fix(api/docker): no authorized user can call restricted api [EE-6808] (…

…#11480)
portainer · May 21, 2024 · d283c63 · d283c63
1 parent d15e2cd
commit d283c63
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/api/http/handler/docker/containers/handler.go b/api/http/handler/docker/containers/handler.go
@@ -7,6 +7,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/docker"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
+	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 )
@@ -30,7 +31,7 @@ func NewHandler(routePrefix string, bouncer security.BouncerService, dataStore d
 	}
 
 	router := h.PathPrefix(routePrefix).Subrouter()
-	router.Use(bouncer.AuthenticatedAccess)
+	router.Use(bouncer.AuthenticatedAccess, middlewares.CheckEndpointAuthorization(bouncer))
 
 	router.Handle("/{containerId}/gpus", httperror.LoggerHandler(h.containerGpusInspect)).Methods(http.MethodGet)
 	router.Handle("/{containerId}/recreate", httperror.LoggerHandler(h.recreate)).Methods(http.MethodPost)

diff --git a/api/http/handler/docker/images/handler.go b/api/http/handler/docker/images/handler.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 
 	"github.com/portainer/portainer/api/docker/client"
+	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
@@ -25,7 +26,7 @@ func NewHandler(routePrefix string, bouncer security.BouncerService, dockerClien
 	}
 
 	router := h.PathPrefix(routePrefix).Subrouter()
-	router.Use(bouncer.AuthenticatedAccess)
+	router.Use(bouncer.AuthenticatedAccess, middlewares.CheckEndpointAuthorization(bouncer))
 
 	router.Handle("", httperror.LoggerHandler(h.imagesList)).Methods(http.MethodGet)
 	return h

diff --git a/api/http/middlewares/endpoint.go b/api/http/middlewares/endpoint.go
@@ -7,6 +7,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	requesthelpers "github.com/portainer/portainer/pkg/libhttp/request"
 
@@ -63,3 +64,22 @@ func FetchEndpoint(request *http.Request) (*portainer.Endpoint, error) {
 
 	return contextData.(*portainer.Endpoint), nil
 }
+
+func CheckEndpointAuthorization(bouncer security.BouncerService) mux.MiddlewareFunc {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			endpoint, err := FetchEndpoint(r)
+			if err != nil {
+				httperror.WriteError(w, http.StatusNotFound, "Unable to find an environment on request context", err)
+				return
+			}
+
+			if err = bouncer.AuthorizedEndpointOperation(r, endpoint); err != nil {
+				httperror.WriteError(w, http.StatusForbidden, "Permission denied to access environment", err)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}