mirror of
https://github.com/portainer/portainer.git
synced 2025-07-22 23:09:41 +02:00
12a512f01f
* feat(edge): fix webconsole and agent deployment command * feat(edge): display agent features when connected to IoT endpoint * feat(edge): add -e CAP_HOST_MANAGEMENT=1 to agent command * feat(edge): add -v /:/host and --name portainer_agent_iot to agent command * style(endpoint-creation): refactor IoT agent to Edge agent * refactor(api): rename AgentIoTEnvironment to AgentEdgeEnvironment * refactor(api): rename AgentIoTEnvironment to AgentEdgeEnvironment * feat(endpoint-creation): update Edge agent deployment instructions * feat(edge): wip edge * feat(edge): refactor key creation * feat(edge): update deployment instructions * feat(home): update Edge agent endpoint item * feat(edge): support dynamic ports * feat(edge): support sleep/wake and snapshots * feat(edge): support offline mode * feat(edge): host job support for Edge endpoints * feat(edge): introduce STANDBY state * feat(edge): update Edge agent deployment command * feat(edge): introduce EDGE_ID support * feat(edge): update default inactivity interval to 5min * feat(edge): reload Edge schedules after restart * fix(edge): fix execution of endpoint job against an Edge endpoint * fix(edge): fix minor issues with scheduling UI/UX * feat(edge): introduce EdgeSchedule version management * feat(edge): switch back to REQUIRED state from ACTIVE on error * refactor(edge): remove comment * feat(edge): updated tunnel status management * feat(edge): fix flickering UI when accessing Edge endpoint from home view * feat(edge): remove STANDBY status * fix(edge): fix an issue with console and Swarm endpoint * fix(edge): fix an issue with stack deployment * fix(edge): reset timer when applying active status * feat(edge): add background ping for Edge endpoints * fix(edge): fix infinite loading loop after Edge endpoint connection failure * fix(home): fix an issue with merge * feat(api): remove SnapshotRaw from EndpointList response * feat(api): add pagination for EndpointList operation * feat(api): rename last_id query parameter to start * feat(api): implement filter for EndpointList operation * fix(edge): prevent a pointer issue after removing an active Edge endpoint * feat(home): front - endpoint backend pagination (#2990) * feat(home): endpoint pagination with backend * feat(api): remove default limit value * fix(endpoints): fix a minor issue with column span * fix(endpointgroup-create): fix an issue with endpoint group creation * feat(app): minor loading optimizations * refactor(api): small refactor of EndpointList operation * fix(home): fix minor loading text display issue * refactor(api): document bolt services functions * feat(home): minor optimization * fix(api): replace seek with index scanning for EndpointPaginated * fix(api): fix invalid starting index issue * fix(api): first implementation of working filter * fix(home): endpoints list keeps backend pagination when it needs to * fix(api): endpoint pagination doesn't drop the first item on pages >=2 anymore * fix(home): UI flickering on page/filter load/change * feat(auth): login spinner * feat(api): support searching in associated endpoint group data * refactor(api): remove unused API endpoint * refactor(api): remove comment * refactor(api): refactor proxy manager * feat(api): declare EndpointList params as optional * feat(api): support groupID filter on endpoints route * feat(api): add new API operations endpointGroupAddEndpoint and endpointGroupDeleteEndpoint * feat(edge): new icon for Edge agent endpoint * fix(edge): fix missing exec quick action * fix(edge): add loading indicator when connecting to Edge endpoint * feat(edge): disable service webhooks for Edge endpoints * feat(endpoints): backend pagination for endpoints view (#3004) * feat(edge): dynamic loading for stack migration