// Package portainer contains (among other things) the authorization service
// and the default per-role authorization sets that Portainer's RBAC is built on.
package portainer
// AuthorizationService represents a service used to
// update authorizations associated to a user or team.
//
// It recomputes each user's EndpointAuthorizations from the access policies
// stored on endpoints and endpoint groups, resolved through the roles those
// policies reference, and strips access policies when a user or team goes away.
type AuthorizationService struct {
	endpointService       EndpointService       // endpoints and their User/TeamAccessPolicies
	endpointGroupService  EndpointGroupService  // endpoint groups and their User/TeamAccessPolicies
	registryService       RegistryService       // registries; used here only to strip access policies
	roleService           RoleService           // roles looked up by RoleID and rewritten for volume browsing
	teamMembershipService TeamMembershipService // resolves the teams a user belongs to
	userService           UserService           // users whose EndpointAuthorizations are rewritten
}
// AuthorizationServiceParameters are the required parameters
// used to create a new AuthorizationService.
//
// Every field is stored as-is by NewAuthorizationService; nothing validates
// that a field is non-nil, so a missing service only fails on first use.
type AuthorizationServiceParameters struct {
	EndpointService       EndpointService
	EndpointGroupService  EndpointGroupService
	RegistryService       RegistryService
	RoleService           RoleService
	TeamMembershipService TeamMembershipService
	UserService           UserService
}
// NewAuthorizationService returns a pointer to a new AuthorizationService
// wired to the services carried by parameters.
//
// parameters must be non-nil (it is dereferenced unconditionally). The
// individual services are copied without validation.
func NewAuthorizationService(parameters *AuthorizationServiceParameters) *AuthorizationService {
	service := &AuthorizationService{}
	service.endpointService = parameters.EndpointService
	service.endpointGroupService = parameters.EndpointGroupService
	service.registryService = parameters.RegistryService
	service.roleService = parameters.RoleService
	service.teamMembershipService = parameters.TeamMembershipService
	service.userService = parameters.UserService
	return service
}
// DefaultEndpointAuthorizationsForEndpointAdministratorRole returns the default endpoint authorizations
// associated to the endpoint administrator role.
//
// This is the broadest endpoint role defined in this file: every Docker, agent
// and Portainer operation listed below is granted, including the *Prune
// operations, all five OperationDockerAgentBrowse* authorizations (volume
// browsing, per the helpers in this file), the OperationDockerUndefined /
// OperationDockerAgentUndefined entries and EndpointResourcesAccess.
// A fresh map is built on every call, so callers may mutate the result.
func DefaultEndpointAuthorizationsForEndpointAdministratorRole() Authorizations {
	granted := []Authorization{
		// containers
		OperationDockerContainerArchiveInfo,
		OperationDockerContainerList,
		OperationDockerContainerExport,
		OperationDockerContainerChanges,
		OperationDockerContainerInspect,
		OperationDockerContainerTop,
		OperationDockerContainerLogs,
		OperationDockerContainerStats,
		OperationDockerContainerAttachWebsocket,
		OperationDockerContainerArchive,
		OperationDockerContainerCreate,
		OperationDockerContainerPrune,
		OperationDockerContainerKill,
		OperationDockerContainerPause,
		OperationDockerContainerUnpause,
		OperationDockerContainerRestart,
		OperationDockerContainerStart,
		OperationDockerContainerStop,
		OperationDockerContainerWait,
		OperationDockerContainerResize,
		OperationDockerContainerAttach,
		OperationDockerContainerExec,
		OperationDockerContainerRename,
		OperationDockerContainerUpdate,
		OperationDockerContainerPutContainerArchive,
		OperationDockerContainerDelete,
		// images
		OperationDockerImageList,
		OperationDockerImageSearch,
		OperationDockerImageGetAll,
		OperationDockerImageGet,
		OperationDockerImageHistory,
		OperationDockerImageInspect,
		OperationDockerImageLoad,
		OperationDockerImageCreate,
		OperationDockerImagePrune,
		OperationDockerImagePush,
		OperationDockerImageTag,
		OperationDockerImageDelete,
		OperationDockerImageCommit,
		OperationDockerImageBuild,
		// networks
		OperationDockerNetworkList,
		OperationDockerNetworkInspect,
		OperationDockerNetworkCreate,
		OperationDockerNetworkConnect,
		OperationDockerNetworkDisconnect,
		OperationDockerNetworkPrune,
		OperationDockerNetworkDelete,
		// volumes
		OperationDockerVolumeList,
		OperationDockerVolumeInspect,
		OperationDockerVolumeCreate,
		OperationDockerVolumePrune,
		OperationDockerVolumeDelete,
		// exec
		OperationDockerExecInspect,
		OperationDockerExecStart,
		OperationDockerExecResize,
		// swarm
		OperationDockerSwarmInspect,
		OperationDockerSwarmUnlockKey,
		OperationDockerSwarmInit,
		OperationDockerSwarmJoin,
		OperationDockerSwarmLeave,
		OperationDockerSwarmUpdate,
		OperationDockerSwarmUnlock,
		// nodes
		OperationDockerNodeList,
		OperationDockerNodeInspect,
		OperationDockerNodeUpdate,
		OperationDockerNodeDelete,
		// services
		OperationDockerServiceList,
		OperationDockerServiceInspect,
		OperationDockerServiceLogs,
		OperationDockerServiceCreate,
		OperationDockerServiceUpdate,
		OperationDockerServiceDelete,
		// secrets
		OperationDockerSecretList,
		OperationDockerSecretInspect,
		OperationDockerSecretCreate,
		OperationDockerSecretUpdate,
		OperationDockerSecretDelete,
		// configs
		OperationDockerConfigList,
		OperationDockerConfigInspect,
		OperationDockerConfigCreate,
		OperationDockerConfigUpdate,
		OperationDockerConfigDelete,
		// tasks
		OperationDockerTaskList,
		OperationDockerTaskInspect,
		OperationDockerTaskLogs,
		// plugins
		OperationDockerPluginList,
		OperationDockerPluginPrivileges,
		OperationDockerPluginInspect,
		OperationDockerPluginPull,
		OperationDockerPluginCreate,
		OperationDockerPluginEnable,
		OperationDockerPluginDisable,
		OperationDockerPluginPush,
		OperationDockerPluginUpgrade,
		OperationDockerPluginSet,
		OperationDockerPluginDelete,
		// misc Docker
		OperationDockerSessionStart,
		OperationDockerDistributionInspect,
		OperationDockerBuildPrune,
		OperationDockerBuildCancel,
		OperationDockerPing,
		OperationDockerInfo,
		OperationDockerVersion,
		OperationDockerEvents,
		OperationDockerSystem,
		OperationDockerUndefined,
		// agent
		OperationDockerAgentPing,
		OperationDockerAgentList,
		OperationDockerAgentHostInfo,
		OperationDockerAgentBrowseDelete,
		OperationDockerAgentBrowseGet,
		OperationDockerAgentBrowseList,
		OperationDockerAgentBrowsePut,
		OperationDockerAgentBrowseRename,
		OperationDockerAgentUndefined,
		// Portainer
		OperationPortainerResourceControlCreate,
		OperationPortainerResourceControlUpdate,
		OperationPortainerStackList,
		OperationPortainerStackInspect,
		OperationPortainerStackFile,
		OperationPortainerStackCreate,
		OperationPortainerStackMigrate,
		OperationPortainerStackUpdate,
		OperationPortainerStackDelete,
		OperationPortainerWebsocketExec,
		OperationPortainerWebhookList,
		OperationPortainerWebhookCreate,
		OperationPortainerWebhookDelete,
		// integrations / endpoint resources
		OperationIntegrationStoridgeAdmin,
		EndpointResourcesAccess,
	}

	authorizations := make(map[Authorization]bool, len(granted))
	for _, operation := range granted {
		authorizations[operation] = true
	}
	return authorizations
}
// DefaultEndpointAuthorizationsForHelpDeskRole returns the default endpoint authorizations
// associated to the helpdesk role.
//
// The set is inspection-only: list/inspect/logs/stats style operations plus
// EndpointResourcesAccess; no Docker create, update or delete operation is
// granted. When volumeBrowsingAuthorizations is true, OperationDockerAgentBrowseGet
// and OperationDockerAgentBrowseList are added as well (read-side volume
// browsing; the write-side Browse* operations stay absent). The result is a
// fresh map on every call.
func DefaultEndpointAuthorizationsForHelpDeskRole(volumeBrowsingAuthorizations bool) Authorizations {
	granted := []Authorization{
		// containers (read only)
		OperationDockerContainerArchiveInfo,
		OperationDockerContainerList,
		OperationDockerContainerChanges,
		OperationDockerContainerInspect,
		OperationDockerContainerTop,
		OperationDockerContainerLogs,
		OperationDockerContainerStats,
		// images (read only)
		OperationDockerImageList,
		OperationDockerImageSearch,
		OperationDockerImageGetAll,
		OperationDockerImageGet,
		OperationDockerImageHistory,
		OperationDockerImageInspect,
		// networks / volumes (read only)
		OperationDockerNetworkList,
		OperationDockerNetworkInspect,
		OperationDockerVolumeList,
		OperationDockerVolumeInspect,
		// swarm objects (read only)
		OperationDockerSwarmInspect,
		OperationDockerNodeList,
		OperationDockerNodeInspect,
		OperationDockerServiceList,
		OperationDockerServiceInspect,
		OperationDockerServiceLogs,
		OperationDockerSecretList,
		OperationDockerSecretInspect,
		OperationDockerConfigList,
		OperationDockerConfigInspect,
		OperationDockerTaskList,
		OperationDockerTaskInspect,
		OperationDockerTaskLogs,
		OperationDockerPluginList,
		OperationDockerDistributionInspect,
		// daemon level (read only)
		OperationDockerPing,
		OperationDockerInfo,
		OperationDockerVersion,
		OperationDockerEvents,
		OperationDockerSystem,
		// agent (read only)
		OperationDockerAgentPing,
		OperationDockerAgentList,
		OperationDockerAgentHostInfo,
		// Portainer (read only)
		OperationPortainerStackList,
		OperationPortainerStackInspect,
		OperationPortainerStackFile,
		OperationPortainerWebhookList,
		EndpointResourcesAccess,
	}
	if volumeBrowsingAuthorizations {
		granted = append(granted, OperationDockerAgentBrowseGet, OperationDockerAgentBrowseList)
	}

	authorizations := make(map[Authorization]bool, len(granted))
	for _, operation := range granted {
		authorizations[operation] = true
	}
	return authorizations
}
// DefaultEndpointAuthorizationsForStandardUserRole returns the default endpoint authorizations
// associated to the standard user role.
//
// Compared with the endpoint administrator set this role lacks the four
// *Prune operations, OperationPortainerResourceControlCreate,
// OperationPortainerWebhookDelete, OperationIntegrationStoridgeAdmin and
// EndpointResourcesAccess, and only receives the OperationDockerAgentBrowse*
// authorizations when volumeBrowsingAuthorizations is true — in which case it
// gets all five (Get, List, Delete, Put, Rename), i.e. the write side too.
//
// NOTE(review): the set still includes cluster-wide mutations (swarm
// init/join/leave/unlock/unlock-key, node update/delete, secret and config
// writes, plugin management) and the OperationDockerUndefined /
// OperationDockerAgentUndefined entries; confirm this matches the intended
// trust level of a "standard" user.
func DefaultEndpointAuthorizationsForStandardUserRole(volumeBrowsingAuthorizations bool) Authorizations {
	granted := []Authorization{
		// containers (no prune)
		OperationDockerContainerArchiveInfo,
		OperationDockerContainerList,
		OperationDockerContainerExport,
		OperationDockerContainerChanges,
		OperationDockerContainerInspect,
		OperationDockerContainerTop,
		OperationDockerContainerLogs,
		OperationDockerContainerStats,
		OperationDockerContainerAttachWebsocket,
		OperationDockerContainerArchive,
		OperationDockerContainerCreate,
		OperationDockerContainerKill,
		OperationDockerContainerPause,
		OperationDockerContainerUnpause,
		OperationDockerContainerRestart,
		OperationDockerContainerStart,
		OperationDockerContainerStop,
		OperationDockerContainerWait,
		OperationDockerContainerResize,
		OperationDockerContainerAttach,
		OperationDockerContainerExec,
		OperationDockerContainerRename,
		OperationDockerContainerUpdate,
		OperationDockerContainerPutContainerArchive,
		OperationDockerContainerDelete,
		// images (no prune)
		OperationDockerImageList,
		OperationDockerImageSearch,
		OperationDockerImageGetAll,
		OperationDockerImageGet,
		OperationDockerImageHistory,
		OperationDockerImageInspect,
		OperationDockerImageLoad,
		OperationDockerImageCreate,
		OperationDockerImagePush,
		OperationDockerImageTag,
		OperationDockerImageDelete,
		OperationDockerImageCommit,
		OperationDockerImageBuild,
		// networks (no prune)
		OperationDockerNetworkList,
		OperationDockerNetworkInspect,
		OperationDockerNetworkCreate,
		OperationDockerNetworkConnect,
		OperationDockerNetworkDisconnect,
		OperationDockerNetworkDelete,
		// volumes (no prune)
		OperationDockerVolumeList,
		OperationDockerVolumeInspect,
		OperationDockerVolumeCreate,
		OperationDockerVolumeDelete,
		// exec
		OperationDockerExecInspect,
		OperationDockerExecStart,
		OperationDockerExecResize,
		// swarm
		OperationDockerSwarmInspect,
		OperationDockerSwarmUnlockKey,
		OperationDockerSwarmInit,
		OperationDockerSwarmJoin,
		OperationDockerSwarmLeave,
		OperationDockerSwarmUpdate,
		OperationDockerSwarmUnlock,
		// nodes
		OperationDockerNodeList,
		OperationDockerNodeInspect,
		OperationDockerNodeUpdate,
		OperationDockerNodeDelete,
		// services
		OperationDockerServiceList,
		OperationDockerServiceInspect,
		OperationDockerServiceLogs,
		OperationDockerServiceCreate,
		OperationDockerServiceUpdate,
		OperationDockerServiceDelete,
		// secrets
		OperationDockerSecretList,
		OperationDockerSecretInspect,
		OperationDockerSecretCreate,
		OperationDockerSecretUpdate,
		OperationDockerSecretDelete,
		// configs
		OperationDockerConfigList,
		OperationDockerConfigInspect,
		OperationDockerConfigCreate,
		OperationDockerConfigUpdate,
		OperationDockerConfigDelete,
		// tasks
		OperationDockerTaskList,
		OperationDockerTaskInspect,
		OperationDockerTaskLogs,
		// plugins
		OperationDockerPluginList,
		OperationDockerPluginPrivileges,
		OperationDockerPluginInspect,
		OperationDockerPluginPull,
		OperationDockerPluginCreate,
		OperationDockerPluginEnable,
		OperationDockerPluginDisable,
		OperationDockerPluginPush,
		OperationDockerPluginUpgrade,
		OperationDockerPluginSet,
		OperationDockerPluginDelete,
		// misc Docker
		OperationDockerSessionStart,
		OperationDockerDistributionInspect,
		OperationDockerBuildPrune,
		OperationDockerBuildCancel,
		OperationDockerPing,
		OperationDockerInfo,
		OperationDockerVersion,
		OperationDockerEvents,
		OperationDockerSystem,
		OperationDockerUndefined,
		// agent (browse operations are gated by the flag below)
		OperationDockerAgentPing,
		OperationDockerAgentList,
		OperationDockerAgentHostInfo,
		OperationDockerAgentUndefined,
		// Portainer
		OperationPortainerResourceControlUpdate,
		OperationPortainerStackList,
		OperationPortainerStackInspect,
		OperationPortainerStackFile,
		OperationPortainerStackCreate,
		OperationPortainerStackMigrate,
		OperationPortainerStackUpdate,
		OperationPortainerStackDelete,
		OperationPortainerWebsocketExec,
		OperationPortainerWebhookList,
		OperationPortainerWebhookCreate,
	}
	if volumeBrowsingAuthorizations {
		granted = append(granted,
			OperationDockerAgentBrowseGet,
			OperationDockerAgentBrowseList,
			OperationDockerAgentBrowseDelete,
			OperationDockerAgentBrowsePut,
			OperationDockerAgentBrowseRename,
		)
	}

	authorizations := make(map[Authorization]bool, len(granted))
	for _, operation := range granted {
		authorizations[operation] = true
	}
	return authorizations
}
// DefaultEndpointAuthorizationsForReadOnlyUserRole returns the default endpoint authorizations
// associated to the readonly user role.
//
// The set is identical to the helpdesk role's except that
// EndpointResourcesAccess is not granted. When volumeBrowsingAuthorizations is
// true, OperationDockerAgentBrowseGet and OperationDockerAgentBrowseList are
// added (read-side volume browsing only). The result is a fresh map on every
// call.
func DefaultEndpointAuthorizationsForReadOnlyUserRole(volumeBrowsingAuthorizations bool) Authorizations {
	granted := []Authorization{
		// containers (read only)
		OperationDockerContainerArchiveInfo,
		OperationDockerContainerList,
		OperationDockerContainerChanges,
		OperationDockerContainerInspect,
		OperationDockerContainerTop,
		OperationDockerContainerLogs,
		OperationDockerContainerStats,
		// images (read only)
		OperationDockerImageList,
		OperationDockerImageSearch,
		OperationDockerImageGetAll,
		OperationDockerImageGet,
		OperationDockerImageHistory,
		OperationDockerImageInspect,
		// networks / volumes (read only)
		OperationDockerNetworkList,
		OperationDockerNetworkInspect,
		OperationDockerVolumeList,
		OperationDockerVolumeInspect,
		// swarm objects (read only)
		OperationDockerSwarmInspect,
		OperationDockerNodeList,
		OperationDockerNodeInspect,
		OperationDockerServiceList,
		OperationDockerServiceInspect,
		OperationDockerServiceLogs,
		OperationDockerSecretList,
		OperationDockerSecretInspect,
		OperationDockerConfigList,
		OperationDockerConfigInspect,
		OperationDockerTaskList,
		OperationDockerTaskInspect,
		OperationDockerTaskLogs,
		OperationDockerPluginList,
		OperationDockerDistributionInspect,
		// daemon level (read only)
		OperationDockerPing,
		OperationDockerInfo,
		OperationDockerVersion,
		OperationDockerEvents,
		OperationDockerSystem,
		// agent (read only)
		OperationDockerAgentPing,
		OperationDockerAgentList,
		OperationDockerAgentHostInfo,
		// Portainer (read only)
		OperationPortainerStackList,
		OperationPortainerStackInspect,
		OperationPortainerStackFile,
		OperationPortainerWebhookList,
	}
	if volumeBrowsingAuthorizations {
		granted = append(granted, OperationDockerAgentBrowseGet, OperationDockerAgentBrowseList)
	}

	authorizations := make(map[Authorization]bool, len(granted))
	for _, operation := range granted {
		authorizations[operation] = true
	}
	return authorizations
}
// DefaultPortainerAuthorizations returns the default Portainer authorizations used by non-admin users.
//
// These are Portainer-level (not endpoint-level) operations: listing and
// inspecting endpoints, groups, registries, teams, templates and users, the
// MOTD and extension listing, and adding/removing endpoint extensions. A fresh
// map is returned on every call.
func DefaultPortainerAuthorizations() Authorizations {
	granted := []Authorization{
		OperationPortainerDockerHubInspect,
		OperationPortainerEndpointGroupList,
		OperationPortainerEndpointList,
		OperationPortainerEndpointInspect,
		OperationPortainerEndpointExtensionAdd,
		OperationPortainerEndpointExtensionRemove,
		OperationPortainerExtensionList,
		OperationPortainerMOTD,
		OperationPortainerRegistryList,
		OperationPortainerRegistryInspect,
		OperationPortainerTeamList,
		OperationPortainerTemplateList,
		OperationPortainerTemplateInspect,
		OperationPortainerUserList,
		OperationPortainerUserInspect,
		OperationPortainerUserMemberships,
	}

	authorizations := make(map[Authorization]bool, len(granted))
	for _, operation := range granted {
		authorizations[operation] = true
	}
	return authorizations
}
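// UpdateVolumeBrowsingAuthorizations rewrites the volume browsing
// authorizations (OperationDockerAgentBrowse*) of every role except the
// endpoint administrator (RoleID 1) and persists each modified role.
//
// NOTE(review): the parameter is named remove, and the original comment
// described true as "drop the authorizations", but the helper this method
// delegates to grants the browse authorizations when the flag is true and
// deletes them when it is false. The call site is not visible in this file;
// confirm whether the flag actually means "allow volume browsing" before
// relying on the name.
//
// Only the roles are updated. Users' stored EndpointAuthorizations are not
// recomputed here; if the authorization check reads those stored values
// (verify), the change becomes effective only after UpdateUsersAuthorizations.
// On a persistence error the method returns immediately; roles updated before
// the failure stay updated.
//
// Receiver is a pointer for consistency with the other methods of the type.
func (service *AuthorizationService) UpdateVolumeBrowsingAuthorizations(remove bool) error {
	roles, err := service.roleService.Roles()
	if err != nil {
		return err
	}

	for i := range roles {
		role := &roles[i]
		// The endpoint administrator role keeps its full authorization set.
		if role.ID == RoleID(1) {
			continue
		}
		updateRoleVolumeBrowsingAuthorizations(role, remove)
		if err := service.roleService.UpdateRole(role.ID, role); err != nil {
			return err
		}
	}
	return nil
}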
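// updateRoleVolumeBrowsingAuthorizations mutates role.Authorizations in place.
//
// When removeAuthorizations is false, all five OperationDockerAgentBrowse*
// authorizations are deleted. When it is true, BrowseGet and BrowseList are
// granted, and RoleID 3 (the standard user, per the original comment)
// additionally gets BrowseDelete, BrowsePut and BrowseRename — the write side
// of volume browsing.
//
// NOTE(review): this is the opposite of what the parameter name suggests
// (true grants, false removes); see UpdateVolumeBrowsingAuthorizations.
//
// A role whose Authorizations map is nil is handled: deletes are no-ops on a
// nil map, and a map is allocated before granting, which avoids the panic a
// write to a nil map would otherwise cause.
func updateRoleVolumeBrowsingAuthorizations(role *Role, removeAuthorizations bool) {
	if !removeAuthorizations {
		for _, operation := range []Authorization{
			OperationDockerAgentBrowseDelete,
			OperationDockerAgentBrowseGet,
			OperationDockerAgentBrowseList,
			OperationDockerAgentBrowsePut,
			OperationDockerAgentBrowseRename,
		} {
			delete(role.Authorizations, operation)
		}
		return
	}

	// Writing to a nil map panics; a role persisted without any
	// authorizations needs a map before the grants below.
	if role.Authorizations == nil {
		role.Authorizations = map[Authorization]bool{}
	}
	role.Authorizations[OperationDockerAgentBrowseGet] = true
	role.Authorizations[OperationDockerAgentBrowseList] = true

	// Standard-user: also allowed to modify volume contents.
	if role.ID == RoleID(3) {
		role.Authorizations[OperationDockerAgentBrowseDelete] = true
		role.Authorizations[OperationDockerAgentBrowsePut] = true
		role.Authorizations[OperationDockerAgentBrowseRename] = true
	}
}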
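// RemoveTeamAccessPolicies will remove all existing access policies associated to the specified team
// from every endpoint, endpoint group and registry, persist each changed
// object, and finally recompute the endpoint authorizations of all users so
// that members of the team lose what those policies granted.
//
// Each object is persisted as soon as its policy is deleted. On a persistence
// error the method returns immediately without rolling back earlier updates,
// and the users' authorizations are NOT recomputed in that case — a caller
// should treat the error as "retry the whole operation".
func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) error {
	endpoints, err := service.endpointService.Endpoints()
	if err != nil {
		return err
	}
	for i := range endpoints {
		endpoint := &endpoints[i]
		// Direct lookup instead of scanning every policy key; only objects
		// that actually held a policy for the team are written back.
		if _, ok := endpoint.TeamAccessPolicies[teamID]; !ok {
			continue
		}
		delete(endpoint.TeamAccessPolicies, teamID)
		if err := service.endpointService.UpdateEndpoint(endpoint.ID, endpoint); err != nil {
			return err
		}
	}

	endpointGroups, err := service.endpointGroupService.EndpointGroups()
	if err != nil {
		return err
	}
	for i := range endpointGroups {
		endpointGroup := &endpointGroups[i]
		if _, ok := endpointGroup.TeamAccessPolicies[teamID]; !ok {
			continue
		}
		delete(endpointGroup.TeamAccessPolicies, teamID)
		if err := service.endpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup); err != nil {
			return err
		}
	}

	registries, err := service.registryService.Registries()
	if err != nil {
		return err
	}
	for i := range registries {
		registry := &registries[i]
		if _, ok := registry.TeamAccessPolicies[teamID]; !ok {
			continue
		}
		delete(registry.TeamAccessPolicies, teamID)
		if err := service.registryService.UpdateRegistry(registry.ID, registry); err != nil {
			return err
		}
	}

	// Stored user authorizations are derived from the policies removed above.
	return service.UpdateUsersAuthorizations()
}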
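// RemoveUserAccessPolicies will remove all existing access policies associated to the specified user
// from every endpoint, endpoint group and registry and persist each changed
// object.
//
// Unlike RemoveTeamAccessPolicies, this does not recompute any user's
// EndpointAuthorizations afterwards — presumably because the caller is about
// to delete the user. If it is ever called for a user that remains, that
// user's stored EndpointAuthorizations keep the old grants until the next
// recomputation (verify against the call site).
//
// Each object is persisted as soon as its policy is deleted; on an error the
// method returns immediately and earlier updates are not rolled back.
func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) error {
	endpoints, err := service.endpointService.Endpoints()
	if err != nil {
		return err
	}
	for i := range endpoints {
		endpoint := &endpoints[i]
		// Direct lookup instead of scanning every policy key; only objects
		// that actually held a policy for the user are written back.
		if _, ok := endpoint.UserAccessPolicies[userID]; !ok {
			continue
		}
		delete(endpoint.UserAccessPolicies, userID)
		if err := service.endpointService.UpdateEndpoint(endpoint.ID, endpoint); err != nil {
			return err
		}
	}

	endpointGroups, err := service.endpointGroupService.EndpointGroups()
	if err != nil {
		return err
	}
	for i := range endpointGroups {
		endpointGroup := &endpointGroups[i]
		if _, ok := endpointGroup.UserAccessPolicies[userID]; !ok {
			continue
		}
		delete(endpointGroup.UserAccessPolicies, userID)
		if err := service.endpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup); err != nil {
			return err
		}
	}

	registries, err := service.registryService.Registries()
	if err != nil {
		return err
	}
	for i := range registries {
		registry := &registries[i]
		if _, ok := registry.UserAccessPolicies[userID]; !ok {
			continue
		}
		delete(registry.UserAccessPolicies, userID)
		if err := service.registryService.UpdateRegistry(registry.ID, registry); err != nil {
			return err
		}
	}

	return nil
}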
// UpdateUsersAuthorizations will trigger an update of the authorizations for all the users.
//
// Every user is reloaded and rewritten through updateUserAuthorizations, in
// the order returned by the user service. The first error stops the loop;
// users processed before it keep their freshly written authorizations.
func (service *AuthorizationService) UpdateUsersAuthorizations() error {
	allUsers, err := service.userService.Users()
	if err != nil {
		return err
	}

	for i := range allUsers {
		if err := service.updateUserAuthorizations(allUsers[i].ID); err != nil {
			return err
		}
	}
	return nil
}
// updateUserAuthorizations recomputes and persists the EndpointAuthorizations
// of a single user.
//
// The user is loaded fresh by ID, its per-endpoint authorizations are derived
// via getAuthorizations, and the whole user object is written back through
// the user service. Nothing is written when either the load or the derivation
// fails.
func (service *AuthorizationService) updateUserAuthorizations(userID UserID) error {
	target, err := service.userService.User(userID)
	if err != nil {
		return err
	}

	computed, err := service.getAuthorizations(target)
	if err != nil {
		return err
	}

	target.EndpointAuthorizations = computed
	return service.userService.UpdateUser(userID, target)
}
// getAuthorizations derives the per-endpoint authorizations of user.
//
// A user whose Role is AdministratorRole gets an empty (non-nil) map without
// any lookups; administrator access is presumably enforced elsewhere. For
// every other user the team memberships, endpoints, endpoint groups and roles
// are loaded and handed to getUserEndpointAuthorizations. On any loading
// error an empty map is returned together with the error.
func (service *AuthorizationService) getAuthorizations(user *User) (EndpointAuthorizations, error) {
	if user.Role == AdministratorRole {
		return EndpointAuthorizations{}, nil
	}

	memberships, err := service.teamMembershipService.TeamMembershipsByUserID(user.ID)
	if err != nil {
		return EndpointAuthorizations{}, err
	}
	endpoints, err := service.endpointService.Endpoints()
	if err != nil {
		return EndpointAuthorizations{}, err
	}
	groups, err := service.endpointGroupService.EndpointGroups()
	if err != nil {
		return EndpointAuthorizations{}, err
	}
	roles, err := service.roleService.Roles()
	if err != nil {
		return EndpointAuthorizations{}, err
	}

	return getUserEndpointAuthorizations(user, endpoints, groups, roles, memberships), nil
}
// getUserEndpointAuthorizations computes, for every endpoint, the
// Authorizations the user ends up with, keyed by endpoint ID.
//
// For each endpoint the policies are consulted in this order and the first
// one yielding a non-empty Authorizations set wins:
//  1. the user's own policy on the endpoint,
//  2. the user's policy on the endpoint's group,
//  3. the policies of the user's teams on the endpoint,
//  4. the policies of the user's teams on the endpoint's group.
// Because the first non-empty result is final, a direct user policy overrides
// any team policy even when the team policy references a higher-priority role.
// Endpoints where nothing matches are absent from the result.
func getUserEndpointAuthorizations(user *User, endpoints []Endpoint, endpointGroups []EndpointGroup, roles []Role, userMemberships []TeamMembership) EndpointAuthorizations {
	// Index group policies by group ID so each endpoint resolves its group in O(1).
	userPoliciesByGroup := make(map[EndpointGroupID]UserAccessPolicies, len(endpointGroups))
	teamPoliciesByGroup := make(map[EndpointGroupID]TeamAccessPolicies, len(endpointGroups))
	for i := range endpointGroups {
		group := &endpointGroups[i]
		userPoliciesByGroup[group.ID] = group.UserAccessPolicies
		teamPoliciesByGroup[group.ID] = group.TeamAccessPolicies
	}

	result := make(EndpointAuthorizations)
	for i := range endpoints {
		endpoint := &endpoints[i]
		if found := getAuthorizationsFromUserEndpointPolicy(user, endpoint, roles); len(found) > 0 {
			result[endpoint.ID] = found
		} else if found := getAuthorizationsFromUserEndpointGroupPolicy(user, endpoint, roles, userPoliciesByGroup); len(found) > 0 {
			result[endpoint.ID] = found
		} else if found := getAuthorizationsFromTeamEndpointPolicies(userMemberships, endpoint, roles); len(found) > 0 {
			result[endpoint.ID] = found
		} else if found := getAuthorizationsFromTeamEndpointGroupPolicies(userMemberships, endpoint, roles, teamPoliciesByGroup); len(found) > 0 {
			result[endpoint.ID] = found
		}
	}
	return result
}
// getAuthorizationsFromUserEndpointPolicy resolves the user's own access policy
// on endpoint, if any, to the Authorizations of the role it references.
// Returns nil when the user has no policy on this endpoint.
func getAuthorizationsFromUserEndpointPolicy(user *User, endpoint *Endpoint, roles []Role) Authorizations {
	roleIDs := make([]RoleID, 0, 1)
	if policy, found := endpoint.UserAccessPolicies[user.ID]; found {
		roleIDs = append(roleIDs, policy.RoleID)
	}
	return getAuthorizationsFromRoles(roleIDs, roles)
}
// getAuthorizationsFromUserEndpointGroupPolicy resolves the user's access
// policy on the group the endpoint belongs to, if any, to the Authorizations
// of the role it references.
//
// groupAccessPolicies is keyed by group ID; a missing group yields a nil
// policy map and therefore no role, so the result is nil in that case.
func getAuthorizationsFromUserEndpointGroupPolicy(user *User, endpoint *Endpoint, roles []Role, groupAccessPolicies map[EndpointGroupID]UserAccessPolicies) Authorizations {
	roleIDs := make([]RoleID, 0, 1)
	groupPolicies := groupAccessPolicies[endpoint.GroupID]
	if policy, found := groupPolicies[user.ID]; found {
		roleIDs = append(roleIDs, policy.RoleID)
	}
	return getAuthorizationsFromRoles(roleIDs, roles)
}
// getAuthorizationsFromTeamEndpointPolicies collects the roles granted on
// endpoint to each team in memberships and returns the Authorizations of the
// highest-priority one (see getAuthorizationsFromRoles). Returns nil when none
// of the teams has a policy on the endpoint.
func getAuthorizationsFromTeamEndpointPolicies(memberships []TeamMembership, endpoint *Endpoint, roles []Role) Authorizations {
	roleIDs := make([]RoleID, 0, len(memberships))
	for i := range memberships {
		if policy, found := endpoint.TeamAccessPolicies[memberships[i].TeamID]; found {
			roleIDs = append(roleIDs, policy.RoleID)
		}
	}
	return getAuthorizationsFromRoles(roleIDs, roles)
}
// getAuthorizationsFromTeamEndpointGroupPolicies collects the roles granted on
// the endpoint's group to each team in memberships and returns the
// Authorizations of the highest-priority one (see getAuthorizationsFromRoles).
//
// groupAccessPolicies is keyed by group ID; a missing group yields a nil
// policy map, so no role is collected and the result is nil.
func getAuthorizationsFromTeamEndpointGroupPolicies(memberships []TeamMembership, endpoint *Endpoint, roles []Role, groupAccessPolicies map[EndpointGroupID]TeamAccessPolicies) Authorizations {
	groupPolicies := groupAccessPolicies[endpoint.GroupID]
	roleIDs := make([]RoleID, 0, len(memberships))
	for i := range memberships {
		if policy, found := groupPolicies[memberships[i].TeamID]; found {
			roleIDs = append(roleIDs, policy.RoleID)
		}
	}
	return getAuthorizationsFromRoles(roleIDs, roles)
}
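// getAuthorizationsFromRoles resolves roleIdentifiers against roles and
// returns the Authorizations of the referenced role with the highest Priority.
//
// The returned map is the matching role's own Authorizations map, not a copy;
// callers that store it (user.EndpointAuthorizations) must not mutate it.
//
// Returns nil when no identifier matches a role, or when every matching role
// has Priority <= 0: the comparison is strict against an initial 0, so such a
// role can never be selected (presumably priorities start at 1 — verify).
// On equal priorities the first match in roleIdentifiers order wins; when
// roles contains duplicate IDs the first occurrence is used, as the original
// linear scan did.
func getAuthorizationsFromRoles(roleIdentifiers []RoleID, roles []Role) Authorizations {
	if len(roleIdentifiers) == 0 || len(roles) == 0 {
		return nil
	}

	// Index roles once rather than rescanning the slice for every identifier.
	rolesByID := make(map[RoleID]*Role, len(roles))
	for i := range roles {
		if _, seen := rolesByID[roles[i].ID]; !seen {
			rolesByID[roles[i].ID] = &roles[i]
		}
	}

	var authorizations Authorizations
	highestPriority := 0
	for _, id := range roleIdentifiers {
		role, ok := rolesByID[id]
		if !ok {
			continue
		}
		// Strict comparison: ties keep the earlier identifier, priority 0 is skipped.
		if role.Priority > highestPriority {
			highestPriority = role.Priority
			authorizations = role.Authorizations
		}
	}
	return authorizations
}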