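package authorization

import (
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
)

const (
	// AuthZApiRequest is the url for daemon request authorization
	AuthZApiRequest = "AuthZPlugin.AuthZReq"

	// AuthZApiResponse is the url for daemon response authorization
	AuthZApiResponse = "AuthZPlugin.AuthZRes"

	// AuthZApiImplements is the name of the interface all AuthZ plugins implement
	AuthZApiImplements = "authz"
)

// PeerCertificate is a wrapper around x509.Certificate which provides a sane
// encoding/decoding to/from PEM format and JSON.
type PeerCertificate x509.Certificate

// MarshalJSON returns the JSON encoded pem bytes of a PeerCertificate.
//
// Only the DER bytes (pc.Raw) are emitted, wrapped in a single
// "CERTIFICATE" PEM block; encoding/json then encodes that byte slice
// as a base64 JSON string.
func (pc *PeerCertificate) MarshalJSON() ([]byte, error) {
	b := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: pc.Raw})
	return json.Marshal(b)
}

// UnmarshalJSON populates a new PeerCertificate struct from JSON data.
//
// The JSON value must be a base64 string (encoding/json's []byte form)
// holding PEM text. Only the first PEM block is used; anything following
// it is ignored. An error is returned when the value is not valid JSON,
// contains no PEM block, or the block does not parse as an X.509
// certificate.
func (pc *PeerCertificate) UnmarshalJSON(b []byte) error {
	var buf []byte
	if err := json.Unmarshal(b, &buf); err != nil {
		return err
	}
	// pem.Decode returns a nil block when no PEM data is present. The
	// payload arrives from a plugin over the wire, so reject it explicitly
	// instead of dereferencing a nil block (which would panic).
	block, _ := pem.Decode(buf)
	if block == nil {
		return errors.New("authorization: peer certificate is not PEM encoded")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	*pc = PeerCertificate(*c)
	return nil
}

// Request holds data required for authZ plugins
type Request struct {
	// User holds the user extracted by AuthN mechanism
	User string `json:"User,omitempty"`

	// UserAuthNMethod holds the mechanism used to extract user details (e.g., krb)
	UserAuthNMethod string `json:"UserAuthNMethod,omitempty"`

	// RequestMethod holds the HTTP method (GET/POST/PUT)
	RequestMethod string `json:"RequestMethod,omitempty"`

	// RequestURI holds the full HTTP uri (e.g., /v1.21/version); the JSON
	// key is spelled "RequestUri" for wire compatibility
	RequestURI string `json:"RequestUri,omitempty"`

	// RequestBody stores the raw request body sent to the docker daemon
	RequestBody []byte `json:"RequestBody,omitempty"`

	// RequestHeaders stores the raw request headers sent to the docker daemon
	RequestHeaders map[string]string `json:"RequestHeaders,omitempty"`

	// RequestPeerCertificates stores the request's TLS peer certificates in PEM format
	RequestPeerCertificates []*PeerCertificate `json:"RequestPeerCertificates,omitempty"`

	// ResponseStatusCode stores the status code returned from docker daemon
	ResponseStatusCode int `json:"ResponseStatusCode,omitempty"`

	// ResponseBody stores the raw response body sent from docker daemon
	ResponseBody []byte `json:"ResponseBody,omitempty"`

	// ResponseHeaders stores the response headers sent to the docker daemon
	ResponseHeaders map[string]string `json:"ResponseHeaders,omitempty"`
}

// Response represents authZ plugin response
type Response struct {
	// Allow indicates whether the user is allowed or not
	Allow bool `json:"Allow"`

	// Msg stores the authorization message
	Msg string `json:"Msg,omitempty"`

	// Err stores a message in case there's an error
	Err string `json:"Err,omitempty"`
}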