feature * feat(edge): wordwrap edge key * feat(endpoint-groups): backend pagination support for create and edit * feat(endpoint-groups): debounce on filter for create/edit views * feat(endpoint-groups): filter assigned on create view * (endpoint-groups): unassigned endpoints edit view * refactor(endpoint-groups): code clean * feat(endpoint-groups): remove message for Unassigned group * refactor(websocket): minor refactor associated to Edge agent * feat(endpoint-group): enable backend pagination (#3017) * feat(api): support groupID filter on endpoints route * feat(api): add new API operations endpointGroupAddEndpoint and endpointGroupDeleteEndpoint * feat(endpoint-groups): backend pagination support for create and edit * feat(endpoint-groups): debounce on filter for create/edit views * feat(endpoint-groups): filter assigned on create view * (endpoint-groups): unassigned endpoints edit view * refactor(endpoint-groups): code clean * feat(endpoint-groups): remove message for Unassigned group * refactor(api): endpoint group endpoint association refactor * refactor(api): rename files and remove comments * refactor(api): remove usage of utils * refactor(api): optional parameters * Merge branch 'feat-endpoint-backend-pagination' into edge # Conflicts: # api/bolt/endpoint/endpoint.go # api/http/handler/endpointgroups/endpointgroup_update.go # api/http/handler/endpointgroups/handler.go # api/http/handler/endpoints/endpoint_list.go # app/portainer/services/api/endpointService.js * fix(api): fix default tunnel server credentials * feat(api): update endpointListOperation behavior and parameters * fix(api): fix interface declaration * feat(edge): support configurable Edge agent checkin interval * feat(edge): support dynamic tunnel credentials * feat(edge): update Edge agent deployment commands * style(edge): update Edge agent settings text * refactor(edge): remove unused credentials management methods * feat(edge): associate a remote addr to tunnel credentials * style(edge): update Edge endpoint icon * feat(edge): support encrypted tunnel credentials * fix(edge): fix invalid pointer cast * feat(bolt): decode endpoints with jsoniter * feat(edge): persist reverse tunnel keyseed * refactor(edge): minor refactor * feat(edge): update chisel library usage * refactor(endpoint): use controller function * feat(api): database migration to DBVersion 19 * refactor(api): refactor AddSchedule function * refactor(schedules): remove comment * refactor(api): remove comment * refactor(api): remove comment * feat(api): tunnel manager now only manage Edge endpoints * refactor(api): clean-up and clarification of the Edge service * refactor(api): clean-up and clarification of the Edge service * fix(api): fix an issue with Edge agent snapshots * refactor(api): add missing comments * refactor(api): update constant description * style(home): remove loading text on error * feat(endpoint): remove 15s timeout for ping request * style(home): display information about associated Edge endpoints * feat(home): redirect to endpoint details on click on unassociated Edge endpoint * feat(settings): remove 60s Edge poll frequency option
519 lines
15 KiB
Go
519 lines
15 KiB
Go
package proxy
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"net/http"
|
|
"path"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/portainer/portainer/api"
|
|
"github.com/portainer/portainer/api/http/security"
|
|
)
|
|
|
|
var apiVersionRe = regexp.MustCompile(`(/v[0-9]\.[0-9]*)?`)
|
|
|
|
type (
|
|
proxyTransport struct {
|
|
dockerTransport *http.Transport
|
|
enableSignature bool
|
|
ResourceControlService portainer.ResourceControlService
|
|
TeamMembershipService portainer.TeamMembershipService
|
|
RegistryService portainer.RegistryService
|
|
DockerHubService portainer.DockerHubService
|
|
SettingsService portainer.SettingsService
|
|
