Files
portainer/api/http/handler/stacks/create_kubernetes_stack.go
T
Yi Chen 05cd7094a5 fix(RBAC): authorize advanced deployment (#116)
* * removed authorization in stack deployment, will let k8s handling it

* * removed unused import

* + OperationK8sApplicationsAdvancedDeploymentRW for user
* check namespace authorization in k8s stack deployment endpoint

* - remove OperationK8sApplicationsAdvancedDeploymentRW from user
2020-11-30 13:02:05 +13:00

94 lines
3.4 KiB
Go

package stacks
import (
"errors"
"net/http"
"github.com/asaskevich/govalidator"
httperror "github.com/portainer/libhttp/error"
"github.com/portainer/libhttp/request"
"github.com/portainer/libhttp/response"
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/http/security"
)
type kubernetesStackPayload struct {
ComposeFormat bool
Namespace string
StackFileContent string
}
func (payload *kubernetesStackPayload) Validate(r *http.Request) error {
if govalidator.IsNull(payload.StackFileContent) {
return errors.New("Invalid stack file content")
}
if govalidator.IsNull(payload.Namespace) {
return errors.New("Invalid namespace")
}
return nil
}
type createKubernetesStackResponse struct {
Output string `json:"Output"`
}
func (handler *Handler) createKubernetesStack(w http.ResponseWriter, r *http.Request, endpoint *portainer.Endpoint) *httperror.HandlerError {
permissionDeniedErr := "Permission denied to access endpoint"
tokenData, err := security.RetrieveTokenData(r)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, permissionDeniedErr, err}
}
var payload kubernetesStackPayload
err = request.DecodeAndValidateJSONPayload(r, &payload)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
}
namespace := payload.Namespace
if tokenData.Role != portainer.AdministratorRole {
// check if the user has OperationK8sApplicationsAdvancedDeploymentRW access in the endpoint
endpointRole, err := handler.AuthorizationService.GetUserEndpointRole(int(tokenData.ID), int(endpoint.ID))
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, permissionDeniedErr, err}
} else if !endpointRole.Authorizations[portainer.OperationK8sApplicationsAdvancedDeploymentRW] {
err = errors.New(permissionDeniedErr)
return &httperror.HandlerError{http.StatusForbidden, permissionDeniedErr, err}
}
// will skip if user can access all namespaces
if !endpointRole.Authorizations[portainer.OperationK8sAccessAllNamespaces] {
cli, err := handler.KubernetesClientFactory.GetKubeClient(endpoint)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create Kubernetes client", err}
}
// check if the user has RW access to the namespace
namespaceAuthorizations, err := handler.AuthorizationService.GetNamespaceAuthorizations(int(tokenData.ID), *endpoint, cli)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, permissionDeniedErr, err}
} else if auth, ok := namespaceAuthorizations[namespace]; !ok || !auth[portainer.OperationK8sAccessNamespaceWrite] {
err = errors.New(permissionDeniedErr)
return &httperror.HandlerError{http.StatusForbidden, permissionDeniedErr, err}
}
}
}
output, err := handler.deployKubernetesStack(endpoint, payload.StackFileContent, payload.ComposeFormat, namespace)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to deploy Kubernetes stack", err}
}
resp := &createKubernetesStackResponse{
Output: string(output),
}
return response.JSON(w, resp)
}
func (handler *Handler) deployKubernetesStack(endpoint *portainer.Endpoint, data string, composeFormat bool, namespace string) ([]byte, error) {
handler.stackCreationMutex.Lock()
defer handler.stackCreationMutex.Unlock()
return handler.KubernetesDeployer.Deploy(endpoint, data, composeFormat, namespace)
}