2017-05-23 18:56:10 +00:00
|
|
|
package proxy
|
|
|
|
|
2018-08-19 05:57:28 +00:00
|
|
|
import (
|
2019-03-21 01:20:14 +00:00
|
|
|
"github.com/portainer/portainer/api"
|
2018-08-19 05:57:28 +00:00
|
|
|
)
|
2017-05-23 18:56:10 +00:00
|
|
|
|
2017-10-15 17:24:40 +00:00
|
|
|
type (
|
|
|
|
// ExtendedStack represents a stack combined with its associated access control
|
|
|
|
ExtendedStack struct {
|
|
|
|
portainer.Stack
|
|
|
|
ResourceControl portainer.ResourceControl `json:"ResourceControl"`
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2018-06-11 13:13:19 +00:00
|
|
|
// applyResourceAccessControlFromLabel returns an optionally decorated object as the first return value and the
|
2017-10-15 17:24:40 +00:00
|
|
|
// access level for the user (granted or denied) as the second return value.
|
|
|
|
// It will retrieve an identifier from the labels object. If an identifier exists, it will check for
|
|
|
|
// an existing resource control associated to it.
|
|
|
|
// Returns a decorated object and authorized access (true) when a resource control is found and the user can access the resource.
|
2018-08-19 05:57:28 +00:00
|
|
|
// Returns the original object and denied access (false) when no resource control is found.
|
2017-10-15 17:24:40 +00:00
|
|
|
// Returns the original object and denied access (false) when a resource control is found and the user cannot access the resource.
|
|
|
|
func applyResourceAccessControlFromLabel(labelsObject, resourceObject map[string]interface{}, labelIdentifier string,
|
2019-05-24 06:04:58 +00:00
|
|
|
context *restrictedDockerOperationContext) (map[string]interface{}, bool) {
|
2017-10-15 17:24:40 +00:00
|
|
|
|
|
|
|
if labelsObject != nil && labelsObject[labelIdentifier] != nil {
|
|
|
|
resourceIdentifier := labelsObject[labelIdentifier].(string)
|
|
|
|
return applyResourceAccessControl(resourceObject, resourceIdentifier, context)
|
|
|
|
}
|
2018-08-19 05:57:28 +00:00
|
|
|
return resourceObject, false
|
2017-10-15 17:24:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// applyResourceAccessControl returns an optionally decorated object as the first return value and the
|
|
|
|
// access level for the user (granted or denied) as the second return value.
|
|
|
|
// Returns a decorated object and authorized access (true) when a resource control is found to the specified resource
|
|
|
|
// identifier and the user can access the resource.
|
2018-08-19 05:57:28 +00:00
|
|
|
// Returns the original object and authorized access (false) when no resource control is found for the specified
|
2017-10-15 17:24:40 +00:00
|
|
|
// resource identifier.
|
|
|
|
// Returns the original object and denied access (false) when a resource control is associated to the resource
|
|
|
|
// and the user cannot access the resource.
|
|
|
|
func applyResourceAccessControl(resourceObject map[string]interface{}, resourceIdentifier string,
|
2019-05-24 06:04:58 +00:00
|
|
|
context *restrictedDockerOperationContext) (map[string]interface{}, bool) {
|
2017-10-15 17:24:40 +00:00
|
|
|
|
|
|
|
resourceControl := getResourceControlByResourceID(resourceIdentifier, context.resourceControls)
|
2018-08-19 05:57:28 +00:00
|
|
|
if resourceControl == nil {
|
2019-05-24 06:04:58 +00:00
|
|
|
return resourceObject, context.isAdmin || context.endpointResourceAccess
|
2017-10-15 17:24:40 +00:00
|
|
|
}
|
|
|
|
|
2019-05-24 06:04:58 +00:00
|
|
|
if context.isAdmin || context.endpointResourceAccess || resourceControl.Public || canUserAccessResource(context.userID, context.userTeamIDs, resourceControl) {
|
2018-08-19 05:57:28 +00:00
|
|
|
resourceObject = decorateObject(resourceObject, resourceControl)
|
|
|
|
return resourceObject, true
|
|
|
|
}
|
|
|
|
|
|
|
|
return resourceObject, false
|
2017-10-15 17:24:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// decorateResourceWithAccessControlFromLabel will retrieve an identifier from the labels object. If an identifier exists,
|
|
|
|
// it will check for an existing resource control associated to it. If a resource control is found, the resource object will be
|
|
|
|
// decorated. If no identifier can be found in the labels or no resource control is associated to the identifier, the resource
|
|
|
|
// object will not be changed.
|
|
|
|
func decorateResourceWithAccessControlFromLabel(labelsObject, resourceObject map[string]interface{}, labelIdentifier string,
|
|
|
|
resourceControls []portainer.ResourceControl) map[string]interface{} {
|
|
|
|
|
|
|
|
if labelsObject != nil && labelsObject[labelIdentifier] != nil {
|
|
|
|
resourceIdentifier := labelsObject[labelIdentifier].(string)
|
|
|
|
resourceObject = decorateResourceWithAccessControl(resourceObject, resourceIdentifier, resourceControls)
|
|
|
|
}
|
|
|
|
|
|
|
|
return resourceObject
|
|
|
|
}
|
|
|
|
|
|
|
|
// decorateResourceWithAccessControl will check if a resource control is associated to the specified resource identifier.