SignatureService portainer.DigitalSignatureService
|
|
ReverseTunnelService portainer.ReverseTunnelService
|
|
endpointIdentifier portainer.EndpointID
|
|
endpointType portainer.EndpointType
|
|
}
|
|
restrictedDockerOperationContext struct {
|
|
isAdmin bool
|
|
endpointResourceAccess bool
|
|
userID portainer.UserID
|
|
userTeamIDs []portainer.TeamID
|
|
resourceControls []portainer.ResourceControl
|
|
}
|
|
registryAccessContext struct {
|
|
isAdmin bool
|
|
userID portainer.UserID
|
|
teamMemberships []portainer.TeamMembership
|
|
registries []portainer.Registry
|
|
dockerHub *portainer.DockerHub
|
|
}
|
|
registryAuthenticationHeader struct {
|
|
Username string `json:"username"`
|
|
Password string `json:"password"`
|
|
Serveraddress string `json:"serveraddress"`
|
|
}
|
|
operationExecutor struct {
|
|
operationContext *restrictedDockerOperationContext
|
|
labelBlackList []portainer.Pair
|
|
}
|
|
restrictedOperationRequest func(*http.Response, *operationExecutor) error
|
|
operationRequest func(*http.Request) error
|
|
)
|
|
|
|
func (p *proxyTransport) RoundTrip(request *http.Request) (*http.Response, error) {
|
|
return p.proxyDockerRequest(request)
|
|
}
|
|
|
|
func (p *proxyTransport) executeDockerRequest(request *http.Request) (*http.Response, error) {
|
|
response, err := p.dockerTransport.RoundTrip(request)
|
|
|
|
if p.endpointType != portainer.EdgeAgentEnvironment {
|
|
return response, err
|
|
}
|
|
|
|
if err == nil {
|
|
p.ReverseTunnelService.SetTunnelStatusToActive(p.endpointIdentifier)
|
|
} else {
|
|
p.ReverseTunnelService.SetTunnelStatusToIdle(p.endpointIdentifier)
|
|
}
|
|
|
|
return response, err
|
|
}
|
|
|
|
func (p *proxyTransport) proxyDockerRequest(request *http.Request) (*http.Response, error) {
|
|
path := apiVersionRe.ReplaceAllString(request.URL.Path, "")
|
|
request.URL.Path = path
|
|
|
|
if p.enableSignature {
|
|
signature, err := p.SignatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
request.Header.Set(portainer.PortainerAgentPublicKeyHeader, p.SignatureService.EncodedPublicKey())
|
|
request.Header.Set(portainer.PortainerAgentSignatureHeader, signature)
|
|
}
|
|
|
|
switch {
|
|
case strings.HasPrefix(path, "/configs"):
|
|
return p.proxyConfigRequest(request)
|
|
case strings.HasPrefix(path, "/containers"):
|
|
return p.proxyContainerRequest(request)
|
|
case strings.HasPrefix(path, "/services"):
|
|
return p.proxyServiceRequest(request)
|
|
case strings.HasPrefix(path, "/volumes"):
|
|
return p.proxyVolumeRequest(request)
|
|
case strings.HasPrefix(path, "/networks"):
|
|
return p.proxyNetworkRequest(request)
|
|
case strings.HasPrefix(path, "/secrets"):
|
|
return p.proxySecretRequest(request)
|
|
case strings.HasPrefix(path, "/swarm"):
|
|
return p.proxySwarmRequest(request)
|
|
case strings.HasPrefix(path, "/nodes"):
|
|
return p.proxyNodeRequest(request)
|
|
case strings.HasPrefix(path, "/tasks"):
|
|
return p.proxyTaskRequest(request)
|
|
case strings.HasPrefix(path, "/build"):
|
|
return p.proxyBuildRequest(request)
|
|
case strings.HasPrefix(path, "/images"):
|
|
return p.proxyImageRequest(request)
|
|
default:
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) proxyConfigRequest(request *http.Request) (*http.Response, error) {
|
|
switch requestPath := request.URL.Path; requestPath {
|
|
case "/configs/create":
|
|
return p.executeDockerRequest(request)
|
|
|
|
case "/configs":
|
|
return p.rewriteOperation(request, configListOperation)
|
|
|
|
default:
|
|
// assume /configs/{id}
|
|
if request.Method == http.MethodGet {
|
|
return p.rewriteOperation(request, configInspectOperation)
|
|
}
|
|
configID := path.Base(requestPath)
|
|
return p.restrictedOperation(request, configID)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) proxyContainerRequest(request *http.Request) (*http.Response, error) {
|
|
