portainer/api/http/proxy/factory/responseutils/response.go

package responseutils

import (
	"bytes"
	"encoding/json"
	"errors"
	"io/ioutil"
	"log"
	"net/http"
	"strconv"
)

// GetResponseAsJSONOBject returns the response content as a generic JSON object
func GetResponseAsJSONOBject(response *http.Response) (map[string]interface{}, error) {
	responseData, err := getResponseBodyAsGenericJSON(response)
	if err != nil {
		return nil, err
	}

	responseObject := responseData.(map[string]interface{})
	return responseObject, nil
}

// GetResponseAsJSONArray returns the response content as an array of generic JSON object
func GetResponseAsJSONArray(response *http.Response) ([]interface{}, error) {
	responseData, err := getResponseBodyAsGenericJSON(response)
	if err != nil {
		return nil, err
	}

	switch responseObject := responseData.(type) {
	case []interface{}:
		return responseObject, nil
	case map[string]interface{}:
		if responseObject["message"] != nil {
			return nil, errors.New(responseObject["message"].(string))
		}
		log.Printf("[ERROR] [http,proxy,response] [message: invalid response format, expecting JSON array] [response: %+v]", responseObject)
		return nil, errors.New("unable to parse response: expected JSON array, got JSON object")
	default:
		log.Printf("[ERROR] [http,proxy,response] [message: invalid response format, expecting JSON array] [response: %+v]", responseObject)
		return nil, errors.New("unable to parse response: expected JSON array")
	}
}

func getResponseBodyAsGenericJSON(response *http.Response) (interface{}, error) {
	if response.Body == nil {
		return nil, errors.New("unable to parse response: empty response body")
	}

	var data interface{}
	body, err := ioutil.ReadAll(response.Body)
	if err != nil {
		return nil, err
	}

	err = response.Body.Close()
	if err != nil {
		return nil, err
	}

	err = json.Unmarshal(body, &data)
	if err != nil {
		return nil, err
	}

	return data, nil
}

type dockerErrorResponse struct {
	Message string `json:"message,omitempty"`
}

// WriteAccessDeniedResponse will create a new access denied response
func WriteAccessDeniedResponse() (*http.Response, error) {
	response := &http.Response{}
	err := RewriteResponse(response, dockerErrorResponse{Message: "access denied to resource"}, http.StatusForbidden)
	return response, err
}

// RewriteAccessDeniedResponse will overwrite the existing response with an access denied response
func RewriteAccessDeniedResponse(response *http.Response) error {
	return RewriteResponse(response, dockerErrorResponse{Message: "access denied to resource"}, http.StatusForbidden)
}

// RewriteResponse will replace the existing response body and status code with the one specified
// in parameters
func RewriteResponse(response *http.Response, newResponseData interface{}, statusCode int) error {
	jsonData, err := json.Marshal(newResponseData)
	if err != nil {
		return err
	}

	body := ioutil.NopCloser(bytes.NewReader(jsonData))

	response.StatusCode = statusCode
	response.Body = body
	response.ContentLength = int64(len(jsonData))

	if response.Header == nil {
		response.Header = make(http.Header)
	}
	response.Header.Set("Content-Length", strconv.Itoa(len(jsonData)))

	return nil
}
feat(api): rewrite access control management in Docker (#3337) * feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster 2019-11-12 23:41:42 +00:00			`package responseutils`

			`import (`
			`"bytes"`
			`"encoding/json"`
			`"errors"`
			`"io/ioutil"`
			`"log"`
			`"net/http"`
			`"strconv"`
			`)`

			`// GetResponseAsJSONOBject returns the response content as a generic JSON object`
			`func GetResponseAsJSONOBject(response *http.Response) (map[string]interface{}, error) {`
			`responseData, err := getResponseBodyAsGenericJSON(response)`
			`if err != nil {`
			`return nil, err`
			`}`

			`responseObject := responseData.(map[string]interface{})`
			`return responseObject, nil`
			`}`

			`// GetResponseAsJSONArray returns the response content as an array of generic JSON object`
			`func GetResponseAsJSONArray(response *http.Response) ([]interface{}, error) {`
			`responseData, err := getResponseBodyAsGenericJSON(response)`
			`if err != nil {`
			`return nil, err`
			`}`

			`switch responseObject := responseData.(type) {`
			`case []interface{}:`
			`return responseObject, nil`
			`case map[string]interface{}:`
			`if responseObject["message"] != nil {`
			`return nil, errors.New(responseObject["message"].(string))`
			`}`
			`log.Printf("[ERROR] [http,proxy,response] [message: invalid response format, expecting JSON array] [response: %+v]", responseObject)`
			`return nil, errors.New("unable to parse response: expected JSON array, got JSON object")`
			`default:`
			`log.Printf("[ERROR] [http,proxy,response] [message: invalid response format, expecting JSON array] [response: %+v]", responseObject)`
			`return nil, errors.New("unable to parse response: expected JSON array")`
			`}`
			`}`

			`func getResponseBodyAsGenericJSON(response *http.Response) (interface{}, error) {`
			`if response.Body == nil {`
			`return nil, errors.New("unable to parse response: empty response body")`
			`}`

			`var data interface{}`
			`body, err := ioutil.ReadAll(response.Body)`
			`if err != nil {`
			`return nil, err`
			`}`

			`err = response.Body.Close()`
			`if err != nil {`
			`return nil, err`
			`}`

			`err = json.Unmarshal(body, &data)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return data, nil`
			`}`

			`type dockerErrorResponse struct {`
			Message string `json:"message,omitempty"`
			`}`

			`// WriteAccessDeniedResponse will create a new access denied response`
			`func WriteAccessDeniedResponse() (*http.Response, error) {`
			`response := &http.Response{}`
			`err := RewriteResponse(response, dockerErrorResponse{Message: "access denied to resource"}, http.StatusForbidden)`
			`return response, err`
			`}`

			`// RewriteAccessDeniedResponse will overwrite the existing response with an access denied response`
			`func RewriteAccessDeniedResponse(response *http.Response) error {`
			`return RewriteResponse(response, dockerErrorResponse{Message: "access denied to resource"}, http.StatusForbidden)`
			`}`

			`// RewriteResponse will replace the existing response body and status code with the one specified`
			`// in parameters`
			`func RewriteResponse(response *http.Response, newResponseData interface{}, statusCode int) error {`
			`jsonData, err := json.Marshal(newResponseData)`
			`if err != nil {`
			`return err`
			`}`

			`body := ioutil.NopCloser(bytes.NewReader(jsonData))`

			`response.StatusCode = statusCode`
			`response.Body = body`
			`response.ContentLength = int64(len(jsonData))`

			`if response.Header == nil {`
			`response.Header = make(http.Header)`
			`}`
			`response.Header.Set("Content-Length", strconv.Itoa(len(jsonData)))`

			`return nil`
			`}`