rate limits * fix(registry/tests): supply restricred context * fix(registries): show proget registry only when selected * fix(registry): create dockerhub registry * feat(db): move migrations to db 32 Co-authored-by: Chaim Lev-Ari <chiptus@gmail.com>
342 lines
14 KiB
Go
342 lines
14 KiB
Go
package docker
|
|
|
|
import (
|
|
"log"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/portainer/portainer/api/internal/stackutils"
|
|
|
|
"github.com/portainer/portainer/api/http/proxy/factory/utils"
|
|
"github.com/portainer/portainer/api/internal/authorization"
|
|
|
|
portainer "github.com/portainer/portainer/api"
|
|
)
|
|
|
|
const (
|
|
resourceLabelForPortainerTeamResourceControl = "io.portainer.accesscontrol.teams"
|
|
resourceLabelForPortainerUserResourceControl = "io.portainer.accesscontrol.users"
|
|
resourceLabelForPortainerPublicResourceControl = "io.portainer.accesscontrol.public"
|
|
resourceLabelForDockerSwarmStackName = "com.docker.stack.namespace"
|
|
resourceLabelForDockerServiceID = "com.docker.swarm.service.id"
|
|
resourceLabelForDockerComposeStackName = "com.docker.compose.project"
|
|
)
|
|
|
|
type (
|
|
resourceLabelsObjectSelector func(map[string]interface{}) map[string]interface{}
|
|
resourceOperationParameters struct {
|
|
resourceIdentifierAttribute string
|
|
resourceType portainer.ResourceControlType
|
|
labelsObjectSelector resourceLabelsObjectSelector
|
|
}
|
|
)
|
|
|
|
func getUniqueElements(items string) []string {
|
|
result := []string{}
|
|
seen := make(map[string]struct{})
|
|
for _, item := range strings.Split(items, ",") {
|
|
v := strings.TrimSpace(item)
|
|
if v == "" {
|
|
continue
|
|
}
|
|
if _, ok := seen[v]; !ok {
|
|
result = append(result, v)
|
|
seen[v] = struct{}{}
|
|
}
|
|
}
|
|
|
|
return result
|
|
}
|
|
|
|
func (transport *Transport) newResourceControlFromPortainerLabels(labelsObject map[string]interface{}, resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
|
|
if labelsObject[resourceLabelForPortainerPublicResourceControl] != nil {
|
|
resourceControl := authorization.NewPublicResourceControl(resourceID, resourceType)
|
|
|
|
err := transport.dataStore.ResourceControl().CreateResourceControl(resourceControl)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return resourceControl, nil
|
|
}
|
|
|
|
teamNames := make([]string, 0)
|
|
userNames := make([]string, 0)
|
|
if labelsObject[resourceLabelForPortainerTeamResourceControl] != nil {
|
|
concatenatedTeamNames := labelsObject[resourceLabelForPortainerTeamResourceControl].(string)
|
|
teamNames = getUniqueElements(concatenatedTeamNames)
|
|
}
|
|
|
|
if labelsObject[resourceLabelForPortainerUserResourceControl] != nil {
|
|
concatenatedUserNames := labelsObject[resourceLabelForPortainerUserResourceControl].(string)
|
|
userNames = getUniqueElements(concatenatedUserNames)
|
|
}
|
|
|
|
if len(teamNames) > 0 || len(userNames) > 0 {
|
|
teamIDs := make([]portainer.TeamID, 0)
|
|
userIDs := make([]portainer.UserID, 0)
|
|
|
|
for _, name := range teamNames {
|
|
team, err := transport.dataStore.Team().TeamByName(name)
|
|
if err != nil {
|
|
log.Printf("[WARN] [http,proxy,docker] [message: unknown team name in access control label, ignoring access control rule for this team] [name: %s] [resource_id: %s]", name, resourceID)
|
|
continue
|
|
}
|
|
|
|
teamIDs = append(teamIDs, team.ID)
|
|
}
|
|
|
|
for _, name := range userNames {
|
|
user, err := transport.dataStore.User().UserByUsername(name)
|
|
if err != nil {
|
|
log.Printf("[WARN] [http,proxy,docker] [message: unknown user name in access control label, ignoring access control rule for this user] [name: %s] [resource_id: %s]", name, resourceID)
|
|
continue
|
|
}
|
|
|
|