|
|
|
|
// If a resource control is found, the resource object will be decorated, otherwise it will not be changed.
|
|
|
|
func decorateResourceWithAccessControl(resourceObject map[string]interface{}, resourceIdentifier string,
|
|
|
|
resourceControls []portainer.ResourceControl) map[string]interface{} {
|
|
|
|
|
|
|
|
resourceControl := getResourceControlByResourceID(resourceIdentifier, resourceControls)
|
|
|
|
if resourceControl != nil {
|
|
|
|
return decorateObject(resourceObject, resourceControl)
|
|
|
|
}
|
|
|
|
return resourceObject
|
|
|
|
}
|
|
|
|
|
2017-05-23 18:56:10 +00:00
|
|
|
func canUserAccessResource(userID portainer.UserID, userTeamIDs []portainer.TeamID, resourceControl *portainer.ResourceControl) bool {
|
|
|
|
for _, authorizedUserAccess := range resourceControl.UserAccesses {
|
|
|
|
if userID == authorizedUserAccess.UserID {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, authorizedTeamAccess := range resourceControl.TeamAccesses {
|
|
|
|
for _, userTeamID := range userTeamIDs {
|
|
|
|
if userTeamID == authorizedTeamAccess.TeamID {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-08-19 05:57:28 +00:00
|
|
|
return resourceControl.Public
|
2017-05-23 18:56:10 +00:00
|
|
|
}
|
2017-10-15 17:24:40 +00:00
|
|
|
|
|
|
|
func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
|
2018-05-06 07:15:57 +00:00
|
|
|
if object["Portainer"] == nil {
|
|
|
|
object["Portainer"] = make(map[string]interface{})
|
|
|
|
}
|
|
|
|
|
|
|
|
portainerMetadata := object["Portainer"].(map[string]interface{})
|
|
|
|
portainerMetadata["ResourceControl"] = resourceControl
|
2017-10-15 17:24:40 +00:00
|
|
|
return object
|
|
|
|
}
|
|
|
|
|
|
|
|
func getResourceControlByResourceID(resourceID string, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
|
|
|
|
for _, resourceControl := range resourceControls {
|
|
|
|
if resourceID == resourceControl.ResourceID {
|
|
|
|
return &resourceControl
|
|
|
|
}
|
|
|
|
for _, subResourceID := range resourceControl.SubResourceIDs {
|
|
|
|
if resourceID == subResourceID {
|
|
|
|
return &resourceControl
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// CanAccessStack checks if a user can access a stack
|
|
|
|
func CanAccessStack(stack *portainer.Stack, resourceControl *portainer.ResourceControl, userID portainer.UserID, memberships []portainer.TeamMembership) bool {
|
2018-08-19 05:57:28 +00:00
|
|
|
if resourceControl == nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2017-10-15 17:24:40 +00:00
|
|
|
userTeamIDs := make([]portainer.TeamID, 0)
|
|
|
|
for _, membership := range memberships {
|
|
|
|
userTeamIDs = append(userTeamIDs, membership.TeamID)
|
|
|
|
}
|
|
|
|
|
|
|
|
if canUserAccessResource(userID, userTeamIDs, resourceControl) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2018-08-19 05:57:28 +00:00
|
|
|
return resourceControl.Public
|
2017-10-15 17:24:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// FilterStacks filters stacks based on user role and resource controls.
|
|
|
|
func FilterStacks(stacks []portainer.Stack, resourceControls []portainer.ResourceControl, isAdmin bool,
|
|
|
|
userID portainer.UserID, memberships []portainer.TeamMembership) []ExtendedStack {
|
|
|
|
|
|
|
|
filteredStacks := make([]ExtendedStack, 0)
|
|
|
|
|
|
|
|
userTeamIDs := make([]portainer.TeamID, 0)
|
|
|
|
for _, membership := range memberships {
|
|
|
|
userTeamIDs = append(userTeamIDs, membership.TeamID)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, stack := range stacks {
|
|
|
|
extendedStack := ExtendedStack{stack, portainer.ResourceControl{}}
|
|
|
|
resourceControl := getResourceControlByResourceID(stack.Name, resourceControls)
|
2018-08-19 05:57:28 +00:00
|
|
|
if resourceControl == nil && isAdmin {
|
2017-10-15 17:24:40 +00:00
|
|
|
filteredStacks = append(filteredStacks, extendedStack)
|
2018-08-19 05:57:28 +00:00
|
|
|
} else if resourceControl != nil && (isAdmin || resourceControl.Public || canUserAccessResource(userID, userTeamIDs, resourceControl)) {
|
2017-10-15 17:24:40 +00:00
|
|
|
extendedStack.ResourceControl = *resourceControl
|
|
|
|
filteredStacks = append(filteredStacks, extendedStack)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return filteredStacks
|
|
|
|
}
|