switch requestPath := request.URL.Path; requestPath {
|
|
case "/containers/create":
|
|
return p.executeDockerRequest(request)
|
|
|
|
case "/containers/prune":
|
|
return p.administratorOperation(request)
|
|
|
|
case "/containers/json":
|
|
return p.rewriteOperationWithLabelFiltering(request, containerListOperation)
|
|
|
|
default:
|
|
// This section assumes /containers/**
|
|
if match, _ := path.Match("/containers/*/*", requestPath); match {
|
|
// Handle /containers/{id}/{action} requests
|
|
containerID := path.Base(path.Dir(requestPath))
|
|
action := path.Base(requestPath)
|
|
|
|
if action == "json" {
|
|
return p.rewriteOperation(request, containerInspectOperation)
|
|
}
|
|
return p.restrictedOperation(request, containerID)
|
|
} else if match, _ := path.Match("/containers/*", requestPath); match {
|
|
// Handle /containers/{id} requests
|
|
containerID := path.Base(requestPath)
|
|
return p.restrictedOperation(request, containerID)
|
|
}
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) proxyServiceRequest(request *http.Request) (*http.Response, error) {
|
|
switch requestPath := request.URL.Path; requestPath {
|
|
case "/services/create":
|
|
return p.replaceRegistryAuthenticationHeader(request)
|
|
|
|
case "/services":
|
|
return p.rewriteOperation(request, serviceListOperation)
|
|
|
|
default:
|
|
// This section assumes /services/**
|
|
if match, _ := path.Match("/services/*/*", requestPath); match {
|
|
// Handle /services/{id}/{action} requests
|
|
serviceID := path.Base(path.Dir(requestPath))
|
|
return p.restrictedOperation(request, serviceID)
|
|
} else if match, _ := path.Match("/services/*", requestPath); match {
|
|
// Handle /services/{id} requests
|
|
serviceID := path.Base(requestPath)
|
|
|
|
if request.Method == http.MethodGet {
|
|
return p.rewriteOperation(request, serviceInspectOperation)
|
|
}
|
|
return p.restrictedOperation(request, serviceID)
|
|
}
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) proxyVolumeRequest(request *http.Request) (*http.Response, error) {
|
|
switch requestPath := request.URL.Path; requestPath {
|
|
case "/volumes/create":
|
|
return p.executeDockerRequest(request)
|
|
|
|
case "/volumes/prune":
|
|
return p.administratorOperation(request)
|
|
|
|
case "/volumes":
|
|
return p.rewriteOperation(request, volumeListOperation)
|
|
|
|
default:
|
|
// assume /volumes/{name}
|
|
if request.Method == http.MethodGet {
|
|
return p.rewriteOperation(request, volumeInspectOperation)
|
|
}
|
|
volumeID := path.Base(requestPath)
|
|
return p.restrictedOperation(request, volumeID)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) proxyNetworkRequest(request *http.Request) (*http.Response, error) {
|
|
switch requestPath := request.URL.Path; requestPath {
|
|
case "/networks/create":
|
|
return p.executeDockerRequest(request)
|
|
|
|
case "/networks":
|
|
return p.rewriteOperation(request, networkListOperation)
|
|
|
|
default:
|
|
// assume /networks/{id}
|
|
if request.Method == http.MethodGet {
|
|
return p.rewriteOperation(request, networkInspectOperation)
|
|
}
|
|
networkID := path.Base(requestPath)
|
|
return p.restrictedOperation(request, networkID)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) proxySecretRequest(request *http.Request) (*http.Response, error) {
|
|
switch requestPath := request.URL.Path; requestPath {
|
|
case "/secrets/create":
|
|
return p.executeDockerRequest(request)
|
|
|
|
case "/secrets":
|
|
return p.rewriteOperation(request, secretListOperation)
|
|
|
|
default:
|
|
// assume /secrets/{id}
|
|
if request.Method == http.MethodGet {
|
|
return p.rewriteOperation(request, secretInspectOperation)
|
|
}
|
|
secretID := path.Base(requestPath)
|
|
return p.restrictedOperation(request, secretID)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) proxyNodeRequest(request *http.Request) (*http.Response, error) {
