Documentation
Constants
const (
	// AuthZApiRequest is the url for daemon request authorization
	AuthZApiRequest = "AuthZPlugin.AuthZReq"
	// AuthZApiResponse is the url for daemon response authorization
	AuthZApiResponse = "AuthZPlugin.AuthZRes"
	// AuthZApiImplements is the name of the interface all AuthZ plugins implement
	AuthZApiImplements = "authz"
)
Variables
var (
	// ErrInvalidPlugin indicates that the plugin cannot be used. This is
	// because the plugin was not found or does not implement necessary
	// functionality
	ErrInvalidPlugin = errors.New("invalid plugin")
)
Functions
func GetPluginGetter
func GetPluginGetter() plugingetter.PluginGetter
GetPluginGetter returns the plugingetter used to look up authorization plugins.
func SetPluginGetter
func SetPluginGetter(pg plugingetter.PluginGetter)
SetPluginGetter sets the plugingetter used to look up authorization plugins.
Types
type Ctx
type Ctx struct {
// contains filtered or unexported fields
}
Ctx stores the context of a single request-response interaction.
func NewCtx
NewCtx creates a new authZ context; it is used to store authorization information related to a specific docker REST http session. A context provides two methods:
Authenticate Request: calls the authZ plugins with the current REST request and the AuthN response. The request contains the full HTTP packet sent to the docker daemon (https://docs.docker.com/engine/reference/api/docker_remote_api/).
Authenticate Response: calls the authZ plugins with full information about the current REST request, the REST response and the AuthN response. The response from this method may contain content that overrides the daemon response; this allows authZ plugins to filter privileged content.
If multiple authZ plugins are specified, the block/allow decision is based on ANDing all plugin results. For response manipulation, the response from each plugin is piped to the next plugin. Plugin execution order is determined by the daemon parameters.
func (*Ctx) AuthZRequest
AuthZRequest authorizes the request to the docker daemon using the authZ plugins. Side effect: if an authz plugin is invalid, ctx.plugins is updated so that the caller (the middleware) can update its list and stop retrying with invalid plugins.
func (*Ctx) AuthZResponse
func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error
AuthZResponse authorizes and manipulates the response from the docker daemon using the authZ plugins. Side effect: if an authz plugin is invalid, ctx.plugins is updated so that the caller (the middleware) can update its list and stop retrying with invalid plugins.
type Middleware
type Middleware struct {
// contains filtered or unexported fields
}
Middleware uses a list of plugins to handle authorization in the API requests.
func NewMiddleware
func NewMiddleware(names []string, pg plugingetter.PluginGetter) *Middleware
NewMiddleware creates a new Middleware from a slice of plugin names.
func (*Middleware) SetPlugins
func (m *Middleware) SetPlugins(names []string)
SetPlugins sets, by name, the plugins used for authorization.
func (*Middleware) WrapHandler
func (m *Middleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error
WrapHandler returns a new handler function wrapping the previous one in the request chain.
type Plugin
type Plugin interface {
	// Name returns the registered plugin name
	Name() string
	// AuthZRequest authorizes the request from the client to the daemon
	AuthZRequest(*Request) (*Response, error)
	// AuthZResponse authorizes the response from the daemon to the client
	AuthZResponse(*Request) (*Response, error)
}
Plugin allows third-party plugins to authorize requests and responses in the context of the docker API.
type Request
type Request struct {
	// User holds the user extracted by the AuthN mechanism
	User string `json:"User,omitempty"`
	// UserAuthNMethod holds the mechanism used to extract user details (e.g., krb)
	UserAuthNMethod string `json:"UserAuthNMethod,omitempty"`
	// RequestMethod holds the HTTP method (GET/POST/PUT)
	RequestMethod string `json:"RequestMethod,omitempty"`
	// RequestURI holds the full HTTP uri (e.g., /v1.21/version)
	RequestURI string `json:"RequestUri,omitempty"`
	// RequestBody stores the raw request body sent to the docker daemon
	RequestBody []byte `json:"RequestBody,omitempty"`
	// RequestHeaders stores the raw request headers sent to the docker daemon
	RequestHeaders map[string]string `json:"RequestHeaders,omitempty"`
	// ResponseStatusCode stores the status code returned from the docker daemon
	ResponseStatusCode int `json:"ResponseStatusCode,omitempty"`
	// ResponseBody stores the raw response body sent from the docker daemon
	ResponseBody []byte `json:"ResponseBody,omitempty"`
	// ResponseHeaders stores the response headers sent from the docker daemon
	ResponseHeaders map[string]string `json:"ResponseHeaders,omitempty"`
}
Request holds the data required by authZ plugins.
type Response
type Response struct {
	// Allow indicates whether the user is allowed or not
	Allow bool `json:"Allow"`
	// Msg stores the authorization message
	Msg string `json:"Msg,omitempty"`
	// Err stores a message in case there's an error
	Err string `json:"Err,omitempty"`
}
Response represents an authZ plugin response.
type ResponseModifier
type ResponseModifier interface {
	http.ResponseWriter
	http.Flusher
	http.CloseNotifier
	// RawBody returns the current http content
	RawBody() []byte
	// RawHeaders returns the current content of the http headers
	RawHeaders() ([]byte, error)
	// StatusCode returns the current status code
	StatusCode() int
	// OverrideBody replaces the body of the HTTP reply
	OverrideBody(b []byte)
	// OverrideHeader replaces the headers of the HTTP reply
	OverrideHeader(b []byte) error
	// OverrideStatusCode replaces the status code of the HTTP reply
	OverrideStatusCode(statusCode int)
	// FlushAll flushes all data to the HTTP response
	FlushAll() error
	// Hijacked indicates the response has been hijacked by the Docker daemon
	Hijacked() bool
}
ResponseModifier allows authorization plugins to read and modify the content of the http.response.
func NewResponseModifier
func NewResponseModifier(rw http.ResponseWriter) ResponseModifier
NewResponseModifier creates a wrapper around an http.ResponseWriter that allows inspecting and modifying the response content.