userIDs = append(userIDs, user.ID)
|
|
}
|
|
|
|
resourceControl := authorization.NewRestrictedResourceControl(resourceID, resourceType, userIDs, teamIDs)
|
|
|
|
err := transport.dataStore.ResourceControl().CreateResourceControl(resourceControl)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return resourceControl, nil
|
|
}
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
func (transport *Transport) createPrivateResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType, userID portainer.UserID) (*portainer.ResourceControl, error) {
|
|
resourceControl := authorization.NewPrivateResourceControl(resourceIdentifier, resourceType, userID)
|
|
|
|
err := transport.dataStore.ResourceControl().CreateResourceControl(resourceControl)
|
|
if err != nil {
|
|
log.Printf("[ERROR] [http,proxy,docker,transport] [message: unable to persist resource control] [resource: %s] [err: %s]", resourceIdentifier, err)
|
|
return nil, err
|
|
}
|
|
|
|
return resourceControl, nil
|
|
}
|
|
|
|
func (transport *Transport) getInheritedResourceControlFromServiceOrStack(resourceIdentifier, nodeName string, resourceType portainer.ResourceControlType, resourceControls []portainer.ResourceControl) (*portainer.ResourceControl, error) {
|
|
client := transport.dockerClient
|
|
|
|
if nodeName != "" {
|
|
dockerClient, err := transport.dockerClientFactory.CreateClient(transport.endpoint, nodeName)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer dockerClient.Close()
|
|
|
|
client = dockerClient
|
|
}
|
|
|
|
switch resourceType {
|
|
case portainer.ContainerResourceControl:
|
|
return getInheritedResourceControlFromContainerLabels(client, transport.endpoint.ID, resourceIdentifier, resourceControls)
|
|
case portainer.NetworkResourceControl:
|
|
return getInheritedResourceControlFromNetworkLabels(client, transport.endpoint.ID, resourceIdentifier, resourceControls)
|
|
case portainer.VolumeResourceControl:
|
|
return getInheritedResourceControlFromVolumeLabels(client, transport.endpoint.ID, resourceIdentifier, resourceControls)
|
|
case portainer.ServiceResourceControl:
|
|
return getInheritedResourceControlFromServiceLabels(client, transport.endpoint.ID, resourceIdentifier, resourceControls)
|
|
case portainer.ConfigResourceControl:
|
|
return getInheritedResourceControlFromConfigLabels(client, transport.endpoint.ID, resourceIdentifier, resourceControls)
|
|
case portainer.SecretResourceControl:
|
|
return getInheritedResourceControlFromSecretLabels(client, transport.endpoint.ID, resourceIdentifier, resourceControls)
|
|
}
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
func (transport *Transport) applyAccessControlOnResource(parameters *resourceOperationParameters, responseObject map[string]interface{}, response *http.Response, executor *operationExecutor) error {
|
|
if responseObject[parameters.resourceIdentifierAttribute] == nil {
|
|
log.Printf("[WARN] [message: unable to find resource identifier property in resource object] [identifier_attribute: %s]", parameters.resourceIdentifierAttribute)
|
|
return nil
|
|
}
|
|
|
|
if parameters.resourceType == portainer.NetworkResourceControl {
|
|
systemResourceControl := findSystemNetworkResourceControl(responseObject)
|
|
if systemResourceControl != nil {
|
|
responseObject = decorateObject(responseObject, systemResourceControl)
|
|
return utils.RewriteResponse(response, responseObject, http.StatusOK)
|
|
}
|
|
}
|
|
|
|
resourceIdentifier := responseObject[parameters.resourceIdentifierAttribute].(string)
|
|
resourceLabelsObject := parameters.labelsObjectSelector(responseObject)
|
|
|
|
