security

package
v0.0.0-...-270f78c Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 31, 2023 License: Zlib Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrAuthorizationRequired = errors.New("Authorization required for this operation")
)

Functions

func AuthorizedAccess

func AuthorizedAccess(userID portainer.UserID, memberships []portainer.TeamMembership, userAccessPolicies portainer.UserAccessPolicies, teamAccessPolicies portainer.TeamAccessPolicies) bool

AuthorizedAccess verifies the userID or memberships are authorized to use an object per the supplied access policies

func AuthorizedEndpointAccess

func AuthorizedEndpointAccess(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool

AuthorizedEndpointAccess ensure that the user can access the specified environment(endpoint). It will check if the user is part of the authorized users or part of a team that is listed in the authorized teams of the environment(endpoint) and the associated group.

func AuthorizedIsAdmin

func AuthorizedIsAdmin(context *RestrictedRequestContext) bool

AuthorizedIsAdmin ensure that the user is an admin

func AuthorizedIsTeamLeader

func AuthorizedIsTeamLeader(context *RestrictedRequestContext) bool

AuthorizedIsTeamLeader ensure that the user is an admin or a team leader

func AuthorizedRegistryAccess

func AuthorizedRegistryAccess(registry *portainer.Registry, user *portainer.User, teamMemberships []portainer.TeamMembership, endpointID portainer.EndpointID) bool

AuthorizedRegistryAccess ensure that the user can access the specified registry. It will check if the user is part of the authorized users or part of a team that is listed in the authorized teams for a specified environment(endpoint),

func AuthorizedResourceControlAccess

func AuthorizedResourceControlAccess(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool

AuthorizedResourceControlAccess checks whether the user can alter an existing resource control.

func AuthorizedResourceControlUpdate

func AuthorizedResourceControlUpdate(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool

AuthorizedResourceControlUpdate ensure that the user can update a resource control object. A non-administrator user cannot create a resource control where: * the Public flag is set false * the AdministratorsOnly flag is set to true * he wants to create a resource control without any user/team accesses * he wants to add more than one user in the user accesses * he wants to add a user in the user accesses that is not corresponding to its id * he wants to add a team he is not a member of

func AuthorizedTeamManagement

func AuthorizedTeamManagement(teamID portainer.TeamID, context *RestrictedRequestContext) bool

AuthorizedTeamManagement ensure that access to the management of the specified team is granted. It will check if the user is either administrator or leader of that team.

func FilterEndpointGroups

func FilterEndpointGroups(endpointGroups []portainer.EndpointGroup, context *RestrictedRequestContext) []portainer.EndpointGroup

FilterEndpointGroups filters environment(endpoint) groups based on user role and team memberships. Non administrator users only have access to authorized environment(endpoint) groups.

func FilterEndpoints

func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.EndpointGroup, context *RestrictedRequestContext) []portainer.Endpoint

FilterEndpoints filters environments(endpoints) based on user role and team memberships. Non administrator only have access to authorized environments(endpoints) (can be inherited via endpoint groups).

func FilterLeaderTeams

func FilterLeaderTeams(teams []portainer.Team, context *RestrictedRequestContext) []portainer.Team

FilterLeaderTeams filters teams based on user role. Team leaders only have access to team they lead.

func FilterRegistries

func FilterRegistries(registries []portainer.Registry, user *portainer.User, teamMemberships []portainer.TeamMembership, endpointID portainer.EndpointID) []portainer.Registry

FilterRegistries filters registries based on user role and team memberships. Non administrator users only have access to authorized registries.

func FilterUserTeams

func FilterUserTeams(teams []portainer.Team, context *RestrictedRequestContext) []portainer.Team

FilterUserTeams filters teams based on user role. non-administrator users only have access to team they are member of.

func FilterUsers

func FilterUsers(users []portainer.User, context *RestrictedRequestContext) []portainer.User

FilterUsers filters users based on user role. Non-administrator users only have access to non-administrator users.

func IsAdmin

func IsAdmin(request *http.Request) (bool, error)

IsAdmin returns true if the logged-in user is an admin

func NewPasswordStrengthChecker

func NewPasswordStrengthChecker(settings settingsService) *passwordStrengthChecker

func RetrieveTokenData

func RetrieveTokenData(request *http.Request) (*portainer.TokenData, error)

RetrieveTokenData returns the TokenData object stored in the request context.

func StoreRestrictedRequestContext

func StoreRestrictedRequestContext(request *http.Request, requestContext *RestrictedRequestContext) context.Context

StoreRestrictedRequestContext stores a RestrictedRequestContext object inside the request context and returns the enhanced context.

