8d3467626e
This makes separating middlewares from the core API easier. As an example, the authorization middleware is moved to its own package. Initialize all static middlewares when the server is created, reducing allocations every time a route is wrapped with the middlewares. Signed-off-by: David Calavera <david.calavera@gmail.com>
package authorization
import (
"net/http"
"github.com/Sirupsen/logrus"
"golang.org/x/net/context"
)
// Middleware uses a list of plugins to handle authorization in the API
// requests. It carries no per-request state; a value receiver is enough.
type Middleware struct {
	// plugins is handed to NewCtx for every request that goes through
	// WrapHandler, so each request is evaluated against this same list.
	plugins []Plugin
}
// NewMiddleware creates a new Middleware with a slice of plugins.
//
// The slice is stored as-is rather than copied, so a caller that keeps
// mutating p after this call also changes the plugin list the middleware
// consults.
func NewMiddleware(p []Plugin) Middleware {
	return Middleware{plugins: p}
}
// WrapHandler returns a new handler function wrapping the previous one in the request chain.
//
// The returned handler brackets the wrapped handler with the authorization
// plugins: AuthZRequest runs before it, AuthZResponse runs after it on the
// wrapped response writer. The identity passed to the plugins is taken only
// from a mutual-TLS client certificate (Subject CommonName of the first peer
// certificate, method "TLS"); on any other connection both the user and the
// authentication method are empty strings, so plugins see the request as
// unauthenticated and must decide on that basis. A non-nil error from
// AuthZRequest stops the chain before the wrapped handler is invoked, and a
// non-nil error from the wrapped handler skips AuthZResponse. Every error is
// logged with the request method and RequestURI and returned unchanged.
func (m Middleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
		// Anonymous by default; only a mutual-TLS connection supplies an identity.
		// FIXME: Non trivial authorization mechanisms (such as advanced certificate validations, kerberos support
		// and ldap) will be extracted using AuthN feature, which is tracked under:
		// https://github.com/docker/docker/pull/20883
		var user, userAuthNMethod string
		if tlsState := r.TLS; tlsState != nil && len(tlsState.PeerCertificates) > 0 {
			user = tlsState.PeerCertificates[0].Subject.CommonName
			userAuthNMethod = "TLS"
		}

		// RequestURI is passed to the plugins exactly as received.
		authCtx := NewCtx(m.plugins, user, userAuthNMethod, r.Method, r.RequestURI)

		// Deny before the wrapped handler gets to run.
		if err := authCtx.AuthZRequest(w, r); err != nil {
			logrus.Errorf("AuthZRequest for %s %s returned error: %s", r.Method, r.RequestURI, err)
			return err
		}

		// The wrapped handler writes into rw, and rw (not w) is what
		// AuthZResponse receives; what it captures or buffers is defined by
		// NewResponseModifier, not here.
		rw := NewResponseModifier(w)
		if err := handler(ctx, rw, r, vars); err != nil {
			logrus.Errorf("Handler for %s %s returned error: %s", r.Method, r.RequestURI, err)
			return err
		}

		// Nil on success; a plugin rejection is logged and propagated as-is.
		err := authCtx.AuthZResponse(rw, r)
		if err != nil {
			logrus.Errorf("AuthZResponse for %s %s returned error: %s", r.Method, r.RequestURI, err)
		}
		return err
	}
}