portainer/api/http/handler/stacks/handler.go

package stacks

import (
	"net/http"
	"sync"

	"github.com/gorilla/mux"
	httperror "github.com/portainer/libhttp/error"
	"github.com/portainer/portainer/api"
	"github.com/portainer/portainer/api/http/security"
)

// Handler is the HTTP handler used to handle stack operations.
type Handler struct {
	stackCreationMutex *sync.Mutex
	stackDeletionMutex *sync.Mutex
	requestBouncer     *security.RequestBouncer
	*mux.Router
	FileService            portainer.FileService
	GitService             portainer.GitService
	StackService           portainer.StackService
	EndpointService        portainer.EndpointService
	ResourceControlService portainer.ResourceControlService
	RegistryService        portainer.RegistryService
	DockerHubService       portainer.DockerHubService
	SwarmStackManager      portainer.SwarmStackManager
	ComposeStackManager    portainer.ComposeStackManager
	SettingsService        portainer.SettingsService
	UserService            portainer.UserService
	ExtensionService       portainer.ExtensionService
}

// NewHandler creates a handler to manage stack operations.
func NewHandler(bouncer *security.RequestBouncer) *Handler {
	h := &Handler{
		Router:             mux.NewRouter(),
		stackCreationMutex: &sync.Mutex{},
		stackDeletionMutex: &sync.Mutex{},
		requestBouncer:     bouncer,
	}
	h.Handle("/stacks",
		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackCreate))).Methods(http.MethodPost)
	h.Handle("/stacks",
		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackList))).Methods(http.MethodGet)
	h.Handle("/stacks/{id}",
		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackInspect))).Methods(http.MethodGet)
	h.Handle("/stacks/{id}",
		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackDelete))).Methods(http.MethodDelete)
	h.Handle("/stacks/{id}",
		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackUpdate))).Methods(http.MethodPut)
	h.Handle("/stacks/{id}/file",
		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackFile))).Methods(http.MethodGet)
	h.Handle("/stacks/{id}/migrate",
		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackMigrate))).Methods(http.MethodPost)
	return h
}

func (handler *Handler) userCanAccessStack(securityContext *security.RestrictedRequestContext, endpointID portainer.EndpointID, resourceControl *portainer.ResourceControl) (bool, error) {
	if securityContext.IsAdmin {
		return true, nil
	}

	userTeamIDs := make([]portainer.TeamID, 0)
	for _, membership := range securityContext.UserMemberships {
		userTeamIDs = append(userTeamIDs, membership.TeamID)
	}

	if resourceControl != nil && portainer.UserCanAccessResource(securityContext.UserID, userTeamIDs, resourceControl) {
		return true, nil
	}

	_, err := handler.ExtensionService.Extension(portainer.RBACExtension)
	if err == portainer.ErrObjectNotFound {
		return false, nil
	} else if err != nil && err != portainer.ErrObjectNotFound {
		return false, err
	}

	user, err := handler.UserService.User(securityContext.UserID)
	if err != nil {
		return false, err
	}

	_, ok := user.EndpointAuthorizations[endpointID][portainer.EndpointResourcesAccess]
	if ok {
		return true, nil
	}
	return false, nil
}
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`package stacks`

			`import (`
			`"net/http"`
			`"sync"`

			`"github.com/gorilla/mux"`
refactor(api): introduce libhttp usage (#2263) 2018-09-10 10:01:38 +00:00			`httperror "github.com/portainer/libhttp/error"`
refactor(api): refactor base import path (#2788) * refactor(api): refactor base import path * fix(build-system): update build_binary_devops * fix(build-system): fix build_binary_devops for linux * fix(build-system): fix build_binary_devops for Windows 2019-03-21 01:20:14 +00:00			`"github.com/portainer/portainer/api"`
			`"github.com/portainer/portainer/api/http/security"`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`)`

