feat(policy-RBAC): ensure RBAC policy overrides existing RBAC settings [R8S-777] (#1718)

This commit is contained in:
Ali
2026-02-10 23:44:44 +13:00
committed by GitHub
parent a1208974ac
commit 49e623dfeb
7 changed files with 590 additions and 204 deletions
+175
View File
@@ -0,0 +1,175 @@
package authorization
import (
portainer "github.com/portainer/portainer/api"
)
// ResolvedAccess represents the result of dynamic authorization resolution.
// It contains both the computed role and its authorizations for convenience.
type ResolvedAccess struct {
Role *portainer.Role
Authorizations portainer.Authorizations
}
// ResolverInput contains all the data needed to resolve user access to an endpoint.
// This struct is used to pass data to the resolution functions without requiring
// database access, making it easier to test and allowing callers to control data fetching.
type ResolverInput struct {
User *portainer.User
Endpoint *portainer.Endpoint
EndpointGroup portainer.EndpointGroup
UserMemberships []portainer.TeamMembership
Roles []portainer.Role
}
// ComputeBaseRole computes the user's role on an endpoint from base access settings.
// It checks access in precedence order:
// 1. User → Endpoint direct access
// 2. User → Endpoint Group access (inherited)
// 3. User's Teams → Endpoint access
// 4. User's Teams → Endpoint Group access (inherited)
//
// Returns the first matching role, or nil if no access is configured.
func ComputeBaseRole(input ResolverInput) *portainer.Role {
group := input.EndpointGroup
// 1. Check user → endpoint direct access
if role := GetRoleFromUserAccessPolicies(
input.User.ID,
input.Endpoint.UserAccessPolicies,
input.Roles,
); role != nil {
return role
}
// 2. Check user → endpoint group access (inherited)
if role := GetRoleFromUserAccessPolicies(
input.User.ID,
group.UserAccessPolicies,
input.Roles,
); role != nil {
return role
}
// 3. Check user's teams → endpoint access
if role := GetRoleFromTeamAccessPolicies(
input.UserMemberships,
input.Endpoint.TeamAccessPolicies,
input.Roles,
); role != nil {
return role
}
// 4. Check user's teams → endpoint group access (inherited)
if role := GetRoleFromTeamAccessPolicies(
input.UserMemberships,
group.TeamAccessPolicies,
input.Roles,
); role != nil {
return role
}
return nil
}
// ResolveUserEndpointAccess resolves a user's effective access to an endpoint.
// In CE, this returns the base role computed from endpoint/group access settings.
// EE extends this to also consider applied RBAC policies.
//
// Returns nil if the user has no access to the endpoint.
func ResolveUserEndpointAccess(input ResolverInput) *ResolvedAccess {
role := ComputeBaseRole(input)
if role == nil {
return nil
}
return &ResolvedAccess{
Role: role,
Authorizations: role.Authorizations,
}
}
// GetRoleFromUserAccessPolicies returns the role for a user from user access policies.
// Returns nil if the user is not in the policies.
func GetRoleFromUserAccessPolicies(
userID portainer.UserID,
policies portainer.UserAccessPolicies,
roles []portainer.Role,
) *portainer.Role {
if policies == nil {
return nil
}
policy, ok := policies[userID]
if !ok {
return nil
}
return FindRoleByID(policy.RoleID, roles)
}
// GetRoleFromTeamAccessPolicies returns the highest priority role for a user
// based on their team memberships and the team access policies.
// If a user belongs to multiple teams with access, the role with highest priority wins.
// Returns nil if none of the user's teams have access.
func GetRoleFromTeamAccessPolicies(
memberships []portainer.TeamMembership,
policies portainer.TeamAccessPolicies,
roles []portainer.Role,
) *portainer.Role {
if policies == nil || len(memberships) == 0 {
return nil
}
// Collect all roles from team memberships
var matchingRoles []*portainer.Role
for _, membership := range memberships {
policy, ok := policies[membership.TeamID]
if !ok {
continue
}
role := FindRoleByID(policy.RoleID, roles)
if role != nil {
matchingRoles = append(matchingRoles, role)
}
}
if len(matchingRoles) == 0 {
return nil
}
// Return the role with highest priority
return GetHighestPriorityRole(matchingRoles)
}
// GetHighestPriorityRole returns the role with the highest priority from a slice.
// In Portainer's role system, higher priority numbers = higher priority (lower access usually gives higher priority).
// Current role priorities from highest to lowest: Read-only User (6), Standard User (5),
// Namespace Operator (4), Helpdesk (3), Operator (2), Environment Administrator (1).
// Returns nil if the slice is empty.
func GetHighestPriorityRole(roles []*portainer.Role) *portainer.Role {
if len(roles) == 0 {
return nil
}
highest := roles[0]
for _, role := range roles[1:] {
if role.Priority > highest.Priority {
highest = role
}
}
return highest
}
// FindRoleByID finds a role by its ID in a slice of roles.