resourceControl, err := transport.findResourceControl(resourceIdentifier, parameters.resourceType, resourceLabelsObject, executor.operationContext.resourceControls)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if resourceControl == nil && (executor.operationContext.isAdmin) {
|
|
return utils.RewriteResponse(response, responseObject, http.StatusOK)
|
|
}
|
|
|
|
if executor.operationContext.isAdmin || (resourceControl != nil && authorization.UserCanAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl)) {
|
|
responseObject = decorateObject(responseObject, resourceControl)
|
|
return utils.RewriteResponse(response, responseObject, http.StatusOK)
|
|
}
|
|
|
|
return utils.RewriteAccessDeniedResponse(response)
|
|
}
|
|
|
|
func (transport *Transport) applyAccessControlOnResourceList(parameters *resourceOperationParameters, resourceData []interface{}, executor *operationExecutor) ([]interface{}, error) {
|
|
if executor.operationContext.isAdmin {
|
|
return transport.decorateResourceList(parameters, resourceData, executor.operationContext.resourceControls)
|
|
}
|
|
|
|
return transport.filterResourceList(parameters, resourceData, executor.operationContext)
|
|
}
|
|
|
|
func (transport *Transport) decorateResourceList(parameters *resourceOperationParameters, resourceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
|
|
decoratedResourceData := make([]interface{}, 0)
|
|
|
|
for _, resource := range resourceData {
|
|
resourceObject := resource.(map[string]interface{})
|
|
|
|
if resourceObject[parameters.resourceIdentifierAttribute] == nil {
|
|
log.Printf("[WARN] [http,proxy,docker,decorate] [message: unable to find resource identifier property in resource list element] [identifier_attribute: %s]", parameters.resourceIdentifierAttribute)
|
|
continue
|
|
}
|
|
|
|
if parameters.resourceType == portainer.NetworkResourceControl {
|
|
systemResourceControl := findSystemNetworkResourceControl(resourceObject)
|
|
if systemResourceControl != nil {
|
|
resourceObject = decorateObject(resourceObject, systemResourceControl)
|
|
decoratedResourceData = append(decoratedResourceData, resourceObject)
|
|
continue
|
|
}
|
|
}
|
|
|
|
resourceIdentifier := resourceObject[parameters.resourceIdentifierAttribute].(string)
|
|
resourceLabelsObject := parameters.labelsObjectSelector(resourceObject)
|
|
|
|
resourceControl, err := transport.findResourceControl(resourceIdentifier, parameters.resourceType, resourceLabelsObject, resourceControls)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if resourceControl != nil {
|
|
resourceObject = decorateObject(resourceObject, resourceControl)
|
|
}
|
|
|
|
decoratedResourceData = append(decoratedResourceData, resourceObject)
|
|
}
|
|
|
|
return decoratedResourceData, nil
|
|
}
|
|
|
|
func (transport *Transport) filterResourceList(parameters *resourceOperationParameters, resourceData []interface{}, context *restrictedDockerOperationContext) ([]interface{}, error) {
|
|
filteredResourceData := make([]interface{}, 0)
|
|
|
|
for _, resource := range resourceData {
|
|
resourceObject := resource.(map[string]interface{})
|
|
if resourceObject[parameters.resourceIdentifierAttribute] == nil {
|
|
log.Printf("[WARN] [http,proxy,docker,filter] [message: unable to find resource identifier property in resource list element] [identifier_attribute: %s]", parameters.resourceIdentifierAttribute)
|
|
continue
|
|
}
|
|
|
|
resourceIdentifier := resourceObject[parameters.resourceIdentifierAttribute].(string)
|
|
resourceLabelsObject := parameters.labelsObjectSelector(resourceObject)
|
|
|
|
if parameters.resourceType == portainer.NetworkResourceControl {
|
|
systemResourceControl := findSystemNetworkResourceControl(resourceObject)
|
|
if systemResourceControl != nil {
|
|
resourceObject = decorateObject(resourceObject, systemResourceControl)
