github.com/rumpl/bof@v23.0.0-rc.2+incompatible/integration/plugin/authz/authz_plugin_test.go (about) 1 //go:build !windows 2 // +build !windows 3 4 package authz // import "github.com/docker/docker/integration/plugin/authz" 5 6 import ( 7 "context" 8 "fmt" 9 "io" 10 "net" 11 "net/http" 12 "net/http/httputil" 13 "net/url" 14 "os" 15 "path/filepath" 16 "strconv" 17 "strings" 18 "testing" 19 "time" 20 21 "github.com/docker/docker/api/types" 22 eventtypes "github.com/docker/docker/api/types/events" 23 "github.com/docker/docker/client" 24 "github.com/docker/docker/integration/internal/container" 25 "github.com/docker/docker/pkg/archive" 26 "github.com/docker/docker/pkg/authorization" 27 "github.com/docker/docker/testutil/environment" 28 "gotest.tools/v3/assert" 29 "gotest.tools/v3/poll" 30 "gotest.tools/v3/skip" 31 ) 32 33 const ( 34 testAuthZPlugin = "authzplugin" 35 unauthorizedMessage = "User unauthorized authz plugin" 36 errorMessage = "something went wrong..." 37 serverVersionAPI = "/version" 38 ) 39 40 var ( 41 alwaysAllowed = []string{"/_ping", "/info"} 42 ctrl *authorizationController 43 ) 44 45 type authorizationController struct { 46 reqRes authorization.Response // reqRes holds the plugin response to the initial client request 47 resRes authorization.Response // resRes holds the plugin response to the daemon response 48 versionReqCount int // versionReqCount counts the number of requests to the server version API endpoint 49 versionResCount int // versionResCount counts the number of responses from the server version API endpoint 50 requestsURIs []string // requestsURIs stores all request URIs that are sent to the authorization controller 51 reqUser string 52 resUser string 53 } 54 55 func setupTestV1(t *testing.T) func() { 56 ctrl = &authorizationController{} 57 teardown := setupTest(t) 58 59 err := os.MkdirAll("/etc/docker/plugins", 0755) 60 assert.NilError(t, err) 61 62 fileName := fmt.Sprintf("/etc/docker/plugins/%s.spec", testAuthZPlugin) 63 err = os.WriteFile(fileName, []byte(server.URL), 0644) 64 assert.NilError(t, err) 65 66 return func() { 67 err := os.RemoveAll("/etc/docker/plugins") 68 assert.NilError(t, err) 69 70 teardown() 71 ctrl = nil 72 } 73 } 74 75 // check for always allowed endpoints to not inhibit test framework functions 76 func isAllowed(reqURI string) bool { 77 for _, endpoint := range alwaysAllowed { 78 if strings.HasSuffix(reqURI, endpoint) { 79 return true 80 } 81 } 82 return false 83 } 84 85 func TestAuthZPluginAllowRequest(t *testing.T) { 86 defer setupTestV1(t)() 87 ctrl.reqRes.Allow = true 88 ctrl.resRes.Allow = true 89 d.StartWithBusybox(t, "--authorization-plugin="+testAuthZPlugin) 90 91 c := d.NewClientT(t) 92 ctx := context.Background() 93 94 // Ensure command successful 95 cID := container.Run(ctx, t, c) 96 97 assertURIRecorded(t, ctrl.requestsURIs, "/containers/create") 98 assertURIRecorded(t, ctrl.requestsURIs, fmt.Sprintf("/containers/%s/start", cID)) 99 100 _, err := c.ServerVersion(ctx) 101 assert.NilError(t, err) 102 assert.Equal(t, 1, ctrl.versionReqCount) 103 assert.Equal(t, 1, ctrl.versionResCount) 104 } 105 106 func TestAuthZPluginTLS(t *testing.T) { 107 defer setupTestV1(t)() 108 const ( 109 testDaemonHTTPSAddr = "tcp://localhost:4271" 110 cacertPath = "../../testdata/https/ca.pem" 111 serverCertPath = "../../testdata/https/server-cert.pem" 112 serverKeyPath = "../../testdata/https/server-key.pem" 113 clientCertPath = "../../testdata/https/client-cert.pem" 114 clientKeyPath = "../../testdata/https/client-key.pem" 115 ) 116 117 d.Start(t, 118 "--authorization-plugin="+testAuthZPlugin, 119 "--tlsverify", 120 "--tlscacert", cacertPath, 121 "--tlscert", serverCertPath, 122 "--tlskey", serverKeyPath, 123 "-H", testDaemonHTTPSAddr) 124 125 ctrl.reqRes.Allow = true 126 ctrl.resRes.Allow = true 127 128 c, err := newTLSAPIClient(testDaemonHTTPSAddr, cacertPath, clientCertPath, clientKeyPath) 129 assert.NilError(t, err) 