package settings import ( "errors" "net/http" "time" "github.com/asaskevich/govalidator" httperror "github.com/portainer/libhttp/error" "github.com/portainer/libhttp/request" "github.com/portainer/libhttp/response" portainer "github.com/portainer/portainer/api" bolterrors "github.com/portainer/portainer/api/bolt/errors" "github.com/portainer/portainer/api/filesystem" ) type settingsUpdatePayload struct { LogoURL *string BlackListedLabels []portainer.Pair AuthenticationMethod *int LDAPSettings *portainer.LDAPSettings OAuthSettings *portainer.OAuthSettings AllowBindMountsForRegularUsers *bool AllowPrivilegedModeForRegularUsers *bool AllowHostNamespaceForRegularUsers *bool AllowVolumeBrowserForRegularUsers *bool AllowDeviceMappingForRegularUsers *bool AllowStackManagementForRegularUsers *bool AllowContainerCapabilitiesForRegularUsers *bool EnableHostManagementFeatures *bool SnapshotInterval *string TemplatesURL *string EdgeAgentCheckinInterval *int EnableEdgeComputeFeatures *bool UserSessionTimeout *string } func (payload *settingsUpdatePayload) Validate(r *http.Request) error { if *payload.AuthenticationMethod != 1 && *payload.AuthenticationMethod != 2 && *payload.AuthenticationMethod != 3 { return errors.New("Invalid authentication method value. Value must be one of: 1 (internal), 2 (LDAP/AD) or 3 (OAuth)") } if payload.LogoURL != nil && *payload.LogoURL != "" && !govalidator.IsURL(*payload.LogoURL) { return errors.New("Invalid logo URL. Must correspond to a valid URL format") } if payload.TemplatesURL != nil && *payload.TemplatesURL != "" && !govalidator.IsURL(*payload.TemplatesURL) { return errors.New("Invalid external templates URL. Must correspond to a valid URL format") } if payload.UserSessionTimeout != nil { _, err := time.ParseDuration(*payload.UserSessionTimeout) if err != nil { return errors.New("Invalid user session timeout") } } return nil } // PUT request on /api/settings func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError { var payload settingsUpdatePayload err := request.DecodeAndValidateJSONPayload(r, &payload) if err != nil { return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err} } settings, err := handler.DataStore.Settings().Settings() if err != nil { return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve the settings from the database", err} } if payload.AuthenticationMethod != nil { settings.AuthenticationMethod = portainer.AuthenticationMethod(*payload.AuthenticationMethod) } if payload.LogoURL != nil { settings.LogoURL = *payload.LogoURL } if payload.TemplatesURL != nil { settings.TemplatesURL = *payload.TemplatesURL } if payload.BlackListedLabels != nil { settings.BlackListedLabels = payload.BlackListedLabels } if payload.LDAPSettings != nil { ldapReaderDN := settings.LDAPSettings.ReaderDN ldapPassword := settings.LDAPSettings.Password if payload.LDAPSettings.ReaderDN != "" { ldapReaderDN = payload.LDAPSettings.ReaderDN } if payload.LDAPSettings.Password != "" { ldapPassword = payload.LDAPSettings.Password } settings.LDAPSettings = *payload.LDAPSettings settings.LDAPSettings.ReaderDN = ldapReaderDN settings.LDAPSettings.Password = ldapPassword } if payload.OAuthSettings != nil { clientSecret := payload.OAuthSettings.ClientSecret if clientSecret == "" { clientSecret = settings.OAuthSettings.ClientSecret } settings.OAuthSettings = *payload.OAuthSettings settings.OAuthSettings.ClientSecret = clientSecret } if payload.AllowBindMountsForRegularUsers != nil { settings.AllowBindMountsForRegularUsers = *payload.AllowBindMountsForRegularUsers } if payload.AllowPrivilegedModeForRegularUsers != nil { settings.AllowPrivilegedModeForRegularUsers = *payload.AllowPrivilegedModeForRegularUsers } updateAuthorizations := false if payload.AllowVolumeBrowserForRegularUsers != nil { settings.AllowVolumeBrowserForRegularUsers = *payload.AllowVolumeBrowserForRegularUsers updateAuthorizations = true } if payload.EnableHostManagementFeatures != nil { settings.EnableHostManagementFeatures = *payload.EnableHostManagementFeatures } if payload.EnableEdgeComputeFeatures != nil { settings.EnableEdgeComputeFeatures = *payload.EnableEdgeComputeFeatures } if payload.AllowHostNamespaceForRegularUsers != nil { settings.AllowHostNamespaceForRegularUsers = *payload.AllowHostNamespaceForRegularUsers } if payload.AllowStackManagementForRegularUsers != nil { settings.AllowStackManagementForRegularUsers = *payload.AllowStackManagementForRegularUsers } if payload.AllowContainerCapabilitiesForRegularUsers != nil { settings.AllowContainerCapabilitiesForRegularUsers = *payload.AllowContainerCapabilitiesForRegularUsers } if payload.SnapshotInterval != nil && *payload.SnapshotInterval != settings.SnapshotInterval { err := handler.updateSnapshotInterval(settings, *payload.SnapshotInterval) if err != nil { return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update snapshot interval", err} } } if payload.EdgeAgentCheckinInterval != nil { settings.EdgeAgentCheckinInterval = *payload.EdgeAgentCheckinInterval } if payload.UserSessionTimeout != nil { settings.UserSessionTimeout = *payload.UserSessionTimeout userSessionDuration, _ := time.ParseDuration(*payload.UserSessionTimeout) handler.JWTService.SetUserSessionDuration(userSessionDuration) } if payload.AllowDeviceMappingForRegularUsers != nil { settings.AllowDeviceMappingForRegularUsers = *payload.AllowDeviceMappingForRegularUsers } tlsError := handler.updateTLS(settings) if tlsError != nil { return tlsError } err = handler.DataStore.Settings().UpdateSettings(settings) if err != nil { return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist settings changes inside the database", err} } if updateAuthorizations { err := handler.updateVolumeBrowserSetting(settings) if err != nil { return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update RBAC authorizations", err} } } return response.JSON(w, settings) } func (handler *Handler) updateVolumeBrowserSetting(settings *portainer.Settings) error { err := handler.AuthorizationService.UpdateVolumeBrowsingAuthorizations(settings.AllowVolumeBrowserForRegularUsers) if err != nil { return err } extension, err := handler.DataStore.Extension().Extension(portainer.RBACExtension) if err != nil && err != bolterrors.ErrObjectNotFound { return err } if extension != nil { err = handler.AuthorizationService.UpdateUsersAuthorizations() if err != nil { return err } } return nil } func (handler *Handler) updateSnapshotInterval(settings *portainer.Settings, snapshotInterval string) error { settings.SnapshotInterval = snapshotInterval err := handler.SnapshotService.SetSnapshotInterval(snapshotInterval) if err != nil { return err } return nil } func (handler *Handler) updateTLS(settings *portainer.Settings) *httperror.HandlerError { if (settings.LDAPSettings.TLSConfig.TLS || settings.LDAPSettings.StartTLS) && !settings.LDAPSettings.TLSConfig.TLSSkipVerify { caCertPath, _ := handler.FileService.GetPathForTLSFile(filesystem.LDAPStorePath, portainer.TLSFileCA) settings.LDAPSettings.TLSConfig.TLSCACertPath = caCertPath } else { settings.LDAPSettings.TLSConfig.TLSCACertPath = "" err := handler.FileService.DeleteTLSFiles(filesystem.LDAPStorePath) if err != nil { return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove TLS files from disk", err} } } return nil }