authorization

package
v1.11.0-rc4
Published: Apr 7, 2016 License: Apache-2.0 Imports: 11 Imported by: 425

Documentation

Constants

const (
	// AuthZApiRequest is the url for daemon request authorization
	AuthZApiRequest = "AuthZPlugin.AuthZReq"

	// AuthZApiResponse is the url for daemon response authorization
	AuthZApiResponse = "AuthZPlugin.AuthZRes"

	// AuthZApiImplements is the name of the interface all AuthZ plugins implement
	AuthZApiImplements = "authz"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Ctx

type Ctx struct {
	// contains filtered or unexported fields
}

Ctx stores the context of a single request-response interaction

func NewCtx

func NewCtx(authZPlugins []Plugin, user, userAuthNMethod, requestMethod, requestURI string) *Ctx

NewCtx creates a new authZ context; it stores the authorization information for a single Docker REST HTTP session. A context provides two methods:

Authorize Request: call the authZ plugins with the current REST request and the AuthN result. The request contains the full HTTP packet sent to the Docker daemon (https://docs.docker.com/reference/api/docker_remote_api/).

Authorize Response: call the authZ plugins with full information about the current REST request, the REST response and the AuthN result. The response from this method may contain content that overrides the daemon's response, which is what allows authZ plugins to filter privileged content.

If multiple authZ plugins are specified, the block/allow decision is the AND of all plugin results: every plugin must allow, and the first deny ends the chain. For response manipulation, the response from each plugin is piped to the next. Plugins run in the order of the daemon's --authorization-plugin parameters.

func (*Ctx) AuthZRequest

func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error

AuthZRequest authorizes the request to the Docker daemon using the authZ plugins

func (*Ctx) AuthZResponse

func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error

AuthZResponse authorizes and manipulates the response from the Docker daemon using the authZ plugins

type Plugin

type Plugin interface {
	// Name returns the registered plugin name
	Name() string

	// AuthZRequest authorizes the request from the client to the daemon
	AuthZRequest(*Request) (*Response, error)

	// AuthZResponse authorizes the response from the daemon to the client
	AuthZResponse(*Request) (*Response, error)
}

Plugin allows third-party plugins to authorize requests and responses in the context of the Docker API

func NewPlugins

func NewPlugins(names []string) []Plugin

NewPlugins constructs and initializes the authorization plugins from their plugin names

type Request

type Request struct {
	// User holds the user extracted by AuthN mechanism
	User string `json:"User,omitempty"`

	// UserAuthNMethod holds the mechanism used to extract user details (e.g., krb)
	UserAuthNMethod string `json:"UserAuthNMethod,omitempty"`

	// RequestMethod holds the HTTP method (GET/POST/PUT)
	RequestMethod string `json:"RequestMethod,omitempty"`

	// RequestUri holds the full HTTP uri (e.g., /v1.21/version)
	RequestURI string `json:"RequestUri,omitempty"`

	// RequestBody stores the raw request body sent to the docker daemon
	RequestBody []byte `json:"RequestBody,omitempty"`

	// RequestHeaders stores the raw request headers sent to the docker daemon
	RequestHeaders map[string]string `json:"RequestHeaders,omitempty"`

	// ResponseStatusCode stores the status code returned from docker daemon
	ResponseStatusCode int `json:"ResponseStatusCode,omitempty"`

	// ResponseBody stores the raw response body sent from docker daemon
	ResponseBody []byte `json:"ResponseBody,omitempty"`

	// ResponseHeaders stores the raw response headers sent from the docker daemon
	ResponseHeaders map[string]string `json:"ResponseHeaders,omitempty"`
}

Request holds data required for authZ plugins
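The Ctx documentation above describes the decision rule (plugins run in order, results are ANDed, first deny wins) and the Request type describes the JSON document each plugin receives; on the wire the daemon calls a plugin's AuthZPlugin.AuthZReq endpoint with an HTTP POST carrying that document. The following is an added example, not the package's own code: a minimal authZ plugin served in-process on those paths, and a caller that applies the same AND rule across several plugins. The Request/Response structs are a trimmed mirror of the package's types (same JSON tags) so the example runs without importing the package; the policy denyPrivileged, the helper names and the constructed request bodies are the example's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Request and Response mirror the JSON tags of the package's types; only the
// request-phase fields used here are kept. []byte fields travel as base64 in JSON.
type Request struct {
	User          string `json:"User,omitempty"`
	RequestMethod string `json:"RequestMethod,omitempty"`
	RequestURI    string `json:"RequestUri,omitempty"`
	RequestBody   []byte `json:"RequestBody,omitempty"`
}
type Response struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// The AuthZApiRequest/AuthZApiResponse constants, used as plugin URL paths.
const (
	authZReqPath = "/AuthZPlugin.AuthZReq"
	authZResPath = "/AuthZPlugin.AuthZRes"
)

// newPluginServer starts an in-process authZ plugin whose request-phase policy is decide; its response phase allows everything.
func newPluginServer(decide func(Request) Response) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(authZReqPath, func(w http.ResponseWriter, r *http.Request) {
		var req Request
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			json.NewEncoder(w).Encode(Response{Allow: false, Err: "bad request: " + err.Error()})
			return
		}
		json.NewEncoder(w).Encode(decide(req))
	})
	mux.HandleFunc(authZResPath, func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(Response{Allow: true})
	})
	return httptest.NewServer(mux)
}

// denyPrivileged is a sample policy: refuse POST .../containers/create when the body asks for HostConfig.Privileged.
func denyPrivileged(req Request) Response {
	path := strings.SplitN(req.RequestURI, "?", 2)[0]
	if req.RequestMethod != "POST" || !strings.HasSuffix(path, "/containers/create") {
		return Response{Allow: true}
	}
	var body struct{ HostConfig struct{ Privileged bool } }
	if err := json.Unmarshal(req.RequestBody, &body); err != nil {
		return Response{Allow: false, Err: "cannot parse create body: " + err.Error()}
	}
	if body.HostConfig.Privileged {
		return Response{Allow: false, Msg: "privileged containers are not allowed for " + req.User}
	}
	return Response{Allow: true}
}

// callPlugin POSTs req as JSON to one plugin's AuthZReq endpoint and decodes the reply.
func callPlugin(baseURL string, req Request) (Response, error) {
	buf, err := json.Marshal(req)
	if err != nil {
		return Response{}, err
	}
	resp, err := http.Post(baseURL+authZReqPath, "application/json", bytes.NewReader(buf))
	if err != nil {
		return Response{}, err
	}
	defer resp.Body.Close()
	var res Response
	err = json.NewDecoder(resp.Body).Decode(&res)
	return res, err
}

// authorizeRequest applies the rule from the Ctx docs: plugins run in the given order and the
// decision is the AND of their answers. An unreachable plugin or a plugin-reported Err is a deny (fail closed).
func authorizeRequest(pluginURLs []string, req Request) error {
	for _, u := range pluginURLs {
		res, err := callPlugin(u, req)
		if err != nil {
			return fmt.Errorf("plugin %s failed: %w", u, err)
		}
		if res.Err != "" || !res.Allow {
			return fmt.Errorf("authorization denied by plugin %s: %s%s", u, res.Msg, res.Err)
		}
	}
	return nil
}

func main() {
	strict := newPluginServer(denyPrivileged)
	req := Request{User: "alice", RequestMethod: "POST", RequestURI: "/v1.23/containers/create?name=db",
		RequestBody: []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)} // constructed sample
	fmt.Println(authorizeRequest([]string{strict.URL}, req))
}
```

Two points worth noting: a permissive plugin placed before a strict one changes nothing, because the AND rule requires every plugin to allow; and a plugin that cannot be reached is treated as a deny here, since an authorization hook that fails open is no hook at all.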

type Response

type Response struct {
	// Allow indicates whether the request (or response) is allowed
	Allow bool `json:"Allow"`

	// Msg stores the authorization message
	Msg string `json:"Msg,omitempty"`

	// Err stores a message in case there's an error
	Err string `json:"Err,omitempty"`
}

Response represents authZ plugin response

type ResponseModifier

type ResponseModifier interface {
	http.ResponseWriter
	http.Flusher
	http.CloseNotifier

	// RawBody returns the current http content
	RawBody() []byte

	// RawHeaders returns the current content of the http headers
	RawHeaders() ([]byte, error)

	// StatusCode returns the current status code
	StatusCode() int

	// OverrideBody replace the body of the HTTP reply
	OverrideBody(b []byte)

	// OverrideHeader replace the headers of the HTTP reply
	OverrideHeader(b []byte) error

	// OverrideStatusCode replaces the status code of the HTTP reply
	OverrideStatusCode(statusCode int)

	// FlushAll flushes all buffered data to the HTTP response
	FlushAll() error

	// Hijacked indicates the response has been hijacked by the Docker daemon
	Hijacked() bool
}

ResponseModifier allows authorization plugins to read and modify the content of the HTTP response

func NewResponseModifier

func NewResponseModifier(rw http.ResponseWriter) ResponseModifier

NewResponseModifier creates a wrapper around an http.ResponseWriter that allows the response content to be inspected and modified before it is sent
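The point of the wrapper is that nothing the daemon writes reaches the client until the response phase has run and FlushAll is called. The following is an added example, not the package's implementation: a minimal http.ResponseWriter wrapper with the same RawBody/StatusCode/OverrideBody/OverrideStatusCode/FlushAll shape (the Flusher, CloseNotifier and Hijacked parts of the interface are omitted), plus a sample response-phase policy, redactEnv, that strips Config.Env from a container inspect reply. The handler sampleDaemon and its JSON are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bufferedResponse stands in for what NewResponseModifier returns: it implements
// http.ResponseWriter, buffers whatever the daemon handler writes, lets a policy read or
// replace the buffered status and body, and only forwards to the real writer on FlushAll.
type bufferedResponse struct {
	rw         http.ResponseWriter
	header     http.Header
	body       []byte
	statusCode int
}

func newBufferedResponse(rw http.ResponseWriter) *bufferedResponse {
	return &bufferedResponse{rw: rw, header: http.Header{}, statusCode: http.StatusOK}
}

func (b *bufferedResponse) Header() http.Header { return b.header }
func (b *bufferedResponse) WriteHeader(code int) { b.statusCode = code }

// Write buffers instead of writing through, so no bytes reach the client before authZ runs.
func (b *bufferedResponse) Write(p []byte) (int, error) {
	b.body = append(b.body, p...)
	return len(p), nil
}

func (b *bufferedResponse) RawBody() []byte { return b.body }
func (b *bufferedResponse) StatusCode() int { return b.statusCode }
func (b *bufferedResponse) OverrideBody(body []byte) { b.body = body }
func (b *bufferedResponse) OverrideStatusCode(code int) { b.statusCode = code }

// FlushAll writes headers, status and the (possibly overridden) body to the real writer
// exactly once. Content-Length is recomputed because the body may have changed.
func (b *bufferedResponse) FlushAll() error {
	for k, v := range b.header {
		b.rw.Header()[k] = v
	}
	b.rw.Header().Set("Content-Length", fmt.Sprint(len(b.body)))
	b.rw.WriteHeader(b.statusCode)
	_, err := b.rw.Write(b.body)
	return err
}

// redactEnv is a sample response-phase policy: drop Config.Env from a container
// inspect document so environment secrets never reach the client.
func redactEnv(body []byte) ([]byte, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	if cfg, ok := doc["Config"].(map[string]interface{}); ok {
		delete(cfg, "Env")
	}
	return json.Marshal(doc)
}

// filterInspect runs daemon against the buffer, applies redactEnv to a 200 reply, fails
// closed with 403 if the body cannot be parsed, then flushes. It returns what reached the client.
func filterInspect(daemon http.HandlerFunc, r *http.Request) (int, []byte) {
	client := httptest.NewRecorder()
	buf := newBufferedResponse(client)
	daemon(buf, r)
	if buf.StatusCode() == http.StatusOK {
		if redacted, err := redactEnv(buf.RawBody()); err == nil {
			buf.OverrideBody(redacted)
		} else {
			buf.OverrideStatusCode(http.StatusForbidden)
			buf.OverrideBody([]byte(`{"message":"response blocked by authorization plugin"}`))
		}
	}
	_ = buf.FlushAll()
	return client.Code, client.Body.Bytes()
}

// sampleDaemon is a constructed stand-in for the daemon's container inspect handler.
func sampleDaemon(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.Write([]byte(`{"Id":"abc123","Config":{"Env":["DB_PASSWORD=hunter2"],"Image":"alpine"}}`))
}

func main() {
	code, body := filterInspect(sampleDaemon, httptest.NewRequest("GET", "/v1.23/containers/abc123/json", nil))
	fmt.Println(code, string(body))
}
```

Non-200 replies pass through untouched, since there is nothing to redact in an error body; a 200 reply whose body the policy cannot parse is replaced with a 403 rather than forwarded, because a filter that forwards what it cannot read has not filtered anything. Hijacked connections (attach, exec) are the case the real interface flags with Hijacked(): once the daemon takes over the socket, this buffering model no longer applies.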
