security

package
v0.0.0-...-4560a53 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 31, 2023 License: Zlib Imports: 13 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrAuthorizationRequired = errors.New("Authorization required for this operation")
)

Functions

func AuthorizedAccess 

func AuthorizedAccess(userID portainer.UserID, memberships []portainer.TeamMembership, userAccessPolicies portainer.UserAccessPolicies, teamAccessPolicies portainer.TeamAccessPolicies) bool

AuthorizedAccess verifies the userID or memberships are authorized to use an object per the supplied access policies

func AuthorizedEndpointAccess 

func AuthorizedEndpointAccess(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, userID portainer.UserID, memberships []portainer.TeamMembership) bool

AuthorizedEndpointAccess ensure that the user can access the specified environment(endpoint). It will check if the user is part of the authorized users or part of a team that is listed in the authorized teams of the environment(endpoint) and the associated group.

func AuthorizedIsAdmin 

func AuthorizedIsAdmin(context *RestrictedRequestContext) bool

AuthorizedIsAdmin ensure that the user is an admin

func AuthorizedIsTeamLeader 

func AuthorizedIsTeamLeader(context *RestrictedRequestContext) bool

AuthorizedIsTeamLeader ensure that the user is an admin or a team leader

func AuthorizedRegistryAccess 

func AuthorizedRegistryAccess(registry *portainer.Registry, user *portainer.User, teamMemberships []portainer.TeamMembership, endpointID portainer.EndpointID) bool

AuthorizedRegistryAccess ensure that the user can access the specified registry. It will check if the user is part of the authorized users or part of a team that is listed in the authorized teams for a specified environment(endpoint),

func AuthorizedResourceControlAccess 

func AuthorizedResourceControlAccess(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool

AuthorizedResourceControlAccess checks whether the user can alter an existing resource control.

func AuthorizedResourceControlUpdate 

func AuthorizedResourceControlUpdate(resourceControl *portainer.ResourceControl, context *RestrictedRequestContext) bool

AuthorizedResourceControlUpdate ensure that the user can update a resource control object. A non-administrator user cannot create a resource control where: * the Public flag is set false * the AdministratorsOnly flag is set to true * he wants to create a resource control without any user/team accesses * he wants to add more than one user in the user accesses * he wants to add a user in the user accesses that is not corresponding to its id * he wants to add a team he is not a member of

func AuthorizedTeamManagement 

func AuthorizedTeamManagement(teamID portainer.TeamID, context *RestrictedRequestContext) bool

AuthorizedTeamManagement ensure that access to the management of the specified team is granted. It will check if the user is either administrator or leader of that team.

func FilterEndpointGroups 

func FilterEndpointGroups(endpointGroups []portainer.EndpointGroup, context *RestrictedRequestContext) []portainer.EndpointGroup

FilterEndpointGroups filters environment(endpoint) groups based on user role and team memberships. Non administrator users only have access to authorized environment(endpoint) groups.

func FilterEndpoints 

func FilterEndpoints(endpoints []portainer.Endpoint, groups []portainer.EndpointGroup, context *RestrictedRequestContext) []portainer.Endpoint

FilterEndpoints filters environments(endpoints) based on user role and team memberships. Non administrator only have access to authorized environments(endpoints) (can be inherited via endpoint groups).

func FilterLeaderTeams 

func FilterLeaderTeams(teams []portainer.Team, context *RestrictedRequestContext) []portainer.Team

FilterLeaderTeams filters teams based on user role. Team leaders only have access to team they lead.

func FilterRegistries 

func FilterRegistries(registries []portainer.Registry, user *portainer.User, teamMemberships []portainer.TeamMembership, endpointID portainer.EndpointID) []portainer.Registry

FilterRegistries filters registries based on user role and team memberships. Non administrator users only have access to authorized registries.

func FilterUserTeams 

func FilterUserTeams(teams []portainer.Team, context *RestrictedRequestContext) []portainer.Team

FilterUserTeams filters teams based on user role. non-administrator users only have access to team they are member of.

func FilterUsers 

func FilterUsers(users []portainer.User, context *RestrictedRequestContext) []portainer.User

FilterUsers filters users based on user role. Non-administrator users only have access to non-administrator users.

func IsAdmin 

func IsAdmin(request *http.Request) (bool, error)

IsAdmin returns true if the logged-in user is an admin

func NewPasswordStrengthChecker 

func NewPasswordStrengthChecker(settings settingsService) *passwordStrengthChecker

func RetrieveTokenData 

func RetrieveTokenData(request *http.Request) (*portainer.TokenData, error)

RetrieveTokenData returns the TokenData object stored in the request context.

func StoreRestrictedRequestContext 

func StoreRestrictedRequestContext(request *http.Request, requestContext *RestrictedRequestContext) context.Context

StoreRestrictedRequestContext stores a RestrictedRequestContext object inside the request context and returns the enhanced context.

func StoreTokenData 

func StoreTokenData(request *http.Request, tokenData *portainer.TokenData) context.Context

StoreTokenData stores a TokenData object inside the request context and returns the enhanced context.

func StripAddrPort 

func StripAddrPort(addr string) string

StripAddrPort removes port from IP address

Types

type BouncerService 

type BouncerService interface {
	PublicAccess(http.Handler) http.Handler
	AdminAccess(http.Handler) http.Handler
	RestrictedAccess(http.Handler) http.Handler
	TeamLeaderAccess(http.Handler) http.Handler
	AuthenticatedAccess(http.Handler) http.Handler
	EdgeComputeOperation(http.Handler) http.Handler

