provision/docker: add permission checking to moveContainersHandler

tsuru · Nov 25, 2015 · 7ee1a7e · 7ee1a7e
1 parent f491c58
commit 7ee1a7e
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 5 deletions.
diff --git a/provision/docker/docker.go b/provision/docker/docker.go
@@ -51,16 +51,24 @@ func urlToHost(urlStr string) string {
 }
 
 func (p *dockerProvisioner) hostToNodeAddress(host string) (string, error) {
-	nodes, err := p.Cluster().Nodes()
+	node, err := p.getNodeByHost(host)
 	if err != nil {
 		return "", err
 	}
+	return node.Address, nil
+}
+
+func (p *dockerProvisioner) getNodeByHost(host string) (cluster.Node, error) {
+	nodes, err := p.Cluster().Nodes()
+	if err != nil {
+		return cluster.Node{}, err
+	}
 	for _, node := range nodes {
 		if urlToHost(node.Address) == host {
-			return node.Address, nil
+			return node, nil
 		}
 	}
-	return "", fmt.Errorf("Host `%s` not found", host)
+	return cluster.Node{}, fmt.Errorf("Host `%s` not found", host)
 }
 
 func randomString() string {

diff --git a/provision/docker/handlers.go b/provision/docker/handlers.go
@@ -347,9 +347,26 @@ func moveContainersHandler(w http.ResponseWriter, r *http.Request, t auth.Token)
 	if from == "" || to == "" {
 		return fmt.Errorf("Invalid params: from: %s - to: %s", from, to)
 	}
-	writer := &tsuruIo.SimpleJsonMessageEncoderWriter{
-		Encoder: json.NewEncoder(w),
+	originHost, err := mainDockerProvisioner.getNodeByHost(from)
+	if err != nil {
+		return &errors.HTTP{Code: http.StatusNotFound, Message: err.Error()}
+	}
+	destinationHost, err := mainDockerProvisioner.getNodeByHost(to)
+	if err != nil {
+		return &errors.HTTP{Code: http.StatusNotFound, Message: err.Error()}
+	}
+	var permContexts []permission.PermissionContext
+	originPool, ok := originHost.Metadata["pool"]
+	if ok {
+		permContexts = append(permContexts, permission.Context(permission.CtxPool, originPool))
+	}
+	if pool, ok := destinationHost.Metadata["pool"]; ok && pool != originPool {
+		permContexts = append(permContexts, permission.Context(permission.CtxPool, pool))
 	}
+	if !permission.Check(t, permission.PermNode, permContexts...) {
+		return permission.ErrUnauthorized
+	}
+	writer := &tsuruIo.SimpleJsonMessageEncoderWriter{Encoder: json.NewEncoder(w)}
 	err = mainDockerProvisioner.MoveContainers(from, to, writer)
 	if err != nil {
 		fmt.Fprintf(writer, "Error trying to move containers: %s\n", err.Error())

diff --git a/provision/docker/handlers_test.go b/provision/docker/handlers_test.go
@@ -696,6 +696,8 @@ func (s *HandlersSuite) TestMoveContainersHandler(c *check.C) {
 	request, err := http.NewRequest("POST", "/docker/containers/move", b)
 	c.Assert(err, check.IsNil)
 	request.Header.Set("Authorization", "bearer "+s.token.GetValue())
+	mainDockerProvisioner.Cluster().Register(cluster.Node{Address: "http://localhost:2375"})
+	mainDockerProvisioner.Cluster().Register(cluster.Node{Address: "http://127.0.0.1:2375"})
 	server := api.RunServer(true)
 	server.ServeHTTP(recorder, request)
 	c.Assert(recorder.Code, check.Equals, http.StatusOK)