portainer/api/http/proxy/services.go

package proxy

import (
	"net/http"

	"github.com/portainer/portainer/api"
)

const (
	// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier
	ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")
	serviceIdentifier                  = "ID"
	serviceLabelForStackIdentifier     = "com.docker.stack.namespace"
)

// serviceListOperation extracts the response as a JSON array, loop through the service array
// decorate and/or filter the services based on resource controls before rewriting the response
func serviceListOperation(response *http.Response, executor *operationExecutor) error {
	var err error
	// ServiceList response is a JSON array
	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
	responseArray, err := getResponseAsJSONArray(response)
	if err != nil {
		return err
	}

	if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess {
		responseArray, err = decorateServiceList(responseArray, executor.operationContext.resourceControls)
	} else {
		responseArray, err = filterServiceList(responseArray, executor.operationContext)
	}
	if err != nil {
		return err
	}

	return rewriteResponse(response, responseArray, http.StatusOK)
}

// serviceInspectOperation extracts the response as a JSON object, verify that the user
// has access to the service based on resource control and either rewrite an access denied response
// or a decorated service.
func serviceInspectOperation(response *http.Response, executor *operationExecutor) error {
	// ServiceInspect response is a JSON object
	// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
	responseObject, err := getResponseAsJSONOBject(response)
	if err != nil {
		return err
	}

	if responseObject[serviceIdentifier] == nil {
		return ErrDockerServiceIdentifierNotFound
	}

	serviceID := responseObject[serviceIdentifier].(string)
	responseObject, access := applyResourceAccessControl(responseObject, serviceID, executor.operationContext)
	if access {
		return rewriteResponse(response, responseObject, http.StatusOK)
	}

	serviceLabels := extractServiceLabelsFromServiceInspectObject(responseObject)
	responseObject, access = applyResourceAccessControlFromLabel(serviceLabels, responseObject, serviceLabelForStackIdentifier, executor.operationContext)
	if access {
		return rewriteResponse(response, responseObject, http.StatusOK)
	}

	return rewriteAccessDeniedResponse(response)
}

// extractServiceLabelsFromServiceInspectObject retrieve the Labels of the service if present.
// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect
func extractServiceLabelsFromServiceInspectObject(responseObject map[string]interface{}) map[string]interface{} {
	// Labels are stored under Spec.Labels
	serviceSpecObject := extractJSONField(responseObject, "Spec")
	if serviceSpecObject != nil {
		return extractJSONField(serviceSpecObject, "Labels")
	}
	return nil
}

// extractServiceLabelsFromServiceListObject retrieve the Labels of the service if present.
// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
func extractServiceLabelsFromServiceListObject(responseObject map[string]interface{}) map[string]interface{} {
	// Labels are stored under Spec.Labels
	serviceSpecObject := extractJSONField(responseObject, "Spec")
	if serviceSpecObject != nil {
		return extractJSONField(serviceSpecObject, "Labels")
	}
	return nil
}

// decorateServiceList loops through all services and decorates any service with an existing resource control.
// Resource controls checks are based on: resource identifier, stack identifier (from label).
// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
func decorateServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
	decoratedServiceData := make([]interface{}, 0)

	for _, service := range serviceData {

		serviceObject := service.(map[string]interface{})
		if serviceObject[serviceIdentifier] == nil {
			return nil, ErrDockerServiceIdentifierNotFound
		}

		serviceID := serviceObject[serviceIdentifier].(string)
		serviceObject = decorateResourceWithAccessControl(serviceObject, serviceID, resourceControls)

		serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)
		serviceObject = decorateResourceWithAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, resourceControls)

		decoratedServiceData = append(decoratedServiceData, serviceObject)
	}

	return decoratedServiceData, nil
}

// filterServiceList loops through all services and filters public services (no associated resource control)
// as well as authorized services (access granted to the user based on existing resource control).
// Authorized services are decorated during the process.
// Resource controls checks are based on: resource identifier, stack identifier (from label).
// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList
func filterServiceList(serviceData []interface{}, context *restrictedDockerOperationContext) ([]interface{}, error) {
	filteredServiceData := make([]interface{}, 0)

	for _, service := range serviceData {
		serviceObject := service.(map[string]interface{})
		if serviceObject[serviceIdentifier] == nil {
			return nil, ErrDockerServiceIdentifierNotFound
		}

		serviceID := serviceObject[serviceIdentifier].(string)
		serviceObject, access := applyResourceAccessControl(serviceObject, serviceID, context)
		if !access {
			serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)
			serviceObject, access = applyResourceAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, context)
		}

		if access {
			filteredServiceData = append(filteredServiceData, serviceObject)
		}
	}

	return filteredServiceData, nil
}
feat(stacks): add support for stack deploy (#1280) 7 years ago			`package proxy`

			`import (`
			`"net/http"`

refactor(api): refactor base import path (#2788) * refactor(api): refactor base import path * fix(build-system): update build_binary_devops * fix(build-system): fix build_binary_devops for linux * fix(build-system): fix build_binary_devops for Windows 6 years ago			`"github.com/portainer/portainer/api"`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`)`

