feat(roles-management): integrate rbac extension (#6)

* refactor(rbac): move client extension code

* feat(app): remove checks for extension

* feat(rbac): remove checks for extensions

* feat(extensions): remove reference to rbac extensions

* feat(roles): add changes from codebase before removal of rbac

* refactor(security): remove rbac service

* refactor(security): use AdminAccess as an alias

* fix(access): rename policies type

* style(security): add comment about Aliasing AdminAccess to RestrictedAccess

* feat(bolt): add auth migration from ce to ee

* feat(stacks): use authorized access to stop/start stacks

* fix(bolt): supply right params to migrator

* feat(rbac): get authorization on client side
This commit is contained in:
Chaim Lev-Ari
2020-10-07 13:21:14 +03:00
committed by GitHub
parent 1a57f656e8
commit 8dba19694a
81 changed files with 2655 additions and 123 deletions
+10 -3
View File
@@ -65,7 +65,7 @@ func (handler *Handler) stackDelete(w http.ResponseWriter, r *http.Request) *htt
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find the endpoint associated to the stack inside the database", err}
}
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint, true)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}
@@ -114,7 +114,14 @@ func (handler *Handler) deleteExternalStack(r *http.Request, w http.ResponseWrit
return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: endpointId", err}
}
if !securityContext.IsAdmin {
user, err := handler.DataStore.User().User(securityContext.UserID)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to load user information from the database", err}
}
_, endpointResourceAccess := user.EndpointAuthorizations[portainer.EndpointID(endpointID)][portainer.EndpointResourcesAccess]
if !securityContext.IsAdmin && !endpointResourceAccess {
return &httperror.HandlerError{http.StatusUnauthorized, "Permission denied to delete the stack", httperrors.ErrUnauthorized}
}
@@ -133,7 +140,7 @@ func (handler *Handler) deleteExternalStack(r *http.Request, w http.ResponseWrit
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find the endpoint associated to the stack inside the database", err}
}
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint, true)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
}