mirror of
https://github.com/portainer/portainer.git
synced 2025-07-22 14:59:41 +02:00
19d4db13be
* feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster
113 lines
3.9 KiB
Go
113 lines
3.9 KiB
Go
package resourcecontrols
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
|
|
"github.com/asaskevich/govalidator"
|
|
httperror "github.com/portainer/libhttp/error"
|
|
"github.com/portainer/libhttp/request"
|
|
"github.com/portainer/libhttp/response"
|
|
"github.com/portainer/portainer/api"
|
|
)
|
|
|
|
type resourceControlCreatePayload struct {
|
|
ResourceID string
|
|
Type string
|
|
Public bool
|
|
AdministratorsOnly bool
|
|
Users []int
|
|
Teams []int
|
|
SubResourceIDs []string
|
|
}
|
|
|
|
func (payload *resourceControlCreatePayload) Validate(r *http.Request) error {
|
|
if govalidator.IsNull(payload.ResourceID) {
|
|
return errors.New("invalid payload: invalid resource identifier")
|
|
}
|
|
|
|
if govalidator.IsNull(payload.Type) {
|
|
return errors.New("invalid payload: invalid type")
|
|
}
|
|
|
|
if len(payload.Users) == 0 && len(payload.Teams) == 0 && !payload.Public && !payload.AdministratorsOnly {
|
|
return errors.New("invalid payload: must specify Users, Teams, Public or AdministratorsOnly")
|
|
}
|
|
|
|
if payload.Public && payload.AdministratorsOnly {
|
|
return errors.New("invalid payload: cannot set both public and administrators only flags to true")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// POST request on /api/resource_controls
|
|
func (handler *Handler) resourceControlCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
|
|
var payload resourceControlCreatePayload
|
|
err := request.DecodeAndValidateJSONPayload(r, &payload)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
|
|
}
|
|
|
|
var resourceControlType portainer.ResourceControlType
|
|
switch payload.Type {
|
|
case "container":
|
|
resourceControlType = portainer.ContainerResourceControl
|
|
case "service":
|
|
resourceControlType = portainer.ServiceResourceControl
|
|
case "volume":
|
|
resourceControlType = portainer.VolumeResourceControl
|
|
case "network":
|
|
resourceControlType = portainer.NetworkResourceControl
|
|
case "secret":
|
|
resourceControlType = portainer.SecretResourceControl
|
|
case "stack":
|
|
resourceControlType = portainer.StackResourceControl
|
|
case "config":
|
|
resourceControlType = portainer.ConfigResourceControl
|
|
default:
|
|
return &httperror.HandlerError{http.StatusBadRequest, "Invalid type value. Value must be one of: container, service, volume, network, secret, stack or config", portainer.ErrInvalidResourceControlType}
|
|
}
|
|
|
|
rc, err := handler.ResourceControlService.ResourceControlByResourceIDAndType(payload.ResourceID, resourceControlType)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve resource controls from the database", err}
|
|
}
|
|
if rc != nil {
|
|
return &httperror.HandlerError{http.StatusConflict, "A resource control is already associated to this resource", portainer.ErrResourceControlAlreadyExists}
|
|
}
|
|
|
|
var userAccesses = make([]portainer.UserResourceAccess, 0)
|
|
for _, v := range payload.Users {
|
|
userAccess := portainer.UserResourceAccess{
|
|
UserID: portainer.UserID(v),
|
|
AccessLevel: portainer.ReadWriteAccessLevel,
|
|
}
|
|
userAccesses = append(userAccesses, userAccess)
|
|
}
|
|
|
|
var teamAccesses = make([]portainer.TeamResourceAccess, 0)
|
|
for _, v := range payload.Teams {
|
|
teamAccess := portainer.TeamResourceAccess{
|
|
TeamID: portainer.TeamID(v),
|
|
AccessLevel: portainer.ReadWriteAccessLevel,
|
|
}
|
|
teamAccesses = append(teamAccesses, teamAccess)
|
|
}
|
|
|
|
resourceControl := portainer.ResourceControl{
|
|
ResourceID: payload.ResourceID,
|
|
SubResourceIDs: payload.SubResourceIDs,
|
|
Type: resourceControlType,
|
|
Public: payload.Public,
|
|
AdministratorsOnly: payload.AdministratorsOnly,
|
|
UserAccesses: userAccesses,
|
|
TeamAccesses: teamAccesses,
|
|
}
|
|
|
|
err = handler.ResourceControlService.CreateResourceControl(&resourceControl)
|
|
if err != nil {
|
|
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the resource control inside the database", err}
|
|
}
|
|
|
|
return response.JSON(w, resourceControl)
|
|
}
|