github.com/vincentwoo/docker@v0.7.3-0.20160116130405-82401a4b13c0/pkg/authorization/authz.go (about) 1 package authorization 2 3 import ( 4 "bufio" 5 "bytes" 6 "fmt" 7 "io" 8 "net/http" 9 "strings" 10 11 "github.com/Sirupsen/logrus" 12 "github.com/docker/docker/pkg/ioutils" 13 ) 14 15 const maxBodySize = 1048576 // 1MB 16 17 // NewCtx creates new authZ context, it is used to store authorization information related to a specific docker 18 // REST http session 19 // A context provides two method: 20 // Authenticate Request: 21 // Call authZ plugins with current REST request and AuthN response 22 // Request contains full HTTP packet sent to the docker daemon 23 // https://docs.docker.com/reference/api/docker_remote_api/ 24 // 25 // Authenticate Response: 26 // Call authZ plugins with full info about current REST request, REST response and AuthN response 27 // The response from this method may contains content that overrides the daemon response 28 // This allows authZ plugins to filter privileged content 29 // 30 // If multiple authZ plugins are specified, the block/allow decision is based on ANDing all plugin results 31 // For response manipulation, the response from each plugin is piped between plugins. Plugin execution order 32 // is determined according to daemon parameters 33 func NewCtx(authZPlugins []Plugin, user, userAuthNMethod, requestMethod, requestURI string) *Ctx { 34 return &Ctx{ 35 plugins: authZPlugins, 36 user: user, 37 userAuthNMethod: userAuthNMethod, 38 requestMethod: requestMethod, 39 requestURI: requestURI, 40 } 41 } 42 43 // Ctx stores a a single request-response interaction context 44 type Ctx struct { 45 user string 46 userAuthNMethod string 47 requestMethod string 48 requestURI string 49 plugins []Plugin 50 // authReq stores the cached request object for the current transaction 51 authReq *Request 52 } 53 54 // AuthZRequest authorized the request to the docker daemon using authZ plugins 55 func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error { 56 var body []byte 57 if sendBody(ctx.requestURI, r.Header) { 58 if r.ContentLength < maxBodySize { 59 var err error 60 body, r.Body, err = drainBody(r.Body) 61 if err != nil { 62 return err 63 } 64 } 65 } 66 67 var h bytes.Buffer 68 if err := r.Header.Write(&h); err != nil { 69 return err 70 } 71 72 ctx.authReq = &Request{ 73 User: ctx.user, 74 UserAuthNMethod: ctx.userAuthNMethod, 75 RequestMethod: ctx.requestMethod, 76 RequestURI: ctx.requestURI, 77 RequestBody: body, 78 RequestHeaders: headers(r.Header), 79 } 80 81 for _, plugin := range ctx.plugins { 82 logrus.Debugf("AuthZ request using plugin %s", plugin.Name()) 83 84 authRes, err := plugin.AuthZRequest(ctx.authReq) 85 if err != nil { 86 return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err) 87 } 88 89 if !authRes.Allow { 90 return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg) 91 } 92 } 93 94 return nil 95 } 96 97 // AuthZResponse authorized and manipulates the response from docker daemon using authZ plugins 98 func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error { 99 ctx.authReq.ResponseStatusCode = rm.StatusCode() 100 ctx.authReq.ResponseHeaders = headers(rm.Header()) 101 102 if sendBody(ctx.requestURI, rm.Header()) { 103 ctx.authReq.ResponseBody = rm.RawBody() 104 } 105 106 for _, plugin := range ctx.plugins { 107 logrus.Debugf("AuthZ response using plugin %s", plugin.Name()) 108 109 authRes, err := plugin.AuthZResponse(ctx.authReq) 110 if err != nil { 111 return fmt.Errorf("plugin %s failed with error: %s", plugin.Name(), err) 112 } 113 114 if !authRes.Allow { 115 return fmt.Errorf("authorization denied by plugin %s: %s", plugin.Name(), authRes.Msg) 116 } 117 } 118 119 rm.Flush() 120 121 return nil 122 } 123 124 // drainBody dump the body, it reads the body data into memory and 125 // see go sources /go/src/net/http/httputil/dump.go 126 func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) { 127 bufReader := bufio.NewReaderSize(body, maxBodySize) 128 newBody := ioutils.NewReadCloserWrapper(bufReader, func() error { return body.Close() }) 129 130 data, err := bufReader.Peek(maxBodySize) 131 if err != io.EOF { 132 // This means the request is larger than our max 133 if err == bufio.ErrBufferFull { 134 return nil, newBody, nil 135 } 136 // This means we had an error reading 137 return nil, nil, err 138 } 139 140 return data, newBody, nil 141 } 142 143 // sendBody returns true when request/response body should be sent to AuthZPlugin 144 func sendBody(url string, header http.Header) bool { 145 // Skip body for auth endpoint 146 if strings.HasSuffix(url, "/auth") { 147 return false 148 } 149 150 // body is sent only for text or json messages 151 v := header.Get("Content-Type") 152 return strings.HasPrefix(v, "text/") || v == "application/json" 153 } 154 155 // headers returns flatten version of the http headers excluding authorization 156 func headers(header http.Header) map[string]string { 157 v := make(map[string]string, 0) 158 for k, values := range header { 159 // Skip authorization headers 160 if strings.EqualFold(k, "Authorization") || strings.EqualFold(k, "X-Registry-Config") || strings.EqualFold(k, "X-Registry-Auth") { 161 continue 162 } 163 for _, val := range values { 164 v[k] = val 165 } 166 } 167 return v 168 }