mirror of https://github.com/portainer/portainer
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
205 lines
8.8 KiB
205 lines
8.8 KiB
package proxy
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/portainer/portainer/api"
|
|
)
|
|
|
|
const (
|
|
// ErrDockerContainerIdentifierNotFound defines an error raised when Portainer is unable to find a container identifier
|
|
ErrDockerContainerIdentifierNotFound = portainer.Error("Docker container identifier not found")
|
|
containerIdentifier = "Id"
|
|
containerLabelForServiceIdentifier = "com.docker.swarm.service.id"
|
|
containerLabelForSwarmStackIdentifier = "com.docker.stack.namespace"
|
|
containerLabelForComposeStackIdentifier = "com.docker.compose.project"
|
|
)
|
|
|
|
// containerListOperation extracts the response as a JSON object, loop through the containers array
|
|
// decorate and/or filter the containers based on resource controls before rewriting the response
|
|
func containerListOperation(response *http.Response, executor *operationExecutor) error {
|
|
var err error
|
|
// ContainerList response is a JSON array
|
|
// https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
|
|
responseArray, err := getResponseAsJSONArray(response)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if executor.operationContext.isAdmin || executor.operationContext.endpointResourceAccess {
|
|
responseArray, err = decorateContainerList(responseArray, executor.operationContext.resourceControls)
|
|
} else {
|
|
responseArray, err = filterContainerList(responseArray, executor.operationContext)
|
|
}
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if executor.labelBlackList != nil {
|
|
responseArray, err = filterContainersWithBlackListedLabels(responseArray, executor.labelBlackList)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
return rewriteResponse(response, responseArray, http.StatusOK)
|
|
}
|
|
|
|
// containerInspectOperation extracts the response as a JSON object, verify that the user
|
|
// has access to the container based on resource control (check are done based on the containerID and optional Swarm service ID)
|
|
// and either rewrite an access denied response or a decorated container.
|
|
func containerInspectOperation(response *http.Response, executor *operationExecutor) error {
|
|
// ContainerInspect response is a JSON object
|
|
// https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
|
|
responseObject, err := getResponseAsJSONOBject(response)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if responseObject[containerIdentifier] == nil {
|
|
return ErrDockerContainerIdentifierNotFound
|
|
}
|
|
|
|
containerID := responseObject[containerIdentifier].(string)
|
|
responseObject, access := applyResourceAccessControl(responseObject, containerID, executor.operationContext)
|
|
if access {
|
|
return rewriteResponse(response, responseObject, http.StatusOK)
|
|
}
|
|
|
|
containerLabels := extractContainerLabelsFromContainerInspectObject(responseObject)
|
|
responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForServiceIdentifier, executor.operationContext)
|
|
if access {
|
|
return rewriteResponse(response, responseObject, http.StatusOK)
|
|
}
|
|
|
|
responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForSwarmStackIdentifier, executor.operationContext)
|
|
if access {
|
|
return rewriteResponse(response, responseObject, http.StatusOK)
|
|
}
|
|
|
|
responseObject, access = applyResourceAccessControlFromLabel(containerLabels, responseObject, containerLabelForComposeStackIdentifier, executor.operationContext)
|
|
if access {
|
|
return rewriteResponse(response, responseObject, http.StatusOK)
|
|
}
|
|
|
|
return rewriteAccessDeniedResponse(response)
|
|
}
|
|
|
|
// extractContainerLabelsFromContainerInspectObject retrieve the Labels of the container if present.
|
|
// Container schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerInspect
|
|
func extractContainerLabelsFromContainerInspectObject(responseObject map[string]interface{}) map[string]interface{} {
|
|
// Labels are stored under Config.Labels
|
|
containerConfigObject := extractJSONField(responseObject, "Config")
|
|
if containerConfigObject != nil {
|
|
containerLabelsObject := extractJSONField(containerConfigObject, "Labels")
|
|
return containerLabelsObject
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// extractContainerLabelsFromContainerListObject retrieve the Labels of the container if present.
|
|
// Container schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
|
|
func extractContainerLabelsFromContainerListObject(responseObject map[string]interface{}) map[string]interface{} {
|
|
// Labels are stored under Labels
|
|
containerLabelsObject := extractJSONField(responseObject, "Labels")
|
|
return containerLabelsObject
|
|
}
|
|
|
|
// decorateContainerList loops through all containers and decorates any container with an existing resource control.
