2017-05-23 18:56:10 +00:00
|
|
|
package security
|
|
|
|
|
|
|
|
import (
|
2020-07-07 21:57:52 +00:00
|
|
|
"net/http"
|
|
|
|
"strings"
|
2021-11-30 02:31:16 +00:00
|
|
|
"time"
|
2020-05-14 02:14:28 +00:00
|
|
|
|
2023-04-27 02:22:05 +00:00
|
|
|
"github.com/pkg/errors"
|
2018-09-10 10:01:38 +00:00
|
|
|
httperror "github.com/portainer/libhttp/error"
|
2021-04-06 10:08:43 +00:00
|
|
|
portainer "github.com/portainer/portainer/api"
|
2021-11-30 02:31:16 +00:00
|
|
|
"github.com/portainer/portainer/api/apikey"
|
chore(store) EE-1981: Refactor/store/error checking, and other refactoring (#6173)
* use the Store interface IsErrObjectNotFound() to avoid revealing internal errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* what happens when you extract the datastore interfaces into their own package
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Start renaming Storage methods
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the boltdb specific code from the Portainer storage code (example, the others need the same)
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extract bolt.Tx from datastore code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* minimise imports by putting moving the struct definition into the file that needs the Service imports
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extraction of boltdb.Tx
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the use of bucket.SetSequence
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* almost done - just endpoint.Synchonise :/
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* so, endpoint.Synchonize looks hard, but i can't find where we use it, so 'delete first refactoring'
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix test compile errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* test compile fixes after rebase
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix a mis-remembering I had wrt deserialisation - last time i used AnyData - jsoniter's bindTo looks interesting for the same reason
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* set us up to make the connection an interface
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make the db connection a datastore interface, and separate out our datastore services from the bolt ones
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* rename methods to something less oltdb internals specific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* these errors are not boltdb secific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* start using the db-backend factory method too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* export boltdb raw in case we can't export from the service layer
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add a raw export from boltdb to yaml for broken db's, and an export services to yaml in backup
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add the version info by hand for now
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* actually, the export from services can be fully typed - its the import that needs to do more work
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* redo raw export, and make import capable of using it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add DockerHub
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* migration from anything older than v1.21.0 has been broken for quite a while, deleting the un-tested code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix go test ./... again
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* my goland wasn't setup to gofmt
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the two extremely dubious migration tests down into store, so they can use the test store code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* the migrator is now free of boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* reverse goland overzealous replcement of internal with boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more undo over-zealous goland internal->boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* yay, now bolt is only mentioned inside the api/database/ dir
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* and this might be the last of the boltdb references?
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add todo
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the store code into a separate module too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* don't need the fileService in boltdb anymore
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use IsErrObjectNotFound()
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use a string to select what database backend we use
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make isNew store an ephemeral bool that doesn't stay true after we've initialised it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the import.json wip to a separate file so its more obvious - we'll be using it for testing, emergency fixups, and in the next part of the store work, when we improve migrations and data model lifecycles
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* undo vscode formatting html
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix app templates symbol (#6221)
* feat(webhook) EE-2125 send registry auth haeder when update swarms service via webhook (#6220)
* feat(webhook) EE-2125 add some helpers to registry utils
* feat(webhook) EE-2125 persist registryID when creating a webhook
* feat(webhook) EE-2125 send registry auth header when executing a webhook
* feat(webhook) EE-2125 send registryID to backend when creating a service with webhook
* feat(webhook) EE-2125 use the initial registry ID to create webhook on editing service screen
* feat(webhook) EE-2125 update webhook when update registry
* feat(webhook) EE-2125 add endpoint of update webhook
* feat(webhook) EE-2125 code cleanup
* feat(webhook) EE-2125 fix a typo
* feat(webhook) EE-2125 fix circle import issue with unit test
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix(kubeconfig): show kubeconfig download button for non admin users [EE-2123] (#6204)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix data-cy for k8s cluster menu (#6226)
LGTM
* feat(stack): make stack created from app template editable EE-1941 (#6104)
feat(stack): make stack from app template editable
* fix(container):disable Duplicate/Edit button when the container is portainer (#6223)
* fix/ee-1909/show-pull-image-error (#6195)
Co-authored-by: sunportainer <ericsun@SG1.local>
* feat(cy): add data-cy to helm install button (#6241)
* feat(cy): add data-cy to add registry button (#6242)
* refactor(app): convert root folder files to es6 (#4159)
* refactor(app): duplicate constants as es6 exports (#4158)
* fix(docker): provide workaround to save network name variable (#6080)
* fix/EE-1862/unable-to-stop-or-remove-stack workaround for var without default value in yaml file
* fix/EE-1862/unable-to-stop-or-remove-stack check yaml file
* fixed func and var names
* wrapper error and used bool for stringset
* UT case for createNetworkEnvFile
* UT case for %s=%s
* powerful StringSet
* wrapper error for extract network name
* wrapper all the return err
* store more env
* put to env file
* make default value None
* feat: gzip static resources (#6258)
* fix(ssl)//handle --sslcert and --sslkey ee-2106 (#6203)
* fix/ee-2106/handle-sslcert-sslkey
Co-authored-by: sunportainer <ericsun@SG1.local>
* fix(server):support disable https only ee-2068 (#6232)
* fix/ee-2068/disable-forcely-https
* feat(store): implement store tests EE-2112 (#6224)
* add store tests
* add some more tests
* Update missing helm user repo methods
* remove redundant comments
* add webhook export
* update webhooks
* use the Store interface IsErrObjectNotFound() to avoid revealing internal errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* what happens when you extract the datastore interfaces into their own package
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Start renaming Storage methods
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the boltdb specific code from the Portainer storage code (example, the others need the same)
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extract bolt.Tx from datastore code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* minimise imports by putting moving the struct definition into the file that needs the Service imports
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extraction of boltdb.Tx
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the use of bucket.SetSequence
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* almost done - just endpoint.Synchonise :/
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* so, endpoint.Synchonize looks hard, but i can't find where we use it, so 'delete first refactoring'
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix test compile errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* test compile fixes after rebase
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix a mis-remembering I had wrt deserialisation - last time i used AnyData - jsoniter's bindTo looks interesting for the same reason
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* set us up to make the connection an interface
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make the db connection a datastore interface, and separate out our datastore services from the bolt ones
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* rename methods to something less oltdb internals specific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* these errors are not boltdb secific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* start using the db-backend factory method too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* export boltdb raw in case we can't export from the service layer
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add a raw export from boltdb to yaml for broken db's, and an export services to yaml in backup
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add the version info by hand for now
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* actually, the export from services can be fully typed - its the import that needs to do more work
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* redo raw export, and make import capable of using it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add DockerHub
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* migration from anything older than v1.21.0 has been broken for quite a while, deleting the un-tested code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix go test ./... again
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* my goland wasn't setup to gofmt
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the two extremely dubious migration tests down into store, so they can use the test store code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* the migrator is now free of boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* reverse goland overzealous replcement of internal with boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more undo over-zealous goland internal->boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* yay, now bolt is only mentioned inside the api/database/ dir
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* and this might be the last of the boltdb references?