			`const (`
			`// ErrDockerServiceIdentifierNotFound defines an error raised when Portainer is unable to find a service identifier`
			`ErrDockerServiceIdentifierNotFound = portainer.Error("Docker service identifier not found")`
			`serviceIdentifier = "ID"`
			`serviceLabelForStackIdentifier = "com.docker.stack.namespace"`
			`)`

			`// serviceListOperation extracts the response as a JSON array, loop through the service array`
			`// decorate and/or filter the services based on resource controls before rewriting the response`
feat(agent): add agent support (#1828) 7 years ago			`func serviceListOperation(response http.Response, executor operationExecutor) error {`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`var err error`
			`// ServiceList response is a JSON array`
			`// https://docs.docker.com/engine/api/v1.28/#operation/ServiceList`
			`responseArray, err := getResponseAsJSONArray(response)`
			`if err != nil {`
			`return err`
			`}`

feat(extensions): introduce RBAC extension (#2900) 6 years ago			`if executor.operationContext.isAdmin \|\| executor.operationContext.endpointResourceAccess {`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`responseArray, err = decorateServiceList(responseArray, executor.operationContext.resourceControls)`
			`} else {`
			`responseArray, err = filterServiceList(responseArray, executor.operationContext)`
			`}`
			`if err != nil {`
			`return err`
			`}`

			`return rewriteResponse(response, responseArray, http.StatusOK)`
			`}`

			`// serviceInspectOperation extracts the response as a JSON object, verify that the user`
			`// has access to the service based on resource control and either rewrite an access denied response`
			`// or a decorated service.`
feat(agent): add agent support (#1828) 7 years ago			`func serviceInspectOperation(response http.Response, executor operationExecutor) error {`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`// ServiceInspect response is a JSON object`
			`// https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect`
			`responseObject, err := getResponseAsJSONOBject(response)`
			`if err != nil {`
			`return err`
			`}`

			`if responseObject[serviceIdentifier] == nil {`
			`return ErrDockerServiceIdentifierNotFound`
			`}`

			`serviceID := responseObject[serviceIdentifier].(string)`
			`responseObject, access := applyResourceAccessControl(responseObject, serviceID, executor.operationContext)`
feat(UAC): change default ownership to admininstrators (#2137) * #960 feat(UAC): change ownership to admins for externally created ressources * feat(UAC): change ownership to admins for externally created resources Deprecated AdministratorsOnly js and go backend * #960 feat(UAC): remove AdministratorsOnly property and minor GUI fixes Update swagger definition changing AdministratorsOnly to Public * #960 feat(UAC): fix create resource with access control data * #960 feat(UAC): authorization of non-admin users for restricted operations On stacks, containers networks, services , tasks and volumes. * #960 feat(UAC): database migration to version 14 The administrator resources are deleted and Public resources are now managed by admins * #960 feat(UAC): small fixes from PR #2137 * #960 feat(UAC): improve the readability of the source code * feat(UAC) fix displayed ownership for Swarm related resources (#960) 6 years ago			`if access {`
			`return rewriteResponse(response, responseObject, http.StatusOK)`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`}`

			`serviceLabels := extractServiceLabelsFromServiceInspectObject(responseObject)`
			`responseObject, access = applyResourceAccessControlFromLabel(serviceLabels, responseObject, serviceLabelForStackIdentifier, executor.operationContext)`
feat(UAC): change default ownership to admininstrators (#2137) * #960 feat(UAC): change ownership to admins for externally created ressources * feat(UAC): change ownership to admins for externally created resources Deprecated AdministratorsOnly js and go backend * #960 feat(UAC): remove AdministratorsOnly property and minor GUI fixes Update swagger definition changing AdministratorsOnly to Public * #960 feat(UAC): fix create resource with access control data * #960 feat(UAC): authorization of non-admin users for restricted operations On stacks, containers networks, services , tasks and volumes. * #960 feat(UAC): database migration to version 14 The administrator resources are deleted and Public resources are now managed by admins * #960 feat(UAC): small fixes from PR #2137 * #960 feat(UAC): improve the readability of the source code * feat(UAC) fix displayed ownership for Swarm related resources (#960) 6 years ago			`if access {`
			`return rewriteResponse(response, responseObject, http.StatusOK)`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`}`

feat(UAC): change default ownership to admininstrators (#2137) * #960 feat(UAC): change ownership to admins for externally created ressources * feat(UAC): change ownership to admins for externally created resources Deprecated AdministratorsOnly js and go backend * #960 feat(UAC): remove AdministratorsOnly property and minor GUI fixes Update swagger definition changing AdministratorsOnly to Public * #960 feat(UAC): fix create resource with access control data * #960 feat(UAC): authorization of non-admin users for restricted operations On stacks, containers networks, services , tasks and volumes. * #960 feat(UAC): database migration to version 14 The administrator resources are deleted and Public resources are now managed by admins * #960 feat(UAC): small fixes from PR #2137 * #960 feat(UAC): improve the readability of the source code * feat(UAC) fix displayed ownership for Swarm related resources (#960) 6 years ago			`return rewriteAccessDeniedResponse(response)`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`}`