// Returns nil if the role is not found.
func FindRoleByID(roleID portainer.RoleID, roles []portainer.Role) *portainer.Role {
for i := range roles {
if roles[i].ID == roleID {
return &roles[i]
}
}
return nil
}
+405
View File
@@ -0,0 +1,405 @@
package authorization
import (
"testing"
portainer "github.com/portainer/portainer/api"
"github.com/stretchr/testify/assert"
)
// Test role fixtures
// In Portainer's role system, higher priority numbers = higher priority (more powerful).
// Order from highest to lowest: Read-only (4), Helpdesk (3), Operator (2), Admin (1).
var (
roleAdmin = portainer.Role{
ID: 1,
Name: "Environment Administrator",
Priority: 1,
Authorizations: portainer.Authorizations{"admin": true},
}
roleOperator = portainer.Role{
ID: 2,
Name: "Operator",
Priority: 2,
Authorizations: portainer.Authorizations{"operator": true},
}
roleHelpdesk = portainer.Role{
ID: 3,
Name: "Helpdesk",
Priority: 3,
Authorizations: portainer.Authorizations{"helpdesk": true},
}
roleReadOnly = portainer.Role{
ID: 4,
Name: "Read-only",
Priority: 4,
Authorizations: portainer.Authorizations{"readonly": true},
}
allRoles = []portainer.Role{roleAdmin, roleOperator, roleHelpdesk, roleReadOnly}
)
func TestComputeBaseRole_UserEndpointAccess(t *testing.T) {
is := assert.New(t)
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
GroupID: 1,
UserAccessPolicies: portainer.UserAccessPolicies{
1: {RoleID: roleOperator.ID},
},
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
EndpointGroup: portainer.EndpointGroup{},
UserMemberships: []portainer.TeamMembership{},
Roles: allRoles,
}
role := ComputeBaseRole(input)
is.NotNil(role)
is.Equal(roleOperator.ID, role.ID)
is.Equal("Operator", role.Name)
}
func TestComputeBaseRole_UserGroupAccess(t *testing.T) {
is := assert.New(t)
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
GroupID: 10,
UserAccessPolicies: portainer.UserAccessPolicies{}, // No direct access
}
groups := []portainer.EndpointGroup{
{
ID: 10,
UserAccessPolicies: portainer.UserAccessPolicies{
1: {RoleID: roleHelpdesk.ID}, // User has access via group
},
},
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
EndpointGroup: groups[0],
UserMemberships: []portainer.TeamMembership{},
Roles: allRoles,
}
role := ComputeBaseRole(input)
is.NotNil(role)
is.Equal(roleHelpdesk.ID, role.ID)
is.Equal("Helpdesk", role.Name)
}
func TestComputeBaseRole_TeamEndpointAccess(t *testing.T) {
is := assert.New(t)
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
GroupID: 1,
UserAccessPolicies: portainer.UserAccessPolicies{}, // No user access
TeamAccessPolicies: portainer.TeamAccessPolicies{
100: {RoleID: roleReadOnly.ID}, // Team 100 has access
},
}
memberships := []portainer.TeamMembership{
{UserID: 1, TeamID: 100}, // User is in team 100
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
EndpointGroup: portainer.EndpointGroup{},
UserMemberships: memberships,
Roles: allRoles,
}
role := ComputeBaseRole(input)
is.NotNil(role)
is.Equal(roleReadOnly.ID, role.ID)
}
func TestComputeBaseRole_TeamGroupAccess(t *testing.T) {
is := assert.New(t)
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
GroupID: 10,
UserAccessPolicies: portainer.UserAccessPolicies{},
TeamAccessPolicies: portainer.TeamAccessPolicies{}, // No direct team access
}
groups := []portainer.EndpointGroup{
{
ID: 10,
UserAccessPolicies: portainer.UserAccessPolicies{},
TeamAccessPolicies: portainer.TeamAccessPolicies{
100: {RoleID: roleOperator.ID}, // Team 100 has group access
},
},
}
memberships := []portainer.TeamMembership{
{UserID: 1, TeamID: 100},
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
EndpointGroup: groups[0],
UserMemberships: memberships,
Roles: allRoles,
}
role := ComputeBaseRole(input)
is.NotNil(role)
is.Equal(roleOperator.ID, role.ID)
}
func TestComputeBaseRole_Precedence(t *testing.T) {
is := assert.New(t)
t.Run("User endpoint access takes precedence over group access", func(t *testing.T) {
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
GroupID: 10,
UserAccessPolicies: portainer.UserAccessPolicies{
1: {RoleID: roleOperator.ID}, // Direct access
},
}
groups := []portainer.EndpointGroup{
{
ID: 10,
UserAccessPolicies: portainer.UserAccessPolicies{
1: {RoleID: roleAdmin.ID}, // Group access (higher role, but lower precedence)
},
},
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
EndpointGroup: groups[0],
Roles: allRoles,
}
role := ComputeBaseRole(input)
is.NotNil(role)
is.Equal(roleOperator.ID, role.ID, "Direct endpoint access should take precedence")
})
t.Run("User access takes precedence over team access", func(t *testing.T) {