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add todo
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the store code into a separate module too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* don't need the fileService in boltdb anymore
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use IsErrObjectNotFound()
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use a string to select what database backend we use
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make isNew store an ephemeral bool that doesn't stay true after we've initialised it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the import.json wip to a separate file so its more obvious - we'll be using it for testing, emergency fixups, and in the next part of the store work, when we improve migrations and data model lifecycles
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* undo vscode formatting html
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Update missing helm user repo methods
* feat(store): implement store tests EE-2112 (#6224)
* add store tests
* add some more tests
* remove redundant comments
* add webhook export
* update webhooks
* fix build issues after rebasing
* move migratorparams
* remove unneeded integer type conversions
* disable the db import/export for now
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: cong meng <mcpacino@gmail.com>
Co-authored-by: Simon Meng <simon.meng@portainer.io>
Co-authored-by: Marcelo Rydel <marcelorydel26@gmail.com>
Co-authored-by: Hao Zhang <hao.zhang@portainer.io>
Co-authored-by: sunportainer <93502624+sunportainer@users.noreply.github.com>
Co-authored-by: sunportainer <ericsun@SG1.local>
Co-authored-by: wheresolivia <78844659+wheresolivia@users.noreply.github.com>
Co-authored-by: Chaim Lev-Ari <chiptus@users.noreply.github.com>
Co-authored-by: Chao Geng <93526589+chaogeng77977@users.noreply.github.com>
Co-authored-by: Dmitry Salakhov <to@dimasalakhov.com>
Co-authored-by: Matt Hook <hookenz@gmail.com>
2021-12-15 02:26:09 +00:00
|
|
|
"github.com/portainer/portainer/api/dataservices"
|
2020-07-07 21:57:52 +00:00
|
|
|
httperrors "github.com/portainer/portainer/api/http/errors"
|
2017-05-23 18:56:10 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type (
|
|
|
|
// RequestBouncer represents an entity that manages API request accesses
|
|
|
|
RequestBouncer struct {
|
chore(store) EE-1981: Refactor/store/error checking, and other refactoring (#6173)
* use the Store interface IsErrObjectNotFound() to avoid revealing internal errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* what happens when you extract the datastore interfaces into their own package
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Start renaming Storage methods
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the boltdb specific code from the Portainer storage code (example, the others need the same)
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extract bolt.Tx from datastore code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* minimise imports by putting moving the struct definition into the file that needs the Service imports
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extraction of boltdb.Tx
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the use of bucket.SetSequence
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* almost done - just endpoint.Synchonise :/
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* so, endpoint.Synchonize looks hard, but i can't find where we use it, so 'delete first refactoring'
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix test compile errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* test compile fixes after rebase
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix a mis-remembering I had wrt deserialisation - last time i used AnyData - jsoniter's bindTo looks interesting for the same reason
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* set us up to make the connection an interface
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make the db connection a datastore interface, and separate out our datastore services from the bolt ones
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* rename methods to something less oltdb internals specific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* these errors are not boltdb secific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* start using the db-backend factory method too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* export boltdb raw in case we can't export from the service layer
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add a raw export from boltdb to yaml for broken db's, and an export services to yaml in backup
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add the version info by hand for now
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* actually, the export from services can be fully typed - its the import that needs to do more work
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* redo raw export, and make import capable of using it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add DockerHub
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* migration from anything older than v1.21.0 has been broken for quite a while, deleting the un-tested code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix go test ./... again
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* my goland wasn't setup to gofmt
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the two extremely dubious migration tests down into store, so they can use the test store code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* the migrator is now free of boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* reverse goland overzealous replcement of internal with boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more undo over-zealous goland internal->boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* yay, now bolt is only mentioned inside the api/database/ dir
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* and this might be the last of the boltdb references?
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add todo
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the store code into a separate module too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* don't need the fileService in boltdb anymore
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use IsErrObjectNotFound()
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use a string to select what database backend we use
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make isNew store an ephemeral bool that doesn't stay true after we've initialised it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the import.json wip to a separate file so its more obvious - we'll be using it for testing, emergency fixups, and in the next part of the store work, when we improve migrations and data model lifecycles
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* undo vscode formatting html
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix app templates symbol (#6221)
* feat(webhook) EE-2125 send registry auth haeder when update swarms service via webhook (#6220)
* feat(webhook) EE-2125 add some helpers to registry utils
* feat(webhook) EE-2125 persist registryID when creating a webhook
* feat(webhook) EE-2125 send registry auth header when executing a webhook
* feat(webhook) EE-2125 send registryID to backend when creating a service with webhook
* feat(webhook) EE-2125 use the initial registry ID to create webhook on editing service screen
* feat(webhook) EE-2125 update webhook when update registry
* feat(webhook) EE-2125 add endpoint of update webhook
* feat(webhook) EE-2125 code cleanup
* feat(webhook) EE-2125 fix a typo
* feat(webhook) EE-2125 fix circle import issue with unit test
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix(kubeconfig): show kubeconfig download button for non admin users [EE-2123] (#6204)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix data-cy for k8s cluster menu (#6226)
LGTM
* feat(stack): make stack created from app template editable EE-1941 (#6104)
feat(stack): make stack from app template editable
* fix(container):disable Duplicate/Edit button when the container is portainer (#6223)
* fix/ee-1909/show-pull-image-error (#6195)
Co-authored-by: sunportainer <ericsun@SG1.local>
* feat(cy): add data-cy to helm install button (#6241)
* feat(cy): add data-cy to add registry button (#6242)
* refactor(app): convert root folder files to es6 (#4159)
* refactor(app): duplicate constants as es6 exports (#4158)
* fix(docker): provide workaround to save network name variable (#6080)
* fix/EE-1862/unable-to-stop-or-remove-stack workaround for var without default value in yaml file
* fix/EE-1862/unable-to-stop-or-remove-stack check yaml file
* fixed func and var names
* wrapper error and used bool for stringset
* UT case for createNetworkEnvFile
* UT case for %s=%s
* powerful StringSet
* wrapper error for extract network name
* wrapper all the return err
* store more env
* put to env file
* make default value None
* feat: gzip static resources (#6258)
* fix(ssl)//handle --sslcert and --sslkey ee-2106 (#6203)
* fix/ee-2106/handle-sslcert-sslkey
Co-authored-by: sunportainer <ericsun@SG1.local>
* fix(server):support disable https only ee-2068 (#6232)
* fix/ee-2068/disable-forcely-https
* feat(store): implement store tests EE-2112 (#6224)
* add store tests
* add some more tests
* Update missing helm user repo methods
* remove redundant comments
* add webhook export
* update webhooks
* use the Store interface IsErrObjectNotFound() to avoid revealing internal errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* what happens when you extract the datastore interfaces into their own package
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Start renaming Storage methods
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the boltdb specific code from the Portainer storage code (example, the others need the same)
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extract bolt.Tx from datastore code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* minimise imports by putting moving the struct definition into the file that needs the Service imports
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extraction of boltdb.Tx
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the use of bucket.SetSequence
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* almost done - just endpoint.Synchonise :/
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* so, endpoint.Synchonize looks hard, but i can't find where we use it, so 'delete first refactoring'
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix test compile errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* test compile fixes after rebase
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix a mis-remembering I had wrt deserialisation - last time i used AnyData - jsoniter's bindTo looks interesting for the same reason
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* set us up to make the connection an interface
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make the db connection a datastore interface, and separate out our datastore services from the bolt ones
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* rename methods to something less oltdb internals specific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* these errors are not boltdb secific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* start using the db-backend factory method too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* export boltdb raw in case we can't export from the service layer
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add a raw export from boltdb to yaml for broken db's, and an export services to yaml in backup
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add the version info by hand for now
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* actually, the export from services can be fully typed - its the import that needs to do more work
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* redo raw export, and make import capable of using it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add DockerHub
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* migration from anything older than v1.21.0 has been broken for quite a while, deleting the un-tested code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix go test ./... again
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* my goland wasn't setup to gofmt
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the two extremely dubious migration tests down into store, so they can use the test store code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* the migrator is now free of boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* reverse goland overzealous replcement of internal with boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more undo over-zealous goland internal->boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* yay, now bolt is only mentioned inside the api/database/ dir
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* and this might be the last of the boltdb references?
