package authorization import ( "net/http" "github.com/Sirupsen/logrus" "golang.org/x/net/context" ) // Middleware uses a list of plugins to // handle authorization in the API requests. type Middleware struct { plugins []Plugin } // NewMiddleware creates a new Middleware // with a slice of plugins. func NewMiddleware(p []Plugin) Middleware { return Middleware{ plugins: p, } } // WrapHandler returns a new handler function wrapping the previous one in the request chain. func (m Middleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error { return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error { user := "" userAuthNMethod := "" // Default authorization using existing TLS connection credentials // FIXME: Non trivial authorization mechanisms (such as advanced certificate validations, kerberos support // and ldap) will be extracted using AuthN feature, which is tracked under: // https://github.com/docker/docker/pull/20883 if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 { user = r.TLS.PeerCertificates[0].Subject.CommonName userAuthNMethod = "TLS" } authCtx := NewCtx(m.plugins, user, userAuthNMethod, r.Method, r.RequestURI) if err := authCtx.AuthZRequest(w, r); err != nil { logrus.Errorf("AuthZRequest for %s %s returned error: %s", r.Method, r.RequestURI, err) return err } rw := NewResponseModifier(w) if err := handler(ctx, rw, r, vars); err != nil { logrus.Errorf("Handler for %s %s returned error: %s", r.Method, r.RequestURI, err) return err } if err := authCtx.AuthZResponse(rw, r); err != nil { logrus.Errorf("AuthZResponse for %s %s returned error: %s", r.Method, r.RequestURI, err) return err } return nil } }