func StoreTokenData

func StoreTokenData(request *http.Request, tokenData *portainer.TokenData) context.Context

StoreTokenData stores a TokenData object inside the request context and returns the enhanced context.

func StripAddrPort

func StripAddrPort(addr string) string

StripAddrPort removes port from IP address

Types

type PasswordStrengthChecker

type PasswordStrengthChecker interface {
	Check(password string) bool
}

type RateLimiter

type RateLimiter struct {
	*defender.Defender
}

RateLimiter represents an entity that manages request rate limiting

func NewRateLimiter

func NewRateLimiter(maxRequests int, duration time.Duration, banDuration time.Duration) *RateLimiter

NewRateLimiter initializes a new RateLimiter

func (*RateLimiter) LimitAccess

func (limiter *RateLimiter) LimitAccess(next http.Handler) http.Handler

LimitAccess wraps current request with check if remote address does not goes above the defined limits

type RequestBouncer

type RequestBouncer struct {
	// contains filtered or unexported fields
}

RequestBouncer represents an entity that manages API request accesses

func NewRequestBouncer

func NewRequestBouncer(dataStore dataservices.DataStore, jwtService dataservices.JWTService, apiKeyService apikey.APIKeyService) *RequestBouncer

NewRequestBouncer initializes a new RequestBouncer

func (*RequestBouncer) AdminAccess

func (bouncer *RequestBouncer) AdminAccess(h http.Handler) http.Handler

AdminAccess defines a security check for API environments(endpoints) that require an authorization check. Authentication is required to access these environments(endpoints). The administrator role is required to use these environments(endpoints). The request context will be enhanced with a RestrictedRequestContext object that might be used later to inside the API operation for extra authorization validation and resource filtering.

func (*RequestBouncer) AuthenticatedAccess

func (bouncer *RequestBouncer) AuthenticatedAccess(h http.Handler) http.Handler

AuthenticatedAccess defines a security check for restricted API environments(endpoints). Authentication is required to access these environments(endpoints). The request context will be enhanced with a RestrictedRequestContext object that might be used later to inside the API operation for extra authorization validation and resource filtering.

func (*RequestBouncer) AuthorizedEdgeEndpointOperation

func (bouncer *RequestBouncer) AuthorizedEdgeEndpointOperation(r *http.Request, endpoint *portainer.Endpoint) error

AuthorizedEdgeEndpointOperation verifies that the request was received from a valid Edge environment(endpoint)

func (*RequestBouncer) AuthorizedEndpointOperation

func (bouncer *RequestBouncer) AuthorizedEndpointOperation(r *http.Request, endpoint *portainer.Endpoint) error

AuthorizedEndpointOperation retrieves the JWT token from the request context and verifies that the user can access the specified environment(endpoint). An error is returned when access to the environments(endpoints) is denied or if the user do not have the required authorization to execute the operation.

func (*RequestBouncer) EdgeComputeOperation

func (bouncer *RequestBouncer) EdgeComputeOperation(next http.Handler) http.Handler

EdgeComputeOperation defines a restricted edge compute operation. Use of this operation will only be authorized if edgeCompute is enabled in settings

func (*RequestBouncer) JWTAuthLookup

func (bouncer *RequestBouncer) JWTAuthLookup(r *http.Request) *portainer.TokenData

JWTAuthLookup looks up a valid bearer in the request.

func (*RequestBouncer) PublicAccess

func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler

PublicAccess defines a security check for public API environments(endpoints). No authentication is required to access these environments(endpoints).

func (*RequestBouncer) RestrictedAccess

func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler

RestrictedAccess defines a security check for restricted API environments(endpoints). Authentication is required to access these environments(endpoints). The request context will be enhanced with a RestrictedRequestContext object that might be used later to inside the API operation for extra authorization validation and resource filtering.

func (*RequestBouncer) TeamLeaderAccess

func (bouncer *RequestBouncer) TeamLeaderAccess(h http.Handler) http.Handler

TeamLeaderAccess defines a security check for APIs require team leader privilege

Bouncer operations are applied backwards:

  • Parse the JWT from the request and stored in context, user has to be authenticated
  • Upgrade to the restricted request
  • User is admin or team leader

type RestrictedRequestContext

type RestrictedRequestContext struct {
	IsAdmin         bool
	IsTeamLeader    bool
	UserID          portainer.UserID
	UserMemberships []portainer.TeamMembership
}

RestrictedRequestContext is a data structure containing information used in AuthenticatedAccess

func RetrieveRestrictedRequestContext

func RetrieveRestrictedRequestContext(request *http.Request) (*RestrictedRequestContext, error)

RetrieveRestrictedRequestContext returns the RestrictedRequestContext object stored in the request context.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL