//go:build !windows
// +build !windows
package authz // import "github.com/docker/docker/integration/plugin/authz"
import (
"encoding/json"
"fmt"
"io"
"net/http"
"net/http/httptest"
"os"
"strings"
"testing"
"github.com/docker/docker/pkg/authorization"
"github.com/docker/docker/pkg/plugins"
"github.com/docker/docker/testutil/daemon"
"github.com/docker/docker/testutil/environment"
"gotest.tools/v3/skip"
)
// Package-level fixtures shared by every test in this package.

// testEnv describes the environment the integration tests run against; it is
// built once in TestMain.
var testEnv *environment.Execution

// d is the daemon created by setupTest for the current test. The cleanup
// func returned by setupTest stops it.
var d *daemon.Daemon

// server is the in-process HTTP server that plays the authz plugin for the
// whole suite: started in setupSuite, closed in teardownSuite.
var server *httptest.Server
// TestMain builds the shared test environment, makes sure the frozen images
// are available, starts the fake authz plugin server for the whole suite and
// tears it down once every test has run. The process exits with m.Run's code.
func TestMain(m *testing.M) {
	// Any setup failure is fatal for the whole package: report it and leave.
	exitOnErr := func(err error) {
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
	}

	var err error
	testEnv, err = environment.New()
	exitOnErr(err)
	exitOnErr(environment.EnsureFrozenImagesLinux(testEnv))

	testEnv.Print()

	setupSuite()
	code := m.Run()
	teardownSuite()

	os.Exit(code)
}
// setupTest prepares a single test: it skips the configurations this suite
// cannot run in, protects the environment's pre-existing state and creates
// (but does not start) the daemon under test in the package-level d. The
// returned func is the matching cleanup and is meant to be deferred.
func setupTest(t *testing.T) func() {
	skip.If(t, testEnv.IsRemoteDaemon, "cannot run daemon when remote daemon")
	skip.If(t, testEnv.DaemonInfo.OSType == "windows")
	// The plugin server listens on localhost; a rootless daemon does not share
	// that network view, so the plugin would be unreachable.
	skip.If(t, testEnv.IsRootless, "rootless mode has different view of localhost")
	environment.ProtectAll(t, testEnv)

	d = daemon.New(t, daemon.WithExperimental())

	cleanup := func() {
		if dd := d; dd != nil {
			dd.Stop(t)
		}
		testEnv.Clean(t)
	}
	return cleanup
}
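// setupSuite starts the in-process HTTP server that stands in for an authz
// plugin for the whole suite. It serves the three endpoints the daemon calls:
// the plugin handshake, and the request / response authorization hooks.
//
// Both hooks check the security property this package tests - that the daemon
// strips credential-bearing headers and non text/json bodies before forwarding
// a request or response to a plugin - and then answer with whatever verdict
// the test configured in ctrl.
//
// NOTE: net/http recovers panics raised in handlers (it logs them and aborts
// the connection), so a failed assertion below surfaces as a plugin error on
// the daemon side, not as a direct test failure; the calling test has to
// notice the failed API call.
//
// NOTE(review): ctrl is read and mutated from these handlers with no
// synchronization. This relies on the daemon calling the plugin serially
// within a test and on tests not running in parallel - confirm if either
// changes.
func setupSuite() {
	mux := http.NewServeMux()
	server = httptest.NewServer(mux)

	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		b, err := json.Marshal(plugins.Manifest{Implements: []string{authorization.AuthZApiImplements}})
		if err != nil {
			panic("could not marshal json for /Plugin.Activate: " + err.Error())
		}
		w.Write(b)
	})

	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
		authReq := decodeAuthzRequest("/AuthZPlugin.AuthZReq", r)

		// Request side: credentials and non text/json bodies must already be
		// gone by the time the plugin sees the request.
		assertBody(authReq.RequestURI, authReq.RequestHeaders, authReq.RequestBody)
		assertAuthHeaders(authReq.RequestHeaders)

		// Count only server version api
		if strings.HasSuffix(authReq.RequestURI, serverVersionAPI) {
			ctrl.versionReqCount++
		}
		ctrl.requestsURIs = append(ctrl.requestsURIs, authReq.RequestURI)

		b := encodeAuthzResponse("/AuthZPlugin.AuthZReq", w, authReq.RequestURI, ctrl.reqRes)
		ctrl.reqUser = authReq.User
		w.Write(b)
	})

	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
		authReq := decodeAuthzRequest("/AuthZPlugin.AuthZRes", r)

		// Response side: same checks, applied to the daemon's response headers
		// and body.
		assertBody(authReq.RequestURI, authReq.ResponseHeaders, authReq.ResponseBody)
		assertAuthHeaders(authReq.ResponseHeaders)

		// Count only server version api
		if strings.HasSuffix(authReq.RequestURI, serverVersionAPI) {
			ctrl.versionResCount++
		}

		b := encodeAuthzResponse("/AuthZPlugin.AuthZRes", w, authReq.RequestURI, ctrl.resRes)
		ctrl.resUser = authReq.User
		w.Write(b)
	})
}

// decodeAuthzRequest reads and decodes the authorization.Request the daemon
// posted to endpoint (used only for the panic messages). It panics on any
// failure: the fake plugin has no other way to report a malformed call.
func decodeAuthzRequest(endpoint string, r *http.Request) authorization.Request {
	defer r.Body.Close()
	body, err := io.ReadAll(r.Body)
	if err != nil {
		panic("could not read body for " + endpoint + ": " + err.Error())
	}
	authReq := authorization.Request{}
	if err := json.Unmarshal(body, &authReq); err != nil {
		panic("could not unmarshal json for " + endpoint + ": " + err.Error())
	}
	return authReq
}

// encodeAuthzResponse picks the plugin's verdict for requestURI - an
// unconditional allow when isAllowed accepts the URI, otherwise the canned
// response the test configured - writes a 500 status when that verdict
// carries an error, and returns the encoded body for the caller to write.
// Marshalling failures panic, as in decodeAuthzRequest.
func encodeAuthzResponse(endpoint string, w http.ResponseWriter, requestURI string, canned authorization.Response) []byte {
	res := canned
	if isAllowed(requestURI) {
		res = authorization.Response{Allow: true}
	}
	if res.Err != "" {
		w.WriteHeader(http.StatusInternalServerError)
	}
	b, err := json.Marshal(res)
	if err != nil {
		panic("could not marshal json for " + endpoint + ": " + err.Error())
	}
	return b
}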
// teardownSuite shuts down the fake plugin server started by setupSuite.
// It is a no-op when the server was never started.
func teardownSuite() {
	if server != nil {
		server.Close()
	}
}
// assertAuthHeaders checks that no credential-bearing header reached the
// plugin: the daemon is expected to strip them before forwarding a request
// or response. The match is deliberately broad and case-insensitive - any
// header whose name contains "auth" (Authorization, X-Registry-Auth, ...) or
// "x-registry" (which also covers X-Registry-Config) trips it.
//
// It panics on the first offending header. The error return is always nil
// and exists only for the existing call sites.
func assertAuthHeaders(headers map[string]string) error {
	for name := range headers {
		lower := strings.ToLower(name)
		switch {
		case strings.Contains(lower, "auth"), strings.Contains(lower, "x-registry"):
			panic(fmt.Sprintf("Found authentication headers in request '%v'", headers))
		}
	}
	return nil
}
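// assertBody asserts that the daemon forwarded a body only where the plugin
// protocol allows one: never for an authentication endpoint, and otherwise
// only when the Content-Type header says the body is text/* or JSON. An empty
// body is always acceptable. Violations panic.
//
// Note the parenthesisation of the Content-Type check: only the value of the
// Content-Type header may qualify a body. The previous condition parsed as
// `(is Content-Type && text/*) || value == "application/json"`, so a value
// of exactly "application/json" on any other header (e.g. Accept) let a body
// through regardless of the real Content-Type, silently weakening this check.
//
// The auth-endpoint match is intentionally broad: any URI containing "auth",
// case-insensitively. Content-Type values carrying parameters (e.g.
// "application/json; charset=utf-8") do not match and would trip the
// assertion if a body is present - TODO confirm against the daemon's
// body-forwarding rule before tightening or loosening this.
func assertBody(requestURI string, headers map[string]string, body []byte) {
	if len(body) == 0 {
		// Nothing was forwarded; nothing to check.
		return
	}
	if strings.Contains(strings.ToLower(requestURI), "auth") {
		panic("Body included for authentication endpoint " + string(body))
	}
	for k, v := range headers {
		if !strings.EqualFold(k, "Content-Type") {
			continue
		}
		if strings.HasPrefix(v, "text/") || v == "application/json" {
			return
		}
	}
	panic(fmt.Sprintf("Body included while it should not (Headers: '%v')", headers))
}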