feat(settings): add setting to disable device mapping for regular users (#4017)

* feat(settings): introduce device mapping service * feat(containers): hide devices field when setting is on * feat(containers): prevent passing of devices when not allowed * feat(stacks): prevent non admin from device mapping * feat(stacks): disallow swarm stack creation for user * refactor(settings): replace disableDeviceMapping with allow * fix(stacks): remove check for disable device mappings from swarm * feat(settings): rename field to disable * feat(settings): supply default value for disableDeviceMapping * feat(container): check for endpoint admin
2020-07-13 07:32:56 +03:00
parent dffcd3fdfd
commit 5ebb03cb4e
16 changed files with 93 additions and 9 deletions
--- a/api/http/proxy/factory/docker/containers.go
+++ b/api/http/proxy/factory/docker/containers.go
@@ -156,8 +156,9 @@ func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelB
 func (transport *Transport) decorateContainerCreationOperation(request *http.Request, resourceIdentifierAttribute string, resourceType portainer.ResourceControlType) (*http.Response, error) {
 	type PartialContainer struct {
 		HostConfig struct {
-			Privileged bool   `json:"Privileged"`
-			PidMode    string `json:"PidMode"`
+			Privileged bool          `json:"Privileged"`
+			PidMode    string        `json:"PidMode"`
+			Devices    []interface{} `json:"Devices"`
 		} `json:"HostConfig"`
 	}

@@ -186,14 +187,18 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
 		endpointResourceAccess = true
 	}

-	if (rbacExtension != nil && !endpointResourceAccess && tokenData.Role != portainer.AdministratorRole) || (rbacExtension == nil && tokenData.Role != portainer.AdministratorRole) {
+	isAdmin := (rbacExtension != nil && endpointResourceAccess) || tokenData.Role == portainer.AdministratorRole

+	if !isAdmin {
 		settings, err := transport.settingsService.Settings()
 		if err != nil {
 			return nil, err
 		}

-		if !settings.AllowPrivilegedModeForRegularUsers || !settings.AllowHostNamespaceForRegularUsers {
+		if !settings.AllowPrivilegedModeForRegularUsers ||
+			!settings.AllowHostNamespaceForRegularUsers ||
+			!settings.AllowDeviceMappingForRegularUsers {
+
 			body, err := ioutil.ReadAll(request.Body)
 			if err != nil {
 				return nil, err
@@ -213,6 +218,10 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
 				return forbiddenResponse, errors.New("forbidden to use pid host namespace")
 			}

+			if len(partialContainer.HostConfig.Devices) > 0 {
+				return nil, errors.New("forbidden to use device mapping")
+			}
+
 			request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
 		}
 	}