414e62503b
* fix(rbac): Not enforcing on backend for resource creation, application edit and console log operations of users that this should be prevented for * + k8s access user namespaces policy + debug logs * fix multiple authorization calculation issues * * use endpoint role rather than user role for calculating authorizations * * fix namespace role binding * * check user authorization in k8s pod exec * * fix some of the logging messages Co-authored-by: yi-portainer <yi.chen@portainer.io>
package websocket
import (
"github.com/gorilla/mux"
"github.com/gorilla/websocket"
httperror "github.com/portainer/libhttp/error"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/http/security"
"github.com/portainer/portainer/api/internal/authorization"
"github.com/portainer/portainer/api/kubernetes/cli"
)
// Handler is the HTTP handler used to handle websocket operations.
//
// It embeds a *mux.Router, so the routes registered by NewHandler are served
// through the Handler value itself.
type Handler struct {
	*mux.Router

	// Exported dependencies. NewHandler does not populate these, so they keep
	// their zero value until something else assigns them; presumably the
	// caller wires them up before requests are served (confirm at the
	// construction site).
	DataStore               portainer.DataStore
	SignatureService        portainer.DigitalSignatureService
	ReverseTunnelService    portainer.ReverseTunnelService
	KubernetesClientFactory *cli.ClientFactory

	// Unexported state, all set by NewHandler.
	//
	// authorizationService and requestBouncer are stored for use by the
	// websocket handlers, which are defined outside this file.
	authorizationService *authorization.Service
	requestBouncer       *security.RequestBouncer
	// connectionUpgrader is constructed as a zero-value Upgrader. With
	// CheckOrigin left unset, gorilla/websocket applies its default
	// same-origin check during the upgrade handshake.
	connectionUpgrader websocket.Upgrader
}
// NewHandler creates a handler to manage websocket operations.
//
// It builds a Handler around a fresh mux router and registers the three
// websocket endpoints (/websocket/exec, /websocket/attach, /websocket/pod).
// Only the router, the upgrader, bouncer and authorizationService are set
// here; the exported fields of Handler are left at their zero value.
//
// Every route is wrapped in bouncer.AuthenticatedAccess and nothing else, so
// this function adds no authorization check of its own at the routing layer.
// NOTE(review): any per-endpoint authorization presumably lives inside the
// individual handlers (they are not visible here) — confirm each one checks it.
func NewHandler(bouncer *security.RequestBouncer, authorizationService *authorization.Service) *Handler {
	handler := new(Handler)
	handler.Router = mux.NewRouter()
	handler.connectionUpgrader = websocket.Upgrader{}
	handler.requestBouncer = bouncer
	handler.authorizationService = authorizationService

	// Routes are registered in this order. PathPrefix matches any request
	// path that begins with the given prefix, not just the exact path.
	endpoints := []struct {
		prefix string
		serve  httperror.LoggerHandler
	}{
		{prefix: "/websocket/exec", serve: httperror.LoggerHandler(handler.websocketExec)},
		{prefix: "/websocket/attach", serve: httperror.LoggerHandler(handler.websocketAttach)},
		{prefix: "/websocket/pod", serve: httperror.LoggerHandler(handler.websocketPodExec)},
	}
	for _, ep := range endpoints {
		handler.PathPrefix(ep.prefix).Handler(bouncer.AuthenticatedAccess(ep.serve))
	}

	return handler
}