2017-05-23 18:56:10 +00:00
|
|
|
package proxy
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
|
|
|
|
"github.com/portainer/portainer"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier
|
|
|
|
ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")
|
|
|
|
serviceIdentifier = "ID"
|
|
|
|
)
|
|
|
|
|
|
|
|
// serviceListOperation extracts the response as a JSON array, loop through the service array
|
|
|
|
// decorate and/or filter the services based on resource controls before rewriting the response
|
2017-06-01 08:14:55 +00:00
|
|
|
func serviceListOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
|
2017-05-23 18:56:10 +00:00
|
|
|
var err error
|
|
|
|
// ServiceList response is a JSON array
|
|
|
|
// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
|
|
|
|
responseArray, err := getResponseAsJSONArray(response)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2017-06-01 08:14:55 +00:00
|
|
|
if executor.operationContext.isAdmin {
|
|
|
|
responseArray, err = decorateServiceList(responseArray, executor.operationContext.resourceControls)
|
2017-05-23 18:56:10 +00:00
|
|
|
} else {
|
2017-06-01 08:14:55 +00:00
|
|
|
responseArray, err = filterServiceList(responseArray, executor.operationContext.resourceControls, executor.operationContext.userID, executor.operationContext.userTeamIDs)
|
2017-05-23 18:56:10 +00:00
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return rewriteResponse(response, responseArray, http.StatusOK)
|
|
|
|
}
|
|
|
|
|
|
|
|
// serviceInspectOperation extracts the response as a JSON object, verify that the user
|
|
|
|
// has access to the service based on resource control and either rewrite an access denied response
|
|
|
|
// or a decorated service.
|
2017-06-01 08:14:55 +00:00
|
|
|
func serviceInspectOperation(request *http.Request, response *http.Response, executor *operationExecutor) error {
|
2017-05-23 18:56:10 +00:00
|
|
|
// ServiceInspect response is a JSON object
|
|
|
|
// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
|
|
|
|
responseObject, err := getResponseAsJSONOBject(response)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if responseObject[serviceIdentifier] == nil {
|
|
|
|
return ErrDockerServiceIdentifierNotFound
|
|
|
|
}
|
|
|
|
serviceID := responseObject[serviceIdentifier].(string)
|
|
|
|
|
2017-06-01 08:14:55 +00:00
|
|
|
resourceControl := getResourceControlByResourceID(serviceID, executor.operationContext.resourceControls)
|
2017-05-23 18:56:10 +00:00
|
|
|
if resourceControl != nil {
|
2017-06-01 08:14:55 +00:00
|
|
|
if executor.operationContext.isAdmin || canUserAccessResource(executor.operationContext.userID, executor.operationContext.userTeamIDs, resourceControl) {
|
2017-05-23 18:56:10 +00:00
|
|
|
responseObject = decorateObject(responseObject, resourceControl)
|
|
|
|
} else {
|
|
|
|
return rewriteAccessDeniedResponse(response)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return rewriteResponse(response, responseObject, http.StatusOK)
|
|
|
|
}
|