|
|
requestPath := request.URL.Path
|
|
|
|
// assume /nodes/{id}
|
|
if path.Base(requestPath) != "nodes" {
|
|
return p.administratorOperation(request)
|
|
}
|
|
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
|
|
func (p *proxyTransport) proxySwarmRequest(request *http.Request) (*http.Response, error) {
|
|
switch requestPath := request.URL.Path; requestPath {
|
|
case "/swarm":
|
|
return p.rewriteOperation(request, swarmInspectOperation)
|
|
default:
|
|
// assume /swarm/{action}
|
|
return p.administratorOperation(request)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) proxyTaskRequest(request *http.Request) (*http.Response, error) {
|
|
switch requestPath := request.URL.Path; requestPath {
|
|
case "/tasks":
|
|
return p.rewriteOperation(request, taskListOperation)
|
|
default:
|
|
// assume /tasks/{id}
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) proxyBuildRequest(request *http.Request) (*http.Response, error) {
|
|
return p.interceptAndRewriteRequest(request, buildOperation)
|
|
}
|
|
|
|
func (p *proxyTransport) proxyImageRequest(request *http.Request) (*http.Response, error) {
|
|
switch requestPath := request.URL.Path; requestPath {
|
|
case "/images/create":
|
|
return p.replaceRegistryAuthenticationHeader(request)
|
|
default:
|
|
if path.Base(requestPath) == "push" && request.Method == http.MethodPost {
|
|
return p.replaceRegistryAuthenticationHeader(request)
|
|
}
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
}
|
|
|
|
func (p *proxyTransport) replaceRegistryAuthenticationHeader(request *http.Request) (*http.Response, error) {
|
|
accessContext, err := p.createRegistryAccessContext(request)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
originalHeader := request.Header.Get("X-Registry-Auth")
|
|
|
|
if originalHeader != "" {
|
|
|
|
decodedHeaderData, err := base64.StdEncoding.DecodeString(originalHeader)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var originalHeaderData registryAuthenticationHeader
|
|
err = json.Unmarshal(decodedHeaderData, &originalHeaderData)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
authenticationHeader := createRegistryAuthenticationHeader(originalHeaderData.Serveraddress, accessContext)
|
|
|
|
headerData, err := json.Marshal(authenticationHeader)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
header := base64.StdEncoding.EncodeToString(headerData)
|
|
|
|
request.Header.Set("X-Registry-Auth", header)
|
|
}
|
|
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
|
|
// restrictedOperation ensures that the current user has the required authorizations
|
|
// before executing the original request.
|
|
func (p *proxyTransport) restrictedOperation(request *http.Request, resourceID string) (*http.Response, error) {
|
|
var err error
|
|
tokenData, err := security.RetrieveTokenData(request)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if tokenData.Role != portainer.AdministratorRole {
|
|
|
|
teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
userTeamIDs := make([]portainer.TeamID, 0)
|
|
for _, membership := range teamMemberships {
|
|
userTeamIDs = append(userTeamIDs, membership.TeamID)
|
|
}
|
|
|
|
resourceControls, err := p.ResourceControlService.ResourceControls()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
resourceControl := getResourceControlByResourceID(resourceID, resourceControls)
|
|
if resourceControl != nil && !canUserAccessResource(tokenData.ID, userTeamIDs, resourceControl) {
|
|
return writeAccessDeniedResponse()
|
|
}
|
|
}
|
|
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
|
|
// rewriteOperationWithLabelFiltering will create a new operation context with data that will be used
|
|
// to decorate the original request's response as well as retrieve all the black listed labels
|
|
// to filter the resources.