			`// extractServiceLabelsFromServiceInspectObject retrieve the Labels of the service if present.`
			`// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceInspect`
			`func extractServiceLabelsFromServiceInspectObject(responseObject map[string]interface{}) map[string]interface{} {`
			`// Labels are stored under Spec.Labels`
			`serviceSpecObject := extractJSONField(responseObject, "Spec")`
			`if serviceSpecObject != nil {`
			`return extractJSONField(serviceSpecObject, "Labels")`
			`}`
			`return nil`
			`}`

			`// extractServiceLabelsFromServiceListObject retrieve the Labels of the service if present.`
			`// Service schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList`
			`func extractServiceLabelsFromServiceListObject(responseObject map[string]interface{}) map[string]interface{} {`
			`// Labels are stored under Spec.Labels`
			`serviceSpecObject := extractJSONField(responseObject, "Spec")`
			`if serviceSpecObject != nil {`
			`return extractJSONField(serviceSpecObject, "Labels")`
			`}`
			`return nil`
			`}`

			`// decorateServiceList loops through all services and decorates any service with an existing resource control.`
			`// Resource controls checks are based on: resource identifier, stack identifier (from label).`
			`// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList`
			`func decorateServiceList(serviceData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {`
			`decoratedServiceData := make([]interface{}, 0)`

			`for _, service := range serviceData {`

			`serviceObject := service.(map[string]interface{})`
			`if serviceObject[serviceIdentifier] == nil {`
			`return nil, ErrDockerServiceIdentifierNotFound`
			`}`

			`serviceID := serviceObject[serviceIdentifier].(string)`
			`serviceObject = decorateResourceWithAccessControl(serviceObject, serviceID, resourceControls)`

			`serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)`
			`serviceObject = decorateResourceWithAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, resourceControls)`

			`decoratedServiceData = append(decoratedServiceData, serviceObject)`
			`}`

			`return decoratedServiceData, nil`
			`}`

			`// filterServiceList loops through all services and filters public services (no associated resource control)`
			`// as well as authorized services (access granted to the user based on existing resource control).`
			`// Authorized services are decorated during the process.`
			`// Resource controls checks are based on: resource identifier, stack identifier (from label).`
			`// Service object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ServiceList`
feat(extensions): introduce RBAC extension (#2900) 6 years ago			`func filterServiceList(serviceData []interface{}, context *restrictedDockerOperationContext) ([]interface{}, error) {`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`filteredServiceData := make([]interface{}, 0)`

			`for _, service := range serviceData {`
			`serviceObject := service.(map[string]interface{})`
			`if serviceObject[serviceIdentifier] == nil {`
			`return nil, ErrDockerServiceIdentifierNotFound`
			`}`

			`serviceID := serviceObject[serviceIdentifier].(string)`
			`serviceObject, access := applyResourceAccessControl(serviceObject, serviceID, context)`
feat(UAC): change default ownership to admininstrators (#2137) * #960 feat(UAC): change ownership to admins for externally created ressources * feat(UAC): change ownership to admins for externally created resources Deprecated AdministratorsOnly js and go backend * #960 feat(UAC): remove AdministratorsOnly property and minor GUI fixes Update swagger definition changing AdministratorsOnly to Public * #960 feat(UAC): fix create resource with access control data * #960 feat(UAC): authorization of non-admin users for restricted operations On stacks, containers networks, services , tasks and volumes. * #960 feat(UAC): database migration to version 14 The administrator resources are deleted and Public resources are now managed by admins * #960 feat(UAC): small fixes from PR #2137 * #960 feat(UAC): improve the readability of the source code * feat(UAC) fix displayed ownership for Swarm related resources (#960) 6 years ago			`if !access {`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`serviceLabels := extractServiceLabelsFromServiceListObject(serviceObject)`
			`serviceObject, access = applyResourceAccessControlFromLabel(serviceLabels, serviceObject, serviceLabelForStackIdentifier, context)`
feat(UAC): change default ownership to admininstrators (#2137) * #960 feat(UAC): change ownership to admins for externally created ressources * feat(UAC): change ownership to admins for externally created resources Deprecated AdministratorsOnly js and go backend * #960 feat(UAC): remove AdministratorsOnly property and minor GUI fixes Update swagger definition changing AdministratorsOnly to Public * #960 feat(UAC): fix create resource with access control data * #960 feat(UAC): authorization of non-admin users for restricted operations On stacks, containers networks, services , tasks and volumes. * #960 feat(UAC): database migration to version 14 The administrator resources are deleted and Public resources are now managed by admins * #960 feat(UAC): small fixes from PR #2137 * #960 feat(UAC): improve the readability of the source code * feat(UAC) fix displayed ownership for Swarm related resources (#960) 6 years ago			`}`

			`if access {`
			`filteredServiceData = append(filteredServiceData, serviceObject)`
feat(stacks): add support for stack deploy (#1280) 7 years ago			`}`
			`}`

			`return filteredServiceData, nil`
			`}`