portainer/api/http/docker_handler.go

package http

import (
	"strconv"

	"github.com/portainer/portainer"

	"log"
	"net/http"
	"net/url"
	"os"

	"github.com/gorilla/mux"
)

// DockerHandler represents an HTTP API handler for proxying requests to the Docker API.
type DockerHandler struct {
	*mux.Router
	Logger          *log.Logger
	EndpointService portainer.EndpointService
	ProxyFactory    ProxyFactory
	proxies         map[portainer.EndpointID]http.Handler
}

// NewDockerHandler returns a new instance of DockerHandler.
func NewDockerHandler(mw *middleWareService, resourceControlService portainer.ResourceControlService) *DockerHandler {
	h := &DockerHandler{
		Router: mux.NewRouter(),
		Logger: log.New(os.Stderr, "", log.LstdFlags),
		ProxyFactory: ProxyFactory{
			ResourceControlService: resourceControlService,
		},
		proxies: make(map[portainer.EndpointID]http.Handler),
	}
	h.PathPrefix("/{id}/").Handler(
		mw.authenticated(http.HandlerFunc(h.proxyRequestsToDockerAPI)))
	return h
}

func checkEndpointAccessControl(endpoint *portainer.Endpoint, userID portainer.UserID) bool {
	for _, authorizedUserID := range endpoint.AuthorizedUsers {
		if authorizedUserID == userID {
			return true
		}
	}
	return false
}

func (handler *DockerHandler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.Request) {
	vars := mux.Vars(r)
	id := vars["id"]

	parsedID, err := strconv.Atoi(id)
	if err != nil {
		Error(w, err, http.StatusBadRequest, handler.Logger)
		return
	}

	endpointID := portainer.EndpointID(parsedID)
	endpoint, err := handler.EndpointService.Endpoint(endpointID)
	if err != nil {
		Error(w, err, http.StatusInternalServerError, handler.Logger)
		return
	}

	tokenData, err := extractTokenDataFromRequestContext(r)
	if err != nil {
		Error(w, err, http.StatusInternalServerError, handler.Logger)
	}
	if tokenData.Role != portainer.AdministratorRole && !checkEndpointAccessControl(endpoint, tokenData.ID) {
		Error(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)
		return
	}

	proxy := handler.proxies[endpointID]
	if proxy == nil {
		proxy, err = handler.createAndRegisterEndpointProxy(endpoint)
		if err != nil {
			Error(w, err, http.StatusBadRequest, handler.Logger)
			return
		}
	}
	http.StripPrefix("/"+id, proxy).ServeHTTP(w, r)
}

func (handler *DockerHandler) createAndRegisterEndpointProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
	var proxy http.Handler

	endpointURL, err := url.Parse(endpoint.URL)
	if err != nil {
		return nil, err
	}

	if endpointURL.Scheme == "tcp" {
		if endpoint.TLS {
			proxy, err = handler.ProxyFactory.newHTTPSProxy(endpointURL, endpoint)
			if err != nil {
				return nil, err
			}
		} else {
			proxy = handler.ProxyFactory.newHTTPProxy(endpointURL)
		}
	} else {
		// Assume unix:// scheme
		proxy = handler.ProxyFactory.newSocketProxy(endpointURL.Path)
	}

	handler.proxies[endpoint.ID] = proxy
	return proxy, nil
}
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`package http`

			`import (`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`"strconv"`

refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`"github.com/portainer/portainer"`

			`"log"`
			`"net/http"`
			`"net/url"`
			`"os"`
feat(global): multi endpoint management (#407) 2016-12-25 20:34:02 +00:00
			`"github.com/gorilla/mux"`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`)`

			`// DockerHandler represents an HTTP API handler for proxying requests to the Docker API.`
			`type DockerHandler struct {`
			`*mux.Router`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`Logger *log.Logger`
			`EndpointService portainer.EndpointService`
			`ProxyFactory ProxyFactory`
			`proxies map[portainer.EndpointID]http.Handler`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`