			`// Handler is the HTTP handler used to handle stack operations.`
			`type Handler struct {`
			`stackCreationMutex *sync.Mutex`
			`stackDeletionMutex *sync.Mutex`
fix(api): add an authenticated access policy to the websocket endpoint (#1979) * fix(api): add an authenticated access policy to the websocket endpoint * refactor(api): centralize EndpointAccess validation * feat(api): validate id query parameter for the /websocket/exec endpoint 2018-06-18 09:56:31 +00:00			`requestBouncer *security.RequestBouncer`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`*mux.Router`
			`FileService portainer.FileService`
			`GitService portainer.GitService`
			`StackService portainer.StackService`
			`EndpointService portainer.EndpointService`
			`ResourceControlService portainer.ResourceControlService`
			`RegistryService portainer.RegistryService`
			`DockerHubService portainer.DockerHubService`
			`SwarmStackManager portainer.SwarmStackManager`
			`ComposeStackManager portainer.ComposeStackManager`
fix(api): prevent the use of bind mounts in stacks if setting enabled (#3232) 2019-10-07 03:12:21 +00:00			`SettingsService portainer.SettingsService`
feat(api): rewrite access control management in Docker (#3337) * feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster 2019-11-12 23:41:42 +00:00			`UserService portainer.UserService`
			`ExtensionService portainer.ExtensionService`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`}`