130 131 _, err = c.ServerVersion(context.Background()) 132 assert.NilError(t, err) 133 134 assert.Equal(t, "client", ctrl.reqUser) 135 assert.Equal(t, "client", ctrl.resUser) 136 } 137 138 func newTLSAPIClient(host, cacertPath, certPath, keyPath string) (client.APIClient, error) { 139 dialer := &net.Dialer{ 140 KeepAlive: 30 * time.Second, 141 Timeout: 30 * time.Second, 142 } 143 return client.NewClientWithOpts( 144 client.WithTLSClientConfig(cacertPath, certPath, keyPath), 145 client.WithDialContext(dialer.DialContext), 146 client.WithHost(host)) 147 } 148 149 func TestAuthZPluginDenyRequest(t *testing.T) { 150 defer setupTestV1(t)() 151 d.Start(t, "--authorization-plugin="+testAuthZPlugin) 152 ctrl.reqRes.Allow = false 153 ctrl.reqRes.Msg = unauthorizedMessage 154 155 c := d.NewClientT(t) 156 157 // Ensure command is blocked 158 _, err := c.ServerVersion(context.Background()) 159 assert.Assert(t, err != nil) 160 assert.Equal(t, 1, ctrl.versionReqCount) 161 assert.Equal(t, 0, ctrl.versionResCount) 162 163 // Ensure unauthorized message appears in response 164 assert.Equal(t, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s", testAuthZPlugin, unauthorizedMessage), err.Error()) 165 } 166 167 // TestAuthZPluginAPIDenyResponse validates that when authorization 168 // plugin deny the request, the status code is forbidden 169 func TestAuthZPluginAPIDenyResponse(t *testing.T) { 170 defer setupTestV1(t)() 171 d.Start(t, "--authorization-plugin="+testAuthZPlugin) 172 ctrl.reqRes.Allow = false 173 ctrl.resRes.Msg = unauthorizedMessage 174 175 daemonURL, err := url.Parse(d.Sock()) 176 assert.NilError(t, err) 177 178 conn, err := net.DialTimeout(daemonURL.Scheme, daemonURL.Path, time.Second*10) 179 assert.NilError(t, err) 180 c := httputil.NewClientConn(conn, nil) 181 req, err := http.NewRequest(http.MethodGet, "/version", nil) 182 assert.NilError(t, err) 183 resp, err := c.Do(req) 184 185 assert.NilError(t, err) 186 assert.DeepEqual(t, http.StatusForbidden, resp.StatusCode) 187 } 188 189 func TestAuthZPluginDenyResponse(t *testing.T) { 190 defer setupTestV1(t)() 191 d.Start(t, "--authorization-plugin="+testAuthZPlugin) 192 ctrl.reqRes.Allow = true 193 ctrl.resRes.Allow = false 194 ctrl.resRes.Msg = unauthorizedMessage 195 196 c := d.NewClientT(t) 197 198 // Ensure command is blocked 199 _, err := c.ServerVersion(context.Background()) 200 assert.Assert(t, err != nil) 201 assert.Equal(t, 1, ctrl.versionReqCount) 202 assert.Equal(t, 1, ctrl.versionResCount) 203 204 // Ensure unauthorized message appears in response 205 assert.Equal(t, fmt.Sprintf("Error response from daemon: authorization denied by plugin %s: %s", testAuthZPlugin, unauthorizedMessage), err.Error()) 206 } 207 208 // TestAuthZPluginAllowEventStream verifies event stream propagates 209 // correctly after request pass through by the authorization plugin 210 func TestAuthZPluginAllowEventStream(t *testing.T) { 211 skip.If(t, testEnv.DaemonInfo.OSType != "linux") 212 skip.If(t, testEnv.DaemonInfo.OSType == "windows") 213 214 defer setupTestV1(t)() 215 ctrl.reqRes.Allow = true 216 ctrl.resRes.Allow = true 217 d.StartWithBusybox(t, "--authorization-plugin="+testAuthZPlugin) 218 219 c := d.NewClientT(t) 220 ctx := context.Background() 221 222 startTime := strconv.FormatInt(systemTime(t, c, testEnv).Unix(), 10) 223 events, errs, cancel := systemEventsSince(c, startTime) 224 defer cancel() 225 226 // Create a container and wait for the creation events 227 cID := container.Run(ctx, t, c) 228 poll.WaitOn(t, container.IsInState(ctx, c, cID, "running")) 229 230 created := false 231 started := false 232 for !created && !started { 233 select { 234 case event := <-events: 235 if event.Type == eventtypes.ContainerEventType && event.Actor.ID == cID { 236 if event.Action == "create" { 237 created = true 238 } 239 if event.Action == "start" { 240 started = true 241 } 242 } 243 case err := <-errs: 244 if err == io.EOF { 245 t.Fatal("premature end of event stream") 246 } 247 assert.NilError(t, err) 248 case <-time.After(30 * time.Second): 249 // Fail the test 250 t.Fatal("event stream timeout") 251 } 252 } 253 254 // Ensure both events and container endpoints are passed to the 255 // authorization plugin 256 assertURIRecorded(t, ctrl.requestsURIs, "/events") 257 assertURIRecorded(t, ctrl.requestsURIs, "/containers/create") 258 assertURIRecorded(t, ctrl.requestsURIs, fmt.Sprintf("/containers/%s/start", cID)) 259 } 260 261 func systemTime(t *testing.T, client client.APIClient, testEnv *environment.Execution) time.Time { 262 if testEnv.IsLocalDaemon() { 263 return time.Now() 264 } 265 266 ctx := context.Background() 267 info, err := client.Info(ctx) 268 assert.NilError(t, err) 269 270 dt, err := time.Parse(time.RFC3339Nano, info.SystemTime) 271 assert.NilError(t, err, "invalid time format in GET /info response") 272 return dt 273 } 274 275 func systemEventsSince(client client.APIClient, since string) (<-chan eventtypes.Message, <-chan error, func()) { 276 eventOptions := types.EventsOptions{ 277 Since: since, 278 } 279 ctx, cancel := context.WithCancel(context.Background()) 280 events, errs := client.Events(ctx, eventOptions) 281 282 return events, errs, cancel 283 } 284 285 func TestAuthZPluginErrorResponse(t *testing.T) { 286 defer setupTestV1(t)() 287 d.Start(t, "--authorization-plugin="+testAuthZPlugin) 288 ctrl.reqRes.Allow = true 289 ctrl.resRes.Err = errorMessage 290 291 c := d.NewClientT(t) 292 293 // Ensure command is blocked 294 _, err := c.ServerVersion(context.Background()) 295 assert.Assert(t, err != nil) 296 assert.Equal(t, fmt.Sprintf("Error response from daemon: plugin %s failed with error: %s: %s", testAuthZPlugin, authorization.AuthZApiResponse, errorMessage), err.Error()) 297 } 298 299 func TestAuthZPluginErrorRequest(t *testing.T) { 300 defer setupTestV1(t)() 301 d.Start(t, "--authorization-plugin="+testAuthZPlugin) 302 ctrl.reqRes.Err = errorMessage 303 304 c := d.NewClientT(t) 305 306 // Ensure command is blocked 307 _, err := c.ServerVersion(context.Background()) 308 assert.Assert(t, err != nil) 309 assert.Equal(t, fmt.Sprintf("Error response from daemon: plugin %s failed with error: %s: %s", testAuthZPlugin, authorization.AuthZApiRequest, errorMessage), err.Error()) 310 } 311 312 func TestAuthZPluginEnsureNoDuplicatePluginRegistration(t *testing.T) { 313 defer setupTestV1(t)() 314 d.Start(t, "--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin) 315 316 ctrl.reqRes.Allow = true 317 ctrl.resRes.Allow = true 318 319 c := d.NewClientT(t) 320 321 _, err := c.ServerVersion(context.Background()) 322 assert.NilError(t, err) 323 324 // assert plugin is only called once.. 325 assert.Equal(t, 1, ctrl.versionReqCount) 326 assert.Equal(t, 1, ctrl.versionResCount) 327 } 328 329 func TestAuthZPluginEnsureLoadImportWorking(t *testing.T) { 330 defer setupTestV1(t)() 331 ctrl.reqRes.Allow = true 332 ctrl.resRes.Allow = true 333 d.StartWithBusybox(t, "--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin) 334 335 c := d.NewClientT(t) 336 ctx := context.Background() 337 338 tmp, err := os.MkdirTemp("", "test-authz-load-import") 339 assert.NilError(t, err) 340 defer os.RemoveAll(tmp) 341 342 savedImagePath := filepath.Join(tmp, "save.tar") 343 344 err = imageSave(c, savedImagePath, "busybox") 345 assert.NilError(t, err) 346 err = imageLoad(c, savedImagePath) 347 assert.NilError(t, err) 348 349 exportedImagePath := filepath.Join(tmp, "export.tar") 350 351 cID := container.Run(ctx, t, c) 352 353 responseReader, err := c.ContainerExport(context.Background(), cID) 354 assert.NilError(t, err) 355 defer responseReader.Close() 356 file, err := os.Create(exportedImagePath) 357 assert.NilError(t, err) 358 defer file.Close() 359 _, err = io.Copy(file, responseReader) 360 assert.NilError(t, err) 361 362 err = imageImport(c, exportedImagePath) 363 assert.NilError(t, err) 364 } 365 366 func TestAuthzPluginEnsureContainerCopyToFrom(t *testing.T) { 367 defer setupTestV1(t)() 368 ctrl.reqRes.Allow = true 369 ctrl.resRes.Allow = true 370 d.StartWithBusybox(t, "--authorization-plugin="+testAuthZPlugin, "--authorization-plugin="+testAuthZPlugin) 371 372 dir, err := os.MkdirTemp("", t.Name()) 373 assert.NilError(t, err) 374 defer os.RemoveAll(dir) 375 376 f, err := os.CreateTemp(dir, "send") 377 assert.NilError(t, err) 378 defer f.Close() 379 380 buf := make([]byte, 1024) 381 fileSize := len(buf) * 1024 * 10 382 for written := 0; written < fileSize; { 383 n, err := f.Write(buf) 384 assert.NilError(t, err) 385 written += n 386 } 387 388 c := d.NewClientT(t) 389 ctx := context.Background() 390 391 cID := container.Run(ctx, t, c) 392 defer c.ContainerRemove(ctx, cID, types.ContainerRemoveOptions{Force: true}) 393 394 _, err = f.Seek(0, io.SeekStart) 395 assert.NilError(t, err) 396 397 srcInfo, err := archive.CopyInfoSourcePath(f.Name(), false) 398 assert.NilError(t, err) 399 srcArchive, err := archive.TarResource(srcInfo) 400 assert.NilError(t, err) 401 defer srcArchive.Close() 402 403 dstDir, preparedArchive, err := archive.PrepareArchiveCopy(srcArchive, srcInfo, archive.CopyInfo{Path: "/test"}) 404 assert.NilError(t, err) 405 406 err = c.CopyToContainer(ctx, cID, dstDir, preparedArchive, types.CopyToContainerOptions{}) 407 assert.NilError(t, err) 408 409 rdr, _, err := c.CopyFromContainer(ctx, cID, "/test") 410 assert.NilError(t, err) 411 _, err = io.Copy(io.Discard, rdr) 412 assert.NilError(t, err) 413 } 414 415 func imageSave(client client.APIClient, path, image string) error { 416 ctx := context.Background() 417 responseReader, err := client.ImageSave(ctx, []string{image}) 418 if err != nil { 419 return err 420 } 421 defer responseReader.Close() 422 file, err := os.Create(path) 423 if err != nil { 424 return err 425 } 426 defer file.Close() 427 _, err = io.Copy(file, responseReader) 428 return err 429 } 430 431 func imageLoad(client client.APIClient, path string) error { 432 file, err := os.Open(path) 433 if err != nil { 434 return err 435 } 436 defer file.Close() 437 quiet := true 438 ctx := context.Background() 439 response, err := client.ImageLoad(ctx, file, quiet) 440 if err != nil { 441 return err 442 } 443 defer response.Body.Close() 444 return nil 445 } 446 447 func imageImport(client client.APIClient, path string) error { 448 file, err := os.Open(path) 449 if err != nil { 450 return err 451 } 452 defer file.Close() 453 options := types.ImageImportOptions{} 454 ref := "" 455 source := types.ImageImportSource{ 456 Source: file, 457 SourceName: "-", 458 } 459 ctx := context.Background() 460 responseReader, err := client.ImageImport(ctx, source, ref, options) 461 if err != nil { 462 return err 463 } 464 defer responseReader.Close() 465 return nil 466 } 467 468 func TestAuthZPluginHeader(t *testing.T) { 469 defer setupTestV1(t)() 470 ctrl.reqRes.Allow = true 471 ctrl.resRes.Allow = true 472 d.StartWithBusybox(t, "--debug", "--authorization-plugin="+testAuthZPlugin) 473 474 daemonURL, err := url.Parse(d.Sock()) 475 assert.NilError(t, err) 476 477 conn, err := net.DialTimeout(daemonURL.Scheme, daemonURL.Path, time.Second*10) 478 assert.NilError(t, err) 479 client := httputil.NewClientConn(conn, nil) 480 req, err := http.NewRequest(http.MethodGet, "/version", nil) 481 assert.NilError(t, err) 482 resp, err := client.Do(req) 483 assert.NilError(t, err) 484 assert.Equal(t, "application/json", resp.Header["Content-Type"][0]) 485 } 486 487 // assertURIRecorded verifies that the given URI was sent and recorded 488 // in the authz plugin 489 func assertURIRecorded(t *testing.T, uris []string, uri string) { 490 var found bool 491 for _, u := range uris { 492 if strings.Contains(u, uri) { 493 found = true 494 break 495 } 496 } 497 if !found { 498 t.Fatalf("Expected to find URI '%s', recorded uris '%s'", uri, strings.Join(uris, ",")) 499 } 500 }