2018-02-05 16:05:59 -05:00
|
|
|
package authorization // import "github.com/docker/docker/pkg/authorization"
|
2015-11-12 06:06:47 -05:00
|
|
|
|
|
|
|
import (
|
|
|
|
"bufio"
|
|
|
|
"bytes"
|
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
2016-03-31 13:53:21 -04:00
|
|
|
|
2017-07-26 17:42:13 -04:00
|
|
|
"github.com/sirupsen/logrus"
|
2015-11-12 06:06:47 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
// ResponseModifier allows authorization plugins to read and modify the content of the http.response
|
|
|
|
type ResponseModifier interface {
|
|
|
|
http.ResponseWriter
|
2016-02-04 10:41:41 -05:00
|
|
|
http.Flusher
|
2015-11-12 06:06:47 -05:00
|
|
|
|
|
|
|
// RawBody returns the current http content
|
|
|
|
RawBody() []byte
|
|
|
|
|
|
|
|
// RawHeaders returns the current content of the http headers
|
|
|
|
RawHeaders() ([]byte, error)
|
|
|
|
|
|
|
|
// StatusCode returns the current status code
|
|
|
|
StatusCode() int
|
|
|
|
|
2016-05-03 11:12:38 -04:00
|
|
|
// OverrideBody replaces the body of the HTTP reply
|
2015-11-12 06:06:47 -05:00
|
|
|
OverrideBody(b []byte)
|
|
|
|
|
2016-05-03 11:12:38 -04:00
|
|
|
// OverrideHeader replaces the headers of the HTTP reply
|
2015-11-12 06:06:47 -05:00
|
|
|
OverrideHeader(b []byte) error
|
|
|
|
|
|
|
|
// OverrideStatusCode replaces the status code of the HTTP reply
|
|
|
|
OverrideStatusCode(statusCode int)
|
|
|
|
|
2016-07-23 04:00:28 -04:00
|
|
|
// FlushAll flushes all data to the HTTP response
|
2016-02-04 10:41:41 -05:00
|
|
|
FlushAll() error
|
|
|
|
|
|
|
|
// Hijacked indicates the response has been hijacked by the Docker daemon
|
|
|
|
Hijacked() bool
|
2015-11-12 06:06:47 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewResponseModifier creates a wrapper to an http.ResponseWriter to allow inspecting and modifying the content
|
|
|
|
func NewResponseModifier(rw http.ResponseWriter) ResponseModifier {
|
|
|
|
return &responseModifier{rw: rw, header: make(http.Header)}
|
|
|
|
}
|
|
|
|
|
2018-04-11 15:19:15 -04:00
|
|
|
const maxBufferSize = 64 * 1024
|
|
|
|
|
2015-11-12 06:06:47 -05:00
|
|
|
// responseModifier is used as an adapter to http.ResponseWriter in order to manipulate and explore
|
|
|
|
// the http request/response from docker daemon
|
|
|
|
type responseModifier struct {
|
|
|
|
// The original response writer
|
2016-02-04 10:41:41 -05:00
|
|
|
rw http.ResponseWriter
|
2015-11-12 06:06:47 -05:00
|
|
|
// body holds the response body
|
|
|
|
body []byte
|
|
|
|
// header holds the response header
|
|
|
|
header http.Header
|
|
|
|
// statusCode holds the response status code
|
|
|
|
statusCode int
|
2016-02-04 10:41:41 -05:00
|
|
|
// hijacked indicates the request has been hijacked
|
|
|
|
hijacked bool
|
|
|
|
}
|
|
|
|
|
|
|
|
func (rm *responseModifier) Hijacked() bool {
|
|
|
|
return rm.hijacked
|
2015-11-12 06:06:47 -05:00
|
|
|
}
|
|
|
|
|
2022-09-23 14:16:47 -04:00
|
|
|
// WriteHeader stores the http status code
|
2015-11-12 06:06:47 -05:00
|
|
|
func (rm *responseModifier) WriteHeader(s int) {
|
2016-02-04 10:41:41 -05:00
|
|
|
// Use original request if hijacked
|
|
|
|
if rm.hijacked {
|
|
|
|
rm.rw.WriteHeader(s)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2015-11-12 06:06:47 -05:00
|
|
|
rm.statusCode = s
|
|
|
|
}
|
|
|
|
|
|
|
|
// Header returns the internal http header
|
|
|
|
func (rm *responseModifier) Header() http.Header {
|
2016-02-04 10:41:41 -05:00
|
|
|
// Use original header if hijacked
|
|
|
|
if rm.hijacked {
|
|
|
|
return rm.rw.Header()
|
|
|
|
}
|
|
|
|
|
2015-11-12 06:06:47 -05:00
|
|
|
return rm.header
|
|
|
|
}
|
|
|
|
|
2016-05-03 11:12:38 -04:00
|
|
|
// StatusCode returns the http status code
|
2015-11-12 06:06:47 -05:00
|
|
|
func (rm *responseModifier) StatusCode() int {
|
|
|
|
return rm.statusCode
|
|
|
|
}
|
|
|
|
|
2016-05-03 11:12:38 -04:00
|
|
|
// OverrideBody replaces the body of the HTTP response
|
2015-11-12 06:06:47 -05:00
|
|
|