|
|
// Resource controls checks are based on: resource identifier, service identifier (from label), stack identifier (from label).
|
|
// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
|
|
func decorateContainerList(containerData []interface{}, resourceControls []portainer.ResourceControl) ([]interface{}, error) {
|
|
decoratedContainerData := make([]interface{}, 0)
|
|
|
|
for _, container := range containerData {
|
|
|
|
containerObject := container.(map[string]interface{})
|
|
if containerObject[containerIdentifier] == nil {
|
|
return nil, ErrDockerContainerIdentifierNotFound
|
|
}
|
|
|
|
containerID := containerObject[containerIdentifier].(string)
|
|
containerObject = decorateResourceWithAccessControl(containerObject, containerID, resourceControls)
|
|
|
|
containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
|
|
containerObject = decorateResourceWithAccessControlFromLabel(containerLabels, containerObject, containerLabelForServiceIdentifier, resourceControls)
|
|
containerObject = decorateResourceWithAccessControlFromLabel(containerLabels, containerObject, containerLabelForSwarmStackIdentifier, resourceControls)
|
|
containerObject = decorateResourceWithAccessControlFromLabel(containerLabels, containerObject, containerLabelForComposeStackIdentifier, resourceControls)
|
|
|
|
decoratedContainerData = append(decoratedContainerData, containerObject)
|
|
}
|
|
|
|
return decoratedContainerData, nil
|
|
}
|
|
|
|
// filterContainerList loops through all containers and filters public containers (no associated resource control)
|
|
// as well as authorized containers (access granted to the user based on existing resource control).
|
|
// Authorized containers are decorated during the process.
|
|
// Resource controls checks are based on: resource identifier, service identifier (from label), stack identifier (from label).
|
|
// Container object schema reference: https://docs.docker.com/engine/api/v1.28/#operation/ContainerList
|
|
func filterContainerList(containerData []interface{}, context *restrictedDockerOperationContext) ([]interface{}, error) {
|
|
filteredContainerData := make([]interface{}, 0)
|
|
|
|
for _, container := range containerData {
|
|
containerObject := container.(map[string]interface{})
|
|
if containerObject[containerIdentifier] == nil {
|
|
return nil, ErrDockerContainerIdentifierNotFound
|
|
}
|
|
|
|
containerID := containerObject[containerIdentifier].(string)
|
|
containerObject, access := applyResourceAccessControl(containerObject, containerID, context)
|
|
if !access {
|
|
containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
|
|
containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForComposeStackIdentifier, context)
|
|
if !access {
|
|
containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForServiceIdentifier, context)
|
|
if !access {
|
|
containerObject, access = applyResourceAccessControlFromLabel(containerLabels, containerObject, containerLabelForSwarmStackIdentifier, context)
|
|
}
|
|
}
|
|
}
|
|
|
|
if access {
|
|
filteredContainerData = append(filteredContainerData, containerObject)
|
|
}
|
|
}
|
|
|
|
return filteredContainerData, nil
|
|
}
|
|
|
|
// filterContainersWithLabels loops through a list of containers, and filters containers that do not contains
|
|
// any labels in the labels black list.
|
|
func filterContainersWithBlackListedLabels(containerData []interface{}, labelBlackList []portainer.Pair) ([]interface{}, error) {
|
|
filteredContainerData := make([]interface{}, 0)
|
|
|
|
for _, container := range containerData {
|
|
containerObject := container.(map[string]interface{})
|
|
|
|
containerLabels := extractContainerLabelsFromContainerListObject(containerObject)
|
|
if containerLabels != nil {
|
|
if !containerHasBlackListedLabel(containerLabels, labelBlackList) {
|
|
filteredContainerData = append(filteredContainerData, containerObject)
|
|
}
|
|
} else {
|
|
filteredContainerData = append(filteredContainerData, containerObject)
|
|
}
|
|
}
|
|
|
|
return filteredContainerData, nil
|
|
}
|
|
|
|
func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelBlackList []portainer.Pair) bool {
|
|
for key, value := range containerLabels {
|
|
labelName := key
|
|
labelValue := value.(string)
|
|
|
|
for _, blackListedLabel := range labelBlackList {
|
|
if blackListedLabel.Name == labelName && blackListedLabel.Value == labelValue {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|