
     1  package authorization
     2  
import (
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
)
     8  
// AuthZApiRequest is the endpoint name a daemon calls on an authZ plugin
// to authorize an incoming request.
const AuthZApiRequest = "AuthZPlugin.AuthZReq"

// AuthZApiResponse is the endpoint name a daemon calls on an authZ plugin
// to authorize a response before it is returned to the client.
const AuthZApiResponse = "AuthZPlugin.AuthZRes"

// AuthZApiImplements is the name of the interface all AuthZ plugins implement.
const AuthZApiImplements = "authz"
    19  
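// PeerCertificate is a wrapper around x509.Certificate which provides a sane
// encoding/decoding to/from PEM format and JSON.
//
// On the wire a certificate is a JSON string holding the base64 form of a
// "CERTIFICATE" PEM block, i.e. what json.Marshal produces for a []byte.
type PeerCertificate x509.Certificate

// MarshalJSON returns the JSON encoded pem bytes of a PeerCertificate.
//
// The DER bytes in pc.Raw are wrapped in a "CERTIFICATE" PEM block and the
// PEM bytes are then JSON-encoded as a []byte (base64 string).
func (pc *PeerCertificate) MarshalJSON() ([]byte, error) {
	block := &pem.Block{Type: "CERTIFICATE", Bytes: pc.Raw}
	return json.Marshal(pem.EncodeToMemory(block))
}

// UnmarshalJSON populates a new PeerCertificate struct from JSON data.
//
// It accepts the form produced by MarshalJSON. An error is returned when b is
// not a JSON string, when the decoded bytes contain no PEM block, or when the
// PEM payload is not a parseable X.509 certificate. pc is not modified when an
// error is returned.
func (pc *PeerCertificate) UnmarshalJSON(b []byte) error {
	var pemBytes []byte
	if err := json.Unmarshal(b, &pemBytes); err != nil {
		return err
	}
	// pem.Decode returns a nil block when the input holds no PEM data.
	// Dereferencing it unconditionally would panic on malformed input, so
	// reject that case explicitly.
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return errors.New("authorization: peer certificate is not PEM encoded")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	*pc = PeerCertificate(*c)
	return nil
}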
    44  
// Request holds data required for authZ plugins.
//
// Every field is omitted from the JSON encoding when empty, so a plugin must
// not assume any of them is present.
// NOTE(review): the Response* fields look like they are only meaningful for
// the AuthZApiResponse call — confirm against the caller that fills this in.
type Request struct {
	// User holds the user extracted by AuthN mechanism
	User string `json:"User,omitempty"`

	// UserAuthNMethod holds the mechanism used to extract user details (e.g., krb)
	UserAuthNMethod string `json:"UserAuthNMethod,omitempty"`

	// RequestMethod holds the HTTP method (GET/POST/PUT)
	RequestMethod string `json:"RequestMethod,omitempty"`

	// RequestURI holds the full HTTP uri (e.g., /v1.21/version).
	// The JSON key is spelled "RequestUri" for wire compatibility.
	RequestURI string `json:"RequestUri,omitempty"`

	// RequestBody stores the raw request body sent to the docker daemon
	RequestBody []byte `json:"RequestBody,omitempty"`

	// RequestHeaders stores the raw request headers sent to the docker daemon
	RequestHeaders map[string]string `json:"RequestHeaders,omitempty"`

	// RequestPeerCertificates stores the request's TLS peer certificates in PEM
	// format (see PeerCertificate.MarshalJSON for the exact encoding)
	RequestPeerCertificates []*PeerCertificate `json:"RequestPeerCertificates,omitempty"`

	// ResponseStatusCode stores the status code returned from docker daemon
	ResponseStatusCode int `json:"ResponseStatusCode,omitempty"`

	// ResponseBody stores the raw response body sent from docker daemon
	ResponseBody []byte `json:"ResponseBody,omitempty"`

	// ResponseHeaders stores the response headers sent from the docker daemon
	ResponseHeaders map[string]string `json:"ResponseHeaders,omitempty"`
}
    77  
// Response represents authZ plugin response.
type Response struct {
	// Allow indicates whether the request is allowed or not. It carries no
	// omitempty tag, so it is always present in the encoded JSON, including
	// an explicit false for a denial.
	Allow bool `json:"Allow"`

	// Msg stores the authorization message (omitted from JSON when empty)
	Msg string `json:"Msg,omitempty"`

	// Err stores a message in case there's an error (omitted from JSON when empty)
	Err string `json:"Err,omitempty"`
}