feat(policy-RBAC): ensure RBAC policy overrides existing RBAC settings [R8S-777] (#1718)
This commit is contained in:
@@ -0,0 +1,175 @@
|
||||
package authorization
|
||||
|
||||
import (
|
||||
portainer "github.com/portainer/portainer/api"
|
||||
)
|
||||
|
||||
// ResolvedAccess represents the result of dynamic authorization resolution.
|
||||
// It contains both the computed role and its authorizations for convenience.
|
||||
type ResolvedAccess struct {
|
||||
Role *portainer.Role
|
||||
Authorizations portainer.Authorizations
|
||||
}
|
||||
|
||||
// ResolverInput contains all the data needed to resolve user access to an endpoint.
|
||||
// This struct is used to pass data to the resolution functions without requiring
|
||||
// database access, making it easier to test and allowing callers to control data fetching.
|
||||
type ResolverInput struct {
|
||||
User *portainer.User
|
||||
Endpoint *portainer.Endpoint
|
||||
EndpointGroup portainer.EndpointGroup
|
||||
UserMemberships []portainer.TeamMembership
|
||||
Roles []portainer.Role
|
||||
}
|
||||
|
||||
// ComputeBaseRole computes the user's role on an endpoint from base access settings.
|
||||
// It checks access in precedence order:
|
||||
// 1. User → Endpoint direct access
|
||||
// 2. User → Endpoint Group access (inherited)
|
||||
// 3. User's Teams → Endpoint access
|
||||
// 4. User's Teams → Endpoint Group access (inherited)
|
||||
//
|
||||
// Returns the first matching role, or nil if no access is configured.
|
||||
func ComputeBaseRole(input ResolverInput) *portainer.Role {
|
||||
group := input.EndpointGroup
|
||||
|
||||
// 1. Check user → endpoint direct access
|
||||
if role := GetRoleFromUserAccessPolicies(
|
||||
input.User.ID,
|
||||
input.Endpoint.UserAccessPolicies,
|
||||
input.Roles,
|
||||
); role != nil {
|
||||
return role
|
||||
}
|
||||
|
||||
// 2. Check user → endpoint group access (inherited)
|
||||
if role := GetRoleFromUserAccessPolicies(
|
||||
input.User.ID,
|
||||
group.UserAccessPolicies,
|
||||
input.Roles,
|
||||
); role != nil {
|
||||
return role
|
||||
}
|
||||
|
||||
// 3. Check user's teams → endpoint access
|
||||
if role := GetRoleFromTeamAccessPolicies(
|
||||
input.UserMemberships,
|
||||
input.Endpoint.TeamAccessPolicies,
|
||||
input.Roles,
|
||||
); role != nil {
|
||||
return role
|
||||
}
|
||||
|
||||
// 4. Check user's teams → endpoint group access (inherited)
|
||||
if role := GetRoleFromTeamAccessPolicies(
|
||||
input.UserMemberships,
|
||||
group.TeamAccessPolicies,
|
||||
input.Roles,
|
||||
); role != nil {
|
||||
return role
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// ResolveUserEndpointAccess resolves a user's effective access to an endpoint.
|
||||
// In CE, this returns the base role computed from endpoint/group access settings.
|
||||
// EE extends this to also consider applied RBAC policies.
|
||||
//
|
||||
// Returns nil if the user has no access to the endpoint.
|
||||
func ResolveUserEndpointAccess(input ResolverInput) *ResolvedAccess {
|
||||
role := ComputeBaseRole(input)
|
||||
if role == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
return &ResolvedAccess{
|
||||
Role: role,
|
||||
Authorizations: role.Authorizations,
|
||||
}
|
||||
}
|
||||
|
||||
// GetRoleFromUserAccessPolicies returns the role for a user from user access policies.
|
||||
// Returns nil if the user is not in the policies.
|
||||
func GetRoleFromUserAccessPolicies(
|
||||
userID portainer.UserID,
|
||||
policies portainer.UserAccessPolicies,
|
||||
roles []portainer.Role,
|
||||
) *portainer.Role {
|
||||
if policies == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
policy, ok := policies[userID]
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
|
||||
return FindRoleByID(policy.RoleID, roles)
|
||||
}
|
||||
|
||||
// GetRoleFromTeamAccessPolicies returns the highest priority role for a user
|
||||
// based on their team memberships and the team access policies.
|
||||
// If a user belongs to multiple teams with access, the role with highest priority wins.
|
||||
// Returns nil if none of the user's teams have access.
|
||||
func GetRoleFromTeamAccessPolicies(
|
||||
memberships []portainer.TeamMembership,
|
||||
policies portainer.TeamAccessPolicies,
|
||||
roles []portainer.Role,
|
||||
) *portainer.Role {
|
||||
if policies == nil || len(memberships) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Collect all roles from team memberships
|
||||
var matchingRoles []*portainer.Role
|
||||
for _, membership := range memberships {
|
||||
policy, ok := policies[membership.TeamID]
|
||||
if !ok {
|
||||
continue
|
||||
}
|
||||
|
||||
role := FindRoleByID(policy.RoleID, roles)
|
||||
if role != nil {
|
||||
matchingRoles = append(matchingRoles, role)
|
||||
}
|
||||
}
|
||||
|
||||
if len(matchingRoles) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Return the role with highest priority
|
||||
return GetHighestPriorityRole(matchingRoles)
|
||||
}
|
||||
|
||||
// GetHighestPriorityRole returns the role with the highest priority from a slice.
|
||||
// In Portainer's role system, higher priority numbers = higher priority (lower access usually gives higher priority).
|
||||
// Current role priorities from highest to lowest: Read-only User (6), Standard User (5),
|
||||
// Namespace Operator (4), Helpdesk (3), Operator (2), Environment Administrator (1).
|
||||
// Returns nil if the slice is empty.
|
||||
func GetHighestPriorityRole(roles []*portainer.Role) *portainer.Role {
|
||||
if len(roles) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
highest := roles[0]
|
||||
for _, role := range roles[1:] {
|
||||
if role.Priority > highest.Priority {
|
||||
highest = role
|
||||
}
|
||||
}
|
||||
|
||||
return highest
|
||||
}
|
||||
|
||||
// FindRoleByID finds a role by its ID in a slice of roles.
|
||||
// Returns nil if the role is not found.
|
||||
func FindRoleByID(roleID portainer.RoleID, roles []portainer.Role) *portainer.Role {
|
||||
for i := range roles {
|
||||
if roles[i].ID == roleID {
|
||||
return &roles[i]
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
Reference in New Issue
Block a user