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
GroupID: 1,
UserAccessPolicies: portainer.UserAccessPolicies{
1: {RoleID: roleHelpdesk.ID},
},
TeamAccessPolicies: portainer.TeamAccessPolicies{
100: {RoleID: roleAdmin.ID}, // Team has higher role
},
}
memberships := []portainer.TeamMembership{
{UserID: 1, TeamID: 100},
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
UserMemberships: memberships,
Roles: allRoles,
}
role := ComputeBaseRole(input)
is.NotNil(role)
is.Equal(roleHelpdesk.ID, role.ID, "User access should take precedence over team access")
})
t.Run("Team endpoint access takes precedence over team group access", func(t *testing.T) {
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
GroupID: 10,
TeamAccessPolicies: portainer.TeamAccessPolicies{
100: {RoleID: roleReadOnly.ID}, // Direct team endpoint access
},
}
groups := []portainer.EndpointGroup{
{
ID: 10,
TeamAccessPolicies: portainer.TeamAccessPolicies{
100: {RoleID: roleAdmin.ID}, // Team group access (higher role)
},
},
}
memberships := []portainer.TeamMembership{
{UserID: 1, TeamID: 100},
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
EndpointGroup: groups[0],
UserMemberships: memberships,
Roles: allRoles,
}
role := ComputeBaseRole(input)
is.NotNil(role)
is.Equal(roleReadOnly.ID, role.ID, "Team endpoint access should take precedence over team group access")
})
}
func TestComputeBaseRole_NoAccess(t *testing.T) {
is := assert.New(t)
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
GroupID: 10,
UserAccessPolicies: portainer.UserAccessPolicies{},
TeamAccessPolicies: portainer.TeamAccessPolicies{},
}
groups := []portainer.EndpointGroup{
{
ID: 10,
UserAccessPolicies: portainer.UserAccessPolicies{},
TeamAccessPolicies: portainer.TeamAccessPolicies{},
},
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
EndpointGroup: groups[0],
UserMemberships: []portainer.TeamMembership{},
Roles: allRoles,
}
role := ComputeBaseRole(input)
is.Nil(role)
}
func TestComputeBaseRole_MultipleTeams_HighestPriorityWins(t *testing.T) {
is := assert.New(t)
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
GroupID: 1,
TeamAccessPolicies: portainer.TeamAccessPolicies{
100: {RoleID: roleReadOnly.ID}, // Highest priority (4)
200: {RoleID: roleAdmin.ID}, // Lowest priority (1)
300: {RoleID: roleOperator.ID}, // Medium priority (2)
},
}
memberships := []portainer.TeamMembership{
{UserID: 1, TeamID: 100},
{UserID: 1, TeamID: 200},
{UserID: 1, TeamID: 300},
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
EndpointGroup: portainer.EndpointGroup{},
UserMemberships: memberships,
Roles: allRoles,
}
role := ComputeBaseRole(input)
is.NotNil(role)
is.Equal(roleReadOnly.ID, role.ID, "Highest priority role should be selected when user is in multiple teams")
}
func TestResolveUserEndpointAccess(t *testing.T) {
is := assert.New(t)
t.Run("Returns resolved access with role and authorizations", func(t *testing.T) {
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{
ID: 1,
UserAccessPolicies: portainer.UserAccessPolicies{
1: {RoleID: roleOperator.ID},
},
}
input := ResolverInput{
User: user,
Endpoint: endpoint,
Roles: allRoles,
}
access := ResolveUserEndpointAccess(input)
is.NotNil(access)
is.Equal(roleOperator.ID, access.Role.ID)
is.True(access.Authorizations["operator"])
})
t.Run("Returns nil when no access", func(t *testing.T) {
user := &portainer.User{ID: 1}
endpoint := &portainer.Endpoint{ID: 1}
input := ResolverInput{
User: user,
Endpoint: endpoint,
Roles: allRoles,
}
access := ResolveUserEndpointAccess(input)
is.Nil(access)
})
}
func TestFindRoleByID(t *testing.T) {
is := assert.New(t)
t.Run("Finds existing role", func(t *testing.T) {
role := FindRoleByID(roleOperator.ID, allRoles)
is.NotNil(role)
is.Equal(roleOperator.ID, role.ID)
})
t.Run("Returns nil for non-existent role", func(t *testing.T) {
role := FindRoleByID(999, allRoles)
is.Nil(role)
})
t.Run("Returns nil for empty roles slice", func(t *testing.T) {
role := FindRoleByID(1, []portainer.Role{})
is.Nil(role)
})
}
func TestGetHighestPriorityRole(t *testing.T) {
is := assert.New(t)
t.Run("Returns nil for empty slice", func(t *testing.T) {
result := GetHighestPriorityRole([]*portainer.Role{})
is.Nil(result)
})
t.Run("Returns single role", func(t *testing.T) {
result := GetHighestPriorityRole([]*portainer.Role{&roleOperator})
is.Equal(roleOperator.ID, result.ID)
})
t.Run("Returns highest priority from multiple roles", func(t *testing.T) {
result := GetHighestPriorityRole([]*portainer.Role{&roleReadOnly, &roleAdmin, &roleOperator})
is.Equal(roleReadOnly.ID, result.ID)
})
}