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add todo
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the store code into a separate module too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* don't need the fileService in boltdb anymore
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use IsErrObjectNotFound()
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use a string to select what database backend we use
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make isNew store an ephemeral bool that doesn't stay true after we've initialised it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the import.json wip to a separate file so its more obvious - we'll be using it for testing, emergency fixups, and in the next part of the store work, when we improve migrations and data model lifecycles
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* undo vscode formatting html
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Update missing helm user repo methods
* feat(store): implement store tests EE-2112 (#6224)
* add store tests
* add some more tests
* remove redundant comments
* add webhook export
* update webhooks
* fix build issues after rebasing
* move migratorparams
* remove unneeded integer type conversions
* disable the db import/export for now
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: cong meng <mcpacino@gmail.com>
Co-authored-by: Simon Meng <simon.meng@portainer.io>
Co-authored-by: Marcelo Rydel <marcelorydel26@gmail.com>
Co-authored-by: Hao Zhang <hao.zhang@portainer.io>
Co-authored-by: sunportainer <93502624+sunportainer@users.noreply.github.com>
Co-authored-by: sunportainer <ericsun@SG1.local>
Co-authored-by: wheresolivia <78844659+wheresolivia@users.noreply.github.com>
Co-authored-by: Chaim Lev-Ari <chiptus@users.noreply.github.com>
Co-authored-by: Chao Geng <93526589+chaogeng77977@users.noreply.github.com>
Co-authored-by: Dmitry Salakhov <to@dimasalakhov.com>
Co-authored-by: Matt Hook <hookenz@gmail.com>
2021-12-15 02:26:09 +00:00
|
|
|
dataStore dataservices.DataStore
|
|
|
|
jwtService dataservices.JWTService
|
2021-11-30 02:31:16 +00:00
|
|
|
apiKeyService apikey.APIKeyService
|
2018-06-18 09:56:31 +00:00
|
|
|
}
|
|
|
|
|
2017-05-23 18:56:10 +00:00
|
|
|
// RestrictedRequestContext is a data structure containing information
|
2019-10-07 03:10:51 +00:00
|
|
|
// used in AuthenticatedAccess
|
2017-05-23 18:56:10 +00:00
|
|
|
RestrictedRequestContext struct {
|
|
|
|
IsAdmin bool
|
|
|
|
IsTeamLeader bool
|
|
|
|
UserID portainer.UserID
|
|
|
|
UserMemberships []portainer.TeamMembership
|
|
|
|
}
|
2021-11-30 02:31:16 +00:00
|
|
|
|
|
|
|
// tokenLookup looks up a token in the request
|
|
|
|
tokenLookup func(*http.Request) *portainer.TokenData
|
2017-05-23 18:56:10 +00:00
|
|
|
)
|
|
|
|
|
2021-11-30 02:31:16 +00:00
|
|
|
const apiKeyHeader = "X-API-KEY"
|
|
|
|
|
2017-05-23 18:56:10 +00:00
|
|
|
// NewRequestBouncer initializes a new RequestBouncer
|
chore(store) EE-1981: Refactor/store/error checking, and other refactoring (#6173)
* use the Store interface IsErrObjectNotFound() to avoid revealing internal errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* what happens when you extract the datastore interfaces into their own package
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Start renaming Storage methods
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the boltdb specific code from the Portainer storage code (example, the others need the same)
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extract bolt.Tx from datastore code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* minimise imports by putting moving the struct definition into the file that needs the Service imports
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extraction of boltdb.Tx
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the use of bucket.SetSequence
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* almost done - just endpoint.Synchonise :/
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* so, endpoint.Synchonize looks hard, but i can't find where we use it, so 'delete first refactoring'
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix test compile errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* test compile fixes after rebase
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix a mis-remembering I had wrt deserialisation - last time i used AnyData - jsoniter's bindTo looks interesting for the same reason
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* set us up to make the connection an interface
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make the db connection a datastore interface, and separate out our datastore services from the bolt ones
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* rename methods to something less oltdb internals specific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* these errors are not boltdb secific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* start using the db-backend factory method too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* export boltdb raw in case we can't export from the service layer
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add a raw export from boltdb to yaml for broken db's, and an export services to yaml in backup
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add the version info by hand for now
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* actually, the export from services can be fully typed - its the import that needs to do more work
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* redo raw export, and make import capable of using it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add DockerHub
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* migration from anything older than v1.21.0 has been broken for quite a while, deleting the un-tested code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix go test ./... again
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* my goland wasn't setup to gofmt
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the two extremely dubious migration tests down into store, so they can use the test store code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* the migrator is now free of boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* reverse goland overzealous replcement of internal with boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more undo over-zealous goland internal->boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* yay, now bolt is only mentioned inside the api/database/ dir
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* and this might be the last of the boltdb references?
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add todo
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the store code into a separate module too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* don't need the fileService in boltdb anymore
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use IsErrObjectNotFound()
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use a string to select what database backend we use
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make isNew store an ephemeral bool that doesn't stay true after we've initialised it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the import.json wip to a separate file so its more obvious - we'll be using it for testing, emergency fixups, and in the next part of the store work, when we improve migrations and data model lifecycles
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* undo vscode formatting html
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix app templates symbol (#6221)
* feat(webhook) EE-2125 send registry auth haeder when update swarms service via webhook (#6220)
* feat(webhook) EE-2125 add some helpers to registry utils
* feat(webhook) EE-2125 persist registryID when creating a webhook
* feat(webhook) EE-2125 send registry auth header when executing a webhook
* feat(webhook) EE-2125 send registryID to backend when creating a service with webhook
* feat(webhook) EE-2125 use the initial registry ID to create webhook on editing service screen
* feat(webhook) EE-2125 update webhook when update registry
* feat(webhook) EE-2125 add endpoint of update webhook
* feat(webhook) EE-2125 code cleanup
* feat(webhook) EE-2125 fix a typo
* feat(webhook) EE-2125 fix circle import issue with unit test
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix(kubeconfig): show kubeconfig download button for non admin users [EE-2123] (#6204)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix data-cy for k8s cluster menu (#6226)
LGTM
* feat(stack): make stack created from app template editable EE-1941 (#6104)
feat(stack): make stack from app template editable
* fix(container):disable Duplicate/Edit button when the container is portainer (#6223)
* fix/ee-1909/show-pull-image-error (#6195)
Co-authored-by: sunportainer <ericsun@SG1.local>
* feat(cy): add data-cy to helm install button (#6241)
* feat(cy): add data-cy to add registry button (#6242)
* refactor(app): convert root folder files to es6 (#4159)
* refactor(app): duplicate constants as es6 exports (#4158)
* fix(docker): provide workaround to save network name variable (#6080)
* fix/EE-1862/unable-to-stop-or-remove-stack workaround for var without default value in yaml file
* fix/EE-1862/unable-to-stop-or-remove-stack check yaml file
* fixed func and var names
* wrapper error and used bool for stringset
* UT case for createNetworkEnvFile
* UT case for %s=%s
* powerful StringSet
* wrapper error for extract network name
* wrapper all the return err
* store more env
* put to env file
* make default value None
* feat: gzip static resources (#6258)
* fix(ssl)//handle --sslcert and --sslkey ee-2106 (#6203)
* fix/ee-2106/handle-sslcert-sslkey
Co-authored-by: sunportainer <ericsun@SG1.local>
* fix(server):support disable https only ee-2068 (#6232)
* fix/ee-2068/disable-forcely-https
* feat(store): implement store tests EE-2112 (#6224)
* add store tests
* add some more tests
* Update missing helm user repo methods
* remove redundant comments
* add webhook export
* update webhooks
* use the Store interface IsErrObjectNotFound() to avoid revealing internal errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* what happens when you extract the datastore interfaces into their own package
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Start renaming Storage methods
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the boltdb specific code from the Portainer storage code (example, the others need the same)
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extract bolt.Tx from datastore code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* minimise imports by putting moving the struct definition into the file that needs the Service imports
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extraction of boltdb.Tx
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the use of bucket.SetSequence
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* almost done - just endpoint.Synchonise :/
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* so, endpoint.Synchonize looks hard, but i can't find where we use it, so 'delete first refactoring'
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix test compile errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* test compile fixes after rebase
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix a mis-remembering I had wrt deserialisation - last time i used AnyData - jsoniter's bindTo looks interesting for the same reason
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* set us up to make the connection an interface
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make the db connection a datastore interface, and separate out our datastore services from the bolt ones
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* rename methods to something less oltdb internals specific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* these errors are not boltdb secific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* start using the db-backend factory method too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* export boltdb raw in case we can't export from the service layer
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add a raw export from boltdb to yaml for broken db's, and an export services to yaml in backup
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add the version info by hand for now
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* actually, the export from services can be fully typed - its the import that needs to do more work
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* redo raw export, and make import capable of using it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add DockerHub
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* migration from anything older than v1.21.0 has been broken for quite a while, deleting the un-tested code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix go test ./... again
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* my goland wasn't setup to gofmt
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the two extremely dubious migration tests down into store, so they can use the test store code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* the migrator is now free of boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* reverse goland overzealous replcement of internal with boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more undo over-zealous goland internal->boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* yay, now bolt is only mentioned inside the api/database/ dir
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* and this might be the last of the boltdb references?
