2015-11-12 06:06:47 -05:00
|
|
|
package authorization
|
|
|
|
|
2016-06-12 11:19:43 -04:00
|
|
|
import (
|
|
|
|
"sync"
|
|
|
|
|
2016-10-07 17:53:17 -04:00
|
|
|
"github.com/docker/docker/pkg/plugingetter"
|
2016-06-12 11:19:43 -04:00
|
|
|
"github.com/docker/docker/pkg/plugins"
|
|
|
|
)
|
2015-11-12 06:06:47 -05:00
|
|
|
|
|
|
|
// Plugin allows third party plugins to authorize requests and responses
|
|
|
|
// in the context of docker API
|
|
|
|
type Plugin interface {
|
2015-12-18 06:34:19 -05:00
|
|
|
// Name returns the registered plugin name
|
|
|
|
Name() string
|
|
|
|
|
2016-05-03 11:12:38 -04:00
|
|
|
// AuthZRequest authorizes the request from the client to the daemon
|
2015-12-16 06:01:04 -05:00
|
|
|
AuthZRequest(*Request) (*Response, error)
|
2015-11-12 06:06:47 -05:00
|
|
|
|
2016-05-03 11:12:38 -04:00
|
|
|
// AuthZResponse authorizes the response from the daemon to the client
|
2015-12-16 06:01:04 -05:00
|
|
|
AuthZResponse(*Request) (*Response, error)
|
2015-11-12 06:06:47 -05:00
|
|
|
}
|
|
|
|
|
2016-05-16 14:12:48 -04:00
|
|
|
// newPlugins constructs and initializes the authorization plugins based on plugin names
|
|
|
|
func newPlugins(names []string) []Plugin {
|
2015-12-20 13:44:01 -05:00
|
|
|
plugins := []Plugin{}
|
|
|
|
pluginsMap := make(map[string]struct{})
|
|
|
|
for _, name := range names {
|
|
|
|
if _, ok := pluginsMap[name]; ok {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
pluginsMap[name] = struct{}{}
|
|
|
|
plugins = append(plugins, newAuthorizationPlugin(name))
|
2015-11-12 06:06:47 -05:00
|
|
|
}
|
|
|
|
return plugins
|
|
|
|
}
|
|
|
|
|
2016-10-07 17:53:17 -04:00
|
|
|
var getter plugingetter.PluginGetter
|
|
|
|
|
|
|
|
// SetPluginGetter sets the plugingetter
|
|
|
|
func SetPluginGetter(pg plugingetter.PluginGetter) {
|
|
|
|
getter = pg
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetPluginGetter gets the plugingetter
|
|
|
|
func GetPluginGetter() plugingetter.PluginGetter {
|
|
|
|
return getter
|
|
|
|
}
|
|
|
|
|
2015-11-12 06:06:47 -05:00
|
|
|
// authorizationPlugin is an internal adapter to docker plugin system
|
|
|
|
type authorizationPlugin struct {
|
2016-05-16 11:50:55 -04:00
|
|
|
plugin *plugins.Client
|
2015-11-12 06:06:47 -05:00
|
|
|
name string
|
2016-06-12 11:19:43 -04:00
|
|
|
once sync.Once
|
2015-11-12 06:06:47 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
func newAuthorizationPlugin(name string) Plugin {
|
|
|
|
return &authorizationPlugin{name: name}
|
|
|
|
}
|
|
|
|
|
2015-12-18 06:34:19 -05:00
|
|
|
func (a *authorizationPlugin) Name() string {
|
|
|
|
return a.name
|
|
|
|
}
|
2015-11-12 06:06:47 -05:00
|
|
|
|
2015-12-18 06:34:19 -05:00
|
|
|
func (a *authorizationPlugin) AuthZRequest(authReq *Request) (*Response, error) {
|
2015-12-16 06:01:04 -05:00
|
|
|
if err := a.initPlugin(); err != nil {
|
2015-11-12 06:06:47 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2015-12-16 06:01:04 -05:00
|
|
|
authRes := &Response{}
|
2016-05-16 11:50:55 -04:00
|
|
|
if err := a.plugin.Call(AuthZApiRequest, authReq, authRes); err != nil {
|
2015-11-12 06:06:47 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return authRes, nil
|
|
|
|
}
|
|
|
|
|
2015-12-16 06:01:04 -05:00
|
|
|
func (a *authorizationPlugin) AuthZResponse(authReq *Request) (*Response, error) {
|
|
|
|
if err := a.initPlugin(); err != nil {
|
2015-11-12 06:06:47 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2015-12-16 06:01:04 -05:00
|
|
|
authRes := &Response{}
|
2016-05-16 11:50:55 -04:00
|
|
|
if err := a.plugin.Call(AuthZApiResponse, authReq, authRes); err != nil {
|
2015-11-12 06:06:47 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return authRes, nil
|
|
|
|
}
|
|
|
|
|
2016-05-03 11:12:38 -04:00
|
|
|
// initPlugin initializes the authorization plugin if needed
|
2015-12-16 06:01:04 -05:00
|
|
|
func (a *authorizationPlugin) initPlugin() error {
|
2015-11-12 06:06:47 -05:00
|
|
|
// Lazy loading of plugins
|
2016-06-12 11:19:43 -04:00
|
|
|
var err error
|
|
|
|
a.once.Do(func() {
|
|
|
|
if a.plugin == nil {
|
2016-10-07 17:53:17 -04:00
|
|
|
var plugin plugingetter.CompatPlugin
|
|
|
|
var e error
|
|
|
|
|
|
|
|
if pg := GetPluginGetter(); pg != nil {
|
|
|
|
plugin, e = pg.Get(a.name, AuthZApiImplements, plugingetter.LOOKUP)
|
|
|
|
} else {
|
|
|
|
plugin, e = plugins.Get(a.name, AuthZApiImplements)
|
|
|
|
}
|
2016-05-16 11:50:55 -04:00
|
|
|
if e != nil {
|
2016-11-02 17:29:40 -04:00
|
|
|
err = e
|
2016-05-16 11:50:55 -04:00
|
|
|
return
|
|
|
|
}
|
|
|
|
a.plugin = plugin.Client()
|
2015-11-12 06:06:47 -05:00
|
|
|
}
|
2016-06-12 11:19:43 -04:00
|
|
|
})
|
|
|
|
return err
|
2015-11-12 06:06:47 -05:00
|
|
|
}
|