|
|
func (p *proxyTransport) rewriteOperationWithLabelFiltering(request *http.Request, operation restrictedOperationRequest) (*http.Response, error) {
|
|
operationContext, err := p.createOperationContext(request)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
settings, err := p.SettingsService.Settings()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
executor := &operationExecutor{
|
|
operationContext: operationContext,
|
|
labelBlackList: settings.BlackListedLabels,
|
|
}
|
|
|
|
return p.executeRequestAndRewriteResponse(request, operation, executor)
|
|
}
|
|
|
|
// rewriteOperation will create a new operation context with data that will be used
|
|
// to decorate the original request's response.
|
|
func (p *proxyTransport) rewriteOperation(request *http.Request, operation restrictedOperationRequest) (*http.Response, error) {
|
|
operationContext, err := p.createOperationContext(request)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
executor := &operationExecutor{
|
|
operationContext: operationContext,
|
|
}
|
|
|
|
return p.executeRequestAndRewriteResponse(request, operation, executor)
|
|
}
|
|
|
|
func (p *proxyTransport) interceptAndRewriteRequest(request *http.Request, operation operationRequest) (*http.Response, error) {
|
|
err := operation(request)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
|
|
func (p *proxyTransport) executeRequestAndRewriteResponse(request *http.Request, operation restrictedOperationRequest, executor *operationExecutor) (*http.Response, error) {
|
|
response, err := p.executeDockerRequest(request)
|
|
if err != nil {
|
|
return response, err
|
|
}
|
|
|
|
err = operation(response, executor)
|
|
return response, err
|
|
}
|
|
|
|
// administratorOperation ensures that the user has administrator privileges
|
|
// before executing the original request.
|
|
func (p *proxyTransport) administratorOperation(request *http.Request) (*http.Response, error) {
|
|
tokenData, err := security.RetrieveTokenData(request)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if tokenData.Role != portainer.AdministratorRole {
|
|
return writeAccessDeniedResponse()
|
|
}
|
|
|
|
return p.executeDockerRequest(request)
|
|
}
|
|
|
|
func (p *proxyTransport) createRegistryAccessContext(request *http.Request) (*registryAccessContext, error) {
|
|
tokenData, err := security.RetrieveTokenData(request)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
accessContext := ®istryAccessContext{
|
|
isAdmin: true,
|
|
userID: tokenData.ID,
|
|
}
|
|
|
|
hub, err := p.DockerHubService.DockerHub()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
accessContext.dockerHub = hub
|
|
|
|
registries, err := p.RegistryService.Registries()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
accessContext.registries = registries
|
|
|
|
if tokenData.Role != portainer.AdministratorRole {
|
|
accessContext.isAdmin = false
|
|
|
|
teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
accessContext.teamMemberships = teamMemberships
|
|
}
|
|
|
|
return accessContext, nil
|
|
}
|
|
|
|
func (p *proxyTransport) createOperationContext(request *http.Request) (*restrictedDockerOperationContext, error) {
|
|
var err error
|
|
tokenData, err := security.RetrieveTokenData(request)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
resourceControls, err := p.ResourceControlService.ResourceControls()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
operationContext := &restrictedDockerOperationContext{
|
|
isAdmin: true,
|
|
userID: tokenData.ID,
|
|
resourceControls: resourceControls,
|
|
endpointResourceAccess: false,
|
|
}
|
|
|
|
if tokenData.Role != portainer.AdministratorRole {
|
|
operationContext.isAdmin = false
|
|
|
|
_, ok := tokenData.EndpointAuthorizations[p.endpointIdentifier][portainer.EndpointResourcesAccess]
|
|
if ok {
|
|
operationContext.endpointResourceAccess = true
|
|
}
|
|
|
|
teamMemberships, err := p.TeamMembershipService.TeamMembershipsByUserID(tokenData.ID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
userTeamIDs := make([]portainer.TeamID, 0)
|
|
for _, membership := range teamMemberships {
|
|
userTeamIDs = append(userTeamIDs, membership.TeamID)
|
|
}
|
|
operationContext.userTeamIDs = userTeamIDs
|
|
}
|
|
|
|
return operationContext, nil
|
|
}
|