2016-04-08 19:22:39 -04:00
|
|
|
package authorization
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
2016-10-11 19:31:45 -04:00
|
|
|
"sync"
|
2016-04-08 19:22:39 -04:00
|
|
|
|
2016-10-07 17:53:17 -04:00
|
|
|
"github.com/docker/docker/pkg/plugingetter"
|
2017-07-26 17:42:13 -04:00
|
|
|
"github.com/sirupsen/logrus"
|
2016-04-08 19:22:39 -04:00
|
|
|
"golang.org/x/net/context"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Middleware uses a list of plugins to
|
|
|
|
// handle authorization in the API requests.
|
|
|
|
type Middleware struct {
|
2016-10-11 19:31:45 -04:00
|
|
|
mu sync.Mutex
|
2016-04-08 19:22:39 -04:00
|
|
|
plugins []Plugin
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewMiddleware creates a new Middleware
|
2016-05-16 14:12:48 -04:00
|
|
|
// with a slice of plugins names.
|
2016-10-07 17:53:17 -04:00
|
|
|
func NewMiddleware(names []string, pg plugingetter.PluginGetter) *Middleware {
|
|
|
|
SetPluginGetter(pg)
|
2016-05-16 14:12:48 -04:00
|
|
|
return &Middleware{
|
|
|
|
plugins: newPlugins(names),
|
2016-04-08 19:22:39 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-06-13 07:12:42 -04:00
|
|
|
func (m *Middleware) getAuthzPlugins() []Plugin {
|
2017-03-17 17:57:23 -04:00
|
|
|
m.mu.Lock()
|
|
|
|
defer m.mu.Unlock()
|
|
|
|
return m.plugins
|
|
|
|
}
|
|
|
|
|
2016-05-16 14:12:48 -04:00
|
|
|
// SetPlugins sets the plugin used for authorization
|
|
|
|
func (m *Middleware) SetPlugins(names []string) {
|
2016-10-11 19:31:45 -04:00
|
|
|
m.mu.Lock()
|
2016-05-16 14:12:48 -04:00
|
|
|
m.plugins = newPlugins(names)
|
2016-10-11 19:31:45 -04:00
|
|
|
m.mu.Unlock()
|
2016-05-16 14:12:48 -04:00
|
|
|
}
|
|
|
|
|
2017-06-13 06:52:04 -04:00
|
|
|
// RemovePlugin removes a single plugin from this authz middleware chain
|
|
|
|
func (m *Middleware) RemovePlugin(name string) {
|
|
|
|
m.mu.Lock()
|
|
|
|
defer m.mu.Unlock()
|
|
|
|
plugins := m.plugins[:0]
|
|
|
|
for _, authPlugin := range m.plugins {
|
|
|
|
if authPlugin.Name() != name {
|
|
|
|
plugins = append(plugins, authPlugin)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
m.plugins = plugins
|
|
|
|
}
|
|
|
|
|
2016-04-08 19:22:39 -04:00
|
|
|
// WrapHandler returns a new handler function wrapping the previous one in the request chain.
|
2016-05-16 14:12:48 -04:00
|
|
|
func (m *Middleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
|
2016-04-08 19:22:39 -04:00
|
|
|
return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
|
2017-06-13 07:12:42 -04:00
|
|
|
plugins := m.getAuthzPlugins()
|
2016-10-11 19:31:45 -04:00
|
|
|
if len(plugins) == 0 {
|
2016-05-16 14:12:48 -04:00
|
|
|
return handler(ctx, w, r, vars)
|
|
|
|
}
|
|
|
|
|
2016-04-08 19:22:39 -04:00
|
|
|
user := ""
|
|
|
|
userAuthNMethod := ""
|
|
|
|
|
|
|
|
// Default authorization using existing TLS connection credentials
|
|
|
|
// FIXME: Non trivial authorization mechanisms (such as advanced certificate validations, kerberos support
|
|
|
|
// and ldap) will be extracted using AuthN feature, which is tracked under:
|
|
|
|
// https://github.com/docker/docker/pull/20883
|
|
|
|
if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
|
|
|
|
user = r.TLS.PeerCertificates[0].Subject.CommonName
|
|
|
|
userAuthNMethod = "TLS"
|
|
|
|
}
|
|
|
|
|
2016-10-11 19:31:45 -04:00
|
|
|
authCtx := NewCtx(plugins, user, userAuthNMethod, r.Method, r.RequestURI)
|
2016-04-08 19:22:39 -04:00
|
|
|
|
|
|
|
if err := authCtx.AuthZRequest(w, r); err != nil {
|
|
|
|
logrus.Errorf("AuthZRequest for %s %s returned error: %s", r.Method, r.RequestURI, err)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
rw := NewResponseModifier(w)
|
|
|
|
|
2016-10-10 18:13:48 -04:00
|
|
|
var errD error
|
|
|
|
|
|
|
|
if errD = handler(ctx, rw, r, vars); errD != nil {
|
|
|
|
logrus.Errorf("Handler for %s %s returned error: %s", r.Method, r.RequestURI, errD)
|
2016-04-08 19:22:39 -04:00
|
|
|
}
|
|
|
|
|
2017-03-17 17:57:23 -04:00
|
|
|
// There's a chance that the authCtx.plugins was updated. One of the reasons
|
|
|
|
// this can happen is when an authzplugin is disabled.
|
2017-06-13 07:12:42 -04:00
|
|
|
plugins = m.getAuthzPlugins()
|
2017-03-17 17:57:23 -04:00
|
|
|
if len(plugins) == 0 {
|
|
|
|
logrus.Debug("There are no authz plugins in the chain")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
authCtx.plugins = plugins
|
|
|
|
|
2016-10-10 18:13:48 -04:00
|
|
|
if err := authCtx.AuthZResponse(rw, r); errD == nil && err != nil {
|
2016-04-08 19:22:39 -04:00
|
|
|
logrus.Errorf("AuthZResponse for %s %s returned error: %s", r.Method, r.RequestURI, err)
|
|
|
|
return err
|
|
|
|
}
|
2016-10-10 18:13:48 -04:00
|
|
|
|
|
|
|
if errD != nil {
|
|
|
|
return errD
|
|
|
|
}
|
|
|
|
|
2016-04-08 19:22:39 -04:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|