|
|
filteredResourceData = append(filteredResourceData, resourceObject)
|
|
continue
|
|
}
|
|
}
|
|
|
|
resourceControl, err := transport.findResourceControl(resourceIdentifier, parameters.resourceType, resourceLabelsObject, context.resourceControls)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if resourceControl == nil {
|
|
if context.isAdmin {
|
|
filteredResourceData = append(filteredResourceData, resourceObject)
|
|
}
|
|
continue
|
|
}
|
|
|
|
if context.isAdmin || authorization.UserCanAccessResource(context.userID, context.userTeamIDs, resourceControl) {
|
|
resourceObject = decorateObject(resourceObject, resourceControl)
|
|
filteredResourceData = append(filteredResourceData, resourceObject)
|
|
}
|
|
}
|
|
|
|
return filteredResourceData, nil
|
|
}
|
|
|
|
func (transport *Transport) findResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType, resourceLabelsObject map[string]interface{}, resourceControls []portainer.ResourceControl) (*portainer.ResourceControl, error) {
|
|
resourceControl := authorization.GetResourceControlByResourceIDAndType(resourceIdentifier, resourceType, resourceControls)
|
|
if resourceControl != nil {
|
|
return resourceControl, nil
|
|
}
|
|
|
|
if resourceLabelsObject != nil {
|
|
if resourceLabelsObject[resourceLabelForDockerServiceID] != nil {
|
|
inheritedServiceIdentifier := resourceLabelsObject[resourceLabelForDockerServiceID].(string)
|
|
resourceControl = authorization.GetResourceControlByResourceIDAndType(inheritedServiceIdentifier, portainer.ServiceResourceControl, resourceControls)
|
|
|
|
if resourceControl != nil {
|
|
return resourceControl, nil
|
|
}
|
|
}
|
|
|
|
if resourceLabelsObject[resourceLabelForDockerSwarmStackName] != nil {
|
|
stackName := resourceLabelsObject[resourceLabelForDockerSwarmStackName].(string)
|
|
stackResourceID := stackutils.ResourceControlID(transport.endpoint.ID, stackName)
|
|
resourceControl = authorization.GetResourceControlByResourceIDAndType(stackResourceID, portainer.StackResourceControl, resourceControls)
|
|
|
|
if resourceControl != nil {
|
|
return resourceControl, nil
|
|
}
|
|
}
|
|
|
|
if resourceLabelsObject[resourceLabelForDockerComposeStackName] != nil {
|
|
stackName := resourceLabelsObject[resourceLabelForDockerComposeStackName].(string)
|
|
stackResourceID := stackutils.ResourceControlID(transport.endpoint.ID, stackName)
|
|
resourceControl = authorization.GetResourceControlByResourceIDAndType(stackResourceID, portainer.StackResourceControl, resourceControls)
|
|
|
|
if resourceControl != nil {
|
|
return resourceControl, nil
|
|
}
|
|
}
|
|
|
|
return transport.newResourceControlFromPortainerLabels(resourceLabelsObject, resourceIdentifier, resourceType)
|
|
}
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
func getStackResourceIDFromLabels(resourceLabelsObject map[string]string, endpointID portainer.EndpointID) string {
|
|
if resourceLabelsObject[resourceLabelForDockerSwarmStackName] != "" {
|
|
stackName := resourceLabelsObject[resourceLabelForDockerSwarmStackName]
|
|
return stackutils.ResourceControlID(endpointID, stackName)
|
|
}
|
|
|
|
if resourceLabelsObject[resourceLabelForDockerComposeStackName] != "" {
|
|
stackName := resourceLabelsObject[resourceLabelForDockerComposeStackName]
|
|
return stackutils.ResourceControlID(endpointID, stackName)
|
|
}
|
|
|
|
return ""
|
|
}
|
|
|
|
func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
|
|
if object["Portainer"] == nil {
|
|
object["Portainer"] = make(map[string]interface{})
|
|
}
|
|
|
|
portainerMetadata := object["Portainer"].(map[string]interface{})
|
|
portainerMetadata["ResourceControl"] = resourceControl
|
|
return object
|
|
}
|