			`// NewHandler creates a handler to manage stack operations.`
			`func NewHandler(bouncer security.RequestBouncer) Handler {`
			`h := &Handler{`
			`Router: mux.NewRouter(),`
			`stackCreationMutex: &sync.Mutex{},`
			`stackDeletionMutex: &sync.Mutex{},`
fix(api): add an authenticated access policy to the websocket endpoint (#1979) * fix(api): add an authenticated access policy to the websocket endpoint * refactor(api): centralize EndpointAccess validation * feat(api): validate id query parameter for the /websocket/exec endpoint 2018-06-18 09:56:31 +00:00			`requestBouncer: bouncer,`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`}`
			`h.Handle("/stacks",`
feat(api): prevent non administrator users to use admin restricted API endpoints (#3227) 2019-10-07 03:10:51 +00:00			`bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackCreate))).Methods(http.MethodPost)`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`h.Handle("/stacks",`
feat(api): prevent non administrator users to use admin restricted API endpoints (#3227) 2019-10-07 03:10:51 +00:00			`bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackList))).Methods(http.MethodGet)`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`h.Handle("/stacks/{id}",`
feat(api): prevent non administrator users to use admin restricted API endpoints (#3227) 2019-10-07 03:10:51 +00:00			`bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackInspect))).Methods(http.MethodGet)`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`h.Handle("/stacks/{id}",`
feat(api): prevent non administrator users to use admin restricted API endpoints (#3227) 2019-10-07 03:10:51 +00:00			`bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackDelete))).Methods(http.MethodDelete)`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`h.Handle("/stacks/{id}",`
feat(api): prevent non administrator users to use admin restricted API endpoints (#3227) 2019-10-07 03:10:51 +00:00			`bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackUpdate))).Methods(http.MethodPut)`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`h.Handle("/stacks/{id}/file",`
feat(api): prevent non administrator users to use admin restricted API endpoints (#3227) 2019-10-07 03:10:51 +00:00			`bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackFile))).Methods(http.MethodGet)`
feat(stacks): add the ability to migrate stacks to another endpoint (#1976) * feat(stacks): add the ability to migrate stacks to another endpoint * feat(stack-details): do not redirect to alternate endpoint after migration * fix(api): fix merge conflicts * feat(stack-details): add a modal to confirm stack migration 2018-06-19 15:28:40 +00:00			`h.Handle("/stacks/{id}/migrate",`
feat(api): prevent non administrator users to use admin restricted API endpoints (#3227) 2019-10-07 03:10:51 +00:00			`bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackMigrate))).Methods(http.MethodPost)`
feat(stacks): support compose v2.0 stack (#1963) 2018-06-11 13:13:19 +00:00			`return h`
			`}`
feat(api): rewrite access control management in Docker (#3337) * feat(api): decorate Docker resource creation response with resource control * fix(api): fix a potential resource control conflict between stacks/volumes * feat(api): generate a default private resource control instead of admin only * fix(api): fix default RC value * fix(api): update RC authorizations check to support admin only flag * refactor(api): relocate access control related methods * fix(api): fix a potential conflict when fetching RC from database * refactor(api): refactor access control logic * refactor(api): remove the concept of DecoratedStack * feat(api): automatically remove RC when removing a Docker resource * refactor(api): update filter resource methods documentation * refactor(api): update proxy package structure * refactor(api): renamed proxy/misc package * feat(api): re-introduce ResourceControlDelete operation as admin restricted * refactor(api): relocate default endpoint authorizations * feat(api): migrate RBAC data * feat(app): ResourceControl management refactor * fix(api): fix access control issue on stack deletion and automatically delete RC * fix(api): fix stack filtering * fix(api): fix UpdateResourceControl operation checks * refactor(api): introduce a NewTransport builder method * refactor(api): inject endpoint in Docker transport * refactor(api): introduce Docker client into Docker transport * refactor(api): refactor http/proxy package * feat(api): inspect a Docker resource labels during access control validation * fix(api): only apply automatic resource control creation on success response * fix(api): fix stack access control check * fix(api): use StatusCreated instead of StatusOK for automatic resource control creation * fix(app): resource control fixes * fix(api): fix an issue preventing administrator to inspect a resource with a RC * refactor(api): remove useless error return * refactor(api): document DecorateStacks function * fix(api): fix invalid resource control type for container deletion * feat(api): support Docker system networks * feat(api): update Swagger docs * refactor(api): rename transport variable * refactor(api): rename transport variable * feat(networks): add system tag for system networks * feat(api): add support for resource control labels * feat(api): upgrade to DBVersion 22 * refactor(api): refactor access control management in Docker proxy * refactor(api): re-implement docker proxy taskListOperation * refactor(api): review parameters declaration * refactor(api): remove extra blank line * refactor(api): review method comments * fix(api): fix invalid ServerAddress property and review method visibility * feat(api): update error message * feat(api): update restrictedVolumeBrowserOperation method * refactor(api): refactor method parameters * refactor(api): minor refactor * refactor(api): change Azure transport visibility * refactor(api): update struct documentation * refactor(api): update struct documentation * feat(api): review restrictedResourceOperation method * refactor(api): remove unused authorization methods * feat(api): apply RBAC when enabled on stack operations * fix(api): fix invalid data migration procedure for DBVersion = 22 * fix(app): RC duplicate on private resource * feat(api): change Docker API version logic for libcompose/client factory * fix(api): update access denied error message to be Docker API compliant * fix(api): update volume browsing authorizations data migration * fix(api): fix an issue with access control in multi-node agent Swarm cluster 2019-11-12 23:41:42 +00:00
			`func (handler Handler) userCanAccessStack(securityContext security.RestrictedRequestContext, endpointID portainer.EndpointID, resourceControl *portainer.ResourceControl) (bool, error) {`
			`if securityContext.IsAdmin {`
			`return true, nil`
			`}`

			`userTeamIDs := make([]portainer.TeamID, 0)`
			`for _, membership := range securityContext.UserMemberships {`
			`userTeamIDs = append(userTeamIDs, membership.TeamID)`
			`}`

			`if resourceControl != nil && portainer.UserCanAccessResource(securityContext.UserID, userTeamIDs, resourceControl) {`
			`return true, nil`
			`}`

			`_, err := handler.ExtensionService.Extension(portainer.RBACExtension)`
			`if err == portainer.ErrObjectNotFound {`
			`return false, nil`
			`} else if err != nil && err != portainer.ErrObjectNotFound {`
			`return false, err`
			`}`

			`user, err := handler.UserService.User(securityContext.UserID)`
			`if err != nil {`
			`return false, err`
			`}`

			`_, ok := user.EndpointAuthorizations[endpointID][portainer.EndpointResourcesAccess]`
			`if ok {`
			`return true, nil`
			`}`
			`return false, nil`
			`}`