github.com/sijibomii/docker@v0.0.0-20231230191044-5cf6ca554647/pkg/authorization/authz.go (about) 1 package authorization 2 3 import ( 4 "bufio" 5 "bytes" 6 "fmt" 7 "io" 8 "net/http" 9 "strings" 10 11 "github.com/Sirupsen/logrus" 12 "github.com/docker/docker/pkg/ioutils" 13 ) 14 15 const maxBodySize = 1048576 // 1MB 16 17 // NewCtx creates new authZ context, it is used to store authorization information related to a specific docker 18 // REST http session 19 // A context provides two method: 20 // Authenticate Request: 21 // Call authZ plugins with current REST request and AuthN response 22 // Request contains full HTTP packet sent to the docker daemon 23 // https://docs.docker.com/reference/api/docker_remote_api/ 24 // 25 // Authenticate Response: 26 // Call authZ plugins with full info about current REST request, REST response and AuthN response 27 // The response from this method may contains content that overrides the daemon response 28 // This allows authZ plugins to filter privileged content 29 // 30 // If multiple authZ plugins are specified, the block/allow decision is based on ANDing all plugin results 31 // For response manipulation, the response from each plugin is piped between plugins. Plugin execution order 32 // is determined according to daemon parameters 33 func NewCtx(authZPlugins []Plugin, user, userAuthNMethod, requestMethod, requestURI string) *Ctx { 34 return &Ctx{ 35 plugins: authZPlugins, 36 user: user, 37 userAuthNMethod: userAuthNMethod, 38 requestMethod: requestMethod, 39 requestURI: requestURI, 40 } 41 } 42 43 // Ctx stores a a single request-response interaction context 44 type Ctx struct { 45 user string 46 userAuthNMethod string 47 requestMethod string 48 requestURI string 49 plugins []Plugin 50 // authReq stores the cached request object for the current transaction 51 authReq *Request 52 } 53 54 // AuthZRequest authorized the request to the docker daemon using authZ plugins 55 func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error { 56 var body []byte 57 if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize { 58 var err error 59 body, r.Body, err = drainBody(r.Body) 60 if err != nil { 61 return err 62 } 63 } 64 65 var h bytes.Buffer 66 if err := r.Header.Write(&h); err != nil { 67 return err 68 } 69 70 ctx.authReq = &Request{ 71 User: ctx.user, 72 UserAuthNMethod: ctx.userAuthNMethod, 73 RequestMethod: ctx.requestMethod, 74 RequestURI: ctx.requestURI, 75 RequestBody: body, 76 RequestHeaders: headers(r.Header), 77 } 78 79 for _, plugin := range ctx.plugins { 80 logrus.Debugf("AuthZ request using plugin %s", plugin.Name()) 81 82 authRes, err := plugin.AuthZRequest(ctx.authReq) 83 if err != nil { 84 return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err) 85 } 86 87 if !authRes.Allow { 88 return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg) 89 } 90 } 91 92 return nil 93 } 94 95 // AuthZResponse authorized and manipulates the response from docker daemon using authZ plugins 96 func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error { 97 ctx.authReq.ResponseStatusCode = rm.StatusCode() 98 ctx.authReq.ResponseHeaders = headers(rm.Header()) 99 100 if sendBody(ctx.requestURI, rm.Header()) { 101 ctx.authReq.ResponseBody = rm.RawBody() 102 } 103 104 for _, plugin := range ctx.plugins { 105 logrus.Debugf("AuthZ response using plugin %s", plugin.Name()) 106 107 authRes, err := plugin.AuthZResponse(ctx.authReq) 108 if err != nil { 109 return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err) 110 } 111 112 if !authRes.Allow { 113 return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg) 114 } 115 } 116 117 rm.FlushAll() 118 119 return nil 120 } 121 122 // drainBody dump the body (if it's length is less than 1MB) without modifying the request state 123 func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) { 124 bufReader := bufio.NewReaderSize(body, maxBodySize) 125 newBody := ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() }) 126 127 data, err := bufReader.Peek(maxBodySize) 128 // Body size exceeds max body size 129 if err == nil { 130 logrus.Warnf("Request body is larger than: '%d' skipping body", maxBodySize) 131 return nil, newBody, nil 132 } 133 // Body size is less than maximum size 134 if err == io.EOF { 135 return data, newBody, nil 136 } 137 // Unknown error 138 return nil, newBody, err 139 } 140 141 // sendBody returns true when request/response body should be sent to AuthZPlugin 142 func sendBody(url string, header http.Header) bool { 143 // Skip body for auth endpoint 144 if strings.HasSuffix(url, "/auth") { 145 return false 146 } 147 148 // body is sent only for text or json messages 149 return header.Get("Content-Type") == "application/json" 150 } 151 152 // headers returns flatten version of the http headers excluding authorization 153 func headers(header http.Header) map[string]string { 154 v := make(map[string]string, 0) 155 for k, values := range header { 156 // Skip authorization headers 157 if strings.EqualFold(k, "Authorization") || strings.EqualFold(k, "X-Registry-Config") || strings.EqualFold(k, "X-Registry-Auth") { 158 continue 159 } 160 for _, val := range values { 161 v[k] = val 162 } 163 } 164 return v 165 }