			`// NewDockerHandler returns a new instance of DockerHandler.`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`func NewDockerHandler(mw middleWareService, resourceControlService portainer.ResourceControlService) DockerHandler {`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`h := &DockerHandler{`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`Router: mux.NewRouter(),`
			`Logger: log.New(os.Stderr, "", log.LstdFlags),`
			`ProxyFactory: ProxyFactory{`
			`ResourceControlService: resourceControlService,`
			`},`
			`proxies: make(map[portainer.EndpointID]http.Handler),`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`h.PathPrefix("/{id}/").Handler(`
			`mw.authenticated(http.HandlerFunc(h.proxyRequestsToDockerAPI)))`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`return h`
			`}`

feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`func checkEndpointAccessControl(endpoint *portainer.Endpoint, userID portainer.UserID) bool {`
			`for _, authorizedUserID := range endpoint.AuthorizedUsers {`
			`if authorizedUserID == userID {`
			`return true`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`
			`}`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`return false`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`

feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`func (handler DockerHandler) proxyRequestsToDockerAPI(w http.ResponseWriter, r http.Request) {`
			`vars := mux.Vars(r)`
			`id := vars["id"]`
feat(api): Connect to docker behind a name based virtual host proxy (#379) This involves copying and modifying go's httputil.NewSingleHostReverseProxy, which is documented to (perhaps surprisingly) leave the Host header untouched. Instead, we set the Host header to the target host for the connection for the benefit of name based virtual host proxies that make use of this. The value it would otherwise have in this app, typically 'localhost:8000', is strange and unlikely to be any use. See golang/go#7618 and golang/go#10342 2016-12-24 04:49:29 +00:00
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`parsedID, err := strconv.Atoi(id)`
			`if err != nil {`
			`Error(w, err, http.StatusBadRequest, handler.Logger)`
			`return`
feat(api): Connect to docker behind a name based virtual host proxy (#379) This involves copying and modifying go's httputil.NewSingleHostReverseProxy, which is documented to (perhaps surprisingly) leave the Host header untouched. Instead, we set the Host header to the target host for the connection for the benefit of name based virtual host proxies that make use of this. The value it would otherwise have in this app, typically 'localhost:8000', is strange and unlikely to be any use. See golang/go#7618 and golang/go#10342 2016-12-24 04:49:29 +00:00			`}`

feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`endpointID := portainer.EndpointID(parsedID)`
			`endpoint, err := handler.EndpointService.Endpoint(endpointID)`
			`if err != nil {`
			`Error(w, err, http.StatusInternalServerError, handler.Logger)`
			`return`
			`}`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`tokenData, err := extractTokenDataFromRequestContext(r)`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`if err != nil {`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`Error(w, err, http.StatusInternalServerError, handler.Logger)`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`if tokenData.Role != portainer.AdministratorRole && !checkEndpointAccessControl(endpoint, tokenData.ID) {`
			`Error(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)`
			`return`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`

feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`proxy := handler.proxies[endpointID]`
			`if proxy == nil {`
			`proxy, err = handler.createAndRegisterEndpointProxy(endpoint)`
			`if err != nil {`
			`Error(w, err, http.StatusBadRequest, handler.Logger)`
			`return`
			`}`
			`}`
			`http.StripPrefix("/"+id, proxy).ServeHTTP(w, r)`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`

feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`func (handler DockerHandler) createAndRegisterEndpointProxy(endpoint portainer.Endpoint) (http.Handler, error) {`
			`var proxy http.Handler`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`endpointURL, err := url.Parse(endpoint.URL)`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`if err != nil {`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`return nil, err`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`

feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`if endpointURL.Scheme == "tcp" {`
			`if endpoint.TLS {`
			`proxy, err = handler.ProxyFactory.newHTTPSProxy(endpointURL, endpoint)`
			`if err != nil {`
			`return nil, err`
			`}`
			`} else {`
			`proxy = handler.ProxyFactory.newHTTPProxy(endpointURL)`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00			`} else {`
			`// Assume unix:// scheme`
			`proxy = handler.ProxyFactory.newSocketProxy(endpointURL.Path)`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`
feat(uac): add multi user management and UAC (#647) 2017-03-12 16:24:15 +00:00
			`handler.proxies[endpoint.ID] = proxy`
			`return proxy, nil`
refactor(api): API overhaul (#392) 2016-12-18 05:21:29 +00:00			`}`