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add todo
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the store code into a separate module too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* don't need the fileService in boltdb anymore
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use IsErrObjectNotFound()
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use a string to select what database backend we use
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make isNew store an ephemeral bool that doesn't stay true after we've initialised it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the import.json wip to a separate file so its more obvious - we'll be using it for testing, emergency fixups, and in the next part of the store work, when we improve migrations and data model lifecycles
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* undo vscode formatting html
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Update missing helm user repo methods
* feat(store): implement store tests EE-2112 (#6224)
* add store tests
* add some more tests
* remove redundant comments
* add webhook export
* update webhooks
* fix build issues after rebasing
* move migratorparams
* remove unneeded integer type conversions
* disable the db import/export for now
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: cong meng <mcpacino@gmail.com>
Co-authored-by: Simon Meng <simon.meng@portainer.io>
Co-authored-by: Marcelo Rydel <marcelorydel26@gmail.com>
Co-authored-by: Hao Zhang <hao.zhang@portainer.io>
Co-authored-by: sunportainer <93502624+sunportainer@users.noreply.github.com>
Co-authored-by: sunportainer <ericsun@SG1.local>
Co-authored-by: wheresolivia <78844659+wheresolivia@users.noreply.github.com>
Co-authored-by: Chaim Lev-Ari <chiptus@users.noreply.github.com>
Co-authored-by: Chao Geng <93526589+chaogeng77977@users.noreply.github.com>
Co-authored-by: Dmitry Salakhov <to@dimasalakhov.com>
Co-authored-by: Matt Hook <hookenz@gmail.com>
2021-12-15 02:26:09 +00:00
|
|
|
func NewRequestBouncer(dataStore dataservices.DataStore, jwtService dataservices.JWTService, apiKeyService apikey.APIKeyService) *RequestBouncer {
|
2017-05-23 18:56:10 +00:00
|
|
|
return &RequestBouncer{
|
2021-11-30 02:31:16 +00:00
|
|
|
dataStore: dataStore,
|
|
|
|
jwtService: jwtService,
|
|
|
|
apiKeyService: apiKeyService,
|
2017-05-23 18:56:10 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-09-20 00:14:22 +00:00
|
|
|
// PublicAccess defines a security check for public API environments(endpoints).
|
|
|
|
// No authentication is required to access these environments(endpoints).
|
2017-05-23 18:56:10 +00:00
|
|
|
func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler {
|
2023-01-06 19:25:41 +00:00
|
|
|
return mwSecureHeaders(h)
|
2017-05-23 18:56:10 +00:00
|
|
|
}
|
|
|
|
|
2021-09-20 00:14:22 +00:00
|
|
|
// AdminAccess defines a security check for API environments(endpoints) that require an authorization check.
|
|
|
|
// Authentication is required to access these environments(endpoints).
|
|
|
|
// The administrator role is required to use these environments(endpoints).
|
2019-10-07 03:10:51 +00:00
|
|
|
// The request context will be enhanced with a RestrictedRequestContext object
|
|
|
|
// that might be used later to inside the API operation for extra authorization validation
|
|
|
|
// and resource filtering.
|
|
|
|
func (bouncer *RequestBouncer) AdminAccess(h http.Handler) http.Handler {
|
2019-05-24 06:04:58 +00:00
|
|
|
h = bouncer.mwUpgradeToRestrictedRequest(h)
|
2019-10-07 03:10:51 +00:00
|
|
|
h = bouncer.mwCheckPortainerAuthorizations(h, true)
|
2019-05-24 06:04:58 +00:00
|
|
|
h = bouncer.mwAuthenticatedUser(h)
|
2017-05-23 18:56:10 +00:00
|
|
|
return h
|
|
|
|
}
|
|
|
|
|
2021-09-20 00:14:22 +00:00
|
|
|
// RestrictedAccess defines a security check for restricted API environments(endpoints).
|
|
|
|
// Authentication is required to access these environments(endpoints).
|
2017-05-23 18:56:10 +00:00
|
|
|
// The request context will be enhanced with a RestrictedRequestContext object
|
2019-10-07 03:10:51 +00:00
|
|
|
// that might be used later to inside the API operation for extra authorization validation
|
|
|
|
// and resource filtering.
|
2017-05-23 18:56:10 +00:00
|
|
|
func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler {
|
2019-10-07 03:10:51 +00:00
|
|
|
h = bouncer.mwUpgradeToRestrictedRequest(h)
|
|
|
|
h = bouncer.mwCheckPortainerAuthorizations(h, false)
|
|
|
|
h = bouncer.mwAuthenticatedUser(h)
|
|
|
|
return h
|
|
|
|
}
|
|
|
|
|
2022-06-03 04:44:42 +00:00
|
|
|
// TeamLeaderAccess defines a security check for APIs require team leader privilege
|
|
|
|
//
|
|
|
|
// Bouncer operations are applied backwards:
|
2022-12-30 18:26:46 +00:00
|
|
|
// - Parse the JWT from the request and stored in context, user has to be authenticated
|
|
|
|
// - Upgrade to the restricted request
|
|
|
|
// - User is admin or team leader
|
2022-06-03 04:44:42 +00:00
|
|
|
func (bouncer *RequestBouncer) TeamLeaderAccess(h http.Handler) http.Handler {
|
|
|
|
h = bouncer.mwIsTeamLeader(h)
|
|
|
|
h = bouncer.mwUpgradeToRestrictedRequest(h)
|
|
|
|
h = bouncer.mwAuthenticatedUser(h)
|
|
|
|
return h
|
|
|
|
}
|
|
|
|
|
2021-09-20 00:14:22 +00:00
|
|
|
// AuthenticatedAccess defines a security check for restricted API environments(endpoints).
|
|
|
|
// Authentication is required to access these environments(endpoints).
|
2019-10-07 03:10:51 +00:00
|
|
|
// The request context will be enhanced with a RestrictedRequestContext object
|
|
|
|
// that might be used later to inside the API operation for extra authorization validation
|
|
|
|
// and resource filtering.
|
|
|
|
func (bouncer *RequestBouncer) AuthenticatedAccess(h http.Handler) http.Handler {
|
2017-05-23 18:56:10 +00:00
|
|
|
h = bouncer.mwUpgradeToRestrictedRequest(h)
|
2019-05-24 06:04:58 +00:00
|
|
|
h = bouncer.mwAuthenticatedUser(h)
|
2017-05-23 18:56:10 +00:00
|
|
|
return h
|
|
|
|
}
|
|
|
|
|
2019-05-24 06:04:58 +00:00
|
|
|
// AuthorizedEndpointOperation retrieves the JWT token from the request context and verifies
|
2021-09-20 00:14:22 +00:00
|
|
|
// that the user can access the specified environment(endpoint).