func (rm *responseModifier) OverrideBody(b []byte) {
|
|
|
|
rm.body = b
|
|
|
|
}
|
|
|
|
|
2016-05-03 11:12:38 -04:00
|
|
|
// OverrideStatusCode replaces the status code of the HTTP response
|
2015-11-12 06:06:47 -05:00
|
|
|
func (rm *responseModifier) OverrideStatusCode(statusCode int) {
|
|
|
|
rm.statusCode = statusCode
|
|
|
|
}
|
|
|
|
|
2016-05-03 11:12:38 -04:00
|
|
|
// OverrideHeader replaces the headers of the HTTP response
|
2015-11-12 06:06:47 -05:00
|
|
|
func (rm *responseModifier) OverrideHeader(b []byte) error {
|
|
|
|
header := http.Header{}
|
2015-12-16 06:01:04 -05:00
|
|
|
if err := json.Unmarshal(b, &header); err != nil {
|
2015-11-12 06:06:47 -05:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
rm.header = header
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Write stores the byte array inside content
|
|
|
|
func (rm *responseModifier) Write(b []byte) (int, error) {
|
2016-02-04 10:41:41 -05:00
|
|
|
if rm.hijacked {
|
|
|
|
return rm.rw.Write(b)
|
|
|
|
}
|
|
|
|
|
2018-04-11 15:19:15 -04:00
|
|
|
if len(rm.body)+len(b) > maxBufferSize {
|
|
|
|
rm.Flush()
|
|
|
|
}
|
2015-11-12 06:06:47 -05:00
|
|
|
rm.body = append(rm.body, b...)
|
|
|
|
return len(b), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Body returns the response body
|
|
|
|
func (rm *responseModifier) RawBody() []byte {
|
|
|
|
return rm.body
|
|
|
|
}
|
|
|
|
|
|
|
|
func (rm *responseModifier) RawHeaders() ([]byte, error) {
|
|
|
|
var b bytes.Buffer
|
2015-12-16 06:01:04 -05:00
|
|
|
if err := rm.header.Write(&b); err != nil {
|
2015-11-12 06:06:47 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return b.Bytes(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Hijack returns the internal connection of the wrapped http.ResponseWriter
|
|
|
|
func (rm *responseModifier) Hijack() (net.Conn, *bufio.ReadWriter, error) {
|
2016-02-04 10:41:41 -05:00
|
|
|
rm.hijacked = true
|
|
|
|
rm.FlushAll()
|
|
|
|
|
2015-11-12 06:06:47 -05:00
|
|
|
hijacker, ok := rm.rw.(http.Hijacker)
|
|
|
|
if !ok {
|
2016-02-22 14:22:20 -05:00
|
|
|
return nil, nil, fmt.Errorf("Internal response writer doesn't support the Hijacker interface")
|
2015-11-12 06:06:47 -05:00
|
|
|
}
|
|
|
|
return hijacker.Hijack()
|
|
|
|
}
|
|
|
|
|
2016-02-04 10:41:41 -05:00
|
|
|
// Flush uses the internal flush API of the wrapped http.ResponseWriter
|
|
|
|
func (rm *responseModifier) Flush() {
|
|
|
|
flusher, ok := rm.rw.(http.Flusher)
|
|
|
|
if !ok {
|
2016-06-11 16:16:55 -04:00
|
|
|
logrus.Error("Internal response writer doesn't support the Flusher interface")
|
2016-02-04 10:41:41 -05:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
rm.FlushAll()
|
|
|
|
flusher.Flush()
|
|
|
|
}
|
|
|
|
|
|
|
|
// FlushAll flushes all data to the HTTP response
|
|
|
|
func (rm *responseModifier) FlushAll() error {
|
2015-11-12 06:06:47 -05:00
|
|
|
// Copy the header
|
|
|
|
for k, vv := range rm.header {
|
|
|
|
for _, v := range vv {
|
|
|
|
rm.rw.Header().Add(k, v)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-08-24 00:08:23 -04:00
|
|
|
// Copy the status code
|
|
|
|
// Also WriteHeader needs to be done after all the headers
|
|
|
|
// have been copied (above).
|
|
|
|
if rm.statusCode > 0 {
|
|
|
|
rm.rw.WriteHeader(rm.statusCode)
|
|
|
|
}
|
|
|
|
|
2016-02-04 10:41:41 -05:00
|
|
|
var err error
|
|
|
|
if len(rm.body) > 0 {
|
|
|
|
// Write body
|
2018-04-11 15:19:15 -04:00
|
|
|
var n int
|
|
|
|
n, err = rm.rw.Write(rm.body)
|
|
|
|
// TODO(@cpuguy83): there is now a relatively small buffer limit, instead of discarding our buffer here and
|
|
|
|
// allocating again later this should just keep using the same buffer and track the buffer position (like a bytes.Buffer with a fixed size)
|
|
|
|
rm.body = rm.body[n:]
|
2016-02-04 10:41:41 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Clean previous data
|
|
|
|
rm.statusCode = 0
|
|
|
|
rm.header = http.Header{}
|
2015-11-12 06:06:47 -05:00
|
|
|
return err
|
|
|
|
}
|