mirror of https://github.com/portainer/portainer
150 lines
5.0 KiB
Go
150 lines
5.0 KiB
Go
package azure
|
|
|
|
import (
|
|
"log"
|
|
"net/http"
|
|
|
|
portainer "github.com/portainer/portainer/api"
|
|
"github.com/portainer/portainer/api/http/security"
|
|
"github.com/portainer/portainer/api/internal/authorization"
|
|
)
|
|
|
|
func (transport *Transport) createAzureRequestContext(request *http.Request) (*azureRequestContext, error) {
|
|
var err error
|
|
|
|
tokenData, err := security.RetrieveTokenData(request)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
resourceControls, err := transport.dataStore.ResourceControl().ResourceControls()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
context := &azureRequestContext{
|
|
isAdmin: true,
|
|
userID: tokenData.ID,
|
|
resourceControls: resourceControls,
|
|
}
|
|
|
|
if tokenData.Role != portainer.AdministratorRole {
|
|
context.isAdmin = false
|
|
|
|
teamMemberships, err := transport.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
userTeamIDs := make([]portainer.TeamID, 0)
|
|
for _, membership := range teamMemberships {
|
|
userTeamIDs = append(userTeamIDs, membership.TeamID)
|
|
}
|
|
context.userTeamIDs = userTeamIDs
|
|
}
|
|
|
|
return context, nil
|
|
}
|
|
|
|
func decorateObject(object map[string]interface{}, resourceControl *portainer.ResourceControl) map[string]interface{} {
|
|
if object["Portainer"] == nil {
|
|
object["Portainer"] = make(map[string]interface{})
|
|
}
|
|
|
|
portainerMetadata := object["Portainer"].(map[string]interface{})
|
|
portainerMetadata["ResourceControl"] = resourceControl
|
|
return object
|
|
}
|
|
|
|
func (transport *Transport) createPrivateResourceControl(
|
|
resourceIdentifier string,
|
|
resourceType portainer.ResourceControlType,
|
|
userID portainer.UserID) (*portainer.ResourceControl, error) {
|
|
|
|
resourceControl := authorization.NewPrivateResourceControl(resourceIdentifier, resourceType, userID)
|
|
|
|
err := transport.dataStore.ResourceControl().CreateResourceControl(resourceControl)
|
|
if err != nil {
|
|
log.Printf("[ERROR] [http,proxy,azure,transport] [message: unable to persist resource control] [resource: %s] [err: %s]", resourceIdentifier, err)
|
|
return nil, err
|
|
}
|
|
|
|
return resourceControl, nil
|
|
}
|
|
|
|
func (transport *Transport) userCanDeleteContainerGroup(request *http.Request, context *azureRequestContext) bool {
|
|
if context.isAdmin {
|
|
return true
|
|
}
|
|
resourceIdentifier := request.URL.Path
|
|
resourceControl := transport.findResourceControl(resourceIdentifier, context)
|
|
return authorization.UserCanAccessResource(context.userID, context.userTeamIDs, resourceControl)
|
|
}
|
|
|
|
func (transport *Transport) decorateContainerGroups(containerGroups []interface{}, context *azureRequestContext) []interface{} {
|
|
decoratedContainerGroups := make([]interface{}, 0)
|
|
|
|
for _, containerGroup := range containerGroups {
|
|
containerGroup = transport.decorateContainerGroup(containerGroup.(map[string]interface{}), context)
|
|
decoratedContainerGroups = append(decoratedContainerGroups, containerGroup)
|
|
}
|
|
|
|
return decoratedContainerGroups
|
|
}
|
|
|
|
func (transport *Transport) decorateContainerGroup(containerGroup map[string]interface{}, context *azureRequestContext) map[string]interface{} {
|
|
containerGroupId, ok := containerGroup["id"].(string)
|
|
if ok {
|
|
resourceControl := transport.findResourceControl(containerGroupId, context)
|
|
if resourceControl != nil {
|
|
containerGroup = decorateObject(containerGroup, resourceControl)
|
|
}
|
|
} else {
|
|
log.Printf("[WARN] [http,proxy,azure,decorate] [message: unable to find resource id property in container group]")
|
|
}
|
|
|
|
return containerGroup
|
|
}
|
|
|
|
func (transport *Transport) filterContainerGroups(containerGroups []interface{}, context *azureRequestContext) []interface{} {
|
|
filteredContainerGroups := make([]interface{}, 0)
|
|
|
|
for _, containerGroup := range containerGroups {
|
|
userCanAccessResource := false
|
|
containerGroup := containerGroup.(map[string]interface{})
|
|
portainerObject, ok := containerGroup["Portainer"].(map[string]interface{})
|
|
if ok {
|
|
resourceControl, ok := portainerObject["ResourceControl"].(*portainer.ResourceControl)
|
|
if ok {
|
|
userCanAccessResource = authorization.UserCanAccessResource(context.userID, context.userTeamIDs, resourceControl)
|
|
}
|
|
}
|
|
|
|
if context.isAdmin || userCanAccessResource {
|
|
filteredContainerGroups = append(filteredContainerGroups, containerGroup)
|
|
}
|
|
}
|
|
|
|
return filteredContainerGroups
|
|
}
|
|
|
|
func (transport *Transport) removeResourceControl(containerGroup map[string]interface{}, context *azureRequestContext) error {
|
|
containerGroupID, ok := containerGroup["id"].(string)
|
|
if ok {
|
|
resourceControl := transport.findResourceControl(containerGroupID, context)
|
|
if resourceControl != nil {
|
|
err := transport.dataStore.ResourceControl().DeleteResourceControl(resourceControl.ID)
|
|
return err
|
|
}
|
|
} else {
|
|
log.Printf("[WARN] [http,proxy,azure] [message: missign ID in container group]")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (transport *Transport) findResourceControl(containerGroupId string, context *azureRequestContext) *portainer.ResourceControl {
|
|
resourceControl := authorization.GetResourceControlByResourceIDAndType(containerGroupId, portainer.ContainerGroupResourceControl, context.resourceControls)
|
|
return resourceControl
|
|
}
|