|
|
|
|
// An error is returned when access to the environments(endpoints) is denied or if the user do not have the required
|
2019-05-24 06:04:58 +00:00
|
|
|
// authorization to execute the operation.
|
2020-08-11 05:41:37 +00:00
|
|
|
func (bouncer *RequestBouncer) AuthorizedEndpointOperation(r *http.Request, endpoint *portainer.Endpoint) error {
|
2018-06-18 09:56:31 +00:00
|
|
|
tokenData, err := RetrieveTokenData(r)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if tokenData.Role == portainer.AdministratorRole {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-05-20 05:23:15 +00:00
|
|
|
memberships, err := bouncer.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
|
2018-06-18 09:56:31 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2020-05-20 05:23:15 +00:00
|
|
|
group, err := bouncer.dataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
|
2018-06-18 09:56:31 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2022-09-16 02:45:14 +00:00
|
|
|
if !AuthorizedEndpointAccess(endpoint, group, tokenData.ID, memberships) {
|
2020-07-07 21:57:52 +00:00
|
|
|
return httperrors.ErrEndpointAccessDenied
|
2018-06-18 09:56:31 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-09-20 00:14:22 +00:00
|
|
|
// AuthorizedEdgeEndpointOperation verifies that the request was received from a valid Edge environment(endpoint)
|
2020-05-14 02:14:28 +00:00
|
|
|
func (bouncer *RequestBouncer) AuthorizedEdgeEndpointOperation(r *http.Request, endpoint *portainer.Endpoint) error {
|
2020-07-05 23:21:03 +00:00
|
|
|
if endpoint.Type != portainer.EdgeAgentOnKubernetesEnvironment && endpoint.Type != portainer.EdgeAgentOnDockerEnvironment {
|
2021-09-08 08:42:17 +00:00
|
|
|
return errors.New("Invalid environment type")
|
2020-05-14 02:14:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
edgeIdentifier := r.Header.Get(portainer.PortainerAgentEdgeIDHeader)
|
|
|
|
if edgeIdentifier == "" {
|
|
|
|
return errors.New("missing Edge identifier")
|
|
|
|
}
|
|
|
|
|
|
|
|
if endpoint.EdgeID != "" && endpoint.EdgeID != edgeIdentifier {
|
|
|
|
return errors.New("invalid Edge identifier")
|
|
|
|
}
|
|
|
|
|
2023-04-27 02:22:05 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// TrustedEdgeEnvironmentAccess defines a security check for Edge environments, checks if
|
|
|
|
// the request is coming from a trusted Edge environment
|
2023-05-18 17:58:33 +00:00
|
|
|
func (bouncer *RequestBouncer) TrustedEdgeEnvironmentAccess(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint) error {
|
2023-04-27 02:22:05 +00:00
|
|
|
if endpoint.UserTrusted {
|
2022-01-23 19:48:04 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-05-18 17:58:33 +00:00
|
|
|
settings, err := tx.Settings().Settings()
|
2022-01-23 19:48:04 +00:00
|
|
|
if err != nil {
|
2023-04-27 02:22:05 +00:00
|
|
|
return errors.WithMessage(err, "could not retrieve the settings")
|
2022-01-23 19:48:04 +00:00
|
|
|
}
|
|
|
|
|
2022-04-19 18:43:36 +00:00
|
|
|
if !settings.TrustOnFirstConnect {
|
2022-01-23 19:48:04 +00:00
|
|
|
return errors.New("the device has not been trusted yet")
|
|
|
|
}
|
|
|
|
|
2020-05-14 02:14:28 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-11-30 02:31:16 +00:00
|
|
|
// mwAuthenticatedUser authenticates a request by
|
|
|
|
// - adding a secure handlers to the response
|
|
|
|
// - authenticating the request with a valid token
|
2019-05-24 06:04:58 +00:00
|
|
|
func (bouncer *RequestBouncer) mwAuthenticatedUser(h http.Handler) http.Handler {
|
2021-11-30 02:31:16 +00:00
|
|
|
h = bouncer.mwAuthenticateFirst([]tokenLookup{
|
|
|
|
bouncer.JWTAuthLookup,
|
|
|
|
bouncer.apiKeyLookup,
|
|
|
|
}, h)
|
2019-05-24 06:04:58 +00:00
|
|
|
h = mwSecureHeaders(h)
|
|
|
|
return h
|
|
|
|
}
|
|
|
|
|
|
|
|
// mwCheckPortainerAuthorizations will verify that the user has the required authorization to access
|
2021-09-20 00:14:22 +00:00
|
|
|
// a specific API environment(endpoint).
|
2020-08-11 05:41:37 +00:00
|
|
|
// If the administratorOnly flag is specified, this will prevent non-admin
|
2021-09-20 00:14:22 +00:00
|
|
|
// users from accessing the environment(endpoint).
|
2019-10-07 03:10:51 +00:00
|
|
|
func (bouncer *RequestBouncer) mwCheckPortainerAuthorizations(next http.Handler, administratorOnly bool) http.Handler {
|
2017-05-23 18:56:10 +00:00
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2019-05-24 06:04:58 +00:00
|
|
|
tokenData, err := RetrieveTokenData(r)
|
|
|
|
if err != nil {
|
2020-07-07 21:57:52 +00:00
|
|
|
httperror.WriteError(w, http.StatusForbidden, "Access denied", httperrors.ErrUnauthorized)
|
2019-05-24 06:04:58 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if tokenData.Role == portainer.AdministratorRole {
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-08-11 05:41:37 +00:00
|
|
|
if administratorOnly {
|
|
|
|
httperror.WriteError(w, http.StatusForbidden, "Access denied", httperrors.ErrUnauthorized)
|
2019-05-24 06:04:58 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-08-11 05:41:37 +00:00
|
|
|
_, err = bouncer.dataStore.User().User(tokenData.ID)
|
2022-12-30 18:26:46 +00:00
|
|
|
if bouncer.dataStore.IsErrObjectNotFound(err) {
|
2020-07-07 21:57:52 +00:00
|
|
|
httperror.WriteError(w, http.StatusUnauthorized, "Unauthorized", httperrors.ErrUnauthorized)
|
2019-09-09 22:58:26 +00:00
|
|
|
return
|
|
|
|
} else if err != nil {
|
|
|
|
httperror.WriteError(w, http.StatusInternalServerError, "Unable to retrieve user details from the database", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2017-05-23 18:56:10 +00:00
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// mwUpgradeToRestrictedRequest will enhance the current request with
|
|
|
|
// a new RestrictedRequestContext object.
|
|
|
|
func (bouncer *RequestBouncer) mwUpgradeToRestrictedRequest(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
tokenData, err := RetrieveTokenData(r)
|
|
|
|
if err != nil {
|
2020-07-07 21:57:52 +00:00
|
|
|
httperror.WriteError(w, http.StatusForbidden, "Access denied", httperrors.ErrResourceAccessDenied)
|
2017-05-23 18:56:10 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
requestContext, err := bouncer.newRestrictedContextRequest(tokenData.ID, tokenData.Role)
|
|
|
|
if err != nil {
|
2018-06-11 13:13:19 +00:00
|
|
|
httperror.WriteError(w, http.StatusInternalServerError, "Unable to create restricted request context ", err)
|
2017-05-23 18:56:10 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-07-14 09:15:21 +00:00
|
|
|
ctx := StoreRestrictedRequestContext(r, requestContext)
|
2017-05-23 18:56:10 +00:00
|
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2022-06-03 04:44:42 +00:00
|
|
|
// mwIsTeamLeader will verify that the user is an admin or a team leader
|
|
|
|
func (bouncer *RequestBouncer) mwIsTeamLeader(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
securityContext, err := RetrieveRestrictedRequestContext(r)
|
|
|
|
if err != nil {
|
|
|
|
httperror.WriteError(w, http.StatusInternalServerError, "Unable to retrieve restricted request context ", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if !securityContext.IsAdmin && !securityContext.IsTeamLeader {
|
|
|
|
httperror.WriteError(w, http.StatusForbidden, "Access denied", httperrors.ErrUnauthorized)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2021-11-30 02:31:16 +00:00
|
|
|
// mwAuthenticateFirst authenticates a request an auth token.
