Merge pull request #8 from neuroforgede/wip/setup_registry_auth#main
Add SERVICE_ALLOW_LISTED_NETWORKS to network get and list endpoints f…
s4ke authored Aug 9, 2024
2 parents e026e00 + fdf4ae0 commit 3ab72a8
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions swarmgate/routes.ts
Expand Up @@ -570,14 +570,17 @@ export function setupRoutes(tenantLabelValue: string) {

// Networks

function isNetworkOwned(network: Docker.NetworkInspectInfo): boolean {
function isNetworkOwned(network: Docker.NetworkInspectInfo, includeAllowListed: boolean): boolean {
if(includeAllowListed && SERVICE_ALLOW_LISTED_NETWORKS.includes(network.Name)) {
return true;
}
return !!(network.Labels && network.Labels[tenantLabel] == tenantLabelValue);
}

async function isOwnedNetwork(networkId: string): Promise<boolean> {
async function isOwnedNetwork(networkId: string, includeAllowListed: boolean = false): Promise<boolean> {
try {
const network = await docker.getNetwork(networkId).inspect();
return network && isNetworkOwned(network);
return network && isNetworkOwned(network, includeAllowListed);
} catch (error) {
console.error(error);
return false;
Expand Down Expand Up @@ -617,7 +620,7 @@ export function setupRoutes(tenantLabelValue: string) {
});
// list the service allow listed networks as well
// this is fine, read only only here.
const ownedNetworks = networks.filter((net) => isNetworkOwned(net) || SERVICE_ALLOW_LISTED_NETWORKS.includes(net));
const ownedNetworks = networks.filter((net) => isNetworkOwned(net, true));
res.json(ownedNetworks);
} catch (error: any) {
console.error(error);
Expand All @@ -629,7 +632,9 @@ export function setupRoutes(tenantLabelValue: string) {
router.delete('/:version?/networks/:id', async (req, res) => {
const networkId = req.params.id;

if (await isOwnedNetwork(networkId)) {
// get the service allow listed networks as well
// this is fine, read only only here.
if (await isOwnedNetwork(networkId, true)) {
try {
const network = docker.getNetwork(networkId);
await network.remove({});
Expand All @@ -649,7 +654,7 @@ export function setupRoutes(tenantLabelValue: string) {

// allowed to get the service allow listed networks as well
// this is fine, read only only here.
if (await isOwnedNetwork(networkId) && !SERVICE_ALLOW_LISTED_NETWORKS.includes(net)) {
if (await isOwnedNetwork(networkId, true)) {
try {
const network = docker.getNetwork(networkId);

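Review bot: The delete handler's new guard `if (await isOwnedNetwork(networkId, true)) {` lets a request reach `network.remove({})` for any network whose name is on SERVICE_ALLOW_LISTED_NETWORKS even when it carries no tenant label, because `isNetworkOwned` now returns true on the allow-list match before the label comparison. The two comment lines added just above it justify the relaxation with "read only only here", but this route removes the network, and the commit title scopes the change to the get and list endpoints. Keep the default here, `if (await isOwnedNetwork(networkId)) {`, so a tenant cannot delete a shared allow-listed network, and drop the two comment lines; the list and get hunks can keep passing `true`. The delete handler's body continues past the hunk.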
