2017-11-06 08:47:31 +00:00
|
|
|
package proxy
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
|
2019-03-21 01:20:14 +00:00
|
|
|
"github.com/portainer/portainer/api"
|
2017-11-06 08:47:31 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// ErrDockerConfigIdentifierNotFound defines an error raised when Portainer is unable to find a config identifier
|
|
|
|
ErrDockerConfigIdentifierNotFound = portainer.Error("Docker config identifier not found")
|
|
|
|
configIdentifier = "ID"
|
|
|
|
)
|
|
|
|
|
|
|
|
// configListOperation extracts the response as a JSON object, loop through the configs array
|
|
|
|
// decorate and/or filter the configs based on resource controls before rewriting the response
|
2018-05-06 07:15:57 +00:00
|
|
|
func configListOperation(response *http.Response, executor *operationExecutor) error {
|
2017-11-06 08:47:31 +00:00
|
|
|
var err error
|
|
|
|
|
|
|
|
// ConfigList response is a JSON array
|
|
|
|
// https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
|
|
|
|
responseArray, err := getResponseAsJSONArray(response)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-05-24 06:04:58 +00:00
|
|
|
if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess {
|
2017-11-06 08:47:31 +00:00
|
|
|
responseArray, err = decorateConfigList(responseArray, executor.operationContext.resourceControls)
|
|
|
|
} else {
|
|
|
|
responseArray, err = filterConfigList(responseArray, executor.operationContext)
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return rewriteResponse(response, responseArray, http.StatusOK)
|
|
|
|
}
|
|
|
|
|
|
|
|
// configInspectOperation extracts the response as a JSON object, verify that the user
|
|
|
|
// has access to the config based on resource control (check are done based on the configID and optional Swarm service ID)
|
|
|
|
// and either rewrite an access denied response or a decorated config.
|
2018-05-06 07:15:57 +00:00
|
|
|
func configInspectOperation(response *http.Response, executor *operationExecutor) error {
|
2017-11-06 08:47:31 +00:00
|
|
|
// ConfigInspect response is a JSON object
|
|
|
|
// https://docs.docker.com/engine/api/v1.30/#operation/ConfigInspect
|
|
|
|
responseObject, err := getResponseAsJSONOBject(response)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if responseObject[configIdentifier] == nil {
|
|
|
|
return ErrDockerConfigIdentifierNotFound
|
|
|
|
}
|
|
|
|
|
|
|
|
configID := responseObject[configIdentifier].(string)
|
|
|
|
responseObject, access := applyResourceAccessControl(responseObject, configID, executor.operationContext)
|
|
|
|
if !access {
|
|
|
|
return rewriteAccessDeniedResponse(response)
|
|
|
|
}
|
|
|
|
|
|
|
|
return rewriteResponse(response, responseObject, http.StatusOK)
|
|
|
|
}
|
|
|
|
|
|
|
|
// decorateConfigList loops through all configs and decorates any config with an existing resource control.
|
|
|
|
// Resource controls checks are based on: resource identifier.
|
|
|
|
// Config object schema reference: https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
|
|
|
|
func decorateConfigList(configData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
|
|
|
|
decoratedConfigData := make([]interface{}, 0)
|
|
|
|
|
|
|
|
for _, config := range configData {
|
|
|
|
|
|
|
|
configObject := config.(map[string]interface{})
|
|
|
|
if configObject[configIdentifier] == nil {
|
|
|
|
return nil, ErrDockerConfigIdentifierNotFound
|
|
|
|
}
|
|
|
|
|
|
|
|
configID := configObject[configIdentifier].(string)
|
|
|
|
configObject = decorateResourceWithAccessControl(configObject, configID, resourceControls)
|
|
|
|
|
|
|
|
decoratedConfigData = append(decoratedConfigData, configObject)
|
|
|
|
}
|
|
|
|
|
|
|
|
return decoratedConfigData, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// filterConfigList loops through all configs and filters public configs (no associated resource control)
|
|
|
|
// as well as authorized configs (access granted to the user based on existing resource control).
|
|
|
|
// Authorized configs are decorated during the process.
|
|
|
|
// Resource controls checks are based on: resource identifier.
|
|
|
|
// Config object schema reference: https://docs.docker.com/engine/api/v1.30/#operation/ConfigList
|
2019-05-24 06:04:58 +00:00
|
|
|
func filterConfigList(configData []interface{}, context *restrictedDockerOperationContext) ([]interface{}, error) {
|
2017-11-06 08:47:31 +00:00
|
|
|
filteredConfigData := make([]interface{}, 0)
|
|
|
|
|
|
|
|
for _, config := range configData {
|
|
|
|
configObject := config.(map[string]interface{})
|
|
|
|
if configObject[configIdentifier] == nil {
|
|
|
|
return nil, ErrDockerConfigIdentifierNotFound
|
|
|
|
}
|
|
|
|
|
|
|
|
configID := configObject[configIdentifier].(string)
|
|
|
|
configObject, access := applyResourceAccessControl(configObject, configID, context)
|
|
|
|
if access {
|
|
|
|
filteredConfigData = append(filteredConfigData, configObject)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return filteredConfigData, nil
|
|
|
|
}
|