|
|
|
|
// A result of a first succeded token lookup would be used for the authentication.
|
|
|
|
func (bouncer *RequestBouncer) mwAuthenticateFirst(tokenLookups []tokenLookup, next http.Handler) http.Handler {
|
2017-05-23 18:56:10 +00:00
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2021-11-30 02:31:16 +00:00
|
|
|
var token *portainer.TokenData
|
2017-05-23 18:56:10 +00:00
|
|
|
|
2021-11-30 02:31:16 +00:00
|
|
|
for _, lookup := range tokenLookups {
|
|
|
|
token = lookup(r)
|
|
|
|
|
|
|
|
if token != nil {
|
|
|
|
break
|
|
|
|
}
|
2020-06-09 09:55:36 +00:00
|
|
|
}
|
|
|
|
|
2021-11-30 02:31:16 +00:00
|
|
|
if token == nil {
|
|
|
|
httperror.WriteError(w, http.StatusUnauthorized, "A valid authorisation token is missing", httperrors.ErrUnauthorized)
|
2020-06-09 09:55:36 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
chore(store) EE-1981: Refactor/store/error checking, and other refactoring (#6173)
* use the Store interface IsErrObjectNotFound() to avoid revealing internal errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* what happens when you extract the datastore interfaces into their own package
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Start renaming Storage methods
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the boltdb specific code from the Portainer storage code (example, the others need the same)
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extract bolt.Tx from datastore code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* minimise imports by putting moving the struct definition into the file that needs the Service imports
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extraction of boltdb.Tx
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the use of bucket.SetSequence
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* almost done - just endpoint.Synchonise :/
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* so, endpoint.Synchonize looks hard, but i can't find where we use it, so 'delete first refactoring'
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix test compile errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* test compile fixes after rebase
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix a mis-remembering I had wrt deserialisation - last time i used AnyData - jsoniter's bindTo looks interesting for the same reason
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* set us up to make the connection an interface
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make the db connection a datastore interface, and separate out our datastore services from the bolt ones
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* rename methods to something less oltdb internals specific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* these errors are not boltdb secific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* start using the db-backend factory method too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* export boltdb raw in case we can't export from the service layer
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add a raw export from boltdb to yaml for broken db's, and an export services to yaml in backup
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add the version info by hand for now
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* actually, the export from services can be fully typed - its the import that needs to do more work
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* redo raw export, and make import capable of using it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add DockerHub
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* migration from anything older than v1.21.0 has been broken for quite a while, deleting the un-tested code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix go test ./... again
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* my goland wasn't setup to gofmt
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the two extremely dubious migration tests down into store, so they can use the test store code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* the migrator is now free of boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* reverse goland overzealous replcement of internal with boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more undo over-zealous goland internal->boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* yay, now bolt is only mentioned inside the api/database/ dir
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* and this might be the last of the boltdb references?
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add todo
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the store code into a separate module too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* don't need the fileService in boltdb anymore
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use IsErrObjectNotFound()
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use a string to select what database backend we use
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make isNew store an ephemeral bool that doesn't stay true after we've initialised it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the import.json wip to a separate file so its more obvious - we'll be using it for testing, emergency fixups, and in the next part of the store work, when we improve migrations and data model lifecycles
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* undo vscode formatting html
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix app templates symbol (#6221)
* feat(webhook) EE-2125 send registry auth haeder when update swarms service via webhook (#6220)
* feat(webhook) EE-2125 add some helpers to registry utils
* feat(webhook) EE-2125 persist registryID when creating a webhook
* feat(webhook) EE-2125 send registry auth header when executing a webhook
* feat(webhook) EE-2125 send registryID to backend when creating a service with webhook
* feat(webhook) EE-2125 use the initial registry ID to create webhook on editing service screen
* feat(webhook) EE-2125 update webhook when update registry
* feat(webhook) EE-2125 add endpoint of update webhook
* feat(webhook) EE-2125 code cleanup
* feat(webhook) EE-2125 fix a typo
* feat(webhook) EE-2125 fix circle import issue with unit test
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix(kubeconfig): show kubeconfig download button for non admin users [EE-2123] (#6204)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix data-cy for k8s cluster menu (#6226)
LGTM
* feat(stack): make stack created from app template editable EE-1941 (#6104)
feat(stack): make stack from app template editable
* fix(container):disable Duplicate/Edit button when the container is portainer (#6223)
* fix/ee-1909/show-pull-image-error (#6195)
Co-authored-by: sunportainer <ericsun@SG1.local>
* feat(cy): add data-cy to helm install button (#6241)
* feat(cy): add data-cy to add registry button (#6242)
* refactor(app): convert root folder files to es6 (#4159)
* refactor(app): duplicate constants as es6 exports (#4158)
* fix(docker): provide workaround to save network name variable (#6080)
* fix/EE-1862/unable-to-stop-or-remove-stack workaround for var without default value in yaml file
* fix/EE-1862/unable-to-stop-or-remove-stack check yaml file
* fixed func and var names
* wrapper error and used bool for stringset
* UT case for createNetworkEnvFile
* UT case for %s=%s
* powerful StringSet
* wrapper error for extract network name
* wrapper all the return err
* store more env
* put to env file
* make default value None
* feat: gzip static resources (#6258)
* fix(ssl)//handle --sslcert and --sslkey ee-2106 (#6203)
* fix/ee-2106/handle-sslcert-sslkey
Co-authored-by: sunportainer <ericsun@SG1.local>
* fix(server):support disable https only ee-2068 (#6232)
* fix/ee-2068/disable-forcely-https
* feat(store): implement store tests EE-2112 (#6224)
* add store tests
* add some more tests
* Update missing helm user repo methods
* remove redundant comments
* add webhook export
* update webhooks
* use the Store interface IsErrObjectNotFound() to avoid revealing internal errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* what happens when you extract the datastore interfaces into their own package
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Start renaming Storage methods
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the boltdb specific code from the Portainer storage code (example, the others need the same)
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extract bolt.Tx from datastore code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* minimise imports by putting moving the struct definition into the file that needs the Service imports
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more extraction of boltdb.Tx
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the use of bucket.SetSequence
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* almost done - just endpoint.Synchonise :/
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* so, endpoint.Synchonize looks hard, but i can't find where we use it, so 'delete first refactoring'
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix test compile errors
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* test compile fixes after rebase
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix a mis-remembering I had wrt deserialisation - last time i used AnyData - jsoniter's bindTo looks interesting for the same reason
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* set us up to make the connection an interface
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make the db connection a datastore interface, and separate out our datastore services from the bolt ones
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* rename methods to something less oltdb internals specific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* these errors are not boltdb secific
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* start using the db-backend factory method too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* export boltdb raw in case we can't export from the service layer
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add a raw export from boltdb to yaml for broken db's, and an export services to yaml in backup
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add the version info by hand for now
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* actually, the export from services can be fully typed - its the import that needs to do more work
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* redo raw export, and make import capable of using it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add DockerHub
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* migration from anything older than v1.21.0 has been broken for quite a while, deleting the un-tested code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* fix go test ./... again
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* my goland wasn't setup to gofmt
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the two extremely dubious migration tests down into store, so they can use the test store code
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* the migrator is now free of boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* reverse goland overzealous replcement of internal with boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* more undo over-zealous goland internal->boltdb
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* yay, now bolt is only mentioned inside the api/database/ dir
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* and this might be the last of the boltdb references?