	AuthorizedEndpointOperation(*http.Request, *portainer.Endpoint) error
	AuthorizedEdgeEndpointOperation(*http.Request, *portainer.Endpoint) error
	TrustedEdgeEnvironmentAccess(dataservices.DataStoreTx, *portainer.Endpoint) error
	JWTAuthLookup(*http.Request) *portainer.TokenData
}

type PasswordStrengthChecker 

type PasswordStrengthChecker interface {
	Check(password string) bool
}

type RateLimiter 

type RateLimiter struct {
	*defender.Defender
}

RateLimiter represents an entity that manages request rate limiting

func NewRateLimiter 

func NewRateLimiter(maxRequests int, duration time.Duration, banDuration time.Duration) *RateLimiter

NewRateLimiter initializes a new RateLimiter

func (*RateLimiter) LimitAccess 

func (limiter *RateLimiter) LimitAccess(next http.Handler) http.Handler

LimitAccess wraps current request with check if remote address does not goes above the defined limits

type RequestBouncer 

type RequestBouncer struct {
	// contains filtered or unexported fields
}

RequestBouncer represents an entity that manages API request accesses

func NewRequestBouncer 

func NewRequestBouncer(dataStore dataservices.DataStore, jwtService dataservices.JWTService, apiKeyService apikey.APIKeyService) *RequestBouncer

NewRequestBouncer initializes a new RequestBouncer

func (*RequestBouncer) AdminAccess 

func (bouncer *RequestBouncer) AdminAccess(h http.Handler) http.Handler

AdminAccess defines a security check for API environments(endpoints) that require an authorization check. Authentication is required to access these environments(endpoints). The administrator role is required to use these environments(endpoints). The request context will be enhanced with a RestrictedRequestContext object that might be used later to inside the API operation for extra authorization validation and resource filtering.

func (*RequestBouncer) AuthenticatedAccess 

func (bouncer *RequestBouncer) AuthenticatedAccess(h http.Handler) http.Handler

AuthenticatedAccess defines a security check for restricted API environments(endpoints). Authentication is required to access these environments(endpoints). The request context will be enhanced with a RestrictedRequestContext object that might be used later to inside the API operation for extra authorization validation and resource filtering.

func (*RequestBouncer) AuthorizedEdgeEndpointOperation 

func (bouncer *RequestBouncer) AuthorizedEdgeEndpointOperation(r *http.Request, endpoint *portainer.Endpoint) error

AuthorizedEdgeEndpointOperation verifies that the request was received from a valid Edge environment(endpoint)

func (*RequestBouncer) AuthorizedEndpointOperation 

func (bouncer *RequestBouncer) AuthorizedEndpointOperation(r *http.Request, endpoint *portainer.Endpoint) error

AuthorizedEndpointOperation retrieves the JWT token from the request context and verifies that the user can access the specified environment(endpoint). An error is returned when access to the environments(endpoints) is denied or if the user do not have the required authorization to execute the operation.

func (*RequestBouncer) EdgeComputeOperation 

func (bouncer *RequestBouncer) EdgeComputeOperation(next http.Handler) http.Handler

EdgeComputeOperation defines a restricted edge compute operation. Use of this operation will only be authorized if edgeCompute is enabled in settings

func (*RequestBouncer) JWTAuthLookup 

func (bouncer *RequestBouncer) JWTAuthLookup(r *http.Request) *portainer.TokenData

JWTAuthLookup looks up a valid bearer in the request.

func (*RequestBouncer) PublicAccess 

func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler

PublicAccess defines a security check for public API environments(endpoints). No authentication is required to access these environments(endpoints).

func (*RequestBouncer) RestrictedAccess 

func (bouncer *RequestBouncer) RestrictedAccess(h http.Handler) http.Handler

RestrictedAccess defines a security check for restricted API environments(endpoints). Authentication is required to access these environments(endpoints). The request context will be enhanced with a RestrictedRequestContext object that might be used later to inside the API operation for extra authorization validation and resource filtering.

func (*RequestBouncer) TeamLeaderAccess 

func (bouncer *RequestBouncer) TeamLeaderAccess(h http.Handler) http.Handler

TeamLeaderAccess defines a security check for APIs require team leader privilege

Bouncer operations are applied backwards:

  • Parse the JWT from the request and stored in context, user has to be authenticated
  • Upgrade to the restricted request
  • User is admin or team leader

func (*RequestBouncer) TrustedEdgeEnvironmentAccess 

func (bouncer *RequestBouncer) TrustedEdgeEnvironmentAccess(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint) error

TrustedEdgeEnvironmentAccess defines a security check for Edge environments, checks if the request is coming from a trusted Edge environment

type RestrictedRequestContext 

type RestrictedRequestContext struct {
	IsAdmin         bool
	IsTeamLeader    bool
	UserID          portainer.UserID
	UserMemberships []portainer.TeamMembership
}

RestrictedRequestContext is a data structure containing information used in AuthenticatedAccess

func RetrieveRestrictedRequestContext 

func RetrieveRestrictedRequestContext(request *http.Request) (*RestrictedRequestContext, error)

RetrieveRestrictedRequestContext returns the RestrictedRequestContext object stored in the request context.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.