feat: token permissions

feat: handle sensitive data
feat: handle read-only data
This commit is contained in:
Andras Bacsai
2024-07-02 12:15:58 +02:00
parent 1249b1ece9
commit c39d6dd407
28 changed files with 328 additions and 201 deletions


@@ -21,6 +21,27 @@ use Visus\Cuid2\Cuid2;
class ApplicationsController extends Controller
{
private function removeSensitiveData($application)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('view:sensitive')) {
return serializeApiResponse($application);
}
$application->makeHidden([
'custom_labels',
'dockerfile',
'docker_compose',
'docker_compose_raw',
'manual_webhook_secret_bitbucket',
'manual_webhook_secret_gitea',
'manual_webhook_secret_github',
'manual_webhook_secret_gitlab',
'private_key_id',
]);
return serializeApiResponse($application);
}
public function applications(Request $request)
{
$teamId = getTeamIdFromToken();
@@ -32,7 +53,7 @@ class ApplicationsController extends Controller
$applications->push($projects->pluck('applications')->flatten());
$applications = $applications->flatten();
$applications = $applications->map(function ($application) {
return serializeApiResponse($application);
return $this->removeSensitiveData($application);
});
return response()->json([
@@ -484,10 +505,6 @@ class ApplicationsController extends Controller
if (! $uuid) {
return response()->json(['success' => false, 'message' => 'UUID is required.'], 400);
}
$return = validateIncomingRequest($request);
if ($return instanceof \Illuminate\Http\JsonResponse) {
return $return;
}
$application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
if (! $application) {
return response()->json(['success' => false, 'message' => 'Application not found.'], 404);
@@ -495,7 +512,7 @@ class ApplicationsController extends Controller
return response()->json([
'success' => true,
'data' => serializeApiResponse($application),
'data' => $this->removeSensitiveData($application),
]);
}
@@ -625,7 +642,7 @@ class ApplicationsController extends Controller
return response()->json([
'success' => true,
'data' => serializeApiResponse($application),
'data' => $this->removeSensitiveData($application),
]);
}
@@ -635,10 +652,6 @@ class ApplicationsController extends Controller
if (is_null($teamId)) {
return invalidTokenResponse();
}
$return = validateIncomingRequest($request);
if ($return instanceof \Illuminate\Http\JsonResponse) {
return $return;
}
$application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
if (! $application) {
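Review bot: The two update paths drop their `validateIncomingRequest($request)` guard (the removed lines after the `UUID is required.` check and after `invalidTokenResponse()`), and nothing on the new side of these hunks replaces it, so the request body now reaches `Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)` and whatever update logic follows without that validation. If the validation moved into a form request or a middleware, that is not visible in this commit; otherwise the call should stay, `$return = validateIncomingRequest($request); if ($return instanceof \Illuminate\Http\JsonResponse) { return $return; }`. Both enclosing methods start and end outside their hunks.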


@@ -20,6 +20,27 @@ use Illuminate\Validation\Rule;
class DatabasesController extends Controller
{
private function removeSensitiveData($database)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('view:sensitive')) {
return serializeApiResponse($database);
}
$database->makeHidden([
'internal_db_url',
'external_db_url',
'postgres_password',
'dragonfly_password',
'redis_password',
'mongo_initdb_root_password',
'keydb_password',
'clickhouse_admin_password',
]);
return serializeApiResponse($database);
}
public function databases(Request $request)
{
$teamId = getTeamIdFromToken();
@@ -32,7 +53,7 @@ class DatabasesController extends Controller
$databases = $databases->merge($project->databases());
}
$databases = $databases->map(function ($database) {
return serializeApiResponse($database);
return $this->removeSensitiveData($database);
});
return response()->json([
@@ -57,7 +78,7 @@ class DatabasesController extends Controller
return response()->json([
'success' => true,
'data' => serializeApiResponse($database),
'data' => $this->removeSensitiveData($database),
]);
}
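Review bot: The `makeHidden` deny-list in `removeSensitiveData` names a password column for Postgres, Dragonfly, Redis, MongoDB, KeyDB and ClickHouse but none for MariaDB or MySQL, although `StandaloneMariadb` and `StandaloneMysql` are database types this controller serves and both models are touched elsewhere in this commit; unless those models already hide their credential columns themselves, their passwords are serialized for every token that lacks `view:sensitive`. Keeping the sensitive set on each Standalone* model (a `$hidden` default, with the `view:sensitive` branch calling `makeVisible`, or a per-model constant the controller reads) puts the list next to the columns it protects instead of in a controller that must be updated for every new engine. The same controller-level deny-list pattern appears in `ApplicationsController`, `DeployController` and `TeamController`.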


@@ -20,6 +20,20 @@ use Visus\Cuid2\Cuid2;
class DeployController extends Controller
{
private function removeSensitiveData($deployment)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('view:sensitive')) {
return serializeApiResponse($deployment);
}
$deployment->makeHidden([
'logs',
]);
return serializeApiResponse($deployment);
}
public function deployments(Request $request)
{
$teamId = getTeamIdFromToken();
@@ -61,7 +75,7 @@ class DeployController extends Controller
return response()->json([
'success' => true,
'data' => serializeApiResponse($deployment->makeHidden('logs')),
'data' => $this->removeSensitiveData($deployment),
]);
}
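Review bot: `removeSensitiveData` is now the fourth copy of the same helper (`ApplicationsController`, `DatabasesController` and `TeamController` carry an identical body with a different field list), and all four decide on `auth()->user()->currentAccessToken()->can('view:sensitive')`. If any of these API routes is also reachable with a session login rather than a bearer token, Sanctum represents that as a `TransientToken`, whose `can()` returns true for every ability, so the sensitive fields would be returned to any logged-in browser session; confirm the routes are token-only or test `$token instanceof \Laravel\Sanctum\PersonalAccessToken` before trusting `can()`. A single shared helper (a trait or base-controller method taking the model and the list of fields) would make that check a one-place change.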


@@ -7,17 +7,36 @@ use Illuminate\Http\Request;
class TeamController extends Controller
{
private function removeSensitiveData($team)
{
$token = auth()->user()->currentAccessToken();
if ($token->can('view:sensitive')) {
return serializeApiResponse($team);
}
$team->makeHidden([
'smtp_username',
'smtp_password',
'resend_api_key',
'telegram_token',
]);
return serializeApiResponse($team);
}
public function teams(Request $request)
{
$teamId = getTeamIdFromToken();
if (is_null($teamId)) {
return invalidTokenResponse();
}
$teams = auth()->user()->teams;
$teams = auth()->user()->teams->sortBy('id');
$teams = $teams->map(function ($team) {
return $this->removeSensitiveData($team);
});
return response()->json([
'success' => true,
'data' => serializeApiResponse($teams),
'data' => $teams,
]);
}
@@ -33,6 +52,7 @@ class TeamController extends Controller
if (is_null($team)) {
return response()->json(['success' => false, 'message' => 'Team not found.', 'docs' => 'https://coolify.io/docs/api-reference/get-team-by-teamid'], 404);
}
$team = $this->removeSensitiveData($team);
return response()->json([
'success' => true,
@@ -52,10 +72,11 @@ class TeamController extends Controller
if (is_null($team)) {
return response()->json(['success' => false, 'message' => 'Team not found.', 'docs' => 'https://coolify.io/docs/api-reference/get-team-by-teamid-members'], 404);
}
$members = $team->members;
return response()->json([
'success' => true,
'data' => serializeApiResponse($team->members),
'data' => serializeApiResponse($members),
]);
}
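Review bot: The members endpoint returns `serializeApiResponse($members)` without any sensitive-data handling, while the team itself now goes through `removeSensitiveData`; `$team->members` is a collection of user models, and whatever columns that model exposes by default are returned to every token, including `read-only` ones without `view:sensitive`. Either confirm the user model's own `$hidden` covers any credential or token columns it has, or pass each member through the same ability check. In `teams()`, `'data' => $teams` now holds elements that are already the output of `serializeApiResponse`; a one-line comment such as `// each team is already serialized by removeSensitiveData` would stop a later reader from wrapping the collection a second time.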


@@ -67,5 +67,7 @@ class Kernel extends HttpKernel
'signed' => \App\Http\Middleware\ValidateSignature::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,
'ability' => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class,
];
}


@@ -0,0 +1,25 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class OnlyRootApiToken
{
/**
* Handle an incoming request.
*
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
*/
public function handle(Request $request, Closure $next): Response
{
$token = auth()->user()->currentAccessToken();
if ($token->can('*')) {
return $next($request);
}
return response()->json(['success' => false, 'message' => 'You are not allowed to perform this action.'], 403);
}
}
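Review bot: `auth()->user()->currentAccessToken()` on the first line of `handle` assumes an authenticated user; if this middleware is ever placed before, or on a route without, the Sanctum auth middleware, `auth()->user()` is null and the request fails with a TypeError (a 500) instead of a clean 401. A null-safe guard makes the failure mode explicit: `$token = auth()->user()?->currentAccessToken(); if ($token === null) { return invalidTokenResponse(); }` (or a 401 JSON body in the same shape as the 403 below). `ReadOnlyApiToken` has the same first line, and neither new file declares `strict_types=1`.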


@@ -0,0 +1,28 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class ReadOnlyApiToken
{
/**
* Handle an incoming request.
*
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
*/
public function handle(Request $request, Closure $next): Response
{
$token = auth()->user()->currentAccessToken();
if ($token->can('*')) {
return $next($request);
}
if ($token->can('read-only')) {
return response()->json(['success' => false, 'message' => 'You are not allowed to perform this action.'], 403);
}
return $next($request);
}
}
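Review bot: The middleware fails open: `$next($request)` is reached for any token that carries neither `*` nor `read-only`, so the restriction depends on every token-issuing path remembering to add `read-only`, and a token holding both `*` and `read-only` is granted write access because the `*` check comes first (the `ApiTokens` component removes `*` when it adds `read-only`, but nothing enforces that at the model level). That is defensible if `read-only` is the only restricting ability, but it should be stated in the `handle` docblock, e.g. `* 'read-only' is a restricting ability: a token holding it (and not '*') is refused here; every other token passes through.`. If the design is revisited, a positive ability checked with `$token->can(...)` before calling `$next` is the fail-closed equivalent.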


@@ -332,8 +332,7 @@ class DatabaseBackupJob implements ShouldBeEncrypted, ShouldQueue
private function backup_standalone_mongodb(string $databaseWithCollections): void
{
try {
ray($this->database->toArray());
$url = $this->database->get_db_url(useInternal: true);
$url = $this->database->internal_db_url;
if ($databaseWithCollections === 'all') {
$commands[] = 'mkdir -p '.$this->backup_dir;
if (str($this->database->image)->startsWith('mongo:4.0')) {


@@ -46,10 +46,8 @@ class General extends Component
public function mount()
{
$this->db_url = $this->database->get_db_url(true);
if ($this->database->is_public) {
$this->db_url_public = $this->database->get_db_url();
}
$this->db_url = $this->database->internal_db_url;
$this->db_url_public = $this->database->external_db_url;
$this->server = data_get($this->database, 'destination.server');
}
@@ -87,13 +85,12 @@ class General extends Component
return;
}
StartDatabaseProxy::run($this->database);
$this->db_url_public = $this->database->get_db_url();
$this->dispatch('success', 'Database is now publicly accessible.');
} else {
StopDatabaseProxy::run($this->database);
$this->db_url_public = null;
$this->dispatch('success', 'Database is no longer publicly accessible.');
}
$this->db_url_public = $this->database->external_db_url;
$this->database->save();
} catch (\Throwable $e) {
$this->database->is_public = ! $this->database->is_public;
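Review bot: `$this->db_url` and `$this->db_url_public` are assigned the model's `internal_db_url` / `external_db_url`, which (per the ClickHouse accessors in this commit) embed the database user and password; if these are public Livewire properties — their declarations are outside the hunk — Livewire serializes them into the component snapshot sent to the browser, so the credentials leave the server every time the page renders. That was already the case with `get_db_url()`, so this hunk does not change it, but it deserves a comment on the assignment, `// contains credentials: part of the component state rendered to the client`, or a computed property that is not dehydrated. The same two hunks appear in the other seven `General` components in this commit, and each `mount()` still lacks a `: void` return type.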


@@ -44,10 +44,8 @@ class General extends Component
public function mount()
{
$this->db_url = $this->database->get_db_url(true);
if ($this->database->is_public) {
$this->db_url_public = $this->database->get_db_url();
}
$this->db_url = $this->database->internal_db_url;
$this->db_url_public = $this->database->external_db_url;
$this->server = data_get($this->database, 'destination.server');
}
@@ -102,13 +100,12 @@ class General extends Component
return;
}
StartDatabaseProxy::run($this->database);
$this->db_url_public = $this->database->get_db_url();
$this->dispatch('success', 'Database is now publicly accessible.');
} else {
StopDatabaseProxy::run($this->database);
$this->db_url_public = null;
$this->dispatch('success', 'Database is no longer publicly accessible.');
}
$this->db_url_public = $this->database->external_db_url;
$this->database->save();
} catch (\Throwable $e) {
$this->database->is_public = ! $this->database->is_public;


@@ -46,10 +46,8 @@ class General extends Component
public function mount()
{
$this->db_url = $this->database->get_db_url(true);
if ($this->database->is_public) {
$this->db_url_public = $this->database->get_db_url();
}
$this->db_url = $this->database->internal_db_url;
$this->db_url_public = $this->database->external_db_url;
$this->server = data_get($this->database, 'destination.server');
}
@@ -108,13 +106,12 @@ class General extends Component
return;
}
StartDatabaseProxy::run($this->database);
$this->db_url_public = $this->database->get_db_url();
$this->dispatch('success', 'Database is now publicly accessible.');
} else {
StopDatabaseProxy::run($this->database);
$this->db_url_public = null;
$this->dispatch('success', 'Database is no longer publicly accessible.');
}
$this->db_url_public = $this->database->external_db_url;
$this->database->save();
} catch (\Throwable $e) {
$this->database->is_public = ! $this->database->is_public;


@@ -52,10 +52,8 @@ class General extends Component
public function mount()
{
$this->db_url = $this->database->get_db_url(true);
if ($this->database->is_public) {
$this->db_url_public = $this->database->get_db_url();
}
$this->db_url = $this->database->internal_db_url;
$this->db_url_public = $this->database->external_db_url;
$this->server = data_get($this->database, 'destination.server');
}
@@ -114,13 +112,12 @@ class General extends Component
return;
}
StartDatabaseProxy::run($this->database);
$this->db_url_public = $this->database->get_db_url();
$this->dispatch('success', 'Database is now publicly accessible.');
} else {
StopDatabaseProxy::run($this->database);
$this->db_url_public = null;
$this->dispatch('success', 'Database is no longer publicly accessible.');
}
$this->db_url_public = $this->database->external_db_url;
$this->database->save();
} catch (\Throwable $e) {
$this->database->is_public = ! $this->database->is_public;


@@ -50,10 +50,8 @@ class General extends Component
public function mount()
{
$this->db_url = $this->database->get_db_url(true);
if ($this->database->is_public) {
$this->db_url_public = $this->database->get_db_url();
}
$this->db_url = $this->database->internal_db_url;
$this->db_url_public = $this->database->external_db_url;
$this->server = data_get($this->database, 'destination.server');
}
@@ -115,13 +113,12 @@ class General extends Component
return;
}
StartDatabaseProxy::run($this->database);
$this->db_url_public = $this->database->get_db_url();
$this->dispatch('success', 'Database is now publicly accessible.');
} else {
StopDatabaseProxy::run($this->database);
$this->db_url_public = null;
$this->dispatch('success', 'Database is no longer publicly accessible.');
}
$this->db_url_public = $this->database->external_db_url;
$this->database->save();
} catch (\Throwable $e) {
$this->database->is_public = ! $this->database->is_public;


@@ -52,10 +52,8 @@ class General extends Component
public function mount()
{
$this->db_url = $this->database->get_db_url(true);
if ($this->database->is_public) {
$this->db_url_public = $this->database->get_db_url();
}
$this->db_url = $this->database->internal_db_url;
$this->db_url_public = $this->database->external_db_url;
$this->server = data_get($this->database, 'destination.server');
}
@@ -113,13 +111,12 @@ class General extends Component
return;
}
StartDatabaseProxy::run($this->database);
$this->db_url_public = $this->database->get_db_url();
$this->dispatch('success', 'Database is now publicly accessible.');
} else {
StopDatabaseProxy::run($this->database);
$this->db_url_public = null;
$this->dispatch('success', 'Database is no longer publicly accessible.');
}
$this->db_url_public = $this->database->external_db_url;
$this->database->save();
} catch (\Throwable $e) {
$this->database->is_public = ! $this->database->is_public;


@@ -72,10 +72,8 @@ class General extends Component
public function mount()
{
$this->db_url = $this->database->get_db_url(true);
if ($this->database->is_public) {
$this->db_url_public = $this->database->get_db_url();
}
$this->db_url = $this->database->internal_db_url;
$this->db_url_public = $this->database->external_db_url;
$this->server = data_get($this->database, 'destination.server');
}
@@ -118,13 +116,12 @@ class General extends Component
return;
}
StartDatabaseProxy::run($this->database);
$this->db_url_public = $this->database->get_db_url();
$this->dispatch('success', 'Database is now publicly accessible.');
} else {
StopDatabaseProxy::run($this->database);
$this->db_url_public = null;
$this->dispatch('success', 'Database is no longer publicly accessible.');
}
$this->db_url_public = $this->database->external_db_url;
$this->database->save();
} catch (\Throwable $e) {
$this->database->is_public = ! $this->database->is_public;


@@ -46,10 +46,8 @@ class General extends Component
public function mount()
{
$this->db_url = $this->database->get_db_url(true);
if ($this->database->is_public) {
$this->db_url_public = $this->database->get_db_url();
}
$this->db_url = $this->database->internal_db_url;
$this->db_url_public = $this->database->external_db_url;
$this->server = data_get($this->database, 'destination.server');
}
@@ -102,13 +100,12 @@ class General extends Component
return;
}
StartDatabaseProxy::run($this->database);
$this->db_url_public = $this->database->get_db_url();
$this->dispatch('success', 'Database is now publicly accessible.');
} else {
StopDatabaseProxy::run($this->database);
$this->db_url_public = null;
$this->dispatch('success', 'Database is no longer publicly accessible.');
}
$this->db_url_public = $this->database->external_db_url;
$this->database->save();
} catch (\Throwable $e) {
$this->database->is_public = ! $this->database->is_public;


@@ -10,6 +10,12 @@ class ApiTokens extends Component
public $tokens = [];
public bool $viewSensitiveData = false;
public bool $readOnly = true;
public array $permissions = ['read-only'];
public function render()
{
return view('livewire.security.api-tokens');
@@ -17,7 +23,33 @@ class ApiTokens extends Component
public function mount()
{
$this->tokens = auth()->user()->tokens;
$this->tokens = auth()->user()->tokens->sortByDesc('created_at');
}
public function updatedViewSensitiveData()
{
if ($this->viewSensitiveData) {
$this->permissions[] = 'view:sensitive';
$this->permissions = array_diff($this->permissions, ['*']);
} else {
$this->permissions = array_diff($this->permissions, ['view:sensitive']);
}
if (count($this->permissions) == 0) {
$this->permissions = ['*'];
}
}
public function updatedReadOnly()
{
if ($this->readOnly) {
$this->permissions[] = 'read-only';
$this->permissions = array_diff($this->permissions, ['*']);
} else {
$this->permissions = array_diff($this->permissions, ['read-only']);
}
if (count($this->permissions) == 0) {
$this->permissions = ['*'];
}
}
public function addNewToken()
@@ -26,7 +58,13 @@ class ApiTokens extends Component
$this->validate([
'description' => 'required|min:3|max:255',
]);
$token = auth()->user()->createToken($this->description);
// if ($this->viewSensitiveData) {
// $this->permissions[] = 'view:sensitive';
// }
// if ($this->readOnly) {
// $this->permissions[] = 'read-only';
// }
$token = auth()->user()->createToken($this->description, $this->permissions);
$this->tokens = auth()->user()->tokens;
session()->flash('token', $token->plainTextToken);
} catch (\Exception $e) {
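Review bot: `array_diff` in `updatedViewSensitiveData` and `updatedReadOnly` preserves keys, so after a toggle `$permissions` can become a sparse array such as `[1 => 'view:sensitive']`, which `createToken` stores as a JSON object rather than a list; Sanctum's `can()` should still resolve it, but anything else reading the stored abilities (the token list in the UI, exports) gets an unexpected shape. Wrap the results, e.g. `$this->permissions = array_values(array_diff($this->permissions, ['*']));`, and use `=== 0` in the count checks. The commented-out block above `createToken` should be deleted, and the `['*']` fallback deserves a comment, `// no restriction selected: the token is a root token with every ability`, since an empty selection silently yields the most powerful token.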


@@ -195,7 +195,7 @@ class StandaloneClickhouse extends BaseModel
protected function internalDbUrl(): Attribute
{
return new Attribute(
get: fn () => "clickhouse://{$this->clickhouse_user}:{$this->clickhouse_password}@{$this->uuid}:9000/{$this->clickhouse_db}",
get: fn () => "clickhouse://{$this->clickhouse_admin_user}:{$this->clickhouse_admin_password}@{$this->uuid}:9000/{$this->clickhouse_db}",
);
}
@@ -204,7 +204,7 @@ class StandaloneClickhouse extends BaseModel
return new Attribute(
get: function () {
if ($this->is_public && $this->public_port) {
return "clickhouse://{$this->clickhouse_user}:{$this->clickhouse_password}@{$this->destination->server->getIp}:{$this->public_port}/{$this->clickhouse_db}";
return "clickhouse://{$this->clickhouse_admin_user}:{$this->clickhouse_admin_password}@{$this->destination->server->getIp}:{$this->public_port}/{$this->clickhouse_db}";
}
return null;
@@ -212,15 +212,6 @@ class StandaloneClickhouse extends BaseModel
);
}
public function get_db_url(bool $useInternal = false)
{
if ($this->is_public && ! $useInternal) {
return $this->externalDbUrl;
} else {
return $this->internalDbUrl;
}
}
public function environment()
{
return $this->belongsTo(Environment::class);


@@ -212,15 +212,6 @@ class StandaloneDragonfly extends BaseModel
);
}
public function get_db_url(bool $useInternal = false)
{
if ($this->is_public && ! $useInternal) {
return $this->externalDbUrl;
} else {
return $this->internalDbUrl;
}
}
public function environment()
{
return $this->belongsTo(Environment::class);


@@ -212,15 +212,6 @@ class StandaloneKeydb extends BaseModel
);
}
public function get_db_url(bool $useInternal = false)
{
if ($this->is_public && ! $useInternal) {
return $this->externalDbUrl;
} else {
return $this->internalDbUrl;
}
}
public function environment()
{
return $this->belongsTo(Environment::class);


@@ -212,15 +212,6 @@ class StandaloneMariadb extends BaseModel
);
}
public function get_db_url(bool $useInternal = false)
{
if ($this->is_public && ! $useInternal) {
return $this->externalDbUrl;
} else {
return $this->internalDbUrl;
}
}
public function environment()
{
return $this->belongsTo(Environment::class);


@@ -232,15 +232,6 @@ class StandaloneMongodb extends BaseModel
);
}
public function get_db_url(bool $useInternal = false)
{
if ($this->is_public && ! $useInternal) {
return $this->externalDbUrl;
} else {
return $this->internalDbUrl;
}
}
public function environment()
{
return $this->belongsTo(Environment::class);


@@ -213,15 +213,6 @@ class StandaloneMysql extends BaseModel
);
}
public function get_db_url(bool $useInternal = false)
{
if ($this->is_public && ! $useInternal) {
return $this->externalDbUrl;
} else {
return $this->internalDbUrl;
}
}
public function environment()
{
return $this->belongsTo(Environment::class);


@@ -213,15 +213,6 @@ class StandalonePostgresql extends BaseModel
);
}
public function get_db_url(bool $useInternal = false)
{
if ($this->is_public && ! $useInternal) {
return $this->externalDbUrl;
} else {
return $this->internalDbUrl;
}
}
public function environment()
{
return $this->belongsTo(Environment::class);


@@ -208,15 +208,6 @@ class StandaloneRedis extends BaseModel
);
}
public function get_db_url(bool $useInternal = false)
{
if ($this->is_public && ! $useInternal) {
return $this->externalDbUrl;
} else {
return $this->internalDbUrl;
}
}
public function environment()
{
return $this->belongsTo(Environment::class);