portainer/api/http/handler/docker.go

package handler

import (
	"strconv"

	"github.com/portainer/portainer"
	httperror "github.com/portainer/portainer/http/error"
	"github.com/portainer/portainer/http/proxy"
	"github.com/portainer/portainer/http/security"

	"log"
	"net/http"
	"os"

	"github.com/gorilla/mux"
)

// DockerHandler represents an HTTP API handler for proxying requests to the Docker API.
type DockerHandler struct {
	*mux.Router
	Logger                *log.Logger
	EndpointService       portainer.EndpointService
	TeamMembershipService portainer.TeamMembershipService
	ProxyManager          *proxy.Manager
}

// NewDockerHandler returns a new instance of DockerHandler.
func NewDockerHandler(bouncer *security.RequestBouncer) *DockerHandler {
	h := &DockerHandler{
		Router: mux.NewRouter(),
		Logger: log.New(os.Stderr, "", log.LstdFlags),
	}
	h.PathPrefix("/{id}/docker").Handler(
		bouncer.AuthenticatedAccess(http.HandlerFunc(h.proxyRequestsToDockerAPI)))
	return h
}

func (handler *DockerHandler) checkEndpointAccessControl(endpoint *portainer.Endpoint, userID portainer.UserID) bool {
	for _, authorizedUserID := range endpoint.AuthorizedUsers {
		if authorizedUserID == userID {
			return true
		}
	}

	memberships, _ := handler.TeamMembershipService.TeamMembershipsByUserID(userID)
	for _, authorizedTeamID := range endpoint.AuthorizedTeams {
		for _, membership := range memberships {
			if membership.TeamID == authorizedTeamID {
				return true
			}
		}
	}
	return false
}

func (handler *DockerHandler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.Request) {
	vars := mux.Vars(r)
	id := vars["id"]

	parsedID, err := strconv.Atoi(id)
	if err != nil {
		httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
		return
	}

	endpointID := portainer.EndpointID(parsedID)
	endpoint, err := handler.EndpointService.Endpoint(endpointID)
	if err != nil {
		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
		return
	}

	tokenData, err := security.RetrieveTokenData(r)
	if err != nil {
		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
		return
	}
	if tokenData.Role != portainer.AdministratorRole && !handler.checkEndpointAccessControl(endpoint, tokenData.ID) {
		httperror.WriteErrorResponse(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)
		return
	}

	var proxy http.Handler
	proxy = handler.ProxyManager.GetProxy(string(endpointID))
	if proxy == nil {
		proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
		if err != nil {
			httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)
			return
		}
	}

	http.StripPrefix("/"+id+"/docker", proxy).ServeHTTP(w, r)
}
feat(global): introduce user teams and new UAC system (#868) 2017-05-23 18:56:10 +00:00			`package handler`

			`import (`
			`"strconv"`

			`"github.com/portainer/portainer"`
			`httperror "github.com/portainer/portainer/http/error"`
			`"github.com/portainer/portainer/http/proxy"`
			`"github.com/portainer/portainer/http/security"`

			`"log"`
			`"net/http"`
			`"os"`

			`"github.com/gorilla/mux"`
			`)`

			`// DockerHandler represents an HTTP API handler for proxying requests to the Docker API.`
			`type DockerHandler struct {`
			`*mux.Router`
			`Logger *log.Logger`
			`EndpointService portainer.EndpointService`
			`TeamMembershipService portainer.TeamMembershipService`
			`ProxyManager *proxy.Manager`
			`}`

			`// NewDockerHandler returns a new instance of DockerHandler.`
			`func NewDockerHandler(bouncer security.RequestBouncer) DockerHandler {`
			`h := &DockerHandler{`
			`Router: mux.NewRouter(),`
			`Logger: log.New(os.Stderr, "", log.LstdFlags),`
			`}`
refactor(api): relocate /docker API endpoint under /endpoints (#1053) 2017-07-20 14:22:27 +00:00			`h.PathPrefix("/{id}/docker").Handler(`
feat(global): introduce user teams and new UAC system (#868) 2017-05-23 18:56:10 +00:00			`bouncer.AuthenticatedAccess(http.HandlerFunc(h.proxyRequestsToDockerAPI)))`
			`return h`
			`}`

			`func (handler DockerHandler) checkEndpointAccessControl(endpoint portainer.Endpoint, userID portainer.UserID) bool {`
			`for _, authorizedUserID := range endpoint.AuthorizedUsers {`
			`if authorizedUserID == userID {`
			`return true`
			`}`
			`}`

			`memberships, _ := handler.TeamMembershipService.TeamMembershipsByUserID(userID)`
			`for _, authorizedTeamID := range endpoint.AuthorizedTeams {`
			`for _, membership := range memberships {`
			`if membership.TeamID == authorizedTeamID {`
			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`

			`func (handler DockerHandler) proxyRequestsToDockerAPI(w http.ResponseWriter, r http.Request) {`
			`vars := mux.Vars(r)`
			`id := vars["id"]`

			`parsedID, err := strconv.Atoi(id)`
			`if err != nil {`
			`httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)`
			`return`
			`}`

			`endpointID := portainer.EndpointID(parsedID)`
			`endpoint, err := handler.EndpointService.Endpoint(endpointID)`
			`if err != nil {`
			`httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)`
			`return`
			`}`

			`tokenData, err := security.RetrieveTokenData(r)`
			`if err != nil {`
			`httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)`
			`return`
			`}`
			`if tokenData.Role != portainer.AdministratorRole && !handler.checkEndpointAccessControl(endpoint, tokenData.ID) {`
			`httperror.WriteErrorResponse(w, portainer.ErrEndpointAccessDenied, http.StatusForbidden, handler.Logger)`
			`return`
			`}`

			`var proxy http.Handler`
			`proxy = handler.ProxyManager.GetProxy(string(endpointID))`
			`if proxy == nil {`
			`proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)`
			`if err != nil {`
			`httperror.WriteErrorResponse(w, err, http.StatusBadRequest, handler.Logger)`
			`return`
			`}`
			`}`

refactor(api): relocate /docker API endpoint under /endpoints (#1053) 2017-07-20 14:22:27 +00:00			`http.StripPrefix("/"+id+"/docker", proxy).ServeHTTP(w, r)`
feat(global): introduce user teams and new UAC system (#868) 2017-05-23 18:56:10 +00:00			`}`