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* add todo
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* extract the store code into a separate module too
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* don't need the fileService in boltdb anymore
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use IsErrObjectNotFound()
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* use a string to select what database backend we use
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* make isNew store an ephemeral bool that doesn't stay true after we've initialised it
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* move the import.json wip to a separate file so its more obvious - we'll be using it for testing, emergency fixups, and in the next part of the store work, when we improve migrations and data model lifecycles
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* undo vscode formatting html
Signed-off-by: Sven Dowideit <sven.dowideit@portainer.io>
* Update missing helm user repo methods
* feat(store): implement store tests EE-2112 (#6224)
* add store tests
* add some more tests
* remove redundant comments
* add webhook export
* update webhooks
* fix build issues after rebasing
* move migratorparams
* remove unneeded integer type conversions
* disable the db import/export for now
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: cong meng <mcpacino@gmail.com>
Co-authored-by: Simon Meng <simon.meng@portainer.io>
Co-authored-by: Marcelo Rydel <marcelorydel26@gmail.com>
Co-authored-by: Hao Zhang <hao.zhang@portainer.io>
Co-authored-by: sunportainer <93502624+sunportainer@users.noreply.github.com>
Co-authored-by: sunportainer <ericsun@SG1.local>
Co-authored-by: wheresolivia <78844659+wheresolivia@users.noreply.github.com>
Co-authored-by: Chaim Lev-Ari <chiptus@users.noreply.github.com>
Co-authored-by: Chao Geng <93526589+chaogeng77977@users.noreply.github.com>
Co-authored-by: Dmitry Salakhov <to@dimasalakhov.com>
Co-authored-by: Matt Hook <hookenz@gmail.com>
2021-12-15 02:26:09 +00:00
|
|
|
_, err := bouncer.dataStore.User().User(token.ID)
|
|
|
|
if err != nil && bouncer.dataStore.IsErrObjectNotFound(err) {
|
|
|
|
httperror.WriteError(w, http.StatusUnauthorized, "Unauthorized", httperrors.ErrUnauthorized)
|
|
|
|
return
|
|
|
|
} else if err != nil {
|
|
|
|
httperror.WriteError(w, http.StatusInternalServerError, "Unable to retrieve user details from the database", err)
|
2020-06-09 09:55:36 +00:00
|
|
|
return
|
2017-05-23 18:56:10 +00:00
|
|
|
}
|
|
|
|
|
2021-11-30 02:31:16 +00:00
|
|
|
ctx := StoreTokenData(r, token)
|
2017-05-23 18:56:10 +00:00
|
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2021-11-30 02:31:16 +00:00
|
|
|
// JWTAuthLookup looks up a valid bearer in the request.
|
|
|
|
func (bouncer *RequestBouncer) JWTAuthLookup(r *http.Request) *portainer.TokenData {
|
|
|
|
// get token from the Authorization header or query parameter
|
|
|
|
token, err := extractBearerToken(r)
|
|
|
|
if err != nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
tokenData, err := bouncer.jwtService.ParseAndVerifyToken(token)
|
|
|
|
if err != nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return tokenData
|
|
|
|
}
|
|
|
|
|
|
|
|
// apiKeyLookup looks up an verifies an api-key by:
|
|
|
|
// - computing the digest of the raw api-key
|
|
|
|
// - verifying it exists in cache/database
|
|
|
|
// - matching the key to a user (ID, Role)
|
|
|
|
// If the key is valid/verified, the last updated time of the key is updated.
|
|
|
|
// Successful verification of the key will return a TokenData object - since the downstream handlers
|
|
|
|
// utilise the token injected in the request context.
|
|
|
|
func (bouncer *RequestBouncer) apiKeyLookup(r *http.Request) *portainer.TokenData {
|
|
|
|
rawAPIKey, ok := extractAPIKey(r)
|
|
|
|
if !ok {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
digest := bouncer.apiKeyService.HashRaw(rawAPIKey)
|
|
|
|
|
|
|
|
user, apiKey, err := bouncer.apiKeyService.GetDigestUserAndKey(digest)
|
|
|
|
if err != nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
tokenData := &portainer.TokenData{
|
|
|
|
ID: user.ID,
|
|
|
|
Username: user.Username,
|
|
|
|
Role: user.Role,
|
|
|
|
}
|
|
|
|
if _, err := bouncer.jwtService.GenerateToken(tokenData); err != nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// update the last used time of the key
|
|
|
|
apiKey.LastUsed = time.Now().UTC().Unix()
|
|
|
|
bouncer.apiKeyService.UpdateAPIKey(&apiKey)
|
|
|
|
|
|
|
|
return tokenData
|
|
|
|
}
|
|
|
|
|
|
|
|
// extractBearerToken extracts the Bearer token from the request header or query parameter and returns the token.
|
|
|
|
func extractBearerToken(r *http.Request) (string, error) {
|
feat(helm/templates): helm app templates EE-943 (#5449)
* feat(helm): add helm chart backport to ce EE-1409 (#5425)
* EE-1311 Helm Chart Backport from EE
* backport to ce
Co-authored-by: Matt Hook <hookenz@gmail.com>
* feat(helm): list and configure helm chart (#5431)
* backport and tidyup code
* --amend
* using rocket icon for charts
* helm chart bugfix - clear category button
* added matomo analytics for helm chart install
* fix web editor exit warning without changes
* editor modified exit bugfix
* fixed notifications typo
* updated helm template text
* helper text to convey slow helm templates load
Co-authored-by: zees-dev <dev.786zshan@gmail.com>
* removing redundant time-consuming api call by using prop attribute
* feat(helm) helm chart backport from ee EE-1311 (#5436)
* Add missing defaultHelmRepoUrl and mock testing
* Backport EE-1477
* Backport updates to helm tests from EE
* add https by default changes and ssl to tls renaming from EE
* Port install integration test. Disabled by default to pass CI checks
* merged changes from EE for the integration test
* kube proxy whitelist updated to support internal helm install command
Co-authored-by: zees-dev <dev.786zshan@gmail.com>
* Pull in all changes from tech review in EE-943
* added helm to sidebar after rebase, sync CE with EE
* bugfix: kubectl shell not opening - bearer token bug
* tidy go modules & remove yarn-error.log
* removed redundant handler (not used) - to match EE
* resolved merge conflicts, updated code
* feat(helm/views): helm release and application views EE-1236 (#5529)
* feat(helm): add helm chart backport to ce EE-1409 (#5425)
* EE-1311 Helm Chart Backport from EE
* backport to ce
Co-authored-by: Matt Hook <hookenz@gmail.com>
* Pull in all changes from tech review in EE-943
* added helm to sidebar after rebase, sync CE with EE
* removed redundant handler (not used) - to match EE
* feat(helm) display helm charts - backend EE-1236
* copy over components for new applications view EE-1236
* Add new applications datatable component
* Add more migrated files
* removed test not applicable to CE
* baclkported EE app data table code to CE
* removed redundant helm repo url
* resolved conflicts, updated code
* using endpoint middleware
* PR review fixes
* using constants, openapi updated
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: zees-dev <dev.786zshan@gmail.com>
* fixed test conflicts, go linted
* feat(helm/templates-add): helm templates add repo for user support EE-1278 (#5514)
* feat(helm): add helm chart backport to ce EE-1409 (#5425)
* EE-1311 Helm Chart Backport from EE
* backport to ce
Co-authored-by: Matt Hook <hookenz@gmail.com>
* feat(helm) helm chart backport from ee EE-1311 (#5436)
* Add missing defaultHelmRepoUrl and mock testing
