auth

Published: Apr 28, 2018 License: Apache-2.0 Imports: 23 Imported by: 12

README

Docker-Check-Access

Sometimes you find yourself between a rock and a hard place. In this case, you're in charge of a multi-tenant Docker environment, but you're not directly in charge of authorization for all the containers in your system. What do you do?

Well, this package is designed to help with that. It makes calls to a Docker registry provider on your behalf to find out whether a user has permission to touch a container in your Docker environment.

Example use:

package modify

import (
	"errors"

	docker "github.com/fsouza/go-dockerclient"
	auth "github.com/wercker/docker-check-access"
)

func ModifyLocalContainer(a auth.Authenticator, container *docker.Container) error {
	// CheckAccess takes the repository name and the scope being requested;
	// a lookup error and an explicit denial are both treated as "no access".
	if ok, err := a.CheckAccess(container.Image, auth.Pull); err != nil || !ok {
		return errors.New("You can't access that!")
	}
	// move along with messing with your local container
	return nil
}

Documentation

Constants

This section is empty.

Variables

var ErrRepoNotAuthorized = errors.New("Not Authorized to access the repository")

ErrRepoNotAuthorized is the error returned when the user could not be authorized on the repository present on the remote registry with the supplied credentials.

var ErrRepoNotFound = errors.New("Unable to find repository on remote registry")

ErrRepoNotFound is the error returned when the repository whose access you want to check could not be found on the remote registry.

var ErrUnexpectedResponse = errors.New("Unexpected Response")

ErrUnexpectedResponse is the error returned when the registry answers with a result the library is unable to parse.

Functions

This section is empty.

Types

type AmazonAuth

type AmazonAuth struct {
	// contains filtered or unexported fields
}

AmazonAuth implements Authenticator. Its purpose is to check whether a user with the given accessKey and accessSecret is allowed to interact with an Amazon container registry identified by the registryID passed to the constructor.

func NewAmazonAuth

func NewAmazonAuth(registryID, accessKey, accessSecret, region string, strictIAM bool) *AmazonAuth

func (*AmazonAuth) CheckAccess

func (a *AmazonAuth) CheckAccess(Repository string, scope Scope) (bool, error)

CheckAccess checks whether the current Amazon user has the permissions defined by scope on the given repository.

func (AmazonAuth) Password

func (a AmazonAuth) Password() string

Password is a getter for the private token field of AmazonAuth, useful if you want to use the token in calls to a remote Docker API.

func (AmazonAuth) Repository

func (a AmazonAuth) Repository(repo string) string

Repository returns the full name of an Amazon ECR repository. It is useful when making calls to a remote Docker API.

func (AmazonAuth) Username

func (a AmazonAuth) Username() string

type Authenticator

type Authenticator interface {
	CheckAccess(string, Scope) (bool, error)
	Password() string
	Username() string
	Repository(string) string
}

An Authenticator is the interface that wraps the CheckAccess method. It has four methods:

CheckAccess checks whether a user is allowed to read or write a certain Docker repository, specified by repository name, with the requested Scope.
Password returns the password for the authenticator, or whatever token an external service such as Amazon ECR or Google GCR returns to be used as a password.
Username returns the username for the authenticator, or whatever default username an external service such as Amazon ECR or Google GCR uses.
Repository returns the full, normalized repository name.

type Azure

type Azure struct {
	// contains filtered or unexported fields
}

Azure holds all the fields required for authentication with an Azure container registry.

func NewAzure

func NewAzure(clientID, clientSecret, subscriptionID, tenantID, resourceGroupName, registryName, loginServer string) (*Azure, error)

NewAzure creates a ServicePrincipalToken and a BearerAuthorizer from it, and populates an Azure struct.

func (*Azure) CheckAccess

func (a *Azure) CheckAccess(Repository string, scope Scope) (bool, error)

CheckAccess makes a call to Azure to get the registry information. If that succeeds, it checks push access to the registry as a standard v2 repository using DockerAuth.

func (*Azure) Password

func (a *Azure) Password() string

Password returns the password for the registry (the clientSecret).

func (*Azure) Repository

func (a *Azure) Repository(repository string) string

Repository returns the "taggable" repository name.

func (*Azure) Username

func (a *Azure) Username() string

Username returns the username for the registry (the clientID).

type DockerAuth

type DockerAuth struct {
	RegistryURL *url.URL
	// contains filtered or unexported fields
}

DockerAuth implements Authenticator. Its purpose is to check whether a user has access to a Docker container by checking against a remote registry provider.

func NewDockerAuth

func NewDockerAuth(RegistryURL *url.URL, username, password string) *DockerAuth

NewDockerAuth is a constructor that takes a remote registry URL to check repository permissions against, plus the basic authentication parameters used for API calls to a Docker Version 2 registry provider.

func (*DockerAuth) CheckAccess

func (d *DockerAuth) CheckAccess(repository string, scope Scope) (bool, error)

CheckAccess takes a repository and tries to obtain a JWT token from a Docker registry v2 provider. If it succeeds in getting the token, it returns true. If getting the token fails, it returns false and an error explaining what went wrong. CheckAccess follows the token flow described at https://docs.docker.com/registry/spec/auth/jwt: it first makes a call without any authentication/authorization parameters to check whether the registry requires authentication at all, and if that is rejected it requests a token from the endpoint named in the Www-Authenticate challenge header.

func (*DockerAuth) Password

func (d *DockerAuth) Password() string

func (*DockerAuth) Repository

func (d *DockerAuth) Repository(repo string) string

func (*DockerAuth) Username

func (d *DockerAuth) Username() string

type DockerAuthV1

type DockerAuthV1 struct {
	*DockerAuth
}

DockerAuthV1 implements Authenticator. Its purpose is to check whether a user has access to a Docker container by checking against a remote registry provider that still uses the Docker Version 1 registry specification. It should be able to call DockerAuth's Username, Password and Repository methods.

func NewDockerAuthV1

func NewDockerAuthV1(registryURL *url.URL, username, password string) DockerAuthV1

func (DockerAuthV1) CheckAccess

func (d DockerAuthV1) CheckAccess(repository string, scope Scope) (bool, error)

type PolicyText

type PolicyText struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

type Scope

type Scope string

Scope defines the possible types of scopes

const (
	Push Scope = "PUSH"
	Pull Scope = "PULL"
)

type Statement

type Statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    []string        `json:"Action"`
}
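PolicyText and Statement above are the shape of an ECR repository policy document, and Principal is a json.RawMessage because the field can be the string "*", an object holding a single ARN, or an object holding a list of ARNs. The following is an added example, not this package's code: it mirrors the page's Scope, PolicyText and Statement types and evaluates a constructed repository policy for a given IAM principal. The mapping from Push/Pull to ECR API actions, the placeholder account and role ARNs, and the "explicit Deny wins" evaluation are assumptions of this example; the page does not state how the package maps scopes to actions. It also evaluates the repository policy only, not the principal's own identity-based IAM policies, which ECR also consults (the strictIAM constructor parameter on this page points at that side).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Scope, PolicyText and Statement mirror the types documented on this page.
type Scope string

const (
	Push Scope = "PUSH"
	Pull Scope = "PULL"
)

type PolicyText struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

type Statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    []string        `json:"Action"`
}

// requiredActions is an assumed scope-to-ECR-action mapping; the page does not state the package's own.
var requiredActions = map[Scope][]string{
	Pull: {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"},
	Push: {"ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"},
}

// principalMatches decodes the shapes Principal takes ("*", {"AWS": "arn"}, {"AWS": ["arn", ...]}),
// which is why the page types it as json.RawMessage. Anything else is an error, so callers fail closed.
func principalMatches(raw json.RawMessage, arn string) (bool, error) {
	var star string
	if json.Unmarshal(raw, &star) == nil {
		return star == "*", nil
	}
	var obj struct{ AWS json.RawMessage }
	if err := json.Unmarshal(raw, &obj); err != nil {
		return false, fmt.Errorf("unsupported Principal %s: %w", raw, err)
	}
	var list []string
	if json.Unmarshal(obj.AWS, &list) != nil { // not a list, so it must be a single ARN string
		var one string
		if err := json.Unmarshal(obj.AWS, &one); err != nil {
			return false, fmt.Errorf("unsupported AWS principal %s: %w", obj.AWS, err)
		}
		list = []string{one}
	}
	for _, p := range list {
		if p == "*" || p == arn {
			return true, nil
		}
	}
	return false, nil
}

// RepositoryPolicyAllows evaluates a repository policy for one principal and scope:
// every required action needs a matching Allow and no matching Deny (an explicit Deny wins).
func RepositoryPolicyAllows(policyJSON []byte, principalARN string, scope Scope) (bool, error) {
	var p PolicyText
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return false, err
	}
	actions, ok := requiredActions[scope]
	if !ok { // without this an unknown scope would require zero actions and be allowed
		return false, fmt.Errorf("unknown scope %q", scope)
	}
	for _, wanted := range actions {
		allowed, denied := false, false
		for _, st := range p.Statement {
			match, err := principalMatches(st.Principal, principalARN)
			if err != nil {
				return false, fmt.Errorf("statement %q: %w", st.Sid, err)
			}
			for _, granted := range st.Action {
				if match && (granted == "*" || granted == "ecr:*" || granted == wanted) {
					allowed = allowed || st.Effect == "Allow"
					denied = denied || st.Effect == "Deny"
				}
			}
		}
		if denied || !allowed {
			return false, nil
		}
	}
	return true, nil
}

// SamplePolicy is a constructed repository policy with placeholder account and role ARNs.
const SamplePolicy = `{"Version": "2012-10-17", "Statement": [
 {"Sid": "AllowPull", "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111122223333:role/ci-reader"]}, "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
 {"Sid": "AllowPush", "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111122223333:role/ci-publisher", "arn:aws:iam::111122223333:role/ci-contractor"]},
  "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"]},
 {"Sid": "DenyContractorPush", "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-contractor"}, "Action": ["ecr:PutImage"]}
]}`

func main() {
	for _, role := range []string{"ci-reader", "ci-publisher", "ci-contractor", "auditor"} {
		arn := "arn:aws:iam::111122223333:role/" + role
		pull, _ := RepositoryPolicyAllows([]byte(SamplePolicy), arn, Pull)
		push, _ := RepositoryPolicyAllows([]byte(SamplePolicy), arn, Push)
		fmt.Printf("%-14s pull=%-5v push=%v\n", role, pull, push)
	}
}
```

Two details carry the security weight here: an unknown Scope is an error rather than an empty requirement list (which would silently allow everything), and a Principal shape the decoder does not understand is also an error, so the check fails closed instead of treating an unparsed statement as "no match".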

type TokenResp

type TokenResp struct {
	Token       string `json:"token"`
	AccessToken string `json:"access_token"`
}

TokenResp contains the access token returned from the Docker registry after successful authentication and authorization. The token field is named either "token" or "access_token" in the JSON the registry returns.

func (TokenResp) GetToken

func (resp TokenResp) GetToken() string

GetToken returns the token string from a TokenResp.
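The DockerAuth.CheckAccess documentation above describes the registry token flow, and TokenResp describes the two field names the token endpoint may use. The following is an added example, not this package's code, of the client side of that exchange with constructed inputs: parsing a 401's Www-Authenticate Bearer challenge (realm, service, scope, where scope may itself contain commas), building the token request for one repository and action, and decoding the token body so that an answer carrying neither field fails closed, the situation the package reports as ErrUnexpectedResponse. The hostnames, repository name and token value are constructed; the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Challenge holds the parameters of a Bearer Www-Authenticate challenge.
type Challenge struct {
	Realm, Service, Scope string
}

// splitParams splits on commas outside quotes, so scope="repository:x:pull,push" stays whole.
func splitParams(s string) []string {
	var parts []string
	start, inQuote := 0, false
	for i, r := range s {
		switch r {
		case '"':
			inQuote = !inQuote
		case ',':
			if !inQuote {
				parts = append(parts, s[start:i])
				start = i + 1
			}
		}
	}
	return append(parts, s[start:])
}

// ParseBearerChallenge parses the header a v2 registry sends with its 401, e.g.
// Bearer realm="https://auth.example.test/token",service="registry.example.test",scope="repository:team/app:pull"
func ParseBearerChallenge(header string) (Challenge, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return Challenge{}, fmt.Errorf("not a Bearer challenge: %q", header)
	}
	var c Challenge
	for _, kv := range splitParams(header[len(prefix):]) {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok || k == "" {
			return Challenge{}, fmt.Errorf("malformed challenge parameter %q", kv)
		}
		v = strings.Trim(strings.TrimSpace(v), `"`)
		switch strings.ToLower(k) {
		case "realm":
			c.Realm = v
		case "service":
			c.Service = v
		case "scope":
			c.Scope = v
		}
	}
	if c.Realm == "" {
		return Challenge{}, errors.New("challenge has no realm to request a token from")
	}
	return c, nil
}

// TokenURL builds the token request for one repository and action ("pull" or "push"),
// as described at https://docs.docker.com/registry/spec/auth/jwt.
func TokenURL(c Challenge, repo, action string) (string, error) {
	u, err := url.Parse(c.Realm)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("service", c.Service)
	q.Set("scope", fmt.Sprintf("repository:%s:%s", repo, action))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// DecodeToken reads the token endpoint's body, accepting either field name TokenResp
// documents, and fails closed when neither is present.
func DecodeToken(body []byte) (string, error) {
	var resp struct {
		Token       string `json:"token"`
		AccessToken string `json:"access_token"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	if resp.Token != "" {
		return resp.Token, nil
	}
	if resp.AccessToken != "" {
		return resp.AccessToken, nil
	}
	return "", errors.New("token response carries neither token nor access_token")
}

func main() {
	// Constructed sample challenge and token body, not captured from a real registry.
	c, err := ParseBearerChallenge(`Bearer realm="https://auth.example.test/token",service="registry.example.test",scope="repository:team/app:pull,push"`)
	if err != nil {
		panic(err)
	}
	u, _ := TokenURL(c, "team/app", "pull")
	tok, err := DecodeToken([]byte(`{"access_token": "constructed.sample.token"}`))
	fmt.Println(u, tok, err)
}
```

A real CheckAccess would send the GET to the URL TokenURL produces with the caller's basic-auth credentials and pass the body to DecodeToken; a 200 with a usable token is the "true" answer, anything else is the error path.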