* Backport EE-1477
* Backport updates to helm tests from EE
* add https by default changes and ssl to tls renaming from EE
* Port install integration test. Disabled by default to pass CI checks
* merged changes from EE for the integration test
* kube proxy whitelist updated to support internal helm install command
Co-authored-by: zees-dev <dev.786zshan@gmail.com>
* Pull in all changes from tech review in EE-943
* feat(helm): add helm chart backport to ce EE-1409 (#5425)
* EE-1311 Helm Chart Backport from EE
* backport to ce
Co-authored-by: Matt Hook <hookenz@gmail.com>
* Pull in all changes from tech review in EE-943
* added helm to sidebar after rebase, sync CE with EE
* backport EE-1278, squashed, diffed, updated
* helm install openapi spec update
* resolved conflicts, updated code
* - matching ee codebase at 0afe57034449ee0e9f333d92c252a13995a93019
- helm install using endpoint middleware
- remove trailing slash from added/persisted helm repo urls
* feat(helm) use libhelm url validator and improved path assembly EE-1554 (#5561)
* feat(helm/userrepos) fix getting global repo for ordinary users EE-1562 (#5567)
* feat(helm/userrepos) fix getting global repo for ordinary users EE-1562
* post review changes and further backported changes from EE
* resolved conflicts, updated code
* fixed helm_install handler unit test
* user cannot add existing repo if suffix is '/' (#5571)
* feat(helm/docs) fix broken swagger docs EE-1278 (#5572)
* Fix swagger docs
* minor correction
* fix(helm): migrating code from user handler to helm handler (#5573)
* - migrated user_helm_repos to helm endpoint handler
- migrated api operations from user factory/service to helm factory/service
- passing endpointId into helm service/factory as endpoint provider is deprecated
* upgrade libhelm to hide secrets
Co-authored-by: Matt Hook <hookenz@gmail.com>
* removed duplicate file - due to merge conflict
* dependency injection in helm factory
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: Matt Hook <hookenz@gmail.com>
* kubernetes.templates -> kubernetes.templates.helm name conflict fix
* Validate the URL added as a public helm repo (#5579)
* fix(helm): helm app deletion fix EE-1581 (#5582)
* updated helm lib to show correct error on uninstall failure
* passing down helm app namespace on deletion
* fix(k8s): EE-1591 non-admin users cannot deploy charts containing secrets (#5590)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* fix(helm): helm epic bugfixes EE-1582 EE-1593 (#5585)
* - trim trailing slash and lowercase before persisting helm repo
- browser helm templates url /kubernetes/templates/templates -> /kubernetes/templates/helm
- fix publish url
- fix helm repo add refresh
- semi-fix k8s app expansion
* Tidy up swagger documentation related to helm. Make json consistent
* fixed helm release page for non-default namespaces
* k8s app view table expansion bugfix
* EE-1593: publish url load balancer fallback
Co-authored-by: Matt Hook <hookenz@gmail.com>
* k8s app list fix for charts with deployments containing multiple pods - which use the same label (#5599)
* fix(kubernetes): app list view fix for secrets with long keys or values EE-1600 (#5600)
* k8s app secrets key value text overflow ellipses
* wrapping key value pairs instead of ellipses
* fix(helm): helm apps bundling issue across different namespaces EE-1619 (#5602)
* helm apps bundling issue across different namespaces
* - code comments and indentation to ease reading
- moved namespace calc out of loop
* feat(helm/test) disable slow helm search test by default EE-1599 (#5598)
* skip helm_repo_search as it's an integration test
* switch to portainer built in integration test checker
* make module order match EE
* don't print test struct out when skipping integration test
Co-authored-by: Richard Wei <54336863+WaysonWei@users.noreply.github.com>
Co-authored-by: Matt Hook <hookenz@gmail.com>
Co-authored-by: cong meng <mcpacino@gmail.com>
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-09-10 02:06:57 +00:00
|
|
|
// Optionally, token might be set via the "token" query parameter.
|
|
|
|
// For example, in websocket requests
|
|
|
|
token := r.URL.Query().Get("token")
|
|
|
|
|
|
|
|
tokens, ok := r.Header["Authorization"]
|
|
|
|
if ok && len(tokens) >= 1 {
|
|
|
|
token = tokens[0]
|
|
|
|
token = strings.TrimPrefix(token, "Bearer ")
|
|
|
|
}
|
|
|
|
if token == "" {
|
|
|
|
return "", httperrors.ErrUnauthorized
|
|
|
|
}
|
|
|
|
return token, nil
|
|
|
|
}
|
|
|
|
|
2021-11-30 02:31:16 +00:00
|
|
|
// extractAPIKey extracts the api key from the api key request header or query params.
|
|
|
|
func extractAPIKey(r *http.Request) (apikey string, ok bool) {
|
|
|
|
// extract the API key from the request header
|
|
|
|
apikey = r.Header.Get(apiKeyHeader)
|
|
|
|
if apikey != "" {
|
|
|
|
return apikey, true
|
|
|
|
}
|
|
|
|
|
|
|
|
// extract the API key from query params.
|
|
|
|
// Case-insensitive check for the "X-API-KEY" query param.
|
|
|
|
query := r.URL.Query()
|
|
|
|
for k, v := range query {
|
|
|
|
if strings.EqualFold(k, apiKeyHeader) {
|
|
|
|
return v[0], true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
|
2019-05-24 06:04:58 +00:00
|
|
|
// mwSecureHeaders provides secure headers middleware for handlers.
|
|
|
|
func mwSecureHeaders(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2023-01-06 19:25:41 +00:00
|
|
|
w.Header().Set("X-XSS-Protection", "1; mode=block")
|
|
|
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
2019-05-24 06:04:58 +00:00
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2017-05-23 18:56:10 +00:00
|
|
|
func (bouncer *RequestBouncer) newRestrictedContextRequest(userID portainer.UserID, userRole portainer.UserRole) (*RestrictedRequestContext, error) {
|
2021-04-06 10:08:43 +00:00
|
|
|
if userRole == portainer.AdministratorRole {
|
|
|
|
return &RestrictedRequestContext{
|
|
|
|
IsAdmin: true,
|
|
|
|
UserID: userID,
|
|
|
|
}, nil
|
2017-05-23 18:56:10 +00:00
|
|
|
}
|
|
|
|
|
2021-04-06 10:08:43 +00:00
|
|
|
memberships, err := bouncer.dataStore.TeamMembership().TeamMembershipsByUserID(userID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2017-05-23 18:56:10 +00:00
|
|
|
|
2021-04-06 10:08:43 +00:00
|
|
|
isTeamLeader := false
|
|
|
|
for _, membership := range memberships {
|
|
|
|
if membership.Role == portainer.TeamLeader {
|
|
|
|
isTeamLeader = true
|
2017-05-23 18:56:10 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-04-06 10:08:43 +00:00
|
|
|
return &RestrictedRequestContext{
|
|
|
|
IsAdmin: false,
|
|
|
|
UserID: userID,
|
|
|
|
IsTeamLeader: isTeamLeader,
|
|
|
|
UserMemberships: memberships,
|
|
|
|
}, nil
|
2017-05-23 18:56:10 +00:00
|
|
|
}
|
2020-06-25 03:25:51 +00:00
|
|
|
|
2022-09-28 17:56:32 +00:00
|
|
|
// EdgeComputeOperation defines a restricted edge compute operation.
|
2020-06-25 03:25:51 +00:00
|
|
|
// Use of this operation will only be authorized if edgeCompute is enabled in settings
|
|
|
|
func (bouncer *RequestBouncer) EdgeComputeOperation(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
settings, err := bouncer.dataStore.Settings().Settings()
|
|
|
|
if err != nil {
|
|
|
|
httperror.WriteError(w, http.StatusServiceUnavailable, "Unable to retrieve settings", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if !settings.EnableEdgeComputeFeatures {
|
|
|
|
httperror.WriteError(w, http.StatusServiceUnavailable, "Edge compute features are disabled", errors.New("Edge compute features are disabled"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|